<![CDATA[The global transition to IPv6 has introduced new attack surfaces within core network protocols, particularly the Neighbor Discovery Protocol (NDP). One of the most critical yet often overlooked threats is the Neighbor Advertisement (NA) Flood attack. Unlike conventional volumetric DDoS attacks aimed at saturating network bandwidth, NA Flood exploits the Stateless Address Autoconfiguration (SLAAC) mechanism to trigger resource exhaustion on target devices. Investigating such incidents presents unique forensic challenges, as attack traces in volatile memory are often lost when using traditional dead forensics methods. This study implements a real-time forensic investigation approach by integrating Live Forensics methods with the Digital Forensic Framework for Reviewing and Investigating Cyber Attack (D4I). This method is applied to acquire crucial volatile artifacts during the attack and reconstruct the modus operandi through Cyber Kill Chain (CKC) mapping and Chain of Artifacts (CoA) construction. Experimental results demonstrate that NA Flood attacks possess dangerous asymmetric characteristics: generating low network traffic (4.71 Mbps) while causing a CPU surge of up to 50% and a memory increase of 89.5 MB on the target server. The novelty of this study lies in the integration of Live Forensics with the D4I framework to acquire volatile data in real-time and systematically transform raw artifacts into a comprehensive forensic conclusion. This approach successfully reconstructs the 5W1H (Who, What, Where, When, Why, How) elements of the incident and visualizes the shift of the point of failure from the network infrastructure to the endpoint, offering a robust model for investigating protocol-based resource exhaustion attacks.]]>
Copyrights © 2026
