Regripper profilelist entries

NalakaHewa
(@nalakahewa)
New Member

Hi All,

Ripping the SOFTWARE registry hive using RegRipper shows the following entries under profilelist.

Path %SystemDrive%\Documents and Settings\Administrator
SID S-1-5-21-4233660156-2680169946-3658910183-500
LastWrite Wed Jun 15 04:22:08 2016 (UTC)
LoadTime Wed Jun 15 04:21:26 2016 (UTC)

But I couldn't find any related entry for "LoadTime" in the actual registry. Does anyone know how this is obtained? Does it stand for the profile load time? Can we use this to infer the login time of the user?

How valid is it to use the "LastWrite" time to deduce the login time of the user? Should we rely only on event log timestamps, or could we use LastWrite or LoadTime for that?
Please let me know your opinion.

Thanks in advance.

Topic starter Posted : 02/10/2016 12:12 pm
NalakaHewa
(@nalakahewa)
New Member

Any opinion on this?

Topic starter Posted : 04/10/2016 6:39 am
Chris_Ed
(@chris_ed)
Active Member

Looking at 'profilelist.pl', the load time is taken from two entries, 'ProfileLoadTimeLow' and 'ProfileLoadTimeHigh', in the 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' key.

In terms of what it means, I'm not sure; but if you examine the dates and times it reports against event log entries (as you suggest) I'm sure it will provide a clearer picture. After all, "load time" most likely suggests the time it was loaded into memory, which might even be on boot.

Posted : 04/10/2016 1:14 pm
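The two values Chris_Ed names are the low and high 32-bit halves of a single 64-bit Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), which is why neither looks like a timestamp on its own in a registry viewer. The following is an added example, not code from RegRipper or from this thread, that recombines the halves the way profilelist.pl would and round-trips the LoadTime quoted in the first post. The Vista-and-later value names (LocalProfileLoadTime*, LocalProfileUnloadTime*) and all sample values are assumptions constructed for illustration, and the plugin's own Perl is not reproduced.

```python
"""Recombine ProfileList FILETIME halves into UTC datetimes.

Added example; not RegRipper code. Value names other than
ProfileLoadTimeLow/High are an assumption about newer Windows versions,
and the sample subkey below is constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Windows FILETIME: count of 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(low, high):
    """Join two REG_DWORD halves into a 64-bit FILETIME and convert to UTC.

    Returns None when both halves are zero, which Windows uses for "never set".
    """
    for part in (low, high):
        if not 0 <= part <= 0xFFFFFFFF:
            raise ValueError("FILETIME halves must be unsigned 32-bit values")
    ticks = (high << 32) | low
    if ticks == 0:
        return None
    # Sub-microsecond precision is dropped; datetime cannot carry it.
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def utc_to_filetime_parts(dt):
    """Inverse of filetime_to_utc: split a tz-aware UTC datetime into (low, high)."""
    if dt.tzinfo is None:
        raise ValueError("datetime must be timezone-aware")
    micros = (dt.astimezone(timezone.utc) - _FILETIME_EPOCH) // timedelta(microseconds=1)
    ticks = micros * 10
    return ticks & 0xFFFFFFFF, ticks >> 32


# (label to report, low value name, high value name).
# The first pair is what profilelist.pl reads; the other two are an assumption
# about the names used on Vista and later and are only parsed when present.
_PAIRS = [
    ("LoadTime", "ProfileLoadTimeLow", "ProfileLoadTimeHigh"),
    ("LocalLoadTime", "LocalProfileLoadTimeLow", "LocalProfileLoadTimeHigh"),
    ("LocalUnloadTime", "LocalProfileUnloadTimeLow", "LocalProfileUnloadTimeHigh"),
]


def profile_times(values):
    """Given {value_name: int} for one ProfileList\\<SID> subkey, return the
    timestamps it carries. Pairs that are absent are skipped; zero pairs map
    to None rather than to 1601-01-01."""
    out = {}
    for label, lo_name, hi_name in _PAIRS:
        if lo_name in values and hi_name in values:
            out[label] = filetime_to_utc(values[lo_name], values[hi_name])
    return out


# Constructed sample: the LoadTime from the first post, encoded as the two
# DWORDs a hive would hold, plus the ProfileImagePath string for context.
SAMPLE_LOADTIME = datetime(2016, 6, 15, 4, 21, 26, tzinfo=timezone.utc)
_lo, _hi = utc_to_filetime_parts(SAMPLE_LOADTIME)
SAMPLE_SID_VALUES = {
    "ProfileImagePath": r"%SystemDrive%\Documents and Settings\Administrator",
    "ProfileLoadTimeLow": _lo,
    "ProfileLoadTimeHigh": _hi,
}

if __name__ == "__main__":
    print("ProfileLoadTimeLow  = 0x%08X" % _lo)
    print("ProfileLoadTimeHigh = 0x%08X" % _hi)
    for label, when in profile_times(SAMPLE_SID_VALUES).items():
        print(label, when.strftime("%a %b %d %H:%M:%S %Y (UTC)"))
```

The check worth keeping from this is the zero case: a SID subkey whose load-time halves are both 0 has no load time at all, and a tool that blindly converts it will report 1601-01-01 rather than "unset". Whether a non-zero LoadTime corresponds to an interactive logon is a separate question that the arithmetic cannot answer.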
randomaccess
(@randomaccess)
Active Member

Assuming you're looking for the last login time of a user, have you looked at the SAM file?

Running samparse on a local SAM file can provide the last login date.
Alternatively, the event logs (EVT/EVTX) would be useful.

Combining them together would give you a decent idea.

You can run evtxparse.pl or evtparse.pl and output to TLN format, along with samparse_tln.

is that what you're after?

Posted : 04/10/2016 2:13 pm
NalakaHewa
(@nalakahewa)
New Member

Thanks a lot for the response, "Chris_Ed" and "randomaccess". The reason I used profilelist.pl is to identify the last login time of the domain users. SAM parsing would only reveal the local users' login times, right?

My concern was basically whether it is correct to rely on the profilelist output (LoadTime) to check the last login time of the users. But based on your responses, I think it is best to rely on the event log entries rather than the registry. Is that correct?

Thanks again for your time.

Topic starter Posted : 05/10/2016 4:30 pm
randomaccess
(@randomaccess)
Active Member

Yeah, I'm not entirely sure about domain users outside of event logs.
But I would suggest creating a timeline of LastWrite times and correlating them with the login times from event logs. That might give you an idea of what keys may have been updated by doing that.

Posted : 05/10/2016 5:11 pm
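The approach randomaccess describes here, and the TLN output mentioned in the earlier reply, is straightforward to script: put every registry timestamp and every logon event on one sorted timeline, then look at which registry points land close to a 4624 logon. Below is an added example, not code from this thread or from RegRipper, that does exactly that over constructed data. The registry points reuse the LoadTime and LastWrite from the first post, the event records are invented for illustration (4624 = logon, 4634 = logoff, 6005 = event log service started, as in the Windows Security and System logs), no real EVTX parsing is performed, and the five-minute window is an arbitrary assumption.

```python
"""Put ProfileList timestamps and logon events on one timeline and correlate.

Added example, not code from this thread or from RegRipper. All data points
below are constructed for illustration; no hive or EVTX file is read.
"""
from datetime import datetime, timedelta, timezone
from itertools import chain


def ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed data points: (time, source, description).
# The first two mirror the LoadTime and LastWrite quoted in the first post;
# the third is an unrelated SID whose key was touched days earlier.
REGISTRY_POINTS = [
    (ts("2016-06-15 04:21:26"), "SOFTWARE/ProfileList", "LoadTime S-1-5-21-...-500"),
    (ts("2016-06-15 04:22:08"), "SOFTWARE/ProfileList", "LastWrite S-1-5-21-...-500"),
    (ts("2016-06-13 11:00:00"), "SOFTWARE/ProfileList", "LastWrite S-1-5-21-...-1001"),
]

# Constructed event log records in the same shape. Event IDs follow the
# Windows Security/System logs, but the records themselves are invented.
EVENTS = [
    (ts("2016-06-14 18:02:11"), "Security.evtx", "4624 Logon Type 2 Administrator"),
    (ts("2016-06-15 04:19:59"), "System.evtx", "6005 Event log service started"),
    (ts("2016-06-15 04:21:20"), "Security.evtx", "4624 Logon Type 2 Administrator"),
    (ts("2016-06-15 09:30:00"), "Security.evtx", "4634 Logoff Administrator"),
]


def build_timeline(*sources):
    """Merge any number of point lists into one list sorted by time."""
    return sorted(chain(*sources), key=lambda p: p[0])


def tln_lines(timeline):
    """Render points in the TLN style RegRipper's *_tln plugins emit:
    epoch_seconds|source|user|description (user column left blank here)."""
    return ["%d|%s||%s" % (int(t.timestamp()), src, desc) for t, src, desc in timeline]


def nearest_logon(point_time, events, window=timedelta(minutes=5)):
    """Return the 4624 event closest to point_time if it lies within window,
    else None. A hit is a correlation candidate to investigate, not proof
    that the registry timestamp was caused by the logon."""
    logons = [e for e in events if e[2].startswith("4624")]
    if not logons:
        return None
    best = min(logons, key=lambda e: abs(e[0] - point_time))
    return best if abs(best[0] - point_time) <= window else None


def correlate(points, events, window=timedelta(minutes=5)):
    """Map each registry point's description to its nearest in-window logon."""
    return {desc: nearest_logon(t, events, window) for t, _, desc in points}


if __name__ == "__main__":
    for line in tln_lines(build_timeline(REGISTRY_POINTS, EVENTS)):
        print(line)
    print()
    for desc, hit in correlate(REGISTRY_POINTS, EVENTS).items():
        status = "no 4624 within window" if hit is None else "near %s %s" % (hit[0], hit[2])
        print("%-32s %s" % (desc, status))
```

Read the output the way the thread suggests: the points that fall within seconds of a 4624 are candidates for "the profile was loaded at logon", the SID whose LastWrite sits two days from any logon is the data point you must explain rather than discard, and the window itself should be chosen from what you actually observe on the platform, not from this example.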
vootz
(@vootz)
Junior Member

What Windows OS is it? In Windows 7, the following Registry path has the login time of the last logged in domain user

SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnSAMUser

(yes, I know it says SAMUser, but it actually refers to the domain user in this case)

Posted : 05/10/2016 5:38 pm
athulin
(@athulin)
Community Legend

How valid is it to use the "lastwrite" time to deduce the login time of the user?

Strictly speaking, unless you have evidence that they are connected, you shouldn't use them. That is, either published research or your own research, and performed on the platform you are examining.

I don't know of any such evidence myself – which is one reason I suggest you better be very cautious. It's very tempting to treat anything RegRipper produces as important evidence – but ultimately it's up to you to show that there is a connection between a forensic artifact and a physical reality.

Note that the relevant plugin is dated 2008 (with an update in 2010). That suggests that the use of the plugin is at least eight years old. Does that affect interpretation? Have things changed since then? How? Do you know?

There may be relevant info in Carvey's books on registry forensics – but I assume you checked those the first thing you did, right?

LastWrite is – I very strongly suspect – not a registry value name, but the registry key attribute, indicating the last change to any of the values in that key (i.e. a value was added, deleted, renamed or modified), and perhaps even a change in the other attributes that keys carry, such as the key security descriptor (though I'm not 100% sure of that last part).

But … what external realities that connects to is another thing. That's what research would be for.

LoadTime … is possibly related to profile loading (i.e. HKU connection), but under what circumstances that happens for, say, roaming profiles, and how various other registry settings related to those affect it, is another kettle of fish. As are mandatory profiles, network profile load timeouts, etc., etc. That is pretty deep sysadmin stuff, and something I bet Microsoft issues certifications for. (Added: Does RegLoadKey() set that key?)

Added: Especially keep in mind the possibility that LastWrite might have been modified because LoadTime was modified. In this case, the difference is fairly large, but … with a roaming profile (possibly HUGE) and load timeouts …

Posted : 05/10/2016 9:03 pm
NalakaHewa
(@nalakahewa)
New Member

@randomaccess Thanks a lot, and yep, I should have done that. That way I would be able to learn what keys I should look for.
@vootz Yes, it was a Windows 7 system, and I checked the registry entry you mentioned. I didn't know about that previously. With that, I'll be able to correctly say who the last logged-in domain user was. Thanks a lot for that. The only issue is the login time. There is no direct key that records the login times. The best way would be to rely on event logs if they are available.
@athulin Thanks a lot for the insightful answer. I'm going to read Carvey's book.

but ultimately it's up to you to show that there is a connection between a forensic artifact and a physical reality.

I think this is the most important aspect. I get questioned a lot about the possibility of something else having happened when I say something based on a single piece of evidence. Therefore, like you said, I should go with either published research or my own research before putting that into the report.

I think the conclusion would be not to rely entirely on registry key entry values when it comes to login times of users. If the event logs are there, we should correlate them with registry keys to provide stronger evidence. I'm planning to have a closer look at what other registry keys we could look at. If I find any, I'll update this thread. Thanks a lot for all the answers. You guys rock.

Topic starter Posted : 14/10/2016 7:19 am
keydet89
(@keydet89)
Community Legend

Fascinating.

Posted : 27/11/2016 7:04 pm
passcodeunlock
(@passcodeunlock)
Senior Member

If it is about logging in to a domain, I would certainly use the domain server logs for my research and not the local workstation registry entries.

Posted : 28/11/2016 2:24 am
jaclaz
(@jaclaz)
Community Legend

If it is about logging in to a domain, I would certainly use the domain server logs for my research and not the local workstation registry entries.

Well, IMHO you CANNOT do that. 😯
IF you have two data points, you cannot ignore one at your choice.

The whole idea of a complete timeline is to insert as much data points as possible from *whatever* source and
1) see if they ALL fit into a given "scheme"
2) provide reasons why this (or that) data point is "out".

jaclaz

Posted : 28/11/2016 1:42 pm
passcodeunlock
(@passcodeunlock)
Senior Member

I didn't say that the workstation logs shouldn't be used at all; I would just not rely on those in the matter of trust.

My point is to use the domain server logs to start with, since those are harder to compromise than some local workstation registry entries.

Posted : 28/11/2016 3:11 pm
Chris_Ed
(@chris_ed)
Active Member

Fascinating.

Good way to resurrect a thread after a month and a half without actually providing valuable input, thumbs up.

Posted : 29/11/2016 12:56 pm
jaclaz
(@jaclaz)
Community Legend

I didn't say that the workstation logs shouldn't be used at all; I would just not rely on those in the matter of trust.

My point is to use the domain server logs to start with, since those are harder to compromise than some local workstation registry entries.

Well, your point is understood, but it is still not the right approach IMHO.

ALL data available should be retrieved and put into context, and only then should hypotheses be made on what to trust, what to suspect, etc.

If you start giving "more credibility" to this piece of data (instead of that one) it is more likely that your hypothesis will be biased.

jaclaz

Posted : 30/11/2016 1:28 am