Shedding Light on Log Correlation in Network Forensics Analysis
Presently, forensics analysis of security incidents relies largely on manual, ad-hoc, and very time-consuming processes. A security analyst must manually correlate evidence from diverse security logs with expertise on the suspected malware and knowledge of the infrastructure's configuration to diagnose if, when, and how an incident happened. To improve understanding of forensics analysis processes, in this paper the authors analyze the diagnosis of 200 infections detected within a large operational network. Based on the analyzed incidents, they build a decision support tool that shows how to correlate evidence from different sources of security data to expedite manual forensics analysis of compromised systems.
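The kind of cross-source correlation the abstract describes, shown as an added illustration rather than the paper's own tool: an IDS alert is joined with DNS and firewall records for the same internal host and destination inside a time window, and the amount of agreeing evidence decides how much analyst attention the alert deserves. The log formats, hostnames and addresses are constructed for the example and are not from the paper.

```python
"""Cross-source log correlation for infection triage (added example, not the paper's tool)."""
from datetime import datetime, timedelta
import re

# Constructed sample records; the key=value formats are hypothetical, not any real sensor's.
IDS_ALERTS = """2012-03-01T10:00:05 alert src=10.0.0.5 dst=198.51.100.7 sig="ET MALWARE CnC beacon"
2012-03-01T11:30:00 alert src=10.0.0.9 dst=203.0.113.20 sig="SCAN nmap probe"
"""
DNS_LOG = """2012-03-01T09:59:58 client=10.0.0.5 query=upd.example-cnc.test answer=198.51.100.7
2012-03-01T11:00:00 client=10.0.0.9 query=www.example.org answer=203.0.113.44
"""
FW_LOG = """2012-03-01T10:00:03 src=10.0.0.5 dst=198.51.100.7 dport=443 action=allow
2012-03-01T11:31:00 src=10.0.0.9 dst=203.0.113.20 dport=80 action=deny
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted


def parse(text):
    """Turn '<timestamp> key=value ...' lines into dicts carrying a parsed datetime."""
    records = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        rec = {k: v.strip('"') for k, v in KV.findall(rest)}
        rec["ts"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records


def correlate(ids, dns, fw, window=timedelta(minutes=10)):
    """For each IDS alert, collect DNS and firewall evidence on the same host and destination
    within the window; one agreeing source raises the score by one (1 = alert only, 3 = all agree).
    Returns the strongest verdict per internal host."""
    verdicts = {}
    for a in ids:
        host, dst = a["src"], a["dst"]
        near = lambda r: abs(r["ts"] - a["ts"]) <= window
        dns_hits = [r["query"] for r in dns if r["client"] == host and r["answer"] == dst and near(r)]
        fw_hits = [r for r in fw if r["src"] == host and r["dst"] == dst and r["action"] == "allow" and near(r)]
        score = 1 + bool(dns_hits) + bool(fw_hits)
        label = {1: "alert only", 2: "needs review", 3: "likely infection"}[score]
        if host not in verdicts or verdicts[host]["score"] < score:
            verdicts[host] = {"score": score, "verdict": label, "sig": a["sig"], "dns": dns_hits}
    return verdicts


if __name__ == "__main__":
    for host, v in correlate(parse(IDS_ALERTS), parse(DNS_LOG), parse(FW_LOG)).items():
        print(host, v["verdict"], v["sig"], v["dns"])
```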