Monday, October 02, 2006

When did a user's access change?

I saw a question today on the Windows Forensic Analysis group on Yahoo that I thought was definitely worth repeating here. One of the members said that he was investigating a situation in which a limited helpdesk account was found to have Administrator-level rights on a system; his question was, how could he go about determining when the access level had changed?

Well, he never mentioned the version of Windows he was faced with, but if he were working with Windows XP or above, he could make use of the System Restore Points to answer that question.

How? Well, I wrote a ProScript to use with ProDiscover that parses through the SAM file of the Registry to extract things such as user information and group membership information. Andreas posted some really good info on the specifics of parsing the Registry values, so I won't repeat it here. So...the ProScript works with the regular Registry files, but what to do about the Registry files located in the Restore Points? Well, that's where the Offline Registry Parser comes in. By adapting regp.pl (from the SourceForge site) to include some code from my ProScript, one can then go back and parse through each of the SAM files in the Restore Points, until you find a point where the helpdesk account is no longer included in the Administrators group. The change must then have happened between that Restore Point and the next one in which the account is a member. Note that this will only work for accounts local to the system.
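To make the "walk the Restore Points until the account disappears" step concrete, here is an added Python example (not the ProScript or regp.pl code, and not part of the original post). It assumes the member list of the Administrators alias has already been extracted from each SAM copy as a blob of back-to-back binary SIDs, which is what the alias value holds; decoding those SIDs, and bracketing the change between the last snapshot where the account is absent and the first where it is present, is the part shown. The machine SID, the helpdesk account's RID, and the Restore Point timestamps are constructed sample values; on a real system the timestamps would come from each Restore Point's own metadata.

```python
import struct
from datetime import datetime


def parse_sid(buf, offset=0):
    """Decode one binary SID starting at buf[offset]: revision byte,
    sub-authority count byte, 6-byte big-endian identifier authority,
    then N little-endian DWORD sub-authorities.
    Returns (sid_string, bytes_consumed)."""
    revision = buf[offset]
    sub_count = buf[offset + 1]
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, buf, offset + 8)
    sid = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return sid, 8 + 4 * sub_count


def build_sid(sid_string):
    """Inverse of parse_sid; used here only to construct sample data."""
    parts = sid_string.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def parse_member_list(blob):
    """Split a blob of concatenated binary SIDs (the member list of a SAM
    alias such as Administrators) into SID strings."""
    members, offset = [], 0
    while offset < len(blob):
        sid, consumed = parse_sid(blob, offset)
        members.append(sid)
        offset += consumed
    return members


def bracket_membership_change(snapshots, target_sid):
    """snapshots: iterable of (datetime, member_blob), one per SAM copy
    (each Restore Point plus the live hive), in any order.
    Returns (last_seen_absent, first_seen_present). last_seen_absent is
    None when the account is already a member in the oldest copy, and the
    whole result is None when it is never a member."""
    previous = None
    for when, blob in sorted(snapshots, key=lambda s: s[0]):
        if target_sid in parse_member_list(blob):
            return previous, when
        previous = when
    return None


# --- constructed sample data (hypothetical SIDs and Restore Point times) ---
MACHINE = "S-1-5-21-1000-2000-3000"   # constructed machine SID
BUILTIN_ADMIN = MACHINE + "-500"      # built-in Administrator account
HELPDESK = MACHINE + "-1105"          # constructed RID for the helpdesk account


def _members(*sids):
    return b"".join(build_sid(s) for s in sids)


SAMPLE_SNAPSHOTS = [
    (datetime(2006, 10, 2, 9, 0), _members(BUILTIN_ADMIN, HELPDESK)),   # live SAM
    (datetime(2006, 9, 20, 3, 0), _members(BUILTIN_ADMIN)),             # RP1
    (datetime(2006, 9, 30, 3, 0), _members(BUILTIN_ADMIN, HELPDESK)),   # RP3
    (datetime(2006, 9, 27, 3, 0), _members(BUILTIN_ADMIN)),             # RP2
]

if __name__ == "__main__":
    absent, present = bracket_membership_change(SAMPLE_SNAPSHOTS, HELPDESK)
    print("helpdesk account not in Administrators at %s, present by %s"
          % (absent, present))
```

The result is a window, not an instant: the Restore Points are periodic snapshots, so the most this method can say is that the membership changed after one point and before the next. Narrowing it further means correlating that window with other sources (event logs, file timestamps) rather than squeezing more out of the SAM copies.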

Not sure about the scripting but have a need for a tool that does something like this? Regp.pl will parse through the SAM file, dumping it all out to ASCII text, but it currently does not translate the specific values, particularly those that are REG_BINARY or REG_NONE types. However, a modicum of modification is all that's necessary to dump a report of just the information you want from that file. If this is something you'd be interested in, let me know, and maybe we can discuss some custom Perl coding. Need an EXE instead of a script? I can help with that, too.

1 comment:

Mark McKinnon - mark.mckinnon@sbcglobal.net said...

Sorry so late, just catching up. How about we take your offline registry parser one step further and have it read in all the registry files in the restore points? Then you can create a time line of certain registry keys. I have done this with a few mods to your perl script and the use of a sqlite database. I also have a program that will pull the data off the DB and sort it for the time line. The only problem is there is a lot of data to parse through, so you would have to pare down the data that you were looking through, like only the HKEY_LOCAL_MACHINE\SOFTWARE or HKEY_USERS\user\Software keys, and save that to the db. Also it takes a while to process through all the files if you do everything, and you will also have a huge DB to search through.