Learning Network Forensics

By : Samir Datt

Strengthening our technical fundamentals

Before we develop our skills on network forensics, we need to have certain basic fundamentals in place.

A network, in general parlance, is a group of computers/devices that are connected to each other. The connection can be wired or wireless. Every device on the network has a unique network address, which can be temporary (session specific) or permanent. Addresses are numeric quantities that are easy for computers to work with; however, they are not easy for humans to remember. These numeric addresses are known as IP addresses. Consider the following diagram:

A simple network

To make these numeric addresses easy for humans to remember, they are stored as textual addresses as Domain Name Server (DNS) records. DNS servers are responsible for translating textual Internet addresses into numeric Internet addresses.

While numeric IP addresses identify a specific host machine working on a network, a numeric port number is used to identify a specific process that is running on a host machine. The number of ports is not functionally limited. Some of the common services that have well-known port numbers are as follows:

  • SMTP (mail)

  • POP3 (mail)

When devices are connected to each other, they can communicate. Devices communicate by exchanging data, and data is transferred using packet switching: messages are broken into packets and transmitted over the network. Each packet has a specified maximum size and is split into a header and a data area. As each packet is sent from a source computer to a destination computer or device, the source and destination addresses, together with the information that is necessary to properly sequence the packets at the reconstruction stage, are included in the header.

Communications between two connected computers on a network are governed by rules known as protocols.

Protocols define the following:

  • Addressing of messages

  • Routing of messages

  • Error detection

  • Error recovery

  • Packet sequence

  • Flow controls

Protocol design is based on a layered architecture model such as the Open Systems Interconnection (OSI) reference model.

This is also known as the seven-layer model.

The seven-layer model

As the name suggests, this model consists of seven layers. Each of these is explained as follows:

  • Layer 1: This is called the physical layer. This is the actual physical infrastructure over which the data travels. This consists of the cables, hubs, and so on. This is the electronics that ensures the physical transmission and reception of raw and unstructured bits and bytes.

  • Layer 2: This is called the data link layer. This layer is responsible for the data encapsulation in the form of packets and their interpretation at the physical layer. This will initiate and terminate a logical link between two nodes on a network. Layer 2 is responsible for error-free transfer of data over the physical layer.

  • Layer 3: This is called the network layer. This layer is in charge of a packet's transmission from a source to its destination. This layer decides the route, mapping of the logical and physical addresses, and data traffic control.

  • Layer 4: This is called the transport layer. The transport layer is in charge of the delivery of the packets from a source to a destination. This ensures that the message is delivered in a sequence without duplication or loss and is error-free.

  • Layer 5: This is called the session layer. The session layer manages the network access. It establishes sessions among the processes running on different nodes via different logical ports. Layer 5 also handles session establishment, maintenance, and termination.

  • Layer 6: This is called the presentation layer. The role of the presentation layer is to format the data transmitted to applications: data conversion, compression/decompression, encryption, and so on. It also gives end users access to various Windows services such as resource sharing, remote printing, and so on.

  • Layer 7: This is called the application layer. This is the end user layer. This layer contains the applications, such as Java, Microsoft Word, and so on, that are used by the end user.

As the data travels between layers, each layer adds or removes its header to the data unit. At the destination, each added header is removed one-by-one until the receiving application gets the data that is intended for it.

The TCP/IP model

The TCP/IP model consists of only four layers. These are application, transport, internet, and network.

These layers are shown in the following table:

Layer name     Description
Application    This is responsible for applications and processes running on the network
Transport      This provides end-to-end data delivery
Internet       This makes datagrams and handles data routing
Network        This allows access to the physical network

Let's take a look at each of these one by one, starting from the network interface layer and working our way upwards.

  • Network layer: The network layer (also known as the network interface layer) is the bedrock of the TCP/IP model. It drives the signals across the network, transmitting and receiving bits over the network hardware such as coaxial or twisted-pair copper cable. This layer sits over the physical medium and includes the following protocols:

    • Ethernet

    • Token-ring

    • Frame relay

    • FDDI

    • X.25

    • RS-232

    • V.35

  • Internet layer: The Internet layer is at the heart of the TCP/IP model. This packages the data into IP datagrams and performs routing for these datagrams based on the source and destination information in the header. The protocols used at this layer include the following:

    • Internet Protocol (IP)

    • Internet Control Message Protocol (ICMP)

    • Address Resolution Protocol (ARP)

    • Reverse Address Resolution Protocol (RARP)

  • Transport layer: This layer manages the communication session between the host computers. During the data transportation process, this defines the level of service and the connection status. The transport layer uses the following protocols:

    • Transmission Control Protocol (TCP)

    • User Datagram Protocol (UDP)

    • Real-time Transport Protocol (RTP)

  • Application layer: The application layer combines the functions of the OSI application, presentation, and session layers. This layer defines how the host programs interface with transport layer services as well as their related application protocols. Some of the protocols in this layer are as follows:

    • Simple Mail Transfer Protocol (SMTP)

    • HTTP

    • FTP

    • Telnet

    • Simple Network Management Protocol (SNMP)

    • DNS

    • Trivial File Transfer Protocol (TFTP)

    • X-Windows

The following image depicts both models in graphic form. It also shows their interrelation:

Understanding the concept of interconnection between networks/Internet

In 1966, the Defense Advanced Research Project Agency Network implemented a research network of networks. This consisted of connecting several computer networks that were based on different protocols.

This raised the unique problem of having to define a common interconnection protocol on top of the local protocols. The Internet Protocol (IP) plays this role by defining unique addresses for network devices and host machines. The following diagram depicts this interconnection of devices using IP routing:

Internet Protocol (IP)

Whenever we see a stranger whom we want to speak to, it always helps if we speak the same language. In the computer world, the language of communication is called a protocol. IP is one of the languages that multiple computers use to communicate with each other as a part of the layered architecture model.

On top of the IP, there are TCP, UDP, and some others.

There are two versions of the IP being used, as follows:

  • Internet Protocol version 4 (IPv4)

  • Internet Protocol version 6 (IPv6)

The Internet Protocol has the following two main functions:

  • Splitting the data stream into standard size packets at the source and then putting them together again in the correct order at the destination.

  • Guiding or routing a packet through a number of intermediary networks, starting from the source device IP address to the destination device IP address.

How does it work?

IP splits the initial data that is to be sent into datagrams. Each datagram has a header that includes the IP address and the port number of the destination. Datagrams are then sent to selected gateways, that is, IP routers. These routers are connected to the local network and to an IP service provider network at the same time. The routers start the relay process, wherein datagrams are transferred from gateway to gateway until they arrive at their final destination.

The following diagram illustrates this concept in a simple-to-understand manner:

Whenever two hosts communicate with each other using the Internet Protocol, there is no need for a continuous connection. One host sends data to another via data packets. Each packet header contains the source and destination addresses as well as the sequence number, and each packet is treated as an independent unit of data. TCP is responsible for reading the packet headers and putting the packets in the correct sequence so that the message is readable.

Today, the most widely used version of IP is IPv4. However, IPv6 is also beginning to be supported. IPv6 was introduced when it was realized that IPv4 addresses were running out: the exponential increase in the number of devices connected to the Internet led to the anticipation of IPv4 address exhaustion. IPv6 provides much longer addresses and therefore the possibility of many more Internet users. IPv6 includes the capabilities of IPv4, and any server that can support IPv6 packets can also support IPv4 packets.

Structure of an IP packet

Let's take a look at the following structure of an IP packet:

  • The IP's functionality and limitations are defined by the fields at the beginning of the packet. This is called the frame header.

  • The source and destination address fields have 32 bits allocated to encode their data.

  • Various additional information, such as the total packet length in bytes, is encoded in 16 bytes in the remainder of the header.

Normally, the application layer sends the data that is to be transmitted to the transport layer. The transport layer adds a header and sends it to the Internet layer. The Internet layer adds its own header to this and sends it to the network layer for physical transmission in the form of an IP datagram. The network layer adds its own frame header and footer and then physically transmits it over the network.

At the other end, when the datagram is received, this process is reversed and the different headers are stripped as the data moves from layer to layer. The following diagram represents how headers are added and removed as we move from layer to layer:

Datagram headers as we move from layer to layer

Transmission Control Protocol (TCP)

IP packets are a basic service that do not guarantee safe delivery. TCP remedies this by adding the following elements:

  • Error detection

  • Safe data transmission

  • Assurance that data is received in the correct order

Before sending the data, TCP requires the computers that are communicating to establish a connection with each other:

TCP/IP communications

Whereas IP is limited to sending 64-kb data streams, large data streams can be sent as one big stream of data using TCP. TCP does this by breaking up the data stream into separate data packets. Each packet is numbered and its sequence number is stored in the header. On arrival, these disparate packets are reassembled using sequence and sequence acknowledgement numbers. TCP specifies the port numbers. This improves the capabilities over IP. Every TCP/IP machine can communicate using 65,536 different ports or sockets.

All data in a TCP packet is accompanied by a header. The header contains information related to the source port, destination port, sequence number, sequence acknowledgement number, and some miscellaneous header data.
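The header layout described in the "Structure of an IP packet" and TCP sections above can be seen directly in raw bytes. The following example is added here and is not code from the book: it decodes the 32-bit source and destination addresses and the 16-bit total length from a constructed IPv4 header, then strips that header and decodes the source port, destination port, sequence number, and acknowledgement number of the TCP header that follows (UDP is handled too). The packet bytes are constructed for illustration, not captured traffic.

```python
import socket
import struct

# Constructed sample (not captured traffic): a 20-byte IPv4 header followed by
# a 20-byte TCP header carrying a SYN from port 50000 to port 25 (SMTP), no payload.
SAMPLE_TCP_SYN = bytes.fromhex(
    "4500 0028 1c46 0000 4006 0000"  # ver=4/IHL=5, TOS, total len=40, id, flags/frag, TTL=64, proto=6, checksum
    "c0a8 0164"                      # source address 192.168.1.100
    "0a00 0001"                      # destination address 10.0.0.1
    "c350 0019 0000 0001 0000 0000"  # src port 50000, dst port 25, seq=1, ack=0
    "5002 ffff 0000 0000"            # data offset=5, flags=SYN, window=65535, checksum, urgent ptr
)

TCP_FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def parse_ipv4(raw):
    """Return the IPv4 header fields and the transport segment that follows the header."""
    if len(raw) < 20:
        raise ValueError("too short for an IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes; options make it larger than 20
    # A total length beyond the captured bytes means a truncated or malformed packet.
    if version != 4 or ihl < 20 or total_len < ihl or total_len > len(raw):
        raise ValueError("malformed or truncated IPv4 packet")
    header = {"version": version, "header_len": ihl, "total_len": total_len, "ttl": ttl,
              "protocol": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    return header, raw[ihl:total_len]


def parse_transport(proto, seg):
    """Decode the TCP (6) or UDP (17) header; return its fields and the remaining payload."""
    if proto == 6 and len(seg) >= 20:
        sport, dport, seq, ack, off, flags, win, _csum, _urg = struct.unpack("!HHIIBBHHH", seg[:20])
        hlen = (off >> 4) * 4  # data offset is in 32-bit words
        names = [name for name, bit in TCP_FLAGS if flags & bit]
        return {"proto": "TCP", "src_port": sport, "dst_port": dport, "seq": seq,
                "ack": ack, "flags": names, "window": win}, seg[hlen:]
    if proto == 17 and len(seg) >= 8:
        sport, dport, length, _csum = struct.unpack("!HHHH", seg[:8])
        return {"proto": "UDP", "src_port": sport, "dst_port": dport, "length": length}, seg[8:length]
    return {"proto": proto}, seg


def parse_packet(raw):
    """Peel the headers off layer by layer, as a receiving host does."""
    ip, seg = parse_ipv4(raw)
    transport, payload = parse_transport(ip["protocol"], seg)
    return {"ip": ip, "transport": transport, "payload": payload}
```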

User Datagram Protocol (UDP)

Similar to the TCP, the UDP is also built on top of the IP. It has the same packet-size limit (64 kb) as IP; however, it allows specifying port numbers. This provides 65,536 different ports, which is the same as TCP. Therefore, every machine has two sets of 65,536 ports: one for TCP and the other for UDP.

The difference between the two is that UDP is a connectionless protocol without any error detection facility. It only provides support for data transmission from one end to the other without any verification. As it does no further verification, UDP is very fast. This is its main feature, and it is extremely useful for sending small, repetitive data at a very high speed. Some examples are audio and video streaming, games, continuously streamed time information, and so on.

Internet application protocols

On top of the TCP/IP layers is the application layer. The Internet Engineering Task Force (IETF) definition document for the application layer in the Internet protocol suite is RFC 1123. The application layer's role is to support network applications by the means of application protocols.

Some of the application protocols include the following:

  • Telnet: This is a text input-based protocol that allows the user to perform a remote login on another computer

  • File Transfer Protocol (FTP): This is for file transfer

  • SMTP: This is for the transportation of electronic mail

  • DNS: This is for networking support

  • SNMP: This is for remote host management

  • Hypertext Transfer Protocol (HTTP)

  • Network News Transfer Protocol (NNTP): This allows users to create newsgroups around specific subjects

Newer applications can also spawn additional application protocols such as BitTorrent, Bitcoin, eDonkey, and so on.