Blog >> Mapped Network Drives

Investigating Windows Mapped Network Drives

14/07/2022 Thursday

In Windows systems, mapping a network drive enables users to access a particular shared folder, file or even an entire storage drive on a remote system more efficiently. Mapping assigns a drive letter to a shared folder, then, the user can access the shared folder from File Explorer without having to browse the network as if it was a local drive. When a user map shares via the Map Network Drive Wizard, an entry related to the drive is populated in the Registry.



Digital Forensics Value of Mapped Network Drive Artifacts


Mapped Network Drives and Mapped Network Drive MRU artifacts can provide valuable information during a forensic analysis. The artifacts contain information related to the network shares that the user has connected to, which might uncover suspicious or unusual activity.


Location and structure of Mapped Network Drive Artifacts


When a user maps a network drive persistently, a key with the name as that of the drive letter will appear under HKEY_CURRENT_USER\Network registry key. Each subkey beneath the Network key corresponds to a mapped network drive and stores information about the drive such as the path of the share and the username used to connect to the share. On the other hand, a list of recently used/accessed network shares are maintained within the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

Similar to other MRU keys, the values listed under this key are named for lowercase letters (a, b and so on) and each value stores the UNC path of the mapped drive. The key also contains an "MRUList" that lists the order in which the drives were used.


Analyzing Mapped Network Drive Artifacts with ArtiFast Windows


This section discusses how to use ArtiFast Windows to analyze Mapped Network Drive related artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifact.

After you have created your case and added evidence for the investigation, at the Artifacts Selection phase, you can select from the Mapped Network Drive related artifacts:






Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Mapped Network Drive and Mapped Network Drive MRU artifacts in ArtiFast Windows.


Mapped Network Drives Artifact

The artifact contains information related to mapped network drives. The details you can view include:



Mapped Network Drive MRU Artifact

The artifact contains a list of recently used network shares. The details you can view include:



For more information or suggestions please contact: asmaa.elkhatib@forensafe.com