Digital Forensics 0x3a : Windows Registry Forensics “Wireless Evidence”

In this article :
For a forensic analyst, the registry can be one of the best places to search for evidence of what, where, when, and how something happened on the system. In this step-by-step tutorial, we will see how the Windows registry works at a basic level and what evidence it leaves behind when someone uses the system, for good or bad purposes. This article covers "Wireless Evidence".

HIVES : In the registry, the root folders are called hives. There are five (5) registry hives:

HKEY_USERS: contains all the loaded user profiles
HKEY_CURRENT_USER: profile of the currently logged-on user
HKEY_CLASSES_ROOT: configuration information on the applications used to open files
HKEY_CURRENT_CONFIG: hardware profile of the system at startup
HKEY_LOCAL_MACHINE: configuration information including hardware and software settings

Steps to follow : Getting into the registry
- Go to Search and type "regedit.exe" (without the quotes)


- When you find it, click it or press Enter. The following screen shows up.


In this article, we will look at the wireless evidence history available in the registry.

WIRELESS EVIDENCE IN THE REGISTRY : 

For this, we go to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

In my case, see the image below.


Simple Proof, AP :
On the right-hand side, you can see "ProfileName" as pkr net_hcc talchowkm2 4
From this we can say that the system was indeed connected to this AP.
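As an added example (not part of the original article), the following PowerShell script walks the same Profiles key on a live system and lists every recorded profile with its ProfileName. It goes one step beyond the article by also decoding the DateCreated and DateLastConnected values stored next to it, which Windows keeps as 16-byte SYSTEMTIME structures; the function names are my own.

```powershell
# Added example: enumerate the network profiles recorded under NetworkList\Profiles
# on a live system and decode their DateCreated / DateLastConnected timestamps.
# Run from an elevated PowerShell prompt.
$ProfilesKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'

# DateCreated and DateLastConnected are 16-byte SYSTEMTIME structures: eight little-endian
# 16-bit words in the order year, month, day-of-week, day, hour, minute, second, millisecond.
# The values are written in local time, so the result is tagged as Local.
function ConvertFrom-SystemTimeBytes {
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -lt 16) { return $null }
    $w = for ($i = 0; $i -lt 16; $i += 2) { [BitConverter]::ToUInt16($Bytes, $i) }
    # $w[2] is the day-of-week and is not needed to rebuild the timestamp
    try {
        [datetime]::new($w[0], $w[1], $w[3], $w[4], $w[5], $w[6], $w[7], [DateTimeKind]::Local)
    } catch {
        $null   # malformed or zeroed structure
    }
}

# One object per profile subkey (the subkey name is the profile GUID).
function Get-NetworkProfileEvidence {
    Get-ChildItem -Path $ProfilesKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            ProfileGuid       = $_.PSChildName
            ProfileName       = $p.ProfileName
            Description       = $p.Description
            DateCreated       = ConvertFrom-SystemTimeBytes $p.DateCreated
            DateLastConnected = ConvertFrom-SystemTimeBytes $p.DateLastConnected
        }
    }
}

# Most recently connected networks first.
Get-NetworkProfileEvidence | Sort-Object DateLastConnected -Descending | Format-Table -AutoSize
```

The same key can be read from an exported or imaged SOFTWARE hive with an offline registry parser; only the key path and value layout matter.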

Other information that can be found in the registry includes: the times when the system was used, files that were accessed, devices that were mounted (USB drives, phones, etc.), and actions taken on the system.

Thank You.  
