Network Users

Posted: Wed Nov 28, 2012 9:26 am

Hello,

On an image (Win 7 Home Premium) I have a few user profiles with material of interest, including the full folder structure; however, I cannot determine from the local SAM when those users last logged in etc., as they do not exist there.

If they were network/domain accounts there would obviously be nothing in the local SAM, but SIDs (different from the local ones) for those users should be available in $Recycle.Bin, even if nothing was moved there.

So I wonder whether there is any other way to find out more about those users from the image; perhaps someone accessed this PC remotely...

NTUSER.DAT is present and was created after OS Install.

Any clues?  

pajkow
Member
 
 
  

Re: Network Users

Posted: Wed Nov 28, 2012 9:45 am

Was the system part of a domain or corporate infrastructure?

Take a look at the last mod time on the NTUSER.DAT files in question to figure out when the users may have last logged out. From there, look in the Security Event Log to see if you can determine when (and from where) the users may have logged in.

You might also consider creating a timeline to get a better idea of what was going on and when.  

keydet89
Senior Member
 
 
  

Re: Network Users

Posted: Wed Nov 28, 2012 9:52 am

keydet89 – thanks

Yes, the last written time of NTUSER.dat will tell me when they last logged in. However, I need to know whether the particular user account was password protected.

In terms of event log – that’s a good point!

Do you have any docs explaining detailed examination of event logs from the image?  

pajkow
Member
 
 
  

Re: Network Users

Posted: Wed Nov 28, 2012 10:20 am

- pajkow

Yes, the last written time of NTUSER.dat will tell me when they last logged in. However, I need to know whether the particular user account was password protected.


Well, that's different from what you said before...

- pajkow

So I wonder whether there is any other way to find out more about those users from the image; perhaps someone accessed this PC remotely...


If the user accounts are not in the SAM, then you're not going to find that information on the system.

Since you didn't respond to my questions regarding the domain, I'm going to assume that this isn't the case.

I would look at the contents of the ProfileList Registry key in the Software hive and compare the SIDs for the users, perhaps the ones for your users in question will be different from those accounts that do exist in the SAM. If the system is not connected to a domain, then perhaps this is an instance of re-installing Windows over a previous version (kind of reaching here, I know...). That *might* account for what you're seeing. Without more information, it's difficult to tell...pretty much anything I could offer would be pure speculation and might not be of use at all.

- pajkow

In terms of event log – that’s a good point!

Do you have any docs explaining detailed examination of event logs from the image?


Well, there're my books, but if you don't understand what you're looking for, they won't be of much good to you.  

keydet89
Senior Member
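The ProfileList-versus-SAM comparison keydet89 recommends above can be mechanised once the relevant values have been pulled from the image. The following Python is an added example for this thread, not code from Forensic Focus, either poster, or RegRipper. It assumes a registry parser has already given you the raw V value of SAM\Domains\Account, the subkey names under SAM\Domains\Account\Users, and the ProfileList subkeys (SID and ProfileImagePath) from the Software hive; the hive bytes and SIDs below are constructed, and the verdict strings are my own.

```python
import struct

# Well-known SIDs whose profiles appear under ProfileList on every install and
# never have a SAM record (the "NetworkService"/"LocalService" profiles keydet89 asks about).
WELL_KNOWN_SIDS = {
    "S-1-5-18": "LocalSystem (systemprofile)",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
}


def machine_sid_from_account_v(v):
    """The last 12 bytes of SAM\\Domains\\Account\\V are the three sub-authorities of the machine SID."""
    a, b, c = struct.unpack("<III", v[-12:])
    return f"S-1-5-21-{a}-{b}-{c}"


def sam_rids(user_subkeys):
    """SAM\\Domains\\Account\\Users subkeys are RIDs in hex (000003E8 -> 1000); 'Names' is not one."""
    return {int(name, 16) for name in user_subkeys if name.lower() != "names"}


def classify_profiles(profile_list, machine_sid, rids):
    """profile_list: {SID: ProfileImagePath} read from
    Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList. Returns {SID: verdict}."""
    results = {}
    for sid in profile_list:
        if sid in WELL_KNOWN_SIDS:
            verdict = "service profile: " + WELL_KNOWN_SIDS[sid]
        elif sid.startswith(machine_sid + "-"):
            rid = int(sid.rsplit("-", 1)[1])
            if rid in rids:
                verdict = "local account, present in SAM"
            else:
                # Renaming an account keeps its RID, so a missing RID points to deletion
                # (or a SAM that does not belong to this profile set), not to a rename.
                verdict = "local machine SID but no SAM record: account deleted"
        else:
            verdict = ("foreign SID: domain account, or profile left by a previous "
                       "Windows installation with a different machine SID")
        results[sid] = verdict
    return results


# --- constructed sample data (not values from the thread's image) ---
SAMPLE_ACCOUNT_V = bytes(0x40) + struct.pack("<III", 1111111111, 2222222222, 3333333333)
SAMPLE_USER_SUBKEYS = ["000001F4", "000001F5", "000003E8", "000003E9", "Names"]
SAMPLE_PROFILE_LIST = {
    "S-1-5-18": r"%systemroot%\system32\config\systemprofile",
    "S-1-5-19": r"C:\Windows\ServiceProfiles\LocalService",
    "S-1-5-20": r"C:\Windows\ServiceProfiles\NetworkService",
    "S-1-5-21-1111111111-2222222222-3333333333-1000": r"C:\Users\A",   # RID 1000 exists in SAM
    "S-1-5-21-1111111111-2222222222-3333333333-1002": r"C:\Users\C",   # RID 1002 does not
    "S-1-5-21-4000000001-4000000002-4000000003-1000": r"C:\Users\D",   # different machine SID
}


def demo():
    machine_sid = machine_sid_from_account_v(SAMPLE_ACCOUNT_V)
    return classify_profiles(SAMPLE_PROFILE_LIST, machine_sid, sam_rids(SAMPLE_USER_SUBKEYS))


if __name__ == "__main__":
    for sid, verdict in demo().items():
        print(f"{sid:<50} {SAMPLE_PROFILE_LIST[sid]:<45} {verdict}")
```

The three non-service verdicts map onto the three explanations raised in the thread: a profile with the machine's own SID prefix whose RID is still in the SAM is a normal local account; the same prefix with no RID means the account was removed; a different S-1-5-21 prefix is either a domain account or, as keydet89 speculates, a profile left behind when Windows was reinstalled over an earlier copy.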
 
 
  

Re: Network Users

Posted: Tue Dec 04, 2012 12:52 pm

Alright, this is how it looks:

I have 4 accounts, say A, B, C, D.

Account A: the last written time in NTUSER.dat is approximately close to the last login time from the SAM registry – all OK.
Account B: the NTUSER.dat last written time is long BEFORE the last login time in the SAM registry – makes no sense at all. Plus NTUSER.dat is empty.

Account C – NTUSER.dat is OK and the last written time seems to be OK, and NTUSER.dat is not empty; however, there is no trace of this account in the SAM.

Account D – the NTUSER.dat last written time is very similar to Account B's; it is also empty inside, and there is no trace of this account in the SAM.

Now in the profile list in the SYSTEM hive only two accounts are present: Account A (last written time is the same as the NTUSER.dat relating to account A – all OK) and C (last written time similar to/after the last login of account B).

Internet browsing history relating to user B is stored in the local index.dat in AppData of account C – strange.

Used VMware – only two accounts exist on the live machine – A and B – so it looks like account C must have been renamed to account B.

So – I think this indicates that account B was renamed from account C or became corrupt.

BTW, perhaps anyone could send me a link to where exactly on Win 7 the info indicating whether an account is password protected or not is located.

In SAM\Domains\Account\Users we have three values:

Password Required (True/False)

HAS LAN Manager Password: (True/False) – I guess this is the network login, if used

HAS NTLMv2 Password (True/False)

Could anyone tell me which is responsible for password protection on the local machine if the computer is used only in a local workgroup?  

pajkow
Member
 
 
  

Re: Network Users

Posted: Tue Dec 04, 2012 1:39 pm

- pajkow
Alright, this is how it looks:

I have 4 accounts, say A, B, C, D.

Account A: the last written time in NTUSER.dat is approximately close to the last login time from the SAM registry – all OK.
Account B: the NTUSER.dat last written time is long BEFORE the last login time in the SAM registry – makes no sense at all. Plus NTUSER.dat is empty.

Account C – NTUSER.dat is OK and the last written time seems to be OK, and NTUSER.dat is not empty; however, there is no trace of this account in the SAM.

Account D – the NTUSER.dat last written time is very similar to Account B's; it is also empty inside, and there is no trace of this account in the SAM.


I think it would be really valuable to know if any of these account names are anything like "NetworkService" or "LocalService" or "DefaultUser".

- pajkow

Now in the profile list in the SYSTEM hive only two accounts are present: Account A (last written time is the same as the NTUSER.dat relating to account A – all OK) and C (last written time similar to/after the last login of account B).


You looked at the wrong key...the ProfileList key is located in the Software hive; if you found it in the System hive, you've been tricked - I'm not aware of the operating system using a key or value with that name within the System hive.

Okay, I know what folks are going to say...someone's going to respond with, "maybe he meant the Software hive...", and maybe that's the case. However, I have to go with the fact that the OP took the time to review what they'd written, and edited it appropriately before clicking "Submit".

So, could you (the OP) go back and check the Software hive, and also check for deleted keys?

- pajkow

Internet browsing history relating to user B is stored in the local index.dat in AppData of account C – strange.


That is strange...what's even stranger is how you were able to determine that...

- pajkow

Used VMware – only two accounts exist on the live machine – A and B – so it looks like account C must have been renamed to account B.

So – I think this indicates that account B was renamed from account C or became corrupt.


Interesting. Do you have any other data to support that theory? An Event Log entry indicating this, or something similar? For example, one thing you haven't addressed is the SIDs...

- pajkow

BTW, perhaps anyone could send me a link to where exactly on Win 7 the info indicating whether an account is password protected or not is located.

In SAM\Domains\Account\Users we have three values:

Password Required (True/False)

HAS LAN Manager Password: (True/False) – I guess this is the network login, if used

HAS NTLMv2 Password (True/False)

Could anyone tell me which is responsible for password protection on the local machine if the computer is used only in a local workgroup?


Just use any of the available password cracking tools (Cain and Abel, John the Ripper, OphCrack, etc.) to determine this...the "Password Not Required" flag has nothing to do with whether or not an account actually has a password.  

keydet89
Senior Member
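Two points from the exchange above lend themselves to a worked check: pajkow's comparison of each NTUSER.DAT last-written time against the last login recorded in the SAM (accounts A and B), and keydet89's reminder that the "Password Not Required" flag says nothing about whether a password is actually set. The Python below is an added example written for this thread, not code from either poster or from RegRipper. It assumes you have already carved the raw F value for a RID and the first 4 KiB of the matching NTUSER.DAT out of the image; the F-value offsets are those used by RegRipper's samparse (verify them against whatever parser you rely on), and all sample bytes are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Account control bits in the SAM "F" value (names as listed by RegRipper's samparse).
# 0x0004 is the bit keydet89 refers to as the "Password Not Required" flag.
ACB_FLAGS = {
    0x0001: "Account disabled",
    0x0002: "Home directory required",
    0x0004: "Password not required",
    0x0008: "Temporary duplicate account",
    0x0010: "Normal user account",
    0x0020: "MNS logon user account",
    0x0040: "Interdomain trust account",
    0x0080: "Workstation trust account",
    0x0100: "Server trust account",
    0x0200: "Password does not expire",
    0x0400: "Account auto locked",
}

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 and 'never' -> None."""
    if ft in (0, 0x7FFFFFFFFFFFFFFF):
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_sam_f(f):
    """Fields from SAM\\Domains\\Account\\Users\\<RID>\\F (offsets per RegRipper's samparse)."""
    acb = struct.unpack_from("<H", f, 0x38)[0]
    return {
        "rid": struct.unpack_from("<I", f, 0x30)[0],
        "last_login": filetime_to_datetime(struct.unpack_from("<Q", f, 0x08)[0]),
        "pwd_reset": filetime_to_datetime(struct.unpack_from("<Q", f, 0x18)[0]),
        "flags": [name for bit, name in ACB_FLAGS.items() if acb & bit],
        "failed_logins": struct.unpack_from("<H", f, 0x40)[0],
        "login_count": struct.unpack_from("<H", f, 0x42)[0],
    }


def hive_last_written(header):
    """Last-written time from a hive base block: FILETIME at offset 12 of the 'regf' header."""
    if header[:4] != b"regf":
        raise ValueError("not a registry hive header")
    return filetime_to_datetime(struct.unpack_from("<Q", header, 12)[0])


def assess(ntuser_header, sam_f, slack=timedelta(days=1)):
    """Cross-check one profile's NTUSER.DAT against its SAM record; returns a list of findings."""
    info = parse_sam_f(sam_f)
    hive_time = hive_last_written(ntuser_header)
    findings = []
    if info["last_login"] is None:
        findings.append("SAM records no logon for this RID")
    elif hive_time + slack < info["last_login"]:
        findings.append("NTUSER.DAT last written well before the last SAM logon: the profile hive "
                        "was not updated at that logon (the pattern pajkow reports for account B)")
    if "Password not required" in info["flags"]:
        findings.append("Password-not-required flag set: a policy bit, not proof the password is "
                        "blank; confirm with a hash audit as keydet89 suggests")
    return findings


# --- constructed sample data (not values from the thread's image) ---
def build_f(rid, last_login, acb, login_count):
    f = bytearray(0x50)
    struct.pack_into("<Q", f, 0x08, datetime_to_filetime(last_login))
    struct.pack_into("<I", f, 0x30, rid)
    struct.pack_into("<H", f, 0x38, acb)
    struct.pack_into("<H", f, 0x42, login_count)
    return bytes(f)


def build_hive_header(last_written):
    h = bytearray(4096)  # the base block is 4 KiB; only the first 20 bytes matter here
    h[:4] = b"regf"
    struct.pack_into("<Q", h, 12, datetime_to_filetime(last_written))
    return bytes(h)


UTC = timezone.utc
# Account A: hive written minutes after the SAM logon, ordinary account.
SAMPLE_F_A = build_f(1000, datetime(2012, 11, 20, 8, 0, tzinfo=UTC), 0x0010, 42)
SAMPLE_NTUSER_A = build_hive_header(datetime(2012, 11, 20, 8, 5, tzinfo=UTC))
# Account B: hive months older than the SAM logon, and the password-not-required bit set.
SAMPLE_F_B = build_f(1001, datetime(2012, 11, 20, 8, 0, tzinfo=UTC), 0x0010 | 0x0004, 7)
SAMPLE_NTUSER_B = build_hive_header(datetime(2012, 6, 1, 0, 0, tzinfo=UTC))

if __name__ == "__main__":
    for label, hdr, f in (("A", SAMPLE_NTUSER_A, SAMPLE_F_A), ("B", SAMPLE_NTUSER_B, SAMPLE_F_B)):
        print(label, parse_sam_f(f), assess(hdr, f))
```

The hive header timestamp is the same "last written time" pajkow reads with his tool, and the F value's logon timestamp is the SAM side of his comparison; the one-day slack keeps ordinary clock drift and logoff delays from being reported. Note that the F value yields only flags and timestamps: whether an NT or LM hash is actually present lives in the V value, which is why the flag alone cannot answer the "is it password protected" question.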
 
 