Log Preservation and Snapshot
Preserve all relevant log sources before they are rotated, overwritten, or tampered with. Create forensic copies with integrity verification. This is especially critical when log retention may not cover the full investigation window.
Actions
- 1. Windows -- Export critical event logs: `wevtutil epl Security C:\case\Security.evtx`, `wevtutil epl System C:\case\System.evtx`, `wevtutil epl "Microsoft-Windows-PowerShell/Operational" C:\case\PowerShell.evtx`, `wevtutil epl "Microsoft-Windows-Sysmon/Operational" C:\case\Sysmon.evtx`.
- 2. Linux -- Preserve auth and system logs: `cp -p /var/log/auth.log* /var/log/syslog* /var/log/secure* /var/log/audit/audit.log* /case/logs/`. For journald: `journalctl --since "T_START" --until "T_END" -o json > /case/logs/journal_export.json` (one JSON object per line).
- 3. M365/Azure -- Export Azure AD sign-in and audit logs via PowerShell: `Get-AzureADAuditSignInLogs -Filter "createdDateTime ge T_START" -All $true | Export-Csv azure_signins.csv`. Export UAL: `Search-UnifiedAuditLog -StartDate T_START -EndDate T_END -ResultSize 5000 | Export-Csv ual_export.csv`. Note that 5000 is the per-call maximum; for a larger window, page through the results with `-SessionId` and `-SessionCommand ReturnLargeSet`.
- 4. Network -- Capture firewall and proxy logs: copy running log files and request SIEM backup export for the investigation window. For cloud: `aws cloudtrail lookup-events --start-time T_START --end-time T_END > cloudtrail_events.json` (`lookup-events` covers only the last 90 days of management events; older events and data events must be pulled from the trail's S3 bucket).
- 5. Hash all preserved log files and create a manifest: `find /case/logs -type f -exec sha256sum {} \; > /case/logs/manifest_sha256.txt`. Store the manifest separately from the evidence; it can be re-checked at any time with `sha256sum -c manifest_sha256.txt`.
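The copy-then-hash procedure of steps 2 and 5, as a worked example added here (it is not part of the runbook): each source file is copied with its timestamps preserved, the copy is checked against the original before it is trusted, a manifest in `sha256sum` text format is written, and the manifest is re-verified later to detect a missing or altered copy. The sample log lines, file names and paths are constructed for the demonstration.

```python
"""Forensic log copy with a SHA-256 manifest and later re-verification.
Added example, not from the runbook; sample files and paths are constructed."""
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB EVTX/syslog files are not read into memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(sources, case_dir: Path) -> dict:
    """Copy each source into case_dir/logs (like `cp -p`: mtime and mode preserved),
    confirm the copy hashes identically to the original, and return {name: sha256}."""
    dest_root = case_dir / "logs"
    dest_root.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src in map(Path, sources):
        # prefix with the parent directory name so two files called auth.log cannot collide
        dest = dest_root / f"{src.parent.name}__{src.name}"
        shutil.copy2(src, dest)
        digest = sha256_file(src)
        if sha256_file(dest) != digest:
            raise RuntimeError(f"copy of {src} does not match its source; do not trust this copy")
        manifest[dest.name] = digest
    return manifest


def write_manifest(manifest: dict, manifest_path: Path) -> None:
    """`sha256sum` text format ("<hex>  <name>"), so `sha256sum -c` can check it later."""
    manifest_path.parent.mkdir(parents=True, exist_ok=True)
    with manifest_path.open("w") as f:
        for name in sorted(manifest):
            f.write(f"{manifest[name]}  {name}\n")


def verify_manifest(manifest_path: Path, logs_dir: Path) -> list:
    """Re-hash every listed file; return [(name, problem)], empty when everything matches."""
    problems = []
    for line in manifest_path.read_text().splitlines():
        if not line.strip():
            continue
        expected, name = line.split("  ", 1)
        copy = logs_dir / name
        if not copy.exists():
            problems.append((name, "missing"))
        elif sha256_file(copy) != expected:
            problems.append((name, "hash mismatch"))
    return problems


def demo() -> dict:
    """Walk-through on constructed sample logs in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src_dir = root / "var_log"
        src_dir.mkdir()
        (src_dir / "auth.log").write_text("Jan 10 10:00:01 host sshd[412]: Accepted publickey for alice\n")
        (src_dir / "syslog").write_text("Jan 10 10:00:02 host systemd[1]: Started Session 7 of user alice.\n")
        case = root / "case"
        manifest = preserve_logs([src_dir / "auth.log", src_dir / "syslog"], case)
        # the manifest is kept outside logs/; in a real case it goes to separate media
        manifest_path = case / "manifest_sha256.txt"
        write_manifest(manifest, manifest_path)
        before = verify_manifest(manifest_path, case / "logs")
        # simulate a later modification of one preserved copy
        with (case / "logs" / "var_log__auth.log").open("a") as f:
            f.write("inserted line\n")
        after = verify_manifest(manifest_path, case / "logs")
        return {"files": len(manifest), "before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The manifest format is deliberately the one `sha256sum` emits, so the evidence can be re-checked on any Linux host without this script, and the check of the copy against its source catches a truncated or failed copy at the moment of collection rather than months later in court.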
Queries
Splunk (index size against its cap; an index near its limit may be rolling data out during the incident):
index=_internal sourcetype=splunkd component=HotBucketRoller OR component=WarmToColdManager | stats latest(data_size) as current_size latest(max_size) as max_allowed by index | eval pct_used=round(current_size/max_allowed*100,1) | where pct_used > 80
Velociraptor VQL (collect all EVTX files from target host):
SELECT FullPath, Size, Mtime FROM glob(globs="C:/Windows/System32/winevt/Logs/*.evtx") WHERE Size > 0 ORDER BY Mtime DESC
KQL (earliest and latest ingested record per source, to confirm the investigation window is covered):
AzureActivity | summarize LogCount=count(), EarliestLog=min(TimeGenerated), LatestLog=max(TimeGenerated) by SourceSystem, CategoryValue | order by EarliestLog asc
Notes
- Check SIEM license limits -- some organizations have ingestion caps that cause log dropping during high-volume incidents. Verify no data loss occurred during the investigation window.
- For legal hold purposes, all preserved evidence must be stored on write-once media or in a tamper-evident container with documented chain of custody.
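The "verify no data loss occurred during the investigation window" check from the notes, as an added example (not from the runbook): given per-source event timestamps parsed out of an export, it reports every silent stretch longer than a threshold, including a source that stopped before the window ended or never produced anything. The events and source names are constructed; in practice the timestamps would come from the journalctl JSON, the UAL CSV or a SIEM export.

```python
"""Log coverage check for an investigation window.
Added example, not from the runbook; events are constructed."""
from datetime import datetime, timedelta

WINDOW_START = datetime(2024, 1, 10, 8, 0)
WINDOW_END = datetime(2024, 1, 10, 18, 0)


def find_gaps(timestamps, window_start, window_end, max_gap):
    """Return [(gap_start, gap_end)] for every stretch longer than max_gap with no event.
    The window edges count as events, so silence at the start or the end of the window
    (a source that began late or stopped early) is reported as a gap too."""
    points = sorted(t for t in timestamps if window_start <= t <= window_end)
    edges = [window_start] + points + [window_end]
    return [(a, b) for a, b in zip(edges, edges[1:]) if b - a > max_gap]


def coverage_report(events, window_start, window_end, max_gap, expected_sources=()):
    """events: iterable of (source, datetime). Returns {source: [gaps]} for sources with gaps.
    A source named in expected_sources with no events at all is reported as one gap that
    spans the whole window."""
    by_source = {src: [] for src in expected_sources}
    for source, ts in events:
        by_source.setdefault(source, []).append(ts)
    report = {}
    for source, stamps in by_source.items():
        gaps = find_gaps(stamps, window_start, window_end, max_gap)
        if gaps:
            report[source] = gaps
    return report


def build_sample_events():
    """Constructed: auth.log every 10 minutes but silent from 12:00 to 15:00 (rotated away),
    Security.evtx steady until 16:00 and then nothing (forwarder stopped)."""
    events = []
    t = WINDOW_START
    while t <= WINDOW_END:
        if not (datetime(2024, 1, 10, 12, 0) < t < datetime(2024, 1, 10, 15, 0)):
            events.append(("auth.log", t))
        if t <= datetime(2024, 1, 10, 16, 0):
            events.append(("Security.evtx", t))
        t += timedelta(minutes=10)
    return events


def run_sample_check():
    """Run the report on the constructed events; 'firewall' is expected but absent."""
    report = coverage_report(
        build_sample_events(), WINDOW_START, WINDOW_END,
        max_gap=timedelta(minutes=30),
        expected_sources=("auth.log", "Security.evtx", "firewall"),
    )
    return {src: [(a.isoformat(), b.isoformat()) for a, b in gaps] for src, gaps in report.items()}


if __name__ == "__main__":
    for source, gaps in run_sample_check().items():
        for start, end in gaps:
            print(f"{source}: no events between {start} and {end}")
```

Pick `max_gap` per source from its normal event rate: a firewall that logs thousands of lines a minute can use a threshold of a minute or two, while a quiet auth.log needs hours before silence means anything. A gap found here should be cross-checked against the SIEM's own ingestion metrics (the Splunk query above) before concluding the data never existed rather than that it was dropped on ingest.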
Where to Go Next
Related Artifacts
- Security Event Log (4624/4625/4688) -- C:\Windows\System32\winevt\Logs\Security.evtx
- Azure AD (Entra ID) Audit Logs -- Azure Portal > Entra ID > Monitoring > Audit logs (or Microsoft Graph API /auditLogs/directoryAudits)
- auth.log / secure -- /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS)
- Firewall Logs (Allow/Deny) -- Firewall management console or syslog server (vendor-specific: Palo Alto, Fortinet, pfSense, iptables)
Common Blockers
Critical Logs Rotated/Overwritten Before Collection
Key log files (Security EVTX, web server access logs, syslog) have been rotated out or overwritten due to aggressive retention settings, high volume, or attacker manipulation. The evidence window for those sources is now closed.
SIEM Not Ingesting Relevant Log Sources
The SIEM does not ingest logs from the affected systems, applications, or network segments. Correlation, alerting, and historical search capabilities are unavailable for the evidence sources most relevant to this incident.
Legal Requesting Preservation Conflicts with Containment
Legal counsel has issued a preservation hold requiring that certain systems, mailboxes, or data stores remain untouched. This directly conflicts with containment actions like reimaging hosts, resetting accounts, or blocking network segments.
Attacker Used Timestomping, Log Clearing, or Other Anti-Forensics
Evidence of deliberate anti-forensic activity has been found: timestamps modified, event logs cleared, prefetch/shimcache wiped, or tools designed to defeat forensic analysis were executed. Standard timeline analysis may be unreliable.
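For the "event logs cleared" case in the last blocker, an added example (not from the runbook) of the first check an analyst runs over the exported EVTX data: flag the well-known clearing events (Security 1102, which the Eventlog service writes as the first record after the Security log is cleared, and System 104 for other logs), then report the earliest surviving record per channel so it is clear where each log's evidence now starts and which untouched channels (Sysmon here) can still cover the cleared period. The records are constructed to resemble events parsed out of the exported files; field names follow the EVTX event data.

```python
"""Flag event-log clearing in exported Windows event records and report where each
channel's surviving evidence begins.
Added example, not from the runbook; records are constructed."""
from datetime import datetime

# Well-known "log cleared" events: Security 1102 is the first record after the Security log
# is cleared; System 104 records the clearing of any other log.
LOG_CLEAR_EVENTS = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "event log cleared",
}


def find_log_clearing(records):
    """records: iterable of dicts with Channel, EventID, TimeCreated (datetime) and,
    where the event carries it, SubjectUserName. Returns one finding per clear, oldest first."""
    findings = []
    for r in records:
        desc = LOG_CLEAR_EVENTS.get((r["Channel"], r["EventID"]))
        if desc:
            findings.append({
                "time": r["TimeCreated"],
                "channel": r["Channel"],
                "event_id": r["EventID"],
                "user": r.get("SubjectUserName", "unknown"),
                "description": desc,
            })
    return sorted(findings, key=lambda f: f["time"])


def evidence_start(records):
    """Earliest surviving record per channel: anything before it is gone from that log."""
    start = {}
    for r in records:
        ch, ts = r["Channel"], r["TimeCreated"]
        if ch not in start or ts < start[ch]:
            start[ch] = ts
    return start


def build_sample_records():
    """Constructed sample: the Security log is cleared at 10:30 and the System log at 10:31,
    after which logging resumes; the Sysmon channel was never touched."""
    def d(h, m):
        return datetime(2024, 1, 10, h, m)
    return [
        {"Channel": "Security", "EventID": 1102, "TimeCreated": d(10, 30), "SubjectUserName": "svc_backup"},
        {"Channel": "Security", "EventID": 4624, "TimeCreated": d(10, 35), "SubjectUserName": "alice"},
        {"Channel": "System", "EventID": 104, "TimeCreated": d(10, 31), "SubjectUserName": "svc_backup"},
        {"Channel": "System", "EventID": 7036, "TimeCreated": d(10, 40)},
        {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "TimeCreated": d(9, 50)},
        {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "TimeCreated": d(10, 33)},
    ]


def run_sample():
    recs = build_sample_records()
    return {
        "clears": [(f["channel"], f["event_id"], f["time"].isoformat(), f["user"])
                   for f in find_log_clearing(recs)],
        "evidence_start": {ch: ts.isoformat() for ch, ts in evidence_start(recs).items()},
    }


if __name__ == "__main__":
    result = run_sample()
    for channel, event_id, when, user in result["clears"]:
        print(f"{when} {channel} {event_id} cleared by {user}")
    for channel, when in result["evidence_start"].items():
        print(f"{channel}: surviving records start at {when}")
```

The account in the 1102 record and the clearing time are the pivot points for the rest of the investigation: the same account and a timestamp shortly before it in the surviving channels (Sysmon, PowerShell/Operational, forwarded SIEM copies) usually recover what the cleared log no longer shows, which is why step 1 exports those channels as well as Security.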