Forensic Documentation - BotNet infection

(@mindsmith)
Posts: 174
Estimable Member
Topic starter
 

Hi,

Does anyone have any documentation on forensic investigation of a botnet infection?

The 'conventional-type' forensics reports don't lend themselves to such a multi-faceted investigation, and with over 67 machines that were part of this botnet (in one organisation), doing the traditional forensics investigation reports on all of them is not achievable.

I have identified the botnet components and the 'master nodes' within the corp network, and based on extensive packet analysis I have determined the role/function assigned to each of the machines, the command and control server, samples of what data was 'extricated', etc., and some of the encrypted traffic used, I believe, to send instructions to the 'master nodes' (unable to decrypt it), but putting all this together into a legally acceptable report is quite a challenge - has anyone done anything similar or can anyone offer any pointers in this regard?

Thanks & Regards,

 
Posted : 18/07/2007 12:41 pm
(@reverendlex)
Posts: 23
Eminent Member
 

Sounds like you've got your work cut out for you. I'm working on a network intrusion case myself that looks like bot behavior.

I'm not sure of which jurisdiction you're in, but a detailed workup of what you did and found and the basis for your conclusions should suffice.

 
Posted : 22/07/2007 1:02 am
E5Pro
(@e5pro)
Posts: 69
Trusted Member
 

Would love to see an abstract of this report.

 
Posted : 25/09/2007 7:03 am
(@kovar)
Posts: 805
Prominent Member
 

Greetings,

I'm working a case that requires a couple of different investigations. I was structuring my reports as follows:

Case Report
    Network Report
    System A Report
        Media Report #1
        Media Report #2
    System B Report
        Media Report #1
        Media Report #2
    Interview Report

So there's one master case report that describes the situation and summarizes my findings. It references reports on different components of the investigation.

This sort of style would also help if you've got a team of investigators focusing on individual specialties.

-David

 
Posted : 25/09/2007 7:36 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Does anyone have any documentation on forensic investigation of a botnet infection?

…and…

…but putting all this together into a legally acceptable report is quite a challenge - has anyone done anything similar or can anyone offer any pointers in this regard?

What is "legally acceptable" in your jurisdiction?

I would suggest that it sounds like you have everything you need… I do agree that such things are a bit more involved than, say, a single system examination, but to be honest, it really sounds like you have all of your ducks in a row, as it were. If I were you, I'd suggest going back to your original post and starting by using your "what I have" as a basic table of contents, and then including the individual media analyses as appendices to the report.

To determine what is "legally acceptable" though, you'd most likely need the input of an attorney in or familiar with your jurisdiction.

H

 
Posted : 25/09/2007 3:36 pm