Evidence: Wireless Network Connections
Description: Collect Wireless Network Connections
Category: Network
Platform: macos
Short Name: wncon
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Known Wi‑Fi networks provide a history of SSIDs and connection metadata. This data is essential for tracking user mobility, rogue AP exposure, and lateral movement via wireless.
Data Collected
This collector gathers structured data about wireless network connections.
Collection Method
This collector parses /Library/Preferences/com.apple.wifi.known-networks.plist and records entries into wireless_network_connections.
Forensic Value
This evidence is crucial for forensic investigations as it reveals trusted SSIDs, join behavior, and captive portal interactions that can indicate risk or compromise.
