Logs indicate successful and unsuccessful authentication attempts at application and system level. Logs should include the date and time, source, and a description of the event in question. Log files should include accesses to privileged system files such as system logs and password files as well as sources of protected information such as credit card information and personnel records. There are, of course, other items that might make the wish list, but these are the basics that forensics investigators will need in order to gain a clear picture of any footprint left behind by an intruder.”]
Source: https://www.csoonline.com/article/2117888/forensic-evidence-trail.html