Artifacts

Posts Tagged ‘vista’


NetworkList (Vista/Windows 7)


Author Name
H. Carvey

Artifact Name
NetworkList

Artifact/Program Version
RegRipper w/ networklist.pl plugin v.20090812

Description
Vista and Windows 7 maintain a Registry key named
“NetworkList”:
HKLM\Microsoft\Windows NT\CurrentVersion\NetworkList

This key appears to contain profiles for managed and unmanaged
networks, including wireless networks that the system has connected
to, with the SSID, the date the profile was created, the date last
connected, the MAC address of the WAP, etc. This MAC can be looked up
in the SkyHook database, and possibly converted to a Google Map.

Registry Keys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList (Updated 6/3 - thanks to Troy)

File Locations
Software Hive

Forensic Programs of Use
RegRipper w/ networklist.pl plugin

Google Chrome Browser Profile (Windows Vista/Windows 7)


Author Name
Joe Garcia

Artifact Name
Google Chrome Browser Profile Folder (Windows Vista/Windows 7)

Artifact/Program Version
Windows Vista/Windows 7

Description
As part of a lot of digital forensics investigations, obtaining information about the user’s browsing habits is an important step. We see lots of articles on IE & Firefox, but what about Google’s Chrome Browser? Like Firefox before it, Chrome is steadily gaining browser market share. This post points out where to find the Chrome user’s Profile folder. Most times, this will be saved as “Default”, but be on the lookout for multiple profiles. Once you locate and extract the Chrome Profile folder (listed below) from your image, you can use tools like ChromeAnalysis or ChromeForensics to assist you in parsing out the information stored within it. You will get the following data, which is stored in SQLite files:

History (Web, bookmarks, downloads and search terms)

Cookies

Web Logins

Archived History (Web History and search terms)

Bookmarks (This is in a non-SQLite format)

File Locations
HardDrive\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default

Research Links
Get Google’s Chrome Browser HERE

Forensic Programs of Use
ChromeAnalysis from forensic-software.co.uk: http://forensic-software.co.uk/chromeanalysis.aspx

ChromeForensics by Woanware: http://www.woanware.co.uk/?page_id=70
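
Added example, not part of the original post and not code from the tools listed above: once the "User Data" folder has been extracted from the image, this Python finds every profile folder (Default and any others) and reads each History SQLite file read-only. It assumes Chrome's `urls` table and timestamps stored as microseconds since 1601-01-01 UTC; the function names and the sample data are constructed for illustration.

```python
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumption: Chrome timestamps are microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(microseconds):
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def find_profiles(user_data):
    """Every folder under 'User Data' holding a History file (Default, Profile 1, ...)."""
    return sorted(p.parent for p in Path(user_data).glob("*/History"))

def read_history(profile):
    """Return (url, title, visit_count, last_visit_utc) rows, newest first."""
    # mode=ro: open the extracted copy read-only so the query cannot write to it.
    uri = (Path(profile) / "History").resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT url, title, visit_count, last_visit_time "
            "FROM urls ORDER BY last_visit_time DESC").fetchall()
    finally:
        con.close()
    return [(u, t, n, webkit_to_utc(ts)) for u, t, n, ts in rows]

def build_sample(user_data):
    """Constructed sample data: two profiles, each with a minimal 'urls' table."""
    for name, url, ts in [("Default", "http://example.com/", 12931488000000000),
                          ("Profile 1", "http://example.org/", 12931574400000000)]:
        folder = Path(user_data) / name
        folder.mkdir(parents=True)
        con = sqlite3.connect(folder / "History")
        con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,"
                    " visit_count INTEGER, typed_count INTEGER,"
                    " last_visit_time INTEGER, hidden INTEGER)")
        con.execute("INSERT INTO urls (url, title, visit_count, last_visit_time)"
                    " VALUES (?, ?, ?, ?)", (url, "Example", 3, ts))
        con.commit()
        con.close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp) / "User Data")
        for profile in find_profiles(Path(tmp) / "User Data"):
            for url, title, visits, last in read_history(profile):
                print(profile.name, url, visits, last.isoformat())
```

Run it against a working copy of the extracted folder, never the original evidence, and record the profile folder name alongside each row so results from multiple profiles are not mixed.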