Cyber-forensic log analysis

Sakha, Assaad (2008) Cyber-forensic log analysis. Masters thesis, Concordia University.

Text (application/pdf): MR45501.pdf - Accepted Version, 7MB

Abstract

Forensic examination of logs plays a central role in modern computer security. Due to the sheer amount of data involved and the evolving complexity of computer systems, the forensic examination of logs is a time-consuming and daunting task. Information stored in the logs of a computer system is of crucial importance for gathering forensic evidence of investigated actions or attacks against the system. Analysis of this information should be rigorous and credible, hence it lends itself to formal methods. In this thesis, we propose a model checking approach to the formalization of forensic log analysis. In order to give structure to the log events, we express each event as a term of a term algebra. The signature of the algebra is carefully chosen to include all information relevant to conducting the analysis. Properties of the model are expressed as formulas of a logic having dynamic, linear, temporal, and modal characteristics. A tableau-based proof system is provided for this logic, upon which a model checking algorithm can be developed. To illustrate the proposed approach, the Windows XP auditing system is used. The properties that we capture in our logic include invariant properties of a system, forensic hypotheses, and generic or specific attack signatures. Moreover, we discuss the admissibility of forensic hypotheses and the underlying verification issues. Throughout our research we realized the significance of the Windows registry when correlated with the logs. The registry, being a source of system and application information, provides a reference point when detecting anomalies in the logs. Correlating the registry with the logs strengthens the forensic analysis by adding evidence to the investigation. We present the correlation method as well as a proof-of-concept implementation of the correlation of logs with the registry.

Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type: Thesis (Masters)
Authors: Sakha, Assaad
Pagination: x, 162 leaves : ill. ; 29 cm.
Institution: Concordia University
Degree Name: M.A. Sc.
Program: Institute for Information Systems Engineering
Date: 2008
Thesis Supervisor(s): Debbabi, Mourad and Youssef, Amir
Identification Number: LE 3 C66I54M 2008 S25
ID Code: 976153
Deposited By: Concordia University Library
Deposited On: 22 Jan 2013 16:20
Last Modified: 13 Jul 2020 20:09
Related URLs:
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.
