Grzegorz Tworek
Sep 28, 2019


GPO Forensics

GPO (Group Policy Object) is one of the most useful features of the Windows ecosystem. Simply put, GPO allows an admin to create a set of rules to be applied on domain-joined computers, so that he no longer has to care about “how”, but only about “what”. The mechanism itself is not very complex and has three main components:

  • Editor and management tools — a bunch of utilities (GUI, PowerShell etc.) allowing you to create and edit the data to be served as the policy.
  • Server — partially relying on AD Services and partially just a share (SYSVOL) where the files made with the editors are automatically placed. There is nothing like “save as” for GPO, and you realize it is just a share only if you want to dig deeper than the user interface of your tools.
  • Client — namely the gpsvc service, running on each domain-joined Windows machine, periodically trying to collect data from AD and the share, interpret it and apply it.

To make it even more beautiful, Microsoft designed GPO as highly extensible, allowing you to put more on the server side (because it is just a share or AD data) and fit the client with DLLs that gather their own data and use it their own way. LAPS is one of the most notable GPO extensions, and if you dig behind the surface you realize it is just AD attributes on the server side and admpwd.dll on the client side.

If you have admin rights, analysis of the GPO can be done by just opening the editor and looking into the settings. It may be a nightmare if you have hundreds of policies (not that unusual), but there is no magic involved. The most interesting story begins if you have no permissions or no AD at all, just the content of the SYSVOL share. Of course, as AD keeps part of the GPO data, it would be nice to have it, but if you have only the files it is OK too. You will miss some data (such as names or linked containers), but the real data to be applied is usually just a file, and in most cases you can copy it to your computer exactly as gpsvc does. There are “only” two issues you have to face:

  • Each policy is spread over multiple folders. Mostly empty ones, but you need to look into such a folder to realize it. Multiply it by the number of GPOs (did I mention hundreds?) and you’ll have some fun for the rest of your day.
  • Policy-related files have their own formats. And to make the whole thing even worse, it is not one format for all of them. Such a file may have the structure of an .ini (with sections in [] and param=value pairs), it may be XML, Augmented Backus-Naur Form, CSV, or one of a bunch of proprietary formats, including binary ones.

The most common files include:

  • gpt.ini — containing information about the version of the policy. It looks like there was an idea of putting the policy name into this file, but it never happened in practice.
  • adm files — not really used by the client, but allowing the editor to “translate” the nice options displayed in a GUI to the real registry keys and values. Most admins use files distributed by vendors (mainly Microsoft), but writing your own is not that uncommon. Even if it is not directly used by gpsvc, it may be a valuable source of knowledge for forensicators.
  • GPTTmpl.inf files — security options set through GPO.
  • GPE.ini — not very useful in practice, as it usually contains only some information about versions.
  • cmtx files — XML files containing information about the part of the settings applied, including some admin comments.
  • GPP (Group Policy Preferences) for files, registry, scheduled tasks and system services — more files formatted as XML, with a separate file for each scenario.
  • Scripts — one of the most beautiful sources of knowledge, especially as sooner or later some authentication data will end up there.
  • Scripts.ini — the definition of scripts automatically launched at startup/shutdown/logon/logoff.
  • Fdeploy and fdeploy1 — information about folder redirections.
  • Audit policies — CSV files defining what exactly should be placed in the security event log.
  • POL files — the last but definitely not least. Actually it is the oldest (and the core) part of GPO. It contains information for gpsvc about registry data to be added/changed/deleted. The file format is partially binary, partially Unicode, and in practice is the toughest to read with just a text editor, although you can try to guess what it is about.
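As an added example (not the author's scripts), a minimal parser for the POL format described in the last item: the file starts with the `PReg` magic and a version DWORD, followed by `[key;value;type;size;data]` records whose brackets, separators and strings are UTF-16LE. The sample file at the bottom is constructed inline; its key and value names are made up, and the `_record` helper exists only to build it.

```python
import struct

# registry.pol layout: "PReg" magic, DWORD version 1, then [key;value;type;size;data]
# records; '[', ';', ']' and the two null-terminated strings are all UTF-16LE.
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
u16 = lambda s: s.encode("utf-16-le")  # noqa: E731

def _read_utf16z(buf, pos):
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2   # text, offset just past the terminator

def _decode_data(rtype, data):
    if rtype == 4 and len(data) == 4:
        return struct.unpack("<I", data)[0]
    if rtype in (1, 2):
        return data.decode("utf-16-le").rstrip("\x00")
    if rtype == 7:
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data.hex()                                   # REG_BINARY and unknown types

def parse_registry_pol(buf):
    """Parse a registry.pol image into settings-oriented records."""
    if len(buf) < 8 or buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a version-1 registry.pol file")
    pos, entries = 8, []
    while pos < len(buf):
        if buf[pos:pos + 2] != u16("["):
            raise ValueError(f"expected '[' at offset {pos}")
        key, pos = _read_utf16z(buf, pos + 2)
        value, pos = _read_utf16z(buf, pos + 2)          # skip ';'
        rtype, _, size, _ = struct.unpack_from("<IHIH", buf, pos + 2)  # ';' type ';' size ';'
        pos += 14
        data, pos = buf[pos:pos + size], pos + size + 2  # data, then ']'
        action, name = "set", value
        if value.startswith("**Del."):   # gpsvc deletes this value; other "**" names are control records
            action, name = "delete", value[6:]
        entries.append({"key": key, "value": name, "action": action,
                        "type": REG_TYPES.get(rtype, str(rtype)), "data": _decode_data(rtype, data)})
    return entries

def _record(key, value, rtype, data):   # builds one record for the constructed sample below
    return (u16("[" + key + "\0;" + value + "\0;") + struct.pack("<I", rtype) + u16(";")
            + struct.pack("<I", len(data)) + u16(";") + data + u16("]"))
# Constructed sample file, not data from any real environment; key and value names are made up.
SAMPLE_POL = b"PReg" + struct.pack("<I", 1) + b"".join([
    _record(r"Software\Policies\ExampleVendor\Agent", "Enabled", 4, struct.pack("<I", 1)),
    _record(r"Software\Policies\ExampleVendor\Agent", "Servers", 7, u16("srv1\0srv2\0\0")),
    _record(r"Software\Policies\ExampleVendor\Agent", "**Del.LegacyPath", 1, u16(" \0")),
])
```

Running `parse_registry_pol(open("Registry.pol", "rb").read())` on a file copied from SYSVOL gives one flat record per registry setting, which is the “settings oriented” view that makes bulk review possible.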

Knowing this, one can define the forensics process as gathering and interpreting files. It does not matter if it is a live AD or just a backup or snapshot, if you are a domain admin or not, if you perform it on an AD-joined workstation or at home. If you have the files, the only things you need are knowledge of the formats and a bit of patience or computing power. As I opt for the latter, I have created a bunch of PowerShell scripts fully automating the process. Enjoy!

PS Even if you are an admin and all your GPOs are live, you are more than welcome to use the scripts provided. They will convert your GPO data from “GPO oriented” to “settings oriented”, making it easier to analyze, especially if you want to review it quickly for the whole environment at once. It’s 100% read-only (as the SYSVOL share is), so nothing can go wrong.
