Windows Local-User Login-Count Decoder
This script decodes the login-count for local user accounts stored in SAM Registry hive files in the current case.
Output/feedback is by way of bookmarks and the console window.
The files specified by the user will only be processed if they have the name 'SAM'.
The login-count is assumed to be located at offset 66 in the 'F' Registry value for each user.
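The decoding step described above, as an added Python example (not the EnScript itself and not code from its author). It reads the login count at offset 66 of raw 'F' value bytes and goes slightly beyond the page by also decoding the RID, last-login time and failed-login count. Assumptions: the 16-bit little-endian field width and the other offsets come from the commonly documented 'F' layout, the case-insensitive file-name match is assumed, and all function names and sample values are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

LOGIN_COUNT_OFFSET = 66   # offset stated on the page
# Assumed (not from the page): 16-bit little-endian counters, and the other
# offsets, taken from the commonly documented layout of the 'F' value.
LAST_LOGIN_OFFSET = 8     # 64-bit FILETIME
RID_OFFSET = 48           # 32-bit relative identifier
FAILED_COUNT_OFFSET = 64  # 16-bit failed-login count

def filetime_to_utc(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 means never."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def decode_f_value(f):
    """Decode selected fields of one user's 'F' value; reject truncated data."""
    if len(f) < LOGIN_COUNT_OFFSET + 2:
        raise ValueError(f"'F' value too short: {len(f)} bytes")
    (last_login,) = struct.unpack_from("<Q", f, LAST_LOGIN_OFFSET)
    (rid,) = struct.unpack_from("<I", f, RID_OFFSET)
    failed, logins = struct.unpack_from("<HH", f, FAILED_COUNT_OFFSET)
    return {"rid": rid, "last_login": filetime_to_utc(last_login),
            "failed_count": failed, "login_count": logins}

def process_hive(file_name, users):
    """Apply the page's filter (file must be named 'SAM'), then decode each user."""
    if file_name.upper() != "SAM":   # case-insensitive match is an assumption
        return {}
    out = {}
    for key_name, f in users.items():
        try:
            out[key_name] = decode_f_value(f)
        except ValueError as exc:    # keep going; report the bad record
            out[key_name] = {"error": str(exc)}
    return out

def build_sample_f(rid, logins, failed=0, last_login=0):
    """Constructed 80-byte 'F' value for the demo (not real case data)."""
    f = bytearray(80)
    struct.pack_into("<Q", f, LAST_LOGIN_OFFSET, last_login)
    struct.pack_into("<I", f, RID_OFFSET, rid)
    struct.pack_into("<HH", f, FAILED_COUNT_OFFSET, failed, logins)
    return bytes(f)

# Constructed sample: user key names mapped to raw 'F' bytes.
SAMPLE = {"000001F4": build_sample_f(500, 37, last_login=133_000_000_000_000_000),
          "000003E9": build_sample_f(1001, 300, failed=2),
          "000003EA": b"\x00" * 40}  # truncated value, reported as an error
```

Calling process_hive("SAM", SAMPLE) returns one record per user key; the 300 in the second record only decodes correctly if the counter is read as two bytes rather than one.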
For additional information, please see the following Twitter post:
This script was developed for use in EnCase training. For more details, please click the following link: