We turn to forensics when it’s necessary to investigate activity on a system. Logfiles do not always capture the information needed to answer an investigator’s questions. They may capture data like “When and from what IP address did a user access a system?” but may not be able to answer questions like “What files have been executed or deleted?” or “Were these files accessed when the user logged in?” We need tools and techniques to recover or deduce this kind of information, especially if logfiles have been erased by an attacker trying to cover their tracks.
The activity under investigation need not be malicious or illegal. It may be ...