Forensic Documentation - BotNet infection

MindSmith (Senior Member)

Forensic Documentation - BotNet infection

Posted: Jul 18, 07 12:41

Hi,

Does anyone have any documentation on forensic investigation of a botnet infection?

The 'conventional-type' forensics reports don't lend themselves to such a multi-faceted investigation, and with over 67 machines that were part of this botnet (in one organisation), doing the traditional forensics investigation reports on all of them is not achievable.

I have identified the botnet components, the 'master nodes' within the corp network and, based on extensive packet analysis, I have determined the role/function assigned to each of the machines, the command and control server, samples of what data was 'extricated', etc., and some of the encrypted traffic used, I believe, to send instructions to the 'master nodes' (unable to decrypt it), but putting all this together into a legally acceptable report is quite a challenge - has anyone done anything similar or can offer any pointers in this regard?

Thanks & Regards,
_________________
#include <std.disclaimer.H> 
reverendlex (Member)

Re: Forensic Documentation - BotNet infection

Posted: Jul 22, 07 01:02

Sounds like you've got your work cut out for you. I'm working on a network intrusion case myself that looks like bot behavior.

I'm not sure of which jurisdiction you're in, but a detailed workup of what you did and found and the basis for your conclusions should suffice.

E5Pro (Senior Member)

Re: Forensic Documentation - BotNet infection

Posted: Sep 25, 07 07:03

Would love to see an abstract of this report.

kovar (Senior Member)

Re: Forensic Documentation - BotNet infection

Posted: Sep 25, 07 07:36

Greetings,

I'm working a case that requires a couple of different investigations. I was structuring my reports as follows:

Case Report:
    Network Report
    System A Report
        Media Report #1
        Media Report #2
    System B Report
        Media Report #1
        Media Report #2
    Interview Report
    ...

So there's one master case report that describes the situation and summarizes my findings. It references reports on different components of the investigation.

This sort of style would also help if you've got a team of investigators focusing on individual specialties.

-David

keydet89 (Senior Member)

Re: Forensic Documentation - BotNet infection

Posted: Sep 25, 07 15:36

MindSmith wrote:
    Does anyone have any documentation on forensic investigation of a botnet infection?

...and...

MindSmith wrote:
    ...but putting all this together into a legally acceptable report is quite a challenge - has anyone done anything similar or can offer any pointers in this regard?

What is "legally acceptable" in your jurisdiction?

I would suggest that it sounds like you have everything you need... I do agree that such things are a bit more involved than, say, a single system examination, but to be honest, it really sounds like you have all of your ducks in a row, as it were. If I were you, I'd suggest going back to your original post and starting by using your "what I have" as a basic table of contents, and then including the individual media analyses as appendices to the report.

To determine what is "legally acceptable" though, you'd most likely need the input of an attorney in or familiar with your jurisdiction.

H