Blog >> Windows Network Interfaces

Investigating Windows Network Interfaces

23/06/2022 Thursday

Windows operating systems store network configuration details in the registry. There are registry keys for TCP/IP configuration and network interface/adapter details which are important in a digital forensic investigation. By analyzing these registry keys, we can collect IP address(es) of the interface(s), DNS, DHCP details and many more.

Digital Forensics Value of Network Interfaces Artifact

This artifact stores networking configuration details about the target system. "HKLM\System\ControlSet00x\Services\tcpip" and "HKLM\System\ControlSet00x\Control\Network" are two locations where we collect network interface details of a Windows operating system. By analyzing those locations recursively we can get information about:

1. Domain (if domain joined),
2. HostName,
3. Name server(s),
4. Network connection(s),
5. Network interface names, and many more.

Location of Network Interfaces Artifact

Information about Network Interfaces are found in the following registry keys;
Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\
Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Services\Tcpip\Parameters\Interfaces\

Structure of Windows Network Interfaces

Network interfaces are structured under two registry keys. The first one is \SYSTEM\ControlSet00x\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\, network adapter names are under this key. The second one is \SYSTEM\ControlSet00x\Services\Tcpip\Parameters\Interfaces\, configuration details of the networking are under this key.By analyzing both locations we can collect details about network adapters and networking configurations.The image below shows an example of both registry locations.

Analyzing Network Interfaces Artifact with ArtiFast Windows

This section discusses how to use ArtiFast Windows to analyze network interfaces artifact from Windows machines and what kind of digital forensics insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Network Interfaces artifact:

Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the Network Interfaces artifact in ArtiFast.

Network Interfaces Artifact

The artifact contains network interfaces and networking configuraiton details in Windows operating systems. The details you can view include:

• Adapter Name - Network adapter name under the registry key.
• DHCP Enable - Indicates whether the IP address is assigned by DHCP.
• DHCP IPv4 - DHCP assigned IP address is version 4.
• DHCP Server - DHCP server IP address. If address was assigned manually this value is "255.255.255.255".
• DHCP Subnet Mask - Subnet mask of the DHCP server IP Address zone.
• DHCP Default Gateway - DHCP server gateway configuration details.
• DHCP DNS Server(s) - DHCP server domain name system details.
• IPv4 Address - IP version 4 address of the host.
• DNS Server - DNS Server IP address of the host.
• Subnet Mask - Subnet mask of the host.
• Lease Terminates Time - DHCP IP address lease termination time.
• Key Last Updated Date/Time - Registry key update time. This is useful to understand when the latest time that adapter was used.

For more information or suggestions please contact: [email protected]