Hello,
Using EnCase or another type of static forensic software, what is the best way (not mounting the image) to view each of the user profiles? I know that you can view c\documents and settings\ and see some information, but I am looking for the users' permission levels (all on a Windows system - XP). Where can I drill down to see what user is in what group and what user has what rights, etc.? Also, I am looking for the ability to see certain reg keys in this static image. Are these all done w/ the use of EnCase scripts?
Thanks
Where can I drill down to see what user is in what group…
The samparse plugin in RegRipper, which you can also use with rip.exe, will show you this.
Also, I am looking for the ability to see certain reg keys in this static image. Are these all done w/ the use of encase scripts?
Depending on which keys you're asking about, RegRipper may already do this. If not, let me know, and if the keys aren't part of the standard install, provide a sample hive file, and I can write up a plugin quickly.
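To show what the samparse plugin is actually pulling out of the SAM hive (c:\windows\system32\config\SAM), here is an added example, written for this thread and not part of RegRipper or EnCase. It decodes the two binary values that answer the "who is in what group" question: a user's F value under SAM\Domains\Account\Users\<RID>\F (RID, last logon, account-control flags, logon counters) and a local group's C value under SAM\Domains\Builtin\Aliases\<RID>\C (group name, comment and the member SIDs). The field offsets are the ones samparse uses; the byte strings are constructed in the code so it runs offline. In a real case you would export the two values from the hive (after View File Structure, or with any hive parser) and feed their raw bytes to parse_user_f() and parse_group_c(). The username itself lives in the V value, which this example does not decode.

```python
import struct
from datetime import datetime, timedelta, timezone

# Field offsets inside a user's "F" value (SAM\Domains\Account\Users\<RID>\F),
# the layout that RegRipper's samparse plugin decodes.
F_LAST_LOGIN, F_PWD_LAST_SET, F_RID, F_ACB_FLAGS, F_FAILED, F_LOGINS = 8, 24, 48, 56, 64, 66

# Account-control bits (ACB flags) stored as a WORD at F[56:58].
ACB_FLAGS = {
    0x0001: "Account disabled",
    0x0004: "Password not required",
    0x0010: "Normal user account",
    0x0200: "Password does not expire",
    0x0400: "Account auto locked",
}

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(raw8):
    """Decode a 64-bit Windows FILETIME (100 ns ticks since 1601); 0 means 'never'."""
    ticks = struct.unpack("<Q", raw8)[0]
    return None if ticks == 0 else EPOCH_1601 + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def parse_user_f(f):
    """Return RID, timestamps, counters and decoded ACB flags from an F value."""
    acb = struct.unpack_from("<H", f, F_ACB_FLAGS)[0]
    return {
        "rid": struct.unpack_from("<I", f, F_RID)[0],
        "last_login": filetime_to_datetime(f[F_LAST_LOGIN:F_LAST_LOGIN + 8]),
        "pwd_last_set": filetime_to_datetime(f[F_PWD_LAST_SET:F_PWD_LAST_SET + 8]),
        "acb_flags": acb,
        "flags": [name for bit, name in ACB_FLAGS.items() if acb & bit],
        "failed_logins": struct.unpack_from("<H", f, F_FAILED)[0],
        "login_count": struct.unpack_from("<H", f, F_LOGINS)[0],
    }

def sid_to_str(raw):
    """Binary SID -> 'S-1-5-21-...' string (revision, sub-authority count, 48-bit authority, DWORD subs)."""
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))

def parse_group_c(c):
    """Decode a local group's C value (SAM\\Domains\\Builtin\\Aliases\\<RID>\\C):
    13-DWORD header, then name, comment and member SIDs at offsets relative to 0x34."""
    hdr = struct.unpack_from("<13I", c, 0)
    base = 0x34
    name = c[base + hdr[4]: base + hdr[4] + hdr[5]].decode("utf-16-le")
    comment = c[base + hdr[7]: base + hdr[7] + hdr[8]].decode("utf-16-le")
    members, ofs = [], base + hdr[10]
    for _ in range(hdr[12]):                # hdr[12] = number of member SIDs
        size = 8 + 4 * c[ofs + 1]           # SID header + one DWORD per sub-authority
        members.append(sid_to_str(c[ofs:ofs + size]))
        ofs += size
    return {"name": name, "comment": comment, "members": members}

def user_in_group(user_rid, group):
    """True if a member SID of the group ends in the user's RID."""
    return any(sid.endswith("-%d" % user_rid) for sid in group["members"])

# ---- constructed sample data (not taken from any real hive) ----
def build_sid(*subs, authority=5):
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def sample_f_value():
    f = bytearray(0x50)  # XP F values are 0x50 bytes
    struct.pack_into("<Q", f, F_LAST_LOGIN,
                     datetime_to_filetime(datetime(2009, 3, 15, 12, 0, tzinfo=timezone.utc)))
    struct.pack_into("<I", f, F_RID, 1003)
    struct.pack_into("<H", f, F_ACB_FLAGS, 0x0210)  # normal account, password never expires
    struct.pack_into("<H", f, F_FAILED, 2)
    struct.pack_into("<H", f, F_LOGINS, 7)
    return bytes(f)

def sample_group_c_value():
    name = "Administrators".encode("utf-16-le")
    comment = "Administrators have full access".encode("utf-16-le")
    members = build_sid(21, 1111, 2222, 3333, 500) + build_sid(21, 1111, 2222, 3333, 1003)
    hdr = [0] * 13
    hdr[4], hdr[5] = 0, len(name)                       # name offset / length
    hdr[7], hdr[8] = len(name), len(comment)            # comment offset / length
    hdr[10], hdr[12] = len(name) + len(comment), 2      # members offset / count
    return struct.pack("<13I", *hdr) + name + comment + members

if __name__ == "__main__":
    user = parse_user_f(sample_f_value())
    group = parse_group_c(sample_group_c_value())
    print(user)
    print(group)
    print("RID %d in %s: %s" % (user["rid"], group["name"], user_in_group(user["rid"], group)))
```

The privilege question is answered by the C values, not the user keys: membership in BUILTIN\Administrators (alias RID 544, key 00000220) is what makes an XP account an administrator, so check every alias's member list rather than the user's own F value, which only carries the disabled/locked/password flags.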
Thanks for the info on RegRipper, but I am looking only for the source location while viewing a static image in EnCase. I am familiar w/ RegRipper and that it is a very valuable tool, but I am confined at this point to EnCase to solve this issue.
thanks
A little more information. What I am trying to find out is if there is a way, when using tools such as EnCase and analysing a static file (dd image), to determine who the users on the system are and what their privs are (again, I know I can determine the user by looking at C\Documents and Settings\users…..). I am looking for the information that is stored in the user groups of the Control Panel - management console.
Also, since much of this information is stored in the registry, is there a way to view the registry hives through EnCase (in the explorer-like window), or is it more of the EnCase scripts?
Also, what about applications that are installed on the system, such as IIS, if I want to find out who has admin or other rights to those applications through the same method as mentioned above?
Thanks
Sure, find the registry hive. Right-click on it and select View File Structure.
Fresponse_s,
Thanks for your advice. That is actually one of my questions. When I am drilling down in the explorer-type window where you see all the files and directories, I looked all over and was unable to find where the HIVES are located. I googled everything and was unable to find where I would look for the hives (registry).
Thanks
OK, here's the short answer:
c\windows\system32\config
system, software, security, etc..
They are all hives.
Right click and View File Structure.
That should do it. You'll want to go to someone much better versed in Registry "Secrets" than I if you want specific details… someone like "keydet89"…
M. Shannon
F-Response
Have a look at this registry file (as fresponse_s said, View File Structure) in EnCase: c\windows\system32\config\SAM
HTH
In V6, simply go to the Secure Storage tab. There is a right-click menu with "User List"; it lists the local users.
In the tree there are the aliases, groups and the "SAM users".
In the report view you'll see the details.
Jake,
Are you aware of the Initialise Case script in EnCase? In version 6, under the EnScript tab in the bottom rt pane: Forensic\Case Processor\Windows Initialise Case. If you click on that and tick what you require, Accounts is one of the options; it will identify user and default accounts, including user groups and time/date settings.