Identify Alternative Evidence When Primary Logs Are Missing
When expected logs are unavailable due to rotation, tampering, or configuration gaps, identify and collect alternative evidence sources. Volume Shadow Copies, NTFS journal entries, memory artifacts, and cloud telemetry can fill critical visibility gaps.
Actions
- 1.Identify which log sources are missing and the affected time window. Document the gap: source name, expected retention, actual available range, and suspected reason for absence.
- 2.For missing Windows Event Logs, check Volume Shadow Copies: `vssadmin list shadows` to enumerate them, then expose a copy with `mklink /d C:\vss1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\` (the trailing backslash is required) and copy the .evtx files out of `Windows\System32\winevt\Logs` inside it. Also re-read the live files in `C:\Windows\System32\winevt\Logs`: a circular log still holds every record that fits in its configured maximum size, which can reach further back than the window your console query returned. A cleared log leaves Event ID 1102 (Security) or 104 (System); finding one turns a retention gap into a tampering finding.
- 3.Harvest NTFS metadata as a timeline substitute. `$MFT` and `$UsnJrnl:$J` are locked on a live volume, so extract them first with a raw-access tool (KAPE, FTK Imager), then parse them: `MFTECmd.exe -f "C:\case\$MFT" --csv C:\case\output` provides creation/modification timestamps for every file even when application logs are gone, and `MFTECmd.exe -f "C:\case\$J" --csv C:\case\output` turns the $UsnJrnl into granular file change records (create, rename, delete, attribute change) with their own timestamps.
- 4.Extract evidence from memory if a capture exists: Volatility 3 `windows.pslist`, `windows.pstree`, `windows.cmdline`, `windows.netscan`, and `windows.filescan` recover process execution, parent/child relationships, command lines, network connections, and open file handles that the missing logs would have recorded. Record the acquisition time: memory shows state at capture, not history.
- 5.For cloud environments, check secondary sources that retain data independently of the diagnostic settings you expected to be in place: the Azure Activity Log (kept by the platform for 90 days even with no diagnostic setting configured), Azure Resource Graph change history for recent resource state changes, Entra ID audit and sign-in reports through the Microsoft Graph API, Azure Storage analytics logs, and Microsoft Defender for Cloud Apps (formerly Cloud App Security) alerts and activity log.
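The following script works steps 1 and 2 end to end on a Windows host. It is an added example, not part of the original playbook: it documents what each live log still holds, checks for clearing events, then recovers .evtx files from every shadow copy of the system volume and writes a hashed manifest with the oldest record each recovered log contains. `$CaseDir` and the list of logs are assumptions; run it in an elevated PowerShell session.

```powershell
# Added example, not from the original playbook. Run elevated on the affected host.
# $CaseDir and $Logs are assumptions; adjust for the case.
$CaseDir = 'C:\case\evtx_recovery'
$Logs    = @('Security', 'System', 'Microsoft-Windows-PowerShell/Operational')
New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null

# Step 1: what does the live log still hold? Oldest/newest record, size cap and log mode
# show whether a gap is plain circular overwrite or needs another explanation.
foreach ($log in $Logs) {
    $cfg    = Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue
    $oldest = Get-WinEvent -LogName $log -MaxEvents 1 -Oldest -ErrorAction SilentlyContinue
    $newest = Get-WinEvent -LogName $log -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Log         = $log
        OldestEvent = $oldest.TimeCreated
        NewestEvent = $newest.TimeCreated
        RecordCount = $cfg.RecordCount
        MaxSizeMB   = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
        LogMode     = $cfg.LogMode
    } | Export-Csv -Path (Join-Path $CaseDir 'live_log_coverage.csv') -Append -NoTypeInformation
}

# A cleared Security log writes 1102 to Security; clearing any other log writes 104 to System.
$clearFilters = @(
    @{ LogName = 'Security'; Id = 1102 },
    @{ LogName = 'System';   Id = 104; ProviderName = 'Microsoft-Windows-Eventlog' }
)
foreach ($f in $clearFilters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, Message |
        Export-Csv -Path (Join-Path $CaseDir 'log_clear_events.csv') -Append -NoTypeInformation
}

# Step 2: shadow copies of the system volume. The DeviceObject path
# (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN) is not usable by most cmdlets directly,
# so expose each copy through a directory symlink. The trailing backslash on the target is required.
$sysVol = (Get-CimInstance -ClassName Win32_Volume | Where-Object DriveLetter -eq $env:SystemDrive).DeviceID
$n = 0
foreach ($sc in Get-CimInstance -ClassName Win32_ShadowCopy | Where-Object VolumeName -eq $sysVol | Sort-Object InstallDate) {
    $n++
    $link = Join-Path $CaseDir "vss$n"
    cmd /c mklink /d "$link" "$($sc.DeviceObject)\" | Out-Null
    $src  = Join-Path $link 'Windows\System32\winevt\Logs'
    $dst  = Join-Path $CaseDir ('shadow{0}_{1:yyyyMMdd_HHmmss}' -f $n, $sc.InstallDate)
    New-Item -ItemType Directory -Path $dst -Force | Out-Null
    Copy-Item -Path (Join-Path $src '*.evtx') -Destination $dst -ErrorAction SilentlyContinue

    # Hash each recovered file and record its oldest event: chain of custody for the report,
    # and a direct answer to "how far back does this copy extend the visible window?"
    foreach ($file in Get-ChildItem -Path $dst -Filter '*.evtx' -ErrorAction SilentlyContinue) {
        $first = Get-WinEvent -Path $file.FullName -MaxEvents 1 -Oldest -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ShadowId      = $sc.ID
            ShadowCreated = $sc.InstallDate
            File          = $file.Name
            SHA256        = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
            OldestEvent   = $first.TimeCreated
        } | Export-Csv -Path (Join-Path $CaseDir 'recovered_evtx_manifest.csv') -Append -NoTypeInformation
    }
    cmd /c rmdir "$link" | Out-Null   # removes the link only; the shadow copy is untouched
}
```

Shadow copies are snapshots, so each one captures the log as it stood at `InstallDate`; the manifest's `OldestEvent` column per copy is what you cite in the report when stating the window the recovered evidence covers. Copy the recovered files off-host before parsing them further, and keep the shadow copies themselves intact: deleting them is a common anti-forensic step, and their presence or absence is itself evidence.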
Queries
Sentinel (KQL): per-host, per-event-ID coverage within the last 90 days. Rows whose earliest surviving event is less than 30 days old have a gap before MinTime; GapDays is the number of days of the 90-day window with no data.

```kusto
SecurityEvent
| where TimeGenerated > ago(90d)
| summarize MinTime=min(TimeGenerated), MaxTime=max(TimeGenerated), Count=count() by Computer, EventID
| where MinTime > ago(30d)
| project Computer, EventID, MinTime, MaxTime, Count, GapDays=datetime_diff("day", MinTime, ago(90d))
| order by GapDays desc
```

Defender XDR advanced hunting (KQL): devices whose earliest DeviceEvents row is under 14 days old, shortest coverage first.

```kusto
DeviceEvents
| where Timestamp > ago(30d)
| summarize EarliestEvent=min(Timestamp), LatestEvent=max(Timestamp), EventCount=count() by DeviceName
| where EarliestEvent > ago(14d)
| project DeviceName, EarliestEvent, LatestEvent, EventCount, CoverageDays=datetime_diff("day", LatestEvent, EarliestEvent)
| order by CoverageDays asc
```

Splunk (SPL): hosts and sourcetypes whose oldest indexed event is less than 30 days old. `index=*` over 90 days is expensive on large deployments; `tstats` gives the same aggregation from the index metadata.

```spl
index=* earliest=-90d
| stats min(_time) as earliest max(_time) as latest count by host sourcetype
| where earliest > relative_time(now(), "-30d")
| convert ctime(earliest) ctime(latest)
| table host sourcetype earliest latest count
```
Notes
- Document every alternative evidence source used and its limitations. This is critical for the investigation report and any legal proceedings.
- NTFS $MFT timestamps can be timestomped by attackers, but most tools only rewrite the $STANDARD_INFORMATION (0x10) set; the $FILE_NAME (0x30) set is kernel-maintained and rarely touched, so a 0x10 creation time earlier than the 0x30 creation time, or a 0x10 timestamp with zero sub-second precision, is a lead (MFTECmd surfaces both in its `SI<FN` and `uSecZeros` columns). Cross-reference with $UsnJrnl and $LogFile entries, which are harder to manipulate: a `BasicInfoChange` USN record dated after the claimed creation time shows when the attributes were rewritten. Treat these as indicators, not proof; tools that preserve creation times on copy (robocopy, some archive extractors) produce the same pattern legitimately.
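The cross-check described in the note above, as an added example that is not part of the original playbook: it compares the 0x10 and 0x30 creation times in MFTECmd's `$MFT` CSV, flags zero sub-second values, and pulls the matching `$J` records so the report can show when the attributes actually changed. The column names (`Created0x10`, `Created0x30`, `UpdateReasons`, `UpdateTimestamp`) follow MFTECmd's CSV output and are an assumption about the tool version in use; the rows in the here-strings are constructed sample data, not real case output, so the script runs offline.

```powershell
# Added example, not from the original playbook. Column names assume MFTECmd CSV output.
# The sample rows below are constructed for illustration.

function ConvertTo-DateTime([string]$s) {
    # MFTECmd writes timestamps as "yyyy-MM-dd HH:mm:ss.fffffff"; blanks occur for missing attributes.
    if ([string]::IsNullOrWhiteSpace($s)) { return $null }
    [datetime]::Parse($s, [cultureinfo]::InvariantCulture)
}

function Find-TimestompCandidate {
    param([object[]]$Mft, [object[]]$Usn)
    foreach ($r in $Mft) {
        $siCreated = ConvertTo-DateTime $r.Created0x10
        $fnCreated = ConvertTo-DateTime $r.Created0x30
        if ($null -eq $siCreated -or $null -eq $fnCreated) { continue }
        $reasons = @()
        # $FILE_NAME is kernel-maintained: an SI creation time older than FN is not produced by normal file creation.
        if ($siCreated -lt $fnCreated) { $reasons += 'SI created earlier than FN created' }
        # Stomping tools that accept second-granularity input leave the fractional part at zero.
        if ($siCreated.Ticks % 10000000 -eq 0) { $reasons += 'SI created has zero sub-second value' }
        if ($reasons.Count -eq 0) { continue }
        # BasicInfoChange in $J records a rewrite of the SI attribute, i.e. when the stomp happened.
        $changes = $Usn | Where-Object {
            $_.EntryNumber -eq $r.EntryNumber -and $_.SequenceNumber -eq $r.SequenceNumber -and
            $_.UpdateReasons -match 'BasicInfoChange'
        } | ForEach-Object { $_.UpdateTimestamp }
        [pscustomobject]@{
            File               = Join-Path $r.ParentPath $r.FileName
            SICreated          = $siCreated
            FNCreated          = $fnCreated
            Reasons            = ($reasons -join '; ')
            USNBasicInfoChange = ($changes -join ', ')
        }
    }
}

# Constructed sample: entry 1001 claims a 2021 creation in SI while FN and the USN journal show
# it was created on 2024-05-02 and had its SI attribute rewritten 49 seconds later.
$mftSample = @'
EntryNumber,SequenceNumber,ParentPath,FileName,Created0x10,Created0x30
1001,3,.\Users\alice\AppData\Local\Temp,svchost.exe,2021-03-14 09:12:00.0000000,2024-05-02 11:47:13.5523190
1002,1,.\Users\alice\Documents,report.docx,2024-05-01 08:03:21.1182230,2024-05-01 08:03:21.1182230
'@ | ConvertFrom-Csv

$usnSample = @'
EntryNumber,SequenceNumber,UpdateTimestamp,UpdateReasons
1001,3,2024-05-02 11:47:13.5523190,FileCreate
1001,3,2024-05-02 11:47:14.0011120,DataExtend|Close
1001,3,2024-05-02 11:48:02.7731000,BasicInfoChange|Close
1002,1,2024-05-01 08:03:21.1182230,FileCreate
'@ | ConvertFrom-Csv

Find-TimestompCandidate -Mft $mftSample -Usn $usnSample | Format-List

# Real use (paths are assumptions): feed MFTECmd's CSV output for $MFT and $J.
# Find-TimestompCandidate -Mft (Import-Csv 'C:\case\output\mft.csv') -Usn (Import-Csv 'C:\case\output\usn.csv')
```

Only the `svchost.exe` row is reported: its SI creation time predates the FN creation time and has no fractional seconds, and the `$J` output gives the `BasicInfoChange` timestamp that should replace the stomped value on the timeline. The `report.docx` row, with identical 0x10 and 0x30 times, passes. Keep the robocopy caveat from the note in mind when reviewing hits on user data directories.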