Network History (Vista/Win7–11)
Network history on Windows Vista through Windows 10 systems provides a valuable resource for forensic analysts. It contains detailed records of both wired and wireless networks that a computer has connected to, including network names (SSIDs for wireless networks), domain names for intranets, gateway MAC addresses, and more. This information is stored in the Windows Registry within the SOFTWARE hive, offering insights into user movement, network usage patterns, and potential security risks associated with connecting to certain networks.
Location and Description of Network History in the Registry
Network history information can be found in the following Registry locations:
Unmanaged Networks: This key stores information about networks that are not managed by a network policy (e.g., public Wi-Fi networks). Each subkey represents a different network and contains details such as the SSID for wireless networks, the MAC address of the gateway, and timestamps.
Managed Networks: Similar to unmanaged networks, but for networks managed by a network policy (e.g., corporate networks). This can include networks connected via domain authentication.
Nla (Network Location Awareness) Cache: The NLA cache provides information about the network location and type, including recent connections and their categorization (Public, Private, DomainAuthenticated).
Interpreting Network History
Intranet and Network Identification: By examining the entries in these Registry keys, you can identify the networks the computer has connected to, whether they are internal (intranet) or external (internet via Wi-Fi or Ethernet).
Connection Timestamps: The "last write time" of each key provides a timestamp indicating the last time the computer connected to that network, which is critical for reconstructing a timeline of the device's movements or usage.
VPN Connections: Networks connected through VPNs can also be identified, offering insights into remote connections and potentially revealing the user's attempts to secure their internet activity or access remote resources.
Physical Location Triangulation: With the MAC address of the gateway (typically the wireless access point or router for wireless connections), it's possible, in some cases, to triangulate the physical location of the network connection. This can be done through databases that map Wi-Fi networks' MAC addresses to geographical locations.
Practical Steps for Analysis
Accessing the Registry: Use tools like
Regeditor command-line utilities to access the Registry and navigate to the relevant keys. For forensic analysis, it's recommended to work with a copy of the Registry from an image of the system being analyzed to avoid altering any data.Documenting Findings: For each network, document the SSID, domain/intranet name, gateway MAC address, and connection timestamps. This documentation can be crucial for correlating network connections with other events or artifacts found on the system.
Cross-Referencing: Cross-reference the documented networks with other artifacts such as logs (e.g., DHCP lease logs, Wi-Fi logs, VPN logs), browser history, and files that might indicate activities performed while connected to these networks.
Tools for Enhanced Analysis: Consider using forensic analysis tools that can automatically parse and present network connection data from the Registry, streamlining the analysis process.
Last updated
Was this helpful?