Welcome back to Windows Registry Forensic Course 5, the Software Hive File. In Section 2, we're going to be looking at networks and browsers. We're going to be mainly concentrating on the NetworkList subkey and the keys beneath it. We're going to look at wireless network connections, we're going to look at the installed Internet browsers, all the Internet browsers that are installed on the machine, and we're going to locate which one is the default Internet browser for that particular machine.

Now the first keys we're going to take a look at, like I said, are under the NetworkList subkey. It's located in the SOFTWARE hive, and the path is Microsoft\Windows NT\CurrentVersion\NetworkList. Under the NetworkList subkey there are two other subkeys of interest, called Profiles and Signatures. The Profiles subkey contains network information stored by GUID, and this information includes the date first connected and the date last connected. It'll show us the date this machine was first connected to the wireless network and the date it was last connected to that network. That's in the Profiles subkey, beneath the NetworkList subkey.

Now the Signatures subkey gives us a little bit more information about the wireless network. The Signatures subkey stores profile information and the gateway MAC address of the network that was connected to. The Signatures subkey also has two additional subkeys below it, called Managed and Unmanaged. The Managed subkey indicates a managed network like a domain. The Unmanaged subkey indicates a simple network connection like a home computer or wireless router. Each subkey is represented as a GUID. The ProfileGuid value in the subkey will correspond to the Profiles subkey. We're going to see what we mean by that in just a second when we look at it. In walk-through number 1, we're going to look at these three subkeys: the NetworkList subkey, the Profiles subkey, and the Signatures subkey.
This all pertains to wireless network connections. Now when we look at the values in the NetworkList subkey, we're going to be able to get all this information out of here: the network name, the network type, first connected, last connected, whether or not it's managed, its DNS suffix, the gateway MAC address and the profile GUID. All of these are contained within the NetworkList subkey and the additional keys beneath it.

This is what it's going to look like when we take a look at it. We have a parent key of NetworkList; beneath that we have Profiles, and then we have Signatures, with Managed and Unmanaged beneath Signatures. Managed, like I said, would be a corporate environment, a domain network. Unmanaged is more like your home network, your wireless router.

The Profiles subkey is going to have a lot of values under it. The ProfileName is the SSID, or the server that it was connected to. We have a Description value, and that usually matches the profile name. Then we have a value called Managed. This is what tells you whether or not the network is managed: if the value in the Managed column is 0, it would be a wireless router, and if the value is 1, that would mean it is a managed network that connects to a server. DateCreated is the date the device first connected to the wireless network, and DateLastConnected is what it says it is, the date last connected to the wireless network. We're going to take a look at the Profiles subkey and see these values within it. Now, when we look at the subkey itself, those times are stored as a 128-bit Windows SYSTEMTIME structure, so when we look at the subkey we're going to see hex values.
We're going to have to decode those hex values to get the first connected and last connected dates. What we need to remember here is that the date format is the 128-bit SYSTEMTIME structure.

When we look at the default gateway, we're under the Signatures subkey, where we have the MAC address, and that MAC address is the default gateway. If you run ipconfig, you can find the default gateway you're currently connected to. Then if you run an arp -a command in a Windows command prompt, you would be able to resolve that IP address to a MAC address. We would know the MAC address we were looking for because we would have that information in the Signatures subkey. Now, ARP is the Address Resolution Protocol. It is a method for finding a host's link-layer MAC address. The ARP table is used to maintain a correlation between each MAC address and its corresponding IP address. The ARP table can be corrupted, and it can be manually edited by a user. That's something for another course, but keep in mind the ARP table can be tampered with.

The items we're going to use in this section: we're going to use Registry Explorer and Ivan's SOFTWARE hive, and if you want to decode those timestamp values, you're going to need DCode. Let's go ahead and bring up Registry Explorer. If you haven't done so already, go to File, Load hive, navigate to the SOFTWARE file, and click "Open" to load the hive. We are now going to navigate to the NetworkList subkey. We can use the bookmarks: Common, NetworkList, and we see our NetworkList subkey. We see we have all the information here. What you saw in that slide was the export: I exported it and then put it into the slide so we could see it. It is easier to view exported. It's not too bad up here; you can move the columns around, but you can see all the dates and times, the gateway MACs, and the profile GUIDs. When we expand the NetworkList subkey, we can see the Profiles subkey.
We expand Profiles and we see these GUIDs. Each of these GUIDs represents one entry in that table; it represents a wireless network that the machine connected to. Here we see the dates created. DateCreated is the date first connected, and DateLastConnected is the date last connected. We see the profile name, which is Network. We see that it is not a managed network, because the value in the Managed column is 0, and the description does indeed match the profile name. We can look through all of these. Network 4 was the one in the earlier slide where I showed you the MAC address, but we'll take a look at that when we get to Signatures. It shows the networks, the profile name, the description, the first connected and the last connected.

Under the Signatures key we see Managed; here we have no managed networks, so there were no domains or servers. We see Unmanaged, and under Unmanaged we see more GUIDs. When we click on them, we can now see more information. We see a ProfileGuid. This ProfileGuid is going to match one of the GUIDs under Profiles. In this case it matches this one, the 5EE, which is Network 4, the last network it was connected to, or rather the most recent network it was connected to. We see the network description. It's a local domain. Here is where we see that default gateway MAC address, and each one of these entries corresponds to one of the profile GUIDs. The ProfileGuid will match one of the GUIDs under the Profiles subkey, and that identifies the network. That one, 0C, is Network 2. Again, we have the same information and we have that GUID. This can be very important if you're looking for a specific connection to a network.
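To show what those DateCreated / DateLastConnected hex values decode to, and how a Signatures entry ties back to its Profiles entry through ProfileGuid, here is a small Python example added for this write-up; it is not code from the course or from Registry Explorer, and the GUID, key name, dates and gateway MAC in it are constructed sample values.

```python
import struct
from datetime import datetime

# DateCreated / DateLastConnected under NetworkList\Profiles\<GUID> are a 128-bit
# SYSTEMTIME: eight little-endian WORDs (year, month, day-of-week, day, hour,
# minute, second, milliseconds). Day-of-week is redundant and skipped.
def decode_systemtime(raw: bytes) -> datetime:
    if len(raw) != 16:
        raise ValueError("SYSTEMTIME must be exactly 16 bytes")
    year, month, _dow, day, hour, minute, second, msec = struct.unpack("<8H", raw)
    return datetime(year, month, day, hour, minute, second, msec * 1000)

def format_mac(raw: bytes) -> str:
    # DefaultGatewayMac is a 6-byte REG_BINARY; render it as a MAC string.
    return "-".join(f"{b:02X}" for b in raw)

# Constructed sample values (not from the course's hive), shaped like what an
# examiner reads out of Profiles\<GUID> and Signatures\Unmanaged\<key>.
PROFILES = {
    "{5EE0C0DE-0000-4000-8000-000000000004}": {
        "ProfileName": "Network 4", "Description": "Network 4", "Managed": 0,
        "DateCreated": bytes.fromhex("e507 0b00 0200 1700 0e00 1e00 0500 0000"),
        "DateLastConnected": bytes.fromhex("e507 0c00 0500 0300 0900 0000 0000 0000"),
    },
}
SIGNATURES_UNMANAGED = {
    "CONSTRUCTED-SIGNATURE-KEY-1": {  # placeholder name; real key names differ
        "ProfileGuid": "{5EE0C0DE-0000-4000-8000-000000000004}",
        "Description": "Network 4", "DnsSuffix": "localdomain",
        "DefaultGatewayMac": bytes.fromhex("001a2b3c4d5e"),
    },
}

def correlate(profiles: dict, signatures: dict) -> list:
    # Join each Signatures entry to its Profiles entry through ProfileGuid and
    # return one flattened record per network, like Registry Explorer's summary.
    records = []
    for sig in signatures.values():
        prof = profiles.get(sig["ProfileGuid"])
        if prof is None:
            continue  # orphaned signature: its Profiles entry is gone
        records.append({
            "Name": prof["ProfileName"],
            "Managed": bool(prof["Managed"]),
            "FirstConnected": decode_systemtime(prof["DateCreated"]),
            "LastConnected": decode_systemtime(prof["DateLastConnected"]),
            "GatewayMac": format_mac(sig["DefaultGatewayMac"]),
            "DnsSuffix": sig["DnsSuffix"],
        })
    return records
```

Note that SYSTEMTIME carries no time zone, so the decoded values are whatever clock the system wrote, typically local time.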
If you believe somebody may have connected into your network, or connected to your machine through your network or through another network, or if you're looking at somebody who took their laptop somewhere and used a public default gateway to do something nefarious where they didn't think they could be tracked, that gateway MAC address still resides in the SOFTWARE hive on their computer, and we can show that. The really nice thing is that not only do we have first connected and last connected times, we also have times on all these subkeys, which will match the times for first and last connected. But it's nice to be able to see the first time something connected and the last time.

All the information, just to review one more time: we're getting a name, we're getting a type. These are all saying that they're wired. They're probably not, but that's what they're saying. We have first connected, last connected, the MAC address of the default gateway, and we have those profile GUIDs to match to the Profiles subkey. We can also see those profile GUIDs in the Unmanaged or Managed subkey under Signatures, depending on which network you're looking at. We can glean quite a bit of information from here, and it gives us a much better understanding of the networks the machine was connecting to.

Let's take a look at browsers next. But before we do that, let's go ahead and collapse these subkeys, because we're going to do another exercise with browsers and we want to start clean. You can minimize Registry Explorer and go back to the PowerPoint.

Browsers installed and default browsers. The main subkey we're going to be looking at here is StartMenuInternet, and the location of this subkey is under SOFTWARE\Clients\StartMenuInternet. This is where we're going to look to find our default browser.
It's also where we see the browsers that are installed on the particular machine we're looking at, which might be important to us if connections were made over a certain Internet browser. We're going to look at the installed Internet browsers and the default Internet browser. The items we're going to use: we need Registry Explorer, and we're going to use Ivan's SOFTWARE hive, the same file we've been using.

Let's go ahead and bring back up Registry Explorer. Now we're going to navigate to that key. We can go to our bookmarks, Common, and we want to go to StartMenuInternet, which is our default web browser. We can click on that, and we can see the key path down below: Clients\StartMenuInternet. When we look at the key, we notice it does have a last write time. We can see right here in the data that our default browser value name is (Default) and the data is IEXPLORE.EXE, which is Internet Explorer. On this particular computer, the default browser is Internet Explorer. Now we expand this key and we can see beneath it the other browsers that are installed on the computer. Again, we do have a last write time. This is going to correspond to the date when these browsers were installed on the system. It's not going to be the last time these browsers were launched; it's going to be the last time these browsers were installed on the system. We know what our default browser is and we can see what the installed browsers on the computer are. We can go ahead and minimize Registry Explorer. In the next section, we are going to look at USB connected devices and a block.