Australian Digital Forensics Conference

Document Type

Conference Proceeding


School of Computer and Information Science, Edith Cowan University, Perth, Western Australia


This paper analyses data collected over a nine month period in a simple VoIP honeypot based on simple design initially put forward by Usken(2009). The honeypot collected 2083 events of malfeasant activity directed towards commonly used VoIP ports. These events resulted in a range of activity being recorded from simple enumeration to advanced probing and attempts to compromise the victim honeypot. The analysis involved traditional statistics from packet analysis, using customised scripts for extraction of data and graphical analysis using i2 Analyst Workstation. The analysis has uncovered an escalation of network activity directed towards the honeypot over a nine month period. Initial geographical IP resolutions also see the majority of traffic emanating from the Chinese IP space. There is strong evidence to suggest that there is a botnet or worm like malcode being directed or developed for VoIP routers.


8th Australian Digital Forensics Conference, Edith Cowan University, Perth Western Australia, November 30th 2010