Greg Broiles wrote:
>
> Is this risk (that investigators may be deliberately fabricating or
> altering evidence) a particularly serious or important one?
>
> It's my impression that existing adversarial/legal systems cope with
> this risk by allowing for impeachment of witnesses for bias, and by
> correlating (or failing to correlate) evidence across witnesses or
> forensic artifacts - e.g., it's one thing for one investigator to say
> he saw evidence in one logfile or on one hard disk, and another (less
> likely circumstance) for a team of investigators, perhaps from
> different agencies or departments, to agree to falsify testimony and
> evidence about coordinated evidence (e.g., perpetrator's record of mail
> sent matches the mail logs of two intervening ISPs which also matches
> mail received on victim's computer).

However, these issues have a great deal of bearing outside of the courtroom. While the authenticity may be in some global way protected by laws and common sense of judge and juries, during an investigative phase, deliberate tampering by anyone could be an issue. Of course, if replicas exist elsewhere such as in your last example this is less of an issue, but if the evidence is tampered with prior to or during the investigative phase, when conclusions are being formed, it could well lead to untrue statements from very truthful persons.

It almost feels like you're arguing that authenticity of evidence is somehow not important because falsehoods will be weeded out by common sense (which I'm sure is not the case anyways, but I feel a desire to respond anyways). Even though that may serve to protect the innocent in many cases, it doesn't help to deal with the guilty. And what of those persons who deal with the data before it ever reaches the courtroom?
Rarely in real life do you have the same people dealing with the entire process from start to finish - in many legal/financial/etc organizations this may be the case as large budgets have been allocated to computer incident response, but in many other organizations a lot of it simply falls to one or two people on the technical forensics side who then report to a general counsel or inspector general's office or somesuch.

I should note - I'm jumping out into an area here where I have little expertise, as I work solely on the technical side of systems security, but this is the view from my little corner of the world.

/*
 *
 * Matt Harris - Senior UNIX Systems Engineer
 * Smithsonian Institution, OCIO
 *
 */
This archive was generated by hypermail 2b30 : Fri Jan 10 2003 - 10:25:20 PST