Skip to content
My Docs

Network Forensics And Analysis

Category: Network Security
Type: Network Concepts
Generated on: 2025-07-10 09:07:52
For: Network Engineering, Administration & Technical Interviews

Network Forensics and Analysis Cheatsheet

Section titled “Network Forensics and Analysis Cheatsheet”

What is Network Forensics and Analysis?

Network forensics is the process of capturing, recording, and analyzing network traffic to investigate security incidents, performance issues, or policy violations. It’s essentially digital detective work on the network level.

Why is it important in networking?

  • Security Incident Response: Identify the scope, source, and impact of security breaches.

  • Intrusion Detection: Discover malicious activity and prevent future attacks.

  • Performance Monitoring: Identify bottlenecks and optimize network performance.

  • Compliance: Ensure adherence to security policies and regulations.

  • Troubleshooting: Diagnose and resolve network connectivity issues.

  • Legal Evidence: Provide evidence for legal proceedings.

  • Packet Capture (PCAP): Raw network traffic data saved to a file. The foundation of analysis.

  • Network Sniffing: Intercepting and logging network traffic.

  • Flow Data (NetFlow/sFlow): Summarized network traffic information (source/destination IPs, ports, protocols, etc.) - less detailed than PCAP but more scalable.

  • Intrusion Detection System (IDS): Monitors network traffic for malicious activity and alerts administrators.

  • Intrusion Prevention System (IPS): Like an IDS, but actively blocks malicious traffic.

  • SIEM (Security Information and Event Management): Centralized logging and analysis platform.

  • Deep Packet Inspection (DPI): Analyzing the contents of packets beyond the header.

  • Metadata: Data about data. Network metadata includes timestamps, IP addresses, port numbers, protocol types, and packet sizes.

  • Baseline: A normal network activity profile. Deviations from the baseline can indicate problems.

  • Anomaly Detection: Identifying unusual patterns in network traffic.

  • Correlation: Linking different events or pieces of information to identify patterns.

  • Volatility: How quickly data changes or is lost. Network data is inherently volatile.

  • Evidence Integrity: Maintaining the chain of custody and ensuring that evidence is not tampered with.

Basic Network Forensics Workflow:

1.  Identification:  Detect an anomaly or incident.
2.  Collection:  Capture network traffic (PCAP, logs, flow data).
3.  Examination:  Analyze the captured data using tools.
4.  Analysis:  Interpret the findings and identify the root cause.
5.  Reporting:  Document the findings and recommendations.
6.  Remediation:  Take action to mitigate the issue and prevent recurrence.

Simplified Packet Capture Diagram:

[Source Host] --(Packet)---> [Network Device (Hub/Switch/Mirror Port)] --(Packet)---> [Capture Device (Laptop/Server)]
                                                                                    |
                                                                                    v
                                                                           [PCAP File (e.g., capture.pcap)]

Network Flow Example:

Imagine a user is downloading a large file. NetFlow would record:

  • Source IP: User’s IP Address
  • Destination IP: File Server’s IP Address
  • Source Port: User’s ephemeral port (e.g., 50000)
  • Destination Port: 80 (HTTP) or 443 (HTTPS)
  • Protocol: TCP
  • Number of packets: Large
  • Total bytes: Large

Focusing on commonly analyzed protocols:

TCP (Transmission Control Protocol)

  • Header:

    • Source Port (16 bits)
    • Destination Port (16 bits)
    • Sequence Number (32 bits) - Tracks packet order
    • Acknowledgment Number (32 bits) - Acknowledges received packets
    • Data Offset (4 bits) - Header length
    • Reserved (3 bits)
    • Flags (9 bits): URG, ACK, PSH, RST, SYN, FIN, ECE, CWR, NS
    • Window Size (16 bits) - Receive window
    • Checksum (16 bits) - Error detection
    • Urgent Pointer (16 bits) - Urgent data offset
    • Options (Variable) - MSS, Window Scale, SACK
    • Padding (Variable)

  • TCP Handshake (Three-Way Handshake):

    Client                        Server
      | SYN                       |
      |------------------------->|
      |                           |
      | SYN-ACK                   |
      |<-------------------------|
      |                           |
      | ACK                       |
      |------------------------->|
      |                           |
      [Data Transfer]

  • Flags Significance:

    • SYN: Initiates a connection.
    • ACK: Acknowledges a received packet.
    • FIN: Closes a connection gracefully.
    • RST: Resets a connection abruptly.
    • PSH: Push data immediately.
    • URG: Urgent data.

