DHCP Log Analysis

Jun 20 07:05:15 dhcp1 dhcpd: DHCPREQUEST for 66.121.9.155 from 00:0d:56:1a:6a:05 (GMMHF41) via xl1
Jun 20 07:05:15 dhcp1 dhcpd: DHCPACK on 66.121.9.155 to 00:0d:56:1a:6a:05 (GMMHF41) via xl1
Jun 20 07:05:15 dhcp1 dhcpd: DHCPDISCOVER from 00:14:22:bc:09:94 via 66.121.66.1
Jun 20 07:05:16 dhcp1 dhcpd: DHCPOFFER on 66.121.66.203 to 00:14:22:bc:09:94 (DFVDJP81) via 66.121.66.1
Jun 20 07:05:16 dhcp1 dhcpd: Added new forward map from DFVDJP81.dhcp.mycompany.com to 66.121.66.203
Jun 20 07:05:16 dhcp1 dhcpd: added reverse map from 203.66.121.66.in-addr.arpa. to DFVDJP81.dhcp.mycompany.com
Jun 20 07:05:16 dhcp1 dhcpd: DHCPREQUEST for 66.121.66.203 (66.130.0.56) from 00:14:22:bc:09:94 (DFVDJP81) via 66.121.66.1
Jun 20 07:05:16 dhcp1 dhcpd: DHCPACK on 66.121.66.203 to 00:14:22:bc:09:94 (DFVDJP81) via 66.121.66.1

Jun 20 07:05:15 dhcp1 dhcpd: DHCPACK on 66.121.9.155 to 00:0d:56:1a:6a:05 (GMMHF41) via xl1

***********************************
What does this tell you?
How can this be helpful to an investigation?


Example #1 – DNS “Malicious User”
ABC Lollipop Incorporated reported that one of their contractors turned bad. It seemed that the malicious user had hooked up his laptop to their network and compromised various servers; however, when they examined the laptop, they couldn't find any trace of his malicious activities. The company utilizes DHCP, and they aren't even sure that he used the laptop in question.

How would you be able to determine if the laptop was used to commit these crimes?

DHCP Logs - Intrusion

Jun 20 07:05:15 dhcp1 dhcpd: DHCPACK on 66.121.9.155 to 00:0d:56:1a:6a:05 (GMMHF41) via xl1
Jun 20 07:05:15 dhcp1 dhcpd: DHCPDISCOVER from 00:14:22:bc:09:94 via 66.121.66.1

***********************************

During the first DHCP exchange, the client's request carries the MAC address of the machine asking for an IP address. That MAC address survives being relayed across routers and gateways on its way to the DHCP server. It appears on the DHCPDISCOVER line, and the "via" field on that line records the gateway (relay) through which the request arrived.

From the DHCPACK line above, the IP address 66.121.9.155 was assigned to the physical NIC with MAC address 00:0d:56:1a:6a:05 on the machine named GMMHF41.

Even if the user decides to wipe his hard drive, the lease record still ties the IP address to the MAC address of his physical device. That device can be seen as the "weapon" utilized to commit the crime.
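As an added example (not part of the original training material), the following Python builds the IP-to-MAC timeline described above from the dhcpd lines quoted on this page, keeping only DHCPACK lines because those are the ones that confirm a binding; the year is an assumption, since syslog timestamps omit it.

```python
import re
from datetime import datetime

# Constructed sample: the dhcpd syslog lines quoted on this page.
SAMPLE_LOG = """\
Jun 20 07:05:15 dhcp1 dhcpd: DHCPREQUEST for 66.121.9.155 from 00:0d:56:1a:6a:05 (GMMHF41) via xl1
Jun 20 07:05:15 dhcp1 dhcpd: DHCPACK on 66.121.9.155 to 00:0d:56:1a:6a:05 (GMMHF41) via xl1
Jun 20 07:05:15 dhcp1 dhcpd: DHCPDISCOVER from 00:14:22:bc:09:94 via 66.121.66.1
Jun 20 07:05:16 dhcp1 dhcpd: DHCPOFFER on 66.121.66.203 to 00:14:22:bc:09:94 (DFVDJP81) via 66.121.66.1
Jun 20 07:05:16 dhcp1 dhcpd: DHCPREQUEST for 66.121.66.203 (66.130.0.56) from 00:14:22:bc:09:94 (DFVDJP81) via 66.121.66.1
Jun 20 07:05:16 dhcp1 dhcpd: DHCPACK on 66.121.66.203 to 00:14:22:bc:09:94 (DFVDJP81) via 66.121.66.1
"""

# Only a DHCPACK confirms a binding; DISCOVER, OFFER and REQUEST lines are
# negotiation steps, so the timeline is built from ACKs alone.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (?P<ip>[\d.]+) "
    r"to (?P<mac>[0-9a-f:]{17})(?: \((?P<host>[^)]*)\))? via (?P<via>\S+)$"
)

def parse_ts(text, year=2024):
    """Syslog timestamps carry no year; the caller supplies it (assumed 2024 here)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def parse_acks(log, year=2024):
    """Return confirmed leases as dicts: time, ip, mac, host, via (relay or interface)."""
    leases = []
    for line in log.splitlines():
        m = ACK_RE.match(line)
        if m:  # non-ACK lines are skipped on purpose
            leases.append({"time": parse_ts(m["ts"], year), "ip": m["ip"],
                           "mac": m["mac"], "host": m["host"], "via": m["via"]})
    return leases

def who_had_ip(leases, ip, at):
    """Latest ACK for `ip` at or before `at`: the NIC holding that address then."""
    cands = [lease for lease in leases if lease["ip"] == ip and lease["time"] <= at]
    return max(cands, key=lambda lease: lease["time"]) if cands else None

def ips_for_mac(leases, mac):
    """Every address ever confirmed to one NIC, for scoping an investigation."""
    return sorted({lease["ip"] for lease in leases if lease["mac"] == mac})

if __name__ == "__main__":
    leases = parse_acks(SAMPLE_LOG)
    hit = who_had_ip(leases, "66.121.9.155", parse_ts("Jun 20 07:10:00"))
    print(hit["mac"], hit["host"], hit["via"])   # 00:0d:56:1a:6a:05 GMMHF41 xl1
    print(ips_for_mac(leases, "00:14:22:bc:09:94"))  # ['66.121.66.203']
```

An answer from this timeline identifies a NIC, not a person; corroborate it with switch port, 802.1X or other authentication records before concluding who was at the keyboard.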