If I understand your question correctly, then the following quote from "Computer Records and the Federal Rules of Evidence" by Orin S. Kerr is responsive:

http://www.cybercrime.gov/usamarch2001_4.htm

(to the effect: "Absent specific evidence of tampering, allegations that computer records have been altered go to their weight, not their admissibility")

<quote>

1. Authenticity and the Alteration of Computer Records

Computer records can be altered easily, and opposing parties often allege that computer records lack authenticity because they have been tampered with or changed after they were created. For example, in United States v. Whitaker, 127 F.3d 595, 602 (7th Cir. 1997), the government retrieved computer files from the computer of a narcotics dealer named Frost. The files from Frost's computer included detailed records of narcotics sales by three aliases: "Me" (Frost himself, presumably), "Gator" (the nickname of Frost's co-defendant Whitaker), and "Cruz" (the nickname of another dealer). After the government permitted Frost to help retrieve the evidence from his computer and declined to establish a formal chain of custody for the computer at trial, Whitaker argued that the files implicating him through his alias were not properly authenticated. Whitaker argued that "with a few rapid keystrokes, Frost could have easily added Whitaker's alias, 'Gator' to the printouts in order to finger Whitaker and to appear more helpful to the government." Id. at 602.

The courts have responded with considerable skepticism to such unsupported claims that computer records have been altered. Absent specific evidence that tampering occurred, the mere possibility of tampering does not affect the authenticity of a computer record. See Whitaker, 127 F.3d at 602 (declining to disturb trial judge's ruling that computer records were admissible because allegation of tampering was "almost wild-eyed speculation . . . [without] evidence to support such a scenario"); United States v. Bonallo, 858 F.2d 1427, 1436 (9th Cir. 1988) ("The fact that it is possible to alter data contained in a computer is plainly insufficient to establish untrustworthiness."); United States v. Glasser, 773 F.2d 1553, 1559 (11th Cir. 1985) ("The existence of an air-tight security system [to prevent tampering] is not, however, a prerequisite to the admissibility of computer printouts. If such a prerequisite did exist, it would become virtually impossible to admit computer-generated records; the party opposing admission would have to show only that a better security system was feasible."). Id. at 559. This is consistent with the rule used to establish the authenticity of other evidence such as narcotics. See United States v. Allen, 106 F.3d 695, 700 (6th Cir. 1997) ("Merely raising the possibility of tampering is insufficient to render evidence inadmissible."). Absent specific evidence of tampering, allegations that computer records have been altered go to their weight, not their admissibility. See Bonallo, 858 F.2d at 1436.

</quote>

Duncan C. Kinder, JD, CCNA
dckinderat_private

----- Original Message -----
From: "Hall, Andrew" <andrew.hallat_private>
To: <FORENSICSat_private>
Sent: Sunday, April 08, 2001 7:23 PM
Subject: Court Admissible Evidence

> Was wondering what other people are doing out there regarding the validation
> of archived log entries.
>
> Given a situation where there is a remote box logging traffic, which then
> has these logs pulled back to a central location where the logs are
> permanently stored on CD-R, the challenge is to be able at a later date to
> prove that the CD you have in your hand was the CD burnt back at that day in
> question, and that individual log files are unaltered copies of the original
> data.
>
> You can possibly prove the first challenge by generating a checksum of the
> entire CD image, and printing this checksum to a continuous line printer
> feed, as well as storing this on the CD.
>
> However, the ability to validate each individual sensor file is more of a
> challenge. i.e. you can checksum the file before the central location pulls
> the file, and then checksum it again to compare ... but how do you
> permanently store the original checksum? It is probably not feasible to have
> another line printer on every remote box.
>
> Suggestions? Has anyone had a similar situation to prove in court?
>
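
The per-file checksum step described in the original message, as an added example that is not part of either message in this thread: each log's digest goes into one manifest stored with the logs, and only the manifest's digest needs a printed record like the one the poster already keeps for the CD image. SHA-256, the manifest layout, every function name and the sample logs are assumptions made for illustration.

```python
import hashlib

# Constructed sample data standing in for logs pulled from two remote sensors.
SAMPLE_LOGS = {
    "sensor-a/2001-04-08.log": b"19:02:11 deny tcp 10.0.0.5:1042 -> 10.0.0.9:23\n",
    "sensor-b/2001-04-08.log": b"19:02:14 allow udp 10.0.0.7:53 -> 10.0.0.1:53\n",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> str:
    """One '<digest>  <name>' line per log, sorted so the text is reproducible."""
    return "".join(f"{sha256_hex(body)}  {name}\n"
                   for name, body in sorted(files.items()))

def manifest_digest(manifest: str) -> str:
    """The single value to print on paper at the central site (assumed workflow)."""
    return sha256_hex(manifest.encode("utf-8"))

def verify(files: dict, manifest: str, printed_digest: str) -> list:
    """Return a list of discrepancies; an empty list means everything matches."""
    problems = []
    if manifest_digest(manifest) != printed_digest:
        problems.append("manifest does not match printed digest")
    recorded = {}
    for line in manifest.splitlines():
        digest, name = line.split("  ", 1)
        recorded[name] = digest
    for name in sorted(recorded.keys() | files.keys()):
        if name not in files:
            problems.append(f"missing: {name}")
        elif name not in recorded:
            problems.append(f"unlisted: {name}")
        elif sha256_hex(files[name]) != recorded[name]:
            problems.append(f"altered: {name}")
    return problems

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_LOGS)
    printed = manifest_digest(manifest)
    print(manifest, end="")
    print("digest to print:", printed)
    print("verify:", verify(SAMPLE_LOGS, manifest, printed) or "all files match")
```

Altering a log and regenerating the manifest to match changes the manifest digest, so the change still shows against the paper record.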
This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 21:15:46 PDT