When is logging sufficient? — Tracking event causality for improved forensic analysis and correlation

IF 2 4区医学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Forensic Science International-Digital Investigation Pub Date : 2025-03-01 DOI:10.1016/j.fsidi.2025.301877

Johannes Olegård, Stefan Axelsson, Yuhong Li

{"title":"When is logging sufficient? — Tracking event causality for improved forensic analysis and correlation","authors":"Johannes Olegård, Stefan Axelsson, Yuhong Li","doi":"10.1016/j.fsidi.2025.301877","DOIUrl":null,"url":null,"abstract":"<div><div>It is generally agreed that logs are necessary for understanding cyberattacks post-incident. However, little is known about what specific information logs should contain to be forensically helpful. This uncertainty, combined with the fact that conventional logs are often not designed with security in mind, often results in logs with too much or too little information. Events in one log are also often challenging to correlate with events in other logs. Most previous research has focused on preserving, filtering, and interpreting logs, rather than addressing what should be logged in the first place. This paper explores logging sufficiency through the lens of Digital Forensic Readiness, and highlights the absence of <em>causal information</em> in conventional logs. To address this gap, we propose a novel logging system leveraging “gretel numbers” to track causal information—such as attacker movement—across multiple applications in a tamper-resistant manner. A prototype, implemented using the Extended Berkeley Packet Filter (EBPF) and an Nginx web server, shows that causality tracking imposes minimal resource overhead, though log size management remains critical for scalability.</div></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":"52 ","pages":"Article 301877"},"PeriodicalIF":2.0000,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Forensic Science International-Digital Investigation","FirstCategoryId":"3","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2666281725000162","RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

It is generally agreed that logs are necessary for understanding cyberattacks post-incident. However, little is known about what specific information logs should contain to be forensically helpful. This uncertainty, combined with the fact that conventional logs are often not designed with security in mind, often results in logs with too much or too little information. Events in one log are also often challenging to correlate with events in other logs. Most previous research has focused on preserving, filtering, and interpreting logs, rather than addressing what should be logged in the first place. This paper explores logging sufficiency through the lens of Digital Forensic Readiness, and highlights the absence of causal information in conventional logs. To address this gap, we propose a novel logging system leveraging “gretel numbers” to track causal information—such as attacker movement—across multiple applications in a tamper-resistant manner. A prototype, implemented using the Extended Berkeley Packet Filter (EBPF) and an Nginx web server, shows that causality tracking imposes minimal resource overhead, though log size management remains critical for scalability.

查看原文本刊更多论文

什么时候记录就足够了？-跟踪事件因果关系，以改进法医分析和相关性

人们普遍认为，日志对于了解事件后的网络攻击是必要的。然而，很少有人知道日志应该包含哪些具体信息才能在法医上有所帮助。这种不确定性，再加上传统日志在设计时往往没有考虑到安全性这一事实，通常会导致日志信息过多或过少。一个日志中的事件通常也很难与其他日志中的事件相关联。大多数以前的研究都集中在保存、过滤和解释日志上，而不是首先解决应该记录什么。本文通过数字取证准备的视角探讨了日志记录的充分性，并强调了传统日志中因果信息的缺失。为了解决这个问题，我们提出了一种新的日志记录系统，利用“gretel number”以防篡改的方式跨多个应用程序跟踪因果信息（如攻击者的移动）。一个使用扩展伯克利包过滤器（EBPF）和Nginx web服务器实现的原型显示，因果关系跟踪施加了最小的资源开销，尽管日志大小管理仍然是可扩展性的关键。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