The importance of ports

What are ports?

Simply put, a port is a number (0 to 65535) that, together with an IP address, identifies one end of a TCP or UDP conversation. It lets a single computer keep many connections apart: a web server, a mail client and a remote-desktop session can all run on the same machine because each talks on a different port. (These are not the physical sockets a printer cable plugs into; the word is borrowed, but here it always means a network port.)
The following ports are of significant interest in a digital forensic investigation:

Port 80
This is the port on which a web server listens for HTTP, which runs over TCP. A browser such as Internet Explorer does not listen on port 80 itself; it opens a connection from a high-numbered local port to port 80 (or 443 for HTTPS) on the remote server.
In an investigation the Internet Explorer process should therefore appear with connections whose remote port is 80 or 443; a browser connected to some other remote port, or a browser process that is itself in the LISTENING state, is suspicious.

Malware also likes to open port 80 itself as a listener, because a connection to port 80 is easy to mistake for ordinary web traffic. On Windows, netstat -ano lists every listening and established socket together with the owning process ID, so these are easy to spot.

Here we can see that process 796 is connecting to port 89 (the port is the number after the colon at the end of the remote address). This is suspicious because process ID 796 matches Internet Explorer on this machine, and a browser has no reason to talk to port 89. We also notice port 443 being used, which is the port for HTTPS.
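The check described above, written out as an added example (this is not code from the original page, and the netstat output and PID-to-process mapping below are constructed to mirror the case discussed, not taken from the page's screenshot). It parses netstat -ano style output, joins each socket to its process name as tasklist would report it, and flags a browser that is either listening or connected to a remote port other than 80 or 443:

```python
"""Flag suspicious sockets in `netstat -ano` output: browsers on odd ports, or listening."""

# Constructed sample of Windows `netstat -ano` output (not the page's screenshot);
# PID 796 mirrors the Internet Explorer process discussed above.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       796
  TCP    192.168.1.20:49712     93.184.216.34:80       ESTABLISHED     796
  TCP    192.168.1.20:49713     93.184.216.34:443      ESTABLISHED     796
  TCP    192.168.1.20:49720     198.51.100.7:89        ESTABLISHED     796
  TCP    192.168.1.20:49730     203.0.113.5:443        ESTABLISHED     1204
  UDP    0.0.0.0:5353           *:*                                    1560
"""

# Constructed PID-to-image mapping, as `tasklist` would report it on the same host.
SAMPLE_TASKLIST = {796: "iexplore.exe", 880: "svchost.exe",
                   1204: "chrome.exe", 1560: "svchost.exe"}

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
WEB_PORTS = {80, 443}   # the only remote ports a browser is normally expected to use


def _split_endpoint(endpoint):
    """Split 'addr:port' (IPv4 or [IPv6]) into (addr, port); port is None for '*'."""
    addr, _, port = endpoint.rpartition(":")
    return addr, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` output into connection records (header lines skipped)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0]
        local_ip, local_port = _split_endpoint(parts[1])
        remote_ip, remote_port = _split_endpoint(parts[2])
        # TCP rows carry a State column; UDP rows have none, so the PID is the 4th field.
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        records.append({"proto": proto, "local_ip": local_ip, "local_port": local_port,
                        "remote_ip": remote_ip, "remote_port": remote_port,
                        "state": state, "pid": int(pid)})
    return records


def flag_anomalies(records, pid_to_image):
    """Return (pid, image, reason) for browser sockets that break the expected pattern."""
    findings = []
    for r in records:
        image = pid_to_image.get(r["pid"], "<unknown>")
        if image.lower() not in BROWSERS:
            continue
        if r["state"] == "LISTENING":
            findings.append((r["pid"], image,
                             f"browser process is LISTENING on local port {r['local_port']}"))
        elif r["state"] == "ESTABLISHED" and r["remote_port"] not in WEB_PORTS:
            findings.append((r["pid"], image,
                             f"browser connected to {r['remote_ip']}:{r['remote_port']}, "
                             f"which is not a web port"))
    return findings


if __name__ == "__main__":
    for pid, image, reason in flag_anomalies(parse_netstat(SAMPLE_NETSTAT), SAMPLE_TASKLIST):
        print(f"PID {pid} ({image}): {reason}")
```

On the constructed input this reports PID 796 twice: once for listening on local port 80, once for the connection to remote port 89. The Chrome connection to 443 and the svchost sockets are left alone. On a live machine, feed it the saved output of netstat -ano and a mapping built from tasklist, and remember that a browser legitimately uses a proxy port (such as 8080 or 3128) in proxied environments, so extend WEB_PORTS to match the site.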


Port 20 and 21
These ports are used for the File Transfer Protocol (FTP), a client-server protocol for moving files between machines. The client contacts the server on port 21, which carries the control channel (login, directory listings, commands). The file contents themselves travel over a separate data connection: in active mode the server opens it from port 20 back to the client, while in passive mode the client connects to a high port chosen by the server. Once logged in, the client can download files from the server and, if the account permits, upload, rename or delete them. 

In a forensic case, an FTP server leaves transfer logs (for example the xferlog file on Unix servers, or the IIS FTP log on Windows) that record when a transfer happened, from which remote address, which file, how large it was, in which direction, and under which account. These are useful for cases where investigators want to see how files were exchanged, and with whom. In 2013, Russian hackers reportedly infiltrated an FTP server belonging to the BBC, giving them the potential to do significant damage. 
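As an added example of reading such a log (not code from the original page), the block below parses xferlog-format lines and answers the two questions an investigator asks first: which remote hosts moved which files in which direction, and which authenticated accounts uploaded anything. The log lines are constructed for the example and the field order follows the xferlog man page (date, transfer seconds, remote host, bytes, path, transfer type, special-action flag, direction, access mode, user, service, authentication method, authenticated user id, completion status):

```python
"""Summarise an FTP transfer log (xferlog format) by remote host and direction."""
from datetime import datetime

# Constructed xferlog lines (not taken from any real server).
SAMPLE_XFERLOG = """\
Mon Dec  2 10:15:23 2013 1 203.0.113.45 1024 /incoming/update.php b _ i r ftpuser ftp 0 * c
Mon Dec  2 10:16:02 2013 3 203.0.113.45 204800 /www/config.inc.php b _ o r ftpuser ftp 0 * c
Mon Dec  2 11:40:11 2013 0 198.51.100.9 512 /pub/readme.txt a _ o a anonymous ftp 0 * c
Mon Dec  2 11:41:00 2013 2 198.51.100.9 8192 /pub/photo.jpg b _ o a anonymous ftp 0 * i
"""

DIRECTION = {"i": "upload", "o": "download", "d": "delete"}   # seen from the server
ACCESS = {"a": "anonymous", "g": "guest", "r": "real"}


def parse_xferlog(text):
    """Parse xferlog lines into records; lines that do not split into 18 tokens are skipped
    (paths containing spaces are not handled by this simple whitespace split)."""
    records = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) != 18:
            continue
        when = datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y")
        (secs, host, size, path, xtype, _special, direction, access,
         user, _service, _auth, _auth_id, status) = tokens[5:]
        records.append({
            "when": when, "secs": int(secs), "remote_host": host, "size": int(size),
            "path": path, "binary": xtype == "b",
            "direction": DIRECTION.get(direction, direction),
            "access": ACCESS.get(access, access), "user": user,
            "complete": status == "c",
        })
    return records


def summarise_by_host(records):
    """Group transfers by remote address: which files went which way, and how many bytes."""
    summary = {}
    for r in records:
        entry = summary.setdefault(r["remote_host"],
                                   {"upload": [], "download": [], "delete": [], "bytes": 0})
        entry.setdefault(r["direction"], []).append(r["path"])
        entry["bytes"] += r["size"]
    return summary


def uploads_by_real_users(records):
    """Files placed on the server by authenticated (non-anonymous) accounts: the first
    place to look for a dropped script or a replaced configuration file."""
    return [(r["when"].isoformat(), r["remote_host"], r["user"], r["path"])
            for r in records if r["direction"] == "upload" and r["access"] == "real"]


def incomplete_transfers(records):
    """Transfers the server did not mark complete ('c'); interrupted pulls are worth noting."""
    return [r["path"] for r in records if not r["complete"]]


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG)
    for host, entry in summarise_by_host(recs).items():
        print(host, entry)
    print("uploads by real users:", uploads_by_real_users(recs))
    print("incomplete:", incomplete_transfers(recs))
```

Timestamps in xferlog are in the server's local time and the log says nothing about the control-channel session (login failures, commands that moved no data), so pair it with the daemon's own log or syslog before drawing conclusions about who did what.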


Port 53
This is the Domain Name System (DNS), which uses port 53 over UDP (and TCP for larger answers and zone transfers). DNS translates a name such as www.example.com into an IP address, so the user types and sees the name rather than the address.
If malware changes that translation, by poisoning the resolver cache, pointing the machine at a rogue DNS server, or adding an entry to the local hosts file, the browser shows the real bank's name while connecting to the attacker's server, and the individual may log in to a fake bank with no clue that anything is wrong. Over HTTPS the certificate warning is the one remaining clue, which is why the hosts file, the DNS cache and the configured resolvers are all worth examining.
