Wireless Security Settings

Here's a blog post that discusses using Registry settings from Vista and above to get information about wireless networking, and using it in geolocation of the WAPs
http//windowsir.blogspot.com/2009/09/where-was-waldo.html

That doesn't answer the OP's question…mostly because the information isn't publicized by MS, but it does address other questions in the thread.

There is a tool that decodes the values located at the SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID} reg key.

http//www.live-forensics.com/dl/DateDecoder.zip

All,

I'm trying to determine what kind of Wireless Security (if any) has been used on a Laptop (OS is WindowsXP) from an Encase Image.

I would need information where in the registry these settings are stored and how to identify if WEP/WPA/WPA2/NONE has been used, if possible for both cases (when Zero Config Service from Windows is used as opposed to the use of the vendor provided Software)

Thank you

Chris

Hi Chris,

Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\lnterfaces\

0x34 Encryption type (TKIP, AES, WEP, Disabled)

WEP 00
Disabled 01
TKIP 04
AES 06

Any questions let me know.

And if you like GUIs (and who doesn't really!) there is on of NirSofts many little apps that I like

WirelessKeyView v1.34
http//www.nirsoft.net/utils/wireless_key.html

Caveat to this you would want to run the image in a VM. Would also highly recommend verify all results with methods listed above from a static analysis perspective.

Also, this is an excellent read regarding the topic
http//www.iccyber.org/2009/uploads/trabalhos/20090925/RCMP_Eric_Rowe.pdf
WiFi Related Registry Keys
by Eric Rowe, Royal Canadian Mounted Police, Canadian Police College