Blue Team-System Live Analysis [Part 9]- Windows: User Account Forensics- Ownership: Process, Applications, Folders, and Files

Let’s Connect | LinkedIn | Twitter

So far, we have discussed user account creation, deletion, privileges, and associated folders and settings such as users profile and AppData folders, and user-specific environment variables.

The above information is essential for an investigator to identify the existing and deleted user accounts. However, these data may not be sufficient to tag a user account as malicious or benign.

For instance, a legitimate user account with valid groups and permissions may look normal by analyzing the above information. However, there are many WHAT IFs that can change the story! What if the user…

  • Runs an odd process
  • Owns malicious files
  • Has access to a restricted folder
  • Installed unsolicited or malicious application

This post discusses the ownership of running processes, installed applications, folders, and files to address the above issues.

1- Running Processes

Windows programs [excutables] run as one or more processes and tasks. The complete analysis of running processes will be explained in upcoming posts. This section covers the techniques to obtain the name of user accounts running a process on the Windows operating system.

Task Manager: Forensically Unreliable!

The details Tab in task manager shows the name of running processes in addition to the user accounts name that running that processes, as shown in the figure below:

Users that Run a Process — Task Manager
  • The currently logged-in user is Cyfohub; however, a process named lsass.exe is running by the sechub user account!
  • According to the Windows standard baseline for processes, the lsass.exe user name is supposed to be NT AUTHORITY\SYSTEM, not any other local user account.

Note: We will have a dedicated post for Windows process investigation.

The Task Manager is not forensically reliable as the malicious processes can be hidden from the task manager.

Tasklist:

The tasklist is a built-in Windows command to display the running processes.

Tasklist /v
Users that Run a Process — Tasklist

The Tasklist command allows us to list all the processes runs by a specific user account.

tasklist /fi “username eq Cyfohub”
List of Processes Running by Specific User Accounts — Tasklist

Powershell:

Using powershell, we can obtain the list of running processes’ name, domain, and user name as follows:

Get-Process -IncludeUserName | Select-Object Name,Username
Users that Run a Process — Powershell

The above PowerShell command can be combined with findstr to list specific user name or processes as follows:

List of Processes Running by Specific User Accounts — Powershell

When it comes to installed applications and user accounts, the system investigators must look at it from two perspectives as follows:

  • Who installed it? — Which user account installed that application.
  • Installed for Who? — To check whether the application is installed for a specific user or all.

Let's answer the first question first. Who installed the application?

2- Installed Applications — Who Installed them?

To install any application in a Windows environment, we use two common installers such as Windows Installer (MSI) and EXE [e.g., setup.exe]. It's highly recommended to learn the differences between these installers.

MSI Installer:

In general, Windows logs few events [event ID 11707 and 1033] related to install/uninstall of applications if they use Windows Installer (MSI).

Limitation: The above events only log the applications installed by Windows Installer (MSI) and do not record any information related to any other type of installers such as .exe files.

Let's check the event ID of 11707 from Application Event Log to check the successful installation of an application.

wevtutil qe application /f:text “/q:*[System[(EventID=11707)]]”
Successful Installation of Autopsy Application — Event ID 11707

The event ID of 1033 provides us with more details on installed product descriptions.

wevtutil qe application /f:text “/q:*[System[(EventID=1033)]]”
Successful Installation of Autopsy Application — Event ID 1033

The results above show that Atpuosy software was installed by the sechub user on 20 April 2021 on the target system.

EXE Installer:

As discussed above, the event ID such as 11707 does not log any application with the EXE installer.

MSI vs. EXE Installers

For instance, the above applications were installed in a test system using MSI and EXE installers. The Autopsy.exe installation information was easily obtained by event IDs 11707 and 1033.

In contrast, it was quite challenging to get the same info for another two applications as not all the EXE installers key in installation information to the application log!

TIP: There is another event with an ID of 4688 from security that logs the creation of a process. If an application creates an executable file [exe] upon successful installation, this event can be used to understand when the application is installed and by who.

wevtutil qe security /f:text “/q:*[System[(EventID=4688)]]”
Obtain a Process Creator

3- Installed Applications — Installed for Who?

The second question for installed applications is whether they were installed for a specific user or all. Let's start with a tool before we discuss the rules.

UninstallView by Nirsoft:

Nirsoft developed an amazing tool called UninstallView to display data related to the installed applications, including “install to.”

UninstallView by Nirsoft

As shown in the figure above, the Foxit Reader and KMPlayer are both installed for all users, where the Zoom is only installed for a specific user account called Cyfohub.

Event ID 4688:

As explained earlier, this event ID provides us information about process creation, such as “New Process Name,” which includes the full path of a process. The last part explains the User Profile and AppData Folders, and we can use the same concept here.

wevtutil qe security /f:text “/q:*[System[(EventID=4688)]]” | findstr [process name].exe
Installed Application Executable File Locations

The applications such as Foxit Reader and KMPlayer, installed for all users, are located at C:\Program Files and C:\Program Files (x86). On the other hand, Zoom, installed for a specific user account, is located in the user AppData folder.

Windows Registry: HKEY_LOCAL_MACHINE

The HKEY_LOCAL_MACHINE, or in short HKLM, is a registry hive that keeps specific settings and information of the system. If an application is installed for all users, it should appear in HKEY_LOCAL_MACHINE\SOFTWARE or HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node.

Note: The WOW6432Node registry records the 32-bit applications installed on 64-bit Windows.

reg query “HKEY_LOCAL_MACHINE”
and
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node"
List of Applications that are installed for All Users

The Foxit Reader and KMPlayer are listed under HKEY_LOCAL_MACHINE software indicated these applications are installed for all users.

Windows Registry: HKEY_USERS

The HKEY_USERS, aka HKU, is one of the Windows registry hives that stores user-specific information for all active user account, including the installed software.

List of Softwares Installed for Specific User

Let's retrieve the software key data for the above user accounts.

reg query “HKEY_USERS\[User SID]\SOFTWARE
List of Softwares Installed for Specific User [Cyfohub and sechub user accounts]

As expected, the Foxit Reader and KMPlayer can be found for both user accounts; in contrast, the Zoom application only exists under Cyfohub.

4- Folder and Files

Without a doubt, analyzing folders and files is an integral part of every digital forensics investigation; in the following post, we will explain it in detail. This section only focuses on the folder and files’ ownerships.

DIR Command:

The DIR is a built-in windows command to display the list of directories, subdirectories, and files. There are many switches to customize the output of the DIR command, and we are using two of them:

  • /q: Displays file ownership information.
  • /s: Lists all of the file names within the directory along with all subdirectories.
DIR /s/q
Folder and File Owners with DIR Command

We can combine the above command with the findstr to list specific users:

DIR /s/q | findstr sechub
Folder and File for Specific Owner

Powershell:

The Powershell Get-Acl displays the security descriptor for resources, including files and folders.

Folder Owners with Powershell

Let’s use it along with Get-ChildItem to displays owners for all folders, subfolders, and files.

Get-ChildItem d: -recurse | ForEach-Object {Get-Acl $_.FullName} | Select-Object -Property Path, Owner
Folder, Subfolder, and File Owners with Powershell

5. What would be Next

This post explained the ownerships of Process, Applications, Folders, and Files. Yet we have no idea about applications that executed, recently opened directories and files.

Do you remember where to look for this information? Yes, you are correct … NTUSER.DAT! Stay Tune…

by Meisam Eslahi

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store