Getting information about connected network cards

An expert can use the results of analyzing the list of network cards as evidence that an external network card (or a device acting as one) was used.

When a new network card is connected, the system saves its data under the key SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards.

Inside this section are subkeys, each of which stores information about a single network card. These keys are not updated afterwards, so their timestamp can be used to determine the date the network card was installed.

Network Neighborhood Information

Analysis of the stored network environment information can give the researcher a picture of the network activity that took place on the analyzed system: the installed network cards, the networks to which the machine was connected and, most importantly, the list of wireless networks. There are many cases of anonymous wireless networks being used to commit unlawful acts.

Information about network interfaces is stored in the following registry key:

SYSTEM\ControlSet00x\Services\Tcpip\Parameters\Interfaces.

Additional information may be found in the following key of the SYSTEM hive:

SYSTEM\ControlSet00x\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\{00nn}.

The system has been found to store a complete list of every network card it has ever used.

This section contains subkeys whose names are GUIDs. Each key contains many values that describe the network interface settings: DHCP options, IP address, default gateway, and so on.

Using the GUID, you can get the network name from the section SYSTEM\ControlSet00x\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{GUID}.

Wireless network

For every wireless network to which a connection was made, an entry is created in the SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Wireless section.

This key contains only a list of wireless network identifiers; detailed information can be obtained by linking these identifiers with signatures from the SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged section.

After that, you must associate the signature with its profile, which is recorded in the ProfileGuid value. To do this, read the data from the key SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{ProfileGuid}.

The summary data contains the following important information:

date of creation;

date of last connection;

profile name;

MAC address of the default gateway.

The OS keeps a complete list of wireless networks, signatures and profiles (if the user does not delete the data manually).

Use DCode-v4.02a-build-4.02.0.9306 to convert the date and time format.
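
The signature-to-profile join and the date conversion described above can also be done by hand; the following is an added example, not part of the original material. It uses the value names DateCreated, DateLastConnected, ProfileName and DefaultGatewayMac as Windows names them in these keys, and all sample values (GUID, signature name, MAC, dates) are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

def decode_systemtime(raw: bytes) -> datetime:
    """Decode a 16-byte SYSTEMTIME (eight little-endian uint16 fields)."""
    if len(raw) != 16:
        raise ValueError("SYSTEMTIME must be exactly 16 bytes")
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    # Returned without a time zone: profile dates are treated as machine-local time.
    return datetime(year, month, day, hour, minute, second, ms * 1000)

def decode_filetime(ft: int) -> datetime:
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC), as used for key timestamps."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def summarize_networks(signatures: dict, profiles: dict) -> list:
    """Join each Unmanaged signature to its profile through the ProfileGuid value."""
    rows = []
    for sig_id, sig in signatures.items():
        profile = profiles.get(sig["ProfileGuid"])
        if profile is None:  # profile deleted manually: keep the orphaned signature visible
            rows.append({"signature": sig_id, "profile_name": None})
            continue
        rows.append({
            "signature": sig_id,
            "profile_name": profile["ProfileName"],
            "created": decode_systemtime(profile["DateCreated"]),
            "last_connected": decode_systemtime(profile["DateLastConnected"]),
            "gateway_mac": sig["DefaultGatewayMac"].hex(":"),
        })
    return rows

# Constructed sample data, shaped like values exported from the SOFTWARE hive.
GUID = "{11111111-2222-3333-4444-555555555555}"  # constructed placeholder
SIGNATURES = {"constructed-signature-01": {
    "ProfileGuid": GUID,
    "DefaultGatewayMac": bytes.fromhex("001122334455"),
}}
PROFILES = {GUID: {
    "ProfileName": "ExampleCafeWiFi",
    "DateCreated": bytes.fromhex("e5070200020002000a001e000f000000"),
    "DateLastConnected": bytes.fromhex("e5070200030003001200050000000000"),
}}

if __name__ == "__main__":
    for row in summarize_networks(SIGNATURES, PROFILES):
        print(row)
```

A signature whose profile is missing is reported with an empty profile name instead of being dropped, since a manually deleted profile is itself worth noting.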