But let's not forget that log evidence still has to be tied to a particular person. Authentication, preservation, and credibility are valid points but by themselves logs do not prove that John Doe was in the chat room selling credit cards.

I am not a lawyer but it has been my experience that you have to be able to prove that at the time the log was generated, in fact it was John Doe and not someone who has gotten his username/password. Excuses I have heard range from 'someone stole my wallet and that had my passwords in it' to 'I gave Sally my password to copy a file and she must have done it'.

Lee.

-----Original Message-----
From: Jonathan A. Zdziarski
To: mstevensonat_private; forensicsat_private
Sent: 6/18/02 9:22 PM
Subject: RE: Audit Logs as submissible evidence.

It all comes down to the credibility/reliability of the data and the authentication of that data. Evidence such as tape recordings and server logs must be authenticated to be admitted into court, and the authentication always turns out to be your burden. If the data is credible enough, the judge may allow it but if there is doubt, it will most likely be argued as hearsay (The logs told me this...the sysadmin told me that...)

Thank You,

Lee Kelly, CISSP
Manager, Assessment Services
Fortrex Technologies
kellylat_private
1-877-Fortrex - Office
1-301-906-6269 - Cell

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 11:04:28 PDT