Research Article
A Host-Based Approach to BotNet Investigation?
@INPROCEEDINGS{10.1007/978-3-642-11534-9_16, author={Frank Law and K. Chow and Pierre Lai and Hayson Tse}, title={A Host-Based Approach to BotNet Investigation?}, proceedings={Digital Forensics and Cyber Crime. First International ICST Conference, ICDF2C 2009, Albany, NY, USA, September 30-October 2, 2009, Revised Selected Papers}, proceedings_a={ICDF2C}, year={2012}, month={5}, keywords={BotNet, memory forensics, network investigation, malware}, doi={10.1007/978-3-642-11534-9_16} }
- Frank Law
- K. Chow
- Pierre Lai
- Hayson Tse
Year: 2012
A Host-Based Approach to BotNet Investigation?
ICDF2C
Springer
DOI: 10.1007/978-3-642-11534-9_16
Abstract
Robot Networks (BotNets) are one of the most serious threats faced by the online community today. Since their appearance in the late 1990s, much effort has been expended in trying to thwart their unprecedented growth. However, because BotNet malware is robust and sophisticated, average users find it very difficult to avoid or prevent infection. Moreover, whilst BotNets have grown in scale, scope and sophistication, the dearth of standardized and effective investigative procedures poses huge challenges to digital investigators probing such cases. In this paper we present a practical (and repeatable) host-based investigative methodology for collecting evidentiary information from a Bot-infected machine. Our approach collects digital traces from both the network and the physical memory of the infected local host, and correlates this information to identify the resident BotNet malware involved.
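The correlation step the abstract describes, joining outbound network traces against the socket and process artefacts carved from the host's physical memory to name the resident process behind a suspect connection, can be sketched in a few dozen lines. The block below is an added illustration written for this page; it is not the authors' code, and the record layouts (a flow log keyed by local port and remote endpoint, a memory-derived socket table with owning PID and process name), the beaconing heuristic, and every IP address, port, PID and process name in the sample data are constructed assumptions.

```python
"""
Correlate outbound network flows with socket/process artefacts from a memory
image, then flag processes whose traffic is periodic (beacon-like).

All records below are constructed for illustration. The field layouts are an
assumption about what a flow log and a memory-carved socket table provide;
they are not the paper's format or any particular tool's output.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One outbound traffic burst seen on the wire (constructed)."""
    ts: float          # seconds since start of capture
    local_port: int
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Socket:
    """A socket with its owning process, as carved from RAM (constructed)."""
    pid: int
    process: str
    local_port: int
    remote_ip: str
    remote_port: int


# Constructed network trace: browsing traffic, a 60-second beacon, and one
# flow whose socket was already closed when memory was acquired.
FLOWS = [
    Flow(0.0, 49152, "93.184.216.34", 80),
    Flow(1.5, 49153, "93.184.216.34", 443),
    Flow(10.0, 49160, "198.51.100.7", 6667),
    Flow(70.0, 49160, "198.51.100.7", 6667),
    Flow(130.0, 49160, "198.51.100.7", 6667),
    Flow(190.0, 49160, "198.51.100.7", 6667),
    Flow(33.0, 49170, "203.0.113.9", 443),
]

# Constructed socket table from the memory image (hypothetical PIDs/names).
SOCKETS = [
    Socket(812, "browser.exe", 49152, "93.184.216.34", 80),
    Socket(812, "browser.exe", 49153, "93.184.216.34", 443),
    Socket(1337, "update.exe", 49160, "198.51.100.7", 6667),
]


def attribute_flows(flows, sockets):
    """Join flows to owning processes on (local port, remote ip, remote port).

    Returns ({(pid, process, remote_ip, remote_port): [timestamps]}, unmatched).
    Flows with no live socket in the image are reported, not discarded: the
    connection may have closed before acquisition, or the socket may be hidden.
    """
    owners = {(s.local_port, s.remote_ip, s.remote_port): (s.pid, s.process)
              for s in sockets}
    attributed = defaultdict(list)
    unmatched = []
    for f in flows:
        key = (f.local_port, f.remote_ip, f.remote_port)
        if key in owners:
            pid, name = owners[key]
            attributed[(pid, name, f.remote_ip, f.remote_port)].append(f.ts)
        else:
            unmatched.append(f)
    return dict(attributed), unmatched


def is_periodic(timestamps, min_samples=4, max_jitter=0.2):
    """True if inter-arrival gaps are regular: stddev/mean <= max_jitter."""
    if len(timestamps) < min_samples:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= max_jitter


def find_beaconing_processes(flows, sockets):
    """Return (process, pid, remote_ip, remote_port, interval_s) for
    processes whose attributed traffic to one endpoint is periodic."""
    attributed, _ = attribute_flows(flows, sockets)
    hits = []
    for (pid, name, ip, port), stamps in attributed.items():
        if is_periodic(stamps):
            ts = sorted(stamps)
            interval = mean(b - a for a, b in zip(ts, ts[1:]))
            hits.append((name, pid, ip, port, round(interval, 1)))
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_beaconing_processes(FLOWS, SOCKETS):
        print("beacon candidate:", hit)
    _, leftover = attribute_flows(FLOWS, SOCKETS)
    for f in leftover:
        print("no resident owner in memory image:", f)
```

The unmatched list is the practical caveat: a memory image only captures sockets that were open at acquisition time, so the correlation is strongest when the capture and the memory acquisition overlap, and any flow that cannot be attributed should be investigated rather than dropped.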