Digital Forensics Tips & Tricks: Local User Accounts Membership

    During digital forensic analysis you may need to determine a local (non-domain) user account's membership in the built-in groups, for example when you are checking an object's ACL that contains permissions only for local security groups.

    I've tested a few system registry analyzers but didn't find a single tool with such a function. BTW, if you know of such an app, please write its name in the comments.

    So I tried to work out how to check a user account's membership manually, and here is the solution. All you need is a hex editor and, of course, patience :)

    First, open the SAM registry file in the hex editor and find the local Users \ Names node:

    image

    Then find the user account of interest and note its Type field:

    image

    Now find the Builtin \ Aliases node, where all local security groups are listed:

    image

    You can traverse the Aliases one by one and check each one's readable name:

    image

    Or you can first select the group you are looking for by its name in the Builtin \ Aliases \ Names node and then use its Type field to find the related group in the Builtin \ Aliases node:

    image

    OK, we are almost at the finish line. Now select the group of interest. In the hex section you can see the ASCII name of the group and the group description (inside the orange rectangle). The last several lines contain information about the group members (highlighted in green):

    image

    And here is our user! Note that the user identifiers are stored in little-endian byte order, so the bytes EB 03 are read from right to left as 03 EB.

    image
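    As an added example (not code from the original post), here is a small Python helper that decodes a member area as a run of binary SIDs and checks whether a given user RID, such as 0x03EB from the screenshot above, is among them. The sample bytes are constructed, and the layout assumed for each entry is the standard binary SID (revision, sub-authority count, 6-byte big-endian authority, 32-bit little-endian sub-authorities); neither is taken from the post.

```python
import struct

# Constructed sample: the member area of one alias, holding two binary SIDs
# for a made-up machine SID S-1-5-21-1111-2222-3333. The RID is the last
# sub-authority and is little-endian, which is why 0x03EB appears as "EB 03".
SAMPLE_MEMBERS = bytes.fromhex(
    "0105000000000005" "15000000" "57040000" "ae080000" "050d0000" "f4010000"   # RID 500
    "0105000000000005" "15000000" "57040000" "ae080000" "050d0000" "eb030000"   # RID 1003
)

def parse_sid(blob: bytes, offset: int = 0) -> tuple[str, int]:
    """Decode one binary SID at `offset`; return (textual SID, bytes consumed)."""
    revision, count = blob[offset], blob[offset + 1]
    # The 48-bit identifier authority is the one big-endian field in a SID.
    authority = int.from_bytes(blob[offset + 2:offset + 8], "big")
    # Sub-authorities (including the trailing RID) are 32-bit little-endian.
    subs = struct.unpack_from("<%dI" % count, blob, offset + 8)
    text = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return text, 8 + 4 * count

def parse_members(blob: bytes) -> list[str]:
    """Walk a run of back-to-back binary SIDs and return them as text."""
    sids, off = [], 0
    while off + 8 <= len(blob):
        sid, used = parse_sid(blob, off)
        sids.append(sid)
        off += used
    return sids

def rid_of(sid: str) -> int:
    """The RID is the last sub-authority of a SID."""
    return int(sid.rsplit("-", 1)[1])

def is_member(blob: bytes, rid: int) -> bool:
    """True if any SID in the alias member area ends with the given RID."""
    return any(rid_of(s) == rid for s in parse_members(blob))

if __name__ == "__main__":
    for sid in parse_members(SAMPLE_MEMBERS):
        print(sid)
    print("RID 0x03EB is a member:", is_member(SAMPLE_MEMBERS, 0x03EB))
```

    To use it on a real hive, copy the green-highlighted member bytes from the hex editor into a bytes object in place of the constructed sample.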

    Thank you, I'll be back soon with more good Digital Forensics content!
