University of Twente Student Theses


Finding Relations Between Botnet C&Cs for Forensic Purposes

Broenink, Ralph (2014) Finding Relations Between Botnet C&Cs for Forensic Purposes.

Abstract: Botnets, large international networks of infected computers (so-called bots), play a central part in the digital underground economy, providing the infrastructure required for a multitude of malicious activities. To keep a botnet running, the botnet owner uses specialised technologies to send control messages to his bots, while remaining resilient against take-down and hidden from detection by law enforcement agencies and rivals. Parties such as these are developing detection and take-down methodologies. However, botnet owners have the advantage: even after detection and take-down, it is hard to trace the owner, who remains unpunished and can continue his criminal career. This is a significant problem for law enforcement, as a confiscated machine may not provide direct leads. Often, it is not known which machine was managed by which miscreant or was part of which specific botnet infrastructure. In this research, we propose a novel approach to identifying the infrastructure and the miscreant to which confiscated machines belong. We define a set of characteristics that can be applied to confiscated hard disks. These are then used to extract clusters of machines with commonalities from large datasets. We validate our approach by applying it to a test dataset of 104 different disk images, showing how experts would use it to gain insight into large datasets.
Item Type: Essay (Master)
Clients: Landelijke Eenheid Politie, Driebergen, Netherlands
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject: 54 computer science
Programme: Computer Science MSc (60300)
Link to this item: https://purl.utwente.nl/essays/64998