Network Event Logs

Painting a Broader Picture

By Jean-François Legault, CISSP, CISA, CISM, GCIH, GCFA

Digital Fingerprints 

Digital forensics is a vital facet of most fraud examinations today. In certain cases, the trail of information that a user's online activity leaves in network event logs will yield more evidence than any other technical resource.

Whether we’re analyzing the contents of a hard drive, removable media, or mobile device, electronic evidence provides the fraud examiner with a broader picture of events.
(Be sure to work with a certified digital forensics examiner to ensure you won’t nullify or spoil any evidence.)
Network event logs track a user’s Internet activities, such as visited Web sites, communications, and e-mailed documents. Two key pieces of digital information – the timestamp and the Internet Protocol (IP) address – will help the fraud examiner tie events together.

Timestamps on individual log entries denote the time at which the device’s logging system recorded the event. It’s critical to make sure the clock in the system generating the log is synchronized to a centralized time server. Most internal time servers use the Network Time Protocol or a variant of it. Any deviance in time might lead to incorrect assumptions.

An IP address, a unique numeric identifier assigned to devices and systems participating in a network, can be either public or private, and dynamically or statically assigned. A unique public IP address must be assigned to every computer or device that connects to the Internet. But, in certain cases, it might be impractical and unnecessary to assign a public IP address to computers on a corporate or home network.
