I think that the original question, "Gee, how do we know that these logs haven't been altered?", can never be answered in the absolute affirmative. Even if a checksum of a hard drive's contents is computed at the time of seizure, the court must still rely upon the word of the person who collected the drive... That is, until we discover some means of persuading criminals to compute checksums of their own drives after committing crimes. The validity of any piece of evidence rests on a court's belief that the evidence is valid.

The lab in which I work uses strict chain-of-custody procedures (i.e., you're fired if you fail to properly control evidence), coupled with EnCase, to provide some degree of support for our claims that we have not tampered with evidence. We photograph our work from the moment FedEx delivers the package up until the drive has been acquired, and depend on EnCase's checksums to ensure that our analysis has not changed the data. Even so, we could be lying the whole time. It's theoretically possible that the lab writes new data to the drive or erases critical evidence before we compute the checksums.

The real guarantee of validity lies in the reputation of both our firm and the partners who testify on our behalf. I, the office peon, do not walk into a courtroom and provide testimony as to the validity of our procedures and evidence. My boss, a former Secret Service agent with years of experience in computer crime investigations, does that. And yes, the opposing counsel could claim that even she has participated in some kind of mass conspiracy to tamper with evidence... But generally, those kinds of claims don't fly in court (there are exceptions--a certain ex-football player, for instance).

Not even the police, who regularly present forensic evidence in court, can avoid this issue. How does the court know that the bag of cocaine on the prosecutor's table is, in fact, the same bag found in the defendant's home? Because the officers, the lab workers, and the forensics experts will all swear by it, and these people's reputations are (generally) trusted.

This is the first time I've written in to this list, so I'm not entirely sure if something this philosophical is really appropriate, but I think it's an important point. I'm hardly an expert in the field, so I'd appreciate it if anyone can correct any mistakes in my reasoning.

----------------------------------------------------------------
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.
-----------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
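The post's central point, that an acquisition checksum only binds the evidence to its state at the moment the checksum was taken and says nothing about what happened to the drive before that, can be shown concretely. The following is an added example, not code from the poster, from the poster's lab, or from EnCase; it uses SHA-256 over an in-memory byte string standing in for a drive image (the syslog-style lines are constructed for the demonstration), and the `acquire`, `verify`, `tamper` and `demonstrate` helper names are assumptions of this example. It runs two scenarios: tampering after acquisition, which the stored hash catches, and tampering before acquisition, which produces a perfectly consistent hash and is therefore invisible to later verification.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample "drive contents" for the demonstration (not real evidence).
ORIGINAL_IMAGE = (
    b"Jul 20 03:12:07 host sshd[4311]: Failed password for root from 10.0.0.7\n"
    b"Jul 20 03:12:09 host sshd[4311]: Accepted password for root from 10.0.0.7\n"
    b"Jul 20 03:14:51 host sudo: root : COMMAND=/usr/bin/rm -rf /var/log/audit\n"
)


@dataclass
class EvidenceRecord:
    """Hypothetical custody record: the hash taken at acquisition plus a log."""
    label: str
    sha256: str
    custody_log: List[str] = field(default_factory=list)


def acquire(label: str, device_bytes: bytes, examiner: str) -> EvidenceRecord:
    """Hash the device contents as found and open the custody log.

    The hash covers whatever bytes are on the device *now*; it carries no
    information about any earlier state of the device.
    """
    digest = hashlib.sha256(device_bytes).hexdigest()
    rec = EvidenceRecord(label=label, sha256=digest)
    rec.custody_log.append(f"acquired by {examiner}; sha256={digest}")
    return rec


def verify(rec: EvidenceRecord, image_bytes: bytes) -> bool:
    """Return True if the image still matches the hash taken at acquisition."""
    return hashlib.sha256(image_bytes).hexdigest() == rec.sha256


def tamper(image: bytes) -> bytes:
    """Simulate erasing incriminating content: rewrite the successful login
    as a failure, keeping the length so nothing else shifts."""
    return image.replace(b"Accepted password", b"Failed   password")


def demonstrate() -> Dict[str, bool]:
    """Run both scenarios and report whether verification detected the change."""
    results: Dict[str, bool] = {}

    # Scenario 1: honest acquisition, then the working copy is altered later.
    rec = acquire("drive-001", ORIGINAL_IMAGE, "examiner")
    altered_later = tamper(ORIGINAL_IMAGE)
    results["post_acquisition_tamper_detected"] = not verify(rec, altered_later)

    # Scenario 2: the drive is altered *before* anyone computes a checksum.
    # The hash is taken over the already-modified bytes, so verification
    # succeeds: the checksum is consistent and the alteration is invisible.
    altered_first = tamper(ORIGINAL_IMAGE)
    rec2 = acquire("drive-002", altered_first, "examiner")
    results["pre_acquisition_tamper_detected"] = not verify(rec2, altered_first)

    return results


if __name__ == "__main__":
    for scenario, detected in demonstrate().items():
        print(f"{scenario}: {detected}")
```

Scenario 1 shows what the checksum is good for: it proves the analysis did not change the data after the hash was recorded. Scenario 2 is the gap the post describes, and no choice of hash function closes it; only the people and procedures around the acquisition can speak to what happened before the checksum existed.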
This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 08:00:27 PDT