Abstract
Computer forensic analysis, intrusion detection and disaster recovery all depend on the existence of trustworthy log files. Current storage systems for such log files are generally prone to modification attacks, especially by an intruder who wishes to wipe out the trail he leaves during a successful break-in. In light of recent advances in storage capacity and the sharp drop in prices of storage devices, as well as the demand for trustworthy storage systems, it is timely to design and develop fast storage systems that have practically no limit in capacity and admit "secure append-only" operations (namely, data can only be appended to a storage device; once appended, it can no longer be modified, and it can be read out by authorized users only). This paper reports some preliminary findings in our research into building a secure append-only storage system. It discusses a possible secure append-only storage architecture that could be used to detect and prevent deletion or modification by inside or outside attackers. A specific implementation of the architecture based on block device drivers and magnetic storage firmware is also presented.