Sign up to save your podcasts
Or
Share Course 13 - Network Forensics | Episode 3: Network Forensics, Security Tools, and Defensive Architecture
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Course 13 - Network Forensics | Episode 3: Network Forensics, Security Tools, and Defensive Architecture
In this lesson, you’ll learn about:
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
- The purpose and scope of Network Forensics
- Key evidence sources across a networked environment
- Essential security tools: scanners, sniffers, IDS/IPS
- Defensive architecture: firewalls, DMZs, bastion hosts
- Core security protocols: Kerberos, VPNs, SSH, SSL/TLS
- Integrity monitoring and log management systems
- Network forensics is a branch of digital forensics focused on analyzing network traffic to gather evidence, detect intrusions, and understand attacker behavior.
- It allows investigators to determine:
- How an intruder entered
- The intrusion path taken
- The techniques used
- Requires systematic tracking of inbound/outbound traffic and knowledge of “normal” behavior to spot anomalies.
- Skilled attackers are harder to trace, but all intruders leave artifacts somewhere.
- Firewalls
- Routers
- IDS/IPS systems
- Packet sniffers
- Proxy servers
- Authentication servers
- Logs from these devices form the foundation of network investigation.
- Network forensics complements computer/memory forensics. Examples:
- Packet analysis may reveal what to look for on a compromised machine.
- Memory forensics may indicate specific encrypted packets that require deeper analysis.
- Tools like tcpdump extract raw packet data.
- Attacker attribution sometimes requires legal processes (e.g., subpoenas to ISPs or Wi-Fi providers).
- The OSI model helps identify where vulnerabilities exist.
- Layers 1, 2, 6, and 7 tend to be weaker than layers 3, 4, and 5.
- Port Scanners
- Identify open ports and exposed services.
- Example: Nmap.
- Packet Sniffers / Analyzers
- Wireshark (analyzer that can sniff)
- tcpdump (pure command-line sniffer)
- Intrusion Detection Systems (IDS)
- Example: Snort.
- Works like a sniffer with rules; alerts on malicious patterns.
- Intrusion Prevention Systems (IPS)
- Active responses: modify packets, block ports, shut down segments.
- Must be configured carefully to avoid accidental denial-of-service events.
- Hardware + software systems controlling access based on packet characteristics.
- Packet Filtering (Layer 3)
- Early model, examines only IP and port.
- Does not track session state.
- Stateful Firewalls (Layer 4)
- Track session state and connection flows.
- Prevent forged packets unless the session was legitimately initiated.
- Application-Layer Firewalls (Layers 6–7)
- Deep packet inspection.
- Can enforce command-level rules (e.g., allow FTP GET but block FTP PUT).
- A network segment between internal LAN and the external internet.
- Hosts public-facing resources (web, mail servers).
- Hardened system placed in the untrusted network zone (DMZ).
- Common examples: web servers, mail servers.
- A trusted third-party authentication system.
- Uses a ticket-granting server to authenticate:
- Client → Kerberos → Resource (e.g., printer)
- Commonly used for Single Sign-On.
- Encrypt traffic between two endpoints.
- Important note: VPNs do not create isolated physical paths; they still traverse the same routers.
- Encryption layers:
- Layer 2 → L2TP
- Layer 3 → IPSec
- Layers 5–7 → SSL/TLS
- Purpose: privacy, not magical invisibility.
- Commonly used for encrypted remote access, tunneling, and file transfer.
- Operates on port 22.
- Browser creates a secret session key.
- Browser encrypts this key using the server’s public key.
- Server decrypts it using its private key.
- Both sides now share the secret and switch to symmetric encryption for the session.
- Tools like Tripwire monitor critical files.
- Use hashing to detect unauthorized changes.
- Alerts admins when files are modified.
- SIEM solutions combine:
- Security Information Management (SIM)
- Security Event Management (SEM)
- Examples: LogRhythm, Splunk.
- Aggregate logs from across the environment, correlate events, and identify patterns.
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
View all episodes
By CyberCode AcademyIn this lesson, you’ll learn about:
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
- The purpose and scope of Network Forensics
- Key evidence sources across a networked environment
- Essential security tools: scanners, sniffers, IDS/IPS
- Defensive architecture: firewalls, DMZs, bastion hosts
- Core security protocols: Kerberos, VPNs, SSH, SSL/TLS
- Integrity monitoring and log management systems
- Network forensics is a branch of digital forensics focused on analyzing network traffic to gather evidence, detect intrusions, and understand attacker behavior.
- It allows investigators to determine:
- How an intruder entered
- The intrusion path taken
- The techniques used
- Requires systematic tracking of inbound/outbound traffic and knowledge of “normal” behavior to spot anomalies.
- Skilled attackers are harder to trace, but all intruders leave artifacts somewhere.
- Firewalls
- Routers
- IDS/IPS systems
- Packet sniffers
- Proxy servers
- Authentication servers
- Logs from these devices form the foundation of network investigation.
- Network forensics complements computer/memory forensics. Examples:
- Packet analysis may reveal what to look for on a compromised machine.
- Memory forensics may indicate specific encrypted packets that require deeper analysis.
- Tools like tcpdump extract raw packet data.
- Attacker attribution sometimes requires legal processes (e.g., subpoenas to ISPs or Wi-Fi providers).
- The OSI model helps identify where vulnerabilities exist.
- Layers 1, 2, 6, and 7 tend to be weaker than layers 3, 4, and 5.
- Port Scanners
- Identify open ports and exposed services.
- Example: Nmap.
- Packet Sniffers / Analyzers
- Wireshark (analyzer that can sniff)
- tcpdump (pure command-line sniffer)
- Intrusion Detection Systems (IDS)
- Example: Snort.
- Works like a sniffer with rules; alerts on malicious patterns.
- Intrusion Prevention Systems (IPS)
- Active responses: modify packets, block ports, shut down segments.
- Must be configured carefully to avoid accidental denial-of-service events.
- Hardware + software systems controlling access based on packet characteristics.
- Packet Filtering (Layer 3)
- Early model, examines only IP and port.
- Does not track session state.
- Stateful Firewalls (Layer 4)
- Track session state and connection flows.
- Prevent forged packets unless the session was legitimately initiated.
- Application-Layer Firewalls (Layers 6–7)
- Deep packet inspection.
- Can enforce command-level rules (e.g., allow FTP GET but block FTP PUT).
- A network segment between internal LAN and the external internet.
- Hosts public-facing resources (web, mail servers).
- Hardened system placed in the untrusted network zone (DMZ).
- Common examples: web servers, mail servers.
- A trusted third-party authentication system.
- Uses a ticket-granting server to authenticate:
- Client → Kerberos → Resource (e.g., printer)
- Commonly used for Single Sign-On.
- Encrypt traffic between two endpoints.
- Important note: VPNs do not create isolated physical paths; they still traverse the same routers.
- Encryption layers:
- Layer 2 → L2TP
- Layer 3 → IPSec
- Layers 5–7 → SSL/TLS
- Purpose: privacy, not magical invisibility.
- Commonly used for encrypted remote access, tunneling, and file transfer.
- Operates on port 22.
- Browser creates a secret session key.
- Browser encrypts this key using the server’s public key.
- Server decrypts it using its private key.
- Both sides now share the secret and switch to symmetric encryption for the session.
- Tools like Tripwire monitor critical files.
- Use hashing to detect unauthorized changes.
- Alerts admins when files are modified.
- SIEM solutions combine:
- Security Information Management (SIM)
- Security Event Management (SEM)
- Examples: LogRhythm, Splunk.
- Aggregate logs from across the environment, correlate events, and identify patterns.
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy