Account Usage

Forensic evidence of account usage refers to the evidence that can be collected and analyzed to determine who used a particular account, when the account was accessed, and what actions were taken while the account was in use. This type of evidence can be useful in a variety of situations, including investigations into the use of Valid Accounts.

There are several types of forensic evidence that can be used to identify account usage:

  1. Log Files: system logs, network logs, and application logs can record who accessed a particular account and when.

  2. System Artifacts: registry keys, system files, and application data can record which accounts have been used on a particular system or application.

  3. Network Traffic: packet captures and network flow telemetry can show which accounts were used to access systems or data over the network.

  4. User Artifacts: files and documents can carry information about the accounts that were used to create or modify them.

The evidence extracted from investigating Account Usage can often provide insight into possible Initial Entry, Persistence, Privilege Escalation, Defense Evasion, Credential Access, and Lateral Movement tactics.

Last Login and Last Password Change

The "Last Login" and "Last Password Change" artifacts refer to the time stamps that are recorded when a user logs into an account or changes their password. These artifacts can be useful in forensic investigations to determine the usage of an account and to identify any suspicious activity.

The "Last Login" artifact is a time stamp that is recorded when a user logs into an account. This artifact can be useful in determining the last time that the account was accessed and can help to identify any suspicious activity.

The "Last Password Change" artifact is a time stamp that is recorded when a user changes their password. This artifact can be useful in determining the last time that the password for the account was changed and can help to identify any suspicious activity.

WIN: XP+ SRV: NULL

Location

# Filepath
C:\windows\System32\config\SAM

# Registry
SAM\Domains\Account\Users

Interpretation and Investigative Notes

The System32\config\SAM file is a system file that is used to store information about user accounts on a Windows system. This file can be a useful source of forensic evidence in investigations into cybercrimes, unauthorized access to systems or data, and employee misconduct.

The SAM file contains several types of forensic evidence that can be useful in investigations, including:

  1. User account information: The SAM file contains information about the user accounts that have been created on the system, including the usernames, account types, and security identifiers (SIDs). This information can be useful in determining who has accessed the system and what actions they have taken.

  2. Hashed passwords: The SAM file contains hashed versions of the passwords for the user accounts.

  3. Last login and password change timestamps: The SAM file contains time stamps for the last time that each user account was accessed and the last time that the password was changed. These timestamps can be useful in determining the usage of the accounts and identifying any suspicious activity.
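The timestamps listed above live in the binary F value stored for each user under SAM\Domains\Account\Users. The following parser is an added example (not code from the original page): it decodes the last-logon and password-last-set FILETIMEs, the account-control flag bits and the logon counters from an F value, and builds a constructed sample blob to run against. The field offsets and flag bits used are the widely published layout implemented by open-source SAM parsers such as RegRipper's samparse plugin; treat them as an assumption and verify them against your own tooling before citing them in a report.

```python
# Added example (not from the original page): decode timestamps and flags from the
# binary F value under SAM\Domains\Account\Users\<RID>\F. Offsets and ACB bits follow
# the layout used by open-source SAM parsers (e.g. RegRipper samparse) and are assumed.
import struct
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF  # assumed "account never expires" marker

# Subset of the SAM ACB (account control) bits, as assumed for this example.
ACB_FLAGS = {
    0x0001: "disabled",
    0x0004: "password_not_required",
    0x0010: "normal_account",
    0x0200: "password_never_expires",
    0x0400: "auto_locked",
}

def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime.
    Zero is stored when the event never happened (e.g. an account that has never logged on),
    so zero and the never-expires marker are reported as None instead of 1601-01-01."""
    if ft == 0 or ft == NEVER_EXPIRES:
        return None
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the constructed sample."""
    delta = dt - WINDOWS_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_sam_f(blob):
    """Decode the fixed-offset fields of one user's F value (assumed layout, see above)."""
    if len(blob) < 0x44:
        raise ValueError("F value too short: %d bytes" % len(blob))
    last_login, = struct.unpack_from("<Q", blob, 0x08)
    pwd_last_set, = struct.unpack_from("<Q", blob, 0x18)
    acct_expires, = struct.unpack_from("<Q", blob, 0x20)
    last_failed, = struct.unpack_from("<Q", blob, 0x28)
    rid, = struct.unpack_from("<I", blob, 0x30)
    acb, = struct.unpack_from("<H", blob, 0x38)
    failed_count, login_count = struct.unpack_from("<HH", blob, 0x40)
    return {
        "rid": rid,
        "last_login": filetime_to_datetime(last_login),
        "password_last_set": filetime_to_datetime(pwd_last_set),
        "account_expires": filetime_to_datetime(acct_expires),
        "last_failed_login": filetime_to_datetime(last_failed),
        "flags": sorted(name for bit, name in ACB_FLAGS.items() if acb & bit),
        "failed_login_count": failed_count,
        "login_count": login_count,
    }

def build_sample_f(last_login, pwd_last_set, rid=1000, acb=0x0210, failed=3, logins=12):
    """Construct an 80-byte F value for the example; not taken from any real hive."""
    blob = bytearray(0x50)
    struct.pack_into("<Q", blob, 0x08, datetime_to_filetime(last_login))
    struct.pack_into("<Q", blob, 0x18, datetime_to_filetime(pwd_last_set))
    struct.pack_into("<Q", blob, 0x20, NEVER_EXPIRES)
    struct.pack_into("<Q", blob, 0x28, 0)  # no failed logon recorded
    struct.pack_into("<I", blob, 0x30, rid)
    struct.pack_into("<H", blob, 0x38, acb)  # normal account + password never expires
    struct.pack_into("<HH", blob, 0x40, failed, logins)
    return bytes(blob)

SAMPLE_F = build_sample_f(
    datetime(2024, 3, 15, 8, 30, tzinfo=timezone.utc),
    datetime(2023, 11, 2, 14, 5, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    for key, value in parse_sam_f(SAMPLE_F).items():
        print("%-20s %s" % (key, value))
```

Feed parse_sam_f the raw bytes of a user's F value read from an offline copy of the SAM hive. A last_login of None is itself a finding: the account exists but has never been used interactively on this host, which is common for freshly created backdoor accounts.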

Tools

Sources

Remote Desktop Protocol (RDP) Usage (Security.evtx)

The security.evtx event log is a system log that is used to record security-related events on a Windows system. This log can contain forensic evidence related to the usage of the Remote Desktop Protocol (RDP), which is a network protocol that allows users to remotely connect to and control another computer.

The security.evtx event log can contain several types of forensic evidence related to RDP usage, including:

  1. Remote login and logoff events: These events are recorded when a user logs in or logs off of the system using RDP. The log entries may contain information about the user who logged in, the IP address of the remote system, and the date and time of the login or logoff.

  2. Remote connection and disconnection events: These events are recorded when a user establishes or terminates an RDP connection to the system. The log entries may contain information about the user who connected, the IP address of the remote system, and the date and time of the connection or disconnection.

  3. Remote desktop session events: These events are recorded when a user starts or ends a remote desktop session using RDP. The log entries may contain information about the user who started or ended the session, the IP address of the remote system, and the date and time of the session start or end.

WIN: 7+ SRV: 2003+

Location

%SystemRoot%\System32\winevt\Logs\Security.evtx

Interpretation and Investigative Notes

Here is a table listing some event IDs that may be useful for tracking Remote Desktop Protocol (RDP) usage in the security.evtx log:

Tools

Sources

Windows Service/Process Events

The system.evtx and security.evtx logs record system-related events. They can contain forensic evidence of service execution, including which user interacted with a service or process.

Windows processes commonly run through cmd.exe, which unfortunately does not natively record a history of the commands and parameters executed. However, the system.evtx and security.evtx logs can contain several types of forensic evidence related to service execution and the user names involved, including:

  1. Service Start and Stop Events: These events are recorded when a service is started or stopped on the system.

  2. Service Creation and Installation: These events record the details for newly created or installed services or processes on the system.

  3. Service Crashes: These events record the details for terminated or crashed services or processes and are typically good indicators of possible process manipulation.

WIN: 7+ SRV: 2003+

Location

%SystemRoot%\System32\winevt\Logs\System.evtx
%SystemRoot%\System32\winevt\Logs\Security.evtx

Interpretation and Investigative Notes

Here is a table listing some event IDs that may be useful for tracking service and process interaction in the security.evtx and system.evtx logs:
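As an added example of working these service events (not code from the original page), the script below correlates service installation, state-change and crash records by service name: 7045 (System, new service installed) enriched with 4697 (Security, which logged-on user installed it), 7036 (state changes) and 7034 (service terminated unexpectedly, with its "has done this N time(s)" counter). It reads records as JSON lines of the shape {"log", "id", "time", "data"}, which is how an evtx_dump or Get-WinEvent | ConvertTo-Json export looks after light reshaping; the sample records, the service names and the list of "expected" image-path prefixes are constructed for the example, and 4697 is only present when the Audit Security System Extension subcategory is enabled.

```python
# Added example (not from the original page): triage service installs, state changes and
# crashes from System.evtx/Security.evtx records exported as JSON lines. Sample data and the
# expected image-path prefixes are constructed assumptions for this example.
import json

# Image-path prefixes treated as expected here (a local policy choice, not a rule).
EXPECTED_IMAGE_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def load_records(jsonl_text):
    """One record per line: {"log": "System"|"Security", "id": int, "time": ISO-8601, "data": {...}}."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]

def _install(name, time, path, start_type, run_as):
    exe = path.lstrip('"').lower()
    return {"name": name, "time": time, "image_path": path, "start_type": start_type,
            "run_as": run_as, "installed_by": None,
            "suspicious_path": not exe.startswith(EXPECTED_IMAGE_PREFIXES)}

def triage_services(records):
    """Correlate 7045/4697 installs, 7036 state changes and 7034 crashes by service name."""
    installs, crashes, states = {}, {}, []
    for r in sorted(records, key=lambda r: r["time"]):
        d, log, eid = r["data"], r["log"], r["id"]
        if log == "System" and eid == 7045:
            installs[d["ServiceName"]] = _install(d["ServiceName"], r["time"], d.get("ImagePath", ""),
                                                 d.get("StartType"), d.get("AccountName"))
        elif log == "Security" and eid == 4697:
            # 4697 carries the installing user's identity, which 7045 does not record.
            entry = installs.setdefault(d["ServiceName"], _install(
                d["ServiceName"], r["time"], d.get("ServiceFileName", ""),
                d.get("ServiceStartType"), d.get("ServiceAccount")))
            entry["installed_by"] = "%s\\%s" % (d.get("SubjectDomainName", ""), d.get("SubjectUserName", ""))
        elif log == "System" and eid == 7036:
            states.append((r["time"], d.get("param1"), d.get("param2")))  # service, new state
        elif log == "System" and eid == 7034:
            # param1 is the service name, param2 the "has done this N time(s)" counter
            name, count = d.get("param1"), int(d.get("param2", "1"))
            crashes[name] = max(crashes.get(name, 0), count)
    return {"installs": sorted(installs.values(), key=lambda i: i["time"]),
            "crashes": crashes, "states": states}

def _rec(log, eid, time, **data):
    return json.dumps({"log": log, "id": eid, "time": time, "data": data})

# Constructed sample records (not a real export).
SAMPLE_JSONL = "\n".join([
    _rec("System", 7045, "2024-03-15T08:32:00Z", ServiceName="UpdaterSvc",
         ImagePath=r"C:\Users\Public\upd.exe -k", ServiceType="user mode service",
         StartType="auto start", AccountName="LocalSystem"),
    _rec("Security", 4697, "2024-03-15T08:32:01Z", SubjectUserName="alice", SubjectDomainName="CORP",
         ServiceName="UpdaterSvc", ServiceFileName=r"C:\Users\Public\upd.exe -k",
         ServiceStartType="2", ServiceAccount="LocalSystem"),
    _rec("System", 7036, "2024-03-15T08:32:05Z", param1="UpdaterSvc", param2="running"),
    _rec("System", 7045, "2024-03-15T09:10:00Z", ServiceName="VendorAgent",
         ImagePath=r"C:\Program Files\Vendor\agent.exe", ServiceType="user mode service",
         StartType="auto start", AccountName=r"NT AUTHORITY\LocalService"),
    _rec("System", 7034, "2024-03-15T11:20:00Z", param1="UpdaterSvc", param2="3"),
])

if __name__ == "__main__":
    result = triage_services(load_records(SAMPLE_JSONL))
    for install in result["installs"]:
        print(install)
    print("crashes:", result["crashes"])
    print("state changes:", result["states"])
```

A service installed from a user-writable directory by an interactive user, running as LocalSystem and then crashing repeatedly, is the pattern this triage is meant to surface; the crash counter from 7034 is the page's "service crash" indicator in machine-readable form.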

Tools

Sources

Account Interaction

The security.evtx event log can be a useful source of forensic evidence related to user account interaction.

WIN: XP+ SRV: 2003+

Location

%SystemRoot%\System32\winevt\Logs\Security.evtx

Interpretation and Investigative Notes

Here is a table of some useful event IDs for Account interaction in the security.evtx log:

The Event ID 4624 also contains logon type codes that are used to classify the type of logon that occurred and can be helpful in understanding how a user logged on to the device. The details recorded for each logon type may vary, but generally include the security identifier (SID) of the user, the user's account name and domain, the logon ID, and the logon type. The logon type codes are in the table below:
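The following script is an added example (not code from the original page) that serves both the RDP usage section above and this one: it parses Security event XML of the form produced by wevtutil qe Security /f:xml or Get-WinEvent's ToXml(), labels each 4624 with its logon type, and correlates RDP activity per logon ID using 4624 with LogonType 10 (RemoteInteractive), 4779 (session disconnected), 4778 (session reconnected) and 4634 (logoff). The logon type code table in the script is Microsoft's documented set of values; the sample events, host names, addresses and logon IDs are constructed for the example.

```python
# Added example (not from the original page): classify 4624 logon types and build an RDP
# session timeline from 4624/4634/4778/4779 records exported as event XML. The sample
# events are constructed; the logon type codes are the documented Windows values.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Documented Windows logon type codes for event 4624.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}
REMOTE_TYPES = {3, 10}  # logon types that originate from another host

def parse_events(xml_text):
    """Return {id, time, computer, data} dicts, oldest first, from exported event XML."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter("{%s}Event" % NS["e"]):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "id": int(system.findtext("e:EventID", namespaces=NS)),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "computer": system.findtext("e:Computer", namespaces=NS),
            "data": data,
        })
    return sorted(events, key=lambda e: e["time"])

def classify_logons(events):
    """One row per 4624: who logged on, with which logon type, and from where."""
    rows = []
    for e in events:
        if e["id"] != 4624:
            continue
        d = e["data"]
        ltype = int(d.get("LogonType") or 0)
        rows.append({
            "time": e["time"],
            "user": "%s\\%s" % (d.get("TargetDomainName", ""), d.get("TargetUserName", "")),
            "logon_type": LOGON_TYPES.get(ltype, "Unknown(%d)" % ltype),
            "source": d.get("IpAddress", "-"),
            "remote": ltype in REMOTE_TYPES,
        })
    return rows

def rdp_timeline(events):
    """Group RDP activity by logon ID: type-10 logon, 4779 disconnect, 4778 reconnect, 4634 logoff.
    A reconnect from a client address other than the original one deserves a second look."""
    sessions = {}
    for e in events:
        d = e["data"]
        if e["id"] == 4624 and d.get("LogonType") == "10":
            sessions[d["TargetLogonId"].lower()] = {
                "user": d.get("TargetUserName"), "clients": {d.get("IpAddress")},
                "events": [("logon", e["time"])]}
        elif e["id"] in (4778, 4779):
            key = d["LogonID"].lower()
            s = sessions.setdefault(key, {"user": d.get("AccountName"), "clients": set(), "events": []})
            s["clients"].add(d.get("ClientAddress"))
            s["events"].append(("reconnect" if e["id"] == 4778 else "disconnect", e["time"]))
        elif e["id"] == 4634 and d.get("TargetLogonId", "").lower() in sessions:
            sessions[d["TargetLogonId"].lower()]["events"].append(("logoff", e["time"]))
    return sessions

def _event(eid, time, **data):
    """Build one Event element in the export format; used only to construct the sample."""
    fields = "".join('<Data Name="%s">%s</Data>' % kv for kv in data.items())
    return ('<Event xmlns="%s"><System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
            '<EventID>%d</EventID><TimeCreated SystemTime="%s"/><Computer>WS01.corp.example'
            '</Computer></System><EventData>%s</EventData></Event>' % (NS["e"], eid, time, fields))

# Constructed sample: one RDP session that disconnects and is later resumed from another client.
SAMPLE_XML = "<Events>" + "".join([
    _event(4624, "2024-03-15T08:30:12Z", TargetUserName="alice", TargetDomainName="CORP",
           TargetLogonId="0x3E7A1", LogonType="10", IpAddress="10.0.0.5"),
    _event(4624, "2024-03-15T08:31:00Z", TargetUserName="svc-backup", TargetDomainName="CORP",
           TargetLogonId="0x3E8", LogonType="5", IpAddress="-"),
    _event(4624, "2024-03-15T08:40:00Z", TargetUserName="bob", TargetDomainName="CORP",
           TargetLogonId="0x4F0", LogonType="3", IpAddress="10.0.0.77"),
    _event(4779, "2024-03-15T09:10:00Z", AccountName="alice", AccountDomain="CORP", LogonID="0x3E7A1",
           SessionName="RDP-Tcp#3", ClientName="LAPTOP7", ClientAddress="10.0.0.5"),
    _event(4778, "2024-03-15T13:02:00Z", AccountName="alice", AccountDomain="CORP", LogonID="0x3E7A1",
           SessionName="RDP-Tcp#5", ClientName="KIOSK2", ClientAddress="10.0.0.9"),
    _event(4634, "2024-03-15T17:45:00Z", TargetUserName="alice", TargetDomainName="CORP",
           TargetLogonId="0x3E7A1", LogonType="10"),
]) + "</Events>"
EVENTS = parse_events(SAMPLE_XML)

if __name__ == "__main__":
    for row in classify_logons(EVENTS):
        print(row)
    for logon_id, s in rdp_timeline(EVENTS).items():
        print(logon_id, s["user"], sorted(s["clients"]), s["events"])
```

When Network Level Authentication is in use the RDP client's credentials are first validated through a type 3 (Network) logon before the type 10 logon appears, so a filter on type 10 alone shows the session but not the preceding credential check; the classify_logons output keeps both rows so the pair can be matched by time and source address.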

Tools

Sources

Account Authentication Events

Authentication mechanism artifacts log the details of local account and domain authentication. The details are recorded on the system that authenticated the credentials (for a domain account, the Domain Controller):

  • Local Account = Host Machine

  • Domain Account = Active Directory

WIN: XP+ SRV: 2003+

Location

%SystemRoot%\System32\winevt\Logs\Security.evtx

Interpretation and Investigative Notes

Here is a table of some useful event IDs for account authentication in the security.evtx log:
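The point that authentication is recorded on the system that validated the credentials shapes where you collect from: 4776 (NTLM credential validation) is written by the host for local accounts and by the Domain Controller for domain accounts, 4771 (Kerberos pre-authentication failed) exists only on the Domain Controller, and 4625 (failed logon) is written by the machine where the logon was attempted. The script below is an added example (not code from the original page) that reads those three event types from a JSON-lines export, normalises them into failure records with a human-readable reason, and then separates password spraying (one source, many accounts) from brute force (one source, one account) inside a time window. The status code tables are Microsoft's documented values; the records, hosts, addresses, account names and thresholds are constructed for the example.

```python
# Added example (not from the original page): aggregate failed authentication records
# (4776, 4771, 4625) from Security.evtx exported as JSON lines and flag spraying versus
# brute force per source. Sample records and thresholds are constructed assumptions.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Documented NTLM (4776 Status / 4625 SubStatus) and Kerberos (4771 Status) failure codes.
NTLM_STATUS = {"0xc000006a": "bad password", "0xc0000064": "unknown user", "0xc0000234": "locked out"}
KERB_STATUS = {"0x18": "pre-auth failed (bad password)", "0x6": "client not found", "0x12": "disabled or revoked"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def _src(value):
    """Normalise the source field: strip the IPv4-mapped prefix 4771 uses, default to '-'."""
    return (value or "-").replace("::ffff:", "")

def failures(records):
    """Return (time, source, user, reason) for every failed attempt, oldest first."""
    out = []
    for r in records:
        d, eid = r["data"], r["id"]
        if eid == 4776 and d.get("Status", "0x0").lower() != "0x0":
            status = d["Status"].lower()
            out.append((_ts(r["time"]), _src(d.get("Workstation")), d.get("TargetUserName"),
                        NTLM_STATUS.get(status, status)))
        elif eid == 4771:
            status = d.get("Status", "").lower()
            out.append((_ts(r["time"]), _src(d.get("IpAddress")), d.get("TargetUserName"),
                        KERB_STATUS.get(status, status)))
        elif eid == 4625:
            status = d.get("SubStatus", "").lower()
            ip = d.get("IpAddress")
            source = ip if ip and ip != "-" else d.get("WorkstationName")
            out.append((_ts(r["time"]), _src(source), d.get("TargetUserName"),
                        NTLM_STATUS.get(status, status)))
    return sorted(out, key=lambda f: f[0])

def detect(records, window=timedelta(minutes=10), spray_accounts=5, brute_attempts=5):
    """Per source, look at the failures inside a window anchored at each failure and report the
    first window that hits either threshold. Thresholds are example values, tune them locally."""
    by_source = defaultdict(list)
    for f in failures(records):
        by_source[f[1]].append(f)
    findings = []
    for source, fails in by_source.items():
        for i, (start, _, _, _) in enumerate(fails):
            per_user = defaultdict(int)
            for f in fails[i:]:
                if f[0] - start <= window:
                    per_user[f[2]] += 1
            if len(per_user) >= spray_accounts:
                findings.append({"source": source, "kind": "password_spray",
                                 "accounts": len(per_user), "start": start})
                break
            user, attempts = max(per_user.items(), key=lambda kv: kv[1])
            if attempts >= brute_attempts:
                findings.append({"source": source, "kind": "brute_force", "account": user,
                                 "attempts": attempts, "start": start})
                break
    return findings

def _rec(eid, time, **data):
    return json.dumps({"id": eid, "time": time, "data": data})

def _times(start, step_seconds, n):
    t0 = _ts(start)
    return [(t0 + timedelta(seconds=step_seconds * i)).strftime("%Y-%m-%dT%H:%M:%SZ") for i in range(n)]

# Constructed sample records (not a real export).
SAMPLE_LINES = (
    # one source, six different accounts, one failure each: password spraying pattern
    [_rec(4625, t, TargetUserName="user%02d" % i, TargetDomainName="CORP", LogonType="3",
          IpAddress="10.0.0.77", WorkstationName="-", Status="0xC000006D", SubStatus="0xC000006A")
     for i, t in enumerate(_times("2024-03-15T09:00:00Z", 30, 6))]
    # one workstation hammering one account through NTLM: brute-force pattern
    + [_rec(4776, t, PackageName="MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", TargetUserName="bob",
            Workstation="LAPTOP7", Status="0xC000006A")
       for t in _times("2024-03-15T09:05:00Z", 20, 5)]
    # a successful NTLM validation and two Kerberos pre-auth failures: below both thresholds
    + [_rec(4776, "2024-03-15T09:06:50Z", PackageName="MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
            TargetUserName="alice", Workstation="LAPTOP9", Status="0x0"),
       _rec(4771, "2024-03-15T09:07:00Z", TargetUserName="alice", ServiceName="krbtgt/CORP",
            IpAddress="::ffff:10.0.0.5", Status="0x18"),
       _rec(4771, "2024-03-15T09:07:30Z", TargetUserName="alice", ServiceName="krbtgt/CORP",
            IpAddress="::ffff:10.0.0.5", Status="0x18")]
)
RECORDS = [json.loads(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    for finding in detect(RECORDS):
        print(finding)
```

Because 4776 for a domain account is written on the Domain Controller and 4625 on the target host, a complete picture of one spraying source usually needs records from both places merged into the same list before detect() is run.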

Tools

Sources
