DHCP Lease Records
Location
/var/lib/NetworkManager/*.lease, /var/lib/dhcp/*.leases, /var/lib/dhclient/*.leases, or /run/NetworkManager/devices/*
Common Names
Description
Lease files and runtime state created by DHCP clients such as NetworkManager, dhclient, or systemd-networkd. They retain assigned addresses, lease renewal times, DHCP server identifiers, routers, DNS servers, and option payloads negotiated with the network.
Forensic Value
DHCP lease artifacts place a system on a specific network segment at a specific time and often identify the upstream DHCP server, gateway, and DNS infrastructure used during that period. They can reveal rogue DHCP responses, attacker-controlled DNS settings, or temporary addressing associated with hotel, hotspot, or staging networks. Because lease timestamps survive after the interface disconnects, they provide durable network context for systems that move frequently between environments.
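The comparison described above can be scripted. This added example (not part of the original entry) parses lease blocks in ISC dhclient syntax and lists where the DHCP server, router, or DNS servers differ between consecutive leases. The sample text is constructed, the function names are hypothetical, and timestamps are assumed to be in dhclient's default UTC form; NetworkManager's internal client and systemd-networkd write different formats.

```python
import re
from datetime import datetime, timezone

# Constructed sample in ISC dhclient lease syntax (not taken from a real host).
SAMPLE = """\
lease {
  interface "eth0";
  fixed-address 10.20.0.57;
  option routers 10.20.0.1;
  option domain-name-servers 10.20.0.2,10.20.0.3;
  option dhcp-server-identifier 10.20.0.2;
  renew 3 2024/01/10 09:00:00;
  expire 3 2024/01/10 21:00:00;
}
lease {
  interface "eth0";
  fixed-address 192.168.43.12;
  option routers 192.168.43.1;
  option domain-name-servers 192.168.43.1;
  option dhcp-server-identifier 192.168.43.1;
  renew 4 2024/01/11 18:30:00;
  expire 4 2024/01/11 19:30:00;
}
"""
LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.S)
STMT_RE = re.compile(r"^\s*(?:option\s+)?([\w-]+)\s+(.*?);\s*$", re.M)
UPSTREAM = ("dhcp-server-identifier", "routers", "domain-name-servers")

def parse_leases(text):
    """Return one dict per lease block, in file order (dhclient appends)."""
    leases = []
    for block in LEASE_RE.findall(text):
        rec = {}
        for key, val in STMT_RE.findall(block):
            if key in ("renew", "rebind", "expire") and val != "never":
                # "<weekday> YYYY/MM/DD HH:MM:SS"; assumed UTC (dhclient default)
                stamp = val.split(None, 1)[1]
                val = datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
            elif key in ("routers", "domain-name-servers"):
                val = [v.strip() for v in val.split(",")]
            rec[key] = val.strip('"') if isinstance(val, str) else val
        leases.append(rec)
    return leases

def upstream_changes(leases):
    """(index, field, old, new) where server, router or DNS differ from the prior lease."""
    return [(i, f, leases[i - 1].get(f), leases[i].get(f))
            for i in range(1, len(leases)) for f in UPSTREAM
            if leases[i - 1].get(f) != leases[i].get(f)]
```

Run `upstream_changes(parse_leases(open(path).read()))` against a collected copy of the lease file, not the live file, and correlate each change with the `renew` and `expire` times of the lease at that index.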
Tools Required
Collection Commands
find
find /var/lib/NetworkManager /var/lib/dhcp /var/lib/dhclient /run/NetworkManager -type f \( -name "*.lease" -o -name "*.leases" -o -name "*dhcp*" \) -exec cp --parents {} /forensics/output/ \; 2>/dev/null
nmcli
nmcli -f GENERAL.DEVICE,IP4.ADDRESS,IP4.GATEWAY,IP4.DNS device show > /forensics/output/current_ip_state.txt
journalctl
journalctl -u NetworkManager --since "2024-01-01" > /forensics/output/networkmanager_dhcp_journal.txt
Collection Constraints
- Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
- Lease paths and formats vary by DHCP client. Runtime-only state under /run may disappear on reboot or interface reset.