SAM Account Time Confusion

(@bkkchop)
Posts: 4
New Member
Topic starter
 

Hi everyone,

I've been racking my brain trying to figure out why a local admin account is displaying weird time stamps for created, last login, and password change. I exported the SAM hive, and viewed it in registry explorer.

Created 2018-02-02
Last login 2015-04-23
Password last changed 2017-09-25

Could the password last changed, perhaps be 2 years after last login because it was changed by another account on the system? As for created 3 years after last login, could this be because the account was at one point disabled, then re-enabled?

Any thoughts?

 
Posted : 10/10/2018 9:18 pm
kastajamah
(@kastajamah)
Posts: 109
Estimable Member
 

Created 2018-02-02
Last login 2015-04-23
Password last changed 2017-09-25

Have you checked the install date for the OS? I have seen it where there is a service pack update rolled out, and it changed the install date of the OS to after documents were created. So documents on the system will show a January 2017 created date, but the install date of the OS would be August 2017. This might help resolve your created date issue.

 
Posted : 11/10/2018 12:53 pm
(@bkkchop)
Posts: 4
New Member
Topic starter
 

Thanks kastajamah,

I appreciate the reply. It looks like the install date was 1420091339 (01 January 2015), converted from Unix time. More info on the system: it's Windows 7 Pro, SP 1, Build 7601, information coming from SOFTWARE\Microsoft\Windows\CurrentVersion.

 
Posted : 11/10/2018 2:07 pm
(@athulin)
Posts: 1156
Noble Member
 

I exported the SAM hive, and viewed it in registry explorer.

What exact tool did you use? I find three or four possibilities …

Created 2018-02-02
Last login 2015-04-23
Password last changed 2017-09-25

That seems to be part of the problem. The F and V subkeys contain (based on the information found in http://www.ijfcc.org/vol5/455-F005.pdf, but as it doesn't cite any obviously trustworthy sources, I'd be careful) timestamps for

lockout
account creation
last login

'Password last change' is not part of the data. So from where does your tool get it? You need to find out. That's probably where the problem is.

(I may guess that it might be a misinterpretation of the LastWriteTime attribute found in registry key information, and documented for example here https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/ns-wdm-_key_full_information. Perhaps someone changed the passwords, observed that the timestamp changed, and concluded it must be a 'password last changed' timestamp. I'm guessing wildly.

However, it reflects (as far as I understand) the last time the key, its attributes or its value changed. And that could be any of the attributes, not just the password. Easy test: set up a test account, get the time stamp, then change the account comment. Check the time stamp again.)

Could the password last changed, perhaps be … .
[…] could this be because …

There's no other answer than 'yes'. In the absence of authoritative information or research, it could be. But you should not be concerned with 'could-bes' except as far as you are prepared to do research. Outside that, 'you don't know' should be your statement.

You do need to check your tool and its tool maker; you may get a better answer than this.

 
Posted : 11/10/2018 2:56 pm
(@bkkchop)
Posts: 4
New Member
Topic starter
 

Thanks for the insight, athulin. You bring up some good points. The tool I'm using is Registry Explorer, I threw the SAM file inside there for the analysis. I did do some research prior to coming here but didn't find anything of much value. I'll continue to research and post back if I find a conclusive answer.

Thanks

 
Posted : 12/10/2018 12:35 pm
(@rich2005)
Posts: 535
Honorable Member
 

Hi everyone,

I've been racking my brain trying to figure out why a local admin account is displaying weird time stamps for created, last login, and password change. I exported the SAM hive, and viewed it in registry explorer.

Created 2018-02-02
Last login 2015-04-23
Password last changed 2017-09-25

Could the password last changed, perhaps be 2 years after last login because it was changed by another account on the system? As for created 3 years after last login, could this be because the account was at one point disabled, then re-enabled?

Any thoughts?

What's the creation time for the Admin account's folder? Same or different?

 
Posted : 12/10/2018 2:19 pm
(@athulin)
Posts: 1156
Noble Member
 

Thanks for the insight, athulin. You bring up some good points.

Unfortunately, the point I was convinced was the problem, based on the cited paper … is actually not. I should have extended my suspicion to the paper itself, not only to its sources. So I only confused the issue – my apologies.

The table of the F parameter contents (called 'project F content') in that paper does not correspond with other sources. And in the absence of an explanation for that, we (that is, I) cannot conclude that the F entry lacks information about last password change.

Unfortunately, I have yet to find a source I do consider fully trustworthy … which is a bit of a problem. (By fully trustworthy I mean that it references some kind of methodical procedure for identifying relevant SAM content.)

If anyone knows one, please post. It should be added to Forensic Wiki so that we don't forget it.

There is clearly some kind of timestamp for last password change: 'net user' lists it, and the NetEnumUser() system call returns structures where the corresponding field is populated. The F entry seems to be the most likely candidate for its location … yet the systematic identification of it seems absent.

 
Posted : 12/10/2018 2:28 pm
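As an added worked example (not code from anyone in the thread), the parser below decodes the fixed-layout F value of a SAM user key (SAM\Domains\Account\Users\<RID>\F) using the offsets that open-source SAM parsers such as RegRipper's samparse plugin rely on: last logon at 0x08, password last set at 0x18, account expiry at 0x20, last failed logon at 0x28, RID at 0x30, ACB flags at 0x38, and the failed/total logon counters at 0x40. Those offsets, the sample F bytes, and the sample dates (borrowed from the first post) are assumptions constructed here so the block runs offline; nothing is read from a real hive. Note what is not in F: an account creation time. Parsers that report one typically take the LastWrite time of the SAM\Domains\Account\Users\Names\<username> key, which is exactly the kind of key timestamp the thread warns can move for reasons other than creation.

```python
"""
Decode the F value of a SAM user key and turn its FILETIME fields into
UTC datetimes. Offsets follow the layout used by RegRipper's samparse
plugin (an assumption stated in the lead-in; not taken from the thread).
"""
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# 0 means "never happened"; 0x7FFFFFFFFFFFFFFF means "never expires".
_NEVER = {0, 0x7FFFFFFFFFFFFFFF}

# Account Control Bits as stored in the 16-bit field at offset 0x38.
ACB_FLAGS = {
    0x0001: "Account Disabled",
    0x0002: "Home directory required",
    0x0004: "Password not required",
    0x0008: "Temporary duplicate account",
    0x0010: "Normal user account",
    0x0020: "MNS logon user account",
    0x0040: "Interdomain trust account",
    0x0080: "Workstation trust account",
    0x0100: "Server trust account",
    0x0200: "Password does not expire",
    0x0400: "Account auto locked",
}


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware UTC datetime, or None for 'never'."""
    if ft in _NEVER:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, done in integers to avoid float rounding."""
    td = dt - _FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def decode_acb(acb):
    """Return the names of every ACB bit that is set."""
    return [name for bit, name in ACB_FLAGS.items() if acb & bit]


def parse_f(f):
    """Parse the raw bytes of an F value into a dict of decoded fields."""
    if len(f) < 0x44:
        raise ValueError("F value too short: %d bytes" % len(f))
    (last_login,) = struct.unpack_from("<Q", f, 0x08)
    pwd_last_set, acct_expires, last_failed = struct.unpack_from("<QQQ", f, 0x18)
    (rid,) = struct.unpack_from("<I", f, 0x30)
    (acb,) = struct.unpack_from("<H", f, 0x38)
    failed_count, logon_count = struct.unpack_from("<HH", f, 0x40)
    return {
        "rid": rid,
        "last_login": filetime_to_datetime(last_login),
        "password_last_set": filetime_to_datetime(pwd_last_set),
        "account_expires": filetime_to_datetime(acct_expires),
        "last_failed_login": filetime_to_datetime(last_failed),
        "acb_flags": decode_acb(acb),
        "failed_login_count": failed_count,
        "logon_count": logon_count,
    }


def build_f(last_login, pwd_last_set, acct_expires_ft, last_failed_ft,
            rid, acb, failed_count, logon_count):
    """Construct a synthetic F value (test data only; not a real hive dump)."""
    f = bytearray(0x50)
    struct.pack_into("<Q", f, 0x08, datetime_to_filetime(last_login))
    struct.pack_into("<QQQ", f, 0x18, datetime_to_filetime(pwd_last_set),
                     acct_expires_ft, last_failed_ft)
    struct.pack_into("<I", f, 0x30, rid)
    struct.pack_into("<H", f, 0x38, acb)
    struct.pack_into("<HH", f, 0x40, failed_count, logon_count)
    return bytes(f)


# Constructed sample mirroring the dates in the first post: a logon in 2015 and
# a password set in 2017 are two independent fields, so no contradiction arises.
SAMPLE_LAST_LOGIN = datetime(2015, 4, 23, 8, 30, 0, tzinfo=timezone.utc)
SAMPLE_PWD_LAST_SET = datetime(2017, 9, 25, 14, 5, 0, tzinfo=timezone.utc)
SAMPLE_F = build_f(SAMPLE_LAST_LOGIN, SAMPLE_PWD_LAST_SET,
                   0x7FFFFFFFFFFFFFFF, 0, 500, 0x0211, 3, 42)

if __name__ == "__main__":
    for key, value in parse_f(SAMPLE_F).items():
        print("%-20s %s" % (key, value))
```

Run against a real value, the same function is fed the raw bytes exported for the F value under the account's RID key. If a tool shows a "created" or "password last changed" date that this parse does not reproduce, the tool is deriving it from something other than F (for example a key LastWrite time), which is the check athulin asks for above.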