EPISODE · Dec 6, 2025 · 13 MIN
Course 13 - Network Forensics | Episode 1: Fundamentals, Attack Vectors, and Digital Tracing
from CyberCode Academy · host CyberCode Academy
In this lesson, you'll learn about Network Forensics: Key Concepts and Techniques, including:
- The fundamentals of networks and physical security risks
- Common network attack vectors and exploitation techniques
- Critical protocols, encryption methods, and anonymity technologies
- Essential tools and methodologies used in network forensic investigations

1. Network Fundamentals & Physical Security
Understanding how networks operate is essential for forensic analysis.
Physical access = high risk
- Coax-based networks are insecure.
- Wiring closets and data closets are prime targets.
- Example: An MIT associate once accessed a wiring closet, deployed a server, and was only detected via CCTV.
Network devices by OSI layer:
- Hub → Layer 1 repeater
- Switch → Layer 2 (MAC-based)
- Router → Layer 3
- Firewall → Layer 4 (TCP/UDP port filtering)
NAT ("poor man's proxy")
- Multiple internal IPs share one external IP.
- NAT blocks inbound attacks but is bypassed when an infected internal system creates an outbound tunnel.

2. Attack Vectors and Network Exploits
Wireless as a major weakness
- Wireless signals broadcast publicly, making them easy to attack.
- Deauthentication attacks can be launched with cheap hardware (e.g., ESP8266 boards for $20-$25).
Core attack techniques
MAC Spoofing
- MAC addresses can be changed easily (e.g., using macchanger).
- Investigators look for activity stopping on one MAC/IP and continuing on another.
- Tracking spoofed devices typically requires WIPS and triangulation.
ARP Poisoning & MAC Flooding
- ARP poisoning redirects traffic by impersonating the gateway.
- MAC flooding forces switches to behave like hubs.
- Port security can mitigate these attacks.
DNS Poisoning
- Redirects a domain to an attacker-controlled IP.
- Local hosts files can be manipulated (e.g., domain → 127.0.0.1).
TCP/IP Spoofing
- Effective spoofing requires MITM positioning to block reset packets.
- Blind spoofing is used in large-scale DoS to confuse IDS systems.

3. Protocols, Encryption & Anonymity
Secure vs. insecure protocols:
- SSH (22) replaced Telnet (23).
- FTP sends credentials in plaintext.
- SNMP (161/162) must never be exposed externally due to sensitive config data.
Malware ports commonly observed:
- 666, 1337, 12345, 54321, 4444, 5555.
IPv6 & IPSec:
- IPv6 often uses IPSec, enabling point-to-point encrypted traffic that is difficult to intercept or spoof.
Tor and onion routing:
- Uses three layers of encryption across multiple nodes.
- Nearly impossible for a basic investigator to break.
- Only encrypted inside the Tor network; exit node traffic to non-HTTPS sites is exposed.

4. Forensic Tools & Investigation Methodology
Log-Based Investigation
- External attacks rely on router logs, firewall logs, and IDS logs.
- Internal attacks rely on logs from internal devices and systems.
Key Tools
Security Information Management Systems (SIMS)
- Aggregate logs from thousands of sources.
- Normalize data and identify correlated attack patterns.
Packet Sniffers & Protocol Analyzers
- Wireshark captures Layer 2 traffic.
- "Follow stream" helps isolate conversations and manually carve data.
Netstat
- Shows open ports and active network connections.
- Not forensically sound on original evidence; it should be used only on a copy or VM.
Timestamp Synchronization
- Timestamps are critical for correlating logs.
- All systems should sync to a trusted NTP server.
- If timestamps differ, investigators must calculate and apply the correct offset.

You can listen and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy
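Two of the investigative points above (the MAC-spoofing indicator in section 2, where activity stops on one MAC and continues on another, and the timestamp-offset correction in section 4) can be shown together in one small script. This is an added example, not code from the episode or from CyberCode Academy; the firewall and DHCP log lines, their field names, and the 90-second firewall clock skew are all constructed for illustration.

```python
"""Normalize log timestamps from multiple sources, then flag IP-to-MAC pivots.

Added example (not from the CyberCode Academy episode). The log formats,
field names and clock offsets below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample logs. Assume the investigator has already compared each
# source's clock against the trusted NTP server: the firewall runs 90 s fast,
# the DHCP server is in sync.
FIREWALL_LOG = """\
2025-12-06 10:01:30 fw allow src=10.0.0.5 mac=aa:bb:cc:dd:ee:01 dst=203.0.113.9:443
2025-12-06 10:08:00 fw allow src=10.0.0.5 mac=aa:bb:cc:dd:ee:01 dst=203.0.113.9:443
2025-12-06 10:09:00 fw allow src=10.0.0.5 mac=aa:bb:cc:dd:ee:99 dst=203.0.113.9:443
"""
DHCP_LOG = """\
2025-12-06 10:00:00 dhcp lease ip=10.0.0.5 mac=aa:bb:cc:dd:ee:01
2025-12-06 10:07:10 dhcp lease ip=10.0.0.5 mac=aa:bb:cc:dd:ee:99
"""

# Measured per-source offsets in seconds: (source clock) - (reference clock).
CLOCK_OFFSETS = {"fw": 90, "dhcp": 0}

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.*)$")   # "<date> <time> <source> <rest>"
KV_RE = re.compile(r"(\w+)=(\S+)")                 # key=value pairs in <rest>


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": m.group(2), "fields": dict(KV_RE.findall(m.group(3))), "raw": line}


def normalize(events, offsets):
    """Subtract each source's measured offset so every event sits on the reference clock."""
    corrected = []
    for e in events:
        skew = offsets.get(e["source"], 0)
        corrected.append({**e, "ts": e["ts"] - timedelta(seconds=skew)})
    return sorted(corrected, key=lambda e: e["ts"])


def build_timeline(logs, offsets):
    """Parse several raw log texts and merge them into one offset-corrected timeline."""
    events = []
    for text in logs:
        for line in text.splitlines():
            ev = parse_line(line)
            if ev:
                events.append(ev)
    return normalize(events, offsets)


def find_mac_pivots(timeline):
    """Return (ip, old_mac, new_mac, when) each time an IP's MAC changes along the timeline.

    This is the indicator the episode describes: activity for an address stops on one
    MAC and continues on another. A lease change alone is not proof of spoofing, so
    each hit is a lead for the investigator, not a verdict.
    """
    last_mac = {}
    pivots = []
    for e in timeline:
        f = e["fields"]
        ip, mac = f.get("src") or f.get("ip"), f.get("mac")
        if not ip or not mac:
            continue
        prev = last_mac.get(ip)
        if prev and prev != mac:
            pivots.append((ip, prev, mac, e["ts"].isoformat()))
        last_mac[ip] = mac
    return pivots


if __name__ == "__main__":
    corrected = build_timeline([FIREWALL_LOG, DHCP_LOG], CLOCK_OFFSETS)
    uncorrected = build_timeline([FIREWALL_LOG, DHCP_LOG], {})
    print("with offset correction:", find_mac_pivots(corrected))
    print("without correction    :", find_mac_pivots(uncorrected))
```

With the 90-second firewall skew corrected, the merged timeline shows exactly one pivot for 10.0.0.5 (from ...ee:01 to ...ee:99 at the DHCP lease change). Leaving the offsets unapplied puts a firewall event with the old MAC after the lease change and produces three apparent pivots, two of them spurious, which is precisely why the episode insists on computing and applying the offset before correlating logs.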