The open systems interconnection (OSI), model is built for the network based digital communication and keeps flexibility and modularity in mind. The OSI model is a seven-layered design, starting from the physical layer and ending at the application layer. A high-level diagram of the OSI layers can be viewed as follows:

The seven layers are responsible for a variety of different communication standards as:

• At the physical layer, we are generally speaking about the cables, hubs, optical fibers, coaxial cables, and connectors, which are the actual physical carriers of data, and the data is represented in bits.
• At the data-link layer, we have 802.11, WI-MAX, ATM, Ethernet, Token Ring, PPTP, L2TP, and much more, which enables establishment and termination between the nodes. The data is represented in frames.
• At the network layer, we have the IPv4, IPv6, OSPF, ICMP, and IGMP sets of protocols, which manage logical, physical address mappings, routing, and frame fragmentations. The data is in the form of packets.
• At the transport layer, we have TCP and UDP, which allow message segmentation, message acknowledgment, host-to-host communication, and message-traffic control. The data is represented in segments.
• At the session layer, we have SAP, PPTP, RTP, and SOCKS. It is responsible for session establishment, maintenance, and termination.
• The presentation layer has SSL/TLS, WEP, WPA, Kerberos, MIME, and other implementations and is generally responsible for character-code translations, data conversation, compression, and encryption.
• At the application layer, we have DHCP, FTP, HTTP, IMAP, POP3, NTP, SSH, and TELNET, the end-user programs.

The OSI model and the TCP/IP model can be collectively viewed as follows:

The mapping of OSI model and TCP/IP model isn't perfect. SSL/TLS, for example, contains elements from both the presentation and session layers. From launching any of the application on your system which communicates with the outside world it all goes through the previously discussed layers. Consider a scenario where you want to browse to a particular website.

1. In this case, when you type a website's address into your browser, which is a layer 7 application, the domain name gets resolved to the IP address.
2. Once you have the IP address of the destination, the data is encapsulated within the TCP/UDP data structure consisting of TCP/UDP header and data is passed to the transport layer where the OS embeds the source and destination ports data into the packet structure.
3. Next, the structure is passed to network layer, where the source and destination IP address are embedded to the structure and is encapsulated within an IP packet.
4. The entire packet is changed into an Ethernet frame on layer 2 and then finally travels in the form of bits on the wire.
5. On the receiving end, the bits are first transformed into an Ethernet frame, and layer 2 information is removed and is sent to the network layer.
6. At the network layer, the packet is checked that if it is meant for the system and if it is, the system removes the layer 3 information, which is the IP packet header, and pushes it to layer 4 from where the OS identifies the port number it is meant to be delivered to.
7. From here, the OS identifies the port, removes the TCP header information, checks which program is listening on that port, and delivers the payload to the application.

However, when the information travels from one point to the other, it creates traces (logs) on various devices along the way. These devices can be firewalls, proxy servers, routers, switches, or application servers, and since we covered some basic packet-based network forensics in the previous chapter, let's look at the log-based evidence scenarios.