FAL: A Forensics Aware Language for Secure Logging

Shams Zawoad, zawoad@cis.uab.edu, University of Alabama at Birmingham
Marjan Mernik, marjan.mernik@uni-mb.si, University of Maribor
Ragib Hasan, ragib@cis.uab.edu, University of Alabama at Birmingham

Abstract—Trustworthy system logs and application logs are crucial for digital forensics. Researchers have proposed different security mechanisms to ensure the integrity and confidentiality of logs. However, applying current secure logging schemes to heterogeneous log formats is tedious. Here, we propose FAL, a domain-specific language (DSL) through which a secure logging mechanism can be applied to logs of any format. Using FAL, we can define a log structure, which represents the format of the logs and ensures the security properties of a chosen secure logging scheme. This log structure can later be used by FAL to serve two purposes: it can be used to store system logs securely, and it helps application developers with secure application logging by generating the required source code.

Keywords: DSL, Secure Logging, Audit Trail, Digital Forensics

I. INTRODUCTION

In recent years, digital crime cases have increased tremendously. An annual report of the Federal Bureau of Investigation (FBI) states that the size of the average digital forensic case in the United States is growing by 35% per year; from 2003 to 2007, it increased from 83 GB to 277 GB [1]. Various logs, e.g., network logs, process logs, file access logs, and application audit trails, play a vital role in a successful digital forensics investigation. System and application logs record crucial events, such as user activity, program execution status, system resource usage, network usage, and data changes, through which important attacks can be identified, e.g., network intrusions, malicious software, unauthorized access to software, and many more.
Logs are also important for ensuring the auditability of a system, and auditability is vital for making a system compliant with regulatory acts such as Sarbanes-Oxley (SOX) [2] or the Health Insurance Portability and Accountability Act (HIPAA) [3]. Keeping system audit trails and reviewing them consistently is recommended by NIST as a good principle and practice for securing computer systems [4]. While the necessity of logs and application audit trails is indisputable, the trustworthiness of this evidence remains questionable unless proper measures are taken to secure it. In many real-world applications, sensitive information is kept in log files on an untrusted machine. Because logs are crucial for identifying an attacker, attackers often attack the logging system to hide the traces of their presence or to frame an honest user; very often, experienced attackers attack the logging system first [5], [6]. Malicious insiders colluding with the attacker can also tamper with logs. Moreover, forensic investigators themselves can alter evidence before presenting it in court. To protect logs from these attacks, a secure logging mechanism is needed. Researchers have already proposed several secure logging schemes [7]–[9] designed to defend against such attacks. However, ensuring the privacy and integrity of the logs is costly, since it requires specialist knowledge and skill from developers. To implement a secure logging scheme, application developers must be given complete access to the logs. Giving developers full access to sensitive logs increases the attack surface: they can violate privacy, sell sensitive business or personal information, and, most importantly, keep a back door for future attacks. Adding a secure application audit trail is also burdensome for developers and increases the application development cost.
On the other hand, system administrators, who have access to network and process logs, may not have sufficient knowledge to develop a secure logging scheme. In this paper, we propose a DSL [10] to assist system administrators and application developers in maintaining system logs and application audit trails securely, which is crucial for digital forensics investigations. A DSL is designed for a particular domain and has great advantages over a general-purpose language within that domain: DSLs provide higher productivity through their greater expressive power, ease of use, and easier verification and optimization [10]–[12]. Using our proposed DSL, FAL, system administrators can define a log structure and parse a log file according to that structure. They can also define the security parameters that preserve the integrity and confidentiality of the logs. To accomplish this, they need only their domain knowledge of system logs. Using FAL, a software security analyst can define the required audit trail structure and generate code in a general-purpose language (GPL), e.g., Java or C#, that stores the audit logs securely.

Contribution. The contribution of this work is two-fold. We propose FAL, the first domain-specific language that can be used to ensure the security of system logs and application audit logs. We also show the complete DSL development process, which can serve as a guideline for future DSL development.

Proceedings of the 2013 Federated Conference on Computer Science and Information Systems, pp. 1567–1574. 978-1-4673-4471-5/$25.00 © 2013, IEEE
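To make concrete what "define a log structure, parse a log file according to it, and apply a secure logging scheme with chosen security parameters" amounts to, the following is an added example in Python; it is not FAL code and not from the paper or its authors. It assumes a hypothetical syslog-style log structure (a regex with named fields), constructed sample log lines, and a generic integrity scheme of the kind the paper's references [7]–[9] describe in general terms: each entry is tagged with an HMAC under an epoch key, chained to the previous entry's digest, and the key is then evolved one-way and the old key discarded, so an attacker who later takes over the host cannot forge or silently alter entries written before the compromise. The verifier holds the initial key. Confidentiality (encrypting sensitive fields) is a separate security parameter and is not shown here.

```python
import hashlib
import hmac
import re

# Hypothetical log structure (an assumption for this example): a syslog-style
# line with timestamp, host, process, optional pid, and free-text message.
LOG_STRUCTURE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<process>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)
FIELDS = ("timestamp", "host", "process", "pid", "message")

# Constructed sample log lines; they do not come from any real system.
SAMPLE_LOG = """\
Mar  4 10:01:02 web01 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51422
Mar  4 10:01:09 web01 sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow
Mar  4 10:02:40 web01 sshd[2201]: Disconnected from user alice 10.0.0.5 port 51422
"""

GENESIS = b"\x00" * 32  # chain head before the first entry


def parse_log(text):
    """Parse every line against LOG_STRUCTURE; reject lines that do not fit."""
    entries = []
    for line in text.splitlines():
        m = LOG_STRUCTURE.match(line)
        if m is None:
            raise ValueError(f"line does not match log structure: {line!r}")
        entries.append(m.groupdict())
    return entries


def canonical(entry):
    """Serialise fields in a fixed order so logger and verifier hash identical bytes."""
    return "\x1f".join(entry[f] or "" for f in FIELDS).encode("utf-8")


def evolve(key):
    """One-way key update: knowing K_{i+1} does not reveal K_i."""
    return hashlib.sha256(b"evolve|" + key).digest()


class SecureLog:
    """Append-only log: each entry is tagged with the current epoch key and
    chained to the previous entry's digest; the key is then replaced."""

    def __init__(self, initial_key):
        self.key = initial_key
        self.prev = GENESIS
        self.records = []  # list of (entry_dict, tag_bytes)

    def append(self, entry):
        data = canonical(entry)
        tag = hmac.new(self.key, self.prev + data, hashlib.sha256).digest()
        self.records.append((entry, tag))
        self.prev = hashlib.sha256(self.prev + data + tag).digest()
        self.key = evolve(self.key)  # the old key is discarded on the logging host


def secure_log_from_text(text, initial_key):
    """Parse a raw log and protect every entry with the scheme above."""
    log = SecureLog(initial_key)
    for entry in parse_log(text):
        log.append(entry)
    return log.records


def verify(records, initial_key):
    """Replay the chain from the initial key held by the verifier.
    Returns None if every record checks out, else the index of the first
    record whose tag does not match (a modified, reordered, replayed or
    deleted entry breaks the chain at that point)."""
    key, prev = initial_key, GENESIS
    for i, (entry, tag) in enumerate(records):
        data = canonical(entry)
        expected = hmac.new(key, prev + data, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return i
        prev = hashlib.sha256(prev + data + tag).digest()
        key = evolve(key)
    return None


if __name__ == "__main__":
    k0 = b"\x11" * 32  # in practice: random, shared with the verifier out of band
    recs = secure_log_from_text(SAMPLE_LOG, k0)
    print("intact:", verify(recs, k0))
    entry, tag = recs[1]
    recs[1] = ({**entry, "message": "COMMAND=/bin/ls"}, tag)
    print("tampered:", verify(recs, k0))
```

Two caveats a practitioner should keep in mind when choosing such security parameters. First, chain verification alone does not detect truncation of the tail (simply dropping the newest entries), so a scheme also has to specify how often the current chain head is committed to a trusted party or attested; the verifier then checks that the replayed chain reaches that committed head. Second, the canonical serialisation is part of the security definition: if logger and verifier disagree on field order or encoding, every tag fails, which is exactly why a single shared log-structure definition, as FAL proposes, matters.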