I'm working a case and looking at the network connections. OS is Windows 8.1 and Win 10. Within FTK, the System Information tab conveniently lists network connections, which are extracted from SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles.
If I look in ControlSet001\Services\Tcpip\Parameters\Interfaces\, I am able to see some other connections and IP info. What confuses me is that there are some MAC addresses listed in ControlSet001\Services\Tcpip\Parameters\Interfaces\ that are not listed in SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles.
I can see a MAC address under DhcpGatewayHardware in the ControlSet001\Services\Tcpip\Parameters\Interfaces\ keys. Some of those MAC addresses match the ones FTK displays in network connections, which are extracted from SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles. However, some of the MAC addresses listed in ControlSet001\Services\Tcpip\Parameters\Interfaces\ are not shown in FTK Network Connections.
Could this be because the connections may have been made while using the same network profile name?
As a follow-on to this question, I have listed all the time periods of connections from SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles… What's really throwing me for a loop is that I have web history that occurs during a time period that the system was not connected to a network (if I go by first and last connect time for each network profile).
Try looking up the MAC address device types, it may provide a clue.
Do you mean MAC address vendor search? If so, I’ve done that and was able to identify 2 devices by manufacturer and positively identify one of the connections. What’s more significant to me is that I know the computer was connected and surfing the internet during a time where, according to the NetworkList\Profiles, there was no connection profile. So how useful is the NetworkList\Profiles if it’s obviously not 100% accurate?
Are Harlan Carvey's excellent digital forensic books no help?
Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry
Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 7
Are Harlan Carvey's excellent digital forensic books no help?
It's unlikely…they don't cover this exact question.
The issue may be one of the two different plugins showing different information; that is, yes, they provide information that include MAC addresses, but you have to look at the context of each. Simply because both are MAC addresses, doesn't make them the same information.
"What's really throwing me for a loop is that I have web history that occurs during a time period that the system was not connected to a network (if I go by first and last connect time for each network profile)."
It might help to have a bit more information; specifically, the plugin will provide information from the Registry regarding first and last connected times, but there may be times in between those during which the system was connected. That is to say, 'first' and 'last' may not constitute 'only'.
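Not from the thread: an added Python example of the correlation the reply above is getting at. It decodes the DateCreated / DateLastConnected values under NetworkList\Profiles\{GUID} (16-byte SYSTEMTIME blobs) and flags which browser-history visits fall outside every profile's first-to-last window. The profile names, timestamps and visit times are constructed sample data, not from the case.

```python
import struct
from datetime import datetime


def parse_systemtime(blob: bytes) -> datetime:
    """Decode a 16-byte REG_BINARY SYSTEMTIME (8 little-endian uint16 fields:
    year, month, day-of-week, day, hour, minute, second, millisecond)."""
    if len(blob) != 16:
        raise ValueError("SYSTEMTIME must be exactly 16 bytes")
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", blob)
    return datetime(year, month, day, hour, minute, second, ms * 1000)


def make_systemtime(dt: datetime) -> bytes:
    """Encode a datetime as SYSTEMTIME; used here only to build sample hive data."""
    return struct.pack("<8H", dt.year, dt.month, dt.isoweekday() % 7, dt.day,
                       dt.hour, dt.minute, dt.second, dt.microsecond // 1000)


# Constructed sample of two NetworkList\Profiles\{GUID} entries:
# ProfileName -> (DateCreated blob, DateLastConnected blob).
SAMPLE_PROFILES = {
    "HomeWiFi":   (make_systemtime(datetime(2017, 3, 1, 8, 0)),
                   make_systemtime(datetime(2017, 3, 5, 22, 30))),
    "CoffeeShop": (make_systemtime(datetime(2017, 3, 7, 9, 15)),
                   make_systemtime(datetime(2017, 3, 7, 11, 45))),
}

# Constructed sample of browser-history visit times to correlate.
SAMPLE_VISITS = [
    datetime(2017, 3, 3, 14, 0),   # inside HomeWiFi's window
    datetime(2017, 3, 6, 10, 0),   # between profiles: no profile covers it
    datetime(2017, 3, 7, 10, 0),   # inside CoffeeShop's window
]


def profile_windows(profiles):
    """Return [(name, first_connect, last_connect)] decoded from the blobs."""
    return [(name, parse_systemtime(c), parse_systemtime(l))
            for name, (c, l) in profiles.items()]


def correlate_visits(profiles, visits):
    """Map each visit time to the profile names whose first..last span covers it.
    An empty list means no NetworkList profile accounts for that visit; that is
    a gap to explain from other sources (Tcpip\\Parameters\\Interfaces, hives
    from VSCs), not proof the host was offline."""
    windows = profile_windows(profiles)
    return {v: [n for n, first, last in windows if first <= v <= last]
            for v in visits}


if __name__ == "__main__":
    for visit, names in correlate_visits(SAMPLE_PROFILES, SAMPLE_VISITS).items():
        print(visit, "->", names or "NO PROFILE COVERS THIS VISIT")
```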
You are correct, his books don’t specifically answer my question.
I’m using FTK 6.3, so whatever methodology AccessData uses to extract the registry info for the network profiles is what is displayed in the “System Information” tab for the case. If I extract the registry and navigate to tcpip\parameters\interfaces, I see some clues of IP addresses assigned, gateway, DNS and gateway MAC. And some of the ones listed here are not listed in Networklist\profiles (which is where FTK pulls the data from).
Maybe it’s possible the machine was connected to a different network but the profile did not change? Meaning Windows didn’t pop up that GUI screen asking about setting up the network connection? Or the user cancelled it... I know I’ve cancelled it sometimes if I don’t have to change any TCP/IP setting. I may have to test this out in the lab to prove this theory.
It might help to have a bit more information; specifically, the plugin will provide information from the Registry regarding first and last connected times, but there may be times in between those during which the system was connected. That is to say, 'first' and 'last' may not constitute 'only'.
"plugins" Could be, might be… Always worth a try… hmmm..
Are you referring to plugins in regripper or some other tool?
An option to get historical information might be VSCs…just sayin'…export the hives, run the RegRipper plugins against each of them…
Thanks that is what I plan to do tomorrow. Hopefully I'll find something fruitful. I also plan to test connecting a machine to 2 different networks without changing the network profile to see how that records in the registry.