Sign up to save your podcasts
Or
Share Course 13 - Network Forensics | Episode 7: Web Traffic Analysis and Browser Forensics: Handshakes, DNSSEC, and Cookies
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Course 13 - Network Forensics | Episode 7: Web Traffic Analysis and Browser Forensics: Handshakes, DNSSEC, and Cookies
In this lesson, you’ll learn about:
This handshake—SYN → SYN/ACK → ACK—is the best indicator of:
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
- How to identify and analyze web traffic using network forensics techniques
- The role of DNSSEC in securing DNS infrastructure
- Browser forensics across IE, Firefox, Chrome, Edge, and Safari
- How history files, caches, and artifacts differ between browsers
- The forensic value of cookies and how they are stored and analyzed
This handshake—SYN → SYN/ACK → ACK—is the best indicator of:
- A new connection forming
- Impending data transfer
- The type of communication taking place
- Port 80 typically indicates HTTP web traffic
- A GET request usually confirms this
- Port 23 indicates Telnet, which sends data in plaintext
- Example: Seeing IIS5 suggests the server was running Windows 2000
- Cryptographic signing of records prevents unauthorized changes
- Makes DNS poisoning or zone file tampering extremely difficult
- If a compromise occurs, DNSSEC provides detailed forensic evidence
- Signatures
- Validation failures
- Tampered data traces
- A binary file that logs significant browsing activity
- Cannot be opened with Notepad or standard editors
- Requires specialized tools or index.dat viewers
- Older systems stored IE artifacts under:
Local Settings\Temporary Internet Files
- Stored in ASCII format, viewable in plain text
- Easier to read than IE’s binary format
- However, it does not directly link visited sites with cached pages
- Reconstruction of user view is harder
- Stored under the user profile in Application Data > Firefox folders
- Language preferences
- Activity
- Session identifiers
- Visit frequency
- History is deleted
- Cache is wiped
- Private browsing was used
- Show repeated visits vs. “accidental” single access
- Reveal behavior and browsing patterns
- Tie activity to specific sessions or visits
- Help reconstruct long-term user engagement
- Minimum expected size: 4 KB
- Contain six components (e.g., name, value, expiration date, domain, path, flags)
- Session cookies: deleted when browser closes
- Persistent cookies: stored long-term and replayed on revisit
- Often used for access control and session management
- Burp Suite
- Browser developer tools
- Modifying session cookies
- Changing identifiers
- Influencing e-commerce machine-learning systems that adjust prices based on user interest/visit frequency
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
View all episodes
By CyberCode AcademyIn this lesson, you’ll learn about:
This handshake—SYN → SYN/ACK → ACK—is the best indicator of:
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
- How to identify and analyze web traffic using network forensics techniques
- The role of DNSSEC in securing DNS infrastructure
- Browser forensics across IE, Firefox, Chrome, Edge, and Safari
- How history files, caches, and artifacts differ between browsers
- The forensic value of cookies and how they are stored and analyzed
This handshake—SYN → SYN/ACK → ACK—is the best indicator of:
- A new connection forming
- Impending data transfer
- The type of communication taking place
- Port 80 typically indicates HTTP web traffic
- A GET request usually confirms this
- Port 23 indicates Telnet, which sends data in plaintext
- Example: Seeing IIS5 suggests the server was running Windows 2000
- Cryptographic signing of records prevents unauthorized changes
- Makes DNS poisoning or zone file tampering extremely difficult
- If a compromise occurs, DNSSEC provides detailed forensic evidence
- Signatures
- Validation failures
- Tampered data traces
- A binary file that logs significant browsing activity
- Cannot be opened with Notepad or standard editors
- Requires specialized tools or index.dat viewers
- Older systems stored IE artifacts under:
Local Settings\Temporary Internet Files
- Stored in ASCII format, viewable in plain text
- Easier to read than IE’s binary format
- However, it does not directly link visited sites with cached pages
- Reconstruction of user view is harder
- Stored under the user profile in Application Data > Firefox folders
- Language preferences
- Activity
- Session identifiers
- Visit frequency
- History is deleted
- Cache is wiped
- Private browsing was used
- Show repeated visits vs. “accidental” single access
- Reveal behavior and browsing patterns
- Tie activity to specific sessions or visits
- Help reconstruct long-term user engagement
- Minimum expected size: 4 KB
- Contain six components (e.g., name, value, expiration date, domain, path, flags)
- Session cookies: deleted when browser closes
- Persistent cookies: stored long-term and replayed on revisit
- Often used for access control and session management
- Burp Suite
- Browser developer tools
- Modifying session cookies
- Changing identifiers
- Influencing e-commerce machine-learning systems that adjust prices based on user interest/visit frequency
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy