Hi,
I've lurked the forums a bit and finally decided to come for help. I searched but nothing I found was able to answer my question.
I have a disk image here and I need to find out where the laptop has been location wise. The main location should be in New Jersey, but I need to find if for some reason, the laptop was used in another location such as Florida.
Also, there is a 3G software installed that could allow it to have internet access from anywhere the mobile provider supplies.
Any quick tips that could point me in the right direction?
EDIT: I should also include that the OS is Windows 7.
Thanks in advance.
First thought is to check what WiFi networks the laptop has connected to.
This won't really show definitive proof as I can easily name my home network "LAX Airport Free WiFi" or something like that but this could provide corroborative evidence if you can find some other indication of location.
The 3G software may have its own connection logs which may assist, and if you are LE then you always have the avenue of seeking information from the Telco and ISP as to any 3G connections the laptop has made.
Thank you for the quick reply!
I forgot to mention that this is for a college course so I'm still learning the ins and outs of things around the forensics world. I found a few posts on here about accessing the SOFTWARE and SYSTEM registry files but when I followed those leads, I came up empty. So I must have done something wrong.
Do you have any other information that could help me get jump started? I just need to prove that the computer was in a different location than it was supposed to be.
Have a look at the NTUser.dat file as well as this has plenty of user specific data.
Casting my mind back to my own University lecturers they tend to be pretty sneaky and not use obvious answers sometimes (at least mine were) so WiFi might be too simple.
Have they given you a date range where this activity is suspected to have occurred? If they have then another approach might be to look at file activity around those dates. I'm guessing you will be using a Linux based free tool rather than EnCase or Xways so I can't really help you with how to operate those tools but looking at the temporary internet files and internet history might also be somewhere worth looking to get an idea of what they are doing.
Emails are also a good source of information, start thinking about what you would do if you were traveling (airline tickets/bookings, hotel, car hire, restaurant reviews, Google Maps history, iPhone backup files etc etc).
Maybe look for time zone changes in the event logs.
Even if the laptop time didn't change, if you look at daily login times you might find the user normally starts work on the laptop at 9am. Then if you see a few days where the user logged in at 3am, it might be an indication that the user has moved around the world.
Maybe you can find cached web pages that do geo-location. e.g. Google USA being used instead of Google UK for a few days.
Maybe holiday photos from Florida are on the disk.
Maybe GPS locations in photos from an iPhone (yes, I am looking at you, John McAfee).
Possibilities are endless…
Thanks for the replies.
Casting my mind back to my own University lecturers they tend to be pretty sneaky and not use obvious answers sometimes (at least mine were) so WiFi might be too simple.
That's what I was thinking. But it was worth a shot.
I'm guessing you will be using a Linux based free tool rather than EnCase or Xways so I can't really help you with how to operate those tools…
I'm using FTK 4.1 and have access to Xways and EnCase.
Possibilities are endless…
That statement couldn't be more true. Thank you for some ideas to look into though.
I'll keep looking around.
If LimeWire is installed, I've found that it stores the city that the computer is currently in in one of its files (that I can't remember the name of).
I forgot to mention that this is for a college course so I'm still learning the ins and outs of things around the forensics world. I found a few posts on here about accessing the SOFTWARE and SYSTEM registry files but when I followed those leads, I came up empty. So I must have done something wrong.
I doubt an introductory college course would get into the weeds like this (i.e. requiring a student to deal with historical Registry information), but for those of you interested more broadly in the "where has this laptop been?" question… we have recently started using Registry Recon (our Windows Registry forensics tool) to look at the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList subkeys in a historical sense, to get an idea of where laptops have been.
The workflow goes something like this:
1.) Collect BSSIDs/MACs from these subkeys with Registry Recon
2.) Run them against Google and WiGLE
3.) (Hopefully) Identify approximate latitude/longitude of access points
WiGLE is hit or miss and of course it's dependent upon the volume and quality of the information submitted by the community. I've had some success in our testing with downtown Boston. The signal strength is a neat value to play with (WiGLE gives you historical submission information)…
This is relatively straightforward on OS X as well.
Mark Spencer, President
Arsenal Consulting, Inc.
Adam,
Have a look at the NTUser.dat file as well as this has plenty of user specific data.
Can you elaborate on this a bit…specifically, what should the OP look for within the NTUSER.DAT hive?
Have they given you a date range…
This would be a good time to create a timeline of system/user activity….
…iphone backup files etc etc).
This is something I'd definitely look for, but as was mentioned before, I don't see this being used in an introductory course.
All in all, I would follow Mark's advice. You can use the RegRipper networklist.pl plugin (for Vista+ systems), to retrieve the MAC addresses from the Software hive.
The script I wrote, macl.pl, for submitting MAC addresses to WiGLe.net (you have to have a user account with the site, and enter your credentials at the command line for the tool…) and getting a Google Maps URL or Google Earth file in return can be found here
http//
The topic of Wifi geo-location is addressed in a sidebar on pp135-136 of "Windows Forensic Analysis Toolkit 3/e", and addressed in even more detail on pp. 142-148 of "Windows Registry Forensics".
HTH
The script I wrote, macl.pl, for submitting MAC addresses to WiGLe.net (you have to have a user account with the site, and enter your credentials at the command line for the tool…) and getting a Google Maps URL or Google Earth file in return can be found here
http://code.google.com/p/winforensicaanalysis/downloads/list
This is awesome… somehow I managed to overlook your script until this thread. Copy and paste is only so scalable. 😉
Thanks Harlan!