Welcome back to the Windows registry forensics course, SAM hive file, Section 5: other types of accounts. We're going to be talking about accounts that are not local user accounts. The first type we're going to discuss is Microsoft accounts. Microsoft accounts exist on Windows 8 and above. If you've ever tried to set up a new user on one of these computers, you can tell that Microsoft is pushing you toward a Microsoft account; it takes a few more steps and a few more hoops to create a plain local user account. They're really pushing these online accounts. You can log into these computers using your Microsoft account from anywhere you like, as long as it is a Windows 8 or above computer with internet access, and that gives you some added convenience features.

The issue for us is that settings for these accounts are synced to the cloud rather than kept only on the local machine, so we're going to see a little less information on these computers, but we are also going to see several additional values populated in the SAM hive under the user's subkey. The two values we're going to look at are InternetUID and InternetUserName. Both are unique to that specific Microsoft account and are set when you create it. Looking at the subkey, there are significantly more values than the F and V we've seen so far: besides InternetUID and InternetUserName, there is an InternetSID and an InternetProviderGUID, and you may see more values under that key. The two we're going to focus on are the UID and the UserName.
They stay consistent no matter where you're logging in from or which computer you use to access your account. The InternetUID is stored as its own value in the user's subkey, alongside F and V, and it is in Unicode: 16 Unicode characters, and since Unicode here uses two bytes per character, that is 32 bytes of data. Whether you log on at home, at your office, or anywhere else, you're going to see that InternetUID created on the computer you used, so you'll be able to tell that somebody used a Microsoft account on that computer and see their unique InternetUID.

We're also going to be able to see the username. The InternetUserName is usually going to be some type of email address, because that's what Microsoft wants you to use. In this particular one, you can see the email address that I used down below in Unicode. This is a variable-length value, because it depends on what you put in for your username, but again it's going to be the same across whatever computer you use. So we can see that somebody logged in using their Microsoft account.

Domain accounts. Domain accounts are something you're going to see a lot of in a corporate environment. We're going to talk about some of the issues we run into here, but the key point is that no entries are made in the SAM hive for a domain user, so we need to look in the SOFTWARE hive at a subkey called ProfileList to find out what's going on with a domain account. The path in the SOFTWARE hive is Software\Microsoft\Windows NT\CurrentVersion\ProfileList. When a user logs in for the first time, entries are created under ProfileList. This is how the computer knows how to find the user; it is the reference point Windows uses to locate the profile.
It also gives a file path to where the profile is located on the computer itself. It's usually under Users, but the ProfileImagePath value gives the exact path, so you could go out on the local machine, or the image of the local machine, and look at that user's profile. Again, no entry is made in the SAM hive for the domain user. If it's your first domain computer, that is a little confusing, but we're going to look at it.

Deleted accounts. What you recover is going to depend on how much has been written to the hive since the deletion. There is generally information left behind, because of the way the registry works: when a key is deleted, its cells are marked as unallocated, but the data is generally left where it is. So the data is often still there, whether it's in slack space or whether the whole user account key is still intact. We're going to take a look at deleted accounts also.

The items we're going to need for this section: Registry Explorer, Ivan's SAM hive, the one we exported from the Windows 10 machine, and Ivan's SOFTWARE hive, also exported from the Windows 10 machine. First, open up Registry Explorer and load Ivan's SAM: go to File, Load hive, navigate to where you saved Ivan's SAM file, and load it. Then load Ivan's SOFTWARE hive the same way: File, Load hive, navigate to where you saved that hive (I think we made a folder on our desktops for that), and load it.

Before we get started, I have some files loaded here that you don't have; they're from a domain computer. I want to show you what I mean when I say there's no entry in the SAM file. Navigate down in the SAM hive: SAM, Domains, Account, Users, and I'll expand Names as well. The person I was investigating in this particular case is named Scott. Do I see a Scott under Users? No, there isn't one. So where are we going to look for that?
We're going to need to look in the SOFTWARE hive, because I'm not going to get anything from the SAM hive except the one thing we already talked about: under the Account key, in the V value, the last 12 bytes of data give me the machine SID (the machine or domain ID), and we talked about how to convert those 12 bytes. When I look at SIDs elsewhere on the computer, in the Recycle Bin or anywhere else, the machine SID tells me which ones were created on the local machine. That's very important, and I can get it from the SAM hive from those last 12 bytes.

Leaving the SAM hive, I'm going to close that up and go to the SOFTWARE hive. Navigate down to Microsoft, then Windows NT, then CurrentVersion, and we're looking for ProfileList. Under ProfileList, you can see I have a 1000 user, and I have another user with a very interesting RID. User-created RIDs start at 1000 on Windows 7, or 1001 on Windows 8 and 10. To get up to this number, I am probably looking at a domain account, and nowhere did I see this SID when I looked at the SAM hive. If I click on it and take a look at the values that are populated, I can see the ProfileImagePath, and as I said, this tells you where the user's profile is stored on the system: C:\Users\robscott. This is the SID and RID for the user I'm investigating. If we look at the 1000 entry, that is a user-created account, and it is for URIadmin. I could go back and determine whether that one was created on the local machine using the machine SID.

Now I want to show you deleted accounts.
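To make the SID work concrete, here is an added example in Python. It is my own code, not from the course or from Registry Explorer. It rebuilds the machine SID from the last 12 bytes of the V value under SAM\Domains\Account, sorts ProfileList subkey names into local versus non-local (domain or another machine), converts a RID to the eight-hex-digit name used for the per-user keys under SAM\Domains\Account\Users (1003 becomes 000003EB), and decodes an InternetUserName value from its UTF-16LE bytes. All of the input bytes and SIDs are constructed for the example; the sub-authority numbers are made up and the filler before the last 12 bytes of V is a stand-in.

```python
import struct

# Constructed sample data for this example (not from any real hive).
# The V value under SAM\Domains\Account ends with three little-endian
# DWORDs: the sub-authorities of the machine SID. The 20 zero bytes in
# front are filler standing in for the rest of the V value.
SAMPLE_ACCOUNT_V = bytes(20) + struct.pack("<III", 1234567890, 987654321, 192837465)

# Constructed subkey names as they would appear under
# SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
SAMPLE_PROFILELIST = [
    "S-1-5-18",  # LocalSystem
    "S-1-5-19",  # LocalService
    "S-1-5-20",  # NetworkService
    "S-1-5-21-1234567890-987654321-192837465-1000",  # local machine SID, RID 1000
    "S-1-5-21-1234567890-987654321-192837465-1003",  # local machine SID, RID 1003
    "S-1-5-21-3333333333-222222222-111111111-1159",  # different authority: domain or other machine
]


def machine_sid_from_account_v(v_value: bytes) -> str:
    """Build the machine SID from the last 12 bytes of SAM\\Domains\\Account\\V."""
    if len(v_value) < 12:
        raise ValueError("V value too short to contain a machine SID")
    a, b, c = struct.unpack("<III", v_value[-12:])
    return f"S-1-5-21-{a}-{b}-{c}"


def rid_of(sid: str) -> int:
    """The relative identifier is the last sub-authority of a SID."""
    return int(sid.rsplit("-", 1)[1])


def sam_users_subkey_name(rid: int) -> str:
    """Per-user keys under SAM\\Domains\\Account\\Users are named by RID in 8 uppercase hex digits."""
    return f"{rid:08X}"


def classify_profile_sid(sid: str, machine_sid: str) -> str:
    """Well-known SIDs are not user profiles; S-1-5-21 SIDs are local only if they start with the machine SID."""
    if not sid.startswith("S-1-5-21-"):
        return "well-known"
    if sid.startswith(machine_sid + "-"):
        return "local"
    return "non-local (domain or other machine)"


def classify_profilelist(names, v_value: bytes) -> dict:
    """Map every ProfileList subkey name to local / non-local / well-known using the SAM machine SID."""
    machine_sid = machine_sid_from_account_v(v_value)
    return {sid: classify_profile_sid(sid, machine_sid) for sid in names}


def decode_internet_username(raw: bytes) -> str:
    """InternetUserName is stored as UTF-16LE; drop any trailing NUL terminator."""
    return raw.decode("utf-16-le").rstrip("\x00")


if __name__ == "__main__":
    machine_sid = machine_sid_from_account_v(SAMPLE_ACCOUNT_V)
    print("machine SID:", machine_sid)
    for sid, kind in classify_profilelist(SAMPLE_PROFILELIST, SAMPLE_ACCOUNT_V).items():
        note = ""
        if kind == "local":
            note = f" -> look under Users\\{sam_users_subkey_name(rid_of(sid))}"
        print(f"{sid}: {kind}{note}")
    # Constructed value bytes, as the registry would store them.
    print(decode_internet_username("user@example.com\x00".encode("utf-16-le")))
```

A non-local SID in ProfileList with no matching Users subkey in SAM is exactly the domain-user situation described above: the profile exists on disk, but the account itself was never created in this machine's SAM.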
We're going to look at the Ivan hive that you have. Expand the SAM hive: SAM, Domains, Account, Users. One of the nice things about Registry Explorer is that it shows deleted keys; Registry Browser will not show you the deleted accounts like this. I can see the red X, shown in red, and I know I'm looking at a deleted account. Because there wasn't a lot written and rewritten to this machine, it is still all intact: I have my F value and my V value, so I have all my information. I can expand Names and see that New user is the deleted account. I click on New user, and as we talked about, the RID shows in hexadecimal as 3EB. If I look for 3EB under Users, that was my deleted user. You could also go ahead and correlate all the names to the users and look through them. That is how you find a deleted account, and you always want to look for deleted accounts.

Another nice feature, and I don't think I showed this to you yet: with Registry Explorer, if I'm looking at this file, I go to Bookmarks, Common, and then User accounts. It gives me a spreadsheet-style view listing all my users with their pertinent information. The only problem is it's very hard to read in this fashion. What you can do is export it: choose a folder to export it to, say My desktop for now, click OK, and it exports an Excel-type spreadsheet. When we take a look at the spreadsheet, we can see the values for the accounts. I went ahead and highlighted the deleted user account, which is very easy to do in Excel. I can see each account with all its values: the user IDs for all my accounts, when they were created, their last logons, the password change time, the username, and even the password hint if there is one.
What's also nice is I can see the groups each user belongs to: who has Remote Desktop rights, who has administrative rights, which accounts are managed by the system. You can also see the comments for your built-in accounts, default users, and accounts managed by the system. I can see if an account is disabled or locked, whether its password expires, and whether it has any trust certificates. There's a lot of information to be gained here, and it's a built-in feature of a free tool that is very accurate and has been through a lot of testing.

If you are working a domain computer and you're not seeing anything in the SAM hive, remember what you do expect to see there: the built-in Administrator is going to be RID 500. That is different from the 1000 URIadmin, which is a user-created account on a Windows 7 system, where user accounts start at 1000. On Windows 8 and 10 they start at 1001, and you'll see the default user at 1000, which is an account managed by the system, as we just saw in the spreadsheet. But the domain user isn't going to show up in the SAM at all. The first time I saw this, I was a little confused. We still need to know the user's RID, because it's not just the Recycle Bin: you're going to want to run a search across the system for that user's SID and RID to see where they come up and connect items back to that particular user.

One more time: look in the SOFTWARE hive, Microsoft, Windows NT, CurrentVersion, ProfileList. You also want to use the methodology we talked about earlier in this course to decipher the machine and domain IDs, so we can see which accounts were created on this local machine, if any were, and which belong to a remote user or someone who logged into the machine another way. You definitely want to make sure you do that. I hope you enjoyed the course. I hope you learned a lot.