Let’s Connect | LinkedIn | Twitter

Without a doubt, the Windows registry is one of the most valuable forensics data sources that investigators can use. I should think of a dedicated series on Windows Registry Forensics, but, for now, we only focus on NTUSER.DAT and its role in user account forensics.

Part 10 explained how we could forensically extract one of the most important files to analyse user profiles, settings, and activities…

One of the main challenges in live forensics is to deal with in-use or locked files and resources. Unlike the traditional forensics investigation, we are not making a full forensics image of the hard disk during system live analysis.

In fact, we are interacting with running, operational systems where a number of files and resources may be in use by running processes and cannot be opened with any tool. Thus, we would face an error message like the one below:

Opening an in-use file failed!

Are you wondering how this could be related to user account forensics? Let's review two important…

So far, we have discussed user account creation, deletion, privileges, and associated folders and settings such as the user profile and AppData folders, and user-specific environment variables.

The above information is essential for an investigator to identify the existing and deleted user accounts. However, these data may not be sufficient to tag a user account as malicious or benign.

For instance, a legitimate user account with valid groups and permissions may look normal by analyzing the above information. However, there are many WHAT IFs that can change the story! What if the user…

  • Runs an…

As discussed in part 6, the user account forensics roadmap consists of three phases: Data collection and validation, User categorization and profiling, and Deep-dive analysis.

The deep-dive analysis phase focuses on detailed analysis of user settings and behaviours to obtain information about:

User Account Forensics — Deep-Dive Analysis

This part discusses the Profile Folder, AppData, and Environment Variables for each user account.

  1. Users Profile Location

As discussed earlier, Windows creates a user profile folder for each user account upon first-time login. The folders are located in C:\users. The “C:\” here refers to the OS installation drive [%SystemDrive%].

systeminfo |…

Here we are with the second phase of Windows user account live forensics: categorizing the local user accounts in a Windows test system and profiling them into four categories as follows:

  • Valid Users with Valid Groups and permissions
  • Valid Users with odd groups and permissions
  • Newly Created Users [Unknowns]
  • Missing Users!

Note: It is essential to understand the operational needs, business logic, and standard configuration [baseline] of the targeted system and form a standard system profile to look for any deviation accordingly.

Read more on previous parts: Users, Groups, and Privileges | User…

In part 5, I shared a few techniques to retrieve information related to user accounts, their groups, and privileges.

Digital forensics and incident response are not about obtaining the data only. Profiling the activities, analyzing them, and looking for any evidence of suspicious/malicious activities is a challenging part of the journey.

Collecting data can be much easier than analyzing it and interpreting the evidence. This part presents a road map for user account forensics to identify the good, the bad, and the unknown!!

  1. User Account Forensics — The Road Map

The proposed…

Have you enjoyed reading the previous parts? They covered the need for system live analysis, the rules and some required tools, the checklist for carrying out a Windows live investigation, and how to retrieve the system information and configuration.

This part will discuss one of the most exciting topics in forensics investigations: “existing users on a target system, account groups, and users’ privileges!”

In the previous parts, I discussed the need for system live analysis, the rules and some required tools, and the checklist for carrying out a Windows live investigation.

Let's dive into technical aspects from this part onwards. As illustrated in the checklist, identifying system information and understanding its configuration is one main step in an investigation's early stage.

1- General…

In part one, I discussed the differences between dead-box and live-box analysis and why system live analysis is an offer we can’t refuse! Besides, I explained the role of IoC and IoA in an investigation.

Part two covers the rules and tools that can be employed to conduct live forensics analysis on the Windows platform.

In part three, I will focus on the type of data to be collected in addition to the tools, commands, and technical requirements. Let’s review the six categories again:

Windows Live Analysis Checklist

I hope you enjoyed reading part one of this series: Part 1: Blue Team: System Live Analysis - A Proactive Hunt!

Part two will cover some rules and tools that can be employed to conduct live forensics analysis on the Windows platform. So which comes first, rules or tools?

1- Know the rules before using tools

I keep telling myself this every time before starting any investigation: be prepared! Well prepared. It does not matter how good your tools are or how effective your techniques are.

Cybersecurity Hub

by Meisam Eslahi
