Brian Cusack


Botnets are responsible for a large percentage of the damage and criminal activity on the Internet. They have shifted attacks from push activities to pull techniques for the distribution of malware, and they continue to provide economic advantages to the exploiters at the expense of legitimate Internet service users. In our research we asked: what is the cost of the procedural steps for forensically investigating a Botnet attack? The research method applies investigation guidelines provided by other researchers and evaluates these guidelines in terms of the cost to a digital forensic investigator. We conclude that investigation of Botnet attacks is both possible and procedurally feasible for a forensic investigator, but that scope management is critical for controlling the cost of investigation. We recommend quantifying Botnet investigations into five levels of cost based on time, complexity and technical requirements.


Botnets; Cybercrime; Investigating; Techniques; Costs; Research







This work is licensed under a Creative Commons Attribution 4.0 International License.

(c) 2006-2015 Association of Digital Forensics, Security and Law