Data Transmission Basics for Digital Investigations
2 Objectives Understand the OSI and TCP models Understand the basics of how data is transmitted on networks
3 OSI Model Standard was needed for companies to communicate with each other via their computer systems OSI model released in 1984 Created by the International Organization for Standardization (ISO) OSI model breaks down complexity of data communications into a simple layered approach
4 OSI Model (Cont.) Advantages of layered approach: Different hardware/software vendors have a standard to follow for designing products Collaboration between companies to develop network components is easier Changes in one layer are not carried over into other layers Network design is broken down into smaller, more manageable parts Problem resolution is easier because problems are usually confined to a single layer
5 OSI Model (Cont.) Layer 7: Application layer provides services to applications such as or Internet browsers Allows access to network services that support applications Handles network access, flow control, and error recovery Layer 6: Presentation layer ensures the data formats from the application layer of one computer can be read by the application layer of another computer Converts all formats into a common uniform format Protocol conversion Encryption/decryption
6 OSI Model (Cont.) Layer 5: Session layer provides services to the presentation layer by creating a communication link between two hosts Establishes identification to exclude non-communicating hosts Establishes checkpoints Manages data transmit times and length Layer 4: Transport layer segments data and prepare these segments for transport across a network. Also reassembles those segments on the receiving side. Regulates flow control Uses acknowledgements Enables error handling
7 OSI Model (Cont.) Layer 3: Network layer functions (Connectivity and path selection between two hosts on a network) Logical addressing (IP addressing) Translating logical addresses to physical addressing Packet switching Routing
8 OSI Model (Cont.) Layer 2: Data link layer functions (physical addressing across a network) Conversion of packets into raw bits Error correction Flow control Layer 1: Physical layer functions (physical connectivity issue in a network) Defines hardware standards Transmits raw data over different mediums Defines protocols on how to transmit raw data over different mediums
9 OSI Model (Cont.) Data flow in the OSI model Protocols that function at each layer on Host A communicate with the corresponding layer on Host B Protocol data units (PDUs) are used to include header information on the packet being sent from host to host Each layer depends on the layer below it for services, and each layer above adds PDUs via encapsulation
10 higher level protocols lower level protocols or network services higher level protocols lower level protocols or network services Physical Layer Data Link Layer Network Layer Transport Layer Session Layer Presentation Layer Application Layer END USER AEND USER B Physical Layer Data Link Layer Network Layer Transport Layer Session Layer Presentation Layer Application Layer PHYSICAL MEDIUM End user functions Network functions OSI Reference Model
11 TCP/IP Model Also called the Internet Protocol Suite Set the communications protocols for the Internet and other similar networks. TCP – Transmission Control ProtocolTransmission Control Protocol IP – Internet ProtocolInternet Protocol De facto standard for communications Direct result of the Department of Defense efforts to require a protocol that could survive wartime situations and still communicate with other hosts via different communication mediums Has only four (five) layers as compared to seven layers of OSI model
TCP/IP vs. OSI Model
13 TCP/IP Model (Cont.) How data transports in the network Switching networks Packet switching Circuit switching
Typical Scenario We have a source machine A We have a destination machine B A has some application specific data stored as a file. An example might be a web page stored as an html file on a web server. The user on machine B launches a web browser (Application layer) and types in the URL to the web page on machine A and hits GO!
Typical Scenario cont. (APPLICATION LAYER) An http request (Application Layer) with URL is generated by the browser and sent down the stack to the Transport layer. (TCP LAYER) The transport layer “wraps” the application layer data with TCP headers. TCP header provides information for end-to-end service, such as end host port numbers, Sequence number and Acknowledgement Number for tracking and delivery confirmation.
Typical Scenario cont. (IP LAYER) Once the Transport layer has added its headers, it transfers the growing set of data to the IP Layer. The Network layer wraps the TCP segment with IP headers. IP headers give the receiving counterpart information on source and destination IP addresses, next layer protocol, fragmentation information, etc.
