Before we develop our skills on network forensics, we need to have certain basic fundamentals in place.
A network, in general parlance, is a group of computers/devices that are connected to each other. The connection can be wired or wireless. Every device on the network has a unique network address, which can be temporary (session specific) or permanent. Addresses are numeric quantities that are easy for computers to work with; however, they are not easy for humans to remember. These are known as IP addresses, for example, 206.166.240.9. Consider the following diagram:
To make these numeric addresses easy for humans to remember, they are stored as textual addresses as Domain Name Server (DNS) records. DNS servers are responsible for translating textual Internet addresses into numeric Internet addresses.
While numeric IP addresses identify a specific host machine working on a network, a numeric port number is used to identify specific processes that are running on a host machine. The number of ports is not functionally limited. Some of the common ports are as follows:
| Port number | Application |
|---|---|
| 20 | FTP |
| 21 | FTP |
| 23 | Telnet |
| 25 | SMTP (mail) |
| 79 | Finger |
| 80 | HTTP |
| 110 | POP3 (mail) |
| 443 | HTTPS |
When devices are connected to each other, they can communicate. Devices communicate by exchanging data, which is transferred using packet switching: messages are broken into packets and transmitted over the network. Each packet has a specified maximum size and is split into a header and a data area. As each packet is sent from a source computer to a destination computer or device, the source and destination addresses and the information necessary to sequence the packets correctly at the reconstruction stage are included in the header.
Communications between two connected computers on a network are governed by rules known as protocols.
Protocols define the following:
Protocol design is based on a layered architecture model such as the Open Systems Interconnection (OSI) reference model.
This is also known as the seven-layer model.
As the name suggests, this model consists of seven layers. Each of these is explained in the following:
As the data travels between layers, each layer adds or removes its header to the data unit. At the destination, each added header is removed one-by-one until the receiving application gets the data that is intended for it.
The TCP/IP model consists of only four layers. These are application, transport, internet, and network.
These layers are shown in the following table:
| Layer name | Description |
|---|---|
| Application | This is responsible for applications and processes running on the network |
| Transport | This provides end-to-end data delivery |
| Internet | This makes datagrams and handles data routing |
| Network | This allows access to the physical network |
Let's take a look at each of these one by one, starting from the network interface layer and working our way upwards.
The following image depicts both models in graphic form. It also shows their interrelation:
In 1966, the Defense Advanced Research Project Agency Network implemented a research network of networks, connecting several computer networks that were based on different protocols.
This threw up a unique problem: a common interconnection protocol had to be defined on top of the local protocols. The Internet Protocol (IP) plays this role by defining unique addresses for network devices and host machines. The following diagram depicts this interconnection of devices using IP routing:
Whenever we meet a stranger we want to speak to, it helps if we speak the same language. In the computer world, the language of communication is called a protocol. IP is one of the languages that computers use to communicate with each other as part of the layered architecture model.
On top of the IP, there are TCP, UDP, and some others.
There are two versions of the IP being used, as follows:
The Internet Protocol has the following two main functions:
How does it work?
It splits the initial data that is to be sent into datagrams. Each datagram has a header that includes the IP address and the port number of the destination. Datagrams are then sent to selected gateways, that is, IP routers. These routers are connected to the local network and to an IP service provider network at the same time. The routers start the relay process, in which datagrams are transferred from gateway to gateway until they arrive at their final destination.
The following diagram illustrates this concept in a simple-to-understand manner:
Whenever two hosts communicate with each other using the Internet Protocol, there is no need for a continuous connection. One host sends data to another in data packets. Each packet header contains the source and destination addresses as well as the sequence number, and each packet is treated as an independent unit of data. TCP is responsible for reading the packet headers and putting the packets in the correct sequence so that the message is readable.
Today, the most widely used version of IP is IPv4; however, IPv6 is also beginning to be supported. IPv6 was introduced when it was realized that IPv4 addresses were running out: the exponential increase in the number of devices connected to the Internet led to the anticipation of IPv4 address exhaustion. IPv6 provides much longer addresses and therefore the possibility of many more Internet users. IPv6 includes the capabilities of IPv4, and any server that can support IPv6 packets can also support IPv4 packets.
Let's take a look at the following structure of an IP packet:
Normally, the application layer sends the data that is to be transmitted to the transport layer. The transport layer adds a header and sends it to the Internet layer. The Internet layer adds its own header to this and sends it to the network layer for physical transmission in the form of an IP datagram. The network layer adds its own frame header and footer and then physically transmits it over the network.
At the other end, when the datagram is received, this process is reversed and the different headers are stripped as the data moves from layer to layer. The following diagram represents how headers are added and removed as we move from layer to layer:
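To make the encapsulation and decapsulation concrete, the following added Python example (my own illustration, not code from the original book) builds a datagram layer by layer and then strips the headers again in reverse order, verifying each header's checksum before trusting the fields it covers. UDP is used as the transport header because it is the simpler of the two; the addresses, ports and payload are constructed values, and link-layer framing is left out so the example does not depend on a physical network.

```python
import socket
import struct

# Constructed application-layer message for the demonstration (not from the page)
PAYLOAD = b"hello from the application layer"
IPPROTO_UDP = 17


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: 16-bit one's complement of the one's complement sum.
    Verifying a header is the same calculation over the header *including* its
    checksum field: an intact header sums to 0."""
    if len(data) % 2:
        data += b"\x00"            # pad an odd-length buffer on the right
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:             # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Wrap application data in a UDP header (transport layer), then an IPv4
    header (Internet layer), computing both checksums."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    # Transport layer: UDP header with the checksum field zeroed while it is computed.
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)
    # A computed 0 is sent as 0xFFFF because 0 means "no checksum" over IPv4.
    udp_csum = internet_checksum(pseudo + udp_hdr + payload) or 0xFFFF
    udp_hdr = udp_hdr[:6] + struct.pack("!H", udp_csum)
    # Internet layer: 20-byte IPv4 header (version 4, IHL 5); checksum covers the header only.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0, 64,
                         IPPROTO_UDP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", internet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + udp_hdr + payload


def decapsulate(datagram: bytes) -> dict:
    """Reverse the process: strip the IPv4 header, then the UDP header, checking
    each layer's checksum and length fields. Raises ValueError on any mismatch."""
    if len(datagram) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(datagram):
        raise ValueError("malformed IPv4 header")
    if internet_checksum(datagram[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != IPPROTO_UDP:
        raise ValueError(f"unexpected protocol {proto}")
    segment = datagram[ihl:total_len]      # Internet-layer header stripped
    if len(segment) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, udp_len, udp_csum = struct.unpack("!HHHH", segment[:8])
    if udp_len < 8 or udp_len > len(segment):
        raise ValueError("malformed UDP length")
    if udp_csum != 0:                      # optional over IPv4; verify when present
        pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)
        if internet_checksum(pseudo + segment[:udp_len]) != 0:
            raise ValueError("bad UDP checksum")
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "id": ident, "ttl": ttl,
        "sport": sport, "dport": dport, "payload": segment[8:udp_len],  # transport header stripped
    }


if __name__ == "__main__":
    dg = encapsulate("192.0.2.10", "192.0.2.53", 40000, 53, PAYLOAD)
    print(len(dg), "bytes on the wire ->", decapsulate(dg))
```

The IPv4 checksum protects only the header, so a receiver that validates it still learns nothing about the payload; the UDP checksum, computed over a pseudo-header plus the whole segment, is what catches a corrupted data byte. Both checks are what a capture tool reports as "checksum incorrect" when a packet has been altered in transit.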
IP packets are a basic service that does not guarantee safe delivery. TCP remedies this by adding the following elements:
Before sending the data, TCP requires the computers that are communicating to establish a connection with each other:
Whereas IP is limited to sending 64-kb data streams, large data streams can be sent as one big stream of data using TCP. TCP does this by breaking the data stream into separate data packets. Each packet is numbered and its sequence number is stored in the header. On arrival, these disparate packets are reassembled using the sequence and sequence acknowledgement numbers. TCP also specifies port numbers, which improves the capabilities over IP: every TCP/IP machine can communicate using 65,536 different ports or sockets.
All data in a TCP packet is accompanied by a header. The header contains information related to the source port, destination port, sequence number, sequence acknowledgement number, and some miscellaneous header data.
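The sequence-number reassembly described above is the core of what a forensic tool does when it rebuilds a conversation from a capture. The following added Python example (my own illustration, not code from the original book) decodes the TCP header fields named in the text, then reorders a constructed set of segments that arrive out of order, drops a retransmission, and reports any gap left by a segment that was never captured. The initial sequence number is chosen so that the stream wraps past 2^32, which is a common source of off-by-one bugs; the HTTP request, ports and ISN are constructed values.

```python
import struct

SEQ_MOD = 1 << 32
# Constructed sample: an HTTP request split across three segments (not from the page)
SAMPLE_MESSAGE = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
ISN = 0xFFFFFFF0          # initial sequence number chosen so the stream wraps past 2^32
FLAG_PSH_ACK = 0x018


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header; data_offset locates the payload after any options."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("invalid data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": off_flags & 0x1FF,
            "window": window, "checksum": csum, "urgent": urg, "payload": segment[data_offset:]}


def make_segment(sport, dport, seq, payload, ack=0, flags=FLAG_PSH_ACK) -> bytes:
    """Build a TCP segment with no options (data offset 5). The checksum is left at 0
    because it needs the IP pseudo-header, which this stream-level example does not model."""
    return struct.pack("!HHIIHHHH", sport, dport, seq % SEQ_MOD, ack,
                       (5 << 12) | flags, 65535, 0, 0) + payload


def sample_segments(message=SAMPLE_MESSAGE, isn=ISN, drop_index=None):
    """Split `message` into three segments and return them out of order with one duplicate,
    as a capture might show them. drop_index removes one chunk to simulate a lost packet."""
    bounds = [(0, 10), (10, 25), (25, len(message))]
    chunks = [make_segment(40000, 80, isn + 1 + start, message[start:end]) for start, end in bounds]
    order = [2, 0, 1, 1]          # arrives out of order, chunk 1 retransmitted
    return [chunks[i] for i in order if i != drop_index]


def reassemble(segments, isn):
    """Rebuild the byte stream of one direction of a connection from its sequence numbers.
    Handles wraparound, discards already-seen data, and reports gaps as (from_seq, to_seq)."""
    headers = sorted((parse_tcp_header(s) for s in segments),
                     key=lambda h: (h["seq"] - isn) % SEQ_MOD)
    stream, gaps = bytearray(), []
    next_seq = (isn + 1) % SEQ_MOD     # the SYN consumes one sequence number; data starts after it
    for h in headers:
        payload = h["payload"]
        if not payload:
            continue
        ahead = (h["seq"] - next_seq) % SEQ_MOD
        if ahead >= SEQ_MOD // 2:          # segment begins before next_seq: retransmission or overlap
            already = (next_seq - h["seq"]) % SEQ_MOD
            if already >= len(payload):
                continue                   # pure duplicate, nothing new
            payload, ahead = payload[already:], 0
        if ahead:
            gaps.append((next_seq, (next_seq + ahead) % SEQ_MOD))
            stream.extend(b"\x00" * ahead)  # placeholder for bytes that were never captured
        stream.extend(payload)
        next_seq = (next_seq + ahead + len(payload)) % SEQ_MOD
    return bytes(stream), gaps


if __name__ == "__main__":
    data, missing = reassemble(sample_segments(), ISN)
    print(data.decode(), missing)
    data, missing = reassemble(sample_segments(drop_index=1), ISN)
    print("gaps:", [(hex(a), hex(b)) for a, b in missing])
```

Two design points matter for an analyst: all arithmetic on sequence numbers is done modulo 2^32 with a "less than half the space" test for direction, so a session that straddles the wrap point is reassembled correctly, and a gap is reported rather than silently closed, because a rebuilt stream with missing bytes should never be mistaken for a complete one.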
Similar to TCP, UDP is also built on top of IP. It has the same packet-size limit (64 kb) as IP; however, it allows port numbers to be specified. This provides 65,536 different ports, the same as TCP. Therefore, every machine has two sets of 65,536 ports: one for TCP and the other for UDP.
The difference between the two is that UDP is a connectionless protocol without any error detection facility. It only provides support for data transmission from one end to the other without any verification. As it does no further verification, UDP is very fast. This is its main feature, and it is extremely useful for sending small and repetitive data at very high speed. Some examples are audio and video streaming, games, continuously streamed time information, and so on.
On top of the TCP/IP layers is the application layer. The Internet Engineering Task Force (IETF) definition document for the application layer in the Internet protocol suite is RFC 1123. The application layer's role is to support network applications by the means of application protocols.
Some of the application protocols include the following:
Newer applications can also spawn additional application protocols such as BitTorrent, Bitcoin, eDonkey, and so on.