Global Information Assurance Certification Paper

Copyright SANS Institute

Author Retains Full Rights
This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission.

Interested in learning more?

Check out the list of upcoming events offering
"Wireless Penetration Testing and Ethical Hacking (Security 617)"
at http://www.giac.org/registration/gawn
 s.
Wireless Networks and the Windows Registry -

t
Just where has your computer been?

igh
lr
ul
GIAC (GAWN) Gold Certification

f
ns
Author: Jonathan Risto, [email protected]

ai
Advisor: Erik Avakian

et
rr
ho
t Accepted: September, 2010
Au
e,

Abstract
ut

Windows keeps track of everything you do on the system, what you have connected to
t
i

the computer and what you have used on the system. Knowing where to look for this
t
ns

information and what it tells you is one of the great challenges incident responders and
I

analysts have when looking at computers. This paper documents the registry remnants
that remain from both hardware connections (NIC's) being inserted into the computer, as
NS

well as information within the registry regarding the networks that the computer has
SA

connected too in the past for both Windows XP and Windows Vista systems.
11
20
©

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.
 Wireless Networks and the Windows Registry ± Just where has your computer been?   2

1. Introduction

s.
The Windows Registry stores all of the information that is needed by the host

t
gh
operating system. This database contains all of the configurations, settings and options

i
that are both created initially by the operating system, as well as user configuring settings

lr
ul
and installed software. For example, a 1-year-old Vista system used in this paper has over

f
800,000 individual keys, as show in a screen capture from the Active Registry Monitor

ns
program (About Active Registry Monitor, 2010) shown in Figure 1.

ai
et
rr
ho
t
Au
e,

Figure  1  -­  Registry  Key  count  on  Windows  Vista  

t
iut
t

The sheer volume of information stored within the windows registry poses the
ns
I

challenge of finding the right information on the system. Randomly looking through the
NS

registry is not practical nor will you likely find the correct information quickly using this
approach. Adding to the challenge, Microsoft changes the locations where information is
SA

stored within the Windows registry depending on the operating system release (i.e.
Windows XP to Windows Vista).
11

Wireless network configuration settings are not exempted from being stored
20

ZLWKLQWKHZLQGRZVUHJLVWU\6HUYLFHVHWLGHQWLILHU¶V 66,'¶V RIQHWZRUNVWKDWWKH

©

computer has connected to, network configuration parameters of those networks, and
details relating to the Network Interface Cards on the system are all stored within the
Windows Registry.

Jonathan  Risto,  [email protected]  

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.
 Wireless Networks and the Windows Registry ± Just where has your computer been?   3

s.
2. The Windows registry hierarchy

t
gh
 

i
lr
The windows registry is a database that contains the configuration for the system

ul
in question. All of this data is stored in one of six hives on the local system. Microsoft

f
describes a hive as ³a group of keys, sub keys, and values in the registry that has a set of

ns
ai
supporting files thDWFRQWDLQEDFNXSVRILWVGDWD³ (Windows Registry information for

et
Advanced Users, 2008) The five common root keys found on a system are as follows:

rr
x HKEY_LOCAL_MACHINE or HKLM
ho
t
x HKEY_CURRENT_CONFIG or HKCC
Au

x HKEY_CLASSES_ROOT or HKCR
e,

x HKEY_CURRENT_USER or HKCU
ut

x HKEY_USERS or HKU
t
i
t

These are shown in Figure 2, as seen through the built in Windows regedit
ns

program.
I
NS
SA
11
20
©

Figure  2  -­  Root  Windows  Vista  Registry  keys  

Jonathan  Risto,  [email protected]  

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.
 Wireless Networks and the Windows Registry ± Just where has your computer been?   4

 
Each of these root keys could be considered similar to a folder, with items
pertaining to that key stored there. Each root key can and do have numerous sub-keys
stored within them. These sub-keys in turn can store other sub-keys, which can product a

s.
long list of folders to access the data you need. An example of a Windows Vista Registry

t
gh
key is:

i
lr
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

ul
f
ns
ai
et
rr
ho
t
Au
e,
ut

F igure 3 - E xample of a W indows V ista registry key

t
i
t
ns

As shown in Figure 3, the registry key can contain only one item or it could
I

contain a large number of items, as shown in Figure 4.

