Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.9. Data Sources for Investigations

First Principle: Every system generates data that tells a story. Think of it like a crime scene, where logs, packets, and disk images are the forensic evidence. Forensic investigators and incident responders reconstruct attacks by reading these stories across multiple data sources. Knowing which data source answers which question is essential: the firewall log tells you who connected, the system log tells you what they did, and the application log tells you what data they accessed.

What happens when data sources are unavailable? The investigation stalls. If logging was disabled, there's no evidence. If logs weren't retained long enough, the evidence has been overwritten. If timestamps are inconsistent because NTP wasn't configured, the timeline is unreliable. Data source management directly determines investigation effectiveness.
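As an added example (not part of the course text), the following Python script assembles the three sources named above into one timeline, normalises each source's timestamp convention to UTC, reports a source that produced no records, and shows how an unverified host clock scrambles the story. The log lines, the host's clock offset and the syslog year are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sample log lines (not taken from any real system). Each source answers a
# different question and uses a different timestamp convention, as in real cases.
FIREWALL_LOG = ["2026-01-10T09:00:05Z ALLOW 203.0.113.7 -> 10.0.0.5:22"]  # who connected
SYSTEM_LOG = [  # syslog style: no year, written in the host's local time -> what they did
    "Jan 10 04:00:12 host sshd[410]: Accepted password for svc from 203.0.113.7",
    "Jan 10 04:01:03 host sudo: svc : COMMAND=/usr/bin/tar czf /tmp/db.tgz /var/lib/app",
]
APP_LOG = ["1768035690 user=svc action=export table=customers rows=48213"]  # what data
ANTIVIRUS_LOG = []  # never enabled on this host: an empty source must be reported, not ignored

SYSLOG_YEAR = 2026                       # syslog omits the year; taken from the case window
HOST_TZ = timezone(timedelta(hours=-5))  # assumed host clock offset; confirm on the real host

def parse_firewall(line):
    ts, msg = line.split(" ", 1)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), msg

def parse_system(line, host_tz):
    local = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    local = local.replace(year=SYSLOG_YEAR, tzinfo=host_tz)
    return local.astimezone(UTC), line[16:]

def parse_app(line):
    ts, msg = line.split(" ", 1)
    return datetime.fromtimestamp(int(ts), tz=UTC), msg

def build_timeline(host_tz=HOST_TZ):
    """Return (utc_time, source, message) tuples ordered by normalised UTC time."""
    events = [(ts, "firewall", msg) for ts, msg in map(parse_firewall, FIREWALL_LOG)]
    events += [(ts, "system", msg) for ts, msg in (parse_system(l, host_tz) for l in SYSTEM_LOG)]
    events += [(ts, "application", msg) for ts, msg in map(parse_app, APP_LOG)]
    return sorted(events, key=lambda e: e[0])

def missing_sources():
    """Names of sources with no records: logging disabled, not retained, or not collected."""
    sources = {"firewall": FIREWALL_LOG, "system": SYSTEM_LOG,
               "application": APP_LOG, "antivirus": ANTIVIRUS_LOG}
    return [name for name, lines in sources.items() if not lines]

def source_order(host_tz=HOST_TZ):
    """Sequence of source names in the timeline, used to check the story is causally sane."""
    return [source for _, source, _ in build_timeline(host_tz)]

if __name__ == "__main__":
    for ts, source, msg in build_timeline():
        print(f"{ts.isoformat()}  {source:<11} {msg}")
    print("no evidence from:", missing_sources())
    # Trusting the host's syslog as if it were UTC (an unverified clock) puts the login
    # five hours before the firewall saw the connection: an impossible story.
    print("order if host clock were trusted as UTC:", source_order(UTC))
```

With the assumed offset the story reads firewall connect, SSH login, sudo command, data export; with the host clock taken at face value the login precedes the connection that enabled it.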

Written by Alvin Varughese (Founder, 15 professional certifications)