Mac Address
Re: Mac Address
Posted: Mon Mar 26, 2012 9:11 am
Or from the command line type ipconfig/all?
If it is forensic, (the OP doesn't say) clone the drive, put it back in the original computer, remove any log on password, then from the command line type ipconfig/all
_________________
Forensic Control
twitter.com/WeFindData
-

Jonathan - Senior Member
Re: Mac Address
Posted: Mon Mar 26, 2012 2:25 pm
- keydet89
Asparajin,
what would you be querying with the EnScript?
Encase Enscript (LNK files querying)
Windows 7 not working
-

asparajin - Member
Re: Mac Address
Posted: Tue Mar 27, 2012 6:04 pm
- Jonathan
Or from the command line type ipconfig/all?
If it is forensic, (the OP doesn't say) clone the drive, put it back in the original computer, remove any log on password, then from the command line type ipconfig/all
I haven't tested this, but theoretically you could also take out the network card, and use another (forensically controlled) system to read the MAC address. As an aside, on many systems it's possible to spoof the MAC addresses (software- or hardware-based), something to consider in scenarios with skilled IT personnel.
Roland
-

digintel - Senior Member
Re: Mac Address
Posted: Tue Mar 27, 2012 7:48 pm
Roland,
That was actually addressed in Jonathan's response on the first page of this thread.
-

keydet89 - Senior Member
Re: Mac Address
Posted: Wed Mar 28, 2012 3:39 am
- Jonathan
Or from the command line type ipconfig/all?
If it is forensic, (the OP doesn't say) clone the drive, put it back in the original computer, remove any log on password, then from the command line type ipconfig/all
getmac is even simpler.
It could be argued that reading from the registry won't really help much. If it gives you something then it could be the address that the MAC is spoofed to.
Alternatively just Helix boot the original system and read the physical MAC using "ifconfig -a", the MAC is the HW Address.
-

hmorgan - Senior Member
Re: Mac Address
Posted: Thu Mar 29, 2012 4:54 am
- forensic1zn
What is the quickest way to locate the mac address in registry?
In addition to the suggestions already posted, you may also look for version 1 UUIDs in the registry. If the rule book is followed, they should be created from a timestamp and any of the MAC addresses present.
Version 1 UUIDs follow the pattern:
xxxxxxxx-xxxx-1xxx-xxxx-xxxxxxxxxxxx
where x is a hexadecimal digit, and the last xxxxxxxxxxxx is a MAC address. (It may be a multicast address, in which case it is assigned randomly, and thus useless for identification purposes.)
This is probably an area that could do with a little research -- when I check my own laptop (XP), I find that many keys in
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\
contain version 1 UUIDs, and when I check them out, I find that apart from one set that can be traced to vmware network connections, and another set that are multicast addresses, I get five unique MAC addresses.
One of them is from the Ethernet interface, and another from the WiFi interface. The remaining three I can't trace easily, but I suspect they may come from the PC Card and USB network devices I use from time to time. (Or perhaps they came with the installation image, as one of them is an IBM MAC, and I don't have an IBM network device that I know of.)
On a desktop system, I would expect the number of MAC addresses would be smaller.
Added: Yes -- on a Win7 desktop system, I find 10 unique MAC addresses, but 9 of them are multicast addresses and vmware virtual networks (OID: 005056). The remaining one is one of the two Realtek Ethernet interfaces. The second Realtek interface does not appear, perhaps because it has never been used.
These version 1 UUIDs also contain timestamps ... which at least would indicate a moment when that particular MAC was present.
Last edited by athulin on Thu Mar 29, 2012 11:53 am; edited 1 time in total
-

athulin - Senior Member
Re: Mac Address
Posted: Thu Mar 29, 2012 5:19 am
Athulin,
Excellent point.
When I was researching and developing code to parse Win 7 Jump Lists, I came across the UUID v1 identifiers in the TrackerData block within the SHLL-LINK streams in the Jump Lists. As a reference for parsing these, I used RFC 4122 (http://www.ietf.org/rfc/rfc4122.txt). Para 4.1.6 describes the definition of the "node" field, and what you state is timely, relevant, and accurate.
-

keydet89 - Senior Member
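Added example, not code from this thread or from any of its posters: a small Python decoder for the version 1 UUID layout that athulin's and keydet89's posts above both rely on (RFC 4122 sections 4.1.2, 4.1.4 and 4.1.6). It splits a UUID into its fields, rejects anything that is not version 1, rebuilds the 60-bit timestamp from the 1582-10-15 epoch, and flags a node whose multicast bit is set as randomly generated rather than a hardware address. The second function scans free text such as a .reg export of MountPoints2 for v1 UUIDs and groups the unicast MACs with the timestamps at which they were seen, which is the check athulin describes doing by hand. The function names, the MAC values and the sample registry export are all constructed for this example; none of them come from a real system.

```python
"""Added example: decode RFC 4122 version 1 UUIDs to recover the node (MAC) and timestamp.

Not code from the thread. Function names and the sample registry export below are
constructed for illustration; the layout follows RFC 4122 sections 4.1.2, 4.1.4 and 4.1.6.
"""
import re
from datetime import datetime, timedelta, timezone

# RFC 4122 4.1.4: the 60-bit timestamp counts 100 ns intervals since 1582-10-15 00:00 UTC.
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

_HEX = "[0-9a-fA-F]"
UUID_ANY_RE = re.compile(rf"^{_HEX}{{8}}-{_HEX}{{4}}-{_HEX}{{4}}-{_HEX}{{4}}-{_HEX}{{12}}$")
# Pre-filter for scanning text: the version nibble (first digit of the third group) must be 1.
UUID_V1_FINDER = re.compile(rf"{_HEX}{{8}}-{_HEX}{{4}}-1{_HEX}{{3}}-{_HEX}{{4}}-{_HEX}{{12}}")


def parse_uuid_v1(text):
    """Return a dict describing a version 1 UUID, or None if the text is not one."""
    s = text.strip().strip("{}").lower()
    if not UUID_ANY_RE.match(s):
        return None
    time_low, time_mid, time_hi_ver, clock_seq, node = s.split("-")
    if int(time_hi_ver[0], 16) != 1:          # version nibble
        return None
    # Reassemble the 60-bit timestamp: 12 bits from time_hi, 16 from time_mid, 32 from time_low.
    ticks = (int(time_hi_ver[1:], 16) << 48) | (int(time_mid, 16) << 32) | int(time_low, 16)
    when = UUID_EPOCH + timedelta(microseconds=ticks // 10)   # drop the sub-microsecond part
    first_octet = int(node[:2], 16)
    return {
        "node": ":".join(node[i:i + 2] for i in range(0, 12, 2)),
        # RFC 4122 4.1.6 / 4.5: a node with the multicast bit set was generated randomly,
        # so it identifies no hardware.
        "multicast": bool(first_octet & 0x01),
        "locally_administered": bool(first_octet & 0x02),
        "rfc4122_variant": (int(clock_seq[0], 16) & 0xC) == 0x8,
        "clock_seq": int(clock_seq, 16) & 0x3FFF,
        "timestamp": when,
    }


def unicast_nodes(text):
    """Scan free text (e.g. a .reg export) for v1 UUIDs; group unicast MACs with their timestamps."""
    found = {}
    for m in UUID_V1_FINDER.finditer(text):
        info = parse_uuid_v1(m.group(0))
        if info is None or info["multicast"]:
            continue
        found.setdefault(info["node"], []).append(info["timestamp"])
    return found


# Constructed sample in the style of a MountPoints2 .reg export (not data from any real system).
# Key 1: unicast node in the VMware range the thread mentions; key 2: multicast node;
# key 3: a version 4 UUID, which carries no MAC at all.
SAMPLE_REG_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cbc4c000-779f-11e1-8abc-0050561a2b3c}]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cbc4c000-779f-11e1-8abc-a7f0e1c2d3e4}]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{12345678-1234-4abc-8def-0123456789ab}]
"""

if __name__ == "__main__":
    for mac, times in unicast_nodes(SAMPLE_REG_EXPORT).items():
        print(mac, [t.isoformat() for t in times])
```

Run against the constructed export it reports only the VMware-range node, because the second key's node has the multicast bit set and the third key is a version 4 UUID. On a real export the timestamps are only as trustworthy as the generating system's clock, and, as keydet89 noted earlier in the thread, the MAC recovered this way may itself be a spoofed address, so treat it as one artifact to corroborate rather than proof of the hardware present.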