Week 7 - Network Forensics

Question 1

Why has network forensics become critical?

Answer 1

Explosion in breaches across home/corporate/internet/vehicle networks. Blurring of physical vs cloud data.
Common devices (laptops, phones, smart TVs, Alexa, IoT) all leave traces.

Question 2

List the main sources of network forensic evidence.

Answer 2

Firewall / IDS alerts
Captured (“sniffed”) network traffic
ISP logs, network device logs (switches/routers)
Application logs (web servers, email)
VoIP traffic
Security monitoring (e.g., NetFlow)

Question 3

What organisational challenges exist in network investigations?

Answer 3

Often handled by general IT staff - poor evidence handling.
High stakes - financial liability, reputation.
Investigations span client devices + interlinked distributed servers/services.

Question 4

What are the main difficulties in network forensics?

Answer 4

Distributed systems - hard to capture everything
Transient data (network flows) - dynamic; use system logs where possible
Encryption - still possible to capture metadata

Question 5

Closed vs Open systems – definitions?

Answer 5

Closed: Never connected to internet or other systems
Open: Ever connected (most real-world systems)

Question 6

What are the two opportunities for forensic capturing?

Answer 6

Real-time capture and analysis (live)
Retroactive capture and analysis (logs/artefacts)

Question 7

Why use layered models like OSI/TCP/IP?

Answer 7

Simplifies complex processes
Abstraction
Interoperability across vendors
Easier troubleshooting by isolating layers.

Question 8

OSI Layer: 7 Application (purpose, data type, forensic notes)

Answer 8

User/app services (HTTP, DNS, SMTP)
HTTP, DNS, SMTP
Client-server, peer-to-peer

Question 9

OSI Layer: 6 Presentation (purpose, data type, forensic notes)

Answer 9

Data readability (encryption, format conversion)
mp3, jpeg
Encryption challenges

Question 10

OSI Layer: 5 Session (purpose, data type, forensic notes)

Answer 10

Maintain dialogues/conversations
Conversation fragments
Session hijacking, tracking conversations

Question 11

OSI Layer: 4 Transport (purpose, data type, devices, forensic notes)

Answer 11

Node-to-node comms, slip sessions into packets for travel
Reliable delivery
TCP, UDP
Firewalls
TCP SYN flooding, 3-way handshake

Question 12

OSI Layer: 3 Network (purpose, data type, devices, forensic notes)

Answer 12

Routing, IP-to-MAC
Packets
Routers
IP spoofing, timeline critical

Question 13

OSI Layer: 2 Data Link (purpose, data type, devices, forensic notes)

Answer 13

Local network hops
Frames
Hubs, bridges, switches, MAC
MAC spoofing possible, LAN evidence

Question 14

OSI Layer: 1 Physical (purpose, data type, devices, forensic notes)

Answer 14

Physical connection
Bits
Devices - NIC, Network hub
Physical taps/access

Question 15

Key Transport Layer protocols and attacks?

Answer 15

TCP: connection-oriented, reliable, 3-way handshake (SYN → SYN-ACK → ACK)
UDP: connectionless, fast, best-effort (VoIP, video)
Attack: TCP SYN flooding (DoS – table overflow)

Question 16

Key Network Layer concepts (IPv4, NAT, ARP)?

Answer 16

IPv4 classes (A/B/C), subnetting
NAT: multiple devices share one public IP
ARP: IP ↔ MAC mapping
Home range: 192.168.0.0 – 192.168.255.255

Question 17

What tools inspect network traffic?

Answer 17

Packet sniffers (Wireshark, tcpdump, ngrep) – inspect layers 2-3, carve files, view TCP headers (easily spoofed).

Question 18

Why is timeline critical in network forensics?

Answer 18

IP addresses change over time; spoofing is common.

Question 19

Common anonymisation techniques?

Answer 19

Proxies: hide client IP, all clients appear same
Onion routing (Tor): layered encryption, each node only knows neighbours
Web drops: web-based email without direct sending

Question 20

Forensic value of WWW / Browser artefacts?

Answer 20

Browser cache, history, cookies (dates, domains, values).
HTTP methods (GET safe; POST/PUT harmful).
Plugins/BHOs can be compromised.

Question 21

Forensic concerns with Cookies?

Answer 21

Rich source (Created, Domain, Expires, Name, Path, Value) but easily manipulated/deleted.

Question 22

Email protocols and forensic issues?

Answer 22

SMTP (sending, port 25), POP3/IMAP (retrieval). Headers easily forged (spam). Full headers often hidden – check .PST or raw mail files.

Question 23

Forensic differences between Client-Server and Peer-to-Peer chat/forums?

Answer 23

Client-Server: central node; client rarely has partner IP
Peer-to-Peer: nodes keep contact IP lists; super-nodes act as directory

Question 24

VoIP forensic concerns?

Answer 24

Easily spoofed caller ID, inadequate security, PBX voicemail fraud.

Question 25

Compare Hubs, Switches, Routers (forensic view).

Answer 25

Hub: broadcasts everything (Layer 1) Switch: intelligent forwarding (Layers 2-3) Router: connects networks, routes by IP, often encrypted (WPA2/3)

Question 26

Forensic value of Proxy Servers?

Answer 26

Hide/spoof addresses; web proxy cache reveals internet activity.

Question 27

What do Web Server logs contain?

Answer 27

Source IP, date/time, HTTP status, requested resource.

Question 28

Forensic value of DHCP & DNS servers?

Answer 28

DHCP: MAC ↔ IP assignments, lease times, routing table DNS: FQDN → IP, WHOIS ownership info, traceroute hops

Question 29

Firewall types and what they log?

Answer 29

Stateless (ACL: IP + port) Stateful (tracks active connections) UTM / NGFW (Layer 7, content) Logs: origin/dest, timestamps, data volume, protocols, blocked attempts.

Question 30

IDS vs IPS – differences?

Answer 30

IDS: monitors & alerts (NIDS, NNIDS, HIDS) IPS: detects + automatically blocks/resets

Question 31

IoT forensic challenges? (4)

Answer 31

High diversity of devices Permanently online Difficult preservation Lack of standards for acquisition.

Question 32

What is Triage in incident response?

Answer 32

Determining most urgent items: filter false positives, mitigate risk, capture perishable data, prevent further damage, involve ISP/police, share threat intelligence.

Question 33

What is an Advanced Persistent Threat (APT)?

Answer 33

Sophisticated, long-term, coordinated attack (often state-sponsored) to steal IP. Uses lateral movement and timestomping.

Question 34

Outline the Intrusion Kill Chain.

Answer 34

Reconnaissance → Weaponisation → Delivery → Exploitation → Command & Control → Exfiltration.

Question 35

What are Indicators of Compromise (IoC)?

Answer 35

Anything showing an attack occurred (changed from normal): unusual registry keys, DLLs, files in odd locations, etc.

Question 36

Key forensic concerns when handling network evidence? (4)

Answer 36

Cannot always map virtual identity to real-world person Copy & sign digital logs Routers have limited storage – logs may be sent remotely Local logs lost on shutdown (use console port if possible)