Retrieving knowledge from auditing log-files for computer and network forensics and accountability

This paper analyzes and simulates the complexity of searching a particular database called a computer or network auditing log database. To observe the behavior of users in a computer or a computer network, the system authorities in a particular domain first keep logs of all actions performed by the users. In general, we can grasp the users' actions by analyzing their actions in a computer system or their messages in a computer network, in particular by analyzing the headers of packets in a given network protocol. From this body of data (the log database), we can retrieve particular knowledge according to given requirements for computer and network forensics and accountability. For example, if at some point it is already known that the content of a secret file is leaking, then to find the causes of the leak we can search part or all of the log-files for direct or indirect accesses to the file. Since a user who accessed the secret earlier may have sent messages containing the secret to other users (the secret leaks through indirect accesses) via packets in a computer network, or via a pipe, FIFO or message queue in a computer system, finding the causes of the leak is not a trivial task. In this paper, we analyze and simulate the complexity of retrieving knowledge from the computer and network auditing log database for forensics and accountability. Copyright © 2008 John Wiley & Sons, Ltd.
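The leak-tracing search sketched in the abstract, as an added example that is not code from the paper: it parses a constructed audit log (a simplified READ/SEND record format assumed here, not the paper's), marks every user who read the secret file directly, and then propagates the taint along later messages over pipes, FIFOs, message queues or network sockets to find indirect accesses. Time ordering matters: a message sent before the sender obtained the secret cannot carry it.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample audit log (not from the paper). One event per line:
#   <time> READ <actor> <file>                 actor reads a file
#   <time> SEND <actor> <recipient> <channel>  actor sends data over a channel
SAMPLE_LOG = """\
1 SEND carol frank net
2 READ alice /home/alice/notes.txt
3 READ bob /srv/secret.txt
4 SEND alice bob pipe
5 SEND bob carol net
6 READ dave /srv/secret.txt
7 SEND carol erin mq
8 SEND erin alice net
"""

LINE_RE = re.compile(r"^(\d+)\s+(READ|SEND)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")

@dataclass
class Event:
    time: int
    action: str
    actor: str
    target: str   # file path for READ, recipient for SEND
    channel: str  # pipe/FIFO/mq/net for SEND, empty for READ

def parse_log(text: str) -> List[Event]:
    """Parse the log into events sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(int(m[1]), m[2], m[3], m[4], m[5] or ""))
    return sorted(events, key=lambda e: e.time)

def leak_reach(events: List[Event], secret: str) -> Tuple[Set[str], Set[str], List[Event]]:
    """Return (direct readers, indirect receivers, evidence events) for `secret`.

    A single forward pass in time order suffices: a SEND spreads the secret only
    if the sender was already tainted when the message was sent.
    """
    tainted: Set[str] = set()
    direct: Set[str] = set()
    evidence: List[Event] = []
    for e in events:
        if e.action == "READ" and e.target == secret:
            direct.add(e.actor)
            tainted.add(e.actor)
            evidence.append(e)
        elif e.action == "SEND" and e.actor in tainted and e.target not in tainted:
            tainted.add(e.target)
            evidence.append(e)
    return direct, tainted - direct, evidence
```

The evidence list is the chain an investigator would cite: each entry is either a direct read of the secret or the first tainted message that reached a new user.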