Evidence Collection

Modeling System Activity Logging for Evidence Collection

ABSTRACT

System activity logs create an ongoing history of chronologically ordered records that describe events taking place in a computing system. Although system activity logs were originally designed for performance monitoring and troubleshooting, they can be used to collect forensic evidence.  This paper develops a generic ‘technology-independent’ model of an event reporting service. The paper finds three key features that determine data collection capability – ‘event detection’, ‘event selection’ and ‘event description’. Design constraints in each of these features typically found in mainstream operating systems are identified and the limitations imposed on the forensic evidence collection capability of modern operating systems are discussed.

Published In

Volume 12, Issue 1

Journal of Information Warfare

The definitive publication for the best and latest research and analysis on information warfare, information operations, and cyber crime. Available in traditional hard copy or online.

Keywords

(

2

3

4

8

9

A
AI
APT

a

B

C
C2
C2S
CDX
CIA
CIP
CPS

D
DNS
DoD
DoS

E

e

F

G

H

I
IA
ICS

i

J

K

L

M

N

O

P

Q

R

S
SOA

T

t

U

V

W

X
XRY

Y

Z

Quill Logo

The definitive publication for the best and latest research and analysis on information warfare, information operations, and cyber crime. Available in traditional hard copy or online.

SUBSCRIBE NOW

Get in touch

Registered Agent and Mailing Address

  • Journal of Information Warfare
  •  ArmisteadTEC
  • Dr Leigh Armistead, President
  • 1624 Wakefield Drive
  • Virginia Beach, VA 23455

 757.510.4574

 JIW@ArmisteadTec.com