A Formal Approach for the Forensic Analysis of Logs

Authors:
Ali Reza Arasteh;Mourad Debbabi;Assaad Sakha
Affiliations:
Computer Security Laboratory, Concordia University, Montreal, Quebec, Canada, a_araste@encs.concordia.c;Computer Security Laboratory, Concordia University, Montreal, Quebec, Canada, debbabi@ciise.concordia.ca;Computer Security Laboratory, Concordia University, Montreal, Quebec, Canada, a_sakha@encs.concordia.ca
Venue:
Proceedings of the 2006 conference on New Trends in Software Methodologies, Tools and Techniques: Proceedings of the fifth SoMeT_06
Year:
2006

Citing 15
Cited 0

A requires/provides model for computer attacks

Proceedings of the 2000 workshop on New security paradigms
Computer forensics: incident response essentials

Computer forensics: incident response essentials
Constructing attack scenarios through correlation of intrusion alerts

Proceedings of the 9th ACM conference on Computer and communications security
Practical automated detection of stealthy portscans

Journal of Computer Security
A new logic for electronic commerce protocols

Theoretical Computer Science - Special issue: Algebraic methodology and software technology
Probabilistic Alert Correlation

RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Aggregation and Correlation of Intrusion-Detection Alerts

RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Managing Alerts in a Multi-Intrusion Detection Environment

ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
Clustering intrusion detection alarms to support root cause analysis

ACM Transactions on Information and System Security (TISSEC)
Automated Analysis for Digital Forensic Science: Semantic Integrity Checking

ACSAC '03 Proceedings of the 19th Annual Computer Security Applications Conference
Security Warrior

Security Warrior
The Windows Server 2003 Security Log Revealed

The Windows Server 2003 Security Log Revealed
A mission-impact-based approach to INFOSEC alarm correlation

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
M2D2: a formal data model for IDS alert correlation

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Finite state machine approach to digital event reconstruction

Digital Investigation: The International Journal of Digital Forensics & Incident Response

Quantified Score

Hi-index	0.00

Visualization

Abstract

The increasing trend of computer crimes has intensified the relevance of cyber-forensics. In such a context, forensic analysis plays a major role by analyzing the evidence gathered from the crime scene and corroborating facts about the committed crime. In this paper, we propose a formal approach for the forensic log analysis. The proposed approached is based on the logical modelling of the events and the traces of the victim system as formulas over a modified version of the ADM logic[12]. In order to illustrate the proposed approach, the Windows auditing system[21] is studied. We will discuss the importance of the different features of such a system from the forensic standpoint (e.g. the ability to log accesses to specific files and registry keys and the abundance of information that can be extracted from these logs). Furthermore, we will capture logically: Invariant properties of a system, forensic hypotheses, generic or specific attack signatures. Moreover, we will discuss the admissibility of forensics hypotheses and the underlying verification issues.