Chapter 07· 10 min read
Network Foundations
Reading as a guest
Sign up free to save your progress, highlight passages, and pick up where you left off.
You'll lose your reading position and notes if you leave without an account.
Every piece of digital evidence that travels over a network — an email, a login, a malware download — follows a strict set of rules. Understanding those rules tells you where to look for evidence and what you are looking at when you find it.
7.1The OSI Model — Seven Layers
The OSI (Open Systems Interconnection) model defines seven layers that describe how data is packaged and transmitted between devices. Each layer adds its own header to the data before passing it down — a process called encapsulation. Think of it like sending a letter: you write the content (Layer 7), address the envelope (Layer 3), hand it to the post office (Layer 2), and it travels on the physical road (Layer 1). At the destination, each layer unwraps its header in reverse until the original message reaches the application.
The mnemonic "All People Seem To Need Data Processing" gives the layers from top to bottom: Application, Presentation, Session, Transport, Network, Data Link, Physical.
Layer 7 — Application is what the user sees: HTTP, HTTPS, FTP, SMTP, DNS, and DHCP all live here. Application logs — web server logs, mail server logs, DNS query logs — are your richest evidence source at this layer.
Layer 6 — Presentation handles data format conversion, compression, and encryption/decryption. SSL/TLS is negotiated here. When traffic is encrypted, this layer makes content unreadable to a passive sniffer.
Layer 5 — Session establishes, manages, and terminates communication sessions between applications. Session tokens and login state belong conceptually here.
Layer 4 — Transport adds port numbers and manages end-to-end communication. TCP (Transmission Control Protocol) is reliable, ordered, and error-checked — it guarantees delivery. UDP (User Datagram Protocol) is faster but offers no delivery guarantee. Firewall logs record Layer 4 information: source IP, destination IP, source port, destination port, and protocol.
Layer 3 — Network handles IP addressing and routing. Each packet carries an IP header with source and destination IP addresses. Routers operate at this layer, consulting routing tables to forward packets. Raw packet captures (pcap files) expose Layer 3 headers directly.
Layer 2 — Data Link uses MAC addresses to deliver frames within a single network segment. Ethernet (IEEE 802.3) and Wi-Fi (IEEE 802.11) are Layer 2 technologies. Switches operate here, maintaining a MAC address table to send frames only to the correct port.
Layer 1 — Physical carries raw bits over copper cable, optical fibre, or radio. Hubs, modems, and physical cables live here. There is no addressing at this layer — just electrical signals or light pulses.
7.2TCP/IP Model
The TCP/IP model is the practical four-layer framework that actually governs internet communication. OSI is the conceptual reference; TCP/IP is what engineers implement. The layers map onto OSI as follows:
| TCP/IP Layer | Equivalent OSI Layers | Key Protocols |
|---|---|---|
| Application | 5 + 6 + 7 | HTTP, FTP, SMTP, DNS, DHCP |
| Transport | 4 | TCP, UDP |
| Internet | 3 | IP, ICMP, ARP |
| Network Access / Link | 1 + 2 | Ethernet, Wi-Fi |
TCP three-way handshake establishes a reliable connection before any data transfers. The sequence is:
- SYN — client sends a synchronise segment to the server.
- SYN-ACK — server acknowledges the SYN and sends its own synchronise.
- ACK — client acknowledges the server's SYN. Connection is open.
Forensic value: in a packet capture (pcap), a SYN with no SYN-ACK means the port is closed or filtered. Repeated SYNs to many different ports is the signature of a port scan. A flood of SYNs that never complete the handshake is a SYN flood denial-of-service attack.
TCP flags you must know for the exam:
- SYN — initiate connection
- ACK — acknowledge received data
- FIN — graceful close (waits for FIN-ACK before teardown)
- RST — abrupt reset (immediate teardown, no waiting)
- PSH — push data to application immediately without buffering
- URG — urgent data, process ahead of normal stream
UDP skips the handshake entirely. No acknowledgement, no ordering guarantee. DNS queries, VoIP calls, and video streams use UDP because speed matters more than delivery guarantee. Forensic note: because there is no handshake, an attacker can forge the source IP in a UDP packet — the server cannot verify the claimed sender.
7.3IP Addressing
IPv4 addresses are 32-bit numbers written as four decimal octets separated by dots — for example, 192.168.1.100. With 32 bits there are approximately 4.3 billion possible addresses. That pool is now exhausted globally.
IPv6 addresses are 128 bits written as eight groups of four hexadecimal digits separated by colons — for example, 2001:0db8:85a3::8a2e:0370:7334. The :: shorthand compresses one or more consecutive all-zero groups. The IPv6 address space is so vast that exhaustion is not a concern for the foreseeable future.
Private (RFC 1918) IPv4 ranges are reserved for internal networks and are not routable on the public internet:
| Range | CIDR | Typical Use |
|---|---|---|
| 10.x.x.x | 10.0.0.0/8 | Large enterprise networks |
| 172.16.x.x – 172.31.x.x | 172.16.0.0/12 | Medium-size networks |
| 192.168.x.x | 192.168.0.0/16 | Home and small office |
Loopback addresses refer to the local machine itself — 127.0.0.1 in IPv4 and ::1 in IPv6. Traffic to loopback never leaves the host.
NAT (Network Address Translation) lets multiple private-IP devices share one public IP. The router rewrites source IPs on outgoing packets and keeps a translation table to route replies back to the correct internal device. Forensic implication: the IP address in a server's access log is the NAT gateway, shared by everyone behind it. To identify the specific device, investigators need DHCP lease records or router logs showing which private IP was assigned to which device at the exact time of the event.
