CCIDF Unit5 Notes

Network forensics is a branch of digital forensics focused on analyzing network traffic to investigate cyber incidents and gather evidence. It involves monitoring, evidence collection, and incident response to detect threats and ensure compliance, utilizing tools like packet sniffers and log analysis. Understanding network basics, protocols, and common attacks is essential for digital investigators to effectively trace and analyze digital evidence across networks.

Uploaded by

borutoanime209

Cyber Crime Investigation and Digital Forensics

UNIT - IV

Network Forensics: Networks basics for Digital investigators, Applying Forensic science to Networks, Digital evidence on Physical and datalink layers, Digital Evidence on Network and Transport layers.

Network Forensics
Network forensics is a specialized area of digital forensics that focuses on analyzing
network traffic to investigate cyber incidents, detect intrusions, and gather evidence. It
involves capturing, recording, and examining data flowing across a network to
understand what happened during a security event. This helps identify attackers,
understand the scope of an attack, and potentially prevent future incidents.

Key Aspects of Network Forensics:

• Monitoring and Analysis: Network forensics relies on monitoring network traffic and analyzing data packets to identify suspicious activities and patterns.
• Evidence Collection: It involves capturing and preserving network data as evidence for legal proceedings or internal investigations.
• Incident Response: Network forensics plays a crucial role in incident response by providing insights into the nature and scope of an attack.
• Threat Detection: By analyzing network traffic, network forensics can help detect various threats, including malware, botnets, and unauthorized access attempts.
• Compliance: It can also help organizations meet regulatory requirements by providing detailed records of network activities.

Tools and Techniques:

Network forensics utilizes various tools and techniques, including:

• Packet sniffers: Software or hardware that captures network packets.
• Flow analysis: Analyzing network traffic patterns to identify anomalies.
• Log analysis: Examining system and application logs for clues about an incident.
• Timeline analysis: Reconstructing the sequence of events during an incident.
• Data mining: Using data mining techniques to identify patterns and anomalies in network traffic.

Examples of Network Forensics Applications:

• Cybercrime Investigations: Network forensics can be used to investigate cybercrimes, such as data breaches, online fraud, and hacking.
• Network Security Audits: Analyzing network traffic helps assess the security posture of a network and identify vulnerabilities.
• Incident Response: Network forensics is essential for responding to security incidents, such as malware infections or data breaches.

Networks basics for Digital investigators

Understanding network basics is essential for digital investigators because much of today's evidence and activity—such as cybercrimes, unauthorized access, or data exfiltration—travels through or depends on computer networks.

🔌 1. What is a Network?

A network is a group of interconnected devices (computers, servers, phones, etc.) that communicate to
share resources and data.

• LAN (Local Area Network): Small geographical area (e.g., office or home).
• WAN (Wide Area Network): Covers large areas (e.g., the Internet).

🌐 2. Key Network Components

• Router: Directs traffic between networks.
• Switch: Connects multiple devices on a LAN.
• Firewall: Filters network traffic for security.
• Modem: Converts digital signals to/from analog for Internet access.
• Access Point (AP): Allows wireless devices to connect to the network.

🧭 3. Important Network Protocols

• TCP/IP: Core protocol suite of the Internet.
• IP (Internet Protocol): Provides addressing.
• TCP (Transmission Control Protocol): Ensures reliable delivery.
• UDP (User Datagram Protocol): Faster but less reliable.
• HTTP/HTTPS: Web traffic.
• FTP/SFTP: File transfers.
• DNS: Translates domain names to IP addresses.

📡 4. IP Addresses and MAC Addresses

• IP Address (e.g., 192.168.1.1): Logical address for communication.
• MAC Address (e.g., 00:1A:2B:3C:4D:5E): Hardware address unique to network devices.

5. Network Investigation Tools

• Wireshark: Captures and analyzes packet data.
• Nmap: Scans for live hosts and open ports.
• Netstat: Displays active network connections.
• Traceroute: Shows path of packets across the network.
• NSLookup: Resolves domain names to IP addresses.

🔍 6. Why Network Basics Matter in Investigations

• Log Analysis: Investigators review firewall, router, or server logs.
• Traffic Analysis: Identify unusual communication patterns (e.g., data exfiltration).
• Attribution: Match IP/MAC addresses to devices or users.
• Incident Response: Quickly isolate compromised systems.

🧑‍💻 7. Common Network-Based Attacks

• DDoS: Overwhelm a service with traffic.
• Man-in-the-Middle (MitM): Intercept communication between parties.
• Packet Sniffing: Capture unencrypted data.
• Phishing & Spoofing: Trick users into revealing credentials.

8. Network Layers (OSI Model Overview)

Understanding the OSI model helps break down how data travels across a network:

1. Physical – Cables, switches.
2. Data Link – MAC addressing.
3. Network – IP addressing, routing.
4. Transport – TCP/UDP ports.
5. Session – Establishing/maintaining connections.
6. Presentation – Encryption, data formatting.
7. Application – User interfaces (e.g., web browsers, email clients).

9. Common Ports and Services

Recognizing ports helps identify services:

• Port 80 / 443 – HTTP / HTTPS (web)
• Port 21 / 22 – FTP / SSH
• Port 25 / 587 – SMTP (email)
• Port 53 – DNS
• Port 3389 – RDP (Remote Desktop)

Digital Tip: If port 22 (SSH) is being accessed frequently from unknown IPs, it may suggest brute-force
attempts.
🪪 10. Network Identification and Tracing

• DHCP logs: Track which device got which IP.
• ARP tables: Map IP addresses to MAC addresses.
• Syslogs: Show timestamps of connections.
• SIEM tools: Aggregate logs from multiple devices for analysis.

🔐 11. Encryption and VPNs

• SSL/TLS encrypts web data—investigators often look at certificate info.
• VPNs mask real IP addresses, making attribution difficult.
   o Look for DNS leaks or VPN misconfigurations.

12. Indicators of Compromise (IoCs) in Network Traffic

• Abnormal outbound traffic.
• Repeated failed login attempts.
• Connections to known malicious IPs or C2 (Command & Control) servers.
• Traffic spikes during off-hours.
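The indicators listed above (and the "digital tip" in section 9 about port 22 being hit repeatedly from unknown addresses) can be checked mechanically against flow records. The following is an added example, not part of the original notes: it runs over a constructed NetFlow-style CSV export, and the C2 list, trusted address range, business-hours window and thresholds are placeholders an analyst would replace with site data.

```python
import csv
import io
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed NetFlow-style export (all addresses and volumes are made up).
FLOWS = """\
ts,src,dst,dport,proto,bytes_out
2024-03-11T09:12:01,10.0.0.5,93.184.216.34,443,tcp,5200
2024-03-11T09:13:44,10.0.0.5,93.184.216.34,443,tcp,4800
2024-03-11T02:40:10,10.0.0.9,203.0.113.77,443,tcp,900000000
2024-03-11T02:41:30,10.0.0.9,203.0.113.77,443,tcp,850000000
2024-03-11T10:05:12,198.51.100.23,10.0.0.10,22,tcp,300
2024-03-11T10:05:13,198.51.100.23,10.0.0.10,22,tcp,300
2024-03-11T10:05:14,198.51.100.23,10.0.0.10,22,tcp,300
2024-03-11T10:05:15,198.51.100.23,10.0.0.10,22,tcp,300
2024-03-11T10:05:16,198.51.100.23,10.0.0.10,22,tcp,300
2024-03-11T11:00:00,10.0.0.20,192.0.2.200,8080,tcp,1200
"""

# Placeholders an analyst replaces with site data and threat intelligence.
KNOWN_C2 = {"192.0.2.200"}                # hypothetical C2 list (placeholder)
TRUSTED_SSH_SOURCES = ["10.0.0.0/8"]      # hypothetical: internal range is "known"
BUSINESS_HOURS = range(8, 19)             # 08:00-18:59, hypothetical site policy
OUTBOUND_BYTES_THRESHOLD = 500_000_000    # per src/dst pair, hypothetical
SSH_ATTEMPT_THRESHOLD = 5                 # attempts from one unknown source


def parse_flows(text):
    """Turn the CSV export into a list of typed flow records."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "ts": datetime.fromisoformat(row["ts"]),
            "src": row["src"],
            "dst": row["dst"],
            "dport": int(row["dport"]),
            "proto": row["proto"],
            "bytes_out": int(row["bytes_out"]),
        })
    return flows


def is_trusted(ip):
    """True if the source address falls inside a known internal range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in TRUSTED_SSH_SOURCES)


def find_iocs(text):
    """Return the four indicator classes from the notes, each as a sorted list."""
    flows = parse_flows(text)

    # Abnormal outbound traffic: total bytes per (src, dst) pair above threshold.
    volume = Counter()
    for f in flows:
        volume[(f["src"], f["dst"])] += f["bytes_out"]
    abnormal = sorted(pair for pair, total in volume.items()
                      if total > OUTBOUND_BYTES_THRESHOLD)

    # Connections to known malicious IPs / C2 servers.
    c2 = sorted({(f["src"], f["dst"]) for f in flows if f["dst"] in KNOWN_C2})

    # Traffic outside business hours (the notes' off-hours indicator).
    off_hours = sorted({f["src"] for f in flows
                        if f["ts"].hour not in BUSINESS_HOURS})

    # Repeated SSH access from unknown sources (the port 22 "digital tip").
    ssh = Counter(f["src"] for f in flows
                  if f["dport"] == 22 and not is_trusted(f["src"]))
    brute = sorted(src for src, n in ssh.items() if n >= SSH_ATTEMPT_THRESHOLD)

    return {"abnormal_outbound": abnormal, "c2_contact": c2,
            "off_hours": off_hours, "ssh_bruteforce": brute}


if __name__ == "__main__":
    for kind, hits in find_iocs(FLOWS).items():
        print(f"{kind}: {hits}")
```

Flow records show volume and connection attempts but not logon outcomes, so the "repeated failed login" indicator still needs the authentication logs of the target host.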

📄 13. Capturing and Analyzing Network Evidence

• PCAP files: Packet captures from Wireshark or tcpdump.
• Metadata: Timestamps, source/destination IPs, protocols.
• Payloads: Actual data, sometimes includes credentials or malware.

📁 14. Logs to Collect in Investigations

• Firewall logs
• Router/switch logs
• Windows Event Logs
• Syslogs from Linux systems
• IDS/IPS alerts (e.g., Snort, Suricata)

🌍 15. Cloud Networking Considerations

• Logs may be distributed across regions.
• Use of virtual networks (VPCs in AWS).
• Track API calls and user access events.
• Important to check cloud firewall/security group logs.

🧑‍⚖️16. Legal and Ethical Aspects

• Chain of custody: Ensure collected network data is preserved without tampering.
• Warrants/authorization: Required for packet capturing in many jurisdictions.
• Privacy: Avoid collecting unnecessary personal data.

17. Network Topology

Network topology is another core concept in network basics, especially important for digital investigators because it helps in understanding how devices are connected, where data flows, and how to trace potential points of compromise.

What is Network Topology?

• Network topology refers to the physical or logical layout of connected devices (nodes) in a network.
🔗 Types of Network Topologies (with Pros & Forensics Insight)

| Topology | Description | Pros | Investigation Notes |
|---|---|---|---|
| Bus | All devices share a single backbone cable. | Simple, cheap | A failure affects all; traffic easily sniffed. |
| Star | All devices connect to a central hub/switch. | Easy to manage; isolate devices | Investigate central device logs for traffic. |
| Ring | Each device connects to two others in a loop. | Predictable data flow | Failure in one node can break communication. |
| Mesh | Every device connects to every other. | High redundancy; fault-tolerant | Complex; need automated tools to trace paths. |
| Tree (Hierarchical) | Combines star topologies in a hierarchy. | Scalable; organized | Investigators can follow branches to source. |
| Hybrid | Mix of topologies (e.g., star-mesh). | Flexible | Understand logical layout during breach analysis. |

Applying Forensic Science to Networks:


1) Like computers, networks contain digital evidence that can be used to establish that a crime has
been committed, determine how a crime was committed, provide investigative leads, reveal links
between an offender and victim, disprove or support witness statements, and identify likely
suspects.

2) For instance, several hours after the Columbia Space Shuttle crash in 2003, it became evident
that a crime was being committed when pieces of the spacecraft were being offered for sale on
eBay.

3) A missing person’s e-mail has provided a link between the victim and offender, revealing where
she went and who she arranged to meet.

4) Child pornography posted on the Internet has led investigators to victims who were being
abused by a family member without the knowledge of other family members, neighbors, or others
close to the family.

5) Web proxy logs have been used to demonstrate that an offender took precautions to conceal
his illegal activities, casting doubt on his claims that he did not know that what he was doing was
wrong.

6) When someone witnesses an unknown offender making a call from his/her mobile phone, it
may be possible to obtain records from local base stations for that time period and determine
who made calls from the region, thus narrowing the suspect pool.

7) Processing a hard drive for evidence is a relatively well-defined procedure. When dealing with
evidence on a network, however, digital investigators face a number of unpredictable challenges.

1] Preparation and Authorization:

1) In some cases, digital evidence exists on networks that were not directly involved in a crime and
the network administrators are cooperative, often helping digital investigators obtain evidence.
Some system administrators even capture useful data routinely to detect and resolve performance
and security problems, effectively collecting evidence proactively.

2) However, this proactive evidence gathering might not meet the standards for legal action and
digital investigators may need to perform additional steps to preserve these data as evidence.
Additionally, there are often more sources of digital evidence on a network than even the system
administrators realize. Therefore, to ensure that all relevant data are located, digital investigators
must use their understanding of networks in general to query system administrators thoroughly,
and clearly communicate what types of digital evidence are needed.

3) When system administrator cooperation is not forthcoming, digital investigators have to gather
intelligence themselves about the target systems before obtaining authorization to seize evidence.
For instance, when a Web site is under investigation, it is necessary to determine where the Web
servers are located before obtaining authorization to seize the systems.

4) Additionally, it is useful for digital investigators to know what kinds of computers to expect so that
they can bring the necessary tools. Digital investigators might also want to copy as much of the
material from the Web site as possible prior to the search to demonstrate probable cause or as a
precautionary measure.

5) Collecting digital evidence from a large network requires significant planning, particularly when
the administrators are not cooperative. Obtaining information about the target systems prior to
the actual search can be a time-consuming process.

6) Case Example: The alibi of a prime suspect in a homicide case depended on his employer’s
network. Unfortunately, system administrators who assisted investigators did not know about an
administrative console that contained key digital evidence and failed to preserve it promptly. By
the time the suspect pointed out the console, it was too late—he was accused of fabricating digital
evidence on the console after the fact to support his alibi. If the investigators in this case had not
relied on the system administrators’ incomplete knowledge of their network, the suspect probably
would not be in jail today.

2] Identification:

1) Recall that the cybertrail is bi-directional. When dealing with a computer as a source of
evidence, the crime scene search generally leads to a connected network and ultimately the
Internet.

2) Conversely, when digital investigators find digital evidence on the Internet, their search often
leads them through a smaller, private network (e.g., ISP, employer, and home networks) to an
individual computer.
3) These search areas are depicted in Figure B.1 with a dashed line between the Internet and the
smaller, private network because the division between the two is not always clearly defined.

4) For example, corporate networks often have internal servers that are used to share information
within the organization and these servers are sometimes accessible to employees via the Internet.
5) Given the amount of information that can exist in any of these areas, it is necessary to have a
method of quickly locating systems that contain the most useful digital evidence.

6) The first phase is to seek the end-points and intermediate systems such as switches, routers, and
proxies. These systems can contain digital evidence that helps establish the continuity of offense
and gain a more complete understanding of the crime.

7) For example, log files on an e-mail server used to send harassing e-mail can provide a more
complete view of the harasser’s activities than a single message. Additionally, intermediate
systems like routers and switches may generate detailed logs of network activity, which lead to
the second phase.

8) The second phase is to seek log files that provide an overview of activities on the network, such
as packet logs from traffic monitoring systems, traffic logs from Argus probes, NetFlow logs from
routers, and alert logs from intrusion detection systems.

9) These network-level logs are very useful for determining what occurred and which other
systems on the network might be involved. For example, when investigating an intrusion into one
computer, network-level logs may reveal that the same intruder targeted several other systems.
The third phase is to look for supporting systems such as authentication servers and caller-id
systems that can help attribute online activities to an individual.

10) In practice, these three phases are conducted simultaneously as, in some instances, the
second and third phases may lead to other intermediate systems or end-points.

11) This three-phase approach is useful for focusing the search for digital evidence on a network
to reconstruct the crime.

3] Documentation, Collection, and Preservation:

1) In some instances, it is desirable to preserve digital evidence on a networked system by gaining
physical access to the associated computer and making a bitstream copy of the contents using the
guidelines provided in the previous topic.

2) Also, the same procedures are used to preserve loose media and related backup tapes, and
collect associated hardware and software needed to read them. The primary differences when
dealing with networked systems arise when digital investigators cannot make a bitstream copy of
digital evidence.
3) A bitstream copy may not be viable in some situations because the system cannot be shut
down, the hard drive may be too large to copy, or the digital investigator may not have authority
to copy the entire drive.

4) Also, digital investigators often rely on large Internet Service Providers to collect evidence from
their own systems, such as subscriber information. Furthermore, digital investigators may not be
able to gain physical access to the system containing evidence, requiring them to collect evidence
remotely.

5) Digital investigators also collect digital evidence remotely when there is a strong chance that it
will be destroyed before they can reach the machine. For instance, data on the Internet such as
Web pages and Usenet messages can be altered or removed at any time and computer intruders
often delete log files.

6) Another example of real-time evidence gathering is an IRC chat session in which digital
investigators keep a running log of their conversation with a suspect.

7) However, if a significant amount of information is being displayed onscreen it may be desirable to
record a visual representation of events.

8) A visual recording can be created using a video camera or a software program that can capture
dynamic digital evidence, like a sequence of onscreen events, and can replay them at a later time
much like a videotape.

9) Notably, these and other programs that are useful for collecting digital evidence do not
perform integrity checking and other documentation that can be used to authenticate the data.
10) When dealing with network logs, preserving the entire log file rather than individual entries is
preferable to collecting only relevant portions because digital investigators may later find that
other portions of the log are relevant to the case.

11) Case Example: In a homicide case, digital investigators collected information from the login
server relating to the victim’s activities but did not collect the entire log file. It was later
determined that the offender may have been logged into the server at the same time, allowing
them to chat in real time and arrange a meeting an hour later. By the time this was realized,
archived copies of the relevant log files had been overwritten (the backup tapes had been reused)
and it was not possible to determine who else was accessing the system at the time.

4] Filtering and Data Reduction:

1) Investigations involving computers often result in a large amount of data, much of it unrelated
to the crime under investigation.
2) Also, when dealing with files containing captured network traffic, there may be privileged or
confidential information that forensic examiners are required to ignore or remove.

3) Therefore, data filtering and reduction are essential parts of any investigation involving
networks, enabling a more efficient and thorough forensic analysis of the digital evidence.

4) Filtering out irrelevant data from log files may be as simple as extracting entries that match
certain criteria such as a certain time period, an IP address, or failed logon events. For instance,
the following output shows only failed logon events relating to the user "eco" extracted from a
Windows NT Event Log using the ntlast utility.
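The same kind of criteria-based extraction described in point 4 (a time window, a source IP, a user, failed logons only), written here as an added example rather than output from the notes or from ntlast. It works on constructed syslog-style authentication lines; because syslog lines carry no year, the year is assumed.

```python
import re
from datetime import datetime

# Constructed auth-log lines (hostnames, users and addresses are made up).
AUTH_LOG = """\
Mar 11 10:05:12 host1 sshd[2211]: Failed password for eco from 198.51.100.23 port 51234 ssh2
Mar 11 10:05:13 host1 sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 51235 ssh2
Mar 11 10:06:40 host1 sshd[2215]: Accepted password for eco from 10.0.0.5 port 40022 ssh2
Mar 11 12:30:01 host1 CRON[2300]: pam_unix(cron:session): session opened for user root
Mar 11 13:15:09 host1 sshd[2400]: Failed password for eco from 203.0.113.9 port 50000 ssh2
"""

LOG_YEAR = 2024  # assumption: syslog lines carry no year, so one is supplied

# "<Mon> <day> <hh:mm:ss> <host> <process>[pid]: <message>"
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Who and from where, for sshd-style messages.
AUTH_RE = re.compile(r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def parse_line(line):
    """Split one syslog line into fields; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{LOG_YEAR} {m['mon']} {m['day'].strip()} {m['time']}", "%Y %b %d %H:%M:%S")
    entry = {"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"],
             "user": None, "ip": None,
             "failed": m["msg"].startswith("Failed password")}
    a = AUTH_RE.search(m["msg"])
    if a:
        entry["user"], entry["ip"] = a["user"], a["ip"]
    return entry


def _as_dt(value):
    """Accept either a datetime or an ISO-8601 string for the window bounds."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def filter_entries(text, start=None, end=None, ip=None, user=None, failed_only=False):
    """Keep only entries matching every criterion given (window, IP, user, failure)."""
    start, end = _as_dt(start), _as_dt(end)
    kept = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if start and e["ts"] < start:
            continue
        if end and e["ts"] > end:
            continue
        if ip and e["ip"] != ip:
            continue
        if user and e["user"] != user:
            continue
        if failed_only and not e["failed"]:
            continue
        kept.append(e)
    return kept


if __name__ == "__main__":
    # The notes' case: only failed logon events relating to the user "eco".
    for e in filter_entries(AUTH_LOG, user="eco", failed_only=True):
        print(e["ts"], e["ip"], e["msg"])
```

Point 10 of the previous section still applies: filter a working copy for analysis, and preserve the complete original log file as the evidence.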

Digital evidence on Physical and datalink layers

Digital evidence on the Physical and Data Link layers of the OSI model typically involves information that
can be used in cybercrime investigations or forensic analysis. Here's a breakdown of the kind of evidence
that can be gathered at each of these layers:

1. Physical Layer (Layer 1)

The Physical Layer is responsible for the transmission and reception of raw data bits over a physical
medium (e.g., cables, wireless).

Types of Digital Evidence:

• Cabling and Hardware Taps: Evidence of physical tampering, wiretaps, or signal interception devices.
• Signal Interference or Jamming: Logs or recordings of signal interference used to disrupt communications.
• Device Presence: Evidence of a device physically connected to a network (e.g., via MAC address appearing on connected switches).
• Power Usage Logs: Smart power strips or UPS systems may show when a device was powered on/off.
• Radio Frequency (RF) Logs: In wireless forensics, RF signals can be captured to show the presence of unauthorized access points or devices.

Tools Used:

• RF scanners
• Network taps
• Hardware keyloggers
• Oscilloscopes (in hardware-level forensics)

2. Data Link Layer (Layer 2)

The Data Link Layer is responsible for node-to-node data transfer and includes MAC addressing and
switching.

Types of Digital Evidence:

• MAC Address Logs: Logs showing the MAC addresses that were connected to a network, useful for identifying devices.
• Switch Logs / ARP Tables: Can reveal which MAC addresses were seen on which ports and when.
• Network Traffic Captures: Using tools like Wireshark to capture Ethernet frames (with MAC addresses and other Layer 2 data).
• WLAN Traffic: For wireless, includes SSIDs, BSSIDs, and management frames.
• VLAN Logs: Help identify which virtual networks were used by which systems.
• Frame Manipulation Evidence: Detection of ARP spoofing, MAC flooding attacks, or unauthorized network bridging.

Tools Used:

• Wireshark (packet analyzer)
• tcpdump
• Switch port analyzers (SPAN)
• Aircrack-ng (for wireless Layer 2 data)
• Network monitoring software

Summary Table

| Layer | Evidence Type | Tools |
|---|---|---|
| Physical | Signal captures, device connection logs, tampering signs | RF scanners, taps, cables, hardware analyzers |
| Data Link | MAC addresses, ARP tables, traffic frames, VLAN tagging info | Wireshark, tcpdump, Aircrack, network switch logs |

Additional Digital Evidence:

1. Physical Access Logs:
   o Card swipe or biometric logs showing physical access to networking hardware (e.g., server rooms).
2. Environmental Logs:
   o Temperature and humidity logs from network hardware (indicating overheating, tampering, or environmental sabotage).
3. Evidence of Cable Cuts or Damage:
   o Fiber optics or Ethernet cables being cut or damaged deliberately to disrupt communication.
4. Line Monitoring Equipment Logs:
   o Devices that passively record signals (e.g., signal analyzers or wiretap devices).
5. Power Supply Evidence:
   o Sudden power loss or fluctuations can be correlated with attack timing.
6. Physical Layer Protocol Anomalies:
   o Unusual voltage or timing patterns that suggest hardware manipulation or signal injection.
7. Wi-Fi Signal Strength Data:
   o Signal strength logs from access points showing movement or physical proximity of devices.
8. Signal Spectrum Analysis:
   o Identifies rogue or unauthorized RF transmitters (Wi-Fi jammers, illegal APs).

🔹 Data Link Layer (Layer 2) – Expanded Points

This layer handles MAC addressing, framing, and error detection between nodes on the same network
segment.

✅ Additional Digital Evidence:

1. MAC Spoofing Detection:
   o Logs showing multiple MACs on a single port or MAC address changing over time.
2. Port Security Logs:
   o Events where a switch port was shut down due to unauthorized MAC addresses.
3. ARP Cache Evidence:
   o ARP entries used to correlate IP addresses with MAC addresses during specific times.
4. Switch CAM Table Logs:
   o Data showing which MACs were active on which ports—used to locate devices.
5. Bridge Protocol Data Units (BPDU):
   o Evidence from Spanning Tree Protocol can reveal rogue switches or bridge loop attacks.
6. Wireless Association Logs:
   o Wireless AP logs showing when and which devices associated/disassociated from the network.
7. Frame Check Sequence (FCS) Errors:
   o Frequent frame errors could indicate deliberate interference or faulty hardware.
8. Wi-Fi Management Frames:
   o Evidence from beacon, probe request/response, association, and deauthentication frames.
9. DHCP Server Logs (L2 Relevant):
   o Helps link MAC addresses to issued IPs and detect rogue DHCP servers.
10. VLAN Hopping Attempts:
   o Unusual tagging or double-tagging behavior used to escape VLAN restrictions.
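Points 1, 3 and 4 above (multiple MACs on one port, an IP whose MAC binding changes over time, and CAM-table data locating devices) can be turned into checks over periodic switch-table snapshots. This is an added example, not from the notes or any switch vendor: the snapshot format, port names, addresses, the per-port MAC limit and the uplink list are all constructed or hypothetical.

```python
import csv
import io
from collections import defaultdict

# Constructed snapshots of a switch's MAC (CAM) table joined with its ARP data.
# Timestamps, port names, MACs and IP addresses are all made up.
SNAPSHOTS = """\
ts,port,mac,ip
2024-03-11T10:00:00,Gi1/0/1,00:1a:2b:3c:4d:5e,10.0.0.5
2024-03-11T10:00:00,Gi1/0/2,00:1a:2b:3c:4d:5f,10.0.0.6
2024-03-11T10:00:00,Gi1/0/3,00:1a:2b:3c:4d:60,10.0.0.1
2024-03-11T10:05:00,Gi1/0/1,00:1a:2b:3c:4d:5e,10.0.0.5
2024-03-11T10:05:00,Gi1/0/7,aa:bb:cc:00:00:01,10.0.0.1
2024-03-11T10:06:00,Gi1/0/7,aa:bb:cc:00:00:02,10.0.0.50
2024-03-11T10:06:00,Gi1/0/7,aa:bb:cc:00:00:03,10.0.0.51
2024-03-11T10:06:00,Gi1/0/7,aa:bb:cc:00:00:04,10.0.0.52
2024-03-11T10:06:00,Gi1/0/7,aa:bb:cc:00:00:05,10.0.0.53
2024-03-11T10:06:01,Gi1/0/2,00:1a:2b:3c:4d:5f,10.0.0.6
2024-03-11T10:07:00,Gi1/0/7,00:1a:2b:3c:4d:5e,10.0.0.5
"""

MAX_MACS_PER_ACCESS_PORT = 3   # hypothetical port-security limit for an access port
KNOWN_UPLINKS = {"Gi1/0/24"}   # hypothetical: uplinks legitimately carry many MACs


def parse_snapshots(text):
    """Rows of {ts, port, mac, ip} from the constructed CSV snapshots."""
    return list(csv.DictReader(io.StringIO(text)))


def macs_per_port(rows):
    seen = defaultdict(set)
    for r in rows:
        seen[r["port"]].add(r["mac"])
    return seen


def flooded_ports(rows):
    """Access ports carrying more distinct MACs than port security should allow."""
    return sorted(p for p, macs in macs_per_port(rows).items()
                  if p not in KNOWN_UPLINKS and len(macs) > MAX_MACS_PER_ACCESS_PORT)


def ip_mac_changes(rows):
    """IPs whose MAC binding changed, with MACs in order of first appearance."""
    history = {}
    for r in sorted(rows, key=lambda r: r["ts"]):   # stable sort keeps file order within a ts
        macs = history.setdefault(r["ip"], [])
        if r["mac"] not in macs:
            macs.append(r["mac"])
    return sorted((ip, macs) for ip, macs in history.items() if len(macs) > 1)


def mac_port_moves(rows):
    """MACs seen on more than one port (device moved, or its address was cloned)."""
    ports = defaultdict(set)
    for r in rows:
        ports[r["mac"]].add(r["port"])
    return sorted((mac, sorted(p)) for mac, p in ports.items() if len(p) > 1)


def report(text):
    rows = parse_snapshots(text)
    return {"flooded_ports": flooded_ports(rows),
            "ip_mac_changes": ip_mac_changes(rows),
            "mac_port_moves": mac_port_moves(rows)}


if __name__ == "__main__":
    for kind, hits in report(SNAPSHOTS).items():
        print(f"{kind}: {hits}")
```

In the sample the gateway address 10.0.0.1 acquires a second MAC on port Gi1/0/7, which is the pattern ARP-spoofing evidence takes in a CAM/ARP correlation; the same port also exceeds the MAC limit and carries a clone of host 10.0.0.5's address.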

Digital evidence on Network and Transport layers

This section covers the digital evidence available at the Network (Layer 3) and Transport (Layer 4) layers of the OSI model,
both of which are critical for tracing communication paths, analyzing sessions, and identifying
malicious activity in cyber forensics.

🔷 Network Layer (Layer 3)

Handles routing, IP addressing, and packet forwarding between networks.

✅ Digital Evidence at Layer 3:

1. IP Address Logs:
   o Source and destination IPs in captured traffic.
   o Useful for identifying external and internal communicating hosts.
2. Router Logs:
   o Track path taken by packets (e.g., traceroute logs, routing table changes).
   o Logs from OSPF, BGP, RIP protocols (indicating route changes or hijacking).
3. Firewall Logs:
   o Show blocked or allowed IP traffic.
   o Can reveal intrusion attempts (e.g., scans, port probes).
4. NAT Logs:
   o Translate internal private IPs to public IPs — critical for identifying specific devices behind NAT.
5. IP Packet Headers:
   o TTL (Time to Live), source/destination IPs, protocol types (TCP/UDP/ICMP).
   o TTL can help infer the number of hops or detect spoofing.
6. IP Fragmentation Evidence:
   o Fragmented packets may indicate evasion attempts (e.g., intrusion detection system bypass).
7. ICMP Logs (Ping, Traceroute):
   o Can show connectivity tests or scanning activities.
   o Ping floods, Smurf attacks leave ICMP traces.
8. VPN and Tunneling Evidence:
   o Encapsulated IP packets, IPsec headers, or GRE tunnels may suggest encrypted communication.
9. Geolocation from IPs:
   o Source IPs can be mapped to approximate physical locations or ISPs.

🔷 Transport Layer (Layer 4)

Handles end-to-end communication, port addressing, and flow control via TCP and UDP.

✅ Digital Evidence at Layer 4:

1. TCP/UDP Port Numbers:
   o Identify services or applications (e.g., 80 for HTTP, 443 for HTTPS, 22 for SSH).
   o Helps determine which services were targeted or used.
2. TCP Session Logs:
   o SYN, SYN-ACK, ACK packets allow tracking of connection attempts.
   o Evidence of SYN floods (DoS attacks), or half-open connections.
3. Sequence and Acknowledgment Numbers:
   o Show data flow and integrity.
   o Help reconstruct sessions (session hijacking detection).
4. TCP Flags:
   o SYN, ACK, FIN, RST flags indicate session states.
   o Can reveal port scans (e.g., Xmas scan, NULL scan).
5. UDP Traffic Analysis:
   o Detection of suspicious use of DNS, VoIP, or gaming ports.
   o Evidence of data exfiltration over less-monitored UDP ports.
6. Connection Duration and Timing:
   o Long or abnormal sessions may indicate data transfer or tunneling.
   o Correlation with timestamps helps build event timelines.
7. Transport Layer Anomalies:
   o Port spoofing, random port generation, or unreachable port attempts.
8. Load Balancer Logs:
   o May log Layer 4 information about client-server connections.
9. TLS/SSL Handshakes (Layer 4/5 cross):
   o Even if encrypted, metadata like certificates and handshakes are observable at Layer 4.
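The Layer 3 fields (TTL, protocol, fragmentation bits, addresses) and Layer 4 fields (ports, sequence/acknowledgment numbers, flags) listed above sit at fixed offsets in the packet headers, so an examiner can pull them from raw bytes without a full analyzer. This added example, not from the notes, builds a few constructed IPv4+TCP headers (checksums left zero, documentation-range addresses), parses them back, and labels the flag combinations the notes mention (NULL and Xmas probes, SYN, fragments).

```python
import socket
import struct

# TCP flag bits (RFC 793) in the flags octet of the TCP header.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
IP_MF = 0x2000          # "more fragments" bit in the IPv4 flags/fragment-offset field
IP_OFFSET_MASK = 0x1FFF


def build_packet(src, dst, sport, dport, flags, ttl=64, more_fragments=False, frag_offset=0):
    """Construct a minimal IPv4+TCP header pair (sample data only; checksums are zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, 5 << 4, flags, 65535, 0, 0)
    flags_off = (IP_MF if more_fragments else 0) | (frag_offset & IP_OFFSET_MASK)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, flags_off, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def decode_flags(byte):
    return [name for name, bit in TCP_FLAGS.items() if byte & bit]


def parse_packet(data):
    """Pull the Layer 3 and Layer 4 fields the notes list out of raw header bytes."""
    ver_ihl, _tos, _total, _ident, flags_off, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    pkt = {"version": ver_ihl >> 4, "ttl": ttl, "proto": proto,
           "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
           "more_fragments": bool(flags_off & IP_MF),
           "frag_offset": flags_off & IP_OFFSET_MASK}
    # Only the first fragment (offset 0) carries the transport header.
    if proto == 6 and pkt["frag_offset"] == 0 and len(data) >= ihl + 20:
        sport, dport, seq, ack, _doff, fl, _win, _cs, _urg = \
            struct.unpack("!HHIIBBHHH", data[ihl:ihl + 20])
        pkt.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=decode_flags(fl))
    return pkt


def classify(pkt):
    """Label a parsed packet with the scan / session-state evidence the notes describe."""
    if pkt["more_fragments"] or pkt["frag_offset"]:
        return "fragmented (possible IDS evasion; reassemble before judging)"
    if "flags" not in pkt:
        return "non-TCP or truncated"
    f = set(pkt["flags"])
    if not f:
        return "NULL scan probe"
    if f == {"FIN", "PSH", "URG"}:
        return "Xmas scan probe"
    if f == {"SYN"}:
        return "connection attempt (SYN)"
    if f == {"SYN", "ACK"}:
        return "handshake reply (SYN-ACK)"
    if "RST" in f:
        return "reset (closed port or aborted session)"
    return "established-session traffic"


# Constructed sample packets; addresses come from documentation ranges.
SAMPLES = {
    "null": build_packet("198.51.100.23", "10.0.0.10", 40000, 22, 0),
    "xmas": build_packet("198.51.100.23", "10.0.0.10", 40001, 80, 0x29),
    "syn": build_packet("10.0.0.5", "93.184.216.34", 51000, 443, TCP_FLAGS["SYN"], ttl=128),
    "frag": build_packet("203.0.113.9", "10.0.0.10", 40002, 22, TCP_FLAGS["SYN"],
                         more_fragments=True),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        p = parse_packet(raw)
        print(name, p["src"], "->", p["dst"], p.get("dport"), "ttl", p["ttl"], classify(p))
```

A single flag combination is only a hint; the notes' port-scan evidence comes from many such probes from one source across many ports, so the labels are meant to be counted per source and correlated with the timeline, not read in isolation.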
🧪 Use of Evidence:

| Purpose | Layer 3 (Network) | Layer 4 (Transport) |
|---|---|---|
| Identifying systems | IP addresses, NAT logs | Port numbers, session metadata |
| Detecting attacks | ICMP scans, routing anomalies | Port scans, DoS attacks, protocol misuse |
| Reconstructing events | IP packet flow | TCP session flow, flags, durations |
| Attribution | IP + time correlation to device/user | Port-specific behavior per IP |
