Course 13 - Network Forensics | Episode 2: Architecture, Protocols (TCP/UDP), and Evidentiary Value

EPISODE · Dec 7, 2025 · 15 MIN

from CyberCode Academy · host CyberCode Academy

In this lesson, you’ll learn about:
- Core networking architectures and components
- The evidentiary value of network design for forensic investigations
- MAC vs. IP addressing, IPv4 vs. IPv6
- Ports, protocols, and how systems communicate
- TCP (reliable) vs. UDP (unreliable) communication
- Essential protocols: ICMP, DHCP, DNS

1. Networking Architecture & Its Forensic Importance

Network forensics requires a solid understanding of how networks operate. The Internet is defined as a collection of interconnected networks using internet protocols to exchange messages.

Key network types:
- LAN – Local Area Network
- WAN – Wide Area Network
- CAN – Campus Area Network
- MAN – Metropolitan Area Network

DMZ (Demilitarized Zone):
- Positioned between the internal LAN and the internet.
- Hosts publicly accessible systems (web servers, mail servers).
- A critical zone for forensic evidence.

Evidentiary Value Across the Architecture
When an attacker moves from the internet → DMZ → internal network, evidence is left in multiple locations, including:
- Point of origin
- Routers across the internet
- ISP-facing router
- Firewalls
- DMZ switching infrastructure
- The compromised server
Understanding these layers allows investigators to reconstruct attacker movement.

2. Network Components, Addressing & Infrastructure

Network Components
- Transmission media: cables, fiber, wireless
- NICs (Network Interface Cards)
- Nodes (any device connected to the network)

MAC vs. IP Addresses
MAC Address
- Layer 2
- Physical/hardware identifier
- Typically permanent
IP Address
- Layer 3
- Logical/virtual
- Changes frequently depending on network

IPv4 vs. IPv6
- IPv4 → 32-bit addressing
- IPv6 → 128-bit addressing with IPSec built in (encryption/authentication)

Public vs. Private Addressing
- Public = Routable on the internet
- Private = Non-routable (internal networks)
- NAT (Network Address Translation) is used to map internal private IPs to a public-facing address.

IP Address Classes
- Class A
- Class B
- Class C
- Class E (experimental)

3. Ports & Communication Protocols

Ports
- Think of ports as "traffic lanes" used for communication.
- Total: 65,535 ports
- 1–1024 → Well-known ports
- 1025+ → Ephemeral or dynamic ports
- Services (Windows) / Daemons (Linux) bind to these ports.

Protocols
- Protocols define communication rules between systems.
- Governed by RFC (Request for Comments) standards.

4. TCP – The Reliable Protocol

Key TCP Header Elements
- Source port
- Destination port
- Sequence number
- Flags

Connection Management
- Three-Way Handshake (start of session): SYN → SYN/ACK → ACK
- Four-Way Combo (end of session): FIN/ACK → ACK → FIN/ACK → ACK
- Total overhead: 7 packets for a complete start + close cycle.

Important TCP Flags
- Urgent Pointer – Marks urgent/priority data
- Push (PSH) – Forces buffered data to transmit immediately
- Reset (RST) – Abruptly closes a session
TCP is reliable because it ensures ordered, confirmed delivery.

5. UDP – The Unreliable Protocol
- Connectionless, no handshake.
- Faster, lower overhead.
- Ideal for short or time-sensitive bursts of data.
Common uses:
- DNS queries
- Audio/video streaming
- VoIP
UDP does not guarantee delivery, order, or error correction.

6. Other Essential Protocols

ICMP (Internet Control Message Protocol)
- Used for error reporting and network diagnostics.
- Helps identify optimal routing paths.

DHCP (Dynamic Host Configuration Protocol)
- Automatically assigns IP addresses, subnet masks, and gateways to clients.

DNS (Domain Name System)
- Translates human-friendly domain names into IP addresses.
- Essential for both internal and external connectivity.

You can listen and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy
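The TCP section above (three-way handshake, four-way close, the 7-packet overhead, and RST as an abrupt close) is what an investigator reconstructs when reading a capture. The following is an added example written for this page, not code from CyberCode Academy: a small state machine that walks a constructed packet list for one flow and reports whether the handshake completed, how many data packets followed, and whether the session ended with a FIN exchange, a reset, or not at all. The addresses, flag sets and packet lists are constructed; sequence numbers are omitted to keep the logic readable.

```python
# Added example (not CyberCode Academy code): reconstruct TCP session
# lifecycles from a constructed packet list of (src_ip, dst_ip, flags).
from dataclasses import dataclass

@dataclass
class Session:
    packets: int = 0         # all packets seen, incl. handshake and close
    handshake_done: bool = False
    data_packets: int = 0    # PSH-flagged packets after the handshake
    closed_by: str = "open"  # "fin" = four-way close, "rst" = abrupt reset
HANDSHAKE = (  # three-way handshake: expected flags and sender, in order
    (frozenset({"SYN"}), "client"),
    (frozenset({"SYN", "ACK"}), "server"),
    (frozenset({"ACK"}), "client"))

def track_session(client, server, packets):
    s = Session()
    state, step, fins = "handshake", 0, 0
    for src, _dst, flags in packets:
        s.packets += 1
        sender = "client" if src == client else "server"
        if "RST" in flags:               # RST tears the session down at once
            s.closed_by = "rst"
            break
        if state == "handshake":
            want, who = HANDSHAKE[step]
            if flags == want and sender == who:
                step += 1
            if step == len(HANDSHAKE):
                state, s.handshake_done = "established", True
        elif state == "established":
            if "FIN" in flags:           # first FIN/ACK opens the four-way close
                state, fins = "closing", 1
            elif "PSH" in flags:
                s.data_packets += 1
        elif state == "closing":
            if "FIN" in flags:
                fins += 1
            elif flags == {"ACK"} and fins == 2:  # final ACK completes the close
                state, s.closed_by = "closed", "fin"
    return s

C, S = "10.0.0.5", "203.0.113.10"   # constructed client / DMZ web server addresses
F = lambda *names: frozenset(names)
CLEAN = [(C, S, F("SYN")), (S, C, F("SYN", "ACK")), (C, S, F("ACK")),   # handshake
         (C, S, F("PSH", "ACK")), (S, C, F("PSH", "ACK")),               # data
         (C, S, F("FIN", "ACK")), (S, C, F("ACK")),                      # close
         (S, C, F("FIN", "ACK")), (C, S, F("ACK"))]
RESET = CLEAN[:4] + [(S, C, F("RST", "ACK"))]   # server resets after first request
HALF_OPEN = [(C, S, F("SYN"))]                  # SYN never answered: no session
```

Removing the two data packets from CLEAN leaves exactly the 7-packet start + close cycle the lesson describes, and a flow that stays "open" with handshake_done False is a SYN that was never answered.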
