Bit of a newbie at the whole forensics stuff - but I'm trying to find out what I should have in place before an attack. While there is no end of material on the internet about forensics from seizure onwards, I'm trying to find out more about how I can make a secure record of events (specifically webserver logs) of adequate quality to be considered as evidence.
There are vague references to non-volatile media, hashing and signatures in the stuff I've read; these certainly provide a means for demonstrating a consistent snapshot - but do not intrinsically provide a mechanism for proving the data has not changed between initial capture and the snapshot, e.g. I could take today's log files and do a search/replace to overwrite the date with something else before committing the snapshot.
How does an electronic signature prove the data has not been tampered with between the initial capture and the signing - does it just support the signer's assertion?
Must the integrity verification method be implemented in real-time? E.g. it's not very practical to write data directly to DVD; at best a track at a time is as near to real-time as you can get - but at a huge performance penalty.
Any pointers on content suitable for a non-lawyer? (pref with an EU/UK bias).
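The gap the question points at (a hash or signature over a finished file says nothing about edits made before the file was sealed) is usually closed by sealing each log line as it is written and chaining the entries together. The following is an added illustration, not code from the question or from any answer: a hash chain where each record's tag covers the previous tag, and where the per-entry key is evolved with a one-way function after every line, so that a later compromise of the server reveals only the current key and not the earlier ones. It goes slightly beyond the question by also showing why the chain's final tag still has to be anchored somewhere outside the server (write-once media or a timestamping service), since a chain on its own cannot detect truncation. All names, the initial key and the sample log lines are constructed for the example.

```python
"""Hash-chained, forward-secure log sealing (constructed example).

Each record's tag = HMAC(K_i, prev_tag || line); K_{i+1} = SHA-256(K_i).
A verifier holding K_0 (kept off the web server) recomputes the chain; any
edit to a line changes the tag expected at that index and every one after it.
"""
import hashlib
import hmac

GENESIS = b"\x00" * 32  # constructed anchor for the first record's "previous tag"

# Constructed demo key. In practice K_0 lives with the independent verifier
# (or is sealed in an HSM/TPM), never in plaintext on the server being logged.
INITIAL_KEY = hashlib.sha256(b"constructed-demo-initial-key").digest()

# Constructed Apache-style access log lines.
SAMPLE_LINES = [
    b'203.0.113.7 - - [12/Mar/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
    b'203.0.113.7 - - [12/Mar/2012:10:00:05 +0000] "GET /admin HTTP/1.1" 403 512',
    b'198.51.100.9 - - [12/Mar/2012:10:00:09 +0000] "POST /login HTTP/1.1" 302 0',
]


def evolve_key(key: bytes) -> bytes:
    """One-way key update: the previous key cannot be recovered from the new one."""
    return hashlib.sha256(key).digest()


def entry_tag(key: bytes, prev_tag: bytes, line: bytes) -> bytes:
    """Authentication tag binding this line to everything sealed before it."""
    return hmac.new(key, prev_tag + line, hashlib.sha256).digest()


def seal_log(key: bytes, lines: list, prev_tag: bytes = GENESIS) -> list:
    """Seal lines in order; returns [(line, tag), ...]. Key and chain advance per line."""
    sealed = []
    for line in lines:
        tag = entry_tag(key, prev_tag, line)
        sealed.append((line, tag))
        prev_tag, key = tag, evolve_key(key)
    return sealed


def verify_chain(initial_key: bytes, sealed: list) -> int:
    """Recompute from K_0; return the index of the first bad entry, or -1 if intact."""
    key, prev_tag = initial_key, GENESIS
    for i, (line, tag) in enumerate(sealed):
        if not hmac.compare_digest(entry_tag(key, prev_tag, line), tag):
            return i
        prev_tag, key = tag, evolve_key(key)
    return -1


def verify_against_anchor(initial_key: bytes, sealed: list, anchor: bytes) -> bool:
    """Chain intact AND its last tag equals the externally committed anchor."""
    return (
        len(sealed) > 0
        and verify_chain(initial_key, sealed) == -1
        and hmac.compare_digest(sealed[-1][1], anchor)
    )


def demo() -> dict:
    sealed = seal_log(INITIAL_KEY, SAMPLE_LINES)
    anchor = sealed[-1][1]  # the value you would commit to write-once media / a timestamping service

    # Scenario 1: the date on entry 1 is rewritten after the fact, tag left as is.
    edited_line = sealed[1][0].replace(b"12/Mar/2012", b"11/Mar/2012")
    edited = list(sealed)
    edited[1] = (edited_line, sealed[1][1])

    # Scenario 2: an attacker who later captured the *current* (evolved) key
    # re-seals entry 1 onward with that key. The verifier expects K_1 there, not K_3.
    later_key = INITIAL_KEY
    for _ in SAMPLE_LINES:
        later_key = evolve_key(later_key)
    resealed = sealed[:1] + seal_log(later_key, [edited_line, SAMPLE_LINES[2]], prev_tag=sealed[0][1])

    return {
        "intact": verify_chain(INITIAL_KEY, sealed),
        "edited_entry": verify_chain(INITIAL_KEY, edited),
        "resealed_with_later_key": verify_chain(INITIAL_KEY, resealed),
        "truncated_chain_only": verify_chain(INITIAL_KEY, sealed[:2]),
        "truncated_vs_anchor": verify_against_anchor(INITIAL_KEY, sealed[:2], anchor),
        "full_vs_anchor": verify_against_anchor(INITIAL_KEY, sealed, anchor),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")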