Acquiring digital evidence from Botnet attacks: procedures and methods
The botnet, a collection of compromised computers, is one of the latest technologies in the evolution of cybercrime. Cybercriminals, motivated by financial gain, use those infected computers as an equipment of cybercrime. For example, botnets are used in Distributed Denial of Service (DDoS) extortion scams, sending of spam, and running arbitrary network services for phishing. Therefore, digital forensic investigators need to forensically analysis and reconstruct those criminal activities. However, the writers of botnets have employed various stealth and deception techniques to hide the existence of their bots. They have also used new techniques such as rootkit and packing methods to hamper the botnet analysis. Even though the need for live forensic approaches has constantly increased for gathering valuable information that cannot be obtained by conventional digital forensic approaches, it is not only unrepeatable in normal situations, but also can damage the integrity of the digital evidence. For this reason, the main purpose of this study is to propose a forensic investigation approach to address those challenges. The proposed approach is mainly designed to increase repeatability of live forensic investigation and accuracy of digital evidence, which especially is focused on analysis of the memory image acquired from an infected host. In addition, the proposed approach uses various types of information to increase the effectiveness of botnet investigation. In order to evaluate the proposed approach, an experiment is conducted in two phases: malware collection and forensic investigation. In the malware collection phase, the researcher collects botnet samples from the Internet and builds a malware signature database by running a low interaction honeypot. After that, collected malware samples are submitted to some external analysis service providers to understand their behaviour. In the second phase, a forensic analysis is performed on a host infected by a botnet malware to identify and preserve the possible digital evidence. Afterwards, an analysis of the collected evidence is conducted with various types of information to reconstruct a botnet incident. An important contribution of this study is that the proposed approach shows that the most effective approach for the forensic investigation of a botnet incident is to combine internal and external information. The live forensic investigation on the infected system does not provide enough information for reconstruction. To make up for the weak points, the researcher uses existing external knowledge about the malware sample. The lack of explanation about the initial exploitation and propagation method is supplemented by analysing the log of a honeypot system. The details of sequential activities to infect the target machine are explained by the reports of sandbox analysis. Finally, the researcher is able to reconstruct the entire picture of the botnet incident with both internal and external information.