Does anyone know the location of any artefacts (if indeed there are any) on a Vista Home PC related to the connection TO that host PC through a home network running the WEP protocol?
I want to rule in/out any suggestion that a rogue third party (neighbour/drive-by connection/etc) has established a connection to the PC by compromising the WEP 'protection' on the router. I'm not currently familiar with the art of router forensics.
Thanks.
I'd start with "netstat -ano" for one; depending upon the type of connection, you may find something in the output of 'net' commands, such as 'net sessions'…
Depending on the router, you may find leases in the router's DHCP client table. Vista's event log may also contain some useful connection information.
I really like Russix (free) even for troubleshooting. Its main focus was wireless penetration testing, but it gives you a lot of detail on one nice bootable CD instead of installing/configuring the programs individually (airmon, aircrack, aireplay, etc.).
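As an added illustration of the netstat suggestion above (not code from the thread), this Python snippet parses a constructed `netstat -ano` sample and flags ESTABLISHED connections from LAN addresses that are not on the owner's list of known devices. The sample output, the known-host list and the 192.168.1.0/24 subnet are all assumptions; netstat only shows connections alive at the moment it runs, so an absence of hits says nothing about earlier sessions.

```python
import ipaddress

# Constructed sample of Windows `netstat -ano` output (not taken from the post).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       192.168.1.23:49213     ESTABLISHED     4
  TCP    192.168.1.10:3389      192.168.1.77:51020     ESTABLISHED     1184
  TCP    192.168.1.10:49160     93.184.216.34:443      ESTABLISHED     2040
  UDP    0.0.0.0:500            *:*                                    1112
"""

# Devices the home owner recognises on the LAN (constructed; adjust for your network).
KNOWN_LAN_HOSTS = {"192.168.1.23"}
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")


def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) for every connection row.

    UDP rows carry no State column, so they yield an empty state string.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # skip banner and header lines
        if len(parts) == 5:
            proto, local, foreign, state, pid = parts
        else:
            proto, local, foreign, pid = parts
            state = ""
        rows.append((proto, local, foreign, state, int(pid)))
    return rows


def suspicious_lan_peers(rows, known_hosts, lan):
    """Flag established connections from LAN peers not in known_hosts.

    Returns (peer_ip, local_port, pid) so the owner can tie the session to a process.
    """
    flagged = []
    for proto, local, foreign, state, pid in rows:
        if state != "ESTABLISHED":
            continue
        host = foreign.rsplit(":", 1)[0]  # IPv4 'addr:port' only
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # '*' and similar placeholders
        if ip in lan and str(ip) not in known_hosts:
            flagged.append((str(ip), local.rsplit(":", 1)[1], pid))
    return flagged
```

Running `suspicious_lan_peers(parse_netstat(SAMPLE_NETSTAT), KNOWN_LAN_HOSTS, HOME_LAN)` on the sample reports the unrecognised 192.168.1.77 session to local port 3389 under PID 1184, while the known LAN host and the Internet-bound connection are left alone.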
It shows you a nice list of what devices are connected to each AP that is visible.
In this case, you can see what wireless networks other cards are configured to connect to by default. Does that make sense?
What I mean is, if a user has set any "auto-connect next time" wireless networks in his adapter config, every time they power on their PC the wireless adapter "looks" for those networks and this is captured and displayed. You can see who is set to connect to your AP, or even just see in real time what devices are connected to your AP.