Hi there,

IANAL. Admissible evidence laws vary from country to country, and there are different rules depending on what sort of evidence you are trying to introduce.

The Australian laws on this matter can be found here: http://www.austlii.edu.au/cgi-bin/download.cgi/download/au/legis/cth/consol_act/ea199580.txt (my mailer is going to wrap that, so search for "EVIDENCE ACT 1995" on http://www.austlii.edu.au).

The relevant section is Part 2.2 Section 48 "Proof of contents of documents", and section 50, which applies simply because logs are voluminous, sometimes inscrutable and verbose. And section 146, as the logs are generated by machines. The whole act applies, so a good reading of the headings will help. Also, as some logs will come from "foreign" hosts (ie non-Australian), different rules of evidence and admissibility apply. This is the "Foreign Evidence Act".

A good defence lawyer will always attack the provenance of any introduced evidence. If they don't at least try to inspire some doubt as to their authenticity and/or accuracy, they aren't doing their jobs. They can aim at the underlying syslog protocol, which, being UDP based and unauthenticated, could be considered unreliable if not properly locked down (which in a criminal case, the prosecution needs to prove). Also, a good defence lawyer will ask to exclude logs on the basis that they are confusing or misleading (section 136), which can be rebutted by using expert witnesses.

Again, I draw your attention to the differences between criminal and civil proceedings; it's easier to succeed in a civil case, but most of these dudes will not have any wealth, and you'd be lucky to get $10/mth for a period of their lives. If they live overseas, forget it.
Essentially, within the constraints of the act, which tries to allow as much untainted evidence as possible, it's up to the persons introducing the evidence to prove that the logs are what they are by showing good evidence handling procedures, including a secure path for logging (ie syslog has to be demonstrably secured).

It's all too hard.

Andrew

-----Original Message-----
From: Uidam, T (Tim) [mailto:Tim.Uidamat_private]
Sent: Wednesday, 13 June 2001 16:25
To: 'Andrew van der Stock'; incidentsat_private
Subject: RE: How to stop a consistent cracker.

It was my understanding that the courts consider the evidence (IDS logs, etc) to be true and correct UNLESS the judge explicitly believes the logs have been tampered with, or the defense attorney can prove that they have been. But I'm happy to be proven wrong.

This information was posted to a security-focus list about 2 months ago by a person claiming to be a lawyer specialising in IT&E cases.

Tim
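One concrete way to make the "demonstrably secured" log path Andrew mentions something you can show rather than assert is to chain the records on the collector: each record is MAC'd together with the previous record's MAC, so any edit, insertion or deletion after the fact breaks the chain at that point. The following is an added example written for this archive page, not code from either poster; the key, the sample syslog lines and the function names are all constructed, and the usual caveats hold: the key must never be on the sending hosts, and a separately stored "head" MAC is needed to catch truncation of the tail, which the chain alone cannot.

```python
import hashlib
import hmac

# Constructed sample records in rough syslog form (not real logs).
SAMPLE_RECORDS = [
    "Jun 13 16:25:01 gw sshd[412]: Accepted publickey for ops from 10.0.0.5",
    "Jun 13 16:25:07 gw sshd[417]: Failed password for root from 10.0.0.9",
    "Jun 13 16:25:09 gw sshd[417]: Failed password for root from 10.0.0.9",
]
GENESIS = b"\x00" * 32  # fixed "previous MAC" for the first record


def chain_records(records, key, prev=GENESIS):
    """Return [(record, mac_hex)] where each MAC covers the record text and
    the previous entry's MAC, so the entries form a tamper-evident chain.
    `key` lives only on the collector; senders never need it."""
    out = []
    for rec in records:
        mac = hmac.new(key, prev + rec.encode("utf-8"), hashlib.sha256).digest()
        out.append((rec, mac.hex()))
        prev = mac
    return out


def verify_chain(entries, key, head=None, prev=GENESIS):
    """Recompute the chain from the stored entries.
    Returns -1 if every entry verifies (and the final MAC equals `head`
    when one is supplied), otherwise the index of the first bad entry.
    A truncated tail is only detectable via `head` and is reported as
    len(entries)."""
    for i, (rec, mac_hex) in enumerate(entries):
        expected = hmac.new(key, prev + rec.encode("utf-8"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), mac_hex):
            return i
        prev = expected
    if head is not None and not hmac.compare_digest(prev.hex(), head):
        return len(entries)
    return -1


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-on-collector-only"
    entries = chain_records(SAMPLE_RECORDS, key)
    head = entries[-1][1]  # store this out of band (e.g. printed, signed, mailed)
    print("intact:", verify_chain(entries, key, head))        # -1
    edited = list(entries)
    edited[1] = (edited[1][0].replace("root", "ops"), edited[1][1])
    print("edited record:", verify_chain(edited, key, head))  # 1
    print("tail dropped:", verify_chain(entries[:2], key, head))  # 2
```

Because the chain only proves integrity from the moment a record reached the collector, it complements, rather than replaces, an authenticated transport in place of plain UDP syslog.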
This archive was generated by hypermail 2b30 : Wed Jun 13 2001 - 07:05:16 PDT