Investigating Windows Wireless Networks
10/01/2022 Monday
Windows 7/10 stores profiles of wireless networks, to which a system has been connected. ArtiFast can locate and parse this data, extracting information such as the network name and connection time.
Digital Forensics Value of Wireless Networks Artifacts
This artifact provides an investigator with information on wireless networks that were connected to, with a target system. It gives important details like when the connection first occurred, when it was last connected to, the wireless network name, the physical address of the network device and more. These can all prove useful to an investigator trying to get a timeline on a system's association with a network.
Location of Wireless Networks Artifacts
Windows wireless networks artifact source file is located at C:\Windows\config\SOFTWARE.
Within the SOFTWARE hive, the artifact data can be found at Microsoft\Windows
NT\CurrentVersion\NetworkList.
Structure of Wireless Networks Artifacts
The SOFTWARE file is a registry hive file. The registry file format is a binary file analogous to a filesystem, with a group of keys, subkeys and values. These files are used by the operating system to store user, system, and application configurations.
Analyzing Wireless Networks Artifacts with ArtiFast Windows
This section will discuss how to use ArtiFast Windows to extract Wireless Networks artifact from Windows
machines and what kind of digital forensics insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifact Selection
phase, you can select Wireless Networks artifact:
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Wireless Networks artifact in ArtiFast software.
Wireless Networks Artifact
The artifact contains information on wireless networks
that were connected to using the system. The details you can view include:
- Profile GUID – Network profile GUID.
- Profile Name – Name of the network profile.
- Description – Description of the network profile.
- First Network – First network.
- MAC Address – Physical address of the wireless network device.
- DNS Suffix – DNS suffix.
- Is Managed – Indicates whether the network is managed or unmanaged.
- Created Date/Time – Date and time when the network profile was created.
- Last Connected Date/Time – Date and time when the system was last connected to the network.
- Key Last Updated Date/Time – Profile registry key last update date/time.
For more information or suggestions please contact: ummulkulthum.wambai@forensafe.com
