
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 752

Can't analyze image file of a PC for IP&MAC addresses

Hi,
I have an image of a Windows XP laptop. I want to list the network cards, IP addresses & MAC addresses used by that laptop.
I'm a newbie. I have FTK & a Paraben demo version, which works for a limited time.
I mounted the image so I can browse it as a directory, but I can't execute commands like "regedit" or any command-line command.
I'd really appreciate it if I can have the answer before the end of Friday 11 Feb. 2011.

Many thanks.
Asked by: techani7

2 Solutions
 
btan (Exec Consultant) commented:
Windows XP stores all the registry information inside various files; you do not necessarily need regedit. See this reference PDF
@ http://www.forensicfocus.com/downloads/windows-registry-quick-reference.pdf

You need to find the system files, e.g. system, system.alt, system.log, system.sav, and export them out of the image to do offline analysis.

For a listing of network cards, their ClassGuid = {4d36e972-e325-11ce-bfc1-08002be10318} is under HKLM\SYSTEM\CurrentControlSet\Control\Class. This subkey represents the class of network adapter devices that the system supports. Under this ClassGuid there are several further 4-digit numbered subkeys, which represent particular network adapters. The key values:
> "DriverDesc" value identifies the network adapter
> "NetCfgInstanceId" value identifies the GUID given to it by the system as the ID of the adapter
> "NetworkAddress" value identifies the MAC address

For the IP address, the "IPAddress" key value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<ID for adapter> @ http://support.microsoft.com/kb/314053

There are some tools for viewing the registry files @ http://newsgroup.xnview.com/viewtopic.php?f=38&t=17927

I understand that FTK has a Registry Viewer @ http://www.h11-digital-forensics.com/registry-viewer.php

Hope it is not too late
 
techani7 (Author) commented:
Brilliant reply! Thanks a million! One last thing: how can I figure out the MAC address from the value shown in the pic? Same goes for the IP address; I see similar results, not the regular IP address structure.

I attached a screenshot (FjegX.png).
 
btan (Exec Consultant) commented:
I did some manual checks on my machine; some clarifications below.

a) All the network-related adapters are listed under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions. Use the value of the desired card description to go straight to its main contents in HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} instead of searching through the various "XXXX" (which can be a lot).

b) For the MAC, the "NetworkAddress" you showed in the figure is not really the one I am referring to. I understand that it is a value straight under the four-digit subkeys. The other "NetworkAddress" is not significant, though. It is easier to find all the "NetworkAddress" entries and review the content under HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\XXXX, where XXXX is the four-digit subkey.

See this link @ http://www.windowsreference.com/networking/how-to-change-mac-address-in-windows-registry/

However, I did not manage to find this physical address (as shown in ipconfig /all) for the network adapter. If there is such an entry, it would potentially override it, or someone has used this to change the actual MAC. Sorry about the confusion. I tend to suspect that you may not find the MAC (unless there is such an entry) in the registry.

c) For the IP address, you can use the "NetCfgInstanceId" under HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\XXXX, which is the ID for the adapter. You should be able to find this ID under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces. Thereafter check out the "DhcpIPAddress" or related IPAddress entries (in the same subkey).

This user guide from AccessData can be useful
@ http://accessdata.com/media/en_us/print/manuals/Registry_Viewer_User_Guide.pdf
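The two answers above describe a manual walk: Class\{4d36e972-...}\XXXX for DriverDesc, NetCfgInstanceId and an optional NetworkAddress override, then Tcpip\Parameters\Interfaces\<NetCfgInstanceId> for the IP settings. The following PowerShell script automates that walk over a SYSTEM hive exported from the image. It is an added example written for this page, not code from the thread or from FTK/AccessData. It assumes (hypothetically) that the hive was copied out of the mounted image to C:\case\system and that the session is elevated; reg.exe load needs administrator rights and can write to the hive and its .LOG file, so always run it against a working copy, never the evidence image. An offline hive has no CurrentControlSet, so the script reads Select\Current to pick ControlSet00N, a step neither answer mentions; it also pulls the friendly connection name from Control\Network\{class GUID}\<NetCfgInstanceId>\Connection.

```powershell
# Added example: list network adapters and TCP/IP settings from an exported XP SYSTEM hive.
# Assumed, hypothetical inputs: a working COPY of the hive at C:\case\system, elevated session.
$HivePath = 'C:\case\system'
$Mount    = 'HKLM\XPSYS'      # temporary key name for reg.exe
$Root     = 'HKLM:\XPSYS'     # the same key as a PowerShell registry drive path
$NetClass = '{4d36e972-e325-11ce-bfc1-08002be10318}'   # network adapter class GUID from the thread

& reg.exe load $Mount $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed: run elevated and check the hive path" }

try {
    # Offline hives have no CurrentControlSet; Select\Current holds the number of the last-used one.
    $current = (Get-ItemProperty "$Root\Select").Current
    $cs      = '{0}\ControlSet{1:D3}' -f $Root, $current

    $classKey = "$cs\Control\Class\$NetClass"
    $adapters = foreach ($sub in Get-ChildItem $classKey) {
        $p = Get-ItemProperty $sub.PSPath
        # The 'Properties' subkey and filter drivers carry no NetCfgInstanceId; skip them.
        if (-not $p.NetCfgInstanceId) { continue }
        $guid = $p.NetCfgInstanceId

        # Friendly name such as "Local Area Connection" (absent for some virtual adapters).
        $conn = Get-ItemProperty "$cs\Control\Network\$NetClass\$guid\Connection" -ErrorAction SilentlyContinue
        # TCP/IP settings are keyed by the same GUID. IPAddress, SubnetMask and DefaultGateway are
        # REG_MULTI_SZ (arrays); IPAddress is typically 0.0.0.0 when EnableDHCP = 1, in which case
        # DhcpIPAddress holds the leased address.
        $ip = Get-ItemProperty "$cs\Services\Tcpip\Parameters\Interfaces\$guid" -ErrorAction SilentlyContinue

        [pscustomobject]@{
            SubKey           = $sub.PSChildName
            DriverDesc       = $p.DriverDesc
            Connection       = $conn.Name
            NetCfgInstanceId = $guid
            # NetworkAddress is the override value discussed in the thread, not the burned-in MAC;
            # when it is empty the adapter used its hardware address.
            NetworkAddress   = $p.NetworkAddress
            EnableDHCP       = $ip.EnableDHCP
            DhcpIPAddress    = $ip.DhcpIPAddress
            DhcpServer       = $ip.DhcpServer
            IPAddress        = ($ip.IPAddress -join ', ')
            SubnetMask       = ($ip.SubnetMask -join ', ')
            DefaultGateway   = ($ip.DefaultGateway -join ', ')
        }
    }
    $adapters | Format-List
}
finally {
    [GC]::Collect()                       # drop handles PowerShell still holds, or unload fails
    & reg.exe unload $Mount | Out-Null
}
```

Run it once per ControlSet if the LastKnownGood set (Select\LastKnownGood) differs from Current, since an adapter that was removed before the last boot may only survive there. The script deliberately reports only what the SYSTEM hive contains: a populated NetworkAddress is evidence that the MAC was overridden, while an empty one means the hardware address is not recorded in these keys, which matches what the second answer found.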
 
techani7 (Author) commented:
Thanks mate! I couldn't solve it, but you helped me BIG TIME! I appreciate your time and effort. I still have to find out how to find the MAC address & the IP address, because I couldn't find them ANYWHERE... and believe me, I analyzed a lot. The first link you added actually isn't correct in my case; there's NEVER been a file with the "NetworkAddress" name. I wish things were that clear! As I showed you, it's the name of a folder, and there's no MAC address structure there, either split up or in one string.

If you come across any additional tips, please let me know (2pieces *at* gmail). I highly appreciate your answer, though; you helped me a lot!
