Awesome
werejugo
Version 0.9 - beta
Identifies physical locations where a laptop has been based upon multiple forensics artifacts on host. Including
- Wireless Profiles in SOFTWARE registry hive
- Wireless SSID from WLAN_AUTOCONFIG Application Event logs
- Wireless Diagnostic Event ID 6100 in SYSTEM.EVTX
- Wireless Profile Names from SRUM.DAT
To run this tool you need three files from this github repo. Werejugo.exe werejugo.yaml and template.html. Download them and place them in a directory.
You must edit werejugo.yaml and give it some API keys. This tool requires that you provide both a wigle.net API key and a Google Geolocation API key. Place those keys in the werejugo.yaml configuration file. The google API key requires a credit card but the first several thousand requests per month are free so you can experiment with the tool with out incurring a cost.
Run the tool with administrative privileges on the target laptop for live aquistion of required files. Auto file aquisition will only work on systems that have a version of esentutl.exe that supports extracting unlocked files. If automatic acquisition fails then use another forensics tool to extract the locked files.
If you have a forensics image with unlocked files then you can browse to those files manually.