Chapter 23 — Exercises
Thirty problems in seven groups (A–G), mixing concept checks, hands-on labs (decode a PCAP header by hand, analyze a capture, compute a beacon score and a label's entropy, build and fuse the network timeline, write a findings paragraph, hash a capture), and judgment questions. Hands-on labs assume a practice capture and the Wireshark /
tshark/ Zeek / Suricata toolset from Appendix J — Practice Images and Lab Setup. (answer in Appendix) = worked solution in Answers to Selected. ⭐ = stretch. Treat every PCAP as acquired evidence: hash it the moment you receive it and analyze a copy — the capture file is the original, and the second theme (the original is sacred) applies to it exactly as it does to a disk image.
Group A — The wire forgets (the network evidence model)
23.1 This chapter inverts the book's founding theme. (a) State the founding theme and explain, in two or three sentences, why it does not hold on the network. (b) What is the default state of network evidence, and what is the single decision that most determines whether any evidence exists at all — and when is that decision made relative to the incident? (c) Connect your answer to the order of volatility from Chapter 15 — Live Response and Triage: where does network state sit, and why can you never "image the past" of a link nobody was watching? (answer in Appendix)
23.2 Reproduce the network-evidence map from memory, ordering the sources from richest-but-rarest to leanest-but-longest-retained: full packet capture, IDS/IPS alerts, Zeek logs, proxy logs, DNS logs, firewall logs, NetFlow/IPFIX. For each, name in one phrase what it gives you and roughly how long it survives. Then state the investigative strategy the ordering implies — which end of the list you start from to find an event in time, and which end you pivot to in order to characterize it.
23.3 ⭐ "The absence of a record is not necessarily the absence of an event." (a) Restate this as the difference between the absence of a sensor and the absence of activity. (b) Give a concrete example in which writing "no exfiltration occurred" would be an error, and write the defensible sentence you would use instead. (c) Tie the principle to Locard's exchange principle expressed in packets — every contact leaves a trace — and explain why both statements can be true at once without contradiction.
23.4 A single HTTPS file upload travels from a workstation to a personal cloud account. (a) List every independent system that could witness it and leave a durable record (aim for at least six). For each, mark whether it records content or only metadata, and circle the one source on your list that could let you reconstruct the actual bytes that moved — and state the condition under which even that one cannot. (b) Now rank your six sources by likely retention, and explain why the source that can prove the most (content) is usually the one that survives the least time — the tension that shapes the order in which you work an investigation.
Group B — Capturing correctly (tcpdump, the PCAP format, filters, custody)
23.5 Build the minimum viable forensic capture command with tcpdump for interface eth0, writing to cap.pcap. State every flag you include and justify it in one clause. Your answer must address all three "field facts" from the chapter: the snapshot length, name resolution during capture, and file rotation for a long run. Then give the one-line dumpcap equivalent for a multi-day, high-rate capture and explain why dumpcap is the better engine for that job. (answer in Appendix)
23.6 The snaplen trap. (a) Define the snapshot length and explain what physically happens to each packet's payload when it is set too small. (b) For each captured packet below, state whether the application data is intact or amputated, and how you know:
packet incl_len orig_len
P1 74 74
P2 96 1514
P3 1514 1514
P4 68 590
(c) Your client asks you to "just re-capture the truncated traffic." Explain, in one sentence grounded in this chapter's central idea, why that request usually cannot be honored.
23.7 ⭐ Lab — decode a capture header by hand. A file begins with these bytes. Work entirely from the hex; do not open a tool until you have an answer to check against.
00000000 D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00
00000010 00 00 04 00 01 00 00 00 C0 A5 7E 66 20 A1 07 00
00000020 4A 00 00 00 4A 00 00 00 ...
(a) From the first four bytes, name the format, the host byte order, and the timestamp resolution. (b) Give the file-format version and the decimal snaplen — and say whether this capture truncates packets. (c) Give the linktype number and what it means. (d) The 16-byte record header begins at offset 0x18: assemble ts_sec, convert it to a UTC date and time, decode ts_usec to microseconds, and compare incl_len to orig_len to confirm the first packet is whole. (answer in Appendix)
23.8 Identify each capture file from its first four bytes on disk, and state precisely what they tell you:
(a) A1 B2 C3 D4 (c) 0A 0D 0D 0A
(b) D4 C3 B2 A1 (d) 4D 3C B2 A1
For (c), name the block type those bytes open and the next field you would read to recover the byte order. These magic numbers also live in Appendix A — File Signatures Reference; explain why an examiner should be able to recognize a capture from its header even when the file extension is wrong or missing.
23.9 Capture filters versus display filters — the distinction with forensic consequences. (a) Name the two filter languages, the time each is applied, and which one discards non-matching packets versus which only hides them. (b) Convert each capture (BPF) filter to the equivalent Wireshark display filter: host 10.20.4.51 · tcp port 443 · udp port 53. (c) State the forensic rule that follows from theme #2 about which filter to prefer when you have the authority and the storage, and explain the one situation in which a narrow capture filter is nonetheless the correct (and lawful) choice.
23.10 Lab — acquire and authenticate a capture. You are handed cap.pcap. (a) Run capinfos -H cap.pcap and record the SHA-256, the packet count, and the capture duration. (b) List the seven facts you must enter on the chain-of-custody worksheet for a packet capture (think: host and clock, how the traffic was fed to the sensor, times, snaplen, filter, hash) — templates are in Appendix F — Chain of Custody and Report Templates. (c) A capture filter was applied during acquisition. Why must that be disclosed in the custody record, and what is it, in evidentiary terms, that a filter represents? (d) PCAPNG can carry an operator-comment block inside the file itself. Give one advantage and one risk of embedding a chain-of-custody note directly in the evidence file rather than only in a separate worksheet.
Group C — Full capture versus flow (the storage tradeoff)
23.11 Do the arithmetic that explains why nobody keeps full capture for long. (a) A 1 Gbps link is fully saturated. Show that this is 125 MB/s, and compute the full-capture volume per hour and per day. (b) At a realistic 10 percent average utilization, how much PCAP does that one link generate per day? (c) A rolling buffer holds 50 TB. At 10 percent utilization, how many days of full capture does it retain — and how does that compare to the months a flow collector keeps for the same link? Explain in one sentence why the ratio is so extreme. (answer in Appendix)
23.12 A NetFlow/IPFIX flow record. (a) List the five fields of the canonical 5-tuple plus three other fields a flow record carries. (b) State plainly the one category of information a flow record can never contain, and name the IETF standard that defines IPFIX. (c) Sampled flow (sFlow, or 1-in-1000 NetFlow) introduces a specific blind spot — name it, and the kind of exfiltration it will systematically miss.
23.13 ⭐ A junior analyst writes: "NetFlow shows 2.1 GB sent from 10.20.4.51 to a Dropbox IP at 3 a.m.; therefore the stolen CAD files were uploaded." (a) Identify exactly what the flow record does support and the two distinct over-claims in that sentence (one about content, one about attribution). (b) Rewrite it as a defensible finding. (c) Name the richer source you would pull to begin closing the content gap, and the source you would pull to begin closing the attribution gap.
