WiFi Profile Registry
Windows stores every SSID a machine has connected to under HKLM, along with connection timestamps and MAC address of the AP — strong location evidence.
Where to find it
Default filesystem paths and registry locations. Collect these with your preferred live-response or disk-image tooling.
- $HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\
- $HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\
Forensic significance
Common scenarios in which this artifact becomes decisive evidence.
- Laptop stolen in X city — did it connect to hotel WiFi en route?
- Establishing which networks a compromised workstation trusts
- Correlating travel with wireless beacons
MITRE ATT&CK mapping
Techniques this artifact can help detect or substantiate. Click a technique to view the official MITRE entry.
Tools that parse it
unJaena AI and other DFIR tools commonly used to extract evidence from this artifact.
Related artifacts
Android WiFi History
WifiConfigStore.xml and netpolicy.xml record every network the device connected to, including SSID, BSSID (MAC), and encryption type — strong location inference.
macOS Bluetooth plist
System Bluetooth configuration plist records paired devices with their MAC address, display name, device type, and last seen / last connected timestamps.
Shell Bags
Windows Explorer view preferences recorded per-folder in UsrClass.dat. Shell Bags prove a user navigated to a folder, even after the folder or attached volume is long gone.
Amcache.hve
Compatibility database introduced in Windows 8 that records every PE file executed on the system, including SHA-1 hash, full path, publisher, and first-seen timestamp.
Stop parsing artifacts by hand
unJaena AI ingests disk images, live-response output, and mobile backups, then automatically correlates every artifact on this page — and 200+ more — into an investigator-ready timeline.
Try unJaena AI →