Windows Oddities
Here are a couple of odd things about forensic analysis of Windows systems that I thought I'd share...
Windows Accounts
A user on one of the lists recently sent in an email with a question that I thought others might be interested in...well, interested in the question, and the answer...
The user said that they'd found profiles on an XP system with the following format for the directory names:
UserName
UserName.DomainName
UserName.DomainName.000
Evidently, according to this information on EvilBytes, this can occur when the user loses "Full Control" to their profile directory.
Fortunately, MS has something to say about this, as well...
Ch. 7 - Intro to Config and Mgmt
If another user with an account name jeffsmith logs on to the same Windows 2000 Professional–based computer from an identically named source (either a domain or local computer) and the SIDs of the two accounts are not the same, a new folder is created with an extension indicating how many times the user account name was used. This occurs when the user accounts are re-created and the user logs on to the same computer...
Also see:
How to restore a user profile in Windows 2000
How to restore a user profile in Windows 2003
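As an added example (not from the original post), here is a small triage routine an examiner could run over the directory names found under an offline image's "Documents and Settings" to pull out the UserName / UserName.DomainName / UserName.DomainName.000 collision sets described above. The domain and computer names in KNOWN_SOURCES and the directory list are constructed; parsing from the right keeps user names that themselves contain dots intact.

```python
import re
from collections import defaultdict

# Constructed sample: profile directory names from an imaged XP system,
# following the pattern in the post plus a dotted user name and the usual
# built-in profiles as noise.
SAMPLE_DIRS = [
    "jsmith", "jsmith.CORP", "jsmith.CORP.000", "jsmith.CORP.001",
    "john.doe", "john.doe.WKS01",
    "Administrator", "All Users", "Default User",
]
# Assumed domain / computer names the system was logged on from.
KNOWN_SOURCES = {"CORP", "WKS01"}

# Trailing ".000", ".001", ... counter appended on repeated collisions.
SUFFIX_RE = re.compile(r"^(?P<base>.+)\.(?P<idx>\d{3})$")

def split_profile_name(name, sources):
    """Return (user, source, index) for one profile directory name.
    'jsmith.CORP.000' -> ('jsmith', 'CORP', 0); 'john.doe' -> ('john.doe', None, None).
    The numeric counter is stripped first, then a known source name, so a dot
    inside the user name is not mistaken for a domain separator."""
    index = None
    m = SUFFIX_RE.match(name)
    if m:
        name, index = m.group("base"), int(m.group("idx"))
    source = None
    head, sep, tail = name.rpartition(".")
    if sep and tail in sources:
        name, source = head, tail
    return name, source, index

def profile_collisions(dirs, sources):
    """Group directories by user name and return only users with more than
    one profile folder: accounts re-created with a new SID, or logons from
    identically named sources, per the MS text quoted above."""
    by_user = defaultdict(list)
    for d in dirs:
        user, source, index = split_profile_name(d, sources)
        by_user[user].append((d, source, index))
    # Order: plain folder first, then per source, then by counter.
    return {u: sorted(v, key=lambda t: (t[1] or "", -1 if t[2] is None else t[2]))
            for u, v in by_user.items() if len(v) > 1}
```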
Mrt.log
I was looking up something related to running a checked build of netlogon.dll today and I ended up in the %SystemRoot%\Debug directory. I saw a couple of log files, one of them named "mrt.log". Evidently, this is an MS Malicious Software Removal Tool log file...follow the previous link to get a list of software that is detected and removed by MSRT. This can be useful information for a forensic examiner, particularly when coupled with any AV software that is installed on the system...you get a version number, the date/time that it was last run, as well as the results. Say you're examining a system that has Symantec's product installed, as well as MSRT...it would then make sense to review the data available in these logs, and then use a disparate product when scanning for malware.
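As an added example (not from the original post), the parser below pulls the version, start/finish time, results and return code out of each run recorded in mrt.log, so the last-run date and outcome can be lined up against the installed AV product's logs. The sample log text is constructed and modelled on the MSRT log layout; the exact wording varies between tool versions, so treat the patterns as an assumption to adjust against the file at hand.

```python
import re
from datetime import datetime

# Constructed sample in the MSRT log layout (assumption, not a real file).
SAMPLE_MRT_LOG = """\
Microsoft Windows Malicious Software Removal Tool v5.108, (build 5.108.20000.0)
Started On Tue Oct 11 12:03:41 2022

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Tue Oct 11 12:04:02 2022

Return code: 0 (0x0)
Microsoft Windows Malicious Software Removal Tool v5.109, (build 5.109.21000.0)
Started On Wed Nov 09 09:15:10 2022

Results Summary:
----------------
Infection found (constructed sample line).
Microsoft Windows Malicious Software Removal Tool Finished On Wed Nov 09 09:16:55 2022

Return code: 6 (0x6)
"""

VERSION_RE = re.compile(r"Malicious Software Removal Tool v(?P<ver>[\d.]+)")
START_RE = re.compile(r"^Started On (?P<ts>.+)$")
FINISH_RE = re.compile(r"Finished On (?P<ts>.+)$")
RETURN_RE = re.compile(r"^Return code: (?P<rc>\d+)")
TS_FMT = "%a %b %d %H:%M:%S %Y"   # ctime-style stamp used in the log

def parse_mrt_log(text):
    """Return one dict per run: version, started, finished, results, return_code."""
    runs, cur, in_results = [], None, False
    for line in text.splitlines():
        line = line.rstrip()
        m = VERSION_RE.search(line)          # header line opens a new run
        if m:
            cur = {"version": m.group("ver"), "started": None, "finished": None,
                   "results": [], "return_code": None}
            runs.append(cur)
            in_results = False
        elif cur is None:
            continue                          # junk before the first header
        elif (m := START_RE.match(line)):
            cur["started"] = datetime.strptime(m.group("ts"), TS_FMT)
        elif (m := FINISH_RE.search(line)):
            cur["finished"] = datetime.strptime(m.group("ts"), TS_FMT)
            in_results = False
        elif line.startswith("Results Summary:"):
            in_results = True
        elif (m := RETURN_RE.match(line)):
            cur["return_code"] = int(m.group("rc"))
        elif in_results and line and not line.startswith("---"):
            cur["results"].append(line)       # free-text result lines
    return runs

def last_run(runs):
    """Most recent run by start time: the 'when was it last run' answer."""
    return max(runs, key=lambda r: r["started"])
```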
Passwd.log
While looking at the mrt.log file, I noticed that in the same directory is a passwd.log file and thought that was curious. Not surprisingly I found NO information at MS about this file whatsoever...however, I did find one post that indicated that the file is used by lsass.exe to record information about the TSInternetUser account's password attempts, changes, etc. Granted, the post is six years old...but still, this may remain a valid use for the file. Additional posts found on Google (by searching the Web and Groups...) indicate that it may be associated with more than just the TSInternetUser account, but it definitely appears to be associated with the SamChangePasswordUser2 API.
If your passwd.log file has entries approximately every 24 hrs, associated with the TSInternetUser account, you may want to look to MS KB Q244057 for some useful info.
Resources
A Guide to Basic Computer Forensics