I unfortunately have DNS scavenging on; information I need to retrieve could have been in Event Viewer DNS logs, but that's not there anymore, or maybe I am not looking for it properly.
Story: I need to report on a machine who was throwing suspicious activity on our network. The activity occurred between a specific window of time. DNS/IP has since changed. All the information I've gotten from the security team is an IP and a window of time.
Question: Is there any other place I can get that log information and track down which machine had a specific IP at a specific time? I will also be asking networking to look on the switch/gateway side of things (maybe nail it down to Mac address or something), but I'm hoping I can find a way to verify from the system side. Any ideas?
Best Answer
You say the IP has changed, which sounds like you may be using DHCP to assign addresses? Check the DHCP log files C:\Windows\system32\dhcp. Use the time and the IP to find the MAC address, then use your inventory system to track down that asset. https://technet.microsoft.com/en-us/library/dd183591%28v=ws.10%29.aspx