possible to prove that a PC has (or has not) ever been on any network?

bodywerk

Hi,

Is this information available in XP in a log file or event history?
In other words, is there any way to tell if a computer running XP has
ever been connected to any network (dial-up, LAN, wireless,...)?

A strange request I know, but thanks for any help!

BW
 
R. McCarty

Only by accessing the Internet with a browser which would likely leave
a trail of placed cookies in the Profile folder. Joining a Wireless network
using XP's native Zero Wireless would leave an entry in the Wireless
Network list. A LAN membership might leave TCP/IP data such as the
Gateway or DNS IP Address used for that LAN.
 
Big Al

R. McCarty said:
Only by accessing the Internet with a browser which would likely leave
a trail of placed cookies in the Profile folder. Joining a Wireless network
using XP's native Zero Wireless would leave an entry in the Wireless
Network list. A LAN membership might leave TCP/IP data such as the
Gateway or DNS IP Address used for that LAN.

I might add that the IE cache will have web pages and images etc. cached.
 
Robert Moir

bodywerk said:
Hi,

Is this information available in XP in a log file or event history?
In other words, is there any way to tell if a computer running XP has
ever been connected to any network (dial-up, LAN, wireless,...)?

A strange request I know, but thanks for any help!

Depending on the boundaries you're setting, it may be damn near impossible.
As Neil suggests, this could go down to specialist forensic stuff, but even
then this could only find proof that the computer had been connected to a
network; however, absence of this proof wouldn't be proof that it had not
been on the network.

For example -
"The event logs will show networking events" - The event logs can be cleared
very easily from the event viewer.

"The browser cache would show stuff if it had been on the Internet" - yes
but you can clear that.

"Isn't there some stuff left behind when you clear your browser history? I'm
sure I read something on slashdot about some foul Microsoft conspiracy to
eliminate the meal of "breakfast" that used this somehow!" - yes but the
residue can be cleaned up. If you can find out where to look then the person
hiding their tracks can find out where to clean.

"Forensic examination of the disk would still find the information" -
assuming it was on there, what if the hard disk had been changed since then,
or if the person connecting the computer to the web used a "Live Linux" CD
instead of the OS on the hard disk?

"If it was on the net, the network card's MAC address would be in a log
somewhere" - Most modern operating systems, network cards and network card
drivers allow you to change the MAC address of a device, and if that isn't
so then new network cards are not expensive these days.

Rob Moir
rhymeswithgeek.com
 
bodywerk

Thanks very much for all the ideas! Very interesting and useful. I
should add the following information: I'm not investigating somebody
who is trying to hide the fact that their PC has been connected to a
network, by covering their tracks. So, assuming this is the case (i.e.
nobody has deleted any histories or caches or events or files etc.),
can one simply determine somehow whether or not a PC running XP
(professional, SP2) has ever been on any network?

I have looked into this myself, I figured XP might store a history of
IPs, or ESTABLISHED connections (like in the netstat output), but I
can't find any such histories....

Thanks again guys :)
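
R. McCarty's point about leftover TCP/IP data can be checked offline from a registry export. The following is an added example, not part of the original thread: it parses a regedit-format export of the Tcpip interface keys and lists adapters that still carry DHCP lease data. The sample export is constructed, and treating 0.0.0.0 and 255.255.255.255 as "never assigned" and LeaseObtainedTime as Unix epoch seconds are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample in regedit export format; not taken from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-1111-1111-1111-111111111111}]
"DhcpIPAddress"="192.168.1.23"
"DhcpServer"="192.168.1.1"
"DhcpNameServer"="192.168.1.1"
"LeaseObtainedTime"=dword:45b8d580

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22222222-2222-2222-2222-222222222222}]
"DhcpIPAddress"="0.0.0.0"
"DhcpServer"="255.255.255.255"
"LeaseObtainedTime"=dword:00000000
'''
# Assumption: these placeholder values mean "nothing was ever assigned".
EMPTY = {"", "0.0.0.0", "255.255.255.255"}
ADDR_VALUES = ("DhcpIPAddress", "DhcpServer", "DhcpNameServer")
VALUE_RE = re.compile(r'"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg(text):
    """Return {key_path: {value_name: str or int}} for string and dword values."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, string, dword = m.groups()
            current[name] = string if dword is None else int(dword, 16)
    return keys

def network_evidence(text):
    """Map interface GUID -> findings that suggest the adapter once had a lease."""
    report = {}
    for path, values in parse_reg(text).items():
        if "\\Tcpip\\Parameters\\Interfaces\\{" not in path:
            continue
        found = [f"{n}={values[n]}" for n in ADDR_VALUES if values.get(n, "") not in EMPTY]
        lease = values.get("LeaseObtainedTime", 0)  # assumed Unix epoch seconds
        if lease:
            found.append("lease obtained " + datetime.fromtimestamp(lease, timezone.utc).isoformat())
        report[path.rsplit("\\", 1)[1]] = found
    return report

if __name__ == "__main__":
    for guid, found in network_evidence(SAMPLE_REG).items():
        print(guid, found or "no lease data recorded")
```

An empty list only means the export holds no lease data for that adapter; as Robert Moir notes above, that is not proof the machine was never on a network.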
 
