Is there any way to obtain the timestamp that an IP address was allocated to an XP PC from the PC? I know we can check DHCP server logs, but for reasons I won't go into here, please assume that isn't an option.
I am hoping for something like a MAC time from some file that gets touched when a PC accepts an IP address assignment from a DHCP server.
I need to be able to make a statement along the lines of "On dd/mm/yy at HHMMSS, IP address xxx.xxx.xxx.xxx was assigned to this PC", and I need to be able to make that statement based only on a forensic examination of the PC's hard drive.
Can anyone tell me how to do this for a WinXP PC?
Windows logs network connections – such as the IP address, DHCP domain, subnet mask, etc. in the registry under
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\
Beneath \Interfaces you will see some GUIDs that may contain ip and dhcp information.
If you find one that lists the ip, subnet, gateway, etc. there should be a value here called LeaseObtainedTime, which has a hexadecimal time associated with it. It is to my knowledge that this is the time in which the ip address was obtained from the DHCP server.
For example - I have a time value associated with my current ip address right now of 471d1e69 - When I translate this hex number it gives me the Date & Time of Mon, 22 October 2007 17:04:25, which is the exact time I released and renewed my ip address.
You can translate the hex time with a tool from
http://
Note this timestamp is a Unix 32 bit hex value - Big Endian.
Derrick
Many thanks Derrick. That is exactly the info I needed!
One problem you are likely to have is that the DHCP lease may only go back a week or so - i.e. to the last assignment of a lease to the PC.
If you want to go back weeks or months, you may want to look at the restore points and verify the same key that dfarmer03 mentioned.
I've never actually done this, but I imagine it should work.
Also, XP restore points are ON by default, so you should be able to find the info with any luck.
Good point erowe. I did a bit of digging and found the following very useful site for restore point forensics info
http://128.175.24.251/forensics/restorepoints.htm
Assuming the restore points have not been disabled, it should be possible to put together a DHCP lease history (with assigned IP and timestamp info) from the backup copies (restore points) of the registry hives.
Thanks again everyone for the assist.
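A worked decoding of the LeaseObtainedTime value Derrick describes, extended to the restore-point lease history erowe and the original poster discuss. This is an added example, not code from any poster or tool in the thread; it assumes the interface-key values have already been extracted from each hive, and it names the neighbouring LeaseTerminatesTime, DhcpIPAddress and DhcpServer values, which the thread does not list. Decoded in UTC, 471d1e69 comes out as 22:04:25, the same instant Derrick reports shifted by his local UTC offset.

```python
import struct
from datetime import datetime, timezone

# Values live under HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{GUID}.
# LeaseObtainedTime is from the thread; LeaseTerminatesTime, DhcpIPAddress and DhcpServer
# are its neighbouring values (names assumed, see lead-in).

def unix32_to_utc(value):
    """Decode a 32-bit Unix timestamp (hex string as regedit shows it, plain int,
    or the 4 raw REG_DWORD bytes as stored in the hive file) into an aware UTC datetime."""
    if isinstance(value, (bytes, bytearray)):
        value = struct.unpack("<I", bytes(value))[0]  # REG_DWORD is little-endian on disk
    elif isinstance(value, str):
        value = int(value, 16)
    return datetime.fromtimestamp(value, tz=timezone.utc)

def lease_history(records):
    """Merge interface keys read from several hives (live SYSTEM plus restore-point
    copies) into one time-ordered lease list; a lease seen in several hives is
    reported once, with every hive it was found in listed under 'sources'."""
    leases = {}
    for rec in records:
        obtained = unix32_to_utc(rec["LeaseObtainedTime"])
        key = (rec["DhcpIPAddress"], obtained)
        lease = leases.setdefault(key, {
            "ip": rec["DhcpIPAddress"], "server": rec["DhcpServer"],
            "obtained_utc": obtained,
            "ends_utc": unix32_to_utc(rec["LeaseTerminatesTime"]),
            "sources": []})
        lease["sources"].append(rec["source"])
    return sorted(leases.values(), key=lambda l: l["obtained_utc"])

# Constructed sample: Derrick's 471d1e69 as the live lease, plus two restore-point copies
# of the hive; one repeats the live lease, the other holds the lease from a week earlier.
# (Every value except 471d1e69 is made up; paths follow XP's _restore{GUID}\RP##\snapshot layout.)
SAMPLE_RECORDS = [
    {"source": "SYSTEM (live hive)", "DhcpIPAddress": "192.168.1.20", "DhcpServer": "192.168.1.1",
     "LeaseObtainedTime": "471d1e69", "LeaseTerminatesTime": b"\xe9\x58\x26\x47"},
    {"source": "RP2\\snapshot\\_REGISTRY_MACHINE_SYSTEM", "DhcpIPAddress": "192.168.1.20",
     "DhcpServer": "192.168.1.1", "LeaseObtainedTime": 0x471d1e69, "LeaseTerminatesTime": 0x472658e9},
    {"source": "RP1\\snapshot\\_REGISTRY_MACHINE_SYSTEM", "DhcpIPAddress": "192.168.1.17",
     "DhcpServer": "192.168.1.1", "LeaseObtainedTime": 0x4713e3e9, "LeaseTerminatesTime": 0x471d1e69},
]

if __name__ == "__main__":
    for lease in lease_history(SAMPLE_RECORDS):
        print(f"{lease['ip']:<14} obtained {lease['obtained_utc']:%Y-%m-%d %H:%M:%S} UTC, "
              f"ends {lease['ends_utc']:%Y-%m-%d %H:%M:%S} UTC, seen in: {', '.join(lease['sources'])}")
```

Each line of the output is a statement of the form the original poster asked for, with the hives it rests on listed beside it; convert to the PC's local zone only after checking its TimeZoneInformation key.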
For those who run EnCase, Lance Mueller has posted an EnScript on his blog that will find/mount/parse all registry files (including restore points) to extract DHCP information (lease start, lease end, Assigned IP, etc.).
Here is the link to his post
http://
Thank you Lance!
(Note: I have tested it with EnCase 6.12.1 and it works well. Output is in the Console window.)
One word…RegRipper. It's free and it gets this information.