Include SID in reports

I work in a state hospital that houses sexual predators. They have a network of computers that allow them to access the Nexis Lexis web site for legal research only. It is secured by IPFire firewall and Squid proxy and url filter.

The predators do not have individual accounts, but many users use a generic login that is limited to a specific computer. The only way we have to identify who was using a computer at a specific time is to examine video footage to see who was on a specific computer at a specific time.

I found a massive amount of child pornography that has been copied to various folders, either looked at or copied, then the folders deletd. Autopsy finds the orphaned files quite well, but given that we do not have individual accounts for them, I am really in need of the SID that is shown as below:

In a report, preferably with each photo thumbnail as in this picture.

Sleuthkit Help2

This way we can pinpoint exactly which computer put the files there, and via video of the PC, which predator has the thumbdrive.

I hope these pictures show up, and I hope someone can help.

Thank you
Tim

1 Like

I just wanted to clarify, it is a large campus, and each living unit has 2 computers. Each are part of a domain and the user account for each computer automatically logs in on boot. The SID allows me to verify which user account, and therefore which computer since it is an automatic login limited to a single computer. From there we can look at video to see who was at the computer when the CP was introduced to the system. Having the SID on each picture just allows for a faster linkage of the image to the perpetrator. Thanks.

Me gustaría conocer un poco más de tu investigación. Para poder analizar un disco con un caso similar.