Group D — Reading a PCAP (Wireshark and tshark)
23.14 Write the Wireshark display filter for each question. (a) all traffic to or from 10.20.4.51; (b) connection attempts only (SYN without ACK); (c) HTTP uploads (POST requests); (d) DNS TXT queries (a tunneling tell); (e) the TLS server name (SNI) field; (f) everything in TCP stream number 7. Then explain why filters (e) and (f) survive encryption — what each reveals about a session whose payload you cannot read. (answer in Appendix)
23.15 You must answer: which internal host pushed the most data to an external destination, and over which conversation? (a) Name the Wireshark Statistics view that ranks host pairs by bytes in each direction, and the specific column relationship you scan for. (b) Why is upload (outbound ≫ inbound) the opposite of the byte ratio you expect from ordinary web browsing? (c) Having found the conversation, which two Follow → … Stream options would you use to read it if it were (i) cleartext HTTP and (ii) TLS — and what do you get from the TLS case without the session keys? (d) A different Statistics view exposes DNS tunneling as a suspicious bulge in the protocol mix; name that view and explain what the bulge represents.
23.16 Lab — carve a file from the wire, then wear both hats. On a practice HTTP capture, run tshark -r cap.pcap --export-objects http,./out/ and hash every reconstructed object. (a) Verify one carved file by comparing its SHA-256 to a known original. (b) Explain how this operation is file carving (from Chapter 7 — File Carving) applied to a byte stream rather than a byte device. (c) State the same reconstructed object's meaning for a 💾 recovery technician versus a 🔍 forensic examiner — one sentence each — to capture the chapter's dual lens.
23.17 ⭐ Lab — packets into evidence at scale. Using tshark -T fields, flatten cap.pcap to a CSV with columns frame.time_epoch, ip.src, ip.dst, tcp.dstport, frame.len. Then, in pandas (illustrative — never executed), write the steps to (a) keep only internal→external traffic using ipaddress.ip_address(...).is_private; (b) sum frame.len per (ip.src, ip.dst) pair and sort descending; (c) bucket by UTC hour and surface transfers in the 00:00–06:00 window. State the one row of output that would be "the suspect's fingerprints," and why it still does not prove what moved. A hardened version lives in Appendix B — Python Forensics Toolkit.
Group E — DNS: the protocol that narrates the investigation
23.18 Beaconing. Two hosts each query one external domain repeatedly; the inter-arrival gaps (seconds) are:
Host X: 60, 60, 61, 59, 60, 60
Host Y: 12, 240, 5, 1830, 47, 600
(a) Compute the mean, population standard deviation, and coefficient of variation for Host X, showing your work. (b) Without full computation, argue from the spread which host is the C2 beacon and which is human browsing, and state the rule (low CV + high count) in one line. (c) Why is a metronome-steady interval something no human produces, and why does that make beaconing detectable even when the destination is otherwise unremarkable? (answer in Appendix)
23.19 DGA. (a) Compute the Shannon entropy (bits/character) of aaaa and of abcd, showing the formula H = -Σ p·log₂p. (b) Given that google scores ~2.6 and kq3v9zxr1p7m ~3.6 bits/char, explain why high entropy flags a domain as algorithmically generated but is not, by itself, sufficient. (c) Name the second DNS signature that, combined with high entropy, makes a DGA diagnosis nearly unambiguous — and the exact response code (rcode) that signature produces. (d) Beyond entropy and failed resolutions, name one volume/diversity metric per host (think: distinct second-level domains queried per minute) that strengthens the call, and explain why a single high-entropy lookup should never trigger an alert on its own.
23.20 DNS tunneling. A host sends thousands of queries like M3J2HGQZ1A7K…W9.tunnel.example-c2.net of type TXT. (a) List four signatures that distinguish tunneling from normal DNS (think: name length, record type, query volume to one domain, label entropy). (b) Why is DNS a favored covert channel even on tightly firewalled networks? (c) Where in Wireshark's Statistics → Protocol Hierarchy would tunneling betray itself, and what does that bulge represent?
23.21 ⭐ The encrypted-DNS blind spot. (a) Explain how DoH and DoT each blind the plaintext DNS analysis in this group, including the port and transport each uses. (b) When a host resolves via DoH, what exactly goes dark in your evidence, and what does the DNS log show instead? (c) Name three pivots that still work after DNS goes dark, and connect the whole answer to theme #4 (technology changes, principles don't): which part is the changing tool, and which part is the unchanged method?
Group F — Logs, IDS/IPS, and Zeek
23.22 Read this Squid proxy log line aloud, field by field:
1719545647.231 2891088 10.20.4.51 TCP_TUNNEL/200 2147500032 CONNECT www.dropbox.com:443 jrivera HIER_DIRECT/162.125.248.18 -
(a) Identify the authenticated user, the source workstation, the destination host and port, the HTTP method, and the bytes transferred. (b) The connection is HTTPS — state precisely what the proxy could not see, and what it nonetheless recorded that ties the activity to a named person. (c) Why is proxy-log attribution to a username stronger than "workstation 10.20.4.51 did it," and what is the one thing it still does not establish on its own? (answer in Appendix)
23.23 An IDS alert is a lead, not a finding. (a) Explain why Snort/Suricata signatures both false-positive and false-negative, and why an alert therefore cannot stand alone in a report. (b) Given a Suricata eve.json alert (signature_id 2014726, "Offsite File Backup in Use," on a flow to 162.125.248.18:443), name the three other independent sources you would consult to corroborate it before writing a conclusion. (c) Contrast two courtroom sentences — one that gets dismantled on cross and one that survives — to show what corroboration buys you (Chapter 27 — Expert Testimony).
23.24 Interpret this Zeek conn.log row:
ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state history
1719545647.231 CwXmn21H8aT 10.20.4.51 51344 162.125.248.18 443 tcp ssl 2891.09 2147483648 18422 SF ShADadDfF
(a) Compute the orig_bytes-to-resp_bytes ratio and state what the asymmetry means about direction of transfer. (b) Decode the history string ShADadDfF letter by letter (which case is the originator, what each of S/h/A/a/D/d/F/f means) and say in one sentence what the connection did. (c) What does conn_state SF indicate? (d) Why does Zeek's service field (ssl) matter independently of the port (443) — what evasion does comparing the two expose? (answer in Appendix)
23.25 ⭐ The Zeek uid is the examiner's join key. (a) For connection uid CwXmn21H8aT, state what additional fact each of these logs contributes about the same connection: dns.log, ssl.log, files.log, conn.log, http.log. (b) Explain why pivoting on the uid "assembles the whole story of one connection across protocols," and why that is more defensible than reasoning from any single log in isolation. (c) If a transferred file appears in files.log with a SHA-256, name two distinct investigative uses of that hash — one that works even though the file was never saved to any disk you hold, and one that links the same file to a known case exhibit.
23.26 Firewall logs are flow with a verdict. (a) What does a firewall log line add beyond a bare flow record? (b) You see a burst of denied outbound connections from one internal host to many external IPs on an unusual port, repeating every few minutes. Give the two competing hypotheses and the next source you would check to decide between them. (c) Explain how the absence of an expected deny entry can itself be a finding — what it confirms about a path.
Group G — Exfiltration, the timeline, judgment, and the progressive project
23.27 The exfiltration signal stack. From the facts below, list which exfiltration signals are present, name the source that would carry each, and then state the one sentence about proof that the whole group rests on:
- A workstation sent 2.0 GiB and received 18 KB from an external IP in one session.
- The session began at 03:14 on a Saturday.
- The destination was www.dropbox.com (a sanctioned, allow-listed service).
- A Suricata signature fired on the flow.
- The proxy attributed the session to user jrivera.
Which single signal, if any, is "proof" on its own — and what makes the combination a finding where no element is? Finally, name the one signal in this stack that a sophisticated adversary can most easily defeat (think of the deliberately allow-listed destination), and explain why that does not weaken the stack as a whole. (answer in Appendix)
23.28 ⭐ Lab — build and fuse the timeline (UTC). Assemble these events into one sourced, chronological timeline, every entry in UTC, with the source named in brackets:
Opened TurbineHousing_v7.sldprt from E: (USB) Fri 19:04 [DISK: LNK/Jump List, Ch.16]
DNS A query www.dropbox.com -> 162.125.248.18 Fri 19:18 [NET: dns.log]
TLS Client Hello, SNI www.dropbox.com Fri 19:19 [NET: ssl.log]
Proxy CONNECT www.dropbox.com:443, user jrivera,
2,147,500,032 bytes uploaded Sat 03:14 [NET: proxy access.log]
Zeek conn.log: orig 2.0 GiB / resp 18 KB, SF Sat 03:14 [NET: conn.log, same uid]
IDS alert sid 2014726 Sat 03:14 [NET: Suricata eve.json]
File sent to Recycle Bin Sat 09:12 [DISK: $I metadata, Ch.16]
CCleaner run #3 (wipe free space) Sat 09:14 [DISK: Prefetch, Ch.16]
(a) Which lines were recorded by infrastructure the suspect never controlled, and why does that matter? (b) The war story in the chapter turned on a 47-second NTP drift on the proxy that made the upload appear to precede the file-open. Explain how you would detect and document such skew, and why "the clock is evidence too." (c) Flag every line whose limit you must state in the report (content-unknown-because-encrypted; IP-not-person; coverage gaps).
23.29 ⭐ Counsel wants you to write "the engineer stole the turbine-housing design and sent it to Dropbox." Your network evidence: flow + Zeek showing a 2.1 GB outbound TLS session; a proxy line attributing it to user jrivera; a DNS query and SNI naming www.dropbox.com; a fired IDS signature. You have no session keys, so you never read the encrypted content. (a) What can you ethically and defensibly assert? (b) Separate the finding, the inference, and the legal conclusion into three boxes, and say which box "stole" belongs in and why it is not yours to assert. (c) Address the attribution wall explicitly: what would have to be true for the IP→person link to be sound, and how does the authenticated proxy username change (and not change) that analysis? (answer in Appendix)
23.30 Progressive project — the network-evidence layer. Add this chapter's evidence to your Forensic Case File (begun in Chapter 5 — The Forensic Process). Your package includes a PCAP plus exported proxy, DNS, and flow logs (Appendix J). (1) Acquire and authenticate: hash the PCAP with capinfos -H, record it in your chain-of-custody worksheet, note the snaplen and whether any packets are truncated, and work only on a copy. (2) Generate structured logs: run the capture through Zeek (zeek -r cap.pcap) and Suricata (suricata -r cap.pcap); hash and log each output. (3) Hunt the exfiltration: using tshark/zeek-cut and the Python sketches from this chapter, answer four questions and cite the exact source (log + field) behind each — which internal host sent the most outbound data and how much; what the destination was (DNS + SNI) and who the authenticated user was (proxy); whether there is beaconing or DNS tunneling (interval/entropy analysis); whether any IDS signature fired and whether the flow/proxy/Zeek records corroborated it. (4) Extract and hash any transferred files (tshark --export-objects http,./out), noting matches to known case files. (5) Build the network timeline, normalized to UTC, recording each source's clock offset, then fuse it with your Windows-artifact timeline from Chapter 16, flagging every finding whose limit you must state. Save every log, CSV, extracted object, and timeline into the case-file folder; the capstone in Chapter 38 — The Capstone Investigation assembles the whole file. List the files you generated and their hashes in your submission.
Self-check. You have mastered this chapter when you can take a single capture and a pile of logs and, without guessing, answer four questions with cited sources — who talked to whom, how much moved, in which direction, and attributable to which user — and when you instinctively separate flow volume from content, an IDS alert from a finding, and an IP address from a person, normalizing every clock to UTC before you fuse anything. If you can build the fused timeline in Group G and state each line's limit the way an opposing expert would force you to, you are ready for Chapter 24 — Mobile Device Forensics, where the investigation leaves the wire for the most personal — and most locked-down — device a person owns.