Solved

Can't analyze image file of a PC for IP&MAC addresses

Posted on 2011-02-10
4
676 Views
Last Modified: 2012-05-11
Hi,
I have an image of a windows-xp-laptop. I want to list the network cards, IP addresses & MAC addresses used by that laptop.
I'm a newbie, I have FTK & Paraben demo version which works for limited time.
I mounted the image so I can browse it as a directory, but I can't execute commands like "regedit" or any command-line command.
I'd really appreciate it if I can have the answer before the end of Friday 11 Feb. 2011.

Many thanks.
0
Comment
Question by:techani7
  • 2
  • 2
4 Comments
 
LVL 62

Accepted Solution

by:
btan earned 250 total points
ID: 34877368
Windows XP store all the registry information inside various files, you need not necessarily use regedit, see this reference PDF
@ http://www.forensicfocus.com/downloads/windows-registry-quick-reference.pdf

You need to find the system files e.g. system, system.alt, system.log, system.sav to be exported out of the image to do offline analysis

For listing of network card, their ClassGuid = {4d36e972-e325-11ce-bfc1-08002be10318} under HKLM\SYSTEM\CurrentControlSet\Control\Class.  This subkey represents the class of network adapter devices that the system supports. Under this ClassGuid, there are further several 4-digit numbered subkeys, which represent particular network adapters. The key Values
> "DriverDesc" value identify the network adapter
> "NetCfgInstanceId" value identify the GUID given to it by system as the ID of the Adapter
> “NetworkAddress” value identify the MAC address

For the IP address, "IPAddress" key Value under  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\ID for Adapter @ http://support.microsoft.com/kb/314053

There are some tool for viewing the registry files @ http://newsgroup.xnview.com/viewtopic.php?f=38&t=17927

I understand that FTK has a Registry Viewer @ http://www.h11-digital-forensics.com/registry-viewer.php

Hope it is not too late
0
 

Author Comment

by:techani7
ID: 34880074
Brilliant reply! Thanks a million! One last thing, how can I figure out the MAC address from this value shown in the pic? Same goes with IP address, I see similar results, not the regular IP address structure.

I attached a screenshot. FjegX.png
0
 
LVL 62

Assisted Solution

by:btan
btan earned 250 total points
ID: 34881594
I did some manual check on my machine and some clarifications below.

a) For all the network related adapters, it is listed under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions. Use the value of the desired card description to find straight into its main contents in the HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} instead of searching through the various "XXXX" (which can be alot).

b) For the MAC, the "NetworkAddress" you shown in the figure is not really the one I am referring to. I understand that it is a value straight under the four digit Subkeys. The other other "NetworkAddress" does not have any significant though. Easier to find all the "NetworkAddress" Entry and review the content under the HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\XXXX where the XXXX is the four digits subkey.

See this link @ http://www.windowsreference.com/networking/how-to-change-mac-address-in-windows-registry/

However, I did not managed to find this physical address (as shown in ipconfig /all) for the network adapter. If there is such entry, it would potentally override it or someone has use this to change the actual MAC. Sorry about that confusion. I tend to suspect that you may not find MAC (unless there is such entry) in the registry.

c) For the IPaddress, you can use the "NetCfgInstanceId" under HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\XXXX which is the ID for Adapter. You should be able to find this ID under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces. Thereafter check out the "DhcpIPAddress" or related IPAddress entries (in same sub key)

This user guide from AccessData can be useful
@ http://accessdata.com/media/en_us/print/manuals/Registry_Viewer_User_Guide.pdf
0
 

Author Closing Comment

by:techani7
ID: 34909607
Thanks mate! I couldn't solve it, but you helped me BIG TIME! I appreciate your time and effort. I still have to know how to find the Mac address & the IP address, because I couldn't find them ANYWHERE... and believe me, I analyzed a lot. The first link you added actually isn't correct in my case, there's NEVER been a file with "NetworkAddress" name.. I hope if things where that clear! As I showed you, it's a name of a folder and no MAC address structure there, either splitted or in one string.

If you passed by any additional tips please let me know (2pieces *at* gmail). I highly appreciate your answer though, you Helped me a lot!
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Website monitoring 3 571
how can you see .lnk files 10 1,294
Filtering exchange audit log 6 554
Need public domain images 7 117
The foremost challenge encountered by an investigator at the very beginning of a forensics investigation is, accessing a file/data to read/view its contents. Owing to the fact, a platform is necessary for both; opening as well as examining any file.…
In this era, as you know, cybercrime and other sorts of frauds using the internet has increased day by day. We should protect our information assets and confidential information from getting exploiting by the attacker or intruders. Most of the fraud…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question