NS
SA
11
20
©

F igure 4 - E xample of W indows V ista Registry keys

Jonathan  Risto,  [email protected]  

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.
 Wireless Networks and the Windows Registry ± Just where has your computer been?   5

Regardless of the number of keys stored in any particular location, each key will

s.
be one of major types outlined in Table 1.

t
Name Data Type Description

igh
REG_BINARY Binary Value Raw binary data. Most hardware component

lr
ul
information is stored as binary data and is displayed
in Registry Editor in hexadecimal format.

f
ns
REG_DWORD DWORD Value Data represented by a number that is 4 bytes long (a

ai
32-bit integer). Many parameters for device drivers

et
and services are this type and are displayed in
Registry Editor in binary, hexadecimal, or decimal

rr
format. Related values are
ho
t DWORD_LITTLE_ENDIAN (least significant byte
is at the lowest address) and
Au

REG_DWORD_BIG_ENDIAN (least significant

byte is at the highest address).
e,
ut

REG_EXPAND_SZ Expandable String Value A variable-length data string. This data type includes
variables that are resolved when a program or service
t
i
t

uses the data.

ns

REG_MULTI_SZ Multi-String Value A multiple string. Values that contain lists or multiple
I

values in a form that people can read are generally

NS

this type. Entries are separated by spaces, commas, or

other marks.
SA

REG_SZ String Value A fixed-length text string.

11

Table 1 ± Major data types for Registry keys (Windows Registry information
20

for Advanced Users, 2008)

©

2.1. Windows Vista Wireless Registry Keys

Windows Vista stores wireless settings and configurations in several distinct

locations. The first location to find wireless information is the registry key that stores

Jonathan  Risto,  [email protected]  

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.
 Wireless Networks and the Windows Registry ± Just where has your computer been?   6

 
data related to network interface cards 1,&¶V . This information is located in the
following location:

s.
t
HKLM\Y_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

igh
lr
ul
This can be seen in Figure 5 below.

f
ns
ai
et
rr
ho
t
Au
e,
t
iut
t
ns

Figure  5  -­  Network  card  registry  key  

I

 
NS

Within this key, the Globally Unique Identifier, or GUID, assigned to the
SA

interface is found. This information is stored in the ServiceName key. In the example in
Figure 5, this value is {2B33BB4B-6279-42AF-98BA-EA6E8A70F8B7}. If there are
11

multiple cards installed on the system, or if an additional card has been placed into the
20

computer, each card will be shown here with a unique identifier. Within Figure 5, it is
shown that an additional card, labeled 5, has been installed on this system, and has a
©

separate GUID assigned to it.

Knowing what the GUID assigned to this network interface, the wireless network
IP address and associated information are stored within the Vista registry is able to be
determined. The registry key associated with this is:

Jonathan  Risto,  [email protected]  

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.
 Wireless Networks and the Windows Registry ± Just where has your computer been?   7

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}

s.
t
gh
An example of the information stored within this key location is shown in Figure

i
6, using the GUID found in the previous step. This GUID value is {2B33BB4B-6279-

lr
42AF-98BA-EA6E8A70F8B7}.

ul
f
ns
ai
et
rr
ho
t
Au
e,
t
iut
t
ns
I
NS

F igure 6 - T C PIP parameters associated with a wireless N I C

SA
11

From this example, it can be determined what IP address was assigned to the
20

computer (172.19.5.5), what the gateway address was (172.19.5.244), and the domain
assigned to the device (gateway.2wire.net). It is also shown that the gateway is the DHCP
©

server, so it may be safe to assume that this was a home gateway device.

Using another tool that is available to download for free called DCODE, we are able to
decode the time values associated with the various settings. For example, the time that the
lease was obtained is able to be determined using the DCODE tool (Free Tool ± DCODE,

Jonathan  Risto,  [email protected]  

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.
 Wireless Networks and the Windows Registry ± Just where has your computer been?   8

 
2009). To calculate the date, place the numeric value of the LeaseObtainedTime key into
the tool, and selecting the correct format of UNIX: Numeric Value, we can see that this
DHCP lease was obtained on June 24, at 10:59:15 UTC. This output can be seen in
Figure 7.

s.
t
gh
Following a similar calculation, it is determined that the lease for that address

i
expired on June 27 at 01:40:19 UTC. Now it is known that the computer was connected

lr
to this network starting on June 24, 2010 at 10:59:15 UTC. We do not know when the

ul
computer was disconnected, but we do know it was before June 27, as the auto-renew

f
ns
functionally of DHCP would have renewed the lease prior to expiration.

ai
et
rr
ho
t
Au
e,
t
iut
t
ns
I
NS
SA

F igure 7 - Date decoding using the D C O D E tool

11

Since it is known what timeframe this interface connected to the network,

20

determining which network it connected to remains to be discovered. Within the

©

following registry key:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\

Jonathan  Risto,  [email protected]  

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.
 Wireless Networks and the Windows Registry ± Just where has your computer been?   9

 
each of the networks that the computer has connected to is recorded by the system. Each
one is identified by a profileGUID, similar to the device GUID seen previously. Within
this registry key, the SSID of the network is contained within the Description key. When

s.
the computer first connected to the network is recorded in the DateCreated field, as well

t
gh
as the last time the computer connected, which is recorded in the DateLastConnected

i
lr
field. Examples of the registry key values and parameters are shown in Figure 8.

ul
f
ns
ai
et
rr
ho
t
Au
e,

F igure 8 - W ireless profile settings registry key

t
iut
t

The date format recorded within this key is different from the format in the TCPIP
ns

section. These are in a system binary structure, which can be broken up into 4-byte parts.
I
NS

Each part is in little endian format and corresponds to the following values, in order:

Year, Month, Weekday, Day, Hour, Minutes, Seconds, Thousandths

SA

From the example shown in Figure 8, the Date Created registry key value is:
11
20

Da07 0300 0600 0600 1400 3600 0900 e000

©

To start translating this key, we need to break the key value into 4-byte pieces, as
shown above. After breaking it up into these pieces, each piece will need to be changed to
a format we can use from little endian. To manually convert this value, the 4 bytes pieces

Jonathan  Risto,  [email protected]  

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.
 Wireless Networks and the Windows Registry ± Just where has your computer been?   1
0
 
will need to be converted to a decimal value, and to convert these values, the following is
performed.

s.
Year - da07 changes to 07da = 2010

t
Month = 0300 changes to 0003 = March

igh
Weekday ± 0600 changes to 0006 = Saturday

lr
ul
Day - 0600 changes to 0006 = 06

f
Hour ±1400 changes to 0014 = 20

ns
ai
Minutes ± 3600 changes to 0036 = 54

et
Seconds ± 0900 changes to 0009 = 09

rr
Thousandths ± e000 changes to 00e0 ± 224
ho
t
Au

Based on the above information, the correct date from this translation of the key
e,

value is Saturday March 6, 2010 at 20:54:09.224. This is the first time that the computer
ut

connected to this network. (Computer Forensics/E-Discovery Tips/Tricks and

t
i

Information, 2009)
t
ns

Valid values for this conversation are as follows:

I
NS

Year ± Any valid year

Weekday ± Sunday to Saturday, starting from value 0000 to value 0006

SA

Day ± from 1 to 31
11

Hour ± from 00 to 23
20

Minute ± from 0 to 59
©

Second ± from 0 to 59

Thousandths ± from 000 to 999

To avoid this manual calculation, the DCODE tool provides the ability to translate
this date format also as shown in Figure 9.

Jonathan  Risto,  [email protected]  

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.
 Wireless Networks and the Windows Registry ± Just where has your computer been?   1
1
 

s.
t
igh
lr
ul
f
ns
ai
et
rr
ho
t
Au

F igure 9 - D C O D E of the Date C reated registry key

e,
ut

By using the tool, or performing the task manually, the last access date is
t

determined which is found to be Friday March 12th, 2010 at 21:53:05.572. From the
i
t
ns

information gained from the interface settings, this is before the network connection time
I

that is being looked for.

NS

Selecting another key, we see the data shown in Figure 10.

SA
11
20
©

F igure 10 - W ireless profile settings registry key

Jonathan  Risto,  [email protected]  

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.
 Wireless Networks and the Windows Registry ± Just where has your computer been?   1
2
 

Using the same technique, it is found that this network, with the SSID of (Not

s.
Yours ± Disconnect), was first connected to this network on Wed, 15 July 2009

t
14:09:27.897 and the last time the system was connected was on Sun, 18 July 2010

gh
20:34:18.429. This network falls within the range of the dates in question, so it would be

i
lr
a possibility to consider. The remaining registry keys would need to be examined to

ul
determine if this is the only network that was accessed.

f
ns
One final piece of wireless network information that is stored within the registry

ai
keys is found in the following registry key location:

et
rr
HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\NetworkList\Signatues\Unmanaged
ho
\{ProfileGUID}
t
Au

This registry key contains the MAC address of the wireless access point that the
e,

system connected to. It also contains the DNS suffix assigned to this network, the SSID,
ut

and the ProfileGUID is assigned in this registry. By searching for this GUID, you would
t
i
t

be able to find either this key or the registry key containing the IP address information.
ns
I
NS
SA
11
20
©

F igure 11 - W ireless access point information

Jonathan  Risto,  [email protected]  

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.
 Wireless Networks and the Windows Registry ± Just where has your computer been?   1
3
 
Once the MAC address is known, pin pointing down the exact access point that
the computer has connected to becomes easier. Geolocation may also be possible using
tools such as those provided by Skyhook (Skyhook, 2010). Skyhook has mapped out

s.
wireless access points within major cities and their associated MAC addresses. If the

t
gh
geographical location of the access point is important to know, then the use of such a site

i
lr
to help determine locations may be warranted.

ul
f
ns
2.2. Windows XP Wireless Registry Keys

ai
et
Registry analysis on a Windows XP system is easier to do than on Windows

rr
Vista. This is not due to a better registry setup, but rather due to the numerous tools
ho
widely available that have the ability to parse through the hives and pull out the data. One
t
tool that does an excellent job, puts the data into a useful text file and still provides you
Au

with the locations of the keys is the program regripper by Harlan Carvey. (Carvey, 2010)
e,

XP registry entries for wireless network connections are stored in the following
ut

location (Carvey, 2009) :

t
i
t

HKLM|SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{GUID}
ns
I
NS

An example of this registry is shown in Figure 12

SA
11
20
©

Figure  12  -­  Windows  XP  wireless  registry  example  

Jonathan  Risto,  [email protected]  

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.
 Wireless Networks and the Windows Registry ± Just where has your computer been?   1
4
 
 
Within this registry key, the important information is shown in several locations.
First, the ActiveSettings contains the information for the active wireless profile on the

s.
t
system. When this key is opened, the SSID of the network is shown. An example is of a

gh
network SSID (Not yours ± Disconnect) is shown in Figure 13

i
lr
 

ul
f
ns
ai
et
rr
ho
t
Au
e,
t
iut
t

 
ns

 
I

Figure  13  -­  SSID  within  the  ActiveSettings  registry  key  

NS

 
The other important information within this key is found within the Static#000
SA

value. This location shows each of the wireless networks that the system has connected to
11

on this interface. If you open this registry key, you will see the SSID, which is the same
20

as the active session. This is shown in Figure 14

 
©

Jonathan  Risto,  [email protected]  

