
DNS network forensic analysis




I am studying for a postgraduate degree in digital forensic computing and my professor has asked me to do a network forensic analysis of the DNS protocol. He has asked us the following:

Set up a virtual server and a virtual client using VMware Workstation. They should not be connected to the internet. Do a DNS forensic analysis by extracting the digital evidence in relation to the DNS protocol.

I have already set up a virtual Windows Server 2012 R2 server with Active Directory and an Active Directory-integrated DNS server, and a virtual Windows 7 Professional client that is joined to this domain. I have also installed Wireshark on the client computer, but my problem is how to perform the steps of extracting digital evidence and how to explain the Wireshark logs in words.

If anybody can provide me help in this regard I shall be grateful.

Thanks & regards,



If we give you an answer that turns out to be wrong and you go with it without verifying the info, this will count as part of your grade, and as such, may not help you in the long run. Maybe try some things, explain what you're doing and ask for pointers about the stuff you want better explained. Also, honestly (and it's a cliché, but still important), google for what you are doing and the info you want to dissect. I have a feeling you will not only get a better understanding of what it is you are asking, but you probably already know most of it, since you are in a networking class that should cover some fundamentals of how the protocols work, OSI layers, etc. Good luck.

Edited by digip

I have not studied digital forensics, but if it were me I would teach myself by capturing a pcap of multiple different scenarios:

- client requests private ip name resolution

- client requests public ip reverse look up

- client requests public host name resolution

- client requests resolution of an ip that the dns server contains a record for

- client requests resolution of an ip that the server does not have a record for

- client requests different types of records, i.e. MX records.

Now open up each of the captures and strip them down to just the DNS request (add DNS-specific filters, e.g. udp). Now ask yourself: if I were a detective, what information might be important to me?

- time of the request

- time of the response

- time between the request and response

- source ip of the request

- destination ip of the request

- type of request

- size of the request

- what was the data in the request? Where was the user trying to go? (right-click, Follow UDP Stream)

- what was the server's response?

- what was the MAC address in the request? (This can give you the last hop and an idea of the network route taken.)

- source and destination port used.

Google searching will provide the how-tos on where to find the answers to the above questions in the packets. You could also now go a step further:

- what third-party tools can you hand the pcaps to in order to produce automated reports? Xplico, etc.?

- was there a TCP handshake after the DNS request completed, to say the user actually went ahead with the connection?

Edited by Isolot
