Mac Address

35 Posts
11 Users
0 Reactions
5,861 Views
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568

Roland,

That was actually addressed in Jonathan's response on the first page of this thread.


(@angrybadger)
Estimable Member
Joined: 18 years ago
Posts: 164

Or from the command line type ipconfig/all?

If it is forensic (the OP doesn't say), clone the drive, put it back in the original computer, remove any logon password, then from the command line type ipconfig/all

getmac is even simpler.

It could be argued that reading from the registry won't really help much. If it gives you something then it could be the address that the MAC is spoofed to.

Alternatively just Helix boot the original system and read the physical MAC using "ifconfig -a", the MAC is the HW Address.


(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158

What is the quickest way to locate the mac address in registry?

In addition to the suggestions already posted, you may also look for version 1 UUIDs in the registry. If the rule book is followed, they should be created from a timestamp and any of the MAC addresses present.

Version 1 UUIDs follow the pattern

xxxxxxxx-xxxx-1xxx-xxxx-xxxxxxxxxxxx

where x is a hexadecimal digit, and the last xxxxxxxxxxxx is a MAC address. (It may be a multicast address, in which case it is assigned randomly, and thus useless for identification purposes.)

This is probably an area that could do with a little research – when I check my own laptop (XP), I find that many keys in

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\

contain version 1 UUIDs, and when I check them out, I find that apart from one set that can be traced to vmware network connections, and another set that are multicast addresses, I get five unique MAC addresses.

One of them is from the Ethernet interface, and another from the WiFi interface. The remaining three I can't trace easily, but I suspect they may come from the PC Card and USB network devices I use from time to time. (Or perhaps they came with the installation image, as one of them is an IBM MAC, and I don't have an IBM network device that I know of.)

On a desktop system, I would expect the number of MAC addresses would be smaller.

Added: Yes – on a Win7 desktop system, I find 10 unique MAC addresses, but 9 of them are multicast addresses and vmware virtual networks (OID 005056). The remaining one is one of the two Realtek Ethernet interfaces. The second Realtek interface does not appear, perhaps because it has never been used.

These version 1 UUIDs also contain timestamps … which at least would indicate a moment when that particular MAC was present.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568

Athulin,

Excellent point.

When I was researching and developing code to parse Win 7 Jump Lists, I came across the UUID v1 identifiers in the TrackerData block within the SHLL-LINK streams in the Jump Lists. As a reference for parsing these, I used RFC 4122 (http://www.ietf.org/rfc/rfc4122.txt). Para 4.1.6 describes the definition of the "node" field, and what you state is timely, relevant, and accurate.


(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878

> Or from the command line type ipconfig/all?
>
> If it is forensic (the OP doesn't say), clone the drive, put it back in the original computer, remove any logon password, then from the command line type ipconfig/all
>
> getmac is even simpler.
>
> It could be argued that reading from the registry won't really help much. If it gives you something then it could be the address that the MAC is spoofed to.
>
> Alternatively just Helix boot the original system and read the physical MAC using "ifconfig -a", the MAC is the HW Address.

Never come across getmac before. Cheers. Every day I learn more about what I don't know!

Very good point on booting original with forensic boot disk too, far more efficient.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568

> In addition to the suggestions already posted, you may also look for version 1 UUIDs in the registry. If the rule book is followed, they should be created from a timestamp and any of the MAC addresses present.
>
> Version 1 UUIDs follow the pattern
>
> xxxxxxxx-xxxx-1xxx-xxxx-xxxxxxxxxxxx
>
> where x is a hexadecimal digit, and the last xxxxxxxxxxxx is a MAC address. (It may be a multicast address, in which case it is assigned randomly, and thus useless for identification purposes.)
>
> This is probably an area that could do with a little research – when I check my own laptop (XP), I find that many keys in
>
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\
>
> contain version 1 UUIDs, and when I check them out, I find that apart from one set that can be traced to vmware network connections, and another set that are multicast addresses, I get five unique MAC addresses.
>
> One of them is from the Ethernet interface, and another from the WiFi interface. The remaining three I can't trace easily, but I suspect they may come from the PC Card and USB network devices I use from time to time. (Or perhaps they came with the installation image, as one of them is an IBM MAC, and I don't have an IBM network device that I know of.)
>
> On a desktop system, I would expect the number of MAC addresses would be smaller.
>
> Added: Yes – on a Win7 desktop system, I find 10 unique MAC addresses, but 9 of them are multicast addresses and vmware virtual networks (OID 005056). The remaining one is one of the two Realtek Ethernet interfaces. The second Realtek interface does not appear, perhaps because it has never been used.
>
> These version 1 UUIDs also contain timestamps … which at least would indicate a moment when that particular MAC was present.

Do you have a reference for this? I ask, as I'm getting some pretty strange information when I convert the dates in the UUID v1 volume GUIDs.

If these are, in fact, UUID v1 GUIDs, do you happen to know what the date represents?

Thanks.


(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158

> Do you have a reference for this? I ask, as I'm getting some pretty strange information when I convert the dates in the UUID v1 volume GUIDs.
>
> If these are, in fact, UUID v1 GUIDs, do you happen to know what the date represents?

Not yet – I'm working on a small Windows utility to 'deconstruct' a UUID into its constituent parts, and extract MAC and timestamp, or whatever is supposed to be in there. Once that is working, I'll check up further on those GUIDs.

No new references; RFC4122 is what I've been referring to.


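The "deconstruct" utility described in the reply above, and the version 1 UUID layout from the earlier MountPoints2 post and the RFC 4122 section 4.1.6 reference, can be shown in a few lines of Python. The code below is an added example written for this thread, not the poster's utility or any RegRipper plugin. It splits a version 1 UUID into its 60-bit timestamp (100 ns ticks since 1582-10-15, converted to UTC), clock sequence and 48-bit node field, flags nodes with the multicast bit set (which RFC 4122 assigns randomly, so they identify no NIC), and separates out MACs with the VMware 00:50:56 prefix the post mentions. The key names it scans are constructed sample values built with the `make_uuid_v1` helper, not data from a real hive; the function names and the `{...}` brace handling are assumptions of this example.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# 100 ns ticks between the UUID epoch (1582-10-15) and the Unix epoch (RFC 4122, section 4.1.4).
UUID_EPOCH_OFFSET_TICKS = 0x01B21DD213814000
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Registry key names under MountPoints2 wrap the GUID in braces; accept both forms.
GUID_RE = re.compile(r"^\{?([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}?$")


def make_uuid_v1(ticks, clock_seq, node):
    """Assemble a version-1 UUID string from its fields (used here only to build constructed sample data)."""
    time_low = ticks & 0xFFFFFFFF
    time_mid = (ticks >> 32) & 0xFFFF
    time_hi_version = ((ticks >> 48) & 0x0FFF) | 0x1000      # top nibble = version 1
    clock_seq_hi_variant = 0x80 | ((clock_seq >> 8) & 0x3F)  # RFC 4122 variant bits '10'
    clock_seq_low = clock_seq & 0xFF
    return str(uuid.UUID(fields=(time_low, time_mid, time_hi_version,
                                 clock_seq_hi_variant, clock_seq_low, node)))


def deconstruct_uuid_v1(text):
    """Split a version-1 UUID into timestamp, clock sequence and node (MAC).
    Returns None for anything that is not an RFC 4122 version-1 UUID."""
    m = GUID_RE.match(text.strip())
    if not m:
        return None
    u = uuid.UUID(m.group(1))
    if u.version != 1:          # None for non-RFC variants, 4 for random GUIDs, ...
        return None
    # u.time is the 60-bit count of 100 ns ticks since 1582-10-15 (RFC 4122, 4.1.4).
    seconds, rem = divmod(u.time - UUID_EPOCH_OFFSET_TICKS, 10_000_000)
    when = UNIX_EPOCH + timedelta(seconds=seconds, microseconds=rem // 10)
    octets = u.node.to_bytes(6, "big")
    return {
        "timestamp": when,
        "clock_seq": u.clock_seq,
        "mac": ":".join(f"{b:02x}" for b in octets),
        "oui": octets[:3].hex(),
        # RFC 4122, 4.5: a randomly chosen node sets the multicast (I/G) bit, so it is not a real NIC.
        "multicast": bool(octets[0] & 0x01),
    }


def classify_key_names(names, virtual_ouis=("005056",)):
    """Walk subkey names and group the MACs found in their version-1 UUIDs.
    Physical MACs map to the sorted list of timestamps at which they were seen."""
    report = {"macs": {}, "multicast": [], "virtual": []}
    for name in names:
        parts = deconstruct_uuid_v1(name)
        if parts is None:
            continue                         # drive letters, share names, v4 GUIDs: nothing to learn
        if parts["multicast"]:
            report["multicast"].append(parts["mac"])
        elif parts["oui"] in virtual_ouis:
            report["virtual"].append(parts["mac"])
        else:
            report["macs"].setdefault(parts["mac"], []).append(parts["timestamp"])
    for stamps in report["macs"].values():
        stamps.sort()
    return report


# Constructed sample key names (not from a real hive): two sightings of one NIC an hour apart,
# a VMware-prefixed MAC, a multicast node, a version-4 GUID and two non-GUID names.
TICKS_2010 = UUID_EPOCH_OFFSET_TICKS + 1_262_304_000 * 10_000_000   # 2010-01-01 00:00:00 UTC
SAMPLE_KEY_NAMES = [
    "{" + make_uuid_v1(TICKS_2010, 0x1234, 0x001D7D0A0B0C) + "}",
    "{" + make_uuid_v1(TICKS_2010 + 3600 * 10_000_000, 0x1234, 0x001D7D0A0B0C) + "}",
    "{" + make_uuid_v1(TICKS_2010, 0x0042, 0x005056C00001) + "}",
    "{" + make_uuid_v1(TICKS_2010, 0x0042, 0x01005E000001) + "}",
    "{" + str(uuid.UUID(int=0x0F0F0F0F0F0F4F0F8F0F0F0F0F0F0F0F)) + "}",
    "C",
    "##server#share",
]

if __name__ == "__main__":
    for name in SAMPLE_KEY_NAMES:
        print(name, "->", deconstruct_uuid_v1(name))
    print(classify_key_names(SAMPLE_KEY_NAMES))
```

Two caveats when running this against real key names: the multicast and VMware checks only drop nodes that cannot be a physical NIC, so anything left in `macs` still has to be matched against known hardware (a spoofed MAC would be recorded just as faithfully); and the timestamp only says when the generating process ran with that node value, which is why the date on a given GUID may not line up with the event an examiner expects.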
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568

I have already deconstructed the component parts of the UUID, and I'm working on trying to determine what the time stamps refer to.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568

Athulin,

So far, I've had some very interesting findings…


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568

Just a quick follow-up…I've written RegRipper plugins for extracting MAC Addresses from both the System and NTUSER.DAT hives.


Page 2 / 4