
sam plugin issue #17

Closed
jw4n6 opened this issue Dec 28, 2022 · 2 comments
Labels
bug Something isn't working

Comments


jw4n6 commented Dec 28, 2022

It seems that the sam plugin provides the wrong user creation timestamp, or it is intended by design and instead provides the last modification timestamp, e.g. a user's last password change. The expected creation time of the user should be "2021-12-28 06:57:23 UTC".

See the comparison below with X-Ways Forensics and dissect, all timestamps in UTC.

x-ways

Registry report:

User ID of  | 0x000003EA (1002) |   | 2021-12-28 06:57:23

Registry viewer:
Screenshot shows the last password change, which is the "creation" timestamp of the dissect output below.

dissect
target-query -q TestImage.E01 -f sam -j | jq . -C | less -r

{
  "hostname": "<redacted>",
  "domain": "<redacted>",
  "rid": 1002,
  "fullname": "<redacted>",
  "username": "<redacted>",
  "comment": "",
  "lockout": "1601-01-01T00:00:00.000000",
  "creation": "2021-12-28T07:41:13.536482",
  "lastlogin": "1601-01-01T00:00:00.000000",
  "flags": 528,
  "failedlogins": 0,
  "logins": 0,
  "lm": "<redacted>",
  "ntlm": "<redacted>",
  "_source": "TestImage.E01",
  "_classification": null,
  "_generated": "2022-12-28T03:27:52.017157",
  "_version": 1,
  "_type": "record",
  "_recorddescriptor": [
    "windows/registry/sam",
    1346789399
  ]
}

If this is by design, I would suggest changing the "creation" timestamp to "last modified" or similar wording to avoid any confusion.

@Schamper (Member) commented:

Hi @wahlgren, thanks for reporting this! I don't think this is necessarily "by design"; it's likely this happened because the sam plugin was based on other SAM parsers, which seem to have the following field commonly specified in the F value:

char t_creation[8]; /* Time of account creation */

It looks like we just copied this naming 1:1 into our plugin.

Looks like we'll have to take a bit of a deep dive into SAM to fix this properly!
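To make the mix-up concrete, here is an added example (not dissect's code and not the reporter's) that parses the user key's F value with the field layout commonly published by SAM parsers, labelling offset 0x18 as the password-last-set time rather than "creation". The layout (last logon at 0x08, password last set at 0x18, account expiry at 0x20, last bad password at 0x28, RID at 0x30, ACB flags at 0x38, counters at 0x3C/0x3E) and the sample F blob are assumptions constructed for this example.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME values count 100 ns ticks since 1601-01-01 UTC, which is why the
# unset "lockout" / "lastlogin" fields in the issue print as 1601-01-01.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Zero and the 'never' sentinel both mean 'not set' and return None."""
    if ft == 0 or ft >= 0x7FFFFFFFFFFFFFFF:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used here only to construct the sample F value."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_sam_f(f):
    """Assumed F-value layout (offsets from commonly published SAM parsers).
    Offset 0x18 is the field chntpw-style structs call t_creation; it holds
    the last password change, which is the confusion reported in this issue."""
    if len(f) < 0x40:
        raise ValueError("F value too short: %d bytes" % len(f))
    last_logon, pwd_last_set, expires, last_bad = struct.unpack_from("<Q8xQQQ", f, 0x08)
    rid, acb, _unused, failed, logins = struct.unpack_from("<I4xHHHH", f, 0x30)
    return {
        "rid": rid,
        "lastlogon": filetime_to_datetime(last_logon),
        "pwdlastset": filetime_to_datetime(pwd_last_set),  # NOT account creation
        "expires": filetime_to_datetime(expires),
        "lastbadpassword": filetime_to_datetime(last_bad),
        "acb_flags": acb,
        "failedlogins": failed,
        "logins": logins,
    }


def build_sample_f(pwd_last_set, rid=1002, acb=0x210):
    """Constructed 80-byte sample F value; every field not set stays zero."""
    f = bytearray(0x50)
    struct.pack_into("<Q", f, 0x18, datetime_to_filetime(pwd_last_set))
    struct.pack_into("<I", f, 0x30, rid)
    struct.pack_into("<H", f, 0x38, acb)
    return bytes(f)


# Sample mirroring the issue's record: RID 1002, flags 528, password set 07:41:13.
SAMPLE_F = build_sample_f(datetime(2021, 12, 28, 7, 41, 13, 536482, tzinfo=timezone.utc))

if __name__ == "__main__":
    for key, value in parse_sam_f(SAMPLE_F).items():
        print(key, value)
```

The F value carries no account-creation time at all; when a tool reports one, it usually comes from elsewhere (for example the last-write time of the user's key under the SAM hive), so an analyst should verify which source a given tool uses before relying on it.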

@Schamper Schamper added the bug Something isn't working label Jan 10, 2023
@Schamper (Member) commented:

This should be fixed with fox-it/dissect.target#121 so I'm closing this. Let me know if you find any other issues!
