Course 13 - Network Forensics | Episode 1: Fundamentals, Attack Vectors, and Digital Tracing

Network Forensics – Key Concepts and Techniques

In this lesson, you’ll learn about:
- The fundamentals of networks and physical security risks
- Common network attack vectors and exploitation techniques
- Critical protocols, encryption methods, and anonymity technologies
- Essential tools and methodologies used in network forensic investigations
1. Network Fundamentals & Physical Security
- Understanding how networks operate is essential for forensic analysis.
- Physical access = high risk
  - Coax-based networks are insecure.
  - Wiring closets and data closets are prime targets.
  - Example: An MIT associate once accessed a wiring closet, deployed a server, and was only detected via CCTV.
- Network devices by OSI layer:
  - Hub → Layer 1 repeater
  - Switch → Layer 2 (MAC-based)
  - Router → Layer 3
  - Firewall → Layer 4 (TCP/UDP port filtering)
- NAT ("poor man's proxy")
  - Multiple internal IPs share one external IP.
  - NAT blocks inbound attacks but is bypassed when an infected internal system creates an outbound tunnel.
2. Attack Vectors and Network Exploits
Wireless as a major weakness
- Wireless signals broadcast publicly, making them easy to attack.
- Deauthentication attacks can be launched with cheap hardware (e.g., ESP8266 boards for $20-$25).
Core attack techniques
- MAC Spoofing
  - MAC addresses can be changed easily (e.g., using macchanger).
  - Investigators look for activity stopping on one MAC/IP and continuing on another.
  - Tracking spoofed devices typically requires WIPS and triangulation.
- ARP Poisoning & MAC Flooding
  - ARP poisoning redirects traffic by impersonating the gateway.
  - MAC flooding forces switches to behave like hubs.
  - Port security can mitigate these attacks.
- DNS Poisoning
  - Redirects a domain to an attacker-controlled IP.
  - Local hosts files can be manipulated (e.g., domain → 127.0.0.1).
- TCP/IP Spoofing
  - Effective spoofing requires MITM positioning to block reset packets.
  - Blind spoofing is used in large-scale DoS to confuse IDS systems.
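As an added example (not from the episode), the "activity stops on one MAC and continues on another" check from the MAC spoofing notes, run over constructed ARP-monitor style log lines; the line format, addresses and timestamps are assumptions made for the demonstration:

```python
"""Spot an IP whose activity stops on one MAC and resumes on another.

Added example, not from the podcast. The log format below is an
assumption (timestamp, 'arp', ip=..., mac=...), not any real tool's output.
"""
import re
from datetime import datetime

# Constructed sample log lines: 10.0.0.25 is seen on one MAC, goes quiet,
# then reappears on a different MAC; 10.0.0.31 is stable throughout.
SAMPLE_LOG = """\
2024-05-01T09:58:10 arp ip=10.0.0.25 mac=aa:bb:cc:00:00:01
2024-05-01T09:59:40 arp ip=10.0.0.25 mac=aa:bb:cc:00:00:01
2024-05-01T10:00:05 arp ip=10.0.0.31 mac=aa:bb:cc:00:00:07
2024-05-01T10:03:12 arp ip=10.0.0.25 mac=DE:AD:BE:EF:00:02
2024-05-01T10:04:00 arp ip=10.0.0.25 mac=de:ad:be:ef:00:02
2024-05-01T10:05:30 arp ip=10.0.0.31 mac=aa:bb:cc:00:00:07
"""

LINE_RE = re.compile(r"^(\S+) arp ip=(\S+) mac=(\S+)$")


def parse(log_text):
    """Return (timestamp, ip, mac) tuples sorted by time; MACs lower-cased."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)),
                           m.group(2), m.group(3).lower()))
    return sorted(events)


def find_mac_handovers(events):
    """For each IP, report every point where its MAC changes and the gap."""
    last_seen = {}  # ip -> (mac, time of last sighting on that mac)
    findings = []
    for ts, ip, mac in events:
        prev = last_seen.get(ip)
        if prev and prev[0] != mac:
            findings.append({"ip": ip, "old_mac": prev[0], "new_mac": mac,
                             "old_last_seen": prev[1], "new_first_seen": ts})
        last_seen[ip] = (mac, ts)
    return findings


if __name__ == "__main__":
    for f in find_mac_handovers(parse(SAMPLE_LOG)):
        gap = f["new_first_seen"] - f["old_last_seen"]
        print(f"{f['ip']}: {f['old_mac']} -> {f['new_mac']} after {gap}")
```

A handover alone is not proof of spoofing (DHCP reassignments produce the same pattern), so each finding is a lead to confirm against DHCP lease logs and switch port records.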
3. Protocols, Encryption & Anonymity
- Secure vs. insecure protocols:
  - SSH (22) replaced Telnet (23).
  - FTP sends credentials in plaintext.
  - SNMP (161/162) must never be exposed externally due to sensitive config data.
- Malware ports commonly observed:
  - 666, 1337, 12345, 54321, 4444, 5555.
- IPv6 & IPSec:
  - IPv6 often uses IPSec, enabling point-to-point encrypted traffic that is difficult to intercept or spoof.
- Tor and onion routing:
  - Uses three layers of encryption across multiple nodes.
  - Nearly impossible for a basic investigator to break.
  - Only encrypted inside the Tor network—exit node traffic to non-HTTPS sites is exposed.
4. Forensic Tools & Investigation Methodology
Log-Based Investigation
- External attacks rely on:
  - Router logs
  - Firewall logs
  - IDS logs
- Internal attacks rely on logs from internal devices and systems.
Key Tools
- Security Information Management Systems (SIMS)
  - Aggregate logs from thousands of sources.
  - Normalize data and identify correlated attack patterns.
- Packet Sniffers & Protocol Analyzers
  - Wireshark captures Layer 2 traffic.
  - “Follow stream” helps isolate conversations and manually carve data.
- Netstat
  - Shows open ports and active network connections.
  - Not forensically sound on original evidence—should be used only on a copy or VM.
Timestamp Synchronization
- Timestamps are critical for correlating logs.
- All systems should sync to a trusted NTP server.
- If timestamps differ, investigators must calculate and apply the correct offset.
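As an added example (not from the episode), the offset calculation the last point describes: each log source's clock skew is measured against the trusted NTP-synced reference on one event both clocks recorded, then applied to every timestamp from that source before merging. The sources, events, addresses and skews are constructed for the demonstration:

```python
"""Correct clock skew between log sources before correlating them.

Added example, not from the podcast. Offsets are measured on an anchor
event (here a constructed NTP sync message) whose true time is known
from the trusted NTP server, then subtracted from every local timestamp.
"""
from datetime import datetime

# Constructed sample events: (local timestamp as logged, message).
# The firewall clock runs 135 s fast and the IDS clock runs 40 s slow.
FIREWALL = [
    ("2024-05-01T10:02:15", "NTP sync with 10.0.0.5"),  # anchor event
    ("2024-05-01T10:06:20", "DENY tcp 203.0.113.9 -> 10.0.0.25:4444"),
]
IDS = [
    ("2024-05-01T09:59:20", "NTP sync with 10.0.0.5"),  # anchor event
    ("2024-05-01T10:03:55", "ALERT suspicious outbound to 203.0.113.9"),
]
# True time of the anchor event according to the trusted NTP server.
REFERENCE_ANCHOR = "2024-05-01T10:00:00"


def measure_offset(source_anchor_ts, reference_anchor_ts):
    """How far the source clock runs ahead (+) of or behind (-) the reference."""
    return datetime.fromisoformat(source_anchor_ts) - datetime.fromisoformat(reference_anchor_ts)


def normalize(name, events, offset):
    """Shift every timestamp from one source into reference time."""
    return [(datetime.fromisoformat(ts) - offset, name, msg) for ts, msg in events]


def build_timeline(reference_anchor_ts, sources):
    """sources: {name: (events, local ts of the anchor event)} -> merged timeline."""
    timeline = []
    for name, (events, anchor_ts) in sources.items():
        offset = measure_offset(anchor_ts, reference_anchor_ts)
        timeline.extend(normalize(name, events, offset))
    return sorted(timeline)


if __name__ == "__main__":
    sources = {"firewall": (FIREWALL, FIREWALL[0][0]), "ids": (IDS, IDS[0][0])}
    for ts, src, msg in build_timeline(REFERENCE_ANCHOR, sources):
        print(ts.isoformat(), src, msg)
```

On the raw timestamps the IDS alert appears to precede the firewall deny; after correction the deny comes first, which changes the story the timeline tells.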
You can listen to and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy
By CyberCode Academy