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.
 Wireless Networks and the Windows Registry ± Just where has your computer been?   1
5
 

s.
t
igh
lr
ul
f
ns
ai
et
rr
ho
t
Figure  14  -­  Static#000  registry  details  
 
Au

Most systems have connected to many wireless networks on the wireless interface
e,

installed. A laptop system that has been active for a longer period would likely display
ut

multiple values, such as seen in Figure 15.

t
i
t
ns
I
NS
SA
11
20
©

 
Figure  15  -­  Typical  wireless  settings  view

Jonathan  Risto,  [email protected]  

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.
 Wireless Networks and the Windows Registry ± Just where has your computer been?   1
6
 
 
Within figure 15, each of the Static#xxx lines is a separate wireless network that
the computer has connected to. The more entries located here, the more wireless

s.
t
networks the computer has connected to.

gh
Because the system locks the hives when active, analysis on an active system is

i
lr
not possible, and so creting a copy is required.

ul
To quickly find and determine all of this information, we can use the previously

f
mentioned tool Regripper to create a copy of the registry hives. When launching

ns
regripper, you will be presented with a screen similar to the following:

ai
et
rr
ho
t
Au
e,
t
iut
t
ns
I
NS

 
SA

Figure  16  -­  Regripper  main  screen

11

To run the program, 3 pieces of information are needed: the hive location, the
20

RXWSXWILOHQDPHDQGWKHKLYHW\SH SOXJLQILOH :LWKWKLVLQIRUPDWLRQFOLFNRQWKH³5LS

,W´EXWWRQDQGWKHRXWSXWILOHZLOOEHFUHDWHG$VDPSOHRXWSXWVFUHHQXVLQJWKHV\VWHP
©

registry hive is shown in Figure 17.

Jonathan  Risto,  [email protected]  

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.
 Wireless Networks and the Windows Registry ± Just where has your computer been?   1
7
 

s.
t
igh
lr
ul
f
ns
ai
et
rr
ho
t
Au

 
Figure  17  -­  regripper  output
e,
ut

After the program has completed running, the text file output contains all of the
t
i
t

information that was contained within the hive. It provides the key location, as well as the
ns

details surrounding the data stored within those keys, in text format, with all values
I

decoded. An examples of information provided in the system hive relative to wireless

NS

settings is as follows:
SA

Network key
11

ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
20

Interface {0E6EA4A0-E8D2-4DEC-A2E4-26DDA65291FB}
LastWrite time Sat Aug 22 14:30:50 2009 (UTC)
©

Name = Wireless Network Connection

PnpInstanceID =
PCI\VEN_168C&DEV_0013&SUBSYS_3A131186&REV_01\4&5855BE9&0&10F0
MediaSubType =2

Jonathan  Risto,  [email protected]  

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.
 Wireless Networks and the Windows Registry ± Just where has your computer been?   1
8
 
IpCheckingEnabled = 1

Interface {3FFB9D68-E701-40DE-ADAC-1F69A4EEA438}

s.
LastWrite time Sun June 13 12:20:55 2010 (UTC)

t
gh
Name = Wireless Network Connection 2

i
lr
PnpInstanceID = USB\VID_07B8&PID_6001\5&30589810&0&7

ul
MediaSubType =2

f
ns
This provides the {GUID} of each interface, what each interface is called, as well

ai
as when each interface was last changed. Details surrounding the IP data for that network

et
are also found within the report.

rr
ho
t Interface {3FFB9D68-E701-40DE-ADAC-1F69A4EEA438}
Name: Wireless Network Connection 2
Au

