DF Iii Unit

This document provides a comprehensive overview of Windows networking, including its architecture, components, and security features. It covers user and group management, network investigations, server roles, and the significance of the Windows Registry and event logs. Additionally, it highlights tools and techniques for network analysis and troubleshooting, emphasizing the importance of these elements in maintaining secure and efficient network operations.


UNIT III

Networking overview: Windows Networks, Users and Groups, Introduction to Network investigations
Windows Networks

Windows networking is designed to enable communication, resource sharing, and security
within an enterprise environment. It is primarily based on Active Directory (AD) and various
networking protocols.

Definition: A Windows network refers to interconnected Windows computers that share
resources (files, printers, applications) via protocols like SMB, NetBIOS, and TCP/IP.

Key Features/Functions:

● Uses Active Directory for centralized user and resource management
● Communication over TCP/IP, SMB, and DNS
● Supports workgroups (peer-to-peer) and domains (centralized)

Windows Network Architecture

Windows networks are typically structured as either Workgroups or Domains:

A. Workgroup (Peer-to-Peer Network)

● No central administration (each computer manages its own resources).
● Computers communicate directly but do not share a common authentication system.
● Suitable for small networks (fewer than 10 computers).
● Uses NetBIOS and SMB for file sharing.

B. Domain (Client-Server Network)

● Uses Active Directory (AD) for centralized authentication and management.
● A Domain Controller (DC) manages user accounts, security policies, and permissions.
● Suitable for large enterprises.
● Uses Kerberos authentication, LDAP (Lightweight Directory Access Protocol), and SMB/CIFS for resource sharing.

Windows Networking Components

A. Active Directory (AD)

A centralized directory service that stores user information, policies, and security settings. It
consists of:

● Domain Controllers (DCs): Servers managing authentication.
● Organizational Units (OUs): Logical containers for grouping users, computers, and policies.
● Group Policy Objects (GPOs): Used to enforce security settings across the network.

B. Windows Networking Protocols

Windows networks rely on several key protocols:

1. SMB (Server Message Block): Used for file and printer sharing.
2. LDAP (Lightweight Directory Access Protocol): Used for querying and modifying AD objects.
3. Kerberos: Default authentication protocol for AD.
4. RDP (Remote Desktop Protocol): Allows remote access to Windows machines.
5. DNS (Domain Name System): Resolves hostnames to IP addresses.
6. DHCP (Dynamic Host Configuration Protocol): Assigns IP addresses dynamically.

C. Windows File and Print Sharing

● Shared Folders: Users can share files via SMB (UNC path \\servername\sharedfolder).
● Printer Sharing: Allows networked printers to be accessed by multiple users.

Windows Networking Services

A. DNS (Domain Name System)

● Translates domain names to IP addresses.
● Essential for Active Directory to function properly.

B. DHCP (Dynamic Host Configuration Protocol)

● Automatically assigns IP addresses, subnet masks, and default gateways.
● Reduces manual configuration errors.

C. Remote Access Services

1. VPN (Virtual Private Network): Secure remote access over the internet.
2. RDP (Remote Desktop Protocol): Allows remote access to Windows desktops and servers.

D. Windows Firewall & Security Policies

● Windows Firewall: Controls network traffic using inbound and outbound rules.
● Group Policy Objects (GPOs): Enforce network security policies.

Windows Network Authentication & Security

A. Authentication Methods

1. Local Authentication: Uses local accounts on individual computers.
2. Domain Authentication: Uses Active Directory with Kerberos and NTLM.
3. Multi-Factor Authentication (MFA): Adds additional security layers.

B. Access Control

● ACL (Access Control List): Defines who can access files/folders.
● NTFS Permissions: Grant specific rights to users/groups.

Network Monitoring & Troubleshooting

A. Tools for Network Analysis

1. Wireshark: Captures and analyzes network traffic.
2. Netstat: Displays active network connections.
3. Event Viewer: Logs network activity and security events.
4. PowerShell Cmdlets (e.g., Get-NetAdapter, Get-NetTCPConnection): Used for troubleshooting.

B. Common Network Issues

● IP Address Conflicts: Resolved using DHCP reservations.
● DNS Resolution Failure: Fixed by checking DNS settings and flushing the resolver cache (ipconfig /flushdns).
● Slow Network Performance: Diagnosed using Wireshark and performance monitoring tools.

Users and Groups

In Windows networks, Users and Groups are essential for managing access control,
security, and authentication. They help network administrators define who can access
resources and what actions they can perform.

Definition: Windows manages access control through user accounts and groups. Users can be
local or domain-based; groups help assign permissions collectively.

Key Components:

● Users: Individual login accounts (e.g., Administrator, Guest)
● Groups: Collections of users with common privileges (e.g., Administrators, Users)
● Tools: lusrmgr.msc, net user, net localgroup

Function:

● Helps enforce access control, privilege separation, and policy application

Windows Users in a Network

A user in a Windows network is an individual account that can log in and perform actions based
on assigned permissions.

Types of Users in a Windows Network

1. Local Users
   ○ Exist only on a specific computer.
   ○ Stored in the Security Account Manager (SAM) database.
   ○ Example: A standalone Windows PC user.
2. Domain Users
   ○ Managed centrally by Active Directory (AD) on a Domain Controller (DC).
   ○ Can log into any system within the network domain.
   ○ Use Kerberos authentication.
3. Built-in Windows Users
   ○ Administrator: Full system control.
   ○ Guest: Limited access.
   ○ DefaultAccount: Used internally by Windows.
   ○ SYSTEM: The most privileged built-in account.

Windows Groups in a Network

A group is a collection of users with shared permissions. Instead of assigning permissions
individually, administrators assign them to groups.

Types of Windows Groups

1. Local Groups
   ○ Exist on a single machine.
   ○ Used in Workgroups (non-domain networks).
2. Domain Groups
   ○ Managed in Active Directory.
   ○ Used in enterprise networks.
3. Built-in Groups in Windows Networks
   ○ Administrators: Full control over the network.
   ○ Users: Standard privileges.
   ○ Power Users: More privileges than normal users.
   ○ Guests: Temporary access with minimal privileges.

Active Directory (AD) Groups in Windows Networks

In Windows Server environments, Active Directory (AD) is used to manage users and
groups.

Types of AD Groups

1. Security Groups
   ○ Used for access control.
   ○ Example: A Finance Group with access to financial records.
2. Distribution Groups
   ○ Used for email communication.
   ○ Example: A Company Announcement Group for all employees.

Group Scope in Active Directory

1. Global Groups
   ○ Used across the entire domain.
   ○ Example: "HR Department" group.
2. Domain Local Groups
   ○ Used for access control within a single domain.
3. Universal Groups
   ○ Used across multiple domains in large organizations.

User & Group Management in Windows Networks

Creating & Managing Users

● Open Active Directory Users and Computers (ADUC).
● Use PowerShell:

Introduction to Network investigations

Network investigation is the process of analyzing network traffic, logs, and digital evidence
to detect security breaches, cybercrimes, or unauthorized activities. It plays a vital role in
cybersecurity, incident response, and forensic analysis.

Definition: The process of analyzing network activity to detect anomalies, breaches, or
malicious behavior.

Purpose:

● Identify unauthorized access or data exfiltration
● Analyze traffic, logs, and connection histories

Tools/Techniques:

● Packet capture (Wireshark)
● Netstat, TCPView, Sysinternals tools
● Firewall & proxy logs

1. What is Network Investigation?

Network investigation is the process of monitoring, analyzing, and interpreting network
activity to detect security breaches, unauthorized access, and cybercrimes. It helps in:

● Identifying intrusions (e.g., malware infections, hacking attempts).
● Tracing digital evidence (e.g., IP addresses, timestamps).
● Recovering compromised data.
● Understanding attack methods (e.g., phishing, denial-of-service attacks).

Key Aspects of Network Investigations:

A. Network Traffic Analysis

● Capturing network packets to analyze real-time and past communications.
● Identifying malicious activities like DNS poisoning, ARP spoofing, and unauthorized access.
● Tools used:
   ○ Wireshark: Captures and analyzes network packets.
   ○ tcpdump: Command-line packet analyzer.

B. Log Analysis

● Monitoring logs from firewalls, routers, servers, and endpoints.
● Types of logs examined:
   ○ Windows Event Logs (for user authentication, system activity).
   ○ Syslog (Linux logs) (for network and system events).
   ○ Firewall Logs (for blocked and allowed traffic).
   ○ Proxy Logs (for internet activity tracking).
   ○ VPN and RDP Logs (for remote access tracking).

C. IP Address & Geolocation Tracking

● Finding the source of attacks using IP tracking tools.
● Identifying attacker locations (though VPNs and proxies can obfuscate real locations).
● Tools used:
   ○ IP lookup services (e.g., WHOIS, GeoIP).
   ○ Traceroute & Ping (to analyze network paths).

D. Malware & Intrusion Detection

1. Detecting malware-infected traffic using Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).
2. Common IDS/IPS tools:
   a. Snort: Open-source network intrusion detection.
   b. Suricata: Advanced network threat detection.

Summary of Key Aspects:

1. Network Traffic Analysis – Examines real-time and stored network packets using tools like Wireshark, tcpdump, and Suricata to detect suspicious activities.
2. Log Analysis – Investigates logs from firewalls, routers, and servers to track user authentication and system activity.
3. IP Address & Geolocation Tracking – Traces attacker locations using tools like WHOIS, Traceroute, and GeoIP lookup.
4. Intrusion Detection & Malware Analysis – Uses Intrusion Detection Systems (IDS) like Snort and Suricata to detect malware, phishing, and botnet attacks.
5. Network Device Forensics – Examines routers, switches, and network appliances to reconstruct attack scenarios.

Network Investigation (Forensic) Process:

1. Data Collection – Capturing logs and network traffic from servers, firewalls, and endpoints using tools like Wireshark and Splunk.
2. Data Analysis – Examine logs and network packets for suspicious patterns. Identify attack methods like brute-force attacks and DNS spoofing.
3. Timeline Reconstruction – Correlate timestamps from logs and network events to understand when and how an attack happened.
4. Attribution & Reporting – Identifying the source of attacks (IP tracing, malware signatures) and generating reports for legal action.
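As an added illustration of steps 2 and 3 (not part of the original notes), the script below merges a Linux authentication log and a firewall log into one timeline, spots a brute-force SSH login (repeated failures followed by a success from the same IP), and lists what that source did afterwards. The log lines, hosts and RFC 5737 addresses are constructed; syslog timestamps carry no year, so the parser takes one as a parameter (2024 assumed here).

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines (not from the document). Syslog timestamps have no
# year, so parse_line() takes the year from the evidence as a parameter.
AUTH_LOG = """\
Mar 10 14:22:01 web01 sshd[2140]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar 10 14:22:03 web01 sshd[2140]: Failed password for root from 203.0.113.5 port 51023 ssh2
Mar 10 14:22:06 web01 sshd[2142]: Failed password for admin from 203.0.113.5 port 51030 ssh2
Mar 10 14:22:09 web01 sshd[2144]: Accepted password for admin from 203.0.113.5 port 51041 ssh2
Mar 10 14:25:40 web01 sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 10 15:01:12 web01 sshd[2301]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2
"""
FIREWALL_LOG = """\
Mar 10 14:21:58 fw01 kernel: [12345.6] IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP SPT=51020 DPT=22
Mar 10 14:30:02 fw01 kernel: [12360.1] IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP SPT=51100 DPT=445
"""

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
SSH_RE = re.compile(r"(Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")
FW_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*DPT=(\d+)")


def parse_line(line, year=2024):
    """Normalise one syslog-style line into a timeline event dict, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp, host, msg = m.groups()
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    if s := SSH_RE.search(msg):
        outcome, user, ip = s.groups()
        return {"ts": ts, "host": host, "src": ip, "event": f"ssh_{outcome.lower()}", "detail": user}
    if s := SUDO_RE.search(msg):
        user, target, cmd = s.groups()
        return {"ts": ts, "host": host, "src": None, "event": "sudo", "detail": f"{user}->{target}: {cmd}"}
    if s := FW_RE.search(msg):
        src, dst, dport = s.groups()
        return {"ts": ts, "host": host, "src": src, "event": "fw_conn", "detail": f"{dst}:{dport}"}
    return None


def build_timeline(*sources, year=2024):
    """Merge several log sources into one list ordered by timestamp."""
    events = [ev for text in sources for line in text.splitlines() if (ev := parse_line(line, year))]
    return sorted(events, key=lambda e: e["ts"])


def find_bruteforce_logins(timeline, threshold=3):
    """{ip: first successful SSH login} for IPs with >= threshold failures first."""
    failures = Counter(e["src"] for e in timeline if e["event"] == "ssh_failed")
    hits = {}
    for e in timeline:
        if e["event"] == "ssh_accepted" and failures[e["src"]] >= threshold:
            hits.setdefault(e["src"], e["ts"])
    return hits


def follow_up_activity(timeline, ip, since):
    """Events from the suspect IP, plus host-local sudo events, from `since` on.

    Heuristic: sudo lines carry no source IP, so they are attributed by time.
    """
    return [e for e in timeline if e["ts"] >= since and (e["src"] == ip or e["event"] == "sudo")]


if __name__ == "__main__":
    tl = build_timeline(AUTH_LOG, FIREWALL_LOG)
    for ip, first_ok in find_bruteforce_logins(tl).items():
        print(f"brute-force login from {ip} succeeded at {first_ok}")
        for e in follow_up_activity(tl, ip, first_ok):
            print(f"  {e['ts']} {e['host']:<6} {e['event']:<13} {e['detail']}")
```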

Common Tools for Network Investigations:

Challenges in Network Investigations:

● Encryption & VPNs – Attackers hide activities using encryption.
● Spoofing techniques – Fake IPs and identities make tracking difficult.
● Cloud-based attacks – Investigating cloud-based attacks adds complexity.
● Massive data volumes – Processing large logs and traffic captures requires advanced tools.

Conclusion:

Network investigations are critical for detecting cyber threats, recovering evidence, and
improving cybersecurity.

Windows and Linux servers: Server roles, Server analysis, Windows Registry, Event logs

Server roles

A server role defines the specific function a server performs within a network.
Definition: Server roles define the primary function of a Windows Server within a network.

Common Roles:

● Active Directory Domain Services (AD DS) – Manages domain authentication and policies
● DNS Server – Resolves domain names
● DHCP Server – Assigns IP addresses dynamically
● File/Print Server – Shares files and printers
● Web Server (IIS) – Hosts websites/applications

Windows Server Roles

Windows servers are widely used in enterprise environments, supporting Active Directory, file
sharing, and web services.

✔ Active Directory Domain Services (AD DS) – Manages users, groups, and authentication.
✔ File Server – Provides centralized file storage and sharing.
✔ Web Server (IIS) – Hosts websites and applications.
✔ DNS Server – Translates domain names into IP addresses.
✔ DHCP Server – Assigns IP addresses dynamically.
✔ Mail Server (Microsoft Exchange) – Handles corporate email.
✔ SQL Server – Manages and processes databases.
✔ Remote Desktop Services (RDS) – Enables remote access to applications.

Linux Server Roles

Linux servers are known for stability, security, and open-source flexibility.

🔹 Apache Web Server – Runs websites and web applications.
🔹 MySQL/PostgreSQL Database Server – Stores and manages databases.
🔹 Samba Server – Enables file sharing between Linux and Windows.
🔹 SSH Server – Allows secure remote access to Linux systems.
🔹 DNS & DHCP Server – Provides name resolution and IP address management.
🔹 Mail Server (Postfix, Sendmail) – Handles email communications.
🔹 LAMP Stack – Linux, Apache, MySQL, PHP/Perl/Python for web applications.

Server analysis

Definition: Examining server performance, configuration, and security for abnormalities or
issues.
Server analysis is the process of monitoring, diagnosing, and troubleshooting server
performance, security, and network activity. It helps identify issues, detect intrusions, and
ensure optimal server performance.

Focus Areas:

● Resource usage (CPU, memory)
● Event logs
● Service configurations
● Network connections

Tools:

● Task Manager, Resource Monitor, Performance Monitor
● Event Viewer, PowerShell, Sysinternals Suite

Overall summary

Windows Registry

Definition

The Windows Registry is like a settings database for your computer. It stores information
about how Windows and installed programs should work.
(or) A hierarchical database that stores low-level OS and application settings.

Key Paths:

● HKEY_LOCAL_MACHINE (HKLM)
● HKEY_CURRENT_USER (HKCU)

Function:

● Controls startup programs, installed apps, user preferences
● Can be used for persistence by attackers (e.g., Run keys)

Tools:

● regedit, reg query, Autoruns (Sysinternals)
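The Run-key persistence point above can be checked offline from saved `reg query` output. The script below is an added example, not part of the original notes: it parses the text layout that `reg query <key>` prints and flags autostart entries that deserve a look (binaries in user-writable locations, system binary names outside the Windows directory, script hosts launched hidden or with encoded commands, script files). The registry values shown are constructed and hypothetical.

```python
import re

# Constructed sample in the layout that `reg query <key>` prints (not taken
# from the document); every value name and path here is hypothetical.
REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    C:\Users\alice\AppData\Roaming\svchost.exe
    Helper    REG_EXPAND_SZ    %TEMP%\helper.vbs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Loader    REG_SZ    powershell.exe -nop -w hidden -enc ENCODEDPLACEHOLDER
"""

# Locations an unprivileged user can write to: malware persistence usually
# lives here, but so does some legitimate per-user software (review, not verdict).
USER_WRITABLE = re.compile(r"%temp%|%appdata%|%localappdata%|\\appdata\\|\\temp\\|\\users\\public\\", re.I)
# Binary names that belong under %windir%; a copy elsewhere is masquerading.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIR = re.compile(r"%windir%|%systemroot%|\\windows\\", re.I)
SCRIPT_HOST = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b", re.I)
HIDDEN_OR_ENCODED = re.compile(r"-enc(odedcommand)?\b|-w(indowstyle)? hidden|-nop\b", re.I)
SCRIPT_FILE = re.compile(r"\.(vbs|js|jse|hta|ps1|bat|cmd)\b", re.I)


def parse_reg_query(text):
    """Yield (key, value_name, value_type, data) from `reg query` output."""
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):          # un-indented line is a key path
            key = raw.strip()
            continue
        parts = re.split(r"\s{4,}", raw.strip(), maxsplit=2)
        if len(parts) == 3 and key:
            name, vtype, data = parts
            yield key, name, vtype, data


def classify_entry(data):
    """Return the list of review reasons for one Run value's data string."""
    reasons = []
    if USER_WRITABLE.search(data):
        reasons.append("user_writable_path")
    exe = re.search(r"([^\\\s\"]+\.exe)", data, re.I)
    if exe and exe.group(1).lower() in SYSTEM_NAMES and not SYSTEM_DIR.search(data):
        reasons.append("system_binary_name_outside_windows_dir")
    if SCRIPT_HOST.search(data):
        reasons.append("script_host")
        if HIDDEN_OR_ENCODED.search(data):
            reasons.append("hidden_or_encoded_command_line")
    if SCRIPT_FILE.search(data):
        reasons.append("script_file")
    return reasons


def review_run_keys(text):
    """Map 'KEY\\ValueName' -> reasons for every autostart entry that needs a look."""
    flagged = {}
    for key, name, _vtype, data in parse_reg_query(text):
        reasons = classify_entry(data)
        if reasons:
            flagged[f"{key}\\{name}"] = reasons
    return flagged


if __name__ == "__main__":
    for entry, reasons in review_run_keys(REG_QUERY_OUTPUT).items():
        print(entry, "->", ", ".join(reasons))
```

Legitimate per-user software such as OneDrive also starts from AppData, so "user_writable_path" marks an entry for review rather than declaring it malicious; the other reasons are much stronger signals.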

Why is it Important?

✅ Controls system settings and configurations
✅ Stores user preferences (wallpapers, themes, etc.)
✅ Helps programs run properly
✅ Used for troubleshooting and fixing system issues

Key Components of the Windows Registry:

✔ HKEY_LOCAL_MACHINE (HKLM) – Stores system-wide settings, including hardware
configurations, drivers, and installed software.
✔ HKEY_CURRENT_USER (HKCU) – Contains settings specific to the currently logged-in
user, such as desktop preferences and installed applications.
✔ HKEY_CLASSES_ROOT (HKCR) – Manages file associations and Object Linking and
Embedding (OLE) settings.
✔ HKEY_USERS (HKU) – Stores user-specific settings for all users on the system.
✔ HKEY_CURRENT_CONFIG (HKCC) – Contains information about the current hardware
profile.

Accessing the Windows Registry:

→ Open Run (Win + R) → Type regedit → Press Enter

Common Use Cases in Windows Servers

✔ Managing Active Directory and Group Policy settings.
✔ Configuring network and security policies.
✔ Controlling server startup behavior and installed software.
✔ Investigating server misconfigurations and security breaches.

Linux Configuration Files (Alternative to Windows Registry)

Unlike Windows, Linux does not have a centralized registry. Instead, it stores system and
user configurations in text-based configuration files.

Key Configuration File Locations in Linux:

🟠 /etc/ – Contains system-wide configuration files (e.g., network settings, user accounts,
and service configurations).
🟠 /home/user/.config/ – Stores user-specific settings for applications and desktop
environments.
🟠 /var/lib/ – Maintains application data and databases (similar to registry entries in
Windows).
🟠 /proc/ – A virtual filesystem containing real-time system and kernel information.

Common Use Cases in Linux Servers

✔ Managing network configurations (/etc/network/interfaces).
✔ Controlling system boot settings (/etc/systemd/).
✔ Setting up user and group permissions (/etc/passwd, /etc/group).
✔ Managing software packages (/etc/apt/sources.list).

📌 How to Edit Linux Configuration Files?

● Use nano or vim (sudo nano /etc/sysctl.conf)
● Modify environment variables using export VAR=value.

📌 Key Differences Between Windows Registry and Linux Configuration

Event logs

Event logs record system activities, security events, and errors, helping administrators and
forensic analysts troubleshoot and investigate issues.

Windows Event Logs

Definition: Logs that record system, application, and security events.

Types:

● System Log – OS-related events (e.g., driver failure)
● Application Log – Events from running apps
● Security Log – Login attempts, privilege changes (very useful in forensics)

Function:

● Used for auditing, troubleshooting, and forensic analysis

Tool: Event Viewer (eventvwr.msc)

Windows Event Logs

Windows logs events using Event Viewer (eventvwr.msc), which categorizes logs into
different sections.

✅ System Logs record OS-related events such as hardware issues, driver failures, and
shutdowns. These logs are useful for troubleshooting system crashes and performance issues.
✅ Security Logs track logins, failed login attempts, and access control changes. They are
critical for intrusion detection and compliance auditing.
✅ Application Logs store events from installed applications, including software crashes and
updates. These logs help diagnose program failures and compatibility issues.
✅ Setup Logs record Windows installation and update activities. They are useful for
troubleshooting failed updates or installations.
✅ Forwarded Logs collect logs from remote computers for centralized monitoring.

→ Access Windows Logs:
Open Run (Win + R) → Type eventvwr → Press Enter
Use PowerShell (Get-EventLog or Get-WinEvent) for log analysis.

Linux Event Logs

Linux logs events in text-based log files, mostly stored in /var/log/.

✅ Syslog (/var/log/syslog or /var/log/messages) is the main system log that records
general system activity. It helps monitor system health and troubleshoot issues.
✅ Authentication Log (/var/log/auth.log) keeps track of login attempts, SSH
connections, and sudo commands, helping detect unauthorized access.
✅ Kernel Log (/var/log/kern.log) records kernel-level activities, including hardware
failures and driver issues, useful for debugging crashes and security analysis.
✅ Boot Log (/var/log/boot.log) contains details of system startup processes, helping
identify boot failures and performance issues.
✅ Application Logs (/var/log/app_name/) store logs for services like Apache
(/var/log/apache2/), MySQL, and Nginx, essential for troubleshooting and security
monitoring.

📌 Accessing Linux Logs:

→ Use cat, less, or tail (tail -f /var/log/syslog) to view logs.
→ Use journalctl -xe for systemd-based logs.
Linux Forensics: Linux File systems, Linux server configurations, Linux artifacts, Apache server forensics, LAMP forensics, SMB and Linux file shares

1️⃣ Linux File Systems

🔹 Definition:
A file system manages how data is stored and retrieved. Linux uses various file systems.

Common file systems: ext2, ext3, ext4, XFS, Btrfs.

🔹 Key Forensic Concepts:

● Inodes: Store metadata about files (owner, permissions, timestamps).
● Timestamps:
   atime – Last access time
   mtime – Last modified time
   ctime – Last metadata change time
● Journal Recovery (ext3/ext4): Helps recover recently deleted or modified files.
● Unallocated space: Potential source of deleted data remnants.

🔹 Features:
● Inodes: Store metadata (permissions, timestamps, etc.)
● Journaling (ext3/ext4): Logs changes before applying them (useful for recovery).
● Mount Points: Attach file systems to directories.
● Permissions & Ownership: Control access (user/group/others).

🔹 Tools:
extundelete, debugfs, fsstat, fls, blkls (TSK tools)
Autopsy or The Sleuth Kit for timeline creation and file recovery

2️⃣ Linux Server Configurations

🔹 Definition:
Configuration files control the behavior of services, users, permissions, and startup processes
in a Linux server.

🗂️ Key Configuration Files

● /etc/ssh/sshd_config – SSH server settings (look for changed ports, root login enabled, etc.)
● /etc/passwd – User account information
● /etc/shadow – Hashed (not plaintext) user passwords (root-only access)
● /etc/sudoers – Sudo privileges; check for unauthorized users

Important Log Files

● /var/log/auth.log – Authentication events (Debian/Ubuntu)
● /var/log/syslog – System messages
● /var/log/messages – General logs (common in RHEL/CentOS)

⏰ Scheduled Tasks (Cron Jobs)

● Check user cron jobs: crontab -l
● Check system-wide cron: /etc/crontab, /etc/cron.*
● Look for suspicious entries or scripts running at odd times

User Activity & Management

● lastlog – Last login of all users
● w, who – Currently logged-in users
● id, groups – Check user/group memberships

🔹 Features:
● /etc/passwd, /etc/shadow: User info and password hashes.
● /etc/ssh/sshd_config: SSH settings.
● /etc/sudoers: Privilege escalation.
● Crontab Files: Scheduled tasks (may indicate persistence).
● Systemd and init.d: Manage system services and startup scripts.

🔹 Forensic Function:
● Detect unauthorized users or changes.
● Identify privilege escalation paths.
● Spot persistence mechanisms (cron jobs, rc.local, systemd services).
● Analyze service configurations for security issues.
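The checks listed under "Forensic Function" can be scripted against copies of the configuration files taken from the image. The following is an added example (not from the original notes) that audits /etc/passwd for extra UID 0 accounts, system accounts with login shells and home directories in temp locations, /etc/sudoers for NOPASSWD: ALL rules, and /etc/crontab for jobs that run from temp directories or download-and-execute code. The file contents, account names and paths are constructed.

```python
import re

# Constructed sample contents of /etc/passwd, /etc/sudoers and /etc/crontab
# (not from the document); the account names and paths are hypothetical.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0::/tmp:/bin/bash
"""
SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
backup2 ALL=(ALL) NOPASSWD: ALL
"""
CRONTAB = """\
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root /dev/shm/.update.sh
30 2 * * * alice /home/alice/bin/backup.sh
"""

TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")
# "curl ... | sh" or "wget ... ; bash" style download-and-execute pipelines
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b[^|;]*[|;]\s*(ba|z)?sh\b")
# user  host=(runas)  [TAG:]* command   (simplified sudoers grammar)
SUDO_RULE = re.compile(r"^(?P<who>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$")


def audit_passwd(text):
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, home, shell = line.split(":")
        uid = int(uid)
        if uid == 0 and name != "root":
            findings.append(f"passwd: extra UID 0 account '{name}'")
        if 0 < uid < 1000 and shell not in NOLOGIN_SHELLS:
            findings.append(f"passwd: system account '{name}' has login shell {shell}")
        if (home + "/").startswith(TEMP_DIRS):
            findings.append(f"passwd: account '{name}' has home directory {home}")
    return findings


def audit_sudoers(text):
    findings = []
    for line in text.splitlines():
        m = SUDO_RULE.match(line.strip())
        if m and "NOPASSWD:" in m["tags"] and m["cmd"].strip() == "ALL":
            findings.append(f"sudoers: '{m['who']}' has NOPASSWD: ALL (runas {m['runas']})")
    return findings


def audit_crontab(text):
    """System crontab format: five time fields, user, command."""
    findings = []
    for line in text.splitlines():
        fields = line.split(None, 6)
        if len(fields) < 7 or not re.match(r"[\d*/,-]+$", fields[0]):
            continue  # variable assignments, comments, blank lines
        user, command = fields[5], fields[6]
        if any(d in command for d in TEMP_DIRS):
            findings.append(f"crontab: job for '{user}' runs from a temporary directory: {command}")
        if DOWNLOAD_EXEC.search(command):
            findings.append(f"crontab: job for '{user}' downloads and executes code: {command}")
    return findings


def audit_all(passwd=PASSWD, sudoers=SUDOERS, crontab=CRONTAB):
    return audit_passwd(passwd) + audit_sudoers(sudoers) + audit_crontab(crontab)


if __name__ == "__main__":
    print("\n".join(audit_all()))
```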
3️⃣ Linux Artifacts

🔹 Definition:
Artifacts are traces left by user/system activity, useful in forensic investigations.

🔹 Features:
● Bash History: ~/.bash_history
● Login Records: last, who, w, lastlog
● Log Files: /var/log/auth.log, /var/log/syslog, /var/log/messages
● Process Info: /proc, ps, top
● Package Info: /var/log/apt/history.log, dpkg, rpm

🔹 Forensic Function:
● Reconstruct user activity.
● Identify intrusion attempts or suspicious logins.
● Detect unauthorized processes or network activity.
● Trace file changes and application installs.

4️⃣ Apache Server Forensics

Definition: Apache is one of the most widely used open-source web servers. Forensics focuses
on investigating attacks or misuse of web services hosted using Apache.
(or) Apache is a widely used web server on Linux. Forensics involves analyzing logs and
configurations for attack traces.

🔑 Key Features:
● Access Logs (/var/log/apache2/access.log or /var/log/httpd/access_log)
   ○ Records every HTTP request made to the server (IP, URL, timestamp, status code, user agent).
● Error Logs (/var/log/apache2/error.log)
   ○ Captures server-side issues, misconfigurations, script errors.
● .htaccess files
   ○ Local directory access rules; can be abused to hide malware or redirect requests.
● Config Files (/etc/apache2/apache2.conf, httpd.conf)
   ○ Defines virtual hosts, directories, ports, and modules.

Forensic Functions:

● Detect attacks:
   ○ SQL injection, XSS, path traversal, log poisoning, file uploads.
● Log Analysis:
   ○ Find anomalies in user agents, IPs, or repetitive request patterns.
● Backdoor Traces:
   ○ Look for unusual .php, .cgi, or .pl files in web directories.
● Check for web shells:
   ○ Files like cmd.php, shell.php, etc.
● Timeline Creation:
   ○ Reconstruct attacker steps from logs.
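The log-analysis and web-shell checks above, as an added example that is not part of the original notes: a parser for Apache's combined log format that URL-decodes each request path, tags entries matching path traversal, SQL injection, known web-shell file names, scripts executed from an upload directory, and scanner user agents, and counts requests per source IP so repetitive patterns stand out. The log lines and RFC 5737 addresses are constructed; the indicator rules are a starting set to be extended for the site under investigation.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not from the document).
ACCESS_LOG = """\
198.51.100.23 - - [10/Mar/2024:14:40:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [10/Mar/2024:14:41:10 +0000] "GET /products.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 8800 "-" "sqlmap/1.7"
203.0.113.5 - - [10/Mar/2024:14:41:12 +0000] "GET /download.php?file=../../../../etc/passwd HTTP/1.1" 200 1800 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2024:14:42:30 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 120 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2024:14:42:45 +0000] "GET /uploads/cmd.php?c=id HTTP/1.1" 200 44 "-" "curl/8.0"
198.51.100.23 - - [10/Mar/2024:14:43:00 +0000] "GET /about.html HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicator rules applied to the URL-decoded request path, in this order.
RULES = [
    ("path_traversal", re.compile(r"\.\./")),
    ("sql_injection", re.compile(r"""('|")\s*(or|and)\s+\S+\s*=|union\s+select|--\s*$""", re.I)),
    ("web_shell_name", re.compile(r"/(cmd|shell|c99|r57)\.(php|cgi|pl)\b", re.I)),
    ("script_in_upload_dir", re.compile(r"/uploads/[^?]*\.(php|cgi|pl)\b", re.I)),
]
SCANNER_UA = re.compile(r"sqlmap|nikto|nmap|masscan", re.I)


def parse_access_line(line):
    """Return a dict of the combined-log fields plus the decoded path, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = unquote(rec["path"])   # %27 -> ', %20 -> space, ...
    return rec


def classify(rec):
    """Labels of every indicator rule this request matches."""
    labels = [label for label, rx in RULES if rx.search(rec["decoded_path"])]
    if SCANNER_UA.search(rec["ua"]):
        labels.append("scanner_user_agent")
    return labels


def analyze(log_text):
    """(requests per IP, [(timestamp, ip, decoded path, labels)] for flagged lines)."""
    per_ip, findings = Counter(), []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue
        per_ip[rec["ip"]] += 1
        labels = classify(rec)
        if labels:
            findings.append((rec["ts"], rec["ip"], rec["decoded_path"], labels))
    return per_ip, findings


def suspect_ips(findings, min_hits=2):
    """IPs with at least min_hits flagged requests: the repetitive-pattern check."""
    hits = Counter(ip for _ts, ip, _path, _labels in findings)
    return {ip: n for ip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    per_ip, findings = analyze(ACCESS_LOG)
    for ts, ip, path, labels in findings:
        print(f"{ts} {ip:<15} {','.join(labels):<40} {path}")
    print("suspect IPs:", suspect_ips(findings), "requests per IP:", dict(per_ip))
```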

5️⃣ LAMP Forensics (Linux, Apache, MySQL, PHP)

🔹 Definition:
LAMP is a popular stack for web applications. Forensics involves analyzing all components for
signs of compromise. (or)

LAMP is a common stack for hosting dynamic websites or applications:
Linux OS, Apache Web Server, MySQL Database, PHP Scripting.

Key Components & Artifacts:

● Linux:
   ○ System logs, bash history, file changes.
● Apache:
   ○ Access/Error logs, configuration, .htaccess, suspicious scripts.
● MySQL:
   ○ Query history, database dumps, logs (/var/log/mysql/error.log).
● PHP:
   ○ Application code, logs (/var/log/php_errors.log), suspicious eval/exec calls.

Forensic Functions:

● Web Application Attacks:
   ○ SQL Injection (check MySQL queries), XSS, RCE via PHP.
● Data Tampering Detection:
   ○ Unusual database queries or changes.
● PHP Backdoor Analysis:
   ○ Check for obfuscated code using eval(), base64_decode(), system().
● PHP Upload Abuse:
   ○ Attackers might upload backdoors through vulnerable forms.
● Full Stack Trace:
   ○ Follow logs from user request → Apache → PHP → MySQL.

6️⃣ SMB and Linux File Shares

🔹 Definition:
SMB (Server Message Block) is used for file and printer sharing, implemented on Linux using
Samba. (or)

SMB (Server Message Block) is a file-sharing protocol originally from Windows. On Linux, it is
implemented using Samba to allow sharing files/folders over a network.

Key Components:

● Configuration File: /etc/samba/smb.conf
   ○ Defines shared directories, access rules, permissions.
● Samba Logs (Log Files):
   ○ /var/log/samba/ for general logging.
● User Management:
   ○ Samba users and passwords may differ from Linux system users.

Forensic Functions:

● Unauthorized File Access:
   ○ Review logs to track unauthorized access or uploads (track shared resource access).
● File Tampering/Exfiltration:
   ○ Check if sensitive files were copied, edited, or deleted (detect unauthorized file transfers or access).
● Privilege Escalation:
   ○ Misconfigured shares (guest ok = yes, write access to all) can be abused.
● Indicators of Malware Spread:
   ○ Worms or ransomware spreading via network shares.
● Analyze Samba logs for suspicious file operations.
● Investigate permissions, access control, and sharing behavior.
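The "misconfigured shares" check can be done directly against a copy of /etc/samba/smb.conf. The script below is an added example (not from the original notes or the Samba project): it parses the file, resolves Samba's synonym parameters the way smbd does ("public" = "guest ok"; "writable"/"writeable"/"write ok" are the inverse of "read only", default read only, last one written wins) and reports shares that allow anonymous access, writable shares on temp paths, and a global "map to guest" setting that turns failed logins into guest sessions. The share names and paths are constructed.

```python
# Constructed sample smb.conf (not from the document); share names and paths
# are hypothetical.
SMB_CONF = """\
[global]
   workgroup = CORP
   map to guest = Bad User
[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no
[finance]
   path = /srv/samba/finance
   valid users = @finance
   read only = yes
   writable = no
[tmpshare]
   path = /tmp/share
   public = yes
   writable = yes
"""

TRUE_VALUES = ("yes", "true", "1")


def parse_smb_conf(text):
    """{section: {param: value}} in file order; parameter names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def is_guest_ok(params):
    # 'public' is a synonym of 'guest ok'; whichever is written last wins.
    guest = False
    for key, value in params.items():
        if key in ("guest ok", "public"):
            guest = value.lower() in TRUE_VALUES
    return guest


def is_writable(params):
    # 'read only' and 'writable'/'writeable'/'write ok' are inverse synonyms;
    # Samba's default is read only = yes, and the last one written wins.
    writable = False
    for key, value in params.items():
        if key == "read only":
            writable = value.lower() not in TRUE_VALUES
        elif key in ("writable", "writeable", "write ok"):
            writable = value.lower() in TRUE_VALUES
    return writable


def audit_shares(text):
    """{share: [finding, ...]} for every share (and [global]) that needs review."""
    sections = parse_smb_conf(text)
    findings, any_guest = {}, False
    for name, params in sections.items():
        if name == "global":
            continue
        notes = []
        guest, writable = is_guest_ok(params), is_writable(params)
        any_guest = any_guest or guest
        if guest and writable:
            notes.append("anonymous write access")
        elif guest:
            notes.append("anonymous read access")
        path = params.get("path", "")
        if path.startswith(("/tmp", "/dev/shm", "/var/tmp")):
            notes.append(f"share path in a world-writable temp directory: {path}")
        if notes:
            findings[name] = notes
    # Samba's default for 'map to guest' is Never; anything else downgrades
    # failed authentication to a guest session on the guest-enabled shares.
    if any_guest and sections.get("global", {}).get("map to guest", "Never").lower() != "never":
        findings["global"] = ["map to guest is set: failed logins become guest sessions"]
    return findings
```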
