Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
Detecting unauthorized changes or deletions to log files using cryptographic hashes, digital signatures, or write-once storage - so attackers can't erase their tracks in the audit trail.
Log Tamper Detection Definition: Detecting unauthorized changes or deletions to log files using cryptographic hashes, digital signatures, or write-once storage - so attackers can't erase their tracks in the audit trail.
Log tamper detection is the practice of identifying unauthorized modification or deletion of log records so that audit trails remain trustworthy. It uses cryptographic and architectural controls to prove whether logs are intact, ensuring that the evidence used for incident detection, investigation, and compliance has not been altered.
It typically works by binding integrity proofs to log data. Each entry or batch is hashed (for example with SHA-256), and entries can be chained so each record's hash incorporates the previous one, making any insertion or deletion detectable. HMACs or digital signatures add authentication so only the logging system can produce valid records. Architectural controls reinforce this: forwarding logs in near-real time to a remote, append-only SIEM, write-once-read-many (WORM) storage, and restricted permissions so an attacker on the source host cannot quietly rewrite history.
This matters because logs are the primary record of what happened during an attack, and erasing them is a standard attacker objective - the MITRE ATT&CK technique "Indicator Removal: Clear Logs" describes exactly this. If logs can be silently edited, an intruder can delete the entries showing their privilege escalation and lateral movement, defeating detection and breaking forensic investigations. Tamper detection guarantees integrity and non-repudiation, and is required by frameworks such as PCI DSS (which mandates protecting audit trail files from modification).
For example, a server hashes each log line into a chained sequence and ships entries to a central, append-only log store every few seconds. An attacker who compromises the server and deletes local entries to hide a malicious login cannot alter the copies already forwarded, and the broken hash chain on the host flags that records were removed. During the investigation, responders use the verified remote logs to reconstruct the full timeline the attacker tried to erase.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →