Title: A comparative study of attributes for gathering admissible evidence in the investigation of distributed denial of service (DDoS) attacks

Authors: Joshua Ojo Nehinbe

Addresses: School of Computer Science and Electronic Engineering Systems, University of Essex, CO4 3SQ, Colchester, UK

Abstract: Global crises have widened the scope of criminal activities that intruders commit on computer networks. However, available litigation to charge intruders is ineffective because most electronic evidence obtained from intrusion logs is inadmissible in several courts of law. Therefore, this paper critically discusses the concept of admissible evidence in courts of law and how forensics experts can extract it from intrusion logs. This paper also discusses a model that adopts information theory to reclassify the attributes of intrusions that are used to extract admissible evidence. Evaluations demonstrate that the majority of the attributes of distributed denial of service attacks are less informative. The results suggest that type of service, TCP flags, TTL, length of packet, destination IP address, TCP acknowledgement and IP protocol are less informative, while source addresses, destination port address and timestamp are informative attributes for forensic investigation of the distributed denial of service attacks investigated in this paper.

Keywords: network forensics; intrusion logs; IDS; admissible evidence; e-criminals; online crime; distributed denial of service; DDoS attacks; information theory; digital forensics; intrusion detection systems.

DOI: 10.1504/IJITST.2012.047958

International Journal of Internet Technology and Secured Transactions, 2012 Vol.4 No.2/3, pp.121 - 138

Received: 19 Sep 2011
Accepted: 16 Mar 2012

Published online: 09 Aug 2014
