Digital Forensics: Network Monitoring, Packet Capture and Network Investigation
Published:
Questions: 30
Duration: 30 min
Faculty-reviewed: 0
Updated: 20 May 2026
Practice with national-level exam (FACT, FACT Plus, NET, CUET, etc.) mocks, learn from structured notes, and get your doubts solved in one place.
This thirty-question FACT-style mock walks the network-monitoring and network-investigation unit of the digital forensics paper end to end. It covers live packet capture with Wireshark and tcpdump including the Berkeley Packet Filter capture-filter grammar and the dotted display-filter grammar, the PCAP and PCAPng file formats, the difference between promiscuous mode on wired Ethernet and monitor mode on 802.11 wireless interfaces, and the role of Tshark as the command-line sibling of Wireshark. It steps through the OSCAR methodology of Davidoff and Ham, the catch-it-as-you-can versus stop-look-and-listen acquisition strategies, NetFlow and IPFIX metadata records, and the placement of SPAN mirror ports and inline TAP appliances for sensor visibility on switched networks.
The mock then turns to network intrusion detection with Snort, Suricata, and Zeek, contrasting signature-based and anomaly-based detection. Event-log analysis covers the Windows Security channel logon events 4624 (successful logon) and 4625 (failed logon), Linux journald and rsyslog, and SQL-injection patterns visible in web access logs. Router and switch evidence covers the Cisco IOS show logging, show ip route, and show running-config commands, and the switch CAM (MAC address) table. Traffic analysis covers top-talkers, Deep Packet Inspection, JA3 and JA3S TLS fingerprinting, honeypots and honeynets including Cowrie and The Honeynet Project, NTP-disciplined log correlation, 802.11 frame types for wireless forensics, and what a passive observer can and cannot see in an encrypted VPN tunnel.
It suits MSc Cyber Forensics aspirants, NFSU MSc applicants, FACT candidates, and working SOC analysts preparing for GCIA or GCFE.
Topics covered:
Work through every question, read each explanation carefully, and revisit weak areas before reattempting. Allow 30 minutes.
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.