Ensuring Data Integrity in Incident Response

Ensuring Data Integrity in Incident Response: Tools and Techniques for Forensically Sound Log Extraction

🎙️ Colin Meek, DFIR Consultant, Stroz Friedberg
📍 Presented at SANS DFIR Summit 2025

Logs are foundational to nearly all DFIR engagements, yet reliably extracting logs from sources such as network appliances, SaaS applications, and cloud environments can be challenging.

When standard UI-based exports fail, due to volume restrictions, technical limitations, or undocumented interfaces, investigators must turn to APIs for programmatic log collection.

This session will share practical tips for API-driven log extraction, including a detailed real-life case study involving extraction from an undocumented API of a proprietary client application. Additionally, we will discuss real-life cases where log data was discovered to be incomplete during collection and highlight the impact this could have had on investigative outcomes.
This presentation will also introduce an open-source log-analysis tool designed to assist DFIR professionals in quickly identifying potential issues in collected logs. The tool helps quickly highlight suspicious patterns, such as unexpected time gaps, duplicate events, suspiciously rounded event counts, JSON formatting errors, or indicators of potential redactions. Incorporating this tool into investigative workflows helps examiners proactively recognize potential data-quality concerns, supporting more informed decisions in high-stakes investigations.

View upcoming Summits: https://www.sans.org/u/DuS