Digital Forensics Tips & Tricks: Local User Accounts Membership
During the digital forensics analysis process, you may need to find out a local (non-domain) user account's membership in built-in groups, for example when you are checking some objects' ACLs that contain permissions only for local security groups.
I've tested a few system registry analyzers but didn't find a single tool with such a function. BTW, if you know of such an app, please write its name in the comments.
So I tried to work out how to check a user account's membership manually, and here is the solution. All you need is any hex editor and patience, of course :)
First, open the SAM registry file in a hex editor and find the local Users \ Names node:
Then find the user account of interest and note its Type field (this is the account's RID):
Now find the Builtin \ Aliases node, where all local security groups are listed:
You can traverse all Aliases one by one and check each one's readable name:
Or you can first select the group you are looking for by its name in the Builtin \ Aliases \ Names node and then use its Type field to find the related group in the Builtin \ Aliases node:
OK guys, we are almost at the finish line. Now select the group of interest. In the hex section you can see the ASCII name of the group and the group description (inside the orange rectangle). The last several lines contain information about the group members (highlighted in green):
And here is our user! Please note that the user identifiers in the member list are stored in little-endian format: the RID 03 EB is read from right to left.
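To make the last step less error-prone than eyeballing bytes, here is an added example (not from the post) that decodes the member region as standard binary SIDs and checks whether a given RID is present. It assumes the green member area is a contiguous run of binary SIDs (1-byte revision, 1-byte sub-authority count, 6-byte big-endian authority, then 4-byte little-endian sub-authorities); the member blob below is constructed for the demo.

```python
import struct


def build_sid(authority, subauths):
    """Encode a SID in its binary form (used only to construct sample data)."""
    header = bytes([1, len(subauths)]) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subauths), *subauths)


def parse_sid(buf, off=0):
    """Decode one binary SID at buf[off]; return (sid_string, bytes_consumed)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    sid = "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)
    return sid, 8 + 4 * count


def parse_members(blob):
    """Walk a run of binary SIDs (the alias member list) and return them as strings."""
    members, off = [], 0
    while off + 8 <= len(blob):
        sid, n = parse_sid(blob, off)
        members.append(sid)
        off += n
    return members


def is_member(blob, rid):
    """True if any SID in the member list ends with the given RID (last sub-authority)."""
    return any(int(s.rsplit("-", 1)[1]) == rid for s in parse_members(blob))


# Constructed member list: a local machine SID with RIDs 500 and 1003 (0x3EB).
# The last four bytes are EB 03 00 00, the little-endian "03 EB" from the post.
MEMBER_BLOB = build_sid(5, [21, 111, 222, 333, 500]) + build_sid(5, [21, 111, 222, 333, 1003])

if __name__ == "__main__":
    for sid in parse_members(MEMBER_BLOB):
        print(sid)
    print("RID 0x3EB is a member:", is_member(MEMBER_BLOB, 0x3EB))
```

Paste the hex of the real member region (selected in the editor) into `bytes.fromhex(...)` in place of the constructed blob and compare the RID from the user's Type field.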
Thank you, I'll be back soon with other good Digital Forensics content!