December 07, 2025

Course 13 - Network Forensics | Episode 2: Architecture, Protocols (TCP/UDP), and Evidentiary Value

15 minutes

In this lesson, you’ll learn about:

Core networking architectures and components
The evidentiary value of network design for forensic investigations
MAC vs. IP addressing, IPv4 vs. IPv6
Ports, protocols, and how systems communicate
TCP (reliable) vs. UDP (unreliable) communication
Essential protocols: ICMP, DHCP, DNS

1. Networking Architecture & Its Forensic Importance

Network forensics requires a solid understanding of how networks operate.
The Internet is defined as a collection of interconnected networks using internet protocols to exchange messages.
Key network types:
- LAN – Local Area Network
- WAN – Wide Area Network
- CAN – Campus Area Network
- MAN – Metropolitan Area Network
DMZ (Demilitarized Zone):
- Positioned between the internal LAN and the internet.
- Hosts publicly accessible systems (web servers, mail servers).
- A critical zone for forensic evidence.

Evidentiary Value Across the Architecture When an attacker moves from the internet → DMZ → internal network, evidence is left in multiple locations, including:

Point of origin
Routers across the internet
ISP-facing router
Firewalls
DMZ switching infrastructure
The compromised server
Understanding these layers allows investigators to reconstruct attacker movement.

2. Network Components, Addressing & Infrastructure Network Components

Transmission media: cables, fiber, wireless
NICs (Network Interface Cards)
Nodes (any device connected to the network)

MAC vs. IP Addresses

MAC Address
- Layer 2
- Physical/hardware identifier
- Typically permanent
IP Address
- Layer 3
- Logical/virtual
- Changes frequently depending on network

IPv4 vs. IPv6

IPv4 → 32-bit addressing
IPv6 → 128-bit addressing with IPSec built in (encryption/authentication)

Public vs. Private Addressing

Public = Routable on the internet
Private = Non-routable (internal networks)
NAT (Network Address Translation) is used to map internal private IPs to a public-facing address.

IP Address Classes

Class A
Class B
Class C
Class E (experimental)

3. Ports & Communication Protocols Ports

Think of ports as "traffic lanes" used for communication.
Total: 65,535 ports
- 1–1024 → Well-known ports
- 1025+ → Ephemeral or dynamic ports
Services (Windows) / Daemons (Linux) bind to these ports.

Protocols

Protocols define communication rules between systems.
Governed by RFCs (Request for Comments) standards.

4. TCP – The Reliable Protocol Key TCP Header Elements

Source port
Destination port
Sequence number
Flags

Connection Management

Three-Way Handshake (Start of session)
- SYN → SYN/ACK → ACK
Four-Way Combo (End of session)
- FIN/ACK → ACK → FIN/ACK → ACK
Total overhead: 7 packets for a complete start + close cycle.

Important TCP Flags

Urgent Pointer – Marks urgent/priority data
Push (PSH) – Forces buffered data to transmit immediately
Reset (RST) – Abruptly closes a session

TCP is reliable because it ensures ordered, confirmed delivery. 5. UDP – The Unreliable Protocol

Connectionless, no handshake.
Faster, lower overhead.
Ideal for short or time-sensitive bursts of data.
Common uses:
- DNS queries
- Audio/video streaming
- VoIP

UDP does not guarantee delivery, order, or error correction. 6. Other Essential Protocols ICMP (Internet Control Message Protocol)

Used for error reporting and network diagnostics.
Helps identify optimal routing paths.

DHCP (Dynamic Host Configuration Protocol)

Automatically assigns IP addresses, subnet masks, and gateways to clients.

DNS (Domain Name System)

Translates human-friendly domain names into IP addresses.
Essential for both internal and external connectivity.

