WEBVTT

0:00:02.680000 --> 0:00:06.840000
In this video, we will continue to use Registry Explorer, but this time

0:00:06.840000 --> 0:00:10.600000
we will be using it to analyze the Security Account Manager, which is

0:00:10.600000 --> 0:00:18.080000
the SAM file. If you recall from our last video, we extracted the SAM

0:00:18.080000 --> 0:00:21.540000
file along with a couple of other registry values.

0:00:21.540000 --> 0:00:24.620000
We'll be using the Registry Explorer to show how easy it is to analyze

0:00:24.620000 --> 0:00:26.640000
the SAM registry file.

0:00:26.640000 --> 0:00:30.880000
All we need to do is select Load Offline Hive and select the SAM file

0:00:30.880000 --> 0:00:32.640000
you wish to load.

0:00:32.640000 --> 0:00:36.660000
Now that the file is loaded, we can simply drill down.

0:00:36.660000 --> 0:00:41.600000
As we do so, we have domains and we can see accounts.

0:00:41.600000 --> 0:00:44.060000
Let's click on the Users folder.

0:00:44.060000 --> 0:00:47.380000
Now we see several details displayed to the right.

0:00:47.380000 --> 0:00:52.200000
Let me expand a few columns here.

0:00:52.200000 --> 0:00:56.820000
Here we have the user ID. For this particular one, it's 500, which is usually

0:00:56.820000 --> 0:00:59.840000
designated for the administrator.

0:00:59.840000 --> 0:01:04.140000
We can see here under the Created On column when it was created.

0:01:04.140000 --> 0:01:06.540000
We can also see the last login time,

0:01:06.540000 --> 0:01:10.540000
when the user last changed their password, and the last incorrect password

0:01:10.540000 --> 0:01:14.560000
change, for when the user tried to change it and it was incorrect.

0:01:14.560000 --> 0:01:17.580000
We also have the expiration date and the full name.

0:01:17.580000 --> 0:01:21.440000
If the user had a password hint, we would be able to find it here under

0:01:21.440000 --> 0:01:23.960000
the Password Hint column.

0:01:23.960000 --> 0:01:29.940000
Under Groups, it would display what the user was a member of.

0:01:29.940000 --> 0:01:32.440000
And next to that are the comments.

0:01:32.440000 --> 0:01:37.780000
As you can see, we can obtain a lot of information and details from the

0:01:37.780000 --> 0:01:40.760000
SAM file with the help of the Registry Explorer.

0:01:40.760000 --> 0:01:45.600000
We can also see two additional users that were added to the system, with

0:01:45.600000 --> 0:01:50.340000
user IDs of 1005 and 1006.

0:01:50.340000 --> 0:01:55.980000
The first user has a user name of user1 and the second is called hacker.

0:01:55.980000 --> 0:01:59.300000
As a callout, I don't think this one user name is very suspicious, by

0:01:59.300000 --> 0:02:02.600000
the way. It was probably meant as a joke.

0:02:02.600000 --> 0:02:07.420000
The first user account was created on September 2, 2015 at 9:05.

0:02:07.420000 --> 0:02:11.020000
The user last logged in at the same time.

0:02:11.020000 --> 0:02:14.620000
The second user was created shortly after the first.

0:02:14.620000 --> 0:02:17.780000
This is very suspicious because it might have been done using a command

0:02:17.780000 --> 0:02:23.020000
line (CMD), so this might need further investigation.

0:02:23.020000 --> 0:02:26.980000
As you can see, Registry Explorer provides us all of these details, which

0:02:26.980000 --> 0:02:30.080000
allows us to analyze them quite easily.

0:02:30.080000 --> 0:02:34.060000
If we go back over to the left panel where we drilled down earlier, under

0:02:34.060000 --> 0:02:36.980000
the Users folder we see several other folders that represent an entry

0:02:36.980000 --> 0:02:41.380000
for the users. Below that, we can find the names of the users.

0:02:41.380000 --> 0:02:48.220000
We have Administrator, which is this key here.

0:02:48.220000 --> 0:02:51.020000
The Guest key is 1F5.

0:02:51.020000 --> 0:02:52.940000
The hacker key is 3EE,

0:02:52.940000 --> 0:02:58.480000
which you can see here to the right in the Value Type Text field, and

0:02:58.480000 --> 0:03:01.360000
the user key is 3ED.

0:03:01.360000 --> 0:03:04.900000
You can use the Value Type Text field to check which key corresponds to

0:03:04.900000 --> 0:03:06.440000
the appropriate user name.

0:03:06.440000 --> 0:03:09.740000
Let's now expand Builtin.

0:03:09.740000 --> 0:03:13.640000
Here we can see the Aliases, as well as Names, which are all built-in

0:03:13.640000 --> 0:03:15.940000
users and groups that are found.

0:03:15.940000 --> 0:03:19.620000
If we click on Administrators and look at the Value Type, we can see which

0:03:19.620000 --> 0:03:23.580000
key it corresponds to under Aliases, which is this one here.

0:03:23.580000 --> 0:03:27.260000
To figure out which key belongs to which alias, we can continue on in

0:03:27.260000 --> 0:03:33.020000
the same way. Along the top, there's a bookmark icon, and once expanded,

0:03:33.020000 --> 0:03:35.220000
we see a User Accounts option.

0:03:35.220000 --> 0:03:38.500000
Currently, there's only one, and if we click it, it takes us directly

0:03:38.500000 --> 0:03:44.660000
to it. We also have the option to export all of these details.

0:03:44.660000 --> 0:03:49.020000
To do so, simply go to File, and then Export Registry Hives.

0:03:49.020000 --> 0:03:51.820000
We have a few options to select from.

0:03:51.820000 --> 0:03:54.900000
So, as an example, let's select this one,

0:03:54.900000 --> 0:04:04.680000
Users, and export it as a CSV to the Desktop.

0:04:04.680000 --> 0:04:07.940000
Now, let's open the file and see what's there.

0:04:07.940000 --> 0:04:09.560000
We have a lot of details here.

0:04:09.560000 --> 0:04:12.820000
We could even use another tool to analyze them.

0:04:12.820000 --> 0:04:17.280000
As you can see, analyzing a SAM file using Registry Explorer is easy,

0:04:17.280000 --> 0:04:21.760000
and the information presented to us is really useful.

0:04:21.760000 --> 0:04:25.400000
Navigating back to the Registry Explorer, we have a lot more information

0:04:25.400000 --> 0:04:28.240000
that can be extracted from the SAM file.

0:04:28.240000 --> 0:04:32.100000
There are lots of other registry analyzers, but this one is open source

0:04:32.100000 --> 0:04:35.040000
and I highly recommend you use it.

0:04:35.040000 --> 0:04:38.700000
The tool is very easy to use, and you could even start using it now with

0:04:38.700000 --> 0:04:41.700000
your investigations.

0:04:41.700000 --> 0:04:45.400000
This concludes this video lesson on how to use Registry Explorer to parse

0:04:45.400000 --> 0:04:48.560000
a SAM (Security Account Manager) file.

0:04:48.560000 --> 0:04:49.280000
Thanks for joining us.