Towards More Trustable Log Files for Digital Forensics by Means of Trusted Computing

Trustable log data is essential in digital forensic investigations in order to allow reliable reconstruction of events. Existing solutions do not provide adequate protection, exposing the log-producing application to software-based attacks. In this paper we provide a solution based on Trusted Computing using a Trusted Platform Module (TPM) and AMD’s Secure Virtual Machine technology (SVM). While current solutions only protect against manipulation of existing logs, we go one step further by establishing hardware-based trust in the log producing application. Our solution ensures confidentiality, integrity and non-repudiation during creation, storage and transmission of log data.