Hello All! This is my first post to the site and I had a pressing question. While investigating a case I found that an ntuser.dat and its log were displayed as all 0's in FTK's hex viewer. Is there any Windows process that would do this, or should I be suspicious of some type of cleaner? If there is a cleaner that anyone knows of that does this, please list the product.
Thanks,
Mike H.
Hi Mike,
ALL zeros? XP? I'd suspect a cleaner. Since neither are created until a user signs in, it's safe to rule out the ID not being used. It was an active ID. At first use, both should be clones of Default Users' files, followed by appropriate updates. Both are highly structured files, so zero'ing out the file would probably render the user id a bit difficult to use, to say the least. I don't have a sacrifice machine to test on at the moment. I'd suspect you'll find many examples of wiping.
Don't know the tool however.
Mike,
If you dump the SAM file and parse it with sam_parse.exe from the DVD that accompanies my book, what does it tell you about that user account?
Dennis is right…zero'ing out the NTUSER.DAT file would perhaps render the account in an inoperable mode.
Another thing you might try is this…see if you can't boot the image in VMWare via LiveView. Copy the image, and see if you can't boot the copy. If you can get a password for an account on the system with Admin privileges, login and change the password for the suspicious account. Then attempt to log into that account. This way, you can test it. I suggest this because someone I know recently had an issue where they'd try to log in, but get a message about their profile being corrupted, and Windows would log them in using a temporary ID.
Just some thoughts…
H
Another possible explanation is that the clusters holding the file didn't image correctly - giving you a zero filled file.
Have a look in hex at the clusters before and after, and check the imaging report.
Cheers,
John.
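A small triage script for the situation discussed in this thread (a hive file that shows as all zeros versus one that still carries a valid registry header), added here as an example and not code posted by anyone in the thread. It assumes the standard "regf" hive layout, where the first 508 bytes XORed as little-endian DWORDs give the checksum stored at offset 0x1FC; the sample hive buffer it builds is constructed, not a real NTUSER.DAT.

```python
"""Triage a suspected-wiped registry hive image such as NTUSER.DAT.

Classifies the bytes as all zeros (consistent with wiping or a bad image
read), a hive with a valid 'regf' header and checksum, or something else.
"""
import struct
import sys

REGF_MAGIC = b"regf"
HEADER_CHECKSUM_OFFSET = 0x1FC  # DWORD at the end of the 512-byte base block


def regf_header_checksum(header: bytes) -> int:
    """XOR of the 127 little-endian DWORDs preceding the checksum field."""
    csum = 0
    for dword in struct.unpack("<127I", header[:HEADER_CHECKSUM_OFFSET]):
        csum ^= dword
    # Windows never stores 0 or 0xFFFFFFFF; they are written as 1 / 0xFFFFFFFE.
    if csum == 0:
        return 1
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum


def classify_hive(data: bytes) -> dict:
    """Return a triage record: size, zero ratio, regf signature, checksum state."""
    zero_ratio = data.count(0) / len(data) if data else 0.0
    result = {"size": len(data), "zero_ratio": zero_ratio,
              "all_zero": bool(data) and zero_ratio == 1.0,
              "regf": False, "checksum_ok": False}
    if len(data) >= 0x200 and data[:4] == REGF_MAGIC:
        result["regf"] = True
        stored = struct.unpack_from("<I", data, HEADER_CHECKSUM_OFFSET)[0]
        result["checksum_ok"] = stored == regf_header_checksum(data[:0x200])
    return result


def make_sample_hive_header() -> bytes:
    """Constructed sample: a 4 KiB buffer carrying only a plausible regf
    base block (not a real hive; enough to exercise the header checks)."""
    hdr = bytearray(0x1000)
    hdr[:4] = REGF_MAGIC
    struct.pack_into("<II", hdr, 4, 1, 1)  # primary/secondary sequence numbers
    struct.pack_into("<I", hdr, HEADER_CHECKSUM_OFFSET,
                     regf_header_checksum(bytes(hdr)))
    return bytes(hdr)


if __name__ == "__main__":
    # Usage: python triage_hive.py /path/to/exported/NTUSER.DAT
    with open(sys.argv[1], "rb") as fh:
        print(classify_hive(fh.read()))
```

A file that is all zeros but whose surrounding clusters image normally points toward wiping; a valid header with a failing checksum points toward partial damage or a bad read rather than a cleaner.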