Posted: Thu Sep 28, 2006 12:08 am Post subject: ntuser.dat.log says "dirty"
We are inspecting a computer at work for potential abuse. We have found some graphic images and have run a few programs and noticed a lot of surfing to some questionable sites. We just checked the ntuser.dat.log under every username and all the files have the word "dirty" in them.
I just looked at my computer and my ntuser.dat.log does NOT have that word in there.
I'm assuming I have a big problem on my hand....any suggestions?
I hope for your sake and that of the company you know what you are doing and/or can prove that when push comes to shove if the employee in question ever decides to pursue litigation. I assume everyone here knows that, but, just in case before offering my opinion on the matter.
Since you haven't described exactly what you've done other than viewing a few graphic images and running a few programs and noticing a lot of surfing to some questionable sites, I wills start from the beginning.
This is all assuming you are using a forensics copy/image to do the investigation:
1.) Ran antivirus/spyware software to determine any kind of infection. The reasons I state this are because:
a) Questionable sites were visited - (although they shouldn't be questionable - it should be black and white - is the site appropriate or not - if not, then off limit sites were visted.)
b) All the user accounts are showing the same thing, so, to me, it looks like a system wide problem, not just a user account. If that is the case, then some serious security issues comes to mind such as the privelages of the user account in question in the first place and why was the account with a high level or privelage (assuming this was the account that created the infection if there is an infection) surfing the net. BTW, if possible, I would isolate the machine as well since this seems like a system wide thing.
2.) The Ntuser.dot.log file says dirty. Where does it say this. For example, when I look at my ntuser.dat.log file, it has the following:
Under name: ntuser.dat.LOG
Size: Will vary
Type: Text document
Modified: Will vary
So, is the dirty part of the file name, like ntuser.dat.dirty.LOG or is it under type, or where exactly is the word dirty showing up. I have never seen the issue before, so I am interested in what it looks like.
3.) Since the log file is questionable, I would assume the item it logs is also questionable, the NTuser.dat file. This file, along with the log file affect the HKEY_CURRENT_USER registry. Since this hive is the current profile loaded, unless you are logged in under the user, no point in looking there. What you want to look at is the HKEY_USERS, but it depends where to look. If the account is held at a domain controller, then you will have to find the SID of the user account, and I am assuming - never done this - look at the registry hive on the domain controller in which the account is local. If the account is a local account to the machine, then you could look at the HKEY_USERS there.
My next step would be to analyze the hive to see what is going on. I would use the results from the antivirus/spyware scan to assist with this. Beyond those starting points, I would have to see it to understand what was going on.
Just as a reminder, this is not an expert opinion, just my view on how I would go looking into things. Just remember the legal impacts if this goes any further - for example any discipline to the owner of the account in question.
"dirty" refers to the live system hive not being updated properly:
When you make changes to the Registry that affect the HKEY_LOCAL_MACHINE\SYSTEM hive, the changes are first applied to the actual system hive, then to the alternate hive. If there is a system failure during the updates to the alternate hive, there is no problem, and after the system boots, NT updates the alternate hive to again be an exact copy of the actual system hive. However, if there is a failure during an update to the actual system hive, when NT reboots it detects that the system hive is dirty, so instead it boots using the alternate hive, which is in an older but stable state. It then rolls back changes to the original system hive.
Posted: Fri Sep 29, 2006 11:41 pm Post subject: More about the log...
Thank you both for your posts. They are very helpful. To reply to Precision, here is some more information.
The computer is isolated and has not affected any other machines in our network. We've run spyware/adaware/antivirus, etc and did not find anything. We are assuming the graphic images were brought in from an outside source i.e.-floppy, flash drive, cd, etc. These images are on only 1 machine.
Here is the text from the ntuser.dat.log file on that computer:
regf¦ ¦ \Lx–£ŻĘ 0 t t i n g s \ A d m i n i s t r a t o r \ N T U S E R . D A T ¸ÄĻńDIRT˙
We would definitely appreciate any and all replies.
Well, I don't know how your documents and settings folder looks, but I did a little looking in mine, and this is what I found.
A while back, I had problems with my profile, but still had data I wanted to get (but I still have yet to go back and back it up - silly me) so I left the original profile in place and made another one with the same username. So, my documents and settings folder has the following:
So, I am logged in with the username.domain account, and can't view my ntuser.dat.log file because it is in use since I am logged in. But, I can go view my username ntuser.dat.log file, and to my suprise, I saw the same thing:
username\ n t u s e r . d a t --- DIRTA
(the dashes are parts I took out just in case they are something that could be revealing of my system - all me paranoid!)
