SAM Hive File Course

This course explains forensic artifacts found in the SAM (Security Account Manager) file, which stores and organizes information about each user on a system.

50 minutes

Course description

This course demonstrates how to identify each user account on a local machine using the relative identifier. Examiners can also learn to interpret username information including the users’ login dates, times and login count. The course will show how to identify the machine that the user account was created on, by interpreting a users’ SIDs (machine/domain identifiers) and recovering user password hashes.


Other Types of User Accounts

Video - 00:19:00

This video provides an overview of how to locate the identifiers of domain user accounts on a local machine. Includes an explanation of user groups and permissions.
Password Hashes

Video - 00:04:00

In this video, you'll look at an explanation of how user password hashes are stored on the local machine and how to extract the password hash.
User Accounts (RIDs)

Video - 00:12:00

In this video, you'll look at RIDs. These identify an individual user on a local machine.
Security Identifiers

Video - 00:07:00

Explore security identifiers, which identify the machine that the user account was created on. These are helpful to identify remote users and Microsoft accounts that were created on another system.
SAM File Overview

Video - 00:08:00

An overview of the security account manager (SAM file). Tracks information regarding user accounts on the local system.

Meet the author

Denise Duffy

In addition to being an Infosec instructor, Denise Duffy teaches computer forensics worldwide to European law enforcement through the European Anti-Fraud Office. During her 25-year career at the Middletown Police Department, Denise underwent extensive training in specialized computer and mobile device forensics, including widespread access data courses, multiple IACIS trainings, U.S. Secret Service Training at the National Computer Forensics Institute, BlackBag Technologies Training, many National White Collar Crime (NW3C) courses, an X-Ways online course and considerable Internet Crimes Against Children Training (ICAC) courses.

Denise currently holds the following certifications: CFCE (Certified Forensic Computer Examiner), CCFE (Certified Computer Forensics Examiner), CMFE (Certified Mobile Forensics Examiner) and CEH (Certified Ethical Hacker). She is most proud of her two sons who joined the U.S. Military, as Denise is a Desert Shield/Desert Storm veteran herself.

Unlock 7 days of free training

  • 1,400+ hands-on courses and labs
  • Certification practice exams
  • Skill assessments

Associated NICE Work Roles

All Infosec training maps directly to the NICE Workforce Framework for Cybersecurity to guide you from beginner to expert across 52 Work Roles.

  • Cyber Operator
  • Law Enforcement / Counterintelligence Forensics Analyst
  • Cyber Defense Forensics Analyst

Plans & pricing

Infosec Skills Personal

$299 / year

  • 190+ role-guided learning paths (e.g., Ethical Hacking, Threat Hunting)
  • 100s of hands-on labs in cloud-hosted cyber ranges
  • Custom certification practice exams (e.g., CISSP, Security+)
  • Skill assessments
  • Infosec peer community support

Infosec Skills Teams

$799 per license / year

  • Team administration and reporting
  • Dedicated client success manager
  • Single sign-on (SSO)
    Easily authenticate and manage your learners by connecting to any identity provider that supports the SAML 2.0 standard.
  • Integrations via API
    Retrieve training performance and engagement metrics and integrate learner data into your existing LMS or HRS.
  • 190+ role-guided learning paths and assessments (e.g., Incident Response)
  • 100s of hands-on labs in cloud-hosted cyber ranges
  • Create and assign custom learning paths
  • Custom certification practice exams (e.g., CISSP, CISA)
  • Optional upgrade: Guarantee team certification with live boot camps

Learn about scholarships and financing with

Affirm logo

Award-winning training you can trust