Discovering the connection between logs and forensics
In the preceding section, we got a good understanding of what logs are like and the kind of data contained in them. I am sure that, like any good investigator, we have a gut feeling that these can be pretty important. Let's work towards discovering exactly why this is so.
As we saw in the previous section, a log entry reflects an event that occurred in an organization's network. A group of log entries makes a log file. Many such log files are directly related to security, while others are kept for other purposes but still contain some entries specific to security-related matters. Security-related logs can be generated by anti-virus tools, firewalls, intrusion detection and prevention systems (IDPS), operating systems, networking equipment, applications, and so on.
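To make that distinction concrete, here is an added example (written for this edit, not code from the book) that parses a short syslog-style excerpt and separates the security-relevant entries from the routine ones. The excerpt is constructed; the host name, the `IPT-DROP` firewall prefix (assumed to be an iptables `--log-prefix`) and the choice of which programs count as "always security-related" are illustrative assumptions, not a standard.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, not taken from any real system: a /var/log/syslog-style
# excerpt in which security tooling (sshd, sudo, the kernel firewall, an AV daemon)
# shares one file with ordinary application noise (cron, nginx).
SAMPLE_LOG = """\
Mar 12 08:01:02 web01 cron[1123]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 08:01:17 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51044 ssh2
Mar 12 08:01:19 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51044 ssh2
Mar 12 08:01:25 web01 kernel: [12345.678] IPT-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51050 DPT=23
Mar 12 08:02:00 web01 nginx[880]: 192.0.2.55 - - "GET /index.html HTTP/1.1" 200 612
Mar 12 08:02:31 web01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 12 08:02:44 web01 nginx[880]: 203.0.113.7 - - "GET /.env HTTP/1.1" 403 153
Mar 12 08:03:05 web01 clamd[640]: /tmp/upload.exe: Win.Trojan.Agent FOUND
"""

# BSD-syslog layout: "<Mon dd HH:MM:SS> <host> <program>[<pid>]: <message>".
# Note the year is absent from each line; it has to come from the file's context
# when a timeline is reconstructed.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


@dataclass
class LogEvent:
    ts: str
    host: str
    prog: str
    pid: Optional[int]
    msg: str
    category: Optional[str] = None  # set by security_events(); None = routine entry


# Sources whose every entry is a security event (the "directly related" logs).
# Illustrative assumption; a real deployment tunes this list to its own tooling.
ALWAYS_SECURITY = {
    "sshd": "authentication",
    "sudo": "privilege",
    "clamd": "anti-virus",
}


def parse(text: str) -> List[LogEvent]:
    """Turn raw lines into events. Lines that do not fit the layout are skipped, not guessed."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid = int(m["pid"]) if m["pid"] else None
        events.append(LogEvent(m["ts"], m["host"], m["prog"], pid, m["msg"].strip()))
    return events


def classify(ev: LogEvent) -> Optional[str]:
    """Return a security category for the event, or None for ordinary noise."""
    if ev.prog in ALWAYS_SECURITY:
        return ALWAYS_SECURITY[ev.prog]
    # Mixed source: the kernel also logs hardware and driver chatter, so only
    # lines carrying the assumed firewall log prefix count.
    if ev.prog == "kernel" and "IPT-" in ev.msg:
        return "firewall"
    # Mixed source: most web access entries are benign; denied requests are the
    # ones an investigator wants pulled out.
    if ev.prog == "nginx":
        status = re.search(r'" (\d{3}) ', ev.msg)
        if status and status.group(1) in ("401", "403"):
            return "access-denied"
    return None


def security_events(text: str) -> List[LogEvent]:
    """Parse the text and keep only security-relevant events, with their category set."""
    kept = []
    for ev in parse(text):
        cat = classify(ev)
        if cat:
            ev.category = cat
            kept.append(ev)
    return kept


def summarize(events: List[LogEvent]) -> Dict[str, int]:
    """Count security events per category."""
    return dict(Counter(ev.category for ev in events))


if __name__ == "__main__":
    evs = security_events(SAMPLE_LOG)
    for ev in evs:
        print(f"{ev.ts} {ev.host} [{ev.category}] {ev.prog}: {ev.msg}")
    print(summarize(evs))
```

Run against the sample, the script keeps six of the eight entries: both failed SSH logins, the firewall drop, the `sudo` read of `/etc/shadow`, the denied request for `/.env` and the anti-virus detection, while the cron job and the successful page fetch are left behind. The two `nginx` lines come from the same file, which is the point of the passage above: a file does not have to be a "security log" for some of its entries to matter to an investigation.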
The key factor to understand is that logs are a human-independent record of system and user activity in a network. This makes them comparatively unbiased and allows them to be admitted in court as evidence, provided...