Control\Network key LastWrite time Sun June 13 12:20:55 2010 (UTC)

e,

Services\Tcpip key LastWrite time Sun June 13 16:30:57 2010 (UTC)

ut

DhcpDomain =
t
i
t

DhcpIPAddress = 172.18.0.100
ns

DhcpSubnetMask = 255.255.255.0
I

DhcpNameServer =
NS

DhcpServer = 172.18.0.240
SA

Interface {0E6EA4A0-E8D2-4DEC-A2E4-26DDA65291FB}
11

Name: Wireless Network Connection

20

Control\Network key LastWrite time Sat Aug 22 14:30:50 2009 (UTC)

Services\Tcpip key LastWrite time Sun June 13 18:27:30 2010 (UTC)
©

DhcpDomain = gateway.2wire.net
DhcpIPAddress = 172.19.5.6
DhcpSubnetMask = 255.255.255.0
DhcpNameServer = 172.19.5.244
DhcpServer = 172.19.5.244

Jonathan  Risto,  [email protected]  

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.
 Wireless Networks and the Windows Registry ± Just where has your computer been?   1
9
 

This provides us with all of the IP address information associated with the
wireless interfaces, collected all together in an easy to read format. Next, performing the

s.
same task with the software hive, the following additional wireless information is found:

t
igh
lr
NetworkCards

ul
Microsoft\Windows NT\CurrentVersion\NetworkCards

f
ns
Intel(R) PRO/100 VE Network Connection [Sat Aug 15 00:32:55 2009]

ai
XPC 802.11b/g Wireless Kit [Sun June 13 12:20:55 2010]

et
D-Link AirPlus DWL-G520 Wireless PCI Adapter(rev.B) [Tue Aug 11 00:58:08

rr
2009]
ho
t ----------------------------------------
SSID
Au

Microsoft\WZCSVC\Parameters\Interfaces
e,
ut

NIC: D-Link AirPlus DWL-G520 Wireless PCI Adapter(rev.B)

t
i
t

Static#0000 SSID : rocky - go away :) [Sun June 13 03:47:36 2010]

ns

Static#0001 SSID : Not yours - Disconnect [Sun June 13 18:26:09 2010]

I

NIC: XPC 802.11b/g Wireless Kit

NS

Static#0000 SSID : Not your AP - go away :) [Sun June 13 16:30:33 2010]

Static#0001 SSID : Not yours - Disconnect [Sun June 13 13:10:15 2010]
SA

Static#0002 SSID : New rocky - go away :) [Sun June 13 14:08:54 2010]

11
20

From this information, it can be determined that both network cards were
connected to the same SSID at one point, and, in total, there are 4 different networks that
©

have been connected. This tool removes the need to go manually into the registry and
calculate values and parameters. An excellent time saver for sure, but if the raw registry
format needs to be examined, an example of the information contained within the TCPIP
parameters is shown in Figure 18  

Jonathan  Risto,  [email protected]  

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.
 Wireless Networks and the Windows Registry ± Just where has your computer been?   2
0
 
 
 

s.
t
igh
lr
ul
f
ns
ai
et
rr
ho
t
Au
e,
t
iut
t
ns
I
NS
SA
11

Figure  18  -­  Example  TCPIP  parameters  registry  key  

20

 
©

2.3. Automating Registry Analysis

 
A simple tool, Active Registry Monitor (About Active Registry Monitor, 2010),
was used to perform registry comparisons throughout this paper to help determine
registry key locations. With this tool, changes made from one registry scan to the next

Jonathan  Risto,  [email protected]  

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.
 Wireless Networks and the Windows Registry ± Just where has your computer been?   2
1
 
can be compared to view which keys and values have changed. For example, when a new
USB wireless device is connected to a Windows Vista system, the following information
is displayed:

s.
t
 

igh
lr
ul
f
ns
ai
et
rr
ho
t
 
Au

Figure  19  -­  Installing  a  new  device  on  Windows  Vista  

e,

       
ut

 This installation creates a large number of registry key, and by using the Active
t
i

Registry Monitor program, it is easy to determine which keys have changed. In this
t
ns

example, a new USB wireless NIC was inserted into the computer in question. A scan
I

was performed prior to inserting the USB device and again immediately after the system
NS

installation was completed. As shown in Figure 21, there were 259 additions to the
registry from this task. Some wireless specific key data is shown in Figures 21 and 22.
SA
11
20
©

