Wednesday, November 20, 2013

Daily Blog #150: Forensic artifacts from renaming accounts in Windows 7

Hello Reader,
             One of the things I enjoy is talking to other examiners and hearing about mysteries they find that our current knowledge base does not cover. I like hearing about these because I can then try to help by setting up a test platform to determine what is causing the underlying mystery and identify a new artifact that we can all benefit from. Such an instance happened yesterday in a discussion with an examiner, who can identify himself if he chooses to, regarding a system he was looking at.

The system in question was running Windows 7 and had a peculiar situation. When the examiner looked at the file system, a user SID was associated with a name we'll call 'NameB'; however, the SAM and the event logs referenced the same SID with another user name that we'll call 'NameA'. The same SID, and thus the same user, was being referenced by two different names from two different sources, both generated by the system itself. This was odd to say the least, and the examiner pointed out that he saw 'NameB' in the 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' key while he saw 'NameA' in the SAM registry hive located at %SYSTEMDRIVE%\Windows\System32\Config\SAM.

My hypothesis, which I thought unlikely, was that there was a bug in Windows: if an account is first created and then renamed, the two registries would be out of sync. So to test this hypothesis I took one of my stock Windows 7 virtual machines and did the following:

1. I created two accounts
           a. standarduser - A non administrative account
           b. testuser - An administrative account
2. I then logged into each account and logged off of them to make sure all profile data was created
3. I then rebooted the system to make sure all changes were flushed to the system registries
4. I then logged in as a third user and renamed both accounts
           a. I renamed standarduser to notstandarduser
           b. I renamed testuser to NotTestUser
5. I then inspected the registries

What I found was interesting. The profile names in the Users directory and within the stub of the SAM file remained the same, but within the 'V' key under SAM\Domains\Account\Users\\V I found both the old and the new names listed.

I need to find the specification of this key so we can parse this automatically, as there is no termination character between the two names.

So if in the future you have a case where the names of ownership and login don't line up, check SAM\Domains\Account\Users\\V to find out if the account was renamed. Of course, if you relied only on the SID you wouldn't have this problem, but most of us like to attribute a username as well, as that's what others outside of our field would understand.
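One way to pull both names out of that V data, as an added example that is not the post's own code: it reads the account name, full name and comment through the value's offset/length header (the layout documented by open-source SAM parsers such as chntpw, which is what lets you split the names even though there is no terminator between them) and also carves every printable UTF-16LE run from the data region, where the two names show up run together. The V blob here is constructed in code for the test, not taken from a real hive, and the "old name in the full-name field" layout it uses is an assumption chosen to mirror the rename described above.

```python
import re
import struct

# V value layout as documented by open-source SAM parsers (e.g. chntpw):
# 17 twelve-byte (offset, length, flags) entries = 0xCC bytes of header,
# then a data region; every offset is relative to the end of the header.
V_HEADER_LEN = 0xCC
FIELDS = {"username": 0x0C, "fullname": 0x18, "comment": 0x24}


def build_v_value(username, fullname="", comment=""):
    """Construct a synthetic V value for testing; this is not a real hive value."""
    header = bytearray(V_HEADER_LEN)
    data = b""
    for name, text in (("username", username), ("fullname", fullname), ("comment", comment)):
        enc = text.encode("utf-16-le")
        # Record where this field starts in the data region and how long it is.
        struct.pack_into("<II", header, FIELDS[name], len(data), len(enc))
        data += enc
    return bytes(header) + data


def parse_v_value(blob):
    """Return the header-addressed fields plus every printable UTF-16LE run in the data region."""
    if len(blob) < V_HEADER_LEN:
        raise ValueError("V value shorter than its %#x-byte header" % V_HEADER_LEN)
    result = {}
    for name, pos in FIELDS.items():
        ofs, length = struct.unpack_from("<II", blob, pos)
        start = V_HEADER_LEN + ofs
        result[name] = blob[start:start + length].decode("utf-16-le", errors="replace")
    # Carve printable UTF-16LE runs: with no terminator, adjacent names merge into one run.
    data = blob[V_HEADER_LEN:]
    result["strings"] = [m.group().decode("utf-16-le")
                         for m in re.finditer(rb"(?:[\x20-\x7e]\x00){3,}", data)]
    return result


def rename_indicators(blob):
    """Names stored in the V value that differ from the current account name."""
    parsed = parse_v_value(blob)
    current = parsed["username"]
    return sorted({s for s in (parsed["fullname"], parsed["comment"]) if s and s != current})


if __name__ == "__main__":
    sample = build_v_value("NotTestUser", "testuser")  # constructed, mirrors the rename above
    print(parse_v_value(sample))
    print(rename_indicators(sample))
```

On a real hive, feed the raw bytes of the V value (for example read with python-registry) into parse_v_value and compare the header-addressed fields with the carved runs.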

Hope this was helpful! Leave a comment if you've seen something similar or have found other changes that can cause similar behavior.