This document discusses network forensics and the role of forensic experts. It covers how networking works by breaking data into packets, how network penetration is possible by spoofing IP addresses, and defines cyber forensics as applying security practices to reduce damage from attacks. Forensic experts locate security threats, analyze practices, help implement responses to attacks, and prepare legally-sound evidence.

1. 1. How Networking Works
2. Network Penetration
3. Cyber Forensics
4. Forensic Evidence
5. Cyber Criminals
6. What do Forensic Experts do?

2. How Networking Works
 Networking is a technique of converting data into
electronic packets before transmission over a network
 Data is packaged into an IP (internet protocol) packet
and signed with the sender’s IP address as well as the
intended recipient’s IP address
 Routers/switches are used to route the data based
upon the sender and recipient addresses in the packet.

3. How Networking Works II
Source PC
IP: 192.168.0.5
Router
IP: 192.168.0.1
Destination
PC 1
IP: 192.168.0.6
Destination
PC 2
IP: 192.168.0.12
2
1
Consider a network setup as above. Where
would the data packet shown below travel, and
why?
Data Packet
Source IP: 192.168.0.5:29381
Destination IP: 192.168.0.6:80
Data: (some data)

4. Network Penetration
 Data in an IP packet is filled in by the sender – i.e. the
sender can alter the Source IP as required, thereby
‘spoofing’ the IP.
 MAC addresses are embedded into every network
device, but usually can be changed by software as well.
 If a spoofed IP packet is sent to any PC, tracing the
origin of the packet can be difficult.

5. Network Penetration II
Source PC
IP: 192.168.0.5
Router
IP: 192.168.0.1
Destination
PC 1
IP: 192.168.0.6
Destination
PC 2
IP: 192.168.0.12
Source PC spoofs PC 2’s IP address using the
data packet below. PC 1 assumes PC 2 sent the
packet, and sends a reply packet to PC 2.
Data Packet
Source IP: 192.168.0.12:29381
Destination IP: 192.168.0.6:80
Data: (some data)
To restrict such network
penetration, routers need to verify
the source and destination of all
packets traversing the network.

6. The Meaning of Forensics
 Network/Data security awareness has only lately
become of value, with billions worth of electronic
transactions going through the wide-open world of the
internet – a system that has zero in-built security
facilities.
 Cyber forensics is the application of information
technology and the vast know how of internet security
best practices to reduce damage, repair affected
systems, restore access and restrict vandalism – the
four great ‘R’s.

7. Forensic Evidence
 Forensics is the application of various sciences to
explain evidence in a legal scenario.
 Various legal environment have vastly different
practices for collection and presentation of evidence.
 Since Forensics essentially applies to a legal scenario,
‘evidence’ is an aspect that comes along with it. The
proper presentation of forensic evidence can be the
difference between a win and a loss in a court battle.

8. Cyber Criminals
 Usually are either seasoned professionals bitter with
the industry, or amateurs trying to make a show.
 Can use various penetration methods to access your
network
 Could use the internet as a medium for
sending/receiving information (and thus provide
another communication medium for terrorism)
 Essentially violate various privacy laws, piracy laws and
otherwise compromise data security

9. What do forensic experts do?
 Locate, identify and evaluate threats to network and
data security
 Analyze current security practices, and offer
recommendations on security best practices
 Help implement the 4 ‘R’s – reduce damage, repair
affected systems, restore access and restrict
vandalism – in the event of an attack
 Prepare forensic evidence in accordance with legal
requirements