At the heart of log analysis is the assumption that actions by an adversary will leave a trace. Just as in the physical world, responders' ability to see these traces depends on the tools and techniques that are used. This chapter explored the foundational elements of logs and log management, introduced tools such as SIEM platforms for aggregating and reviewing these logs, and finally, looked at the tools and techniques used to examine the most prevalent logs that originate from the Windows OS. This chapter has really only scratched the surface with regard to how logs play an integral part in an incident investigation.
In keeping with the theme of understanding the traces of an adversary attack, the next chapter will examine the role that malware analysis plays in incident response.