Chapter 25
Digital Evidence at the Network and Transport Layers
On completion of this chapter, the student will:
Be aware of various network and transport layer protocols and how criminals use them.
Be aware of the components that constitute an IP address.
Recognize the reason for Domain Name System (DNS) tables and a correlation between a DNS listing and IP addresses.
Be aware of various tools that facilitate collecting digital evidence at the network and transport layers.
Chapter Guide
This chapter expands on the overview provided in Chapter 21, describing TCP/IP in more detail and demonstrating the usefulness of IP addresses in investigations. Because TCP/IP forms such an integral part of the Internet, the information related to these layers is too extensive to describe individually.
Extending the analogy on page 441, the glue that holds a network together gets stuck in many places for digital investigators to recover. Case examples are
A simplified example of setting up a network and tracking down an offender is provided in Section 21.2. Students can also be encouraged to explore the networks around them, provided they do not cause any harm.
Multiple Choice Questions
1. TCP is an abbreviation for:
2. What system is used to convert IP addresses to their associated names?
3. Which of the following is a Class A network?
4.
5. Which of the following logs record the IP addresses of computers accessing an FTP server?
6. In addition to the IP address of the sender, SMTP e-mail server logs contain which of the following?
7. Which of the following servers maintain logs of when users accessed their e-mail?
8. IP Address Class B addresses start with 128.0.0.0 through:
9. IP address [ 10.40.3.2 ] is a ______, _______ network address:
10. _________ is a tool for querying DNS.
11. The IP software on each ______ contains a routing table that is used to determine where to send information.
12. It is sometimes possible to obtain a list of all machines in the DNS belonging to a specific organization by performing a _______.
13. To make large-scale internetworking more reliabl
also known as _________, to establish, maintain, and terminate connections between hosts.
14. VNC software:
15. The creator of the first Internet worm and one of the first individuals to be prosecuted under the Computer Fraud and Abuse Act was:
True or False Questions
1. The UDP protocol will resend packets that were not received by the destination computer.
2. The Internet is a packet-switched network.
3. TCP session hijacking can only be performed using a computer on the same network segment as the client and/or server.
4. The Domain Name System can be used to obtain the names of people who are responsible for a given computer.
5. Port 80 is generally associated with the Domain Name System.
6. It is sometimes possible to obtain a list of all machines in the DNS belonging to a specific organization by performing a zone transfer.
7. IP spoofing establishes a bi-directional TCP
and the target.
8.
9. Network address translation (NAT) enables many computers to connect to the Internet using only one IP address.
10. An IP address can only be assigned one name in the Domain Name System.
11. RADIUS and TACACS authentication servers keep logs of the IP addresses that were assigned to user accounts connecting to the Internet.
12. All servers keep logs of the IP addresses of clients that connected to them.
13. ows systems, is a tool used for querying
DNS.
14. Any host, even a personal computer in some
Internet.
15. On a packet-switched network, computers are not connected using dedicated circuits.
Discussion Questions
1. Should Internet service providers be required to keep
2. When illegal activities are traced back to a particular house, how can you be sure that it is the
a search warrant and breaking down the door of the house?
Scenario
A threatening message was sent from a web-based e-mail service. Information in the header indicates that the sender connected to the web-based e-mail server through a proxy to conceal his/her actual IP address.