Windows 7/10 stores a profile for each wireless network to which the system has been connected. ArtiFast can locate and parse this data, extracting information such as the network name and connection time.
This artifact tells an investigator which wireless networks the target system has connected to. It gives important details such as when the connection first occurred, when the network was last connected to, the wireless network name and the physical address of the network device. These can all prove useful to an investigator building a timeline of a system's association with a network.
The Windows wireless networks artifact source file is located at C:\Windows\config\SOFTWARE.
Within the SOFTWARE hive, the artifact data can be found at Microsoft\Windows NT\CurrentVersion\NetworkList.
The SOFTWARE file is a registry hive file. The registry hive format is a binary format analogous to a filesystem, organized into keys, subkeys and values. These files are used by the operating system to store user, system, and application configurations.
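As an added illustration (not ArtiFast's parser and not code from the original page), the sketch below decodes the raw value types behind the first-connected time, last-connected time, network type and physical address described above. The value names `ProfileName`, `NameType`, `DateCreated`, `DateLastConnected` and `DefaultGatewayMac`, and the `Profiles` and `Signatures` subkeys they are read from, do not appear on this page and are assumed from the commonly documented NetworkList layout; all sample bytes are constructed.

```python
import struct
from datetime import datetime

# NameType codes as commonly documented for NetworkList profiles (assumption).
NAME_TYPES = {0x06: "wired", 0x17: "mobile broadband", 0x47: "wireless"}

def decode_systemtime(raw):
    """Decode a 16-byte SYSTEMTIME: eight little-endian uint16 fields."""
    if len(raw) != 16:
        raise ValueError(f"SYSTEMTIME must be 16 bytes, got {len(raw)}")
    if not any(raw):
        return None  # zero-filled value: timestamp was never set
    year, month, _dow, day, hour, minute, sec, ms = struct.unpack("<8H", raw)
    # Stored in the system's local time, so the result is left timezone-naive.
    return datetime(year, month, day, hour, minute, sec, ms * 1000)

def format_mac(raw):
    """Render a 6-byte REG_BINARY physical address as AA-BB-CC-DD-EE-FF."""
    if len(raw) != 6:
        raise ValueError(f"MAC must be 6 bytes, got {len(raw)}")
    return "-".join(f"{b:02X}" for b in raw)

def summarize_profile(profile, signature):
    """Combine one Profiles entry with its matching Signatures entry."""
    first = decode_systemtime(profile["DateCreated"])
    last = decode_systemtime(profile["DateLastConnected"])
    return {
        "name": profile["ProfileName"],
        "type": NAME_TYPES.get(profile["NameType"], "unknown"),
        "first_connected": first,
        "last_connected": last,
        "gateway_mac": format_mac(signature["DefaultGatewayMac"]),
        # Last-connected earlier than first-connected deserves a closer look.
        "timestamps_consistent": bool(first and last and last >= first),
    }

# Constructed sample values, shaped like raw data read from the hive.
SAMPLE_PROFILE = {
    "ProfileName": "ExampleCafe",
    "NameType": 0x47,
    "DateCreated": bytes.fromhex("e607030002000800" "0e001e002d000000"),
    "DateLastConnected": bytes.fromhex("e607040005000f00" "090005000a000000"),
}
SAMPLE_SIGNATURE = {"DefaultGatewayMac": bytes.fromhex("001122aabbcc")}

if __name__ == "__main__":
    for key, value in summarize_profile(SAMPLE_PROFILE, SAMPLE_SIGNATURE).items():
        print(f"{key}: {value}")
```

Because the decoded times are in the examined system's local time, convert them using that system's time zone setting before merging them into a UTC timeline.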
This section discusses how to use ArtiFast Windows to extract the Wireless Networks artifact from Windows machines and what kind of digital forensics insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, you can select the Wireless Networks artifact at the Artifact Parser Selection Phase.
Once the ArtiFast parser plugins finish processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the Windows Wireless Networks artifact in ArtiFast software.
Wireless Networks Artifact
The artifact contains information on wireless networks that were connected to using the system. The details you can view include: