Analyzing Log Files

The Sherlock Holmes of France, Dr. Edmond Locard, was a pioneer in the field of forensic science. A criminologist and teacher, Locard developed techniques and methodologies that still inform forensic science today. The principle for which he is best known is Locard's exchange principle, which states that when a suspect interacts with a crime scene, they leave traces behind. In the physical world, this can include hair, fibers from clothing, blood, or skin, which are left on the various surfaces and objects within the crime scene. The crime scene also leaves traces on the suspect: fibers from the carpet, dust, metal fragments, or glass from a broken window may make their way onto the suspect. Forensic science has developed increasingly sophisticated practices and technology to find ever more minute traces.

Locard's work was centered on the physical world, well before computers were a reality. Having said this, the principle that every action by an actor at a crime scene leaves traces is just as applicable in digital forensics as it is in the physical world. For example, an adversary compromises a system and uses a web server as command-and-control infrastructure. The connections to and from that server leave trace evidence in the form of firewall log entries. The execution of malware on the web server may leave traces in running memory, in event log entries, and as malicious code on the storage device. Throughout the chain of events, the adversary leaves traces of their presence on every device with which they come into contact.

Previous chapters have discussed the various locations and techniques that responders can leverage to uncover these traces from memory, hard drives, and network traffic. One further location that provides a wealth of data is log files. Actions are logged across a wide range of hardware and software. What responders need is to understand how to acquire these logs, how to examine them, and what they record. In doing so, they may be able to ascertain a good deal about the root cause of an incident.
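As an added example (not code from the chapter), the following script shows how the firewall traces described in the command-and-control scenario above can be surfaced from log lines. It groups outbound connections by source, destination, and port, and flags groups whose inter-connection intervals are nearly constant, the regular "beaconing" that a C2 implant typically produces. The log format, the host `fw1`, the addresses, and the jitter threshold are all assumptions; the sample lines are constructed, not a real capture.

```python
"""Detect beacon-like outbound connections in firewall log lines.

Added example, not code from the chapter. The syslog-like line format is
an assumption; real firewalls differ, so LINE_RE would need adjusting.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: web server 10.0.0.5 reaches 203.0.113.7:443 roughly
# every 60 seconds (possible C2 beacon), interleaved with ordinary traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z fw1 ALLOW src=10.0.0.5 dst=203.0.113.7 proto=tcp dport=443
2024-03-01T10:00:12Z fw1 ALLOW src=10.0.0.9 dst=198.51.100.20 proto=tcp dport=443
2024-03-01T10:01:00Z fw1 ALLOW src=10.0.0.5 dst=203.0.113.7 proto=tcp dport=443
2024-03-01T10:01:45Z fw1 DENY src=10.0.0.9 dst=198.51.100.44 proto=tcp dport=22
2024-03-01T10:02:01Z fw1 ALLOW src=10.0.0.5 dst=203.0.113.7 proto=tcp dport=443
2024-03-01T10:02:30Z fw1 ALLOW src=10.0.0.9 dst=198.51.100.20 proto=tcp dport=80
2024-03-01T10:02:59Z fw1 ALLOW src=10.0.0.5 dst=203.0.113.7 proto=tcp dport=443
2024-03-01T10:04:00Z fw1 ALLOW src=10.0.0.5 dst=203.0.113.7 proto=tcp dport=443
2024-03-01T10:09:10Z fw1 ALLOW src=10.0.0.9 dst=198.51.100.20 proto=tcp dport=443
"""

# Assumed line layout: "<ISO timestamp> <firewall> <ALLOW|DENY> src= dst= proto= dport="
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped so a
    single bad record does not abort the whole analysis."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["dport"] = int(rec["dport"])
        yield rec


def find_beacons(text, min_events=4, max_jitter=0.2):
    """Return flows (src, dst, dport) seen at least min_events times whose
    timing is regular: coefficient of variation of the gaps <= max_jitter.
    Both ALLOW and DENY records count, since blocked beacons are traces too."""
    groups = defaultdict(list)
    for rec in parse_log(text):
        groups[(rec["src"], rec["dst"], rec["dport"])].append(rec["ts"])

    findings = []
    for (src, dst, dport), times in groups.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean  # low value = regular timing
        if cv <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "count": len(times),
                "mean_interval": round(mean, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {f['src']} -> {f['dst']}:{f['dport']} "
              f"({f['count']} hits, ~{f['mean_interval']}s apart, cv={f['cv']})")
```

The thresholds are deliberately loose: real implants add jitter, and a practitioner would tune `max_jitter` and `min_events` against a baseline of known-good traffic, then pivot from a flagged flow into the web server's memory, event logs, and disk for the corroborating traces the chapter goes on to discuss.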

In this chapter, the discussion will focus on logs and log management, the use of log aggregation tools such as a security information and event management (SIEM) system, the Windows event logs, and, finally, analyzing Windows event logs. Through a discussion of these techniques, responders should be able to articulate why logs are critical to an incident investigation and to examine them as part of a larger investigation.

We will cover the following topics in this chapter:

  • Logs and log management
  • Security information and event management
  • Windows event logs
  • Windows event log analysis