I am using EnCase Forensic v6.18 and am trying to determine exactly how many times a custodian accessed their company network as well as any wifi networks during a specific date range… Can anyone point me in the right direction as to how to obtain this information or if it is even possible to determine?
What are you examining? Logs from a WAP or a system? If you're analyzing a system, which OS and version are you examining?
I am examining a system w/ Microsoft Windows XP service pack 3.
RegRipper has a plugin named "ssid.pl" that will extract this information for you; however, it will only tell you the last time that the device was connected to the WAP. You'll have to extract the System hives from the various Restore Points to get historical information.
I actually have already used RegRipper to parse the registry files and was only able to see what networks he accessed. I need to be able to see the number of times each network was accessed between a specific date range. When you say "you'll have to extract the System hives from the various Restore Points to get historical information" do you mean simply exporting the "system" files and parsing them in RegRipper?
I actually have already used RegRipper to parse the registry files and was only able to see what networks he accessed. I need to be able to see the number of times each network was accessed between a specific date range.
Sorry, to the best of my knowledge, WinXP doesn't maintain that information.
When you say "you'll have to extract the System hives from the various Restore Points to get historical information" do you mean simply exporting the "system" files and parsing them in RegRipper?
Yes.
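An added example, not part of the thread and not RegRipper code: once the hive from each Restore Point has been parsed, the per-snapshot "last connected" values can be collapsed into distinct connection times per network inside the date range. The records, restore point labels and SSIDs below are constructed, and the count is only a lower bound, because each snapshot keeps just the most recent connection.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records, one per (snapshot, network): the restore point
# the hive came from, the SSID, and the last-connected time reported for it.
SNAPSHOTS = [
    ("RP101", "CorpNet", "2011-03-01 08:55:10"),
    ("RP101", "CoffeeShop", "2011-02-20 17:02:44"),
    ("RP102", "CorpNet", "2011-03-04 09:01:37"),
    ("RP102", "CoffeeShop", "2011-02-20 17:02:44"),  # unchanged since RP101
    ("RP103", "CorpNet", "2011-03-09 08:47:03"),
    ("RP103", "CoffeeShop", "2011-03-08 18:15:29"),
    ("current", "CorpNet", "2011-03-15 08:58:12"),
    ("current", "CoffeeShop", "2011-03-08 18:15:29"),  # unchanged since RP103
]

FMT = "%Y-%m-%d %H:%M:%S"


def distinct_connections(records, start, end):
    """Map each SSID to its sorted distinct last-connected times in [start, end]."""
    seen = defaultdict(set)
    for _source, ssid, stamp in records:
        when = datetime.strptime(stamp, FMT)
        if start <= when <= end:
            # The same timestamp carried over into later snapshots is one event.
            seen[ssid].add(when)
    return {ssid: sorted(times) for ssid, times in seen.items()}


def report(records, start, end):
    """Return (ssid, minimum_connection_count) pairs, sorted by SSID."""
    found = distinct_connections(records, start, end)
    return [(ssid, len(times)) for ssid, times in sorted(found.items())]


if __name__ == "__main__":
    lo = datetime(2011, 3, 1)
    hi = datetime(2011, 3, 31, 23, 59, 59)
    for ssid, count in report(SNAPSHOTS, lo, hi):
        print(f"{ssid}: at least {count} connection(s) between {lo} and {hi}")
```

Connections made and then superseded between two restore points leave no trace in this data, so the figure cannot be reported as an exact count.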