
System Configuration: Network Artifacts & Filesystem Timestamps

  • Mar 28, 2024
  • 4 min read

Updated: 4 days ago


There's a moment in every good investigation where the evidence stops being abstract and starts being geographic.

Not just "this file was opened" — but "this laptop was sitting in an airport in Utah on a Tuesday afternoon, connected to a specific access point, and here's the MAC address to prove it."

That moment is made possible by a surprisingly rich collection of registry artifacts that Windows quietly accumulates every time a network cable gets plugged in, a Wi-Fi password gets entered, or a VPN tunnel gets established. Combined with filesystem timestamp settings that tell you whether you can trust your access times at all, this is where device forensics gets genuinely cinematic.


Let's start with a setting that trips up more analysts than it should.


----------------------------------------------------------------------------------------------------

NTFS Last Access Timestamps: Trust Issues

Every file on an NTFS volume carries a Last Access timestamp.


  • In theory, this tells you the last time someone opened or read that file.

  • In practice, it's considerably more complicated — and on most modern Windows systems, it's not being updated at all.


Microsoft quietly disabled Last Access timestamp updates starting with Windows Vista, specifically for NTFS volumes, citing performance concerns. Every file read triggering a disk write just to update a timestamp adds up across millions of operations. So they turned it off.


The catch: this only applies to NTFS.

ExFAT and FAT volumes still update Last Access timestamps normally. Which means your assumption about whether this timestamp is meaningful depends entirely on what filesystem you're looking at — and what the registry says about the current setting.





----------------------------------------------------------------------------------------------------


Network Interfaces: Mapping Where a Device Has Been

Here's a thought experiment.

You have a laptop from a suspect. You don't have their travel records, their hotel receipts, or their phone. Can you still place that device in a specific location?

Often, yes.

Windows records network interface configuration under

SYSTEM\<CurrentControlSet>\Services\Tcpip\Parameters\Interfaces.

Every network adapter on the machine — physical Ethernet cards, Wi-Fi adapters, VPN tunnels, virtual machine adapters — gets its own subkey here, named by a globally unique identifier (GUID).

Inside each subkey: IP addresses used, DHCP settings, lease times, and connected domain information.

That last one is quietly powerful. Network domain names often reveal a provider and region.

  • An IP address might sit in a publicly geo-locatable range.

  • A DHCP lease time can bracket when the device was on a specific network.

Put it all together and you can sometimes place a laptop in a coffee shop in a specific city on a specific afternoon — without a single witness.


Starting with Windows 8, some adapters generate child subkeys of their own, preserving historical connection data across multiple sessions with the same adapter.

The most recent connection lives in the primary Interface key; previous connections sit in the subkeys beneath it.

To identify which GUIDs correspond to actual physical hardware (as opposed to VPN or virtual adapters), cross-reference with:

SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

Match the GUID using the ServiceName value and you'll know exactly what physical device made those connections.


--------------------------------------------------------------------------------------------------------

Network Location Awareness: The Accidental Forensic Goldmine

Here's a beautiful example of a feature built entirely for user convenience that became one of the most forensically useful artifacts in Windows.


Network Location Awareness (NLA) was introduced in Vista to solve a simple problem:


how does Windows know whether you're on a safe corporate network or a sketchy airport hotspot, so it can apply the right firewall rules?

The answer: it remembers every network it's ever connected to and stores a profile for each one.

For Windows, this is a security feature. For forensic analysts, it's a travel log.


Every time a device connects to a new network, Windows creates a profile under:

SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\

...organized into two buckets:

  • Managed (corporate domain networks)

  • Unmanaged (everything else — home networks, hotel Wi-Fi, coffee shops, airports).

The profile stores the DNS suffix, the SSID, and — critically — the gateway MAC address of the access point.

That MAC address is something special. It can be fed into databases like Wigle to physically geo-locate the access point. In many cases, you can determine not just which city a device was in, but which specific building or street.


--------------------------------------------------------------------------------------------------------


Connecting the Dots: The Three-Key Network Investigation

Network profiling in the registry isn't a single-key lookup. It's a three-stop investigation where each key hands you something the others can't provide on their own.


  • The Interfaces key tells you what IP addresses and network domains a specific adapter used, and gives you DHCP lease windows to bracket timing.

  • The Signatures key tells you the identity of each network — the name, the wireless SSID, and the gateway MAC address you can use for physical geolocation.

  • The Profiles key tells you the timing — when the device first connected to that network, and the last time it came back.


The ProfileGUID value is the thread that ties the Signatures and Profiles keys together. Find the network you care about in Signatures, grab its ProfileGUID, and look for the matching subkey in Profiles to get the timestamps.
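As an added illustration (not code from the original post, and not Registry Explorer's plugin), here is the Signatures-to-Profiles join in Python, including the decoding of the 16-byte SYSTEMTIME blobs that DateCreated and DateLastConnected are stored as. The key and value names are the real ones; the GUIDs, hashes and timestamps are constructed sample data standing in for what an offline hive parser would return, and the NameType labels assume the IANA ifType numbering (6 Ethernet, 23 PPP, 71 802.11).

```python
import struct
from datetime import datetime

def systemtime(year, month, day, hour, minute, second):
    # Build a REG_BINARY SYSTEMTIME blob: 8 little-endian uint16 fields
    # (year, month, day-of-week, day, hour, minute, second, milliseconds).
    return struct.pack("<8H", year, month, 0, day, hour, minute, second, 0)

def decode_systemtime(blob):
    # Inverse of the above; this is the format of DateCreated/DateLastConnected.
    y, mo, _dow, d, h, mi, s, ms = struct.unpack("<8H", blob)
    return datetime(y, mo, d, h, mi, s, ms * 1000)

# Constructed sample values standing in for what a hive parser returns from
# NetworkList\Signatures\Unmanaged\<hash> and NetworkList\Profiles\<GUID>.
WIFI_GUID = "{11111111-2222-3333-4444-555555555555}"
VPN_GUID = "{66666666-7777-8888-9999-000000000000}"
SIGNATURES = {
    "sig-hash-A": {"ProfileGuid": WIFI_GUID, "Description": "AirportWiFi", "DnsSuffix": "",
                   "FirstNetwork": "AirportWiFi", "DefaultGatewayMac": bytes.fromhex("001122aabbcc")},
    "sig-hash-B": {"ProfileGuid": VPN_GUID, "Description": "Corp VPN", "DnsSuffix": "corp.example",
                   "FirstNetwork": "", "DefaultGatewayMac": bytes.fromhex("000000000000")},
    "sig-hash-C": {"ProfileGuid": "{orphan}", "Description": "Stale", "DnsSuffix": "",
                   "FirstNetwork": "Stale", "DefaultGatewayMac": bytes.fromhex("deadbeef0001")},
}
PROFILES = {
    WIFI_GUID: {"ProfileName": "AirportWiFi", "NameType": 71,
                "DateCreated": systemtime(2024, 3, 12, 14, 5, 0),
                "DateLastConnected": systemtime(2024, 3, 12, 16, 40, 3)},
    VPN_GUID: {"ProfileName": "Corp VPN", "NameType": 23,
               "DateCreated": systemtime(2024, 3, 13, 9, 0, 0),
               "DateLastConnected": systemtime(2024, 3, 20, 18, 30, 0)},
}
NAME_TYPES = {6: "wired", 23: "ppp/VPN", 71: "wireless"}  # assumed IANA ifType values

def known_networks(signatures, profiles):
    # Join Signatures to Profiles on ProfileGuid, as the three-key investigation
    # describes. A signature whose profile is missing has no timestamps to offer.
    rows = []
    for sig in signatures.values():
        prof = profiles.get(sig["ProfileGuid"])
        if prof is None:
            continue
        rows.append({
            "network": sig["FirstNetwork"] or sig["Description"],
            "dns_suffix": sig["DnsSuffix"],
            "gateway_mac": ":".join(f"{b:02x}" for b in sig["DefaultGatewayMac"]),
            "type": NAME_TYPES.get(prof["NameType"], f"unknown({prof['NameType']})"),
            "first_connected": decode_systemtime(prof["DateCreated"]),
            "last_connected": decode_systemtime(prof["DateLastConnected"]),
        })
    return sorted(rows, key=lambda r: r["first_connected"])
```

Filtering the returned rows on "type" or exporting "gateway_mac" reproduces the sort-by-NameType and MAC-export workflows described for the Known Networks plugin.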

Registry Explorer's "Known Networks" plugin does all of this correlation automatically — pulling from all three key locations, converting timestamps, and presenting the complete picture in a single sortable, filterable table.

It's the kind of feature that saves hours. You can filter by NameType to isolate every VPN connection the device ever made, sort by DateCreated to find new networks that appeared during the investigation window, or export the MAC addresses directly for Wigle geo-location queries.


--------------------------------------------------------------------------------------------------------

Keys to remember

Registry Details: NLA-related information is primarily stored in the Windows Registry under specific locations:


  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList

  • SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged

  • SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed


Historical data, including connection times, can be found under the Cache key:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache


--------------------------------------------------------------------------------------------------------

The Wrong Machine Problem

Here's a real scenario.

An organization notifies the investigators of a compromised machine and ships them a hard drive. After all the careful network profiling work, the IP addresses don't match what was seen during the incident.

The sysadmins seized the wrong machine. Or maybe not accidentally.

Documenting the hostname and IP address information early in an investigation doesn't just help your case. It protects you. It ensures you're analyzing what you're authorized to analyze, and it catches mistakes — deliberate or otherwise — before you spend days going in the wrong direction.

The registry will tell you exactly what machine you're looking at. Listen to it early.

--------------------------------------------------------------------------------------------------------

Dean
