User Folders
Overview
Evidence: User Folders
Description: Collect User Folders Information
Category: System
Platform: windows
Short Name: usrfldrs
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Windows creates a profile folder for each user account under C:\Users. Each user folder contains subfolders for Documents, Desktop, AppData, and other user-specific data. The timestamps on these folders can indicate when user accounts were created, last accessed, or modified.
User folder enumeration provides a complete inventory of user accounts that have logged on to the system and can reveal dormant, deleted, or unauthorized accounts.
Data Collected
This collector gathers structured data about user folders.
User Folders Data
| Field | Description | Example |
|---|---|---|
| Path | Full path to user folder | C:\Users\user |
| FileModified | Folder modification timestamp | 2023-10-15T14:30:00 |
| FileAccessed | Folder access timestamp | 2023-10-15T15:45:00 |
| FileCreated | Folder creation timestamp | 2023-10-01T10:00:00 |
Collection Method
This collector:
- Searches for all folders under Users\*
- Filters to only include directories (not files)
- Retrieves MAC timestamps for each folder
- Records full folder paths
Forensic Value
User folder timestamps help identify user account activity and profile creation. Investigators use this data to enumerate all user accounts on the system, identify when accounts were created, detect dormant or unused accounts, track recent user activity, identify deleted user profiles, and establish user account timelines.
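The collection steps and the dormant-account check described above can be reproduced for triage with the sketch below. It is an added example, not the collector's own code; the function names, the 90-day threshold, the choice not to follow links, and the sample tree are assumptions made for illustration.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone

def _iso(ts):
    # Epoch seconds -> UTC timestamp in the format shown in the table above.
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")

def collect_user_folders(users_root):
    """One record per directory directly under users_root (files are skipped)."""
    records = []
    with os.scandir(users_root) as entries:
        for entry in entries:
            # Assumption: links are not followed; the page does not say how
            # the collector treats them.
            if not entry.is_dir(follow_symlinks=False):
                continue
            st = entry.stat(follow_symlinks=False)
            # Creation time: st_birthtime where the platform exposes it;
            # otherwise st_ctime (creation on Windows, inode change on Linux).
            created = st.st_birthtime if hasattr(st, "st_birthtime") else st.st_ctime
            records.append({
                "Path": entry.path,
                "FileModified": _iso(st.st_mtime),
                "FileAccessed": _iso(st.st_atime),
                "FileCreated": _iso(created),
            })
    return sorted(records, key=lambda r: r["Path"])

def dormant_profiles(records, now, max_age_days=90):
    """Paths whose FileModified is older than max_age_days (hypothetical threshold)."""
    cutoff = now - timedelta(days=max_age_days)
    return [r["Path"] for r in records
            if datetime.fromisoformat(r["FileModified"]).replace(tzinfo=timezone.utc) < cutoff]

def build_sample(root):
    # Constructed sample tree: two profile folders and one stray file.
    os.mkdir(os.path.join(root, "alice"))
    old = os.path.join(root, "svc_old")
    os.mkdir(old)
    os.utime(old, (1672531200, 1672531200))  # 2023-01-01T00:00:00 UTC
    with open(os.path.join(root, "desktop.ini"), "w") as fh:
        fh.write("")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # on a live host: r"C:\Users"
        build_sample(root)
        recs = collect_user_folders(root)
        for r in recs:
            print(r)
        print("dormant:", dormant_profiles(recs, datetime.now(timezone.utc)))
```

A folder's modification time changes only when entries directly inside it are added, removed, or renamed, so a profile flagged here is a lead to check against logon records, not proof of inactivity.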