
Investigating Profiles List

04/07/2022 Monday

Windows operating systems create a user profile the first time a user logs on to a computer. On subsequent logons, the system loads the user's profile and configures the user's environment according to the information in the profile. User profiles provide unique settings to individual users. On a shared computer, each user receives their customized desktop environment after they log on.

Digital Forensics Value of Profiles List Artifact

Windows profiles are structured in folders under the C:\Users directory. Simply analyzing each folder under this location can be sufficient during an investigation. However, to get a better overview of all profiles, including SYSTEM and Network Service, we need to analyze the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\. Being able to retrieve a list of all users' profiles on a system can be crucial during an investigation.

Location of Profiles List Artifact

Information related to the Profiles List artifact is maintained within the registry at the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\

Structure of Profiles List Artifact

The Profiles List artifact is configured in the registry. Each profile’s configuration details are stored in a separate registry key. User-specific configuration values are stored under subkeys named after each user's SID. The structure of the artifact is shown in the figure below.

The user profile directory is stored in the "ProfileImagePath" value, which is useful for investigations.
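The structure described above can also be checked by hand. The following is an added example, not part of the original post or of ArtiFast: it parses a text dump of the ProfileList key in the layout printed by reg query with /s, maps each SID subkey to its ProfileImagePath, and marks the profiles that a walk of C:\Users alone would not show. The sample dump, its SIDs and user name, and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout printed by:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s
# The account SID and the user name are made up for illustration.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    ProfilesDirectory    REG_EXPAND_SZ    %SystemDrive%\Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
    ProfileImagePath    REG_EXPAND_SZ    %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
    ProfileImagePath    REG_EXPAND_SZ    %systemroot%\ServiceProfiles\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1111111111-2222222222-3333333333-1001
    ProfileImagePath    REG_EXPAND_SZ    C:\Users\alice
"""

WELL_KNOWN = {"S-1-5-18": "SYSTEM", "S-1-5-19": "Local Service", "S-1-5-20": "Network Service"}
KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\.*\\ProfileList\\(S-[\d-]+)\s*$", re.I)
VAL_RE = re.compile(r"^\s+ProfileImagePath\s+REG_(?:EXPAND_)?SZ\s+(.*\S)\s*$", re.I)

def parse_profile_list(text):
    """Return {SID: ProfileImagePath} for every SID subkey in the dump."""
    profiles, sid = {}, None
    for line in text.splitlines():
        if not line.startswith((" ", "\t")):   # unindented line: key header or blank
            m = KEY_RE.match(line)
            sid = m.group(1) if m else None    # root key and non-SID keys are skipped
        elif sid and (m := VAL_RE.match(line)):
            profiles[sid] = m.group(1)
    return profiles

def summarize(profiles, users_root=r"C:\Users"):
    """Return (SID, account kind, path, under_users_root) rows sorted by SID."""
    rows = []
    for sid, path in sorted(profiles.items()):
        # Raw string comparison: environment variables are not expanded here.
        in_users = path.lower().startswith(users_root.lower() + "\\")
        rows.append((sid, WELL_KNOWN.get(sid, "user account"), path, in_users))
    return rows

if __name__ == "__main__":
    for sid, kind, path, in_users in summarize(parse_profile_list(SAMPLE)):
        note = "" if in_users else "  <- not visible under C:\\Users"
        print(f"{sid:48} {kind:16} {path}{note}")
```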

Analyzing Profiles List Artifact with ArtiFast Windows

This section discusses how to use ArtiFast Windows to extract the Profiles List artifact from Windows machines and what kind of digital forensics insight we can gain from the artifact.

After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select the Profiles List artifact:

Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the Profiles List artifact in ArtiFast.

Profiles List Artifact

The artifact contains information related to users' profiles and their locations. The details you can view include:
