Learn about the types of evidence in the account information category that the Incident Response Evidence Collection playbook, Collect Evidence task, and Trend Micro Incident Response Toolkit collect.
User

| Evidence data | Description |
| --- | --- |
| Username | The name of the user account. |
| SID | The user signature identifier. |
| Domain | The domain name of the user. |
| Type | The user account type. |
| Description | The comment associated with the user account. |
| Directory | The profile image path. |
| UID | The user ID (last part of SID). |
| GID | The user Group ID. |
| Acct expires | The date and time when the account expires. |
| Auth flag | The user's operator privileges. |
| Bad PW count | The number of times the user tried to log on to the account using an incorrect password. |
| Code page | The code page for the user's language of choice. |
| Country code | The country/region code for the user's language of choice. |
| Flags | The user account control flags. |
| Home dir drive | The drive letter assigned to the user's home directory for logon purposes. |
| Last logoff | The date and time when the last logoff occurred. |
| Last logon | The date and time when the last logon occurred. |
| Logon server | The name of the server to which logon requests are sent. |
| Num logons | The number of times the user logged on successfully to this account. |
| Password expired | The password expiration information. |
| Priv | The level of privilege assigned to the user. |
| Workstations | The names of workstations from which the user can log on. |
| Password age | The number of seconds that have elapsed since the user password was last changed. |
User group

| Evidence data | Description |
| --- | --- |
| GID | The User Group ID. |
| Group name | The User Group Name. |
| User names | The User Names within the group. |
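As an added example, not part of the toolkit or playbook, the script below triages collected user records keyed by the field names in the User table above. The UF_* bit values and the Priv value for administrators are documented Windows constants; the record layout, the timestamp encoding of Last logon, and the sample records are assumptions constructed for the example.

```python
from datetime import datetime, timezone

# Windows user account control flag bits (documented UF_* values)
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_DONT_EXPIRE_PASSWD = 0x10000
USER_PRIV_ADMIN = 2  # Priv field value for administrator accounts
FLAG_NAMES = {UF_ACCOUNTDISABLE: "ACCOUNTDISABLE", UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
              UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD"}

def decode_flags(flags: int) -> set[str]:
    """Names of the known UF_* bits set in a collected Flags value."""
    return {name for bit, name in FLAG_NAMES.items() if flags & bit}

def triage_account(rec: dict, now: datetime, stale_days: int = 90,
                   bad_pw_threshold: int = 5) -> list[str]:
    """Findings for one user record keyed by the evidence field names above.
    Assumed encodings: 'Last logon' is a POSIX timestamp (0 = never),
    'Password age' is seconds since the last change (as the table states)."""
    findings = []
    flags = decode_flags(rec["Flags"])
    if "PASSWD_NOTREQD" in flags:
        findings.append("password not required")
    if "DONT_EXPIRE_PASSWD" in flags and rec["Priv"] == USER_PRIV_ADMIN:
        findings.append("administrator with non-expiring password")
    if rec["Bad PW count"] >= bad_pw_threshold:
        findings.append(f"{rec['Bad PW count']} bad password attempts")
    if rec["Password age"] > stale_days * 86400:
        findings.append(f"password unchanged for over {stale_days} days")
    if "ACCOUNTDISABLE" not in flags and rec["Last logon"]:
        idle = (now - datetime.fromtimestamp(rec["Last logon"], timezone.utc)).days
        if idle > stale_days:
            findings.append(f"enabled account idle for {idle} days")
    return findings

# Constructed sample records, not data collected by the toolkit
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"Username": "svc_backup", "Priv": USER_PRIV_ADMIN, "Bad PW count": 0,
     "Flags": UF_DONT_EXPIRE_PASSWD | UF_PASSWD_NOTREQD,
     "Password age": 400 * 86400, "Last logon": int(NOW.timestamp()) - 3600},
    {"Username": "jdoe", "Priv": 1, "Flags": 0, "Bad PW count": 12,
     "Password age": 10 * 86400, "Last logon": int(NOW.timestamp()) - 200 * 86400},
    {"Username": "olduser", "Priv": 1, "Flags": UF_ACCOUNTDISABLE, "Bad PW count": 0,
     "Password age": 30 * 86400, "Last logon": 0},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u["Username"], triage_account(u, NOW) or ["no findings"])
```

Thresholds are parameters so the same pass can be rerun with the dwell times and lockout policy of the environment under investigation.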