Mac Address

(@forensic1zn)
Eminent Member
Joined: 14 years ago
Posts: 22
Topic starter  

Hi Guys,

What is the quickest way to locate the MAC address in the registry?


   
nightworker
(@nightworker)
Estimable Member
Joined: 16 years ago
Posts: 134
 

The best way that I know: mount the image with VFC 2 and look up the MAC address.


   
(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

> Hi Guys,
>
> What is the quickest way to locate the MAC address in the registry?

Googling "registry mac address", the first entry states where it is: http://www.windowsreference.com/networking/how-to-change-mac-address-in-windows-registry/


   
nightworker
(@nightworker)
Estimable Member
Joined: 16 years ago
Posts: 134
 

Jonathan, in Windows 7 there is no network address section, and the EnCase link-to-MAC script didn't work in Windows 7 either. I am working on it.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Windows doesn't store the NIC MAC address in the Registry by default. If you fire up an acquired image in a VM, you'll get the MAC address of the VM interface.

The link to changing the MAC address does just that…changes it.

However, pp. 186-187 of "Windows Forensic Analysis 2/e" covers other places within the Registry that you *might* find the MAC address.

Depending upon the version of Windows you're referring to, you may find the MAC address in Windows shortcuts, or (on Windows 7) within the TrackerData block in the LNK streams within automaticDestinations Jump Lists.

HTH.


   
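The TrackerData block mentioned in the post above, as an added example that is not part of the thread or any poster's code: a Python sketch that scans raw .lnk or carved Jump List stream bytes for a TrackerDataBlock and reads the MAC address from the node field of its version 1 object-ID GUIDs. It assumes the field layout of Microsoft's [MS-SHLLINK] TrackerDataBlock structure; the function names, sample bytes, machine name and MAC values are constructed for illustration.

```python
import struct
import uuid

HEADER = struct.pack("<II", 0x60, 0xA0000003)  # BlockSize, BlockSignature

def guid_mac(raw16):
    """MAC from a GUID's node field, or None if it does not hold a NIC address."""
    g = uuid.UUID(bytes_le=raw16)
    node = g.node.to_bytes(6, "big")
    # Only version 1 GUIDs embed a node; a set multicast bit marks a random node.
    if g.version != 1 or node[0] & 0x01:
        return None
    return ":".join(f"{b:02x}" for b in node)

def parse_tracker_blocks(data):
    """Find every TrackerDataBlock in raw .lnk or carved Jump List stream bytes."""
    found, pos = [], data.find(HEADER)
    while pos != -1:
        blk = data[pos:pos + 0x60]
        # Length must be 0x58 and Version 0 for a valid block.
        if len(blk) == 0x60 and struct.unpack_from("<II", blk, 8) == (0x58, 0):
            found.append({
                "offset": pos,
                "machine_id": blk[16:32].split(b"\0")[0].decode("ascii", "replace"),
                "droid_file_mac": guid_mac(blk[48:64]),   # current object ID
                "birth_file_mac": guid_mac(blk[80:96]),   # object ID at creation
            })
        pos = data.find(HEADER, pos + 1)
    return found

def build_sample():
    """Constructed test data: filler bytes followed by one TrackerDataBlock."""
    vol = uuid.UUID("8e44de00-5103-4a4b-8c2f-000000000001").bytes_le  # not version 1
    obj = uuid.UUID(fields=(0x1D2C3B4A, 0x5E6F, 0x11E0, 0x9A, 0x7B, 0x001122334455)).bytes_le
    birth = uuid.UUID(fields=(0x0A0B0C0D, 0x1E2F, 0x11DF, 0x9A, 0x7B, 0x0A1B2C3D4E5F)).bytes_le
    body = struct.pack("<II16s", 0x58, 0, b"workstation01") + vol + obj + vol + birth
    return b"\x4c\x00\x00\x00" + b"\x00" * 72 + HEADER + body

if __name__ == "__main__":
    for hit in parse_tracker_blocks(build_sample()):
        print(hit)
```

A MAC recovered this way belongs to the machine that generated the object ID, so differing values in the two fields point to a file that originated on another system.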
asparajin
(@asparajin)
Eminent Member
Joined: 16 years ago
Posts: 24
 

Here you can learn EnScript to obtain the MAC address of a non-running machine (http://www.forensickb.com).
Versions that support Windows 2000/XP/Vista.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Asparajin,

What would you be querying with the EnScript?


   
(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

Or from the command line type ipconfig/all?

If it is forensic, (the OP doesn't say) clone the drive, put it back in the original computer, remove any log on password, then from the command line type ipconfig/all


   
asparajin
(@asparajin)
Eminent Member
Joined: 16 years ago
Posts: 24
 

> Asparajin,
>
> What would you be querying with the EnScript?

EnCase EnScript (querying LNK files)

Windows 7 not working :(


   
digintel
(@digintel)
Trusted Member
Joined: 17 years ago
Posts: 51
 

> Or from the command line type ipconfig/all?
>
> If it is forensic, (the OP doesn't say) clone the drive, put it back in the original computer, remove any log on password, then from the command line type ipconfig/all

I haven't tested this, but theoretically you could also take out the network card, and use another (forensically controlled) system to read the MAC address. As an aside, on many systems it's possible to spoof the MAC addresses (software- or hardware-based), something to consider in scenarios with skilled IT personnel.

Roland


   