Approved

Live Discover Query - Location

  REVIEWED by Sophos 

This might be a little out there but you could look to locate all devices in the same physical location or had been in the same physical location or gather some data to locate a device should it be stolen.

Windows maintains a list of wireless networks under the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

It stores the following values we might be able to use:

  • Description - SSID
  • DateCreated - When the computer first connected to the network
  • DateLastConnected - When the computer last connected to the network

Sadly, for ease of use, these two timestamp values are in a binary structure. To decode into something more meaningful, these need to be broken into 4 bytes. Each is in little-endian and corresponds to the: Year, Month, Weekday, Day, Hour, Minutes, Seconds, Thousands of a second. As a working example of converting these binary stored values:

Year, Month, Weekday, Day, Hour, Minutes, Seconds, Thousands

E1 07 09 00 03 00 1B 00 09 00 0E 00 30 00 9E 01  (The reg value)

E107  0900  0300  1B00  0900  0E00  3000  9E01   (Little-endian)

07E1  0009  0003  001B  0009  000E  0030  01E9   (Hex)

2017     9     3    27    09    14    48  489    (dec)

So the timestamp in question is the 3rd Sep 2017 at 09:14:48.489 UTC.

The most basic query to get a list of SSIDs might be: 

select data as SSIDs from registry where path like 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\%\Description';

The data could be then exported, imported into Exel and pivoted into a form to reveal the devices where x percentage of networks overlap.

Of course, there is also the sophos_registry_journal table for reg events over time as well to draw upon. 

It is also possible to map the public IP of a device back to an approximate location to narrow the net if needed.

Something to think about at a pinch.

Jak