Determining if a computer has been on any network

24 Posts
8 Users
0 Reactions
1,528 Views
(@shanex)
Active Member
Joined: 17 years ago
Posts: 8
Topic starter  

Hi Jonathan,

No this is certainly not for a college project. How I wish I was still in college 😉

I see your point! When I said that the registry has never been changed, I meant that these particular (Windows Wireless Zero Config) keys had never been changed in any way or deleted. So that is the supposition I intended.

Sorry for the confusion.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Assuming the following 3 statements are known to be true

1) The only wireless utility ever on the PC was the windows zero config.
2) Under WZCSVC\Parameters\Interfaces none of the GUID keys have any static#000n entries.
3) Nobody (or program) has ever deleted/changed anything in the registry

(windows xp professional, SP2)

Could one then definitively say this PC has never been on a wireless network?

I usually try to not be so absolute in my statements, but with a few other things, such as "No Prefetch files that indicate the use of a wireless configuration utility" and "No Registry entries in other hives that indicate that wireless configuration software was installed or used", one could say that there are no indications that the system had been connected to a wireless network.


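As an added example (not code from this thread, and not the python-registry project's own), a scan of an offline XP SYSTEM hive for the second statement above: it lists every adapter GUID under WZCSVC\Parameters\Interfaces with its LastWrite time and any Static#000n entries, reading the ControlSet that Select\Current points at rather than a hard-coded one. It assumes the python-registry library (import name Registry) for real hives; the FakeKey/FakeValue classes and the sample data are constructed stand-ins so the logic runs without a hive.

```python
import re
from datetime import datetime

# Stored WLAN profiles appear as Static#0000, Static#0001, ... under each adapter GUID.
STATIC_RE = re.compile(r"^Static#\d{4}$", re.IGNORECASE)
WZC_SUBPATH = r"Services\WZCSVC\Parameters\Interfaces"

def scan_interfaces(interfaces_key):
    """One dict per adapter GUID subkey: name, LastWrite time and the
    Static#nnnn value names present (an empty list means no stored profile)."""
    report = []
    for guid_key in interfaces_key.subkeys():
        names = [v.name() for v in guid_key.values()]
        report.append({
            "guid": guid_key.name(),
            "last_write": guid_key.timestamp(),
            "static_entries": sorted(n for n in names if STATIC_RE.match(n)),
        })
    return report

def has_wlan_profiles(report):
    """True if any adapter key holds at least one Static#nnnn entry."""
    return any(r["static_entries"] for r in report)

def scan_hive(path):
    """Open a real SYSTEM hive with python-registry (assumed installed) and
    scan the ControlSet that Select\\Current points at, not a hard-coded one."""
    from Registry import Registry
    reg = Registry.Registry(path)
    current = reg.open("Select").value("Current").value()
    return scan_interfaces(reg.open(f"ControlSet{current:03d}\\{WZC_SUBPATH}"))

class FakeKey:
    """Constructed stand-in for python-registry's RegistryKey (and FakeValue
    below for RegistryValue), exposing only the methods the scan uses."""
    def __init__(self, name, ts, values=(), subkeys=()):
        self._name, self._ts, self._values, self._subs = name, ts, values, subkeys
    def name(self): return self._name
    def timestamp(self): return self._ts
    def subkeys(self): return list(self._subs)
    def values(self): return [FakeValue(n) for n in self._values]

class FakeValue:
    def __init__(self, name): self._name = name
    def name(self): return self._name

# Constructed sample: one adapter with a stored profile, one without.
SAMPLE = FakeKey("Interfaces", datetime(2005, 3, 1), subkeys=[
    FakeKey("{AAAA-1111}", datetime(2007, 5, 9), values=["ActiveSettings", "Static#0000"]),
    FakeKey("{BBBB-2222}", datetime(2005, 3, 1), values=["ActiveSettings"]),
])
```

Run scan_hive("SYSTEM") against an exported hive and pass the result to has_wlan_profiles; an empty static_entries list for every GUID is the "no stored profile" condition the thread discusses, while the LastWrite times tell you when each adapter key was last touched.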
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

Just a quick thought …

Just because a network card has been configured, doesn't mean that it has been plugged in, and even if it has been attached to a cable, if it has been configured wrong it doesn't mean that it will work and any traffic will flow up the TCP stack …


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Just because a network card has been configured, doesn't mean that it has been plugged in, and even if it has been attached to a cable, if it has been configured wrong it doesn't mean that it will work and any traffic will flow up the TCP stack …

Good thought…now, what would be the artifacts of this?


azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

Heh … Didn't think that far …

I've been thinking along the lines of the ARP table - but I'm not sure if/where it persists on the disk - without a connection to the network this would be empty as no ARP requests would have been made/received. I suspect that this would definitely be available in the memory dump should one have been done though … Although - again - it only would show the current state, and you can dump the ARP table. Therefore an empty ARP table wouldn't be proof that it hadn't been connected, however one or more entries would be proof that it had - and also to what.

I suspect that there would be some errors in the logs as well, which said something like "Couldn't get DHCP address" or the like. "Cable not Connected" also possibly ?


(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

Just because a network card has been configured, doesn't mean that it has been plugged in, and even if it has been attached to a cable, if it has been configured wrong it doesn't mean that it will work and any traffic will flow up the TCP stack …

Good thought…now, what would be the artifacts of this?

If it had attempted to connect to a network but failed perhaps errors show in system event logs? If the network interface hadn't been attached to the computer in question then there would be no entry for it in the hardware devices list… these are both guesses and would need testing. Difficult though while I'm on holiday in Japan! 8) wink


Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

I usually try to not be so absolute in my statements, but with a few other things, such as "No Prefetch files that indicate the use of a wireless configuration utility" and "No Registry entries in other hives that indicate that wireless configuration software was installed or used", one could say that there are no indications that the system had been connected to a wireless network.

Harlan wisely uses the phrase "no indications". How feasible is that once all possible sources of network connection have been established (registry entries, log files, etc.) a utility can be written to remove all such indications without leaving any suspicious footprint behind (not just of itself, but of its actions)? What challenges might such a tool face if the author knew the machine was to be the subject of forensic analysis?

A little off-topic as far as the original post is concerned but interesting nonetheless.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Jamie,

Good point, and definitely a discussion for another thread…suffice to say, I do believe that once someone starts clearing Registry data, they're doing themselves more harm than good.

As far as the other responses go…I'd like to see something more definitive along the lines of what might be in the Event Logs, as well as a tool that can be used to extract the ARP cache/table from a memory dump…

h


azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

Well … I suspect that some of the following would show errors with the initialisation of the network card. Other network errors exist, but they all imply more communication over the network and errors being received.

http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.0&EvtID=1007&EvtSrc=DHCP&LCID=1033

http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.0&EvtID=1222&EvtSrc=Kernel&LCID=1033

http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.0&EvtID=2136&EvtSrc=System&LCID=1033

http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.2&EvtID=1001&EvtSrc=DHCP&LCID=1033

http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.2&EvtID=1007&EvtSrc=DHCP&LCID=1033

http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.0&EvtID=57&EvtSrc=Kernel&LCID=1033

http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.2&EvtID=1008&EvtSrc=DHCPServer&LCID=1033

I'll get back to you on the memory parser …


(@shanex)
Active Member
Joined: 17 years ago
Posts: 8
Topic starter  

Regarding registry key LastWrite times….

Is there a default timestamp of some sort? I was just checking some keys (on a laptop which is only a month old) and some of the dates on keys are from 2005..?!

Thanks.


Page 2 / 3