We have a saying in Arabic “ان تأتي متآخراً، خيراً من أن لا تأتي أبدا” and in English “Better late, than never!”. This is my review to Harlan Carvey‘s last book titled “Investigating Windows Systems” which I should have wrote a long time ago (Sorry Harlan)!
If you have been reading for Harlan over the years (like I have), then this book is totally different than those. It is not about a specific Windows version and it is also definitely not about Windows Registry. You might be asking “Then why should I be interested and why is the title about Windows?” This is what I will explain in this post. A couple days ago, Harlan wrote a post about “Improving Your DFIR Skills” adding to another great post by Brett Shaver’s post titled “Want to improve in #DFIR? Study someone else’s case work.” discussing the same concept. I’m not going to repeat what they discuss in their posts, because I’m sure they are well written and share great ideas, I’m just going to explain how this is true from my experience as an instructor and how Harlan’s book is a good choice for you. Continue reading →
This is my first forensic analysis post in English; as I’m sure you noticed by now that all of it is in Arabic; so excuse me for my bad English :)
The whole idea came out when @azeemnow asked the #DFIR community the following: how can you tell the difference between a Windows account created from cmdline vs GUI interface?
Found here: URL
I tried to help by giving ideas, but it seems they didn’t help solve the case! So I said to myself why not replicate the process and do some checks!
Actions below done not in exact listed order (more later)!!!
1- Started a cmd.exe with Administration priveleges, and executed: net user cmduser cmduser /add
2- From the Windows Control Panel and using the User Account applet, I added a user named guiuser.
Now; the first idea I had in mind is I thought that checking the system logs alone was enough to find clues about the exact location of execution & creation. I was wrong about that! Both log entries showed no difference at all except the username for sure :) Continue reading →