IoT Botnet Forensics: A Comprehensive Digital Forensic Case Study on Mirai Botnet Servers

Forensic Science International: Digital Investigation (2020)

Abstract
Internet of Things (IoT) bot malware is relatively new and not yet well understood forensically, despite its potential role in a broad range of malicious cyber activities. For example, it was abused to facilitate the distributed denial of service (DDoS) attack that took down a significant portion of the Internet on October 21, 2016, keeping millions of people from accessing over 1200 websites, including Twitter and Netflix, for nearly an entire day. The widespread adoption of an estimated 50 billion IoT devices, together with the increasing interconnectivity of those devices with traditional networks and, with the advent of fifth generation (5G) networks, with one another, underscores the need for IoT botnet forensics. This study is the first published, comprehensive digital forensic case study on one of the best-known families of IoT bot malware, Mirai. Past research has largely studied the botnet architecture and analyzed the Mirai source code (and that of its variants) through traditional static and dynamic malware analysis, but has not fully and forensically analyzed infected devices or Mirai network devices. In this paper, we set up a fully functioning Mirai botnet network architecture and conduct a comprehensive forensic analysis of the Mirai botnet server. We discuss the forensic artifacts left on the attacker's terminal, the command and control (CNC) server, the database server, the scan receiver and the loader, as well as the network packets exchanged among them. We also discuss how a forensic investigator might acquire some of these artifacts remotely, without direct physical access to the botnet server itself. This research provides findings tactically useful to forensic investigators, not only from the perspective of what data can be obtained (e.g., IP addresses of bot members), but also about which device an investigator should target for acquisition and investigation to obtain the most investigatively useful information.
Keywords
Mirai, IoT malware, Forensics, Botnet server