Newsletter Announcement
Welcome to the second edition of Investigation Insight. This expansion of the Cyber Crime & Computer Forensics News focuses on broader issues relating to investigations, including forensics, analysis and fraud. You won't want to miss "From the Investigator's Notebook," which highlights the importance of log files in an electronic investigation. We hope you enjoy the newsletter.
In This Issue:
From the Investigator's Notebook: Log Files – Roadmap to Your Electronic Investigation
Computer forensic examiners search for digital "clues" when responding to a data security concern. A log file is an example of a type of clue that will assist in creating a timeline of events. A log file is, generally speaking, a text file that captures events such as when a computer is booted, shut down and/or how it is used throughout the day. For example, when a user logs into a server or into an application, that event will typically be recorded in a log file. The information recorded commonly includes the user name, date, time, success or failure of the attempt and so forth. Powerful information contained in a log file is often overlooked. For that reason, instead of treating the log file as a waste of precious disk space, a thoughtful investigator will view log files as a repository of important information.
It is essential to understand the various types of logs and the information contained therein when locating and capturing relevant log information. The content of a log file varies depending on the application that creates it and the amount of detail it is set to capture. Additionally, the information contained in the log file may vary based on the log's retention size or time period. Log files almost always have a size or time restraint that prevents them from growing indefinitely. This limitation prevents the log file from retaining older data once the size or time restraint has been reached; in other words, when capacity is reached the oldest data drops away first. Therefore, depending on the number and frequency of captured events, log information may be retained for days, hours, minutes or even seconds.
Additionally, the content of a log file may vary based on its ordinary use in the organization. The most common use of log files is by system or server administrators responding to a system incident such as a server crash or an application performance problem. Most log files are therefore limited in size and record only the events needed to respond to these types of incidents. Consequently, when responding to a system incident, the most valuable log files are those created most recently, as they most likely detail the cause of the recent problem.
However, when responding to other types of incidents, such as a network intrusion or data theft, it is important to maintain a longer history of events. The most valuable information relating to these types of incidents may lie in the creation of a timeline that outlines activities for the preceding months. For example, during a network intrusion you may need details regarding whether crucial company intellectual property was accessed or copied to removable media, along with who had access to the system during the weeks or months prior to the date the incident occurred. The more computer reliant our culture becomes, the more susceptible organizations are to network intrusions and data theft. To be proactive and prepared for possible future incidents, it is important to understand your internal logging technology and to modify your systems in the manner best suited for your needs. A few items to consider include:
- Which systems or applications have logging capability, including which have it enabled and which may have it disabled.
- For critical systems, review the log files to determine the level of detail and the period of time that they cover and adjust as necessary.
- Determine if any of your systems should have additional logging enabled or if the size should be increased to retain more information.
- Determine if the log files are being backed up so that past events may be recoverable if needed.
- Document a list of the logs available and those that your organization maintains.
The wealth of information contained in a system-generated log file can be extremely beneficial to the investigation of data security issues, such as a server crash, application performance problem, network intrusion or data theft. Precious time can be lost in the heat of an investigation if preparatory steps were not taken beforehand. Taking the time to understand the logging capabilities of your computer systems ahead of time can arm your response team with the tools it needs to respond quickly and effectively during the critical, early stages of an investigation.
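To make the retention and timeline points above concrete, here is an added Python example; it is not part of the newsletter and is not Kroll Ontrack's code. It parses a handful of constructed login records in an assumed syslog-like layout, orders them into a timeline, tallies accepted and failed attempts per account, and estimates how many days of history a size-capped log can hold from the observed event rate. The host name, account names, addresses, the 480-byte cap and the 80-byte record size are all made-up values.

```python
import re
from datetime import datetime, timedelta

# Constructed sample login records (assumed syslog-like layout, not taken from
# the newsletter); the host, accounts and addresses are made-up values.
SAMPLE_LOG = """\
2009-02-10 08:02:11 srv01 sshd: Accepted password for jdoe from 10.0.0.15
2009-02-10 08:05:47 srv01 sshd: Failed password for asmith from 10.0.0.22
2009-02-10 08:05:53 srv01 sshd: Failed password for asmith from 10.0.0.22
2009-02-10 08:06:01 srv01 sshd: Accepted password for asmith from 10.0.0.22
2009-02-11 17:44:09 srv01 sshd: session closed for user jdoe
2009-02-12 08:02:11 srv01 sshd: Accepted password for jdoe from 10.0.0.15
this line is damaged and must be skipped rather than crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$"
)
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not fit the layout are dropped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ev = {
            "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "host": m["host"],
            "app": m["app"],
            "msg": m["msg"],
            "user": None,
            "result": None,
            "src": None,
        }
        a = AUTH_RE.match(m["msg"])
        if a:  # only login attempts carry a user, result and source address
            ev.update(user=a["user"], result=a["result"].lower(), src=a["src"])
        events.append(ev)
    return events


def timeline(events):
    """Chronological order is what lets an investigator read events as a story."""
    return sorted(events, key=lambda e: e["time"])


def coverage(events):
    """Earliest and latest timestamp: the only window this log can speak to."""
    ordered = timeline(events)
    return ordered[0]["time"], ordered[-1]["time"]


def login_summary(events):
    """Per-account tally of accepted and failed attempts and the sources seen."""
    summary = {}
    for ev in events:
        if ev["result"] is None:
            continue
        entry = summary.setdefault(ev["user"], {"accepted": 0, "failed": 0, "sources": set()})
        entry[ev["result"]] += 1
        entry["sources"].add(ev["src"])
    return summary


def events_per_day(events):
    """Observed event rate over the window the log covers."""
    first, last = coverage(events)
    span_days = (last - first).total_seconds() / 86400
    if span_days == 0:
        raise ValueError("need events spread over time to measure a rate")
    return len(events) / span_days


def estimate_retention(events, max_bytes, avg_bytes_per_event):
    """How long a log capped at max_bytes keeps history at the observed rate.
    When the cap is reached the oldest entries drop away first, so this is the
    deepest timeline the file can ever provide."""
    daily_bytes = events_per_day(events) * avg_bytes_per_event
    return timedelta(days=max_bytes / daily_bytes)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    first, last = coverage(evs)
    print(f"{len(evs)} events from {first} to {last}")
    for user, info in login_summary(evs).items():
        print(f"{user}: {info['accepted']} accepted, {info['failed']} failed, "
              f"from {sorted(info['sources'])}")
    for ev in timeline(evs):
        print(ev["time"], ev["host"], ev["app"], ev["msg"])
    # 480-byte cap and 80 bytes per record are made-up figures for illustration
    print("estimated retention:", estimate_retention(evs, max_bytes=480, avg_bytes_per_event=80))
```

The retention estimate is the practical check behind the second and third bullets above: run it against a real log's cap and observed rate, and if the answer is hours when the investigation needs months, the size limit or a backup schedule has to change before an incident, not during one.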
Special thanks to John Connell, Kroll Ontrack Managing Consultant, for his contribution in writing this article. Mr. Connell specializes in assessing electronic discovery resources and creating processes and documentation to support repeatable and reliable electronic discovery procedures. Prior to joining Kroll Ontrack, he was an electronic discovery manager for a major U.S. financial institution. Mr. Connell can be reached at jconnell@krollontrack.com for questions or comments.
News & Events
Upcoming Webinar! The Golden Hour: When Every Minute Counts
Take this unique opportunity to hear from the experts during a one hour webinar focused on issues affecting data security in the healthcare industry. Healthcare facilities collect, utilize and maintain the most desirable elements of a patient's confidential information, from personal health data to Social Security numbers and credit card information. In a setting where patients, visitors, volunteers, vendors, staff and others freely visit, a healthcare facility is ripe for information misuse. Additionally, the necessity for collaboration between departments, clinics and practitioners increases the chance of a data loss incident. While it may seem easier to ignore the risk, the risk will not ignore you. This presentation will provide you with practical guidance from experts in preparing for and dealing with a data breach in the healthcare industry. For more information and to register, please visit www.krollontrack.com/redir/feb09Healthweb-InvIns.asp.
Kroll Ontrack Offers Redesigned E-Discovery Certification Course for 2009
The industry's legal technology thought leader has revamped its E-Discovery Certification Course for 2009 with updated topics, additional speakers and dual track, customizable sessions to appeal to beginner, intermediate and advanced learners. The redesigned course curriculum is ideal for legal and technical professionals of all levels, including in-house counsel, law firm attorneys, litigation support professionals, paralegals, IT staff and members of the judiciary. For more information and to register for an upcoming course, visit www.krollontrack.com/certification-courses/.
Meet our representatives at the following events:
Date | Event | Location
2/24/09 | Document Review: Practical Advice for Finding the Needle in Your Electronic Document Haystack | Online Seminar
2/19/09 and 2/26/09 | The Golden Hour: When Every Minute Counts | Online Seminar
3/03/09 | Knowledge Is Power: Practical Considerations for Understanding and Appealing to Your Jury in Complex Litigation | Atlanta, GA
3/04/09 – 3/07/09 | ABA Litigation Insurance Coverage Seminar | Tucson, AZ
4/16/09 – 4/17/09 | E-Discovery Certification Course | Eden Prairie, MN
4/29/09 – 5/01/09 | ABA Section of Litigation Annual Meeting | Atlanta, GA
5/07/09 – 5/08/09 | International Litigation Support Leaders Conference | Washington, D.C.
6/04/09 – 6/05/09 | E-Discovery Certification Course | Eden Prairie, MN
6/24/09 – 6/25/09 | LegalTech West | Los Angeles, CA
9/17/09 – 9/18/09 | E-Discovery Certification Course | Eden Prairie, MN
10/13/09 – 10/14/09 | The Masters Conference | Washington, D.C.
10/29/09 – 10/30/09 | E-Discovery Certification Course | Eden Prairie, MN
12/03/09 – 12/04/09 | E-Discovery Certification Course | Eden Prairie, MN
Visit www.krollontrack.com/upcoming-events/ for more information on these events and others.
We Request Your Input
This newsletter was written by Regina Jytyla and Joni Shogren, Kroll Ontrack staff attorneys, with assistance from Kelly Kubacki and Meridith Socha, Kroll Ontrack law clerks. We value your input and feedback! Please send your questions or comments to Ms. Shogren at jshogren@krollontrack.com.
For more information about e-discovery and computer forensics services, contact Kroll Ontrack at 800 347 6105 or www.krollontrack.com.