Let’s Connect | LinkedIn | Twitter

One of the main challenges in live forensics is dealing with in-use or locked files and resources. Unlike a traditional forensic investigation, during live analysis we are not making a full forensic image of the hard disk.

Instead, we are interacting with a running, operational system on which a number of files and resources may be in use by running processes and cannot be opened with ordinary tools. We then face an error message such as:

Opening an in-use file failed!

Are you wondering how this could be related to user account forensics? Let's review two important…
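One common way around a locked file, added here as an example and not code from the series (the page does not say which techniques it goes on to cover), is to read the file from a Volume Shadow Copy instead of from the live volume. The script below assumes an elevated PowerShell 5.1+ session on the live Windows host and uses $OutDir as a placeholder for a collection location off the system drive; the target is the current user's NTUSER.DAT, which is held open for as long as that user is logged on.

```powershell
# Added example, not the series' own code. Elevated PowerShell 5.1+ on the live host.
$Target = Join-Path $env:USERPROFILE 'NTUSER.DAT'   # locked while this user is logged on
$OutDir = 'D:\Evidence'                             # assumed collection drive, not %SystemDrive%
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Reproduce the failure: an exclusive open of an in-use file throws IOException.
try {
    $fs = [System.IO.File]::Open($Target, 'Open', 'Read', 'None')
    $fs.Close()
    Write-Host "Opened $Target directly (not locked on this host)."
} catch [System.IO.IOException] {
    Write-Host "Opening in-use file failed: $($_.Exception.Message)"
}

# 2. Snapshot the system volume. Caveat: this writes to System Volume Information and
#    changes the state of the machine under investigation, so record it in the case log.
$create = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
            -Arguments @{ Volume = "$env:SystemDrive\"; Context = 'ClientAccessible' }
if ($create.ReturnValue -ne 0) { throw "Shadow copy creation failed, code $($create.ReturnValue)" }
$shadow = Get-CimInstance Win32_ShadowCopy | Where-Object ID -eq $create.ShadowID

# 3. Expose the snapshot through a directory symlink (the trailing backslash on the
#    device path is required) and copy the file from it. The snapshot holds no locks.
$Link = Join-Path $env:SystemDrive 'vss_snapshot'
cmd.exe /c mklink /d "$Link" "$($shadow.DeviceObject)\" | Out-Null
$Relative = $Target.Substring(3)                    # drop the 'C:\' prefix
$Copy = Join-Path $OutDir (Split-Path $Target -Leaf)
Copy-Item -LiteralPath (Join-Path $Link $Relative) -Destination $Copy

# 4. Hash the copy immediately for chain of custody, then remove the link and snapshot.
Get-FileHash -Algorithm SHA256 -LiteralPath $Copy | Format-List Path, Hash
cmd.exe /c rmdir "$Link" | Out-Null
$shadow | Remove-CimInstance
```

The order matters: hash before cleanup, and keep the shadow copy only as long as needed, since each one you create is itself an artifact a later examiner will have to explain.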

So far, we have discussed user account creation, deletion, privileges, and the associated folders and settings such as the user profile and AppData folders and user-specific environment variables.

The above information is essential for an investigator to identify existing and deleted user accounts. However, this data alone may not be sufficient to tag a user account as malicious or benign.

For instance, a legitimate user account with valid groups and permissions may look normal by analyzing the above information. However, there are many WHAT IFs that can change the story! What if the user…

  • Runs an…

As discussed in part 6, the user account forensics roadmap consists of three phases: data collection and validation, user categorization and profiling, and deep-dive analysis.

The deep-dive analysis phase focuses on detailed analysis of user settings and behaviors to obtain information about:

User Account Forensics — Deep-Dive Analysis

This part discusses the Profile Folder, AppData, and Environment Variables for each user account.

  1. Users Profile Location

As discussed earlier, Windows creates a user profile folder for each user account upon first-time login. The folders are located in C:\Users. The “C:\” here refers to the OS installation drive [%SystemDrive%], which may differ on a given system.

systeminfo |…

Here we are at the second phase of Windows user account live forensics: categorizing the local user accounts on a Windows test system and profiling them into four categories as follows:

  • Valid Users with Valid Groups and permissions
  • Valid Users with odd groups and permissions
  • Newly Created Users [Unknowns]
  • Missing Users!

Note: It is essential to understand the operational needs, business logic, and standard configuration [baseline] of the target system, and to form a standard system profile so that any deviation from it can be spotted.

Read more on previous parts: Users, Groups, and Privileges | User…

In part 5, I shared a few techniques to retrieve information about user accounts, their groups, and their privileges.

Digital forensics and incident response are not only about obtaining data. Profiling the activities, analyzing them, and looking for any evidence of suspicious or malicious behavior is the challenging part of the journey.

Collecting data is usually far easier than analyzing it and interpreting the evidence. This part presents a road map for user account forensics to identify the good, the bad, and the unknown!

  1. User Account Forensics — The Road Map

The proposed…

Have you enjoyed reading the previous parts? They covered the need for system live analysis, its rules and required tools, the checklist for carrying out a Windows live investigation, and how to retrieve system information and configuration.

This part discusses one of the most exciting topics in forensic investigations: the existing users on a target system, their account groups, and their privileges.

Data Types: User account information, login timestamps, account activities, account groups, and privileges.

Investigation Value: To look for any questionable activities related to user accounts such as suspicious and unexpected login hours, locations, and privileges.
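The profile-folder location, the four user categories, and the account, group and login-timestamp data described in these parts come together in the following PowerShell. It is an added example, not code from the series. It assumes an elevated PowerShell 5.1+ session on the live host; the $Baseline list is a hypothetical placeholder that the investigator replaces with the documented baseline of expected accounts. The script correlates Get-LocalUser (current accounts with LastLogon), the ProfileList registry key (registered profile folders, which outlive account deletion) and local Administrators membership, then sorts the result into the categories above.

```powershell
# Added example (not the series' own code). Elevated PowerShell 5.1+ on the live host.
# $Baseline is a hypothetical placeholder: replace it with the system's documented baseline.
$Baseline = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount', 'analyst')

# Accounts that exist right now, with last-logon and password-set timestamps.
$Users = Get-LocalUser | Select-Object Name, SID, Enabled, LastLogon, PasswordLastSet

# Profile folders Windows has registered. ProfileList entries survive account deletion,
# so a SID here with no matching account points at a deleted (missing) user.
$ProfileKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$Profiles = Get-ChildItem $ProfileKey | ForEach-Object {
    [pscustomobject]@{ SID = $_.PSChildName; Path = (Get-ItemProperty $_.PSPath).ProfileImagePath }
}

# SIDs currently in the local Administrators group.
$AdminSids = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.SID.Value }

# Machine SID prefix, taken from the built-in Administrator (RID 500). Local account SIDs
# share this prefix; profiles of domain accounts (different prefix) are not "missing" users.
$MachinePrefix = ($Users | Where-Object { $_.SID.Value -like '*-500' }).SID.Value -replace '-500$', ''
$LocalSids = $Users | ForEach-Object { $_.SID.Value }

# Categories 1-3: accounts that exist. Any admin other than the built-in one is "odd"
# unless the baseline documents it; refine the rule with your own expected groups.
$Report = foreach ($u in $Users) {
    $sid     = $u.SID.Value
    $isAdmin = $AdminSids -contains $sid
    $profile = ($Profiles | Where-Object SID -eq $sid).Path
    $cat = if ($Baseline -notcontains $u.Name)              { 'Newly created / unknown' }
           elseif ($isAdmin -and -not $sid.EndsWith('-500')) { 'Valid user, odd groups' }
           else                                              { 'Valid user, valid groups' }
    [pscustomobject]@{
        Account = $u.Name; SID = $sid; Enabled = $u.Enabled; LastLogon = $u.LastLogon
        PasswordLastSet = $u.PasswordLastSet; Admin = $isAdmin; Profile = $profile; Category = $cat
    }
}

# Category 4: local profile folders whose SID no longer maps to any account.
$Missing = $Profiles |
    Where-Object { $_.SID -like "$MachinePrefix-*" -and $LocalSids -notcontains $_.SID } |
    ForEach-Object {
        [pscustomobject]@{
            Account = '(deleted)'; SID = $_.SID; Enabled = $null; LastLogon = $null
            PasswordLastSet = $null; Admin = $null; Profile = $_.Path; Category = 'Missing user'
        }
    }

@($Report) + @($Missing) | Sort-Object Category, Account | Format-Table -AutoSize
```

A profile folder with no account, an account with no profile folder (never logged on), an unknown name with a recent LastLogon, or a baseline account that has quietly joined Administrators are each a lead, not a verdict; the deep-dive phase is where the contents of those folders are examined.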

In the previous parts, I discussed the need for system live analysis, its rules and required tools, and the checklist for carrying out a Windows live investigation.

Let's dive into the technical aspects from this part onwards. As illustrated in the checklist, identifying system information and understanding its configuration is one of the main steps in the early stage of an investigation.

Data Types: Current System settings and configurations [e.g. OS installation date, essential folders, hotfixes, drives, shadow copies, top-level network information, etc.]

Investigation Value: To understand the current state of the machine and to plan accordingly.

In part one, I discussed the differences between dead-box and live-box analysis and why system live analysis is an offer we can't refuse. I also explained the role of IoCs and IoAs in an investigation.

Part two covers the rules and tools that can be employed to conduct live forensic analysis on the Windows platform.

In part three, I focus on the types of data to be collected, in addition to the tools, commands, and technical requirements. Let's review the six categories again:

Windows Live Analysis Checklist

Note 1: The above checklist is for…

I hope you enjoyed reading part one of this series: Part 1: Blue Team: System Live Analysis - A Proactive Hunt!

Part two covers some rules and tools that can be employed to conduct live forensic analysis on the Windows platform. So which comes first, rules or tools?

1- Know the rules before using tools

I keep telling myself this before starting any investigation: be prepared, well prepared. It does not matter how good your tools are or how effective your techniques are.

Digital environments are fragile and keep changing every…

If you have not been hit by a cyberattack yet, it does not mean it will never happen to you. It's just a matter of time!

The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him. — Sun Tzu

As Sun Tzu says, it's all about our readiness. So what would you do? Just deploy a tool and wait for alerts? No way! …

Cybersecurity Hub

by Meisam Eslahi
