Blue Team-System Live Analysis [Part 9]- Windows: User Account Forensics- Ownership: Process, Applications, Folders, and Files
![Cyber Meisam [CM]](https://miro.medium.com/v2/resize:fill:88:88/1*z3dPwSm2b3NSLl0gK21kYg.png){kind=small}
Let’s Connect | LinkedIn | Twitter
So far, we have discussed user account creation, deletion, privileges, and associated folders and settings such as users profile and AppData folders, and user-specific environment variables.
The above information is essential for an investigator to identify the existing and deleted user accounts. However, these data may not be sufficient to tag a user account as malicious or benign.
For instance, a legitimate user account with valid groups and permissions may look normal by analyzing the above information. However, there are many WHAT IFs that can change the story! What if the user…
- Runs an odd process
- Owns malicious files
- Has access to a restricted folder
- Installed unsolicited or malicious application
This post discusses the ownership of running processes, installed applications, folders, and files to address the above issues.
1- Running Processes
Windows programs [executables] run as one or more processes and tasks. The complete analysis of running processes will be explained in upcoming posts. This section covers the techniques to obtain the name of user accounts running a process on the Windows operating system.
Task Manager
The details Tab in task manager shows the name of running processes in addition to the user accounts name that running that processes, as shown in the figure below:
- The currently logged-in user is Cyfohub; however, a process named lsass.exe is running by the sechub user account!
- According to the Windows standard baseline for processes, the lsass.exe user name is supposed to be NT AUTHORITY\SYSTEM, not any other local user account.
Note: We will have a dedicated post for Windows process investigation.
Tasklist:
The tasklist is a built-in Windows command to display the running processes.
Tasklist /v
The Tasklist command allows us to list all the processes runs by a specific user account.
tasklist /fi “username eq Cyfohub”
Powershell:
Using powershell, we can obtain the list of running processes’ name, domain, and user name as follows:
Get-Process -IncludeUserName | Select-Object Name,Username
The above PowerShell command can be combined with findstr to list specific user name or processes as follows:
When it comes to installed applications and user accounts, the system investigators must look at it from two perspectives as follows:
- Who installed it? — Which user account installed that application.
- Installed for Who? — To check whether the application is installed for a specific user or all.
Let's answer the first question first. Who installed the application?
2- Installed Applications — Who Installed them?
To install any application in a Windows environment, we use two common installers such as Windows Installer (MSI) and EXE [e.g., setup.exe]. It's highly recommended to learn the differences between these installers.
MSI Installer:
In general, Windows logs few events [event ID 11707 and 1033] related to install/uninstall of applications if they use Windows Installer (MSI).
Limitation: The above events only log the applications installed by Windows Installer (MSI) and do not record any information related to any other type of installers such as .exe files.
Let's check the event ID of 11707 from Application Event Log to check the successful installation of an application.
wevtutil qe application /f:text “/q:*[System[(EventID=11707)]]”
The event ID of 1033 provides us with more details on installed product descriptions.
wevtutil qe application /f:text “/q:*[System[(EventID=1033)]]”
The results above show that Atpuosy software was installed by the sechub user on 20 April 2021 on the target system.
EXE Installer:
As discussed above, the event ID such as 11707 does not log any application with the EXE installer.
For instance, the above applications were installed in a test system using MSI and EXE installers. The Autopsy.exe installation information was easily obtained by event IDs 11707 and 1033.
In contrast, it was quite challenging to get the same info for another two applications as not all the EXE installers key in installation information to the application log!
TIP: There is another event with an ID of 4688 from security that logs the creation of a process. If an application creates an executable file [exe] upon successful installation, this event can be used to understand when the application is installed and by who.
wevtutil qe security /f:text “/q:*[System[(EventID=4688)]]”
3- Installed Applications — Installed for Who?
The second question for installed applications is whether they were installed for a specific user or all. Let's start with a tool before we discuss the rules.
UninstallView by Nirsoft:
Nirsoft developed an amazing tool called UninstallView to display data related to the installed applications, including “install to.”
As shown in the figure above, the Foxit Reader and KMPlayer are both installed for all users, where the Zoom is only installed for a specific user account called Cyfohub.
Event ID 4688:
As explained earlier, this event ID provides us information about process creation, such as “New Process Name,” which includes the full path of a process. The last part explains the User Profile and AppData Folders, and we can use the same concept here.
wevtutil qe security /f:text “/q:*[System[(EventID=4688)]]” | findstr [process name].exe
The applications such as Foxit Reader and KMPlayer, installed for all users, are located at C:\Program Files and C:\Program Files (x86). On the other hand, Zoom, installed for a specific user account, is located in the user AppData folder.
Windows Registry: HKEY_LOCAL_MACHINE
The HKEY_LOCAL_MACHINE, or in short HKLM, is a registry hive that keeps specific settings and information of the system. If an application is installed for all users, it should appear in HKEY_LOCAL_MACHINE\SOFTWARE or HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node.
Note: The WOW6432Node registry records the 32-bit applications installed on 64-bit Windows.
reg query “HKEY_LOCAL_MACHINE”
and
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node"
The Foxit Reader and KMPlayer are listed under HKEY_LOCAL_MACHINE software indicated these applications are installed for all users.
Windows Registry: HKEY_USERS
The HKEY_USERS, aka HKU, is one of the Windows registry hives that stores user-specific information for all active user account, including the installed software.
Let's retrieve the software key data for the above user accounts.
reg query “HKEY_USERS\[User SID]\SOFTWARE
As expected, the Foxit Reader and KMPlayer can be found for both user accounts; in contrast, the Zoom application only exists under Cyfohub.
4- Folder and Files
Without a doubt, analyzing folders and files is an integral part of every digital forensics investigation; in the following post, we will explain it in detail. This section only focuses on the folder and files’ ownerships.
DIR Command:
The DIR is a built-in windows command to display the list of directories, subdirectories, and files. There are many switches to customize the output of the DIR command, and we are using two of them:
- /q: Displays file ownership information.
- /s: Lists all of the file names within the directory along with all subdirectories.
DIR /s/q
We can combine the above command with the findstr to list specific users:
DIR /s/q | findstr sechub
Powershell:
The Powershell Get-Acl displays the security descriptor for resources, including files and folders.
Let’s use it along with Get-ChildItem to displays owners for all folders, subfolders, and files.
Get-ChildItem d: -recurse | ForEach-Object {Get-Acl $_.FullName} | Select-Object -Property Path, Owner
5. What would be Next
This post explained the ownerships of Process, Applications, Folders, and Files. Yet we have no idea about applications that executed, recently opened directories and files.
Do you remember where to look for this information? Yes, you are correct … NTUSER.DAT! Stay Tune…
![Cyber Meisam [CM]](https://miro.medium.com/v2/resize:fill:144:144/1*z3dPwSm2b3NSLl0gK21kYg.png)