Log Preservation and Snapshot
Preserve all relevant log sources before they are rotated, overwritten, or tampered with. Create forensic copies with integrity verification. This is especially critical when log retention may not cover the full investigation window.
Actions
- 1
Windows -- Export critical event logs: `wevtutil epl Security C:\case\Security.evtx`, `wevtutil epl System C:\case\System.evtx`, `wevtutil epl "Microsoft-Windows-PowerShell/Operational" C:\case\PowerShell.evtx`, `wevtutil epl "Microsoft-Windows-Sysmon/Operational" C:\case\Sysmon.evtx`.
- 2
Linux -- Preserve auth and system logs: `cp -p /var/log/auth.log* /var/log/syslog* /var/log/secure* /var/log/audit/audit.log* /case/logs/`. For journald: `journalctl --since "T_START" --until "T_END" -o json > /case/logs/journal_export.json`.
- 3
M365/Azure -- Export Azure AD sign-in and audit logs via PowerShell: `Get-AzureADAuditSignInLogs -Filter "createdDateTime ge T_START" -All $true | Export-Csv azure_signins.csv`. Export UAL: `Search-UnifiedAuditLog -StartDate T_START -EndDate T_END -ResultSize 5000 | Export-Csv ual_export.csv`.
- 4
Network -- Capture firewall and proxy logs: copy running log files and request SIEM backup export for the investigation window. For cloud: `aws cloudtrail lookup-events --start-time T_START --end-time T_END > cloudtrail_events.json`.
- 5
Hash all preserved log files and create a manifest: `find /case/logs -type f -exec sha256sum {} \; > /case/logs/manifest_sha256.txt`. Store the manifest separately from the evidence.
- 6
Preserve Windows registry hives for offline forensic analysis (they contain crucial evidence beyond event logs): `reg save HKLM\SYSTEM C:\case\SYSTEM`, `reg save HKLM\SOFTWARE C:\case\SOFTWARE`, `reg save HKLM\SAM C:\case\SAM`, `reg save HKLM\SECURITY C:\case\SECURITY`, and `reg save HKU\.DEFAULT C:\case\DEFAULT`. Also copy each user NTUSER.DAT and UsrClass.dat.
- 7
Capture key forensic database files that supplement event logs: Prefetch (`C:\Windows\Prefetch\*.pf`), AmCache (`C:\Windows\appcompat\Programs\Amcache.hve`), SRUM (`C:\Windows\System32\sru\SRUDB.dat`), and the $MFT (`extracting via raw disk access or KAPE`). These artifacts provide execution, network, and filesystem evidence independent of event log retention.
Queries
index=_internal sourcetype=splunkd component=HotBucketRoller OR component=WarmToColdManager | stats latest(data_size) as current_size latest(max_size) as max_allowed by index | eval pct_used=round(current_size/max_allowed*100,1) | where pct_used > 80
// Velociraptor: collect all EVTX files from target host SELECT FullPath, Size, Mtime FROM glob(globs="C:/Windows/System32/winevt/Logs/*.evtx") WHERE Size > 0 ORDER BY Mtime DESC
AzureActivity | summarize LogCount=count(), EarliestLog=min(TimeGenerated), LatestLog=max(TimeGenerated) by SourceSystem, CategoryValue | order by EarliestLog asc
index=wineventlog sourcetype=WinEventLog:Security host=TARGET_HOST earliest=T_START latest=T_END | stats count earliest(_time) as earliest_event latest(_time) as latest_event by sourcetype, host | eval span_hours=round((latest_event-earliest_event)/3600,1)
index=_internal source=*metrics.log group=per_index_thruput earliest=-7d | stats sum(kb) as total_kb by series | eval total_GB=round(total_kb/1048576,2) | sort -total_GB | head 20
Notes
Check SIEM license limits -- some organizations have ingestion caps that cause log dropping during high-volume incidents. Verify no data loss occurred during the investigation window.
For legal hold purposes, all preserved evidence must be stored on write-once media or in a tamper-evident container with documented chain of custody.