
Mac Address

(@forensic1zn)
Posts: 22
Eminent Member
Topic starter
 

Hi Guys,

What is the quickest way to locate the mac address in registry?

 
Posted : 26/03/2012 9:58 am
nightworker
(@nightworker)
Posts: 134
Estimable Member
 

The best way that I know: mount the image with VFC 2 and look up the MAC address.

 
Posted : 26/03/2012 12:18 pm
(@jonathan)
Posts: 878
Prominent Member
 

Hi Guys,

What is the quickest way to locate the mac address in registry?

Googling "registry mac address", the first entry states where it is: http://www.windowsreference.com/networking/how-to-change-mac-address-in-windows-registry/

 
Posted : 26/03/2012 12:42 pm
nightworker
(@nightworker)
Posts: 134
Estimable Member
 

Jonathan, in Windows 7 there is no network address section, and the EnCase link-to-MAC script didn't work in Windows 7 either. I am working on it.

 
Posted : 26/03/2012 1:50 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Windows doesn't store the NIC MAC address in the Registry by default. If you fire up an acquired image in a VM, you'll get the MAC address of the VM interface.

The link to changing the MAC address does just that…changes it.

However, pp. 186-187 of "Windows Forensic Analysis 2/e" covers other places within the Registry that you *might* find the MAC address.

Depending upon the version of Windows you're referring to, you may find the MAC address in Windows shortcuts, or (on Windows 7) within the TrackerData block in the LNK streams within automaticDestinations Jump Lists.

HTH.

 
Posted : 26/03/2012 3:10 pm
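The TrackerData location mentioned in the post above, as an added example that is not part of the original thread or any poster's code: it carves TrackerDataBlocks out of raw LNK or Jump List bytes and reads the node field of the file object IDs. It assumes the fixed 0x60-byte layout from MS-SHLLINK and that the object IDs are version 1 UUIDs; the function names and the sample bytes (machine name `examplepc`, MAC `00:11:22:33:44:55`) are constructed for illustration.

```python
import struct
import uuid

# Fixed TrackerDataBlock header per MS-SHLLINK: BlockSize=0x60,
# BlockSignature=0xA0000003, Length=0x58, Version=0 (little-endian).
TRACKER_HEADER = struct.pack("<IIII", 0x60, 0xA0000003, 0x58, 0)


def format_mac(node):
    """Render a 48-bit UUID node value as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in node.to_bytes(6, "big"))


def find_tracker_blocks(data):
    """Carve TrackerDataBlocks out of raw LNK or Jump List bytes."""
    results = []
    pos = data.find(TRACKER_HEADER)
    while pos != -1:
        block = data[pos:pos + 0x60]
        if len(block) == 0x60:
            machine = block[16:32].split(b"\x00", 1)[0].decode("ascii", "replace")
            # Droid = VolumeID + FileID at 32; DroidBirth pair starts at 64.
            for label, off in (("droid", 48), ("droid_birth", 80)):
                oid = uuid.UUID(bytes_le=block[off:off + 16])
                if oid.version != 1:
                    continue  # only version 1 object IDs embed a node
                # Multicast bit set means a random node, not a NIC address.
                random_node = bool((oid.node >> 40) & 0x01)
                results.append({"offset": pos, "machine_id": machine,
                                "source": label, "mac": format_mac(oid.node),
                                "random_node": random_node})
        pos = data.find(TRACKER_HEADER, pos + 1)
    return results


def build_sample():
    """Constructed test data: one TrackerDataBlock inside filler bytes."""
    # Version 1 UUID whose node is the constructed MAC 00:11:22:33:44:55.
    file_id = uuid.UUID(fields=(0x12345678, 0x9ABC, 0x11E1, 0x80, 0x01, 0x001122334455))
    volume_id = uuid.UUID(int=0)  # not version 1, so it is skipped
    droid = volume_id.bytes_le + file_id.bytes_le
    machine = b"examplepc".ljust(16, b"\x00")
    return b"\xAA" * 37 + TRACKER_HEADER + machine + droid + droid + b"\xBB" * 5


if __name__ == "__main__":
    for hit in find_tracker_blocks(build_sample()):
        print(hit)
```

Carving raw bytes can miss blocks in Jump Lists when a stream is fragmented across compound-file sectors, and the address recovered is that of the system where the object ID was generated.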
asparajin
(@asparajin)
Posts: 24
Eminent Member
 

Here you can learn EnScript to obtain the MAC address of a non-running machine (http://www.forensickb.com)
Versions that support Windows 2000/XP/Vista

 
Posted : 26/03/2012 3:26 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Asparajin,

what would you be querying with the EnScript?

 
Posted : 26/03/2012 5:23 pm
(@jonathan)
Posts: 878
Prominent Member
 

Or from the command line type ipconfig/all?

If it is forensic, (the OP doesn't say) clone the drive, put it back in the original computer, remove any log on password, then from the command line type ipconfig/all

 
Posted : 26/03/2012 8:11 pm
asparajin
(@asparajin)
Posts: 24
Eminent Member
 

Asparajin,

what would you be querying with the EnScript?

EnCase EnScript (LNK files querying)

Windows 7 not working :(

 
Posted : 27/03/2012 1:25 am
digintel
(@digintel)
Posts: 51
Trusted Member
 

Or from the command line type ipconfig/all?

If it is forensic, (the OP doesn't say) clone the drive, put it back in the original computer, remove any log on password, then from the command line type ipconfig/all

I haven't tested this, but theoretically you could also take out the network card, and use another (forensically controlled) system to read the MAC address. As an aside, on many systems it's possible to spoof the MAC addresses (software- or hardware-based), something to consider in scenarios with skilled IT personnel.

Roland

 
Posted : 28/03/2012 5:04 am