Artifacts

NetworkList (Vista/Windows 7)

Posted by:  /  Tags: , , , ,  /  Comments: 2

Author Name
H. Carvey

Artifact Name
NetworkList

Artifact/Program Version
RegRipper w/ networklist.pl plugin v.20090812

Description
Vista and Windows 7 maintain a Registry key named
“NetworkList”:
HKLM\Microsoft\Windows NT\CurrentVersion\NetworkList

This key appears to contain profiles regarding managed and
unmanaged networks, including wireless networks that the system has
connected to, including SSID, the date the profile was created, the
date last connected, the MAC address of the WAP, etc. This MAC can be
looked up in the SkyHook database, and possibly converted to a Google
Map.

Registry Keys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList (Updated 6/3- Thanks to Troy)

File Locations
Software Hive

Forensic Programs of Use
RegRipper w/ networklist.pl plugin

2 Comments

Troy

June 2, 2011

arrow

Should be:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList

Joe G

June 2, 2011

arrow

Thanks Troy! Updated the post

Joe

Leave a Reply

Your Name: (required)

Your Email: (will not be published) (required)

Your Website:

Your Message:

submit comment