  • 9346 views
  • Published 4 years ago by 13Cubed

User Access Logging (UAL) Forensics

In this episode, we'll take a look at User Access Logging (UAL). This feature is built into Windows Server 2012 and later, is enabled by default, and can contain a wealth of forensic data that may not be available elsewhere. We'll start with the basics of this artifact, and then we'll see it all in action as we learn how to acquire and parse the UAL databases.

If you enjoy this video, please consider supporting 13Cubed on Patreon.

📖 Chapters
00:00 - Intro
02:47 - Acquiring the UAL Databases
05:05 - Using SumECmd and Database Repair
08:28 - Reviewing SumECmd Output
12:26 - Using KStrike
15:42 - Recap

🛠 Resources
A New Type of User Access Log
Getting Started with User Access Logging
SumECmd and Timeline Explorer
KStrike

#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics