Wednesday, January 13, 2010

A Little Forensics Goes a Long Way

Today I had a friend complain that his user account was continually getting locked out. I asked the usual questions and he was sure that it was not him and his fat fingers. Straight away I put my Super Admin hat on try and find out whats going on. As a big fan of the event logs I decided to start there, and with this being an account lockout I went straight to the PDC Emulator as I knew there would be events for the account lockout in the security log.

Using Microsofts free EventCombNT I specified a date range and I configure it to extract just the account lockout events from the PDC Emulator.

After EventCombNT had finished I use the fantastic free Highlighter tool from Mandiant to find all occurrences of account lockouts for this users account.

After filtering by Keyword on my friends username I see all the occurances (in red) where his name is present in the logs. I select one of these events, highlight his name and select "Show Only" from the context menu.

This removes all other events and I'm left with just the events that relate to the lockout of my friends account. I glance down the list and quickly identify the computer which is responsible for the lockouts. Just as my friend decides to go down there and give the user a good talking to I tell him to give me a second. I quickly check the C:\Windows\Prefetch\ directory on the offending computer to see what programs were run at the time of the lockouts.

On seeing the applications listed that correspond with twe times of the lockout my friend goes very quiet. Then he tells me he remembers configuring software for this user. To get the software to work he had to use his own account, and.........well you guessed it, he has since changed his password.

What a nugget!!!


Robert said...

Great post. I use EventCombNT all the time, but mostly pumping it out to a csv to parse in Excel. But that other program could be priceless! I will have to look that up and put it into my bag of tricks!
As always thanks!

DarkOperator said...

Keep up the great work I really love your post. This has to be one of my favorite blogs to follow.

SynJunkie said...

Robert - I hope it's of use. I heard about it on the cyberspeak podcast a couple of years back and the more recent versions are really good.

Carlos - Cheers dude. I'm a big fan of your work too. The effort and time you have put into the Metasploit Project and BackTrack is certainly appreciated.

Sherwyn aka (Infolookup) said...

Nice posting I recently had to invigilate an incident and which I knew of this tool.

Nice work with the post, good tool for analyzing prefetch files is

SynJunkie said...

Thanks for the tip Sherwyn, i'll be taking a look at that for sure.


Anonymous said...

Nice job. You can olso link to the Prefetch Parser. It makes nice reports af the prefetch folder.

It can be downloaded from here -

Regards Netcowboy

SynJunkie said...

Cheers Netcowboy. I've definitely got that on my list of fun things to look at.