NetworkManager Connection Profiles

Linux, System Configuration, Disk Image

Location

/etc/NetworkManager/system-connections/*.nmconnection and legacy keyfiles under /etc/sysconfig/network-scripts/

Common Names

.nmconnection, system-connections

Description

NetworkManager keyfiles describing saved Ethernet, Wi-Fi, VPN, bridge, and cellular connection profiles. Profiles retain interface names, SSIDs, VPN endpoints, proxy settings, static routes, and secrets or secret references depending on the backend.

Forensic Value

Saved connection profiles expose the networks, VPNs, and upstream infrastructure a Linux system was configured to trust. They can reveal attacker-added rogue VPN tunnels, proxy redirection, static routes for lateral movement, or recently joined Wi-Fi networks on laptops and workstations. Because profiles persist after the interface is offline, they help reconstruct expected and unexpected connectivity long after transient runtime state is gone.

Tools Required

nmcli, cat, grep, find

Collection Commands

nmcli

nmcli connection show > /forensics/output/nmcli_connections.txt

find

find /etc/NetworkManager/system-connections -type f -exec cp --parents {} /forensics/output/ \; 2>/dev/null

grep

grep -Rni "vpn\|proxy\|ssid\|gateway\|route" /etc/NetworkManager/system-connections /etc/sysconfig/network-scripts 2>/dev/null > /forensics/output/networkmanager_profile_hits.txt
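
Added example (not part of the original artifact entry): a Python triage pass over the body of a collected keyfile, reporting the VPN endpoints, static routes, proxy settings, SSIDs, and embedded secrets that the Forensic Value section describes. The sample keyfile is constructed for illustration, the function name triage is hypothetical, and the [vpn] key "remote" is assumed to follow the OpenVPN plugin's naming.

```python
import configparser
import re

# Constructed sample keyfile for illustration; not taken from a real host.
SAMPLE = """\
[connection]
id=backup-tunnel
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
remote=vpn.example.net

[vpn-secrets]
password=REDACTED

[ipv4]
route1=10.20.0.0/16,192.0.2.1

[proxy]
pac-url=http://proxy.example.net/wpad.dat
"""

def triage(text):
    """Return (category, detail) findings for one .nmconnection keyfile body."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep key case exactly as written in the keyfile
    cp.read_string(text)
    out = []
    for sec in cp.sections():
        for key, val in cp.items(sec):
            if sec == "vpn" and key in ("service-type", "remote"):
                out.append(("vpn", f"{key}={val}"))
            elif sec.startswith("wireguard-peer.") and key == "endpoint":
                out.append(("vpn", f"wireguard endpoint={val}"))
            elif sec == "wifi" and key == "ssid":
                out.append(("wifi", val))
            elif sec in ("ipv4", "ipv6") and re.fullmatch(r"route\d+", key):
                out.append(("route", f"{sec} {val}"))
            elif sec == "proxy" and key in ("pac-url", "pac-script"):
                out.append(("proxy", f"{key}={val}"))
            elif sec == "vpn-secrets" or key in ("psk", "private-key"):
                # Record that a secret is stored, never its value.
                out.append(("secret", f"[{sec}] {key} (value withheld)"))
    return out

if __name__ == "__main__":
    for category, detail in triage(SAMPLE):
        print(f"{category:7} {detail}")
```

Run it against the copies under /forensics/output/ rather than the live files, and compare the findings with the profile names in nmcli_connections.txt.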

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
  • Only systems managed by NetworkManager maintain these profiles. Server builds may instead use network-scripts, systemd-networkd, netplan, or vendor-specific tooling.

MITRE ATT&CK Techniques

T1090, T1557, T1021, T1584.002