Abstract

This paper analyzes and simulates the complexity of searching a particular database, the auditing log database of a computer or computer network. To observe the behavior of users in a computer or a computer network, the system authorities of a given domain first keep logs of all actions performed by the users. In general, users' actions can be reconstructed by analyzing their actions in a computer system, or their messages in a computer network, in particular by analyzing the headers of packets in a given network protocol. From this body of data (the database), particular knowledge can be retrieved according to the requirements of computer and network forensics and accountability. For example, if at some point it is already known that the content of a secret file has leaked, then to determine the cause of the leak we can search part or all of the log files for direct or indirect accesses to the file. Because a user who accessed the secret earlier may later send messages containing it to other users (the secret leaks through indirect accesses), via packets in a computer network or via a pipe, FIFO or message queue within a computer system, finding the cause of the leak is not a trivial task. In this paper, we analyze and simulate the complexity of retrieving knowledge from the computer and network auditing log database for forensics and accountability. Copyright © 2008 John Wiley & Sons, Ltd.
