System logs

(@ebmetric)
Posts: 10
Active Member
Topic starter
 

Hi there,

This is the first time I have encountered a case where I need to find information on a PC (Windows 10) about a network drive that was connected, which is why I have a few questions for more experienced forum members.
1) Are there on Windows 10 some kind of system logs (evtx) or any information regarding access to a shared network drive?
2) Where could I search for configuration information about the network drive?
3) What else can I find out about the network drive?

At this point I have checked out application.evtx, system.evtx and "../drivers/etc/hosts".

I have a dd image and lots of time to learn something new. :)

Thank you in advance for your time.

 
Posted : 09/03/2019 6:05 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

At this point I have checked out application.evtx, system.evtx and "../drivers/etc/hosts".

I would check the Registry.
Knowing how the good MS guys like to reuse code, it is likely that everything (or almost anything) valid in XP and in 7 is still valid in 10.
Like
https://social.technet.microsoft.com/Forums/windows/en-US/0c44732e-60dd-4ddd-a19f-c5772cdfd54e/map-network-drive-registry-path?forum=w7itprovirt
https://superuser.com/questions/1105292/backup-mapped-drive-paths
https://superuser.com/questions/885754/where-does-windows-store-network-drive-mappings
http://www.bloggingforlogging.com/2018/11/22/windows-mapped-drives-what-the-hell-is-going-on/

Also (though not necessarily a password has been saved locally)
http://www.nirsoft.net/utils/network_password_recovery.html

jaclaz

 
Posted : 10/03/2019 4:17 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

….about network drive that was connected…

1) Are there on Windows 10 some kind of system logs (evtx) or any information regarding access to a shared network drive?
2) Where could I search for configuration information about the network drive?
3) What else can I find out about the network drive?

Are you referring to a network drive available on the system, or a network drive to which a user on the system connected?

If the network drive is on the system, that's in the Registry. Since you have the image of the system, run the RegRipper 'shares.pl' plugin against the System hive.

If you're looking for information on shares to which a user on the system connected, I'd start by looking to the shellbags artifacts.

HTH

 
Posted : 19/03/2019 10:39 am
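
Added example (not part of any post in this thread, and not RegRipper code): one way to follow up on the "check the Registry" advice for shares a user connected to, by pulling mapped-drive artifacts out of a text export of that user's NTUSER.DAT. The thread does not name the keys; `Network\<letter>` and `Explorer\MountPoints2` are the per-user locations used here, and the hive name `IMG`, the host names and the account are constructed sample values.

```python
import re

# Constructed sample: .reg-style text export of a user's NTUSER.DAT from the
# image, loaded under the hypothetical name HKEY_USERS\IMG. All values made up.
SAMPLE_EXPORT = r'''
[HKEY_USERS\IMG\Network\Z]
"RemotePath"="\\\\fileserver01\\projects"
"UserName"="CORP\\jdoe"

[HKEY_USERS\IMG\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##fileserver01#projects]

[HKEY_USERS\IMG\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##nas02#backup]

[HKEY_USERS\IMG\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5f3c1a2e-0000-0000-0000-000000000000}]
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # REG_SZ values only
MP2 = '\\explorer\\mountpoints2\\'

def parse_export(text):
    """Return {key_path: {value_name: string}} from a .reg-style export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            current = keys.setdefault(m.group(1), {})
        elif (m := VAL_RE.match(line)) and current is not None:
            # Exports escape backslashes and quotes; undo that.
            current[m.group(1)] = re.sub(r'\\(.)', r'\1', m.group(2))
    return keys

def network_drive_artifacts(keys):
    """Return (persistent drive mappings, UNC paths recorded by Explorer)."""
    mapped, seen = [], set()
    for path, values in keys.items():
        parts = path.split('\\')
        if len(parts) >= 2 and parts[-2].lower() == 'network' and 'RemotePath' in values:
            # Network\<letter>: a mapping set to reconnect at logon
            mapped.append((parts[-1] + ':', values['RemotePath'], values.get('UserName', '')))
        elif MP2 in path.lower() and parts[-1].startswith('##'):
            # MountPoints2 records \\server\share as ##server#share
            seen.add('\\\\' + parts[-1][2:].replace('#', '\\'))
    return sorted(mapped), sorted(seen)

if __name__ == '__main__':
    print(network_drive_artifacts(parse_export(SAMPLE_EXPORT)))
```

A UNC path that appears under MountPoints2 but not under `Network` points to a share that was browsed or mapped without the reconnect option; the last-write times of those keys, which a text export does not carry, have to be read from the hive itself.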