Hi there,
This is the first time I have encountered a case where I need to find information on a PC (Windows 10) about a network drive that was connected, which is why I have a few questions for more experienced forum members.
1) Are there some kind of system logs (evtx) on Windows 10, or any information regarding access to a shared network drive?
2) Where could I search for configuration information about the network drive?
3) What else can I find out about the network drive?
At this point I have checked application.evtx, system.evtx and "../drivers/etc/hosts".
I have a dd image and lots of time to learn something new. :)
Thank you in advance for your time.
At this point I have checked application.evtx, system.evtx and "../drivers/etc/hosts".
I would check the Registry.
Knowing how the good MS guys like to reuse code, it is likely that everything (or almost anything) valid in XP and in 7 is still valid in 10.
Like
https://
https://
https://
http//
Also (though not necessarily a password has been saved locally)
http//
jaclaz
….about network drive that was connected…
1) Are there some kind of system logs (evtx) on Windows 10, or any information regarding access to a shared network drive?
2) Where could I search for configuration information about the network drive?
3) What else can I find out about the network drive?
Are you referring to a network drive available on the system, or a network drive to which a user on the system connected?
If the network drive is on the system, that's in the Registry. Since you have the image of the system, run the RegRipper 'shares.pl' plugin against the System hive.
If you're looking for information on shares to which a user on the system connected, I'd start by looking to the shellbags artifacts.
HTH
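
The last reply points at the System hive for shares hosted on the examined machine. As an added example (not part of the thread and not RegRipper code), the Python below decodes one share definition once its raw value data has been exported from the hive. It assumes the usual layout in which each share is a REG_MULTI_SZ value of "Key=Value" strings under Services\LanmanServer\Shares; the function names and the sample bytes are constructed for illustration.

```python
# Added example: decode one share definition exported from a SYSTEM hive.
# Assumption: values under ControlSet00x\Services\LanmanServer\Shares are
# REG_MULTI_SZ data, i.e. UTF-16LE "Key=Value" strings separated by NULs.

SHARE_TYPES = {0: "disk", 1: "print queue", 2: "device", 3: "IPC"}
UNLIMITED = 0xFFFFFFFF  # MaxUses value meaning "no connection limit"


def decode_multi_sz(raw: bytes) -> list:
    """Split raw REG_MULTI_SZ bytes into a list of strings."""
    if len(raw) % 2:          # carved or truncated data may lose a byte
        raw = raw[:-1]
    text = raw.decode("utf-16-le", errors="replace")
    return [s for s in text.split("\x00") if s]


def parse_share(value_name: str, raw: bytes) -> dict:
    """Turn one share value into a dict an examiner can report on."""
    fields, unparsed = {}, []
    for entry in decode_multi_sz(raw):
        key, sep, value = entry.partition("=")
        if sep:
            fields[key] = value
        else:
            unparsed.append(entry)  # keep anything that is not Key=Value
    share = {"value_name": value_name, "path": fields.get("Path"),
             "remark": fields.get("Remark", ""), "unparsed": unparsed}
    if fields.get("Type", "").isdigit():
        share["type"] = SHARE_TYPES.get(int(fields["Type"]) & 0xFF, "unknown")
    if fields.get("MaxUses", "").isdigit():
        uses = int(fields["MaxUses"])
        share["max_uses"] = "unlimited" if uses == UNLIMITED else uses
    return share


# Constructed sample value (not taken from any real system).
SAMPLE = "\x00".join([
    "CSCFlags=0", "MaxUses=4294967295", "Path=D:\\Projects", "Permissions=0",
    "Remark=Team files", "ShareName=Projects", "Type=0",
]).encode("utf-16-le") + b"\x00\x00\x00\x00"

if __name__ == "__main__":
    for k, v in parse_share("Projects", SAMPLE).items():
        print(f"{k}: {v}")
```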