
Forensic Documentation - BotNet infection  

MindSmith
(@mindsmith)
Active Member

Hi,

Does anyone have any documentation on forensic investigation of a botnet infection?

The 'conventional-type' forensics reports don't lend themselves to such a multi-faceted investigation, and with over 67 machines that were part of this botnet (in one organisation), doing the traditional forensics investigation reports on all of them is not achievable.

I have identified the botnet components and the 'master nodes' within the corp network, and based on extensive packet analysis I have determined the role/function assigned to each of the machines, the command and control server, samples of what data was 'extricated', etc., and some of the encrypted traffic used, I believe, to send instructions to the 'master nodes' (unable to decrypt it). But putting all this together into a legally acceptable report is quite a challenge. Has anyone done anything similar, or can anyone offer any pointers in this regard?

Thanks & Regards,

Posted : 18/07/2007 1:41 pm
reverendlex
(@reverendlex)
New Member

Sounds like you've got your work cut out for you. I'm working on a network intrusion case myself that looks like bot behavior.

I'm not sure of which jurisdiction you're in, but a detailed workup of what you did and found and the basis for your conclusions should suffice.

Posted : 22/07/2007 2:02 am
E5Pro
(@e5pro)
Member

Would love to see an abstract of this report.

Posted : 25/09/2007 8:03 am
kovar
(@kovar)
Senior Member

Greetings,

I'm working a case that requires a couple of different investigations. I was structuring my reports as follows:

Case Report
    Network Report
    System A Report
        Media Report #1
        Media Report #2
    System B Report
        Media Report #1
        Media Report #2
    Interview Report

So there's one master case report that describes the situation and summarizes my findings. It references reports on different components of the investigation.

This sort of style would also help if you've got a team of investigators focusing on individual specialties.

-David

Posted : 25/09/2007 8:36 am
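The original poster describes deriving each machine's role (C2 server, master nodes, infected hosts) from packet analysis, and David describes a master case report that references per-system sub-reports. The following is an added example, not code posted by anyone in this thread: it runs a simple fan-in/fan-out analysis over constructed flow records (the IP addresses, port and byte counts are made up for illustration), assigns roles from the resulting connection graph, totals the bytes each host sent to the C2 address as a starting point for the "what was extricated" question, and emits a report outline in the nested structure David describes. The thresholds and the role names are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample flows: (src_ip, dst_ip, dst_port, bytes_out).
# These are illustrative values, not evidence from any real case.
FLOWS = [
    ("10.0.1.5", "203.0.113.9", 6667, 1200),   # master A -> external C2
    ("10.0.1.5", "203.0.113.9", 6667, 800),
    ("10.0.2.7", "203.0.113.9", 6667, 950),    # master B -> external C2
    ("10.0.1.20", "10.0.1.5", 6667, 300),      # bots -> master A
    ("10.0.1.21", "10.0.1.5", 6667, 310),
    ("10.0.1.22", "10.0.1.5", 6667, 290),
    ("10.0.2.30", "10.0.2.7", 6667, 280),      # bots -> master B
    ("10.0.2.31", "10.0.2.7", 6667, 275),
    ("10.0.1.20", "203.0.113.9", 443, 50000),  # one bot uploading directly to C2
    ("10.0.3.50", "198.51.100.4", 443, 2000),  # unrelated web traffic
    ("10.0.3.50", "198.51.100.4", 80, 1000),
]

INTERNAL_PREFIX = "10.0."  # assumed corporate address range for the example


def is_internal(ip, prefix=INTERNAL_PREFIX):
    return ip.startswith(prefix)


def find_c2(flows):
    """External destination contacted by the largest number of distinct internal hosts.

    A single external address that many internal machines talk to is the
    usual signature of a central command and control server.
    """
    fan_in = defaultdict(set)
    for src, dst, _port, _nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            fan_in[dst].add(src)
    return max(fan_in, key=lambda d: len(fan_in[d]))


def classify_roles(flows, min_peers=2):
    """Assign 'c2', 'master' or 'bot' to hosts from the connection graph.

    master: an internal host that talks to the C2 and is itself contacted by
            at least `min_peers` other internal hosts (a relay / 'master node').
    bot:    an internal host that talks to a master or to the C2 directly.
    Hosts that touch neither are left out of the result.
    """
    c2 = find_c2(flows)
    talks_to_c2 = {src for src, dst, _, _ in flows if dst == c2}
    inbound = defaultdict(set)
    for src, dst, _, _ in flows:
        if is_internal(src) and is_internal(dst):
            inbound[dst].add(src)
    roles = {c2: "c2"}
    masters = {h for h in talks_to_c2 if len(inbound[h]) >= min_peers}
    for h in masters:
        roles[h] = "master"
    for src, dst, _, _ in flows:
        if is_internal(src) and src not in roles and (dst in masters or dst == c2):
            roles[src] = "bot"
    return roles


def bytes_to_c2(flows, c2):
    """Total bytes each internal host sent to the C2 address (exfiltration volume)."""
    totals = defaultdict(int)
    for src, dst, _, nbytes in flows:
        if dst == c2:
            totals[src] += nbytes
    return dict(totals)


def report_outline(roles):
    """Build the nested outline: one case report referencing per-system sub-reports."""
    by_octets = lambda ip: tuple(int(o) for o in ip.split("."))
    lines = ["Case Report", "    Network Report"]
    for host in sorted((h for h, r in roles.items() if r != "c2"), key=by_octets):
        lines.append(f"    System Report: {host} ({roles[host]})")
        lines.append("        Media Report #1")
    lines.append("    Interview Report")
    return lines


if __name__ == "__main__":
    roles = classify_roles(FLOWS)
    c2 = find_c2(FLOWS)
    print("C2:", c2)
    for host, total in sorted(bytes_to_c2(FLOWS, c2).items()):
        print(f"{host:12s} {roles.get(host, '-'):7s} {total:>7d} bytes to C2")
    print("\n".join(report_outline(roles)))
```

In a real investigation the flow records would come from the packet captures already collected, and the per-host rows (role, peers, bytes to C2) are the kind of table that belongs in the network sub-report, with the supporting pcap extracts as appendices.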
keydet89
(@keydet89)
Community Legend

Does anyone have any documentation on forensic investigation of a botnet infection?

…and…

…but putting all this together into a legally acceptable report is quite a challenge. Has anyone done anything similar, or can anyone offer any pointers in this regard?

What is "legally acceptable" in your jurisdiction?

I would suggest that it sounds like you have everything you need… I do agree that such things are a bit more involved than, say, a single system examination, but to be honest, it really sounds like you have all of your ducks in a row, as it were. If I were you, I'd suggest going back to your original post and starting by using your "what I have" as a basic table of contents, and then including the individual media analyses as appendices to the report.

To determine what is "legally acceptable" though, you'd most likely need the input of an attorney in or familiar with your jurisdiction.

H

Posted : 25/09/2007 4:36 pm