Network & Mobile Network Forensic

The document outlines the curriculum for Digital Forensics, specifically focusing on Network Forensics and its methodologies, tools, and processes. It details the importance of collecting and analyzing network-based evidence, including techniques for tracking offenders and mobile network forensics. Additionally, it highlights the advantages and challenges of network forensics, along with best practices for evidence collection and interpretation.

Uploaded by Abhijit Bodhe

Sanjivani Rural Education Society’s

Sanjivani College of Engineering, Kopargaon-423 603


(An Autonomous Institute, Affiliated to Savitribai Phule Pune University, Pune)
NAAC ‘A’ Grade Accredited, ISO 9001:2015 Certified

Department of Computer Engineering


(NBA Accredited)

Subject- Digital Forensics (DF) [CO 315A]


Unit 4 :- Network Forensic

Prof. Abhijit S. Bodhe


Assistant Professor
Department of Computer Engineering
E-mail :
[email protected]
Contact No: 7709 340 570
Unit 3:- Computer Forensics analysis and validation
• Computer Forensics analysis and validation: Determining what
data to collect and analyse, validating forensic data, addressing data-
hiding techniques.
• Network Forensics: Network forensics overview, performing live
acquisitions, developing standard procedures for network forensics,
using network tools, examining the honeynet project.
• Computer Forensic tools (Case Study): EnCase, Helix, FTK,
Autopsy, Sleuth Kit Forensic Browser, FIRE, Foundstone Forensic
Toolkit, WinHex, Linux dd and other open source tools

DEPARTMENT OF COMPUTER ENGINEERING, Sanjivani COE, Kopargaon 2


CIA:- Computer Forensic tools - Case Study
1. Tool support & details: OS, hardware, software, any other
2. Description of tool
3. Use of tool
4. Application of tool (Th)
5. Real-time application of tool (possibly demo)
6. Advantage/limitation/risk of tool
7. Comparison with any other one tool (compulsory)
8. Summary of tool in brief (min 1 page)
9. Reference links/websites



Unit 4:- Network Forensic
• Network Forensic: Collecting and analyzing network-based evidence.
Network-based evidence: 1. reconstructing web browsing history, 2. e-mail
activity, 3. Windows registry changes, 4. intrusion detection,
5. tracking offenders.
• Mobile Network Forensic: Introduction,
• Mobile Network Technology,
• Investigations, Collecting Evidence,
• Where to seek Digital Data for further Investigations,
• Interpretation of Digital Evidence on Mobile Network.



Network Forensic
• Network forensics concerns the gathering, monitoring and analysis of
network activity to uncover the source of attacks, viruses, intrusions
or security breaches that occur on a network or in network traffic.
• With the help of network forensics, the data of a crime scene can be
retrieved from any type of network; this data includes messages, file
transfers, e-mails and web browsing history, and it can be reconstructed
to expose the original transactions.
• To identify attacks on a network, investigators must have in-depth
knowledge of network protocols and applications such as web protocols,
e-mail protocols, network protocols, file transfer protocols, etc.



Processes involved in network forensics
1. Identification: In this process, investigators identify and evaluate the
incident based on network indicators.
2. Safeguarding: In this process, investigators preserve and secure the
data so that tampering can be prevented.
3. Accumulation: In this step, a detailed report of the crime scene is
documented and all collected pieces of digital evidence are duplicated.
4. Observation: In this process, all visible data is tracked along with its
metadata.
5. Investigation: In this process, a final conclusion is drawn from the
collected pieces of evidence.
6. Documentation: In this process, all evidence, reports and
conclusions are documented and presented in court.
Major challenges in network forensics



Advantages of Network Forensics
• Advantages:
1. Network forensics helps in identifying security threats and vulnerabilities.
2. It analyzes and monitors network performance demands.
3. Network forensics helps in reducing downtime.
4. Network resources can be used in a better way through reporting and better
planning.
5. It helps in a detailed network search for any trace of evidence left on the
network.
• Disadvantage:
• The only disadvantage of network forensics is that it is difficult to
implement.
Collecting and analyzing network-based evidence
• What is network-based evidence? Network-based digital evidence is a type
of digital evidence that arises as a product of communications over a
network.
• Network evidence collection should proceed by making exact copies (forensic
images) of relevant data sources, such as traffic logs, firewall configurations,
and packet captures.
• Collecting network evidence forensically means following a systematic and
rigorous process that preserves the integrity, authenticity, and admissibility of
the evidence.
• Example: This can include taking screenshots of affected desktops and any
applications that were running at the time of the crime. Additionally, it is
recommended to perform a network status audit in order to gather details
about the network.
Types & Techniques of Network-based Evidence Collection
• Type 1: Passive Network-based Evidence Collection involves collecting
evidence from network traffic without actively affecting the network. It can
provide information about network activity and potentially relevant evidence.
• Type 2: Active Network-based Evidence Collection involves collecting
evidence from network devices and infrastructure by actively interacting with the
network. It can provide more detailed information about network activity and
potentially relevant evidence.
• 1. Network Packet Capture: involves capturing and analyzing individual network
packets. It can provide detailed information about network traffic and potentially
relevant evidence; it is the less costly technique.
• 2. Network Device and Infrastructure Analysis: involves analyzing network devices
and infrastructure for evidence of malicious activity. It can provide information about
network security and potentially relevant evidence; it is the more costly technique.
Analyzing network-based evidence
• Network forensic analysis concerns the gathering, monitoring and
analysis of network activities to uncover the source of attacks,
viruses, intrusions or security breaches that occur on a network or in
network traffic.
• A methodology commonly followed during network forensic
investigations is OSCAR, which consists of steps executed
in sequence.
• These steps are: Obtain information, Strategize, Collect evidence,
Analyze and finally Report.



Network forensics tool-Case study
• NetFlow Analyzer is a comprehensive network forensics analysis tool
that can monitor the top talkers of the network by application, IP address
and device, detect IP addresses accessing the network, and maintain the
quality of the network with service-level agreement (SLA) monitoring.
• It is a real-time NetFlow traffic analysis tool that provides visibility
into network bandwidth performance.
• NetFlow Analyzer is one of the best free network traffic monitoring
tools and provides a holistic view of network traffic. With it, the
network's usage patterns and purpose can be quantified.



Reconstructing web browsing history
• It means retrieving details about websites that were visited on a
computer or device, even if the user tried to delete them.
• When reconstructing someone's web browsing history in network
forensics we look for: visited websites (URLs), time and date of visits,
search queries, downloaded files, browser used (e.g., Chrome,
Firefox), and browsing patterns (e.g., how long they stayed on a page).
• Data is typically found in: browser files (history databases, cookies,
cache), operating system logs (recent files, DNS cache), network logs
(from routers, proxies), cloud sync data (Google/Apple accounts), and RAM
or disk analysis (even if history was deleted).
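As an added example (not part of the slides), the following Python rebuilds a visit timeline, with dwell time per page, and recovers search queries from a Chromium-style History database built in memory; the schema is trimmed to the needed columns and the rows are constructed, while the WebKit timestamp format is the real one.

```python
"""Rebuild a visit timeline from a Chromium-style History database.

Added example, not from the slides. The in-memory database uses a trimmed
copy of Chromium's urls/visits tables with constructed rows; the timestamp
format (microseconds since 1601-01-01 UTC) is the real one.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def datetime_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def build_sample_history():
    """Constructed sample database; only the columns the analysis needs."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, from_visit INTEGER);""")
    base = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)
    rows = [  # (id, url, title, minutes after base)
        (1, "https://search.example.test/?q=forensic+tools", "search", 0),
        (2, "https://files.example.test/report.pdf", "report", 2),
        (3, "https://webmail.example.test/inbox", "inbox", 45),
    ]
    for uid, url, title, mins in rows:
        ts = datetime_to_webkit(base + timedelta(minutes=mins))
        con.execute("INSERT INTO urls VALUES (?,?,?,?,?)", (uid, url, title, 1, ts))
        con.execute("INSERT INTO visits VALUES (?,?,?,?)", (uid, uid, ts, uid - 1))
    return con

def visit_timeline(con):
    """Visits in order, with UTC time and dwell time until the next visit."""
    rows = con.execute("""SELECT v.visit_time, u.url, u.title FROM visits v
                          JOIN urls u ON u.id = v.url ORDER BY v.visit_time""").fetchall()
    timeline = []
    for i, (ts, url, title) in enumerate(rows):
        when = webkit_to_datetime(ts)
        dwell = None  # unknown for the last visit
        if i + 1 < len(rows):
            dwell = int((webkit_to_datetime(rows[i + 1][0]) - when).total_seconds())
        timeline.append({"time": when.isoformat(), "url": url,
                         "title": title, "dwell_s": dwell})
    return timeline

def search_queries(timeline):
    """Search terms recovered from a q= query parameter (assumed convention)."""
    return [q for v in timeline
            for q in parse_qs(urlparse(v["url"]).query).get("q", [])]
```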



E-mail activity in network forensics
• E-mail activity in network forensics plays a major role in identifying
cybercrimes like phishing, data exfiltration or corporate espionage (the illegal
and unethical practice of gathering confidential information).
• This helps investigators to detect malicious e-mails (e.g., phishing,
malware), identify unauthorized data sharing and trace communication between suspects.
• Process of e-mail activity analysis (CoC for e-mail):-
1. Capture traffic (live or via logs/PCAPs)
2. Identify e-mail protocols (SMTP, POP3, IMAP)
3. Reconstruct and extract e-mail content
4. Analyze headers to trace source and route
5. Scan for keywords, malware, or data exfiltration
6. Correlate with other evidence (files, logs, user activity)
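Step 4 above, worked as an added example that is not from the slides: parsing the Received: headers of a constructed sample message (reserved .test names, RFC 5737 documentation addresses) to order the relay hops from origin to mailbox and to note simple header inconsistencies an analyst would follow up on.

```python
"""Reconstruct an e-mail's relay path from its Received: headers (added
example, not from the slides; the sample message is constructed)."""
import email
import email.utils
import re

# Constructed sample with two relay hops. Servers prepend Received headers,
# so the topmost is the final hop and the bottom one is closest to the origin.
RAW_MESSAGE = b"""\
Received: from mx.example-corp.test (mx.example-corp.test [192.0.2.10])
\tby mail.example-corp.test with ESMTP id abc123
\tfor <alice@example-corp.test>; Mon, 3 Jun 2024 09:15:02 +0000
Received: from laptop.sender.test (unknown [203.0.113.7])
\tby mx.example-corp.test with SMTP id xyz789;
\tMon, 3 Jun 2024 09:14:58 +0000
From: "IT Helpdesk" <helpdesk@example-corp.test>
Reply-To: helpdesk@mail.elsewhere.test
To: alice@example-corp.test
Subject: Password reset required

Please reset your password today.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?by\s+(?P<by>\S+)"
)

def parse_received(value):
    """Pull sender name/IP, receiving host and timestamp out of one header."""
    flat = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    date = flat.rsplit(";", 1)[1].strip() if ";" in flat else ""
    return {"from": m.group("helo"), "rdns": m.group("rdns") or "",
            "ip": m.group("ip") or "", "by": m.group("by"), "date": date}

def reconstruct_route(raw):
    """Return (message, hops) with hops ordered from origin to final mailbox."""
    msg = email.message_from_bytes(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()
    return msg, hops

def header_findings(msg, hops):
    """Indicators worth noting before deeper analysis; leads, not proof."""
    findings = []
    from_dom = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    reply_dom = email.utils.parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    if reply_dom and reply_dom != from_dom:
        findings.append("Reply-To domain differs from From domain")
    if hops and hops[0]["rdns"] in ("", "unknown"):
        findings.append("origin host has no reverse DNS name")
    return findings
```

Received headers can be forged by the originating host, so only the hops added by servers you trust are reliable anchors for the route.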
Windows Registry Changes in Network Forensics
• Monitoring and analyzing registry modifications that are triggered by network-
related activity, such as malware received via email, tools executed after
remote access, or browser/network settings altered by an attacker.
• Registry Changes Matter Because:-
1. Malware often modifies the registry to disable defenses.
2. Remote Access Tools (RATs) change settings to allow/control network
behavior.
3. Network configuration changes (proxy, firewall, DNS) are stored in the
registry.
4. Startup keys may be used to relaunch malware after reboot.
5. Helps correlate host behavior with network events (e.g., infection timeline).
Intrusion detection in network forensics
• Intrusion detection refers to the identification of unauthorized, abnormal, or malicious
activity on a network. It is mostly used to:
1. Detect signs of attacks or data breaches.
2. Collect evidence of intrusions for later analysis or prosecution (legal proceedings).
3. Trace the who, what, when, and how of an actual incident.
Detection Techniques:-
1. Signature-based: matches known attack patterns (e.g., specific malware)
2. Anomaly-based: detects deviations from normal behavior (e.g., a sudden surge in traffic)
3. Heuristic-based: uses rule-based logic for suspicious behavior
4. AI/ML-based: uses machine learning to detect (evolving) threats.
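Added example (not from the slides) contrasting the signature-based and anomaly-based techniques, with a small heuristic that combines them, over a constructed flow log; the port signatures and the mean-plus-three-standard-deviations threshold are illustrative assumptions.

```python
"""Signature-based and anomaly-based detection over sample flow records.

Added example, not from the slides. Flow records and the signature table are
constructed; the anomaly rule (per-minute bytes above baseline mean plus
three standard deviations) is one simple choice among many.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log: (minute, src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    (0, "10.0.0.5", "198.51.100.20", 443, 12_000),
    (1, "10.0.0.5", "198.51.100.20", 443, 9_500),
    (2, "10.0.0.7", "198.51.100.21", 80, 4_000),
    (3, "10.0.0.5", "198.51.100.20", 443, 11_000),
    (4, "10.0.0.9", "198.51.100.22", 25, 3_000),
    (5, "10.0.0.7", "198.51.100.21", 80, 4_500),
    (6, "10.0.0.5", "203.0.113.9", 4444, 950_000),  # large outbound transfer
    (7, "10.0.0.9", "203.0.113.9", 6667, 800),      # IRC-style port
]

# Signature rules keyed on destination port (illustrative, not a real rule set).
SIGNATURES = {4444: "port commonly used by reverse shells", 6667: "IRC control channel"}

def signature_alerts(flows):
    """Match every flow against the static rule table."""
    return [(t, src, dst, SIGNATURES[port])
            for t, src, dst, port, _ in flows if port in SIGNATURES]

def anomaly_alerts(flows, baseline_minutes=6, k=3.0):
    """Flag minutes whose byte total exceeds baseline mean + k * std. dev."""
    per_min = defaultdict(int)
    for t, _, _, _, nbytes in flows:
        per_min[t] += nbytes
    baseline = [per_min[t] for t in range(baseline_minutes)]
    threshold = mean(baseline) + k * pstdev(baseline)
    return [(t, per_min[t]) for t in sorted(per_min)
            if t >= baseline_minutes and per_min[t] > threshold]

def correlate(flows):
    """Heuristic: hosts hit by both a signature and a volume anomaly."""
    anomalous = {t for t, _ in anomaly_alerts(flows)}
    return sorted({src for t, src, _, _ in signature_alerts(flows) if t in anomalous})
```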



Tracking Offenders in network forensics
Tracking offenders refers to detecting intruders, malware spreaders, or insider
threats.
Techniques for tracking offenders:-
1. Intrusion Detection Systems (IDS): Tools like Snort or Suricata analyze network
traffic for suspicious activity.
2. Network Traffic Analysis: Using packet sniffers (Wireshark, tcpdump) to
examine anomalies in network traffic.
3. IP traceback: Techniques to trace the origin of malicious traffic.
4. Honeypots: Trap systems designed to identify and analyze attacker behavior.
5. SIEM tools: (Security Information and Event Management) tools like Splunk or
ELK stack help correlate logs to detect offenders.
Case Study on Network forensics
Mobile Network Forensic: Introduction
• Mobile Network Forensics is a sub-discipline of digital forensics focused on the
monitoring, acquisition, analysis, and presentation of evidence collected from mobile
communication networks.
• Unlike device forensics (which targets data on mobile phones), network forensics
investigates data transmitted over telecom infrastructure.
• Major Goals of Mobile Network Forensics are:-
1. Identify and locate offenders
2. Track communication patterns
3. Preserve integrity of evidence
4. Support legal proceedings with admissible data
Mobile Network Technology
• Mobile network technology enables wireless communication over large
distances through cellular infrastructure.
• This technology has evolved through multiple generations:
1. 2G (Second Generation): introduced digital voice communication and
enabled SMS and MMS. Technologies: GSM, CDMA.
2. 3G (Third Generation): faster data speeds supporting mobile internet,
video calling and multimedia messaging. Technologies: UMTS, HSPA.
3. 4G (Fourth Generation): high-speed internet and IP-based communication;
streaming, VoIP, mobile gaming. Technology: LTE (Long Term Evolution).
4. 5G (Fifth Generation): ultra-fast data, low latency, supports IoT; enables
smart cities and autonomous vehicles. Technologies: NR (New Radio),
mmWave.
Investigations in Mobile Network Forensics
• These involve examining mobile communication networks to detect,
collect, analyze, and preserve digital evidence related to cybercrimes,
fraud, unauthorized access, or other malicious activities involving
mobile devices and telecom networks.
• Purpose of Mobile Network Forensic Investigations
1. Identify and track malicious users or attackers.
2. Investigate cybercrimes conducted via mobile phones.
3. Collect legal evidence from mobile networks.
4. Detect fraud or policy violations in telecom systems.
5. Recover deleted or hidden mobile communication data.
Collecting Evidence in Mobile Forensics
• Collecting evidence in mobile forensics is a critical step that involves
securing and extracting digital data from mobile devices, SIM cards,
memory cards, and even mobile networks while maintaining its
integrity for legal or investigative purposes.
Evidence can come from various components of a mobile ecosystem:
1. Mobile devices: call logs, SMS/MMS, e-mails and contacts,
photos, videos, and documents
2. App data (WhatsApp, Telegram, Facebook, etc.): web history and
downloads, GPS/location data, deleted files (if recoverable)
3. SIM card: IMSI number, contacts stored on SIM, SMS stored on
SIM, last dialed numbers
4. Memory cards: media files, encrypted or hidden data, third-party app
data
5. Network evidence: Call Detail Records (CDRs), location data from cell
towers, IP logs from telecom providers, packet data (if available through
lawful interception).
• Best Practices in Evidence Collection:-
1. Isolate the device (e.g., use Faraday bags to block signals).
2. Document everything (time of seizure, condition, photos).
3. Maintain chain of custody to ensure evidence is admissible in court.
4. Hash the data to verify its integrity (MD5/SHA-256).
Where to seek Digital Data for further Investigations
In mobile network forensics, investigators can seek digital data from various
sources to support their analysis and uncover evidence. These sources are
typically categorized as follows:
1. Mobile Device Itself
The mobile device is the most direct source of evidence.
2. Mobile Network Infrastructure
This includes data available from cellular networks and base stations:
• Call Detail Records (CDRs): metadata about calls, SMS, and mobile data
sessions
• Cell tower logs: data about which towers a phone connected to
(used for geolocation)
• Location Area Code (LAC) and Tracking Area Code (TAC) information
• Roaming records
3. Cloud Services & Backup Platforms: iCloud, Google Drive backups;
contacts, calendars, and notes; photos, e-mails, and app data; app-specific
backups (WhatsApp, Telegram cloud, etc.)
4. Internet Service Providers (ISPs) and VPN Logs: IP addresses used by the
device, timestamps and session durations, proxy/VPN access records
5. SIM Card and Subscriber Information: IMSI (International Mobile
Subscriber Identity), SMS stored on SIM, last used phone numbers, contacts
saved on SIM.
6. Wi-Fi Networks and Hotspot Logs: SSIDs of connected networks,
timestamps of connections, MAC address logs (from routers or access points)
Interpretation of Digital Evidence on Mobile Network

Once digital evidence has been collected from mobile networks, devices,
and related systems, the interpretation phase begins. This involves
analyzing the raw data to extract meaningful insights, patterns, timelines,
and potentially incriminating or exculpatory evidence.
Interpretation in mobile network forensics means:
Making sense of collected data by connecting technical information to
human actions, behaviors, or events relevant to the investigation.
Behavioral and Pattern Analysis:-
• Frequent contacts → Identify inner circle of communication.
• Unusual spikes in data usage → May signal use of secure apps or file
transfers.
• Night-time activities → May point to suspicious behavior patterns.
• SIM changes or tower hopping → Evasion tactics or use of multiple
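The pattern analysis above, as an added example that is not from the slides: computing the indicators listed (frequent contacts, data spikes, night-time activity, rapid cell changes, and peers shared between SIMs) over constructed CDRs, with the night window, spike factor and hop window as labelled assumptions.

```python
"""Behavioral indicators from constructed Call Detail Records (CDRs). Added
example, not from the slides; the night window, spike factor and hop window
are analyst-chosen assumptions, and each indicator is a lead, not proof."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed CDRs: (timestamp, imsi, peer_number, event, cell_id, kbytes)
CDRS = [
    ("2024-06-01 08:05", "IMSI-A", "+00-555-0101", "call", "C1", 0),
    ("2024-06-01 08:40", "IMSI-A", "+00-555-0101", "sms", "C1", 0),
    ("2024-06-01 12:10", "IMSI-A", "+00-555-0102", "call", "C2", 0),
    ("2024-06-01 13:00", "IMSI-A", "", "data", "C2", 40),
    ("2024-06-01 18:30", "IMSI-A", "+00-555-0101", "call", "C1", 0),
    ("2024-06-02 01:15", "IMSI-A", "", "data", "C5", 900),
    ("2024-06-02 01:20", "IMSI-A", "+00-555-0103", "sms", "C6", 0),
    ("2024-06-02 01:28", "IMSI-B", "+00-555-0103", "sms", "C7", 0),
    ("2024-06-02 01:40", "IMSI-B", "", "data", "C8", 30),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def frequent_contacts(cdrs, top=2):
    """Most contacted numbers over calls and SMS (the 'inner circle')."""
    peers = Counter(peer for _, _, peer, ev, _, _ in cdrs if ev in ("call", "sms"))
    return peers.most_common(top)

def data_spikes(cdrs, factor=5.0):
    """Data sessions far above the median session volume."""
    sessions = [(ts, imsi, kb) for ts, imsi, _, ev, _, kb in cdrs if ev == "data"]
    med = median(kb for _, _, kb in sessions)
    return [s for s in sessions if s[2] > factor * med]

def night_activity(cdrs, start_hour=0, end_hour=5):
    """Events inside the assumed night window [start_hour, end_hour)."""
    return [r for r in cdrs if start_hour <= _ts(r[0]).hour < end_hour]

def rapid_cell_changes(cdrs, window_minutes=30):
    """Per IMSI, count of cell changes that happen within the window."""
    by_imsi = defaultdict(list)
    for ts, imsi, _, _, cell, _ in sorted(cdrs):  # chronological per IMSI
        by_imsi[imsi].append((_ts(ts), cell))
    return {imsi: sum(1 for (t0, c0), (t1, c1) in zip(ev, ev[1:]) if c0 != c1
                      and (t1 - t0).total_seconds() <= window_minutes * 60)
            for imsi, ev in by_imsi.items()}

def shared_peers(cdrs):
    """Numbers contacted from more than one IMSI (possible SIM switching)."""
    by_peer = defaultdict(set)
    for _, imsi, peer, ev, _, _ in cdrs:
        if peer and ev in ("call", "sms"):
            by_peer[peer].add(imsi)
    return sorted(p for p, imsis in by_peer.items() if len(imsis) > 1)
```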
Unit 5:- Software Reverse Engineering
• Software Reverse Engineering: Defend against software targets for
viruses, worms and other malware,
• improving third party software library,
• identifying hostile codes-buffer overflow,
• provision of unexpected inputs.



Unit 6:- Computer crime and Legal issues
• Computer crime and Legal issues: Intellectual property,
• privacy issues,
• Criminal Justice system for forensics,
• audit/investigative situations and digital crime procedure/standards for extraction,
preservation, and deposition of legal evidence in a court of law.

