These days it is not uncommon to encounter modern systems equipped with some form of event or activity monitoring software. This software may be implemented to assist with security, debugging, or compliance requirements. Whatever the situation, this veritable treasure trove of information can be, and commonly is, leveraged in all types of cyber investigations. A common issue with log analysis can be the huge amount of data one is required to sift through for the subset of interest. Through the recipes in this chapter, we will explore various logs with great evidentiary value and demonstrate ways to quickly process and review them. Specifically, we will cover:

• Converting different timestamp formats (UNIX, FILETIME, and so on) to human-readable formats
• Parsing web server access logs from an IIS platform
• Ingesting, querying, and exporting logs with Splunk's Python API
• Extracting drive usage information from macOS daily.out logs
• Executing our daily.out log parser from Axiom
• A bonus recipe for identifying files of interest with YARA rules