The increasing trend of computer crimes has intensified the relevance of cyber-forensics. In such a context, forensic analysis plays a major role by analyzing the evidence gathered from the crime scene and corroborating facts about the committed crime. In this paper, we propose a formal approach for the forensic log analysis. The proposed approached is based on the logical modelling of the events and the traces of the victim system as formulas over a modified version of the ADM logic. In order to illustrate the proposed approach, the Windows auditing system is studied. We will discuss the importance of the different features of such a system from the forensic standpoint (e.g. the ability to log accesses to specific files and registry keys and the abundance of information that can be extracted from these logs). Furthermore, we will capture logically: Invariant properties of a system, forensic hypotheses, generic or specific attack signatures. Moreover, we will discuss the admissibility of forensics hypotheses and the underlying verification issues.
IOS Press, Inc.
6751 Tepper Drive
Clifton, VA 20124
Tel.: +1 703 830 6300
Fax: +1 703 830 2300 email@example.com
(Corporate matters and books only) IOS Press c/o Accucoms US, Inc.
For North America Sales and Customer Service
West Point Commons
Lansdale PA 19446
Tel.: +1 866 855 8967
Fax: +1 215 660 5042 firstname.lastname@example.org