Blue Team-System Live Analysis [Part 8]- Windows: User Account Forensics- Profile Folder, AppData, and Environment Variables

User Account Forensics — Deep-Dive Analysis
  1. Users Profile Location
systeminfo | findstr Directory
Windows Installation Directories
reg query "HKLM\software\microsoft\windows NT\currentVersion\profileList" | findstr ProfilesDirectory
Users Folder Location — Standard and Modified Examples
reg query "HKLM\software\microsoft\windows NT\currentVersion\profileList\S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-1001"
Cyfohub User Folder in Odd Location
Users Folder
  • Default: This is a hidden folder that Windows uses as a generic template for user account folders. When a new user account is created, Windows builds the associated subfolder from this default template.
  • Public: As the name suggests, all user accounts can access this folder to share files on the same machine.
  • User Account Folders [e.g. Cyfohub and Sechub]: These are the user-specific folders that Windows creates for each user account upon first-time login.
dir /a | findstr "<DIR>"
Sechub User Subfolders
reg query "HKU\S-1-5-21-xxxxxxxx-xxxxxxxxxx-xxxxxxxxx-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
Standard Folder Name and Location for a User Account
Non-Standard Name and Location for a User Account
NTUSER.DAT Location
  • Executed programs and applications
  • Recently opened directories, files, applications, and documents
  • Files executed with Run command and startup programs
  • Typed paths in Windows Explorer and User search history in the search bar
  • Internet Settings and typed URLs in Internet Explorer
  • File extensions, Desktop contents, ShellBags, and Connected printers
AppData Local Subfolder
  • UsrClass.dat: Just like NTUSER.DAT, UsrClass.dat is another registry hive from which user-related information can be obtained. This file is located at AppData\Local\Microsoft\Windows, and we need FTK Imager to copy it during live analysis.
System:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
User:
HKEY_CURRENT_USER\Environment
HKEY_USERS\[USER SID]\Environment
Environment Variables for Sechub
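The following script is an added example (not code from the original article) that automates the checks above in PowerShell: it reads ProfilesDirectory and every S-1-5-21 entry in ProfileList, flags profiles whose folder is not the standard <ProfilesDirectory>\<account name> layout, prints where NTUSER.DAT and UsrClass.dat should be for imaging, and dumps the User Shell Folders and Environment values for each hive loaded under HKU plus the system Environment key. It assumes an elevated PowerShell session on the live host; the function name Show-HiveValues is the example's own.

```powershell
# Added example, not the article's own code. Assumes an elevated PowerShell session on the live host.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profilesDir = [Environment]::ExpandEnvironmentVariables(
    (Get-ItemProperty -Path $profileList -Name ProfilesDirectory).ProfilesDirectory).TrimEnd('\')
Write-Host "ProfilesDirectory: $profilesDir"

function Show-HiveValues([string]$Path, [string]$Label) {
    # Print every value under a registry key, skipping the PS* bookkeeping properties.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $item) { Write-Host "    $Label : (key not present or hive not loaded)"; return }
    Write-Host "    $Label :"
    $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Host ("        {0,-28} = {1}" -f $_.Name, $_.Value) }
}

# Interactive user profiles carry an S-1-5-21-... SID; S-1-5-18/19/20 are service profiles.
Get-ChildItem -Path $profileList | Where-Object { $_.PSChildName -like 'S-1-5-21-*' } | ForEach-Object {
    $sid  = $_.PSChildName
    $path = [Environment]::ExpandEnvironmentVariables(
        (Get-ItemProperty -Path $_.PSPath -Name ProfileImagePath).ProfileImagePath).TrimEnd('\')
    try   { $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value }
    catch { $account = '<unresolved SID>' }

    # Standard layout is <ProfilesDirectory>\<account name>; anything else is the "odd location" or
    # "non-standard name" case shown in the article and deserves a closer look.
    $parentOk = (Split-Path -Path $path -Parent).TrimEnd('\') -eq $profilesDir
    $leafOk   = (Split-Path -Path $path -Leaf) -eq ($account.Split('\')[-1])
    $verdict  = 'NON-STANDARD LOCATION'
    if ($parentOk) { $verdict = if ($leafOk) { 'standard' } else { 'NON-STANDARD NAME' } }

    Write-Host ''
    Write-Host ("[{0}] {1}  {2}  -> {3}" -f $verdict, $sid, $account, $path)
    # Hive files to copy with FTK Imager while the system is live (they are locked while in use).
    Write-Host "    NTUSER.DAT   : $path\NTUSER.DAT"
    Write-Host "    UsrClass.dat : $path\AppData\Local\Microsoft\Windows\UsrClass.dat"

    # User Shell Folders and the per-user Environment key are only readable while the hive is loaded.
    $hku = "Registry::HKEY_USERS\$sid"
    Show-HiveValues "$hku\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" 'User Shell Folders'
    Show-HiveValues "$hku\Environment" 'User Environment'
}

Write-Host ''
Write-Host 'System environment:'
Show-HiveValues 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' 'Session Manager\Environment'
```

A profile reported as NON-STANDARD is not proof of tampering (roaming profiles and renamed accounts produce the same result), but it is the profile to prioritise when pulling NTUSER.DAT and UsrClass.dat.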
