Login count SAM

15 Posts
7 Users
0 Likes
6,516 Views
(@cotem)
Posts: 14
Active Member
Topic starter
 

Hi,

I'm investigating a WIN 8.1 system.

In the SAM registry hive, I see two manually created user accounts.

Both have a login count of "0" and a last logon time of "Never".

How is this possible when I know that the computer has been used a lot?

Thanks

 
Posted : 31/03/2015 12:27 am
nightworker
(@nightworker)
Posts: 134
Estimable Member
 

Did you look at the event log? Filter on the logon event IDs.

 
Posted : 31/03/2015 12:49 am
(@cotem)
Posts: 14
Active Member
Topic starter
 

> Did you look at the event log? Filter on the logon event IDs.

Is this something I can see in EnCase, because I can't use the live system?

 
Posted : 31/03/2015 12:54 am
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Try OSForensics by Passmark (www.passmark.com).

There is a 30 day trial version that will work.

1) Account Login Information

The "System Information" button will create a report listing all user accounts, like the below example (taken from OSForensics)

"Username [ID] Administrator [500]
Account Created Monday, March 30, 2015, 2:59:19 PM
Last Login Saturday, January 10, 2015, 2:06:28 PM
Password Reset Saturday, November 20, 2010, 10:57:24 PM
Password Fail Date Wednesday, January 21, 2015, 4:24:01 PM
Password Fail Count 4
Login Count 13
Notes *Password never expires* *Account disabled*"

NOTES

1. Mount your forensic image file read & write using FTK Imager (NOT read only)
2. Point OSForensics at the newly mounted volume (FTK Imager will tell you what drive letter the OS was mounted as, such as "J").

2) Event Log Viewer

Again with the forensic image file mounted in FTK Imager, run the "Recent Activity" button on the mounted OS drive letter.

OSForensics will extract out the Event Log and give you "Shutdown and System Boot" entries (see real example below)

Item,Event Log Type,Record ID (Windows),Type ID (Windows),User ID (Linux),User,Event Time,
Shutdown,System,120873,1074,,,1/21/2015, 11:25 AM,
System boot,System,120903,6009,,,1/21/2015, 11:26 AM,

Regards,

Larry

 
Posted : 31/03/2015 1:08 am
nightworker
(@nightworker)
Posts: 134
Estimable Member
 

Yes, you can do it with the EnCase event log parser, or you can export the .evtx files and read them with the Windows Event Log Viewer or whatever tool you want.

 
Posted : 31/03/2015 1:47 am
(@cotem)
Posts: 14
Active Member
Topic starter
 

Thanks to all, I'll try your solutions.

Doesn't explain why the registry is wrong though.

 
Posted : 31/03/2015 2:38 am
TuckerHST
(@tuckerhst)
Posts: 175
Estimable Member
 

> 1. Mount your forensic image file read & write using FTK Imager (NOT read only)

This seems to be an odd recommendation; however, I'll give you the benefit of the doubt. Would you mind explaining?

 
Posted : 31/03/2015 4:42 am
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Sure-

For some reason, OSForensics will not work with a virtual disk that has been mounted by FTK Imager as "read-only".

The metadata that OSForensics can report on about the FTK Imager "read/write" mounted virtual drive does not get altered by virtue of the forensic image file being mounted "read/write".

I am unsure why there is a need for the "read/write" setting to be turned on, but there it is.

 
Posted : 31/03/2015 7:05 am
TuckerHST
(@tuckerhst)
Posts: 175
Estimable Member
 

Fair enough, I was just curious. Sounds like Passware's issue, and anyway, it's not a major problem. That's what hashing is for. -)

 
Posted : 31/03/2015 9:08 am
(@twjolson)
Posts: 417
Honorable Member
 

> Thanks to all, I'll try your solutions.
>
> Doesn't explain why the registry is wrong though.

Why is the registry wrong? I would argue that the artifacts we find are never 'wrong' - we may just not understand why they are what they are.

What tool are you using? Maybe the program you are using hasn't been updated for Windows 8 (long shot, I know, but still worth trying), or has some other flaw. Try a second tool.

The other thing that popped into my head is that you are looking at local accounts, but what about domain accounts? Those are stored in the Security hive if I recall correctly.

Hope this can help,
Terry

 
Posted : 31/03/2015 1:05 pm
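Terry's point that the artifact is not wrong, and his suggestion to try a second tool, can be checked by decoding the SAM F value for each RID directly. This is an added example, not from the thread or from any tool named in it; it assumes the F value layout documented by RegRipper's samparse plugin and uses constructed bytes instead of a real hive:

```python
import struct
from datetime import datetime, timedelta, timezone

# Field offsets in the F value of SAM\Domains\Account\Users\<RID>, as documented by
# RegRipper's samparse plugin (assumed here, not stated in the thread); little-endian.
OFF_LAST_LOGON = 0x08   # FILETIME; 0 is what report tools render as "Never"
OFF_PWD_RESET = 0x18    # FILETIME of last password set
OFF_ACB_FLAGS = 0x38    # uint16 account control bits
OFF_FAIL_COUNT = 0x40   # uint16 failed logon count
OFF_LOGON_COUNT = 0x42  # uint16 successful logon count
ACB_DISABLED = 0x0001
ACB_PWNOEXP = 0x0200
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Convert 100 ns ticks since 1601-01-01 UTC; zero means the event never happened."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_f_value(f):
    """Decode the logon-related fields of one user's F value."""
    if len(f) < OFF_LOGON_COUNT + 2:
        raise ValueError("F value too short: %d bytes" % len(f))
    last_logon, = struct.unpack_from("<Q", f, OFF_LAST_LOGON)
    pwd_reset, = struct.unpack_from("<Q", f, OFF_PWD_RESET)
    flags, = struct.unpack_from("<H", f, OFF_ACB_FLAGS)
    fail_count, logon_count = struct.unpack_from("<HH", f, OFF_FAIL_COUNT)
    return {
        "last_logon": filetime_to_dt(last_logon),
        "pwd_reset": filetime_to_dt(pwd_reset),
        "disabled": bool(flags & ACB_DISABLED),
        "pwd_never_expires": bool(flags & ACB_PWNOEXP),
        "failed_count": fail_count,
        "login_count": logon_count,
    }

def make_f_value(last_logon_ft, pwd_reset_ft, flags, fails, logons):
    """Build a constructed 0x50-byte F value for testing; not a real hive artifact."""
    buf = bytearray(0x50)
    struct.pack_into("<Q", buf, OFF_LAST_LOGON, last_logon_ft)
    struct.pack_into("<Q", buf, OFF_PWD_RESET, pwd_reset_ft)
    struct.pack_into("<H", buf, OFF_ACB_FLAGS, flags)
    struct.pack_into("<HH", buf, OFF_FAIL_COUNT, fails, logons)
    return bytes(buf)

# Constructed samples: an account that never logged on (the question's case), and one like Larry's Administrator entry.
NEVER_USED = make_f_value(0, 130645440000000000, ACB_PWNOEXP, 0, 0)
ADMIN_LIKE = make_f_value(130653216000000000, 130645440000000000, ACB_PWNOEXP | ACB_DISABLED, 4, 13)
```

A zero FILETIME at offset 0x08 is exactly what a report renders as "Never", so if a second parser agrees with the first tool, the next place to look is the logon events in the exported event log rather than the SAM.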