Methodologies presently in use to perform forensic analysis of web applications are decidedly
lacking. Although the number of log analysis tools available is exceedingly large, most only employ
simple statistical analysis or rudimentary search capabilities. More precisely these tools were not
designed to be forensically capable. The threat of online assault, the ever growing reliance on the
performance of necessary services conducted online, and the lack of efficient forensic methods in this
area provide a background outlining the need for such a tool. The culmination of study emanating
from this thesis not only presents a forensic log analysis framework, but also outlines an innovative
methodology of analyzing log files based on a concept that uses regular expressions, and a variety
of solutions to problems associated with existing tools. The implementation is designed to detect
critical web application security flaws gleaned from event data contained within the access log files
of the underlying Apache Web Service (AWS).
Of utmost importance to a forensic investigator or incident responder is the generation of an event
timeline preceeding the incident under investigation. Regular expressions power the search capability
of our framework by enabling the detection of a variety of injection-based attacks that represent
significant timeline interactions. The knowledge of the underlying event structure of each access log
entry is essential to efficiently parse log files and determine timeline interactions. Another feature
added to our tool includes the ability to modify, remove, or add regular expressions. This feature
addresses the need for investigators to adapt the environment to include investigation specific queries
along with suggested default signatures. The regular expressions are signature definitions used to
detect attacks toward both applications whose functionality requires a web service and the service
itself. The tool provides a variety of default vulnerability signatures to scan for and outputs resulting
detections.