AU-9 / AU-11 / IR-4(1) / A.12.4.1 / CIS-8.3 NIST SP 800-53 Rev 5

Forensic readiness — logs + tools

Demonstrate that the organization maintains comprehensive, protected logs with adequate retention and has deployed forensic tools and procedures to support timely and legally defensible incident investigations.

Description

What this control does

Forensic readiness for logs and tools ensures that an organization maintains comprehensive, tamper-evident logs and has pre-deployed forensic analysis capabilities to support incident investigation. This control requires centralized log aggregation with adequate retention periods, synchronized time sources, write-once or immutable storage for critical logs, and availability of forensic toolkits (disk imaging, memory capture, network packet analysis) with trained personnel. Effective forensic readiness reduces mean time to investigation (MTTI), preserves evidence integrity for legal proceedings, and enables accurate root-cause analysis after security incidents.

Control objective

What auditing this proves

Demonstrate that the organization maintains comprehensive, protected logs with adequate retention and has deployed forensic tools and procedures to support timely and legally defensible incident investigations.

Associated risks

Risks this control addresses

  • Attackers delete or modify logs to conceal intrusion activities, resulting in inability to determine scope or method of compromise
  • Insufficient log retention periods cause critical evidence to be overwritten before investigations commence, preventing root-cause determination
  • Lack of time synchronization across systems prevents accurate correlation of events during multi-stage attacks spanning multiple assets
  • Absence of pre-deployed forensic tools forces responders to install analysis software on compromised systems, contaminating evidence and alerting adversaries
  • Inadequate logging scope omits security-relevant events (authentication failures, privilege escalations, configuration changes), leaving investigative blind spots
  • Evidence integrity cannot be proven due to missing chain-of-custody procedures or lack of cryptographic log protection, rendering findings inadmissible in legal proceedings
  • Insufficient storage allocation for logs causes premature rotation or logging failures during high-volume security events when visibility is most critical

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organization's log retention policy, forensic readiness procedure, and inventory of systems generating security-relevant logs.
  2. Select a representative sample of 8-12 critical systems (domain controllers, firewalls, databases, privileged access workstations) and verify each forwards logs to the centralized SIEM or log repository.
  3. Review the log source configurations to confirm security-relevant events are captured including authentication events, privileged actions, configuration changes, network connections, and file access on sensitive systems.
  4. Verify time synchronization by comparing timestamps across at least five geographically or logically separated systems against an authoritative NTP source, confirming drift is within acceptable tolerance (typically <1 second).
  5. Examine log storage configuration to verify write-once, append-only, or cryptographic signing (hash-chaining) mechanisms prevent undetected tampering, and confirm retention periods meet policy requirements and applicable regulatory minimums (commonly 90 days online at minimum and one year or more for critical systems; PCI DSS, for example, requires 12 months of audit log history with the most recent three months immediately available for analysis).
  6. Request demonstration of forensic tool availability by identifying the location and accessibility of disk imaging software, memory capture tools, network packet analyzers, and malware analysis sandboxes, including verification of current licenses and tool versions.
  7. Review access controls on forensic tools and log repositories to confirm only authorized incident response personnel have access, and that privileged access is logged and monitored.
  8. Test forensic readiness by requesting retrieval of logs from a specific date 60+ days prior for a sampled system, verifying the logs are complete, readable, and include all expected event categories with intact timestamps and source attribution.

Evidence required

Configuration exports from SIEM/log aggregator showing sources, retention settings, and storage protection mechanisms; screenshots of NTP configuration and time drift reports; forensic tool inventory with version numbers, license status, and access control lists; sample log extracts demonstrating event coverage and timestamp accuracy; log retention policy document with approved retention periods; chain-of-custody template or procedure for evidence handling.

Pass criteria

All sampled systems forward complete security logs to protected centralized storage with verified retention meeting policy minimums, time synchronization drift is within tolerance across systems, forensic tools are accessible with current licenses and documented procedures, and historical log retrieval demonstrates integrity and completeness.
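Worked example (added here; not code from the page, the cited frameworks, or any product): a minimal tamper-evident log export and the verifier an auditor would run for steps 5 and 8. Each exported line carries an HMAC over its own record plus the previous line's MAC, so modifying, deleting, reordering or truncating records breaks the chain. The signing key, host names, event records and the required-category list are all constructed for the demonstration; in production the key belongs in an HSM or KMS rather than on the log-producing host, and the latest chain head is recorded out of band (for example in the daily integrity report) so that trailing truncation is also detectable.

```python
"""Tamper-evident (HMAC-chained) log export and verifier.

Constructed example for the forensic-readiness control: key, hosts and
records are made up; nothing here is taken from a real product or log.
"""
import hashlib
import hmac
import json
from typing import Optional

# Assumption: held in an HSM/KMS, never on the host that emits the logs,
# so an attacker with root on that host cannot re-sign altered records.
SIGNING_KEY = b"demo-key-not-for-production"
GENESIS = "0" * 64  # "prev" value for the first record of a chain

# Event categories step 3 of the test procedure expects to see.
REQUIRED_CATEGORIES = {"authentication", "privileged_action",
                       "configuration_change", "network", "file_access"}

# Constructed records standing in for what a DC and firewall forward to the SIEM.
SAMPLE_RECORDS = [
    {"ts": "2024-03-01T08:00:00Z", "host": "dc01", "category": "authentication",
     "event": "logon_failure", "user": "svc_backup"},
    {"ts": "2024-03-01T08:00:04Z", "host": "dc01", "category": "privileged_action",
     "event": "group_membership_add", "user": "jdoe", "group": "Domain Admins"},
    {"ts": "2024-03-01T08:01:10Z", "host": "fw01", "category": "network",
     "event": "connection_allowed", "dst": "203.0.113.5:443"},
    {"ts": "2024-03-01T08:02:00Z", "host": "dc01", "category": "configuration_change",
     "event": "audit_policy_changed", "user": "jdoe"},
]


def _mac(key: bytes, seq: int, record: dict, prev: str) -> str:
    # Canonical JSON so the verifier reproduces exactly the signed bytes.
    body = json.dumps({"seq": seq, "prev": prev, "record": record},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def chain_records(records: list, key: bytes = SIGNING_KEY) -> list:
    """Append-only export: every line commits to its predecessor's MAC."""
    lines, prev = [], GENESIS
    for seq, rec in enumerate(records, start=1):
        mac = _mac(key, seq, rec, prev)
        lines.append(json.dumps({"seq": seq, "prev": prev, "record": rec,
                                 "mac": mac}, sort_keys=True))
        prev = mac
    return lines


def verify_chain(lines: list, key: bytes = SIGNING_KEY,
                 expected_head: Optional[str] = None) -> tuple:
    """Return (ok, reason). Catches modified, deleted, reordered and
    (given the out-of-band head MAC) truncated records."""
    prev, seq = GENESIS, 1
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            return False, f"unparseable line where seq {seq} was expected"
        if entry.get("seq") != seq:
            return False, f"gap: expected seq {seq}, found {entry.get('seq')}"
        if entry.get("prev") != prev:
            return False, f"broken link at seq {seq}"
        mac = _mac(key, seq, entry.get("record"), prev)
        if not hmac.compare_digest(mac, str(entry.get("mac", ""))):
            return False, f"MAC mismatch at seq {seq} (record modified)"
        prev, seq = mac, seq + 1
    if expected_head is not None and prev != expected_head:
        return False, f"head mismatch after seq {seq - 1} (trailing records missing)"
    return True, "chain intact"


def missing_categories(records: list, required: set) -> list:
    """Step 8 coverage check: required event categories absent from the sample."""
    return sorted(required - {r.get("category") for r in records})


def run_checks() -> dict:
    """Run the verifier over a clean export and three tampering scenarios."""
    lines = chain_records(SAMPLE_RECORDS)
    head = json.loads(lines[-1])["mac"]        # anchored out of band in practice

    modified = list(lines)
    entry = json.loads(modified[1])
    entry["record"]["group"] = "Domain Users"  # attacker downgrades the event
    modified[1] = json.dumps(entry, sort_keys=True)
    deleted = lines[:1] + lines[2:]            # record 2 removed
    truncated = lines[:-1]                     # tail chopped off

    return {
        "intact": verify_chain(lines, expected_head=head),
        "modified": verify_chain(modified, expected_head=head),
        "deleted": verify_chain(deleted, expected_head=head),
        "truncated": verify_chain(truncated, expected_head=head),
        "missing_categories": missing_categories(SAMPLE_RECORDS, REQUIRED_CATEGORIES),
    }


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

The verifier only proves integrity relative to the key: an adversary who holds the signing key can rewrite history and re-sign it, which is why the key (or a per-chunk signature from it) must be produced outside the collecting host, and why the head MAC is recorded somewhere the log pipeline itself cannot alter. The `missing_categories` result (no `file_access` events in the sample) is the kind of blind spot step 8's retrieval test is meant to surface before an incident, not during one.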
