Log Integrity Certificate: Prove Your Logs Were Not Altered

Introduction

Logs are the memory of a system. When something goes wrong — a breach, a fraud, a regulator's question — the first thing anyone asks is what the logs say, and the very next thing is whether those logs can be trusted. SOC and SIEM teams, auditors and compliance officers all run into the same problem: a raw log file is easy to edit, and a screenshot proves nothing. A log integrity certificate closes that gap. It records a cryptographic hash for each log file, states a clear verification result, and seals the whole document so that any later change is detectable. This article explains what the certificate contains, where it is used, and how e-Dex (formerly Hash Calculator) produces one offline on your own machine.

What a Log Integrity Certificate Is

A log integrity certificate makes one narrow, powerful claim: that a named set of log files is bit-for-bit identical to the state in which it was captured. It does not interpret the logs, judge what happened, or replace your chain-of-custody paperwork. What it does is fix the integrity of the logs in time — once you have the certificate, you can hand the logs to a colleague, an auditor or a court months later and let them re-verify for themselves that nothing was touched. Because logs are just files on disk, the same hashing that protects a single document protects a whole batch of log files at once.

What's Inside the Certificate

The certificate is deliberately plain and reads top to bottom. A real e-Dex log integrity certificate contains:

Header and context — the template name (Log Integrity Certificate), the case or reference, an optional FIR number, the analyst's name and the organisation, so the certificate identifies the log source and who produced it.
Summary line — the file count, total size in bytes, and a tally of matches, mismatches and errors. In our sample that reads files=4, size=220200960, matches=4, mismatches=0, errors=0, covering the period of logs under review.
Annexure — one row per log file with its name, size and status, followed by its full SHA-256 hash. The sample lists syslog-1.log through syslog-4.log, each marked Verified with its own hash, so the annexure is a permanent record of both the file count and the hashes.
Verification result — a single explicit line, here verified=4, failed=0, errors=0, so the outcome is visible at a glance.
Integrity SHA-256 seal — a hash computed over the certificate's own sealed content, so the document itself is tamper-evident, not just the logs it describes.
Declaration — a signed statement that the log files were processed with e-Dex, their hash values computed and, where an expected value existed, compared, and that the stated result accurately and completely reflects the integrity status of those logs.

Where Log Integrity Certificates Are Used

The certificate fits anywhere a log has to be trusted by someone who did not collect it. SOC 2 and ISO 27001 audits require organisations to retain audit logs and to show they are protected against tampering; a certificate gives the auditor a concrete artefact instead of a verbal assurance. In incident response, the certificate locks down the exact log set used to build a timeline, so the sequence of events cannot later be challenged as edited. For regulatory log retention — in finance, telecom, healthcare and similar regimes — it attaches to the archived logs as proof that what was retained is what was generated. In each case the certificate is the verifiable core that the rest of the evidence story rests on.

How e-Dex Generates It

Producing the certificate is a short, guided flow. Open the Certificate Generator in e-Dex and choose the Log Integrity template. Add the log files that make up the period you want to cover, then fill in the fields — case or reference, analyst, organisation and any expected hash values you are checking against. e-Dex computes the SHA-256 of each file, compares it where an expected value was recorded, and assembles the summary, annexure and verification result. You can then sign the certificate with a PAdES digital signature and apply an RFC-3161 timestamp, and finally export it as a PDF. The process mirrors the one described in our guide to signing and timestamping a forensic certificate with PAdES and RFC-3161, and the underlying integrity document is the same foundation covered in our evidence integrity certificate article.

Verifying It Offline

A certificate is only as good as the ability to re-check it, and that check needs no internet and no trust in us. Each log file carries its SHA-256 hash in the annexure, so a verifier recomputes the SHA-256 of each file and confirms it matches. The certificate also carries its own integrity seal, computed over its sealed lines, so the document itself can be confirmed unchanged by recomputing that hash. e-Dex performs both checks locally, but because the algorithm is a published standard, anyone with a SHA-256 tool can repeat them independently. For a full walkthrough, see our guide to verifying a digital evidence certificate offline.
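The two checks described above can be repeated with nothing but a standard library. The following is an added example, not e-Dex code: the annexure row shape (name, size, SHA-256), the function names and the sample files are constructed for illustration, and the seal's canonical form (lines joined with LF, UTF-8) is an assumption because the page does not define the sealed layout.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large log files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_annexure(log_dir, annexure):
    """annexure rows are (name, size, sha256_hex); returns (statuses, tally)."""
    tally = {"verified": 0, "failed": 0, "errors": 0}
    statuses = {}
    for name, size, expected in annexure:
        path = os.path.join(log_dir, name)
        try:
            same = (os.path.getsize(path) == size
                    and sha256_file(path) == expected.strip().lower())
        except OSError:
            # A missing or unreadable file is reported separately from a mismatch.
            statuses[name] = "Error"
            tally["errors"] += 1
            continue
        statuses[name] = "Verified" if same else "Mismatch"
        tally["verified" if same else "failed"] += 1
    return statuses, tally

def seal(sealed_lines):
    """ASSUMPTION: lines joined with LF, encoded as UTF-8; the page does not
    define e-Dex's sealed layout, so follow the certificate's own instructions."""
    return hashlib.sha256("\n".join(sealed_lines).encode("utf-8")).hexdigest()

def demo():
    """Constructed data: three small logs, then one edited in place and one deleted."""
    with tempfile.TemporaryDirectory() as log_dir:
        annexure = []
        for i in (1, 2, 3):
            name, data = f"syslog-{i}.log", f"constructed entry {i}\n".encode() * 100
            with open(os.path.join(log_dir, name), "wb") as fh:
                fh.write(data)
            annexure.append((name, len(data), hashlib.sha256(data).hexdigest()))
        before = verify_annexure(log_dir, annexure)[1]
        with open(os.path.join(log_dir, "syslog-2.log"), "r+b") as fh:
            fh.write(b"C")  # same size, one byte changed
        os.remove(os.path.join(log_dir, "syslog-3.log"))
        statuses, after = verify_annexure(log_dir, annexure)
        return before, statuses, after

if __name__ == "__main__":
    print(demo())
```

A seal that is only a hash can be recomputed by anyone who edits the certificate text, so the seal shows accidental or naive changes while the signature and timestamp are what bind the document to a signer and a point in time. Line endings matter when recomputing a seal: the same lines joined with CRLF instead of LF give a different hash.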

SPECIMEN
See a sample Log Integrity Certificate

This is a real certificate produced by e-Dex, shown with fictitious case data, for illustration only. Recompute the SHA-256 seal printed on it to watch the integrity check work.


Frequently Asked Questions

What is a log integrity certificate?
A log integrity certificate is a short, readable document that records the cryptographic hash of each log file in a set, along with an overall verification result and a signed declaration. It lets a SOC team, auditor or investigator prove that specific server, application or audit logs are bit-for-bit identical to the state in which they were collected, so the logs can be trusted as evidence.

Which logs can e-Dex certify?
e-Dex treats every log as a file, so it can certify any log you can save to disk: syslog and system logs, web and application server logs, firewall and SIEM exports, database audit trails, and access or authentication logs. You select the files that make up the period you want to cover, e-Dex computes a hash for each one, and the certificate lists them in an annexure with the overall verification result.

Does e-Dex need an internet connection to certify logs?
No. e-Dex runs fully offline on your own Windows machine. Reading the log files, computing their SHA-256 hashes, comparing them against recorded values and generating the log integrity certificate all happen locally, so your logs never leave your computer. An internet connection is only needed if you choose to apply an RFC-3161 trusted timestamp from a Time-Stamping Authority.

How do I verify a log integrity certificate later?
Each log file on the certificate carries its SHA-256 hash, and the certificate itself carries an integrity SHA-256 seal computed over its sealed content. To re-verify, recompute the SHA-256 of each log file and confirm it matches the value in the annexure, then recompute the seal over the sealed lines and confirm it equals the stated hash. If both checks pass, the logs and the certificate are unchanged. e-Dex performs these checks offline.

Is a log integrity certificate useful for SOC 2 or ISO 27001 audits?
Yes. Many control frameworks require organisations to retain audit logs and to show that those logs are protected against tampering. A log integrity certificate gives an auditor a concrete, verifiable artefact: per-file hashes, a verification result and a declaration, optionally signed and timestamped. It supports evidence of log retention and integrity, though how it is weighed always depends on your auditor and the framework in question.

Conclusion

Logs only count as evidence if you can show they have not been touched. A log integrity certificate turns that into a one-page, verifiable fact: named log files, a SHA-256 hash for each, a clear verification result, and a sealed declaration that anyone can re-check offline. For SOC and SIEM teams, auditors and compliance officers, it is the simplest way to make logs defensible. You can produce one in minutes, entirely offline, on a single Windows machine with e-Dex — the Digital Evidence Integrity Suite. Download it free and start proving your logs are exactly what they should be.