VSCs were not useful. I did conduct my own experiment. The results were rather perplexing. Here is what I did:
Test Conducted with Windows 8.1 and Windows 10
Baseline: Fresh OS install. Not connected to any networks yet.
1 - Export system32\Config
2 - Run Registry report detailing
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\*.*
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\*.*
SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\*.*
Connect to network A DHCP/Router 192.168.1.1
1 - Export system32\Config
2 - Run Registry report detailing
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\*.*
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\*.*
SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\*.*
Connect to network B DHCP/Router 192.168.1.1
1 - Export system32\Config
2 - Run Registry report detailing
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\*.*
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\*.*
SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\*.*
Results, Windows 8.1
No registry keys updated until connected to Network B.
The only change recorded was a key in SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged\ was created
The weird thing is the default gateway MAC address is recorded as the MAC for Network A.
Results, Windows 10
After connect to Network A
key in SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged\ was created
Default gateway MAC address is listed as the correct MAC for Network A gateway.
Key created in SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\
IP info and DHCP MAC are recorded accurately
After connect to Network B
No change to any keys.
When connecting to both networks, I saw Windows 10 go through setting up network profiles in the GUI. Network A was called "Network", Network B was called "Network 2". I was assuming this would for sure create a new network profile.
When connecting to both networks with Windows 8.1, no visible network configuration prompts were seen.
There seems to be no rhyme or reason as to what causes entries in the registry for network connections.
One would think if it detected a different gateway MAC address it would trigger a new network profile/connection.
What about switching between different DHCP subnets?
What if the IP address issued stayed the same or changed?
So many unknowns and this test really only proved to me that the registry is not 100% accurate in recording network connections/profiles. I have not seen this specific phenomenon addressed anywhere in forensic publications. I may continue to analyze and write a white paper on this.
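To make each "connect, shut down, report" step of this test show exactly which values appeared or changed, here is an added PowerShell snapshot-and-diff helper for the three key sets the test plan tracks. It is not from the thread; it reads the live registry of the test machine (unlike the exported hives above), assumes an elevated session, and the snapshot path is a placeholder.

```powershell
# Added example: snapshot the NetworkList Profiles/Signatures keys and the
# Tcpip Interfaces key, then diff two snapshots taken before and after a
# network connection. Run elevated on the test VM; paths are placeholders.

$TrackedKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures',
    'HKLM:\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces'
)

function Get-NetListSnapshot {
    # Flatten every value under the tracked keys into "subkey\valuename" -> data.
    # REG_BINARY data (e.g. DefaultGatewayMac under Signatures\Unmanaged) is
    # rendered as hex so gateway MACs can be compared across networks by eye.
    $rows = @{}
    foreach ($root in $TrackedKeys) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                $data = $key.GetValue($name)
                if ($data -is [byte[]]) { $data = ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
                elseif ($data -is [array]) { $data = $data -join ';' }   # REG_MULTI_SZ
                $rows["$($key.Name)\$name"] = [string]$data
            }
        }
    }
    return $rows
}

function Save-NetListSnapshot([string]$Path) {
    Get-NetListSnapshot | ConvertTo-Json -Depth 2 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-NetListSnapshot([string]$BaselinePath) {
    # Report values added, changed or removed since the saved baseline.
    $old = @{}
    (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $old[$_.Name] = $_.Value }
    $new = Get-NetListSnapshot
    foreach ($k in ($new.Keys | Sort-Object)) {
        if (-not $old.ContainsKey($k))  { "ADDED   $k = $($new[$k])" }
        elseif ($old[$k] -ne $new[$k])  { "CHANGED $k : $($old[$k]) -> $($new[$k])" }
    }
    foreach ($k in ($old.Keys | Sort-Object)) {
        if (-not $new.ContainsKey($k))  { "REMOVED $k" }
    }
}

# Usage (placeholder path): before connecting, Save-NetListSnapshot 'C:\Test\baseline.json';
# after connecting to Network A and rebooting, Compare-NetListSnapshot 'C:\Test\baseline.json'.
```

Because the script queries the live registry rather than the offline hive export, a snapshot taken after reboot but before connecting to the next network gives the cleanest "atomic" step for comparison.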
I have not seen this specific phenomenon addressed anywhere in forensic publications.
This will likely be the case for many similar items.
Sometimes it's hard to believe that nobody has tried to solve the same problem I am tackling. I must be getting used to the age of the internet where someone has already gone through what you're trying to do.
In this particular case, I figured surely someone has done this. It seems that it's a common area that would be valuable for many cases. Although, this is the first time I have had to prove this in 11 years.
I will continue to research this and document.
Sometimes it's hard to believe that nobody has tried to solve the same problem I am tackling.
Someone may have already solved this problem; however, they may not have shared it publicly, thinking that someone else has already done so, or that anything they could provide would not be of any particular value to anyone else.
Or, they simply don't want anyone to review their work.
Something I'm not seeing in your testing is an indication of "atomic" tests…do one thing, stop, document. Do another thing, stop, document. Also, what types of networks are you connecting to? Wired? Wireless? What are the types of routers? All of these things may make a difference in our testing.
If you're able to going forward, I'd suggest connecting to a network, doing something (i.e., web browsing), shutting down the system, and imaging. Create a timeline, even if it's just using the Software hive. Lather, rinse, repeat.
Good info. For my initial test I did the following:
Fresh image of Windows
Shut down
Capture baseline of System32\Config (connected drive to my T356789iu)
Run Registry report against the keys that I am focused on
Boot up
Connect Network A (Ethernet)
Verify connectivity (browser to Yahoo.com)
Shut down
Capture Contents of System32\Config (connected drive to my T356789iu)
Run Registry report against the keys that I am focused on
Boot up
Connect Network A (Ethernet)
Verify connectivity (browser to Yahoo.com)
Shut down
Capture Contents of System32\Config (connected drive to my T356789iu)
I captured a single image at the end just for posterity but yes, I agree it would be better to image after each phase of the testing. I tried to keep it as controlled as possible for each test given the time constraint. I was able to prove that Windows does not always create or update registry info for every single time it is connected to a network. This is good enough for my case report. But as I said, I am curious what causes the registry to get written to or not.
The machine for my case was only using Ethernet and did not have any WiFi card present. For my test, I only connected to Ethernet (routers set as 192.168.1.1 running DHCP).
I plan to test a couple different routers, IP configurations. Also will record my actions and any feedback in the GUI more thoroughly, i.e. Windows recognizing a new network and popping up the window to select Private/Public.