Saturday, April 05, 2008

Windows Oddities

Here are a couple of odd things about forensic analysis of Windows systems that I thought I'd share...

Windows Accounts
A user on one of the lists recently sent in an email with a question that I thought others might be interested in...well, interested in the question, and the answer...

The user said that they'd found profiles on an XP system with the following format for the directory names:

UserName
UserName.DomainName
UserName.DomainName.000

Evidently, according to this information on EvilBytes, this can occur when the user loses "Full Control" of their profile directory.

Fortunately, MS has something to say about this, as well...
Ch. 7 - Intro to Config and Mgmt
If another user with an account name jeffsmith logs on to the same Windows 2000 Professional–based computer from an identically named source (either a domain or local computer) and the SIDs of the two accounts are not the same, a new folder is created with an extension indicating how many times the user account name was used. This occurs when the user accounts are re-created and the user logs on to the same computer...

Also see:
How to restore a user profile in Windows 2000
How to restore a user profile in Windows 2003
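
The directory-name pattern above, worked through as an added example (my code, not from the original post or from Microsoft): given the folder names under Documents and Settings and the SID-to-ProfileImagePath mapping from the SOFTWARE hive's ProfileList key, it groups folders by user name, orders them as Windows would have created them, and attaches the owning SID, so an examiner can see at a glance that one account name has been used with several SIDs (re-created, as the MS text describes, or migrated, as the comment below notes). All folder names, SIDs and the set of known domain/computer names are constructed.

```python
# Added example: flag Windows profile folders created by account-name reuse.
# Inputs are constructed: folder names, SID -> ProfileImagePath as stored under
# the SOFTWARE hive's ProfileList key, and the domain/computer names in use.
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

COUNTER_RE = re.compile(r"^(?P<base>.+)\.(?P<n>\d{3})$")  # trailing .000, .001, ...

def parse_folder(name: str, known_sources: Set[str]) -> Tuple[str, Optional[str], Optional[int]]:
    """Split a folder name into (user, source, counter). A dotted suffix counts as
    the source only if it is a known domain/computer name, because user names
    may themselves contain dots (e.g. 'john.smith')."""
    counter = None
    m = COUNTER_RE.match(name)
    if m:
        name, counter = m.group("base"), int(m.group("n"))
    user, dot, tail = name.rpartition(".")
    if dot and tail.upper() in {s.upper() for s in known_sources}:
        return user, tail, counter
    return name, None, counter

def creation_order(source: Optional[str], counter: Optional[int]) -> int:
    """0 = UserName, 1 = UserName.Source, 2+n = UserName.Source.NNN (n = NNN)."""
    if counter is not None:
        return 2 + counter
    return 0 if source is None else 1

def profile_reuse_report(folders: List[str], profile_list: Dict[str, str],
                         known_sources: Set[str]) -> Dict[str, List[Tuple[str, Optional[str]]]]:
    """Return {user: [(folder, sid), ...]} for every user name owning more than one
    folder, in creation order. Distinct SIDs on one name confirm re-creation."""
    sid_by_folder = {p.rsplit("\\", 1)[-1].lower(): sid for sid, p in profile_list.items()}
    by_user = defaultdict(list)
    for f in folders:
        user, source, counter = parse_folder(f, known_sources)
        by_user[user.lower()].append((creation_order(source, counter), f, sid_by_folder.get(f.lower())))
    return {u: [(f, sid) for _, f, sid in sorted(entries, key=lambda e: e[0])]
            for u, entries in by_user.items() if len(entries) > 1}

# Constructed sample data, not taken from a real system.
SAMPLE_FOLDERS = ["Administrator", "jeffsmith", "jeffsmith.CORP", "jeffsmith.CORP.000", "john.smith"]
SAMPLE_PROFILE_LIST = {
    "S-1-5-21-1111-2222-3333-1005": r"%SystemDrive%\Documents and Settings\jeffsmith",
    "S-1-5-21-1111-2222-3333-1042": r"%SystemDrive%\Documents and Settings\jeffsmith.CORP",
    "S-1-5-21-1111-2222-3333-1077": r"%SystemDrive%\Documents and Settings\jeffsmith.CORP.000",
    "S-1-5-21-1111-2222-3333-1009": r"%SystemDrive%\Documents and Settings\john.smith",
}
SAMPLE_SOURCES = {"CORP", "WKSTN01"}
```

Running `profile_reuse_report(SAMPLE_FOLDERS, SAMPLE_PROFILE_LIST, SAMPLE_SOURCES)` reports only jeffsmith, with three folders and three different SIDs; john.smith is left alone because "smith" is not a known domain or computer name.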

Mrt.log
I was looking up something related to running a checked build of netlogon.dll today and I ended up in the %SystemRoot%\Debug directory. I saw a couple of log files, one of them named "mrt.log". Evidently, this is an MS Malicious Software Removal Tool log file...follow the previous link to get a list of software that is detected and removed by MSRT. This can be useful information for a forensic examiner, particularly when coupled with any AV software that is installed on the system...you get a version number, the date/time that it was last run, as well as the results. Say you're examining a system that has Symantec's product installed, as well as MSRT...it would then make sense to review the data available in these logs, and then use a disparate product when scanning for malware.

Passwd.log
While looking at the mrt.log file, I noticed that in the same directory is a passwd.log file and thought that was curious. Not surprisingly, I found no information at MS about this file whatsoever...however, I did find one post that indicated that the file is used by lsass.exe to record information about the TSInternetUser account's password attempts, changes, etc. Granted, the post is six years old...but still, this may remain a valid use for the file. Additional posts found on Google (by searching the Web and Groups...) indicate that it may be associated with more than just the TSInternetUser account, but it definitely appears to be associated with the SamChangePasswordUser2 API.

If your passwd.log file has entries approximately every 24 hrs, associated with the TSInternetUser account, you may want to look to MS KB Q244057 for some useful info.


Resources
A Guide to Basic Computer Forensics

3 comments:

Anonymous said...

Hi Harlan,

I wanted to mention another situation where you may encounter user account structures like the first section of your post. When user accounts are migrated from one Active Directory (AD) environment to another (or NT to AD) using Quest Migration Manager or similar products, a new account in the destination domain is created with the same name as the old account. The same net result as what you describe, but more a side-effect of an intentional action rather than suspicious activity.

Thanks for all the great posts and please keep the books coming!

Steve

H. Carvey said...

Steve,

Thanks, great stuff! Got a reference for that? Surely MS has that documented somehow... =)

Anonymous said...

Well, it's hardly explicitly detailed anywhere I've been able to find, but it is referred to here and here. Perhaps more could be found within the Windows Protocols area, but what little I understood didn't help me out.

Steve