Network Interfaces

Having the last known IP address of a machine can help you to identify if it was in the wrong segment of the network (everyone does segment their network…. right?), if the address was static or dynamically assigned or if it had been connected directly to the internet.

Within the System Hive there lives a key, the address of that key is thus:

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

Registry_Viewer_Interfaces

Regviewer will give you this nice view, highlighted is the last DHCP address this machine had. As you can see from a lot of the other fields this is a one-stop shop for basic interface information.

The name of the Key (starting C1CC) is the GUID of the NIC, my next post will show why this is relevant…. get a pen and write it down! I actually don’t know what this VM was connected to, those details are not from any of my networks, so lets go find out shall we?

This entry was posted in Windows Forensics, Windows Registry Forensics and tagged , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s