Botnet Forensics

  • R. C. Joshi
  • Emmanuel S. Pilli
Part of the Computer Communications and Networks book series (CCN)


A botnet is a network of compromised computers controlled by attackers. This chapter discusses botnet forensics and its relevance to network forensics. To frame the botnet threat, it covers botnet architectures, protocols, and the botnet life cycle. It then describes the standard botnet forensic process and its investigation techniques; botnet forensics consists of acquisition, analysis, and attribution phases. Finally, it discusses the research challenges in botnet forensics and its investigation.


Keywords: Forensic Investigation; Super Peer; Botnet Detection; Static Code Analysis; Forensic Environment



Copyright information

© Springer-Verlag London 2016

Authors and Affiliations

  • R. C. Joshi (1)
  • Emmanuel S. Pilli (2)

  1. Graphic Era University, Dehradun, India
  2. Malaviya National Institute of Technology, Jaipur, India
