
How to find when user accounts were created?

13 Posts
6 Users
0 Reactions
6,582 Views
(@kurt2121)
Eminent Member
Joined: 9 years ago
Posts: 43
Topic starter  

Hey guys. I made a thread here a few weeks ago and got really great help, so I figure I'll try again! I'll just start off by saying that my computer forensics knowledge isn't the best (planning on getting into it when I can afford it).

Anyway, here's what I know.

I'm trying to find out the date when one of my old user accounts was created. (On windows XP)

The account was deleted. A new account was made with the same User name. (also deleted)

Things I've tried.

1. I tried looking at the Security Log from the Event Viewer, but it doesn't go back far enough.
2. System restore doesn't go back far enough
3. I tried looking in the SOFTWARE hive (\Microsoft\Windows NT\CurrentVersion\ProfileList), but it wasn't listed.

I feel like there has to be a way to figure this out, any ideas?


   
Quote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

The account was deleted. A new account was made with the same User name. (also deleted)

So in practice the main file NTUSER.DAT (and the user folder structure) was overwritten and then deleted. 😯

It is extremely unlikely that you will be able to find some traces on disk, but making an attempt costs really nothing.

You may find some traces (in some cases, i.e. if the original user connected a USB device) in setupapi.log, but even if found they don't really "prove" anything about the user, see
https://hatsoffsecurity.com/2014/06/17/usb-forensics-pt-6-which-user-account-used-the-usb-device/
and following.

jaclaz


   
ReplyQuote
(@kurt2121)
Eminent Member
Joined: 9 years ago
Posts: 43
Topic starter  

The account was deleted. A new account was made with the same User name. (also deleted)

So in practice the main file NTUSER.DAT (and the user folder structure) was overwritten and then deleted. 😯

It is extremely unlikely that you will be able to find some traces on disk, but making an attempt costs really nothing.

You may find some traces (in some cases, i.e. if the original user connected a USB device) in setupapi.log, but even if found they don't really "prove" anything about the user, see
https://hatsoffsecurity.com/2014/06/17/usb-forensics-pt-6-which-user-account-used-the-usb-device/
and following.

jaclaz

Somebody said I may have luck finding it in Shellbags? Possible?


   
ReplyQuote
(@randy_randerson)
Eminent Member
Joined: 9 years ago
Posts: 24
 

Have you looked at the SAM hive at all? If you're trying to find the user accounts, they could still be in there. I know Registry Viewer by Zimmerman and TZ Works has a registry GUI that can find deleted accounts.


   
ReplyQuote
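As an added illustration of what the SAM hive actually records per account (this is example code written for this page, not code from the thread or from the tools named above): the decoder below unpacks the binary "F" value stored under SAM\Domains\Account\Users\<RID>. The field offsets are the ones documented by registry forensics tooling (RegRipper's samparse plugin); the sample value is constructed here, not taken from a real system. Two points matter for the question in this thread: the F value itself carries last-logon, password-last-set and expiry times but no creation time, and the "account created" time that tools report comes from the LastWrite timestamp of the Users\Names\<username> key, decoded with the same FILETIME conversion. When an account is deleted those keys are unlinked, but their cells can survive in unallocated hive space, which is what the deleted-key recovery in the viewers mentioned above searches for; this decoder works on the raw F bytes wherever they are recovered from.

```python
"""Decode a Windows SAM per-user 'F' value (example code; constructed sample data)."""
import struct
from datetime import datetime, timedelta, timezone

# FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF  # sentinel used for "account never expires"

# Account control bits stored at offset 0x38 of the F value (subset).
ACB_FLAGS = {
    0x0001: "disabled",
    0x0004: "password_not_required",
    0x0010: "normal_user_account",
    0x0200: "password_never_expires",
    0x0400: "auto_locked",
}


def filetime_to_datetime(ticks):
    """Convert a 64-bit FILETIME to an aware UTC datetime (None for 0 / never).

    The same conversion applies to registry key LastWrite times, e.g. the
    Users\\Names\\<username> key whose LastWrite is reported as 'account created'.
    """
    if ticks == 0 or ticks == FILETIME_NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse conversion; used here only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_acb_flags(acb):
    """Return the names of the ACB bits that are set, in ascending bit order."""
    return [name for bit, name in sorted(ACB_FLAGS.items()) if acb & bit]


def parse_sam_f_value(data):
    """Decode the timestamps, RID, flags and counters of a SAM user F value.

    Offsets follow the layout used by RegRipper's samparse plugin.
    """
    if len(data) < 0x44:
        raise ValueError(f"F value too short: {len(data)} bytes")
    (last_login,) = struct.unpack_from("<Q", data, 0x08)
    (pwd_reset,) = struct.unpack_from("<Q", data, 0x18)
    (acct_expires,) = struct.unpack_from("<Q", data, 0x20)
    (last_failed,) = struct.unpack_from("<Q", data, 0x28)
    (rid,) = struct.unpack_from("<I", data, 0x30)
    (acb,) = struct.unpack_from("<H", data, 0x38)
    failed_count, login_count = struct.unpack_from("<HH", data, 0x40)
    return {
        "rid": rid,
        "last_login": filetime_to_datetime(last_login),
        "password_last_set": filetime_to_datetime(pwd_reset),
        "account_expires": filetime_to_datetime(acct_expires),
        "last_failed_login": filetime_to_datetime(last_failed),
        "flags": decode_acb_flags(acb),
        "failed_login_count": failed_count,
        "login_count": login_count,
    }


def build_sample_f_value(rid, last_login, pwd_reset, acb, login_count):
    """CONSTRUCTED 80-byte F value for demonstration only; not from a real hive."""
    buf = bytearray(0x50)
    struct.pack_into("<Q", buf, 0x08, datetime_to_filetime(last_login))
    struct.pack_into("<Q", buf, 0x18, datetime_to_filetime(pwd_reset))
    struct.pack_into("<Q", buf, 0x20, FILETIME_NEVER)  # never expires
    struct.pack_into("<I", buf, 0x30, rid)
    struct.pack_into("<H", buf, 0x38, acb)
    struct.pack_into("<HH", buf, 0x40, 0, login_count)  # failed count, login count
    return bytes(buf)


# Constructed sample: an ordinary local user that never had a failed logon.
SAMPLE_F = build_sample_f_value(
    rid=1003,
    last_login=datetime(2009, 3, 15, 10, 30, tzinfo=timezone.utc),
    pwd_reset=datetime(2008, 11, 2, 8, 0, tzinfo=timezone.utc),
    acb=0x0010 | 0x0200,
    login_count=27,
)

if __name__ == "__main__":
    for field, value in parse_sam_f_value(SAMPLE_F).items():
        print(f"{field:>20}: {value}")
```

Note that even a fully recovered F value answers "when was this account last used" and "when was the password last set", not "when was it created"; for a deleted-and-recreated account with the same name, only the recovered original Names key (if any) separates the two lifetimes.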
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Somebody said I may have luck finding it in Shellbags? Possible?

It depends on who was the somebody.

Try and you will see what can be found (or cannot) on the specific system
http://www.williballenthin.com/forensics/shellbags/

Though - as often happens - you will not have definite proof of *anything*, at the most you will be able to say that "on date dd/mm/yyyy an account with the folder name "zzzzzzzzz" existed on the machine" which is a looong way from saying "on date dd/mm/yyyy an account with user name "zzzzzzzzz" was created for the first time on the machine",

Please consider how when you change a user account name the folder name is not changed, which in itself could provide a whole separate set of possibilities.

jaclaz


   
ReplyQuote
(@kurt2121)
Eminent Member
Joined: 9 years ago
Posts: 43
Topic starter  

Have you looked at the SAM hive at all? If you're trying to find the user accounts, they could still be in there. I know Registry Viewer by Zimmerman and TZ Works has a registry GUI that can find deleted accounts.

I had asked about the SAM hive on another forum, and was told when a user account is deleted, it is removed from the SAM hive. Perhaps that is not the case?

I'll try the viewer you suggested and see how it goes.


   
ReplyQuote
(@kurt2121)
Eminent Member
Joined: 9 years ago
Posts: 43
Topic starter  

Somebody said I may have luck finding it in Shellbags? Possible?

It depends on who was the somebody.

Try and you will see what can be found (or cannot) on the specific system
http://www.williballenthin.com/forensics/shellbags/

Though - as often happens - you will not have definite proof of *anything*, at the most you will be able to say that "on date dd/mm/yyyy an account with the folder name "zzzzzzzzz" existed on the machine" which is a looong way from saying "on date dd/mm/yyyy an account with user name "zzzzzzzzz" was created for the first time on the machine",

Please consider how when you change a user account name the folder name is not changed, which in itself could provide a whole separate set of possibilities.

jaclaz

Even if I can't find the exact date an account was created, seeing some dates when it existed could help a bit for making an estimation of the date.

Not sure what you are trying to say with that last bit. Are you suggesting that I may have changed the account name instead of deleting it? I am 100% sure it was deleted.

Anyway, I'll have to give some of these things a try, I don't have any experience using them, so there's a good chance I'll be back asking for help haha.

EDIT Okay, so it says these shell bags are located in the HKEY_CURRENT_USER. Are they really going to contain anything about a deleted account?


   
ReplyQuote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Even if I can't find the exact date an account was created, seeing some dates when it existed could help a bit for making an estimation of the date.

Not sure what you are trying to say with that last bit. Are you suggesting that I may have changed the account name instead of deleting it? I am 100% sure it was deleted.

I was only giving you some context about the possibilities.
You are looking for something "peculiar", and you should know how the results may (or may not) be univocally linked to the information you actually want.

EDIT Okay, so it says these shell bags are located in the HKEY_CURRENT_USER. Are they really going to contain anything about a deleted account?

Somebody said I may have luck finding it in Shellbags? Possible?

It depends on who was the somebody.

Waiter, come taste the soup …
… Ah-ha wink
http://www.imdb.com/title/tt0094898/quotes?item=qt1099763

jaclaz


   
ReplyQuote
(@kurt2121)
Eminent Member
Joined: 9 years ago
Posts: 43
Topic starter  

Even if I can't find the exact date an account was created, seeing some dates when it existed could help a bit for making an estimation of the date.

Not sure what you are trying to say with that last bit. Are you suggesting that I may have changed the account name instead of deleting it? I am 100% sure it was deleted.

I was only giving you some context about the possibilities.
You are looking for something "peculiar", and you should know how the results may (or may not) be univocally linked to the information you actually want.

EDIT Okay, so it says these shell bags are located in the HKEY_CURRENT_USER. Are they really going to contain anything about a deleted account?

Somebody said I may have luck finding it in Shellbags? Possible?

It depends on who was the somebody.

Waiter, come taste the soup …
… Ah-ha wink
http://www.imdb.com/title/tt0094898/quotes?item=qt1099763

jaclaz

hahaha

Alright, so I take it the Shell bags isn't going to help with a deleted account. Now what can I do?!


   
ReplyQuote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Alright, so I take it the Shell bags isn't going to help with a deleted account. Now what can I do?!

As said you can try checking the disk to find some remaining data, but it is unlikely that you will be able to find any of them, and even if you find them, they won't actually be able to answer your question.

As well, as suggested by Randy_Randerson you may want to inspect the SAM, but if the account was deleted and then recreated with the same name it has to be seen if there are still traces of the "original" one and if any date can be linked to it.

The way you asked your question makes (to me at least) little sense, maybe you can provide some context, explain the reasons why you would be looking for this deleted and recreated account, etc.

Personally, from the info you gave, I doubt that an exact date can be found at all, but maybe by doing a really thorough examination of the system and of the disk one could have some "hints".
I mean there may be programs that were run when logged in with that account and that wrote some temp data or logs, there may be a file in the NTFS with that account ownership, all tiny breadcrumbs, and nothing "definitive" anyway, I believe.

jaclaz


   
ReplyQuote
Page 1 / 2