Critical Logs Rotated/Overwritten Before Collection

Key log files (Security EVTX, web server access logs, syslog) have been rotated out or overwritten because of aggressive retention settings, high event volume, or deliberate attacker manipulation (clearing or truncating the log). On the original host, the evidence window for those sources is now closed; any remaining coverage has to come from copies made before the rotation.

Signals

  • Oldest event timestamp in the log is newer than the suspected compromise date
  • Log file sizes are at their configured maximum with no archived copies available (for EVTX, check the retention policy as well: "overwrite as needed" discards the oldest events silently)
  • SIEM shows a gap in ingested events for the relevant source during the incident window
  • The Security log contains Event ID 1102 (audit log cleared), or the System log contains Event ID 104, near the start of the incident window, which points to attacker manipulation rather than organic rotation

Pivot Actions

  1. Check for SIEM or log-aggregation copies -- data may already be indexed even if the source file rotated; confirm the index retention actually reaches back to the compromise date rather than assuming it does
  2. Search Volume Shadow Copies (vssadmin list shadows, run as an administrator) for earlier versions of overwritten log files; a snapshot can be browsed by creating a directory symlink to \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\ and copying the EVTX files out rather than opening them in place
  3. Collect the USN Journal and $MFT to recover file-creation, rename and deletion timestamps that survive log rotation; these reconstruct file activity on the host, not the log content itself, so treat them as a timeline supplement rather than a replacement
  4. Contact backup administrators to restore log directories from the nearest backup snapshot taken before the rotation; note the snapshot time, since a backup taken after the attacker cleared the log carries the same gap
  5. Examine any forwarded syslog/rsyslog copies on a central collector that may retain longer history, and check Windows Event Forwarding subscriptions for the same reason

Alternate Evidence Sources

  • SIEM indexed data (Splunk, Sentinel, Elastic) that ingested logs before rotation
  • Volume Shadow Copy snapshots containing older EVTX or flat-file logs
  • Filesystem metadata ($MFT, USN Journal) providing file-level event reconstruction
  • Cloud-based audit trails (Azure Activity Log, CloudTrail) that record the same identities' or hybrid-joined hosts' activity on the cloud side; they do not copy on-prem logs, but they often show the same actor's sign-ins and API calls during the window
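The two checks above that can be done offline are the Signals test (is the oldest surviving event newer than the compromise date, and where are the ingestion gaps inside the incident window?) and the Alternate Evidence Sources triage (which copies cover the gap, and what remains uncovered?). The following is an added example, not code from the original page: it runs both checks over constructed event timestamps and constructed coverage intervals for each alternate source. The source names, the snapshot times, and the rule that a shadow copy or backup covers only the span its copy of the log held at snapshot time are all assumptions for illustration; in practice the intervals come from the SIEM's index time range, the snapshot creation time, and the oldest/newest record in each recovered copy.

```python
from datetime import datetime, timedelta


def T(s):
    """Parse an ISO-8601 timestamp; all times here are treated as UTC (assumption)."""
    return datetime.fromisoformat(s)


# Constructed incident parameters (not from a real case).
COMPROMISE_DATE = T("2024-03-01T00:00")
WINDOW_START = COMPROMISE_DATE
WINDOW_END = T("2024-03-05T00:00")
MAX_SILENCE = timedelta(hours=2)   # longest believable silence for a busy Security log


def _hourly(start, end):
    t, out = start, []
    while t <= end:
        out.append(t)
        t += timedelta(hours=1)
    return out


# Constructed sample: TimeCreated values that survive in Security.evtx after rotation.
# The oldest record is 2024-03-03 09:00 (everything earlier was overwritten) and the
# hours between 02:00 and 10:00 on 2024-03-04 are missing (e.g. forwarding outage).
SECURITY_EVENTS = [
    t for t in _hourly(T("2024-03-03T09:00"), T("2024-03-05T00:00"))
    if not (T("2024-03-04T02:00") < t < T("2024-03-04T10:00"))
]

# Constructed coverage intervals for the alternate sources listed above.
ALTERNATE_SOURCES = [
    ("siem_security_index", (T("2024-03-02T12:00"), T("2024-03-05T00:00"))),  # index retention
    ("vss_shadow_copy_2",   (T("2024-03-01T18:00"), T("2024-03-02T06:00"))),  # log span at snapshot
    ("nightly_backup",      (T("2024-02-25T00:00"), T("2024-03-01T00:00"))),  # predates the window
]


def evidence_window_closed(events, compromise_date):
    """Signal 1: the oldest surviving record postdates the suspected compromise."""
    return min(events) > compromise_date


def find_gaps(events, window_start, window_end, max_silence):
    """Signal 3: (start, end) spans inside the window with no event for longer than
    max_silence, including silence before the first and after the last event."""
    in_window = sorted(t for t in events if window_start <= t <= window_end)
    gaps, prev = [], window_start
    for t in in_window:
        if t - prev > max_silence:
            gaps.append((prev, t))
        prev = t
    if window_end - prev > max_silence:
        gaps.append((prev, window_end))
    return gaps


def uncovered(gaps, sources):
    """Subtract each source's coverage interval from the gaps. Returns the intervals
    no source covers and the names of the sources that closed some part of a gap."""
    remaining, used = list(gaps), []
    for name, (s, e) in sources:
        new, touched = [], False
        for a, b in remaining:
            if e <= a or s >= b:          # no overlap with this gap
                new.append((a, b))
                continue
            touched = True
            if s > a:                     # uncovered piece before the source starts
                new.append((a, s))
            if e < b:                     # uncovered piece after the source ends
                new.append((e, b))
        remaining = new
        if touched:
            used.append(name)
    return remaining, used


def triage():
    """Run both checks and return a summary dict (also printed when run directly)."""
    gaps = find_gaps(SECURITY_EVENTS, WINDOW_START, WINDOW_END, MAX_SILENCE)
    still_open, used = uncovered(gaps, ALTERNATE_SOURCES)
    return {
        "window_closed": evidence_window_closed(SECURITY_EVENTS, COMPROMISE_DATE),
        "primary_gaps": gaps,
        "sources_to_pull": used,
        "uncovered": still_open,
    }


if __name__ == "__main__":
    for k, v in triage().items():
        print(f"{k}: {v}")
```

Note that source order matters only for the `sources_to_pull` list, not for the final `uncovered` result; the SIEM index is listed first because it is the cheapest source to query. The residual uncovered intervals are the honest answer to hand to the investigation lead: for those spans the only remaining options are the filesystem metadata and cloud audit trails, which describe activity without reproducing the missing records.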