8. Network profile key: -First and last name connected:
Windows XP: The Legacy of Wireless Zero Configuration
In the Windows XP era, the Wireless Zero Configuration (WZC) service was the backbone of wireless network management. Deep within the registry at
SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces{GUID}
lies a goldmine of data. Here, the machine meticulously records its encounters with wireless access points, preserving SSIDs and timestamps of connection. These SSIDs, akin to unique security identifiers, serve as digital footprints, revealing the machine's proximity to specific locations and networks.
Windows 7-10: The Evolution of Network List Profiles
The Network List Profiles, housed within below key and took center stage. Each subkey, adorned with a GUID, encapsulates network names and types, delineated by hexadecimal values.
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
Whether wireless (0x47)
wired (0x06)
broadband (0x17),
each network type leaves its mark, illuminating the user's connectivity landscape.
Decoding the Temporal Enigma: CreationTime and LastDateConnected
The CreationTime and LastDateConnected timestamps, shrouded in 128-bit system time, hold the key to unraveling network chronicles. Utilizing the DCodeDate tool, these timestamps unveil the saga of network encounters, from the maiden connection to the latest rendezvous.
CMD:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles"
9. Shares and offline locations:
System Hive
SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\
CMD:
reg query HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\
Detecting Open Shares: A Critical Investigation
The first step in examining file shares is detecting their presence on a machine. In many cases, users may inadvertently share their entire hard drive, unknowingly granting remote access to sensitive files. Identifying these open shares is crucial in understanding how files may have appeared on a workstation, thereby mitigating potential arguments regarding unauthorized access or file manipulation.
Client-Side Caching (CSC): The Silent Culprit
A covert method of file exfiltration lies in Windows Offline Files' client-side caching (CSC) feature. By enabling offline access to specific files, users can discreetly cache them on their system, allowing access regardless of network connectivity. This poses a significant challenge in detecting unauthorized file transfers, as cached files may go unnoticed by traditional monitoring methods. However, examining CSC Flags options can provide insights into how folders are cached, shedding light on potential file exfiltration attempts.
Windows Offline Files caches files in the directory C: \Windows\ CSC.
• CSCFlag = 0: Default option means that the user must specify which files he would like to be cached.
• CSCFlag = 16: For automatic document caching, "All files and programs that users open from the shared folder are automatically available offline" with the "optimize for performance" unchecked.
• CSCFlag = 32: For automatic program caching. Same as above, but with "Optimize for performance" checked.
• CSCFlag = 48: Caching is disabled.
• CSCFlag = 2048: Default Win7-l O setting until user disables the "Simple File Sharing" or uses the "advanced" sharing options. It is also the default setting for "Homegroup."
Key Data Fields: Unraveling the Mystery
Max Uses: Total number of connections to a single share. Set to 4294967295 at default, which is also the highest number you can get using 32 bits.
Path: Local path
Permissions: Apparently, the value can help us determine how a share was created. 0 is default meaning that GUI or PowerShell created the share. For Win7-10, if the value is 9, then it was created via advanced file sharing. If the value is 63, then a command line created the share.
Type: Type of device or share accessed
• 0 = Disk Drive or Folder
• 1 = Printer
• 2 = Device
• 3 = IPC
• 2147483648 = Admin (Disk, Printer, Device, or IPC)
Will continue in next blog...................
Akash Patel
留言