SAM Account Time Confusion
SAM Account Time Confusion

Post Posted: Wed Oct 10, 2018 3:18 pm

Hi everyone,

I've been racking my brain trying to figure out why a local admin account is displaying weird time stamps for created, last login, and password change. I exported the SAM hive and viewed it in Registry Explorer.

Created: 2018-02-02
Last login: 2015-04-23
Password last changed: 2017-09-25

Could the password last changed perhaps be 2 years after the last login because it was changed by another account on the system? As for created being 3 years after the last login, could this be because the account was at one point disabled, then re-enabled?

Any thoughts?  

bkkchop
Newbie

Re: SAM Account Time Confusion

Post Posted: Thu Oct 11, 2018 6:53 am

- bkkchop
Created: 2018-02-02
Last login: 2015-04-23
Password last changed: 2017-09-25

Have you checked the install date for the OS? I have seen it where there is a service pack update rolled out, and it changed the install date of the OS to after documents were created. So documents on the system will show a January 2017 created date, but the install date of the OS would be August 2017. This might help resolve your created date issue.  

kastajamah
Member

Re: SAM Account Time Confusion

Post Posted: Thu Oct 11, 2018 8:07 am

Thanks kastajamah,

I appreciate the reply. It looks like the install date was 1420091339 (01 January 2015) converted from Unix time. More info on the system: it's Windows 7 Pro, SP 1, Build 7601, information coming from SOFTWARE\Microsoft\Windows\CurrentVersion.

bkkchop
Newbie

Re: SAM Account Time Confusion

Post Posted: Thu Oct 11, 2018 8:56 am

- bkkchop
I exported the SAM hive and viewed it in Registry Explorer.

What exact tool did you use? I find three or four possibilities ...

- bkkchop
Created: 2018-02-02
Last login: 2015-04-23
Password last changed: 2017-09-25

That seems to be part of the problem. The F and V subkeys contain (based on the information found in www.ijfcc.org/vol5/455-F005.pdf, but as it doesn't cite any obviously trustworthy sources, I'd be careful) timestamps for

lockout
account creation
last login

'Password last change' is not part of the data. So from where does your tool get it? You need to find out. That's probably where the problem is.

(I might guess that it is a misinterpretation of the LastWriteTime attribute found in registry key information, and documented for example here: docs.microsoft.com/en-...formation. Perhaps someone changed the passwords, observed that the timestamp changed, and concluded it must be a 'password last changed' timestamp. I'm guessing wildly.)

However, it reflects (as far as I understand) the last time the key, its attributes or its value changed. And that could be any of the attributes, not just the password. Easy test: set up a test account, get time stamp, then change the account comment. Check the time stamp again.

- bkkchop
Could the password last changed, perhaps be ... .
[...] could this be because ...

There's no other answer than 'yes'. In the absence of authoritative information or research, it could be. But you should not be concerned with 'could-be's except as far as you are prepared to do research. Outside that, you don't know: that should be your statement.

You do need to check your tool and its tool maker: you may get a better answer than this.  

athulin
Senior Member

Re: SAM Account Time Confusion

Post Posted: Fri Oct 12, 2018 6:35 am

Thanks for the insight, athulin. You bring up some good points. The tool I'm using is Registry Explorer, I threw the SAM file inside there for the analysis. I did do some research prior to coming here but didn't find anything of much value. I'll continue to research and post back if I find a conclusive answer.

Thanks  

bkkchop
Newbie

Re: SAM Account Time Confusion

Post Posted: Fri Oct 12, 2018 8:19 am

- bkkchop
Hi everyone,

I've been racking my brain trying to figure out why a local admin account is displaying weird time stamps for created, last login, and password change. I exported the SAM hive and viewed it in Registry Explorer.

Created: 2018-02-02
Last login: 2015-04-23
Password last changed: 2017-09-25

Could the password last changed perhaps be 2 years after the last login because it was changed by another account on the system? As for created being 3 years after the last login, could this be because the account was at one point disabled, then re-enabled?

Any thoughts?

What's the creation time for the Admin account's folder? Same or different?  

Rich2005
Senior Member

Re: SAM Account Time Confusion

Post Posted: Fri Oct 12, 2018 8:28 am

- bkkchop
Thanks for the insight, athulin. You bring up some good points.

Unfortunately, the point I was convinced was the problem, based on the cited paper ... is actually not. I should have extended my suspicion to the paper itself, not only to its sources. So I only confused the issue -- my apologies.

The table of the F parameter contents (called 'project F content') in that paper does not correspond with other sources. And in the absence of an explanation for that, we (that is, I) cannot conclude that the F entry lacks information about last password change.

Unfortunately, I have yet to find a source I do consider fully trustworthy ... which is a bit of a problem. (By fully trustworthy I mean that it references some kind of methodical procedure for identifying relevant SAM content.)

If anyone knows one, please post. It should be added to Forensic Wiki so that we don't forget it.

There is clearly some kind of timestamp for last password change: 'net user' lists it, and the NetEnumUser() system call returns structures where the corresponding field is populated. The F entry seems to be the most likely candidate for its location ... yet the systematic identification of it seems absent.  

athulin
Senior Member
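The thread turns on what the SAM actually stores in F versus what a tool labels. The following Python is an added worked example, not code from Registry Explorer, RegRipper or any poster: it decodes the F value of one user account (SAM\Domains\Account\Users\<RID>\F) using the field offsets that community parsers such as RegRipper's samparse plugin read (last logon at 0x08, password last set at 0x18, account expiry at 0x20, last failed logon at 0x28, RID at 0x30, account control bits at 0x38, logon counts at 0x40/0x42), and then compares those timestamps with the LastWrite time of the Names\<user> key, which is the value many tools present as 'created'. Those offsets, the sample F bytes built from the dates in this thread, the RID 1001 and the flag values are all assumptions or constructed data, to be verified against a known test account before being relied on in a report.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 0x7FFFFFFFFFFFFFFF)  # FILETIME values that mean "not set" / "never"

# Offsets inside the F value (SAM\Domains\Account\Users\<RID>\F).
# Assumption: the community-documented layout that parsers such as
# RegRipper's samparse plugin read; verify on a test account first.
F_TIMES = {
    "last_login": 8,
    "password_last_set": 24,
    "account_expires": 32,
    "last_failed_login": 40,
}
F_RID, F_ACB, F_FAILED_COUNT, F_LOGON_COUNT, F_MIN_LEN = 48, 56, 64, 66, 68

# Subset of the USER_* account control bits from the SAMR definitions
ACB_NAMES = {
    0x0001: "disabled", 0x0004: "password_not_required",
    0x0010: "normal_account", 0x0200: "password_never_expires",
    0x0400: "auto_locked",
}


def filetime_to_datetime(ft):
    """100 ns intervals since 1601-01-01 UTC -> aware datetime, or None if unset."""
    if ft in NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, done in integer arithmetic to stay exact."""
    d = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_f_value(f):
    """Decode the fields of one F value into a dict (times are UTC or None)."""
    if len(f) < F_MIN_LEN:
        raise ValueError("F value too short: %d bytes" % len(f))
    acct = {name: filetime_to_datetime(struct.unpack_from("<Q", f, off)[0])
            for name, off in F_TIMES.items()}
    acct["rid"] = struct.unpack_from("<I", f, F_RID)[0]
    flags = struct.unpack_from("<H", f, F_ACB)[0]
    acct["acb"] = sorted(n for bit, n in ACB_NAMES.items() if flags & bit)
    acct["failed_logon_count"] = struct.unpack_from("<H", f, F_FAILED_COUNT)[0]
    acct["logon_count"] = struct.unpack_from("<H", f, F_LOGON_COUNT)[0]
    return acct


def build_f_value(rid, acb_flags, logon_count=0, **times):
    """Construct a synthetic 80-byte F value for testing (not how Windows writes it)."""
    f = bytearray(80)
    for name, dt in times.items():
        struct.pack_into("<Q", f, F_TIMES[name], datetime_to_filetime(dt))
    struct.pack_into("<I", f, F_RID, rid)
    struct.pack_into("<H", f, F_ACB, acb_flags)
    struct.pack_into("<H", f, F_LOGON_COUNT, logon_count)
    return bytes(f)


def sanity_check(acct, names_key_lastwrite):
    """Compare the F timestamps with the LastWrite time of the Names\\<user> key,
    which tools commonly label 'created'. Returns observations for the report."""
    notes = []
    ll, pw = acct["last_login"], acct["password_last_set"]
    if ll and ll < names_key_lastwrite:
        notes.append("last logon precedes the Names key LastWrite: that 'created' "
                     "value is a key timestamp, not a field stored in F")
    if pw is None:
        notes.append("password_last_set is unset (zero FILETIME)")
    elif ll and pw > ll:
        notes.append("password set after the last recorded logon of this account")
    if "disabled" in acct["acb"]:
        notes.append("account is currently disabled (ACB 0x0001)")
    return notes


# Constructed sample using the dates from the thread (not bytes from a real hive)
SAMPLE_F = build_f_value(
    rid=1001, acb_flags=0x0210, logon_count=12,
    last_login=datetime(2015, 4, 23, tzinfo=timezone.utc),
    password_last_set=datetime(2017, 9, 25, tzinfo=timezone.utc),
)
SAMPLE_NAMES_LASTWRITE = datetime(2018, 2, 2, tzinfo=timezone.utc)

if __name__ == "__main__":
    acct = parse_f_value(SAMPLE_F)
    for k, v in acct.items():
        print("%-20s %s" % (k, v))
    for note in sanity_check(acct, SAMPLE_NAMES_LASTWRITE):
        print("NOTE:", note)
```

Running it against the sample prints the decoded fields and two observations: the last logon is earlier than the Names key LastWrite, and the password-set time is later than the last logon. Neither is a contradiction inside F; the 'created' figure comes from a key timestamp that the athulin post above notes can move whenever the key is rewritten, so the comparison that matters for the original question is F against the Names key, with the cross-check of changing an attribute on a test account and re-reading both.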