The thesis has investigated the problem of information logging and storage from a forensic standpoint. The study was carried out for a company which cannot be named for confidentiality reasons. The questions are what information should be logged, what has to be logged according to Swedish law, and for how long the logs should be saved. The problem here is to find out what in general should be saved to a log file, so that the result can be applied to as many systems as possible. The thesis has also investigated when to do a forensic investigation and what to log in a Microsoft server environment (web server, firewall and Exchange server).
I intend to solve the problem by describing what needs to be saved in general and finding out whether there is a law that demands that information be logged. I intend to find out what needs to be saved from a forensic point of view. I am going to find out what should be logged on Microsoft server applications: web server, firewall and Exchange server.
The method used to solve the problem was a practical study and a literature study. The practical study was made on a Microsoft Server 2012, on the web server, firewall and Exchange server, where I looked at the log files and what information was saved to them.
The report finds out what should be saved in a log file from a forensic point of view and what needs to be saved according to Swedish law. The report finds how long the log files have to be saved. The report finds when to do a forensic investigation and what to investigate.