I have 2 computers hooked to a router. I can only find the internal IP address from the registry. Where can I get the router IP?
From the command line, assuming your computer is Windows, type tracert bbc.co.uk
The first hop listed should be the IP address of the router.
I'm sorry I should have been more specific…yes, these are Windows XP systems and I'm looking at an image of the system in EnCase v6.14.1. Is there a file or registry key that would show me the router IP?
Greetings,
"ipconfig /all" will tell you the default gateway, among other things.
-David
Have you tried the Windows Initialize case script (in Case Processor). This often will get out the Default Gateway IP address (if there is one stored).
I'm not sure if it matters whether the address was allocated by DHCP or statically, though you'd think it would store it somewhere.
Run RegRipper against the System Hive. This should parse the network key for you.
I'm sorry I should have been more specific…yes, these are Windows XP systems and I'm looking at an image of the system in EnCase v6.14.1. Is there a file or registry key that would show me the router IP?
How are the systems connected? Via RJ-45 or wireless?
Actually, what you're probably looking for is the default gateway…RegRipper can get this from the System hive for you quite easily.
Search the registry (HKLM\System\ControlSet\Services\Tcpip\Parameters) for the "DefaultGateway" (you may need to identify which interface you are interested in).
The values for the most recent control set will tell you if it is DHCP assigned or manually assigned. If you want to be more comprehensive, search all of the control sets.
I guess you may be trying to find the external IP address of the router.
If this is the case it is unlikely to be found in the registry.
Here are some notes I have previously made on this question -
* If the Windows Time Service is running, when the service connects to the time server an event is logged in the System Event Log (in WXPP SP2 this is at C\WINDOWS\system32\config\SysEvent.evt). The log shows the IP address of the local computer and the time server. Unfortunately when connected via a router this may only show internal addresses.
* Symantec Live Update has been found to record a log of the update including dates/times and IP address of local computer. Logs are in a file Log.LiveUpdate and in unallocated a good search string would be "LuComServer" this string appears in the section of the logs where the IP addresses are recorded.
* Cookie files sometimes contain the IP address of the local computer
* Your IP address might be found in C\Documents and Settings\ProfileUserName\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNS.XML
* If the user has been running MSN Messenger and at some stage connection logging has been on, resulting in a file named MsnMsgr.txt being created in C\Documents and Settings\UserName\My Documents\My Received Files then this file contains details of the user's IP address.
You might also find the external IP address embedded in a web page visited by the user as web pages sometimes like to capture and display this.
I would suggest you try a grep search for IP addresses in targeted areas, like TIFs, any log files, and evt files.
If you have the router you might find it there. If you know the ISP you could possibly get it from them with the appropriate legal authority.
H