Tuesday, February 23, 2021

How to get the IP and the lease time from registry key

(Just for my references)

In digital forensics you sometimes need to find out which IP addresses a laptop was given and when it held them.

Suppose you have a Windows 10 DD image and want to find out the IP addresses that were assigned to it and their lease times, so you can search the logs (firewall, AD, etc.) for the relevant events.

The information can be found in the registry (the screenshots below were taken from a Windows 10 DD image).

If the IP was permanently assigned, it could be found on HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\Parameters\Tcpip.

If it was assigned by DHCP, it can be found under
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Services\Tcpip\Parameters\Interfaces\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}

or, even easier, search the hive for “dhcpipaddress” to find the IPs.

There are two values of interest there, LeaseObtainedTime and LeaseTerminatesTime. Both are stored in Unix epoch format.

You can use python3 to convert them:

matrix@matrix ~ % python3
Python 3.9.1 (default, Jan  8 2021, 17:17:43) 
[Clang 12.0.0 (clang-1200.0.32.28)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from datetime import datetime
>>> datetime.fromtimestamp(1614085226).isoformat()
'2021-02-23T08:00:26'
>>> datetime.fromtimestamp(1614161347).isoformat()
'2021-02-24T05:09:07'
>>> datetime.fromtimestamp(1614123286).isoformat()
'2021-02-23T18:34:46'
>>> datetime.fromtimestamp(1614151831).isoformat()
'2021-02-24T02:30:31'
>>> 


There are two other values (T1 and T2) that are also timestamps in Unix epoch format. They store the time that the interface acquired the lease on its IP address.

The client attempts to renew its lease when the value of T1 expires and, if necessary, attempts again when the value of T2 expires. By default, T1 is equal to half of the value of Lease and T2 is equal to 7/8 (87.5%) of the value of Lease.
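Putting the conversion and the T1/T2 rule together, here is an added example (not code from the original post). It assumes the Interfaces\{GUID} key has been exported as .reg-style text (DWORD values as 8 hex digits) and that the four timestamps in the REPL session above are LeaseObtainedTime, LeaseTerminatesTime, T1 and T2 in that order; the GUID and IP address are constructed placeholders. Note that it converts with tz=timezone.utc, because a bare fromtimestamp() prints the analyst machine's local time zone, not the one the image ran in.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample shaped like a .reg export of the Interfaces\{GUID} key.
# GUID and IP are placeholders; the four DWORDs are the epoch values shown above.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000000}]
"EnableDHCP"=dword:00000001
"DhcpIPAddress"="192.0.2.42"
"LeaseObtainedTime"=dword:6034fc6a
"LeaseTerminatesTime"=dword:603625c3
"T1"=dword:60359116
"T2"=dword:60360097
'''

_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$', re.M)
_STRING = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>[^"]*)"$', re.M)


@dataclass
class DhcpLease:
    ip: str
    obtained: int    # LeaseObtainedTime, seconds since the Unix epoch (UTC)
    terminates: int  # LeaseTerminatesTime
    t1: int          # renewal timer
    t2: int          # rebinding timer

    @staticmethod
    def from_reg_export(text: str) -> "DhcpLease":
        dwords = {m["name"]: int(m["hex"], 16) for m in _DWORD.finditer(text)}
        strings = {m["name"]: m["val"] for m in _STRING.finditer(text)}
        return DhcpLease(strings["DhcpIPAddress"], dwords["LeaseObtainedTime"],
                         dwords["LeaseTerminatesTime"], dwords["T1"], dwords["T2"])

    @property
    def lease_seconds(self) -> int:
        return self.terminates - self.obtained

    def timers_consistent(self) -> bool:
        # Default rule from the post: T1 at 50% and T2 at 87.5% of the lease (truncated to seconds).
        return (self.t1 == self.obtained + self.lease_seconds // 2
                and self.t2 == self.obtained + self.lease_seconds * 7 // 8)

    def active_at(self, ts: int) -> bool:
        # True if a log event at epoch second ts falls inside this lease window.
        return self.obtained <= ts < self.terminates


def to_utc(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
```

Run `to_utc()` on every timestamp before comparing against firewall or AD logs, and convert the logs to UTC the same way, so the correlation does not shift by the analyst's time zone.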