PodParley
Course 13 - Network Forensics | Episode 3: Network Forensics, Security Tools, and Defensive Architecture

EPISODE · Dec 8, 2025 · 16 MIN


from CyberCode Academy · host CyberCode Academy

In this lesson, you’ll learn about:
- The purpose and scope of Network Forensics
- Key evidence sources across a networked environment
- Essential security tools: scanners, sniffers, IDS/IPS
- Defensive architecture: firewalls, DMZs, bastion hosts
- Core security protocols: Kerberos, VPNs, SSH, SSL/TLS
- Integrity monitoring and log management systems

1. What Is Network Forensics?

Network forensics is a branch of digital forensics focused on analyzing network traffic to gather evidence, detect intrusions, and understand attacker behavior.

It allows investigators to determine:
- How an intruder entered
- The intrusion path taken
- The techniques used

Requires systematic tracking of inbound/outbound traffic and knowledge of “normal” behavior to spot anomalies.
Skilled attackers are harder to trace, but all intruders leave artifacts somewhere.

Key Evidence Sources
- Firewalls
- Routers
- IDS/IPS systems
- Packet sniffers
- Proxy servers
- Authentication servers

Logs from these devices form the foundation of network investigation.

Role of Other Forensics

Network forensics complements computer/memory forensics. Examples:
- Packet analysis may reveal what to look for on a compromised machine.
- Memory forensics may indicate specific encrypted packets that require deeper analysis.

Tools like tcpdump extract raw packet data.
Attacker attribution sometimes requires legal processes (e.g., subpoenas to ISPs or Wi-Fi providers).

2. Security Tools & OSI Layer Weaknesses

The OSI model helps identify where vulnerabilities exist.
Layers 1, 2, 6, and 7 tend to be weaker than layers 3, 4, and 5.

Key Security Tools
- Port Scanners
  - Identify open ports and exposed services.
  - Example: Nmap.
- Packet Sniffers / Analyzers
  - Wireshark (analyzer that can sniff)
  - tcpdump (pure command-line sniffer)
- Intrusion Detection Systems (IDS)
  - Example: Snort.
  - Works like a sniffer with rules; alerts on malicious patterns.
- Intrusion Prevention Systems (IPS)
  - Active responses: modify packets, block ports, shut down segments.
  - Must be configured carefully to avoid accidental denial-of-service events.

3. Defensive Network Architecture

Firewalls

Hardware + software systems controlling access based on packet characteristics.

Types of Firewalls
- Packet Filtering (Layer 3)
  - Early model, examines only IP and port.
  - Does not track session state.
- Stateful Firewalls (Layer 4)
  - Track session state and connection flows.
  - Prevent forged packets unless the session was legitimately initiated.
- Application-Layer Firewalls (Layers 6–7)
  - Deep packet inspection.
  - Can enforce command-level rules (e.g., allow FTP GET but block FTP PUT).

DMZ (Demilitarized Zone)
- A network segment between internal LAN and the external internet.
- Hosts public-facing resources (web, mail servers).

Bastion Host
- Hardened system placed in the untrusted network zone (DMZ).
- Common examples: web servers, mail servers.

4. Authentication, Encryption & Secure Protocols

Kerberos (SSO Authentication)
- A trusted third-party authentication system.
- Uses a ticket-granting server to authenticate: Client → Kerberos → Resource (e.g., printer)
- Commonly used for Single Sign-On.

VPNs (Virtual Private Networks)
- Encrypt traffic between two endpoints.
- Important note: VPNs do not create isolated physical paths; they still traverse the same routers.
- Encryption layers:
  - Layer 2 → L2TP
  - Layer 3 → IPSec
  - Layers 5–7 → SSL/TLS
- Purpose: privacy, not magical invisibility.

SSH (Secure Shell)
- Commonly used for encrypted remote access, tunneling, and file transfer.
- Operates on port 22.

SSL/TLS Process

A hybrid crypto model:
- Browser creates a secret session key.
- Browser encrypts this key using the server’s public key.
- Server decrypts it using its private key.
- Both sides now share the secret and switch to symmetric encryption for the session.

5. File Integrity & Log Management

File Integrity Checking
- Tools like Tripwire monitor critical files.
- Use hashing to detect unauthorized changes.
- Alerts admins when files are modified.

Log Management & SIEM
- SIEM solutions combine:
  - Security Information Management (SIM)
  - Security Event Management (SEM)
- Examples: LogRhythm, Splunk.
- Aggregate logs from across the environment, correlate events, and identify patterns.

You can listen and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy
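
Added example (not part of the episode notes): a small Python model of the packet-filtering versus stateful firewall distinction from section 3, run over constructed packets. The address range, the "allow inbound from source port 443" rule and all names are assumptions made for illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src sport dst dport flags")
INSIDE = ip_network("10.0.0.0/24")  # assumed internal LAN

def is_inside(addr):
    return ip_address(addr) in INSIDE

def packet_filter(pkt):
    """Stateless filter: judges each packet by IP and port alone."""
    if is_inside(pkt.src):
        return True  # outbound traffic is allowed
    # Inbound: anything that *looks* like a reply from an HTTPS server passes.
    return is_inside(pkt.dst) and pkt.sport == 443

class StatefulFirewall:
    """Tracks sessions opened from inside; inbound must match one."""
    def __init__(self):
        self.sessions = set()

    def check(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if is_inside(pkt.src):
            if pkt.flags == "SYN":
                self.sessions.add(key)      # session legitimately initiated
            elif pkt.flags == "RST":
                self.sessions.discard(key)  # simplified teardown
            return True
        # Inbound is accepted only as the reverse of a tracked session.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

# Constructed sample traffic (documentation address ranges).
TRAFFIC = [
    Packet("10.0.0.5", 50000, "203.0.113.10", 443, "SYN"),      # client opens session
    Packet("203.0.113.10", 443, "10.0.0.5", 50000, "SYN-ACK"),  # genuine reply
    Packet("198.51.100.66", 443, "10.0.0.9", 3389, "ACK"),      # forged "reply", no session
    Packet("10.0.0.5", 50000, "203.0.113.10", 443, "RST"),      # client tears down
    Packet("203.0.113.10", 443, "10.0.0.5", 50000, "ACK"),      # late packet after teardown
]

def evaluate(traffic):
    """Return (stateless_verdict, stateful_verdict) for each packet."""
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.check(p)) for p in traffic]

if __name__ == "__main__":
    for pkt, verdicts in zip(TRAFFIC, evaluate(TRAFFIC)):
        print(pkt, "filter=%s stateful=%s" % verdicts)
```

The third and fifth packets are where the two designs differ: the stateless filter accepts both because the source port matches its rule, while the stateful firewall drops them because no live session exists.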
