Log files are the system’s diary. Every operating system, web server, network device, and security tool generates logs that record activity — logins, file access, network connections, errors, and security events.
For forensic investigators, logs provide timeline evidence that can place users at specific times, document unauthorized access, and establish the sequence of events in an incident.
Windows Event Logs
Windows maintains structured event logs in EVTX format (`%SystemRoot%\System32\winevt\Logs\*.evtx`), readable in Event Viewer, with `Get-WinEvent`, or in forensic tools. Key logs:
- Security: Authentication events, account management, policy changes, and privilege use. Usually the most valuable log in an investigation, but it only contains the audit categories the system's audit policy enables, so check the policy before concluding that an activity did not happen.
- System: OS events, service starts and stops, service installations (7045), driver failures, hardware events, and Event Log service start/stop.
- Application: Events generated by installed software.
- Microsoft-Windows-PowerShell/Operational: PowerShell execution. Event ID 4104 records the script content when Script Block Logging is enabled; 4103 records pipeline execution when Module Logging is enabled. Critical for detecting PowerShell-based attacks.
- Microsoft-Windows-TerminalServices-LocalSessionManager/Operational and -RemoteConnectionManager/Operational: Remote Desktop connection and session events. LocalSessionManager 21 (logon), 24 (disconnect), and 25 (reconnect) carry the source address; RemoteConnectionManager 1149 shows that a connection reached the RDP listener, but despite its title it does not by itself prove a successful authentication.

Critical Windows Event IDs
These event IDs appear most commonly in forensic investigations:
| Event ID | Log | Meaning |
|---|---|---|
| 4624 | Security | Successful logon; includes account name, logon type, source IP and workstation name |
| 4625 | Security | Failed logon; repeated failures from one source show brute-force patterns, and the Status/SubStatus codes say why (bad password, unknown user, locked out) |
| 4648 | Security | Logon with explicit credentials (runas, or a remote tool passing alternate credentials) |
| 4672 | Security | Special privileges assigned at logon (administrative or system-level account) |
| 4720 | Security | User account created |
| 4726 | Security | User account deleted |
| 4732 | Security | Member added to a security-enabled local group such as Administrators (4728 is the domain global group equivalent) |
| 4776 | Security | NTLM credential validation by the domain controller or the local SAM |
| 4778 | Security | Session reconnected (Remote Desktop or fast user switching) |
| 4779 | Security | Session disconnected |
| 7045 | System | Service installed (a common malware persistence mechanism) |
| 4698 | Security | Scheduled task created (another persistence mechanism) |
Logon types in Event 4624 (the LogonType field):
- 2: Interactive (console logon)
- 3: Network (SMB share access, WMI, most remote administration tools)
- 4: Batch (scheduled task)
- 5: Service (service startup)
- 7: Unlock (workstation unlock)
- 8: NetworkCleartext (credentials sent in clear text, e.g. IIS basic authentication)
- 9: NewCredentials (`runas /netonly`; usually paired with a 4648)
- 10: RemoteInteractive (Remote Desktop / Terminal Services)
- 11: CachedInteractive (domain logon with cached credentials, no domain controller reachable)
Log Retention and Gaps
Windows Event Logs have a configurable maximum size (log Properties in Event Viewer). When a log is full it either overwrites the oldest events (the default), archives the full file and starts a new one, or stops recording until it is cleared manually (rare). Default sizes are often inadequate: a busy system can roll its Security log over in hours, so by the time an incident is noticed the relevant events may already be gone.
Investigating log gaps:
- Event ID 1102 in the Security log ("The audit log was cleared") and 104 in the System log record a manual clear, including the account that performed it.
- Event IDs 6005 and 6006 (Event Log service started/stopped) and 1100 (event logging service shut down) bracket periods in which nothing could have been recorded.
- A jump in EventRecordID between consecutive records of one channel means records are missing from that export; a stretch with none of the events that normally recur (service state changes, scheduled-task logons) points to rollover or tampering.
- Time-stamp anomalies: events out of order, or a 4616 ("The system time was changed") near the period of interest.
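The detection logic that the event-ID table and the gap indicators above describe, applied to constructed Security-log records in the XML schema that Event Viewer's Save As and PowerShell's `Get-WinEvent ... | ForEach-Object { $_.ToXml() }` produce. This is an added example, not code from the original page or from Octo Digital Forensics; the sample records, host name, IP address and the five-failures-in-ten-minutes threshold are constructed for illustration.

```python
"""Triage of exported Windows Security events: brute force, RDP logons, log gaps.

Constructed sample data; the XML follows the schema Event Viewer (Save As XML)
and Get-WinEvent's .ToXml() emit, so parse_event() also works on real exports."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# LogonType values of Event 4624 that matter most in investigations.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}


def event_xml(record_id, event_id, when, **data):
    """Build one event record (constructed test data, not a real capture)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{when}Z"/>'
            f'<EventRecordID>{record_id}</EventRecordID><Channel>Security</Channel>'
            f'<Computer>WS01.corp.example</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


def parse_event(xml_text):
    """Flatten one <Event> into a dict: System header fields plus every EventData <Data Name=...>."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{NS}System")
    stamp = system.find(f"{NS}TimeCreated").get("SystemTime")
    rec = {"record_id": int(system.findtext(f"{NS}EventRecordID")),
           "event_id": int(system.findtext(f"{NS}EventID")),
           # Real exports carry 100 ns fractions and a trailing Z; keep seconds, treat as UTC.
           "time": datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")}
    for d in root.iter(f"{NS}Data"):
        rec[d.get("Name")] = d.text
    return rec


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """A 4624 preceded by >= threshold 4625s from the same source IP within `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] in (4624, 4625) and e.get("IpAddress") not in (None, "-"):
            by_ip[e["IpAddress"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        failures = []
        for e in sorted(evs, key=lambda x: x["time"]):
            if e["event_id"] == 4625:
                failures.append(e["time"])
                continue
            recent = [t for t in failures if e["time"] - t <= window]
            if len(recent) >= threshold:
                findings.append({"ip": ip, "user": e.get("TargetUserName"), "failures": len(recent),
                                 "success_at": e["time"],
                                 "logon_type": LOGON_TYPES.get(int(e.get("LogonType", 0)), "unknown")})
            failures = []  # a success ends the burst; start counting afresh
    return findings


def rdp_logons(events):
    """Every 4624 with LogonType 10: a Remote Desktop logon with its source address."""
    return [{"time": e["time"], "user": e.get("TargetUserName"), "ip": e.get("IpAddress")}
            for e in events if e["event_id"] == 4624 and e.get("LogonType") == "10"]


def log_integrity(events):
    """Gap indicators: explicit clear events (1102) and EventRecordID discontinuities.
    Record-ID gaps are only meaningful for a complete, unfiltered export of one channel."""
    ordered = sorted(events, key=lambda e: e["record_id"])
    gaps = [(a["record_id"], b["record_id"]) for a, b in zip(ordered, ordered[1:])
            if b["record_id"] != a["record_id"] + 1]
    return {"record_gaps": gaps, "cleared_at": [e["time"] for e in events if e["event_id"] == 1102]}


def sample_events():
    """Constructed export: a password-guessing burst, an RDP admin logon, missing records, a log clear."""
    raw = [event_xml(1000 + i, 4625, f"2024-03-05T10:00:{5 * i:02d}", TargetUserName="Administrator",
                     LogonType=3, IpAddress="203.0.113.7", Status="0xC000006D") for i in range(6)]
    raw.append(event_xml(1006, 4624, "2024-03-05T10:00:40", TargetUserName="Administrator",
                         LogonType=10, IpAddress="203.0.113.7"))
    raw.append(event_xml(1007, 4672, "2024-03-05T10:00:40", SubjectUserName="Administrator"))
    raw.append(event_xml(1008, 4624, "2024-03-05T10:02:00", TargetUserName="jdoe", LogonType=2, IpAddress="-"))
    # Records 1009-1019 are absent, then the audit log is cleared (a real 1102 names the
    # clearing account under UserData/LogFileCleared rather than EventData).
    raw.append(event_xml(1020, 1102, "2024-03-05T10:45:00"))
    return [parse_event(x) for x in raw]


if __name__ == "__main__":
    evs = sample_events()
    for f in brute_force_then_success(evs):
        print(f"brute force: {f['failures']} failures then {f['logon_type']} logon as {f['user']} from {f['ip']}")
    for r in rdp_logons(evs):
        print(f"RDP logon: {r['user']} from {r['ip']} at {r['time']:%H:%M:%S}")
    print("integrity:", log_integrity(evs))
```

The two integrity checks are deliberately independent: an attacker who clears the log leaves a 1102 behind, while one who deletes individual records from a copy (or an examiner who exports with a filter) leaves record-ID gaps with no 1102, so read the gap list only against an unfiltered export of a single channel.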

Web Server Logs
Apache, Nginx, IIS, and other web servers log every HTTP request. Key fields (Apache/Nginx "combined" format; IIS W3C logs carry the same information in different columns):
- Client IP address, or the address of a reverse proxy or load balancer in front of the server, in which case the real client is in the X-Forwarded-For header and is only recorded if the log format includes it
- Timestamp with time zone offset
- Request line: method, URI including the query string, protocol version
- HTTP status code (bursts of 404s indicate scanning; a 200 on an attack payload indicates the request was served)
- Response size in bytes (unusually large transfers support a data-theft theory)
- Referer and User-Agent (tool signatures such as sqlmap, curl, or python-requests)
Request bodies are not logged by default, so injection payloads sent in a POST body do not appear in the access log; the error log and any application log must be checked for those.
Web server logs are used to:
- Reconstruct an attacker's requests in order: reconnaissance, exploitation attempt, follow-up access
- Identify the URL or parameter that was attacked and whether the attempt returned a success status
- Estimate what was retrieved from response sizes and request counts
- Tie a source IP to the same address in firewall, VPN, or authentication logs
Authentication and Access Logs on Linux/Unix
- syslog / journald: General system log. Authentication events are recorded in `/var/log/auth.log` (Debian/Ubuntu) or `/var/log/secure` (RHEL/CentOS). On systemd hosts `journalctl _COMM=sshd` queries the binary journal, which survives reboots only if `/var/log/journal` exists (persistent storage); otherwise it lives in `/run` and is lost at shutdown.
- lastlog / last / lastb: `last` reads `/var/log/wtmp` (logins, logouts, reboots), `lastb` reads `/var/log/btmp` (failed logins), and `lastlog` reads `/var/log/lastlog` (most recent login per user). Attackers frequently truncate these binary files, so compare them against the text logs.
- bash_history: Each user's command history in `~/.bash_history`. Not a formal log but forensically valuable. Bash writes the file when the shell exits, so the current session's commands are not yet on disk; an attacker who deletes the file or runs `unset HISTFILE` mid-session leaves the history only in the memory of the still-running shell process. Commands carry no timestamps unless `HISTTIMEFORMAT` was set, in which case each command is preceded by a `#<epoch>` line.
- audit daemon (auditd): When rules are loaded, provides detailed system call logging in `/var/log/audit/audit.log`: file access, network connections, user actions, queried with `ausearch` and `aureport`. The forensic gold standard for Linux logging, but RHEL-family systems ship it with an almost empty rule set and Debian/Ubuntu do not install it by default, so useful coverage exists only where someone configured it.
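Session reconstruction from an auth.log, as an added example that is not code from the original page: sshd's Accepted, Failed and session-closed lines are tied together by the sshd PID in brackets, and sudo lines are attached to whichever session of that user was open at the time. The log lines, host name, IP addresses and key fingerprint are constructed; the year is supplied by the examiner because classic syslog stamps omit it.

```python
"""Rebuild SSH sessions and privileged commands from auth.log lines (constructed sample)."""
import re
from collections import defaultdict
from datetime import datetime

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                    r"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
ACCEPTED = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
CLOSED = re.compile(r"session closed for user (?P<user>\S+)")
SUDO = re.compile(r"^\s*(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
                  r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Constructed auth.log excerpt (Debian layout): a guessing burst, a normal key-based
# deploy session that reads /etc/shadow and shreds root's history, then a root password logon.
SAMPLE_AUTH_LOG = """\
Mar  5 10:00:01 web01 sshd[2314]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar  5 10:00:03 web01 sshd[2314]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar  5 10:00:06 web01 sshd[2316]: Failed password for root from 198.51.100.23 port 51030 ssh2
Mar  5 10:00:09 web01 sshd[2318]: Accepted publickey for deploy from 10.0.0.5 port 44122 ssh2: RSA SHA256:k3UqxW0c0h0
Mar  5 10:00:09 web01 sshd[2318]: pam_unix(sshd:session): session opened for user deploy(uid=1000) by (uid=0)
Mar  5 10:03:44 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  5 10:04:02 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/shred -u /root/.bash_history
Mar  5 10:05:12 web01 sshd[2318]: pam_unix(sshd:session): session closed for user deploy
Mar  5 10:07:30 web01 sshd[2401]: Accepted password for root from 198.51.100.23 port 51211 ssh2
Mar  5 10:07:30 web01 sshd[2401]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
"""


def parse_ts(ts, year):
    """Syslog stamps carry no year; the examiner supplies it from case context."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def reconstruct(lines, year=2024):
    """Return open/closed SSH sessions keyed by sshd PID, with sudo commands attached, plus failures per IP."""
    open_by_pid, sessions, sudo_cmds = {}, [], []
    failed_by_ip = defaultdict(int)
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        ts, prog, pid, msg = parse_ts(m["ts"], year), m["prog"], m["pid"], m["msg"]
        if prog == "sshd":
            if (a := ACCEPTED.search(msg)):
                s = {"pid": pid, "user": a["user"], "ip": a["ip"], "method": a["method"],
                     "start": ts, "end": None, "commands": []}
                open_by_pid[pid] = s
                sessions.append(s)
            elif (f := FAILED.search(msg)):
                failed_by_ip[f["ip"]] += 1
            elif CLOSED.search(msg) and pid in open_by_pid:
                open_by_pid.pop(pid)["end"] = ts  # same PID closes the session it accepted
        elif prog == "sudo" and (c := SUDO.match(msg)):
            sudo_cmds.append((ts, c["user"], c["target"], c["cmd"]))
    # Attach each sudo command to the session of that user that was open at the time.
    for ts, user, target, cmd in sudo_cmds:
        for s in sessions:
            if s["user"] == user and s["start"] <= ts and (s["end"] is None or ts <= s["end"]):
                s["commands"].append(f"{target}: {cmd}")
                break
    return {"sessions": sessions, "failed_by_ip": dict(failed_by_ip)}


def flags(result):
    """Sessions worth a closer look: a source that also failed logons, or a password logon straight to root."""
    out = []
    for s in result["sessions"]:
        if s["ip"] in result["failed_by_ip"]:
            out.append(f"{s['user']}@{s['ip']}: {result['failed_by_ip'][s['ip']]} failures before success")
        if s["user"] == "root" and s["method"] == "password":
            out.append(f"root password logon from {s['ip']} at {s['start']:%H:%M:%S}")
    return out


if __name__ == "__main__":
    result = reconstruct(SAMPLE_AUTH_LOG.splitlines())
    for s in result["sessions"]:
        print(f"{s['user']} from {s['ip']} via {s['method']}: {s['start']:%H:%M:%S} to "
              f"{s['end']:%H:%M:%S}" if s["end"] else f"{s['user']} from {s['ip']}: still open", s["commands"])
    print(flags(result))
```

Correlating by PID is what makes the sudo attribution defensible: the `deploy` session's two commands fall between its Accepted and closed lines, and the shred of `/root/.bash_history` lands in the report even though the history file itself is gone. A session with no closing line at the end of the log (the root logon here) was still open when the log was collected.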
Firewall and Network Device Logs
Firewall logs record allowed and denied network connections with source/destination IPs, ports, protocol, and timestamps; many devices also record bytes transferred and session duration. Combined with server access logs, these establish:
- Which external addresses reached the server, on which ports, and when first contact occurred
- Whether a given connection was allowed or blocked, so a blocked probe can be separated from a completed session
- The duration and volume of sessions, which supports or undercuts a data-theft theory
- Lateral movement between internal segments, which server logs alone do not show
Two caveats: NAT, proxies, and VPN concentrators replace the true source address with their own, so match on the translated address and time rather than assuming the firewall's SRC is the attacker's machine; and firewall clocks are frequently not synchronised with the servers, so establish the offset before correlating.
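Cross-source correlation as described here and in the Web Server Logs section, as an added example that is not the original page's code: it parses Apache/Nginx combined-format access lines and netfilter `LOG`-target lines from syslog, merges them into one timeline and summarises each source address. The log lines, addresses and the `DROP:`/`ACCEPT:` prefixes are constructed (real rulesets set their own `--log-prefix`); the firewall's syslog stamps are assumed to be UTC in the examiner-supplied year, and request paths are URL-decoded before pattern matching so percent-encoded traversal is not missed.

```python
"""Merge web server and firewall logs into one per-source timeline (constructed sample data)."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import unquote

# Apache/Nginx "combined" format: client, identity, user, [time], "request", status, bytes, "referer", "ua".
ACCESS = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) '
                    r'(?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# netfilter LOG target lines as they land in syslog, with a "--log-prefix" naming the verdict.
FW = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<verdict>\w+): (?P<kv>.*)$")
KV = re.compile(r"(\w+)=(\S*)")
# Patterns checked against the decoded request path and query string.
SUSPICIOUS = re.compile(r"\.\./|/etc/passwd|union\s+select|<script|sleep\(", re.I)

SAMPLE_FW = """\
Mar  5 10:09:50 fw01 kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.10 LEN=60 TTL=52 PROTO=TCP SPT=51200 DPT=22 SYN
Mar  5 10:09:51 fw01 kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.10 LEN=60 TTL=52 PROTO=TCP SPT=51201 DPT=3389 SYN
Mar  5 10:09:52 fw01 kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.10 LEN=60 TTL=52 PROTO=TCP SPT=51202 DPT=445 SYN
Mar  5 10:09:58 fw01 kernel: ACCEPT: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.10 LEN=60 TTL=52 PROTO=TCP SPT=51210 DPT=443 SYN
Mar  5 10:12:00 fw01 kernel: ACCEPT: IN=eth0 OUT= SRC=198.51.100.40 DST=10.0.0.10 LEN=60 TTL=60 PROTO=TCP SPT=40000 DPT=443 SYN
"""
SAMPLE_ACCESS = """\
203.0.113.7 - - [05/Mar/2024:10:10:01 +0000] "GET /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2024:10:10:02 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2024:10:10:02 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2024:10:10:03 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2210 "-" "curl/8.4.0"
203.0.113.7 - - [05/Mar/2024:10:10:05 +0000] "GET /export/customers.csv HTTP/1.1" 200 52428800 "-" "curl/8.4.0"
198.51.100.40 - jsmith [05/Mar/2024:10:12:01 +0000] "GET /dashboard HTTP/1.1" 200 8841 "https://app.example/login" "Mozilla/5.0"
"""


def parse_access(line):
    m = ACCESS.match(line)
    if not m:
        return None
    return {"time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), "ip": m["ip"], "kind": "web",
            "method": m["method"], "path": unquote(m["path"]), "status": int(m["status"]),
            "bytes": 0 if m["bytes"] == "-" else int(m["bytes"])}


def parse_fw(line, year):
    m = FW.match(line)
    if not m:
        return None
    # Syslog stamps have neither year nor zone; both are assumptions supplied by the examiner.
    t = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    kv = dict(KV.findall(m["kv"]))
    return {"time": t, "ip": kv.get("SRC"), "kind": "fw", "verdict": m["verdict"], "dst": kv.get("DST"),
            "dport": int(kv["DPT"]) if "DPT" in kv else None, "proto": kv.get("PROTO")}


def correlate(access_lines, fw_lines, year=2024):
    """Return the merged timeline and a per-source summary built from both log sources."""
    events = [e for e in (parse_access(l) for l in access_lines) if e]
    events += [e for e in (parse_fw(l, year) for l in fw_lines) if e]
    events.sort(key=lambda e: e["time"])
    per_ip = defaultdict(lambda: {"first_seen": None, "last_seen": None, "dropped_ports": set(),
                                  "accepted_ports": set(), "requests": 0, "not_found": 0,
                                  "suspicious": [], "bytes_out": 0})
    for e in events:
        p = per_ip[e["ip"]]
        p["first_seen"] = p["first_seen"] or e["time"]
        p["last_seen"] = e["time"]
        if e["kind"] == "fw":
            p["accepted_ports" if e["verdict"] == "ACCEPT" else "dropped_ports"].add(e["dport"])
        else:
            p["requests"] += 1
            p["bytes_out"] += e["bytes"]
            p["not_found"] += e["status"] == 404
            if SUSPICIOUS.search(e["path"]):
                p["suspicious"].append((e["time"].strftime("%H:%M:%S"), e["method"], e["path"], e["status"]))
    return events, dict(per_ip)


def report(per_ip):
    """One summary line per source address, in first-seen order."""
    return [f"{ip}: {p['first_seen']:%H:%M:%S}-{p['last_seen']:%H:%M:%S}; dropped {sorted(p['dropped_ports'])}, "
            f"accepted {sorted(p['accepted_ports'])}; {p['requests']} requests ({p['not_found']} x 404), "
            f"{len(p['suspicious'])} suspicious, {p['bytes_out']:,} bytes out"
            for ip, p in sorted(per_ip.items(), key=lambda kv: kv[1]["first_seen"])]


if __name__ == "__main__":
    _, summary = correlate(SAMPLE_ACCESS.splitlines(), SAMPLE_FW.splitlines())
    print("\n".join(report(summary)))
```

The merged view tells the story neither log tells alone: the firewall shows 203.0.113.7 probing 22, 3389 and 445 before the one accepted port, and the web log then shows the 404 scanning, a decoded traversal attempt that was answered with a 200, and a 50 MB download two seconds later. The legitimate user from 198.51.100.40 has no dropped ports, no 404s and no suspicious paths, which is the baseline the attacker's row should be compared against.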
FAQ: Log File Analysis
Q: Can log files be falsified?
A: Yes, with sufficient access. An attacker with root or administrator rights can modify or delete local logs, although on Windows a cleared Security log leaves Event ID 1102 behind, which is itself evidence. This is why best practice is to ship logs to a remote, access-controlled log aggregator as they are written: a copy that has already left the compromised host cannot be altered from that host. When both copies exist, compare them; a discrepancy between the local and the forwarded copy is a finding in its own right.
Q: How long are Windows Event Logs retained by default?
A: Default maximum sizes are small: 20 MB each for the Security, Application, and System logs. At typical logging volume that fills in hours to days, after which the oldest events are overwritten. Enterprise environments should raise the limits through Group Policy and use centralized log management with extended retention.
Q: Can we tell who logged in if the username is just “Administrator”?
A: The logon event shows the account name (Administrator), the logon type, and the source IP address or workstation name. Combining the source IP with DHCP lease records, VPN logs, or switch and wireless authentication logs can identify the specific device that logged in, which may identify the person. A shared account behind a NAT or VPN address that hides the real source is the common limit on this attribution.
Q: How long does a typical forensic examination take?
A: Timelines vary based on data volume and case complexity. A single device may take one to three days; multi-device investigations can span weeks.
Q: What certifications should a digital forensics examiner hold?
A: Common certifications include EnCE, CFCE, CCE, and GCFE. Relevance depends on the examination type and the jurisdiction’s expectations.
Case Example
In a civil dispute, one party alleged that digital evidence had been altered after a preservation obligation arose. The forensic examiner compared file system metadata against the litigation timeline and found several files modified after the preservation letter was received; a system cleanup utility had been run during the same period. The report documented the specific artifacts indicating post-preservation modification and distinguished routine system operations from deliberate user actions, giving the court a factual basis for evaluating the spoliation claim.
Practitioner Takeaways
- Verify forensic images with cryptographic hashing before analysis.
- Document every examination step for reproducibility.
- Cross-reference findings across multiple artifact types.
- Note tool versions used — behavior changes between versions affect reproducibility.
- Distinguish facts from inferences in your report.
See also: File Carving | Registry Analysis | Browser History Analysis
Need Professional Digital Forensics?
Octo Digital Forensics provides expert mobile forensics, data recovery, and digital investigation services for attorneys, insurance companies, and private investigators. Court-admissible reports. Certified examiners.
Contact: octodf.com | info@derickdowns.com | (858) 692-3306