Introduction to Network Forensics and Protocols

Network forensics

Capturing, storing, and analyzing network data.

Digital forensics

Investigating digital media for potential artifacts.

Incident response specialist

Professional investigating suspicious digital activity.

Cryptographic hashes

Methods to verify evidence integrity post-acquisition.

Hashing algorithms

One-way functions for data integrity verification.

Deterministic property

Same input yields the same output consistently.

Fixed size

Output size remains constant regardless of input.

Fast to compute

Efficient calculation for large data sets.

Irreversibility resistance

Difficult to retrieve original input from hash.

Collision resistance

Hard to find different inputs with identical hashes.

Avalanche effect

Small input change causes drastic output change.

MD5

Common hashing algorithm, 128 bits output.

SHA-256

Secure hashing algorithm, 256 bits output.

Protocols

Standards of communication in network stacks.

OSI model

Seven-layer generic model for network communication.

TCP/IP

Four-layer operational model for internet communication.

Encapsulation

Data passes through layers with added headers.

De-encapsulation

Headers removed as data ascends through layers.

Physical layer

Tangible components like cabling and interfaces.

Data link layer

Communication between systems on the same network.

Network layer

Enables communication between different networks.

Transport layer

Ensures complete message delivery to the host.

Session layer

Manages communication streams between hosts.

Presentation layer

Handles data formatting and encryption/decryption.

Application layer

User interface and application programming interfaces.

Network access layer

Ensures communication within the same network.

OSI Model

Framework for understanding network communication layers.

Internet Layer

Equivalent to network layer in OSI, where IP resides.

Transport Layer

Layer 4 of OSI, uses ports for communication.

Application Layer

Covers functions of layers 5-7 in OSI model.

Protocol Data Units

Data wrapped in headers for layer identification.

ICANN

Assigns internet address space to organizations.

IP Address

Consists of network and host address components.

Subnet Mask

Defines network and host portions of an IP.

ICMP

Transmits error messages and diagnostic requests.

TCP

Ensures guaranteed delivery of messages between hosts.

Three-Way Handshake

Method to establish a connection between systems.

Daemon

Service managing communications in Unix-like systems.

Linux Service Management

Includes init scripts and systemd for services.

TCP Communications

Described using a four-tuple structure.

Netstat

Utility providing network information via command line.

Nbstat

Retrieves statistics related to NetBIOS over TCP/IP.

Ifconfig/IPConfig

Displays IP address configurations of network interfaces.

Sysinternals

Windows toolset for advanced system monitoring.

Tcpdump

Console tool for capturing network packets.

Wireshark

GUI tool for analyzing captured network packets.

Port Spanning

Technique for monitoring network traffic on a switch.

ARP Spoofing

Cyber attack using fake ARP messages on a network.

Passive Scanning

Monitors network data for detailed reporting.

Packet Analysis

Analyzing captured packets for statistics and decoding.

Denial of Service (DoS)

Makes a service unavailable to users.

SYN Floods

Flooding a server with incomplete TCP handshakes.

Malformed Packets

Issues with large packets causing assembly problems.

UDP Floods

Consuming network bandwidth using UDP packets.

Amplification Attacks

Increasing requests to disable services and systems.

Insider Threats

Attacks originating from within the organization.

SQL Injection

Malicious SQL queries to manipulate databases.

Cross-Site Scripting (XSS)

Injecting scripts into web pages to steal data.

Time Difference

Attacks at off hours are less likely detected.

Time Zones

Understanding event timing and system location.

Traceroute

Diagnostic tool using TTL to trace network paths.

Whois

Protocol to retrieve domain ownership information.

Geolocation

Determining location from IP and databases.

Location-Based Services

Services using location data for user applications.

WiFi Positioning

Locating systems via wireless network connections.

NetFlow

Cisco protocol for analyzing network activity.

Logging

Collecting data from systems for analysis.

Syslog

Unix-based logging system standardized by IETF.

Antivirus Programs

Detecting malware using known virus definitions.

Incident Response Preparation

Pre-planning systems for effective incident management.