I Introduction
From the traces left by criminals, detectives and computer forensic specialists figure out critical evidence of the crimes. In auditing log file investigations, the data examined may not contain the contents but just discloses activities that were electronically conducted by the criminals. In this paper, our primary concerns mostly address the auditing log files, that is, we are only concerned with users' activities and determine the meaning of the sequence of the activities indirectly. Indeed, only retrieving the user's malicious activities from the auditing log files is very challenging, but the use of these techniques is very practical in criminal investigations. Many related work can be referred to [1]–[59].