A registry viewer and a hex editor suffice to enumerate the members of a group during post-mortem analysis of a Microsoft Windows installation.
An analysis of a Windows installation wouldn't be complete without a close inspection of group memberships, especially of the local Administrators group.
Microsoft Windows stores information about local user accounts and groups in the Security Account Manager's database (also known as the SAM). This database is part of the registry. It can be found at HKEY_LOCAL_MACHINE\SAM.
On a running system a user won't see much at this location, because access to the SAM requires SYSTEM privileges. Being an administrator, one could easily elevate one's privileges with the help of the scheduler or several other services executed at the SYSTEM level.
In a forensic analysis I usually access the registry offline. The SAM's data is kept in the file %SystemRoot%\system32\config\SAM. Open this file with EnCase or any other registry viewer and navigate to the SAM.
Local groups are kept below SAM\SAM\Domains\Builtin\Aliases followed by the (hexadecimal) number of the group. For example, this number will be 220 (RID 544 in decimal) for the local Administrators group. The "C" value contains some information about the group. At its very end a trained eye immediately recognizes some Security Identifiers (SIDs). They identify the members of the group.
A hex editor will help you during a thorough examination. For this, first save all the data from the "C" value as a binary file. Then open this file in a hex editor of your choice. At first glance you'll recognize two UNICODE strings: the group's name and its description.
The structure starts with the numerical ID of that group. It is followed by offset and length pairs for the Security Descriptor, the name and the description. At last there's the offset and length of the memory region keeping the members' SIDs as well as the member count:

    uint32 GroupID;
    uint32 OfsSD;
    uint32 LenSD;
    FSkip(4);          // unused, always 0
    uint32 OfsName;
    uint32 LenName;
    FSkip(4);          // unused, always 0
    uint32 OfsDesc;
    uint32 LenDesc;
    FSkip(4);          // unused, always 0
    uint32 OfsMember;
    uint32 LenMember;
    uint32 CntMember;
This structure can be turned into a template for the 010 Editor with ease. The template will clearly display group members and the complex security descriptor. Creating such a template should also be possible for Hex Workshop and WinHex, which are two other well-known hex editors.
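The same layout can be walked in a few lines of Python, which is handy when a hex editor template isn't at hand or when many "C" values have to be processed from a batch of images. The script below is an added example, not code from the original post. It follows the header given above; one detail the post does not spell out, and which the example therefore assumes, is that the offsets are counted from the end of the 52-byte (0x34) fixed header rather than from the start of the value. The sample value, the member SIDs and the security descriptor bytes are constructed here for demonstration and do not come from a real hive. As a check a practitioner would want, the parser compares CntMember with the number of SIDs actually present in the member region and flags a mismatch.

```python
"""Parse the "C" value of a SAM Builtin alias key (e.g. ...\\Aliases\\00000220).

Added example, not code from the original post. Header layout as in the post.
Assumption: the Ofs* fields are relative to the end of the 52-byte fixed header.
"""
import struct

HEADER_FMT = "<13I"                       # 13 little-endian uint32 fields
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 52 bytes == 0x34


def parse_sid(buf, pos=0):
    """Decode one binary SID at buf[pos:]; return (S-1-... string, bytes used)."""
    revision, sub_count = buf[pos], buf[pos + 1]
    authority = int.from_bytes(buf[pos + 2:pos + 8], "big")   # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, buf, pos + 8)
    sid = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return sid, 8 + 4 * sub_count


def build_sid(sid):
    """Inverse of parse_sid; used here only to construct the sample value."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def parse_alias_c_value(data):
    """Return group id, name, description, SD bytes, members and a consistency flag."""
    (group_id, ofs_sd, len_sd, _u1,
     ofs_name, len_name, _u2,
     ofs_desc, len_desc, _u3,
     ofs_member, len_member, cnt_member) = struct.unpack_from(HEADER_FMT, data, 0)

    def region(ofs, length):
        start = HEADER_LEN + ofs              # assumption: offsets relative to 0x34
        end = start + length
        if end > len(data):
            raise ValueError("region 0x%x+0x%x runs past end of value" % (ofs, length))
        return data[start:end]

    blob, pos, members = region(ofs_member, len_member), 0, []
    # SIDs are stored back to back; each one is 8 + 4 * SubAuthorityCount bytes.
    while pos + 8 <= len(blob) and pos + 8 + 4 * blob[pos + 1] <= len(blob):
        sid, used = parse_sid(blob, pos)
        members.append(sid)
        pos += used

    return {
        "group_id": group_id,
        "name": region(ofs_name, len_name).decode("utf-16-le"),
        "description": region(ofs_desc, len_desc).decode("utf-16-le"),
        "security_descriptor": region(ofs_sd, len_sd),
        "members": members,
        # CntMember should agree with what the member region holds; a mismatch
        # points at a damaged or hand-edited value and deserves a closer look.
        "count_consistent": cnt_member == len(members),
    }


def build_alias_c_value(group_id, name, description, member_sids, sd=b"", cnt_member=None):
    """Construct a C value in the post's layout (sample data only, not a real hive)."""
    name_b, desc_b = name.encode("utf-16-le"), description.encode("utf-16-le")
    mem_b = b"".join(build_sid(s) for s in member_sids)
    body, spans = b"", []
    for part in (sd, name_b, desc_b, mem_b):   # regions laid out in header order
        spans.append((len(body), len(part)))
        body += part
    (o_sd, l_sd), (o_n, l_n), (o_d, l_d), (o_m, l_m) = spans
    count = len(member_sids) if cnt_member is None else cnt_member
    header = struct.pack(HEADER_FMT, group_id, o_sd, l_sd, 0, o_n, l_n, 0,
                         o_d, l_d, 0, o_m, l_m, count)
    return header + body


# Constructed sample: Builtin\Administrators (0x220) with two made-up domain SIDs.
SAMPLE_MEMBERS = ["S-1-5-21-1111-2222-3333-500", "S-1-5-21-1111-2222-3333-1001"]
SAMPLE_C_VALUE = build_alias_c_value(
    0x220, "Administrators",
    "Administrators have complete and unrestricted access to the computer/domain",
    SAMPLE_MEMBERS, sd=b"\x00" * 20)         # placeholder bytes, not a real SD

if __name__ == "__main__":
    info = parse_alias_c_value(SAMPLE_C_VALUE)
    print("Group 0x%x %s: %s" % (info["group_id"], info["name"], info["description"]))
    for sid in info["members"]:
        print("  member", sid)
    print("  member count consistent:", info["count_consistent"])
```

To use it against a real image, export the "C" value from the Aliases\00000220 key to a file with your registry viewer and pass its bytes to parse_alias_c_value. The last field of the result is the cheap sanity check worth running on every group: if CntMember disagrees with the SIDs that fit in the member region, the value should not be trusted at face value.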
Update 02/17/2006: Harlan Carvey just posted an article on the same matter.