Analyzing multiple logs for forensic evidence

Digital Investigation

Volumn 4, Issue SUPPL., 2007, Pages 82-91

  Arasteh, Ali Reza ^a   Debbabi, Mourad ^a   Sakha, Assaad ^a   Saleh, Mohamed ^a  

^a University of Concordia   (Canada)

Author keywords

Forensic analysis; Formal methods; Log analysis; Log correlation; Logging systems; Model checking

Indexed keywords

ALGEBRA; ALGORITHMS; COMPUTER CRIME; FORMAL METHODS; MATHEMATICAL MODELS; MODEL CHECKING; SECURITY OF DATA;

FORENSIC ANALYSIS; LOG CORRELATION; LOGGING SYSTEMS;

COMPUTER SYSTEMS;

EID: 34447536428     PISSN: 17422876     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.diin.2007.06.013     Document Type: Article

References (27)

1. Adi K., Debbabi M., and Mejri M. A new logic for electronic commerce protocols. Int J Theor Comput Sci, TCS 291 3 (2003) 223-283
2. Cleaveland R. Tableau-based model checking in the propositional Mu-calculus. Acta Inform 27 8 (1990) 725-748
3. Cuppens F. Managing alerts in a multi-intrusion detection environment. In: Proceedings of the 17th annual computer security applications conference, December 2001.
4. Cuppens F, Miege A. Alert correlation in a cooperative intrusion detection framework. In: Proceedings of the 2002 IEEE symposium on security and privacy, May 2003.
5. Debar H, Wespi A. Aggregation and correlation of intrusion-detection alerts. In: Recent advances in intrusion detection. LNCS 2212; 2001.
6. Gladyshev P., and Patel A. Finite state machine approach to digital event reconstruction. Digit Investig J 1 2 (2004)
7. Gladyshev P., and Patel A. Formalising event time bounding in digital investigations. Digit Investig J 4 2 (2005)
8. Hosmer C. Time lining computer evidence (1998). Available from: [Visited on May 22, 2007]
9. Julisch K. Clustering intrusion detection alarms to support root cause analysis. ACM Trans Inform Syst Secur 6 4 (Nov 2003) 443-471
10. Kruse W., and Heiser J. Computer forensics: incident response essentials (2002), Addison-Wesley, Boston, MA [Visited on May 22, 2007]
11. Leigland R., and Krings A.W. A formalization of digital forensics. Digit Investig J 3 2 (2004)
12. Monroe K., and Bailey D. System base-lining: a forensic perspective. Available from: (2003). [Visited on May 22, 2007]
13. Morin B, Debar H. Correlation of intrusion symptoms: an application of chronicles. In Proceedings of the sixth international conference on recent advances in intrusion detection (RAID'03), September 2003.
14. Morin B, Me L, Debar H, Ducasse M. M2D2: a formal data model for IDS alert correlation. In: Proceedings of the fifth international symposium on recent advances in intrusion detection (RAID 2002), 2002.
15. Ning P, Cui Y, Reeves DS. Constructing attack scenarios through correlation of intrusion alerts. In: Proceedings of the nineth ACM conference on computer and communications security, Washington, DC, November 2002. p. 245-54.
16. Peikari C., and Chuvakin A. Security warrior (2004), O'Reilly
17. Porras P, Fong M, Valdes A. A mission-impact-based approach to INFOSEC alarm correlation. In: Proceedings of the fifth international symposium on recent advances in intrusion detection (RAID 2002); 2002.
18. Stallard T, Levitt K. Automated analysis for digital forensic science: semantic integrity checking. In: 19th annual computer security applications conference, Las Vegas, NV, USA, December 2003.
19. Staniford S., Hoagland J., and McAlerney J. Practical automated detection of stealthy portscans. J Comput Secur 10 1/2 (December 2002) 105-136
20. Stephenson P. Modeling of post-incident root cause analysis. Int J Digit Evid 2 2 (2003)
21. Snort - sourcefire Inc. [Visited on May 22, 2007]
22. Tenable Network Security. [Visited on May 22, 2007]
23. Templeton S, Levitt K. A requires/provides model for computer attacks. In: Proceedings of new security paradigms workshop, September 2000.
24. Valdes A, Skinner K. Probabilistic alert correlation. In: Proceedings of the fourth international symposium on recent advances in intrusion detection (RAID 2001); 2001.
25. Wechler W. Universal algebra for computer scientists (1992), Springer
26. Xu D. Alert correlation through triggering events and common resources. [Visited on May 22, 2007]
27. Yegneswaran V, Barford P, Jha S. Global intrusion detection in the domino overlay system. In: Proceedings of the 11th annual network and distributed system security symposium (NDSS'04), Feburary 2004.