DHCP Lease Logs

Categories

network, Perimeter Security, Network Capture, SIEM / Log Aggregator

Location

DHCP server logs: Windows DHCP Server audit logs (by default %SystemRoot%\System32\dhcp\DhcpSrvLog-Mon.log through DhcpSrvLog-Sun.log, one file per weekday), the ISC DHCP lease database dhcpd.leases (usually under /var/lib/dhcp/ or /var/lib/dhcpd/) together with dhcpd's syslog output, and Infoblox lease history.

Description

DHCP lease records tying each assigned IP address to the requesting client's MAC address, client identifier and hostname (where the client supplied one), with lease start and expiry times. Depending on the server this is either a per-message log, such as dhcpd's syslog lines for each DHCPDISCOVER, DHCPOFFER, DHCPREQUEST and DHCPACK, or an event log of assignments, renewals, releases and expirations, such as the dhcpd.leases database or the Windows DHCP audit log (event ID 10 new lease, 11 renewal, 12 release).

Forensic Value

DHCP logs solve a basic attribution problem: mapping an IP address to a physical device at a specific point in time. When firewall or IDS logs show a suspicious internal IP, the DHCP records identify the MAC address, client hostname and lease window of the device that held that IP at the relevant timestamp. In dynamically addressed networks this lookup is unavoidable, because the same address is handed to different devices over time, so the query must always be bounded by the event time and never by the address alone. Historical leases also reveal rogue devices that joined the network and obtained addresses.

Caveats when correlating: establish how the DHCP server's timestamps are expressed (ISC dhcpd writes dhcpd.leases in UTC unless db-time-format local is configured; the Windows audit log uses the server's local time) and align them with the firewall's clock before matching. Devices with static addresses never appear in lease logs, a client can spoof its MAC, and current mobile operating systems randomize the MAC per network, so the hostname and client identifier are often the more durable pivot. Retention is short by default: the Windows audit log keeps one file per weekday that is overwritten the following week, and dhcpd periodically rewrites dhcpd.leases from its in-memory database, dropping superseded entries, so these logs need to be forwarded to the SIEM if they are to be available weeks later.
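The lookup described above, as an added example that is not part of the original page or of ISC DHCP: a small Python reader for dhcpd.leases that answers "which MAC held this IP at this instant" and cross-references it with an alert timestamp. The lease blocks and alert times are constructed. The supersession rules in who_held (a later block with the same starts replaces the earlier version of that lease; a later starts ends every earlier window that reaches past it) are this example's model of how dhcpd appends blocks, not something taken from the page, and should be checked against the server's syslog DHCPACK and DHCPRELEASE lines when the answer matters. Windows audit logs use a different, CSV-style format that this reader does not handle.

```python
"""Map an IP address to the MAC and hostname that held it at an instant, from ISC dhcpd.leases.
Added example for this page, not ISC DHCP code; times are UTC unless dhcpd.conf sets "db-time-format local"."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc

# Constructed sample (not a real capture): 10.0.0.23 goes to laptop-01, is renewed, expires, then is reassigned.
SAMPLE_LEASES = """\
lease 10.0.0.23 {
  starts 2 2024/03/12 14:03:11;
  ends 2 2024/03/12 22:03:11;
  binding state active;
  hardware ethernet aa:bb:cc:11:22:33;
  client-hostname "laptop-01";
}
lease 10.0.0.23 {
  starts 2 2024/03/12 18:03:11;
  ends 3 2024/03/13 02:03:11;
  binding state active;
  hardware ethernet aa:bb:cc:11:22:33;
  client-hostname "laptop-01";
}
lease 10.0.0.23 {
  starts 2 2024/03/12 18:03:11;
  ends 3 2024/03/13 02:03:11;
  binding state free;
  hardware ethernet aa:bb:cc:11:22:33;
  client-hostname "laptop-01";
}
lease 10.0.0.23 {
  starts 3 2024/03/13 09:15:40;
  ends 3 2024/03/13 17:15:40;
  binding state active;
  hardware ethernet de:ad:be:ef:00:01;
  client-hostname "unknown-device";
}
"""

@dataclass
class Lease:
    ip: str
    starts: datetime
    ends: datetime
    state: str      # binding state when the block was written, not necessarily at query time
    mac: str
    hostname: str

_BLOCK = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def _lease_time(value: str) -> datetime:
    """'2 2024/03/12 14:03:11' -> aware UTC datetime; the leading field is the weekday (0 = Sunday)."""
    if value in ("", "never"):
        return datetime.max.replace(tzinfo=UTC)
    _weekday, date, clock = value.split()
    return datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S").replace(tzinfo=UTC)

def parse_utc(iso_z: str) -> datetime:
    return datetime.strptime(iso_z, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)

def parse_leases(text: str) -> list[Lease]:
    """Lease blocks in file order; blocks without a hardware address (pool bookkeeping) are skipped."""
    leases = []
    for ip, body in _BLOCK.findall(text):
        f = dict.fromkeys(("starts", "ends", "binding state", "hardware ethernet", "client-hostname"), "")
        for line in body.splitlines():
            stmt = line.strip().rstrip(";")
            for key in f:
                if stmt.startswith(key + " "):  # "next binding state ..." deliberately does not match
                    f[key] = stmt[len(key) + 1:].strip().strip('"')
        if f["hardware ethernet"] and f["starts"]:
            leases.append(Lease(ip, _lease_time(f["starts"]), _lease_time(f["ends"]),
                                f["binding state"], f["hardware ethernet"], f["client-hostname"]))
    return leases

def who_held(leases: list[Lease], ip: str, at: datetime) -> Optional[Lease]:
    """Lease block covering `ip` at aware instant `at`, or None.  Model (an assumption about dhcpd's
    append order; verify against the server's syslog): a later block with the same `starts` replaces
    the earlier version; a later `starts` closes every earlier window reaching past it.  Windows are [starts, ends)."""
    windows: list[list] = []  # [lease, effective_start, effective_end]
    for rec in (r for r in leases if r.ip == ip):
        windows = [w for w in windows if w[1] != rec.starts]
        for w in windows:
            if w[1] < rec.starts < w[2]:
                w[2] = rec.starts
        windows.append([rec, rec.starts, rec.ends])
    return next((w[0] for w in reversed(windows) if w[1] <= at < w[2]), None)

def resolve_alert(leases: list[Lease], ip: str, iso_z: str) -> str:
    """Cross-reference one firewall/IDS event (UTC 'Z' timestamp) with the lease history."""
    lease = who_held(leases, ip, parse_utc(iso_z))
    if lease is None:
        return f"{ip} at {iso_z}: no lease on record (static address, spoofing, or log gap)"
    return f"{ip} at {iso_z}: {lease.mac} ({lease.hostname or 'no hostname'}), lease {lease.starts:%Y-%m-%d %H:%M}Z to {lease.ends:%Y-%m-%d %H:%M}Z"

if __name__ == "__main__":
    history = parse_leases(SAMPLE_LEASES)
    for ts in ("2024-03-12T15:10:42Z", "2024-03-12T23:30:00Z", "2024-03-13T05:00:00Z", "2024-03-13T10:00:00Z"):
        print(resolve_alert(history, "10.0.0.23", ts))  # constructed alert times
```

Two behaviours are worth noticing in the constructed data: the expired lease is recorded with binding state free, yet the block still names the MAC that held the address during its window, so the historical answer survives the state change; and the alert in the gap between expiry and reassignment resolves to no lease at all, which is the signal to look for a static address, a spoofed source or a retention gap rather than to blame the device that held the address an hour earlier.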

Tools Required

SIEM (Splunk, Elastic), DHCP server console, grep, PowerShell (Get-DhcpServerv4Lease; note that it returns the server's current lease table, not the history of earlier assignments, which has to come from the audit log files)