December 7, 2025 15 mins
In this lesson, you’ll learn about:
  • Core networking architectures and components
  • The evidentiary value of network design for forensic investigations
  • MAC vs. IP addressing, IPv4 vs. IPv6
  • Ports, protocols, and how systems communicate
  • TCP (reliable) vs. UDP (unreliable) communication
  • Essential protocols: ICMP, DHCP, DNS
1. Networking Architecture & Its Forensic Importance
  • Network forensics requires a solid understanding of how networks operate.
  • The Internet is defined as a collection of interconnected networks using internet protocols to exchange messages.
  • Key network types:
    • LAN – Local Area Network
    • WAN – Wide Area Network
    • CAN – Campus Area Network
    • MAN – Metropolitan Area Network
  • DMZ (Demilitarized Zone):
    • Positioned between the internal LAN and the internet.
    • Hosts publicly accessible systems (web servers, mail servers).
    • A critical zone for forensic evidence.
Evidentiary Value Across the Architecture
When an attacker moves from the internet → DMZ → internal network, evidence is left in multiple locations, including:
  • Point of origin
  • Routers across the internet
  • ISP-facing router
  • Firewalls
  • DMZ switching infrastructure
  • The compromised server
Understanding these layers allows investigators to reconstruct attacker movement, provided each device was actually logging at the time. The quality of the evidence differs by layer: perimeter routers and firewalls record connection metadata (source IP, ports, SYN attempts), while the compromised DMZ host records what the attacker did after entry (commands run, files touched, the pivot attempt), which is usually the richer source for attribution.
2. Network Components, Addressing & Infrastructure
Network Components
  • Transmission media: cables, fiber, wireless
  • NICs (Network Interface Cards)
  • Nodes (any device connected to the network)
MAC vs. IP Addresses
  • MAC Address
    • Layer 2 (data link)
    • Hardware identifier assigned to the NIC
    • Typically permanent, but it can be rewritten in software and many devices randomize their Wi-Fi MAC, so treat it as strong rather than conclusive evidence
    • Only visible on the local segment: a packet arriving from the internet carries the MAC of the last-hop router, not of the remote attacker
  • IP Address
    • Layer 3 (network)
    • Logical/virtual, routable between networks
    • Changes depending on the network (dynamically assigned via DHCP, or statically configured)
IPv4 vs. IPv6
  • IPv4 → 32-bit addressing (four dotted octets)
  • IPv6 → 128-bit addressing. IPsec support is specified as part of IPv6 (originally mandatory to implement, later relaxed to a recommendation), but it is not switched on by default: IPv6 traffic is unencrypted and unauthenticated unless IPsec is explicitly configured, exactly as with IPv4.
Public vs. Private Addressing
  • Public = Routable on the internet
  • Private = Non-routable (internal networks): 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 (RFC 1918); 127.0.0.0/8 is reserved for loopback
  • Subnet mask = a 32-bit value that splits an address into a network ID and a host ID; hosts with the same network ID talk directly, everything else goes via the router
  • NAT (Network Address Translation) is used to map internal private IPs to a public-facing address. Forensically, a public source IP behind NAT identifies only the NAT device; the NAT/firewall translation log (or the network owner's cooperation) is needed to reach the specific internal host.
IP Address Classes (historical; routing is classless/CIDR today, but the terms still appear in older logs and documentation)
  • Class A – first octet 0–127
  • Class B – first octet 128–191
  • Class C – first octet 192–223
  • Class D – first octet 224–239 (multicast)
  • Class E – first octet 240–255 (experimental/reserved)
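To make the addressing rules above concrete, here is an added example (it is not code from the episode or its lesson notes): pure-Python helpers that compute the network ID with a subnet mask, test whether two hosts share a subnet, tag an address as public, private, loopback, link-local, multicast or reserved, and give its historical class. Every address it handles in the tests is a constructed sample.

```python
# Added example (not from the episode): IPv4 address triage helpers built on the
# same 32-bit arithmetic the subnet mask relies on. Standard library only.
from typing import List, Tuple


def to_int(dotted: str) -> int:
    """Parse a dotted quad into its 32-bit integer value, rejecting malformed input."""
    octets = dotted.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for octet in octets:
        if not octet.isdigit():
            raise ValueError(f"non-numeric octet in {dotted!r}")
        n = int(octet)
        if n > 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | n
    return value


def to_dotted(value: int) -> str:
    """Inverse of to_int: 32-bit integer back to dotted-quad text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> str:
    """/24 -> 255.255.255.0: the top `prefix` bits set, the host bits clear."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length {prefix}")
    host_bits = 32 - prefix
    return to_dotted(((1 << 32) - 1) & ~((1 << host_bits) - 1))


def network_id(addr: str, mask: str) -> str:
    """Bitwise AND of address and mask: the part of the address that names the network."""
    return to_dotted(to_int(addr) & to_int(mask))


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True when a and b share a network ID, i.e. they can talk without a router."""
    return network_id(a, mask) == network_id(b, mask)


def in_block(addr: str, block: str) -> bool:
    """Membership test for CIDR notation such as '10.0.0.0/8'."""
    net, prefix = block.split("/")
    mask = prefix_to_mask(int(prefix))
    return network_id(addr, mask) == network_id(net, mask)


# RFC 1918 private space plus the special-purpose blocks an analyst meets most often.
SPECIAL_BLOCKS: List[Tuple[str, str]] = [
    ("loopback", "127.0.0.0/8"),
    ("link-local", "169.254.0.0/16"),
    ("private", "10.0.0.0/8"),
    ("private", "172.16.0.0/12"),
    ("private", "192.168.0.0/16"),
    ("multicast", "224.0.0.0/4"),
    ("reserved", "240.0.0.0/4"),
]


def scope(addr: str) -> str:
    """'public' (internet-routable) or the first special-purpose scope that matches."""
    for label, block in SPECIAL_BLOCKS:
        if in_block(addr, block):
            return label
    return "public"


def ipv4_class(addr: str) -> str:
    """Historical classful category, decided by the leading bits of the first octet."""
    first = to_int(addr) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


if __name__ == "__main__":
    # Constructed sample addresses: an internal host, an internet-side server, loopback.
    for ip in ("192.168.1.77", "203.0.113.10", "127.0.0.1"):
        print(ip, scope(ip), ipv4_class(ip), network_id(ip, prefix_to_mask(24)))
```

The `same_subnet` check is the one the transcript describes: if the network IDs match, traffic stays on the local segment (and only switch/ARP evidence exists for it); if they differ, the packet had to cross the router and its logs.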
3. Ports & Communication Protocols
Ports
  • Think of ports as "traffic lanes" used for communication.
  • Port numbers are 16-bit: 0–65535, i.e. 65,536 values, of which port 0 is reserved (so 65,535 usable)
    • 0–1023 → Well-known (system) ports, e.g. 22 SSH, 53 DNS, 80 HTTP, 443 HTTPS
    • 1024–49151 → Registered ports
    • 49152–65535 → Dynamic/ephemeral ports (IANA); operating systems pick client-side ephemeral ports from this or a similar high range (Linux defaults to 32768–60999)
  • Services (Windows) / Daemons (Linux) bind to these ports and listen. A client connects from an ephemeral port to the service's port, so in a flow record the lower, well-known port usually marks the server side.
Protocols
  • Protocols define communication rules between systems.
  • Governed by RFCs (Request for Comments) standards.
4. TCP – The Reliable Protocol
Key TCP Header Elements
  • Source port
  • Destination port
  • Sequence number
  • Acknowledgment number
  • Flags (SYN, ACK, FIN, RST, PSH, URG)
  • Window size, checksum, urgent pointer
  • Note: IP addresses are not in the TCP header; they sit in the IP header one layer down.
Connection Management
  • Three-Way Handshake (Start of session)
    • SYN → SYN/ACK → ACK
  • Four-Way Combo (End of session)
    • FIN/ACK → ACK → FIN/ACK → ACK
  • Total overhead: 7 segments for the textbook start + close cycle (3 + 4). In practice the close is often shorter because one side's FIN rides on its ACK, or the session ends with a single RST instead.
Important TCP Flags
  • SYN – Requests a new connection (sequence-number synchronisation)
  • ACK – Acknowledges received data
  • FIN – Requests a graceful close
  • URG – Signals that the Urgent Pointer field is valid and marks urgent/priority data (rarely used in modern traffic)
  • PSH – Asks the receiver to hand buffered data to the application immediately
  • RST – Abruptly closes a session; floods of RSTs, or SYNs that never complete a handshake, are classic scan and denial-of-service indicators
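As an added example covering both the port ranges in section 3 and the handshake, close and flags in section 4 (it is not code from the episode): a small flow reconstructor that groups packets into client/server flows, reports whether each session completed the three-way handshake, closed gracefully or was reset, and labels the server and client ports by IANA range. The packet list is a constructed capture; flag letters follow tcpdump's convention (S, A, F, R, P, U).

```python
# Added example (not from the episode): TCP session state from a packet list,
# plus IANA port-range classification of both ends. SAMPLE is a constructed capture.
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]  # (client ip, client port, server ip, server port)


@dataclass
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # tcpdump letters: S=SYN A=ACK F=FIN R=RST P=PSH U=URG


def port_range(port: int) -> str:
    """IANA ranges (RFC 6335): system/well-known, registered, dynamic (ephemeral)."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


@dataclass
class Flow:
    client: Tuple[str, int]
    server: Tuple[str, int]
    segments: int = 0
    synack: bool = False        # server answered the SYN
    established: bool = False   # client's final handshake ACK seen
    client_fin: bool = False
    server_fin: bool = False
    reset_by: str = ""          # "client", "server", or "" when no RST was seen

    def state(self) -> str:
        if self.reset_by:
            if self.synack and not self.established:
                return f"half-open, reset by {self.reset_by} (SYN-scan pattern)"
            return f"reset by {self.reset_by}"
        if not self.synack:
            return "syn-only (no response)"
        if not self.established:
            return "handshake incomplete"
        if self.client_fin and self.server_fin:
            return "graceful close"
        return "established"


def reconstruct(packets: List[Packet]) -> Dict[FlowKey, Flow]:
    """Group packets into flows; the side that sent the first bare SYN is the client."""
    flows: Dict[FlowKey, Flow] = {}
    for p in sorted(packets, key=lambda pk: pk.ts):
        fwd: FlowKey = (p.src, p.sport, p.dst, p.dport)
        rev: FlowKey = (p.dst, p.dport, p.src, p.sport)
        if fwd in flows:
            flow, from_client = flows[fwd], True
        elif rev in flows:
            flow, from_client = flows[rev], False
        elif "S" in p.flags and "A" not in p.flags:
            flow = flows[fwd] = Flow(client=(p.src, p.sport), server=(p.dst, p.dport))
            from_client = True
        else:
            continue  # mid-stream packet whose SYN we never saw: not attributable
        flow.segments += 1
        if "R" in p.flags:
            flow.reset_by = "client" if from_client else "server"
        elif "S" in p.flags and "A" in p.flags and not from_client:
            flow.synack = True
        elif "F" in p.flags:
            if from_client:
                flow.client_fin = True
            else:
                flow.server_fin = True
        elif "A" in p.flags and from_client and flow.synack and not flow.established:
            flow.established = True
    return flows


def summarize(flows: Dict[FlowKey, Flow]) -> Dict[str, Tuple[str, int, str, str]]:
    """Per flow: state, segment count, server-port range, client-port range."""
    return {
        f"{f.client[0]}:{f.client[1]}->{f.server[0]}:{f.server[1]}":
            (f.state(), f.segments, port_range(f.server[1]), port_range(f.client[1]))
        for f in flows.values()
    }


# Constructed capture: a textbook 7-segment session, a SYN scan, and a server-side reset.
SAMPLE: List[Packet] = [
    Packet(0.000, "10.0.0.5", 51512, "203.0.113.10", 443, "S"),
    Packet(0.010, "203.0.113.10", 443, "10.0.0.5", 51512, "SA"),
    Packet(0.011, "10.0.0.5", 51512, "203.0.113.10", 443, "A"),
    Packet(0.500, "10.0.0.5", 51512, "203.0.113.10", 443, "FA"),
    Packet(0.510, "203.0.113.10", 443, "10.0.0.5", 51512, "A"),
    Packet(0.520, "203.0.113.10", 443, "10.0.0.5", 51512, "FA"),
    Packet(0.521, "10.0.0.5", 51512, "203.0.113.10", 443, "A"),
    Packet(1.000, "198.51.100.7", 40001, "203.0.113.10", 22, "S"),
    Packet(1.010, "203.0.113.10", 22, "198.51.100.7", 40001, "SA"),
    Packet(1.011, "198.51.100.7", 40001, "203.0.113.10", 22, "R"),
    Packet(2.000, "10.0.0.5", 51513, "203.0.113.10", 80, "S"),
    Packet(2.010, "203.0.113.10", 80, "10.0.0.5", 51513, "SA"),
    Packet(2.011, "10.0.0.5", 51513, "203.0.113.10", 80, "A"),
    Packet(2.300, "203.0.113.10", 80, "10.0.0.5", 51513, "R"),
]

if __name__ == "__main__":
    for name, info in summarize(reconstruct(SAMPLE)).items():
        print(name, info)
```

The "half-open, reset by client" state is what a SYN scan leaves behind: the server answered, the scanner never completed the handshake and tore it down with RST. Real captures also contain retransmissions and packets from sessions that began before the capture; the reconstructor ignores the latter rather than guessing which side was the client.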
TCP is reliable because it ensures ordered, confirmed delivery.
5. UDP – The Unreliable Protocol
  • Connectionless, no handshake.
  • Faster, lower overhead.
  • Ideal for short or time-sensitive bursts of data.
  • Common uses:
    • DNS queries
    • Audio/video streaming
    • VoIP
UDP does not guarantee delivery, ordering, or retransmission (its checksum detects corruption, but nothing is resent).
6. Other Essential Protocols
ICMP (Internet Control Message Protocol)
  • Used for error reporting and network diagnostics: ping uses Echo Request/Reply, traceroute maps a path from Time Exceeded replies.
  • ICMP does not choose routes; at most an ICMP Redirect tells a host about a better next hop on its local segment. Because scanners and tunnels also use it, ICMP is worth logging rather than silently dropping.
DHCP (Dynamic Host Configuration Protocol)
  • Automatically assigns IP addresses, subnet masks, default gateways, and DNS servers to clients.
  • Forensic value: the DHCP server's lease log is often the only record tying a dynamic IP to a MAC address (and hostname) at a given time.
DNS (Domain Name System)
  • Translates human-friendly domain names into IP addresses.
  • Forensic value: resolver query logs show which names a host looked up, including attacker infrastructure, before any connection was made.
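The DHCP bullets say where the address-to-device evidence lives; as an added example (not code from the episode), the following answers the question an investigator actually asks: which MAC address and hostname held a given internal IP at the moment a firewall logged it? The log lines are a constructed sample modelled on ISC dhcpd's syslog output (DHCPACK/DHCPRELEASE), and the year is an assumption supplied by the caller because syslog timestamps omit it.

```python
# Added example (not from the episode): map a dynamic IP seen in a firewall log
# back to the MAC address and hostname holding the DHCP lease at that moment.
# DHCP_LOG is a constructed sample modelled on ISC dhcpd syslog lines; syslog
# timestamps carry no year, so the year is an assumption passed in by the caller.
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

DHCP_LOG = """\
Dec  7 08:02:11 dhcp dhcpd: DHCPACK on 192.168.1.57 to 3c:52:82:aa:bb:01 (laptop-17) via eth0
Dec  7 08:45:30 dhcp dhcpd: DHCPACK on 192.168.1.58 to 3c:52:82:aa:bb:02 (printer-2) via eth0
Dec  7 11:20:05 dhcp dhcpd: DHCPRELEASE of 192.168.1.57 from 3c:52:82:aa:bb:01 (laptop-17) via eth0
Dec  7 11:21:40 dhcp dhcpd: DHCPACK on 192.168.1.57 to 3c:52:82:aa:bb:03 (guest-phone) via eth0
"""

LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd: "
    r"(?P<kind>DHCPACK on|DHCPRELEASE of) (?P<ip>\d+(?:\.\d+){3}) (?:to|from) "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) \((?P<host>[^)]*)\)"
)


def parse_ts(stamp: str, year: int) -> datetime:
    """Syslog 'Mon  d HH:MM:SS' has no year; the caller supplies it (assumption)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


@dataclass
class Lease:
    ip: str
    mac: str
    host: str
    start: datetime
    end: Optional[datetime] = None  # None while the lease is still open


def parse_leases(log: str, year: int = 2025) -> List[Lease]:
    """Turn ACK/RELEASE events into lease intervals, one per (ip, mac, hostname) grant."""
    leases: List[Lease] = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # DISCOVER/OFFER/REQUEST and unrelated lines carry no grant
        ts = parse_ts(m["ts"], year)
        ip, mac, host = m["ip"], m["mac"].lower(), m["host"]
        # A release, or an ACK handing the IP to anyone, ends whatever lease was open on it.
        for lease in leases:
            if lease.ip == ip and lease.end is None:
                lease.end = ts
        if m["kind"].startswith("DHCPACK"):
            leases.append(Lease(ip, mac, host, ts))
    return leases


def who_had(leases: List[Lease], ip: str, stamp: str, year: int = 2025) -> Optional[Tuple[str, str]]:
    """(mac, hostname) holding `ip` at `stamp`, or None if no lease covered that instant."""
    at = parse_ts(stamp, year)
    for lease in leases:
        if lease.ip == ip and lease.start <= at and (lease.end is None or at < lease.end):
            return lease.mac, lease.host
    return None


if __name__ == "__main__":
    leases = parse_leases(DHCP_LOG)
    # Constructed firewall event: outbound 192.168.1.57 -> 203.0.113.10:443 at 11:25:00.
    print(who_had(leases, "192.168.1.57", "Dec  7 11:25:00"))
```

The sample is built so that a naive "latest ACK for that IP" lookup would blame laptop-17 for traffic at 11:25, when the lease had already been released and re-issued to guest-phone; tracking intervals avoids that. The MAC this returns is the next pivot: switch MAC tables or ARP caches tie it to a physical port, and the MAC caveats above (spoofing, randomization) still apply.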
Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome back to the deep dive. You know, when we
talk about the Internet, it's so often described as the cloud.
It's this simple kind of ethereal concept. It really is,
but the reality is far more compelling. The Internet is
a massive, meticulously structured machine. It's a physical map of cables, routers, switches,

(00:20):
all speaking these very specific formalized languages scilicely.

Speaker 2 (00:23):
And if you're learning how to secure systems or know
how to perform network forensics, you have to treat the
Internet not as a cloud, but as a defined geographic space.

Speaker 1 (00:32):
Right.

Speaker 2 (00:33):
Our mission today is to become well master navigators of
this digital geography. We are going to map out the
foundational architecture, defining the entry points, the identities, and the
traffic rules.

Speaker 1 (00:44):
We want to give you a shortcut to understanding how
every single message you sent, whether it's an email or
just a web request, actually traverses this global system and crucially,
where it leaves a permanent trail of evidence. Yes, so
let's start with the geography itself. We have these zones
of connected that define the boundaries.

Speaker 2 (01:01):
Yes, and these boundaries are everything when it comes to security.
We begin small with the LAN, the local area network.

Speaker 1 (01:09):
So like my network at home or in the office.

Speaker 2 (01:11):
Exactly the network contained inside a single facility. It's the
most protected space.

Speaker 1 (01:16):
And when you start connecting those local networks across a
vast distances city to city or even continent to continent.

Speaker 2 (01:23):
So that scales up immediately to the WAN, or wide
area network. This is really the backbone of the Internet.
You know, networks spread across large geographic areas.

Speaker 1 (01:31):
I've also heard of things like CAN or MAN. Yeah.

Speaker 2 (01:35):
So, while some documents still define specific mid-sized zones
like the campus area network or a metropolitan area network, those
are increasingly less critical than understanding the primary security

Speaker 1 (01:45):
barrier, which brings us to, I think, the most vital
geographic concept for anyone interested in cybersecurity, the DMZ.

Speaker 2 (01:52):
The demilitarized zone.

Speaker 1 (01:54):
That name is no accident, not at all.

Speaker 2 (01:55):
It describes its function perfectly. The DMZ is a critical
buffer zone. It sits strategically between your highly trusted internal
LAN and, well, the completely untrusted public Internet, the WWW.

Speaker 1 (02:07):
So if a company hosts its public website or its
email server, any service the public needs to access, it
should live.

Speaker 2 (02:13):
There. Right, absolutely. Those servers are inherently exposed, and you
design that DMZ architecture so that if an external threat
actor successfully breaches one of them, they are still contained.
They're in the buffer.

Speaker 1 (02:24):
They haven't immediately gained access to your protected internal corporate
data. Exactly. This sounds like a core forensic insight, then:
if the DMZ is the first major internal target, the
logs generated there must be the gold standard for attribution,
even if the attacker gets

Speaker 2 (02:41):
deeper. They are critical. Understanding this architecture is foundational because
if an attacker compromises a DMZ server, their goal is
to use that server as a pivot point to move
laterally to jump through a secondary firewall and access the
protected LAN, and every step of that process leaves evidence
in the DMZ.

Speaker 1 (02:59):
Okay, so to make that pivot, or even to
send the initial request, we need physical infrastructure. Let's break
down the anatomy of connection. What are the universal ingredients
of any network?

Speaker 2 (03:09):
There are three core components, and it's essential to understand
them as you know physical things. First, you have the medium.

Speaker 1 (03:16):
The path of data travels on right.

Speaker 2 (03:18):
This is either physical, like coax, twisted pair or fiber
optic cables, or it's atmospheric: think Wi-Fi, Bluetooth, infrared.

Speaker 1 (03:28):
Okay medium first, what's second?

Speaker 2 (03:30):
Second, we have the network interface card, or NIC. This
is the physical hardware built into your computer that translates
digital data into a signal that can actually travel across
that medium.

Speaker 1 (03:41):
And finally, the devices themselves.

Speaker 2 (03:43):
We call those the nodes. The node is simply any
device connected via a NIC: a server, a laptop, a printer.
When we talk about securing a network, what we're really
talking about is securing these nodes and controlling the traffic
between them and for.

Speaker 1 (03:57):
All these you know, disparate nodes and mediums to interact,
they have to follow a strict, standardized set of rules.
The protocols.

Speaker 2 (04:05):
Yes, protocols are the standardized language. They define exactly how
systems communicate. Whether you have a decades old mainframe talking
to a modern Linux box.

Speaker 1 (04:12):
It's a translation layer. It is.

Speaker 2 (04:15):
This communication needs formal rules, which are all documented under
the RFC's the Requests for comments. They are like the
Internet's constitution.

Speaker 1 (04:25):
Now that we have the architecture and the rules, how
do we establish digital identity? You mentioned nodes are critical,
but how does the network know which node you are
and where you're going?

Speaker 2 (04:35):
So this brings us into the realm of the layered
network model, which is necessary to understand this distinction. We
have the MAC address, which functions at layer two, the
data link layer. Okay, it is a lower level address.
It's usually permanent, physically burned into the NIC at the factory.
Think of it as the device's unchangeable physical serial number.

Speaker 1 (04:55):
But that physical serial number isn't what the public Internet
uses to route traffic. Is it? That seems too local?

Speaker 2 (05:01):
No, you're right, because traffic needs a routable logical address.
That's the IP address, which functions at layer three, the
network layer.

Speaker 1 (05:08):
Logical, meaning it can change exactly.

Speaker 2 (05:10):
It can be dynamically assigned, it changes frequently or statically assigned,
depending on the network configuration. The IP is what determines
the location within the global network.

Speaker 1 (05:20):
And we all know about the historical headache here we
ran out of room, which pushed us from IPv4
to the massive expansion of IPv6.

Speaker 2 (05:28):
Right. IPv4 uses thirty-two bits, which we see
as four sets of numbers separated by dots, the four octets.
IPv6 was this dramatic, necessary expansion to one hundred
and twenty-eight bits. It's a practically inexhaustible address space.

Speaker 1 (05:43):
And this is where it gets really interesting for security professionals. Right,
the underlying difference and security between the two.

Speaker 2 (05:47):
It is fundamental. The key security upgrade is that IPsec,
the Internet Protocol Security suite, is built directly into IPv6.

Speaker 1 (05:54):
It's required, but for IPv4 it's just an add-on.

Speaker 2 (05:57):
It's an optional add-on that network admins have to
manually configure, which means most networks, well, they just don't
use it natively. In IPv6, you have native encryption
and authentication capabilities baked right in. It dramatically improves security
at the network layer from the start.

Speaker 1 (06:13):
That's a massive shift in trust. Yeah. Now let's briefly
touch on address classification. This still matters when you're looking
at old network logs. I assume it does.

Speaker 2 (06:21):
You don't need to memorize every range, but know the
categories class A, B and C define the available address space.
The important security note is that one twenty seven is
reserved for loopback testing, basically testing a device's own communication capabilities.

Speaker 1 (06:37):
Okay, so we've mentioned the difference between a private
IP and a public IP. How does the rest of
the world see me if I'm using a private IP
that isn't routable across the public Internet?

Speaker 2 (06:45):
This is handled by NAT network address translation, and it's
a cornerstone of modern networking. Okay, the best analogy is
a phone system. Your entire office building might share one
public telephone number. That number comes into the central exchange
your router. That exchange then routes the call to your
specific internal extension.

Speaker 1 (07:04):
So the router is translating all those internal extension numbers,
the private IPs, into that single public IP address when
they talk to the outside world.

Speaker 2 (07:12):
Exactly. That allows one public IP to serve as potentially
hundreds of private IPs behind a router. It saves precious
IPv4 space, and it adds a layer of security
by hiding the internal structure.

Speaker 1 (07:24):
Which is why forensically tracing an attack back to an
exact device behind a NAT can be so challenging.

Speaker 2 (07:31):
It can be yes without cooperation from the local network owner.

Speaker 1 (07:34):
And what about the subnet mask. That's what defines the
boundary of that internal network, right.

Speaker 2 (07:39):
It does, but it does so mathematically. The subnet mask
is a thirty two bit value that essentially works like
a dividing line. It separates the IP address into two parts,
the network ID and the host ID, so.

Speaker 1 (07:53):
It tells the computer this part of the address defines
our local neighborhood, and this other part is your unique
house number.

Speaker 2 (08:00):
It is the boundary definition. If you're communicating with an
IP address that shares the same network ID, the traffic
stays local. If the network ID is different, the data
has to go to the router to be sent out
to the world.

Speaker 1 (08:11):
That's the identity sorted. Once we know the source and destination,
the data needs a structured way to travel. Let's move
to the highway system itself.

Speaker 2 (08:19):
Ports right, Ports are best thought of not as pipes,
but as lanes on a massive digital highway. And that
highway has sixty-five thousand five hundred and thirty-five
possible lanes available.

Speaker 1 (08:30):
That's an immense number of lanes. Are they all used equally?

Speaker 2 (08:33):
No, not at all. Specific traffic types drive and reserve lanes.
For instance, secured web traffic, HTTPS, always travels in lane
four forty-three. FTP control traffic is reserved for
lane twenty-one. These are the well known ports, one
through ten

Speaker 1 (08:48):
twenty-four, reserved for common core services.

Speaker 2 (08:50):
Yes, and if your computer needs to initiate an outbound
connection to a web server. What kind of port does
it use?

Speaker 1 (08:56):
Uh? Something else? Right?

Speaker 2 (08:57):
It generally uses an ephemeral port, typically anything above ten
twenty-four. These are dynamically assigned by the operating system
for temporary connections. In either case, services, or daemons on
Linux systems actively bind or attached to these ports, waiting
to receive or send data.

Speaker 1 (09:13):
When that data travels down the lanes, it's packaged up.
We use the analogy of the trailer carrying the data payload,
So the TCP header is the truck cab pulling it.

Speaker 2 (09:22):
A great way to think about it. The cab contains
everything needed for transport and coordination at layer four. This
includes the source and destination ports, which we just defined. Crucially,
it also includes sequence numbers and acknowledgment numbers, which.

Speaker 1 (09:35):
Are necessary for guaranteeing delivery and order.

Speaker 2 (09:37):
Yes, but notice what is not in that header The
IP addresses. Right, the IP addresses aren't there. They're handled
at layer three by the IP protocol itself. The header's
job is just to ensure the integrity of the data
stream between the two applications, and.

Speaker 1 (09:52):
The most dynamic part of that header are the flags.
These are like the hand signals the truck driver uses
to signal.

Speaker 2 (09:58):
Intent, exactly. They govern the connection. SYN (synchronize) is the
signal to start a connection. ACK (acknowledge) confirms receipt.
FIN (finished) is the polite signal to close a connection.

Speaker 1 (10:10):
But the security team is usually most interested in the
less polite signals.

Speaker 2 (10:14):
Absolutely the RST reset flag is the abrupt ungraceful close.
It's like hanging up the phone without warning. If you
see a flood of RST packets, it can often indicate
an attacker trying to crash a

Speaker 1 (10:25):
service, or a scanner trying to be sneaky, right.

Speaker 2 (10:28):
And we also have the urgent pointer, which tells the
receiver that a certain number of subsequent packets are priority data.

Speaker 1 (10:34):
That distinction between a polite connection and an abrupt close
leads us right to the difference between the two main
highway systems. Yeah TCP versus UDP.

Speaker 2 (10:43):
This is really reliability versus speed. TCP, the Transmission Control
Protocol, is reliable and connection oriented. It requires a formal

Speaker 1 (10:50):
Introduction the three way handshake.

Speaker 2 (10:52):
The three-way handshake: SYN to request, SYN/ACK to accept
and acknowledge, and a final ACK to confirm the connection
is established.

Speaker 1 (11:00):
This always happens and the close is just as polite,
involving four packets in the four way combo.

Speaker 2 (11:06):
Right, the polite shutdown requires both sides to agree. The
sender sends a FIN/ACK, the receiver acknowledges it, then the
receiver sends its own FIN/ACK, and the sender acknowledges that
final close.

Speaker 1 (11:16):
Wow. So that entire session just to start and politely
close requires seven packets of overhead.

Speaker 2 (11:23):
Seven packets three to start, four to close. That overhead
is the price of guaranteed reliability.

Speaker 1 (11:27):
That's a lot of overhead. So what about the unreliable
brother UDP.

Speaker 2 (11:31):
UDP or user datagram protocol is connectionless, It has no
handshake whatsoever. It is fire and forget. You send the
packet in well, you hope it gets there.

Speaker 1 (11:40):
Why would anyone use an unreliable protocol for anything important?

Speaker 2 (11:45):
Because for many modern applications, speed absolutely trumps reliability. Think
about streaming video, Netflix live feeds. While your initial login
might happen over a secure TCP connection, the actual video
data is broken up into millions of tiny bursts, often
sent rapidly over UDP.

Speaker 1 (12:03):
Ah. So if you drop a packet of video data,
the stream just jitters for a millisecond.

Speaker 2 (12:09):
It just jitters slightly. It doesn't interrupt the whole session
to re request that one tiny piece of data, which
would be a far worse experience. So UDP sacrifices perfection
for a continuous, high speed flow.

Speaker 1 (12:20):
Which is exactly what streaming needs. And often that data
isn't even coming from Netflix dot Com. It's coming from
some giant cloud provider exactly.

Speaker 2 (12:27):
They're utilizing UDP to maximize speed and throughput.

Speaker 1 (12:30):
Okay, we need to quickly cover the supporting cast of
protocols that make this entire system legible. First, ICMP.

Speaker 2 (12:37):
ICMP, the Internet Control Message Protocol, is vital for error
control and diagnostics. Think of the common ping command. It
helps find the best route across the network and reports
back when things go wrong.

Speaker 1 (12:48):
And two more pillars, DHCP and DNS.

Speaker 2 (12:52):
DHCP, Dynamic Host Configuration Protocol, is the service that automatically
assigns and configures your IP address and everything else every
time you connect, and DNS the Domain Name system is
the crucial address book. It translates human friendly names like
website URLs into those logical IP addresses that routers actually need.

Speaker 1 (13:12):
Okay, we've mapped the geography, defined the language, analyzed the
traffic flow. Let's bring it all together for the cybersecurity context.
How does knowing this architecture give us the edge when
tracing a threat actor?

Speaker 2 (13:24):
It tells us exactly where the evidence resides. When we
visualize that attack on the DMZ from the Internet through
the perimeter, into the buffer and then pivoting inward, we
are looking at a chain of eight distinct points that
generate evidentiary logs.

Speaker 1 (13:37):
It's a huge trail of breadcrumbs, but I'm guessing the
quality of those breadcrumbs varies absolutely.

Speaker 2 (13:42):
Think about the difference between the perimeter router logs and
the logs on the compromised DMZ server itself. The router
gives us the source IP and connection data, syn packets
ports used, which is valuable.

Speaker 1 (13:54):
That's just the start.

Speaker 2 (13:55):
But the logs on the compromised DMZ server tell us
what the attacker did after gaining entry, the commands they executed,
the files they access, the evidence of the pivot attempt.
That server side evidence is often far more rich for
forensic attribution.

Speaker 1 (14:09):
So understanding those flags, the difference between TCP and UDP,
the public and private IPs, that helps an analyst prioritize
which logs to pull first. That's the power of this
deep dive.

Speaker 2 (14:20):
It is. Every component we discussed, MAC addresses, IP addresses,
the seven packets of TCP overhead, is logged somewhere within
those eight points, assuming logging is enabled correctly.

Speaker 1 (14:31):
We covered a tremendous amount of ground today, defining the zones,
the identity layers, and the rules that govern all data transmission.

Speaker 2 (14:37):
So if we accept that the reliable connection of TCP
is modeled on polite human dialogue, you know, three steps
to start, four steps to politely finish. What does the connectionless,
fire and forget nature of UDP tell us about the
priority of modern digital communication. Does the relentless pursuit of
speed and uninterrupted flow imply that instant delivery is now
inherently more valuable than guaranteed perfection.

Speaker 1 (15:01):
That's a provocative question to chew on and to reinforce
what we've learned about the anatomy of connection. Here is
a final exercise for you. Think about the three main
physical components of a network, the medium, the NIC and
the node. If you are setting up a brand new
network today, why is fiber optic cable, a type of medium,
generally considered a much more secure choice than standard Ethernet

(15:23):
or twisted pair for protecting data transmission inside a building.
We'll leave you to mull over the physical interception methods
that would make one medium less secure than the other.
© 2025 iHeartMedia, Inc.