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy

...more

View all episodes

By CyberCode Academy

December 07, 2025

Course 13 - Network Forensics | Episode 2: Architecture, Protocols (TCP/UDP), and Evidentiary Value

15 minutes

In this lesson, you’ll learn about:

Core networking architectures and components
The evidentiary value of network design for forensic investigations
MAC vs. IP addressing, IPv4 vs. IPv6
Ports, protocols, and how systems communicate
TCP (reliable) vs. UDP (unreliable) communication
Essential protocols: ICMP, DHCP, DNS

1. Networking Architecture & Its Forensic Importance

Network forensics requires a solid understanding of how networks operate.
The Internet is defined as a collection of interconnected networks using internet protocols to exchange messages.
Key network types:
- LAN – Local Area Network
- WAN – Wide Area Network
- CAN – Campus Area Network
- MAN – Metropolitan Area Network
DMZ (Demilitarized Zone):
- Positioned between the internal LAN and the internet.
- Hosts publicly accessible systems (web servers, mail servers).
- A critical zone for forensic evidence.

Evidentiary Value Across the Architecture When an attacker moves from the internet → DMZ → internal network, evidence is left in multiple locations, including:

Point of origin
Routers across the internet
ISP-facing router
Firewalls
DMZ switching infrastructure
The compromised server
Understanding these layers allows investigators to reconstruct attacker movement.

2. Network Components, Addressing & Infrastructure Network Components

Transmission media: cables, fiber, wireless
NICs (Network Interface Cards)
Nodes (any device connected to the network)

MAC vs. IP Addresses

MAC Address
- Layer 2
- Physical/hardware identifier
- Typically permanent
IP Address
- Layer 3
- Logical/virtual
- Changes frequently depending on network

IPv4 vs. IPv6

IPv4 → 32-bit addressing
IPv6 → 128-bit addressing with IPSec built in (encryption/authentication)

Public vs. Private Addressing

Public = Routable on the internet
Private = Non-routable (internal networks)
NAT (Network Address Translation) is used to map internal private IPs to a public-facing address.

IP Address Classes

Class A
Class B
Class C
Class E (experimental)

3. Ports & Communication Protocols Ports

Think of ports as "traffic lanes" used for communication.
Total: 65,535 ports
- 1–1024 → Well-known ports
- 1025+ → Ephemeral or dynamic ports
Services (Windows) / Daemons (Linux) bind to these ports.

Protocols

Protocols define communication rules between systems.
Governed by RFCs (Request for Comments) standards.

4. TCP – The Reliable Protocol Key TCP Header Elements

Source port
Destination port
Sequence number
Flags

Connection Management

Three-Way Handshake (Start of session)
- SYN → SYN/ACK → ACK
Four-Way Combo (End of session)
- FIN/ACK → ACK → FIN/ACK → ACK
Total overhead: 7 packets for a complete start + close cycle.

Important TCP Flags

Urgent Pointer – Marks urgent/priority data
Push (PSH) – Forces buffered data to transmit immediately
Reset (RST) – Abruptly closes a session

TCP is reliable because it ensures ordered, confirmed delivery. 5. UDP – The Unreliable Protocol

Connectionless, no handshake.
Faster, lower overhead.
Ideal for short or time-sensitive bursts of data.
Common uses:
- DNS queries
- Audio/video streaming
- VoIP

UDP does not guarantee delivery, order, or error correction. 6. Other Essential Protocols ICMP (Internet Control Message Protocol)

Used for error reporting and network diagnostics.
Helps identify optimal routing paths.

DHCP (Dynamic Host Configuration Protocol)

Automatically assigns IP addresses, subnet masks, and gateways to clients.

DNS (Domain Name System)

Translates human-friendly domain names into IP addresses.
Essential for both internal and external connectivity.

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy

...more

Share Course 13 - Network Forensics | Episode 2: Architecture, Protocols (TCP/UDP), and Evidentiary Value

Sign up to save your podcasts

Course 13 - Network Forensics | Episode 2: Architecture, Protocols (TCP/UDP), and Evidentiary Value

Course 13 - Network Forensics | Episode 2: Architecture, Protocols (TCP/UDP), and Evidentiary Value