The other day I came across an interesting question: "how can I tell when the computer had internet access or not?" My first thought was that you could look at when Windows connected to various wireless networks. The reasoning was that it's almost unheard of for a wireless network not to have internet access, and connecting to a wireless network that doesn't have internet seems almost pointless. However, what if the computer is connected via ethernet? We could look at event logs showing when the computer got an IP address, and some other logs, to determine when the computer was plugged into the network. But that still does not answer the question of when internet was available.
I had to think for a while, and what I remembered was that the task bar has an icon for network connectivity, which is supposed to tell you if/when you are connected to the network and the status of it. I also remembered that when you don't have internet access the icon changes from a normal connection icon to one with a yellow yield sign over it. When this happens, Windows has determined that you no longer have access to the internet. That got me thinking: Windows logs a lot of things, and it might just make an entry for when it detected the internet was no longer available. I was right.
The logs that you want to look for are buried here:
Applications and Services Logs/
You will want to filter to just Event ID 55. Once you have these events you'll notice they use plain language and state very clearly "Is the internet available: true" (or false).
According to an article by Ed Bott at ZDNet, Windows checks about every 15 minutes for telemetry data and information to send back to Microsoft. However, this detection of internet status does not appear to follow that time delay. In my testing in my Win10 VM, the log entry showed up immediately under all of my tests below:
- In the Win10 VM menu, I disconnected the network adapter. This change was noticed by the utcsvc, and a log entry was made saying the internet was not available.
- In the Win10 VM menu, I reconnected the network adapter, and a similar entry populated almost immediately stating the internet was back.
- On my Macbook Pro, I disabled my Wi-Fi, and observed the Win10 VM logged yet another entry that the internet was no longer available.
- On my Macbook Pro, I re-enabled the Wi-Fi and as expected, the Win10 VM detected internet was back and made the appropriate log entries.
As I am still a student working towards my DFIR degree, I am not fully aware of how useful this information is to an analyst, but here are my thoughts.
- There may be a case where a user is identified as having used their computer to attack, or attempt to gain access to, a remote system via the internet. An argument could be made that the user is a victim of MAC spoofing and that, at the time the user is accused of performing the actions, the machine was offline. Looking at these event logs would (reliably, as far as my testing has shown) determine whether the internet was or was not available and therefore prove or disprove the claim against the user. I do also know that there would be a stack of evidence elsewhere on the system to show data transfers, cache files, browser histories, etc… I am simply stating that it could be used to add information to the report.
- Another case actually came up during my tenure at a schoolhouse, where the students are given laptops to perform their school functions. They are also instructed that they are not allowed to use any Wi-Fi networks other than the one provided for the students. The staff do have their own private, password-protected network that they use. When the students are taking their exams, student access to the internet is turned off so they cannot reach the internet (to prevent googling answers). If a student were suspected of cheating, I could quickly look at this log (remotely) and determine whether the user had internet connectivity or not, without even having to interface with the physical laptop. Nor would I have to dig through browser history, compare timestamps, and hope that new cache files were created during their browsing events.
If time permits, I will write a python or powershell script that will pull all the event 55 entries from that log to make life easier for you. If you’re interested in looking at any of my past programming projects, please check my GitHub.
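As an added illustration (my own example code, not the script promised above or anything from the author's GitHub), here is a small Python tool that takes an export of Event ID 55 entries and turns them into a timeline of online/offline windows, then answers the forensic question from the two cases above: was the internet available at a given moment? The input format is an assumption: a CSV with TimeCreated, Id and Message columns, as you would get from `Get-WinEvent ... | Select-Object TimeCreated, Id, Message | Export-Csv`, with the timestamps written in ISO 8601. The sample rows are constructed, not real log data, and the log channel is assumed to be the Universal Telemetry Client operational log (the utcsvc mentioned above). The script goes slightly beyond the post by collapsing repeated same-state entries and by reporting "unknown" for any time before the first surviving entry, which matters when the log has rolled over.

```python
import csv
import io
import re
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample export (not real log data). The shape is an assumption:
# Get-WinEvent -FilterHashtable @{LogName='<assumed UTC operational channel>'; Id=55} |
#     Select-Object TimeCreated, Id, Message | Export-Csv -NoTypeInformation
# with TimeCreated written as ISO 8601 UTC. The Id=12 row stands in for an
# unrelated event that a sloppy export might include; it must be ignored.
SAMPLE_CSV = """\
"TimeCreated","Id","Message"
"2021-03-01T09:00:00Z","55","Is the internet available: true"
"2021-03-01T09:30:00Z","55","Is the internet available: false"
"2021-03-01T09:31:00Z","55","Is the internet available: false"
"2021-03-01T10:15:00Z","55","Is the internet available: true"
"2021-03-01T11:00:00Z","12","Some unrelated telemetry event"
"2021-03-01T12:00:00Z","55","Is the internet available: false"
"""

# The plain-language message the post describes; match is case-insensitive.
MSG_RE = re.compile(r"Is the internet available:\s*(true|false)", re.IGNORECASE)

Event = Tuple[datetime, bool]          # (time of the entry, internet available?)
Window = Tuple[datetime, Optional[datetime], bool]  # [start, end) and state


def parse_events(csv_text: str) -> List[Event]:
    """Keep only Event ID 55 rows whose message carries the true/false verdict."""
    events: List[Event] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Id"].strip() != "55":
            continue
        m = MSG_RE.search(row["Message"])
        if not m:
            continue
        ts = datetime.fromisoformat(row["TimeCreated"].replace("Z", "+00:00"))
        events.append((ts, m.group(1).lower() == "true"))
    events.sort(key=lambda e: e[0])   # exports are not guaranteed to be ordered
    return events


def build_windows(events: List[Event]) -> List[Window]:
    """Collapse the entries into online/offline windows.

    A repeated same-state entry does not open a new window; the last window is
    open-ended (end=None) because nothing in the log says when it closed.
    """
    windows: List[Window] = []
    for ts, online in events:
        if windows and windows[-1][2] == online:
            continue
        if windows:
            start, _, state = windows[-1]
            windows[-1] = (start, ts, state)   # close the previous window
        windows.append((ts, None, online))
    return windows


def internet_available_at(events: List[Event], when: datetime) -> Optional[bool]:
    """State recorded at `when`; None if `when` precedes the first entry.

    Returning None rather than False is deliberate: before the earliest
    surviving entry (e.g. after the log rolled over) the state is unknown,
    and reporting it as "offline" would be an unsupported conclusion.
    """
    state: Optional[bool] = None
    for ts, online in events:
        if ts <= when:
            state = online
        else:
            break
    return state


def describe_timeline(csv_text: str) -> List[str]:
    """Human-readable one line per window, for dropping into a report."""
    lines = []
    for start, end, online in build_windows(parse_events(csv_text)):
        end_txt = end.isoformat() if end else "(still open at end of log)"
        lines.append(f"{start.isoformat()} -> {end_txt}: {'ONLINE' if online else 'OFFLINE'}")
    return lines


if __name__ == "__main__":
    for line in describe_timeline(SAMPLE_CSV):
        print(line)
    probe = datetime(2021, 3, 1, 9, 45, tzinfo=timezone.utc)
    print("internet at", probe.isoformat(), "->", internet_available_at(parse_events(SAMPLE_CSV), probe))
```

The key point for evidentiary use is the None case: the log can only speak for the period it covers, so an accusation that falls before the first surviving Event ID 55 entry cannot be confirmed or refuted from this source alone, and you would fall back on the other artifacts the post mentions.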
I hope that you found this article useful, or at least informative. If you did, please follow and let me know via twitter @Mr_Hobbits.