HTTP (Hypertext Transfer Protocol)

  • Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD

  • Status Codes:

    • 200 OK: Success
    • 301 Moved Permanently: Redirect
    • 400 Bad Request: Client error
    • 401 Unauthorized: Authentication required
    • 403 Forbidden: Access denied
    • 404 Not Found: Resource not found
    • 500 Internal Server Error: Server error

  • Headers: Host, User-Agent, Content-Type, Content-Length, Accept, Cookie, Set-Cookie

DNS (Domain Name System)

  • Query Types: A (Address), AAAA (IPv6 Address), CNAME (Canonical Name), MX (Mail Exchange), NS (Name Server), TXT (Text)
  • DNS Hierarchy: Root servers -> Top-level domain (TLD) servers (.com, .org, .net) -> Authoritative name servers
  • DNS Record Format: name TTL class type data (e.g., example.com 3600 IN A 192.0.2.1)

ICMP (Internet Control Message Protocol)

  • Used for diagnostic and control messages (e.g., ping).
  • Types: Echo Request (8), Echo Reply (0), Destination Unreachable (3), Time Exceeded (11)

Example: Analyzing a TCP Handshake in Wireshark

  1. Filter for tcp.flags.syn == 1 to find SYN packets.
  2. Follow the TCP stream to see the SYN, SYN-ACK, and ACK packets.
  3. Examine the sequence and acknowledgment numbers.
  • Malware Infection: Analyze network traffic to identify command-and-control (C&C) communication from infected machines. Look for unusual outbound traffic to known malicious IPs or domains.
  • Data Exfiltration: Detect large amounts of data being transferred out of the network. Look for unusual spikes in outbound traffic, especially to external storage services.
  • Denial of Service (DoS) Attack: Analyze network traffic to identify the source of the attack and the type of attack (e.g., SYN flood, UDP flood). Look for a high volume of traffic from a single source.
  • Compromised Credentials: Monitor for failed login attempts and then successful logins from a different IP address.
  • Ransomware: Investigate the network traffic after a ransomware attack to identify the initial entry point and the extent of the infection. Look for SMB traffic and file encryption patterns.

Example Scenario: Detecting a C&C Connection

  1. Alert: IDS detects traffic to a known malicious IP address.
  2. Capture: Capture network traffic from the affected host.
  3. Analysis: Analyze the traffic using Wireshark. Look for patterns of communication (e.g., regular intervals, specific protocols).
  4. Findings: Identify the malware family and the C&C server.
  5. Remediation: Isolate the infected host, remove the malware, and block the C&C server.
  • Large PCAP Files: Difficult to analyze. Use filters, summary statistics, and command-line tools.
  • Encrypted Traffic (HTTPS): Difficult to inspect the content. Requires SSL/TLS decryption (if possible) or focus on metadata analysis.
  • Missing Traffic: Ensure proper capture setup (SPAN port, TAP).
  • Time Synchronization: Ensure accurate timestamps across all devices.
  • Data Overload: Use flow data to identify patterns before diving into full packet capture.
  • False Positives: Fine-tune IDS and IPS rules to reduce false positives.
  • Privacy Concerns: Handle sensitive data responsibly and comply with privacy regulations.

Troubleshooting Example: Slow Network Performance

  1. Symptom: Users report slow network performance.
  2. Capture: Capture network traffic during the slow period.
  3. Analysis: Look for:
    • High latency (using ping or Wireshark).
    • Retransmissions (TCP retransmissions in Wireshark).
    • Network congestion (high utilization on network interfaces).
    • DNS resolution issues (slow DNS lookups).
  4. Findings: Identify the bottleneck (e.g., overloaded server, congested link).
  5. Remediation: Upgrade hardware, optimize network configuration, or address DNS issues.

Tcpdump (Linux/macOS):

  • Capture traffic on interface eth0 and save to capture.pcap:

    Terminal window
    sudo tcpdump -i eth0 -w capture.pcap

  • Capture traffic to or from a specific IP address:

    Terminal window
    sudo tcpdump -i eth0 host 192.168.1.100 -w capture.pcap

  • Capture traffic on a specific port:

    Terminal window
    sudo tcpdump -i eth0 port 80 -w capture.pcap

  • Capture only the first 100 bytes of each packet:

    Terminal window
    sudo tcpdump -i eth0 -s 100 -w capture.pcap

Tshark (Command-line Wireshark):

  • Read a PCAP file and display a summary:

    Terminal window
    tshark -r capture.pcap

  • Filter for HTTP traffic and display the HTTP request headers:

    Terminal window
    tshark -r capture.pcap -Y "http" -T fields -e http.request.line

Wireshark (GUI):

  • Capture Options: Specify interface, capture filter, and file size limits.
  • Display Filters: Use filters like tcp.port == 80, ip.addr == 192.168.1.1, http.request.method == "POST".
  • Follow TCP Stream: Right-click on a TCP packet and select “Follow TCP Stream” to view the entire conversation.
  • Statistics: Use the “Statistics” menu to generate summaries of network traffic.

