Title Cybercrime forensics
Author Jensen, Kim Gaard
Larsen, Cecilie Marie
Supervisor Sharp, Robin (Department of Informatics and Mathematical Modeling, Technical University of Denmark, DTU, DK-2800 Kgs. Lyngby, Denmark)
Institution Technical University of Denmark, DTU, DK-2800 Kgs. Lyngby, Denmark
Thesis level Master's thesis
Year 2003
Abstract Attacks on computers occur more frequently than ever before, and such attacks can be rather time-consuming and expensive to recover from. It would be desirable if it were possible to determine the actual attacker by making a forensic investigation, as this would help the process of stopping the attacks. Furthermore, it would give the possibility of taking legal action against the attacker. Today such investigations are difficult and time-consuming, as they are often made "by hand", and it is not always possible to find the attacker due to lack of evidence. In this Master's thesis we take a look at various issues concerning computer forensics: for instance, the vulnerabilities exploited in some of the attacks categorised as Denial of Service (DoS), Distributed Denial of Service (DDoS) and virus attacks; how an organisation such as DK-CERT performs an investigation today; and already published proposals concerning traceback. Based on the knowledge collected while studying these issues, we introduce a method to investigate viruses propagating through mail. The idea is to trace the originator by comparing the patterns made by the virus on the outgoing servers. This pattern is referred to as the Pattern of Propagation (PP). Testing and verification of the method and its concepts are presented. These tests are made on viruses propagating in a closed network. It is verified that a PP exists for the viruses tested, and that the PP is recognisable when blended with normal traffic. It is concluded that it would be possible to trace some viruses, presuming, among other things, that the sender address is correct.
Imprint Department of Informatics and Mathematical Modeling, Technical University of Denmark, DTU : DK-2800 Kgs. Lyngby, Denmark
Keywords Cybercrime Forensics; DoS; DDoS; Virus; Spoofing; Forensic Investigation; Traceback; Pattern of Propagation (PP)
Original compressed Postscript (0.56 MB)
Derived PDF eksproj2e.pdf (0.64 MB)
Original Postscript (20.07 MB)
Admin Creation date: 2006-06-22    Update date: 2012-12-20    Source: dtu    ID: 58627    Original MXD