ISDF_Network_Forensics

The document outlines an experiment on Network Forensics conducted at Somaiya Vidyavihar University, focusing on reconstructing communication sessions, extracting files, and identifying credentials from network traffic. It includes objectives, expected outcomes, related theory, implementation details, and case studies involving suspicious activities of employees. The conclusion emphasizes the importance of Network Miner as a tool for passive analysis and digital evidence collection in forensic investigations.
Uploaded by VIDIT SHAH

Somaiya Vidyavihar University

(Constituent College – K J Somaiya College of Engineering)

Batch: A Roll No.: 16030724019

Experiment/assignment/tutorial No.: 3

Grade: AA / AB / BB / BC / CC / CD / DD

Signature of the Staff In-charge with date

Experiment No.: 3

Title: Network Forensics

Objectives:
1. Reconstruct Communication Sessions: Analyze captured packets to rebuild
communication between network endpoints.
2. File Extraction: Extract transmitted files (e.g., images, documents,
executables) from network traffic.
3. Identify Credentials: Recover login credentials or sensitive data transmitted in
clear text.
4. IP and Host Identification: Determine which IP addresses and hosts
communicate on the network.

Expected Outcome of Experiment:

1. Reconstruct Communication Sessions: Accurately rebuild and analyze
communication between network devices.
2. File Extraction: Recover files transmitted over the network for further
investigation.
3. Credential Discovery: Identify sensitive data such as plaintext usernames and
passwords.
4. Host and IP Identification: Detect and map out hosts and IP addresses
involved in network traffic.
5. Malware and Anomaly Detection: Identify suspicious files or abnormal
network behavior to detect potential security threats.

Department of Computer Engineering


Page No M.Tech.Comp CLab-1 Sem I / Aug 2024
Books/ Papers/Websites referred:

1. https://www.netresec.com/?page=NetworkMiner
2. https://www.geeksforgeeks.org/computer-network-tutorials/
3. https://www.youtube.com/watch?v=vo9tK3ABw8o

Pre Lab/ Prior Concepts:

1. Basic Networking: Understand TCP/IP, IP addresses, ports, and protocols.
2. PCAP Files: Familiarity with capturing and analyzing network traffic.
3. Network Forensics Basics: Goals of network forensics and tracing communication.
4. Operating Systems Knowledge: Understanding OS processes and file paths.
5. Security Protocols: Awareness of encryption (e.g., SSL/TLS) and its impact on
investigation.

Related Theory:
1. Network Forensics:
• Network forensics is a branch of digital forensics focusing on monitoring and
analyzing network traffic for evidence of cybercrime or unauthorized activities.
It helps identify the source and nature of incidents such as data breaches,
malware infections, or policy violations.
• The process typically includes capturing data, analyzing the traffic, and
reconstructing events or sessions to understand what transpired on a network.
2. Packet Capture and Analysis:
• Network packets are the smallest units of data transmitted over a network. Tools
like Wireshark and tcpdump capture these packets into PCAP files, allowing
forensic investigators to analyze them later.
• Packet analysis involves dissecting these packets to extract information such as
source/destination IP addresses, protocols, payloads (data carried in the packet),
and timestamps. These insights help reconstruct communication and trace the
movement of data across the network.


• Network Miner is designed to simplify this process by automatically extracting
files, credentials, images, and sessions from packet captures, reducing the
manual effort required.
3. TCP/IP and Network Communication:
• The TCP/IP protocol suite governs how data is transmitted across the internet
and local networks. For network forensics, understanding TCP/IP helps
reconstruct fragmented packets (due to TCP segmentation) and investigate
communication over protocols such as HTTP, HTTPS, FTP, SMTP, and more.
• TCP/IP operates in layers:
o Transport Layer (TCP/UDP): Provides end-to-end data transmission between
ports (reliable, ordered delivery in the case of TCP; connectionless in the case of UDP).
o Internet Layer (IP): Handles the addressing and routing of packets
between devices.
o Application Layer (HTTP, FTP): Supports the data that end-users
interact with, like web pages or emails.
4. OSI Model:
• The OSI (Open Systems Interconnection) model is a theoretical framework used
to understand networking. It divides networking functions into seven layers,
each responsible for a specific task, such as physical data transmission (Layer 1)
or application interaction (Layer 7).
• Network Miner operates mainly with the upper layers:
o Layer 3 (Network Layer): Analyzes IP addresses and routing.
o Layer 4 (Transport Layer): Focuses on ports and session management.
o Layer 7 (Application Layer): Examines protocols like HTTP, FTP, and
reconstructs user data.
5. Data Extraction:
• A key function of Network Miner is to extract files, images, credentials, and
other artifacts from captured network traffic. This allows forensic investigators
to retrieve documents, photos, or even malware samples transferred over a
network during an attack.


• The tool can also parse out sensitive information such as usernames and
passwords that might have been transmitted in plaintext, helping in credential
recovery and assessing network vulnerabilities.
6. Session Reconstruction:
• Network Miner helps rebuild entire sessions, which include a series of packets
exchanged between two endpoints (e.g., a client and a server). This allows
investigators to view web browsing activities, email exchanges, or chat
communications that took place on the network.
• Session reconstruction is crucial for investigating user behavior, tracing
unauthorized access, or determining the exfiltration of sensitive data.
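The packet capture, data extraction and session reconstruction steps described in items 2, 5 and 6 can be seen end to end in the added example below. It is not part of the original report or of Network Miner: a small stdlib-only libpcap reader that identifies hosts, groups payloads per TCP flow, and flags FTP USER/PASS commands sent in clear text. The capture it parses is constructed inline and modelled on Case 4 below; the FTP server address 198.51.100.7 is a placeholder, not a value from the report.

```python
import struct
def _frame(src, dst, sport, dport, payload):   # constructed Ethernet/IPv4/TCP frame; checksums left zero
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip        # zeroed MACs, EtherType 0x0800 = IPv4

def build_pcap(frames):   # libpcap file: 24-byte global header (link type 1 = Ethernet) + 16-byte record headers
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

# Constructed sample capture modelled on Case 4: the victim logs in to an FTP server at a placeholder address.
SAMPLE_PCAP = build_pcap([
    _frame("192.168.100.28", "198.51.100.7", 40001, 21, b"USER bobzz\r\n"),
    _frame("198.51.100.7", "192.168.100.28", 21, 40001, b"331 Password required for bobzz\r\n"),
    _frame("192.168.100.28", "198.51.100.7", 40001, 21, b"PASS joka\r\n"),
])

def packets(data):
    """Yield (src, dst, sport, dport, payload) for every IPv4/TCP packet in a libpcap file."""
    end = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"   # pcap magic gives byte order
    pos = 24
    while pos + 16 <= len(data):
        caplen = struct.unpack(end + "IIII", data[pos:pos + 16])[2]
        frame, pos = data[pos + 16:pos + 16 + caplen], pos + 16 + caplen
        ip = frame[14:]
        if frame[12:14] != b"\x08\x00" or ip[9] != 6:   # skip non-IPv4 frames and non-TCP packets
            continue
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        yield src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]   # data offset skips TCP options

def hosts(data):   # host/IP identification: every address seen as sender or receiver
    return {a for p in packets(data) for a in p[:2]}
def sessions(data):   # session reconstruction: payloads grouped per bidirectional flow, in capture order
    flows = {}
    for src, dst, sport, dport, payload in packets(data):
        if payload:
            flows.setdefault(tuple(sorted([(src, sport), (dst, dport)])), []).append((src, payload))
    return flows

def ftp_credentials(data):   # credential discovery: USER/PASS commands sent in clear text to TCP/21
    return [(src, dst, line[:4], line[5:]) for src, dst, _, dport, payload in packets(data)
            if dport == 21 for line in payload.decode("ascii", "replace").splitlines()
            if line[:5] in ("USER ", "PASS ")]
```

Feeding a real capture through `packets()` only requires `open(path, "rb").read()` in place of `SAMPLE_PCAP`; the same flow key is what lets an analyst read a whole login exchange in order rather than packet by packet.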
7. Malware Analysis:
• Network Miner can identify and extract files transferred across a network,
including malware. By inspecting the payloads of network packets, it can detect
signatures of malicious files or abnormal traffic patterns that indicate a network
compromise.
• The ability to extract and analyze these files helps forensic experts reverse-engineer
malware and understand how it propagated through the network.
8. Digital Evidence Collection and Legal Compliance:
• The goal of network forensics is to gather legally admissible evidence. This
includes extracting and preserving data in a forensically sound manner. The
metadata and timestamps of network traffic, session logs, and extracted files are
often crucial in building a timeline of events for investigations.
• Tools like Network Miner assist in this process by presenting the data in a
structured and easy-to-understand format, making it suitable for legal
proceedings or internal investigations.
9. Passive Network Monitoring:
• Unlike active monitoring tools that probe the network and might interfere with
traffic, Network Miner is a passive tool, meaning it only analyzes captured
network data without interacting with live network traffic. This reduces the risk
of alerting attackers or affecting network performance during the investigation.


10. Encryption and Its Challenges:
• One challenge in modern network forensics is dealing with encrypted traffic,
such as HTTPS (SSL/TLS) sessions. Network Miner can analyze some
metadata in encrypted sessions (like source/destination IPs and port numbers),
but the actual payload (e.g., web page content) is hidden by encryption.
• In such cases, additional techniques such as SSL/TLS decryption, access to
private keys, or man-in-the-middle setups may be necessary to investigate fully
encrypted traffic.


Implementation details:
Case 1:

An employee, Ann Dercover, is suspected of being a secret agent working for the
competitor. An unexpected laptop briefly appeared on the company wireless network.
Staff hypothesize it may have been someone in the parking lot, because no strangers
were seen in the building. Ann's computer used AOL Instant Messenger (using the
OSCAR protocol) to send messages over the wireless network to this computer.

• What IP address did Ann's computer have?

- Ann's computer has the IP address 192.168.1.158.

• What IP address did the stranger's computer have?

- The stranger's computer has the IP address 192.168.1.159.

• What operating system did the stranger's computer have?

- The stranger's computer runs Windows.


• What is the brand of the stranger's computer, if you trust the MAC address of his
wireless network card?

- The stranger's computer brand is Dell.

• What is the filename of the file sent over IM to the wireless laptop?

- The file sent over IM to the wireless laptop is named recipe[1].docx.

• What type of information did the sent file contain?

- The sent file contained text.


• What AOL messenger username does Ann's contact use?

- Ann's contact uses the username Sec558user1.

• Where do Ann and the external party plan to meet?

- Ann and the external party plan to meet in Hawaii.


Case 2:

After being released on bail, Ann Dercover disappears! Fortunately, investigators
were carefully monitoring her network activity before she skipped town. "We believe
Ann may have communicated with her secret lover, Mr. X, before she left," says the
police chief. "The packet capture may contain clues to her whereabouts."

• What is Ann's email address?

- Ann's email address is [email protected]

• What is the email address of Ann's secret lover?

- Ann's secret lover's email address is [email protected]

• What is Ann's email password?

- Ann's email password is 558r00lz

• What two items did Ann tell her secret lover to bring?

- Ann told her secret lover to bring a fake passport and a bathing suit.


• Where do Ann and her secret lover plan to meet up?


Case 3:

An employee named Steve Vogon is suspected of having illegal contacts with external
parties. Steve is believed to have used his personal Linux laptop on the corporate
network for his suspicious activity.

• What IP address and hostname does Steve Vogon's Linux computer have?

- The IP address of the system is 192.168.151.130 and the hostname is goldfinger.

• What evidence do you have to assume that this computer is running Linux?

- The operating system of the system is Linux, as fingerprinted by Network Miner:
p0f (NetSA): Linux 2.6 (older, 6) (possibly Mandriva 2010.x, Ubuntu 7.x) [Linux] (100.00%)


• What Google searches did Steve Vogon perform?

- The Google searches by Steve were "Overseas credit card payment" and "hurricane".

• What message did the email contain that Steve Vogon sent from his Gmail account?

- The message sent by Steve is: Hello,<br><br>Can you please tell me what the
minimum balance requirement is for opening an overseas account at your
bank?<br><br>Thank you,<br><br>Steve K. Vogon<br><br>

• How did Steve find the email address to which he sent his email?

- Steve found the email address on the web page index.jsp.88CACD90.html.


• One web page opened by Steve contains a map, what region does the map
show?


Case 4:

An old Sun Solaris machine (192.168.100.28), called "the victim machine", was hacked
through a vulnerability in the CDE Subprocess Control Service on TCP port 6112.

• What IP address did the attack come from?

- The attacker's IP address is 61.219.90.180.

• After compromise, what files did the attacker download to the compromised victim
machine using FTP?

- ipv6sun
- dlp
- 111085-02.zip
- Solbnc
- Wget

• What usernames and passwords did the attacker use for his FTP connections from
the victim machine?

- Username: bobzz
  Password: joka

- Username: anonymous
  Password: [email protected]


• Why did the attacker run FTP rather than HTTP to perform his initial downloads?

- The compromised machine does not have an HTTP client.

• What file was later on downloaded using the HTTP protocol?

- The file sol.tar.gz.x-tar was downloaded using the HTTP protocol.

• What web server brand is this HTTP server running?

- The HTTP server is running Apache (version 1.3.26).

• What is the full DNS name of the IRC server to which the victim machine connected?

- irc.stealth.net is the DNS name of the IRC server to which the victim machine connected.


• What nickname is the attacker using when connecting the victim machine to the IRC
server?

- Dj`bobz is the nickname the attacker used when connecting the victim machine to
the IRC server.


Conclusion:

Network Miner is a crucial tool in network forensics, enabling investigators to
passively analyze captured traffic, extract files, and reconstruct communication
sessions to trace malicious activities or gather digital evidence. Its ability to
identify hosts, recover credentials, and analyze unencrypted data makes it highly
effective in investigating security incidents without interfering with live network
traffic. While it faces challenges with encrypted data, Network Miner still offers
valuable insights and supports efficient digital evidence collection, making it an
essential asset in forensic investigations.

Date: Signature of faculty in-charge
