DHCP Lease Logs

Network, Perimeter Security, Network Capture, SIEM / Log Aggregator

Location

DHCP server logs and lease databases: Windows DHCP Server audit logs at %SystemRoot%\System32\dhcp\DhcpSrvLog-<Day>.log (one file per weekday, overwritten the following week) and the lease database in the same directory; ISC DHCP at /var/lib/dhcp/dhcpd.leases (Debian/Ubuntu) or /var/lib/dhcpd/dhcpd.leases (RHEL), with the pre-rewrite copy in dhcpd.leases~ and per-message events in syslog; Infoblox Grid Manager lease history or its syslog feed.

Description

Two related record sets. The lease database (the Windows DHCP Server database, ISC DHCP's dhcpd.leases, the Infoblox lease history) holds each IP address binding with the client's MAC address (hardware ethernet) or client identifier, the hostname the client supplied, and the lease start and end times. The server's transaction log (the Windows DHCP audit log, ISC dhcpd's syslog output) records the individual DISCOVER, OFFER, REQUEST, and ACK messages, plus releases, NAKs and declines, with a timestamp for each.

Forensic Value

DHCP logs solve the critical problem of mapping an IP address to a device at a specific point in time. When firewall or IDS logs show a suspicious internal IP, DHCP records identify the MAC address and hostname of the device that held that IP at the relevant timestamp, which is essential in environments with dynamic addressing. Historical leases also reveal rogue devices that connected to the network and obtained addresses, including hardware added to the network (T1200) and hosts whose MAC or hostname changed between leases. Three caveats matter when building the timeline. The MAC address and hostname are supplied by the client and can be forged, so confirm the mapping against switch MAC address tables or NAC records before attributing activity to a device. Statically addressed hosts never appear, and an address that is released and reassigned during an incident maps to several devices within a day, so match on the lease interval rather than the most recent assignment. Timestamps in dhcpd.leases are UTC while Windows audit logs use the server's local time; normalise before correlating, and collect promptly, because Windows audit logs are overwritten weekly and dhcpd periodically rewrites its lease file with only the current state of each lease, dropping the older records.

Tools Required

SIEM (Splunk, Elastic), DHCP server console, grep, PowerShell (Get-DhcpServerv4Lease)

Collection Commands

PowerShell

# Get-DhcpServerv4Lease reads the current lease database only; also preserve the rotating audit logs (DhcpSrvLog-*.log) for the per-message history
Get-DhcpServerv4Lease -ScopeId 10.0.0.0 | Export-Csv dhcp_leases.csv -NoTypeInformation

ISC DHCP

# A lease record runs from "lease <ip> {" to its closing brace and varies in length, so a fixed "grep -A 6" truncates or over-reads records; take whole blocks instead
awk '/^lease /,/^}/' /var/lib/dhcp/dhcpd.leases > dhcp_lease_history.txt

Splunk

index=dhcp earliest=-30d | stats min(_time) as first_seen max(_time) as last_seen values(hostname) as hostname by ip mac | sort ip first_seen | convert ctime(first_seen) ctime(last_seen)

MITRE ATT&CK Techniques

T1557 (Adversary-in-the-Middle), T1557.002 (ARP Cache Poisoning), T1200 (Hardware Additions), T1016 (System Network Configuration Discovery)