Simone Costanzi
Log Analysis and Forensic Implications: The Importance of SOC and DFIR Departments in Corporate Cybersecurity and Related Case Study.
Supervisor: Andrea Atzeni. Politecnico di Torino, Master's degree programme in Cybersecurity, 2025
PDF (Tesi_di_laurea) - Thesis. License: Creative Commons Attribution Non-commercial No Derivatives. (8MB)
| Abstract: | In recent years, cybersecurity has assumed a strategic and essential role for public and private organizations and is no longer seen simply as an added value, as it was in the past. This thesis analyzes the importance of the Security Operation Center (SOC) and Digital Forensics and Incident Response (DFIR) departments in corporate cybersecurity, highlighting their contribution to the prevention, detection, and management of security incidents. The work is divided into three main sections: a first, theoretical section dedicated to the historical and technological evolution of defense and analysis tools (EDR, XDR, SIEM, SOAR); a second section that describes the evolution of DFIR and provides a regulatory overview, focusing on the issues of Cloud Forensics; and, finally, an applied section that describes an example of forensic analysis. The theoretical path describes the evolution of log analysis: from the first approaches based on pattern matching and rule-based detection to modern anomaly detection and machine learning models. The analysis also delves into the impact of Artificial Intelligence and generative AI in improving response times and reducing false positives. It also highlights how the interaction between SIEM, XDR, and SOAR today represents an integrated and dynamic ecosystem, capable of enabling automation and advanced event correlation within modern Security Operation Centers. The section dedicated to DFIR explores the role of digital forensics within the SOC, its evolution from manual post-event analysis to DFIR-as-a-Service models, and the new challenges related to cloud forensics and cross-border data management. The experimental part aims to demonstrate how a forensic investigation can be conducted and what information can be retrieved using open-source forensic tools such as KAPE, Hayabusa, Zimmerman Tools, and Timeline Explorer. These tools were selected for their interoperability, accuracy, and speed of analysis, allowing for the construction of a complete and reproducible forensic timeline of events, according to DFIR best practices. The combined use of these tools demonstrates the feasibility of a realistic incident response workflow. |
|---|---|
| Supervisors: | Andrea Atzeni |
| Academic year: | 2025/26 |
| Publication type: | Electronic |
| Number of pages: | 130 |
| Subjects: | |
| Degree programme: | Master's degree programme in Cybersecurity |
| Degree class: | New system > Master's degree > LM-66 - SICUREZZA INFORMATICA |
| Partner companies: | ACCENTURE S.P.A. |
| URI: | http://webthesis.biblio.polito.it/id/eprint/38693 |



Creative Commons License - Attribution 3.0 Italy