
Examining Windows 2003 Domain Controller Using EnCase

pisonic
(@pisonic)
New Member

hi folks,

when we are examining folders, files, etc. that are located on a Windows 2003 domain controller, under the permissions and details I can only see the SID rather than the user name.

how do we actually use EnCase to correlate the SID to the individual users to get the user ID or name?

any help is deeply appreciated.

Posted : 11/05/2010 11:26 am
brede
(@brede)
Member

About EnCase: do you have the EDS module? If so, run the Analyze EFS option and after that go to the Secure Storage tab. From the content menu choose User list - users with corresponding SIDs.

Posted : 11/05/2010 4:44 pm
(@itcentral)
New Member

Was the domain connected to another? You will sometimes see GUIDs for accounts from other domains when the DC can't enumerate them, and if an account has been deleted but permissions were applied directly to a folder.

p

Posted : 11/05/2010 9:35 pm
(@erowe)
Active Member

The commands you want are "dsget user" and "dsquery user"

You can use dsquery user to list all the users on the system, and you should then be able to pipe the output through dsget user -dn -samid -sid.

You might have to fiddle around a bit to get the syntax right, but I believe it should be something like this

dsquery user | dsget user -dn -samid -sid

-dn will give you their distinguished names, -samid will give you the users' logon names, and -sid will give you their SIDs.

You need to run these commands on the server…

Posted : 11/05/2010 10:26 pm
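An added example, not part of any post in this thread: a Python sketch that turns saved output of the dsquery/dsget pipeline above into a SID lookup table and annotates SIDs copied from the permissions view, separating unresolved same-domain SIDs from foreign-domain ones. The row layout (each data row ending in logon name, then SID), the sample rows, and all function names are assumptions made for illustration.

```python
import re

# Constructed sample of saved `dsquery user | dsget user -dn -samid -sid` output.
# Assumed layout: header row, one row per user ending in samid and SID, status line.
SAMPLE_DSGET = """\
  dn                                             samid          sid
  CN=Administrator,CN=Users,DC=example,DC=local  Administrator  S-1-5-21-1111111111-2222222222-3333333333-500
  CN=Jane Doe,OU=Staff,DC=example,DC=local       jdoe           S-1-5-21-1111111111-2222222222-3333333333-1104
dsget succeeded
"""

# Constructed SIDs, as they might be copied from the permissions view.
SAMPLE_ACL_SIDS = [
    "S-1-5-21-1111111111-2222222222-3333333333-1104",  # present in the export
    "S-1-5-21-1111111111-2222222222-3333333333-1250",  # same domain, not exported
    "S-1-5-21-4444444444-5555555555-6666666666-1001",  # different domain
]

# Anchor on the SID at the end of the row; DNs may contain spaces, so parse from the right.
ROW = re.compile(r"^\s*(?P<dn>.+?)\s+(?P<samid>\S+)\s+(?P<sid>S-1-(?:\d+-)+\d+)\s*$")


def parse_dsget(text):
    """Return {sid: (samid, dn)} for every data row; header and status lines are skipped."""
    users = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            users[m["sid"]] = (m["samid"], m["dn"])
    return users


def domain_part(sid):
    """Strip the trailing RID, leaving the domain identifier portion of the SID."""
    return sid.rsplit("-", 1)[0]


def resolve(sids, users):
    """Map each SID to a logon name, or to a note saying why it did not resolve."""
    known_domains = {domain_part(s) for s in users}
    result = {}
    for sid in (s.strip() for s in sids):
        if sid in users:
            result[sid] = users[sid][0]
        elif domain_part(sid) in known_domains:
            result[sid] = "UNRESOLVED: same domain, not in export"
        else:
            result[sid] = "UNRESOLVED: other domain or well-known SID"
    return result
```

dsquery returns at most 100 objects unless `-limit 0` is given, so a truncated export also appears as same-domain unresolved SIDs, alongside deleted accounts and non-user objects such as groups.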
pisonic
(@pisonic)
New Member

About EnCase: do you have the EDS module? If so, run the Analyze EFS option and after that go to the Secure Storage tab. From the content menu choose User list - users with corresponding SIDs.

hi, tried it, but it does not list the domain users. it shows nothing inside the domain user panel.

it only lists the users under the local user panel.

Posted : 12/05/2010 8:46 am