
Basic User Analysis

7 Posts
6 Users
0 Likes
212 Views
(@patrick1981)
Posts: 5
Active Member
Topic starter
 

I did a quick search for this topic but feel free to shut it down if A. it has been covered already, B. it is too basic and/or C. it is too general.

Basically I am a new analyst and am working on my first case. Part of the request is to simply indicate all users of a particular system. General, I know.

I have a single .e01 image of a Windows 7 laptop and have immediate access to EnCase 6/7, FTK, IEF and NUIX. If other tools are better at performing this task, which I'll explain, then feel free to suggest, as we do have access to other tools, although these are the applications at my immediate disposal and, based on the question's seeming simplicity (albeit complex enough to me that I am seeking input), I assume they will be more than enough.

The only background I can divulge is that the laptop was thought to have been used by Mr. A however the only user profile I see under Windows - Users belongs to Mrs. B. My understanding is that it is being requested that we provide a list of all users who had direct access to the system in question. Of course this comes with the understanding of how difficult/impossible it can be to prove who was at the keyboard but general tips as to how a best-guess investigation regarding this type of request would still be appreciated.

I've conducted a keyword search for Mr. A's name which returned results in various categories of IEF however I'm having trouble determining how to interpret the results, i.e. an email from Mr. A could mean the system user was reading an email from Mr. A and not that Mr. A was the system user checking his email.

I know it is an extremely basic question so feel free to ignore as it may simply be too general, but I thought I'd ask just in case someone felt like jotting down a few "Idiot's Guide to Determining System Users" tips.

Thanks in advance.

 
Posted : 24/01/2015 12:09 am
(@deltron)
Posts: 125
Estimable Member
 

The only background I can divulge is that the laptop was thought to have been used by Mr. A however the only user profile I see under Windows - Users belongs to Mrs. B. My understanding is that it is being requested that we provide a list of all users who had direct access to the system in question. Of course this comes with the understanding of how difficult/impossible it can be to prove who was at the keyboard but general tips as to how a best-guess investigation regarding this type of request would still be appreciated.

Did a quick look at your question, may have interpreted it wrong; first, you are mainly trying to see if Mr. A had a profile on the computer, but you are only finding Mr. B having a profile on the computer? Do you know for a fact that Mr. A ever had a profile? Did he use someone else? What users did you pull from the registry? Have you looked in the Reg? Any shadow copies you can roll back to, maybe he had a profile that is no longer on the computer. IDK, just spitting out quick ideas.

 
Posted : 24/01/2015 2:27 am
(@jerryw)
Posts: 56
Trusted Member
 

A good source of information is the web browser history. You might particularly consider the 'autofill' results, where the user has entered details into online forms. Therefore you may have names, address, dates of birth, email addresses.

You say you have access to IEF, that will readily show you those categories for the main browsers in use.

 
Posted : 24/01/2015 2:56 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Here's a start
http://windowsir.blogspot.com/2013/07/howto-determine-users-on-system.html

I get that your goal is to "indicate all users of a particular system", but the fact is, you're not going to be able to do that. Mrs. B could have been logged in and walked away, and Mr. A could have used the system using Mrs. B's account.

All you're going to be able to show are the user profiles on the system. With Windows, you can create an account, but the profile isn't created until the user logs in for the first time, so it's possible to have multiple local accounts, but only a few profiles.

HTH

 
Posted : 24/01/2015 5:35 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

… for that matter, Mr. A could have opened the desk drawer of Mr. B (the top one on the left ;) ) and got from the post-it in it Mr. B's password.

Making a complete timeline would be IMHO useful, as if - say - there is a login with Mr. B's credentials on a day when Mr. B was on leave or at a time when he was known for sure to be somewhere else, you may have proof that the account credentials were compromised (not necessarily by Mr. A, however; the culprit could be Mr. C who snooped on the e-mails of BOTH Mr. A and Mr. B ? ).

jaclaz

 
Posted : 24/01/2015 9:47 pm
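One concrete form of the timeline check jaclaz describes (a logon to an account at a time its owner is documented as absent) is below. This is an added example, not code from the thread or from any of the tools mentioned in it. The event records are constructed sample data in the shape of fields an analyst would already have parsed out of Security.evtx logon events (event ID 4624: time, account name, logon type); parsing the .evtx file itself is assumed to have been done with whatever tool is at hand, and the absence periods are assumed to come from HR or calendar records.

```python
"""
Flag interactive logons to an account during periods when the account's
owner is known to have been away.

Added example; not part of the forum thread. EVENTS and ABSENCES are
constructed sample data, not real case data.
"""
from datetime import datetime

# Logon types from event 4624 that imply a person at a keyboard or an RDP
# session: 2 console, 7 workstation unlock, 10 remote interactive, 11 cached
# credentials. Service (5), network (3) and batch (4) logons are excluded
# because they do not show someone physically using the account.
INTERACTIVE_LOGON_TYPES = {2, 7, 10, 11}

# Constructed sample records: (TimeCreated, EventID, TargetUserName, LogonType)
EVENTS = [
    ("2015-01-12 08:02:11", 4624, "mrs.b", 2),
    ("2015-01-13 08:10:40", 4624, "mrs.b", 2),
    ("2015-01-14 13:37:05", 4624, "mrs.b", 2),     # console logon during her leave
    ("2015-01-14 13:38:00", 4624, "mrs.b", 5),     # service logon, not a person
    ("2015-01-15 09:00:00", 4672, "mrs.b", None),  # privilege assignment, not a logon
    ("2015-01-19 08:05:00", 4624, "mrs.b", 7),
]

# Constructed: periods when the account owner is documented as absent
# (account name -> list of (start, end) in the same timestamp format).
ABSENCES = {"mrs.b": [("2015-01-14 00:00:00", "2015-01-16 23:59:59")]}

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_ts(text):
    """Turn a timestamp string into a datetime so ranges can be compared."""
    return datetime.strptime(text, TS_FORMAT)


def suspicious_logons(events, absences):
    """Return (time, account, logon_type) for every interactive 4624 event
    whose account owner was documented as absent at that moment."""
    hits = []
    for ts, event_id, user, logon_type in events:
        if event_id != 4624 or logon_type not in INTERACTIVE_LOGON_TYPES:
            continue
        when = parse_ts(ts)
        for start, end in absences.get(user.lower(), []):
            if parse_ts(start) <= when <= parse_ts(end):
                hits.append((ts, user, logon_type))
    return hits


if __name__ == "__main__":
    for ts, user, logon_type in suspicious_logons(EVENTS, ABSENCES):
        print(f"{ts}  {user}  logon type {logon_type}: owner documented absent")
```

A hit from this check does not identify who was at the keyboard; it only shows that the credentials were used when the owner could not have used them, which is the point jaclaz makes about proving compromise rather than proving the culprit.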
(@athulin)
Posts: 1156
Noble Member
 

My understanding is that it is being requested that we provide a list of all users who had direct access to the system in question.

In addition to what has already been noted

The file system and the registry registers file/key owners in the form of a SID. Those may provide additional information.

You may have Windows event logs in which activities of SIDs can be found.

You may also want to keep an eye out for 'holes' in the SID/RID sequence of accounts found in the SAM; those are (I believe) accounts that have been removed. You may not be able to identify the users (unless you find a file or registry entry created by that account and which contains a name or other identification), but at least you'll be able to say that there are X users unaccounted for. You may even be able to say during what time such an account was created.

 
Posted : 24/01/2015 9:51 pm
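The two registry points made above, keydet89's (accounts exist in the SAM but a profile only appears once the account has logged on) and athulin's (a hole in the RID sequence usually marks a deleted account), can be cross-checked in one pass once the key names have been pulled from the hives. The example below is added here and is not code from the thread or from any tool it mentions. It assumes the two inputs an analyst would export from the image: the subkey names under SAM\SAM\Domains\Account\Users (one per local account, named by the RID in zero-padded hex, plus a "Names" subkey that is not an account) and the subkey names under SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList (one per profile that has actually been created, named by the full SID). The machine SID and all key names are constructed sample values; reading the hives themselves is left to whatever registry parser is available.

```python
"""
Cross-check local accounts (SAM) against created profiles (ProfileList) and
report gaps in the RID sequence.

Added example; not part of the forum thread. MACHINE_SID, SAM_USER_SUBKEYS
and PROFILELIST_SUBKEYS are constructed sample data in the shape of the
registry key names an analyst would export from the hives.
"""

MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

# Constructed: subkey names under SAM\SAM\Domains\Account\Users. The RID is
# the hex key name (000003E8 == 1000). "Names" is a lookup subkey, not an account.
SAM_USER_SUBKEYS = ["000001F4", "000001F5", "000003E8", "000003E9", "000003EC", "Names"]

# Constructed: subkey names under ProfileList. Service SIDs (S-1-5-18/19/20)
# appear here too and are not local user accounts.
PROFILELIST_SUBKEYS = [
    "S-1-5-18", "S-1-5-19", "S-1-5-20",
    f"{MACHINE_SID}-1000",
    f"{MACHINE_SID}-1002",   # profile left behind by an account no longer in the SAM
    f"{MACHINE_SID}-1004",
]

WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}
FIRST_USER_RID = 1000  # Windows allocates ordinary local accounts from RID 1000 upward


def sam_rids(subkeys):
    """Sorted RIDs of the account subkeys; non-hex names such as 'Names' are skipped."""
    rids = []
    for name in subkeys:
        try:
            rids.append(int(name, 16))
        except ValueError:
            continue
    return sorted(rids)


def profile_rids(subkeys, machine_sid):
    """RIDs of ProfileList entries that belong to this machine's local accounts."""
    prefix = machine_sid + "-"
    return sorted(int(s[len(prefix):]) for s in subkeys if s.startswith(prefix))


def rid_gaps(rids, first=FIRST_USER_RID):
    """RIDs missing between FIRST_USER_RID and the highest RID present.
    RIDs are issued sequentially and not reused, so each hole is a likely
    deleted account (the 'holes' athulin describes)."""
    user_rids = [r for r in rids if r >= first]
    if not user_rids:
        return []
    present = set(user_rids)
    return [r for r in range(first, max(user_rids) + 1) if r not in present]


def classify(sam_subkeys, profile_subkeys, machine_sid=MACHINE_SID):
    """Bucket RIDs by what the two hives say about them."""
    accounts = set(sam_rids(sam_subkeys))
    profiles = set(profile_rids(profile_subkeys, machine_sid))
    return {
        "accounts_with_profile": sorted(accounts & profiles),      # has logged on at least once
        "accounts_never_logged_on": sorted(accounts - profiles),   # exists, no profile yet
        "profiles_without_account": sorted(profiles - accounts),   # account deleted, profile remains
        "deleted_rid_gaps": rid_gaps(sorted(accounts)),
    }


if __name__ == "__main__":
    for bucket, rids in classify(SAM_USER_SUBKEYS, PROFILELIST_SUBKEYS).items():
        labels = [f"{r} ({WELL_KNOWN_RIDS[r]})" if r in WELL_KNOWN_RIDS else str(r) for r in rids]
        print(f"{bucket}: {', '.join(labels) or '-'}")
```

On the constructed data this reports RIDs 1000 and 1004 as accounts with profiles, 500, 501 and 1001 as accounts that never logged on, 1002 as a profile whose account is gone, and 1002 and 1003 as holes in the sequence; the username behind a hole still has to come from elsewhere (the profile directory, the "Names" subkey, or file and key owners recorded by SID), as athulin notes.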
(@patrick1981)
Posts: 5
Active Member
Topic starter
 

Thanks so much for the help! This is more than enough to get me going, I really appreciate it.

Deltron, thanks for the advice. I am going to look at the registry now and see if there are any shadow volume copies that can be processed.

JerryW, I hadn't thought about the 'autofill' results. I will look at what IEF turns up regarding browsers and follow up on that. Thanks!

Keydet89, thanks for the insight. I was leaning towards that conclusion but wanted confirmation from the community before I resolved myself to the reality that there's not much that can be done to prove who was behind the keyboard. Thanks for the help and that link is awesome!

Jaclaz, I hadn't thought of much so it is no surprise that timeline analysis was another tactic that I hadn't considered. It makes perfect sense though and would definitely be useful, thanks!

Athulin, wow. I really hadn't thought or heard of looking for 'holes' in the SID sequence. I'll definitely look into that and bring this concept up with my colleagues. Thanks for the tip!

 
Posted : 26/01/2015 8:13 pm