Known Wi-Fi Networks (com.apple.wifi.known-networks.plist)
Location
SystemConfiguration/com.apple.wifi.known-networks.plistDescription
Property list file containing records of all Wi-Fi networks the device has previously connected to. Each network entry includes the SSID, BSSID (access point MAC address), security type (WPA2, WPA3, Open), first joined timestamp, last joined timestamp, and network usage data. Enterprise network entries may include additional EAP configuration details.
Forensic Value
Known Wi-Fi networks establish the physical locations where the device has been used by correlating SSIDs and BSSIDs with known access point locations via wardriving databases or organizational records. The first and last joined timestamps create a location timeline spanning the entire period the device has been in use. Connections to suspicious open networks, rogue access points, or networks associated with adversary infrastructure indicate potential compromise vectors. Enterprise Wi-Fi configurations may contain certificate and credential information relevant to network access investigations.