What Windows Doesn't Keep Silent About. Forensic Network Artifacts on the Host

Hello digital detectives!

Network forensics is concerned with establishing who connected to what, from where and when, and which data was sent and received. Seen from the angle of incident investigation and security tooling, the questions are whether the traffic was malicious and whether it points to an anomaly: corporate users reaching resources they should not have access to, traffic spikes from workstations outside working hours, and so on. In this article we look at which network artifacts can be obtained from a Windows host that was not specially configured for logging in advance.

The first thing you can find out is the list of network interfaces and the parameters last set for them (IP address, mask, gateway, whether DHCP was used, and information about the interface itself). All of this lives in several places in the Windows registry.

Let's start with the first location: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}.

The key name {4d36e972-e325-11ce-bfc1-08002be10318} is the GUID of the Network Adapter device setup class (Microsoft publishes these class GUIDs for use in drivers and system components). Each subkey in this location describes a separate interface; the subkey name is the interface's unique identifier within the system, and the same identifier turns up in the other registry locations below. Subkey parameters and their purpose:

  • Name – interface name.

  • PnPInstanceId – Windows Plug and Play device identifier.

  • MediaSubType – connection type; for Wi-Fi this is always the DWORD value 00000002, for a wired LAN connection it is usually DWORD 00000001.

  • ShowIcon – most likely tells the system whether to show the adapter icon in the taskbar.

Second location in the registry: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\.
Some of the subkey names match the subkey names from the first location. Subkey parameters and their purpose:

  • AddressType – most likely indicates the IPv4/IPv6 protocol type.

  • EnableDHCP – if it is 1, then the interface parameters were received via DHCP.

  • dhcpserver – DHCP server address.

  • DhcpIPAddress – address received from the DHCP server.

  • DhcpSubnetMask – network mask received from the DHCP server.

  • DhcpSubnetMaskOpt – network mask received from the DHCP server; the received value is written here first and then applied to DhcpSubnetMask.

  • DhcpDefaultGateway – default gateway obtained from DHCP.

  • DhcpNameServer – DNS server addresses.

  • DefaultGateway – default gateway.

  • IPAddress – address specified manually.

  • SubnetMask – subnet mask.

  • NameServer – DNS server addresses.

  • LeaseObtainedTime – time of receiving parameters from DHCP.

  • LeaseTerminatesTime – DHCP parameters expiration time.

Third location in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}. There are no interface settings here, but the parameter values in this location tell you what a particular interface was used for. For example, VPN interfaces can be identified from the DriverDesc and ProviderName values. The interfaces here can be matched to the interfaces from the other registry paths through the RootDevice value in each interface's Linkage subkey. Subkey parameters and their purpose:

  • DriverDesc – description of the network interface driver.

  • ProviderName – organization/vendor.

  • InstallTimeStamp – date the network interface was added to the system, stored as a SYSTEMTIME structure in little-endian byte order (displayed as a hexadecimal string).

The data from the fourth location duplicates the information from the second location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces.

Finally, the data from the last location is similar, but for the IPv6 protocol: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces.
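To see how the first two locations fit together in practice, here is an added Python example (not code from the original article) that joins the per-interface data from the Control\Network and Tcpip\Parameters\Interfaces keys on the interface GUID, picks the DHCP or static values depending on EnableDHCP, and converts the lease times. The dictionaries, GUIDs and addresses are constructed sample data mimicking exported registry values; on a real case you would fill them from a hive parser or a live system. The lease-time conversion assumes the documented encoding of LeaseObtainedTime/LeaseTerminatesTime as Unix epoch seconds in a DWORD.

```python
"""Summarise Windows network-interface settings from registry values.

Added example, not from the original article.  Input: two dicts keyed by
interface GUID, mimicking the values found under
  HKLM\\SYSTEM\\ControlSet001\\Control\\Network\\{4D36E972-...}\\<GUID>\\Connection
  HKLM\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Interfaces\\<GUID>
"""
from datetime import datetime, timezone

# Constructed sample data: a DHCP-configured Wi-Fi adapter and a statically
# configured wired adapter.  GUIDs and addresses are invented.
NETWORK_KEYS = {
    "{1A2B3C4D-0000-4000-8000-000000000001}": {"Name": "Wi-Fi", "MediaSubType": 2},
    "{1A2B3C4D-0000-4000-8000-000000000002}": {"Name": "Ethernet", "MediaSubType": 1},
}

TCPIP_INTERFACES = {
    "{1A2B3C4D-0000-4000-8000-000000000001}": {
        "EnableDHCP": 1,
        "DhcpServer": "10.0.0.1",
        "DhcpIPAddress": "10.0.0.57",
        "DhcpSubnetMask": "255.255.255.0",
        "DhcpDefaultGateway": ["10.0.0.1"],          # REG_MULTI_SZ -> list
        "DhcpNameServer": "10.0.0.1 10.0.0.2",
        "LeaseObtainedTime": 1700000000,             # Unix epoch seconds (assumed encoding)
        "LeaseTerminatesTime": 1700086400,
    },
    "{1A2B3C4D-0000-4000-8000-000000000002}": {
        "EnableDHCP": 0,
        "IPAddress": ["192.168.50.10"],
        "SubnetMask": ["255.255.255.0"],
        "DefaultGateway": ["192.168.50.1"],
        "NameServer": "192.168.50.1",
    },
}


def unix_time(value):
    """Lease times are Unix epoch seconds; return ISO-8601 UTC, or None if absent."""
    if value is None:
        return None
    return datetime.fromtimestamp(int(value), tz=timezone.utc).isoformat()


def first(value):
    """REG_MULTI_SZ values arrive as lists; take the first entry, else the string."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def summarise_interface(guid, conn, tcpip):
    """Merge one interface's Connection values with its Tcpip values."""
    dhcp = int(tcpip.get("EnableDHCP", 0)) == 1
    prefix = "Dhcp" if dhcp else ""        # Dhcp* values win when DHCP was in use
    return {
        "guid": guid,
        "name": conn.get("Name"),
        "media": {1: "wired", 2: "wifi"}.get(conn.get("MediaSubType"), "unknown"),
        "dhcp": dhcp,
        "ip": first(tcpip.get(prefix + "IPAddress")),
        "mask": first(tcpip.get(prefix + "SubnetMask")),
        "gateway": first(tcpip.get(prefix + "DefaultGateway")),
        "dns": tcpip.get(prefix + "NameServer"),
        "dhcp_server": tcpip.get("DhcpServer") if dhcp else None,
        "lease_obtained": unix_time(tcpip.get("LeaseObtainedTime")),
        "lease_expires": unix_time(tcpip.get("LeaseTerminatesTime")),
    }


def summarise_all(network_keys, tcpip_interfaces):
    """Join both locations on the GUID; a GUID present in only one side is still reported."""
    return [
        summarise_interface(guid, network_keys.get(guid, {}), tcpip_interfaces.get(guid, {}))
        for guid in sorted(set(network_keys) | set(tcpip_interfaces))
    ]


if __name__ == "__main__":
    for row in summarise_all(NETWORK_KEYS, TCPIP_INTERFACES):
        print(row)
```

A GUID that appears in Tcpip\Parameters\Interfaces but not in Control\Network (or the other way round) is worth a second look: it usually means an adapter that was removed, or a tunnel/VPN adapter that only the Class key describes.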

Windows event logs can tell you exactly when a host connected to a network (Wi-Fi or wired). In the directory C:\Windows\System32\winevt\Logs the file of interest is Microsoft-Windows-NetworkProfile%4Operational.evtx. Its events with ID 10000 “Network Connected” record the fact of connecting to a network. Besides the connection time, the event contains:

  • Network type (managed or unmanaged). A managed network means the host is part of a domain, i.e. it is a corporate network and the host is managed by one or more domain controllers. An unmanaged network is a “home” network (WORKGROUP).

  • The network category, which determines system behaviour and the Windows Firewall rules in effect. On a Private network the system enables network discovery, i.e. it tries to find neighbouring Windows hosts; this uses Microsoft's WS-Discovery (WSD) protocol and is needed for file sharing. On a Public network this functionality is disabled by default.

Events with ID 10001 “Network Disconnected” in the same file record disconnection from a network and carry the same information as event 10000.

More information about connections to wireless networks can be found in the log file Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx. It belongs to the WLAN AutoConfig service (Wireless LAN Service), which in Windows is responsible for interaction with Wi-Fi networks.

Events with ID 8000 “WLAN AutoConfig service started a connection to a wireless network” tell us that a Wi-Fi connection has been initiated. Useful information in this event:

  • The name of the network interface and its GUID (can be compared with registry information).

  • SSID (Service Set Identifier, access point name) of a Wi-Fi network.

  • Connection Mode: if the value is “Automatic connection with a profile”, the host has connected to this network before and the Wi-Fi password has been saved.

Events with ID 8001 “WLAN AutoConfig service has successfully connected to a wireless network” record a successfully established Wi-Fi connection. The useful information is the same as in event 8000, plus some technical details of the connection itself (authentication type, encryption, Physical Layer (PHY) type).

Events with ID 11000 “Wireless network association started” show the local MAC address the host used when connecting to Wi-Fi. The MAC address of the network device the host connected to can also be recovered from Windows, but it is stored separately, in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures, in the “Managed” and “Unmanaged” keys (according to the network type); in the nested keys it is the DefaultGatewayMac parameter. The same location holds the ProfileGuid, i.e. the unique identifier of the network profile.

Events with ID 8003 “WLAN AutoConfig service has successfully disconnected from a wireless network” record disconnection from a Wi-Fi network. The useful information is the same as in event 8000, plus a Reason field giving the reason for the disconnection (useful less for forensics than for troubleshooting).
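The two logs above are easiest to work with once their events are exported as XML (wevtutil qe /f:xml or Get-WinEvent's ToXml() both produce the schema used here). The following added Python example, not code from the original article, parses such XML and builds a single connection timeline from NetworkProfile 10000/10001 and WLAN-AutoConfig 8000/8001/8003/11000 events. The two sample events are constructed; the EventData field names (Name, Type, Category, SSID, InterfaceGuid, ConnectionMode, ...) and the numeric meanings of Type (0 unmanaged, 1 managed) and Category (0 public, 1 private, 2 domain) are this example's assumptions and should be checked against your own exported events.

```python
"""Build a network-connection timeline from exported Windows event XML.

Added example, not from the original article.  Works on the per-event XML
that wevtutil / Get-WinEvent export; sample events below are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: one NetworkProfile 10000 and one WLAN-AutoConfig 8001 event.
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-NetworkProfile"/>
    <EventID>10000</EventID>
    <TimeCreated SystemTime="2024-03-01T08:15:02.1234567Z"/>
    <Channel>Microsoft-Windows-NetworkProfile/Operational</Channel>
  </System>
  <EventData>
    <Data Name="Name">CoffeeShopWiFi</Data>
    <Data Name="Description">CoffeeShopWiFi</Data>
    <Data Name="Guid">{AAAAAAAA-1111-2222-3333-444444444444}</Data>
    <Data Name="Type">0</Data>
    <Data Name="State">1</Data>
    <Data Name="Category">0</Data>
  </EventData>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WLAN-AutoConfig"/>
    <EventID>8001</EventID>
    <TimeCreated SystemTime="2024-03-01T08:14:58.0000000Z"/>
    <Channel>Microsoft-Windows-WLAN-AutoConfig/Operational</Channel>
  </System>
  <EventData>
    <Data Name="InterfaceGuid">{1A2B3C4D-0000-4000-8000-000000000001}</Data>
    <Data Name="InterfaceDescription">Example Wireless Adapter</Data>
    <Data Name="ConnectionMode">Automatic connection with a profile</Data>
    <Data Name="ProfileName">CoffeeShopWiFi</Data>
    <Data Name="SSID">CoffeeShopWiFi</Data>
    <Data Name="AuthenticationAlgorithm">WPA2-Personal</Data>
    <Data Name="CipherAlgorithm">AES-CCMP</Data>
    <Data Name="PHYType">802.11ax</Data>
  </EventData>
</Event>""",
]

# Assumed code meanings for the NetworkProfile Type / Category fields.
NETWORK_TYPE = {0: "Unmanaged", 1: "Managed"}
NETWORK_CATEGORY = {0: "Public", 1: "Private", 2: "DomainAuthenticated"}

EVENT_LABELS = {
    ("Microsoft-Windows-NetworkProfile", 10000): "network connected",
    ("Microsoft-Windows-NetworkProfile", 10001): "network disconnected",
    ("Microsoft-Windows-WLAN-AutoConfig", 8000): "wlan connection started",
    ("Microsoft-Windows-WLAN-AutoConfig", 8001): "wlan connected",
    ("Microsoft-Windows-WLAN-AutoConfig", 8003): "wlan disconnected",
    ("Microsoft-Windows-WLAN-AutoConfig", 11000): "wlan association started",
}


def decode(table, raw):
    """Map a numeric code to its label; fall back to the raw value if unknown."""
    try:
        return table.get(int(raw), raw)
    except (TypeError, ValueError):
        return raw


def parse_event(xml_text):
    """Pull provider, id, timestamp and the EventData name/value pairs out of one event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "id": int(system.find("e:EventID", NS).text),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "data": {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)},
    }


def describe(event):
    """One timeline row per event of interest; None for events we do not track."""
    label = EVENT_LABELS.get((event["provider"], event["id"]))
    if label is None:
        return None
    d = event["data"]
    if event["provider"] == "Microsoft-Windows-NetworkProfile":
        detail = "%s type=%s category=%s" % (
            d.get("Name"), decode(NETWORK_TYPE, d.get("Type")), decode(NETWORK_CATEGORY, d.get("Category")))
    else:
        detail = "SSID=%s iface=%s mode=%s auth=%s" % (
            d.get("SSID"), d.get("InterfaceGuid"), d.get("ConnectionMode"), d.get("AuthenticationAlgorithm"))
    return {"time": event["time"], "event": label, "detail": detail}


def timeline(xml_events):
    """Parse every event, keep the ones we label, and order them by creation time (UTC)."""
    rows = (describe(parse_event(x)) for x in xml_events)
    return sorted((r for r in rows if r), key=lambda r: r["time"])


if __name__ == "__main__":
    for row in timeline(SAMPLE_EVENTS):
        print(row["time"], row["event"], row["detail"])
```

Reading both logs together is the point: an 8001 immediately followed by a 10000 for the same SSID tells you which profile (and therefore which saved password, see below) the host used, while a 10000 with no preceding WLAN event is a wired or VPN connection.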

Information about network profiles (see Microsoft's description of network profiles), including Wi-Fi networks, can be found in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

The network profile is created automatically the very first time you connect to the network. The names of the subkeys in this registry location are unique identifiers for network profiles. Useful information includes:

  • NameType – the hexadecimal value 47 indicates a Wi-Fi profile.

  • ProfileName and Description – network profile name/description, by default matches the Wi-Fi SSID, but can be changed manually by the user.

  • DateCreated – time of first connection to the network, SYSTEMTIME Little-Endian.

  • DateLastConnected – time of last connection using this profile, SYSTEMTIME Little-Endian.
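DateCreated and DateLastConnected here, like InstallTimeStamp in the Class key earlier, are 16-byte SYSTEMTIME structures written little-endian, which most tools show as a comma-separated hex string. The added Python example below (not code from the original article) decodes that encoding and uses it to list network profiles by last use. The profile GUIDs and values are constructed; the second profile's NameType of 0x06 is only meant as "not Wi-Fi", since the article documents only 0x47. One caveat that is this example's own: these registry timestamps are widely reported to be written in the host's local time rather than UTC, so compare them against the UTC timestamps of the NetworkProfile events before drawing conclusions.

```python
"""Decode NetworkList profile timestamps (SYSTEMTIME, little-endian).

Added example, not from the original article.  A SYSTEMTIME is eight
little-endian 16-bit words: year, month, day-of-week, day, hour, minute,
second, millisecond.  Sample profiles below are constructed.
"""
import struct
from datetime import datetime

HEX_DIGITS = set("0123456789abcdefABCDEF")


def decode_systemtime(raw):
    """Accept raw bytes or a hex string as regedit/hive tools print it
    ("e8,07,03,00,..." with or without separators) and return a datetime."""
    if isinstance(raw, str):
        raw = bytes.fromhex("".join(c for c in raw if c in HEX_DIGITS))
    if len(raw) != 16:
        raise ValueError("SYSTEMTIME must be 16 bytes, got %d" % len(raw))
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    return datetime(year, month, day, hour, minute, second, ms * 1000)


# Constructed sample of HKLM\SOFTWARE\...\NetworkList\Profiles\<GUID> values.
PROFILES = {
    "{B1B1B1B1-0000-4000-8000-000000000001}": {
        "ProfileName": "CoffeeShopWiFi",
        "Description": "CoffeeShopWiFi",
        "NameType": 0x47,                               # Wi-Fi profile
        "DateCreated": "e8,07,03,00,05,00,01,00,08,00,0f,00,02,00,f4,01",        # 2024-03-01 08:15:02.500
        "DateLastConnected": "e8,07,06,00,04,00,14,00,12,00,28,00,00,00,00,00",  # 2024-06-20 18:40:00
    },
    "{B1B1B1B1-0000-4000-8000-000000000002}": {
        "ProfileName": "Network",
        "Description": "Network",
        "NameType": 0x06,                               # not 0x47, so not a Wi-Fi profile (assumed wired)
        "DateCreated": "e8,07,01,00,01,00,0f,00,09,00,00,00,00,00,00,00",        # 2024-01-15 09:00:00
        "DateLastConnected": "e8,07,06,00,05,00,15,00,07,00,1e,00,00,00,00,00",  # 2024-06-21 07:30:00
    },
}


def profile_report(profiles):
    """One row per profile with decoded timestamps, most recently used first."""
    rows = []
    for guid, p in profiles.items():
        rows.append({
            "guid": guid,
            "name": p.get("ProfileName"),
            "kind": "wifi" if p.get("NameType") == 0x47 else "other",
            "created": decode_systemtime(p["DateCreated"]),
            "last_connected": decode_systemtime(p["DateLastConnected"]),
        })
    return sorted(rows, key=lambda r: r["last_connected"], reverse=True)


if __name__ == "__main__":
    for row in profile_report(PROFILES):
        print(row["last_connected"], row["kind"], row["name"], row["guid"])
```

The same decode_systemtime() applies unchanged to InstallTimeStamp in the Class key, so the moment an adapter (for example a VPN adapter) appeared on the system can be placed on the same timeline as the profile dates.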

Wi-Fi passwords are stored encrypted, separately from the network profiles (Windows saves the password automatically when you first connect to a network and the network profile is created), inside XML files in the directory %ProgramData%\Microsoft\Wlansvc\Profiles\Interfaces. The Windows DPAPI mechanism is used to encrypt the passwords.

If you have a RAM dump, you can extract information about network connections as they were at the moment the dump was taken. The well-known Volatility3 can be used for this: python vol.py -f ../ram_dmp.raw windows.netstat.NetStat. From this information you can find out:

  • Port numbers, programs that listened to these ports, IP addresses.

  • Approximate geolocation/country, who owns the address (organization), and whether the address has been seen in attacks or used by malware (for public IPs this can be checked with whois, GeoIP lookups and services such as URLhaus).
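Before sending anything to whois or URLhaus you first have to reduce the netstat output to the addresses that actually need enrichment. The added Python example below (not code from the original article and not part of Volatility) parses the tab-separated table that vol3's text renderer prints, separates foreign addresses outside the organisation's own ranges from internal ones, groups them by owning process, and flags external sessions created outside working hours, the anomaly mentioned at the start of the article. The sample lines are constructed, the 203.0.113.x/198.51.100.x addresses are RFC 5737 documentation addresses standing in for external hosts, and the working-hours window and internal ranges are assumptions to adjust per case.

```python
"""Triage Volatility3 windows.netstat output offline.

Added example, not from the original article.  Sample output below is
constructed in the tab-separated layout vol3 prints; column names are what
the code relies on, so compare them with the header of your own output.
"""
import ipaddress
from datetime import datetime

SAMPLE_NETSTAT = """Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated
0xe00012345678\tTCPv4\t10.0.0.57\t49712\t203.0.113.10\t443\tESTABLISHED\t4312\tchrome.exe\t2024-03-01 08:16:01.000000
0xe00012345abc\tTCPv4\t10.0.0.57\t49800\t10.0.0.1\t445\tESTABLISHED\t4\tSystem\t2024-03-01 08:15:10.000000
0xe000123460de\tTCPv4\t0.0.0.0\t3389\t*\t0\tLISTENING\t1120\tsvchost.exe\tN/A
0xe00012346789\tTCPv4\t10.0.0.57\t49900\t198.51.100.7\t8080\tESTABLISHED\t5520\tupdater.exe\t2024-03-01 02:03:11.000000
0xe00012347000\tUDPv4\t0.0.0.0\t5353\t*\t0\tN/A\t2200\tsvchost.exe\tN/A
"""

# Ranges treated as "inside" (assumption: RFC 1918 plus loopback/link-local);
# replace with the investigated organisation's real address plan.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

WORK_HOURS = range(8, 19)      # assumed 08:00-18:59; Created is UTC in vol3, convert first


def parse_netstat(text):
    """Turn the tab-separated table into a list of dicts keyed by column name."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) == len(header):          # skip banners/warnings vol3 may print
            rows.append(dict(zip(header, fields)))
    return rows


def is_external(addr):
    """True for a routable address outside INTERNAL_RANGES; wildcards are not external."""
    if addr in ("*", "", "0.0.0.0", "::"):
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_RANGES)


def parse_created(value):
    """vol3 versions differ in suffix ('... UTC' or '+00:00'); strip it, or return None."""
    cleaned = value.replace(" UTC", "").replace("+00:00", "").strip()
    try:
        return datetime.strptime(cleaned, "%Y-%m-%d %H:%M:%S.%f")
    except ValueError:
        return None


def enrichment_candidates(rows):
    """Unique external foreign addresses with the ports and processes that used them."""
    by_addr = {}
    for r in rows:
        if is_external(r["ForeignAddr"]):
            entry = by_addr.setdefault(r["ForeignAddr"], {"ports": set(), "owners": set()})
            entry["ports"].add(int(r["ForeignPort"]))
            entry["owners"].add("%s(%s)" % (r["Owner"], r["PID"]))
    return by_addr


def off_hours_sessions(rows):
    """External sessions whose creation hour falls outside WORK_HOURS."""
    out = []
    for r in rows:
        created = parse_created(r["Created"])
        if created and created.hour not in WORK_HOURS and is_external(r["ForeignAddr"]):
            out.append((r["Owner"], r["ForeignAddr"], int(r["ForeignPort"]), created))
    return out


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for addr, info in enrichment_candidates(rows).items():
        print(addr, sorted(info["ports"]), sorted(info["owners"]))
    for owner, addr, port, created in off_hours_sessions(rows):
        print("off-hours:", owner, addr, port, created)
```

The listening sockets are deliberately left out of the candidate list but are still in the parsed rows; a listener on an unexpected port with an unexpected owner is its own finding and is better reviewed separately from the outbound addresses.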

Another source of artifacts on a Windows host, sometimes called its “window to the world”, is the browser and the traces of its use, and not necessarily the pre-installed Internet Explorer or Edge. As a rule, the history of downloads and visited sites is stored as a SQLite database. For Google Chrome this is %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History; Firefox has the file %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\profile_name\places.sqlite. There are many forensic utilities for parsing these artifacts automatically, for example the free utilities from Foxton Forensics or the built-in functionality of Autopsy.
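If no dedicated tool is at hand, both databases can be read directly with Python's sqlite3 module. The catch is the timestamps: Chrome stores microseconds since 1601-01-01 (the Windows FILETIME epoch, scaled to microseconds), Firefox stores microseconds since the Unix epoch. The added example below (not code from the original article, nor from Chrome or Firefox) performs both conversions and merges the two histories into one timeline. So that it runs offline it builds tiny in-memory databases that reproduce only the columns queried (urls/visits for Chrome, moz_places/moz_historyvisits for Firefox); the real schemas have many more columns, and the URLs and timestamps are constructed.

```python
"""Read visit history from Chrome's History and Firefox's places.sqlite.

Added example, not from the original article.  On a real case replace the
in-memory sample databases with sqlite3.connect(<copy of the History file>).
"""
import sqlite3
from datetime import datetime, timedelta, timezone

CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # WebKit/FILETIME epoch
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def chrome_time(us):
    """Chrome visit_time / last_visit_time: microseconds since 1601-01-01 UTC."""
    return CHROME_EPOCH + timedelta(microseconds=int(us))


def firefox_time(us):
    """Firefox visit_date / last_visit_date: microseconds since 1970-01-01 UTC."""
    return UNIX_EPOCH + timedelta(microseconds=int(us))


def chrome_history(conn):
    """(time, url, title) per visit from Chrome's urls + visits tables."""
    sql = """SELECT v.visit_time, u.url, u.title
             FROM visits v JOIN urls u ON u.id = v.url
             ORDER BY v.visit_time"""
    return [(chrome_time(t), url, title) for t, url, title in conn.execute(sql)]


def firefox_history(conn):
    """(time, url, title) per visit from Firefox's moz_historyvisits + moz_places."""
    sql = """SELECT h.visit_date, p.url, p.title
             FROM moz_historyvisits h JOIN moz_places p ON p.id = h.place_id
             ORDER BY h.visit_date"""
    return [(firefox_time(t), url, title) for t, url, title in conn.execute(sql)]


def merged_timeline(chrome_conn, firefox_conn):
    """Both browsers' visits in one list ordered by time, tagged with the source."""
    rows = [("chrome",) + r for r in chrome_history(chrome_conn)]
    rows += [("firefox",) + r for r in firefox_history(firefox_conn)]
    return sorted(rows, key=lambda r: r[1])


# --- constructed sample databases (subset of the real schemas) -----------------
def build_sample_chrome():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER,
                            visit_time INTEGER, transition INTEGER);
    """)
    conn.execute("INSERT INTO urls VALUES (1, 'https://www.example.com/', 'Example', 1, 13353754800000000)")
    conn.execute("INSERT INTO urls VALUES (2, 'https://www.example.org/update', 'Update', 1, 13353732300000000)")
    conn.execute("INSERT INTO visits VALUES (1, 2, 13353732300000000, 0)")  # 2024-03-01 02:05:00 UTC
    conn.execute("INSERT INTO visits VALUES (2, 1, 13353754800000000, 0)")  # 2024-03-01 08:20:00 UTC
    return conn


def build_sample_firefox():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, place_id INTEGER,
                                       visit_date INTEGER, visit_type INTEGER);
    """)
    conn.execute("INSERT INTO moz_places VALUES (1, 'https://www.example.net/', 'Net', 1709281530000000)")
    conn.execute("INSERT INTO moz_historyvisits VALUES (1, 1, 1709281530000000, 1)")  # 2024-03-01 08:25:30 UTC
    return conn


if __name__ == "__main__":
    for source, when, url, title in merged_timeline(build_sample_chrome(), build_sample_firefox()):
        print(when.isoformat(), source, url, title)
```

Always work on a copy of the database files: a running browser holds them locked and may have unflushed write-ahead-log (-wal) data that belongs with the main file.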

To sum up, a Windows host by itself holds network artifacts of real interest to a forensic specialist, but in a corporate environment, or wherever logs from network equipment (NGFW, traffic analyzer) can be obtained, there is many times more useful information: advanced network security tools usually identify specific applications in traffic, measure transmitted/received traffic volume and session duration, and decrypt encrypted traffic (SSL Inspection, which is in effect a MITM).

To be continued…