SPAN Port/Port Mirroring (Cisco):

configure terminal
monitor session 1 source interface GigabitEthernet0/1 both  // Monitor traffic on Gi0/1 (both directions)
monitor session 1 destination interface GigabitEthernet0/2  // Send mirrored traffic to Gi0/2
end

NetFlow Configuration (Cisco):

configure terminal
ip flow ingress  // Enable NetFlow ingress on the interface
ip flow egress   // Enable NetFlow egress on the interface
flow exporter EXPORTER-NAME
  destination <NetFlow Collector IP Address>
  transport udp 2055
  template data timeout 60
flow record RECORD-NAME
  match ipv4 source address
  match ipv4 destination address
  match transport source-port
  match transport destination-port
  match protocol ip protocol
  collect counter bytes
  collect counter packets
flow monitor MONITOR-NAME
  exporter EXPORTER-NAME
  record RECORD-NAME
  cache timeout active 60
  cache timeout inactive 15
interface GigabitEthernet0/1
  ip flow monitor MONITOR-NAME input
  ip flow monitor MONITOR-NAME output
end

General Network Forensics:

  • Q: What is network forensics, and why is it important?

    • A: (See Quick Overview)

  • Q: What tools do you use for network forensics?

    • A: Wireshark, tcpdump, Tshark, Nmap, NetFlow collectors (SolarWinds, PRTG), SIEM systems (Splunk, QRadar), Intrusion Detection/Prevention Systems (Snort, Suricata).

  • Q: What is the difference between network sniffing and network forensics?

    • A: Sniffing is simply capturing network traffic. Forensics is the analysis of that captured traffic to investigate an event.

  • Q: What is a PCAP file?

    • A: A packet capture file. It contains raw network traffic data captured from a network interface.

  • Q: What are the key steps in a network forensics investigation?

    • A: Identification, Collection, Examination, Analysis, Reporting, Remediation. (See How It Works)

Protocol Analysis:

  • Q: Explain the TCP three-way handshake.

    • A: (See Protocol Details - TCP)

  • Q: What are common TCP flags, and what do they signify?

    • A: (See Protocol Details - TCP)

  • Q: How can you identify a SYN flood attack using network forensics tools?

    • A: Look for a high volume of SYN packets without corresponding ACK packets. Use Wireshark to filter for tcp.flags.syn == 1 && tcp.flags.ack == 0.

  • Q: What is DNS tunneling, and how can you detect it?

    • A: DNS tunneling is using DNS queries to transmit data. Detect it by looking for unusually large DNS queries or responses, frequent DNS requests to unusual domains, or unusual data encoded within DNS records.

  • Q: How can you analyze HTTP traffic for malicious activity?

    • A: Look for suspicious URLs, unusual user agents, unexpected HTTP methods (e.g., PUT, DELETE), and large data transfers.

Practical Skills:

  • Q: How would you capture network traffic on a Linux server?

    • A: Use tcpdump or tshark (See Configuration Examples).

  • Q: How would you analyze a PCAP file to identify the source of a DDoS attack?

    • A: Use Wireshark to filter for the attack traffic and identify the source IP addresses. Look for a high volume of traffic from multiple sources to a single destination. Analyze the packet sizes and protocols used in the attack.

  • Q: How would you identify a malware infection based on network traffic?

    • A: Look for communication with known malicious IP addresses or domains, unusual outbound traffic patterns, and traffic to unexpected ports.

  • Q: How would you determine if sensitive data is being exfiltrated from a network?

    • A: Monitor outbound traffic for large file transfers to unknown destinations. Inspect the traffic for clear-text sensitive data. Use DPI to identify specific data patterns (e.g., credit card numbers, social security numbers).

Security Concepts:

  • Q: What is NetFlow, and how is it used in network forensics?

    • A: (See Key Concepts). NetFlow provides summarized network traffic information, which can be used for anomaly detection, capacity planning, and security monitoring.

  • Q: What is the difference between an IDS and an IPS?

    • A: (See Key Concepts).

  • Q: What is a SIEM, and how does it help with network forensics?

    • A: (See Key Concepts). A SIEM provides centralized logging and analysis, which can help to correlate events and identify security incidents.

  • Digital Forensics: Broader field encompassing computer forensics, mobile device forensics, and network forensics.

  • Incident Response: The process of handling security incidents, including detection, analysis, containment, eradication, and recovery.

  • Penetration Testing: Simulating attacks to identify vulnerabilities.

  • Vulnerability Management: Identifying and mitigating security vulnerabilities.

  • Security Auditing: Evaluating security controls and practices.

  • Data Loss Prevention (DLP): Preventing sensitive data from leaving the organization.

  • Threat Intelligence: Gathering and analyzing information about potential threats.

  • Machine Learning for Security: Using machine learning to detect anomalies and predict security incidents.

Further Reading:

This cheatsheet provides a solid foundation for understanding and practicing network forensics and analysis. Remember to practice with real-world scenarios and continuously expand your knowledge. Good luck!