@MASTERSTHESIS{IMM2003-01667,
  author = "K. G. Jensen and C. M. Larsen",
  title = "Cybercrime forensics",
  year = "2003",
  keywords = "Cybercrime Forensics, DoS, DDoS, Virus, Spoofing, Forensic Investigation, Traceback, Pattern of Propagation (PP)",
  school = "Informatics and Mathematical Modelling, Technical University of Denmark, {DTU}",
  address = "Richard Petersens Plads, Building 321, {DK-}2800 Kgs. Lyngby",
  type = "",
  url = "http://www2.compute.dtu.dk/pubdb/pubs/1667-full.html",
  abstract = "Attacks on computers occur more frequently than ever before and such attacks can be rather time-consuming and expensive to recover from. It would be desirable if it was possible to determine the actual attacker by making a forensic investigation, as this would help the process of stopping the attacks. Furthermore it would give the possibility of taking legal actions against the attacker. Today such investigations are difficult and time-consuming as they are often made ``by-hand'', and it is not always possible to find the attacker due to lack of evidence. In this Master's thesis we take a look at various issues concerning computer forensics. For instance the vulnerabilities exploited in some of the attacks categorised as Denial of Service (DoS), Distributed Denial of Service (DDoS) and virus, how an organisation such as {DK-CERT} performs an investigation today, and already published proposals concerning traceback. Based on the knowledge collected while studying these issues we introduce a method to investigate viruses propagating through mail. The idea is to trace the originator by making a comparison of the patterns made by the virus on the outgoing servers. This pattern is referred to as Pattern of Propagation (PP). Testing and verification of the method and its concepts are presented. These tests are made on viruses propagating in a closed network. It is verified that a {PP} exists for the viruses tested, and the {PP} is recognisable blended with normal traffic. It is concluded that it would be possible to trace some viruses presuming, among other things, that the sender address is correct."
}