Typical Scenario cont. (DATA LINK LAYER) Once the IP Layer has added its headers, it transfers the still growing set of data to the Data Link layer. The Data Link Layer wraps the IP packet with frame header. The frame header is just more bytes of data that specifies source and destination physical MAC addresses of the current hop (the whole path may contain multiple hops). Run “tracert” in Windows.
Typical Scenario cont. (PHYSICAL LAYER) A completed Frame ready to be placed on the wire and sent to its destination. The wire is the physical layer and it accommodates the physical transfer of the frame to its destination.
Network Devices 21
Network Interface Card
Also known as NIC, network card or network adapter Works in OSI Layers 1 and 2 Has a unique MAC (Media Access Control) or physical address (12-digit hexadecimal) ipconfig/all in Windows Command Prompt Connects to other network devices, e.g. routers or switches, via network cables or wireless connections
Network Cables
Category 5 cable CAT-5 twisted pair cables are mostly used for 100 mbps 4 pairs (8)of twisted wires are connected to the 8 pins of a RJ-45 plug Each pair of wires has specific functions, such as sending and receiving data signal Crossover cables are good for direct communication between two computers or same type of devices. Crossover cables Needs n(n-1)/2 cables for n computers (too many cables!)
Network Hubs
Work in Layer 1 (Physical Layer) Not capable of making use of MAC or IP addresses Same as connecting all wires together Broadcast every single bit onto all the links Have NO Media Access Control Can cause traffic conflicts from different computers; performance degrades when more computers are connected Not very fast speed, e.g. 10mbps ~ 100mbps
Network Switches
Mainly work in Layer 2 (Data Link Layer) Make use of MAC addresses Have Media Access Control Do not look into traffic type or other details like routers do Not capable of making use of IP addresses Support high data rate, e.g. 100 mbps or 1 Gbps Good for high speed communications among computers in a LAN
Routers
Also called Layer 3 switches Work in Layer 3 (Network Layer) Make use of IP addresses Decide a path in the networks for data Interconnect separate logical networks, often different types of networks Not as fast as switches, e.g., 100mbps
32 Data Network Types Local Area Network A network configuration designed for a limited space or geographic area such as a series of offices in the same building Two common types of LANs are the campus area network (CAN) and the metropolitan area network (MAN) Wide Area Network A group of smaller LANs connected logically or physically WANs can combine other subnetworks such as intranets, extranets, and virtual private networks (VPNs) to provide enhanced network capabilities
33 Data Network Types cont. Internet The Internet is an interconnection of different-sized networks (LANs) around the world Intranet An intranet is a local or wide area network based on TCP/IP, but with firewalls that limit the network’s access to the Internet An intranet is more secure than the Internet because it has a restricted user community and local control Extranet An extranet is an intranet that allows select users outside of the firewalls to access the site
34 Firewalls Firewalls typically run monitoring software to detect and thwart external attacks on the site and protect the internal corporate network Firewalls are an essential device for network security Many of the architectures needed for security rely on one or more firewalls within an intelligent design
35 Firewalls cont. Application-Level Gateway Firewall Allows the network administrator to implement stricter security policies than packet-filtering routers can manage Requires special-purpose code (a proxy service) for each desired application The proxy code can be configured to support only acceptable features of an application Users are permitted access to the proxy services, but may not log in to the application-level gateway itself Application-level gateways allow information to flow between systems but do not allow the direct exchange of data
36 Firewalls cont. Benefits of Application-Level Gateways The network manager has complete control over each service and permitted services It has the ability to support strong user authentication and provide detailed logging information The filtering rules are much easier to configure and test
37 Firewalls cont. Limitations of Application-Level Gateways It requires either that users modify their behavior or that specialized software be installed on each system that accesses proxy services
38 Summary OSI model standardized the method of transmitting data on a network using a seven- layer approach Application, presentation, session, transport, network, data link, and physical
39 Summary (Cont.) TCP/IP model consists of four layers: Application, transport, Internet, network interface De facto standard on the Internet Two address schemes are used to transmit data across networks Logical addressing Physical addressing