
System logs  

ebmetric
(@ebmetric)
New Member

Hi there,

This is the first time I have encountered a case where I need to find information on a PC (Windows 10) about a network drive that was connected, which is why I have a few questions for more experienced forum members:
1) Is there on Windows 10 some kind of system log (evtx) or any information regarding access to a shared network drive?
2) Where could I search for configuration information about the network drive?
3) What else can I find out about the network drive?

At this point I have checked out application.evtx, system.evtx and "../drivers/etc/hosts".

I have a dd image and lots of time to learn something new. :)

Thank you in advance for your time.

Posted : 09/03/2019 6:05 pm
jaclaz
(@jaclaz)
Community Legend

At this point I have checked out application.evtx, system.evtx and "../drivers/etc/hosts".

I would check the Registry.
Knowing how the good MS guys like to reuse code, it is likely that everything (or almost anything) valid in XP and in 7 is still valid in 10.
Like
https://social.technet.microsoft.com/Forums/windows/en-US/0c44732e-60dd-4ddd-a19f-c5772cdfd54e/map-network-drive-registry-path?forum=w7itprovirt
https://superuser.com/questions/1105292/backup-mapped-drive-paths
https://superuser.com/questions/885754/where-does-windows-store-network-drive-mappings
http://www.bloggingforlogging.com/2018/11/22/windows-mapped-drives-what-the-hell-is-going-on/

Also (though a password has not necessarily been saved locally)
http://www.nirsoft.net/utils/network_password_recovery.html

jaclaz

Posted : 10/03/2019 4:17 pm
keydet89
(@keydet89)
Community Legend

….about network drive that was connected…

1) Is there on Windows 10 some kind of system log (evtx) or any information regarding access to a shared network drive?
2) Where could I search for configuration information about the network drive?
3) What else can I find out about the network drive?

Are you referring to a network drive available on the system, or a network drive to which a user on the system connected?

If the network drive is on the system, that's in the Registry. Since you have the image of the system, run the RegRipper 'shares.pl' plugin against the System hive.

If you're looking for information on shares to which a user on the system connected, I'd start by looking to the shellbags artifacts.

HTH

Posted : 19/03/2019 10:39 am