In the operation of computing systems, log files provide diagnostic information about the operation of one or more software programs and often provide information about the activities of users who access the computing system. Since log files maintain a record of past activity, these files are commonly used in computer forensics and auditing to identify malfunctions in the operation of software programs and to identify the presence and activities of intruders if a computing system is attacked. Because they provide information about the current and past states of systems, audit logs are invaluable parts of system security. The forensic value of audit logs makes them an attractive target for attackers. For instance, an active attacker who controls a logging machine can read and/or modify log messages related to the past and erase records of the attacker's previous break-in attempts.
Protection of the integrity and authentication of audit logs to valid parties, while preventing access to or corruption of the logs in the presence of active attackers, is important during forensic analysis of a computing system. Due to their significant forensic value, the confidentiality of audit logs is also very important and should be protected against active adversaries. In particular, the ability to perform searches on audit logs without compromising their privacy, authentication, and integrity, even in the presence of an active attacker, is a highly desirable but very challenging research task. Consequently, improvements to the generation and access of audit logs in computing systems would be beneficial.