Botnet Forensics Framework

In this section, we discuss a generic framework for botnet forensics based on existing models and research.


The Botnet Forensics Framework comprises five stages:

1. Malware:

The first phase is the Malware phase. It covers propagation, infection, communication, and attack, which together show the stages of the malware's lifecycle. IRC is the most common and widely used command-and-control channel. This phase establishes the type of malware, i.e. whether it is a botnet or some other kind of malware.

2. Botnet Forensic Investigator:

This is the second phase of the Botnet Forensics Framework. This phase focuses on:

  • Identifying whether the system is compromised or infected.
  • If the system is compromised, identifying whether it is a bot attack or some other type of attack.
  • Searching for the bot through traffic reconnaissance, attribution, automated passive analysis, and malware samples.

3. Botnet Forensic Analyzer:

This is the third phase of the Botnet Forensics Framework. This phase includes:

  • Analyzing the results generated by the identifier (Investigator) phase.
  • Carrying out the searches required by the criminal investigation.
  • If the identifier phase confirms malware, the analyzer determines what type of malware it is and where it has infected the system.
  • Finding clues backed by concrete information and forwarding all the details to the Botnet Evidence phase.
  • This phase includes stages such as analysis, investigation, examination, collection, and preservation.

4. Botnet Evidence:

This is the fourth phase of the Botnet Forensics Framework. This stage collects all the information from the previous stages and forwards it to the Incident Response phase.

5. Incident Action:

This is the last phase of the Botnet Forensics Framework. It involves three activities: containment, eradication, and recovery. The phase proceeds as follows:

  • Having gathered all the information and gained an understanding of the incident, the IR team begins to combat the threat (containment).
  • It takes actions to prevent further damage (eradication).
  • Once the threat is resolved, the recovery step restores systems to normal functionality through actions such as tightening network security, rebuilding systems, and replacing compromised files.
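The traffic-reconnaissance step of the Investigator phase, and the hand-off of its findings to the Evidence phase, as an added example that is not part of the original article. It assumes a constructed connection-log format (timestamp, source, destination, destination port, protocol, duration in seconds) and flags an external IRC endpoint shared by several internal hosts over long-lived connections, the pattern the framework's Malware phase describes.

```python
"""Investigator-phase traffic reconnaissance over constructed connection logs."""
from collections import defaultdict

# Constructed sample log lines (assumed format: ts src dst dport proto duration_s).
SAMPLE_LOG = """\
1000 10.0.0.5  203.0.113.9   6667 tcp 3600
1001 10.0.0.7  203.0.113.9   6667 tcp 3590
1002 10.0.0.9  203.0.113.9   6667 tcp 3610
1003 10.0.0.5  198.51.100.20 443  tcp 5
1004 10.0.0.8  198.51.100.21 80   tcp 2
1005 10.0.0.12 203.0.113.9   6667 tcp 30
"""

IRC_PORTS = {6667, 6697}  # plain and TLS IRC ports (assumed watch list)


def parse_log(text):
    """Parse the constructed log format into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, dur = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "dport": int(dport), "proto": proto, "duration": float(dur)})
    return records


def find_c2_candidates(records, min_hosts=3, min_duration=600):
    """Group long-lived IRC-port connections by destination and keep those
    shared by at least `min_hosts` internal hosts (a C2 rendezvous pattern)."""
    hosts_by_dst = defaultdict(set)
    for r in records:
        if r["dport"] in IRC_PORTS and r["duration"] >= min_duration:
            hosts_by_dst[r["dst"]].add(r["src"])
    return {dst: sorted(hosts) for dst, hosts in hosts_by_dst.items()
            if len(hosts) >= min_hosts}


def build_evidence(candidates):
    """Produce the records the Investigator forwards to the Evidence phase."""
    return [{"phase": "Botnet Forensic Investigator",
             "indicator": "shared long-lived IRC endpoint",
             "c2": dst, "compromised_hosts": hosts, "host_count": len(hosts)}
            for dst, hosts in candidates.items()]


if __name__ == "__main__":
    for item in build_evidence(find_c2_candidates(parse_log(SAMPLE_LOG))):
        print(item)
```

The short 30-second connection from 10.0.0.12 is intentionally left out by the duration threshold, so the analyst sees only the persistent rendezvous pattern rather than a one-off IRC session.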

Botnet Forensics – An Introduction

Botnets are programs controlled by a malicious operator known as a botmaster or botherder. The botherder sends an infection or virus to a vulnerable user's computer; its payload is a malicious application that connects back through a command and control server. Spammers purchase services from the botherder, and the botherder then issues the updated commands to the bots. Botnet forensics deals with post-mortem activities on botnet attacks and their associated vulnerabilities. Botnet forensics is of utmost importance nowadays, as it helps protect the organization from both outside and inside network attacks.

In this article, we will cover the following topics:

  • What is Botnet Forensics?
  • Classification of Botnet Forensics.
  • Botnet Forensics Framework.
  • Challenges in Botnet Forensics Framework.

Let’s get started and cover each of these sections in detail.

What is Botnet Forensics?

Botnet forensics is the science that determines the scope of a breach and applies a methodology to find out the type of infection. It is an investigation of botnet attacks that includes a set of activities such as collection, identification, detection, acquisition, and attribution. The prime objective of botnet forensics is to measure the level of intrusion, investigate the intrusion, and provide the information needed to recover from it so as to strengthen system security. The information produced by botnet forensics can be used to:

  • Strengthen security tools.
  • Understand the attacker's modus operandi.
  • Prevent potential future threats to network security.

Botnet forensics not only ensures network security but also facilitates law enforcement.
