Track location of laptop on company network?

[mvietori]

Hello,

I'm no network security expert but have been asked to "investigate" someone who has been connecting their personal laptop to the company network and using our internet to do "questionable" activities.

Basically I have this information taken from our domain controller's logs:

- DHCP address that was leased to the laptop at the time of the "infractions".
- Computer name of the laptop.
- Precise date and time of when this person was connected to our network.

Based on the DCHP address, I can somewhat narrow it down to a few different switches at different locations in the building, but there's no way to pinpoint it exactly. If I can figure out which switch they connected to, I would know who did it.

How can I do this?

 

[Emerald]

are they connecting via wire or wirelessly?

do you have managed switches?

 

[Saga Lout]

If you have a MAC address , you could deny it future access but if the computer name doesn't give you any clues, you may never find out who they are. If they are connecting through a switch that narrows it down a bit but if they then start to connect wirelessly, the MAC will be a different one because a MAC belongs to the device and not the whole machine.

 

[someone19]

Back in college I was 'found' when they matched the IP of my machine with the username I was using to check my e-mail. Try snooping around the logs of servers you have control over and see if that IP in that time frame was being used to locate the 'offender.'

 

[mvietori]

They're connecting via wire that they unplug from their normal desktop workstation and then plug into their personal laptop. Yes we're using managed switches. So they would be connecting to one of our switches somewhere in the building. I just don't know which one. I don't have a MAC address.

 

[Saga Lout]

I don't have a MAC address.

The router has it and it will be the one with short term connections immediately after another disconnects and just before that one reconnects.

 

[hang-the-9]

The DHCP server would have the MAC address of the device it assigned an IP. It uses that info to re-asign the same IP to the same device when renewing. That is why a PC with a new Windows setup will get the same IP after a reboot, yet when you clone that system onto new hardware it gets a new IP.

Hunt around the logs a bit more on the DHCP server.