Skip to content
AIR Knowledge Base

Wireless Connection History

Overview

Section titled “Overview”

Evidence: Wireless Connection History
Description: Enumerate Wireless Connection History
Category: Network
Platform: windows
Short Name: wrlsshst
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Section titled “Background”

Windows network profiles store SSIDs and connection metadata (first/last connected, category, managed). This data is essential for tracking network access.

Data Collected

Section titled “Data Collected”

This collector gathers structured data about wireless connection history.

Collection Method

Section titled “Collection Method”

This collector reads HKLM…\NetworkList\Profiles for each profile, extracting timestamps and attributes into wireless_history.

Forensic Value

Section titled “Forensic Value”

This evidence is crucial for forensic investigations to link hosts to networks over time and identify suspicious connections.