SAM Registry Hive

Windows | Authentication & Access | Disk Image

Location

C:\Windows\System32\config\SAM

Description

Security Accounts Manager hive containing local user accounts, group memberships, password policy settings, and NTLM password hashes.

Forensic Value

Enumerating local accounts reveals rogue admin accounts created for persistence. Comparing account creation and last password change timestamps against known compromise windows identifies accounts likely tampered with by adversaries. Extracted NTLM hashes (decrypted with the boot key taken from the SYSTEM hive) confirm whether pass-the-hash was feasible.
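The triage described above, written out as an added example that is not part of the original reference card: it takes a list of local-account records (names, RIDs, creation and password-change timestamps, and group membership, all constructed here rather than parsed from a real hive) and flags accounts that were created or had their password set inside the compromise window, plus non-built-in accounts (RID 1000 and above) that sit in the local Administrators group. Timestamps that are absent (samparse prints these as "Never") are left unflagged, in line with the constraint that absence is inconclusive. The record layout and the `triage_accounts` function are this example's own assumptions, not RegRipper or Impacket output.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LocalAccount:
    """One SAM user record as an analyst would tabulate it (hypothetical layout)."""
    name: str
    rid: int
    created: Optional[datetime]        # None when the hive carries no timestamp
    pwd_last_set: Optional[datetime]   # None when samparse reports "Never"
    groups: Tuple[str, ...] = ()


def parse_sam_timestamp(value: str) -> Optional[datetime]:
    """Convert an ISO-8601 UTC string to datetime; 'Never' (or empty) becomes None."""
    if not value or value.strip().lower() == "never":
        return None
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def _inside(ts: Optional[datetime], start: datetime, end: datetime) -> bool:
    # Missing timestamps are inconclusive, never evidence of tampering.
    return ts is not None and start <= ts <= end


def triage_accounts(accounts: List[LocalAccount],
                    window_start: datetime,
                    window_end: datetime) -> Dict[str, List[str]]:
    """Return {account name: [reasons]} for accounts worth a closer look."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        reasons: List[str] = []
        if _inside(acct.created, window_start, window_end):
            reasons.append("created inside compromise window")
        if _inside(acct.pwd_last_set, window_start, window_end):
            reasons.append("password set inside compromise window")
        # RID 500 (Administrator) and 501 (Guest) are built in; RIDs from 1000
        # upward are accounts somebody created on this host.
        if "Administrators" in acct.groups and acct.rid >= 1000:
            reasons.append("non-built-in account in Administrators")
        if reasons:
            findings[acct.name] = reasons
    return findings


# Constructed sample data: five accounts as they might be tabulated after
# running samparse against a collected SAM hive.
SAMPLE_ACCOUNTS = [
    LocalAccount("Administrator", 500, parse_sam_timestamp("2023-01-10T09:00:00"),
                 parse_sam_timestamp("2023-01-10T09:00:00"), ("Administrators",)),
    LocalAccount("Guest", 501, parse_sam_timestamp("Never"),
                 parse_sam_timestamp("Never"), ("Guests",)),
    LocalAccount("jsmith", 1001, parse_sam_timestamp("2023-03-01T08:15:00"),
                 parse_sam_timestamp("2023-03-01T08:15:00"), ("Users",)),
    LocalAccount("helpdesk", 1002, parse_sam_timestamp("2023-06-01T10:00:00"),
                 parse_sam_timestamp("2024-05-15T02:41:00"), ("Users",)),
    LocalAccount("svc_backup", 1005, parse_sam_timestamp("2024-05-14T03:12:00"),
                 parse_sam_timestamp("2024-05-14T03:12:00"), ("Administrators",)),
]

# Constructed compromise window (UTC) taken from the rest of the investigation.
WINDOW_START = datetime(2024, 5, 13, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 5, 16, tzinfo=timezone.utc)


if __name__ == "__main__":
    for name, reasons in triage_accounts(SAMPLE_ACCOUNTS, WINDOW_START, WINDOW_END).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the constructed data, `svc_backup` is flagged on all three rules and `helpdesk` only for the password change; the built-in accounts and `jsmith` are not reported. In a real case the window comes from the other timeline sources, and a hit here is a lead to corroborate against Security event log 4720/4724 entries, not a conclusion on its own.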

Tools Required

  • KAPE
  • RegRipper
  • Impacket secretsdump
  • Registry Explorer (Eric Zimmerman)

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target RegistryHives

reg.exe

reg save HKLM\SAM C:\output\SAM.hiv

Impacket

python3 secretsdump.py -sam SAM.hiv -system SYSTEM.hiv LOCAL

RegRipper

rip.exe -r C:\output\SAM.hiv -p samparse

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.

MITRE ATT&CK Techniques

  • T1003.002 (OS Credential Dumping: Security Account Manager)
  • T1136.001 (Create Account: Local Account)
  • T1078.003 (Valid Accounts: Local Accounts)