Network History and Decoding System Time

Following on from my last post we had a GUID starting C1CDD (normally I would write the whole GUID down, but for the sake of not boring you all, I will keep it short), in this post we are going to see how that is useful.

Starting inside the Software Hive and finding the following key (Zelda style)

SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

Registry_Viewer_NetworkCards_Key

As you can see from the massive list of network cards (you will most likely have more than one, depending on where the machine has been used) key ‘1’ contains the C1DCC GUID from earlier. You can now associate that with the Intel 82574L NIC. This will be useful to prove it was the actual NIC in the machine and not a VM (or vice versa)

Next Zelda, I need you to find the following Key

SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet

Registry_Viewer_Network_NLA

Under Cache you may also have ‘Wireless’, but as no wireless card is configured with this VM, we don’t have one here. Under Intranet you will see a list of domains that your machine has been connected to. ‘localdomain’ is the same domain as the previous post shows us (go see for yourself) and there is that magical C1CDD again. This time pointing at the MAC Address of the default gateway of the ‘localdomain’ network.

Next my Robin Hood/Yellow Haired Elf Hybrid we need to find this Key

SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged

Registry_Viewer_Signatures_Unmanaged

This part can be a little annoying if unlike me you have multiple entries in here, click through until you get a match of ‘DefaultGatewayMac’ with the MAC address from the previous step (you are making notes of all these and where you got them from…. right?). If you know of another way of finding this please leave a comment below, everyday is a school day after all.

Now make a note of the ‘ProfileGuid’

And now young Zelda, for the final Key, not technically the Boss Key, but still…

SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

Registry_Viewer_Network_Profiles

Under the Profiles key you will see the ProfileGuid as a key name. This Key holds the data regarding the first and last time the network was connected to. Both of these date stamps are in 128 bit System time, which I will go through decoding in a moment. Firstly you will notice the ‘ProfileName’ does not match the ‘localdomain’, this is due to it being a cabled network, a Wireless network gives the name of the SSID here as well as under ‘Description’, the way you confirm this is a wired network is from the ‘NameType’ field, here is a short list of possible options you will meet:

  • 0x47 = Wireless
  • 0x06 = Wired
  • 0x17 = 3g

In order to decode the 128 bit system time you will need to use

DCode_Date_Icon

Dcode Date can decode a variety of times from Windows (except Microsoft seconds, no one can figure those things out, luckily we aren’t installing anything)

registry_Viewer_128bit_System_Time_Hex

Highlight the Hex from the bottom right window, then either CTRL+H or right click -> Copy Hex and paste it into DCode Date, ensure ‘Windows 128 bit SYSTEM structure’ is selected from the drop down and hit Decode. You should see the outcome as below:

DCode_Date_Screenshot

 

This entry was posted in Decoding Time, Windows Forensics, Windows Registry Forensics and tagged , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s