Welcome back everyone. Today we're going to start looking at how to do a very basic network traffic investigation. We'll talk a little bit about networks and how network traffic works, and we will use two tools. One tool is called Wireshark, which we will use to collect and do a basic analysis of the network traffic. The other tool we will use is called Network Miner. Both of these tools are free. Network Miner also has a premium version, but the free version will work for what we're trying to do right now. So to start with, we need to think about how we're actually going to collect network traffic. Right now my main workstation is a Linux workstation that's running Wireshark, and I also have a virtual machine, or guest system, running Windows. We are going to connect to a web page in Windows, and then we're going to capture that network traffic with Wireshark on the host, or local, system. So the first thing we need to do is think about how the traffic is actually flowing. Because I'm running a virtual machine, this virtual machine is configured, if I look at the network settings of the virtual machine, as a bridged adapter for the local wireless adapter in the main workstation. What that means is that if this Windows computer makes any type of network connection, its data will be sent out of the wireless interface. So whenever we're trying to capture traffic, you have to think about the way that traffic flows both in and out of the network. In this case, we actually have a single point where all of the traffic from Windows will flow through, and that is the wireless adapter of this local computer. But if we were trying to capture network traffic on an entire network, where does all of the traffic flow through? Most people probably have some sort of wireless access point at home.
For example, if you have multiple devices, they probably connect to the wireless access point, and then the wireless access point connects those devices to the internet. So if somebody can take over or place a device either before or after the wireless access point at your house, they could potentially capture all of the network traffic going out of your home network. Now, if there was a device placed, for example, to capture all of the traffic coming out of your home network, but you had two computers talking to each other on the internal network, then it wouldn't be able to see the communication between those two computers on the internal network. It would only be able to see the data that's going out of the network to the internet. So placement of monitoring tools or probes is very important. You really have to think about how the network is structured and where you can capture all of the data, or as much data as you need to capture. Most of the time a probe is placed on a gateway or close to a gateway, since most of the traffic will go through that gateway. So in this case, all of the traffic for this Windows computer is going out of the wireless adapter of the local computer, so if we can monitor that wireless adapter, then we should be able to see all of the traffic. Okay, so I'm going to click OK. Going back to Wireshark, we're using Wireshark to capture the network traffic, and then we'll do a little bit of basic analysis with it. The wireless adapter was wlp5s0, so if I double-click on that, we start to see data coming through. Now, this is data, or network traffic, that's being sent not only from the Windows computer but also from the local computer. So it's kind of like there are two computers on this network; you can think of it like that. The network traffic, of course, is just going to have one IP address, and that is the IP address of the wireless adapter. Okay.
And then other IP addresses will be other devices in the system. Okay. So now let's go to the Windows computer. I'm going to open up Google Chrome, and let's go to www.halem.ac.kr, the school's website. Notice that the school's website is loading a lot of different code in here. Maybe I can zoom out a little bit. Okay, so zoomed out, there's a lot of different code. I can see that we've probably loaded quite a bit of JavaScript. We've loaded some images here: image, image, some background images, again the vote and some students sitting in a meeting, background images, things like that. So we've actually loaded quite a bit of code and a lot of pictures as well. Okay, so notice this picture down here. Now I'm just going to close it, or I'll just minimize it, it doesn't matter. Let's bring back up Wireshark and hit the stop button. Okay, so it's no longer recording. We were recording before, and it captured a lot of different traffic, all of the packets, that was being sent over the network. Now we want to analyze it. What you'll notice is there are a couple of things we see right off the bat. For example, this thing that says TLS. If we see TLS, that probably means some sort of secure sockets layer, or this is most likely trying to make an HTTPS connection, because TLS usually involves some type of encryption. What we want to find is HTTP traffic. So up in the display filter area, I can just type http and press Enter, and it will filter out all of the other traffic and show me only the HTTP traffic. Okay, so now I can see very quickly that we have JPEG (JFIF) images being sent over the network, and this is the data. We have some pings. We have some more JPEGs, HTTP data, some text. So really what I want to do is check or look at all of this. So we'll click on text/html.
This should be some text or HTML that was sent. If I go and look into the packets, this is actually, let me move this up a little bit, the raw data that was sent over the network. Okay, so this is the raw data that was sent over the network, and it has a little analyzer, so we can look into the packet and understand what it actually means. So we have some sort of cookie set by the website. So yeah, some different information about what was being set. And then if we look at the line-based text data, what does this look like? Doctype HTML, language code, left to right. This is the HTML, right? So this is actually the web page code that you would download and your browser would render. So maybe we want to see not only this individual page. We could just copy this out and we'd have a copy of the web page. But let's see if we can get more information, because all of this is actually data being transferred to render the web page. Okay, let's see if we can actually get all of the data at the same time. We can do that by right-clicking on the packet that you're interested in and then choosing Follow TCP Stream. So this is the entire conversation, all of the data that was being sent over the network at the time. Okay, so we can see, for example, the data in the web page; we can see the web page has been downloaded, or at least the code for the web page that's being downloaded. We can also see any other files that were downloaded. So for example, this is some sort of attachment. What exactly is being sent, I'm not exactly sure, but it was split up. So there's a lot of different data being sent down here and we can see all of it. But we really want to be able to extract images especially, or reconstruct web pages, fairly easily. And you can do that.
So in this network traffic, think about all of the data that's sent over the network: it could be things like passwords, it could be things like encryption keys, messages, chats, things like that. And if those are not encrypted, then you can just see the data very clearly, in plain text, let's say. So let me go back here. If we click on this text, let's look at the actual data. We can see, okay, meta name, viewport content; this is the actual web page, right? So if we sent a password or some sort of secret information without encrypting it, then whoever's looking at the traffic could potentially pull that out and be able to read it directly. Now, if you send that data encrypted, then somebody would have to try to break the encryption to be able to extract passwords and things like that. It's not necessarily impossible to break most of the encryption or try to get around the encryption, but it is very difficult. So basically, you should be trying to make sure that you're using encryption, make sure that you're using HTTPS and things like that. But whenever we're trying to analyze network traffic, HTTP or other plain-text, unencrypted channels usually give us quite a bit of information. Now, encrypted channels can also give us quite a bit of information, but we might not be able to see the contents. So if this web page was sent over HTTPS, then we wouldn't be able to see the web page contents here. Now, we want to be able to extract data and images from this. We can see, for example, that this is JPEG information right here. We could go through and try to pull out the JPEG data manually, but lucky for us, there are a lot of programs that do this for us. So let's try to do that. Now we have to save the data that we've collected. So the network traffic that we've collected, we need to save it. So Save As, and then I'm going to save it into my Downloads folder and call it, I'll call it test, or test one, and give it an extension.
And I'll give it an extension of pcap. pcapng requires different software, so I'll use pcap, test.pcap; pcap is kind of a standard way to save network traffic data. Save it, then minimize that, and we're pretty much done with Wireshark. We can go back in and analyze the data manually if we want, but we are going to use Network Miner, and I'll give the links to these, Network Miner, to be able to analyze our data. So we can go to File, Open, and then in the Downloads folder I can select test one and click Open. Now it's loading all of that network traffic, and you see these IP addresses popping up. Those IP addresses are all of the different addresses that were communicating, or basically talking to each other, while we were monitoring the traffic. Okay, so now, even though maybe we're not monitoring anymore, we can still save network traffic and analyze it later. So yeah, okay. So whenever we go through this, we can see a couple of different things. For example, we can see that this is a TP-Link router inside, which is the gateway for this network. We can see a couple of them have addresses. So this 1463 is the Hallam website. And googlecode.kr; we can see all of these different IP addresses. All of these are computers or systems. They could very well be access points or gateways or something like that. This 10.1.0 network is the local network, and then anything like 216, 203, 174, 64, those are outside of the local network. Okay, so we can get a little bit of information about individual computers. So if you know that somebody is using, for example, an iPhone, then it would probably show up, or you could get information that would make you think this is an iPhone, from the network hosts file. If we go into Files, then it gives us a list of all of the files that were downloaded. And it's mostly certificates and things like that. We also see some JPEGs and PNGs.
But what we want to do, yeah, so something that might be interesting is the port that the data was sent over. So the source port was 443 or port 80; 443 should be basically encrypted, it's HTTPS, and port 80 is not encrypted. And then the destination port is over here. We want to go to Images, however, and see what we can pull out. So from our network traffic, we're able to extract all of the images that the user saw. So whoever was using the Windows computer to browse the internet, if we get their network traffic, we can potentially see all of the images that they downloaded and reconstruct them. So for example, you might remember at the bottom of the web page was this vote. Let me see if I can go back to it. So at the bottom of the web page was this vote, and we pulled that out of the network traffic. There's also this kind of conference. Let's see if we can find the conference picture. Conference picture. Yeah, so this is the conference picture, and this is the high-res version. So we downloaded all of the network traffic that the user saw. Now, this is really powerful for investigations, but also a bit concerning when it comes to privacy. So all of these government agencies that are collecting massive amounts of network traffic: once that traffic is collected, they can potentially go back and analyze the traffic anytime, right? So yeah, this massive traffic collection, especially of unencrypted data, and a lot of data is still sent unencrypted, has potential privacy concerns, but we're focusing mostly on it from an investigation point of view. So we want to know things like what the user was actually looking for, what websites they went to, things like that. And we can find the websites, we can find images, we can even find videos that were downloaded, from the network traffic itself.
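The two manual steps shown above, Follow TCP Stream to get the whole conversation and then pulling the image files out of it, as an added Python example that is not part of the lecture and not code from Wireshark or Network Miner: it reads a classic pcap file, reassembles each one-way TCP flow by sequence number, and carves HTTP response bodies using Content-Length. The pcap is constructed inline (hypothetical addresses 10.1.0.9 and 10.1.0.50, a tiny JPEG-shaped body), so it runs offline.

```python
import socket, struct

def eth_ip_tcp(src, dst, sport, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; the parser below ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp          # zero MACs + EtherType IPv4

def pcap_file(frames):
    """Classic little-endian pcap: 24-byte global header, then a 16-byte record header per frame."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

def tcp_segments(pcap):
    """Yield (src, dst, sport, dport, seq, payload) for each IPv4/TCP frame in a classic pcap."""
    end, off = ("<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"), 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        fr, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(fr) < 34 or fr[12:14] != b"\x08\x00" or fr[23] != 6:
            continue                                    # too short, or not IPv4 carrying TCP
        ip = fr[14:14 + struct.unpack("!H", fr[16:18])[0]]
        t = ip[(ip[0] & 0x0F) * 4:]                      # skip the IP header (IHL)
        sport, dport, seq = struct.unpack("!HHI", t[:8])
        yield socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport, seq, t[(t[12] >> 4) * 4:]

def follow_streams(pcap):
    """Reassemble each one-way flow in sequence-number order, like Wireshark's 'Follow TCP Stream'."""
    flows = {}
    for *key, seq, payload in tcp_segments(pcap):
        if payload:
            flows.setdefault(tuple(key), []).append((seq, payload))
    return {k: b"".join(p for _, p in sorted(v)) for k, v in flows.items()}

def carve_http_objects(stream):
    """Split a server-to-client stream into (Content-Type, body) pairs using Content-Length."""
    objs, pos = [], 0
    while (hdr_end := stream.find(b"\r\n\r\n", pos)) != -1:
        lines = stream[pos:hdr_end].decode("latin-1").split("\r\n")[1:]      # drop the status line
        hdrs = {k.strip().lower(): v.strip() for k, v in (h.split(":", 1) for h in lines if ":" in h)}
        length = int(hdrs.get("content-length", "0"))
        objs.append((hdrs.get("content-type", ""), stream[hdr_end + 4:hdr_end + 4 + length]))
        pos = hdr_end + 4 + length
    return objs

# Constructed sample: a port-80 web server sends a tiny JPEG to the Windows guest, split over two segments captured out of order.
RESP = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: 18\r\n\r\n" + b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"\xff\xd9"
SAMPLE_PCAP = pcap_file([eth_ip_tcp("10.1.0.9", "10.1.0.50", 80, 49152, 1030, RESP[30:]),
                         eth_ip_tcp("10.1.0.9", "10.1.0.50", 80, 49152, 1000, RESP[:30])])
```

Calling `carve_http_objects(follow_streams(SAMPLE_PCAP)[("10.1.0.9", "10.1.0.50", 80, 49152)])` returns the single `image/jpeg` body, reassembled even though the second half of the response was captured first; on a real capture, run it over `open("test.pcap", "rb").read()` and write each body to a file named after its Content-Type.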
So that's a very quick and basic network traffic analysis, using Wireshark to collect the data and then Network Miner to quickly analyze it and pull out some interesting information from that data. That's it for today. Thank you very much.