Chapter 21
Network Basics for Digital Investigators
Be aware of the reasons that digital investigators need a thorough understanding of
networks.
Be aware of the hardware and protocols that constitute a network.
Be aware of the various network technologies a digital investigator is likely to encounter.
Be aware of the tools that assist in network investigations.
Chapter Guide
All digital investigators require some understanding of networks since most computers we encounter are
connected to one. In fact, computers have become network-centered and it is no longer sufficient to only
think of digital evidence on storage media. To comprehend traces of Internet activities left on personal
computers and to establish continuity of offense, digital investigators require knowledge of evidence that
exists on surrounding networks. These sources include server logs, network devices, and traffic on both
wired and wireless networks.
connect to a remote system such as a backbone router as shown here:
On August 15 at 11:20 EDT, Telnet was used to connect from a Windows machine to a public
Internet router (see www.traceroute.org for a list of route servers).
C:\> telnet route-server.ip.tiscali.net
+---------------------------------------------------+
|                                                   |
|   TISCALI International Network - Route Monitor   |
|                    (AS3257)                       |
route-server.ip.tiscali.net>who
    Line       User       Host(s)              Idle       Location
*  2 vty 0                idle                 00:00:00   pool-141-157-94-144.balt.east.verizon.net

  Interface    User               Mode         Idle     Peer Address
route-server.ip.tiscali.net>show log
In addition to demonstrating client-server interaction, this exercise gives routers and the Internet
backbone a tangible form that students may not otherw
that it is 16:30 Central European Time (GMT + 1) whereas the time according to the Windows host was
In addition, the Open System Interconnection (OSI) model is used in this chapter to give the reader an
understanding of the different functions of networks and the types of crime and associated evidence that
exist. The OSI model consists of seven layers, summarized here:
#  Name       Summary
1  Physical   Media that carries data (e.g., network cable)
2  Data-link  Enables basic network connectivity between computers connected directly by the same network technology (e.g., Ethernet)
Data in each layer are encapsulated by lower layers. For example, an e-mail message is encapsulated in an
IP datagram, which in turn is encapsulated in an Ethernet frame. Notably, the OSI model does not fit
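The encapsulation described above is easiest to see by taking an actual frame apart layer by layer, which is also what an investigator does when reading a packet capture: the Layer 2 header yields MAC addresses, the Layer 3 header yields IP addresses, the Layer 4 header yields ports, and what remains is the application data. The following Python example is added here and is not code from the chapter; it builds a constructed Ethernet/IPv4/TCP frame carrying a made-up HTTP request (documentation addresses, invented MACs) and then decapsulates it, verifying the IPv4 header checksum along the way so that a corrupted or hand-crafted header is noticed.

```python
import socket
import struct

# Constructed sample values for this example (not taken from the chapter).
SRC_MAC = bytes.fromhex("001122334455")
DST_MAC = bytes.fromhex("66778899aabb")
SRC_IP = "192.0.2.10"      # TEST-NET-1 documentation range
DST_IP = "198.51.100.20"   # TEST-NET-2 documentation range
PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"


def ip_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header (RFC 791). Returns 0 when
    run over a header whose checksum field is already filled in correctly."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes = PAYLOAD) -> bytes:
    """Wrap application data in a TCP segment, then an IPv4 datagram,
    then an Ethernet frame (Layer 7 -> 4 -> 3 -> 2)."""
    # Layer 4: 20-byte TCP header, no options; TCP checksum left at 0 for brevity.
    tcp = struct.pack("!HHIIBBHHH",
                      49152, 80,      # source port, destination port (HTTP)
                      1000, 0,        # sequence and acknowledgement numbers
                      5 << 4,         # data offset = 5 words, reserved bits 0
                      0x18,           # flags: PSH|ACK
                      65535, 0, 0)    # window, checksum, urgent pointer
    # Layer 3: 20-byte IPv4 header, protocol 6 = TCP, checksum computed below.
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    # Layer 2: Ethernet II header, EtherType 0x0800 = IPv4.
    eth = struct.pack("!6s6sH", DST_MAC, SRC_MAC, 0x0800)
    return eth + ip + tcp + payload


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def parse_ethernet(frame: bytes):
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": etype}, frame[14:]


def parse_ipv4(data: bytes):
    vihl, _tos, tlen, _id, _flags, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", data[:20])
    ihl = (vihl & 0x0F) * 4          # header length in bytes (options included)
    header = data[:ihl]
    info = {
        "version": vihl >> 4,
        "src_ip": socket.inet_ntoa(src),
        "dst_ip": socket.inet_ntoa(dst),
        "ttl": ttl,
        "protocol": proto,
        "checksum_ok": ip_checksum(header) == 0,
    }
    # Honour the datagram's own total length so trailing Ethernet padding is dropped.
    return info, data[ihl:tlen]


def parse_tcp(data: bytes):
    sport, dport, seq, ack, offres, flags, win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", data[:20])
    doff = (offres >> 4) * 4         # data offset in bytes
    info = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": win}
    return info, data[doff:]


def decapsulate(frame: bytes) -> dict:
    """Peel the layers off in the order an analyst reads a capture."""
    eth, rest = parse_ethernet(frame)
    if eth["ethertype"] != 0x0800:
        return {"ethernet": eth, "application": rest}
    ip, rest = parse_ipv4(rest)
    if ip["protocol"] != 6:
        return {"ethernet": eth, "ip": ip, "application": rest}
    tcp, payload = parse_tcp(rest)
    return {"ethernet": eth, "ip": ip, "tcp": tcp, "application": payload}


if __name__ == "__main__":
    for layer, value in decapsulate(build_frame()).items():
        print(layer, value)
```

Each dictionary returned by `decapsulate` corresponds to one layer's evidence: the MAC addresses identify the interfaces on the local segment, the IP addresses and TTL identify the end hosts and hint at distance, the ports identify the service, and the payload is the content an investigator would reconstruct. A `checksum_ok` of `False` on a live capture is worth noting; it usually means the header was altered in transit or the capture point saw the packet before hardware offload filled the field in.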
Multiple Choice Questions
1. An understanding of networks helps with which of the following:
2. When a Windows system connects to a shared folder on another Windows machine on the
Internet, which of the following protocols are used?
3. Hosts that connect two or more networks are called:
4. Which of the following are Layer 7 protocols?
5. Which of the following is a wireless protocol?
6. Ethernet uses which of the following technologies?
7. Which of the following is a Layer 2 address?
8. Another name for a hub is:
9. Currently, the most widely used Internet protocols are:
10. The OSI reference model divides Internets into seven layers. Choose the correct order, by
layer.
11. The layer that actually carries data via cables or radio signals is the:
12. A hub joins hosts at the physical level whereas a switch joins them at the _____ layer.
13. The layer responsible for managing the delivery of data is the:
14. ___is a transport layer protocol.
15. Which of the following network technologies uses a fiber-optic medium?
True or False Questions
1. An understanding of networks is only necessary for investigating computer intrusions and
Denial of Service attacks.
2. It is possible to reconstruct events surrounding a crime scene using only evidence on
3. Ethernet frames are encapsulated within IP datagrams.
4. A switch prevents eavesdropping on a network.
5. TCP connections only carry data in one direction.
6. Capturing network traffic at the physical layer gives investigators access to application
layer data such as web pages viewed and images downloaded.
7. TCP is a Layer 4 protocol.
8. TCP addresses can be used to track down an offender.
9. Every mobile telephone has a unique Electronic Serial Number (ESN) and Mobile ID
Number (MIN).
10. Mobile telephones can be used to locate the person using them.
11. TCP/IP enables computers using different network technologies to communicate.
13. MAC addresses are uniquely associated with an NIC whereas IP addresses can be
changed.
14. A single, prolonged NetBIOS connection can be made up of multiple TCP/IP
connections.
15. Individuals who can access the physical layer have unlimited access to all of the data on
the network unless it is encrypted.
Discussion Questions
1. Give an example of the type of digital evidence that can be found at each layer of the OSI
2. In Figure 21.13, identify each layer and describe its purpose.
3. Child pornographers are connecting to the home networks of innocent individuals via
insecure wireless access points. How can this help or hinder a digital investigation?
4. What Internet servers do you access regularly and what activities might those systems
record in log files?