Tracking SSIDs of networks connected to


MPD352

I'm doing a forensic exam of a computer. I'm trying to figure out where in
the registry or in what file the SSIDs and other settings for wireless
connections are stored so I can try to determine what networks the suspect
computer may have connected to.

Where are those settings stored? Are they in the registry or a separate
file, and if so where?

For various reasons I can't just start up the machine and look as that
changes evidence on the drive.

thanks
 
Ummm, OK, if you can't turn on the machine, how
you gonna do anything?
 
I've taken a bit-for-bit image of the hard drive and examine that. We never
run the machine on the original drive as it gives the defense lawyer an
opening to claim we destroyed evidence.
 
OK, figured it must be something like that, took
your post a bit too literally.

SSIDs I've been to recently are at:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0011]

The value in the { } brackets and the \0011 are machine-specific
and won't be the same in the Registry you're looking at.

You will just need to nav to the HKLM and look around.
 
V.Green:

Thanks, I found a lot of keys that control the hardware, but no SSIDs. I'm
searching my laptop because I know what my SSIDs are. If I could find
them on my machine I would know where to look with the registry analyzer on
the image.

 
V.Green:

You got me looking in the right place, and I found it. It is within
HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\ You then look within
the keys for entries named Static#0000, Static#0001, and so on. These are the
SSIDs in binary - with the right tool you can view the SSID. This
particular machine belonged to a transient, and was full of statics, which
indicates he was just walking around looking for open access points. Thanks,
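The post above only says the Static#NNNN values are "SSIDs in binary". The script below, an added example that is not from the thread, decodes them from an offline SOFTWARE hive the way a forensic examiner working from an image would. It assumes the value is a WZC_WLAN_CONFIG structure with the adapter MAC at offset 0x08, the SSID length (ULONG) at 0x10 and up to 32 SSID bytes at 0x14; those offsets are my assumption about the structure, not something the thread states. Hive walking uses the third-party python-registry module (`from Registry import Registry`), while the sample values are constructed inline so the decoder runs without a hive.

```python
import struct

# Assumed layout of the head of a WZC_WLAN_CONFIG blob (little-endian):
#   0x00 ULONG Length        0x04 DWORD dwCtlFlags
#   0x08 MacAddress[6]       0x0E Reserved[2]
#   0x10 ULONG SsidLength    0x14 UCHAR Ssid[32]
LENGTH_OFF, FLAGS_OFF, MAC_OFF, SSID_LEN_OFF, SSID_OFF = 0x00, 0x04, 0x08, 0x10, 0x14
SSID_MAX = 32
MIN_BLOB = SSID_OFF + SSID_MAX  # 0x34: smallest blob holding every field read here


def decode_static_value(data: bytes) -> dict:
    """Extract MAC, SSID and control flags from one Static#NNNN value."""
    if len(data) < MIN_BLOB:
        raise ValueError(f"blob too short ({len(data)} bytes, need {MIN_BLOB})")
    total_len, ctl_flags = struct.unpack_from("<II", data, LENGTH_OFF)
    mac = data[MAC_OFF:MAC_OFF + 6]
    (ssid_len,) = struct.unpack_from("<I", data, SSID_LEN_OFF)
    if ssid_len > SSID_MAX:
        raise ValueError(f"SsidLength {ssid_len} exceeds {SSID_MAX}; not a WZC blob?")
    ssid_raw = data[SSID_OFF:SSID_OFF + ssid_len]
    return {
        "length": total_len,
        "ctl_flags": ctl_flags,
        "mac": ":".join(f"{b:02x}" for b in mac),
        "ssid_len": ssid_len,
        "ssid_hex": ssid_raw.hex(),  # SSIDs are raw bytes; keep the hex for the report
        "ssid": ssid_raw.decode("utf-8", errors="replace"),
    }


def decode_static_values(values: dict) -> list:
    """Decode every Static#... entry of a {value_name: raw_bytes} mapping, in name order."""
    out = []
    for name in sorted(n for n in values if n.startswith("Static#")):
        rec = decode_static_value(values[name])
        rec["value"] = name
        out.append(rec)
    return out


def list_wzc_profiles(software_hive_path: str) -> list:
    """Walk an exported SOFTWARE hive with python-registry (pip install python-registry)."""
    from Registry import Registry  # third-party; imported lazily so the decoder runs without it
    reg = Registry.Registry(software_hive_path)
    interfaces = reg.open("Microsoft\\WZCSVC\\Parameters\\Interfaces")
    out = []
    for iface in interfaces.subkeys():  # one subkey per wireless adapter GUID
        raw = {v.name(): v.raw_data() for v in iface.values()}
        for rec in decode_static_values(raw):
            rec["adapter"] = iface.name()
            out.append(rec)
    return out


def build_sample_static_value(ssid: bytes, mac: bytes = b"\x00" * 6, ctl_flags: int = 0) -> bytes:
    """Construct a blob in the layout above; sample data for testing, not a real hive value."""
    assert len(ssid) <= SSID_MAX and len(mac) == 6
    head = struct.pack("<II6s2xI32s", 0, ctl_flags, mac, len(ssid), ssid.ljust(SSID_MAX, b"\x00"))
    blob = head + b"\x00" * (0x80 - len(head))  # remaining fields are not decoded here
    return struct.pack("<I", len(blob)) + blob[4:]  # patch in the Length field


# Constructed stand-in for the values under one Interfaces\{GUID} key.
SAMPLE_VALUES = {
    "Static#0000": build_sample_static_value(b"linksys", bytes.fromhex("001122334455")),
    "Static#0001": build_sample_static_value(b"NETGEAR"),
    "Static#0002": build_sample_static_value(b""),  # hidden/empty SSID, length 0
    "ActiveSettings": b"\x00" * 0x80,  # not a Static# value, so it is skipped
}

if __name__ == "__main__":
    for rec in decode_static_values(SAMPLE_VALUES):
        print(f"{rec['value']:12} mac={rec['mac']} ssid={rec['ssid']!r} ({rec['ssid_hex']})")
```

Run `list_wzc_profiles(r"C:\case\image\Windows\system32\config\software")` against the hive copied out of the image; a MAC of all zeros simply means no BSSID was recorded for that profile. Note that the WZCSVC key is an XP-era (Wireless Zero Configuration) location; Vista and later keep wireless profiles elsewhere, so its absence on a newer image is not evidence of no wireless use.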
 
Yep, that makes sense.

I don't use WZC (ugh!), preferring the Intel wireless config
utility, hence the different location.

Glad it worked out.
 