Hi,
Anyone aware if Windows (XP) stores anything locally regarding DHCP?
Example
I have a user who has changed locations on the network many times.
This pc has been on various network segments and has obtained different IPs.
I am wondering if, on that client PC, there is any evidence of what IP addresses have been obtained over a period of time?
I hope that makes sense.
-ss
This might be a stretch, but you might be able to glean a bit of info this way. TCP/IP uses the ARP protocol, which stores info in the ARP cache. Pull the network card MAC address and search unallocated for that HEX value. When you find it, the assigned IP address would be present if it were an ARP broadcast. I do not believe IP addresses other than the currently assigned one would be in the registry or the event logs. Wish I had a more positive answer, but that is where I would start. Again, another option is to check the DHCP server logs.
nate,
That is a very positive answer.
Thanks.
All anyone can really expect from a forum is a point in the right direction.
-ss
Again other option is to check the DHCP server logs.
I guess I could have started off by saying that this agency did not have adequate logging. There are no DHCP server logs.
There is registry information about DHCP stored in
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
HTH.
SS,
The short answer is "no".
However…since you're referring to XP specifically, there are some options. First, go to the HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards key and get the ServiceName entries for each of the active NICs on the system. These will appear as GUIDs.
Now, map that information to the key that Hogfly pointed out, and you'll get the information from each subkey regarding IP address(es) obtained.
To get historical data, locate the System file in each of the Restore Points and do the same thing.
HTH,
Harlan
dood,
/me bows in your presence...
I am honored that you have replied :)
I have read your windows forensics book and I use your scripts. (helix/IR)
Great response! I am looking into your suggestions now.
Also, hogfly, thanks!
Harlan, do you recommend the offline registry parser for this, or WMI?
TIA,
-ss
Harlan,
That worked nicely.
If anyone else is interested, this is what I did.
I referred to this link: http//
On a side note, I was testing this on my personal PC at work, and even with administrative rights the local policy denied me access to the System Volume Information folder on the root of the drive.
So, I launched cmd.exe from the task scheduler (at) using the /INTERACTIVE option; the result was a shell in the context of the user 'system', and I was able to perform these tasks.
Thanks again!
-ss
SS,
Actually, there's a quicker way to do all that using Perl…
H
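Harlan's procedure (ServiceName GUIDs from NetworkCards, then the matching Tcpip\Parameters\Interfaces subkeys, repeated over the Restore Point copies of the System hive) written out as an added Perl example. This is not Harlan's own script or RegRipper code; it assumes the CPAN module Parse::Win32Registry is installed, that the hive files have already been copied out of the image (the SYSTEM-context shell above gets you into System Volume Information), and the script name dhcp_hist.pl is hypothetical.

```perl
#!/usr/bin/perl
# Walk one or more offline XP SYSTEM hives and print, per adapter GUID, the
# DHCP lease values kept under Services\Tcpip\Parameters\Interfaces.
# Assumes the CPAN module Parse::Win32Registry; dhcp_hist.pl is a hypothetical name.
# Usage: perl dhcp_hist.pl <SYSTEM hive> [<SYSTEM hive> ...]
#   e.g. WINDOWS\system32\config\system for the current values, plus each
#   _restore{GUID}\RPnn\snapshot\_REGISTRY_MACHINE_SYSTEM for the historical ones.
use strict;
use warnings;
use Parse::Win32Registry;
use POSIX qw(strftime);

# Lease times are REG_DWORD Unix epoch seconds; 0 or absent means no lease recorded.
sub utc {
    my ($t) = @_;
    return $t ? strftime("%Y-%m-%d %H:%M:%S UTC", gmtime($t)) : "-";
}

for my $hive (@ARGV) {
    my $reg  = Parse::Win32Registry->new($hive) or die "$hive: not a registry hive\n";
    my $root = $reg->get_root_key              or die "$hive: no root key\n";
    # An offline hive has no CurrentControlSet link; Select\Current names the live set.
    my $sel  = $root->get_subkey("Select") or die "$hive: no Select key (not a SYSTEM hive?)\n";
    my $cs   = sprintf "ControlSet%03d", $sel->get_value("Current")->get_data;
    my $ifs  = $root->get_subkey("$cs\\Services\\Tcpip\\Parameters\\Interfaces")
        or do { warn "$hive: no Interfaces key under $cs\n"; next };
    print "== $hive ($cs)\n";
    # Subkey names are the GUIDs that NetworkCards\<n>\ServiceName (SOFTWARE hive)
    # ties back to an adapter description.
    for my $ifkey ($ifs->get_list_of_subkeys) {
        my %v;
        for my $name (qw(EnableDHCP DhcpIPAddress DhcpSubnetMask DhcpServer
                         LeaseObtainedTime LeaseTerminatesTime)) {
            my $val = $ifkey->get_value($name);
            $v{$name} = defined $val ? $val->get_data : undef;
        }
        # Statically configured addresses live in the REG_MULTI_SZ IPAddress value
        # (it reads 0.0.0.0 on a DHCP-configured adapter).
        my $ipv    = $ifkey->get_value("IPAddress");
        my @static = grep { $_ ne "0.0.0.0" } (defined $ipv ? $ipv->get_data : ());
        next unless $v{DhcpIPAddress} or @static;   # skip placeholder entries
        printf "  %s  (key last written %s)\n", $ifkey->get_name, $ifkey->get_timestamp_as_string;
        printf "    EnableDHCP=%s  DhcpIPAddress=%s/%s  DhcpServer=%s\n",
            map { defined $_ ? $_ : "-" } @v{qw(EnableDHCP DhcpIPAddress DhcpSubnetMask DhcpServer)};
        printf "    lease obtained %s, terminates %s\n",
            utc($v{LeaseObtainedTime}), utc($v{LeaseTerminatesTime});
        printf "    static IPAddress: %s\n", join(", ", @static) if @static;
    }
}
```

The key's last-written timestamp is worth comparing across the Restore Point copies: it moves whenever the lease values under it change, so it brackets when each address was in use.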
Could I expect to see something like that with your new book?
-ss
CHFI/SnortCP