The increasing trend of computer crimes has intensified the relevance of cyber-forensics. In such a context, forensic analysis plays a major role by analyzing the evidence gathered from the crime scene and corroborating facts about the committed crime. In this paper, we propose a formal approach for forensic log analysis. The proposed approach is based on the logical modelling of the events and the traces of the victim system as formulas over a modified version of the ADM logic [12]. In order to illustrate the proposed approach, the Windows auditing system [21] is studied. We will discuss the importance of the different features of such a system from the forensic standpoint (e.g. the ability to log accesses to specific files and registry keys and the abundance of information that can be extracted from these logs). Furthermore, we will logically capture invariant properties of a system, forensic hypotheses, and generic or specific attack signatures. Moreover, we will discuss the admissibility of forensic hypotheses and the underlying verification issues.