Trundle Motor company has reported that somebody has somehow compromised their systems. However, a detailed review of their Firewall logs show that there were no attempts from the outside world. Also, since they are a family company, they don’t believe that any of their employees would have commited this crime.
How can DHCP logs help this investigation?
IP Address:66.111.113.141 => 00:06:5b:17:88:c3-(UHC05R01)[Dell Computer Corp.]
IP Address:66.111.113.146 => 00:11:43:3f:1e:8b-(J0W8L61)[DELL INC.]
IP Address:66.111.113.147 => 00:06:5b:17:89:0e-(6B05R01)[Dell Computer Corp.]
IP Address:66.111.113.153 => 00:06:5b:17:8a:1a-(8C05R01)[Dell Computer Corp.]
IP Address:66.111.113.154 => 00:05:5d:6f:06:38-(wireless)[D-Link Systems, Inc.]
IP Address:66.111.113.155 => 00:06:5b:17:8a:a0-(4D15R01)[Dell Computer Corp.]
IP Address:66.111.113.156 => 00:06:5b:17:87:9e-(BF15R01)[Dell Computer Corp.]
IP Address:66.111.113.157 => 00:06:5b:17:89:19-(1D05R01)[Dell Computer Corp.]
IP Address:66.111.113.158 => 00:06:5b:17:87:b3-(75Z4R01)[Dell Computer Corp.]
IP Address:66.111.113.177 => 00:0c:29:d2:64:53-(d8e63e7d5)[VMware, Inc.]
***********************************
By examining the above logs, you can tell that IP 66.119.191.94 comes back to a D-Link router. This may be an unauthorized wireless extension of the network. The intruder could have entered the network utilizing this method. This method of entry would not leave any traces in the Firewall, VPN, or remote connection logs.
The first three octets of the MAC address can be looked up in the IEEE OUI and Company_id Assignment tables at
http://standards.ieee.org/regauth/oui/index.shtml