

Can't analyze image file of a PC for IP&MAC addresses

Posted on 2011-02-10
Last Modified: 2012-05-11
I have an image of a Windows XP laptop. I want to list the network cards, IP addresses and MAC addresses used by that laptop.
I'm a newbie; I have FTK and a Paraben demo version which works for a limited time.
I mounted the image so I can browse it as a directory, but I can't execute commands like "regedit" or any command-line command.
I'd really appreciate it if I could have the answer before the end of Friday, 11 Feb. 2011.

Many thanks.
Question by:techani7

Accepted Solution

btan earned 1000 total points
ID: 34877368
Windows XP stores all the registry information inside various files, so you do not necessarily need regedit; see this reference PDF
@ http://www.forensicfocus.com/downloads/windows-registry-quick-reference.pdf

You need to find the system files, e.g. system, system.alt, system.log, system.sav, and export them out of the image to do offline analysis.

For the listing of network cards, their ClassGuid = {4d36e972-e325-11ce-bfc1-08002be10318} under HKLM\SYSTEM\CurrentControlSet\Control\Class. This subkey represents the class of network adapter devices that the system supports. Under this ClassGuid there are several further four-digit numbered subkeys, which represent particular network adapters. The key values:
> "DriverDesc" value identifies the network adapter
> "NetCfgInstanceId" value identifies the GUID given to it by the system as the ID of the adapter
> "NetworkAddress" value identifies the MAC address

For the IP address, the "IPAddress" key value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<ID for Adapter> @ http://support.microsoft.com/kb/314053

There are some tools for viewing the registry files @ http://newsgroup.xnview.com/viewtopic.php?f=38&t=17927

I understand that FTK has a Registry Viewer @ http://www.h11-digital-forensics.com/registry-viewer.php

Hope it is not too late

Author Comment

ID: 34880074
Brilliant reply! Thanks a million! One last thing: how can I figure out the MAC address from this value shown in the pic? Same goes for the IP address; I see similar results, not the regular IP address structure.

I attached a screenshot. FjegX.png

Assisted Solution

btan earned 1000 total points
ID: 34881594
I did some manual checks on my machine; some clarifications below.

a) All the network-related adapters are listed under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions. Use the value of the desired card description to go straight to its main contents in HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} instead of searching through the various "XXXX" (which can be a lot).

b) For the MAC, the "NetworkAddress" you showed in the figure is not really the one I am referring to. I understand that it is a value straight under the four-digit subkeys. The other "NetworkAddress" does not have any significance, though. It is easier to find all the "NetworkAddress" entries and review the content under HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\XXXX, where XXXX is the four-digit subkey.

See this link @ http://www.windowsreference.com/networking/how-to-change-mac-address-in-windows-registry/

However, I did not manage to find this physical address (as shown in ipconfig /all) for the network adapter. If there is such an entry, it would potentially override it, or someone has used this to change the actual MAC. Sorry about the confusion. I tend to suspect that you may not find the MAC (unless there is such an entry) in the registry.

c) For the IP address, you can use the "NetCfgInstanceId" under HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\XXXX, which is the ID for the adapter. You should be able to find this ID under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces. Thereafter check the "DhcpIPAddress" or related IPAddress entries (in the same subkey).

This user guide from AccessData can be useful
@ http://accessdata.com/media/en_us/print/manuals/Registry_Viewer_User_Guide.pdf
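The procedure from the accepted answer and its follow-up (export the SYSTEM hive, walk Control\Class\{4d36e972-...}\XXXX for DriverDesc / NetCfgInstanceId / NetworkAddress, then look the same GUID up under Tcpip\Parameters\Interfaces), as an added worked example that is not part of the original thread and not code from FTK, Paraben or AccessData. It runs on an examiner's Windows workstation from an elevated PowerShell 3+ prompt and uses reg.exe to load the exported hive as a temporary key. The hive path C:\case\system and the temporary key name XPSYSTEM are assumptions; adjust them. Two practitioner caveats are built in: an offline hive has no CurrentControlSet link, so the live control set has to be read from the Select key, and NetworkAddress is only an operator-set MAC override, so its absence (the questioner's situation) does not mean the adapter has no MAC, merely that the burned-in address is not recorded in this hive.

```powershell
# Added example (not from the original thread). Lists network adapters and their
# TCP/IP settings from an OFFLINE Windows XP SYSTEM hive that was copied out of
# the image. Run elevated; reg.exe writes to the file it loads, so use a copy.
param(
    [string]$HivePath = 'C:\case\system',   # assumed: exported copy of WINDOWS\system32\config\system
    [string]$Mount    = 'XPSYSTEM'          # assumed: free temporary subkey name under HKLM
)

$NetClass = '{4d36e972-e325-11ce-bfc1-08002be10318}'   # network adapter device class GUID

& reg.exe load "HKLM\$Mount" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg load failed: run elevated, and point -HivePath at a writable copy of the hive"
}

try {
    # No CurrentControlSet in an offline hive: Select\Current names the ControlSet00N that was live.
    $current = (Get-ItemProperty "HKLM:\$Mount\Select").Current
    $cs      = "HKLM:\$Mount\ControlSet{0:D3}" -f $current

    $classKey = "$cs\Control\Class\$NetClass"                 # DriverDesc, NetCfgInstanceId, NetworkAddress
    $connKey  = "$cs\Control\Network\$NetClass"               # {GUID}\Connection\Name ("Local Area Connection")
    $ifKey    = "$cs\Services\Tcpip\Parameters\Interfaces"    # {GUID} -> IP settings

    Get-ChildItem $classKey |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |    # only the four-digit adapter subkeys
        ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if (-not $p.NetCfgInstanceId) { return }          # filters/miniports without an instance GUID
            $guid = $p.NetCfgInstanceId

            $conn = Get-ItemProperty "$connKey\$guid\Connection" -ErrorAction SilentlyContinue
            $ip   = Get-ItemProperty "$ifKey\$guid"            -ErrorAction SilentlyContinue

            # Static gateway and DHCP-assigned gateway are separate REG_MULTI_SZ values.
            $gw = @($ip.DefaultGateway) + @($ip.DhcpDefaultGateway) | Where-Object { $_ }

            [pscustomobject]@{
                Index        = $_.PSChildName
                DriverDesc   = $p.DriverDesc
                Connection   = $conn.Name
                InstanceGuid = $guid
                # NetworkAddress is a MAC *override* an operator can set; usually absent.
                # The burned-in MAC is not stored here, so empty != "no MAC".
                MacOverride  = $p.NetworkAddress
                EnableDHCP   = $ip.EnableDHCP
                StaticIP     = (@($ip.IPAddress) -join ',')    # REG_MULTI_SZ; "0.0.0.0" when DHCP is on
                DhcpIP       = $ip.DhcpIPAddress
                DhcpServer   = $ip.DhcpServer
                Gateway      = ($gw -join ',')
            }
        } | Format-Table -AutoSize
}
finally {
    # The registry provider keeps handles open; release them first or unload fails with "Access is denied".
    [gc]::Collect()
    & reg.exe unload "HKLM\$Mount" | Out-Null
}
```

Run it as `.\xp-netconfig.ps1 -HivePath D:\export\system` (script name assumed). Each row pairs one adapter from the Class key with the TCP/IP interface of the same NetCfgInstanceId; the DHCP lease data (DhcpIP, DhcpServer) is what usually answers "which IP did this laptop have", while StaticIP only carries a real address when EnableDHCP is 0. For a MAC, rely on other artifacts of the image (for example the DHCP client's own records or network capture evidence) rather than on this hive unless NetworkAddress is set.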

Author Closing Comment

ID: 34909607
Thanks mate! I couldn't solve it, but you helped me BIG TIME! I appreciate your time and effort. I still have to find out how to find the MAC address and the IP address, because I couldn't find them ANYWHERE... and believe me, I analyzed a lot. The first link you added actually isn't correct in my case; there has NEVER been a file with the "NetworkAddress" name. I wish things were that clear! As I showed you, it's the name of a folder and there is no MAC address structure there, either split up or in one string.

If you come across any additional tips please let me know (2pieces *at* gmail). I highly appreciate your answer though; you helped me a lot!
