Chapter 11: Networking Basics
ⓘ This audio and summary are simplified educational interpretations and are not a substitute for the original text.
The Open Systems Interconnection Model and the TCP/IP Model serve as the primary lenses through which network functionality is examined, with detailed explanation of how each layer contributes to data transmission and reception across networks. The OSI Model's seven layers, spanning from physical signal transmission through application-level protocols, are mapped to the TCP/IP Model's more practical four-layer structure, giving investigators a complete picture of where evidence might exist within network systems.

Internet Protocol addressing represents a critical competency for forensic work, distinguishing between IPv4 and IPv6 address schemes and differentiating public addresses from private ranges used within organizations. Network Address Translation emerges as a particularly important concept for forensic analysis, as it allows multiple devices to share a single public identity, complicating the attribution of network activity to specific machines. Subnetting and CIDR notation enable efficient IP space management and help investigators understand network segmentation within organizations.

The chapter examines physical and logical network infrastructure including routers, switches, firewalls, and gateways, explaining how each device processes and forwards traffic. Port numbers function as critical identifiers directing traffic to specific applications, while fundamental protocols like Address Resolution Protocol enable the resolution of IP addresses to physical hardware addresses. Internet Control Message Protocol supports diagnostic operations such as ping commands used in network troubleshooting.

Application-layer protocols including HTTP, HTTPS, FTP, SSH, DNS, and DHCP are explored for their forensic significance, as each leaves traces of network activity and user behavior. Understanding TCP handshake mechanisms and connectionless UDP communication provides investigators with insight into how different applications establish and maintain network sessions, ultimately revealing the digital footprints left by network-based criminal activity.
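The NAT attribution problem and the use of CIDR segments described above can be shown with a short added example, which is not taken from the chapter: it resolves a public address, port and timestamp seen by an outside server back to the internal host that held that NAT mapping. The log format, segment names and all addresses are constructed for illustration.

```python
import ipaddress
from datetime import datetime

# RFC 1918 private ranges in CIDR notation.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed segment plan (hypothetical names).
SEGMENTS = {"192.168.10.0/24": "staff", "192.168.20.0/24": "guest-wifi"}

# Constructed NAT translation log (hypothetical format):
# start end internal_ip internal_port public_ip public_port
NAT_LOG = """\
2024-03-01T10:00:05 2024-03-01T10:02:10 192.168.10.23 51514 203.0.113.7 40001
2024-03-01T10:01:00 2024-03-01T10:01:45 192.168.20.8 49822 203.0.113.7 40002
2024-03-01T10:03:00 2024-03-01T10:04:30 192.168.20.8 49830 203.0.113.7 40001
"""

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def segment_of(ip):
    # Map an internal address to its named segment by CIDR membership.
    addr = ipaddress.ip_address(ip)
    for cidr, name in SEGMENTS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "unknown"

def parse_nat_log(text):
    rows = []
    for line in text.strip().splitlines():
        start, end, in_ip, in_port, pub_ip, pub_port = line.split()
        rows.append((datetime.fromisoformat(start), datetime.fromisoformat(end),
                     in_ip, int(in_port), pub_ip, int(pub_port)))
    return rows

def attribute(rows, pub_ip, pub_port, when):
    # The public IP alone is shared; port and time select one mapping.
    if is_rfc1918(pub_ip):
        raise ValueError("expected the public (post-NAT) address")
    ts = datetime.fromisoformat(when)
    return [(in_ip, in_port, segment_of(in_ip))
            for start, end, in_ip, in_port, p_ip, p_port in rows
            if (p_ip, p_port) == (pub_ip, pub_port) and start <= ts <= end]

if __name__ == "__main__":
    rows = parse_nat_log(NAT_LOG)
    for when in ("2024-03-01T10:01:30", "2024-03-01T10:03:30"):
        print(when, attribute(rows, "203.0.113.7", 40001, when))
```

The same public address and port resolve to two different internal hosts a few minutes apart, which is why the source port and an accurate timestamp both matter when requesting or reading NAT logs.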