DF-LogGraph: An Explainable GraphRAG-Based Framework for Digital Forensic Log Analysis 


Vol. 14,  No. 12, pp. 1022-1029, Dec.  2025
10.3745/TKIPS.2025.14.12.1022


PDF
  Abstract

In digital forensics, logs serve as critical evidence for reconstructing the timing of incidents and the activities of actors. Previous studies have mainly focused on anomaly detection or single-event explanations, without extending toward actor-centric timeline reconstruction or legally admissible explainable analyses that preserve temporal continuity and session context. To address these limitations, we propose DF-LogGraph, a framework that normalizes logs into Actor, Action, Target, Time, and Session slots, and transforms them into a log-graph to enable structured narrative modeling. In the query stage, DF-LogGraph applies GraphRAG with temporal and session constraints to selectively retrieve relevant sessions and subgraphs. In the generation stage, it enforces line ID/session citations, Minimal Sufficient Evidence Sets (MSES), and counterfactual validation to mitigate hallucinations and logical contradictions. Experiments on the LogHub–HDFS and UNSW-NB15 datasets show that DF-LogGraph consistently outperforms BM25 (keyword-based) and a Hybrid baseline (BM25 ∪ TF-IDF) in terms of Evidence F1@10 and Session Accuracy@10, while maintaining practical mean latency for interactive analysis. Moreover, it improves evidence coverage, reduces hallucination rates, and ensures causal consistency through counterfactual validation. These results demonstrate that DF-LogGraph goes beyond improving retrieval accuracy: it enhances actor-centric timeline reconstruction, reinforces session and temporal coherence, and ensures explainability with legal reliability positioning itself as a next-generation framework for digital forensic log analysis.

  Statistics
  Cite this article

[IEEE Style]

J. I. Lee and M. Min, "DF-LogGraph: An Explainable GraphRAG-Based Framework for Digital Forensic Log Analysis," The Transactions of the Korea Information Processing Society, vol. 14, no. 12, pp. 1022-1029, 2025. DOI: 10.3745/TKIPS.2025.14.12.1022.

[ACM Style]

Jeong In Lee and Moohong Min. 2025. DF-LogGraph: An Explainable GraphRAG-Based Framework for Digital Forensic Log Analysis. The Transactions of the Korea Information Processing Society, 14, 12, (2025), 1022-1029. DOI: 10.3745/TKIPS.2025.14.12.1022.

Forms

Search
(IN TITLE, AUTHOR, ABSTRACT,KEYWORDS)

Advanced Search

POPULAR KEYWORDS
(TOP 10 KEYWORDS)

Recent Publications
(LAST 3 YEARS)

Old Journals

Indexing

All publications of TKIPS is indexed in DOI, EBSCO, Google Scholar, Crossref, and CrossCheck.

TKIPS is also selected as the Journal for Accreditation by NRF (National Research Foundation of Korea).

Related Journals