Port numbers identify services on a host. They are 16-bit values (0–65535). Well-known ports (0–1023) are assigned to standard services:
| Port | Protocol | Forensic Relevance |
|---|---|---|
| 21 | FTP | File transfers, often unencrypted — credentials visible in pcap |
| 22 | SSH | Encrypted remote login — look for brute-force attempts in auth logs |
| 25 / 587 | SMTP | Email sending — check mail server logs |
| 53 | DNS | Name resolution — DNS logs reveal every domain queried |
| 80 / 443 | HTTP / HTTPS | Web traffic — proxy logs, web server logs |
| 3389 | RDP | Windows Remote Desktop — common ransomware entry point |
7.4Subnetting & CIDR
CIDR (Classless Inter-Domain Routing) replaced the old fixed-class system. A CIDR address like 192.168.1.0/24 means the first 24 bits identify the network and the remaining 8 bits identify hosts within it. The slash number is called the prefix length.
Common prefix lengths and their host counts:
| CIDR | Subnet Mask | Total Addresses | Usable Hosts |
|---|---|---|---|
| /8 | 255.0.0.0 | 16,777,216 | 16,777,214 |
| /16 | 255.255.0.0 | 65,536 | 65,534 |
| /24 | 255.255.255.0 | 256 | 254 |
| /26 | 255.255.255.192 | 64 | 62 |
| /28 | 255.255.255.240 | 16 | 14 |
| /30 | 255.255.255.252 | 4 | 2 |
A /24 is the most common subnet in small and medium networks. A /30 is used for point-to-point links between routers (only 2 usable addresses needed).
DHCP (Dynamic Host Configuration Protocol) automatically gives a joining device its IP address, subnet mask, default gateway, and DNS server. The DHCP server maintains lease records — a log of which MAC address received which IP at which time. In an investigation, DHCP logs are often the only path from a dynamic IP address back to a specific physical device. Always request DHCP logs together with router and firewall logs when pursuing a logged IP address.
7.5LAN, MAN, WAN & Network Devices
Networks are classified by geographic scale:
LAN (Local Area Network) covers a single building or campus. Most LANs use Ethernet (IEEE 802.3) for wired connections and Wi-Fi (IEEE 802.11) for wireless, with speeds from 100 Mbps to 10 Gbps. Evidence from a LAN investigation comes from switch logs, ARP tables, DHCP records, and wireless access point association logs.
MAN (Metropolitan Area Network) spans a city. ISPs build MANs using fibre backbone to connect multiple LANs. A university spread across a city or a bank's branch offices in one city would use MAN infrastructure.
WAN (Wide Area Network) connects geographically separated locations across cities, countries, or continents. The internet is the largest WAN. Corporate WANs use leased lines, MPLS circuits, or VPN tunnels. Evidence at the WAN level typically requires ISP records obtained by court order.
Network devices and their forensic significance:
A hub operates at Layer 1 and broadcasts every frame to every connected port. All devices on a hub segment see all traffic — passive sniffing requires nothing more than a laptop in promiscuous mode. Hubs are obsolete in real networks but appear frequently in exam questions.
A switch operates at Layer 2 and maintains a MAC address table. When a frame arrives, the switch looks up the destination MAC and delivers the frame only to the correct port. A device on a switched network sees only its own traffic and broadcasts. To sniff on a switched network, an attacker must first poison the ARP cache to redirect traffic through their machine.
A router operates at Layer 3 and connects different networks, forwarding IP packets based on a routing table. Routers log connection attempts, DHCP leases, and NAT translations. Firewall functionality is often built into edge routers.
A firewall filters traffic using ACLs (Access Control Lists) based on IP address, port, protocol, and connection state. Stateful firewalls track TCP state — they know whether a packet belongs to an established, permitted connection. Firewall logs are primary evidence in intrusion investigations, recording allowed and blocked traffic with source/destination IP, port, protocol, and timestamp.
A proxy server sits between internal clients and the internet, intercepting HTTP/HTTPS requests on behalf of clients. Corporate proxies log every URL accessed per internal IP address. These logs are a rich evidence source when investigating employee misconduct or malware command-and-control traffic.
MAC Address
A 48-bit hardware address assigned to every network interface card at manufacture time. Written as six pairs of hexadecimal digits separated by colons, for example 00:1A:2B:3C:4D:5E. The first three bytes (OUI — Organisationally Unique Identifier) identify the manufacturer. Switches use MAC addresses to deliver frames to the correct port on a local segment. MAC addresses can be changed in software (MAC spoofing), so they are not irrefutable proof of device identity, but they remain a useful investigative starting point when combined with other evidence.
OSI 7 layers top to bottom: "All People Seem To Need Data Processing" — Application, Presentation, Session, Transport, Network, Data Link, Physical.
TCP = reliable — three-way handshake SYN → SYN-ACK → ACK. UDP = fast, no guarantee — used for DNS, VoIP, streaming. SYN flood = many SYNs, no ACK to complete handshake.
Private IPv4 ranges (RFC 1918): 10.x.x.x · 172.16–31.x.x · 192.168.x.x — none are routable on the public internet.
Well-known ports: FTP=21 · SSH=22 · SMTP=25/587 · DNS=53 · HTTP=80 · HTTPS=443 · RDP=3389.
/24 = 254 usable hosts (256 total − network address − broadcast address).
DHCP logs map IP to device at a given time — always subpoena alongside router logs when chasing a dynamic IP in server access logs.
Switch uses MAC address table — direct delivery per port, not broadcast. ARP poisoning is required to sniff on a switched network.
NAT = shared public IP — server logs show the gateway, not the individual device. DHCP lease records are needed to go further.
Don't lose your place
Save this chapter and the rest of Cyber & Digital Forensics.
A free ForensicSpot account remembers which chapters you've read, lets you highlight passages, take notes and resume from any device.