Wednesday, April 15, 2009

EnScript to obtain DHCP and Static IP Address information

Per a reader's request, here is an EnScript that recurses through all evidence in a case and parses the SYSTEM registry hive in the system32\config folder (under \WINDOWS, or \WINNT on Windows 2000). It then displays the DHCP or static IP address information for every interface found in the hive. The per-adapter values live under ControlSet00N\Services\Tcpip\Parameters\Interfaces\{adapter GUID}; an offline hive has no CurrentControlSet link, so the control set that was actually live is the one whose number is stored in Select\Current. Note that the IPAddress value only carries a statically assigned address: when the adapter was set to DHCP it reads 0.0.0.0 and the address the machine actually used is in DhcpIPAddress, with LeaseObtainedTime and LeaseTerminatesTime stored as Unix epoch seconds.

The EnScript also parses any SYSTEM hive copies found in XP System Restore Points (System Volume Information\_restore{GUID}\RPnn\snapshot\_REGISTRY_MACHINE_SYSTEM) and displays those as well, which is what lets you recover addresses the machine held before its current lease. This EnScript is compatible with Windows 2000/XP/Vista/2003; the _restore snapshot layout itself is specific to XP (Vista keeps earlier versions of the hive in Volume Shadow Copies instead).

All output goes to the EnCase Console tab for review. Example output (the 0.0.0.0 entries are DHCP-configured adapters; the second interface in RP4 never obtained a lease):
Reading file: Case 1\Fiske\C\System Volume Information\_restore{F7B7E177-A202-4882-ADC2-D0A88A676F63}\RP3\snapshot\_REGISTRY_MACHINE_SYSTEM

Interface GUID: {FA987DAF-1C7E-40E2-B570-8EBF1FFFA371}
IPAddress: 0.0.0.0
DhcpServer: 192.168.1.1
Lease: 86400 seconds
LeaseObtainedTime: 08/22/03 08:25:45PM
LeaseTerminatesTime: 08/23/03 08:25:45PM
DhcpIPAddress: 192.168.1.101

Reading file: Case 1\Fiske\C\System Volume Information\_restore{F7B7E177-A202-4882-ADC2-D0A88A676F63}\RP4\snapshot\_REGISTRY_MACHINE_SYSTEM

Interface GUID: {2AF8F12B-22F6-4FAE-974D-564BA481D3FF}
IPAddress: 0.0.0.0

Interface GUID: {FA987DAF-1C7E-40E2-B570-8EBF1FFFA371}
IPAddress: 0.0.0.0
DhcpServer: 67.21.13.74
Lease: 43200 seconds
LeaseObtainedTime: 10/08/03 08:56:49AM
LeaseTerminatesTime: 10/08/03 08:56:49PM
DhcpIPAddress: 68.66.201.16
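The steps the EnScript performs on the hive, as an added example written for this page in Python rather than EnScript (it is not the script from the post). Walking the binary hive is left to a hive library such as python-registry; the example assumes the key paths and raw value bytes have already been read out, and feeds it a constructed sample hive. The sample's second GUID, the static adapter, the ControlSet002 values and all lease numbers are made up (the first GUID and the RP3 lease values echo the output above, rendered in UTC). It shows the Select\Current lookup, decoding of REG_SZ, REG_MULTI_SZ and REG_DWORD data as stored on disk, the epoch lease timestamps, why IPAddress reads 0.0.0.0 for DHCP adapters, and a cross-check that Lease matches the two timestamps:

```python
import struct
from datetime import datetime, timezone

# Value types as they appear in the hive's vk records.
REG_SZ, REG_DWORD, REG_MULTI_SZ = 1, 4, 7

# Per-adapter TCP/IP settings live here, relative to a ControlSet00N root.
INTERFACES_SUBKEY = "Services\\Tcpip\\Parameters\\Interfaces"


def decode_value(vtype, raw):
    """Decode raw value data as stored in the hive: UTF-16LE strings, little-endian DWORDs."""
    if vtype == REG_DWORD:
        return struct.unpack("<I", raw[:4])[0]
    text = raw.decode("utf-16-le")
    if vtype == REG_SZ:
        return text.split("\x00", 1)[0]
    if vtype == REG_MULTI_SZ:
        return [s for s in text.split("\x00") if s]  # drop the empty terminators
    raise ValueError("unsupported value type %d" % vtype)


def current_control_set(hive):
    """Offline hives have no CurrentControlSet link; Select\\Current holds N of ControlSet00N."""
    return "ControlSet%03d" % decode_value(*hive["Select"]["Current"])


def epoch_to_text(secs):
    """Lease timestamps are 32-bit Unix epoch seconds; shown in UTC (EnCase applies the case time zone)."""
    return datetime.fromtimestamp(secs, timezone.utc).strftime("%m/%d/%y %I:%M:%S%p")


def interface_records(hive, control_set=None):
    """Return one dict per interface GUID under the chosen (default: current) control set."""
    control_set = control_set or current_control_set(hive)
    prefix = control_set + "\\" + INTERFACES_SUBKEY + "\\"
    records = []
    for path, values in hive.items():
        if not path.startswith(prefix):
            continue
        v = {name: decode_value(vtype, raw) for name, (vtype, raw) in values.items()}
        ips = v.get("IPAddress", [])
        rec = {
            "guid": path[len(prefix):],
            "control_set": control_set,
            "dhcp_enabled": bool(v.get("EnableDHCP", 0)),
            "ip_address": ips,
            # IPAddress only carries a real address when the adapter is statically configured.
            "static": not v.get("EnableDHCP", 0) and any(ip != "0.0.0.0" for ip in ips),
        }
        if "DhcpIPAddress" in v:  # the adapter obtained a lease at some point
            rec["dhcp_ip"] = v["DhcpIPAddress"]
            rec["dhcp_server"] = v.get("DhcpServer")
            rec["lease"] = v.get("Lease")
            obtained, ends = v.get("LeaseObtainedTime"), v.get("LeaseTerminatesTime")
            if obtained is not None and ends is not None:
                rec["lease_obtained"] = epoch_to_text(obtained)
                rec["lease_terminates"] = epoch_to_text(ends)
                # Cross-check: the two timestamps should span exactly Lease seconds.
                rec["lease_consistent"] = (ends - obtained) == rec["lease"]
        records.append(rec)
    return records


def render(records):
    """Format records like the console output in the post."""
    out = []
    for r in records:
        out.append("Interface GUID: %s" % r["guid"])
        out.append("IPAddress: %s" % (", ".join(r["ip_address"]) or "(none)"))
        if "dhcp_ip" in r:
            out.append("DhcpServer: %s" % r["dhcp_server"])
            out.append("Lease: %s seconds" % r["lease"])
            if "lease_obtained" in r:
                out.append("LeaseObtainedTime: %s" % r["lease_obtained"])
                out.append("LeaseTerminatesTime: %s" % r["lease_terminates"])
                if not r["lease_consistent"]:
                    out.append("  (warning: Lease does not match the two timestamps)")
            out.append("DhcpIPAddress: %s" % r["dhcp_ip"])
        out.append("")
    return "\n".join(out)


# Constructed sample hive (not real evidence): raw bytes as a hive parser would hand them back.
def _sz(s):
    return (s + "\x00").encode("utf-16-le")

def _multi_sz(items):
    return ("".join(i + "\x00" for i in items) + "\x00").encode("utf-16-le")

def _dword(n):
    return struct.pack("<I", n)

def _iface(control_set, guid):
    return control_set + "\\" + INTERFACES_SUBKEY + "\\" + guid

DHCP_GUID = "{FA987DAF-1C7E-40E2-B570-8EBF1FFFA371}"    # GUID from the post's output
STATIC_GUID = "{11111111-2222-3333-4444-555555555555}"  # made-up GUID for a static adapter
T_OBTAINED = 1061583945  # 2003-08-22 20:25:45 UTC, the RP3 lease above

SAMPLE_HIVE = {
    "Select": {"Current": (REG_DWORD, _dword(1))},
    _iface("ControlSet001", DHCP_GUID): {
        "EnableDHCP": (REG_DWORD, _dword(1)),
        "IPAddress": (REG_MULTI_SZ, _multi_sz(["0.0.0.0"])),
        "DhcpIPAddress": (REG_SZ, _sz("192.168.1.101")),
        "DhcpServer": (REG_SZ, _sz("192.168.1.1")),
        "Lease": (REG_DWORD, _dword(86400)),
        "LeaseObtainedTime": (REG_DWORD, _dword(T_OBTAINED)),
        "LeaseTerminatesTime": (REG_DWORD, _dword(T_OBTAINED + 86400)),
    },
    _iface("ControlSet001", STATIC_GUID): {
        "EnableDHCP": (REG_DWORD, _dword(0)),
        "IPAddress": (REG_MULTI_SZ, _multi_sz(["10.0.0.5"])),
        "SubnetMask": (REG_MULTI_SZ, _multi_sz(["255.255.255.0"])),
    },
    # Stale LastKnownGood copy: reading it instead of Select\Current reports the wrong address.
    _iface("ControlSet002", DHCP_GUID): {
        "EnableDHCP": (REG_DWORD, _dword(1)),
        "IPAddress": (REG_MULTI_SZ, _multi_sz(["0.0.0.0"])),
        "DhcpIPAddress": (REG_SZ, _sz("192.168.1.100")),
        "DhcpServer": (REG_SZ, _sz("192.168.1.1")),
        "Lease": (REG_DWORD, _dword(86400)),
        "LeaseObtainedTime": (REG_DWORD, _dword(T_OBTAINED - 7 * 86400)),
        "LeaseTerminatesTime": (REG_DWORD, _dword(T_OBTAINED - 6 * 86400)),
    },
}

if __name__ == "__main__":
    print("Current control set:", current_control_set(SAMPLE_HIVE))
    print(render(interface_records(SAMPLE_HIVE)))
```

Run it against each SYSTEM hive you pull out of a case (the live one and each _REGISTRY_MACHINE_SYSTEM restore point copy), and report every control set present, not only the current one: a stale ControlSet00N can hold a lease the machine no longer uses, which is exactly the kind of historical address this EnScript exists to surface.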

Download Here

1 comment:

Anonymous, Tuesday, 26 May, 2009

Great EnScript! The EnScript showed me old IP addresses used by a stalker. The ISP could not deliver the user information (bad administration?). With the output of the EnScript I can prove that the computer of the stalker was used.
