From http://www.forensickb.com/

Per a reader’s request, here is an EnScript that will recurse through all evidence in a case and parse the SYSTEM registry hive located in the system32config folder. It will then display any DHCP or static IP address information for all the interfaces found in the SYSTEM registry hive.

The EnScript will also parse any SYSTEM registry hives found in the XP System Restore Points (System Volume Information Folder – “_REGISTRY_MACHINE_SYSTEM”) and display those as well. This EnScript is compatible with Windows 2000/XP/Vista/2003.

All output is in the console tab for review. Example of output:

Reading file: Case 1FiskeCSystem Volume Information_restore{F7B7E177-A202-4882-ADC2-D0A88A676F63}RP3snapshot_REGISTRY_MACHINE_SYSTEM

Interface GUID: {FA987DAF-1C7E-40E2-B570-8EBF1FFFA371}
IPAddress: 0.0.0.0
DhcpServer: 192.168.1.1
Lease: 86400 seconds
LeaseObtainedTime: 08/22/03 08:25:45PM
LeaseTerminatesTime: 08/23/03 08:25:45PM
DhcpIPAddress: 192.168.1.101

Reading file: Case 1FiskeCSystem Volume Information_restore{F7B7E177-A202-4882-ADC2-D0A88A676F63}RP4snapshot_REGISTRY_MACHINE_SYSTEM

Interface GUID: {2AF8F12B-22F6-4FAE-974D-564BA481D3FF}
IPAddress: 0.0.0.0

Interface GUID: {FA987DAF-1C7E-40E2-B570-8EBF1FFFA371}
IPAddress: 0.0.0.0
DhcpServer: 67.21.13.74
Lease: 43200 seconds
LeaseObtainedTime: 10/08/03 08:56:49AM
LeaseTerminatesTime: 10/08/03 08:56:49PM
DhcpIPAddress: 68.66.201.16