This page outlines some of the core concepts around OS Accounts and Realms and how they are stored.
OS Accounts are unique data types in the TSK datamodel and have more complexity than other types because
we often will not fully understand the details when creating the OS Accounts early in the processing and will
This page outlines some of the core concepts around OS accounts and realms and how they are stored.
OS accounts are unique data types in the TSK datamodel and have more complexity than other types because
we often will not fully understand the details when creating the OS accounts early in the processing and will
need to update them at various points as analysis continues.
\section os_acct_basics Basic Terminology
- An <b>OS Account</b> allows a person to do some action or access some resource on a device.
- A <b>realm</b> is the scope wherein the OS Account is defined. A realm can be scoped to a single host (i.e., for accounts that exist only on a single host) or to a network domain (such as Windows domain accounts).
- An <b>OS account</b> allows a person to do some action or access some resource on a device.
- A <b>realm</b> is the scope in which the OS account is defined. A realm can be scoped to a single host (i.e., for accounts that exist only on a single host) or to a network domain (such as Windows domain accounts).
\section os_acct_challenges OS Account Challenges
A key challenge with OS Accounts is that we do not know the account information until we have started to parse files, and the more detailed information will only come from OS configuration files. It is also possible that we may never know the details if we have only a media card.
A key challenge with OS accounts is that we do not know the account information until we have started to parse files, and the more detailed information will only come from OS configuration files. It is also possible that we may never know the details if we have only a media card.
As a user adds a disk image to the case, we may learn about addresses from the files. But, we won't yet know the account name or if it is domain-scoped or local-scoped. So, the basic properties of the realm and account may change as more data is ingested and analyzed. This could even result in needing to merge realms and accounts.
Another difference with other data types in the TSK data model is that OS Accounts may span multiple data sources if they are domain accounts. Therefore, they are not "children" of a data source and exist outside of the usual tree model in TSK.
Another difference from other data types in the TSK data model is that OS accounts may span multiple data sources if they are domain accounts. Therefore, they are not "children" of a data source and exist outside of the usual tree model in TSK.
\section os_acct_realm OS Account Realms
An org.sleuthkit.datamodel.OsAccountRealm represents the scope of a set of OS Accounts. A realm's scope is defined by org.sleuthkit.datamodel.OsAccountRealm.RealmScope. By default, the scope is set to host-level and the org.sleuthkit.datamodel.OsAccountRealm.ScopeConfidence is set to inferred. As more is learned, the confidence and scope can be made more specific.
An org.sleuthkit.datamodel.OsAccountRealm represents the scope of a set of OS accounts. A realm's scope is defined by org.sleuthkit.datamodel.OsAccountRealm.RealmScope. By default, the scope is set to host-level and the org.sleuthkit.datamodel.OsAccountRealm.ScopeConfidence is set to inferred. As more is learned, the confidence and scope can be made more specific.
A realm has two core fields:
- Address that the OS uses internally, such as part of a Windows SID
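Review bot: the lowercasing of "OS Account" to "OS account" is applied to the body text here (L5, L11, L15, L18, L21) but not to the section titles "OS Account Challenges" and "OS Account Realms"; if title case is intended for \section titles that is fine, otherwise lowercase those too so the page is consistent. While this hunk is reworking the surrounding wording, the unchanged "But, we won't yet know the account name" still carries a stray comma after "But", and "can be scoped to a single host (i.e., for accounts that exist only on a single host)" could simply say "(i.e., local accounts)" to match the "domain-scoped or local-scoped" wording used later.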
@@ -38,13 +38,13 @@ Realms are managed by org.sleuthkit.datamodel.OsAccountRealmManager.
An org.sleuthkit.datamodel.OsAccount represents an account that was configured in an operating system. It must be defined within the scope of an OsAccountRealm.
An Os Account has two core fields:
An OS account has two core fields:
- Login name that the user enters (such as jdoe)
- Address that the operating system uses internally (such as a UID of 0 or a Windows SID)
OS Accounts also have other properties, such as full name, creation date, etc. that can be set after it is created.
OS accounts also have other properties, such as full name, creation date, etc., that can be set after the account is created.
OS Accounts are managed by org.sleuthkit.datamodel.OsAccountManager.
OS accounts are managed by org.sleuthkit.datamodel.OsAccountManager.
\subsection os_acct_acct_os Supported Operating Systems
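Review bot: "An OS account has two core fields:" followed by "Login name that the user enters (such as jdoe)" and the address line reads as if both are always present, but the page itself says earlier that the account name is often unknown when the account is first created and that the address is what is learned from the files; consider stating here which of the two is required at creation time and which may be filled in later, so readers of this section do not assume a login name must be known before calling OsAccountManager.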
@@ -52,18 +52,16 @@ At this point, APIs exist for only Windows accounts, such as:
In the future, additional methods will be created for other operating systems.
The underlying database schema supports other operating systems, but the utility APIs do not exist to populate them other than with Windows SIDs.
The underlying database schema supports other operating systems, but the utility APIs do not exist to populate them other than with Windows SIDs. These methods may be added in the future.
\section os_account_storing Storing Original Account Data
We recommend that the OS Account addresses or names that were parsed from the data source are saved alongside any references to OsAccount objects. For example, the TSK database stores the UID or SID that was stored in a file system for a file in addition to the reference to the OsAccount object that is associated with that address. This helps to ensure the original data is preserved in case an OsAccount can't be created, gets deleted, or is incorrectly merged.
We recommend that the OS account addresses or names that were parsed from the data source be saved alongside any references to OsAccount objects. For example, the case database stores the UID or SID that was stored in a file system for a file in addition to the reference to the OsAccount object that is associated with that address. This helps to ensure the original data is preserved in case an Os account can't be created, gets deleted, or is incorrectly merged.
\section os_acct_example Example Creation & Update Code
There are three unique elements to creating and updating OS Accounts when adding data to the case database:
There are three unique elements to creating and updating OS accounts when adding data to the case database:
<ol>
<li>You cannot create or update OS accounts in a multi-step org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction. To avoid duplicates across multiple node systems, you need to insert and update in a single step. If you have a transaction open while creating accounts, the database will likely go into a deadlock in single-user cases because the thread can not have two connections at the same time.
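Review bot: the added sentence "These methods may be added in the future." duplicates the unchanged line just above it, "In the future, additional methods will be created for other operating systems."; keep one of the two. In the same hunk the rewritten "in case an Os account can't be created" uses "Os account" where the rest of the change standardises on "OS account". The unchanged deadlock note would also read better as "the thread cannot have two connections at the same time" rather than "can not".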
@@ -71,20 +69,20 @@ There are three unique elements to creating and updating OS Accounts when adding
This means that if you are using CaseDbTransation to add a lot of files or artifacts, you'll need to:
<ol type="a">
<li>Pre-process the data to identify what accounts you need to find references to
<li>See if the OS Accounts already exist and update or make new ones
<li>See if the OS accounts already exist and update or make new ones
<li>Add the files and artifacts with references to the OsAccounts
</ol>
<li>You need to check if you have more information than what is already stored (e.g., maybe the realm name was unknown).
<li>You need to record that an OS Account was referenced on a given data source because OS Accounts are stored in parallel to data sources and are not children of them.
<li>You need to record that an OS account was referenced on a given data source because OS accounts are stored in parallel to data sources and are not children of them.
</ol>
Here are some examples.
\subsection os_acct_ex_get Adding a File or Data Artifact
If you pass in an OsAccount to the various methods to add files and data artifacts, then the database will make the association and record the occurence. All you need to do is get the account. You can do that with org.sleuthkit.datamodel.OsAccountManager.getWindowsOsAccount(). Note that sometimes that call will fail if the SID associated with the file is for a group, for example, if the OS Account has admin rights.
If you pass in an OsAccount to the various methods to add files and data artifacts, then the database will make the association and record the occurence. All you need to do is get the account. You can do that with org.sleuthkit.datamodel.OsAccountManager.getWindowsOsAccount(). Note that sometimes that call will fail if the SID associated with the file is for a group, for example, if the OS account has admin rights.
If you get an OsAccount, you can try to update it if you think you may have new information.
\subsection os_acct_ex_update Parsing OS Configuration Data
When parsing the Windows registry or other OS Configuration file, you may find updated information about OS Accounts. You can call various org.sleuthkit.datamodel.OsAccountManager methods to get and update the accounts. When adding extended attributes, you can choose to limit the scope of the attribute to the single host being parsed or domain-level.
When parsing the Windows registry or other OS Configuration file, you may find updated information about OS accounts. You can call various org.sleuthkit.datamodel.OsAccountManager methods to get and update the accounts. When adding extended attributes, you can choose to limit the scope of the attribute to the single host being parsed or to the domain-level.
You should make sure to call org.sleuthkit.datamodel.OsAccountManager.newOsAccountInstance() to ensure it is recorded that there was at least some reference to account on that data source. Otherwise, it will not be associated with the data source unless there were also files or artifacts that were mapped to the OS Account.
You should make sure to call org.sleuthkit.datamodel.OsAccountManager.newOsAccountInstance() to ensure it is recorded that there was at least some reference to account on that data source. Otherwise, it will not be associated with the data source unless there were also files or artifacts that were mapped to the OS account.
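Review bot: several spelling and grammar slips survive in the rewritten lines: "record the occurence" should be "occurrence" (it appears in both the old and the new line, so the change does not fix it), "at least some reference to account on that data source" is missing an article ("to the account"), and "or to the domain-level" should be "or to the domain level"; the unchanged "if you are using CaseDbTransation" above is also a typo for CaseDbTransaction and is worth fixing while this text is being touched. Separately, the example "that call will fail if the SID associated with the file is for a group, for example, if the OS account has admin rights" does not say why the SID would be a group SID; consider rewording to say that the file's owner SID may refer to a group (for instance the local Administrators group) rather than to an account, which is when getWindowsOsAccount() cannot return an OsAccount.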
@@ -23,7 +23,7 @@ Some general notes on this schema:
# Schema Information
This was a big change. Tables were added to support analsis results, OS accounts, Hosts & Person strcture of data sources, and host addresses (IPs, DNS, etc.). It has a major version change because there are new Content enum types (OsAccount and HostAddress). More information on how to use these new objects can be found on the \ref mod_dspage and \ref mod_os_accounts_page pages.
This was a big change. Tables were added to support analysis results, OS accounts, hosts and person structure of data sources, and host addresses (IPs, DNS, etc.). The major component of the version number has been incremented because there are new org.sleuthkit.datamodel.TskData.ObjectType enum types (OsAccount and HostAddress). More information on how to use these new objects can be found on the \ref mod_dspage and \ref mod_os_accounts_page pages.
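Review bot: "The major component of the version number has been incremented" never says which schema version this paragraph describes, and the surrounding heading is only "Schema Information"; stating the version explicitly would let readers match this note to the compatibility check they see at open time. Also, "hosts and person structure of data sources" is awkward; "the host and person structure of data sources" reads more naturally, and the opening "This was a big change." could be dropped or merged into the next sentence since the list of added tables already makes the point.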