Thursday, February 4, 2016

EnCase v7 EnScript to parse WiFi/Network Profiles

This is an updated EnCase v7 EnScript to parse the WiFi profiles that may exist on Windows 7/8/10 system in the following locations:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
Running the EnScript displays a simple message box:

The EnScript will then search the case for all SOFTWARE registry hives that it can find based on name and location (\windows\system32\config) and attempt to parse any WiFi profile keys that may exist. All output is to the console in CSV format for quick import into Excel (copy and paste).

The EnScript parses the profile name, DNSSuffix (helpful sometimes in identifying owner or location of the network), MAC address of the access point, creation date/time of the profile & last connection date/time to the profile.

If you have access to the Google geolocation API, you can then possibly geolocate the WiFi access points based on the MAC address, which can tell an interesting story when also lined up by dates & times.

Download Here

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles