Given an artifact from KAPE output, my task is to find and analyze anything related to Wi-Fi.
Path in KAPE output:
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx
Use EvtxECmd and Timeline Explorer to parse all the event logs and view them in a GUI application:
.\EvtxECmd.exe -d ~\Desktop\logs\ --csv ~\Desktop\
I found several pieces of information regarding the network connection:
- Timestamp
- Connection mode
- SSID
- Adapter model
I tried to find the BSSID (MAC address) of the access point in the event logs but could not. After a while of digging, I found it in the SOFTWARE registry under NetworkList.
Reviewing Wi-Fi profiles:
.../KAPEOUT/C/ProgramData/Microsoft/Wlansvc/Profiles/Interfaces/{18C11DBD-93AB-4CA9-A804-4F4475DA25B8}/