REVIEWED by Sophos
This might be a little out there but you could look to locate all devices in the same physical location or had been in the same physical location or gather some data to locate a device should it be stolen.
Windows maintains a list of wireless networks under the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
It stores the following values we might be able to use:
- Description - SSID
- DateCreated - When the computer first connected to the network
- DateLastConnected - When the computer last connected to the network
Sadly, for ease of use, these two timestamp values are in a binary structure. To decode into something more meaningful, these need to be broken into 4 bytes. Each is in little-endian and corresponds to the: Year, Month, Weekday, Day, Hour, Minutes, Seconds, Thousands of a second. As a working example of converting these binary stored values:
Year, Month, Weekday, Day, Hour, Minutes, Seconds, Thousands
E1 07 09 00 03 00 1B 00 09 00 0E 00 30 00 9E 01 (The reg value)
E107 0900 0300 1B00 0900 0E00 3000 9E01 (Little-endian)
07E1 0009 0003 001B 0009 000E 0030 01E9 (Hex)
2017 9 3 27 09 14 48 489 (dec)
So the timestamp in question is the 3rd Sep 2017 at 09:14:48.489 UTC.
The most basic query to get a list of SSIDs might be:
select data as SSIDs from registry where path like 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\%\Description';
The data could be then exported, imported into Exel and pivoted into a form to reveal the devices where x percentage of networks overlap.
Of course, there is also the sophos_registry_journal table for reg events over time as well to draw upon.
It is also possible to map the public IP of a device back to an approximate location to narrow the net if needed.
Something to think about at a pinch.
Jak
