Determining if a computer has been on any network

24 Posts
8 Users
0 Reactions
1,526 Views
(@shanex)
Active Member
Joined: 17 years ago
Posts: 8
Topic starter  

Hello all,

Here is a problem I'm trying to solve. Suppose someone sat you down at a PC (running windows xp professional, sp2) and asked you the following simple question: has this PC ever been connected to any computer network?

The challenge is not necessarily to identify which networks, just a yes/no as to whether the PC has ever been on some network.

Also, please assume that nobody has been trying to hide their tracks on this PC by deleting logs or caches or events etc. It's not a crime I'm trying to solve here, just a theoretical question. So nothing has been deleted or cleaned from the PC.

In theory this sounds easy, but can it be proved rigorously?

Obviously, the first step would be to examine Internet Explorer histories, temp files etc, but suppose they were all empty. What then? As far as I can see XP does not by default store a history of IPs a PC has been assigned or a log of established connections.

Here are some ideas I had

1) If windows firewall logging was on, it would tell you about network connections, but if this logging was off (which it is by default), you're out of luck

2) if "ipconfig /all" simply output "Windows IP Configuration" would this prove the PC has never been on a network?

3) If there were no tcpip/browser/LAN source events in the event viewer, would this prove the PC has never been on a network?

Any other ideas?

Thanks for any help !


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Obviously, the first step would be to examine Internet Explorer histories, temp files etc, but suppose they were all empty. What then? As far as I can see XP does not by default store a history of IPs a PC has been assigned or a log of established connections.

That isn't the first place I'd start…the question wasn't if the user had ever used IE or surfed the web, but whether or not the system had ever been connected to a network. While Windows does not necessarily maintain a history of IPs used, and definitely doesn't maintain a history of established connections, there are a great number of places you can look for information pertaining to any sort of network connection.

Personally, I would start with some detailed Registry analysis, looking at specific keys and values, as well as key LastWrite times, in order to determine if some keys had been modified, such as their values deleted. As the system is XP, I would also do the same check through every available restore point. I would then check the contents of the Prefetch directory for files that contained information about network applications that may have been run.

1) If windows firewall logging was on, it would tell you about network connections, but if this logging was off (which it is by default), you're out of luck

There's no real logging by default, but yes, if the user had configured the firewall appropriately, and you saw logs indicating that connections had been dropped, etc., then that would be an indicator that the system had been on the network.

2) if "ipconfig /all" simply output "Windows IP Configuration" would this prove the PC has never been on a network?

No.

3) If there were no tcpip/browser/LAN source events in the event viewer, would this prove the PC has never been on a network?

I'm not sure what kind of events you're expecting to be found in the Event Logs…I have systems on my network all the time, and they don't have any events that include this sort of information necessarily.

HTH,

h


   
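Added example for the Prefetch check mentioned in the reply above (this is editor-added code, not keydet89's and not from the thread). It reads each .pf file header using the Windows XP Prefetch layout (format version 17): "SCCA" signature at offset 4, executable name as UTF-16LE at offset 0x10, last-run FILETIME at offset 0x78 and run count at offset 0x90. The NETWORK_EXES set is my own assumption about which programs imply network use, and the files written by build_sample_prefetch are constructed test data, not real captures.

```python
"""Triage an XP Prefetch directory: what ran, when last, how often, and whether it implies network use."""
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

XP_PREFETCH_VERSION = 17                    # format version at offset 0 on XP / Server 2003
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumption: executables whose presence in Prefetch suggests the box talked to a network.
NETWORK_EXES = {"NET.EXE", "NET1.EXE", "PING.EXE", "TRACERT.EXE", "NETSTAT.EXE", "NBTSTAT.EXE",
                "FTP.EXE", "TELNET.EXE", "MSTSC.EXE", "IEXPLORE.EXE", "OUTLOOK.EXE", "WUAUCLT.EXE"}


def filetime_to_datetime(ft):
    """FILETIME (100 ns intervals since 1601-01-01 UTC) to an aware datetime."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - WINDOWS_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_xp_prefetch(data):
    """Return the header fields of one XP (version 17) Prefetch file."""
    if len(data) < 0x94 or data[4:8] != b"SCCA":
        raise ValueError("not a Prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version != XP_PREFETCH_VERSION:
        raise ValueError("unsupported Prefetch version %d" % version)
    exe = data[0x10:0x10 + 60].decode("utf-16-le", errors="ignore").split("\x00", 1)[0]
    last_run = struct.unpack_from("<Q", data, 0x78)[0]
    run_count = struct.unpack_from("<I", data, 0x90)[0]
    return {
        "exe": exe,
        "last_run": filetime_to_datetime(last_run) if last_run else None,
        "run_count": run_count,
        "network_related": exe.upper() in NETWORK_EXES,
    }


def triage_prefetch_dir(path):
    """Parse every *.pf under path (a copy of C:\\WINDOWS\\Prefetch); skip files that are not XP Prefetch."""
    rows = []
    for pf in sorted(Path(path).glob("*.pf")):
        try:
            rows.append(parse_xp_prefetch(pf.read_bytes()))
        except ValueError:
            continue
    return rows


def build_sample_prefetch(exe, last_run, run_count):
    """Constructed test data: a minimal XP Prefetch header, not a real capture."""
    buf = bytearray(0x94)
    struct.pack_into("<I", buf, 0, XP_PREFETCH_VERSION)
    buf[4:8] = b"SCCA"
    name = exe.encode("utf-16-le")[:58]         # 60-byte field, keep room for the terminator
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<Q", buf, 0x78, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 0x90, run_count)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    import tempfile
    if len(sys.argv) > 1:
        target = sys.argv[1]                     # e.g. an exported copy of C:\WINDOWS\Prefetch
    else:                                        # no argument: demonstrate on constructed files
        target = tempfile.mkdtemp()
        when = datetime(2008, 3, 1, 12, 0, tzinfo=timezone.utc)
        for exe, runs in (("PING.EXE", 3), ("NOTEPAD.EXE", 12), ("NET.EXE", 1)):
            Path(target, exe + "-DEADBEEF.pf").write_bytes(build_sample_prefetch(exe, when, runs))
    for row in triage_prefetch_dir(target):
        flag = "NETWORK" if row["network_related"] else ""
        print("%-16s runs=%-3d last=%s %s" % (row["exe"], row["run_count"], row["last_run"], flag))
```

Run it against a copied Prefetch directory; with no argument it demonstrates on the constructed files. A hit such as PING.EXE or NET.EXE with a run count and last-run time is the kind of "network application that may have been run" the reply refers to; an empty or absent Prefetch directory proves nothing by itself, since prefetching can be disabled.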
(@shanex)
Active Member
Joined: 17 years ago
Posts: 8
Topic starter  

That isn't the first place I'd start…the question wasn't if the user had ever used IE or surfed the web, but whether or not the system had ever been connected to a network. While Windows does not necessarily maintain a history of IPs used, and definitely doesn't maintain a history of established connections, there are a great number of places you can look for information pertaining to any sort of network connection.

Thanks very much for your help. Yes, absolutely, IE is not what this question is about at all.

Personally, I would start with some detailed Registry analysis, looking at specific keys and values, as well as key LastWrite times, in order to determine if some keys had been modified, such as their values deleted. As the system is XP, I would also do the same check through every available restore point. I would then check the contents of the Prefetch directory for files that contained information about network applications that may have been run.

Great, thanks. Unfortunately I'm not familiar with which reg keys I'd need to check, nor am I familiar with the Prefetch directory. Could you point me to any relevant resources where I could study up on these ideas? That would be great.

I'm not sure what kind of events you're expecting to be found in the Event Logs…I have systems on my network all the time, and they don't have any events that include this sort of information necessarily.

I was just experimenting around, and it seemed that anytime I connected to a network a "tcpip" event was written here. Are there situations where this is not the case?

Many thanks again !


   
(@tmcompfor)
New Member
Joined: 19 years ago
Posts: 1
 


You can take a look at some registry keys

SYSTEM\ControlSetXXX\Services\TCPIP\Parameters

(XXX denotes the control set the computer is using 001 or 002)
This will show TCPIP info including default gateway

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

This will show mapped network drives


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Great, thanks. Unfortunately I'm not familiar with which reg keys I'd need to check, nor am I familiar with the Prefetch directory. Could you point me to any relevant resources where I could study up on these ideas? That would be great.

You might want to check out the book, "Windows Forensic Analysis".

I was just experimenting around, and it seemed that anytime I connected to a network a "tcpip" event was written here. Are there situations where this is not the case?

It all depends on what's being audited, via the audit configuration. For example, logons are only recorded in the Security Event Log if the necessary auditing is enabled.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

You can take a look at some registry keys

SYSTEM\ControlSetXXX\Services\TCPIP\Parameters

(XXX denotes the control set the computer is using 001 or 002)
This will show TCPIP info including default gateway

This is one of the keys to check…but the ControlSet marked current is found in the Select key (see the "Current" value) within the System hive file. I've seen systems that had neither 001 nor 002, but instead had 003, 004, and 005.

The full path you're interested in will be
HKLM\SYSTEM\ControlSet00n\Services\Tcpip\Parameters\Interfaces

Beneath this key, you will see various GUID subkeys that represent the various network interfaces available (albeit not all are used) on the system.

To see the active network interfaces, go to
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

Each of the numbered subkeys will contain a Description and ServiceName value.

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

This will show mapped network drives

Another good key to check, particularly in corporate network environments.


   
(@jdement)
Active Member
Joined: 17 years ago
Posts: 8
 

I believe the reg key…

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions

…would also give a clue as to whether it had ever been connected to a network.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

calimelo…

Okay, go with that…what about a memory dump? How would you obtain the memory dump, what would you look for and what tools would you use to look for those items?

h


   
(@shanex)
Active Member
Joined: 17 years ago
Posts: 8
Topic starter  

Ok, so how about this scenario. Assuming the following 3 statements are known to be true

1) The only wireless utility ever on the PC was the windows zero config.
2) Under WZCSVC\Parameters\Interfaces none of the GUID keys have any static#000n entries.
3) Nobody (or program) has ever deleted/changed anything in the registry

(windows xp professional, SP2)

Could one then definitively say this PC has never been on a wireless network?

Thanks!


   
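Added example for the WZCSVC check in the post above (editor-added code, not from the thread). The static#000n values under HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{GUID} are REG_BINARY WZC_WLAN_CONFIG structures; the script decodes the fields I am confident of, the BSSID at offset 0x08 and the NDIS_802_11_SSID (length at 0x10, up to 32 bytes at 0x14), and leaves the rest raw. It takes the value bytes however you extracted them (hive parser or `hex:` data from a .reg export). The blobs built by build_sample_config are constructed test data.

```python
"""Decode Wireless Zero Configuration profiles (static#000n / ActiveSettings values)."""
import re
import struct

BSSID_OFFSET = 0x08       # NDIS_802_11_MAC_ADDRESS, 6 bytes
SSID_LEN_OFFSET = 0x10    # NDIS_802_11_SSID.SsidLength
SSID_OFFSET = 0x14        # NDIS_802_11_SSID.Ssid, up to 32 bytes
STATIC_RE = re.compile(r"^static#(\d+)$", re.IGNORECASE)


def decode_wzc_config(blob):
    """Return the recoverable fields of one WZC_WLAN_CONFIG value."""
    if len(blob) < SSID_OFFSET + 32:
        raise ValueError("value too short for a WZC_WLAN_CONFIG")
    length, ctl_flags = struct.unpack_from("<II", blob, 0)         # struct size, dwCtlFlags (left raw)
    bssid = ":".join("%02x" % b for b in blob[BSSID_OFFSET:BSSID_OFFSET + 6])
    ssid_len = struct.unpack_from("<I", blob, SSID_LEN_OFFSET)[0]
    if ssid_len > 32:
        raise ValueError("SSID length %d out of range" % ssid_len)
    ssid = blob[SSID_OFFSET:SSID_OFFSET + ssid_len].decode("latin-1")
    return {"length": length, "ctl_flags": ctl_flags, "bssid": bssid, "ssid": ssid}


def wireless_evidence(values):
    """values: {value name: bytes} for one {GUID} key under WZCSVC\\Parameters\\Interfaces."""
    profiles = []
    for name, blob in values.items():
        m = STATIC_RE.match(name)
        if m:
            entry = decode_wzc_config(blob)
            entry["index"] = int(m.group(1))
            profiles.append(entry)
    profiles.sort(key=lambda e: e["index"])                        # static#0000 is the preferred network
    active = decode_wzc_config(values["ActiveSettings"]) if "ActiveSettings" in values else None
    return {"profiles": profiles, "active": active, "ever_on_wireless": bool(profiles)}


def build_sample_config(ssid, bssid, ctl_flags=0):
    """Constructed test data in the WZC_WLAN_CONFIG layout, not a captured value."""
    blob = bytearray(0x60)
    struct.pack_into("<II", blob, 0, len(blob), ctl_flags)
    blob[BSSID_OFFSET:BSSID_OFFSET + 6] = bytes.fromhex(bssid.replace(":", ""))
    raw = ssid.encode("latin-1")
    struct.pack_into("<I", blob, SSID_LEN_OFFSET, len(raw))
    blob[SSID_OFFSET:SSID_OFFSET + len(raw)] = raw
    return bytes(blob)


if __name__ == "__main__":
    sample_key = {                                                 # constructed contents of one GUID key
        "static#0001": build_sample_config("HomeNet", "00:1a:2b:3c:4d:5e"),
        "static#0000": build_sample_config("CoffeeShop", "00:1f:33:aa:bb:cc"),
        "ActiveSettings": build_sample_config("HomeNet", "00:1a:2b:3c:4d:5e"),
    }
    result = wireless_evidence(sample_key)
    for p in result["profiles"]:
        print("static#%04d  SSID=%-20s BSSID=%s" % (p["index"], p["ssid"], p["bssid"]))
    print("ever on wireless:", result["ever_on_wireless"])
```

The blob itself carries no timestamp; pair each profile with the LastWrite time of its {GUID} key to say when the last change happened. An empty Interfaces key answers the post's question only under its own assumption that nothing was ever deleted.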
(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 


If nothing has changed anything in the registry (are we talking from the OS last install date?) then I suggest the computer has not been used since the last OS install date, let alone been on any networks. Have you checked unallocated space or for hidden partitions, etc?

Are these scenarios for college projects?


   
Page 1 / 3