Users are Windows account identities that may be associated with system activity, logon sessions, running processes, services, and other user-context data. During normal system operation, user account information may be present in memory while accounts are active, recently used, or referenced by operating system components. The Memory Users artifact in ArtiFast is used to display user account entries that were recovered during memory analysis.
The Memory Users artifact can provide useful identity context during memory-based investigations. User account information recovered from memory may help show which Windows accounts were present, referenced, or active enough to be captured during acquisition. This information may assist in connecting memory-based activity to a specific account when it is reviewed with related artifacts such as processes, sessions, handles, services, and network activity.
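The cross-referencing described above can be scripted once the user and process entries have been exported. The following is an added example, not ArtiFast's own code and not its export schema: the field names (`name`, `sid`, `pid`, `owner_sid`) and all record values are constructed for illustration. It joins recovered user entries to process owners by SID, labels the well-known built-in service SIDs, and separates accounts that owned running processes from accounts that were merely referenced in memory and from owner SIDs with no recovered user record.

```python
"""Correlate user entries recovered from memory with process owner SIDs.

Added example with constructed data; the record layout is hypothetical and
does not represent ArtiFast's Memory Users or process artifact format.
"""
from collections import defaultdict

# Well-known Windows SIDs for built-in service accounts (real values).
WELL_KNOWN_SIDS = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}

# Constructed machine/domain SID prefix used by the sample records below.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"

# Constructed user entries, as a Memory Users export might list them.
MEMORY_USERS = [
    {"name": "alice", "sid": f"{DOMAIN}-1001"},
    {"name": "bob", "sid": f"{DOMAIN}-1002"},
    {"name": "svc_backup", "sid": f"{DOMAIN}-1105"},
]

# Constructed process entries with the SID of the owning account.
PROCESSES = [
    {"pid": 4, "name": "System", "owner_sid": "S-1-5-18"},
    {"pid": 4412, "name": "explorer.exe", "owner_sid": f"{DOMAIN}-1001"},
    {"pid": 5120, "name": "powershell.exe", "owner_sid": f"{DOMAIN}-1001"},
    {"pid": 2080, "name": "backupagent.exe", "owner_sid": f"{DOMAIN}-1105"},
    {"pid": 6633, "name": "updater.exe", "owner_sid": f"{DOMAIN}-1250"},
]


def correlate(users, processes):
    """Join user entries to process owners by SID.

    Returns a dict with three views:
      active          -> account label -> sorted PIDs it owned
      referenced_only -> user names recovered from memory that own no process
      unmatched_sids  -> owner SIDs with no recovered user record (and not
                         a well-known built-in account)
    """
    names = {u["sid"]: u["name"] for u in users}
    owned = defaultdict(list)
    for p in processes:
        owned[p["owner_sid"]].append(p["pid"])

    active = {}
    for sid, pids in owned.items():
        # Prefer the recovered account name; fall back to built-in labels.
        label = names.get(sid) or WELL_KNOWN_SIDS.get(sid)
        if label:
            active[label] = sorted(pids)

    referenced_only = sorted(u["name"] for u in users if u["sid"] not in owned)
    unmatched_sids = sorted(
        sid for sid in owned if sid not in names and sid not in WELL_KNOWN_SIDS
    )
    return {
        "active": active,
        "referenced_only": referenced_only,
        "unmatched_sids": unmatched_sids,
    }


if __name__ == "__main__":
    report = correlate(MEMORY_USERS, PROCESSES)
    for label, pids in report["active"].items():
        print(f"{label}: owns processes {pids}")
    print("referenced in memory, no owned process:", report["referenced_only"])
    print("process owner SIDs with no user record:", report["unmatched_sids"])
```

Accounts that land in `referenced_only` are the ones the artifact helps surface: present in memory without a live process, so they need to be checked against session and service artifacts rather than dismissed. Entries in `unmatched_sids` point to owner SIDs whose account record was not recovered, which is a prompt to look at the registry or domain-side sources for the name.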
The Memory Users artifact is not recovered from a fixed Windows system folder in the same way as registry hives, event logs, or application databases. These records are produced during memory forensic processing and are parsed from the forensic output generated from the acquired memory image.
This section will discuss how to use ArtiFast to extract the Memory Users artifact from Windows devices’ volatile data and what kind of digital forensics insights we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select the MemoryUsers artifact parser:
Once the ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the Memory Users artifact in ArtiFast.
Memory Users
For more information or suggestions please contact: ali.tora@forensafe.com