A Model for Illegal File Access Tracking Using Windows Logs and Elastic Stack


Jisun Kim, Eulhan Jo, Sungwon Lee, Taenam Cho, Journal of Information Processing Systems Vol. 17, No. 4, pp. 772-786, Aug. 2021  

https://doi.org/10.3745/JIPS.03.0162
Keywords: Active Directory, Digital Forensics, Elastic Stack, Microsoft Windows Log, Security, Shared Folder

Abstract

Tracking suspicious behavior on a system manually and gathering evidence for it is labor-intensive, inconsistent, and dependent on the analyst's experience. System logs are the most important source of evidence in this process. In the Microsoft Windows operating system, however, the events recorded for an action are irregular and the log structure is difficult to audit. In this paper, we propose a model that overcomes these problems and analyzes Microsoft Windows logs efficiently. The proposed model extracts lists of both common events and key events from the Microsoft Windows logs in order to determine the detailed actions behind them. In addition, we show how the proposed model is applied to track illegal file access. The approach employs three-step tracking templates built on Elastic Stack, together with key-event, common-event and identify-event lists, which makes the data available for visual analysis. Using the three-step model, analysts can adjust the depth of their analysis.
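The following is an added example, not code from the paper, of what a three-step key-event/common-event tracker for shared-folder access can look like when the Windows Security log has been shipped to Elasticsearch. Everything specific in it is an assumption the abstract does not state: that the key events for file access on a share are 5140/5145 (network share accessed / share access check) and 4663 (object access), that the common events supplying session context are 4624/4634 (logon/logoff), that events are joined on the logon session ID (TargetLogonId in 4624/4634, SubjectLogonId elsewhere), and that the documents use Winlogbeat-style field names. The sample events and the allow-list are constructed for the example.

```python
"""Added example (not from the paper): three-step shared-folder access tracker over
Windows Security events in the flattened field layout Winlogbeat sends to Elasticsearch.
Assumptions not stated on the page: key events 5140/5145/4663, common events 4624/4634,
join key = logon session ID (TargetLogonId for 4624/4634, SubjectLogonId otherwise)."""
from collections import defaultdict

KEY_EVENTS = {5140, 5145, 4663}   # assumed: who touched which share / file
COMMON_EVENTS = {4624, 4634}      # assumed: logon / logoff give the session context

# Constructed sample documents (not real logs). alice may use the Finance share,
# bob may not; both read payroll.xlsx in their own logon sessions.
EVENTS = [
    {"@timestamp": "2021-06-01T09:00:00Z", "winlog.event_id": 4624, "source.ip": "10.0.0.5",
     "winlog.event_data.TargetUserName": "alice", "winlog.event_data.TargetLogonId": "0x3e7a1"},
    {"@timestamp": "2021-06-01T09:01:10Z", "winlog.event_id": 5140, "source.ip": "10.0.0.5",
     "winlog.event_data.SubjectUserName": "alice", "winlog.event_data.SubjectLogonId": "0x3e7a1",
     "winlog.event_data.ShareName": "\\\\*\\Finance"},
    {"@timestamp": "2021-06-01T09:01:11Z", "winlog.event_id": 5145, "source.ip": "10.0.0.5",
     "winlog.event_data.SubjectUserName": "alice", "winlog.event_data.SubjectLogonId": "0x3e7a1",
     "winlog.event_data.ShareName": "\\\\*\\Finance", "winlog.event_data.RelativeTargetName": "payroll.xlsx"},
    {"@timestamp": "2021-06-01T09:05:00Z", "winlog.event_id": 4624, "source.ip": "10.0.0.9",
     "winlog.event_data.TargetUserName": "bob", "winlog.event_data.TargetLogonId": "0x41c02"},
    {"@timestamp": "2021-06-01T09:06:00Z", "winlog.event_id": 5145, "source.ip": "10.0.0.9",
     "winlog.event_data.SubjectUserName": "bob", "winlog.event_data.SubjectLogonId": "0x41c02",
     "winlog.event_data.ShareName": "\\\\*\\Finance", "winlog.event_data.RelativeTargetName": "payroll.xlsx"},
    {"@timestamp": "2021-06-01T09:06:05Z", "winlog.event_id": 4663,
     "winlog.event_data.SubjectUserName": "bob", "winlog.event_data.SubjectLogonId": "0x41c02",
     "winlog.event_data.ObjectName": "D:\\Finance\\payroll.xlsx"},
    {"@timestamp": "2021-06-01T09:10:00Z", "winlog.event_id": 4634,
     "winlog.event_data.TargetUserName": "bob", "winlog.event_data.TargetLogonId": "0x41c02"},
    {"@timestamp": "2021-06-01T09:10:00Z", "winlog.event_id": 4634,
     "winlog.event_data.TargetUserName": "alice", "winlog.event_data.TargetLogonId": "0x3e7a1"},
]

# Constructed authorization policy: share name -> users allowed to open it.
AUTHORIZED = {"Finance": {"alice"}}


def logon_id(e):
    """Session key: 4624/4634 carry it as TargetLogonId, the other events as SubjectLogonId."""
    return e.get("winlog.event_data.TargetLogonId") or e.get("winlog.event_data.SubjectLogonId")


def user_of(e):
    return e.get("winlog.event_data.TargetUserName") or e.get("winlog.event_data.SubjectUserName")


def share_of(e):
    """Reduce '\\\\*\\Finance' to 'Finance'; None for events that carry no share name."""
    share = e.get("winlog.event_data.ShareName")
    return share.rsplit("\\", 1)[-1] if share else None


def step1_query(ids=KEY_EVENTS):
    """Step 1 as an Elasticsearch query body: pull only the key events from the index."""
    return {"query": {"terms": {"winlog.event_id": sorted(ids)}}}


def step1_key_events(events):
    """Step 1, offline: the key-event list (who touched which share or file)."""
    return [e for e in events if e["winlog.event_id"] in KEY_EVENTS]


def step2_sessions(events):
    """Step 2: group key and common events by logon session, time-ordered, so every
    access is seen together with the logon that produced it."""
    sessions = defaultdict(list)
    for e in events:
        if e["winlog.event_id"] in KEY_EVENTS | COMMON_EVENTS:
            sessions[logon_id(e)].append(e)
    for sid in sessions:
        sessions[sid].sort(key=lambda x: x["@timestamp"])
    return dict(sessions)


def step3_trace(events, authorized=AUTHORIZED):
    """Step 3: for every share access by a user not on that share's allow-list, return the
    whole session timeline (logon source IP, each access, logoff); one finding per session+share."""
    sessions = step2_sessions(events)
    findings = {}
    for e in step1_key_events(events):
        share = share_of(e)
        if share is None or user_of(e) in authorized.get(share, set()):
            continue
        key = (logon_id(e), share)
        if key not in findings:
            sess = sessions[key[0]]
            logon = next((x for x in sess if x["winlog.event_id"] == 4624), None)
            findings[key] = {
                "user": user_of(e), "share": share, "logon_id": key[0],
                "source_ip": logon.get("source.ip") if logon else None,
                "files": [], "timeline": [(x["@timestamp"], x["winlog.event_id"]) for x in sess],
            }
        target = e.get("winlog.event_data.RelativeTargetName")
        if target and target not in findings[key]["files"]:
            findings[key]["files"].append(target)
    return list(findings.values())


if __name__ == "__main__":
    for f in step3_trace(EVENTS):
        print(f"{f['user']} from {f['source_ip']} opened {f['files']} on {f['share']} (session {f['logon_id']})")
        for ts, eid in f["timeline"]:
            print(f"  {ts}  {eid}")
```

Each step narrows or widens the view, which is the depth adjustment the abstract refers to: step 1 is a single `terms` filter that can be run directly against the index, step 2 attaches the common events so an access is never read without its logon, and step 3 applies the allow-list and hands the analyst one timeline per offending session rather than isolated 5145 records. The 4663 event only appears if object-access auditing is enabled on the folder's SACL; without it the trace still works from the share-level 5140/5145 events alone.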






Cite this article
[APA Style]
Kim, J., Jo, E., Lee, S., & Cho, T. (2021). A Model for Illegal File Access Tracking Using Windows Logs and Elastic Stack. Journal of Information Processing Systems, 17(4), 772-786. DOI: 10.3745/JIPS.03.0162.

[IEEE Style]
J. Kim, E. Jo, S. Lee, T. Cho, "A Model for Illegal File Access Tracking Using Windows Logs and Elastic Stack," Journal of Information Processing Systems, vol. 17, no. 4, pp. 772-786, 2021. DOI: 10.3745/JIPS.03.0162.

[ACM Style]
Jisun Kim, Eulhan Jo, Sungwon Lee, and Taenam Cho. 2021. A Model for Illegal File Access Tracking Using Windows Logs and Elastic Stack. Journal of Information Processing Systems, 17, 4, (2021), 772-786. DOI: 10.3745/JIPS.03.0162.