
Study of Peer-to-Peer Network Based Cybercrime Investigation: Application on Botnet Technologies
by
Mark Scanlon, B.A. (Hons.), M.Sc.
A thesis submitted to University College Dublin
for the degree of Ph.D. in the College of Science
October 2013
School of Computer Science and Informatics
Mr. John Dunnion, M.Sc. (Head of School)
Under the supervision of
Prof. M-Tahar Kechadi, Ph.D.

DEDICATION
This thesis is dedicated to my wife, Joanne, who has supported, encouraged
and motivated me throughout the last nine years and has been especially
patient and thoughtful throughout my research. This thesis is also dedicated
to my parents, Philomena and Larry Scanlon.

CONTENTS
Acknowledgements viii
List of Tables ix
List of Figures x
List of Abbreviations xiii
Abstract xvii
List of Publications xix
1 Introduction 1
  1.1 Background 1
  1.2 Research Problem 2
  1.3 Contribution of this Work 4
  1.4 Limitations of this Work 5
  1.5 Structure of the Thesis 5
2 Digital Forensic Investigation; State of the Art 7
  2.1 Introduction 7
  2.2 Computer Forensic Investigation 8
    2.2.1 Network Forensic Investigation 9
  2.3 Network Investigation Tools 10
    2.3.1 TCPDump/WinDump 10
    2.3.2 Ethereal 11

    2.3.3 Network Forensic Analysis Tools 12
    2.3.4 Security Incident and Event Manager Software 12
  2.4 Packet Inspection Hardware 12
  2.5 Evidence Storage Formats 13
    2.5.1 Common Digital Evidence Storage Format 14
    2.5.2 Raw Format 14
    2.5.3 Advanced Forensic Format 15
    2.5.4 Generic Forensic Zip 15
    2.5.5 Digital Evidence Bag (QinetiQ) 15
    2.5.6 Digital Evidence Bag (WetStone Technologies) 16
    2.5.7 EnCase Format 17
  2.6 Evidence Handling 17
    2.6.1 What does "Forensically Sound" really mean? 18
  2.7 Cryptographic Hash Functions 19
    2.7.1 Collision Resistance 20
    2.7.2 Avalanche Effect 21
    2.7.3 Overview of Common Hashing Algorithms 21
  2.8 Court Admissible Evidence 25
    2.8.1 Daubert Test 25
  2.9 Legal Considerations of Network Forensics 27
  2.10 Summary 28
3 Peer-to-Peer File-Sharing 29
  3.1 Introduction 29
    3.1.1 Financial Impact on Content Producing Industry 30
  3.2 Legislative Response to Online Piracy 31
  3.3 Peer-to-Peer File-sharing System Design 33
    3.3.1 Centralised Design 33
    3.3.2 Decentralised Design 35
    3.3.3 Hybrid Design 36
  3.4 Peer-to-Peer File-sharing Networks 38
    3.4.1 Napster 38
    3.4.2 Gnutella 39
    3.4.3 eDonkey 41

    3.4.4 BitTorrent 41
  3.5 Anti-Infringement Measures 45
    3.5.1 Attacks on Leechers 45
    3.5.2 Pollution 46
  3.6 Forensic Process/State of the Art 46
    3.6.1 Network Crawling 46
    3.6.2 Deep Packet Inspection 47
    3.6.3 Identifying Copyrighted Content 47
  3.7 Forensic Counter-measures 48
    3.7.1 Anonymous Proxies 48
    3.7.2 Encrypted Traffic 49
    3.7.3 IP Blocking 49
  3.8 Malware Risks on P2P Networks 49
  3.9 Summary and Discussion 51
    3.9.1 Weaknesses of Current Investigative Approaches 51
4 Botnet Investigation 52
  4.1 Introduction 52
  4.2 Botnet Architectures 54
    4.2.1 Client/Server Botnet Design 55
    4.2.2 P2P Design 59
    4.2.3 Hybrid Design 60
  4.3 Botnet Lifecycle 60
    4.3.1 Spreading and Infection Phase 63
    4.3.2 Secondary Code Injection Phase 64
    4.3.3 Command and Control Phase 65
    4.3.4 Attack Phase 66
    4.3.5 Update and Maintenance Phase 66
  4.4 Underground Economy 67
    4.4.1 Valuation 68
    4.4.2 Spamming 68
    4.4.3 Phishing 70
    4.4.4 Scamming the Scammers 70
  4.5 Botnet Powered Attacks 71

