Unit 3 (CF)

Network forensics is a specialized field focused on analyzing network traffic and digital evidence related to networking. The OSI model, consisting of seven layers, standardizes communication processes between network systems, while various forensic artifacts like DHCP logs, DNS traffic, and firewall logs provide insights into network activities. Additionally, tools such as Wireshark, Network Miner, and Xplico aid in network forensic investigations, and mobile forensics techniques are evolving to address challenges posed by advancements in mobile technology.

Uploaded by

22cc005

UNIT-III - NETWORK FORENSICS

NETWORK FORENSICS

Network Forensics is a sub-branch of cyber forensics that revolves around examining networking-related digital evidence. It involves monitoring, recording, analyzing, and interpreting network traffic.

Components of Network Forensics:


• Packet capture and analysis
• Network device acquisition
• Incident response

OSI MODEL

Designed by the International Organization for Standardization (ISO), the Open Systems Interconnection (OSI) model is a seven-layered networking concept that is used to define networking between systems. It was developed in 1984 to chalk out the guidelines for interoperability between computer network manufacturers. This model helps our understanding of how our networks communicate with each other and elaborates the process. The OSI model allows all network components to function together irrespective of the manufacturer by standardizing the functions of a communication system.
These seven layers are divided into two groups: upper and lower layers. While the upper layers focus on user applications and file representation prior to transport, the lower layers oversee the communication across the network.

Layer 1: Physical Layer

Starting from the bottom, this is the lowest layer of the OSI model, which is concerned with the transmission and reception of an unstructured raw bit stream over a physical medium. It is referred to as the hardware layer of the model. Networking devices such as cables, Ethernet, hubs, switches, repeaters, etc., work on this layer.
Functions:
• Data encoding
• Transmission
Layer 2: Data Link Layer
This layer provides the error-free transfer of data frames between
nodes over the physical layer. This layer is also responsible for taking
data from the upper layers and converting them into bits that are to be
transferred across the physical wire, and vice versa. It is split into two
layers:
• Logical Link Control (LLC) – LLC is responsible for providing end-to-end flow and error control, and multiplexing the different protocols of the MAC layer of the DLL.
• Media Access Control (MAC) – MAC provides a unique addressing identification and channel access control mechanism for network nodes to communicate with each other.

Layer 3: Network Layer


The Network Layer of the OSI model is responsible for routing, addressing, fragmentation, reassembly, and error reporting. Routers operate at this layer, determining the best path for data using logical addresses (IP addresses). It also handles fragmentation when packets need to be adjusted for different network protocols.
Key protocols in this layer include:
● IP (Internet Protocol): Defines rules for addressing and routing data across networks (IPv4 or IPv6).
● RIP (Routing Information Protocol): A protocol for routers to share routing information.
● OSPF (Open Shortest Path First): A link-state protocol used for efficient routing by exchanging topology information.
● IPX (Internetwork Packet Exchange): A protocol mainly used in Novell NetWare systems for packet switching in networks.

Layer 4: Transport Layer

The Transport Layer (Layer 4) of the OSI model ensures reliable data transfer between end systems using flow control, segmentation, de-segmentation, and error control. It operates end-to-end and enables communication between multiple applications through multiplexing.
Key functions:
● Flow control: Managed via buffering (temporary memory) and windowing (indicating how much data can be sent).
● Segmentation: Data is divided into smaller segments for transmission and reassembled at the destination.
● Protocols: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) use port numbers for multiplexing and de-multiplexing.
● Acknowledgments: Positive (for successfully received data) and negative (for missing or corrupted data) acknowledgments ensure reliable transfer.

TCP Flags help manage connections and data transfer:

● SYN: Starts connection.
● ACK: Acknowledges receipt of data.
● FIN: Requests connection termination.
● URG: Marks urgent data.
● PSH: Pushes data immediately.
● RST: Resets connection.
● ECE, CWR, NS: Flags for congestion control and security (experimental).
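As an added example (not part of these notes), the following Python script decodes the IPv4 header (Layer 3) and the TCP header (Layer 4) from raw packet bytes and names the flags set in each segment, which is exactly the information an investigator reads off a capture to reconstruct connection setup and teardown. The packets it parses are constructed inline by build_packet() (a helper invented for this example; checksums are left at zero), so the script runs offline; in an investigation parse_packet() would be applied to each record pulled from a capture file.

```python
"""Decode IPv4 and TCP headers from raw packet bytes and name the TCP flags.

Added example, not part of the original notes. The sample packets are
constructed below with build_packet() so the script runs offline; in an
investigation the bytes would come from a capture file or a live sniffer.
"""
import struct

# Bit values of the nine TCP flags in the 16-bit "data offset / reserved / flags" word.
TCP_FLAG_BITS = {
    "NS": 0x100, "CWR": 0x080, "ECE": 0x040, "URG": 0x020, "ACK": 0x010,
    "PSH": 0x008, "RST": 0x004, "SYN": 0x002, "FIN": 0x001,
}
IPPROTO_TCP = 6


def parse_ipv4_header(packet: bytes) -> dict:
    """Return the fields of an IPv4 header that a forensic timeline needs (Layer 3)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", packet[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "ihl": (ver_ihl & 0x0F) * 4,            # header length in bytes (20 without options)
        "total_len": total_len, "ttl": ttl, "protocol": proto,
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
    }


def parse_tcp_header(segment: bytes) -> dict:
    """Return ports, sequence numbers and the list of set flag names (Layer 4)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than a minimal TCP header")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", segment[:16])
    data_offset = (off_flags >> 12) * 4         # upper 4 bits: header length in 32-bit words
    flags_raw = off_flags & 0x1FF               # lower 9 bits: NS plus the eight classic flags
    flags = [name for name, bit in TCP_FLAG_BITS.items() if flags_raw & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
            "flags": flags, "payload": segment[data_offset:]}


def parse_packet(packet: bytes) -> dict:
    """Parse the IPv4 header and, for protocol 6, the TCP header that follows it."""
    ip = parse_ipv4_header(packet)
    tcp = parse_tcp_header(packet[ip["ihl"]:ip["total_len"]]) if ip["protocol"] == IPPROTO_TCP else None
    return {"ip": ip, "tcp": tcp}


def classify_segment(flags) -> str:
    """Map a flag combination to the connection event it represents on a timeline."""
    f = set(flags)
    if "RST" in f:
        return "reset"
    if {"SYN", "ACK"} <= f:
        return "handshake SYN-ACK"
    if "SYN" in f:
        return "handshake SYN"
    if "FIN" in f:
        return "teardown FIN"
    return "data or ACK"


def build_packet(src: str, dst: str, sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Constructed test packet: minimal IPv4 + TCP headers, checksums left at zero."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + tcp


if __name__ == "__main__":
    # A constructed three-way handshake followed by a reset, as it might appear in a capture.
    sample = [
        build_packet("10.0.0.5", "10.0.0.9", 40000, 443, TCP_FLAG_BITS["SYN"]),
        build_packet("10.0.0.9", "10.0.0.5", 443, 40000, TCP_FLAG_BITS["SYN"] | TCP_FLAG_BITS["ACK"]),
        build_packet("10.0.0.5", "10.0.0.9", 40000, 443, TCP_FLAG_BITS["ACK"]),
        build_packet("10.0.0.9", "10.0.0.5", 443, 40000, TCP_FLAG_BITS["RST"]),
    ]
    for raw in sample:
        p = parse_packet(raw)
        print(f'{p["ip"]["src"]}:{p["tcp"]["sport"]} -> {p["ip"]["dst"]}:{p["tcp"]["dport"]} '
              f'flags={"/".join(p["tcp"]["flags"])} ({classify_segment(p["tcp"]["flags"])})')
```

Run directly, it prints the four-segment sequence with its flags and the event each one represents; a SYN without a following SYN-ACK, or a burst of RSTs, is the kind of pattern that stands out once every segment is labelled this way.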

Layer 5: Session Layer

The fifth layer of the OSI creates, manages, and terminates sessions
between applications at each end. The Session Layer is responsible
for coordinating the service requests and responses between
applications and hosts. There are three types of connections in the
Session Layer –
• Simplex – One-way transmission only; here data only travels in a single direction.
• Half Duplex – Data can travel in both directions but not at the same time.
• Full Duplex – Two-way communication at the same time. Simply, it is two simplex connections.

Layer 6: Presentation Layer

The Presentation Layer is the sixth layer of the OSI model and is responsible for data representation, as it controls the formatting and syntax of user data. The key features of this layer include data representation, compression, and security. The Presentation Layer enforces standards that have been developed for formatting data types: that is, Rich Text Format (RTF) and ASCII for text, and MIDI and MP3 for audio. This layer encrypts, compresses, and decrypts the data sent and received over the network. The Presentation Layer is also known as the syntax layer, due to its key role in employing appropriate standard formats of data.
Layer 7: Application Layer

This is the final and the topmost layer of the OSI model. This layer
provides an interface for the user to interact with the network with the
help of a software application. FTP, HTTP, and Telnet operate on the
Application Layer. Application services such as file transfer, email, net
surfing, and other such services are provided by the Application Layer.

Network Forensic Artifacts

Forensic artifacts that are related to networking and communication fall under the category of Network Forensic artifacts. These artifacts provide evidence or insights into network communication. They can be generated from Dynamic Host Configuration Protocol (DHCP) servers, Domain Name System (DNS) servers, Web Proxy Servers, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and firewalls.

1. Dynamic Host Configuration Protocol (DHCP):

Before sending any data on the network, the computer must contact the DHCP
server to assign it an IP address. DHCP logs can be an excellent
source of information, and the forensic investigator can determine
when a computer joined the network, when it was present on the
network, and the time frame when it left the network.
2. Network Time Protocol (NTP): It provides accurate time services on the network and allows for consistency among computers on a network.
3. Domain Name System (DNS): DNS request/response traffic provides valuable information about when communication with a particular host began, since the first step in the communication process is to resolve the hostname to an IP address.
4. Web Proxy logs: They capture web traffic requests and responses. They also hold cached copies of resources retrieved from web servers, which can include copies of files, such as malware, that were retrieved from a web server.
5. Firewalls: Firewalls perform packet inspection and make decisions on what traffic should be forwarded, logged, and blocked. Firewalls can be configured to log traffic at various levels of detail based on the needs of the organization, and these logs can be used by the forensic investigator for analysis.
6. Intrusion Detection System (IDS) and Intrusion Prevention System (IPS): An Intrusion Detection System (IDS) monitors network traffic for suspicious activity and logs alerts without intervening, while an Intrusion Prevention System (IPS) not only detects but also prevents and logs potential attacks.
Network Forensic Artifacts include:
● Firewalls: Logs of dropped and denied IPs.
● Routers: Logs, ping requests, and device information.
● Email Clients: Headers and email addresses for investigation.
These artifacts help forensic investigators trace and analyze network security incidents.
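The artifacts listed above are most useful when correlated: a DHCP lease ties an IP address to a MAC address and hostname for a time window, and only within that window can a DNS query or a firewall drop logged against that IP be attributed to a device. The following Python script, added here as an example and not part of the original notes, builds such a per-host timeline. The log lines and their formats (dhcpd-, BIND- and iptables-style text) are constructed for this demonstration; the regular expressions would be adapted to the actual log sources in a real case.

```python
"""Build a per-host timeline by correlating DHCP, DNS and firewall log lines.

Added example, not from the original notes. The log lines and their formats
are constructed for this demonstration (dhcpd-, BIND- and iptables-style text);
adjust the regular expressions to the real log sources in an investigation.
"""
import re
from datetime import datetime

DHCP_RE = re.compile(r"^(?P<ts>\S+) dhcpd: DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17}) \((?P<host>[^)]*)\)")
DNS_RE = re.compile(r"^(?P<ts>\S+) named: client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")
FW_RE = re.compile(r"^(?P<ts>\S+) fw: (?P<action>ACCEPT|DROP) .*SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
                   r"PROTO=(?P<proto>\S+)(?: DPT=(?P<dpt>\d+))?")

# Constructed sample: the same IP is leased to two different devices on one day.
SAMPLE_LOGS = [
    "2024-03-04T09:12:01 dhcpd: DHCPACK on 10.0.0.57 to aa:bb:cc:dd:ee:01 (lab-pc7) via eth0",
    "2024-03-04T09:12:05 named: client 10.0.0.57#51234: query: update.example-cdn.test IN A +",
    "2024-03-04T09:12:07 fw: DROP IN=eth0 OUT=eth1 SRC=10.0.0.57 DST=203.0.113.9 PROTO=TCP DPT=4444",
    "2024-03-04T13:40:00 dhcpd: DHCPACK on 10.0.0.57 to aa:bb:cc:dd:ee:02 (printer-3) via eth0",
    "2024-03-04T13:41:10 fw: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.57 DST=198.51.100.20 PROTO=TCP DPT=443",
]


def parse_line(line: str):
    """Return a dict with a 'kind' key (dhcp/dns/fw) and a datetime 'ts', or None for unknown lines."""
    for kind, rx in (("dhcp", DHCP_RE), ("dns", DNS_RE), ("fw", FW_RE)):
        m = rx.match(line)
        if m:
            event = m.groupdict()
            event["kind"] = kind
            event["ts"] = datetime.fromisoformat(event["ts"])
            return event
    return None


def lease_owner(events, ip: str, at: datetime):
    """(mac, hostname) of the most recent DHCPACK for `ip` at or before `at`, or None.

    Because DHCP reassigns addresses, an IP in a DNS or firewall log only identifies
    a device when it is matched against the lease that was active at that moment."""
    owner = None
    for e in events:  # events are sorted by time, so the last match wins
        if e["kind"] == "dhcp" and e["ip"] == ip and e["ts"] <= at:
            owner = (e["mac"], e["host"])
    return owner


def host_timeline(lines, ip: str):
    """Return [(ts, source, mac_or_None, description)] for everything attributable to `ip`."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    timeline = []
    for e in events:
        if e["kind"] == "dhcp" and e["ip"] == ip:
            timeline.append((e["ts"], "dhcp", e["mac"], f"lease of {ip} to {e['mac']} ({e['host']})"))
        elif e["kind"] == "dns" and e["ip"] == ip:
            owner = lease_owner(events, ip, e["ts"])
            timeline.append((e["ts"], "dns", owner[0] if owner else None, f"query {e['name']} {e['qtype']}"))
        elif e["kind"] == "fw" and e["src"] == ip:
            owner = lease_owner(events, ip, e["ts"])
            port = e["dpt"] or "-"
            timeline.append((e["ts"], "fw", owner[0] if owner else None,
                             f"{e['action']} {e['proto']} to {e['dst']}:{port}"))
    return timeline


if __name__ == "__main__":
    for ts, source, mac, text in host_timeline(SAMPLE_LOGS, "10.0.0.57"):
        print(f"{ts.isoformat()} [{source:4}] {mac or 'unknown-device'} {text}")
```

The point of the sample data is the second lease: the 09:12 DROP to port 4444 is attributed to lab-pc7, while the 13:41 ACCEPT from the same address belongs to printer-3. Without the DHCP log the two events would wrongly be pinned on one device, which is also why the notes stress NTP: the comparison `e["ts"] <= at` only works if all three log sources share a consistent clock.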

ICMP Attacks

ICMP, or Internet Control Message Protocol, belongs to the IP protocol family. It is a connectionless protocol, and it does not use any port number. It is used for diagnostics, error reporting, and querying a web server. Since ICMP carries no data and usually carries messages alerting errors and message reply reports, it is often ignored by the firewall. Therefore, hackers use ICMP to send payloads. Here’s a short summary of the attacks:
● ICMP Sweep Attack: Sends multiple ICMP requests to identify active hosts on a network, often used to find targets for further attacks. It can also be a form of Smurf attack, where ICMP requests are broadcast to multiple destinations, causing network congestion.
● Traceroute Attack: Uses the Traceroute tool to map network routes by sending packets with increasing TTL values. This can reveal network topology and help attackers identify vulnerabilities in the route.
● Inverse Mapping Attack: Sends ICMP reply messages to a range of IPs, bypassing firewalls or filters. The response can reveal internal network details, such as unreachable hosts.
● ICMP Smurf Attack: Spoofs the source address of ICMP echo requests and broadcasts them to all devices on a network. This results in a flood of responses, overwhelming the victim’s network and causing a Denial of Service (DoS) attack.

NETWORK FORENSIC ANALYSIS TOOLS

Network forensics has advanced significantly, driven by the need to analyze network devices
and software logs. Developers have created various tools, including open-source options like
Wireshark, Xplico, and Network Miner, to aid forensic investigations.

1. WIRESHARK

Wireshark is a popular open-source network protocol analyzer with a user-friendly GUI and
command-line utility, *tshark*. It inspects various protocols, captures packets, and supports VoIP
analysis. Features include powerful display filters and compatibility with multiple capture formats
like Pcap, tcpdump, and Cisco IDS iplog.

CASE STUDY

Using Wireshark for malware detection involves file carving to extract executables from a pcap
file (e.g., *filee.pcap*). A hex editor can then refine the extracted file by removing unwanted
ASCII characters.
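The carving step in the case study above can be automated. The following Python script, added here as an example and not part of the original notes or of Wireshark, takes the bytes of a reassembled TCP stream and carves out any PE executable in it: it finds each MZ header, confirms the PE signature at the offset stored in e_lfanew, and bounds the file by the end of its last section, which replaces trimming the surrounding ASCII by eye in a hex editor. The stream it runs on is constructed inline (HTTP response headers, a minimal PE32 layout produced by build_sample_pe(), then trailing text); build_sample_pe and the other function names belong to this example only.

```python
"""Carve PE executables out of a reassembled TCP stream (the file-carving step above).

Added example, not from the original notes. A real investigation would feed
this the bytes of a reassembled stream exported from Wireshark; here the
stream is constructed inline: HTTP response headers, a minimal PE32 image
built by build_sample_pe(), then trailing text.
"""
import struct


def find_pe_offsets(stream: bytes):
    """Offsets of 'MZ' headers whose e_lfanew points at a valid PE signature."""
    offset = stream.find(b"MZ")
    while offset != -1:
        if offset + 0x40 <= len(stream):
            e_lfanew = struct.unpack_from("<I", stream, offset + 0x3C)[0]
            pe = offset + e_lfanew
            if 0x40 <= e_lfanew <= 0x400 and stream[pe:pe + 4] == b"PE\0\0":
                yield offset
        offset = stream.find(b"MZ", offset + 1)


def pe_file_size(stream: bytes, mz_off: int) -> int:
    """On-disk size from the section table: the furthest PointerToRawData + SizeOfRawData."""
    e_lfanew = struct.unpack_from("<I", stream, mz_off + 0x3C)[0]
    coff = mz_off + e_lfanew + 4                       # COFF header follows the 4-byte signature
    num_sections = struct.unpack_from("<H", stream, coff + 2)[0]
    opt_size = struct.unpack_from("<H", stream, coff + 16)[0]
    sections = coff + 20 + opt_size                    # absolute offset of the section table
    end = sections + 40 * num_sections - mz_off        # file-relative end of the headers
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", stream, sections + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def carve_pe_files(stream: bytes):
    """Return [(offset, bytes, complete)] for every PE found; complete=False if the stream ends early."""
    carved = []
    for off in find_pe_offsets(stream):
        try:
            size = pe_file_size(stream, off)
        except struct.error:                           # headers run past the end of the stream
            continue
        carved.append((off, stream[off:off + size], off + size <= len(stream)))
    return carved


def build_sample_pe(payload: bytes = b"\x90" * 64) -> bytes:
    """Constructed minimal PE32 layout (one .text section); not a runnable program."""
    opt_size, raw_ptr = 0xE0, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)  # i386, 1 section
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)              # PE32 magic
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(payload), 0x1000, len(payload),
                                            raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\0\0" + coff + opt + section
    return image + b"\0" * (raw_ptr - len(image)) + payload


HTTP_HEAD = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
SAMPLE_STREAM = HTTP_HEAD + build_sample_pe() + b"\r\n-- trailing session text --\r\n"

if __name__ == "__main__":
    for off, data, complete in carve_pe_files(SAMPLE_STREAM):
        print(f"PE at offset {off}: {len(data)} bytes, complete={complete}")
```

Bounding the file by its section table rather than by the next delimiter matters for two reasons: it drops the trailing protocol text that would otherwise change the file's hash, and it reports when the capture ended before the whole executable had been transferred, so a partial sample is not mistaken for the complete one.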

2. NETWORK MINER

Developed by NETRESEC in 2007, Network Miner is an open-source network analysis tool for detecting OS, open ports, and sessions without generating network traffic. It supports offline PCAP analysis and file regeneration, with free and professional versions.

CASE STUDY

Using Network Miner on Security Onion (an open-source Linux distro for security monitoring),
we analyze real-time network traffic (*RM-07072011.pcap*) to investigate network activities.

3. XPLICO
Developed by Gianluca Costa and Andrea de Franceschi, Xplico extracts application data using
Port Independent Protocol Identification (PIPI). It efficiently parses PCAP files and presents data
in graphs and tables, aiding analysis.

**Example**: An investigator uses Xplico to analyze network logs and identify employees
misusing office internet for unnecessary downloads.
CASE STUDY

Using DEFT, a Linux-based distro with preinstalled forensic tools, Xplico analyzes live network
traffic stored in the *RM-07072011.pcap* file.

MOBILE FORENSICS

Mobile Forensics is a branch of Digital Forensics. It is about the acquisition and analysis
of mobile devices to recover digital evidence for forensics investigations.

ANDROID OPERATING SYSTEM

Android is an open source operating system based on the Linux kernel, developed by Google for mobile devices. The T-Mobile G1 was the first Android handset the world saw, and since then Android has come a long way. Its releases are codenamed after popular confectionery items such as Kit Kat, Lollipop, Ice Cream Sandwich, etc. The back end of Android programming is done in Java and applications are run in a Dalvik virtual machine. Further, a unique id and key is provided to implement security measures, and applications can access device storage only if authorized by the user. User-granted permissions are used to restrict access to system features and user data.

Even though the protocols of Android Forensics are similar to Computer Forensics, there are many differences in the techniques employed, especially as Android supports different file systems. From an Android device, we obtain data such as Call Data Records (CDR), Contacts, Messages, app information, GPS locations, passwords, Wi-Fi networks, etc. The Android directory can be explored with the ‘adb shell’ that we will use and demonstrate. Android’s main partition is often formatted as YAFFS2 (Yet Another Flash File System), which is designed with embedded systems, mostly smartphones, in mind. Android supports the ext2, ext3, and ext4 file systems that are also used by Linux; it also supports vfat, which is used by Windows systems.
Manual Extraction

Manual extraction can be considered the first line of techniques used in forensic examination and remains the most noninvasive one. This is also a very basic technique, which can be adopted by law enforcement officers or experts who are not tech savvy. Experts can select what data they need and extract it at will, as it saves time and avoids the complexity of imaging. AF Logical OSE by NowSecure is a good tool for this.

1. Push AFLogical-OSE_1.5.2.apk via adb/USB connection/OTG drive onto the mobile device.
2. Install AF Logical OSE.
3. Open the app, select the parameters for extraction, and select ‘OK.’
4. Find the files in the ‘forensics’ folder and export them to a computer system for analysis.

Call records, Contacts, and Messages exports are created in .csv format, which
is accessible via many applications. An info file can also be retrieved, which is in
.xml format and consists of data about the device and the applications stored in
it.
Manual extraction process

Here we are using the Santoku operating system. Santoku is an open source operating system for mobile forensics, analysis, and security.

Here we have used a Sony Xperia phone running Jelly Bean 4.2 for demonstration.
1. Use the adb devices command to list all the connected devices. ADB drivers are built into the Santoku operating system.
2. Download the AFLogical OSE apk from https://github.com/nowsecure/android-forensics/downloads. Push the apk onto the device to install it. To do that, type the command:
adb -d install AFLogical-OSE_1.5.2.apk
3. We can see that AF Logical is installed on the Android device.
4. Open the application and select the parameters for extraction. Click on Capture after selecting all the parameters.
5. Once data extraction is done, call records, Contacts, and Messages exports are created in .csv format, which is accessible via many applications. An info file can also be retrieved, which is in .xml format and consists of data about the device and the applications stored in it. These files can be found in the File Manager ➤ sdcard ➤ forensics folder.
Physical Acquisition

This is the second line of a forensic technique used in mobile forensics. The forensics
investigators use tools to acquire a forensic image of the mobile device.

Chip-Off
Chip-Off is considered the last resort. As the name suggests, it involves removing the memory chip of the mobile device and mounting it on specific hardware for data acquisition and analysis of its contents. With the Chip-Off technique, examiners obtain a binary image of the memory chip, which is analyzed by specialized software. This is an advanced forensic method that even works for bricked and/or damaged devices. The nonvolatile memory component is removed and placed on a hardware reader via which data is acquired.

Here are the steps involved in Chip-Off forensic examination:

1. The memory chip is removed via de-soldering it.

2. The chip is cleaned and repaired (if necessary).

3. Memory chip is mounted on special hardware apparatus, and data is acquired.


Advantages:

• Useful for examination of devices in damaged condition.

• High probability of data acquisition if device is locked.

• Gives forensics investigators the freedom to craft data acquisition process.

Disadvantages:

• Heat and adhesive used to remove the memory chips may damage the circuit board.

• Reassembly of the device after examination is very difficult and mostly unsuccessful.

MICRO-READ

Micro-read examination involves the use of a high-powered electron microscope and observes output at the gate level. The device memory chip is shaved in extremely thin layers, and after that the data is read bit by bit from the source using an electron microscope or other device. It is a highly sophisticated technique, and very few entities offer Micro-read examination services. This method is used for high-value devices or damaged memory chips. Being such a complicated and expensive technique, it is reserved for only high-profile cases.

It is very difficult to find commercial tools for Micro-read. This might be a more
approachable technique in the near future.

Challenges in Mobile Forensics

With smartphones evolving at a staggering rate, mobile forensics is more challenging than ever. Every Android version release comes with updated features and security improvements, which many times impede the forensic process. As a new Android version is released, the forensic tools used in forensic examination often become redundant.
Apart from the software, with such a vast number of players in the market, a forensics examiner may encounter different types of hardware. Device specifications have become complex and vary among companies. This adds to the prep work of a forensic examiner, as they need proper tools to access the hardware. For example, we have seen the rise of USB Type-C connectors now being used by manufacturers in many devices.

Encryption in devices has gained critical momentum after data leak scandals around the world. People have become aware of their privacy rights and feel a need to protect their data. Manufacturers have started to strengthen their security modules, which is appreciated by the consumer. Such a high level of security has become a huge obstacle for forensic examiners, as it becomes very difficult to bypass the security of the device. While mobile devices running older Android versions are still accessible via a bunch of techniques, newer devices often have no support from even commercial tools.

Not all the data is on the device, as cloud storage has become a popular and preferred
option for smartphone users. Manufacturers offer very tempting packages so that users
store their data on the cloud, and users find it most convenient, too. All this again is a
hurdle at the time of data extraction; if account credentials are present with the forensic
experts, then data can be obtained or else there is no access to it.

Apart from Logical and Physical Acquisition, the advanced forensics techniques such as
JTAG, Chip-Off and Micro-read are highly invasive and require meticulous knowledge
and specialized training. These methods are also very expensive and are not accessible
to everyone as very few companies offer these services. Researchers have expressed
their concern about the growing complexities of breaking through the encryption of the
devices. Chip-off offers a 90% success rate as many hardware manufacturers are
making it difficult for examiners to perform a thorough examination.

iOS Operating System

iOS is a mobile operating system created and developed by Apple Inc. that presently powers many of the company's mobile devices, such as the iPhone, iPad, and iWatch. The iPhone firmware operating system is based on Mac OS X. Every iOS device combines hardware, software, and services designed to work together for maximum security. iOS protects the device and its data at rest (i.e., data that is not moving from device to device or network to network), including everything users do locally, on networks, and with key internet services.
iOS devices provide advanced security features and they are easy to use. Many of
these features are enabled by default, and key security features like device encryption
aren’t configurable, so that users can’t disable them by mistake. Other features, such as
Face ID and Touch ID, enhance the user experience by making it simpler and more
intuitive to secure the device.

iOS Device Boot Process

Bootrom allows the device to boot and initialize all the peripherals of iOS and some
hardware components. There are three different modes for the boot processes for iOS
devices:

• Normal boot process

• Recovery mode

• DFU mode

Normal Boot Process

In a normal boot process, the Bootrom runs and checks the signature of the Low-Level Bootloader (LLB), executing it if the signature matches. After executing, LLB checks the signature of iBoot (Apple’s stage 2 bootloader for all iOS devices) before handing over to iBoot, which in turn checks the kernel signature and executes it. The kernel is signed in order to stop any unsigned code from being executed.

Recovery Mode

When the iOS device is set to “Recovery Mode,” the Bootrom is executed first; it checks the iBoot signature and, if it matches, executes it. After that, iTunes sends Apple’s signed “kernel” and “Ramdisk” to the device, and then the restore process is initiated. In this process no unsigned code can be executed during any part of “Recovery Mode.”

DFU Mode

In Device Firmware Upgrade (DFU) Mode, the Bootrom is loaded and then the iBSS (a stripped-down version of iBoot) is sent to the iOS device. The iBSS signature is then checked and executed by the Bootrom. After that, Apple’s signed kernel and restore disk are sent to the device and executed by iBSS after a signature check. Once this is done, the restore process is initiated. In this process no unsigned code can be executed during any part of “DFU Mode.”
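What the three modes have in common is a chain of trust: the Bootrom, which cannot be modified, verifies the first stage, and every stage verifies the next one before handing over control, so a tampered image anywhere in the chain halts the boot rather than running. The following Python script, added here as an example and not Apple's code, models that chain for the normal, recovery and DFU sequences described above. Signatures are modelled with an HMAC under a constructed key purely so the script runs offline; the real Bootrom checks an Apple signature against a public key burned into the chip, and the stage image contents here are placeholders.

```python
"""Model of the iOS boot chain of trust: each stage verifies the next before executing it.

Added example, not from the original notes and not Apple's code. Signatures are
modelled with an HMAC under a constructed key so the script runs offline; the real
Bootrom checks an Apple signature with a public key burned into the chip. The stage
names per mode follow the notes above (normal, recovery, DFU).
"""
import hashlib
import hmac

DEMO_SIGNING_KEY = b"constructed-demo-signing-key"   # stand-in for Apple's signing key

# Stages each mode loads, in order; the Bootrom (in read-only memory) verifies the first.
BOOT_CHAINS = {
    "normal": ["LLB", "iBoot", "kernel"],
    "recovery": ["iBoot", "kernel", "ramdisk"],
    "dfu": ["iBSS", "kernel", "restore-disk"],
}


def sign_image(stage: str, image: bytes) -> bytes:
    """Produce the tag a stage image must carry (stand-in for Apple's signature)."""
    return hmac.new(DEMO_SIGNING_KEY, stage.encode() + b"\0" + image, hashlib.sha256).digest()


def verify_image(stage: str, image: bytes, sig: bytes) -> bool:
    """Constant-time comparison so a forged tag cannot be guessed byte by byte."""
    return hmac.compare_digest(sign_image(stage, image), sig)


def boot(mode: str, images: dict):
    """Walk the chain for `mode`; images maps stage -> (bytes, signature).

    Returns (executed_stages, status). Execution stops at the first stage whose
    signature does not verify, so nothing unsigned ever runs."""
    executed = ["Bootrom"]
    for stage in BOOT_CHAINS[mode]:
        if stage not in images:
            return executed, f"{stage} missing"
        image, sig = images[stage]
        if not verify_image(stage, image, sig):
            return executed, f"{executed[-1]} rejected {stage}: bad signature"
        executed.append(stage)                      # verified by its predecessor, now running
    return executed, "ok"


def signed_images(stages) -> dict:
    """Constructed, correctly signed placeholder images for the given stages."""
    return {s: (f"{s}-image-v1".encode(), sign_image(s, f"{s}-image-v1".encode())) for s in stages}


if __name__ == "__main__":
    good = signed_images(BOOT_CHAINS["normal"])
    print(boot("normal", good))
    tampered = dict(good)
    tampered["kernel"] = (b"patched-kernel", good["kernel"][1])   # image changed, old signature kept
    print(boot("normal", tampered))
    print(boot("dfu", signed_images(BOOT_CHAINS["dfu"])))
```

The tampered run shows the property the notes describe: LLB and iBoot execute, iBoot rejects the modified kernel, and the chain stops there. Binding the stage name into the signed data also prevents a validly signed image for one stage from being replayed in another stage's slot.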
