During the digital forensics analysis process, you may need to find out a local (non-domain) user account's membership in built-in groups, for example when you are checking some objects' ACLs that contain permissions only for local security groups.

I've tested several system registry analyzers but didn't find a single tool with such a function. BTW, if you know about such an app, please write its name in the comments.

So I tried to understand how to check a user account's membership manually, and here is the solution. All you need is any hex editor and, of course, patience :)

First, open the SAM registry file in a hex editor and find the local Users\Names node:

image

Then find the user account of interest and note its Type field:

image

Now you should find the Builtin\Aliases node, where all local security groups are listed:

image

You can traverse all Aliases one by one and check each one's readable name:

image

Or you can first select the group you are looking for by its name in the Builtin\Aliases\Names node and then use its Type field to find the related group in the Builtin\Aliases node:

image

OK guys, we are almost at the finish line. Now select the group of interest. In the hex section you can see the ASCII name of the group and the group description (inside the orange rectangle). The last several lines contain information about group members (highlighted in green):

image

And here is our user! Please note that user aliases are stored in «little endian» format: the bytes EB 03 are read from right to left, giving 03 EB.

image
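The same decoding, done in code rather than by eye. This is an added example, not code from the post's author: it assumes you have already located, as described above, the Type field of the user (the little-endian RID) and the raw bytes of the member list at the end of the group's value, together with the member count. The layout of that value's header is not reproduced here; the only format the example relies on is the standard binary SID (revision, sub-authority count, 6-byte big-endian identifier authority, then little-endian 32-bit sub-authorities, the last of which is the RID). The machine SID sub-authorities 21-1000-2000-3000 and both member SIDs are constructed sample data.

```python
import struct


def rid_from_type_field(raw: bytes) -> int:
    """The Type field of a Users\\Names entry holds the user's RID,
    stored little-endian: bytes EB 03 00 00 -> 0x3EB -> 1003."""
    return int.from_bytes(raw, "little")


def parse_sid(buf: bytes, offset: int = 0):
    """Decode one binary SID starting at buf[offset].

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then `count` four-byte
    little-endian sub-authorities; the last one is the RID.
    Returns (sid_string, offset_just_past_this_sid).
    """
    revision = buf[offset]
    count = buf[offset + 1]
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, offset + 8)
    sid = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return sid, offset + 8 + 4 * count


def parse_member_sids(members: bytes, count: int):
    """Walk `count` back-to-back SIDs in the member area of an alias."""
    sids = []
    off = 0
    for _ in range(count):
        sid, off = parse_sid(members, off)
        sids.append(sid)
    if off != len(members):
        # A length mismatch means the region or count was located wrongly.
        raise ValueError("member area has %d unexpected trailing bytes" % (len(members) - off))
    return sids


def rid_of(sid: str) -> int:
    return int(sid.rsplit("-", 1)[1])


def is_member(members: bytes, count: int, rid: int) -> bool:
    """True if any member SID carries the given RID (the post matches on
    the RID alone; for a domain-joined machine compare the whole SID)."""
    return any(rid_of(s) == rid for s in parse_member_sids(members, count))


def make_sid(subs) -> bytes:
    """Build a binary SID under authority 5 (NT); used only to construct sample data."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


# --- constructed sample data (not taken from a real hive) ---
MACHINE = (21, 1000, 2000, 3000)
USER_TYPE_FIELD = bytes.fromhex("EB030000")          # Type field of the user, as seen in the hex editor
MEMBERS_BLOB = make_sid(MACHINE + (0x3EB,)) + make_sid(MACHINE + (500,))
MEMBER_COUNT = 2
BUILTIN_USERS_SID_BYTES = make_sid((32, 545))        # well-known S-1-5-32-545 (BUILTIN\Users)

if __name__ == "__main__":
    rid = rid_from_type_field(USER_TYPE_FIELD)
    print("user RID:", rid, hex(rid))
    for sid in parse_member_sids(MEMBERS_BLOB, MEMBER_COUNT):
        print("member:", sid)
    print("user is a member:", is_member(MEMBERS_BLOB, MEMBER_COUNT, rid))
```

The length check in `parse_member_sids` is the sanity test to keep: if the bytes you copied out of the hex editor do not split into exactly the expected number of SIDs, the start of the member area or the member count was misread and the membership answer cannot be trusted.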

Thank you, I'll be back soon with more good Digital Forensics content!

Comments (1)


  1. 0xc8
    25.02.2019 10:18

    Nice! I will wait for the continuation.