1. Network Forensics

Network forensics is the process of analyzing network data and artifacts to determine what occurred on a computer network. To fully understand network forensics, we must first learn about computer networks and network protocols.

1.1 Computer Networks

In a general sense, a computer network consists of two or more computers connected to each other. A typical computer network consists of a modem, a router, and a few computers, sometimes referred to as endpoints. A modem is a device that connects the internal network to the Internet at large. A router is a device that forwards data between the modem and the endpoints, and it also tries to ensure that data arrives at the proper endpoint.

1.2 Protocols

In order for the components of the network to know where and how to send data, network protocols are used. Protocols define the structure of network packets, the individual chunks of data sent over the network. Depending on the protocol, a packet may carry data from a web page on the Internet or data from a file transfer. It is not necessary to understand the exact structure of these protocols yet; just know that different types of data use different protocols. Two important protocols for this curriculum are TCP and HTTP. TCP, short for Transmission Control Protocol, is a widely used network protocol that ensures a packet has been received by the recipient before the next packet is sent. This is very important for sensitive data that must be received in its proper order, such as encrypted messages. HTTP, or HyperText Transfer Protocol, is a protocol carried over TCP that is used for Internet connections through web browsers. HTTP uses TCP to transfer the data from one endpoint to another, and when the data arrives, the HTTP content is interpreted by the web browser.
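As an added example (not part of this curriculum), the following Python script shows the layering just described: it builds three constructed IPv4/TCP segments carrying one HTTP request, peels the IP and TCP headers the way a packet analyzer does, and reassembles the payload by TCP sequence number. The addresses, ports and request text are made-up sample values.

```python
import struct

# Constructed sample traffic: one HTTP request split across three TCP
# segments that arrive out of order. Each segment is a bare IPv4 header +
# TCP header + payload (no Ethernet frame); checksums are left as zero.
SRC_IP, DST_IP = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])  # sample addresses

def build_segment(seq: int, payload: bytes, sport: int = 40000, dport: int = 80) -> bytes:
    """Pack a minimal 20-byte TCP header (data offset 5, PSH+ACK) behind a 20-byte IPv4 header."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0, SRC_IP, DST_IP)
    return ip_hdr + tcp_hdr + payload

def parse_segment(pkt: bytes):
    """Peel IPv4 then TCP; return (src, dst, sport, dport, seq, payload)."""
    ihl = (pkt[0] & 0x0F) * 4                 # IPv4 header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:                           # IP protocol number 6 = TCP
        raise ValueError("not a TCP segment")
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    tcp = pkt[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4             # TCP header length in bytes
    return src, dst, sport, dport, seq, tcp[data_off:]

def reassemble(segments) -> bytes:
    """Order segments by TCP sequence number and join their payloads (minimal stream reassembly)."""
    parsed = sorted((parse_segment(s) for s in segments), key=lambda p: p[4])
    return b"".join(p[5] for p in parsed)

def arrival_order(segments) -> bytes:
    """Join payloads in capture order, ignoring sequence numbers (what naive analysis would see)."""
    return b"".join(parse_segment(s)[5] for s in segments)

def http_request_line(stream: bytes) -> str:
    """Return the first line of an HTTP request, e.g. 'GET /index.html HTTP/1.1'."""
    return stream.split(b"\r\n", 1)[0].decode("ascii", errors="replace")

REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"  # constructed request
ISN = 1000  # constructed initial sequence number
chunks = [REQUEST[:10], REQUEST[10:30], REQUEST[30:]]
SEGMENTS = [build_segment(ISN + 30, chunks[2]),   # last piece captured first
            build_segment(ISN, chunks[0]),
            build_segment(ISN + 10, chunks[1])]

if __name__ == "__main__":
    for s in SEGMENTS:
        src, dst, sport, dport, seq, data = parse_segment(s)
        print(f"{src}:{sport} -> {dst}:{dport} seq={seq} len={len(data)}")
    print("reassembled:", http_request_line(reassemble(SEGMENTS)))
    print("arrival order:", http_request_line(arrival_order(SEGMENTS)))
```

Run it to see that only the sequence-ordered stream yields a readable request line, which is why analyzers follow the TCP stream rather than reading packets in capture order.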

Download WiresharkPortable.

To use WiresharkPortable, first unzip the folder by right-clicking on it and selecting “Extract all.” Once the folder is extracted, navigate to it and double-click the “WiresharkPortable.exe” file.

2. Wireshark and Network Traffic Analysis

Now that we understand network traffic and how to analyze it using Wireshark, it is time for some challenges!