Without a doubt, the Windows registry is one of the most valuable forensic data sources that investigators can use. I should think of a dedicated series on Windows Registry Forensics, but, for now, we focus only on NTUSER.DAT and its role in user account forensics.
Note: This post focuses only on NTUSER.DAT; however, the same rules and tools can be used for the other registry hives such as SYSTEM, SAM, SECURITY, SOFTWARE, and DEFAULT.
Part 10 explained how we could forensically extract one of the most important files to analyse user profiles, settings, and activities…
One of the main challenges in live forensics is dealing with in-use or locked files and resources. Unlike a traditional forensic investigation, we are not making a full forensic image of the hard disk during system live analysis.
In fact, we are interacting with a running, operational system where a number of files and resources may be held open by running processes and cannot be opened with any tool. Thus, we face the error message shown below:
So far, we have discussed user account creation, deletion, privileges, and the associated folders and settings such as the user profile and AppData folders, and user-specific environment variables.
The above information is essential for an investigator to identify existing and deleted user accounts. However, this data may not be sufficient to tag a user account as malicious or benign.
For instance, a legitimate user account with valid groups and permissions may look normal by analyzing the above information. However, there are many WHAT IFs that can change the story! What if the user…
The deep-dive analysis phase focuses on detailed analysis of user settings and behaviours to obtain information about:
This part discusses the Profile Folder, AppData, and Environment Variables for each user account.
As discussed earlier, Windows creates a user profile folder for each user account upon the first-time login. The folders are located in C:\users. The “C:\” here refers to the OS installation drive [%SystemDrive%].
Here we are with the second phase of Windows user account live forensics: categorizing the local user accounts on a Windows test system and profiling them into four categories as follows:
Note: It is essential to understand the operational needs, business logic, and standard configuration [baseline] of the targeted system and form a standard system profile to look for any deviation accordingly.
In part 5, I shared a few techniques to retrieve information related to user accounts, their groups, and their privileges.
Digital forensics and incident response are not about obtaining the data only. Profiling the activities, analyzing them, and looking for any evidence of suspicious/malicious activities is a challenging part of the journey.
Collecting data can be much easier than analysing it and interpreting the evidence. This part presents a road map for user account forensics to identify the good, the bad, and the unknown!!
Have you enjoyed reading the previous parts? They covered the need for system live analysis, the rules and required tools, the checklist for carrying out a Windows live investigation, and how to retrieve system information and configuration.
This part will discuss one of the most exciting topics in forensic investigations: “existing users on a target system, account groups, and users’ privileges!”
Data Types: User account information, login timestamps, account activities, account groups, and privileges.
Investigation Value: To look for any questionable activities related to user accounts such as suspicious and unexpected login hours, locations, and privileges.
Let's dive into the technical aspects from this part onwards. As illustrated in the checklist, identifying system information and understanding its configuration is one of the main steps in the early stage of an investigation.
Data Types: Current System settings and configurations [e.g. OS installation date, essential folders, hotfixes, drives, shadow copies, top-level network information, etc.]
Investigation Value: To understand the current state of the machine and to plan accordingly.
In part one, I discussed the differences between dead-box and live-box analysis and why system live analysis is an offer we can’t refuse! Besides, I explained the role of IoC and IoA in an investigation.
Part two covers the rules and tools that can be employed to conduct live forensics analysis on the Windows platform.
In part three, I will focus on the type of data to be collected in addition to the tools, commands, and technical requirements. Let’s review the six categories again:
Note 1: The above checklist is for…
Hope you enjoyed reading part one of this series: Part 1: Blue Team: System Live Analysis - A Proactive Hunt!
Part two will cover some rules and tools that can be employed to conduct live forensic analysis on the Windows platform. So which comes first, rules or tools?
1- Know the rules before using tools
I keep telling myself this every time before starting an investigation: be prepared! Well prepared. It does not matter how good your tools are or how effective your techniques are.
Digital environments are fragile and keep changing every…