SAM Registry Hive
windows | Authentication & Access | Disk Image
Location
C:\Windows\System32\config\SAM
Description
Security Accounts Manager hive containing local user accounts, group memberships, password policy settings, and NTLM password hashes.
Forensic Value
Enumerating local accounts reveals rogue administrator accounts created for persistence. Comparing each account's last password change timestamp against known compromise windows identifies accounts likely tampered with by adversaries. Extracted NTLM hashes (decrypted using the boot key from the SYSTEM hive) confirm whether pass-the-hash was feasible.
Tools Required
KAPE
RegRipper
Impacket secretsdump
Registry Explorer (Eric Zimmerman)