Modeling System Activity Logging for Evidence Collection

ABSTRACT

System activity logs create an ongoing history of chronologically ordered records that describe events taking place in a computing system. Although system activity logs were originally designed for performance monitoring and troubleshooting, they can also be used to collect forensic evidence. This paper develops a generic, ‘technology-independent’ model of an event reporting service. The paper identifies three key features that determine data collection capability: ‘event detection’, ‘event selection’ and ‘event description’. Design constraints in each of these features typically found in mainstream operating systems are identified, and the limitations they impose on the forensic evidence collection capability of modern operating systems are discussed.

Journal of Information Warfare

The definitive publication for the best and latest research and analysis on information warfare, information operations, and cyber crime. Available in traditional hard copy or online.
