The OSI Model and Protocols for Network Investigators

The OSI model was published by the International Organization for Standardization in 1984. It describes seven distinct layers of abstraction through which data passes when two systems communicate. In a forensic context, the model is a map: it tells the investigator which layer produced the evidence they are looking at and therefore which tool and method is appropriate for extraction.

In practice, investigators work most often at Layers 2 through 7. Layer 1 analysis requires specialised radio frequency or cable-tap equipment and arises in wireless eavesdropping cases. Layers 2 and 3 are where device and network identity artifacts live: MAC addresses identify hardware interfaces, IP addresses identify logical hosts, and ARP tables show which MAC was associated with which IP at a given time. Layers 4 and 7 are where connection and content evidence lives.

The Internet Protocol (IP) at Layer 3 provides the addressing that routes packets between networks. Each IP packet header contains a source IP address, a destination IP address, a Time-To-Live (TTL) value, and a protocol identifier (6 for TCP, 17 for UDP). The TTL decrements by 1 at each router hop; its value when captured can indicate approximately how many hops remain from source, which helps investigators estimate the geographic or network distance of the origin. IP fragmentation flags appear when large packets are split across links with smaller maximum transmission units.

TCP at Layer 4 adds port numbers, sequence numbers, acknowledgment numbers, and control flags. Source and destination port numbers identify the service: port 80 is HTTP, port 443 is HTTPS, port 25 is SMTP, port 53 is DNS (over UDP by default, TCP for large responses). The TCP three-way handshake produces three packets with precise timestamps. In an investigation timeline, the SYN packet timestamp is when the client initiated the connection, which can be correlated with user activity logs, authentication events, or system clock artifacts.

TCP sequence numbers allow reconstruction of the byte stream from out-of-order or fragmented captures. Tools like Wireshark perform this reassembly automatically and present the application-layer payload as a readable stream. This is how an investigator can extract a file download, a form submission, or an email body from a packet capture even if the underlying packets arrived in a non-sequential order. UDP provides no equivalent reassembly mechanism; UDP-based protocols either handle ordering in the application layer or accept potential loss.

DNS (Domain Name System) translates human-readable domain names into IP addresses. Nearly every internet connection is preceded by a DNS query, which makes DNS logs a near-complete record of a device's outbound connection attempts. A DNS query contains the querying IP address, the domain name requested, the query type (A for IPv4, AAAA for IPv6, MX for mail servers, TXT for text records), and a timestamp. The response contains the IP address returned and the Time-To-Live, which indicates how long the resolver caches the result.

DNS logs are maintained by several different systems and each has a different retention policy and legal access pathway. The authoritative name servers for a domain are operated by the domain owner. The recursive resolver is typically operated by the user's ISP or by a third-party resolver (Cloudflare 1.1.1.1, Google 8.8.8.8). Enterprise networks often run internal recursive resolvers with centralised logging. In an investigation, obtaining DNS logs from the internal corporate resolver is often faster and produces more detail than approaching the ISP.

DNS tunnelling is a technique used to exfiltrate data or establish covert command-and-control channels by encoding data inside DNS query and response fields. An attacker controls a domain and its authoritative name server. The malware on the victim machine sends DNS queries for subdomains that encode exfiltrated data: for example, base64-encoded file chunks as successive subdomains of attacker-controlled.com. The responses carry encoded instructions. Detection signatures include: unusually long subdomains, high query frequency to a single domain, low TTL values, and TXT or NULL record type queries. Zeek (formerly Bro) network monitoring software includes DNS analysis modules specifically designed to flag tunnelling patterns.

HTTP (Hypertext Transfer Protocol) operates at Layer 7 and is the primary protocol for web communication. An HTTP request contains: the method (GET, POST, PUT, DELETE), the URL path, the HTTP version, the Host header identifying the target domain, the User-Agent header identifying the client software and version, Cookie headers carrying session tokens, and in POST requests, the message body which may contain form data, file uploads, or API payloads. The server response includes a status code, content-type, and the response body. All of these fields are plaintext in unencrypted HTTP traffic and are directly readable in a packet capture.

