Thursday, February 4, 2016

EnCase v7 EnScript to parse WiFi/Network Profiles

This is an updated EnCase v7 EnScript to parse the WiFi profiles that may exist on Windows 7/8/10 systems in the following locations:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

Running the EnScript displays a simple message box.



The EnScript will then search the case for all SOFTWARE registry hives that it can find based on name and location (\windows\system32\config) and attempt to parse any WiFi profile keys that may exist. All output is to the console in CSV format for quick import into Excel (copy and paste).

The EnScript parses the profile name, DNSSuffix (helpful sometimes in identifying owner or location of the network), MAC address of the access point, creation date/time of the profile & last connection date/time to the profile.
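The decoding and correlation described above, as an added Python example (not the EnScript offered for download and not the author's code). It assumes the standard Windows value names under these keys (ProfileGuid, DnsSuffix, DefaultGatewayMac, ProfileName, DateCreated, DateLastConnected), which the page itself does not list, and it works on constructed byte values rather than a real hive.

```python
import csv, io, struct
from datetime import datetime

FIELDS = ["ProfileName", "DnsSuffix", "GatewayMac", "Created", "LastConnected"]

def parse_systemtime(raw):
    """Decode a 16-byte SYSTEMTIME (eight little-endian uint16 fields)."""
    if len(raw) != 16:
        return None
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    try:
        # Assumption: the value is local system time, so no UTC conversion here.
        return datetime(year, month, day, hour, minute, second, ms * 1000)
    except ValueError:  # zeroed or corrupt value
        return None

def format_mac(raw):
    # DefaultGatewayMac is a 6-byte binary value; anything else is left blank.
    return ":".join(f"{b:02X}" for b in raw) if len(raw) == 6 else ""

def correlate(profiles, signatures):
    """Join Signatures\\Unmanaged entries to Profiles entries via ProfileGuid."""
    rows = []
    for sig in signatures:
        prof = profiles.get(sig.get("ProfileGuid", ""), {})
        created = parse_systemtime(prof.get("DateCreated", b""))
        last = parse_systemtime(prof.get("DateLastConnected", b""))
        rows.append({
            "ProfileName": prof.get("ProfileName", ""),
            "DnsSuffix": sig.get("DnsSuffix", ""),
            "GatewayMac": format_mac(sig.get("DefaultGatewayMac", b"")),
            "Created": created.isoformat(sep=" ") if created else "",
            "LastConnected": last.isoformat(sep=" ") if last else "",
        })
    return rows

def to_csv(rows):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

# Constructed sample values (not taken from a real SOFTWARE hive).
GUID = "{00000000-0000-0000-0000-000000000001}"
PROFILES = {GUID: {"ProfileName": "ExampleCafe",
    "DateCreated": struct.pack("<8H", 2016, 1, 2, 12, 9, 30, 15, 0),
    "DateLastConnected": struct.pack("<8H", 2016, 2, 3, 3, 18, 5, 42, 500)}}
SIGNATURES = [{"ProfileGuid": GUID, "DnsSuffix": "example.net",
               "DefaultGatewayMac": bytes.fromhex("001122aabbcc")}]

if __name__ == "__main__":
    print(to_csv(correlate(PROFILES, SIGNATURES)), end="")
```

To use it on evidence, fill `profiles` and `signatures` from the values of an exported SOFTWARE hive with whatever offline registry reader you already trust.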



If you have access to the Google geolocation API, you can then possibly geolocate the WiFi access points based on the MAC address, which can tell an interesting story when also lined up by dates & times.

Download Here

2 comments:

Eswar-4n6 Wednesday, 08 June, 2016  

Sir,

Can you please help me in retrieving the serial number of the parent Hard Disk from registry files retrieved from an image and a way to ascertain whether there is a change in the hard disk.

Lance Mueller Thursday, 09 June, 2016  

Which serial number? The physical hard drive serial number, the disk signature or a volume serial number?


Computer Forensics, Malware Analysis & Digital Investigations
