Introduction
Welcome to the first part of Module 3 - Network and Communication Forensics. In this section, you will understand the fundamentals of networking that form the basis for every cyber crime investigation. The importance of network knowledge comes from the fact that most cyber crimes occur over the internet or involve network communications.
After this part, you will be able to explain the TCP/IP protocol suite, understand the OSI model, identify the different types of IP addresses, and explain how DNS and DHCP work.
TCP/IP Protocol
TCP/IP (Transmission Control Protocol/Internet Protocol) is the fundamental protocol of the internet. This protocol suite enables communication between different computers and networks.
What is TCP/IP?
TCP/IP is a layered protocol suite that defines how data is packaged, addressed, transmitted, routed, and received over the network. It has four layers:
Application Layer
The layer where users interact with the network. Protocols like HTTP, FTP, SMTP, DNS operate here.
Transport Layer
Responsible for end-to-end communication. TCP (reliable) and UDP (fast) are the main protocols.
Internet Layer
Handles logical addressing and routing. IP, ICMP, ARP protocols operate here.
Network Access Layer
Handles physical data transmission. Ethernet, Wi-Fi, and other technologies operate here.
TCP vs UDP
| Feature | TCP | UDP |
|---|---|---|
| Connection | Connection-oriented | Connectionless |
| Reliability | Reliable (acknowledgment) | Unreliable (no acknowledgment) |
| Speed | Slower | Faster |
| Usage | Web, Email, File Transfer | Video Streaming, Gaming, DNS |
| Header Size | 20-60 bytes | 8 bytes |
TCP connections begin with a 3-way handshake (SYN, SYN-ACK, ACK). The timestamp of the client's SYN packet tells investigators when a connection was initiated, and the final ACK marks when it was established.
OSI Model
The OSI (Open Systems Interconnection) model is a theoretical framework for understanding network communication. It has 7 layers, and each layer performs specific functions.
The Seven Layers of OSI Model
Application Layer
HTTP, FTP, SMTP, DNS - User applications interact here
Presentation Layer
Data encryption, compression, and format conversion
Session Layer
Session establishment, management, and termination
Transport Layer
TCP/UDP - End-to-end communication and error recovery
Network Layer
IP addressing and routing - Logical addressing
Data Link Layer
MAC addresses, frames, switch operation
Physical Layer
Cables, connectors, electrical signals - Physical transmission
"All People Seem To Need Data Processing" - This mnemonic (from Layer 7 to 1) helps remember all layers: Application, Presentation, Session, Transport, Network, Data Link, Physical.
IP Addresses
An IP (Internet Protocol) address is a unique numerical identifier assigned to every device connected to a network. It is essential for cyber crime investigation because IP addresses help identify where the criminal activity was coming from.
IPv4 (Internet Protocol version 4)
IPv4 is a 32-bit address that is typically displayed in dotted-decimal format.
IPv4 Address Classes
| Class | Range | Usage | Default Subnet Mask |
|---|---|---|---|
| Class A | 1.0.0.0 - 126.255.255.255 | Large networks | 255.0.0.0 |
| Class B | 128.0.0.0 - 191.255.255.255 | Medium networks | 255.255.0.0 |
| Class C | 192.0.0.0 - 223.255.255.255 | Small networks | 255.255.255.0 |
| Class D | 224.0.0.0 - 239.255.255.255 | Multicast | N/A |
| Class E | 240.0.0.0 - 255.255.255.255 | Experimental | N/A |
Private IP Addresses
These addresses are not routable on the internet and are used for internal networks:
- 10.0.0.0 - 10.255.255.255 (Class A private range)
- 172.16.0.0 - 172.31.255.255 (Class B private range)
- 192.168.0.0 - 192.168.255.255 (Class C private range)
IPv6 (Internet Protocol version 6)
IPv6 is a 128-bit address developed to overcome the limitations of IPv4.
IPv6 addresses are more complex to track, but ISPs and organizations have started maintaining IPv6 logs. Investigators need to understand both the IPv4 and the IPv6 address format.
Public vs Private IP
Public IP
Globally unique, internet routable, assigned by the ISP. This is the address that appears when a cyber crime is traced back to its source.
Private IP
Used in local networks and not internet routable; the same private address can be reused in different networks. NAT translates it to a public IP at the network edge.
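The following is an added example, not part of the original course material, that puts the class table, the private ranges, and the IPv4/IPv6 format discussion above into code. It uses only Python's standard `ipaddress` module; the helper names (`describe`, `same_address`) and the sample addresses are assumptions made for the example. The `same_address` check matters in practice because the same IPv6 address can be written several ways in different logs.

```python
import ipaddress

# Default subnet masks from the class table in this section (hypothetical helper data).
DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}

# The three private ranges listed above, as network objects.
PRIVATE_V4 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ipv4_class(addr: ipaddress.IPv4Address) -> str:
    """Classful letter (A-E) from the first octet, following the table in this section."""
    first = int(addr) >> 24
    if first == 0 or first == 127:      # 0/8 and 127/8 (loopback) sit outside the A-E ranges
        return "Special"
    if first <= 126:
        return "A"
    if first <= 191:
        return "B"
    if first <= 223:
        return "C"
    if first <= 239:
        return "D"
    return "E"


def describe(ip_text: str) -> dict:
    """Classify one address string the way an investigator would triage it from a log."""
    addr = ipaddress.ip_address(ip_text.strip())
    info = {
        "input": ip_text,
        "canonical": str(addr),          # compressed form: identical for every spelling of one address
        "version": addr.version,
        "internet_routable": addr.is_global,
    }
    if addr.version == 4:
        cls = ipv4_class(addr)
        info["class"] = cls
        info["default_mask"] = DEFAULT_MASKS.get(cls)
        info["private"] = any(addr in net for net in PRIVATE_V4)
    else:
        # IPv6 has no classes; keep the fully expanded form, which some logs emit
        info["exploded"] = addr.exploded
    return info


def same_address(a: str, b: str) -> bool:
    """True when two differently written strings denote the same address (e.g. IPv6 zero compression)."""
    return ipaddress.ip_address(a.strip()) == ipaddress.ip_address(b.strip())


if __name__ == "__main__":
    # Constructed sample addresses, one per row of the table plus two private ones
    for sample in ("192.168.1.50", "172.20.5.9", "172.32.0.1", "93.184.216.34",
                   "224.0.0.251", "2606:2800:0220:0001:0248:1893:25c8:1946"):
        print(describe(sample))
    print(same_address("2001:db8::1", "2001:0db8:0000:0000:0000:0000:0000:0001"))
```

Note that 172.32.0.1 is reported as Class B but not private: the private Class B range stops at 172.31.255.255, a boundary that is easy to misread when only the first octet is checked.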
DNS (Domain Name System)
DNS is the "phone book" of the internet that converts human-readable domain names (like google.com) to IP addresses (like 142.250.190.14).
How DNS Works
- User Query: User types "www.example.com" in browser
- Local Cache Check: Browser and OS check their cache first
- Recursive Resolver: If not found, query is sent to ISP's DNS server
- Root Server: Resolver queries root server for .com TLD
- TLD Server: TLD server provides authoritative nameserver for example.com
- Authoritative Server: Returns the IP address for www.example.com
- Response: IP address is returned to user and cached
DNS Record Types
| Record Type | Purpose | Example |
|---|---|---|
| A | Maps domain to IPv4 address | example.com -> 93.184.216.34 |
| AAAA | Maps domain to IPv6 address | example.com -> 2606:2800:220:1:... |
| MX | Mail server for domain | mail.example.com |
| CNAME | Alias for another domain | www -> example.com |
| TXT | Text information (SPF, DKIM) | SPF record for email authentication |
| NS | Nameserver for domain | ns1.example.com |
| PTR | Reverse DNS lookup | IP -> Domain mapping |
DNS logs can help identify which domains a suspect visited. Reverse DNS lookup (PTR record) helps find the domain associated with an IP address. Malware often uses DNS for command and control (C2) communication.
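As an added example (not part of the original course), the script below works through the three investigative uses just described: which domains each client looked up, building the name used for a reverse (PTR) lookup, and flagging the pattern the text attributes to DNS-based C2, where one host queries many distinct subdomains of a single parent domain. The log lines are constructed in a simplified BIND-style query-log layout, the addresses and domains are placeholders (`example.test` is a reserved TLD), and the "last two labels" rule for the parent domain is a deliberate simplification; production code would consult the public suffix list.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed, simplified BIND-style query log (not captured from a real server).
# Fields: timestamp, client address#port, queried name, class, type, flags, server address.
_ORDINARY = [
    "01-Mar-2024 14:32:01.123 client 192.168.1.50#51234: query: www.example.com IN A + (192.168.1.1)",
    "01-Mar-2024 14:32:01.201 client 192.168.1.50#51235: query: www.example.com IN AAAA + (192.168.1.1)",
    "01-Mar-2024 14:32:05.417 client 192.168.1.50#51240: query: mail.example.com IN MX + (192.168.1.1)",
    "01-Mar-2024 14:33:10.002 client 192.168.1.50#51250: query: 34.216.184.93.in-addr.arpa IN PTR + (192.168.1.1)",
    "01-Mar-2024 14:35:00.900 client 192.168.1.77#50010: query: www.example.com IN A + (192.168.1.1)",
]
# One host issuing TXT queries for 25 distinct subdomains of one parent within a minute:
# the pattern the text describes for DNS C2, constructed here for the detector to flag.
_FANOUT = [
    f"01-Mar-2024 14:40:{i:02d}.000 client 192.168.1.77#5{i:04d}: "
    f"query: h{i:04d}.beacon.example.test IN TXT + (192.168.1.1)"
    for i in range(25)
]
SAMPLE_LOG = "\n".join(_ORDINARY + _FANOUT)

LINE_RE = re.compile(
    r"^(?P<time>\S+ \S+) client (?P<client>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)"
)


def parse_query_log(text: str) -> list:
    """Turn query-log lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["qname"] = rec["qname"].rstrip(".").lower()
            records.append(rec)
    return records


def parent_domain(qname: str) -> str:
    """Parent domain as the last two labels (simplification; see the lead-in)."""
    return ".".join(qname.split(".")[-2:])


def domains_by_client(records: list) -> dict:
    """Which parent domains each client looked up; reverse (.arpa) lookups are excluded."""
    seen = defaultdict(set)
    for r in records:
        if not r["qname"].endswith(".arpa"):
            seen[r["client"]].add(parent_domain(r["qname"]))
    return {client: sorted(domains) for client, domains in seen.items()}


def subdomain_fanout(records: list, threshold: int = 20) -> dict:
    """(client, parent) pairs with at least `threshold` unique subdomains: a C2/tunnelling indicator."""
    unique = defaultdict(set)
    for r in records:
        if r["qname"].endswith(".arpa"):
            continue
        parent = parent_domain(r["qname"])
        if r["qname"] != parent:
            unique[(r["client"], parent)].add(r["qname"])
    return {key: len(names) for key, names in unique.items() if len(names) >= threshold}


def reverse_name(ip_text: str) -> str:
    """Name queried for a PTR lookup of this address (in-addr.arpa for IPv4, ip6.arpa for IPv6)."""
    return ipaddress.ip_address(ip_text).reverse_pointer


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    print(domains_by_client(recs))
    print(subdomain_fanout(recs))
    print(reverse_name("93.184.216.34"))
```

The fan-out threshold is a tuning knob: content delivery networks and some cloud services legitimately produce many subdomains, so a hit is a lead for the investigator to examine, not a verdict.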
DHCP (Dynamic Host Configuration Protocol)
DHCP automatically assigns IP addresses and other network configuration to devices. Understanding DHCP is important for cyber crime investigation because DHCP logs can identify which device was assigned which IP at what time.
DHCP Process (DORA)
Discover
Client broadcasts to find a DHCP server on the network.
Offer
DHCP server offers an IP address and configuration to the client.
Request
Client requests the offered IP address.
Acknowledge
Server confirms IP assignment and sends additional configuration.
DHCP Provides This Information
- IP Address: Unique address for the device
- Subnet Mask: Defines network boundaries
- Default Gateway: Router address for external communication
- DNS Server: Address of DNS server
- Lease Time: Duration for which IP is assigned
DHCP logs record the MAC address, the assigned IP, and a timestamp. This is extremely useful for identifying which physical device (via its MAC) was assigned which IP at what time. Investigators request DHCP logs from network administrators.
Example of DHCP Log Entry
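The course's own sample entry is not reproduced here. As an added example (not from the original material), the block below uses constructed syslog lines in the layout ISC dhcpd writes for the four DORA steps, with hypothetical hostnames, MACs and addresses, and answers the question an investigator actually asks of such a log: which device held a given IP at a given moment. Only the DHCPACK line proves an assignment, since Discover, Offer and Request can all occur without a lease being granted. Syslog timestamps carry no year, so the year is passed in explicitly; the optional lease length comes from the DHCP configuration, as the text notes.

```python
import re
from datetime import datetime, timedelta

# Constructed ISC dhcpd syslog lines covering two DORA exchanges for the same address
# (hypothetical hostnames, MACs and addresses).
SAMPLE_DHCP_LOG = """\
Mar  1 14:30:02 dhcp-srv dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via eth0
Mar  1 14:30:02 dhcp-srv dhcpd[1234]: DHCPOFFER on 192.168.1.50 to aa:bb:cc:dd:ee:01 via eth0
Mar  1 14:30:03 dhcp-srv dhcpd[1234]: DHCPREQUEST for 192.168.1.50 (192.168.1.1) from aa:bb:cc:dd:ee:01 via eth0
Mar  1 14:30:03 dhcp-srv dhcpd[1234]: DHCPACK on 192.168.1.50 to aa:bb:cc:dd:ee:01 (laptop-01) via eth0
Mar  1 18:05:09 dhcp-srv dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:02 via eth0
Mar  1 18:05:09 dhcp-srv dhcpd[1234]: DHCPOFFER on 192.168.1.50 to aa:bb:cc:dd:ee:02 via eth0
Mar  1 18:05:10 dhcp-srv dhcpd[1234]: DHCPREQUEST for 192.168.1.50 (192.168.1.1) from aa:bb:cc:dd:ee:02 via eth0
Mar  1 18:05:10 dhcp-srv dhcpd[1234]: DHCPACK on 192.168.1.50 to aa:bb:cc:dd:ee:02 (phone-07) via eth0
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+"
    r"dhcpd\[\d+\]:\s+(?P<msg>DHCP\w+.*)$"
)
ACK_RE = re.compile(
    r"^DHCPACK on (?P<ip>\S+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))? via"
)


def parse_acks(text: str, year: int) -> list:
    """Extract DHCPACK events (time, ip, mac, hostname), sorted by time. Year is supplied by the caller."""
    acks = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        a = ACK_RE.match(m["msg"])
        if not a:
            continue                     # DISCOVER / OFFER / REQUEST: no proof of assignment yet
        when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        acks.append({"time": when, "ip": a["ip"], "mac": a["mac"], "hostname": a["host"]})
    acks.sort(key=lambda e: e["time"])
    return acks


def who_had(ip: str, at, acks: list, lease_seconds=None):
    """Latest ACK for `ip` at or before `at` (datetime or ISO string); None if none or if that lease had expired."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    candidates = [e for e in acks if e["ip"] == ip and e["time"] <= at]
    if not candidates:
        return None
    latest = candidates[-1]
    if lease_seconds is not None and at > latest["time"] + timedelta(seconds=lease_seconds):
        return None                      # lease ran out before the moment of interest
    return latest


if __name__ == "__main__":
    acks = parse_acks(SAMPLE_DHCP_LOG, year=2024)
    for moment in ("2024-03-01T15:00:00", "2024-03-01T18:30:00", "2024-03-01T14:00:00"):
        print(moment, who_had("192.168.1.50", moment, acks))
```

The second ACK shows why the timestamp matters: the same address 192.168.1.50 belongs to laptop-01 at 15:00 but to phone-07 at 18:30, so a firewall log naming only the IP is ambiguous until it is joined with the DHCP log.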
Common Network Ports
A port is a virtual endpoint for network communication. Understanding common ports helps in network traffic analysis and firewall log interpretation.
| Port | Protocol | Service | Description |
|---|---|---|---|
| 20, 21 | TCP | FTP | File Transfer Protocol |
| 22 | TCP | SSH | Secure Shell (remote access) |
| 23 | TCP | Telnet | Unencrypted remote access |
| 25 | TCP | SMTP | Email sending |
| 53 | TCP/UDP | DNS | Domain Name System |
| 80 | TCP | HTTP | Web traffic (unencrypted) |
| 110 | TCP | POP3 | Email receiving |
| 143 | TCP | IMAP | Email access |
| 443 | TCP | HTTPS | Secure web traffic |
| 3389 | TCP | RDP | Remote Desktop Protocol |
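The block below is an added example, not part of the original course, serving two passages: the 3-way handshake timing point from the TCP/IP section and the port table above. It reads constructed tcpdump-style summary lines (hypothetical addresses, not a real capture), reconstructs each handshake from the SYN, SYN-ACK and ACK, records when the connection was initiated and when it was established, and labels the destination port with its service from the table, marking Telnet, HTTP and plain FTP as cleartext. Half-open attempts (a SYN with no reply) are reported separately.

```python
import re

# Well-known ports from the table in this section. Cleartext set: Telnet and HTTP are
# described as unencrypted above; plain FTP (21) is added because it is cleartext by design.
PORT_SERVICES = {20: "FTP", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS",
                 80: "HTTP", 110: "POP3", 143: "IMAP", 443: "HTTPS", 3389: "RDP"}
CLEARTEXT_PORTS = {21, 23, 80}

# Constructed tcpdump-style summary lines: one full HTTP handshake, one unanswered SYN to
# Telnet, one full SSH handshake followed by a data segment.
SAMPLE_CAPTURE = """\
14:32:01.000100 IP 192.168.1.50.51234 > 93.184.216.34.80: Flags [S], seq 1000, win 64240, length 0
14:32:01.020500 IP 93.184.216.34.80 > 192.168.1.50.51234: Flags [S.], seq 5000, ack 1001, win 65535, length 0
14:32:01.020900 IP 192.168.1.50.51234 > 93.184.216.34.80: Flags [.], ack 5001, win 64240, length 0
14:32:02.500000 IP 192.168.1.50.51240 > 10.0.0.9.23: Flags [S], seq 2000, win 64240, length 0
14:32:03.100000 IP 192.168.1.50.51241 > 10.0.0.5.22: Flags [S], seq 3000, win 64240, length 0
14:32:03.100400 IP 10.0.0.5.22 > 192.168.1.50.51241: Flags [S.], seq 7000, ack 3001, win 65535, length 0
14:32:03.100700 IP 192.168.1.50.51241 > 10.0.0.5.22: Flags [.], ack 7001, win 64240, length 0
14:32:04.000000 IP 192.168.1.50.51241 > 10.0.0.5.22: Flags [P.], seq 3001:3050, ack 7001, win 64240, length 49
"""

PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def reconstruct_handshakes(text: str):
    """Return (completed, pending): handshakes that reached ACK, and SYNs still waiting for a reply."""
    pending = {}
    completed = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport = m["src"], int(m["sport"]), m["dst"], int(m["dport"])
        flags = m["flags"]
        key = (src, sport, dst, dport)        # client -> server direction
        rkey = (dst, dport, src, sport)       # the same 4-tuple seen from the server side
        if flags == "S":
            pending[key] = {"client": src, "server": dst, "port": dport,
                            "service": PORT_SERVICES.get(dport, "unknown"),
                            "cleartext": dport in CLEARTEXT_PORTS,
                            "syn": m["ts"], "stage": "SYN"}
        elif flags == "S." and rkey in pending and pending[rkey]["stage"] == "SYN":
            pending[rkey]["stage"] = "SYN-ACK"
        elif flags == "." and key in pending and pending[key]["stage"] == "SYN-ACK":
            conn = pending.pop(key)
            conn["stage"] = "ESTABLISHED"
            conn["established"] = m["ts"]     # third packet: connection is now usable
            completed.append(conn)
    return completed, list(pending.values())


if __name__ == "__main__":
    done, half_open = reconstruct_handshakes(SAMPLE_CAPTURE)
    for c in done:
        print(f"{c['client']} -> {c['server']}:{c['port']} ({c['service']}) "
              f"started {c['syn']}, established {c['established']}, cleartext={c['cleartext']}")
    for p in half_open:
        print(f"unanswered SYN to {p['server']}:{p['port']} ({p['service']}) at {p['syn']}")
```

Two practical points follow from the output: the connection start time an investigator should cite is the SYN timestamp, not the first data packet, and an unanswered SYN still records an attempt even though no session ever existed.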
Summary
- TCP/IP is the fundamental protocol of the internet with four layers - Application, Transport, Internet, and Network Access
- The OSI model has 7 layers that describe different aspects of network communication
- IPv4 addresses are 32-bit and IPv6 addresses are 128-bit - both are important for investigation
- DNS converts domain names to IP addresses - DNS logs are valuable for investigation
- DHCP automatically assigns IP addresses - DHCP logs help identify devices
- Understanding common ports helps in analyzing network traffic and logs