Course 13 - Network Forensics | Episode 2: Architecture, Protocols (TCP/UDP), and Evidentiary Value

Published 5 months, 2 weeks ago

Description
In this lesson, you’ll learn about:
  • Core networking architectures and components
  • The evidentiary value of network design for forensic investigations
  • MAC vs. IP addressing, IPv4 vs. IPv6
  • Ports, protocols, and how systems communicate
  • TCP (reliable) vs. UDP (unreliable) communication
  • Essential protocols: ICMP, DHCP, DNS
1. Networking Architecture & Its Forensic Importance
  • Network forensics requires a solid understanding of how networks operate.
  • The Internet is defined as a collection of interconnected networks using internet protocols to exchange messages.
  • Key network types:
    • LAN – Local Area Network
    • WAN – Wide Area Network
    • CAN – Campus Area Network
    • MAN – Metropolitan Area Network
  • DMZ (Demilitarized Zone):
    • Positioned between the internal LAN and the internet.
    • Hosts publicly accessible systems (web servers, mail servers).
    • A critical zone for forensic evidence.
Evidentiary Value Across the Architecture
When an attacker moves from the internet → DMZ → internal network, evidence is left in multiple locations, including:
  • Point of origin
  • Routers across the internet
  • ISP-facing router
  • Firewalls
  • DMZ switching infrastructure
  • The compromised server
Understanding these layers allows investigators to reconstruct attacker movement.
2. Network Components, Addressing & Infrastructure
Network Components
  • Transmission media: cables, fiber, wireless
  • NICs (Network Interface Cards)
  • Nodes (any device connected to the network)
MAC vs. IP Addresses
  • MAC Address
    • Layer 2
    • Physical/hardware identifier
    • Typically permanent
  • IP Address
    • Layer 3
    • Logical/virtual
    • Changes frequently depending on network
IPv4 vs. IPv6
  • IPv4 → 32-bit addressing
  • IPv6 → 128-bit addressing with IPSec built in (encryption/authentication)
Public vs. Private Addressing
  • Public = Routable on the internet
  • Private = Non-routable (internal networks)
  • NAT (Network Address Translation) is used to map internal private IPs to a public-facing address.
IP Address Classes
  • Class A
  • Class B
  • Class C
  • Class E (experimental)
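The addressing distinctions above (32-bit IPv4 vs. 128-bit IPv6, private vs. public, classful ranges) decide which logs an investigator has to pull: a private source address that reached a public host only makes sense once the NAT device's translation log is correlated. The following is an added example, not material from the episode; it uses Python's standard `ipaddress` module on a few constructed sample addresses. The classful letters are derived from the first octet as the episode lists them, and `needs_nat_correlation` is a hypothetical helper name chosen here.

```python
import ipaddress

# Constructed sample addresses of the kind pulled from firewall or DHCP
# logs; none of these are from the episode or from a real incident.
SAMPLE_ADDRESSES = [
    "10.0.5.23",       # private (RFC 1918), falls in the classful A range
    "172.16.40.7",     # private, classful B range
    "192.168.1.100",   # private, classful C range
    "8.8.8.8",         # public, routable on the internet
    "240.0.0.1",       # classful E (experimental / reserved)
    "2001:db8::1",     # IPv6 documentation prefix (not globally routable)
]


def ipv4_class(addr):
    """Classful letter for an IPv4 address, taken from its first octet."""
    first = addr.packed[0]          # bytes indexing yields an int
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def classify(text):
    """Describe one address: version, width in bits, private/routable, class."""
    addr = ipaddress.ip_address(text)   # raises ValueError on malformed input
    info = {
        "address": str(addr),
        "version": addr.version,           # 4 or 6
        "bits": addr.max_prefixlen,        # 32 for IPv4, 128 for IPv6
        "private": addr.is_private,        # non-routable / special-purpose
        "routable": addr.is_global,        # routable on the public internet
    }
    if addr.version == 4:
        info["class"] = ipv4_class(addr)
    return info


def needs_nat_correlation(src_text, dst_text):
    """True when a private source talked to a public destination: the
    public-facing address seen by the remote side is a NAT translation,
    so the NAT device's log is needed to attribute the flow (hypothetical
    helper; the name is chosen for this example)."""
    src = ipaddress.ip_address(src_text)
    dst = ipaddress.ip_address(dst_text)
    return src.is_private and dst.is_global


if __name__ == "__main__":
    for a in SAMPLE_ADDRESSES:
        print(classify(a))
    print("NAT log required:", needs_nat_correlation("10.0.5.23", "8.8.8.8"))
```

Note that `is_private` in `ipaddress` is broader than RFC 1918: documentation ranges and reserved space also report as private, which is the conservative answer for an investigator deciding whether an address can be attributed directly.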
3. Ports & Communication Protocols
Ports
  • Think of ports as "traffic lanes" used for communication.
  • Total: 65,535 ports
    • 1–1024 → Well-known ports
    • 1025+ → Ephemeral or dynamic ports
  • Services (Windows) / Daemons (Linux) bind to these ports.
Protocols
  • Protocols define communication rules between systems.
  • Governed by RFCs (Request for Comments) standards.
4. TCP – The Reliable Protocol
Key TCP Header Elements
  • Source port
  • Destination port
  • Sequence number
  • Flags
Connection Management
  • Three-Way Handshake (Start of session)
    • SYN → SYN/ACK → ACK
  • Four-Way Combo (End of session)
    • FIN/ACK → ACK → FIN/ACK → ACK
  • Total overhead: 7 packets for a complete start + close cycle.
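In a capture the three-way handshake and the four-packet close are what let an investigator tell a completed session from a half-open probe, and the server-side port tells which service was involved. The block below is an added example, not code from the episode: it walks a constructed packet list (seven handshake/teardown packets plus two data packets for one session, and a lone SYN for a second) through a small TCP state tracker and summarises each session. `reconstruct`, `summarize` and `port_role` are names chosen for this example; the well-known/ephemeral boundary follows the episode's 1–1024 / 1025+ split (IANA's own registry draws the line at 0–1023).

```python
# Constructed packet log: (seq_no, src_ip, src_port, dst_ip, dst_port, flags).
# Not captured from any real system. Session 1 is a full open+close cycle
# (7 control packets) with two data packets in between; session 2 is a SYN
# that never received a reply.
SAMPLE_PACKETS = [
    (1, "192.168.1.50", 51234, "203.0.113.10", 80, "SYN"),
    (2, "203.0.113.10", 80, "192.168.1.50", 51234, "SYN,ACK"),
    (3, "192.168.1.50", 51234, "203.0.113.10", 80, "ACK"),
    (4, "192.168.1.50", 51234, "203.0.113.10", 80, "PSH,ACK"),   # request data
    (5, "203.0.113.10", 80, "192.168.1.50", 51234, "ACK"),
    (6, "192.168.1.50", 51234, "203.0.113.10", 80, "FIN,ACK"),
    (7, "203.0.113.10", 80, "192.168.1.50", 51234, "ACK"),
    (8, "203.0.113.10", 80, "192.168.1.50", 51234, "FIN,ACK"),
    (9, "192.168.1.50", 51234, "203.0.113.10", 80, "ACK"),
    (10, "10.0.0.7", 44000, "203.0.113.10", 22, "SYN"),           # half-open
]


def parse_flags(flag_field):
    """'FIN,ACK' -> {'FIN', 'ACK'}; tolerant of spacing and case."""
    return {f.strip().upper() for f in flag_field.split(",") if f.strip()}


def port_role(port):
    # Boundary as stated in the episode notes (1-1024 well-known, 1025+ ephemeral).
    return "well-known" if 1 <= port <= 1024 else "ephemeral"


def reconstruct(packets):
    """Group packets into sessions and drive a minimal TCP state machine.

    States: closed -> syn_sent -> syn_received -> established -> closing
    -> closed_gracefully. Anything that stops early is visible as the state
    it reached (e.g. a scan's lone SYN stays in syn_sent)."""
    sessions = {}
    for _, sip, sport, dip, dport, flag_field in packets:
        flags = parse_flags(flag_field)
        a, b = (sip, sport), (dip, dport)
        key = tuple(sorted([a, b]))          # direction-independent 4-tuple
        s = sessions.setdefault(key, {
            "initiator": None, "responder": None,
            "state": "closed", "fin_from": set(), "packets": 0,
        })
        s["packets"] += 1
        if "SYN" in flags and "ACK" not in flags and s["state"] == "closed":
            s["initiator"], s["responder"], s["state"] = a, b, "syn_sent"
        elif flags >= {"SYN", "ACK"} and s["state"] == "syn_sent" and a == s["responder"]:
            s["state"] = "syn_received"
        elif s["state"] == "syn_received" and "ACK" in flags and a == s["initiator"]:
            s["state"] = "established"
        elif "FIN" in flags and s["state"] in ("established", "closing"):
            s["fin_from"].add(a)             # each side must send its own FIN
            s["state"] = "closing"
        elif s["state"] == "closing" and "ACK" in flags and len(s["fin_from"]) == 2:
            s["state"] = "closed_gracefully"  # final ACK of the four-packet close
    return sessions


def summarize(sessions):
    """One row per session with the facts an analyst looks for first."""
    rows = []
    for (ep1, ep2), s in sessions.items():
        init = s["initiator"] or ep1
        resp = s["responder"] or ep2
        rows.append({
            "client": f"{init[0]}:{init[1]}",
            "server": f"{resp[0]}:{resp[1]}",
            "server_port_role": port_role(resp[1]),
            "handshake_complete": s["state"] in ("established", "closing", "closed_gracefully"),
            "graceful_close": s["state"] == "closed_gracefully",
            "packets": s["packets"],
        })
    return rows


if __name__ == "__main__":
    for row in summarize(reconstruct(SAMPLE_PACKETS)):
        print(row)
```

The tracker deliberately ignores data packets once the session is established, so the seven-packet open+close budget from the notes is exactly the set of packets that move the state machine; an RST-terminated session would stop in `established` or `closing`, which is itself evidence worth noting in a timeline.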
Important TCP Flags
  • Urgent Pointer – Marks urgent/priority data
  • Push (PSH) – Forces buffered data to transmit imme