Which DNS and DHCP artifacts are valuable for investigations?


Multiple Choice

Which DNS and DHCP artifacts are valuable for investigations?

Explanation:
DNS and DHCP investigations rely on the logs that record who did what, when, and from where. DNS query/response logs capture every domain lookup, the requesting host, the time, the type of query, and the server’s response, giving a precise record of domain activity. DHCP lease logs show which IP address was assigned to which device (often tied to a MAC address and hostname) and when the lease started and ended, providing a clear timeline of network address usage.

Together, these artifacts let you map a specific host to its domain activity and understand the network timeline during an incident. They’re especially valuable for identifying who was connected to what resources, spotting unusual lookups or new devices, and correlating activity across systems. Other artifacts like RAM dumps or general event logs may be helpful in broader investigations, but DNS query/response and DHCP lease logs are the most direct sources for reconstructing DNS/DHCP activity.

