NETWORKING
The NETWORKING plugin gets network interface and DHCP related information. The output of this plugin and is split into three parts. Each is explained below along with the corresponding file that is parsed. There are many places where artifacts are pulled from. See below for details.
| Artifact | File Path |
|---|---|
| Interface | /Library/Preferences/SystemConfiguration/preferences.plist |
| Connected Interfaces | /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist |
| IPAddress | /private/var/db/dhcpclient/DUID_IA.plist |
| DHCP Leases | /private/var/db/dhcpclient/leases/en1-1,xx:xx:xx:xx:xx:xx |
This plugin does not support standalone mode.
$ python mac-apt.py -x -o ~/Case_Output E01 ~/Acquisition.E01 NETWORKING
| Field Name | Notes |
|---|---|
| Interface | Name of Interface |
| MAC_Address | Interface's MAC address |
| IPAddress | Interface's IPv4 address |
| LeaseLength | Length of lease-time (in seconds) |
| LeaseStartDate | Start date/time of lease |
| PacketData | Data stored as "Packet Data" (in hexadecimal) |
| RouterHardwareAddress | MAC address of router |
| RouterIPAddress | IP address of router |
| SSID | SSID of wireless network connected to this interface |
| Source | Source file from which DHCP information was retrieved |
| Field Name | Notes |
|---|---|
| Category | Category of device; should be "INTERFACE" |
| Active | (Boolean) Whether or not that device is currently active |
| BSD Name | BSD/interface name |
| IOBuiltin | (Boolean) If the interface is currently active, whether or not the IO interface is built-in |
| IOInterfaceNamePrefix | Prefix to the IO interface |
| IOInterfaceType | Type of network interface that this interface represents (common 6 is Ethernet, reference bsd/net/if_types.h for full list of other IO Interface Types) |
| IOInterfaceUnit | The unit number assigned to the interface object |
| IOMACAddress | MAC address of the interface |
| IOPathMatch | Path of the interface |
| SCNetworkInterfaceInfo | User-defined name of interface |
| SCNetworkInterfaceType | Type associated with the interface |
| Source | Source file from which interface information was retrieved |
| Field Name | Notes |
|---|---|
| UUID | Universally Unique Identifier of the associated interface |
| IPv4.ConfigMethod | Method used to configure IPv4 address. Can be configured with DHCP (Dynamic Host Configuration Protocol) or PPP (Point-to-Point Protocol) |
| IPv6.ConfigMethod | Method used to configure IPv6 address. Can be configured with DHCP (Dynamic Host Configuration Protocol) or PPP (Point-to-Point Protocol) |
| DeviceName | Name of the interface device |
| Hardware | Hardware type associated with interface |
| Type | Type of interface |
| SubType | Sub-Type of interface (if applicable) |
| UserDefinedName | User-Defined Name of interface |
| Proxies.ExceptionsList | Exceptions listed to the proxy (such as hosts or IPs) |
| SMB.NetBIOSName | NetBIOS name associated with service (if applicable) within a Server Message Block |
| SMB.Workgroup | Workgroup to which the service belongs (if applicable) within a Server Message Block |
| PPP | Parameters or other information pertaining to Peer-to-Peer Protocol (PPP) (if applicable) |
| Modem | Parameters or other information pertaining to Modem configuration (if applicable) |
| Source | Source file from which Network Details were retrieved |
Each item listed below is an individual sheet/table. All are included when running this plugin.
*Incomplete output.