Intrusion detection systems alert the system administrators of intrusions but, in most cases, do not provide details about which system events are relevant to the intrusion and how the system events are related. We consider intrusions of file systems. Existing tools, like BackTracker, help the system administratorbacktrack from the detection point, which is a file with suspicious contents, to possible entry points of the intrusion by providing a graph containing dependency information between the various files and processes that could be related to the detection point. We improve such backtracking techniques by logging certain additional parameters of the file system during normal operations (real-time) and examining the logged informationduring the analysis phase. In addition, we use data flow analysis within the processes related to the intrusion to prune unwanted paths from the dependency graph. This results in significant reduction in search space, search time, and false pos...