Finding Relations between Botnet C&cs for Forensic Purposes

Botnets, large international networks of infected computers (so-called bots), play a central part in the digital underground economy, providing the infrastructure required for a multitude of malicious activities. To ensure a botnet keeps running, the botnet owner utilizes specialized technologies to send control messages to his bots, while keeping resilience against take down and stealth against detection from law enforcement agencies and rivals. Parties such as these are developing detection and take down methodologies. However, botnet owners are in the advantage: even a er detection and take down, it is hard to trace the owner, who remains unpunished and can continue his criminal career. ¿is proves to be a signi cant problem for law enforcement, as a con scated machine may not provide direct leads. O en, it is not known which machine was managed by which miscreant or was part of which speci c botnet infrastructure. In this research, we propose a novel approach in identifying the infrastructure and miscreant belonging to con scated machines. We de ne a set of characteristics that can be applied to con scated hard disks. ¿ese will then be used to extract clusters of machines with commonalities from large datasets.We will validate our approach by applying it to a test dataset of 104 di erent disk images, showing how experts would use this to gain insight in large datasets.