Tuesday, March 10, 2009

Using grep to Unearth Old Windows User Names (7/30/08):

Identifying Deleted User Accounts in Windows


I was recently presented with three laptop computers suspected as stolen. My task was to identify the owners. I chose to use a Linux forensic boot disk (one that would not automatically mount the partitions) to conduct the examination to avoid disassembling the computers to access the hard disk drives.

It became apparent on the first computer that the original user account(s) were deleted. There was a major discrepancy between the single user account (in one of the suspect's names) and in the installation date of the Windows Vista OS.

After studying Internet Explorer index.dat files recently, I decided to target deleted index.dat content. IE index.dat files contain the usernames of the active user browsing the web with Internet Explorer, as well as some local file system activities. I used the following command from the Linux terminal to fish for old user account names:

$ tr '[:cntrl:]' '\n' < /dev/sda | grep -abE --colour=auto '(((:[0-9]{16,16}|Visited):[[:space:]])|Cookie:).+@'

The command, broken down, does the following:
  1. tr '[:cntrl:]' '\n' - translates control characters to line feeds to keep the grep memory buffer from exhausting.
  2. < /dev/sda - feeds the raw data from device sda (the laptop hard disk) into the translate command. The device may be substituted with any file, such as a raw disk image.
  3. | grep -abE --colour=auto '(((:[0-9]{16,16}|Visited):[[:space:]])|Cookie:).+@' finds the Internet Explorer cookie and history index.dat data that contains user names. The The hits are in color to help them stand out and the results can be redirected to a text file by appending the command with "> grep.results.txt". Broken down further:
  • grep -abE : a=treat binary as text; b=show byte offset; E=treat as extended regular expression
  • --colour=auto : show regex matches in color
  • '(((:[0-9]{16,16}|Visited):[[:space:]])|Cookie:).+@' : Match expressions ":<16>: @" or "Visited: @" or "Cookie:@" where is any name of one character or more.
Example of Command Output:

254468840::2007052620070527: user@:Host: cis.cuesta.edu
286125672:Cookie:user@www.ibm.com/rc
161464680:Visited: user@http://encarta.msn.com/proscribed.html

The rest of the story

I analyzed the hits and observed user names inconsistent with those in the Vista /USERS directory. Further examination of the new user names showed they existed previous to the current user account (as determined from the index.dat date code), and urls for the users MySpace page. The newly discovered user was contacted through his MySpace page and identified the computer as stolen in June, 2007.

This a simplified discussion of the full process, which included examining the file system to determine existing users using The Sleuthkit. The purpose of the article is to demonstrate how grep can be used from a boot CD or USB device to locate Windows artifacts that show deleted accounts that can be used to identify the account holders.

In this case. the hard disk drive being examined was never mounted. Grep searches can be directed against unallocated sectors through a similar process which I will discuss at a later time.