We present a post-mortem log analysis method based on Temporal Logic (TL), Event Processing Language (EPL), and reconstruction approach. After showing that the proposed method could be adapted to any misuse event or attack, we specifically investigate the case of web server misuses. To this end, we examine 5 different misuses on Wordpress web servers, and generate corresponding log files of these attacks for forensic analysis. Then we establish attack patterns and formalize them by means of a special case of temporal logic, i.e. many sorted first order metric temporal logic (MSFOMTL). Later on, we implement these attack patterns in the EPL, and performed experimental log analysis by using a time window mechanism sliding on sorted log records to evaluate effectiveness and efficacy of our proposed method. We found that our approach is potentially capable of providing a platform where investigators can define/store/share misuse patterns using a common language while providing fast and accurate forensic analysis on large log files
