ISU Electrical and Computer Engineering Archives

Forensic Log Investigator (FLI) – a log analysis and visualization tool

Pham, Thieu (2007) Forensic Log Investigator (FLI) – a log analysis and visualization tool. Masters thesis, Iowa State University.

Full text available as:

PDF - Archive staff only - Requires Adobe Acrobat Reader or other PDF viewer.

Abstract

In a cyber crime investigation, investigators often have to examine and analyze log files, which contain valuable information (a history of actions), to reconstruct a chain of past events and ascertain whether a crime has been committed and the circumstances surrounding it. There are many types of log files, such as server logs, firewall logs, intrusion-detection logs, system logs, application logs, and phone logs. Because there is no standard format, each follows its own arbitrary format, which makes analysis formidably complex. Additionally, because these log files contain a huge number of entries, it is difficult and overwhelming to extract the relevant evidence, analyze it, keep track of it, and make sense of the information efficiently and reliably. Since each log contains only a little information, a fragment of the whole, it is particularly beneficial for investigators to examine logs together. Visualization allows the investigator to correlate the information, see the patterns, and gain insight into the events under examination. This thesis provides the detailed design and implementation of FLI (Forensic Log Investigator). FLI is a powerful, advanced analysis and visualization tool built upon an enterprise infrastructure and the latest technologies to help computer forensics practitioners carry out investigations and perform analysis efficiently and effectively. FLI does the heavy work of processing, sorting, and searching all of the information and presents it to investigators in visual forms that they can easily understand and analyze, and from which they can extract relevant evidential information. Having FLI do the heavy and tedious work allows investigators to devote more time to analysis, and thereby helps solve the actual crime in a shorter time with fewer resources.

EPrint Type: Thesis (Masters)
Uncontrolled Keywords: log analysis
Subjects: Computer Engineering > INFORMATION SYSTEMS SECURITY & NETWORKING > Information Assurance
ID Code: 404
Identification Number: UNSPECIFIED
Deposited By: Thieu Pham
Deposited On: 29 November 2007
