Title :
Finding the Evidence in Tamper-Evident Logs
Author :
Sandler, Daniel ; Derr, Kyle ; Crosby, Scott ; Wallach, Dan S.
Author_Institution :
Rice Univ., Houston, TX
Abstract :
Secure logs are powerful tools for building systems that must resist forgery, prove temporal relationships, and stand up to forensic scrutiny. The proofs of order and integrity encoded in these tamper-evident chronological records, typically built using hash chaining, may be used by applications to enforce operating constraints or sound alarms at suspicious activity. However, existing research stops short of discussing how one might go about automatically determining whether a given secure log satisfies a given set of constraints on its records. In this paper, we discuss our work on Querifier, a tool that accomplishes this. It can be used offline as an analyzer for static logs, or online during the runtime of a logging application. Querifier rules are written in a flexible pattern-matching language that adapts to arbitrary log structures; given a set of rules and available log data, Querifier presents evidence of correctness and offers counterexamples if desired. We describe Querifier's implementation and offer early performance results.
Keywords :
data recording; query processing; security of data; Querifier; flexible pattern-matching language; forensic scrutiny; hash chaining; secure log; suspicious activity; tamper-evident chronological records; tamper-evident logs; Business; Data structures; Digital forensics; Forgery; Humans; Law; Legal factors; Power engineering and energy; Resists; Runtime; hash chaining; predicate logic; query processing; secure logs; tamper evidence;
Conference_Titel :
Systematic Approaches to Digital Forensic Engineering, 2008. SADFE '08. Third International Workshop on
Conference_Location :
Oakland, CA
Print_ISBN :
978-0-7695-3171-7
DOI :
10.1109/SADFE.2008.22