A comparative study of attributes for gathering admissible evidence in the investigation of distributed denial of service (DDoS) attacks

Abstract

Global crises have widened the scope of criminal activities that intruders commit on computer networks. However, available litigations to charge intruders are ineffective because most electronic evidence obtained from intrusion logs are inadmissible in several courts of law. Therefore, this paper critically discusses the concept of admissible evidence in courts of law and how forensics experts can extract them from intrusion logs. This paper also discusses a model that adopts information theory to reclassify attributes of intrusions that are used to extract admissible evidence. Evaluations demonstrate that majority of the attributes of distributed denial of service attacks are less informative. The results suggest that type of service, TCP flags, TTL, length of packet, destination IP address, TCP acknowledgement and IP protocol are less informative while source addresses, destination port address and timestamp are informative attributes for forensics investigation of distributed denial of service attacks investigated in this paper.