GrAALF:Supporting Graphical Analysis of Audit Logs for Forensics
System-level audit logs often play a critical role in computer forensics. They capture low-level interactions between programs and users in much detail, making them a rich source of insight and provenance on malicious user activity. However, using these logs to discover and understand malicious activities when a typical computer generates more than 2.5 million system events hourly is both compute and time-intensive. We introduce a graphical system called GrAALF for efficiently loading, storing, processing, querying, and displaying system events to support computer forensics. In comparison to other related systems such as AIQL [13] and SAQL [12], GrAALF offers the flexibility of multiple backend storage solutions, easy-to-use and intuitive querying of logs, and the ability to trace back longer sequences of system events in (near) real-time to help identify and isolate attacks. Equally important, both AIQL and SAQL are not available for public use, whereas GrAALF is open-source. GrAALF offers the choice of compactly storing the logs in main memory, in a relational database system, in a hybrid main memory-database system, and a graph-based database. We compare the responsiveness of each of these options, using multiple huge system-call log files. Next, in multiple real-world attack scenarios, we demonstrate the efficacy and usefulness of GrAALF in identifying the attack and discovering its provenance. Consequently, GrAALF offers a robust solution for analysis of audit logs to support computer forensics.