Forensic Chapter 5 - Network Forensic

1. Network Layers

  1. OSI 7 layers

[figure: OSI]

  2. TCP/IP 4 layers

[figure: TCP/IP layers]

  3. Protocols commonly used in each layer

     Layer              | Protocols
     -------------------|-----------------------------------
     Application Layer  | FTP, SMTP, HTTP, HTTPS, DNS, DHCP
     Presentation Layer | N/A
     Session Layer      | N/A
     Transport Layer    | TCP, UDP
     Network Layer      | IP, IPSec, ICMP, IGMP, ARP
     Data Link Layer    | 802.11, MAC
     Physical Layer     | N/A

  4. Differences between TCP and UDP
    1. TCP is connection-based, so one connection talks to a single endpoint at a time (unicast).
    2. UDP can also be used in multicast and broadcast scenarios.
    3. TCP is more secure than UDP because it confirms that every message has been delivered to the other side.

2. Tools

  1. tcpdump -> a command-line tool that captures network traffic and prints the protocol stream.
  2. snort -> a rule-based network IDS (Intrusion Detection System) that inspects the traffic stream.
  3. wireshark -> GUI packet analyzer; roughly tcpdump's capture with a graphical interface.
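The layer table and the TCP/UDP comparison above are what tools like tcpdump and Wireshark apply to every captured frame; the added example below (not part of these notes) walks one Ethernet frame down Data Link -> Network -> Transport -> Application with the standard library only. The two sample frames, their MAC addresses and IPs are constructed for this example.

```python
import struct

# Application-layer protocols from the table above keyed by well-known port, and IPv4 protocol numbers.
APP_PORTS = {21: "FTP", 25: "SMTP", 53: "DNS", 67: "DHCP", 68: "DHCP", 80: "HTTP", 443: "HTTPS"}
IP_PROTO = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def decode_frame(frame):
    """Walk one frame down the stack: Data Link (Ethernet) -> Network (IPv4) -> Transport -> Application."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"data_link": {"src_mac": mac(src), "dst_mac": mac(dst)}}
    if ethertype != 0x0800:  # only IPv4 is decoded here; ARP (0x0806) etc. stop at this layer
        out["network"] = {"ethertype": hex(ethertype)}
        return out
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    out["network"] = {"src_ip": ".".join(map(str, s)), "dst_ip": ".".join(map(str, d)),
                      "protocol": IP_PROTO.get(proto, str(proto))}
    seg = ip[(ver_ihl & 0x0F) * 4:total_len]  # skip IPv4 options if IHL > 5
    if proto == 6:    # TCP: ports, seq/ack, data offset and flags (SYN = 0x002)
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", seg[:14])
        out["transport"] = {"src_port": sport, "dst_port": dport, "flags": off_flags & 0x1FF}
        payload = seg[(off_flags >> 12) * 4:]
    elif proto == 17:  # UDP: ports and length, no connection state
        sport, dport, ulen, _ = struct.unpack("!HHHH", seg[:8])
        out["transport"] = {"src_port": sport, "dst_port": dport}
        payload = seg[8:ulen]
    else:
        return out  # ICMP/IGMP carry no ports, so there is no application layer to name
    out["application"] = {"protocol": APP_PORTS.get(dport, APP_PORTS.get(sport, "unknown")),
                          "payload_len": len(payload)}
    return out

def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, segment):
    """Constructed test data only: IPv4-over-Ethernet frame with the header checksum left zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000, 64, proto, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip_hdr + segment

# Constructed samples (private/documentation addresses): a DNS query over UDP/53 and a TCP SYN to HTTP/80.
SRC_MAC, DST_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
DNS_QUERY = build_frame(SRC_MAC, DST_MAC, "192.168.1.10", "192.168.1.1", 17,
                        struct.pack("!HHHH", 51000, 53, 8 + 29, 0) + b"\x00" * 29)
HTTP_SYN = build_frame(SRC_MAC, DST_MAC, "192.168.1.10", "203.0.113.5", 6,
                       struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x002, 65535, 0, 0))
```

Calling decode_frame on the UDP sample yields a DNS record with a 29-byte payload, while the TCP sample stops at HTTP with SYN set and an empty payload, which is exactly the connection-setup difference noted in section 1.4.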