Concept: Network Forensic

Network forensics can be generally defined as the science of discovering and retrieving evidential information about a crime in a networked environment, in such a way as to make it admissible in court.

Uploaded by Bodhe Abhijit
Copyright: Public Domain

Sanjivani Rural Education Society’s

Sanjivani College of Engineering, Kopargaon-423 603


(An Autonomous Institute, Affiliated to Savitribai Phule Pune University, Pune)
NAAC ‘A’ Grade Accredited, ISO 9001:2015 Certified

Department of Computer Engineering


(NBA Accredited)

Subject: Digital Forensics (DF) [CO 315A]


Unit 4: Network Forensic

Prof. Abhijit S. Bodhe


Assistant Professor
Department of Computer Engineering
E-mail: [email protected]
Contact No: 7709 340 570
Unit 1: Introduction to Digital Forensics

• Digital Forensics: Definition, Process
• Locard's Principle of Exchange
• Branches of Digital Forensics
• Handling Digital Crime Scene
• Important documents and Electronic Evidence
• Introduction to Evidence Acquisition: Identification, Acquisition, Labeling and Packaging, Transportation, Chain-of-Custody
• Structure of storage media/devices (Windows/Macintosh/Linux): registry, boot process, file systems, file metadata

DEPARTMENT OF COMPUTER ENGINEERING, Sanjivani COE, Kopargaon 2


Unit 2: Data recovery and Digital evidence controls
• Data recovery: identifying hidden data
• Encryption/Decryption, Steganography
• Recovering deleted files
• Digital evidence controls: uncovering attacks that evade detection by Event Viewer, Task Manager, and other Windows GUI tools
• Data acquisition, disk imaging, recovering swap files, temporary and cache files
• Data Privacy, Data privacy usages, Data privacy usage tools



Unit 3: Computer Forensics analysis and validation
• Computer Forensics analysis and validation: determining what data to collect and analyse, validating forensic data, addressing data-hiding techniques.
• Network Forensics: network forensics overview, performing live acquisitions, developing standard procedures for network forensics, using network tools, examining the Honeynet Project.
• Computer Forensic tools (Case Study): EnCase, Helix, FTK, Autopsy, Sleuth Kit Forensic Browser, FIRE, Foundstone Forensic ToolKit, WinHex, Linux dd and other open source tools



Computer Forensic tools (allocation by roll number)
1. EnCase: 1 to 16
2. Helix: 17 to 30
3. FTK: 31 to 54
4. Autopsy: 56 to 81
5. Sleuth Kit Forensic Browser: 85 to 114
6. FIRE: 116 to 135
7. WinHex: 138 to 149



Computer Forensic tools: Case Study
Minimum 5 pages of description on each tool, by allocated roll numbers:
1. Tool support and details: which OS, hardware, software, any other requirements
2. Description of the tool
3. Use of the tool
4. Application of the tool (theory)
5. Real-time application of the tool (possibly a demo)
6. Advantages, limitations and risks of the tool
7. Comparison with any other one tool (compulsory)
8. Summary of the tool in brief (minimum 1 page)
9. Reference links/websites
Unit 4: Network Forensic
• Network Forensic: collecting and analyzing network-based evidence
• Reconstructing web browsing
• E-mail activity, and Windows registry changes
• Intrusion detection, tracking offenders
• Mobile Network Forensic: Introduction
• Mobile Network Technology
• Investigations, Collecting Evidence
• Where to seek Digital Data for further Investigations
• Interpretation of Digital Evidence on Mobile Networks



Network Forensic
• Network forensics concerns the gathering, monitoring and analyzing of network activities to uncover the source of attacks, viruses, intrusions or security breaches that occur on a network or in network traffic.
• With the help of network forensics, the data of a crime scene can be retrieved from any type of network; this data includes messages, file transfers, e-mails and web browsing history, and it can be reconstructed to expose the original transactions.
• To identify attacks on a network, investigators must have in-depth knowledge of the network protocols and applications involved, such as web protocols, e-mail protocols, transport and routing protocols, file transfer protocols, etc.



Processes involved in network forensics
1. Identification: investigators identify and evaluate the incident based on the network indicators.
2. Safeguarding: investigators preserve and secure the data so that tampering can be prevented.
3. Accumulation: a detailed report of the crime scene is documented and all the collected pieces of digital evidence are duplicated.
4. Observation: all the visible data is tracked along with its metadata.
5. Investigation: a final conclusion is drawn from the collected pieces of evidence.
6. Documentation: all the pieces of evidence, reports and conclusions are documented and presented in court.



Major challenges in network forensics



Advantages of Network Forensics
• Advantages:
1. Network forensics helps in identifying security threats and vulnerabilities.
2. It analyzes and monitors network performance demands.
3. Network forensics helps in reducing downtime.
4. Network resources can be used in a better way through reporting and better planning.
5. It supports a detailed search of the network for any trace of evidence left on it.
• Disadvantage:
The only disadvantage of network forensics is that it is difficult to implement.



Collecting and analyzing network-based evidence
• What is network-based evidence? Network-based digital evidence is a type of digital evidence that arises as a product of communications over a network.
• Network evidence collection should proceed by making exact copies (forensic images) of relevant data sources, such as traffic logs, firewall configurations, and packet captures.
• Collecting network evidence forensically means following a systematic and rigorous process that preserves the integrity, authenticity, and admissibility of the evidence.
• Example: this can include taking screenshots of affected desktops and of any applications that were running at the time of the crime. Additionally, it is recommended to perform a network status audit in order to gather details regarding the network.
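To make the "exact copies" and integrity points concrete, an added example that is not part of the slides: it copies a constructed firewall log into an evidence directory, hashes source and copy with SHA-256, writes a chain-of-custody manifest, and shows verification failing once the copy is modified. The function names, the manifest layout and the case id CASE-0001 are assumptions.

```python
"""Added example (not from the slides): copy a network evidence source,
hash source and copy, and record a chain-of-custody manifest."""
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone
# Constructed sample evidence: two firewall log lines (not real data).
SAMPLE_FIREWALL_LOG = (
    "2024-01-10T09:15:02Z DENY TCP 203.0.113.5:44512 -> 192.0.2.10:22\n"
    "2024-01-10T09:15:07Z ALLOW TCP 192.0.2.20:51234 -> 198.51.100.8:443\n"
)

def sha256_file(path, chunk_size=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire(source_path, evidence_dir, examiner, case_id):
    """Copy the source, confirm the copy hashes identically, write a JSON manifest."""
    os.makedirs(evidence_dir, exist_ok=True)
    source_hash = sha256_file(source_path)
    dest = os.path.join(evidence_dir, os.path.basename(source_path))
    shutil.copyfile(source_path, dest)
    if sha256_file(dest) != source_hash:
        raise RuntimeError("copy does not match source; acquisition failed")
    manifest = {
        "case_id": case_id, "examiner": examiner,
        "source": os.path.abspath(source_path), "copy": os.path.abspath(dest),
        "sha256": source_hash, "size": os.path.getsize(dest),
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }
    with open(dest + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def verify(manifest):
    """Re-hash the stored copy; True only while it still matches the manifest."""
    return sha256_file(manifest["copy"]) == manifest["sha256"]

def demo():
    work = tempfile.mkdtemp()
    src = os.path.join(work, "fw.log")
    with open(src, "w") as f:
        f.write(SAMPLE_FIREWALL_LOG)
    m = acquire(src, os.path.join(work, "evidence"), "examiner-1", "CASE-0001")
    ok_before = verify(m)
    with open(m["copy"], "a") as f:   # simulate tampering with the copy
        f.write("tampered\n")
    return ok_before, verify(m), m
```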



Types and Techniques of Network-based Evidence Collection
Types:
A. Passive network-based evidence collection: collecting evidence from network traffic without actively affecting the network. It can provide information about network activity and potentially relevant evidence.
B. Active network-based evidence collection: collecting evidence from network devices and infrastructure by actively interacting with the network. It can provide more detailed information about network activity and potentially relevant evidence.
Techniques:
A. Network packet capture: capturing and analyzing individual network packets. It can provide detailed information about network traffic and potentially relevant evidence.
B. Network device and infrastructure analysis: analyzing network devices and infrastructure for evidence of malicious activity. It can provide information about network security and potentially relevant evidence.
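As an added example of the passive technique (network packet capture), not taken from the slides: a minimal offline pcap reader that extracts the TCP connection tuples held in a capture file, touching nothing on the wire. The capture bytes are constructed inside the block with struct.pack (assumed Ethernet/IPv4/TCP frames), and the function names are assumptions.

```python
"""Added example (not from the slides): read a pcap file offline and list
the TCP connections it holds. Capture bytes are constructed below (assumed
Ethernet/IPv4/TCP, no payload, checksums left zero)."""
import socket
import struct

def build_pcap(packets):
    """Wrap (timestamp, frame) pairs in a little-endian pcap file, linktype 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def build_frame(src_ip, dst_ip, sport, dport):
    """Ethernet + IPv4 + TCP SYN header with no payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp   # zero MACs, ethertype IPv4

def parse_pcap(data):
    """Yield (ts_sec, src_ip, dst_ip, sport, dport) for each IPv4/TCP record;
    other records are skipped."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(data):
        ts, _us, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":       # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        if frame[23] != 6:                    # protocol field: 6 is TCP
            continue
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        yield ts, src, dst, sport, dport

# Constructed capture: an inbound SSH attempt and an outbound HTTPS connection.
SAMPLE_PCAP = build_pcap([
    (1704877200, build_frame("203.0.113.5", "192.0.2.10", 44512, 22)),
    (1704877201, build_frame("192.0.2.20", "198.51.100.8", 51234, 443)),
])

def connections(data):
    return list(parse_pcap(data))
```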



Analyzing network-based evidence
• Network forensic analysis concerns the gathering, monitoring and analyzing of network activities to uncover the source of attacks, viruses, intrusions or security breaches that occur on a network or in network traffic.
• We introduce a methodology to follow during network forensic investigations called OSCAR, which consists of steps executed in sequence.
• These steps are: Obtain information, Strategize, Collect evidence, Analyze, and finally Report.



Network forensics tool
• NetFlow Analyzer is a comprehensive network forensics analysis tool that can: monitor the top talkers of the network by application, IP address, and device; detect IP addresses accessing your network; and maintain the quality of your network with service-level agreement (SLA) monitoring.
• NetFlow Analyzer is a real-time NetFlow traffic analysis tool that provides visibility into network bandwidth performance.
• NetFlow Analyzer is one of the best free network traffic monitoring tools and provides a holistic view of your network traffic. With it, you can quantify your network usage pattern and purpose.
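An added example, neither NetFlow Analyzer's code nor part of the slides: it aggregates constructed flow records into top talkers by IP address and by application, and ranks external peers by volume so an unfamiliar high-volume peer stands out for the investigator. The record layout, the port-to-application map and the internal prefix 192.0.2. are assumptions.

```python
"""Added example (not from the slides or NetFlow Analyzer): top talkers and
external peers computed from constructed flow records."""
from collections import Counter

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, bytes). Not real traffic.
FLOWS = [
    ("192.0.2.10", "198.51.100.8", "tcp", 443, 1_200_000),
    ("192.0.2.10", "198.51.100.9", "tcp", 443, 800_000),
    ("192.0.2.11", "198.51.100.8", "tcp", 80, 150_000),
    ("192.0.2.12", "203.0.113.5", "tcp", 22, 50_000),
    ("192.0.2.11", "192.0.2.53", "udp", 53, 4_000),
    ("203.0.113.5", "192.0.2.10", "tcp", 4444, 9_500_000),  # large, unfamiliar peer
]

# Assumed port-to-application labels; anything else is reported as proto/port.
APP_BY_PORT = {("tcp", 443): "https", ("tcp", 80): "http",
               ("tcp", 22): "ssh", ("udp", 53): "dns"}

def app_label(proto, port):
    return APP_BY_PORT.get((proto, port), f"{proto}/{port}")

def top_talkers_by_ip(flows, n=3):
    """Bytes sent plus received per IP address, highest first."""
    totals = Counter()
    for src, dst, _proto, _port, nbytes in flows:
        totals[src] += nbytes
        totals[dst] += nbytes
    return totals.most_common(n)

def top_apps(flows, n=3):
    """Bytes per application label, highest first."""
    totals = Counter()
    for _src, _dst, proto, port, nbytes in flows:
        totals[app_label(proto, port)] += nbytes
    return totals.most_common(n)

def external_peers(flows, internal_prefix="192.0.2."):
    """Addresses outside the internal prefix, ranked by bytes exchanged."""
    peers = Counter()
    for src, dst, _proto, _port, nbytes in flows:
        for ip in (src, dst):
            if not ip.startswith(internal_prefix):
                peers[ip] += nbytes
    return sorted(peers.items(), key=lambda kv: kv[1], reverse=True)
```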



Reconstructing web browsing



E-mail activity, and Windows registry changes



Intrusion detection, tracking offenders



Unit 5: Software Reverse Engineering
• Software Reverse Engineering: defending software targets against viruses, worms and other malware
• Improving third-party software libraries
• Identifying hostile code: buffer overflow
• Provision of unexpected inputs



Unit 6: Computer crime and Legal issues
• Computer crime and legal issues: intellectual property
• Privacy issues
• Criminal justice system for forensics
• Audit/investigative situations
• Digital crime procedures/standards for extraction, preservation, and deposition of legal evidence in a court of law
