When did a user's access change?
I saw a question today on the Windows Forensic Analysis group on Yahoo that I thought was definitely worth repeating here. One of the members said that he was investigation a situation in which a limited helpdesk account was found to have Administrator-level rights on a system; his question was, how could he go about determining when the access level had changed.
Well, he never mentioned the version of Windows he was faced with, but if he were working with Windows XP or above, he could make use of the System Restore Points to answer that question.
How? Well, I wrote a ProScript to use with ProDiscover that parses through the SAM file of the Registry to extract things such as user information, and group membership information. Andreas posted some really good info on the specifics of parsing the Registry values, so I won't repeat it here. So...the ProScript works with the regular Registry files, but what to do about the Registry files located in the Restore points? Well, that's where the Offline Registry Parser comes in. By adapting regp.pl (from the SourceForge site) to include some code from my ProScript, one can then go back and parse through each of the SAM files in the Restore Points, until you find a point where the helpdesk account is no longer included in the Administrators account. Note that this will only work for accounts local on the system.
Not sure about the scripting but have a need for a tool that does something like this? Regp.pl will parse through the SAM file, dumping it all out to ASCII text, but it currently does not translate the specific values, particularly those that are REG_BINARY or REG_NONE types. However, a modicum of modification is all that's necessary to dump a report of just the information you want from that file. If this is something you'd be interested in, let me know, and maybe we can discuss some custom Perl coding. Need an EXE instead of a script? I can help with that, too.
Well, he never mentioned the version of Windows he was faced with, but if he were working with Windows XP or above, he could make use of the System Restore Points to answer that question.
How? Well, I wrote a ProScript to use with ProDiscover that parses through the SAM file of the Registry to extract things such as user information, and group membership information. Andreas posted some really good info on the specifics of parsing the Registry values, so I won't repeat it here. So...the ProScript works with the regular Registry files, but what to do about the Registry files located in the Restore points? Well, that's where the Offline Registry Parser comes in. By adapting regp.pl (from the SourceForge site) to include some code from my ProScript, one can then go back and parse through each of the SAM files in the Restore Points, until you find a point where the helpdesk account is no longer included in the Administrators account. Note that this will only work for accounts local on the system.
Not sure about the scripting but have a need for a tool that does something like this? Regp.pl will parse through the SAM file, dumping it all out to ASCII text, but it currently does not translate the specific values, particularly those that are REG_BINARY or REG_NONE types. However, a modicum of modification is all that's necessary to dump a report of just the information you want from that file. If this is something you'd be interested in, let me know, and maybe we can discuss some custom Perl coding. Need an EXE instead of a script? I can help with that, too.