Forensic analysis of logs: Modeling and verification

Information stored in logs of a computer system is of crucial importance to gather forensic evidence of investigated actions or attacks against the system. Analysis of this information should be rigorous and credible, hence it lends itself to formal methods. We propose a model checking approach to the formalization of the forensic analysis of logs. The set of logs of a certain system is modeled as a tree whose labels are events extracted from the logs. In order to provide a structure to these events, we express each event as a term of a term algebra. The signature of the algebra is carefully chosen to include all relevant information necessary to conduct the analysis. Properties of the model are expressed as formulas of a logic having dynamic, linear, temporal, and modal characteristics. Moreover, we provide a tableau-based proof system for this logic upon which a model checking algorithm can be developed. In order to illustrate the proposed approach, the Windows auditing system is studied. The properties that we capture in our logic include invariant properties of a system, forensic hypotheses, and generic or specific attack signatures. Moreover, we discuss the admissibility of forensics hypotheses and the underlying verification issues.

[1]  Rance Cleaveland,et al.  Tableau-based model checking in the propositional mu-calculus , 1990, Acta Informatica.

[2]  Alfonso Valdes,et al.  Probabilistic Alert Correlation , 2001, Recent Advances in Intrusion Detection.

[3]  Ahmed Patel,et al.  Formalising Event Time Bounding in Digital Investigations , 2005, Int. J. Digit. EVid..

[4]  Hervé Debar,et al.  M2D2: A Formal Data Model for IDS Alert Correlation , 2002, RAID.

[5]  Axel W. Krings,et al.  A Formalization of Digital Forensics , 2004, Int. J. Digit. EVid..

[6]  Peng Ning,et al.  Constructing attack scenarios through correlation of intrusion alerts , 2002, CCS '02.

[7]  Randy Franklin Smith The Windows Server 2003 Security Log Revealed , 2007 .

[8]  Cyrus Peikari,et al.  Security Warrior , 2004 .

[9]  Peng Ning,et al.  Alert correlation through triggering events and common resources , 2004, 20th Annual Computer Security Applications Conference.

[10]  Hervé Debar,et al.  Aggregation and Correlation of Intrusion-Detection Alerts , 2001, Recent Advances in Intrusion Detection.

[11]  Warren G. Kruse,et al.  Computer Forensics: Incident Response Essentials , 2001 .

[12]  Karl N. Levitt,et al.  Automated analysis for digital forensic science: semantic integrity checking , 2003, 19th Annual Computer Security Applications Conference, 2003. Proceedings..

[13]  Alfonso Valdes,et al.  A Mission-Impact-Based Approach to INFOSEC Alarm Correlation , 2002, RAID.

[14]  C. Hosmer Time-lining computer evidence , 1998, 1998 IEEE Information Technology Conference, Information Environment for the Future (Cat. No.98EX228).

[15]  Peter Stephenson Modeling of Post-Incident Root Cause Analysis , 2003, Int. J. Digit. EVid..

[16]  Klaus Julisch,et al.  Clustering intrusion detection alarms to support root cause analysis , 2003, TSEC.

[18]  Stuart Staniford-Chen,et al.  Practical Automated Detection of Stealthy Portscans , 2002, J. Comput. Secur..

[19]  Frédéric Cuppens,et al.  Alert correlation in a cooperative intrusion detection framework , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[20]  Hervé Debar,et al.  Correlation of Intrusion Symptoms: An Application of Chronicles , 2003, RAID.

[21]  Mourad Debbabi,et al.  A new logic for electronic commerce protocols , 2000, Theor. Comput. Sci..

[22]  Frédéric Cuppens,et al.  Managing alerts in a multi-intrusion detection environment , 2001, Seventeenth Annual Computer Security Applications Conference.

[23]  Steven J. Templeton,et al.  A requires/provides model for computer attacks , 2001, NSPW '00.

[24]  Ahmed Patel,et al.  Finite state machine approach to digital event reconstruction , 2004, Digit. Investig..

[25]  Somesh Jha,et al.  Global Intrusion Detection in the DOMINO Overlay System , 2004, NDSS.