GrAALF: Supporting Graphical Analysis of Audit Logs for Forensics
Omid Setayeshfar, Christian Adkins, Matthew Jones, Kyu Hyung Lee, Prashant Doshi

TL;DR
GrAALF is an open-source graphical system that efficiently processes and visualizes system audit logs for computer forensics, enabling real-time attack analysis and provenance tracing across various storage backends.
Contribution
It introduces a flexible, open-source platform supporting multiple storage options for forensic analysis of large-scale system logs, with real-time querying and attack traceability.
Findings
GrAALF outperforms existing systems in responsiveness across storage options.
It effectively identifies and traces attacks in real-world scenarios.
Open-source availability encourages wider adoption and customization.
Abstract
System-level audit logs often play a critical role in computer forensics. They capture low-level interactions between programs and users in great detail, making them a rich source of insight and provenance on malicious user activity. However, using these logs to discover and understand malicious activities when a typical computer generates more than 2.5 million system events hourly is both compute- and time-intensive. We introduce a graphical system called GrAALF for efficiently loading, storing, processing, querying, and displaying system events to support computer forensics. In comparison to other related systems such as AIQL [13] and SAQL [12], GrAALF offers the flexibility of multiple backend storage solutions, easy-to-use and intuitive querying of logs, and the ability to trace back longer sequences of system events in (near) real-time to help identify and isolate attacks. Equally…
