Account usage can tell us a lot about a user's activity on a computer. This can include everything from when the user last logged in to when they last changed their password or used a remote access tool. When conducting a forensic investigation or incident response, we look for a range of evidence related to account usage, including:
- When the user last accessed the account in question
- Whether the user changed the password of an account
- Whether an attacker gained access to a system with Remote Desktop Protocol (RDP)
- Whether there were any suspicious login attempts related to an account
In a forensic investigation, artifacts related to account usage can show which user accounts did what in the lead-up to an event. They can show accounts logging in after hours, the creation of accounts with elevated privileges, which user accounts were responsible for the deletion of other accounts, or whether accounts were accessed remotely. All of this helps to build a picture of suspicious activity and to narrow down potential suspects.
The evidence gathered in relation to account usage can help piece together a timeline of how and when an incident occurred. It can also be used to determine how the attacker gained unauthorised access, or to show their motives for accessing a system.
In an incident response case, RDP and suspicious login events can be used to show how and when the attacker obtained access. This can then be used to determine what mitigation strategies a business can implement to reduce the risk of recurrence and improve protection.
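The account-usage evidence described above, worked through as an added example that is not part of the original article: a small Python script sorts constructed Windows Security log records into a timeline and flags the indicators the text lists (RDP logons, after-hours logons, repeated failed logons, creation of a privileged account, account deletion, password changes). The event IDs and logon type are standard Windows Security log values; the record field names, sample records and business-hours window are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime
# Well-known Windows Security event IDs relevant to account usage.
EVENT_NAMES = {
    4624: "logon", 4625: "failed logon", 4720: "account created",
    4726: "account deleted", 4723: "password change", 4724: "password reset",
    4732: "added to privileged group",
}
RDP_LOGON_TYPE = 10            # LogonType 10 = RemoteInteractive (RDP)
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 treated as normal hours (assumption)
FAILED_LOGON_THRESHOLD = 3     # flag an account once it reaches this many failures

def build_timeline(events):
    """Sort events by time; return (timeline, findings).
    Each event is a dict with 'time' (ISO 8601), 'id', 'user' and, where
    relevant, 'logon_type', 'source_ip' and 'target' (constructed field names)."""
    timeline, findings, failures = [], [], Counter()
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        name = EVENT_NAMES.get(ev["id"], f"event {ev['id']}")
        timeline.append((ts, ev["user"], name, ev.get("target", "")))
        if ev["id"] == 4624:
            if ev.get("logon_type") == RDP_LOGON_TYPE:
                findings.append(f"RDP logon by {ev['user']} from {ev.get('source_ip', '?')} at {ts}")
            if ts.hour not in BUSINESS_HOURS:
                findings.append(f"after-hours logon by {ev['user']} at {ts}")
        elif ev["id"] == 4625:
            failures[ev["user"]] += 1
            if failures[ev["user"]] == FAILED_LOGON_THRESHOLD:
                findings.append(f"{FAILED_LOGON_THRESHOLD} failed logons for {ev['user']} by {ts}")
        elif ev["id"] in EVENT_NAMES:  # account lifecycle and password events
            findings.append(f"{name}: {ev['user']} -> {ev.get('target', '?')} at {ts}")
    return timeline, findings

# Constructed sample records (not real log data) showing an after-hours RDP pattern.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:15:00", "id": 4624, "user": "alice", "logon_type": 2},
    {"time": "2024-03-01T23:40:00", "id": 4625, "user": "admin", "source_ip": "203.0.113.7"},
    {"time": "2024-03-01T23:40:05", "id": 4625, "user": "admin", "source_ip": "203.0.113.7"},
    {"time": "2024-03-01T23:40:09", "id": 4625, "user": "admin", "source_ip": "203.0.113.7"},
    {"time": "2024-03-01T23:41:30", "id": 4624, "user": "admin", "logon_type": 10,
     "source_ip": "203.0.113.7"},
    {"time": "2024-03-01T23:45:00", "id": 4720, "user": "admin", "target": "svc_backup"},
    {"time": "2024-03-01T23:45:10", "id": 4732, "user": "admin", "target": "svc_backup"},
    {"time": "2024-03-02T10:00:00", "id": 4723, "user": "alice", "target": "alice"},
]
if __name__ == "__main__":
    for finding in build_timeline(SAMPLE_EVENTS)[1]:
        print(finding)
```

Run against real records, the same logic gives the ordered timeline the text describes and a short list of the events worth examining first.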