Forensic Analysis on Encrypted Audit Logs with FA-SEAL
If you work in cybersecurity, you are already familiar with the scale and complexity of audit data.
Cyberattacks continue to increase in frequency and sophistication, resulting in billions of dollars in losses each year. When incidents occur, one of the most critical sources of evidence for understanding what happened is the audit log.
Audit logs capture fine-grained system activity including file accesses, process creation, inter-process communication, and network connections. They are indispensable for incident response and forensic analysis. At the same time, they are voluminous: a single host can easily generate over one million log entries per day.
To manage this scale, many organizations now rely on cloud-based log storage, which can be significantly more cost-effective than on-premises solutions. However, this shift introduces a fundamental tension between security, privacy, and forensic utility.
The Decryption Dilemma
To comply with security best practices and standards such as those recommended by NIST, audit logs must be encrypted before leaving organizational control. Encryption is essential for protecting sensitive operational data from breaches, misuse, and insider threats.
However, this protection becomes problematic during incident response.
Investigating security incidents such as malware infections, data exfiltration, or insider abuse requires causality analysis: determining how events are related, which processes initiated specific actions, and how an attack propagated through the system.
In practice, performing such analysis on encrypted audit logs typically requires full decryption of the data.
This approach poses a serious privacy risk. Full decryption exposes large amounts of information unrelated to the incident under investigation, including user identities, internal workflows, proprietary data, and business-sensitive operations. When forensic analysis is outsourced to third-party investigators, organizations are effectively required to disclose far more information than is necessary to reconstruct the attack.
This leads to a fundamental question:
Can forensic investigations be performed while revealing only the data relevant to the incident—without sacrificing analytical accuracy?
Introducing FA-SEAL
In our paper, FA-SEAL: Forensically Analyzable Symmetric Encryption for Audit Logs, we address this problem directly.
FA-SEAL is a system designed to support full-fidelity forensic analysis on encrypted audit logs. Rather than decrypting entire log archives, FA-SEAL enables selective disclosure of only those log entries that are causally related to a security incident, while keeping all unrelated data encrypted.
FA-SEAL consists of two main phases: Ingestion and Analysis.
Ingestion
Instead of encrypting logs as a monolithic archive, FA-SEAL applies segmentation and clustering to partition audit logs into manageable units.
During ingestion, logs are:
- Indexed for efficient access
- Encoded to reduce redundancy
- Encrypted using symmetric cryptography
This design supports near real-time ingestion and significantly reduces storage overhead. In our evaluation, FA-SEAL achieved an average 87.3% reduction in log size.
Privacy-Preserving Forensic Analysis
When an investigation is initiated, analysts query FA-SEAL rather than decrypting logs wholesale.
FA-SEAL performs recursive causal tracking over encrypted data:
- When a suspicious object (e.g., a file) is identified, FA-SEAL locates the encrypted segment containing the relevant access event.
- Only that segment is decrypted to identify the responsible process.
- The system then follows the causal relationships forward and backward to determine the scope and impact of the activity.
This process continues until the complete attack path is reconstructed.
The result is a causal graph that is equivalent to what would be obtained through full decryption—without exposing unrelated audit data.
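As an added illustration of both phases (not the paper's code or its cryptographic construction), the Python below models ingestion (segment, index, encrypt) and analysis (recursive backward and forward tracking that decrypts only the segments the causal chain reaches) on a constructed audit trail. The HMAC keystream cipher stands in for a real symmetric scheme, and the plaintext name index is a simplifying assumption.

```python
import hashlib, hmac, json
from collections import defaultdict

# Constructed sample audit trail (not from the paper): (subject, action, object).
# Process names double as the file that launched them, to keep the graph short.
EVENTS = [
    ("browser", "write", "dl.bin"), ("dl.bin", "write", "stage2"),
    ("stage2", "read", "secrets.db"), ("stage2", "write", "exfil.tar"),
    ("backup", "read", "payroll.xls"), ("backup", "write", "payroll.bak"),
    ("editor", "write", "notes.txt"), ("mailer", "read", "notes.txt"),
]
SEG_SIZE = 2  # events per encrypted segment (assumed; real segments are far larger)

def seal(key, seg_id, data):
    """Stand-in symmetric cipher: XOR with an HMAC keystream bound to seg_id.
    Placeholder for a real AEAD; XOR makes seal() its own inverse."""
    ks = b"".join(hmac.new(key, f"{seg_id}:{i}".encode(), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def ingest(events, key, seg_size=SEG_SIZE):
    """Ingestion: segment, index by object/process name, encrypt each segment."""
    store, index = {}, defaultdict(set)
    for seg_id, start in enumerate(range(0, len(events), seg_size)):
        chunk = events[start:start + seg_size]
        store[seg_id] = seal(key, seg_id, json.dumps(chunk).encode())
        for subj, _, obj in chunk:
            index[subj].add(seg_id); index[obj].add(seg_id)
    return store, index

def investigate(store, index, key, seed):
    """Analysis: track causality backward and forward from `seed`, decrypting a
    segment only when the chain reaches it. Returns (edges, decrypted seg ids)."""
    opened = {}  # seg_id -> decrypted events; each segment is opened at most once
    def edges_touching(node):
        for seg_id in index.get(node, ()):
            if seg_id not in opened:
                opened[seg_id] = json.loads(seal(key, seg_id, store[seg_id]))
            for subj, op, obj in opened[seg_id]:
                yield (obj, subj) if op == "read" else (subj, obj)  # information flow
    found, seen = set(), set()
    def walk(node, backward):
        if (node, backward) in seen: return
        seen.add((node, backward))
        for src, dst in list(edges_touching(node)):
            if (dst if backward else src) == node:
                found.add((src, dst))
                walk(src if backward else dst, backward)
    walk(seed, True); walk(seed, False)
    return found, set(opened)
```

Starting from `exfil.tar`, only the two segments on the attack path are decrypted; the backup and editor activity stays sealed, which is the exposure figure the evaluation reports in aggregate.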
Evaluation and Implications
We evaluated FA-SEAL using audit logs containing embedded attack scenarios. Our results demonstrate that FA-SEAL achieves strong performance across scalability, accuracy, and privacy:
- Scalability: Processed 30 GB of daily audit logs in 1 hour and 28 minutes
- Accuracy: Generated causal graphs that were identical to those produced by fully decrypted baselines
- Privacy: Exposed only 0.68% of audit log entries during forensic investigations
Taken together, these results demonstrate that forensic visibility and data privacy need not be a zero-sum trade-off. FA-SEAL shows that organizations can securely store audit logs in encrypted form, enable accurate and complete forensic investigations, and drastically limit the amount of sensitive information revealed, even when analysis is performed by third-party investigators.
As reliance on cloud infrastructure and external security services continues to grow, this capability becomes increasingly critical. FA-SEAL provides a practical foundation for conducting trustworthy forensic analysis without treating encrypted audit logs as forensic dead ends.
Learn More
If you’re interested in the technical details, cryptographic construction, or reproducing our experiments, the code and datasets are available on GitHub.
This work is based on the paper “FA-SEAL: Forensically Analyzable Symmetric Encryption for Audit Logs” by Basanta Chaulagain and Kyu Hyung Lee, University of Georgia.