HTTPS adds TLS encryption between the TCP layer and the HTTP application layer. The TLS handshake, which occurs after the TCP handshake, is visible in a packet capture: it includes the ClientHello (containing the supported cipher suites and, critically, the SNI hostname extension), the ServerHello, and the server certificate chain. The certificate reveals the server's identity, the issuing certificate authority, and validity dates. Once the handshake completes, the HTTP request and response content are encrypted and not readable without the session keys.

Investigators use several approaches when HTTPS encryption blocks content access. In controlled environments (corporate networks or endpoint forensics), TLS session keys can be extracted from browser memory or from a SSLKEYLOGFILE log maintained by the browser, and these keys can be loaded into Wireshark to decrypt captures. Network proxy logs (from devices that perform TLS inspection) record the decrypted HTTP fields on the proxy side. Web server access logs record the same request fields on the server side. When none of these are available, investigators work with the metadata: connection endpoints, data transfer volume, timing, and SNI values.

Email protocols generate artifacts that trace message paths across multiple systems. SMTP (Simple Mail Transfer Protocol, port 25 or 587) is used between mail servers and from mail clients to outgoing servers. Each SMTP server that handles a message prepends a Received header to the message, creating a chain that records the IP address and hostname of each mail transfer agent and the timestamp at each hop. These Received headers are not encrypted and are included in the raw message source, which investigators can obtain from the receiving mail server.

FTP (File Transfer Protocol) uses two separate TCP connections: a control channel on port 21 for commands and responses, and a data channel (port 20 in active mode, or an ephemeral port in passive mode) for file content. FTP credentials and commands are transmitted in plaintext on the control channel. SFTP (SSH File Transfer Protocol) and FTPS (FTP over TLS) encrypt these fields; the underlying connection metadata (IP addresses, port numbers, connection timestamps) remains visible. SMB (Server Message Block), used for Windows file sharing on ports 445 and 139, records file access events that appear in Windows Security Event Logs as well as in packet captures.

IMAP (Internet Message Access Protocol, port 143 or 993 over TLS) and POP3 (port 110 or 995 over TLS) are used by email clients to retrieve messages from mail servers. IMAP keeps messages on the server and is common in enterprise environments; POP3 downloads and optionally deletes them, making the server-side copy unreliable after retrieval. In investigations involving cloud email (Microsoft 365, Google Workspace), investigators typically obtain records via lawful process to the provider rather than from packet captures, because the traffic is encrypted and the provider's audit logs contain more structured data than a network capture would yield.

Network traffic capture requires legal authority in every jurisdiction. In the United States, the Electronic Communications Privacy Act (ECPA) and the Wiretap Act (18 U.S.C. Chapter 119) govern real-time interception of network traffic, with separate provisions for stored communications under the Stored Communications Act. A pen register order authorises collection of metadata (IP addresses, port numbers, connection times) without a full wiretap warrant. In the United Kingdom, the Investigatory Powers Act 2016 governs both targeted interception and bulk collection, with oversight by the Investigatory Powers Commissioner. In the European Union, the General Data Protection Regulation (GDPR) and the e-Privacy Directive impose constraints on the retention and processing of traffic data. In India, the Information Technology Act 2000 as amended authorises interception under Sections 69 and 69B, with the Digital Personal Data Protection Act 2023 adding further constraints on data handling.

Chain of custody for packet captures begins at acquisition. The investigator must document the interface from which traffic was captured, the tool used (including version), the exact capture filter applied if any, the start and end timestamps, and the hash value (SHA-256) of the resulting PCAP file. Wireshark and tcpdump both record capture start time in the PCAP global header. Any analysis that modifies the file, such as applying a display filter in Wireshark and saving a filtered copy, must be documented as a derivative work, with the original PCAP preserved separately.

Log records obtained from ISPs, corporate network devices, or cloud providers are typically produced in response to a court order or equivalent legal process. The legal standards differ: metadata (connection logs, DNS query logs) often requires a lower threshold than content (intercepted payloads). Investigators working across borders must account for mutual legal assistance treaty (MLAT) requirements when the network device or server is in a different country from the investigation. The Legal and Jurisdictional Frameworks topic covers the procedural requirements in detail.