Investigating Windows Wireless Networks

10/05/2021 Monday

Windows 7/10 stores profiles of the wireless networks to which a system has connected. ArtiFast can locate and parse this data, extracting information such as the network name and connection time.

Digital Forensics Value of Wireless Networks Artifacts

This artifact tells an investigator which wireless networks a target system has connected to. It gives important details such as when the connection first occurred, when the network was last connected to, the wireless network name, and the physical address of the network device. These can all prove useful to an investigator building a timeline of a system's association with a network.

Location of Wireless Networks Artifacts

The Windows wireless networks artifact source file is located at C:\Windows\config\SOFTWARE.

Within the SOFTWARE hive, the artifact data can be found at Microsoft\Windows NT\CurrentVersion\NetworkList.

Structure of Wireless Networks Artifacts

The SOFTWARE file is a registry hive file. The registry hive format is a binary format analogous to a filesystem, organized into keys, subkeys and values. These files are used by the operating system to store user, system, and application configurations.
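Added example (not ArtiFast code and not from the original article): once a registry parser has pulled the values under NetworkList, the connection times and the physical address still have to be decoded from raw bytes. The value names (ProfileName, NameType, DateCreated, DateLastConnected, DefaultGatewayMac), the 16-byte SYSTEMTIME encoding in local time, and the NameType codes are the commonly documented layout of this key, not details given on this page; the sample bytes are constructed.

```python
import struct
from datetime import datetime

# NameType codes as commonly documented for NetworkList profiles (assumption).
NAME_TYPES = {0x06: "wired", 0x17: "mobile broadband", 0x47: "wireless"}

def decode_systemtime(raw):
    """Decode a 16-byte little-endian SYSTEMTIME; returns None if unset (all zero)."""
    if len(raw) != 16:
        raise ValueError(f"SYSTEMTIME must be 16 bytes, got {len(raw)}")
    if not any(raw):
        return None
    # Fields: year, month, day-of-week, day, hour, minute, second, milliseconds.
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    # Naive datetime: the value is in the source system's local time, not UTC.
    return datetime(year, month, day, hour, minute, second, ms * 1000)

def format_mac(raw):
    """Render a 6-byte REG_BINARY physical address as colon-separated hex."""
    if len(raw) != 6:
        raise ValueError(f"MAC must be 6 bytes, got {len(raw)}")
    return ":".join(f"{b:02X}" for b in raw)

def summarize(profile, signature):
    """Combine one profile key's values with those of its matching signature key."""
    name_type = profile["NameType"]
    return {
        "network_name": profile["ProfileName"],
        "type": NAME_TYPES.get(name_type, f"unknown (0x{name_type:02X})"),
        "first_connected": decode_systemtime(profile["DateCreated"]),
        "last_connected": decode_systemtime(profile["DateLastConnected"]),
        "gateway_mac": format_mac(signature["DefaultGatewayMac"]),
    }

# Constructed sample values, shaped like the raw data a hive parser returns.
SAMPLE_PROFILE = {
    "ProfileName": "ExampleCafeWiFi",
    "NameType": 0x47,
    "DateCreated": bytes.fromhex("e507030000000e00080005000c00f401"),
    "DateLastConnected": bytes.fromhex("e5070400050002001200280005000000"),
}
SAMPLE_SIGNATURE = {"DefaultGatewayMac": bytes.fromhex("001122aabbcc")}

if __name__ == "__main__":
    for field, value in summarize(SAMPLE_PROFILE, SAMPLE_SIGNATURE).items():
        print(f"{field:16} {value}")
```

Because the decoded times are local to the examined system, convert them using that system's time zone setting before merging them into a UTC timeline.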

Analyzing Wireless Networks Artifacts with ArtiFast Windows

This section discusses how to use ArtiFast Windows to extract the Wireless Networks artifact from Windows machines and what kind of digital forensics insight we can gain from the artifact.

After you have created your case and added evidence for the investigation, you can select the Wireless Networks artifact at the Artifact Parser Selection Phase.

Once the ArtiFast parser plugins finish processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the Windows Wireless Networks artifact in ArtiFast software.

Wireless Networks Artifact

The artifact contains information on the wireless networks that the system has connected to. The details you can view include: