adam's notes

Network Forensics
Network Basics
Network Packet Analysis
Packet Headers
Network Attacks
Network Traffic Analysis Tools
Network Traffic Analysis
Using Log Files as Evidence
Wireless
Router Forensics
Getting Evidence From The Router
Firewall Forensics
Collecting Data

❯

❯

Network Forensics

Network Forensics

Goals

Understand network packets

Perform network analysis

Analyze routers for forensic evidence

Examine firewall logs for evidence

Network Basics

Network Packet Analysis

packets are divided into three sections
- header
- payload
- footer
there are different types of packets, but all organized in the same way

Packet Headers

a protocol data unit (PDU) can have several headers from each layer
headers contain source and destination addresses
TCP header contains
- source port
- destination port
- sequence number
- synchronization bits
  - used to establish and terminate communications
- other fields

TCP Header Synchronization Bits

URG
- traffic is marked as urgent
- rarely used
ACK
- acknowledges the attempt to synchronize communications
RST
- resets the connection
SYN
- Synchronizes sequence numbers
FIN
- No more data from sender

Network Attacks

Network Traffic Analysis Tools

WireShark
Nmap
TCPDump
Snort
NetWitness

Network Traffic Analysis

Using Log Files as Evidence

end-to-end investigation looks at entire attack
- how it starts
- intermediate devices
- result of attack
evidence can result at each device
logs show a variety of user activity
- found on computers, network equipment, security devices, etc.

Wireless

Router Forensics

Getting Evidence From The Router

you do not shut down the device and image it
be very careful not to alter anything
Steps
1. connect with the router to run commands
  - Hyperterminal is a free tool that can be used to connect to routers
  - since router is live, important to record everything you do
2. Run commands
  - for Cisco
    - show version provides information on hardware and software
      - platform
      - OS version
      - system image file
      - interfaces
      - RAM
      - network and voice interfaces
    - show running-config gets the current executing configuration
    - show startup-config shows system’s startup configuration
    - show ip route shows the routing table
    - show clock detail
    - show reload
    - show ip arp
    - show users
    - show logging
    - show ip interface
    - show interfaces
    - show tcp breif all
    - show ip sockets
    - show ip nat translations verbose
    - show ip cache flow
    - show ip cef
    - show snmp user
    - show snmp group
    - show tech-support
      - is a new Cisco IOS command that combines many other commands
      - show version, show running-config, show stacks, show interface, show controller, show process cpu, show process memory, show buffers

Firewall Forensics

Collecting Data

all traffic going through a firewall is part of a connection
- consists of
  - two IP addresses
  - two port numbers
concatenation of an IP address and a port number is called a socket
- is unique while active
three ranges for port numbers:
- well-known ports
  - 0-1023
- registered ports
  - 1024-49151
- dynamic ports
  - 49152-65535
check logs for connection attempts to suspicious ports

Graph View

Backlinks

D431 - Digital Forensics in Cybersecurity

Created with Quartz v4.5.2 © 2026

CC BY-NC-SA
adamfurman.me