Large Scale Network Forensics - It’s not just for Law Enforcement Anymore
by Melisa LaBancz - IT Journalist - Thursday, 20 March 2003.
Regardless of whether a computer forensic tool is installed on the network, one thing that can be audited on every system is its log files. Time-consuming and difficult to synthesize in massive amounts, log files have always been available to system administrators for customization, long before the advent of computer forensics. This is where the perceived "evils" of computer forensics must be addressed. The ways and means to monitor workflow and information exchange on computers have been there since their inception, on every system and with every user. Most companies employ some sort of log file audit process of their own. As with forensics, specific actions and events are chosen to be log-worthy; trying to log every event on a system would adversely affect performance and isn't practical. As for the implied human-rights or privacy violations of computer forensics, there isn't anything magical or nefarious about the process, other than that finding critical data has been made much easier and has been automated.

The purpose and use of log files has been a topic of discussion in most in-depth forensic articles I've read. To this end, I've called upon Mike Fowler, a master trainer at Guidance Software*, to speak on the topic of log files and forensics.

"What value do log files have to a forensic investigator using a forensic tool? In the case of EnCase Enterprise (Guidance Software's Enterprise tool), log files can be viewed regardless of whether or not they have been deleted or exist in allocated filespace. These details, commonly referred to as 'System Artifacts', assist the examiner in determining not only the breadth and scope of an investigation, but also allow them to target locations on the suspect drive that contain items of evidentiary value."

On the subject of performance sacrifice, Fowler continues, "Like any networked application, forensic tools will utilize as much bandwidth as the system administrator will allow it to accomplish its job. Performance is dependent more on network topology than on any bandwidth throttling issues."

Discussing the 'old school' means of gathering evidence from the network, Fowler offers, "Logging is the cornerstone of any comprehensive security plan. The presence (and validity) of system logs can frequently mean the difference between suspect identification and suspect anonymity. Forensic tools are not meant to take the place of generating and maintaining system logs; they are intended to complement and enhance that system, used in conjunction with the gleaned information. A forensic solution can track and correlate log reports of user activity on a given computer during simple or complex network investigations."

Customized Scripts

Also of note is the topic of scripting to perform investigations on a large-scale network. Customized scripts, coded by the IT system administrator, have been brought up as a possible alternative to a forensic toolkit. While properly coded scripts are of great use to investigators in gathering data from unattended areas of the network, they are a complement to, and not a substitute for, a good forensic solution.
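As an added illustration of the kind of custom audit script this section describes, and of the correlation of user activity across log reports that Fowler mentions above, the Python below was written for this edit; it is not code from the article, from Guidance Software or from EnCase. The hostnames, user names and syslog-style lines are constructed. The script keeps only the events judged log-worthy (selective logging, as the opening paragraph notes), orders them per user across hosts, flags a failed-login-then-privilege-use sequence, and records a SHA-256 digest of the raw collected text so the copy can later be verified against the original.

```python
"""Small log-audit script of the kind a system administrator might write.

Added example for this article, not part of it. All log lines and hosts
below are constructed for illustration.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style lines from two hypothetical hosts (ws-01, ws-02).
SAMPLE_LOGS = """\
Mar 20 08:01:12 ws-01 sshd[2201]: Failed password for alice from 10.0.0.7 port 51022 ssh2
Mar 20 08:01:15 ws-01 sshd[2201]: Failed password for alice from 10.0.0.7 port 51022 ssh2
Mar 20 08:01:19 ws-01 sshd[2201]: Accepted password for alice from 10.0.0.7 port 51022 ssh2
Mar 20 08:02:03 ws-01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd svc-tmp
Mar 20 08:05:44 ws-02 cron[411]: (root) CMD (run-parts /etc/cron.hourly)
Mar 20 08:06:10 ws-02 sshd[3310]: Accepted publickey for bob from 10.0.0.9 port 40010 ssh2
"""

# Generic syslog layout: timestamp, host, process[pid]: message
LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Only these event kinds are treated as log-worthy for the audit;
# everything else (e.g. routine cron runs) is dropped.
EVENT_PATTERNS = {
    "auth_failure": re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)"),
    "auth_success": re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"),
    "privilege_use": re.compile(
        r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
    ),
}


def parse_line(line, year=2003):
    """Parse one syslog line into an event dict, or None if it is not audited."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for kind, pat in EVENT_PATTERNS.items():
        em = pat.search(m["msg"])
        if em:
            # syslog omits the year, so the caller supplies it.
            ts = datetime.strptime(
                f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
            )
            return {"ts": ts, "host": m["host"], "kind": kind, **em.groupdict()}
    return None


def correlate_by_user(text):
    """Group audited events per user, in time order, across every host."""
    events = [e for e in (parse_line(ln) for ln in text.splitlines()) if e]
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_user[e["user"]].append(e)
    return dict(by_user)


def flag_failed_then_privileged(by_user, window_seconds=300):
    """Users with privilege use within the window after a failed login."""
    flagged = []
    for user, evs in by_user.items():
        failures = [e["ts"] for e in evs if e["kind"] == "auth_failure"]
        for e in evs:
            if e["kind"] == "privilege_use" and any(
                0 <= (e["ts"] - f).total_seconds() <= window_seconds for f in failures
            ):
                flagged.append(user)
                break
    return flagged


def evidence_digest(text):
    """SHA-256 of the raw collected text, noted so the copy can be verified later."""
    return hashlib.sha256(text.encode()).hexdigest()


if __name__ == "__main__":
    grouped = correlate_by_user(SAMPLE_LOGS)
    for user, evs in grouped.items():
        print(user, [(e["ts"].time().isoformat(), e["host"], e["kind"]) for e in evs])
    print("flagged:", flag_failed_then_privileged(grouped))
    print("digest:", evidence_digest(SAMPLE_LOGS))
```

The digest is computed over the text exactly as collected; if the script is pointed at real files, hash the file bytes before any parsing so the recorded value matches what was actually gathered.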

Copyright 1998-2013 by Help Net Security.