Investigating Windows Network Interfaces

23/06/2022 Thursday

Windows operating systems store network configuration details in the registry. Under the SYSTEM hive there are registry keys for TCP/IP configuration and for network interface/adapter details, and both are important in a digital forensic investigation. By analyzing these registry keys, we can collect the IP address(es) of each interface, DNS and DHCP details, hostname and domain information, and more.

Digital Forensics Value of Network Interfaces Artifact

This artifact stores networking configuration details about the target system. "HKLM\System\ControlSet00x\Services\Tcpip" and "HKLM\System\ControlSet00x\Control\Network" are the two locations from which we collect network interface details of a Windows operating system. By analyzing those locations recursively we can get information about:

  1. Domain (if domain joined),
  2. HostName,
  3. Name server(s),
  4. Network connection(s),
  5. Network interface names, and many more.

Location of Network Interfaces Artifact

Information about network interfaces is found in the following registry keys:

Structure of Windows Network Interfaces

Network interfaces are described under two registry keys. The first is \SYSTEM\ControlSet00x\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\ (the network adapter class GUID); the friendly network adapter names live under this key, in each adapter's Connection subkey. The second is \SYSTEM\ControlSet00x\Services\Tcpip\Parameters\Interfaces\; the TCP/IP configuration of each interface (static and DHCP-assigned addresses, gateways, name servers, lease times) lives under this key. The two locations are joined by the interface GUID, which is the subkey name in both. Note that a SYSTEM hive usually holds more than one control set; the one the system actually booted with is recorded in \SYSTEM\Select\Current (on a live system, CurrentControlSet links to it), so check that value before choosing which ControlSet00x to read. By analyzing both locations we can collect details about network adapters and networking configurations. The image below shows an example of both registry locations.
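As an added example (this is not code from the original post or from ArtiFast), the following PowerShell script walks both registry locations described above and joins them by interface GUID, resolving the active control set from Select\Current instead of trusting CurrentControlSet. It assumes either a live system (the default HiveRoot of HKLM:\SYSTEM) or an offline SYSTEM hive that has been mounted with reg load under HKLM\ForensicSYS and passed as -HiveRoot 'HKLM:\ForensicSYS'; the parameter name and the ForensicSYS mount name are assumptions of this example, not part of the post.

```powershell
# Added example, not the original post's or ArtiFast's code.
# Enumerate Windows network interface configuration from the registry, joining the
# TCP/IP parameters of each interface with the adapter name stored under the
# network class GUID key.
#
# Assumption: either run on a live system (default -HiveRoot 'HKLM:\SYSTEM'), or
# mount an offline hive first with
#     reg load HKLM\ForensicSYS X:\Windows\System32\config\SYSTEM
# and run with -HiveRoot 'HKLM:\ForensicSYS'. The mount name is arbitrary.
param(
    [string]$HiveRoot = 'HKLM:\SYSTEM'
)

# A hive holds several control sets; Select\Current records the one last booted.
# CurrentControlSet only exists as a link on a live system, so resolve ControlSet00x
# explicitly (this also works for an offline hive).
$current    = (Get-ItemProperty -Path (Join-Path $HiveRoot 'Select') -Name Current).Current
$controlSet = Join-Path $HiveRoot ('ControlSet{0:D3}' -f [int]$current)

$tcpipParams = Join-Path $controlSet 'Services\Tcpip\Parameters'
$ifaceKey    = Join-Path $tcpipParams 'Interfaces'
$netClassKey = Join-Path $controlSet 'Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}'

# Host-wide values (hostname, domain, DNS search list) live on Tcpip\Parameters itself.
$params = Get-ItemProperty -Path $tcpipParams
[pscustomobject]@{
    ControlSet = $controlSet
    Hostname   = $params.Hostname
    Domain     = $params.Domain
    SearchList = $params.SearchList
} | Format-List

# Per-interface values. Each subkey of Interfaces is named after the adapter GUID; the
# same GUID is a subkey under the network class key, whose Connection\Name value holds
# the friendly name shown in the Network Connections folder.
Get-ChildItem -Path $ifaceKey | ForEach-Object {
    $guid = $_.PSChildName
    $p    = Get-ItemProperty -Path $_.PSPath

    $friendly = $null
    $connKey  = Join-Path $netClassKey "$guid\Connection"
    if (Test-Path -Path $connKey) {
        $friendly = (Get-ItemProperty -Path $connKey).Name
    }

    # DHCP-assigned and statically configured settings are stored in different values:
    # Dhcp* values (REG_SZ / REG_MULTI_SZ) when EnableDHCP is 1, otherwise the
    # IPAddress / SubnetMask / DefaultGateway multi-strings and NameServer.
    $dhcp = ($p.EnableDHCP -eq 1)
    if ($dhcp) {
        $ip      = $p.DhcpIPAddress
        $mask    = $p.DhcpSubnetMask
        $gateway = $p.DhcpDefaultGateway -join ','
        $dns     = $p.DhcpNameServer
    } else {
        $ip      = $p.IPAddress -join ','
        $mask    = $p.SubnetMask -join ','
        $gateway = $p.DefaultGateway -join ','
        $dns     = $p.NameServer
    }

    # Lease times are DWORD Unix epoch seconds (UTC); only present on DHCP interfaces.
    $leaseObtained = $null
    $leaseExpires  = $null
    if ($p.LeaseObtainedTime)   { $leaseObtained = [DateTimeOffset]::FromUnixTimeSeconds([int64]$p.LeaseObtainedTime).UtcDateTime }
    if ($p.LeaseTerminatesTime) { $leaseExpires  = [DateTimeOffset]::FromUnixTimeSeconds([int64]$p.LeaseTerminatesTime).UtcDateTime }

    [pscustomobject]@{
        InterfaceGuid  = $guid
        AdapterName    = $friendly
        EnableDHCP     = $dhcp
        IPAddress      = $ip
        SubnetMask     = $mask
        DefaultGateway = $gateway
        NameServer     = $dns
        DhcpServer     = $p.DhcpServer
        DhcpDomain     = $p.DhcpDomain
        LeaseObtained  = $leaseObtained
        LeaseExpires   = $leaseExpires
    }
} | Format-Table -AutoSize
```

Interfaces that exist under Tcpip\Parameters\Interfaces but have no matching Connection subkey (the AdapterName column is empty) are typically loopback, tunnel or removed adapters; their Dhcp* values and lease times are still worth recording, since they show which networks the machine was attached to and when the last lease was obtained.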

Analyzing Network Interfaces Artifact with ArtiFast Windows

This section discusses how to use ArtiFast Windows to analyze network interfaces artifact from Windows machines and what kind of digital forensics insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Network Interfaces artifact:

Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the Network Interfaces artifact in ArtiFast.

Network Interfaces Artifact

The artifact contains network interface and networking configuration details from Windows operating systems. The details you can view include:

