ICMP flooding is a denial-of-service attack that overwhelms a target with high-rate ICMP packets, degrading service availability. End-to-end network forensic reporting, from identification through to evidence presentation, remains limited. This study applies the Digital Forensic Research Workshop (DFRWS) process model (Identification, Preservation, Collection, Examination, Analysis, and Presentation) to investigate ICMP flooding in a controlled virtualized environment. The primary artifacts are baseline PCAPs (5 runs) and attack PCAPs (5 runs), analyzed with capinfos to extract capture duration (T), packet count (N), average packet rate (pps), and file size. Results indicate that the baseline traffic (normal system activity in the VM laboratory) runs at 9 pps over 58.91 s with a file size of approximately 66 kB, while attack traffic reaches 2,000 pps over 6.39 s with an average file size of approximately 18.2 MB. Comparing the two conditions yields a packet-rate amplification of F = 2000/9 = 222× and a file-size increase of approximately 280× (18.2 MB versus 66 kB). The extreme pps spike observed under the attack condition reflects a volumetric attack pattern that operationally correlates with resource exhaustion and reduced service availability, indicating that the PCAP artifacts support not only statistical anomaly detection but also event-level evidence of a denial-of-service incident. All attack runs exceed 1,000 pps (5/5; 100%), and all baseline runs remain stable at 9 pps (5/5; 100% [1]), indicating consistent volumetric evidence. Preservation procedures using read-only storage and SHA-256 hashing ensure artifact integrity and traceability, thereby supporting the admissibility of the PCAPs as valid digital evidence in controlled virtual machine experiments.
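The comparison described above, as an added worked example that is not part of the paper: the capinfos-style per-capture metrics (T, N, file size), the derived pps, the amplification factor F and file-size ratio, the 1,000 pps volumetric threshold, and the SHA-256 integrity check from the preservation step. The run names, the packet counts and the hash-verification helper are constructed assumptions chosen to reproduce the abstract's figures.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass
class CaptureStats:
    """Capture-level metrics of the kind capinfos reports for one PCAP."""
    name: str
    duration_s: float   # capture duration T
    packets: int        # packet count N
    size_bytes: int     # on-disk file size

    @property
    def pps(self) -> float:
        """Average packet rate N / T; a zero-length capture has no rate."""
        if self.duration_s <= 0:
            raise ValueError(f"{self.name}: capture duration must be positive")
        return self.packets / self.duration_s


# Constructed sample runs (assumed values modelled on the abstract's figures:
# ~9 pps over 58.91 s / 66 kB baseline, 2,000 pps over 6.39 s / 18.2 MB attack).
BASELINE_RUNS = [CaptureStats(f"baseline_{i}", 58.91, 530, 66_000) for i in range(1, 6)]
ATTACK_RUNS = [CaptureStats(f"attack_{i}", 6.39, 12_780, 18_200_000) for i in range(1, 6)]


def mean(xs: Iterable[float]) -> float:
    xs = list(xs)
    return sum(xs) / len(xs)


def amplification(baseline: List[CaptureStats], attack: List[CaptureStats]) -> Tuple[float, float]:
    """Return (F, size_ratio): mean attack pps / mean baseline pps, and the
    corresponding mean file-size ratio."""
    f = mean(a.pps for a in attack) / mean(b.pps for b in baseline)
    size_ratio = mean(a.size_bytes for a in attack) / mean(b.size_bytes for b in baseline)
    return f, size_ratio


def volumetric_runs(runs: List[CaptureStats], threshold_pps: float = 1000.0) -> List[str]:
    """Names of runs whose average rate exceeds the volumetric threshold."""
    return [r.name for r in runs if r.pps > threshold_pps]


def sha256_hex(data: bytes) -> str:
    """Digest recorded at preservation time for each PCAP artifact."""
    return hashlib.sha256(data).hexdigest()


def integrity_intact(data: bytes, recorded_digest: str) -> bool:
    """Re-hash the artifact and compare against the digest in the chain of custody."""
    return sha256_hex(data) == recorded_digest.lower()
```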
Copyrights © 2026