The Kerf approach contributes five key components to the process of intrusion analysis. First, Kerf's logging facility securely records log entries away from the client hosts that may be attacked. Second, the logs are stored in an indexed database for quick and sophisticated retrieval. Third, we designed a query language, called SawQL, for intrusion analysis; it allows the sysadmin to express analysis hypotheses to the Kerf tools. Fourth, a graphical user interface includes visualization modules that can display the results in a compact, meaningful view. Finally, the hypothesis engine helps to automate the process of generating, refining, expanding, extrapolating, and generalizing hypotheses.