Newbie Question on Artifacts!

4 Posts
2 Users
0 Reactions
1,080 Views
(@shilpa4nsc)
Active Member
Joined: 17 years ago
Posts: 8
Topic starter  

Hello Forum!

I am new to this CF forum, and this is my 1st post in the forum.

I have 3 queries-

1> How do I identify and find traces of an RDP intrusion? Are there any logs, or signs of a connection logged in the registry?

Do RDP_KBD and RDP_MSE denote that the connection was in fact through RDP?

2> What does the following need to be interpreted-
Sun Jul 27 165925 2008Z SAM\SAM\Domains\Account\Users\000003EE
Sun Jul 27 165921 2008Z SECURITY\RXACT

Does the above mean that an account deletion has taken place?
What does 000003EE actually mean?

3> How can I find the active IP address and MAC address, along with the ARP cache, on a Windows XP SP2 Pro machine, while using the image of the suspect's HDD?

Can anyone help me with this?

Thanks in advance.

Shilpa Agarwal
India


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

1> How do I identify and find traces of an RDP intrusion? Are there any logs, or signs of a connection logged in the registry?

If auditing of logins has been enabled, you might look to see if there are any event ID 528, type 10 entries in the Security Event Log.

There's also a great deal of information in the Registry for the user profile used to log into the system.

Do RDP_KBD and RDP_MSE denote that the connection was in fact through RDP?

I have no idea. You're going to need to provide context to that data…like where you found it.

2> What does the following need to be interpreted-
Sun Jul 27 165925 2008Z SAM\SAM\Domains\Account\Users\000003EE
Sun Jul 27 165921 2008Z SECURITY\RXACT

I'm not sure what you're asking for…you've asked what the data you've presented needs in order to be interpreted. The best answer I can give is knowledge of the structure of the Registry.

Does the above mean that an account deletion has taken place?

Nope. You'd most likely find indications of that in the Event Log (*if* the appropriate auditing was enabled) and maybe even in the unallocated space within the hive file itself.

What does 000003EE actually mean?

3EE in hex translates to 1006 in decimal…from the location it's the user's RID.

3> How can I find the active IP address and MAC address, along with the ARP cache, on a Windows XP SP2 Pro machine, while using the image of the suspect's HDD?

IP Address - it's in the Registry…check out RegRipper
MAC Address - it *may* be in the Registry (it's not recorded by default)
ARP cache - that's not recorded (anywhere that I know of)


   
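Two of the checks in the reply above can be scripted against an offline image. The following is an added example written for this page (it is not keydet89's code and not part of RegRipper): it picks RDP logons out of an exported XP Security log (event 528 with logon type 10, plus the 682/683 Terminal Services session events, which on XP are the ones that carry the client's name and address) and decodes the RID from a SAM Users subkey name such as 000003EE. The log rows are constructed in the comma-separated layout of an Event Viewer "Save As" export; real exports differ by locale, so the date format is an assumption to adjust.

```python
"""Triage two RDP-related indicators: 528/logon type 10 (plus 682/683) in an
exported XP Security log, and the RID encoded in a SAM Users subkey name."""
import csv
import io
import re
from datetime import datetime

LOGON_TYPES = {
    2: "Interactive (console)",
    3: "Network (file shares etc.)",
    10: "RemoteInteractive (RDP / Terminal Services)",
}
# Terminal Services session events in the XP/2003 Security log; unlike 528 they
# include "Client Name" and "Client Address".
RDP_SESSION_EVENTS = {682: "session reconnected", 683: "session disconnected"}

# Constructed sample (not from the suspect image) in the layout of an Event Viewer
# "Save As" CSV export: Type,Date,Time,Source,Category,Event,User,Computer,Description.
SAMPLE_EXPORT = r"""Type,Date,Time,Source,Category,Event,User,Computer,Description
Success Audit,7/27/2008,10:12:03 PM,Security,Logon/Logoff,528,WORKSTATION\jsmith,WORKSTATION,"Successful Logon: User Name: jsmith Domain: WORKSTATION Logon ID: (0x0,0x3E7A1) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: WORKSTATION"
Success Audit,7/27/2008,10:25:41 PM,Security,Logon/Logoff,540,WORKSTATION\jsmith,WORKSTATION,"Successful Network Logon: User Name: jsmith Domain: WORKSTATION Logon ID: (0x0,0x41F22) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: LAPTOP"
Success Audit,7/27/2008,10:58:23 PM,Security,Logon/Logoff,528,WORKSTATION\jsmith,WORKSTATION,"Successful Logon: User Name: jsmith Domain: WORKSTATION Logon ID: (0x0,0x5A0C3) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: WORKSTATION"
Success Audit,7/27/2008,11:03:10 PM,Security,Logon/Logoff,683,WORKSTATION\jsmith,WORKSTATION,"Session disconnected from winstation: User Name: jsmith Domain: WORKSTATION Logon ID: (0x0,0x5A0C3) Session Name: RDP-Tcp#1 Client Name: LAPTOP Client Address: 192.168.1.23"
"""


def parse_export(text):
    """Flatten each exported row into the fields needed for triage."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        desc = row["Description"]
        logon_type = re.search(r"Logon Type:\s*(\d+)", desc)
        client = re.search(r"Client Address:\s*(\S+)", desc)
        records.append({
            # Assumed US-style export; change the format for other locales.
            "time": datetime.strptime(f"{row['Date']} {row['Time']}", "%m/%d/%Y %I:%M:%S %p"),
            "event": int(row["Event"]),
            "user": row["User"],
            "logon_type": int(logon_type.group(1)) if logon_type else None,
            "client_address": client.group(1) if client else None,
        })
    return records


def rdp_indicators(records):
    """Keep 528 logons of type 10 and the 682/683 session events; a 540 type 3
    network logon is an SMB-style logon, not RDP, and is deliberately skipped."""
    hits = []
    for r in records:
        if r["event"] == 528 and r["logon_type"] == 10:
            hits.append(dict(r, reason="528 logon type 10: " + LOGON_TYPES[10]))
        elif r["event"] in RDP_SESSION_EVENTS:
            hits.append(dict(r, reason=f"{r['event']}: Terminal Services {RDP_SESSION_EVENTS[r['event']]}"))
    return hits


def rid_from_sam_key(key_path):
    r"""SAM\SAM\Domains\Account\Users\000003EE -> 1006: the subkey name is the
    RID in hex. Anything that is not a Users subkey (e.g. SECURITY\RXACT) is rejected."""
    parent, _, name = key_path.rstrip("\\").rpartition("\\")
    if not parent.upper().endswith(r"\ACCOUNT\USERS"):
        raise ValueError(f"not a SAM Users subkey: {key_path}")
    return int(name, 16)


def describe_rid(rid):
    if rid == 500:
        return "built-in Administrator"
    if rid == 501:
        return "built-in Guest"
    if rid >= 1000:
        return "account created after install (RIDs start at 1000)"
    return "other well-known/built-in RID"


if __name__ == "__main__":
    for hit in rdp_indicators(parse_export(SAMPLE_EXPORT)):
        print(hit["time"], hit["user"], hit["reason"], hit["client_address"] or "")
    rid = rid_from_sam_key(r"SAM\SAM\Domains\Account\Users\000003EE")
    print(rid, describe_rid(rid))
```

The SAM check is the one that answers the 000003EE question directly: 0x3EE is 1006, and RIDs from 1000 upwards are handed out to accounts created after installation, so the key named 000003EE is the seventh locally created account rather than a built-in one. The SECURITY\RXACT entry is not a Users subkey and the function refuses it, which is the right outcome for that line.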
(@shilpa4nsc)
Active Member
Joined: 17 years ago
Posts: 8
Topic starter  

Sir,

Many Thanks for your reply!

I have actually used your tool RegRipper,

Auditing wasn't enabled, as the image of the victim is of the end-user, and was running Windows XP SP2 Professional.

Here are the reg keys of the System hive, which contain the RDP_MOU and RDP_KBD:

RDP_MOU
----
Sun Jul 27 165823 2008Z \ControlSet001\Control\DeviceClasses\{2eb07ea0-7e70-11d0-a5d6-28db04c10000}\##?#Root#SYSTEM#0000#{2eb07ea0-7e70-11d0-a5d6-28db04c10000}\#{eec12db6-ad9c-4168-8658-b03daef417fe}&{ABD61E00-9350-47e2-A632-4438B90C6641}
Sun Jul 27 165823 2008Z \ControlSet001\Control\DeviceClasses\{378de44c-56ef-11d1-bc8c-00a0c91405dd}\##?#Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}
Sun Jul 27 165823 2008Z \ControlSet001\Control\DeviceClasses\{378de44c-56ef-11d1-bc8c-00a0c91405dd}\##?#Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}\#


RDP_KBD
----
Sun Jul 27 165823 2008Z \ControlSet001\Control\DeviceClasses\{884b96c3-56ef-11d1-bc8c-00a0c91405dd}\##?#Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}
Sun Jul 27 165823 2008Z \ControlSet001\Control\DeviceClasses\{884b96c3-56ef-11d1-bc8c-00a0c91405dd}\##?#Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}\#
Sun Jul 27 165823 2008Z \ControlSet001\Control\DeviceClasses\{97ebaacb-95bd-11d0-a3ea-00a0c9223196}\##?#Root#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196}

finally,

I am still looking for references, and Googling, for the-
"Sun Jul 27 165921 2008Z SECURITY\RXACT" what exactly would it interpret.

I know I am yet to learn a lot, and I am referring to your books as well, on a case-by-case basis. I am just at the start of my career, and this is my second case for investigation.

Also, how can I use RegRipper to reveal and decode the ROT13 entries from the UserAssist keys?

Thanks in advance.

Shilpa Agarwal
India


   
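The DeviceClasses lines pasted above follow a fixed shape that can be screened automatically: a UTC timestamp (the Z suffix, with the colons dropped from the time), the ControlSet, the device interface class GUID, and a symbolic-link subkey that is the \\?\Enumerator\DeviceID\Instance\{class} name with every backslash turned into '#'. The two GUIDs on the RDP_KBD and RDP_MOU keys are the DDK's keyboard and mouse interface classes (GUID_DEVINTERFACE_KEYBOARD and GUID_DEVINTERFACE_MOUSE). The example below is added for this page, is not RegRipper's or either poster's code, and uses the posted lines as its sample input; the other two GUIDs in the post are left unidentified rather than guessed at.

```python
"""Screen RegRipper-style System hive lines for RDP_KBD / RDP_MOU device
interface registrations and report when the keys were last written."""
import re
from datetime import datetime, timezone

# Device interface class GUIDs from the Windows DDK headers (ntddkbd.h / ntddmou.h).
KNOWN_INTERFACE_CLASSES = {
    "{884b96c3-56ef-11d1-bc8c-00a0c91405dd}": "keyboard (GUID_DEVINTERFACE_KEYBOARD)",
    "{378de44c-56ef-11d1-bc8c-00a0c91405dd}": "mouse (GUID_DEVINTERFACE_MOUSE)",
}

# "Sun Jul 27 165823 2008Z <key path>" as it appears in the post: no colons in the
# time, Z for UTC. An optional "\#..." tail after the link is tolerated and ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{6} \d{4})Z\s+"
    r"\\?(?P<cs>ControlSet\d{3})\\Control\\DeviceClasses\\"
    r"(?P<cls>\{[0-9A-Fa-f-]{36}\})\\(?P<link>##\?#[^\\]+)(?:\\#.*)?$"
)

# Sample input: the lines from the post above (the broken third RDP_MOU line joined).
SAMPLE_LINES = [
    r"Sun Jul 27 165823 2008Z \ControlSet001\Control\DeviceClasses\{2eb07ea0-7e70-11d0-a5d6-28db04c10000}\##?#Root#SYSTEM#0000#{2eb07ea0-7e70-11d0-a5d6-28db04c10000}\#{eec12db6-ad9c-4168-8658-b03daef417fe}&{ABD61E00-9350-47e2-A632-4438B90C6641}",
    r"Sun Jul 27 165823 2008Z \ControlSet001\Control\DeviceClasses\{378de44c-56ef-11d1-bc8c-00a0c91405dd}\##?#Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}",
    r"Sun Jul 27 165823 2008Z \ControlSet001\Control\DeviceClasses\{378de44c-56ef-11d1-bc8c-00a0c91405dd}\##?#Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}\#",
    r"Sun Jul 27 165823 2008Z \ControlSet001\Control\DeviceClasses\{884b96c3-56ef-11d1-bc8c-00a0c91405dd}\##?#Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}",
    r"Sun Jul 27 165823 2008Z \ControlSet001\Control\DeviceClasses\{884b96c3-56ef-11d1-bc8c-00a0c91405dd}\##?#Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}\#",
    r"Sun Jul 27 165823 2008Z \ControlSet001\Control\DeviceClasses\{97ebaacb-95bd-11d0-a3ea-00a0c9223196}\##?#Root#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196}",
]


def parse_line(line):
    """Return the parsed fields, or None for lines that are not DeviceClasses keys."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("link").split("#")  # ['', '', '?', 'Root', 'RDP_MOU', '0000', '{guid}']
    if len(parts) < 7:
        return None
    cls = m.group("cls").lower()
    return {
        "last_write": datetime.strptime(m.group("ts"), "%a %b %d %H%M%S %Y").replace(tzinfo=timezone.utc),
        "control_set": m.group("cs"),
        "interface_class": cls,
        "class_name": KNOWN_INTERFACE_CLASSES.get(cls, "not in this table"),
        "enumerator": parts[3],
        "device_id": parts[4],
        "instance": parts[5],
    }


def rdp_input_devices(lines):
    """Collect RDP_* devices: how many DeviceClasses keys name them and the
    earliest/latest key last-write time among those keys."""
    found = {}
    for line in lines:
        e = parse_line(line)
        if e is None or not e["device_id"].startswith("RDP_"):
            continue
        d = found.setdefault(e["device_id"], {
            "class_name": e["class_name"], "keys": 0,
            "first_seen": e["last_write"], "last_seen": e["last_write"],
        })
        d["keys"] += 1
        d["first_seen"] = min(d["first_seen"], e["last_write"])
        d["last_seen"] = max(d["last_seen"], e["last_write"])
    return found


if __name__ == "__main__":
    for dev, info in sorted(rdp_input_devices(SAMPLE_LINES).items()):
        print(f"{dev}: {info['class_name']}, {info['keys']} keys, last written {info['last_seen']}")
```

What this gives you is that the RDP keyboard and mouse device interfaces were registered on the box and when those keys were last written; it does not by itself say who connected or from where, so the 16:58:23 time (which sits within about a minute of the SAM and SECURITY\RXACT times quoted earlier in the thread) is something to line up against the Security log, the user profile and the RDP-Tcp settings rather than a finding on its own.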
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Here are the reg keys of the System hive, which contain the RDP_MOU and RDP_KBD:

A quick lookup of the GUID indicates that these are RDP mouse and keyboard devices.

I am still looking for references, and Googling, for the-
"Sun Jul 27 165921 2008Z SECURITY\RXACT" what exactly would it interpret.

I'm not sure that it interprets anything.

Also, how can I use RegRipper to reveal and decode the ROT13 entries from the UserAssist keys?

RTFM. Blunt, I know…but seriously. There's a userassist.pl plugin that does that automatically when you either choose a plugins file that includes that plugin, or choose the plugin itself via rip.exe. It's all right there…I'm not sure what else to say, really.


   
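For readers who want to see what a UserAssist plugin has to do under the hood, here is an added example written for this page (it is not RegRipper's userassist.pl and not code from either poster). It covers the Windows XP layout of the per-user key Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count in NTUSER.DAT: value names are ROT13-encoded (letters only, so digits, braces and backslashes pass through), and each 16-byte value holds a session ID, a run counter that XP starts at 5, and a FILETIME of the last run. The sample values are constructed, including the 8-byte UEME_CTLSESSION bookkeeping entry that a decoder must not try to parse as a program run.

```python
"""Decode Windows XP UserAssist entries: ROT13 names and 16-byte count values."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Per-user key (under NTUSER.DAT) that holds the ROT13-encoded entries on XP.
USERASSIST_COUNT_KEY = (r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
                        r"\{75048700-EF1F-11D0-9888-006097DEACF9}\Count")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_COUNT_OFFSET = 5  # XP stores the run counter starting at 5, so subtract 5


def rot13(name):
    """ROT13 only rotates A-Z/a-z; everything else in the name is unchanged."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(ft):
    """100-ns ticks since 1601-01-01 UTC -> aware datetime; 0 means never recorded."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of the above; used here only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_xp_value(encoded_name, raw):
    """Decode one entry, or return None when the value is not the 16-byte XP
    layout (e.g. the 8-byte UEME_CTLSESSION session counter)."""
    if len(raw) != 16:
        return None
    session, raw_count, ft = struct.unpack("<IIQ", raw)
    return {
        "name": rot13(encoded_name),
        "session": session,
        "run_count": max(raw_count - XP_COUNT_OFFSET, 0),
        "last_run": filetime_to_datetime(ft),
    }


def decode_userassist(values):
    """values: {encoded_name: raw_bytes} as read from the Count key."""
    decoded = []
    for encoded_name, raw in values.items():
        entry = parse_xp_value(encoded_name, raw)
        if entry is not None:
            decoded.append(entry)
    return decoded


# Constructed sample, not taken from any image: the session counter plus two
# program runs. A stored count of 11 means 6 executions on XP; a stored count of 5
# with a zero FILETIME is an entry that has never been incremented.
_LAST_RUN = datetime(2008, 7, 27, 16, 59, 21, tzinfo=timezone.utc)
SAMPLE_VALUES = {
    "HRZR_PGYFRFFVBA": struct.pack("<II", 0, 3),  # UEME_CTLSESSION, 8 bytes
    "HRZR_EHACNGU:P:\\JVAQBJF\\flfgrz32\\zfgfp.rkr":
        struct.pack("<IIQ", 1, 11, datetime_to_filetime(_LAST_RUN)),
    "HRZR_EHACNGU:P:\\JVAQBJF\\flfgrz32\\pzq.rkr":
        struct.pack("<IIQ", 1, 5, 0),
}

if __name__ == "__main__":
    for e in decode_userassist(SAMPLE_VALUES):
        print(f"{e['name']:<45} runs={e['run_count']:<3} last={e['last_run']}")
```

With RegRipper itself the same decoding is done for you by the userassist plugin (typically `rip.exe -r NTUSER.DAT -p userassist`, or via a plugins file that lists it), which is the RTFM point above; the value of seeing the structure is knowing that a count of 6 in the report came from a stored 11, and that a missing timestamp means the FILETIME was zero rather than that the tool dropped it.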