Algorithms
Secure audit logs to support computer forensics
ACM Transactions on Information and System Security (TISSEC)
System Administration: Secure Logging Over a Network
Linux Journal
Using encryption for authentication in large networks of computers
Communications of the ACM
Security problems in the TCP/IP protocol suite
ACM SIGCOMM Computer Communication Review
Introduction to Computer Security
Introduction to Computer Security
Tamper detection in audit logs
VLDB '04 Proceedings of the Thirtieth international conference on Very large data bases - Volume 30
Hi-index | 0.00 |
This research proposes a novel technique for authenticating and validating syslogs for forensic analysis. This technique uses a modification of the Needham Schroeder protocol, which uses nonces (numbers used only once) and public keys. Syslogs, which were developed from an event-logging perspective and not from an evidence-sustaining one, are system treasure maps that chart out and pinpoint attacks and attack attempts. Over the past few years, research on securing syslogs has yielded enhanced syslog protocols that focus on tamper prevention and detection. However, many of these protocols, though efficient from a security perspective, are inadequate when forensics comes into play. From a legal perspective, any kind of evidence found at a crime scene needs to be validated. In addition, any digital forensic evidence when presented in court needs to be admissible, authentic, believable, and reliable [4]. Currently, a patchy log on the server side and client side cannot be considered as formal authentication of a wrong doer [5]. This paper presents a method that ties together, authenticates, and validates all the entities involved in the crime scene---the user using the application, the system that is being used, and the application being used on the system by a user. This means that instead of merely transmitting the header and the message, which is the standard syslog protocol format, the syslog entry along with the user fingerprint, application fingerprint, and system fingerprint are transmitted to the logging server. The assignment of digital fingerprints and the addition of a challenge response mechanism to the underlying syslogging mechanism aim to validate generated syslogs forensically.