Jonathan  Risto,  [email protected]  

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.
 Wireless Networks and the Windows Registry ± Just where has your computer been?   2
2
 

s.
t
igh
lr
ul
f
ns
ai
et
rr
Figure  20  -­  Keys  added  from  installing  a  new  USB  Wireless  NIC  
ho
t
Au
e,
t
iut
t
ns
I
NS
SA

Figure  21  -­  TCPIP  parameters  created  with  the  installation  of  a  new  NIC  
 
11

With this program, it is possible to determine exactly what registry keys are
changed when certain activities occur on a specific computer. For example, when a
20

system connects to a network or when a system is connecting to a new network, this tool
©

can quickly map out all this information to show exactly which registry keys are
impacted and to aid the examiner during future investigations.

Jonathan  Risto,  [email protected]  

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.
 Wireless Networks and the Windows Registry ± Just where has your computer been?   2
3
 
3. Conclusions
 
A Windows registry contains most of the configuration settings for the specific

s.
computer. With some knowledge of key locations as well as some basic analysis of the

t
gh
registry keys shown within this paper, an examiner is able to discover wireless network

i
connection information, including when and where these networks were connected to, the

lr
ul
IP addresses assigned, and the identification of these networks, either by SSID or by

f
MAC addresses. It has been shown where this information is stored within the registry, as

ns
well as providing some tools that can assist in locating and decoding the various registry

ai
values more efficiently that via manual methods. Understanding the location of the

et
registry keys, and the means to decode the values contained within provides the incident

rr
responder and analyst a powerful avenue for determining possible vectors for infection as
ho
well as verifying compliance with wireless polices that may be in place.
t
 
Au

 
 
e,
t
iut
t
ns
I
NS
SA
11
20
©

Jonathan  Risto,  [email protected]  

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.
 Wireless Networks and the Windows Registry ± Just where has your computer been?   2
4
 
 
 

s.
4. References

t
gh
 
About  Active  Registry  Monitor.  (2010).  Retrieved  April  10th,  2010  from  Device  Lock  website:  

i
http://www.devicelock.com/arm/      

lr
ul
 Windows  Registry  information  for  Advanced  Users.  (2008).  Retrieved  March  20,2010  from  Microsoft  
Support  website:  http://support.microsoft.com/kb/256986    

f
 

ns
 Windows  Registry  information  for  Advanced  Users.  (2008).  Retrieved  March  20,2010  from  Microsoft  
Support  website:  http://support.microsoft.com/kb/256986  

ai
 

et
 Free  Tool  Ȃ  DCODE.  (2009).  Retrieved  April  4th,  2010  from  Digital  Detective  website:  
http://www.digital-­‐detective.co.uk/freetools/decode.asp    

rr
 
 Computer  Forensics/E-­Discovery  Tips/Tricks  and  Information.  (2009).  Retrieved  April  4th,  2010  from  
ho
Computer  Forensics/E-­‐Discovery  Tips/Tricks  and  Information  website:  http://cfed-­‐
ttf.blogspot.com/2009/08/decoding-­‐datecreated-­‐and.html    
t
 
Au

 Skyhook.  (2010).  Retrieved  August  19th,  2010  from  Skyhook  website:  

http://www.skyhookwireless.com/    
e,

 
 Carvey,  Harlan.  (2010).  RegRipper.    Retrieved  June  10,  2010  from  RegRipper  website:  
ut

http://regripper.net/      
 
t
i

 Carvey,  Harlan.  (2009).  Windows  Forensics  Analysis.  Burlington,  MA:  Syngress  Publishing
t

 
ns
I
NS
SA
11
20
©

Jonathan  Risto,  [email protected]  

©2011TheSANSI
nst
it
ute Aut
horr
etai
nsf
ull
right
s.