Windows network connection analysis

stevegut78
(@stevegut78)
Junior Member

I'm working a case and looking at the network connections. OS is Windows 8.1 and Win 10. Within FTK, in the System Information tab, it conveniently lists network connections, which is extracted from SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles.

If I look in ControlSet001\Services\Tcpip\Parameters\Interfaces\, I am able to see some other connections and IP info. What confuses me is that there are some MAC addresses listed in ControlSet001\Services\Tcpip\Parameters\Interfaces\ that are not listed in SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles.

I can see a MAC address under DhcpGatewayHardware in the ControlSet001\Services\Tcpip\Parameters\Interfaces\ keys. Some of those MAC addresses match with ones FTK displays in network connections which is extracted from SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles. However, some of the MAC addresses listed in ControlSet001\Services\Tcpip\Parameters\Interfaces\ are not shown in FTK Network Connections.

Could this be because the connections may have been made while using the same network profile name?

As a follow-on to this question, I have listed all the time periods of connections from SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles… What's really throwing me for a loop is that I have web history that occurs during a time period that the system was not connected to a network (if I go by first and last connect time for each network profile).

Topic starter Posted : 14/08/2018 7:09 pm
watcher
(@watcher)
Active Member

Try looking up the MAC address device types, it may provide a clue.

Posted : 14/08/2018 10:39 pm
stevegut78
(@stevegut78)
Junior Member

Try looking up the MAC address device types, it may provide a clue.

Do you mean MAC address vendor search? If so, I've done that and was able to identify 2 devices by manufacturer and positively identify one of the connections. What's more significant to me is that I know the computer was connected and surfing the internet during a time where, according to the NetworkList\Profiles, there was no connection profile. So how useful is the NetworkList\Profiles if it's obviously not 100% accurate?

Topic starter Posted : 15/08/2018 12:06 am
trewmte
(@trewmte)
Community Legend

Are Harlan Carvey's excellent digital forensic books no help?

Windows Registry Forensics Advanced Digital Forensic Analysis of the Windows Registry
Windows Forensic Analysis Toolkit Advanced Analysis Techniques for Windows 7

Posted : 15/08/2018 9:42 am
keydet89
(@keydet89)
Community Legend

Are Harlan Carvey's excellent digital forensic books no help?

It's unlikely…they don't cover this exact question.

The issue may be one of the two different plugins showing different information; that is, yes, they provide information that include MAC addresses, but you have to look at the context of each. Simply because both are MAC addresses, doesn't make them the same information.

"What's really throwing me for a loop is that I have web history that occurs during a time period that the system was not connected to a network (if I go by first and last connect time for each network profile)."

It might help to have a bit more information; specifically, the plugin will provide information from the Registry regarding first and last connected times, but there may be times in between those during which the system was connected. That is to say, 'first' and 'last' may not constitute 'only'.

Posted : 15/08/2018 8:39 pm
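A worked example of the point keydet89 makes above (the two MAC addresses come from different contexts) and of the original question about which key holds what. This is an added example, not code from the thread or from FTK or RegRipper. The facts it rests on: NetworkList\Profiles\{GUID} holds ProfileName, NameType, Category and the DateCreated and DateLastConnected timestamps, but no MAC at all; the gateway MAC that a network-connection report shows beside a profile comes from NetworkList\Signatures\{Managed,Unmanaged}\{signature}\DefaultGatewayMac, and that subkey's ProfileGuid value is the join back to Profiles. Tcpip\Parameters\Interfaces\{adapter GUID}\DhcpGatewayHardware is a different artefact: it is written by the DHCP client, one key per adapter, and holds only the gateway of the most recent lease on that adapter, whether or not NLA decided the network was new. DateLastConnected is likewise overwritten on every connection, so it cannot show connections between first and last. The byte layouts in the docstring are my assumptions about these REG_BINARY values, and all sample data is constructed, not from any case:

```python
r"""Decode and cross-reference the registry values behind Windows network-profile artefacts.

Added example, not code from the original thread.  Binary value layouts assumed here:
  NetworkList\Profiles\{GUID}\DateCreated, DateLastConnected : SYSTEMTIME, eight little-endian
      uint16 (wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds), local time
  NetworkList\Signatures\Unmanaged\{sig}\DefaultGatewayMac  : six raw MAC bytes; the subkey's
      ProfileGuid value names the Profiles\{GUID} it belongs to
  Tcpip\Parameters\Interfaces\{GUID}\DhcpGatewayHardware    : IPv4 (4 bytes) + address length
      (uint32 LE, normally 6) + MAC bytes, for the most recent DHCP lease on that adapter
The SAMPLE_* data at the bottom is constructed for the demo, not taken from a real case.
"""
import struct
from datetime import datetime


def decode_systemtime(blob: bytes) -> datetime:
    """DateCreated / DateLastConnected are SYSTEMTIME structs (local time), not FILETIME."""
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", blob[:16])
    return datetime(year, month, day, hour, minute, second, ms * 1000)


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_dhcp_gateway_hardware(blob: bytes) -> tuple:
    """Returns (gateway_ip, gateway_mac) from a DhcpGatewayHardware blob (layout assumed above)."""
    ip = ".".join(str(b) for b in blob[:4])
    (addr_len,) = struct.unpack("<I", blob[4:8])
    return ip, fmt_mac(blob[8:8 + addr_len])


NAME_TYPE = {0x06: "wired", 0x17: "broadband", 0x47: "wireless"}  # Profiles\{GUID}\NameType


def correlate(profiles: dict, signatures: dict, interfaces: dict) -> list:
    """Join Profiles to Signatures via ProfileGuid, then check every adapter's DHCP gateway MAC
    against the gateway MACs NLA recorded.  An interface row whose matched_profile is None is a
    gateway the TCP/IP stack took a lease from but that never got its own network profile."""
    mac_to_profile = {fmt_mac(sig["DefaultGatewayMac"]): sig["ProfileGuid"]
                      for sig in signatures.values()}
    rows = []
    for guid, prof in profiles.items():
        rows.append({
            "kind": "profile", "guid": guid, "name": prof["ProfileName"],
            "type": NAME_TYPE.get(prof["NameType"], hex(prof["NameType"])),
            "first": decode_systemtime(prof["DateCreated"]).isoformat(sep=" "),
            "last": decode_systemtime(prof["DateLastConnected"]).isoformat(sep=" "),
            "gateway_macs": sorted(m for m, g in mac_to_profile.items() if g == guid),
        })
    for if_guid, iface in interfaces.items():
        ip, mac = decode_dhcp_gateway_hardware(iface["DhcpGatewayHardware"])
        rows.append({
            "kind": "interface", "guid": if_guid, "dhcp_ip": iface.get("DhcpIPAddress"),
            "gateway_ip": ip, "gateway_mac": mac, "matched_profile": mac_to_profile.get(mac),
        })
    return rows


# --- constructed sample, shaped like values read out of the hives (e.g. with python-registry) ---
PROFILE_GUID = "{0F5D2E3A-1111-4C3A-9B00-000000000001}"   # hypothetical GUID
SAMPLE_PROFILES = {
    PROFILE_GUID: {
        "ProfileName": "Network", "NameType": 0x06,
        # 2018-08-14 19:09:00 local as SYSTEMTIME (a Tuesday, so wDayOfWeek = 2)
        "DateCreated": b"\xe2\x07\x08\x00\x02\x00\x0e\x00\x13\x00\x09\x00\x00\x00\x00\x00",
        "DateLastConnected": struct.pack("<8H", 2018, 8, 3, 15, 0, 6, 0, 0),
    },
}
SAMPLE_SIGNATURES = {
    "SIG-CONSTRUCTED-1": {           # real subkey names are long hex strings
        "ProfileGuid": PROFILE_GUID, "Description": "Network",
        "DefaultGatewayMac": b"\x00\x11\x22\x33\x44\x55",
    },
}
SAMPLE_INTERFACES = {
    # one Interfaces\{GUID} key per adapter; each holds only the latest lease
    "{7E0D1A0B-2222-4C3A-9B00-000000000002}": {
        "DhcpIPAddress": "192.168.1.23",
        "DhcpGatewayHardware": b"\xc0\xa8\x01\x01\x06\x00\x00\x00\x00\x11\x22\x33\x44\x55",
    },
    "{7E0D1A0B-3333-4C3A-9B00-000000000003}": {
        "DhcpIPAddress": "192.168.1.40",   # same gateway IP, different router, different MAC
        "DhcpGatewayHardware": b"\xc0\xa8\x01\x01\x06\x00\x00\x00\xaa\xbb\xcc\xdd\xee\xff",
    },
}

if __name__ == "__main__":
    for row in correlate(SAMPLE_PROFILES, SAMPLE_SIGNATURES, SAMPLE_INTERFACES):
        print(row)
```

The second interface row comes back with `matched_profile` None: the DHCP client recorded a lease from a router NLA never gave a signature or profile, which is exactly the "MAC in Interfaces but not in the FTK list" situation. For dating such a lease, the same Interfaces key also carries LeaseObtainedTime and LeaseTerminatesTime (DWORD Unix epoch seconds), which is a separate timestamp source from the Profiles dates and worth putting on the same timeline as the web history.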
stevegut78
(@stevegut78)
Junior Member

Are Harlan Carvey's excellent digital forensic books no help?

It's unlikely…they don't cover this exact question.

The issue may be one of the two different plugins showing different information; that is, yes, they provide information that include MAC addresses, but you have to look at the context of each. Simply because both are MAC addresses, doesn't make them the same information.

"What's really throwing me for a loop is that I have web history that occurs during a time period that the system was not connected to a network (if I go by first and last connect time for each network profile)."

It might help to have a bit more information; specifically, the plugin will provide information from the Registry regarding first and last connected times, but there may be times in between those during which the system was connected. That is to say, 'first' and 'last' may not constitute 'only'.

You are correct, his books don’t specifically answer my question.

I'm using FTK 6.3, so whatever methodology AccessData uses to extract the registry info for the network profiles is what is displayed in the "System Information" tab for the case. If I extract the registry and navigate to tcpip\parameters\interfaces, I see some clues of IP addresses assigned, gateway, DNS and gateway MAC. And some of the ones listed here are not listed in Networklist\profiles (which is where FTK pulls the data from).

Maybe it's possible the machine was connected to a different network but the profile did not change? Meaning Windows didn't pop up that GUI screen asking about setting up the network connection? Or the user cancelled it. I know I've cancelled it sometimes if I don't have to change any TCP/IP setting. I may have to test this out in the lab to prove this theory.

Topic starter Posted : 15/08/2018 8:53 pm
trewmte
(@trewmte)
Community Legend

It might help to have a bit more information; specifically, the plugin will provide information from the Registry regarding first and last connected times, but there may be times in between those during which the system was connected. That is to say, 'first' and 'last' may not constitute 'only'.

"plugins" Could be, might be… Always worth a try… hmmm..

Posted : 15/08/2018 9:03 pm
stevegut78
(@stevegut78)
Junior Member

It might help to have a bit more information; specifically, the plugin will provide information from the Registry regarding first and last connected times, but there may be times in between those during which the system was connected. That is to say, 'first' and 'last' may not constitute 'only'.

"plugins" Could be, might be… Always worth a try… hmmm..

Are you referring to plugins in regripper or some other tool?

Topic starter Posted : 15/08/2018 9:04 pm
keydet89
(@keydet89)
Community Legend

An option to get historical information might be VSCs…just sayin'…export the hives, run the RegRipper plugins against each of them…

Posted : 16/08/2018 12:25 am
stevegut78
(@stevegut78)
Junior Member

An option to get historical information might be VSCs…just sayin'…export the hives, run the RegRipper plugins against each of them…

Thanks that is what I plan to do tomorrow. Hopefully I'll find something fruitful. I also plan to test connecting a machine to 2 different networks without changing the network profile to see how that records in the registry.

Topic starter Posted : 16/08/2018 2:26 am
stevegut78
(@stevegut78)
Junior Member

VSCs were not useful. I did conduct my own experiment. The results were rather perplexing. Here is what I did:

Test Conducted with Windows 8.1 and Windows 10

Baseline: Fresh OS install. Not connected to any networks yet.
1 - Export system32\Config
2 - Run Registry report detailing
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\*.*
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\*.*
SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\*.*

Connect to network A DHCP/Router 192.168.1.1
1 - Export system32\Config
2 - Run Registry report detailing
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\*.*
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\*.*
SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\*.*

Connect to network B DHCP/Router 192.168.1.1
1 - Export system32\Config
2 - Run Registry report detailing
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\*.*
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\*.*
SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\*.*

Results, Windows 8.1
No registry keys updated until connected to Network B.
The only change recorded was a key in SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged\ was created
The weird thing is the default gateway MAC address is recorded as the MAC for Network A.

Results, Windows 10
After connect to Network A
key in SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged\ was created
Default gateway MAC address is listed as the correct MAC for Network A gateway.

Key created in SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\
IP info and DHCP MAC are recorded accurately

After connect to Network B
No change to any keys.

When connecting to both networks, I saw Windows 10 go through setting up network profiles in the GUI. Network A was called "Network", Network B was called "Network 2". I was assuming this would for sure create a new network profile.
When connecting to both networks with Windows 8.1, no visible network configuration prompts were seen.

There seems to be no rhyme or reason as to what causes entries in the registry for network connections.

One would think if it detected a different gateway MAC address it would trigger a new network profile/connection.
What about switching from different DHCP subnets?
What if the IP address issued stayed the same or changed?

So many unknowns and this test really only proved to me that the registry is not 100% accurate in recording network connections/profiles. I have not seen this specific phenomenon addressed anywhere in forensic publications. I may continue to analyze and write a white paper on this.

Topic starter Posted : 21/08/2018 9:14 pm
keydet89
(@keydet89)
Community Legend

I have not seen this specific phenomenon addressed anywhere in forensic publications.

This will likely be the case for many similar items.

Posted : 22/08/2018 11:38 am
stevegut78
(@stevegut78)
Junior Member

Sometimes it's hard to believe that nobody has tried to solve the same problem I am tackling. I must be getting used to the age of the internet where someone has already gone through what you're trying to do.

In this particular case, I figured surely someone has done this. It seems that it's a common area that would be valuable for many cases. Although, this is the first time I have had to prove this in 11 years.

I will continue to research this and document.

Topic starter Posted : 22/08/2018 2:19 pm
keydet89
(@keydet89)
Community Legend

Sometimes it's hard to believe that nobody has tried to solve the same problem I am tackling.

Someone may have already solved this problem; however, they may not have shared it publicly, thinking that someone else has already done so, or that anything they could provide would not be of any particular value to anyone else.

Or, they simply don't want anyone to review their work.

Something I'm not seeing in your testing is an indication of "atomic" tests…do one thing, stop, document. Do another thing, stop, document. Also, what types of networks are you connecting to? Wired? Wireless? What are the types of routers? All of these things may make a difference in our testing.

If you're able to going forward, I'd suggest connecting to a network, doing something (i.e., web browsing), shut down the system, and image. Create a timeline, even if it's just using the Software hive. Lather, rinse, repeat.

Posted : 22/08/2018 3:14 pm
stevegut78
(@stevegut78)
Junior Member

Good info. For my initial test I did the following

Fresh image of Windows
Shut down
Capture baseline of System32\Config (connected drive to my T356789iu)
Run Registry report against the keys that I am focused on

Boot up
Connect Network A (Ethernet)
Verify connectivity (browser to Yahoo.com)
Shut down
Capture Contents of System32\Config (connected drive to my T356789iu)
Run Registry report against the keys that I am focused on

Boot up
Connect Network A (Ethernet)
Verify connectivity (browser to Yahoo.com)
Shut down
Capture Contents of System32\Config (connected drive to my T356789iu)

I captured a single image at the end just for posterity but yes, I agree it would be better to image after each phase of the testing. I tried to keep it as controlled as possible for each test given the time constraint. I was able to prove that Windows does not always create or update registry info for every single time it is connected to a network. This is good enough for my case report. But as I said, I am curious what causes the registry to get written to or not.

The machine for my case was only using Ethernet and did not have any WiFi card present. For my test, I only connected to Ethernet (routers set as 192.168.1.1 running DHCP).

I plan to test a couple different routers, IP configurations. Also will record my actions and any feedback in the GUI more thoroughly, i.e. Windows recognizing a new network and popping up the window to select Private/Public.

Topic starter Posted : 22/08/2018 4:23 pm
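The test procedure laid out twice in this thread (capture System32\Config, run a registry report over the three key trees, connect, repeat) and keydet89's "do one thing, stop, document" advice both come down to answering "what changed in these keys between step N and step N+1". The script below is an added example, not from the thread: it walks the three trees on the live test box with Python's standard winreg module into a JSON snapshot after each atomic step, and diffs any two snapshots. It assumes an elevated Python 3 on the Windows VM (some NetworkList subkeys are not readable by standard users); the live view is under CurrentControlSet rather than ControlSet001. It is a quick-look tool for the lab notebook, not a substitute for exporting the hives or imaging after each step, since the live registry can hold changes not yet flushed to the on-disk hive. The `before`/`after` dictionaries in the usage comment are constructed, not real captures.

```python
"""Snapshot and diff the registry key trees that record network connections, one snapshot per
atomic lab step (boot, connect, browse, shut down).  Added example, not code from the thread.
Assumptions: run elevated on the Windows test machine; winreg is standard library there.
diff_snapshots() is pure Python and runs anywhere on saved JSON files.
"""
import json
import sys
from datetime import datetime

try:
    import winreg            # Windows only
except ImportError:          # lets the diff half run on an analysis box
    winreg = None

# HKLM trees named in the thread; live view uses CurrentControlSet, offline hives ControlSet00N
KEY_TREES = [
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures",
    r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces",
]


def _jsonable(value):
    """REG_BINARY comes back as bytes; store it as hex so the snapshot is plain JSON."""
    return value.hex() if isinstance(value, bytes) else value


def walk_key(root, path: str, out: dict) -> None:
    """Recursively record every value under HKLM\\path as out[path][value_name] = data."""
    try:
        key = winreg.OpenKey(root, path)
    except OSError:          # tree absent on a fresh install is itself a finding, so no error
        return
    with key:
        values, i = {}, 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, i)
            except OSError:  # EnumValue raises when there are no more values
                break
            values[name] = _jsonable(data)
            i += 1
        out[path] = values
        i = 0
        while True:
            try:
                sub = winreg.EnumKey(key, i)
            except OSError:  # no more subkeys
                break
            walk_key(root, path + "\\" + sub, out)
            i += 1


def snapshot() -> dict:
    if winreg is None:
        raise RuntimeError("live snapshot needs Windows; use diff_snapshots() on saved files")
    snap = {}
    for tree in KEY_TREES:
        walk_key(winreg.HKEY_LOCAL_MACHINE, tree, snap)
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """Keys created/removed and values changed between two snapshots (key path -> {name: data})."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = {}
    for path in sorted(set(before) & set(after)):
        b, a = before[path], after[path]
        delta = {n: (b.get(n), a.get(n)) for n in sorted(set(b) | set(a)) if b.get(n) != a.get(n)}
        if delta:
            changed[path] = delta
    return {"added_keys": added, "removed_keys": removed, "changed_values": changed}


if __name__ == "__main__":
    # python regsnap.py snap step1_baseline.json        (on the test box, after each step)
    # python regsnap.py diff step1_baseline.json step2_networkA.json
    if sys.argv[1] == "snap":
        with open(sys.argv[2], "w") as fh:
            json.dump({"taken": datetime.now().isoformat(), "keys": snapshot()}, fh, indent=1)
    elif sys.argv[1] == "diff":
        with open(sys.argv[2]) as fb, open(sys.argv[3]) as fa:
            before, after = json.load(fb)["keys"], json.load(fa)["keys"]
        print(json.dumps(diff_snapshots(before, after), indent=1))
```

Taking a snapshot immediately after each of "boot", "connect to A", "browse", and "shut down" (rather than once per network) is what turns "no registry keys updated until connected to Network B" into a statement about which step did or did not write, and the diff output can be pasted straight into the case notes beside the GUI observation for that step (new-network prompt seen or not, Private/Public chosen or cancelled).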