Computer Crime

A distributed denial-of-service attack, also known as a DDoS attack, is a malicious attempt to disrupt a targeted server's, service's, or network's regular traffic by flooding the target or its surrounding infrastructure with Internet traffic.

DDoS attacks are carried out with networks of Internet-connected machines. These networks consist of computers and other devices (such as IoT devices) which have been infected with malware, allowing them to be controlled remotely by an attacker. These individual devices are referred to as bots (or zombies), and a group of bots is called a botnet. Once a botnet has been established, the attacker is able to direct an attack by sending remote instructions to each bot. When a victim’s server or network is targeted by the botnet, each bot sends requests to the target’s IP address, potentially causing the server or network to become overwhelmed, resulting in a denial-of-service to normal traffic. Because each bot is a legitimate Internet device, separating the attack traffic from normal traffic can be difficult. (2022)

As technology has become commonplace over the years, the number of internet users has increased.

Figure 1: The number of internet users over the years

From https://financesonline.com/number-of-internet-users/

The figure above shows that the number of people increased from 1.1 million in 2006 to 5.1 million in 2020. DDoS attacks have also been increasing. According to a survey by Cloudflare, ransom DDoS attacks increased by almost a third between 2020 and 2021 and jumped by 175% in the final quarter of 2021 compared to the previous three months. (DDoS attacks that come combined with extortion demands are on the rise, 2022)

Sample Case

From (2022)

Source of Evidence

One source of evidence regarding the DDoS attack by Mr Rakshan is the ten email addresses he used to facilitate the offence. He used them to email the victims who had posted information regarding his 2013 criminal conviction in Canada. Mr Rakshan would also send emails bragging about successfully DDoS attacking the victims and would threaten additional attacks on them. From the email addresses, we can find out the IP address of Mr Rakshan by matching the IP addresses across the emails. The private IP address found with the emails can then be used by the authorities to ask the ISP for Mr Rakshan’s location. The authorities or cyber security investigators are then able to get a search warrant.

Another source of evidence is the internet history on Mr Rakshan’s computer. After seizing the computer, investigators can find out what Mr Rakshan was searching for and which tools he used or bought by looking at the sites he visited and the internet searches he made. As stated above, they were able to find out that Mr Rakshan bought and used booster services, namely ItsFluffy and RageBooster, to DDoS attack the victims.

Collection of Evidence

Although it is not specified in the article, we can theorize that the evidence of the DDoS attacks was collected by tracing the emails sent to all the victims' email addresses: in the long header of each email, the forensic experts would look at the IP address of the sender. After examining all of the emails and matching the IP addresses of all of the sender’s email addresses, they can prove that the emails sent to harass and threaten the victims came from the same place. Verification from the ISP for the IP address will give the forensic experts the address of the user of that IP address at that time.

Figure 2: The long header of the email
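The header matching described above can be sketched as follows. This is an added example, not taken from the case or from any tool the investigators used; the messages, addresses and IPs are constructed samples (documentation ranges and `.example` domains), and only bracketed IPv4 addresses are handled.

```python
import email
import ipaddress
import re
from collections import defaultdict
from email.utils import parseaddr

# Ranges that never identify a subscriber on the public internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def make_sample(sender, client_ip):
    # Constructed message; relays prepend Received lines, so the newest hop is first.
    return (
        "Received: from relay.mailhost.example (relay.mailhost.example [198.51.100.25])\n"
        "\tby mx.victim.example with ESMTP; Mon, 01 Jan 2018 10:00:05 +0000\n"
        f"Received: from [10.0.0.5] (unknown [{client_ip}])\n"
        "\tby relay.mailhost.example with ESMTPSA; Mon, 01 Jan 2018 10:00:01 +0000\n"
        f"From: {sender}\nTo: editor@victim.example\nSubject: constructed sample\n\nbody\n"
    )

SAMPLES = [make_sample("a1@mail.example", "203.0.113.77"),
           make_sample("b2@mail.example", "203.0.113.77"),
           make_sample("c3@other.example", "192.0.2.10")]

def origin_ip(raw):
    """Return (sender address, first routable IPv4 in the earliest Received hop)."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    # Hops below the recipient's own mail server are written by systems the
    # sender may control, so the result is a lead to confirm with provider logs.
    for hop in reversed(msg.get_all("Received", [])):
        for candidate in BRACKETED_IPV4.findall(hop):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:        # malformed value such as [999.1.1.1]
                continue
            if not any(ip in net for net in NON_ROUTABLE):
                return sender, str(ip)
    return sender, None

def correlate(raw_messages):
    """Map each origin IP to the sender addresses seen from it, if more than one."""
    by_ip = defaultdict(set)
    for raw in raw_messages:
        sender, ip = origin_ip(raw)
        if ip:
            by_ip[ip].add(sender)
    return {ip: sorted(addrs) for ip, addrs in by_ip.items() if len(addrs) > 1}

if __name__ == "__main__":
    print(correlate(SAMPLES))
```

Many webmail providers do not record the client's IP in the headers at all, in which case `origin_ip` returns the provider's relay and the subscriber information has to come from the provider's own logs.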

A way to collect Mr Rakshan’s internet use is browser forensics: using the cache and cookies, a browser forensic tool can show which websites Mr Rakshan opened and what he downloaded.

Figure 3: How cache view works

Protection of Evidence

Once the forensic experts have seized Mr Rakshan’s computer, they must first keep it in an isolated chamber that prevents any connection to the network. They must also document the chain of custody, as stated: “In the chain of custody, the names, titles, and contact information of the individuals who identified, collected, and acquired the evidence should be documented, as well as any other individuals the evidence was transferred to, details about the evidence that was transferred, the time and date of transfer, and the purpose of the transfer” (Cybercrime Module 6 Key Issues: Handling of Digital Evidence, 2022).

Another step in protecting the evidence is by “imaging” also known as. “Digital forensic imaging is defined as the processes and tools used in copying a physical storage device for conducting investigations and gathering evidence. This copy doesn't just include files, which are visible to the operating system, but every bit of data, every sector, partition, files, folders, master boot records, deleted files, and unallocated spaces. The image is an identical copy of all the drive structures and contents” (Digital Forensic Imaging: Types & Examples, 2022). “Forensic imaging is the court of law accepted standard for the preservation of computer-based evidence. As per section 65 (B) of the Indian Evidence Act, 1872, it is admissible in the court of law provided that it is not being tampered.” (KNOWLEDGE, GK and Javaid, 2022)
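The two protections above, an identical image and a documented chain of custody, can be tied together with a cryptographic hash. The following is an added example, not part of the original article or of any forensic product; the "drive" is a small constructed file, the names and record fields are hypothetical, and a real acquisition would read the seized device through a write blocker with a dedicated imaging tool.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image, chunk=1 << 20):
    """Copy every byte of source into image; return the SHA-256 of the bytes read."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        while block := src.read(chunk):
            h.update(block)
            dst.write(block)
    return h.hexdigest()

def custody_entry(log, image, acquired_hash, from_person, to_person, purpose):
    """Record a transfer, refusing if the image no longer matches its acquisition hash."""
    current = sha256_file(image)
    if current != acquired_hash:
        raise ValueError("image hash mismatch: evidence altered since acquisition")
    log.append({"time_utc": datetime.now(timezone.utc).isoformat(),
                "from": from_person, "to": to_person,
                "purpose": purpose, "sha256": current})
    return log[-1]

def demo():
    with tempfile.TemporaryDirectory() as d:
        source, image = os.path.join(d, "disk.raw"), os.path.join(d, "disk.img")
        with open(source, "wb") as f:      # constructed stand-in for a seized drive
            f.write(b"MBR" + b"\x00" * 4096 + b"deleted-file-remnant")
        digest = acquire_image(source, image)
        log = []
        custody_entry(log, image, digest, "Examiner A", "Evidence locker", "storage")
        with open(image, "r+b") as f:      # simulate one altered byte in the image
            f.seek(10)
            f.write(b"\x01")
        try:
            custody_entry(log, image, digest, "Evidence locker", "Examiner B", "analysis")
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return digest == sha256_file(source), len(log), tamper_detected

if __name__ == "__main__":
    print(demo())
```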

Conclusion

References

2022. [online] Available at: <https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/> [Accessed 4 June 2022].

ZDNet. 2022. DDoS attacks that come combined with extortion demands are on the rise. [online] Available at: <https://www.zdnet.com/article/ddos-attacks-that-come-combined-with-extortion-demands-are-on-the-rise/> [Accessed 5 June 2022].

KNOWLEDGE, G., GK, C. and Javaid, A., 2022. What is Forensic Cloning? Can deleted data from your mobile phone be recovered through this method?. [online] Jagranjosh.com. Available at: <https://www.jagranjosh.com/general-knowledge/forensic-cloning-of-the-digital-devices-1601965064-1> [Accessed 7 June 2022].

2022. [online] Available at: <https://www.justice.gov/usao-ndtx/pr/man-receives-maximum-sentence-ddos-attack-legal-news-aggregator> [Accessed 4 June 2022].

Unodc.org. 2022. Cybercrime Module 6 Key Issues: Handling of Digital Evidence. [online] Available at: <https://www.unodc.org/e4j/en/cybercrime/module-6/key-issues/handling-of-digital-evidence.html> [Accessed 7 June 2022].

Study.com. 2022. Digital Forensic Imaging: Types & Examples. [online] Available at: <https://study.com/academy/lesson/digital-forensic-imaging-types-examples.html#:~:text=Digital%20forensic%20imaging%20is%20defined,conducting%20investigations%20and%20gathering%20evidence.> [Accessed 7 June 2022].

author : Jorden Griffin

The main component of a healthy environment for self-esteem is that it needs to be nurturing. The main component of a healthy environment.
