Digital forensics

Networking Fundamentals for Forensic Analysts

The need for understanding Networking 

To be able to successfully conduct a network attack investigation, it is important to have the knowledge of networking. Let us consider a scenario, where an attacker compromises an externally exposed system and intrudes into an organization’s internal system through the initially compromised system. During this attack, an attacker may leave traces in various devices and logs and knowledge of networking will help to visualize the attack and to understand where to look for the logs to be able to investigate further. The following sections of the article provides a high level overview of some networking concepts that can act as a refresher for Forensic Analysts or any security practitioner.

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

Start Learning

What is a Network?

A system of interconnected computers and computerized peripherals such as printers is called computer network. The primary purpose of interconnecting computers is to facilitate information sharing among them. Computers may connect to each other by either wired or wireless media. Following are various network media options used in networks.

Wired:

• Fiber
• Coax
• Twisted-Pair

Wireless:

• Wi-Fi
• Microwave
• Bluetooth
• Infrared

Network Addressing

A network address is an identifier for a node or host on a network. Network addresses are designed to be unique identifiers across the network, although some networks allow for local, private addresses, or locally administered addresses that may not be unique.

IP addresses are used as network addresses in IP networks including the Internet

MAC address are used in Ethernet and other related IEEE 802 network technologies

IP addresses are available in two versions - IPv4 and IPv6

IPv4 addresses:

IPv4 addresses are 32 bit long divided into four groups of 8 bits. Following is a sample IPv4 address: 121.12.32.143. As we can notice IPv4 addresses are 32-bit numeric addresses written as four numbers separated by periods. Each number is called an octet. The number in each octet will be in range from 0-255. Computers and network devices actually read them in binary format. It should be noted that the IP address 127.0.0.1 is called loopback address and it is used to point to the same host.

IPv6 Addresses:

There are about 4 billion IPv4 addresses possible and they are not enough to serve the entire internet in near future and thus IPv6 is introduced. 

IPv6 addresses are the next generation of IP addresses and are 128 bit long hexadecimal addresses. Following is an example of an IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334. As we can notice, each IPv6 address is divided into eight 16 bit groups that are separated by colons. When there are two consecutive hextets with all 0s as highlighted below, the address, those hextets can be replaced with double colons.

2001:0db8:85a3:0000:0000:8a2e:0370:7334

So, the preceding address can also be represented as follows.

2001:0db8:85a3::8a2e:0370:7334

The following address is the loopback address in IPv6.

0:0:0:0:0:0:0:1

All the preceding 0’s in this address can be replaced by double colons and this address can be represented as follows.

::1

 

MAC addresses:

MAC stands for Media Access Control. It is a unique identifier assigned to a network interface. IP addresses assigned to a node or host can be changed. Unlike IP addresses, MAC addresses are described as physical addresses, which cannot be changed. However, it's technically possible to spoof the MAC addresses. Following is an example of a MAC address: 00:1A:C2:7B:00:47.

As we can notice, a MAC address is 48 bits long. A MAC address can be divided into two parts. The first part (24 bits) highlighted below is known as the vendor address, which is unique to the organization which manufactured the network card.

00:1A:C2:7B:00:47

The remaining 24 bits are a unique value assigned by the vendor to make the address unique. One of the commonly seen MAC addresses that is worth noting is a broadcast address, which is highlighted below.

FF:FF:FF:FF:FF:FF

A broadcast address is used when a device needs to send a message to all the devices in the network. MAC addresses are used in Layer 2 communications, whereas IP addresses are used in Layer 3 communications.

Common Ports and Protocols

A port is another address typically an application or service uses. This will allow traffic to be passed to appropriate applications over the network. Port numbers range between 0 and 65,535. Ports 1-1024 are known as privileged ports and administrative privileges or required on a computer to bind these ports to an application or service. While inbound connections end with a connection to port, outbound connections start with a connection from a source port. Source ports are usually the ports above 1024. Following are some common services and the default ports they use.

HyperText Transfer Protocol (HTTP) - port 80

Secure Sockets Layer (SSL) - port 443

File Transfer Protocol (FTP) - port 21

DNS - port 53

Telnet - Port 23

TCP vs UDP

The communications between the computers and services mentioned earlier happen using a communication protocol. TCP and UDP are two most common communication protocols used in computer networking. 

What is TCP?

Transmission Control Protocol (TCP) is a connection-oriented protocol that computers use to communicate over the internet. It is one of the main protocols in TCP/IP networks. TCP provides error-checking and guarantees delivery of data and that packets will be delivered in the order they were sent. TCP uses a three way handshake to establish a reliable connection. 

FTP and HTTP are some examples of applications that make use of TCP.

What is UDP?

User Datagram Protocol (UDP) is a connectionless protocol that works just like TCP but assumes that error-checking and recovery services are not required. Instead, UDP continuously sends datagrams to the recipient whether they receive them or not.

UDP is used in video streaming, VOIP calls and internet games.

Both protocols use different types of header to pack the data for transmission. 

TCP Header format:

The following figure shows TCP header.

As we can notice, the TCP header contains information for both compulsory and optional functions. TCP header is 20 bytes and 24 bytes in length without options and with options respectively. It has a source port and destination port address, both are 16 bit addresses. It has a 32 bit segment number which is used to reassemble the message at the receiver end. It also has a 32 bit acknowledgement number for the previous bytes being received successfully. It has a 4-bit HLEN which stores the length of the header by number of 4- byte words in the header.

There are 6 control flags each of 1 bit and each of them has unique functionality.

•      URG: Urgent pointer Flag
•      ACK: Acknowledgement Flag
•      PSH: Request for push Flag
•      RST: Reset the connection Flag
•      SYN: Synchronize sequence Flag
•      FIN: Terminate the connection Flag

In addition to it, It has a 16 bit checksum which is used for error control. The 16 bit urgent pointer holds the data with the highest priority. Finally, it has a padding capacity upto 40bytes.

Learn Network Forensics

Get hands-on experience analyzing logs, protocols, wireless, web traffic and email for traces left behind by attackers.

Get Started

UDP Header format:

The following figure shows the UDP header.

UDP header contains information only about the compulsory functions and it is 8 bytes in length. It has source and destination port addresses each of 16 bit, which identify port numbers of source and destination. It has a 16 bit length segment which holds the length of UDP header along with data. It also has a 16 bit checksum similar to TCP for error control.

 

Sources

1. https://www.geeksforgeeks.org/user-datagram-protocol-udp/
2. https://www.ibm.com/support/knowledgecenter/ssw_aix_72/network/protocols_tcp_headerfields.html
3. https://www.sciencedirect.com/topics/computer-science/acknowledgment-number