LIFARS Technical Guide

In this article we will be focusing only on NTUSER.DAT and not on related registry hives or artifacts that are not located within NTUSER hive. This file which stores user profile and settings information can be useful in many use cases.

We can gain evidence of program executions, torrent clients, or other unapproved applications that should not be present on the workstation.

It can help us create rough timeline during forensic investigation or provide proof of tampering with file timestamps. Also, it can be very useful when searching for evidence of execution or access to specific file, or reassembling user activity. We can gain evidence of folder access/presence on the system, evidence of access or user activity.

It can help us gain insight in user behavior during investigation of disgruntled employee or insider threat, finding out if user opened malicious file or accessed sensitive documents. We can find evidence of execution for files accessed on network share or removable media. It is a good place to look for persistence created by PUA, trojans or malwares running under permissions of a user.

Read more here