Answer the questions below and be specific and straight to the point. Kindly help.
How to complete Content Questions
Review questions are also provided at the end of the tutorial. The following is an example of a
review question format. Simply type the answer in the provided grey or colored box.
1. What is the purpose of a partitioned data set? Answer:
It’s a set of data with many members, each containing a different sub-set of data; it can be used to hold
medical records, insurance records or any records used by the program that processes it.
Type the answer to the question into the grey or colored box.
It is recommended that you use the Table of Contents at the beginning of the tutorial to review and
navigate to the concept presented in the review question. Students will find that using the
document FIND tool or searching GOOGLE may also be valuable for researching the review
You MUST type or paste your answer in the box or table area provided, else you will receive ZERO
credit. Simply position the cursor inside the box or table and type or paste your answer.
1.0 Introduction to Network Forensics
1.1 What is Network Forensics?
Network forensics is a sub-branch of digital forensics concerned with the legal capture, recording, and analysis
of network events in order to discover the source of security attacks or other problem
incidents. Simson Garfinkel has classified two types of network forensics systems.
➢ “Catch-it-as-you-can” systems – in which all packets passing through a certain traffic
point are captured and written to storage, with analysis being done subsequently in
batch mode. This approach requires large amounts of storage, usually involving a
➢ “Stop, look and listen” systems – in which each packet is analyzed in a rudimentary
way in memory and only certain information is saved for future analysis. This approach
requires less storage but may require a faster processor to keep up with incoming
1.2 End-to-end Forensic Investigations
End-to-end forensic investigations attempt to track all elements of an attack, including:
➢ Who started the attack, what was used and how (tools), including the source computer and
operating system of the malicious origin.
➢ What was the network origin, the path through intermediate network devices, e.g., switches, routers,
firewalls, DHCP, DNS and IDS, and the network destination of the compromised network
➢ What network protocols were used to remotely transmit data between the origin
computer, each intermediate network link, and the destination, i.e., the attacked device?
➢ Who was involved in, and what were the results or outcomes of, the attack?
➢ What were the data types of the malicious payload and of the data compromised? Examples
include text, binary, image, voice, audio, other, encrypted or non-encrypted.
➢ What security precautions were in place during the attack?
1.3 Data-link and physical layer (Ethernet Evidence)
Text Link – What is Network Forensics?
These methods work by eavesdropping on bit streams at the Ethernet layer of the OSI model. This
can be done using monitoring tools or sniffers such as Wireshark or Tcpdump, both of which capture
traffic data from a network card interface configured in promiscuous mode. Those tools allow the
investigator to filter traffic and reconstruct attachments transmitted over the network. In addition,
protocols can be consulted and analyzed, such as the Address Resolution Protocol (ARP) or any
higher level protocols. However, this can be averted with encryption. Encryption might indicate that
the host is suspicious, since the attacker uses encryption to secure his connection and bypass
eavesdropping. The disadvantage of this method is that it requires a large storage capacity.
What type of identity forensic evidence is provided at the Data Link Layer?
➢ An 802.x MAC (Media Access Control) address is a unique physical network address that
identifies a network device connected to a network. This applies to all types of network
cards, including Ethernet cards and WiFi cards. ALL network protocols must eventually have their
frames delivered to a MAC address, no matter what the higher level protocol is.
➢ Even though an 802.x MAC is hard coded into the physical network device, it can be logically
changed by the operating system or by spoofing. There are many reasons for this, mostly
related to bypassing some kind of MAC address filter set on a modem, router or firewall, or to
identity masking. Changing the MAC address can help bypass certain network restrictions
by emulating an unrestricted MAC address or by spoofing a MAC address that is already
➢ Unless intermediate network devices cooperate with modified MAC addresses, a frame or packet
may be delivered, but no frames or messages will be returned. This limits MAC spoofing as a way
to hide a network identity to cases where the objective is simply to conduct a denial of
service (DoS or DDoS) attack or simply to deliver malware. However, once a key
logging malware program has been delivered, the return path, i.e., a valid TCP port number,
IP address and MAC address, must be specified to return the captured data. A
previously delivered configuration file will be stored on the victim’s computer that contains
Change or Spoof a MAC Address in Windows or OS X – https://www.online-tech-tips.com/computertips/how-to-change-mac-address/
Does the MAC address at the Data Link Layer identify the user who is using the MAC
The simple correct answer is: not necessarily. There are many different types of network, operating
system, and organization logs available to collect forensic evidence. For example, a malicious
user may claim that another user had used their computer during a malicious attack. Multiple logs
recorded from different network devices can be correlated together to reconstruct the attack scenario.
Consider the following general forensic words of wisdom.
1. No single log or other source of forensic data collection provides sufficient data for a forensic
conclusion. Multiple forensic evidence logs or data collection methods are often
required to prove a malicious event beyond a reasonable doubt.
2. To use multiple sources of forensic data, a) timestamps must be correlated across the
event, b) the chain of custody from the time of the event to determination must be maintained,
c) each source of data must be kept in the regular course of business, and d) the accuracy and integrity of
each source of data must be ensured by a qualified witness or other commonly accepted
3. Challenges facing multiple sources of forensic data include: different evidence and proprietary
formats, some sources having incomplete or missing evidence, and gaps in the chains of
It was stated previously that the MAC address assigned to a suspicious user’s computer does not
confirm the user’s identity. However, consider the following additional sources of forensic evidence:
➢ The expected user swiped his/her organization identity card at the security system to his/her
office minutes before the user’s computer was turned on and requested that the DHCP server
dynamically assign an IP address to the MAC address of his/her computer.
➢ The DHCP server logged the time and date that the physical MAC address and TCP/IP
address were bound together, most likely before the MAC could be spoofed.
➢ Minutes after the user’s computer was assigned an IP address, the user successfully logged on to the
server operating system, and the OS logon recorded the MAC and IP address and the
authentication data.
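The following Python script is an added example and is not part of the tutorial. It shows the correlation described in the "words of wisdom" and the badge/DHCP/logon list above: for each successful logon it walks back through a DHCP lease log and a badge-swipe log inside a time window and reports whether the chain badge -> lease -> logon is consistent. All three logs, their line formats, the user names, MACs, IPs and timestamps are constructed for this example; the second logon is deliberately built so that the MAC seen at logon differs from the MAC the DHCP server leased to that IP, which is the "spoofed after the lease" case the text warns about.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (made-up users, MACs, IPs and times) in a simple
# "YYYY-MM-DD HH:MM:SS KIND key=value ..." format assumed for this example.
BADGE_LOG = """\
2024-03-04 08:01:12 BADGE door=3F-east user=jdoe result=granted
2024-03-04 08:40:05 BADGE door=3F-east user=asmith result=granted
"""
DHCP_LOG = """\
2024-03-04 08:04:30 DHCPACK ip=10.0.5.23 mac=66:77:88:99:aa:bb host=jdoe-laptop
2024-03-04 08:42:10 DHCPACK ip=10.0.5.31 mac=aa:bb:cc:dd:ee:01 host=asmith-laptop
"""
LOGON_LOG = """\
2024-03-04 08:06:02 LOGON user=jdoe src_ip=10.0.5.23 mac=66:77:88:99:aa:bb result=success
2024-03-04 08:44:00 LOGON user=asmith src_ip=10.0.5.31 mac=aa:bb:cc:dd:ee:02 result=success
"""

_TS = "%Y-%m-%d %H:%M:%S"
_KV = re.compile(r"(\w+)=(\S+)")


def parse_log(text: str) -> list:
    """Turn each log line into a dict of its key=value fields plus 'kind' and a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, kind, *rest = line.split()
        ev = dict(_KV.findall(" ".join(rest)))
        ev["kind"] = kind
        ev["ts"] = datetime.strptime(f"{date} {time}", _TS)
        events.append(ev)
    return events


def _latest_before(events: list, ts: datetime, window: timedelta, **match):
    """Most recent event at or before `ts`, no older than `window`, whose fields equal `match`."""
    best = None
    for ev in events:
        if ev["ts"] > ts or ts - ev["ts"] > window:
            continue
        if all(ev.get(k) == v for k, v in match.items()):
            if best is None or ev["ts"] > best["ts"]:
                best = ev
    return best


def correlate(badge_text: str, dhcp_text: str, logon_text: str,
              window: timedelta = timedelta(minutes=15)) -> list:
    """For every successful logon, check that (1) a DHCP lease bound the logon IP to the
    same MAC shortly before, and (2) the user badged in shortly before that lease.
    Returns one finding per logon with an 'issues' list; 'consistent' is True when empty."""
    badges, leases, logons = parse_log(badge_text), parse_log(dhcp_text), parse_log(logon_text)
    findings = []
    for lg in logons:
        if lg.get("result") != "success":
            continue
        f = {"user": lg["user"], "ip": lg["src_ip"], "mac": lg["mac"], "issues": []}
        lease = _latest_before(leases, lg["ts"], window, ip=lg["src_ip"])
        if lease is None:
            f["issues"].append("no DHCP lease for the logon IP within the window")
        elif lease["mac"] != lg["mac"]:
            # The OS saw a different MAC than the one the DHCP server leased: the address
            # was changed after the lease, or another device is using the leased IP.
            f["issues"].append(f"MAC at logon {lg['mac']} differs from leased MAC {lease['mac']}")
        anchor = lease["ts"] if lease else lg["ts"]
        swipe = _latest_before(badges, anchor, window, user=lg["user"], result="granted")
        if swipe is None:
            f["issues"].append("no granted badge entry for the user before the lease/logon")
        f["consistent"] = not f["issues"]
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in correlate(BADGE_LOG, DHCP_LOG, LOGON_LOG):
        print(finding)
```

Each finding lists the evidence gaps rather than a verdict: a MAC mismatch or a missing swipe is a reason to pull further logs (switch port tables, the badge system's own audit trail), not proof on its own, which is exactly the "no single log is sufficient" point.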
1.4 Transport and network layer (TCP/IP Evidence)
Forensic methods are also applied at the network layer. The network layer provides routing
information based on the routing table present on all routers and also provides
authentication log evidence. Investigating this information helps determine compromised
packets, identify the source, and reverse-route and track data.
What type of identity forensic evidence is provided at the IP Layer?
The IP address is a unique logical network identity assigned to only one network device that
is either manually assigned, automatically assigned by the operating system, or
dynamically assigned by a DHCP server.
➢ Domain names are symbolic names for an IP address.
➢ An IP address may be assigned to only one network device; however, a network
device may be assigned more than one unique network IP address. A network device
may listen for network traffic on more than one IP network address.
➢ A server may be identified by one or more IP addresses by installing more than one
physical or logical network device. For example, most routers have multiple network
connections which listen on multiple, unique IP addresses.
➢ An IP address can easily be spoofed or impersonated.
➢ Private network IP addresses cannot be routed, and a public IP address and port number
may be assigned by NAT (Network Address Translation) or PAT (Port Address
➢ The substitution of a public network address by using NAT or PAT can be logged by the
What type of identity forensic evidence is provided at the TCP Layer?
While an IP address will provide a unique logical network identity for a network device or
computer, a TCP port number represents a logical application identity for a process
executing at an IP address. IP addresses represent devices. Port numbers represent
Port numbers between 1 and 1023 are commonly known. For example, the port
number that is “commonly” assigned to an HTTP or web server is 80. Assigning port number
80 to a web server is NOT required.
1.5 Application Layer Evidence
A client application, e.g., a web browser, will transmit data or information to and from a
server application, e.g., a web server. The application layer provides commands instructing
each application 1) what service is being requested or to be performed, and 2) information
about the format or structure of the data to be processed.
For example, assume a browser (client) requests the delivery of a web page from a web server,
and the identity (URL path) of the web page to be delivered is specified in the data portion of
the message. The web server then returns the web page to the client formatted as an HTML
document, and the actual HTML document is stored in the data portion of the message.
Every network application or business application requires client and server
applications which agree on 1) the commands to be executed to
control the flow of data, 2) commands that identify the format and structure of the data
to be transferred, and 3) the actual data transmitted.
Each network or business application server normally provides a log that will include
considerable network forensics information, authentication information, and application server
control information. Every HTTP (web), SMTP (email), FTP (file transfer), SSH (Secure
Shell), firewall and IDS server will support its own customizable log.
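The following Python script is an added example, not code from the tutorial, that ties together the identity evidence of sections 1.3 to 1.5. It parses one constructed Ethernet II / IPv4 / TCP frame, the kind of bytes Wireshark or tcpdump capture from a promiscuous-mode interface, and returns the MAC addresses (data link layer), IP addresses (network layer), port numbers (transport layer) and the HTTP request line carried in the data portion of the message (application layer). Every address, port and payload in the sample frame is made up; the parser handles only IPv4 over Ethernet carrying TCP and does not validate checksums, and it rejects anything truncated or of another type rather than guessing.

```python
import struct
from dataclasses import dataclass


@dataclass
class FrameIdentity:
    """Identity evidence recovered from one captured frame, one pair of fields per layer."""
    src_mac: str     # data link layer: physical address the frame was sent from (spoofable)
    dst_mac: str
    src_ip: str      # network layer: logical device identity (also spoofable)
    dst_ip: str
    src_port: int    # transport layer: application/process identity at that IP
    dst_port: int
    app_data: bytes  # application layer: the data portion of the message


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def is_well_known_port(port: int) -> bool:
    """True for the 1-1023 range the tutorial calls 'commonly known'."""
    return 1 <= port <= 1023


def parse_frame(frame: bytes) -> FrameIdentity:
    """Walk Ethernet II -> IPv4 -> TCP headers and return the identities at each layer.
    Raises ValueError for anything that is not a well-formed Ethernet/IPv4/TCP frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac, src_mac = frame[0:6], frame[6:12]           # destination MAC comes first on the wire
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x} (expected IPv4)")

    ip = frame[14:]
    if len(ip) < 20 or (ip[0] >> 4) != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ip[0] & 0x0F) * 4                             # header length in bytes, > 20 if options present
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header length")
    if ip[9] != 6:                                       # protocol field: 6 = TCP
        raise ValueError(f"IP protocol {ip[9]} is not TCP")

    tcp = ip[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    src_port, dst_port = struct.unpack("!HH", tcp[0:4])
    doff = (tcp[12] >> 4) * 4                            # TCP header length in bytes
    if doff < 20 or len(tcp) < doff:
        raise ValueError("bad TCP data offset")
    return FrameIdentity(_mac(src_mac), _mac(dst_mac), _ipv4(ip[12:16]), _ipv4(ip[16:20]),
                         src_port, dst_port, tcp[doff:])


def http_request_line(app_data: bytes):
    """Return the request line (e.g. 'GET / HTTP/1.1') if the payload looks like an HTTP request, else None."""
    first = app_data.split(b"\r\n", 1)[0]
    parts = first.split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        return first.decode("ascii", "replace")
    return None


def build_sample_frame() -> bytes:
    """Constructed sample: a client at 192.168.1.10:51234 sending 'GET /' to 203.0.113.5:80.
    MACs, IPs and ports are made up for this example; checksums are left at zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    payload = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"
    # TCP: src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    # IPv4: ver/IHL, TOS, total length, id, flags/frag (DF), TTL, proto TCP, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    return eth + ip + tcp


if __name__ == "__main__":
    ident = parse_frame(build_sample_frame())
    print(ident)
    print("request line:", http_request_line(ident.app_data))
    print("server port is well known:", is_well_known_port(ident.dst_port))
```

Note that nothing in the frame proves who typed the request: the MAC and IP can both be set by the sending host, which is why the tutorial insists on correlating the capture with DHCP, logon and application server logs.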
1.6 Packet Sniffers and Protocol Analyzers
1.6.1 Introduction to Packet Sniffers and Protocol Analyzers
Packet sniffers or protocol analyzers are tools that are commonly used by network technicians
to diagnose network-related problems. Packet sniffers can also be used by hackers for less
than noble purposes such as spying on network user traffic and collecting passwords. Packet
sniffers work by intercepting and logging network traffic that they can ‘see’ via the wired or wireless
network interface that the packet sniffing software has access to on its host computer.
On a wired network, what can be captured depends on the structure of the network. A packet sniffer
might be able to see traffic on an entire network or only a certain segment of it, depending on how the
network switches are configured, placed, etc. On wireless networks, packet sniffers can usually only
capture one channel at a time unless the host computer has multiple wireless interfaces that allow for
Once the raw packet data is captured, packet sniffing software must analyze it and present it in
human-readable form so that the person using the packet sniffing software can make sense of it.
There are a variety of general software-based packet sniffing and protocol analyzer tools,
such as Wireshark, tshark and tcpdump. However, packet sniffing and protocol analyzer algorithms
are built into almost every network device, e.g., switches, routers, or intrusion detection
If you’re a network technician or administrator and you want to see if anyone on your network is using
a sniffer tool, check out a tool called Antisniff. Antisniff can detect if a network interface on your
network has been put into ‘promiscuous mode’, which is the required mode for packet capture
1.6.3 Protecting Network Traffic from Packet Sniffers
To protect your network traffic from being sniffed use encryption such as Secure Sockets Layer
(SSL) or Transport Layer Security (TLS). Encryption doesn’t prevent packet sniffers from seeing
source and destination information, but it does encrypt the data packet’s payload so that all the sniffer
sees is encrypted gibberish. Any attempt to modify or inject data into the packets would likely fail
since messing with the encrypted data would cause errors that would be evident when the encrypted
information was decrypted at the other end.
1.6.4 Limitations of Using Packet Sniffing Forensic Evidence
➢ Given the volume of network packet data, it is difficult to store raw packet data or convert it to a
log format. To be analyzed, the packet data is temporarily stored in a memory buffer, and that
buffer will overflow in a few seconds. Even when the packet data is stored on a storage
device, the storage retention period may be hours, days, or rarely more than a week.
➢ Sophisticated archive storage policies are required to store raw packet data, but there will
be less data if only the network headers are stored and not the actual data transmitted.
➢ Given the high processing demand of analyzing packets, a denial of service attack may
overwhelm the ability to process or store network packet evidence.
➢ Intrusion Detection Systems do not attempt to analyze all received packets, but attempt
to determine whether the contents of packets contain suspicious content (called a signature) or a
sequence of packets exhibits a certain pattern of behavior. IDS analysis is maturing to use
artificial intelligence and machine learning algorithms to take dynamic action to protect the
system and collect detailed network forensic data.
1.7 Network Buffer Analysis Evidence
As stated previously, packet data is temporarily stored in a memory buffer, and that buffer will overflow in
a few seconds. In addition to packet data, the memory buffer will also store execution status
information used by the protocol or intrusion detection analyzer. In simple terms, the IDS will dump or
store the complete buffer, which holds all network and analysis evidence at that critical moment, i.e., the
evidence of WHY the intrusion detection analyzer declared a critical moment.
1.8 Penetration Testing (Ethical Hacking), Network Forensics, and Cyber Security
Penetration Testing is NOT Network Forensics, but they are related. Let us review a definition of a
A penetration test, colloquially known as a pen test, is an authorized simulated cyber-attack on a
computer system, performed to evaluate the security of the system. The test is performed to identify
both weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties
to gain access to the system’s features and data, as well as strengths, enabling a full risk assessment
to be completed.
Kali Linux distributions include many open-source (FREE, FREE, FREE, and FREE) penetration
testing tools. But a Kali Linux distribution does not provide many log analysis or other forensic tools.
Many cyber security and forensics majors have used the nmap command. Nmap, short for Network
Mapper, is a free, open-source tool for vulnerability scanning and network discovery. Network
administrators use Nmap to identify what devices are running on their systems, discover hosts that
are available and the services they offer, find open ports and detect security risks.
Nmap will not provide the details of network and application protocols. Nmap will not analyze
or provide information from important network forensic logs or raw packet forensic data. But
using nmap generates an unusually large number of packets, so that 1) students can review and learn from
the log data generated by nmap, and 2) test a network forensic plan to learn whether the forensic
collection and logging procedures are adequate to provide sufficient network forensic data.
Nmap does not provide evidence sufficient to test application or business logs and procedures. But
nmap is a great tool to provide data for learning network forensics.
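The following Python script is an added example, not part of the tutorial, that shows the two IDS approaches described in 1.6.4 (a content signature versus a pattern of behavior across a sequence of packets) run over the kind of log that an nmap run in a lab would leave behind. The connection records are constructed: two ordinary web requests, one request carrying a path-traversal string that a content signature catches, and one source that touches 25 destination ports in about 2.5 seconds, which a sliding-window count of distinct ports flags as a scan. The record format, the threshold of 10 ports in 5 seconds and the single signature are assumptions chosen for the example, not values from any real IDS.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_records() -> list:
    """Constructed connection records: (timestamp, src, dst, dst_port, first payload bytes).
    Hosts, addresses and payloads are made up. 10.0.5.77 behaves like a port scanner."""
    t0 = datetime(2024, 3, 4, 9, 0, 0)
    recs = [
        (t0, "10.0.5.23", "10.0.5.10", 80, b"GET /index.html HTTP/1.1"),
        (t0 + timedelta(seconds=1), "10.0.5.31", "10.0.5.10", 443, b"\x16\x03\x01"),
        (t0 + timedelta(seconds=7), "10.0.5.23", "10.0.5.10", 80, b"GET /../../etc/passwd HTTP/1.1"),
    ]
    for i, port in enumerate(range(20, 45)):
        recs.append((t0 + timedelta(milliseconds=100 * i), "10.0.5.77", "10.0.5.10", port, b""))
    return recs


# Content signatures: byte patterns whose presence in a payload raises an alert.
# A real IDS ruleset has thousands; one is enough to show the mechanism.
SIGNATURES = {
    "path-traversal-to-passwd": b"/etc/passwd",
}


def detect(records: list, scan_ports: int = 10,
           scan_window: timedelta = timedelta(seconds=5)) -> list:
    """Return alerts of two kinds:
    - 'signature': a single record whose payload contains a known pattern;
    - 'port-scan': a source that reaches >= scan_ports distinct (dst, port) pairs
      inside any scan_window, i.e. a behavior visible only across many packets."""
    alerts = []

    # 1) Per-packet content inspection.
    for ts, src, dst, dport, payload in records:
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                alerts.append({"type": "signature", "name": name, "src": src,
                               "dst": dst, "dport": dport, "ts": ts})

    # 2) Behavioral pattern: sliding window over each source's connection attempts.
    by_src = defaultdict(list)
    for ts, src, dst, dport, _ in records:
        by_src[src].append((ts, dst, dport))
    for src, hits in by_src.items():
        hits.sort()                         # chronological order
        best, best_span, start = 0, None, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > scan_window:
                start += 1                  # drop attempts that fell out of the window
            distinct = {(d, p) for _, d, p in hits[start:end + 1]}
            if len(distinct) > best:
                best, best_span = len(distinct), (hits[start][0], hits[end][0])
        if best >= scan_ports:
            alerts.append({"type": "port-scan", "src": src, "distinct_ports": best,
                           "first": best_span[0], "last": best_span[1]})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_records()):
        print(alert)
```

The signature branch needs only one packet and no state; the scan branch needs a per-source window and memory, which is the processing and buffer cost the tutorial describes and the reason a flood of packets can overwhelm an analyzer. Tuning `scan_ports` and `scan_window` against a known nmap run against a lab host is one concrete way to test whether a forensic collection plan records enough to reconstruct the event.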
1.9 Questions – Network Forensics
Chapter 1: Practical Investigation Strategies – Network Forensics: Tracking Hackers through
Blackboard – Unit 1 Network Forensics, Digital Evidence, and OSCAR
Many of the following questions will be answered by Unit 1
What is Network forensics? – https://en.wikipedia.org/wiki/Network_forensics
Network Forensics – http://searchsecurity.techtarget.com/definition/network-forensics
Why Use Network Forensics? – https://www.netfort.com/blog/the-three-primary-use-cases-fornetwork-forensics/
Video- Network Forensics – https://www.youtube.com/watch?v=9_u1eriQtSY
Video – What Is Network Forensics? – https://www.youtube.com/watch?v=UjSyHiTauQs
Tools:Network Forensics – http://forensicswiki.org/wiki/Tools:Network_Forensics
1. Define Network Forensics. Answer:
It’s a sub-branch of digital forensics that involves analyzing and monitoring network traffic in a
computer with the aim of gathering information, detecting intruders into the network and legal
evidence. It basically deals with dynamic and volatile information, unlike other branches of digital
2. Describe several characteristics of the “Catch-it-as-you-can” network forensics system model. Answer:
1. There is subsequent analysis of data.
2. Capturing of data passing through a certain traffic point.
3. This model requires an enormous amount of storage.
3. Describe several characteristics of the “Stop, look and listen” network forensics system model. Answer:
1. Packets of data are analyzed in memory.
2. Certain information in this model is stored for future analysis.
3. Requires less storage and a faster processor.
4. List and describe at least 5 forensic activities that are common to End-to-end forensic investigations
1. The origin of the attack. That is, the computer and operating system that the malicious
2. The origin of the attack and the path that the malicious network took, and finally the
destination of the malicious network.
3. The end results of the attack, or rather what came forth after the attack.
4. The types of data that have been compromised by the attack, e.g. records, images, encrypted
and decrypted information.
5. The security precautions that were there when the attack took place.
5. The following table lists three popular categories used for network forensic evidence. Describe and
list three or more examples of forensic activities for each category.
Categories for the use of Network Forensic Evidence | Examples of Forensic
Security and compliance |
6. Hackers have compromised a targeted system and its operating system and network logs. The
operating system logs do not provide evidence of this hack event. How can network forensics
overcome this challenge? List a second popular tool employed in network forensic evidence. Answ …