Is the domain account that EnCase is picking up from the same OS installation?
Could EnCase be showing a previously existing account (deleted), check the dates associated with that account and it's activity.
Have you got a test machine you can install Win 7 on, join it to a domain and see what changes are made.
When you booted into the cloned install were you able to log in with the local user account? Did you check the management console and see what user accounts were listed there?
Have you checked for this key in the registry?
Code::
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Current Version\Winlogon\
ValueName: CachedLogonsCount
Data Type: REG_SZ
Values: 0 - 50
source http://support.microsoft.com/kb/172931
↧