Module 3, Part 1 of 6

Network Fundamentals for Investigators

Build a solid foundation in network concepts essential for cyber crime investigation. Understanding how data flows across networks is crucial for tracing digital evidence.

🕑 1.5-2 hours 📚 Foundation Level 🎓 No Prerequisites

Introduction to Network Forensics

Network forensics involves capturing, recording, and analyzing network traffic to discover the source of security attacks or other incidents. For a cyber crime investigator, understanding how networks operate is fundamental to tracing digital communications and gathering evidence.

Every online activity leaves traces in the form of network packets, log files, and connection records. Learning to interpret these traces enables investigators to reconstruct events, identify perpetrators, and build cases that stand up in court.

💡 Why Network Knowledge Matters
In cyber crime investigation, you will frequently encounter IP addresses, port numbers, protocol names, and network logs. Understanding these concepts helps you:
  • Trace the origin of malicious traffic
  • Analyze email headers and messaging data
  • Interpret CDR/IPDR records from telecom providers
  • Work effectively with technical teams and ISPs
  • Present technical evidence in a comprehensible manner to courts

Understanding IP Addresses

An Internet Protocol (IP) address is a unique numerical identifier assigned to every device connected to a network. Think of it as a postal address for computers - it tells the network where to send data packets.

IPv4 vs IPv6

IPv4 (Internet Protocol version 4): Uses 32-bit addresses written as four decimal numbers separated by dots (e.g., 192.168.1.100). Can support approximately 4.3 billion unique addresses.


IPv6 (Internet Protocol version 6): Uses 128-bit addresses written in hexadecimal (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334). Supports virtually unlimited addresses and is being adopted to address IPv4 exhaustion.

IP Address Classes (IPv4)

| Class   | Range                       | Default Subnet Mask | Usage           |
|---------|-----------------------------|---------------------|-----------------|
| Class A | 1.0.0.0 - 126.255.255.255   | 255.0.0.0           | Large networks  |
| Class B | 128.0.0.0 - 191.255.255.255 | 255.255.0.0         | Medium networks |
| Class C | 192.0.0.0 - 223.255.255.255 | 255.255.255.0       | Small networks  |

Private vs Public IP Addresses

Understanding the difference between private and public IP addresses is crucial for investigations:

| Type            | Private Range                 | Investigative Significance                                    |
|-----------------|-------------------------------|---------------------------------------------------------------|
| Class A Private | 10.0.0.0 - 10.255.255.255     | Internal network - needs NAT translation records              |
| Class B Private | 172.16.0.0 - 172.31.255.255   | Internal network - needs NAT translation records              |
| Class C Private | 192.168.0.0 - 192.168.255.255 | Home/small office networks - common in residential investigations |
🔎 Investigation Tip: NAT and Investigations
When investigating crimes, you often encounter Network Address Translation (NAT). Multiple devices behind a router share one public IP address. To identify a specific device, you need:
  • The public IP address and timestamp
  • Internal NAT/DHCP logs from the network administrator
  • The source port used in the communication
ISPs maintain CGNAT (Carrier-Grade NAT) logs that can help identify specific subscribers.
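The following added example (written for this module, not code from the course or from any ISP) puts the two tables and the NAT tip into practice: it labels an address using the private ranges listed above plus the RFC 6598 shared space that carriers use inside CGNAT, and it searches a constructed CGNAT log for the subscriber behind a public IP at a given time. The log format (start, end, subscriber ID, inside address/port, public address/port) is an assumption; real ISP exports differ, but the matching logic is the same. Running it with and without the source port shows why the port is on the checklist.

```python
import ipaddress
from datetime import datetime

# Address ranges from the module's private-address table, plus the RFC 6598 shared
# space (100.64.0.0/10) that carriers assign to subscribers on the inside of CGNAT.
# Anything outside these ranges is treated as public; documentation ranges such as
# 203.0.113.0/24 are deliberately not special-cased so the module's sample addresses
# classify as public.
ADDRESS_RANGES = [
    (ipaddress.ip_network("10.0.0.0/8"), "private (Class A private range)"),
    (ipaddress.ip_network("172.16.0.0/12"), "private (Class B private range)"),
    (ipaddress.ip_network("192.168.0.0/16"), "private (Class C private range)"),
    (ipaddress.ip_network("100.64.0.0/10"), "CGNAT shared space (RFC 6598)"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback (not routable)"),
]


def classify_ip(text):
    """Return a label saying what kind of address this is."""
    addr = ipaddress.ip_address(text)
    for network, label in ADDRESS_RANGES:
        if addr in network:
            return label
    return "public"


# Constructed sample CGNAT log (not from any real ISP). Assumed export format:
# start_utc,end_utc,subscriber_id,inside_ip,inside_port,public_ip,public_port
CGNAT_LOG = """\
2024-03-01T02:29:50Z,2024-03-01T02:35:10Z,SUB-1001,100.64.5.7,51122,203.0.113.50,40001
2024-03-01T02:30:00Z,2024-03-01T02:31:00Z,SUB-1002,100.64.9.3,49800,203.0.113.50,40002
2024-03-01T02:40:00Z,2024-03-01T02:45:00Z,SUB-1003,100.64.2.1,50011,203.0.113.50,40001
"""


def _utc(stamp):
    # fromisoformat() before Python 3.11 does not accept a trailing 'Z'
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_cgnat_log(text):
    records = []
    for line in text.strip().splitlines():
        start, end, subscriber, in_ip, in_port, pub_ip, pub_port = line.split(",")
        records.append({
            "start": _utc(start), "end": _utc(end), "subscriber": subscriber,
            "inside": (in_ip, int(in_port)), "public_ip": pub_ip,
            "public_port": int(pub_port),
        })
    return records


def find_subscribers(log_text, public_ip, when_iso, public_port=None):
    """Subscribers whose translation for public_ip (and port, if known) was active at when_iso."""
    when = _utc(when_iso)
    hits = []
    for rec in parse_cgnat_log(log_text):
        if rec["public_ip"] != public_ip or not (rec["start"] <= when <= rec["end"]):
            continue
        if public_port is not None and rec["public_port"] != public_port:
            continue
        hits.append(rec["subscriber"])
    return hits


if __name__ == "__main__":
    for ip in ("192.168.1.100", "10.0.0.5", "100.64.5.7", "203.0.113.50"):
        print(f"{ip:15} {classify_ip(ip)}")
    # Without the source port, two subscribers shared 203.0.113.50 at 02:30:15; with it, one.
    print(find_subscribers(CGNAT_LOG, "203.0.113.50", "2024-03-01T02:30:15Z"))
    print(find_subscribers(CGNAT_LOG, "203.0.113.50", "2024-03-01T02:30:15Z", 40001))
```

Note that the comparison is done in UTC after parsing; a request to an ISP that quotes a local-time timestamp without its offset is a common cause of the wrong subscriber being returned.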

The OSI Model

The Open Systems Interconnection (OSI) model is a conceptual framework that standardizes network communication into seven layers. Understanding this model helps investigators identify where evidence can be found and how different types of attacks work.

Seven Layers of the OSI Model

| Layer | Name               | Examples                                      |
|-------|--------------------|-----------------------------------------------|
| 7     | Application Layer  | HTTP, HTTPS, FTP, SMTP, DNS, POP3, IMAP       |
| 6     | Presentation Layer | SSL/TLS, JPEG, GIF, encryption                |
| 5     | Session Layer      | NetBIOS, RPC, authentication                  |
| 4     | Transport Layer    | TCP, UDP - ports and connections              |
| 3     | Network Layer      | IP, ICMP, routers - IP addressing             |
| 2     | Data Link Layer    | Ethernet, MAC addresses, switches             |
| 1     | Physical Layer     | Cables, hubs, physical transmission           |

Evidence at Each Layer

  • Application Layer (7): Email content, web browsing history, application logs
  • Transport Layer (4): Port numbers, connection states, TCP sequence numbers
  • Network Layer (3): IP addresses, routing information, TTL values
  • Data Link Layer (2): MAC addresses, VLAN information, switch logs

TCP/IP Protocol Stack

While the OSI model is a theoretical framework, TCP/IP is the practical protocol suite that powers the internet. Understanding TCP/IP is essential for analyzing network traffic during investigations.

TCP/IP Four-Layer Model

| Layer             | Role                                                |
|-------------------|-----------------------------------------------------|
| Application Layer | User-facing protocols: HTTP, FTP, SMTP, DNS, SSH    |
| Transport Layer   | TCP (reliable) and UDP (fast) - manages connections |
| Internet Layer    | IP addressing and routing between networks          |
| Network Access    | Physical network hardware and data frames           |

TCP vs UDP

TCP (Transmission Control Protocol) - connection-oriented

Provides reliable, ordered delivery of data. Used for web browsing, email, file transfers. The three-way handshake (SYN, SYN-ACK, ACK) creates traceable connection records.

UDP (User Datagram Protocol) - connectionless

Fast but unreliable - no delivery guarantee. Used for streaming, gaming, DNS queries, VoIP. Harder to trace because there is no connection establishment to record.
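To make the difference concrete, here is an added example (written for this module, not code from the course) that rebuilds connection records from a constructed packet summary. For TCP it follows the SYN, SYN-ACK, ACK sequence per client/server pair and records when each connection became established or stayed half-open; for UDP there is no handshake to follow, so all it can record is that datagrams passed between two endpoints. The packet list, addresses and timestamps are constructed for illustration.

```python
from collections import defaultdict

# Constructed packet summary (not a real capture). Fields:
# (time, src_ip, src_port, dst_ip, dst_port, protocol, tcp_flags)
PACKETS = [
    ("02:30:00.000", "192.168.1.100", 54321, "203.0.113.50", 443, "TCP", "SYN"),
    ("02:30:00.020", "203.0.113.50", 443, "192.168.1.100", 54321, "TCP", "SYN-ACK"),
    ("02:30:00.021", "192.168.1.100", 54321, "203.0.113.50", 443, "TCP", "ACK"),
    ("02:30:01.000", "192.168.1.100", 51000, "192.168.1.1", 53, "UDP", ""),
    ("02:30:01.005", "192.168.1.1", 53, "192.168.1.100", 51000, "UDP", ""),
    ("02:30:02.000", "192.168.1.100", 54322, "203.0.113.60", 3389, "TCP", "SYN"),
]


def reconstruct_connections(packets):
    """Rebuild TCP connection records from handshake flags; count UDP flows separately."""
    tcp = {}                 # (client_ip, client_port, server_ip, server_port) -> record
    udp = defaultdict(int)   # direction-agnostic endpoint pair -> packet count
    for time, sip, sport, dip, dport, proto, flags in packets:
        if proto == "UDP":
            # No handshake: the only thing to record is that datagrams were exchanged.
            key = tuple(sorted([(sip, sport), (dip, dport)]))
            udp[key] += 1
            continue
        if flags == "SYN":
            # The side sending the bare SYN is the client; this opens a record.
            tcp[(sip, sport, dip, dport)] = {
                "client": f"{sip}:{sport}", "server": f"{dip}:{dport}",
                "start": time, "state": "SYN sent (half-open)",
            }
        elif flags == "SYN-ACK":
            rec = tcp.get((dip, dport, sip, sport))   # reply travels server -> client
            if rec and rec["state"].startswith("SYN sent"):
                rec["state"] = "SYN-ACK received"
        elif flags == "ACK":
            rec = tcp.get((sip, sport, dip, dport))
            if rec and rec["state"] == "SYN-ACK received":
                rec["state"] = "established"
                rec["established_at"] = time
    return list(tcp.values()), dict(udp)


if __name__ == "__main__":
    tcp_records, udp_flows = reconstruct_connections(PACKETS)
    for rec in tcp_records:
        print(rec)
    for flow, count in udp_flows.items():
        print("UDP flow", flow, "packets:", count)
```

The second TCP record (a lone SYN to port 3389) never completes, which is exactly the kind of half-open connection that shows up in firewall logs as a blocked or unanswered attempt; the DNS exchange leaves only a packet count and the endpoints, nothing about session boundaries.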


Common Protocols for Investigators

Understanding common network protocols helps you interpret evidence from network logs and packet captures. Here are the protocols you will encounter most frequently:

HTTP/HTTPS (ports 80 / 443): Web browsing protocol. HTTPS encrypts data in transit. Web server logs contain valuable evidence.

SMTP (ports 25 / 587): Email sending protocol. SMTP headers reveal the path of email transmission.

DNS (port 53): Domain Name System - translates domain names to IP addresses. DNS logs can show websites visited.

FTP/SFTP (ports 21 / 22): File transfer protocols; FTP uses port 21, while SFTP runs over SSH on port 22. FTP logs reveal file upload/download activity.

SSH (port 22): Secure Shell - encrypted remote access. SSH logs show login attempts and sessions.

RDP (port 3389): Remote Desktop Protocol. Often targeted by attackers for unauthorized access.

Example: Identifying Protocol from Port Number
Source: 192.168.1.100:54321 -> Destination: 203.0.113.50:443
Port 443 indicates HTTPS traffic (encrypted web browsing)

Source: 10.0.0.5:49152 -> Destination: mail.example.com:25
Port 25 indicates SMTP traffic (email being sent)
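As an added example (not part of the course material), the parser below automates the lookup shown above. It reads a connection line in the same "Source: ... -> Destination: ..." form, maps the destination port to a protocol using the list in this section, and falls back to the source port so that reply traffic (service port on the source side) is labelled too. It also flags whether the source port falls in the IANA dynamic range (49152-65535), which is what a client's ephemeral port looks like. The regex assumes IPv4 addresses or hostnames; IPv6 literals with colons would need a different pattern.

```python
import re

# Destination-port table taken from the module's protocol list
WELL_KNOWN_PORTS = {
    80: "HTTP", 443: "HTTPS", 25: "SMTP", 587: "SMTP (submission)",
    53: "DNS", 21: "FTP", 22: "SSH / SFTP", 3389: "RDP",
}
EPHEMERAL_START = 49152   # IANA dynamic/private port range is 49152-65535

# Assumes IPv4 addresses or hostnames (no IPv6 literals, which contain colons)
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>[^:\s]+):(?P<sport>\d+)\s*->\s*"
    r"Destination:\s*(?P<dst>[^:\s]+):(?P<dport>\d+)\s*$"
)


def parse_connection(line):
    """Parse one 'Source: a:p -> Destination: b:q' line and identify the likely protocol."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised connection line: {line!r}")
    sport, dport = int(m["sport"]), int(m["dport"])
    result = {"src": m["src"], "sport": sport, "dst": m["dst"], "dport": dport}
    if dport in WELL_KNOWN_PORTS:
        result["protocol"] = WELL_KNOWN_PORTS[dport]
        result["direction"] = "client -> server"
    elif sport in WELL_KNOWN_PORTS:
        # Reply packet: the service port is on the source side
        result["protocol"] = WELL_KNOWN_PORTS[sport]
        result["direction"] = "server -> client (reply)"
    else:
        result["protocol"] = "unknown"
        result["direction"] = "undetermined"
    result["ephemeral_source"] = sport >= EPHEMERAL_START
    return result


def describe(line):
    """Human-readable one-liner in the style of the module's example."""
    r = parse_connection(line)
    port = r["dport"] if r["direction"] == "client -> server" else r["sport"]
    return f"Port {port} indicates {r['protocol']} traffic ({r['direction']})"


if __name__ == "__main__":
    for line in (
        "Source: 192.168.1.100:54321 -> Destination: 203.0.113.50:443",
        "Source: 10.0.0.5:49152 -> Destination: mail.example.com:25",
        "Source: 203.0.113.50:443 -> Destination: 192.168.1.100:54321",
        "Source: 10.0.0.5:50000 -> Destination: 10.0.0.9:8443",
    ):
        print(line)
        print("  ", describe(line))
```

A port number is a convention rather than proof: services can be run on non-standard ports, so treat the label as a lead to confirm against the payload or the application's own logs.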

Practical Application for Investigations

🕵 Case Scenario: Tracing a Cyber Attack

A company reports unauthorized access to their server. Here is how network knowledge helps:

  1. Firewall logs show connection from IP 203.0.113.50 on port 3389 (RDP)
  2. WHOIS lookup identifies the IP belongs to a VPN provider in Country X
  3. Timestamp analysis reveals connection at 02:30 AM local time
  4. Legal process initiated to obtain subscriber information from VPN provider
  5. Correlation with other evidence (failed login attempts, unusual data transfers)
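Steps 1, 3 and 5 of the scenario can be scripted. The added example below (written for this module, not code from the course or from any vendor) reads a constructed firewall log written in local time, converts it to UTC, keeps only RDP (port 3389) connections from non-private sources, and pairs each with authentication events from the same source address within a ten-minute window. The firewall's time zone is assumed to be UTC+05:30 purely to make the conversion visible; both log formats, the addresses and the timestamps are constructed. The WHOIS lookup and the legal request (steps 2 and 4) are manual steps and are not modelled.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumption: the firewall writes local time with no zone marker. UTC+05:30 is
# used here only as an example offset; read the real offset from the device config.
FIREWALL_TZ = timezone(timedelta(hours=5, minutes=30))

# Constructed firewall log (local time) and authentication log (UTC); not real data.
FIREWALL_LOG = """\
2024-03-01 02:30:12 ALLOW TCP 203.0.113.50:51234 -> 10.0.0.20:3389
2024-03-01 02:31:40 ALLOW TCP 192.168.1.55:50022 -> 10.0.0.20:3389
2024-03-01 03:15:00 ALLOW TCP 203.0.113.50:51300 -> 10.0.0.20:445
"""
AUTH_LOG = """\
2024-02-29T20:58:30Z LOGON_FAILED user=administrator src=203.0.113.50
2024-02-29T20:59:10Z LOGON_FAILED user=administrator src=203.0.113.50
2024-02-29T21:00:20Z LOGON_OK user=administrator src=203.0.113.50
2024-02-29T21:30:00Z LOGON_OK user=jsmith src=192.168.1.55
"""

FW_RE = re.compile(r"^(\S+ \S+) (\w+) (\w+) (\S+):(\d+) -> (\S+):(\d+)$")
AUTH_RE = re.compile(r"^(\S+) (\w+) user=(\S+) src=(\S+)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    """True for the RFC 1918 ranges listed in the module's private-address table."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def parse_firewall(text, local_tz=FIREWALL_TZ):
    """Parse firewall lines and normalise their local timestamps to UTC."""
    events = []
    for line in text.strip().splitlines():
        stamp, action, proto, src, sport, dst, dport = FW_RE.match(line).groups()
        local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=local_tz)
        events.append({"utc": local.astimezone(timezone.utc), "action": action,
                       "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)})
    return events


def parse_auth(text):
    events = []
    for line in text.strip().splitlines():
        stamp, result, user, src = AUTH_RE.match(line).groups()
        events.append({"utc": datetime.fromisoformat(stamp.replace("Z", "+00:00")),
                       "result": result, "user": user, "src": src})
    return events


def correlate_rdp(firewall_text, auth_text, window=timedelta(minutes=10)):
    """External RDP connections paired with auth events from the same source within the window."""
    findings = []
    auth = parse_auth(auth_text)
    for fw in parse_firewall(firewall_text):
        if fw["dport"] != 3389 or is_private(fw["src"]):
            continue
        related = [a for a in auth
                   if a["src"] == fw["src"] and abs(a["utc"] - fw["utc"]) <= window]
        findings.append((fw, sorted(related, key=lambda a: a["utc"])))
    return findings


if __name__ == "__main__":
    for fw, related in correlate_rdp(FIREWALL_LOG, AUTH_LOG):
        print(f"RDP from {fw['src']} at {fw['utc'].isoformat()} (UTC)")
        for a in related:
            print(f"   {a['utc'].isoformat()} {a['result']} user={a['user']}")
```

The firewall's "02:30 AM local" entry becomes 21:00:12 UTC on the previous calendar day, so a request to the VPN provider that quoted 1 March at 02:30 without an offset would point at the wrong time and possibly the wrong subscriber. Seen in UTC, the two failed logons followed by a success line up with the connection inside two minutes.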

Key Takeaways

  • IP addresses identify devices on networks but may be shared (NAT) or masked (VPN/Proxy)
  • Understanding protocols helps identify the type of activity from port numbers
  • Network evidence exists at multiple layers - collect from all available sources
  • Timestamps are critical - always note time zones and synchronization
  • Legal processes vary by jurisdiction when requesting records from ISPs