A MAC address is a 48-bit identifier assigned to every network interface. The first 24 bits (the OUI) identify the manufacturer; the remaining 24 bits are device-specific. For investigators, MAC addresses reveal device manufacturers, enable cross-referencing with DHCP logs to attribute IP addresses to physical devices, and — when embedded in IPv6 addresses via EUI-64 — can track devices across networks. However, MAC randomization (default on iOS 14+, Android 10+) is rapidly eroding this forensic signal. Understanding when randomization applies, how to detect it, and what alternatives exist is now essential for network forensics.
Anatomy of a MAC Address
A MAC address (Media Access Control) is a 48-bit identifier written as six octets in hexadecimal, separated by colons or hyphens: 00:1A:2B:3C:4D:5E. It operates at Layer 2 (data link) of the OSI model and is used for local network communication — every Ethernet frame and Wi-Fi packet carries source and destination MAC addresses.
The address has a defined structure. The first three octets (00:1A:2B) are the Organizationally Unique Identifier (OUI), assigned by the IEEE Registration Authority to hardware manufacturers. The remaining three octets (3C:4D:5E) are the Network Interface Controller (NIC) specific portion, assigned by the manufacturer. Two special bits in the first octet carry forensic significance: bit 0 (least significant) is the unicast/multicast flag (0 = unicast, 1 = multicast), and bit 1 is the universal/local flag (0 = globally unique factory address, 1 = locally administered). When MAC randomization is active, the locally administered bit is set to 1, making the second hex digit always 2, 6, A, or E — an immediate indicator that the address is not factory-assigned.
OUI Lookup: What the Manufacturer Tells You
The IEEE maintains a public registry of approximately 50,000 OUI assignments. Looking up the first three octets of a MAC address immediately identifies the device manufacturer. This is one of the simplest and most reliable OSINT techniques for network investigation: seeing 00:14:22 tells you the device is a Dell, 3C:22:FB is an Apple device, F8:28:19 is a Hewlett Packard Enterprise device. Our MAC Address Lookup tool performs this lookup instantly against the full IEEE registry.
OUI information becomes especially valuable when combined with other data. In a DHCP log, the OUI reveals what types of devices are on the network — if you see OUIs from security camera manufacturers, IoT vendors, or unfamiliar brands, that’s an immediate red flag for unauthorized devices. In incident response, the OUI can narrow down which physical device was involved even before you have physical access to it.
MAC Randomization: The Privacy-Forensics Arms Race
MAC randomization replaces the factory-assigned MAC address with a randomly generated one when connecting to Wi-Fi networks. This prevents network operators, advertisers, and surveillance systems from tracking devices across different locations using their hardware identifier. The feature has become default behavior across all major mobile operating systems, fundamentally changing the landscape for network forensics.
| OS | Version | Behavior | Rotation | Default |
|---|---|---|---|---|
| iOS | 8 (2014) | Randomized during Wi-Fi scanning only | Per scan | On |
| iOS | 14 (2020) | Randomized per network (Private Wi-Fi Address) | Rotates every 24 hours | On |
| iOS | 18 (2024) | Rotating default changed to every 2 weeks | Every 2 weeks | On (Rotating) |
| Android | 8 (2017) | Randomized during scanning only | Per scan | Off |
| Android | 10 (2019) | Persistent random per network (same MAC per SSID) | Persists until factory reset | On |
| Android | 12 (2021) | Non-persistent randomization for some networks | Can change every 24 hours | On |
| Windows | 10 / 11 | Per-network randomization (Random hardware addresses) | Configurable | Off |
| macOS | All | Limited to AirPlay/AirDrop only | N/A | N/A |
| Linux | NetworkManager | Configurable via wifi.cloned-mac-address | Per connection | Varies by distro |
Detecting Randomized Addresses
Randomized MAC addresses are identifiable by the locally administered bit. In a randomized address, the second hexadecimal digit of the first octet will be 2, 6, A, or E. For example, F2:xx:xx:xx:xx:xx is randomized (second digit is 2), while F0:xx:xx:xx:xx:xx could be a factory address (second digit is 0). This single-bit check lets investigators immediately triage whether a MAC address is genuine or randomized. Looking up a randomized address in an OUI database will return no result or an incorrect manufacturer — another indicator of randomization.
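The flag-bit triage described above, as an added example (not code from this page or its lookup tool). The function names and the sample addresses are constructed for illustration; the OUI is returned only when the address is universal, since a locally administered prefix has no meaning in the IEEE registry.

```python
import re

def parse_mac(text):
    """Return the 6 address bytes from colon, hyphen, dot or bare-hex notation."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def triage_mac(text):
    """Classify a MAC using the two flag bits in its first octet."""
    mac = parse_mac(text)
    multicast = bool(mac[0] & 0x01)  # bit 0: unicast/multicast flag
    local = bool(mac[0] & 0x02)      # bit 1: universal/local flag
    if multicast:
        kind = "multicast"             # group address, not a single device
    elif local:
        kind = "locally-administered"  # randomized or otherwise software-assigned
    else:
        kind = "universal"             # factory-style address, OUI lookup applies
    oui = ":".join(f"{b:02X}" for b in mac[:3]) if kind == "universal" else None
    return {"mac": ":".join(f"{b:02X}" for b in mac), "kind": kind, "oui": oui}

# Constructed sample input in the notations found in DHCP, switch and WLC exports.
SAMPLE = [
    "00:14:22:01:23:45",   # OUI the page attributes to Dell
    "F2-9A-3C-11-22-33",   # second hex digit 2: locally administered
    "3c22.fb00.0001",      # dotted notation, OUI the page attributes to Apple
    "01:00:5E:00:00:FB",   # multicast group address, never a device identity
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage_mac(entry))
```

A locally administered result means the address is not factory-assigned; it does not by itself say which software chose it.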
EUI-64 and IPv6: When Your MAC Leaks Globally
EUI-64 (Extended Unique Identifier, 64-bit) is the mechanism that embeds a MAC address into an IPv6 address. The process takes the 48-bit MAC address, splits it in half, inserts FF:FE in the middle, and flips the universal/local bit (bit 41), producing a 64-bit interface identifier. This identifier becomes the last 64 bits of the IPv6 address generated via Stateless Address Autoconfiguration (SLAAC).
The forensic implication is profound: any IPv6 address generated with EUI-64 permanently embeds the device’s MAC address — and therefore its manufacturer and unique identity — into every packet sent across the internet. An investigator who sees ::021A:2BFF:FE3C:4D5E in a server log can reverse the EUI-64 process to recover the original MAC address 00:1A:2B:3C:4D:5E, look up the OUI to identify the manufacturer, and track the device across networks even as the IPv6 prefix changes. Our EUI-64 Decoder performs this reverse extraction automatically.
The Privacy Fix: RFC 8981 Temporary Addresses
The privacy risk of EUI-64 was recognized early. RFC 3041 (2001) introduced privacy extensions for SLAAC, creating temporary addresses with randomized interface identifiers. This evolved through RFC 4941 (2007) and culminated in RFC 8981 (2021), which is the current standard. RFC 8981 introduced key changes: stable EUI-64 addresses are no longer required (hosts may use only temporary addresses), maximum temporary address lifetime reduced from 1 week to 2 days, concurrent temporary addresses reduced from 7 to 3, and lifetime randomization was added so addresses don’t all expire simultaneously. Additionally, RFC 7217 introduced stable privacy addresses — per-subnet random addresses derived from a secret key, replacing EUI-64 for stable addresses. RFC 8064 now formally advises against using EUI-64 for SLAAC.
Despite these standards, some ISP CPE equipment (modems and routers) and legacy IoT devices still use EUI-64 by default, leaking MAC addresses into IPv6 traffic. Investigators can check whether a target system uses EUI-64 by looking for the FF:FE pattern in the interface identifier portion of its IPv6 address.
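The EUI-64 construction and its reversal, including the FF:FE check, as an added example (not the page's EUI-64 Decoder). Function names are hypothetical, and the sample addresses are constructed from the documentation prefix 2001:db8::/32 and the page's example MAC.

```python
import ipaddress

def mac_from_eui64(addr):
    """Return the embedded MAC if the interface identifier is EUI-64, else None."""
    ip = ipaddress.IPv6Address(addr.split("%")[0].split("/")[0])
    iid = (int(ip) & ((1 << 64) - 1)).to_bytes(8, "big")  # last 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None  # no FF:FE filler: temporary, stable-privacy or manual IID
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02   # undo the universal/local bit flip
    return ":".join(f"{b:02X}" for b in mac)

def eui64_iid(mac):
    """Forward direction: build the 64-bit interface identifier from a MAC."""
    raw = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    raw[0] ^= 0x02   # flip the universal/local bit
    iid = bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])
    return ":".join(iid[i:i + 2].hex().upper() for i in range(0, 8, 2))

def group_by_device(addresses):
    """Group IPv6 addresses by recovered MAC; non-EUI-64 ones go under None."""
    groups = {}
    for a in addresses:
        groups.setdefault(mac_from_eui64(a), []).append(a)
    return groups

# Constructed sample: same device behind two prefixes, plus a random-looking IID.
SAMPLE = [
    "2001:db8:aaaa:1:021a:2bff:fe3c:4d5e",
    "2001:db8:bbbb:7:21a:2bff:fe3c:4d5e",
    "2001:db8:aaaa:1:5c3e:91d2:77ab:0f14",
]

if __name__ == "__main__":
    for mac, addrs in group_by_device(SAMPLE).items():
        print(mac, addrs)
```

A uniformly random interface identifier contains FF:FE at that position about once in 65,536 addresses, so treat a single match as a lead and confirm it against the OUI registry or a second sighting.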
DHCP Lease Forensics
DHCP (Dynamic Host Configuration Protocol) servers assign IP addresses to devices and maintain lease logs that are a goldmine for network forensics. Each DHCP lease record typically includes: the MAC address of the requesting device, the IP address assigned, the lease start time and duration, the hostname the client reported (the hostname option), and the DHCP options requested by the client (which can fingerprint the operating system). Our Digital Presence Scorecard · DHCP Lease Parser extracts and analyzes these fields from lease files.
Forensic Use Cases
In incident response, DHCP logs answer the critical question: “which physical device had IP address X at time Y?” Firewall logs, IDS alerts, and web server access logs record IP addresses, but DHCP logs provide the bridge from IP to MAC to physical device. The reported hostname can reveal the device’s name (often the user’s name or department), and DHCP option fingerprinting can identify the operating system even when the hostname is generic. Even with MAC randomization active, the DHCP lease creates a temporal binding between a randomized MAC and an IP address for the duration of the lease — useful for correlating activity within a session even if the MAC changes between sessions.
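Answering "which device had IP address X at time Y?" from lease data, as an added example (not the page's DHCP Lease Parser). It assumes the leases are in ISC dhcpd.leases syntax with UTC timestamps; the lease records, hostnames and function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in ISC dhcpd.leases syntax (assumed format, times in UTC).
LEASES = '''
lease 10.20.0.57 {
  starts 3 2024/05/15 08:02:11;
  ends 3 2024/05/15 16:02:11;
  hardware ethernet 00:14:22:01:23:45;
  client-hostname "FIN-LAPTOP-07";
}
lease 10.20.0.57 {
  starts 3 2024/05/15 18:30:00;
  ends 4 2024/05/16 02:30:00;
  hardware ethernet f2:9a:3c:11:22:33;
  client-hostname "iPhone";
}
'''

BLOCK = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
FIELDS = {
    "starts": re.compile(r"starts\s+\d\s+([\d/]+ [\d:]+);"),
    "ends": re.compile(r"ends\s+\d\s+([\d/]+ [\d:]+);"),
    "mac": re.compile(r"hardware ethernet\s+([0-9a-fA-F:]+);"),
    "hostname": re.compile(r'client-hostname\s+"([^"]*)";'),
}

def parse_leases(text):
    """Parse lease blocks; records without MAC or a dated start/end are skipped."""
    leases = []
    for ip, body in BLOCK.findall(text):
        rec = {"ip": ip}
        for name, rx in FIELDS.items():
            m = rx.search(body)
            rec[name] = m.group(1) if m else None
        if not (rec["starts"] and rec["ends"] and rec["mac"]):
            continue
        for key in ("starts", "ends"):
            rec[key] = datetime.strptime(rec[key], "%Y/%m/%d %H:%M:%S")
        # Locally administered bit set: the MAC is randomized, not factory-assigned.
        rec["randomized"] = bool(int(rec["mac"][:2], 16) & 0x02)
        leases.append(rec)
    return leases

def who_had(leases, ip, when):
    """Return the lease records that cover `ip` at `when` (naive UTC datetime)."""
    return [l for l in leases if l["ip"] == ip and l["starts"] <= when < l["ends"]]
```

The same IP maps to two different devices a few hours apart, which is why the alert timestamp and its time zone must be pinned down before attributing activity to a MAC.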
Bluetooth and Other MAC Surfaces
While Wi-Fi MAC randomization is now widespread, Bluetooth MAC addresses remain a significant tracking vector. Bluetooth Low Energy (BLE) has supported address randomization since Bluetooth 4.0, but many devices — especially IoT, fitness trackers, and older headphones — still broadcast their factory MAC address. Bluetooth Classic (BR/EDR) generally does not randomize at all. Wired Ethernet connections also use the factory MAC address without randomization in virtually all implementations.
Investigation Workflow
A systematic approach to MAC-based investigation follows these steps. First, collect the MAC address from DHCP logs, ARP tables, switch CAM tables, or wireless controller logs. Second, check the locally administered bit to determine if the address is factory or randomized. Third, if factory: look up the OUI to identify the manufacturer, then cross-reference with DHCP hostname and OS fingerprinting. Fourth, check for EUI-64 leakage in any IPv6 addresses associated with the device. Fifth, correlate across data sources: the same MAC appearing in DHCP logs, 802.1X authentication logs, captive portal records, and wireless association logs creates a complete timeline of the device’s network activity.
Key Terminology
- MAC Address (Media Access Control): A 48-bit hardware identifier assigned to network interface controllers. First 24 bits = OUI (manufacturer), last 24 bits = device-specific. Operates at Layer 2 for local network communication.
- OUI (Organizationally Unique Identifier): The first three octets of a MAC address, assigned by IEEE to hardware manufacturers. A public registry of ~50,000 entries enables instant manufacturer identification from any MAC address.
- Locally Administered Bit: Bit 1 of the first octet. When set to 1, indicates the address is not factory-assigned. All randomized MAC addresses set this bit, making the second hex digit 2, 6, A, or E. The fastest way to detect MAC randomization.
- EUI-64 (Extended Unique Identifier): A method of deriving a 64-bit interface identifier from a 48-bit MAC address by inserting FF:FE and flipping bit 41. Used by SLAAC to generate IPv6 addresses, permanently embedding the MAC address in the IPv6 address.
- SLAAC (Stateless Address Autoconfiguration): IPv6 mechanism where hosts auto-generate global addresses from router-advertised prefixes combined with interface identifiers. Originally used EUI-64; now recommended to use privacy extensions (RFC 8981) or stable privacy addresses (RFC 7217).
- RFC 8981 Temporary Addresses: The current standard (2021) for IPv6 privacy extensions. Generates randomized interface identifiers that rotate approximately daily, with a maximum lifetime of 2 days. Prevents cross-session tracking via IPv6 addresses.
- DHCP Fingerprinting: Identifying a device’s operating system by analyzing the DHCP options it requests. Different OS versions request different combinations of DHCP options in a characteristic order, creating a unique fingerprint even when the MAC is randomized.
- MAC Randomization: Privacy feature that replaces the factory MAC address with a random one for Wi-Fi connections. Default on iOS 14+ and Android 10+. Sets the locally administered bit, preventing OUI-based manufacturer identification and cross-network device tracking.
Sources
- Android MAC Randomization Behavior (persistent vs non-persistent randomization).
- RFC 8981 (Temporary Address Extensions for IPv6 SLAAC, Feb 2021).
- RFC 7217 (Semantically Opaque Stable IIDs).
- RFC 8064 (Recommendation on Stable IIDs).
- Eye Networks, MAC Randomization Guide (2025) (OS comparison).
- Purple AI, MAC Randomization (iOS 18 rotating default).
- SIDN, Privacy Aspects of IPv6 (2025) (EUI-64 leakage, CPE issues).
- Hawaii IPv6, Privacy, SLAAC & RFC 8981 (SLAAC evolution).
Frequently Asked Questions
What can a MAC address reveal about a device?
The first three octets are the OUI, identifying the manufacturer (e.g., Apple, Samsung, Intel). Combined with DHCP logs, this identifies specific devices. The locally administered bit indicates whether the address is factory-assigned or randomized. Use our MAC Lookup tool for instant OUI identification.
How does MAC randomization affect network forensics?
MAC randomization replaces factory addresses with random ones. iOS 14+ randomizes per-network (iOS 18 rotates every 2 weeks). Android 10+ randomizes by default (persistent per-SSID; Android 12+ can rotate every 24 hours). Windows 10/11 supports opt-in randomization. Randomized addresses have the locally administered bit set (second hex digit is 2, 6, A, or E), making them identifiable but preventing manufacturer identification.
What is EUI-64 and why is it a privacy risk?
EUI-64 creates a 64-bit IPv6 interface identifier from a 48-bit MAC address by inserting FF:FE and flipping bit 41. This embeds the MAC — and manufacturer identity — into every IPv6 packet. RFC 8981 (2021) introduced temporary addresses to mitigate this. Our EUI-64 Decoder can reverse-extract the MAC from any EUI-64 IPv6 address.
How can DHCP logs be used in incident response?
DHCP logs record which MAC was assigned which IP at what time. This bridges firewall/IDS alerts (IP-based) to physical devices (MAC-based). Logs also include client hostnames and DHCP option fingerprints for OS identification. Use our Digital Presence Scorecard · DHCP Lease Parser to extract and analyze lease data.