Log Forensics: 5 Tips for Investigators

Nowadays, almost any kind of device generates some type of logs. Whenever a scheduled or user-triggered action occurs, a log entry is usually generated.

Although the main purpose of logs is debugging and troubleshooting, analyzing logs can also be important for digital forensic experts as they attempt to untangle what’s behind an incident or a digital crime.

There are many types of logs:

  • OS logs
  • Application logs
  • Database logs
  • Network logs
  • etc.

Analyzing them reveals what action has occurred, at what time, and who was using the device at the time of the incident.

You can think of log forensics as a combination of log analytics and computer forensics.

Various purposes of log forensics can include:

  • Tracing a hacker
  • Detecting a vulnerability
  • Disaster recovery

As a digital forensics investigator, knowing the theoretical aspects of the subject matter is a good starting point.

However, awareness alone is not enough. It’s also important to put this knowledge into practice, and that’s why we’ve devised a practical guide to aid you during the investigation.

1. Focus on the primary objective


When focusing on log forensics investigation, it’s really easy to fall into the trap of “going down the rabbit hole” without a structured methodology.

To avoid it, just focus on collecting the essential information to keep on track with the goals.

1. Conserving your time and resources

In other words, collect only the logs that are in some way connected to the incident. This ensures that you will be working with the most relevant information when it’s time to move to the analysis stages of the digital forensic investigation, thus conserving your time and resources.

Of course, making the right judgement call can be a challenging task, especially if you lack the necessary experience in this field. However, you should adopt the mentality of laser-focusing on the objective at hand.

It’s all about maximizing your efficiency.


Maximizing time efficiency is an important factor in every investigation.

2. Avoid general logs and focus on the ones that have to do with a user’s actions

In general, it’s a good idea to focus on collecting any kind of logs that have to do with a user’s actions, but don’t forget about checking various errors, warnings, security alerts, and so forth (in essence, anything that has to do with security or system errors).

3. The right tools of the trade will make your job faster and easier

If you need a leg up in your digital forensics investigation, make sure to arm yourself with the right tools of the trade.

DRS, provided by SalvationDATA, was designed to help you extract data from any computer with just a single click. Then, you can utilize its investigative capacity to quickly search for the exact type of data you’re looking for.

It even works when the hard drive has been damaged.

Have you downloaded your free trial yet?

2. Store the data collected in a manner that is secure and compliant with the regulatory body

If the logs get modified or damaged in any way, this could make the evidence inadmissible in court.

Therefore, it’s of vital importance to the log forensics investigation that you store the logs collected in a high-security environment protected by passwords and under a lock and key so no one can tamper with them.

In case you’ve decided to go wide and collect a wide batch of logs to analyze at a later point, do keep in mind that big data can occupy loads of HDD space, so make sure you have enough space to store them.

Otherwise, you might find yourself in a situation that calls for deleting some of the logs you’ve collected.

Log archiving – every country has a different regulatory body

Furthermore, you should also bear in mind that there might be a regulatory body that dictates how to go about archiving the logs.

To achieve it, always check for the presence of a relevant regulatory body in your country and make sure to stay compliant with their guidelines and policies.

  • It’s crucial to check whether the policy specifies any specific retention period and make your decision based on that.
  • Only choose the longer retention period if you have the resources to back up your decision. This is also a good option if you’re unsure how long the digital investigation process is going to take.

Another reason to pay close attention to how you store the logs you’ve extracted is to be able to prove that they are genuine, which matters a great deal for the chain of custody.

To name a few measures: encryption, time stamping, etc.
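One way to make later modification of stored logs detectable, shown as an added example that is not from the original article or from any tool it mentions: a manifest that records a SHA-256 digest per log file plus the collection time, sealed with an HMAC. Hashing and the keyed seal are techniques chosen for this sketch; the file names, log contents and key are constructed, and in practice the key would be kept apart from the evidence store.

```python
import hashlib
import hmac
import json

# Constructed sample evidence: file name -> raw bytes as collected.
SAMPLE_LOGS = {
    "auth.log": b"2024-03-02T01:58:11Z ws-07 sshd: Accepted password for jdoe\n",
    "syslog": b"2024-03-02T02:11:00Z db-01 cron: (root) CMD (logrotate)\n",
}
SAMPLE_KEY = b"constructed-demo-key"  # assumption: held by the evidence custodian


def seal_for(body: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the manifest body."""
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(logs: dict, key: bytes, collected_at: str) -> dict:
    """Record one digest per file and the collection timestamp, then seal both."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in logs.items()}
    body = {"collected_at": collected_at, "sha256": digests}
    return {**body, "seal": seal_for(body, key)}


def verify(logs: dict, manifest: dict, key: bytes) -> list:
    """Return a list of problems; an empty list means the evidence is unchanged."""
    problems = []
    body = {"collected_at": manifest["collected_at"], "sha256": manifest["sha256"]}
    if not hmac.compare_digest(seal_for(body, key), manifest["seal"]):
        problems.append("manifest: seal mismatch")
    for name, digest in manifest["sha256"].items():
        if name not in logs:
            problems.append(f"{name}: missing")
        elif hashlib.sha256(logs[name]).hexdigest() != digest:
            problems.append(f"{name}: modified")
    for name in logs:
        if name not in manifest["sha256"]:
            problems.append(f"{name}: not in manifest")
    return problems


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_LOGS, SAMPLE_KEY, "2024-03-02T10:00:00Z")
    print(verify(SAMPLE_LOGS, manifest, SAMPLE_KEY))
```
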

During the investigation, you must ensure full regulatory compliance.

3. Begin your log forensics investigation by following a clue


During the process of log forensics, there’s probably a giant pile of data in front of you, so don’t just check things mindlessly.

Instead, start with what you know and let the clues guide you.

Eventually, this will guide you down the road of discovery as you uncover the cause of the incident.

Ask questions like:

  • When did the incident occur?
  • If there are multiple devices involved, do you know which one you should check first?
  • What clues do you currently have? The username, IP address…?

Write them down.

If, for example, you have an exact time window of the attack, you can simply rule out all the logs that don’t match the criteria and narrow down your search to the valid ones.

If you know the username, that’s another filter you can use to narrow down your search even further.

4. Stick to a workflow


Optimizing the process of digital forensics comes down to creating a workflow that lets you focus on the essentials and not lose time trying to overthink things. This will lead you to the right answers in the quickest and most efficient manner possible.

Let’s make an assumption.

  1. Have you received a report to guide you? This can give you some initial hints as to where you should begin your search.
  2. If you uncover a clue, let it guide you and investigate further.
  3. Think of it as developing your own system and refining it based on new variables that come into play.
  4. Keep doing this until you get a clear overall picture of:
    • How the incident happened
    • Who’s behind it
    • What devices were involved
    • etc.

To better understand, let’s say you identified a user who had no business using a device:

  • Step 1: Follow the trail.
  • Step 2: Review everything they did.
  • Step 3: If you lose the path in front of you, check whether the same user has an account on another device.
  • Step 4: Don’t forget to check all logs pertaining to that user, including system logs, security logs, and others.
  • Step 5: See if the same user compromised other devices too.
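The time-window and username filters from tip 3 and the cross-device pivot in the steps above, combined in one added example (not part of the original article or of any tool it mentions). The log format, host names, user names and addresses are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: merged log lines from two hosts, deliberately unsorted.
SAMPLE = """\
2024-03-02T01:58:11Z ws-07 sshd: Accepted password for jdoe from 203.0.113.9
2024-03-02T02:03:40Z ws-07 sudo: jdoe : COMMAND=/usr/bin/cat /etc/shadow
2024-03-02T02:05:02Z ws-07 sshd: Failed password for backup from 198.51.100.4
2024-03-02T02:12:45Z db-01 sudo: jdoe : COMMAND=/usr/bin/mysqldump --all-databases
2024-03-02T02:10:19Z db-01 sshd: Accepted password for jdoe from 10.0.0.17
2024-03-02T09:30:00Z ws-07 sshd: Accepted password for jdoe from 10.0.0.17
2024-03-02T02:11:00Z db-01 cron: (root) CMD (logrotate)
"""

LINE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")


def ts(text):
    """Parse the sample's UTC timestamp format into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            events.append({"time": ts(m[1]), "host": m[2], "service": m[3], "msg": m[4]})
    return events


def timeline(events, user, start, end):
    """Keep events inside the window that mention the user, in time order."""
    pattern = re.compile(rf"\b{re.escape(user)}\b")
    hits = [e for e in events if start <= e["time"] <= end and pattern.search(e["msg"])]
    return sorted(hits, key=lambda e: e["time"])


def hosts_in_order(hits):
    """Devices the user touched, in the order they first appear."""
    seen = []
    for e in hits:
        if e["host"] not in seen:
            seen.append(e["host"])
    return seen


if __name__ == "__main__":
    window = (ts("2024-03-02T01:30:00Z"), ts("2024-03-02T03:00:00Z"))
    for e in timeline(parse(SAMPLE), "jdoe", *window):
        print(e["time"].isoformat(), e["host"], e["service"], e["msg"])
```
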

Focus your efforts on tracking down a suspicious user’s actions.

5. Stick to the best practices of writing an incident report


Before the log forensics investigation is complete, you’re going to need to write an incident report. While doing so, it’s important to follow the best industry practices and make sure to list every relevant piece of information you’ve discovered during the cyber forensics process.

This will allow you to present all the specifics to those who have the right to be in the know. At the same time, having an incident report on hand is an important step to take if you want to make sure the court renders the evidence admissible.

You also have the option of sharing the report with those affected by the incident so they can identify the point of attack and bolster their cyber security defenses to ensure nothing similar ever happens again.

Don’t know how to write an incident report or don’t have the time to do it? If you need help, you can have it auto-generated by the right software such as SalvationDATA’s DRS that’s fully compliant with the legal standards.

By doing so, you will be able to utilize the manpower you have available to solve more cases rather than having to spend countless hours on bureaucracy.

Having the right log forensics tool can make all the difference


When you’re in the middle of a log forensics investigation, you don’t want to find yourself in a situation where you’d have to spend too much time and resources collecting and analyzing everything manually.

Wouldn’t it be nice if there was a way to automate the computer forensics process?

With DRS (Data Recovery System), you will not only find the exact logs you’re looking for in a matter of seconds, but also be able to:

  • Extract the logs with a single click
  • Automatically search almost every type of computer, smart device, or storage device
  • Enjoy a free trial to test it out at your leisure
  • Perform the log extraction in a forensically sound manner
  • Generate a report that is fully admissible in court
  • Recover data even if the hard drive is damaged
  • Fully scan all file systems, including FAT32, NTFS, HFS, EXT2/3/4, etc.
  • Diagnose the state of the drive
  • Efficiently search all types of storage media, including memory sticks, voice recorders, USB flash drives, etc.
  • Utilize a cutting-edge log forensics tool that works on Windows, Mac, and Linux
  • Get dedicated 24/7 support to answer all of your queries

You’ll be pleased to know that DRS is much more cost-effective than all of the competing digital forensics solutions on the market.

So what are you waiting for?

Just get your free trial now and evaluate the software thoroughly during your cases.


Just like any other digital forensic process model, log forensics is a discipline that takes practice.

By sticking to a proven workflow and following the best industry practices, you’re going to uncover the answers in the most time-efficient manner possible.

Throw some specialized digital forensics software into the mix, and it’s only a matter of time before you get to shine some light on the truth.