Course 13 - Network Forensics | Episode 7: Web Traffic Analysis and Browser Forensics: Handshakes, DNSSEC, and Cookies

Published 5 months, 2 weeks ago
Description
In this lesson, you’ll learn about:
  • How to identify and analyze web traffic using network forensics techniques
  • The role of DNSSEC in securing DNS infrastructure
  • Browser forensics across IE, Firefox, Chrome, Edge, and Safari
  • How history files, caches, and artifacts differ between browsers
  • The forensic value of cookies and how they are stored and analyzed
1. Network Traffic Analysis Fundamentals

A core skill in network forensics is the ability to recognize and interpret the TCP three-way handshake.
The handshake (SYN → SYN/ACK → ACK) is a reliable indicator of:
  • A new connection forming
  • Impending data transfer
  • The type of communication likely to follow: the destination port in the SYN names the service being contacted
Identifying Web Traffic
  • Port 80 typically indicates HTTP web traffic
    • The port number is only a hint; a request line such as GET /index.html HTTP/1.1 in the payload confirms it
  • Port 23 indicates Telnet, which carries logins and commands in plaintext
Older packet captures may reveal metadata about the remote system:
  • Example: a Server: Microsoft-IIS/5.0 response header suggests the server was running Windows 2000, the release IIS 5.0 shipped with
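As an added example (not from the course), the following Python reconstructs the handshake tracking and the port/payload checks above over raw IPv4/TCP frames. It uses only the standard library; the addresses, ports, request and IIS banner in SAMPLE_PACKETS are constructed sample data, and the IIS-to-Windows pairings are the well-known shipping versions.

```python
"""Recognise TCP three-way handshakes and classify what follows them.

Added example for this lesson (not from the course). Standard library only;
the packets below are constructed in-memory IPv4/TCP frames (no checksums),
so it runs offline. Replace SAMPLE_PACKETS with raw IP packets from a capture.
"""
import struct
from collections import defaultdict

SYN, PSH, ACK = 0x02, 0x08, 0x10
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
# Server banners and the Windows release each IIS version shipped with.
SERVER_OS_HINTS = {
    b"Microsoft-IIS/5.0": "Windows 2000",
    b"Microsoft-IIS/5.1": "Windows XP",
    b"Microsoft-IIS/6.0": "Windows Server 2003",
}


def build_packet(src, sport, dst, dport, flags, payload=b"", seq=0, ack=0):
    """Construct a minimal IPv4 + TCP packet (20-byte headers, checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Return (src, sport, dst, dport, flags, payload) for an IPv4/TCP packet, else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:  # IP version 4, protocol 6 = TCP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[13], tcp[data_off:]


def server_header(response):
    """Pull the Server: header out of an HTTP response head, if present."""
    head = response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            return value.strip()
    return None


def analyze(packets):
    """Track handshake state per connection and classify the traffic it carries.

    Result: {(client, cport, server, sport): {"handshake": bool, "protocol": str|None, "notes": [...]}}
    """
    pending = {}  # connection key -> "SYN" | "SYN/ACK" | "ESTABLISHED"
    conns = defaultdict(lambda: {"handshake": False, "protocol": None, "notes": []})
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            continue
        src, sport, dst, dport, flags, payload = parsed
        c2s = (src, sport, dst, dport)  # key if the sender is the client
        s2c = (dst, dport, src, sport)  # key if the sender is the server
        if flags & SYN and not flags & ACK:                   # step 1: SYN
            pending[c2s] = "SYN"
        elif flags & SYN and pending.get(s2c) == "SYN":       # step 2: SYN/ACK
            pending[s2c] = "SYN/ACK"
        elif flags & ACK and pending.get(c2s) == "SYN/ACK":   # step 3: ACK
            pending[c2s] = "ESTABLISHED"
            conns[c2s]["handshake"] = True
        if not payload:
            continue
        key = s2c if s2c in pending else c2s  # the SYN we saw tells us who the client is
        conn, server_port = conns[key], key[3]
        if server_port == 80 and payload.startswith(HTTP_METHODS):
            conn["protocol"] = "HTTP"
            conn["notes"].append("request: " + payload.split(b"\r\n", 1)[0].decode("ascii", "replace"))
        elif server_port == 80 and payload.startswith(b"HTTP/"):
            conn["protocol"] = "HTTP"
            banner = server_header(payload)
            if banner:
                hint = SERVER_OS_HINTS.get(banner)
                conn["notes"].append(f"banner: {banner.decode('ascii', 'replace')}"
                                     + (f" (suggests {hint})" if hint else ""))
        elif server_port == 23:
            conn["protocol"] = "Telnet"
            conn["notes"].append("plaintext: " + payload.decode("ascii", "replace").strip())
    return dict(conns)


CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
SAMPLE_PACKETS = [  # constructed traffic, not from a real capture
    build_packet(CLIENT, 51234, SERVER, 80, SYN, seq=1000),
    build_packet(SERVER, 80, CLIENT, 51234, SYN | ACK, seq=5000, ack=1001),
    build_packet(CLIENT, 51234, SERVER, 80, ACK, seq=1001, ack=5001),
    build_packet(CLIENT, 51234, SERVER, 80, PSH | ACK,
                 b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n", seq=1001, ack=5001),
    build_packet(SERVER, 80, CLIENT, 51234, PSH | ACK,
                 b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nContent-Length: 0\r\n\r\n",
                 seq=5001, ack=1052),
    # Telnet stream whose handshake was only partially captured: still classifiable, but
    # "handshake" stays False so the analyst knows the start of the session is missing.
    build_packet(CLIENT, 51300, SERVER, 23, SYN, seq=7000),
    build_packet(CLIENT, 51300, SERVER, 23, PSH | ACK, b"admin\r\n", seq=7001, ack=9001),
]

if __name__ == "__main__":
    for key, info in analyze(SAMPLE_PACKETS).items():
        print(key, info)
```

The connection key is always oriented client-to-server, which is what the SYN gives you; when no SYN was captured the code falls back to treating the sender as the client, so an incomplete handshake shows up as handshake=False rather than being silently dropped.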
Being able to identify OS fingerprints and protocol behavior is critical for traffic analysis.

2. Enhancing Security with DNSSEC

DNSSEC (DNS Security Extensions) is recommended to strengthen DNS infrastructure.

Key Benefits of DNSSEC
  • Cryptographic signing of records (RRSIG) lets a validating resolver detect unauthorized changes
  • Makes cache poisoning and in-transit tampering detectable, so forged answers are rejected instead of served; zone-file tampering is caught only if the signing key is not on the compromised server
  • If a compromise occurs, DNSSEC leaves forensic evidence:
    • Signatures (RRSIG records with inception, expiration, and key tag)
    • Validation failures in resolver logs (typically surfaced to clients as SERVFAIL)
    • Traces of the tampered data that failed validation
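The signatures named above are visible on the wire as RRSIG records. The following added example (not from the course) parses a DNS response, extracts each RRSIG's fields per RFC 4034 §3.1, reports whether the resolver set the AD bit, and checks the signature validity window against a capture time, which is the first question to ask when a resolver logged a validation failure. It does not verify the signature cryptographically. The response, owner name, key tag and 64 placeholder signature bytes are constructed.

```python
"""Extract DNSSEC signature metadata from a DNS response on the wire.

Added example for this lesson (not from the course). Parses RRSIG records
(RFC 4034 §3.1) and checks the validity window against a capture time; it does
not verify the signature cryptographically. The response below is constructed
with a placeholder signature so the code runs offline.
"""
import struct
from datetime import datetime, timezone

TYPE_A, TYPE_RRSIG = 1, 46
TYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 28: "AAAA", 46: "RRSIG", 48: "DNSKEY"}
ALGORITHMS = {8: "RSASHA256", 13: "ECDSAP256SHA256", 15: "ED25519"}
FLAG_AD = 0x0020  # Authenticated Data: the resolver validated this answer


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers (RFC 1035 §4.1.4).
    Returns (name, offset just past the name as it appeared at the original position)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_rrsig_rdata(rdata):
    """Split RRSIG RDATA into its fixed fields, signer name and signature bytes."""
    covered, alg, labels, orig_ttl, expiration, inception, key_tag = struct.unpack("!HBBIIIH", rdata[:18])
    signer, sig_start = decode_name(rdata, 18)   # the signer's name is never compressed
    return {
        "type_covered": TYPE_NAMES.get(covered, str(covered)),
        "algorithm": ALGORITHMS.get(alg, str(alg)),
        "labels": labels, "original_ttl": orig_ttl,
        "inception": inception, "expiration": expiration,
        "key_tag": key_tag, "signer": signer, "signature": rdata[sig_start:],
    }


def parse_rrsigs(msg):
    """Walk a DNS message and return the AD flag plus every RRSIG with its owner name."""
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", msg[2:12])
    offset, found = 12, []
    for _ in range(qd):                                  # skip the question section
        _, offset = decode_name(msg, offset)
        offset += 4                                      # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        owner, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_RRSIG:
            rec = parse_rrsig_rdata(msg[offset:offset + rdlen])
            rec.update(owner=owner, ttl=ttl)
            found.append(rec)
        offset += rdlen
    return {"ad_bit": bool(flags & FLAG_AD), "rrsigs": found}


def validity_status(rrsig, at_time):
    """Usable only when inception <= at_time <= expiration (RFC 4034 §3.1.5).
    A capture outside that window explains a resolver's validation failure."""
    if at_time < rrsig["inception"]:
        return "not yet valid"
    if at_time > rrsig["expiration"]:
        return "expired"
    return "valid window"


def build_sample_response():
    """Constructed response: www.example.com A plus an RRSIG over it (placeholder signature)."""
    owner = encode_name("www.example.com.")
    header = struct.pack("!HHHHHH", 0x1234, 0x8000 | 0x0400 | FLAG_AD, 1, 2, 0, 0)  # QR, AA, AD
    question = owner + struct.pack("!HH", TYPE_A, 1)
    a_rr = owner + struct.pack("!HHIH", TYPE_A, 1, 3600, 4) + bytes([192, 0, 2, 10])
    rdata = (struct.pack("!HBBIIIH", TYPE_A, 13, 3, 3600, 1701209600, 1700000000, 34567)
             + encode_name("example.com.") + b"\x11" * 64)
    rrsig_rr = owner + struct.pack("!HHIH", TYPE_RRSIG, 1, 3600, len(rdata)) + rdata
    return header + question + a_rr + rrsig_rr


if __name__ == "__main__":
    parsed = parse_rrsigs(build_sample_response())
    for sig in parsed["rrsigs"]:
        window = tuple(datetime.fromtimestamp(sig[k], timezone.utc).isoformat()
                       for k in ("inception", "expiration"))
        print(sig["owner"], sig["type_covered"], sig["algorithm"], "key tag", sig["key_tag"],
              "signer", sig["signer"], window, validity_status(sig, 1702000000), "AD", parsed["ad_bit"])
```

The key tag and signer name tell you which DNSKEY to pull from the same capture or from the zone to complete validation offline; the inception and expiration timestamps are in seconds since the epoch, unlike the TTL, which is relative.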
DNSSEC does not fix DNS's entire design (it provides integrity and origin authentication, not confidentiality), but it dramatically increases integrity and trust.

3. Browser and Client-Side Forensics

Different browsers store history, cache, and session data in different formats and file locations. These paths also vary across operating systems. Understanding these artifacts is essential for analyzing user activity.

Internet Explorer (IE)
Key artifact: index.dat
  • A binary file that logs significant browsing activity
  • Cannot be opened with Notepad or standard editors
  • Requires specialized tools or index.dat viewers
  • Older systems stored IE artifacts under:
    Local Settings\Temporary Internet Files
IE's structure makes it rich in recoverable artifacts even after attempted deletion. IE10 and later replaced index.dat with an ESE database, WebCacheV01.dat under AppData\Local\Microsoft\Windows\WebCache, which needs ESE-aware tooling.

Firefox
Key artifact: history.dat (the legacy Mork-format file of Firefox 1.x and 2.x; Firefox 3 and later keep history and bookmarks in places.sqlite)
  • Stored as text (Mork format), so it can be opened in an ordinary editor
  • Easier to read than IE’s binary format
  • However, it does not directly link visited sites with cached pages
    • Reconstruction of user view is harder
  • Stored in the user's profile folder (on Windows XP under Application Data\Mozilla\Firefox\Profiles)
Firefox's structured but separated data can make page reconstruction challenging.

4. The Forensic Significance of Cookies

A cookie is a small piece of data that a website sets and the browser stores (as individual text files in older IE, as rows in a SQLite database in Firefox and Chrome) to record:
  • Language preferences
  • Activity
  • Session identifiers
  • Visit frequency
Cookies are critical in forensics because they are stored separately from history and cache, so they often survive when:
  • History is deleted
  • Cache is wiped
  • Only some artifact categories were cleared (private browsing, by contrast, discards its cookies when the session ends, so cookies from such sessions are normally absent)
Why Cookies Matter
  • Show repeated visits vs. “accidental” single access
  • Reveal behavior and browsing patterns
  • Tie activity to specific sessions or visits
  • Help reconstruct long-term user engagement
Cookie Characteristics
  • Maximum size: about 4 KB per cookie (RFC 6265 requires user agents to accept at least 4096 bytes for name, value, and attributes combined)
  • Contain six classic components: name, value, expiration (Expires or Max-Age), domain, path, and flags such as Secure and HttpOnly
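The cross-check described in the Firefox section and in the cookie section above, as an added example that is not part of the course: Firefox 3 and later keep history in places.sqlite (moz_places, moz_historyvisits) and cookies in cookies.sqlite (moz_cookies). The table and column names below are the real ones (a subset); the rows are constructed, and the two databases are built in memory so the example runs offline. It prints the visit timeline and then flags cookie hosts whose cookies were created before the earliest surviving visit, or that have no history at all, which is the signature of selectively cleared history.

```python
"""Correlate Firefox history with cookies to spot cleared history.

Added example for this lesson (not from the course). Firefox 3+ keeps history
in places.sqlite (moz_places, moz_historyvisits) and cookies in cookies.sqlite
(moz_cookies); the table and column names are the real ones (a subset), the
rows are constructed. Point the two connect() calls at copies of a profile's
files to run it against evidence.
"""
import sqlite3
from datetime import datetime, timezone
from urllib.parse import urlsplit


def prtime_to_iso(microseconds):
    """visit_date, lastAccessed and creationTime are PRTime: microseconds since the Unix epoch."""
    return datetime.fromtimestamp(microseconds / 1_000_000, tz=timezone.utc).isoformat()


def build_sample_profile():
    """Two in-memory databases standing in for places.sqlite and cookies.sqlite."""
    places = sqlite3.connect(":memory:")
    places.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                        place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
    """)
    places.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", [
        (1, "https://news.example.org/", "Example News", 2, 1700100000000000),
        (2, "https://shop.example.com/cart", "Cart", 1, 1700200000000000),
    ])
    places.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
        (1, 0, 1, 1700000000000000, 1),   # visit_type 1 = followed a link
        (2, 0, 1, 1700100000000000, 2),   # visit_type 2 = typed URL
        (3, 0, 2, 1700200000000000, 1),
    ])
    cookies = sqlite3.connect(":memory:")
    cookies.executescript("""
        CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, name TEXT, value TEXT, host TEXT,
                                  path TEXT, expiry INTEGER, lastAccessed INTEGER,
                                  creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER);
    """)
    cookies.executemany("INSERT INTO moz_cookies VALUES (?,?,?,?,?,?,?,?,?,?)", [
        # constructed rows; expiry is in seconds, lastAccessed/creationTime in microseconds
        (1, "sessionid", "a1b2c3", ".example.org", "/", 1731600000, 1700100000000000, 1699000000000000, 1, 1),
        (2, "prefs", "lang=en", "shop.example.com", "/", 1731600000, 1700200000000000, 1700200000000000, 1, 0),
        (3, "tracker", "xyz", ".forum.example.net", "/", 1731600000, 1699500000000000, 1698000000000000, 0, 0),
    ])
    return places, cookies


def history_timeline(places):
    """Visits in order, joined back to their URL (the join the analyst always needs)."""
    rows = places.execute("""
        SELECT v.visit_date, p.url, v.visit_type
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date""").fetchall()
    return [(prtime_to_iso(ts), url, vtype) for ts, url, vtype in rows]


def cookie_host_matches(cookie_host, url_host):
    """A host beginning with '.' is a domain cookie and also covers subdomains."""
    if cookie_host.startswith("."):
        domain = cookie_host[1:]
        return url_host == domain or url_host.endswith("." + domain)
    return url_host == cookie_host


def cookies_vs_history(places, cookies):
    """Compare each cookie host's earliest creationTime with the earliest recorded visit.

    'no history'       -> cookie set by a site with no history rows at all
    'predates history' -> cookie older than the first recorded visit (earlier visits were removed)
    'consistent'       -> history covers the cookie's lifetime
    """
    first_visit = {}
    for ts, url in places.execute("SELECT v.visit_date, p.url FROM moz_historyvisits v "
                                  "JOIN moz_places p ON p.id = v.place_id"):
        host = urlsplit(url).hostname
        first_visit[host] = min(first_visit.get(host, ts), ts)
    verdicts = {}
    for host, created in cookies.execute("SELECT host, MIN(creationTime) FROM moz_cookies GROUP BY host"):
        visits = [t for h, t in first_visit.items() if cookie_host_matches(host, h)]
        if not visits:
            verdicts[host] = "no history"
        elif created < min(visits):
            verdicts[host] = "predates history"
        else:
            verdicts[host] = "consistent"
    return verdicts


if __name__ == "__main__":
    places_db, cookies_db = build_sample_profile()
    for entry in history_timeline(places_db):
        print(*entry)
    for host, verdict in cookies_vs_history(places_db, cookies_db).items():
        print(f"{host:22} {verdict}")
```

Work on copies of the profile files, never the originals: Firefox holds write locks on both databases and a live browser rewrites them. Chrome's History and Cookies files use the same idea with different table names and a different epoch (microseconds since 1601-01-01), so the timestamp conversion must change before this approach is reused there.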