You might assume that the logon session begins when you connect to the share and then ends when you disconnect from it – usually when logging off your local workstation.
In all such cases you will need to look at the Logon Type specified in the logon event 528/540/4624.
A full list of Logon Types is given at the linked pages for those events, but in short: when you log on to your workstation or access a shared folder on a file server, you are not “logging onto the domain”.
In forensic situations, they provide an estimate of how long the user was logged on (as long as the user remains logged on, group policy will refresh about every 90 minutes), and can help to infer that the preceding authentication events for the same user were in conjunction with an interactive or remote desktop logon as opposed to a service or scheduled task logon.
What about the other service ticket related events seen on the domain controller?
In this case the same 528/4624 event is logged but the logon type indicates a “remote interactive” (aka Remote Desktop) logon. When looking at logon events we need to consider what type of logon we are dealing with: is this an interactive logon at the console of the server, indicating the user was physically present, or is it a remote desktop logon?
For that matter the logon could be associated with a service starting or a scheduled task kicking off.

If the workstation is a member of a domain, at this point it’s possible to authenticate to this computer using a local account or a domain account – or a domain account from any domain that this domain trusts. When the user logs on with a domain account, the local workstation can’t perform the authentication itself, because the account and its password hash aren’t stored locally.

Basically, after your initial authentication to the domain controller, which logs event 672/4768, you also obtain a service ticket (673/4769) for every computer you log on to, including your workstation, the domain controller itself (for the purpose of group policy) and any member servers, such as in connection with shared folder access. Then, as computers remain up and running and users remain logged on, tickets expire and have to be renewed, which all generate further Account Logon events on the domain controller. This accounts for repeated logon/logoff events on Windows file servers by the same user throughout the course of the day.
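The following script is an added example, not code from the original article. It shows how an analyst would apply the points above to exported event records: label each 4624 by its Logon Type, pick out the ones that imply a person at a keyboard (console or Remote Desktop) versus a service or scheduled task, count the repeated network logons a file server records for one user as tickets are renewed, and reconstruct the DC-side ticket trail (one 4768 TGT request, then a 4769 service ticket per computer touched) that precedes a given interactive or RDP logon. The event records are constructed here as plain dictionaries with made-up host and user names; a real workflow would populate them from the 4624/4768/4769 events exported from the member hosts and the domain controller.

```python
"""Interpret Windows logon events by Logon Type and follow the Kerberos
ticket trail on the domain controller.

Added example (not from the original article). The event records below
are constructed for illustration; in practice they would be filled from
exported 4624 (member hosts) and 4768/4769 (domain controller) events.
"""
from collections import Counter

# Logon Type values reported in event 4624 (standard Windows values).
LOGON_TYPES = {
    2: "Interactive (console)",
    3: "Network (shared folder, remote admin tools)",
    4: "Batch (scheduled task)",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials (runas /netonly)",
    10: "RemoteInteractive (Remote Desktop)",
    11: "CachedInteractive (cached domain credentials)",
}

# Logon Types that imply a person at a keyboard, locally or via RDP.
HUMAN_SESSION_TYPES = {2, 10, 11}

# Constructed sample records. 'ts' is minutes since an arbitrary start.
# 4624 records come from the member host that performed the logon;
# 4768 (TGT) and 4769 (service ticket) records come from the DC.
SAMPLE_EVENTS = [
    {"host": "DC01",  "id": 4768, "user": "alice", "ts": 0},
    {"host": "DC01",  "id": 4769, "user": "alice", "service": "WKS01$", "ts": 0},
    {"host": "WKS01", "id": 4624, "user": "alice", "logon_type": 2, "ts": 1},
    {"host": "DC01",  "id": 4769, "user": "alice", "service": "DC01$", "ts": 1},   # group policy
    {"host": "DC01",  "id": 4769, "user": "alice", "service": "FS01$", "ts": 30},
    {"host": "FS01",  "id": 4624, "user": "alice", "logon_type": 3, "ts": 30},
    {"host": "FS01",  "id": 4624, "user": "alice", "logon_type": 3, "ts": 95},     # ticket renewed
    {"host": "DC01",  "id": 4769, "user": "alice", "service": "SRV02$", "ts": 119},
    {"host": "SRV02", "id": 4624, "user": "alice", "logon_type": 10, "ts": 120},
    {"host": "SRV02", "id": 4624, "user": "svc_backup", "logon_type": 5, "ts": 121},
    {"host": "SRV02", "id": 4624, "user": "alice", "logon_type": 4, "ts": 180},
]


def describe_logon(event):
    """Return a human-readable label for a 4624 record's Logon Type."""
    lt = event.get("logon_type")
    return LOGON_TYPES.get(lt, f"Unknown logon type {lt}")


def human_sessions(events):
    """4624 records whose Logon Type implies a console or RDP session."""
    return [e for e in events
            if e["id"] == 4624 and e.get("logon_type") in HUMAN_SESSION_TYPES]


def network_logon_count(events, host):
    """Logon Type 3 (network) logons recorded by a host, counted per user.

    Several entries for one user are normal on a file server: each renewed
    service ticket produces a fresh network logon/logoff pair."""
    return Counter(e["user"] for e in events
                   if e["host"] == host and e["id"] == 4624
                   and e.get("logon_type") == 3)


def kerberos_trail(events, user):
    """Summarise the DC-side ticket events for one account: TGT requests
    (4768) and the service tickets (4769) issued per computer, in order."""
    tgts = sum(1 for e in events if e["id"] == 4768 and e["user"] == user)
    services = [e["service"] for e in events
                if e["id"] == 4769 and e["user"] == user]
    return {"tgt_requests": tgts, "service_tickets": services}


def preceding_dc_events(events, logon, window):
    """DC authentication events (4768/4769) for the same user within
    `window` minutes before a given 4624 record. This ties the DC's
    Account Logon events to a concrete interactive or RDP session."""
    lo, hi = logon["ts"] - window, logon["ts"]
    return [e for e in events
            if e["id"] in (4768, 4769) and e["user"] == logon["user"]
            and lo <= e["ts"] <= hi]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if ev["id"] == 4624:
            print(f'{ev["host"]:6} {ev["user"]:11} {describe_logon(ev)}')
    rdp = [e for e in human_sessions(SAMPLE_EVENTS) if e["logon_type"] == 10][0]
    print("DC events just before the RDP logon:",
          preceding_dc_events(SAMPLE_EVENTS, rdp, 5))
```

Running the script lists each 4624 with its Logon Type label, so the two type 3 entries on FS01 read as ticket renewals rather than a user logging on twice, and the type 5 and type 4 entries on SRV02 are separated from alice's genuine RDP session. The `preceding_dc_events` lookup is the step that lets you attribute a run of 4768/4769 events on the domain controller to that session rather than to a service or scheduled task.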