I'm doing a forensic exam of a computer. I'm trying to figure out where in
the registry or in what file the SSIDs and other settings for wireless
connections are stored so I can try to determine what networks the suspect
computer may have connected to.
Where are those settings stored? Are they in the registry or a separate
file, and if so where?
For various reasons I can't just start up the machine and look as that
changes evidence on the drive.
"MPD352" <MPD352@discussions.microsoft.com> wrote in message
news:3F003CC0-1A26-49D2-B4EC-E14319714ECA@microsoft.com...
> I'm doing a forensic exam of a computer. I'm trying to figure out where in
> the registry or in what file the SSIDs and other settings for wireless
> connections are stored so I can try to determine what networks the suspect
> computer may have connected to.
>
> Where are those settings stored? Are they in the registry or a separate
> file, and if so where?
>
> For various reasons I can't just start up the machine and look as that
> changes evidence on the drive.
Ummm, OK, if you can't turn on the machine, how
you gonna do anything?
I've taken a bit for bit image of the hard drive and examine that. We never
run the machine on the original drive as it gives the defense lawyer an
opening to claim we destroyed evidence.
The value in the { } brackets and the \0011 are machine-specific
and won't be the same in the Registry you're looking at.
You will just need to nav to the HKLM and look around.
"MPD352" <MPD352@discussions.microsoft.com> wrote in message
news:9A20C5FD-FDFB-4457-9E2A-5476CD221D10@microsoft.com...
> I've taken a bit for bit image of the hard drive and examine that. We never
> run the machine on the original drive as it gives the defense lawyer an
> opening to claim we destroyed evidence.
Thanks, I found a lot of keys that control the hardware, but no SSIDs. I'm
searching my laptop because I know what my SSIDs are. If I could find
them on my machine I would know where to look with the registry analyzer on
the image.
"V Green" wrote:
> OK, figured it must be something like that, took
> your post a bit too literally.
>
> SSID's I've been to recently are at:
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0011]
>
> The value in the { } brackets and the \0011 are machine-specific
> and won't be the same in the Registry you're looking at.
>
> You will just need to nav to the HKLM and look around.
You got me looking in the right place, and I found it. It is within
HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\. You then look within
the keys for entries named Static#0000, Static#000, and so on. These are the
SSIDs in binary - with the right tool you can view the SSID. This
particular machine belonged to a transient, and was full of statics, which
indicates he was just walking around looking for open access points. Thanks,
I don't use WZC (ugh!), preferring the Intel wireless config
utility, hence the different location.
Glad it worked out.
"MPD352" <MPD352@discussions.microsoft.com> wrote in message
news:01E1E3AB-C1D0-4FA6-8C8D-010AFCE61802@microsoft.com...
> V.Green:
>
> You got me looking in the right place, and I found it. It is within
> HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\. You then look within
> the keys for entries named Static#0000, Static#000, and so on. These are the
> SSIDs in binary - with the right tool you can view the SSID. This
> particular machine belonged to a transient, and was full of statics, which
> indicates he was just walking around looking for open access points. Thanks,
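Added example (not part of the original thread and not any poster's code): decoding the SSIDs from the Static# values MPD352 describes, after the WZCSVC interface key has been exported from the imaged hive as .reg text. The offsets used (SSID length at 0x10, SSID buffer at 0x14) are an assumption based on the commonly documented layout of these values, not something stated in the thread; the sample data and the GUID placeholder are constructed.

```python
import re
import struct

# Assumed layout (not from the thread): DWORD SSID length @0x10, 32-byte SSID @0x14.
SSID_LEN_OFF, SSID_OFF, SSID_MAX = 0x10, 0x14, 32
VALUE_RE = re.compile(r'^"(Static#\d+)"=hex:(.*)$')

def parse_reg_export(text):
    """Return {value name: raw bytes} for Static#NNNN values in .reg text."""
    values, name, chunks = {}, None, []
    for line in (l.strip() for l in text.splitlines()):
        m = VALUE_RE.match(line)
        if m:
            name, chunks, line = m.group(1), [], m.group(2)
        elif name is None:
            continue                      # key header or unrelated value
        chunks.append(line.rstrip("\\"))
        if not line.endswith("\\"):       # no continuation: value complete
            values[name] = bytes.fromhex("".join(chunks).replace(",", ""))
            name = None
    return values

def decode_ssid(blob):
    """Return the SSID text, or None if the blob is truncated or malformed."""
    if len(blob) < SSID_OFF + SSID_MAX:
        return None
    (length,) = struct.unpack_from("<I", blob, SSID_LEN_OFF)
    if not 0 < length <= SSID_MAX:
        return None
    return blob[SSID_OFF:SSID_OFF + length].decode("ascii", "backslashreplace")

def list_ssids(text):
    return {n: decode_ssid(b) for n, b in sorted(parse_reg_export(text).items())}

def build_sample(name, ssid, size=0x40):
    """Constructed test data: one Static# value in .reg hex notation."""
    blob = bytearray(size)
    struct.pack_into("<I", blob, SSID_LEN_OFF, len(ssid))
    blob[SSID_OFF:SSID_OFF + len(ssid)] = ssid
    rows = [",".join(f"{b:02x}" for b in blob[i:i + 16]) for i in range(0, size, 16)]
    return f'"{name}"=hex:' + ",\\\n  ".join(rows)

SAMPLE = "\n".join([                      # constructed, not from the case
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{PLACEHOLDER-GUID}]",
    build_sample("Static#0000", b"linksys"),
    build_sample("Static#0001", b"CoffeeShop-Guest"),
    '"Static#0002"=hex:01,02,03',         # truncated value, must not crash
])

print(list_ssids(SAMPLE))
```

Run it against an export taken from a working copy of the image, never the original drive; values that return None should be inspected by hand in a hex view.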