Computer & OS Fundamentals · beginner · ~10 min
Explain what logs record, why timestamps and time zones matter, and the defensive/forensic angle.
Logs record system, auth, and application events, each timestamped. Time zone and format (prefer ISO 8601 / UTC / Unix epoch) matter for correlation, which is why NTP sync exists. Logs drive both attack detection and forensic timelines.
Defenders catch attacks and build incident timelines from logs; testers must remember their actions are logged and that log tampering is out of scope and destroys evidence. Correct, synced timestamps are what make cross-system correlation possible.
Log sources. System, auth, application/web.
ISO 8601 / UTC. Unambiguous timestamps; epoch is the machine form.
NTP. Keeps clocks aligned for correlation.
Detection. Anomalies in logs reveal attacks.
Integrity. Never tamper — evidence and scope.
Logs are the system's memory of what happened. They are central to both attack detection and incident investigation.
What they record. System, auth and application logs (/var/log/, Windows Event Log): service start/stop, auth attempts, errors.
Every log line is stamped with a time. Two things to respect:
Format. ISO 8601 (e.g. 2026-06-11T14:30:00Z) is unambiguous; many formats aren't.
Time zone. Z/UTC vs local time. Correlating events across systems requires a common time base, which is why NTP (time sync) matters. Unix epoch time (seconds since 1970-01-01 UTC) is the machine-friendly form.
Logs are timestamped records of activity that power both detection and forensics; ISO 8601/UTC and NTP keep them correlatable. Testers respect that logs capture their actions and leave them intact.
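The correlation problem above, as an added example that is not part of the original page: four constructed log sources stamp time differently (ISO 8601 with Z, ISO 8601 with a local offset, Unix epoch seconds, and a naive local time with no zone), and the script normalizes all of them to UTC before sorting into one timeline. The sample lines and the assumed +2 hour offset of the "host" clock are constructed for the example.

```python
# Added example, not from the original page: merge log lines from sources that
# stamp time differently into one UTC timeline. All lines are constructed data.
import re
from datetime import datetime, timezone, timedelta

SAMPLE_LOGS = {
    "web":  ["2026-06-11T16:30:05+02:00 GET /login 200",              # local offset
             "2026-06-11T16:30:40+02:00 POST /login 302"],
    "auth": ["2026-06-11T14:30:20Z sshd: Accepted password for alice",  # UTC (Z)
             "2026-06-11T14:31:10Z sudo: alice : COMMAND=/usr/bin/id"],
    "app":  ["1781188225 worker: job started",                        # Unix epoch
             "1781188260 worker: job finished"],
    "host": ["2026-06-11T16:30:50 cron: nightly backup"],             # naive: no zone!
}

def parse_timestamp(token, naive_offset_hours=0):
    """Return an aware UTC datetime for an ISO 8601 or Unix-epoch token.
    A naive ISO timestamp (no Z or offset) is ambiguous; it is interpreted as
    local time at the given UTC offset (assumed, e.g. from the host's config)."""
    if re.fullmatch(r"\d{9,10}(\.\d+)?", token):            # epoch seconds
        return datetime.fromtimestamp(float(token), tz=timezone.utc)
    ts = datetime.fromisoformat(token.replace("Z", "+00:00"))
    if ts.tzinfo is None:                                    # no zone on the line
        ts = ts.replace(tzinfo=timezone(timedelta(hours=naive_offset_hours)))
    return ts.astimezone(timezone.utc)

def build_timeline(sources, naive_offset_hours=0):
    """Normalize every line to UTC and return them sorted as 'TS [source] msg'."""
    events = []
    for name, lines in sources.items():
        for line in lines:
            token, _, message = line.partition(" ")
            events.append((parse_timestamp(token, naive_offset_hours), name, message))
    events.sort(key=lambda e: e[0])
    return [f"{t.strftime('%Y-%m-%dT%H:%M:%SZ')} [{n}] {m}" for t, n, m in events]

if __name__ == "__main__":
    # Wrong assumption: reading the naive 'host' stamp as UTC lands it 2 h late.
    for line in build_timeline(SAMPLE_LOGS):
        print(line)
    print("--- with the host clock known to be UTC+2 ---")
    for line in build_timeline(SAMPLE_LOGS, naive_offset_hours=2):
        print(line)
```

Run it twice as the main block does: with the wrong zone assumption the backup job sorts after everything else, with the right one it slots between the POST and the job finishing, which is the kind of ordering error that breaks an incident timeline.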