I then went and looked the the all users folder in Documents and Settings and got this:
\ a l l u s e r s \ n t u s e r . d a t --- DIRT˙
I logged out, checked my file from another account, it does not have this.
I believe the issue might be created when using generic accounts, or duplicate accounts - if you are anything like me, when you create another user account, all you do is clone a default account and slap a new name on it for the next victim.
So, my final conclusion for now - probably nothing to be concerned with - I would chalk this one up to MS silliness.
But, I have thought of a way you could check this, but it would probably have to be tweaked. You could try duplicating another account, and see what you get in that ntuser.dat.log file. Who knows...
Clean system, never been hooked to the net, just formatted and the OS installed. Nothing else installed.
Created a user account besides admin named panther. Logged in once, then restarted the machine properly. Logged in via admin and took a look at the ntuser.dat.log file, and yet again, the dirty is there.
So, I started to wonder, and took a look at the ntuser.dat file. Seems it has a lot of these as well: ˙ .
So I got to thinking... maybe that is a control character, and what we are really seeing is just DIRT (like the above post mentions). Since the ntuser.dat file is nothing more than the hive of the user in the registry, those characters have to be in the registry somewhere. So, what to do.... search the registry. Only two keys found that contain DIRT, and they don't look promissing for anything. So, I could try DIR, but as you imagine, that would take forever to go through in the registry of just a regular install!
So hmm.... dunno where it comes from, but it definately is not anything malicious unless my CD from MS is bugged or the backdoor is so good it is hiding in my BIOS. (ok ok, I'm joking now..)
Now I am wondering about the ˙ now!
Thought to fire up the ol' hex editor and find the hex for the character, turns out to be FF - so I am guessing it is the end of a line or something.
Posted: Thu Jan 25, 2007 7:51 am Post subject: Here's what I know about dirt˙
Please suspend your disbelief, or at least be kind to me when you tell me I am crazy. In short, I think this dirt˙ thing is likely something to be concerned about.
For more than a year, I have been plagued with a security problem that no one can fix, and so pretty much everyone tells me it's not real--with the exception of a guy who leads a Computer Forensics seminar for mid-level IT guys from big companies. I won't get into the details of the problem here, but suffice it to say that I have reformatted five different computers a total of at least 100 times. (The definition of madness...)
Here's what I have recently observed about "dirt˙" in my world: I began to notice this five or six reformats ago in all of the three computers I own. I did a search for dirt˙ *before* connecting to the Internet, and found three instances. Once I connected to the internet, there were more than a dozen of them.
What I believe about my security issue is that the hard drive isn't really being cleaned, even though I use methods including FDISK with a retail XPPro disk, DBAN, and other things besides the manufacturers' restore disk.
In short, I think this dirt˙ thing is indeed something to be concerned about.
I am writing this from someone else's computer, with an e-mail address that I will not be accessing from my dirt˙ computer.
If you are interested enough in this to know more, I will be greatly appreciative of your insights and opinions. Perhaps even your Experience, Strength, and Hope.
Joined: Jan 03, 2006 Posts: 255 Location: The Netherlands
Posted: Thu Jan 25, 2007 4:53 pm Post subject:
Sounds a bit to heavy on the paranoia mode to me....
Regarding the image, it was mentioned in the second post already, are you doing the investigation an a forensically sound image of the drive under investigation?
About the DIRT hyve issue. Was Windows event logging activated? Does it mention any issues regarding user profiles not being able to be unloaded during logout? How was the computer shutdown prior to making the forensic copy?
I would focus on the validity of browser logs and try to match any unwanted visits to other activity that might be attributed to an actual person. Otherwise all you have is a computer used to visit certain websites. You'd still have to prove beyond some form of certainty who was actually sitting at the keyboard during those visits.
As I said earlier I spend some time in the MaximumPC forums and they have been helpfull. They recomended I use Panda scan to find files which are of some concern, at least to the Panda. So, I have done that and Chumly in the Free Clinic room said there was a weird signature on one of the file it said this;
Then there's a mystery host list that scares the crap out of me. O16-O17 should be noted. The "whois" on those IP's point to this address:
I know this takes up a lot of space, but I'm looking for answers before I wipe the hard drive. On that note how exactly do I go about doing that. I have already backed up my info and need to move or have some idea of where I am heading. Thanks everyone . I don't even know where he saw that name and adress, but it is weird. He recommended I delete the weatherbug button and ASL (I think), I did any thoughts any one .
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum