Incident Response with EZTools - User Access Logging Forensics

SumECmd is bundled with EZTools. It processes Microsoft User Access Logs.

User Access Logging is a feature in Windows Server that aggregates client usage data by role and product on a local server. It helps Windows server administrators quantify requests from client computers for roles and services on a local server.

User Access Logging is a feature that “logs unique client access requests, in the form of IP addresses and user names, of installed products and roles on the local server.”

From an incident response perspective, responders need to know where to look for evidence that an attacker contacted a system. Traces of that contact remain in the user records, and UAL artifacts can help the responder correlate an account used by the attacker and the source IP address with actions performed remotely on systems.

User Access Logs can be found under C:\Windows\System32\LogFiles\SUM
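The account-to-source-IP correlation described above can be sketched as follows. This is an added example, not code from the original post or from EZTools: it pivots on a suspect IP address over UAL client records exported to CSV. The column names and the sample rows are assumptions constructed for illustration and are not confirmed SumECmd output headers.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. Column names are assumptions for this example,
# modelled on the fields UAL records (user name, IP address, role, dates).
SAMPLE_CSV = """AuthenticatedUserName,IpAddress,RoleDescription,InsertDate,LastAccess,TotalAccesses
corp\\alice,10.0.5.21,File Server,2023-01-04 08:12:00,2023-03-01 17:40:00,412
corp\\svc_backup,10.0.9.7,File Server,2023-01-02 01:00:00,2023-03-01 01:00:00,59
corp\\svc_backup,192.0.2.44,File Server,2023-02-27 23:51:00,2023-02-27 23:58:00,3
corp\\bob,192.0.2.44,Remote Access,2023-02-28 00:03:00,2023-02-28 00:09:00,2
"""


def load_records(text):
    """Parse exported UAL client records into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def pivot_on_ip(records, ip):
    """Return the accounts seen from `ip` and every other IP those accounts used.

    The second value highlights accounts that normally come from one address
    and suddenly appear from the suspect one.
    """
    accounts = sorted({r["AuthenticatedUserName"] for r in records
                       if r["IpAddress"] == ip})
    other = defaultdict(set)
    for r in records:
        if r["AuthenticatedUserName"] in accounts and r["IpAddress"] != ip:
            other[r["AuthenticatedUserName"]].add(r["IpAddress"])
    return accounts, {acct: sorted(ips) for acct, ips in other.items()}


def timeline_for_ip(records, ip):
    """List (first seen, last seen, account, role) for `ip`, oldest first."""
    rows = sorted((r for r in records if r["IpAddress"] == ip),
                  key=lambda r: r["InsertDate"])
    return [(r["InsertDate"], r["LastAccess"],
             r["AuthenticatedUserName"], r["RoleDescription"]) for r in rows]


if __name__ == "__main__":
    recs = load_records(SAMPLE_CSV)
    accounts, usual_ips = pivot_on_ip(recs, "192.0.2.44")
    print("Accounts seen from suspect IP:", accounts)
    print("Other IPs used by those accounts:", usual_ips)
    for row in timeline_for_ip(recs, "192.0.2.44"):
        print(row)
```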


User Access Logging (UAL) Forensics