Tracing the Digital Footprints - Network Activity/Physical Location

In the intricate world of digital forensics, understanding a system's network interactions and even its physical movements can be crucial for an investigation. Windows operating systems leave behind a wealth of data, often unintentionally, that can help reconstruct a timeline of events, identify user behavior, and even pinpoint geographical locations. This post delves into key artifacts that shed light on "Network Activity" and "Physical Location" aspects of a Windows machine.
Timezone
Understanding the system's timezone is fundamental for accurately correlating all other time-stamped activities.
Description: This artifact identifies the current system time zone.
Location: The timezone information is located in the SYSTEM Hive, specifically at
SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Interpretation: Time zone information is incredibly useful for correlating activity across various logs and artifacts. Internal log files and date/timestamps will be based on the system's configured time zone. It is also vital for correlating information with other network devices, ensuring all timelines align accurately.
Cookies
Cookies offer valuable insights into a user's web browsing habits and online interactions.
Description: Cookies give insight into what websites have been visited and what activities may have taken place there.
Location: The location of cookies varies by browser and Windows version:
Internet Explorer:
IE6-8 and IE10: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies
IE11: %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCookies
Edge: %USERPROFILE%\AppData\Local\Packages\microsoft.microsoftedge_<APPID>\AC\MicrosoftEdge\Cookies
Firefox:
XP: %USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<random text>.default\cookies.sqlite
Win7/8/10: %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<random text>.default\cookies.sqlite
Chrome:
XP: %USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage
Win7/8/10: %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Interpretation: While the general description highlights their use for understanding visited websites and activities, specific cookie types such as the Google Analytics cookies provide even deeper insight:
__utma tracks unique visitors: domain hash, visitor ID, cookie creation time, time of the most recent and second most recent visits, and number of visits.
__utmb aids in session tracking: domain hash, page views in the current session, outbound link clicks, and when the current session started.
__utmz focuses on traffic sources: domain hash, last update time, and number of visits.
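As an added example (not code from the original post), the following Python decodes the three cookie values described above into readable fields, converting the embedded Unix timestamps to UTC; the field layouts follow the classic ga.js cookie format and the sample values are constructed.

```python
"""Parse legacy Google Analytics __utma/__utmb/__utmz cookie values into
readable fields. Added example, not code from the original post; the sample
cookie values below are constructed, not taken from a real system."""
from datetime import datetime, timezone
from urllib.parse import unquote


def _ts(epoch: str) -> str:
    """Unix epoch seconds (as stored in the cookie) -> ISO-8601 UTC."""
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat()


def parse_utma(value: str) -> dict:
    """__utma: domain hash . visitor id . first visit . previous visit .
    current visit . visit count (times are epoch seconds)."""
    h, vid, first, prev, cur, count = value.split(".")
    return {"domain_hash": h, "visitor_id": vid, "first_visit": _ts(first),
            "previous_visit": _ts(prev), "current_visit": _ts(cur),
            "visit_count": int(count)}


def parse_utmb(value: str) -> dict:
    """__utmb: domain hash . page views this session . outbound-click
    counter (starts at 10 and counts down) . session start."""
    h, views, clicks, start = value.split(".")
    return {"domain_hash": h, "pageviews": int(views),
            "outbound_clicks_left": int(clicks), "session_start": _ts(start)}


def parse_utmz(value: str) -> dict:
    """__utmz: domain hash . last update . visit count . source count .
    utmcsr=source|utmccn=campaign|utmcmd=medium|utmctr=search term."""
    h, updated, visits, sources, rest = value.split(".", 4)
    f = dict(p.split("=", 1) for p in rest.split("|") if "=" in p)
    return {"domain_hash": h, "last_update": _ts(updated),
            "visit_count": int(visits), "source_count": int(sources),
            "source": f.get("utmcsr"), "medium": f.get("utmcmd"),
            "campaign": f.get("utmccn"),
            "term": unquote(f["utmctr"]) if "utmctr" in f else None}


# Constructed sample values (not from a real browser profile).
SAMPLE = {
    "__utma": "173272373.1234567890.1700000000.1700086400.1700172800.3",
    "__utmb": "173272373.5.9.1700172800",
    "__utmz": "173272373.1700172800.3.2.utmcsr=google|utmccn=(organic)"
              "|utmcmd=organic|utmctr=forensic%20timeline",
}

if __name__ == "__main__":
    for name, raw in SAMPLE.items():
        print(name, {"__utma": parse_utma, "__utmb": parse_utmb, "__utmz": parse_utmz}[name](raw))
```

The search term recovered from __utmz is the same kind of evidence the Browser Search Terms section below describes, just carried in a cookie rather than in the history database.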
Network History
This artifact is critical for identifying the networks a computer has connected to, providing a historical record of its network environments.
Description: This artifact identifies networks that the computer has been connected to. This includes both wireless and wired networks, and helps to identify the domain name/intranet name, SSID, and Gateway MAC Address.
Location: On Windows 7/8/10, these details are stored in the SOFTWARE HIVE at several locations:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache
Interpretation: Identifying intranets and networks a computer has connected to is incredibly important for investigations. Forensicators can determine the intranet name and the last time the network was connected to based on the last write time of the key. This also reveals any networks that have been connected to via a VPN. Furthermore, the gateway MAC address recorded for an SSID could potentially be used to physically triangulate the network's location.
WLAN Event Log
For wireless network connections, the WLAN Event Log provides a detailed history, aiding in physical location determination.
Description: The WLAN Event Log helps determine what wireless networks the system associated with and identify network characteristics to find location. Key Event IDs include:
11000: Wireless network association started.
8001: Successful connection to a wireless network.
8002: Failed connection to a wireless network.
8003: Disconnect from a wireless network.
6100: Network diagnostics (found in the System log).
Location: This log is found at
Microsoft-Windows-WLAN-AutoConfig Operational.evtx
Interpretation: This artifact shows a historical record of wireless network connections. It contains both the SSID and BSSID (MAC address), which can be used to geolocate the wireless access point (though BSSID is not present on Win8+ systems).
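As an added example (not code from the original post), the following Python builds a connect/disconnect timeline from WLAN-AutoConfig events that have been exported to XML, keyed on the event IDs listed above; the export format (one Event element per record, as wevtutil produces) and the SSID/BSSID data field names are assumptions, and the two sample events are constructed.

```python
"""Build a wireless association timeline from WLAN-AutoConfig events exported
to XML (for example with wevtutil qe ... /f:xml). Added example, not code from
the original post; the two events below are constructed samples."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event IDs called out in the post, mapped to a short label.
WLAN_EVENTS = {
    11000: "association started",
    8001: "connected",
    8002: "connection failed",
    8003: "disconnected",
}


def wlan_timeline(xml_text: str) -> list:
    """Return one record per WLAN event of interest, oldest first."""
    # wevtutil emits bare <Event> elements; wrap them under a single root.
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    records = []
    for ev in root.findall("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if event_id not in WLAN_EVENTS:
            continue
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        data = {d.get("Name"): d.text
                for d in ev.findall("e:EventData/e:Data", NS)}
        records.append({"time": when, "event_id": event_id,
                        "event": WLAN_EVENTS[event_id],
                        "ssid": data.get("SSID"),
                        "bssid": data.get("BSSID")})  # absent on Win8+
    return sorted(records, key=lambda r: r["time"])


# Constructed sample export (values are made up, not from a real system).
SAMPLE_XML = """
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>8003</EventID><TimeCreated SystemTime="2023-11-15T08:45:00.000Z"/></System>
<EventData><Data Name="SSID">CoffeeShop-Guest</Data><Data Name="BSSID">00:11:22:33:44:55</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>8001</EventID><TimeCreated SystemTime="2023-11-15T07:58:12.000Z"/></System>
<EventData><Data Name="SSID">CoffeeShop-Guest</Data><Data Name="BSSID">00:11:22:33:44:55</Data></EventData></Event>
"""

if __name__ == "__main__":
    for r in wlan_timeline(SAMPLE_XML):
        print(r["time"], r["event_id"], r["event"], r["ssid"], r["bssid"])
```

Pairing each 8001 with the following 8003 for the same SSID gives the interval the machine was on that network, which is the window to correlate against the other artifacts on this page.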
Browser Search Terms
While often associated with general browsing history, browser artifacts also explicitly record search terms entered into search engines.
Description: The browser's history records websites visited by date and time, with details stored for each local user account, including the number of times visited (frequency). It also tracks access to local system files. Crucially for this section, the history will also include the website history of search terms in search engines.
Location: The locations vary by browser and operating system:
Internet Explorer:
IE6-7: %USERPROFILE%\Local Settings\History\History.IE5
IE8-9: %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5
IE10-11, Edge: %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Firefox:
XP: %USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<random text>.default\places.sqlite
Win7/8/10: %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<random text>.default\places.sqlite
Chrome:
XP: %USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\History
Win7/8/10: %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History
Interpretation: History records can reveal sites from which files were opened remotely or downloaded to the local system. They also record access to files on websites that were reached via a link. Specifically, the inclusion of search terms from search engines can indicate a user's intent or areas of interest, even if the resulting files or websites are no longer present.
System Resource Usage Monitor (SRUM)
SRUM provides a rich dataset of system performance and network activity, offering a broad view of applications and their resource consumption.
Description: SRUM records 30 to 60 days of historical system performance. This includes the applications run, the user account responsible for each, and bytes sent/received per application per hour.
Location: SRUM data is found in the SOFTWARE Registry Hive and an associated database file:
Registry key:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions
Specific GUIDs within Extensions include:
{d10ca2fe-6fcf-4f6d-848e-b2e99266fa89}: Application Resource Usage Provider
{973F5D5C-1D90-4944-BE8E-24B94231A174}: Windows Network Data Usage Monitor
{DD6636C4-8929-4683-974E-22C046A43763}: Windows Network Connectivity Usage Monitor
Additional location:
SOFTWARE\Microsoft\WlanSvc\Interfaces\
Database file:
C:\Windows\System32\SRU\
Interpretation: To interpret SRUM data, forensicators should use tools such as srum_dump.exe to cross-correlate the data between the registry keys and the SRUM ESE database. This correlation allows for a comprehensive understanding of an application's network activity and overall resource usage over a significant historical period.
By leveraging these powerful Windows artifacts, forensic investigators can meticulously piece together a comprehensive picture of a system's network engagements and even its movements, providing critical intelligence for any digital investigation.




