
December 6, 2025 13 mins
Network Forensics – Key Concepts and Techniques
In this lesson, you’ll learn about:
  • The fundamentals of networks and physical security risks
  • Common network attack vectors and exploitation techniques
  • Critical protocols, encryption methods, and anonymity technologies
  • Essential tools and methodologies used in network forensic investigations
1. Network Fundamentals & Physical Security
  • Understanding how networks operate is essential for forensic analysis.
  • Physical access = high risk
    • Coax-based networks are insecure.
    • Wiring closets and data closets are prime targets.
    • Example: An MIT associate once accessed a wiring closet, deployed a server, and was only detected via CCTV.
  • Network devices by OSI layer:
    • Hub → Layer 1 repeater
    • Switch → Layer 2 (MAC-based)
    • Router → Layer 3
    • Firewall → Layer 4 (TCP/UDP port filtering)
  • NAT ("poor man's proxy")
    • Multiple internal IPs share one external IP.
    • NAT blocks inbound attacks but is bypassed when an infected internal system creates an outbound tunnel.
2. Attack Vectors and Network Exploits
Wireless as a major weakness
  • Wireless signals broadcast publicly, making them easy to attack.
  • Deauthentication attacks can be launched with cheap hardware (e.g., ESP8266 boards for $20-$25).
Core attack techniques
  • MAC Spoofing
    • MAC addresses can be changed easily (e.g., using macchanger).
    • Investigators look for activity stopping on one MAC/IP and continuing on another.
    • Tracking spoofed devices typically requires a WIPS (wireless intrusion prevention system) and signal triangulation.
  • ARP Poisoning & MAC Flooding
    • ARP poisoning redirects traffic by impersonating the gateway.
    • MAC flooding forces switches to behave like hubs.
    • Port security can mitigate these attacks.
  • DNS Poisoning
    • Redirects a domain to an attacker-controlled IP.
    • Local host files can be manipulated (e.g., domain → 127.0.0.1).
  • TCP/IP Spoofing
    • Effective spoofing requires MITM positioning to block reset packets.
    • Blind spoofing is used in large-scale DoS to confuse IDS systems.
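The "look for the pattern, not the address" approach from the MAC spoofing bullets, as an added example that is not part of the episode: it scans constructed DHCP lease and IDS alert lines for a hostname that reappears behind a new MAC, and for activity that stops on one source IP and resumes on another shortly after. The log format, hostnames, MACs and addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the episode): one day of DHCP lease
# records and IDS alerts from devices that are already time-synchronised.
SAMPLE_LOG = """\
2025-12-06T10:00:01 dhcpd: DHCPACK on 10.0.0.15 to aa:bb:cc:00:11:22 (lab-pc7)
2025-12-06T10:05:00 ids: alert sig=port-scan src=10.0.0.15
2025-12-06T11:55:00 ids: alert sig=port-scan src=10.0.0.15
2025-12-06T12:02:30 dhcpd: DHCPACK on 10.0.0.88 to de:ad:be:ef:00:01 (lab-pc7)
2025-12-06T12:03:00 ids: alert sig=port-scan src=10.0.0.88
2025-12-06T12:04:00 dhcpd: DHCPACK on 10.0.0.40 to 11:22:33:44:55:66 (printer-3)
2025-12-06T12:10:00 ids: alert sig=port-scan src=10.0.0.40
"""

LEASE_RE = re.compile(r"^(\S+) dhcpd: DHCPACK on (\S+) to (\S+) \((\S+)\)$")
ALERT_RE = re.compile(r"^(\S+) ids: alert sig=(\S+) src=(\S+)$")


def parse_log(text):
    """Split the log into lease records (ts, ip, mac, host) and alerts (ts, sig, src)."""
    leases, alerts = [], []
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if m:
            ts, ip, mac, host = m.groups()
            leases.append((datetime.fromisoformat(ts), ip, mac.lower(), host))
            continue
        m = ALERT_RE.match(line)
        if m:
            ts, sig, src = m.groups()
            alerts.append((datetime.fromisoformat(ts), sig, src))
    return leases, alerts


def hostnames_with_multiple_macs(leases):
    """Hostname indicator: one hostname seen behind two or more MAC addresses."""
    macs = defaultdict(set)
    for _, _, mac, host in leases:
        macs[host].add(mac)
    return {host: sorted(m) for host, m in macs.items() if len(m) > 1}


def activity_handoffs(leases, alerts, max_gap_minutes=15):
    """Behaviour indicator: the same signature stops on one source IP and
    resumes on another within max_gap_minutes. Each hit carries the hostname
    the two IPs share in the lease log (None when they do not share one)."""
    host_of = {ip: host for _, ip, _, host in leases}  # latest lease wins
    by_sig = defaultdict(list)
    for ts, sig, src in sorted(alerts):
        by_sig[sig].append((ts, src))
    hits = []
    for sig, seq in by_sig.items():
        for (t1, ip1), (t2, ip2) in zip(seq, seq[1:]):
            gap = (t2 - t1).total_seconds() / 60
            if ip1 != ip2 and gap <= max_gap_minutes:
                h1, h2 = host_of.get(ip1), host_of.get(ip2)
                hits.append((sig, ip1, ip2, gap, h1 if h1 == h2 else None))
    return hits


def analyse(text=SAMPLE_LOG):
    """Return (hostnames behind several MACs, activity hand-offs) for a log."""
    leases, alerts = parse_log(text)
    return hostnames_with_multiple_macs(leases), activity_handoffs(leases, alerts)


if __name__ == "__main__":
    multi, hits = analyse()
    for host, macs in multi.items():
        print(f"hostname {host} seen behind MACs {macs}")
    for sig, a, b, gap, host in hits:
        print(f"{sig}: {a} -> {b} after {gap:.0f} min, shared hostname: {host}")
```

In the sample the first hand-off is corroborated by the shared hostname lab-pc7, while the second (to the printer's address) is not, which is the difference between a likely mask change and a second source worth investigating separately.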
3. Protocols, Encryption & Anonymity
  • Secure vs. insecure protocols:
    • SSH (22) replaced Telnet (23).
    • FTP sends credentials in plaintext.
    • SNMP (161/162) must never be exposed externally due to sensitive config data.
  • Malware ports commonly observed:
    • 666, 1337, 12345, 54321, 4444, 5555.
  • IPv6 & IPSec:
    • IPv6 often uses IPSec, enabling point-to-point encrypted traffic that is difficult to intercept or spoof.
  • Tor and onion routing:
    • Uses three layers of encryption across multiple nodes.
    • Nearly impossible for a basic investigator to break.
    • Only encrypted inside the Tor network—exit node traffic to non-HTTPS sites is exposed.
4. Forensic Tools & Investigation Methodology
Log-Based Investigation
  • External attacks rely on:
    • Router logs
    • Firewall logs
    • IDS logs
  • Internal attacks rely on logs from internal devices and systems.
Key Tools
  • Security Information Management Systems (SIMS)
    • Aggregate logs from thousands of sources.
    • Normalize data and identify correlated attack patterns.
  • Packet Sniffers & Protocol Analyzers
    • Wireshark captures Layer 2 traffic.
    • “Follow stream” helps isolate conversations and manually carve data.
  • Netstat
    • Shows open ports and active network connections.
    • Not forensically sound on original evidence—should be used only on a copy or VM.
Timestamp Synchronization
  • Timestamps are critical for correlating logs.
  • All systems should sync to a trusted NTP server.
  • If timestamps differ, investigators must calculate and apply the correct offset.
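Calculating and applying a clock offset, as an added example that is not part of the episode: a constructed NTP-synced firewall log serves as the reference clock, the server's skew is estimated from connections that both devices logged, and the server's events are shifted onto the firewall's timeline so the two logs can be read as one. The log formats, addresses and values are assumptions.

```python
import re
from datetime import datetime, timedelta
from statistics import median

# Constructed sample logs (not from the episode). The firewall is NTP-synced
# and is the reference clock; the server's clock is slow by an unknown amount.
FIREWALL_LOG = [
    ("2025-12-06T12:03:00", "ALLOW 10.0.0.88 -> 203.0.113.5:4444"),
    ("2025-12-06T12:03:04", "ALLOW 10.0.0.88 -> 203.0.113.5:4444"),
    ("2025-12-06T12:09:00", "ALLOW 10.0.0.88 -> 198.51.100.7:443"),
]
SERVER_LOG = [
    ("2025-12-06T11:48:02", "sshd: accepted login for svc-backup from 10.0.0.88"),
    ("2025-12-06T11:48:03", "proc 4121 connect 203.0.113.5:4444"),
    ("2025-12-06T11:48:07", "proc 4121 connect 203.0.113.5:4444"),
    ("2025-12-06T11:54:03", "proc 4121 connect 198.51.100.7:443"),
]

# Matches the remote IP:port that both devices record for the same connection.
DST_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+:\d+)")


def parse_ts(s):
    return datetime.fromisoformat(s)


def destinations(log):
    """Yield (destination, timestamp) for every line that names an IP:port."""
    for ts, msg in log:
        m = DST_RE.search(msg)
        if m:
            yield m.group(1), parse_ts(ts)


def estimate_offset(reference_log, skewed_log):
    """Offset to add to the skewed clock so it agrees with the reference clock.
    Events with the same destination are paired in order of appearance; taking
    the median difference tolerates a few mismatched pairs."""
    ref_seen = {}
    for dst, ts in destinations(reference_log):
        ref_seen.setdefault(dst, []).append(ts)
    diffs = []
    for dst, ts in destinations(skewed_log):
        if ref_seen.get(dst):
            diffs.append((ref_seen[dst].pop(0) - ts).total_seconds())
    if not diffs:
        raise ValueError("no common events to anchor the two clocks")
    return timedelta(seconds=median(diffs))


def merged_timeline(reference_log, skewed_log):
    """Return (events sorted on the reference clock, offset applied)."""
    offset = estimate_offset(reference_log, skewed_log)
    events = [(parse_ts(ts), "firewall", msg) for ts, msg in reference_log]
    events += [(parse_ts(ts) + offset, "server", msg) for ts, msg in skewed_log]
    return sorted(events), offset


if __name__ == "__main__":
    timeline, off = merged_timeline(FIREWALL_LOG, SERVER_LOG)
    print(f"server clock offset: {off}")
    for ts, src, msg in timeline:
        print(f"{ts.isoformat()} [{src}] {msg}")
```

Once the offset is applied, the login on the server is placed one second before the first outbound connection the firewall saw, an ordering that is invisible while the raw timestamps are fifteen minutes apart.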


You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the deep dive. Today we're on a pretty
critical mission, really diving deep into network forensics. We're going
to travel through the whole stack, I mean, from the
physical cable all the way up to encrypted data. Because
when data moves, it leaves clues. The question is how
deep do those clues go and how easy is it

(00:20):
to steal or impersonate that traffic.

Speaker 2 (00:23):
That is the core challenge, isn't it. If you want
to track an attacker, you first have to be fluent
in how systems talk to each other. You need to
understand the media, the devices, the protocols, and maybe more importantly,
know exactly where the weakest links are.

Speaker 1 (00:37):
Absolutely so, our goal today is to give you that
clear understanding of the common attack vectors and then the
forensic methods used to track them down. We're basically creating
a shortcut to understanding the entire communication pipeline, where.

Speaker 2 (00:49):
The holes are, and how to spot when something's wrong.

Speaker 1 (00:51):
Okay, let's unpack this. We should probably start at well,
literally the ground floor layer one, the physical hardware.

Speaker 2 (00:58):
Yeah, we get so focused on fancy encryption algorithms that
we forget security starts with stuff you can actually.

Speaker 1 (01:04):
Touch and these aren't just theoretical threats, right, not at all. Yeah.

Speaker 2 (01:08):
I mean with modern ethernet, you can get basic hardware taps,
things like the Throwing Star LAN Tap. Throwing Star, it's
just a name, but for forty or fifty bucks, you
can get a device that just sits on the cable
and duplicates everything it has ports for the original conversation,
and then read only ports that just siphon off a
copy of all the traffic. The original systems have no.

Speaker 1 (01:30):
Idea, And that leads us to probably the biggest physical
risk of all the data closet. Yeah, wiring closet.

Speaker 2 (01:37):
Oh absolutely. If an attacker gets physical access to that room,
to the punchdown blocks, it's game over.

Speaker 1 (01:45):
They're just on the network instantly bypassing everything exactly.

Speaker 2 (01:49):
The most famous case that shows this is Aaron.

Speaker 1 (01:52):
Swartz, right, at MIT.

Speaker 2 (01:53):
Yeah, he didn't hack a firewall. He just broke into
a wiring closet, plugged a server directly into the network
and to downloading.

Speaker 1 (02:00):
And they only caught him because of a security camera
in the closet, not because of a digital trace.

Speaker 2 (02:05):
It's a huge lesson. Sometimes the lowest tech attack is
the most effective one.

Speaker 1 (02:09):
So when physical security fails, the next jump is usually
to the airwaves wireless, which is a forensic nightmare because
it's basically a hub, right, it's just broadcasting everything into
the open.

Speaker 2 (02:20):
Precisely, you're just shouting your data into the public domain.
Anyone in range can hear anything that's not encrypted, and.

Speaker 1 (02:27):
We tend to trust the numbers on the box. Like
Bluetooth has a range of what ten meters maybe sixty feet.

Speaker 2 (02:33):
That's the advertised range. But you know, way back in
two thousand and five, there's a demo of something called
the Bluetooth Sniper Gun. A sniper gun, yeah, and it
got a reliable connection from three quarters of a mile away.

Speaker 1 (02:44):
WHOA so much for that thirty foot security bubble.

Speaker 2 (02:47):
Relying on distance for wireless security is a huge mistake.

Speaker 1 (02:51):
It's interesting, though, you can make some small tweaks for security,
like with Wi-Fi channels. In the US we use
channels one through eleven, right.

Speaker 2 (02:57):
But you could theoretically force your devices to use a
country code for say Japan, and use their channel fourteen.

Speaker 1 (03:06):
Which most standard US equipment won't even scan for.

Speaker 2 (03:08):
It's not real security, but it's a little bump, a
minor deterrent for a casual sniff.

Speaker 1 (03:13):
But the real weakness of wireless is how easy it
is to launch a denial of service attack.

Speaker 2 (03:18):
Oh, it's trivial. You don't need a botnet. You can
do it with a twenty-dollar microcontroller like an
ESP8266 board.

Speaker 1 (03:25):
And what does it do.

Speaker 2 (03:26):
It just sends out forged packets that trick everyone's devices
into thinking the access point kicked them off. They can't reconnect.
It's a localized DoS attack that's incredibly effective and cheap
to pull off.

Speaker 1 (03:37):
So once we move past the physical layer, we get
into the digital world where everything is about identity, and
that usually means the MAC address and the IP address exactly.

Speaker 2 (03:47):
The MAC is your hardware fingerprint, layer two; the IP's
your system fingerprint, layer three.

Speaker 1 (03:53):
But here's the problem for an investigator. The MAC address
can be changed.

Speaker 2 (03:57):
Right, trivial to change. There are tools like macchanger
that can spoof it in seconds.

Speaker 1 (04:03):
So if it's that easy to fake, how do you
ever track anyone?

Speaker 2 (04:06):
You look for the pattern, not the address, the pattern. Yeah,
So say you see some malicious activity from MAC address
A and IP address X for two hours, then it stops.
Five minutes later, the exact same activity starts up from
MAC B and IP Y. Ah.

Speaker 1 (04:22):
So it's the behavior that links them. It's the same
person just changing masks.

Speaker 2 (04:26):
That's a massive red flag, and it leads us to
the identifier that often cracks the case wide open the
host name.

Speaker 1 (04:34):
The host name.

Speaker 2 (04:34):
Why that because unlike the MAC or IP, changing the
host name properly system wide often requires a full reboot.

Speaker 1 (04:42):
But wouldn't a smart attacker just reboot?

Speaker 2 (04:45):
You'd think so, But forensics is usually about capitalizing on
human error. An attacker's under pressure. They change the MAC,
they change the IP, they see the traffic flowing again,
and they think they're safe.

Speaker 1 (04:54):
They don't want to risk a reboot, which is slow
and might trigger some other alert.

Speaker 2 (04:58):
Exactly, so they forget that they're The static host name
is being logged by every single server they touch. It
becomes this persistent, crucial link back to their machine that
is fascinating.

Speaker 1 (05:07):
The investigation hinges on an attacker's impatience. Okay, so, speaking
of layers, let's quickly nail down the devices.

Speaker 2 (05:13):
Right At layer one, you have the hub, just a
dumb repeater.

Speaker 1 (05:17):
Layer two is the switch, which cares about those MAC
addresses we just talked about.

Speaker 2 (05:21):
Then layer three is the router moving traffic between networks
using IP addresses, and then generally the firewall works up
to layer four filtering based on port numbers.

Speaker 1 (05:30):
TCP or UDP ports, right, and.

Speaker 2 (05:33):
Those two protocols are fundamentally different. TCP is connection oriented.
It's all about guaranteed delivery.

Speaker 1 (05:39):
It does the whole three way handshake, sends sequence numbers.
If a packet drops, TCP knows and resends.

Speaker 2 (05:46):
It yep, whereas UDP is the opposite. It's connectionless, fire and.

Speaker 1 (05:50):
Forget, which is why gamers love it.

Speaker 2 (05:52):
Right, less lag exactly faster, lower overhead. But if a
packet drops, you just see a glitch in the game.
For forensics, that's a problem, and an attacker using UDP
leaves a much messier, harder to follow a trail because
you lose all that sequence and flow information.

Speaker 1 (06:06):
Okay, let's talk deception. One of the biggest defenses most
networks have is NAT, network address translation.

Speaker 2 (06:12):
The poor man's proxy, that's a great way to put it.

Speaker 1 (06:15):
It takes a whole building full of internal IP addresses
and hides them behind one single public IP.

Speaker 2 (06:22):
Which is a huge security benefit because if an attacker
on the outside tries to connect to a specific computer
on the inside, the NAT device gets the request and
just drops it. It has no map for that unsolicited traffic.

Speaker 1 (06:34):
So this is why almost all successful attacks are an
inside job. They're not breaking in from the outside exactly.

Speaker 2 (06:40):
The strategy has to be to trick an internal user
through a phishing email or a bad website to download
and run.

Speaker 1 (06:47):
Some code, and that code then calls home. It creates
an outbound tunnel.

Speaker 2 (06:52):
And that's the key. Outbound traffic is usually allowed, so
it sails right past the NAT device, completely bypassing its protection.

Speaker 1 (06:59):
So when an attacker is doing reconnaissance, one of the
first steps is port scanning.

Speaker 2 (07:03):
Right, you have sixty five, five hundred and thirty six
ports for TCP and the same for UDP, A huge number.

Speaker 1 (07:09):
But most scanning tools only check what the top two thousand.

Speaker 2 (07:12):
Or so, and for good reason. Doing a full scan
of all sixty five thousand ports takes forever, and it
can actually knock a network over. It's a risk for
a self inflicted denial of service attack.

Speaker 1 (07:21):
I can actually vouch for that. I've seen a pen
tester run a full scan, not the default, and the
sheer volume of connection requests just crashed the client's firewall.

Speaker 2 (07:32):
It happens the legacy hardware just can't handle the traffic storm.
It proves that sometimes volume is a bigger threat than
some complex exploit.

Speaker 1 (07:41):
Now, if the attacker is already inside the network, we
have to talk about ARP.

Speaker 2 (07:45):
Poisoning, the classic internal attack. It's purely local. The attacker
basically lies to the network.

Speaker 1 (07:52):
They tell the gateway, hey, I'm the client computer, and
they tell the client computer, hey, I'm the gateway, and just.

Speaker 2 (07:57):
Like that, they've inserted themselves in the middle of the conversation.
All traffic now flows through the attacker's machine.

Speaker 1 (08:03):
Man in the middle. They can see everything.

Speaker 2 (08:05):
And what's wild is how easy it is to stop.
You just enable port security on the switch, which locks
a physical port to a single MAC address, But so
many organizations just don't do it.

Speaker 1 (08:17):
We should probably also talk about that classic TV hacking trope,
the idea that someone can remotely spoof their IP and
have a perfect interactive session with a server.

Speaker 2 (08:26):
Yeah, that's almost impossible in the real world.

Speaker 1 (08:29):
Because of the reset packet.

Speaker 2 (08:30):
Right exactly, if an attacker spoofs their IP to talk
to a server. The server sends its reply back to
the real IP.

Speaker 1 (08:37):
Address, and that real, innocent machine gets a packet it
wasn't expecting.

Speaker 2 (08:41):
And it immediately sends back a reset packet an RST,
which just kills the connection instantly.

Speaker 1 (08:47):
So any remote attack has to be blind. The attacker's
just guessing.

Speaker 2 (08:51):
Right, So spoofing is mostly used in big DoS attacks,
not for control, but just to create chaos in the logs,
a fog of war to slow down the investigation.

Speaker 1 (09:00):
Okay, let's talk about hardening. What are the big ports
people need to lock down?

Speaker 2 (09:04):
Number one Telnet on port twenty three. It should just
be gone. It sends usernames and passwords in plaintext.

Speaker 1 (09:10):
Unbelievable that it's still around. The replacement is SSH on
port twenty two, which is encrypted right.

Speaker 2 (09:16):
And another huge one is SNMP ports one sixty one
and one sixty two Simple Network Management Protocol.

Speaker 1 (09:23):
And this should never ever be accessible from the Internet.

Speaker 2 (09:26):
Never because it often uses a default community string, which
is basically a plain text password. If an attacker guesses public,
they can get a full dump of your servers, configuration,
running processes, user accounts, everything.

Speaker 1 (09:40):
It's like handing them a blueprint of your entire network.

Speaker 2 (09:43):
Yeah, and speaking of ports, it's also good to know
that malware often uses memorable non standard ports.

Speaker 1 (09:49):
You mean like 666 or 1337.

Speaker 2 (09:53):
Exactly, or 31337 for "eleet", 12345,
54321. If
you see traffic on those, it's an immediate red flag.

Speaker 1 (10:01):
So when a breach happens, the forensic team has to
find the trail. If it's an external attack, you're looking
at the router and firewall logs, and.

Speaker 2 (10:08):
If it's internal, you're looking at switches, servers, endpoints. Yeah,
the problem is the sheer volume.

Speaker 1 (10:13):
Of data, which is where SIEM tools come in. Security
information and event management, indispensable.

Speaker 2 (10:18):
A SIEM tool pulls in logs from hundreds of different devices, routers, firewalls,
servers and puts them all into one single, standardized database.

Speaker 1 (10:25):
And that standardization is the magic, right, It's.

Speaker 2 (10:28):
Everything, because now you can search for patterns across your
whole network. You can say, show me where this malicious
IP appeared, and you'll see it hit the firewall. Then
two minutes later an internal server tried to connect to it.

Speaker 1 (10:41):
You can see the whole narrative of the attack.

Speaker 2 (10:43):
A story you could never piece together by looking at
hundreds of separate log.

Speaker 1 (10:47):
Files and for looking at the conversations themselves. You've got
protocol analyzers like wireshark.

Speaker 2 (10:53):
Right, which works at layer two. If the traffic isn't encrypted,
you can literally just read the data, carve out passwords, commands.

Speaker 1 (11:00):
And even if it is encrypted, you still get the
metadata who is talking to who, when and how much
data was sent.

Speaker 2 (11:06):
Another critical tool is netstat. It shows you all the
active connections on a system and which process is using
which port.

Speaker 1 (11:13):
But there's a massive warning that comes.

Speaker 2 (11:15):
With netstat, oh, a huge one. You never run it
on the original evidence. Never the act of running the
command changes the system. It's contamination. You only read it
on a memory dump or on a virtual machine copy
of the system.

Speaker 1 (11:27):
And when you're looking at the output, you have to
check what the process is bound to.

Speaker 2 (11:32):
That is such a critical point. If you see a
service like a database bound to 127.0.0.1.

Speaker 1 (11:39):
That's localhost. It can only be accessed from
the machine itself safe.

Speaker 2 (11:44):
But if you see it bound to 0.0.0.0.

Speaker 1 (11:47):
That means it's listening on all network interfaces. It's exposed
to the.

Speaker 2 (11:51):
World, and that's often an accidental, massive security hole.

Speaker 1 (11:54):
You know, through all of this, from physical taps to
software tools, the one piece of data that seems most
important is the timestamp.

Speaker 2 (12:02):
It is the most relevant piece of forensic data, period
and we tend to trust the time stamps on network
devices more than on a compromised computer.

Speaker 1 (12:10):
Because they're harder for an attacker to change across the board, right, And.

Speaker 2 (12:13):
This is why having an NTP server, Network Time Protocol
server is non negotiable for any serious organization.

Speaker 1 (12:19):
It synchronizes the clocks on all your devices.

Speaker 2 (12:22):
If all your logs are synced to within a few seconds,
the investigation is smooth. If they're not, your team will
waste days, even weeks just trying to figure out the
time offsets between devices. It's a nightmare.

Speaker 1 (12:34):
What a journey, I mean, from a forty dollars wire
tap all the way to why the host name can
be an attacker's fatal mistake and how SIEM tools stitch
that whole story together. Network forensics really is just about
understanding the path data is supposed to take and then
spotting when it deviates.

Speaker 2 (12:52):
And that concept of the path is always the key,
even with something super advanced like Tor onion routing.

Speaker 1 (12:58):
Right with its three layers of encryption.

Speaker 2 (13:00):
Yeah, but at the end of that path is an
exit relay, and that relay has to decrypt the traffic
to send it to the final destination. If the final
connection isn't encrypted, or if an adversary controls.

Speaker 1 (13:10):
That exit relay, the traffic is exposed. It always comes
back to the path.

Speaker 2 (13:13):
It always comes back to the path.

Speaker 1 (13:14):
That is a perfect way to bring it all together.
So here's a final thought for you to take away
from this deep dive. We talked about how NAT forces
an attacker to use a call home technique to tunnel
out of a network. So thinking about that, Describe a
scenario where an attacker might choose to use a UDP
protocol for that call home tunnel instead of TCP, and
what immediate forensic challenge would that choice present to an investigator.

(13:37):
Think about that. It connects the purpose of NAT, the
core differences between TCP and UDP, and the very real
limits of forensic analysis.
© 2025 iHeartMedia, Inc.