The purpose and use of log files have been a topic of discussion in most in-depth forensic articles I've read. To this end, I've called upon Mike Fowler, a master trainer at Guidance Software*, to speak on the topic of log files and forensics.
"What value do log files have to a forensic investigator using a forensic tool? In the case of EnCase Enterprise (Guidance Software's Enterprise tool), log files can be viewed regardless of whether or not they have been deleted or exist in allocated filespace. These details, commonly referred to as 'System Artifacts', assist the examiner in determining not only the breadth and scope of an investigation, but also allow them to target locations on the suspect drive that contain items of evidentiary value."
On the subject of performance sacrifice, Fowler continues, "Like any networked application, forensic tools will utilize as much bandwidth as the system administrator will allow them to accomplish their job. Performance is dependent more on network topology than on any bandwidth throttling issues."
Discussing the 'old school' means of gathering evidence from the network, Fowler offers, "Logging is the cornerstone of any comprehensive security plan. The presence (and validity) of system logs can frequently mean the difference between suspect identification and suspect anonymity. Forensic tools are not meant to take the place of generating and maintaining system logs; they are intended to complement and enhance that system, used in conjunction with the gleaned information. A forensic solution can track and correlate log reports of user activity on a given computer during simple or complex network investigations."
Also of note is the topic of scripting to perform investigations on a large-scale network. Customized scripts, coded by the IT system administrator, have been brought up as a possible alternative to using a forensic toolkit. While properly coded scripts are of great use to investigators in gathering data from unattended areas of the network, they are a complement to, and not a substitute for, a good forensic solution.