USER logs forensics

CopyRight
(@copyright)
Posts: 184
Estimable Member
Topic starter
 

Okay guys,

So apparently I have a laptop that has 3 Local Users and 4 Domain Users. I've got a couple of notorious programs installed. What's the best method to identify which user installed those programs?

I've been going back and forth on different Registry files looking for any indication, but got nothing so far.

 
Posted : 09/02/2013 2:26 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Well, there are a couple of questions I would ask…

First, which version of the OS are you dealing with? That can make a difference as to some of what you look at or for…

Regardless of the version, there are some things common across versions of Windows that you can look at. For example, parse the UserAssist subkey values. The value names are Rot-13 "encrypted", but can be easily decrypted to reveal the names of applications the user has launched via the shell (that is, by clicking or double-clicking an icon, etc.). For command line tools, I'd look at the user MUICache entries.

Do you know what these "notorious" programs are called? Do you know where they are installed? I ask, because they may have been "installed" in the sense of .exe files copied to the system (rather than installed via an MSI or setup.exe file) and could be the result of an infection of some kind. If that were the case, there are other things I'd look for instead.

I hope that helps enough to get you started.

 
Posted : 09/02/2013 6:35 pm
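The UserAssist decoding described above, as an added example that is not part of the original thread: value names are ROT-13 decoded and the raw value data is unpacked into run count and last-run time. The byte layouts (16 bytes on XP with the count stored +5, 72 bytes on Vista/7 with the FILETIME at offset 60) and the sample value bytes are assumptions constructed for this example; the hive would normally be read with a library such as python-registry.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def rot13(name: str) -> str:
    """UserAssist value names are ROT-13 "encrypted"; the codec undoes it."""
    return codecs.decode(name, "rot_13")

def filetime_to_dt(ft: int):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; zero means never recorded."""
    return None if ft == 0 else WIN_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt: datetime) -> int:
    return int((dt - WIN_EPOCH).total_seconds()) * 10_000_000

def parse_userassist_value(name: str, data: bytes) -> dict:
    """Decode one value from a ...\\UserAssist\\{GUID}\\Count key.
    Layouts assumed here: XP = 16 bytes (count @4, stored +5, FILETIME @8);
    Vista/7 = 72 bytes (run count @4, last-run FILETIME @60). Other sizes: name only."""
    count, ft = None, 0
    if len(data) == 16:
        count = max(struct.unpack_from("<I", data, 4)[0] - 5, 0)
        ft = struct.unpack_from("<Q", data, 8)[0]
    elif len(data) == 72:
        count = struct.unpack_from("<I", data, 4)[0]
        ft = struct.unpack_from("<Q", data, 60)[0]
    return {"app": rot13(name), "run_count": count, "last_run": filetime_to_dt(ft)}

def decode_count_key(values: dict) -> list:
    """values: {value_name: raw_bytes} read from one user's NTUSER.DAT, so every
    entry already belongs to that user. Returns rows sorted newest last-run first."""
    rows = [parse_userassist_value(n, d) for n, d in values.items()]
    return sorted(rows, key=lambda r: r["last_run"] or WIN_EPOCH, reverse=True)

# Constructed sample: two Win7-style values as they would sit under the Count key.
_ft = dt_to_filetime(datetime(2013, 2, 9, 14, 26, tzinfo=timezone.utc))
SAMPLE_VALUES = {
    codecs.encode("C:\\Users\\bob\\Downloads\\notorious.exe", "rot_13"):
        struct.pack("<II", 0, 3) + bytes(52) + struct.pack("<Q", _ft) + bytes(4),
    codecs.encode("UEME_CTLSESSION", "rot_13"): bytes(8),  # bookkeeping value, no timestamp
}

if __name__ == "__main__":
    for row in decode_count_key(SAMPLE_VALUES):
        print(row)
```

Run it against each profile's hive in turn; because the Count key lives in NTUSER.DAT, the decoded paths are already attributed to that profile's user.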
gmkk
(@gmkk)
Posts: 13
Active Member
 

CopyRight,

first of all, I would try to determine when these "notorious" programs were installed. Then I would create a full timeline of users' activity around these dates (in temporal proximity, e.g. +/- 12 hours or even 1 day) to determine who was logged in at given period, what files were accessed/executed by given users at this time etc. (if you're lucky, you may find artifacts indicating that given user accessed installation media on external devices, network shares or other mass storage devices or executed given program just after installation).

To create a timeline I would use timestamped data from sources tied to specific user (e.g. Security event log, browser history files located in user's profile, shellbags, NTUSER.DAT/USRCLASS.DAT MRU lists, MUICache entries, link files located in user's profile and so on). When done, I would correlate software installation dates with users' activity timeline to check if this gives any direct clues or at least circumstantial evidence.

Btw, did you check who's the owner of installed "notorious" programs? That's fairly obvious, but sometimes it works. :D

Good luck!

Greg

 
Posted : 11/02/2013 5:53 pm
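The correlation step described above, as an added example that is not from the original post: per-user timeline rows (Security log logon/logoff, browser history, LNK, UserAssist) are merged, logon sessions are reconstructed, and the users logged on at the install time plus each user's activity within +/- 12 hours are reported. The event rows, user names and the install timestamp are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample timeline: (timestamp, user, source, description). In practice
# these rows come from the Security log, browser history, shellbags, MRU lists,
# MUICache and LNK files found in each profile.
EVENTS = [
    (datetime(2013, 2, 5, 8, 55), "DOMAIN\\alice", "Security", "4624 logon"),
    (datetime(2013, 2, 5, 9, 10), "DOMAIN\\alice", "Security", "4634 logoff"),
    (datetime(2013, 2, 5, 13, 30), "LAPTOP\\bob", "Security", "4624 logon"),
    (datetime(2013, 2, 5, 13, 52), "LAPTOP\\bob", "Browser", "visited download site"),
    (datetime(2013, 2, 5, 13, 58), "LAPTOP\\bob", "LNK", "E:\\tools\\setup.exe opened"),
    (datetime(2013, 2, 5, 14, 3), "LAPTOP\\bob", "UserAssist", "setup.exe run"),
    (datetime(2013, 2, 5, 15, 40), "LAPTOP\\bob", "Security", "4634 logoff"),
    (datetime(2013, 2, 6, 10, 0), "DOMAIN\\carol", "Security", "4624 logon"),
]
# Assumed install time, e.g. from the program folder's creation time (constructed).
INSTALL_TIME = datetime(2013, 2, 5, 14, 0)

def logon_sessions(events):
    """Pair each user's 4624 logon with that user's next 4634 logoff.
    A logon with no later logoff is an open session (end = None)."""
    sessions, open_at = [], {}
    for ts, user, src, desc in sorted(events):
        if src != "Security":
            continue
        if desc.startswith("4624"):
            open_at[user] = ts
        elif desc.startswith("4634") and user in open_at:
            sessions.append((user, open_at.pop(user), ts))
    sessions += [(u, t, None) for u, t in open_at.items()]
    return sessions

def users_logged_on_at(events, when):
    """Users whose reconstructed logon session covers the install time."""
    return sorted({u for u, start, end in logon_sessions(events)
                   if start <= when and (end is None or when <= end)})

def activity_near(events, when, window=timedelta(hours=12)):
    """Per-user count of timeline rows within +/- window of the install time,
    most active user first; circumstantial, so read it alongside the sessions."""
    lo, hi = when - window, when + window
    counts = defaultdict(int)
    for ts, user, src, desc in events:
        if lo <= ts <= hi:
            counts[user] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))

if __name__ == "__main__":
    print("logged on at install:", users_logged_on_at(EVENTS, INSTALL_TIME))
    print("activity within window:", activity_near(EVENTS, INSTALL_TIME))
```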
(@cults14)
Posts: 367
Reputable Member
 

On the basis that many apps are downloaded from the Internet and not installed from physical media, have a look at Internet History for all users; that may show up who accessed relevant web-sites and when

Also, have a look in each user's profile and see if there are corresponding entries in the AppData folder (for Win7, or equivalent for XP)

HTH

Cheers

 
Posted : 11/02/2013 8:45 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

On the basis that many apps are downloaded from the Internet and not installed from physical media, have a look at Internet History for all users; that may show up who accessed relevant web-sites and when

Good point. If they were downloaded, you may also see the ADSs associated with downloads…

 
Posted : 11/02/2013 8:56 pm
(@cults14)
Posts: 367
Reputable Member
 

Am just thinking about user behaviour, it's not unknown for a user to run a portable app from a USB device of some kind (likely a stick) and subsequently copy it to the internal HDD. They may or may not run it again.

However, there may be some evidence lurking around in USB artefacts, .LNK files or (Jump Lists?) which could identify that a stick was used and if so you should be able to tie that to specific user(s)?

 
Posted : 11/02/2013 9:39 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Am just thinking about user behaviour, it's not unknown for a user to run a portable app from a USB device of some kind (likely a stick) and subsequently copy it to the internal HDD. They may or may not run it again.

Good thinking. UserAssist artifacts may show that; MUICache just shows file names and not paths.

However, there may be some evidence lurking around in USB artefacts, .LNK files or (Jump Lists?) which could identify that a stick was used and if so you should be able to tie that to specific user(s)?

I use LNK/Jump List artifacts to tie user activity to a specific device all the time…

 
Posted : 11/02/2013 9:51 pm
CopyRight
(@copyright)
Posts: 184
Estimable Member
Topic starter
 

Thanks guys, UserAssist and Jump Lists worked out for me, and a little bit of timeline analysis. Worked like a charm.

Cheers!

 
Posted : 13/02/2013 12:27 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Can you share the tools that you used (names)?

 
Posted : 14/02/2013 6:50 pm
CopyRight
(@copyright)
Posts: 184
Estimable Member
Topic starter
 

Yeah sure,
1-Latest version of FTK
2-RegRipper
3-AD Registry Viewer

Would you have recommended a different set of tools?

 
Posted : 16/02/2013 10:10 am