Blue Team-System Live Analysis [Part 8]- Windows: User Account Forensics- Profile Folder, AppData, and Environment Variables
The deep-dive analysis phase focuses on detailed analysis of user settings and behaviours to obtain information about:
This part discusses the Profile Folder, AppData, and Environment Variables for each user account.
- Users Profile Location
As discussed earlier, windows create a user profile folder for each user account upon the First-time Login. The folders are located in C:\users. The “C:\” here refers to the OS installation drive [%SystemDrive%].
systeminfo | findstr Directory
We can’t rely on the above technique alone as there may be a chance that users folder location changed to another drive or folder. Thus, we should always validate the correct location.
reg query “HKLM\software\microsoft\windows NT\currentVersion\profileList” | findstr ProfilesDirectory
reg query "HKLM\software\microsoft\windows NT\currentVersion\profileList\S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-1001"
The example above shows a User Folder with an odd location [i.e. System32 folder] instead of the default location, which is %SystemDrive%\Users.
2. Users Profile Subfolders
There are different types of subfolders in the User Folder regardless of its location as follows:
- Default: This is a hidden folder used by Windows as a generic template for the user accounts folder. When a new user account is created, Windows build the associated subfolder based on this default template.
- Public: As the name suggests, all user accounts can access this folder to share files on the same machine.
- User Account Folders [e.g. Cyfohub, and Sechub]: These are the user-specific folders that Windows create for each user account upon the first-time login.
Each user profile folder [e.g. sechub] contains numbers of subfolders as follows:
dir /a | findstr “<DIR>”
The folder names suggest their forensics values, such as Desktop, Downloads, Favorites, Music, etc. The content of each folder may help forensics analysts to understand each user’s behaviour.
Note: We may also found application-related folders created by an application installed on the system under specific user accounts.
For instance, the Nmap is installed on the target system under the Cyfhub user. Once the Zenmap runs for the first time, it creates a folder in the Cyfohub user folder.
The above folder names and their location [%USERPROFILE%] are standards modified by users. Thus, we should validate them.
reg query “HKU\S-1–5–21–xxxxxxxx–xxxxxxxxxx–xxxxxxxxx–1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders”
As shown in the figure above, the Downloads folder for the Cyfohub user account moved to drive D. The AppData Roaming folder moved to drive D, and its name changed to Cyfohub.
The NTUSER.DAT is the main registry hive for the users residing in the user account profile folder and contains the most valuable forensics data. Each user accounts has its NTUSER.DAT file that stores user profiles, settings, and activities.
Windows keep a backup of all the activities and changes such as accessing folders, opening files, network shares, etc., in the transaction logs called netuser.dat.LOG1 and netuser.dat.LOG2 during the live session and saves them into NTUSER.DAT during Log off.
Note: To have the most updated version of NTUSER.DAT, we should also have the transaction logs 1 and 2.
The file and associated logs provide us with fantastic information with high forensics values as follows:
- Executed programs and applications
- Recently opened directories, files, applications, and documents
- Files executed with Run command and startup programs
- Typed paths in Windows Explorer and User search history in the search bar
- Internet Settings and typed URLs in Internet Explorer
- File extensions, Desktop contents, ShellBags, and Connected printers
Note: We cannot use standard copy and paste methods to copy the NTUSER.DAT, LOG1, and LOG2 for the logged-in user during the live investigation as the files are in active use and protected. The forensics tools such as FTK Imager will help to make a copy. We will discuss this in the following posts.
4. AppData Folder
One of the most exciting data sources for windows forensics is AppData [Hidden] Folder containing custom settings files and other information created by applications installed on the system.
The data in Local and LocalLow subfolders are under Windows user profile only and cannot be synced to move them to another computer in a domain environment.
On the other hand, the Roaming subfolder data can be synced to a server and move with our user profile from a computer to another.
- UsrClass.dat: · Just Like NTUSER.DAT, the UsrClass is another registry hive to obtained user-related information. This file is located at AppData Local Microsoft Windows, and we need the FTK Imager to copy it during live analysis.
5. Environment Variables
Environment variables are stored information such as search paths for files, directories for temporary files, application-specific options, etc., that tells us about the environment used by each user.
Part 4 of the system live analysis series explained how to retrieve environment variables for the system and current user by SET command and Regquery as follows:
To check the environment variables for other user accounts, we can use reg query too; however, we need to obtain the information from another location as follows:
HKEY_USERS\[USER SID ]\Environment
Using the above technique, I obtained the sechub user account’s environment variables while logged in with the Cyfohub user account.
Stay Tune ..next posts will cover the rest of our journey in the deep-dive analysis of user accounts.