Re: [logs] Data for Court

From: todd glassey (todd.glasseyat_private)
Date: Tue Dec 18 2001 - 07:10:19 PST


    Bill - I disagree with much of what you said and I have no doubt that you
    have trained the 3000 law enforcement folks that you claim to have, I  have
    run into a number of them I think in other workshops - but I gotta tell you
    that I think what you trained them in was wrong.
    
    Thanks Tina for the pointer
    http://www.usdoj.gov/criminal/cybercrime/usamarch2001_4.htm - in the first
    portion of the paragraph we have a statement of admissibility -
    unfortunately it also requires the Court to make a finding of competence in
    the capture and maintenance of the log data.
      Records of regularly conducted activity. A memorandum, report, record, or
    data compilation, in any form, of acts, events, conditions, opinions, or
    diagnoses, made at or near the time by, or from information transmitted by,
    a person with knowledge, if kept in the course of a regularly conducted
    business activity, and if it was the regular practice of that business
    activity to make the memorandum, report, record, or data compilation, all as
    shown by the testimony of the custodian or other qualified witness, unless
    the source of information or the method or circumstances of preparation
    indicate lack of trustworthiness.
    
      (BTW - who makes this analysis as to what is trustable - most Courts have
    no forensics people competent to do this.)
    
      The term "business" as used in this paragraph includes business,
    institution, association, profession, occupation, and calling of every kind,
    whether or not conducted for profit.
    
    See, e.g., United States v. Cestnik, 36 F.3d 904, 909-10 (10th Cir. 1994);
    United States v. Moore, 923 F.2d 910, 914 (1st Cir. 1991); United States v.
    Briscoe, 896 F.2d 1476, 1494 (7th Cir. 1990); United States v. Catabran, 836
    F.2d 453, 457 (9th Cir. 1988); Capital Marine Supply v. M/V Roland Thomas
    II, 719 F.2d 104, 106 (5th Cir. 1983).
    
    Applying this test, the courts have indicated that computer records
    generally can be admitted as business records if they were kept pursuant to
    a routine procedure for motives that tend to assure their accuracy.
    
    AND OTHERWISE THEY ARE HEARSAY since there is no other way to admit them.
    However most courts would just say that they are inadmissible.
    ----- Original Message -----
    
    From: "Bill Spernow" <bill.spernowat_private>
    To: "'jamie rishaw'" <jrishawat_private>; "'Tina Bird'"
    <tbird@precision-guesswork.com>
    Cc: "'Log Analysis Mailing List'" <loganalysisat_private>
    Sent: Sunday, December 16, 2001 4:49 PM
    Subject: RE: [logs] Data for Court
    
    
    > I am a little late to this discussion, so forgive me if I am restating
    > previous issues, but given I have had some practical experience in this
    > arena, and have trained well over 3,000 cops worldwide on cyber
    > investigative techniques, let me add:
    >
    > (1)  Any log data that can be printed out can be successfully introduced as
    > evidence in a US court trial (assuming the Attorney is competent).
    
    And the other lawyer is incompetent. My key problem with the above paragraph
    is that you make the Blanket Statement that "the evidence will be accepted"
    and more and more that just is not true I think.
    
    >
    > (2)  Any log maintained in the "normal course of business" falls under the
    > hearsay exception and can easily be admitted into evidence.
    
    depending on how it was kept - i.e. until who and how it was created by is
    called into question by opposing counsel. Then it is up to the testimony of
    the person administering the system and their veracity.
    
    >
    > (3)  Any log evidence that is created/acquired as a "result" of an
    > investigation into the source of a compromise can be challenged, but (as
    > mentioned) if there no indications that the original document/log file
    > created (or a true and accurate copy) was not tampered with, then it will be
    > difficult from keeping it being introduced as evidence.
    
    See, the burden of proof has been wrongly placed on the person refuting the
    logging data. The fact of the matter is mechanically that ***any*** passively
    produced log data should be easily refutable in court by a smart and savvy
    enough counsel.
    
    >
    > (4)  Most challenges to any forensic computer data pivot on the chain of
    > custody and the methodology used to gather/discover it, as opposed to the
    > original data itself.
    
    yes - this is true - but courts are becoming more conscious of what
    originally created it as well. Especially if there is only one Logging
    Server that is being submitted for testimony.
    
    >
    > Until then...
    >
    > Bill Spernow, CISSP
    > Chief Information Security Officer
    > Georgia Student Finance Commission
    > (w) 770-724-9328   (f) 770-724-9004
    > cisoat_private (business)
    > bill.spernowat_private (personal)
    >
    >
    >
    >
    > -----Original Message-----
    > From: jamie rishaw [mailto:jrishawat_private]
    > Sent: Sunday, December 16, 2001 4:13 PM
    > To: Tina Bird
    > Cc: Log Analysis Mailing List
    > Subject: Re: [logs] Data for Court
    >
    >
    > On Sat, Dec 15, 2001 at 04:11:13AM -0600, Tina Bird wrote:
    > > Hi all -- I've spent some of my time on airplanes reading
    > > the US Dept. of Justice report on Evidence Quality Computer
    > > Data (the link is on the Web site).  I won't go into great
    > > detail (I'm >loving< European central heating), but the thing
    > > I found the most interesting is that, despite all the great
    > > discussions about how easy it is to modify log data,
    > > >unless< there's reasonable proof that logs have been
    > > modified, they can be admitted as evidence.
    > >
    > > Even better, they're generally held to be reliable evidence
    > > if the business submitting them collects them as part of
    > > normal practice and relies upon their information for its
    > > day-to-day activity.
    >
    > Exactly.
    >
    > What's important (from what I'm learning from @Stake, an imho great
    > security organization) is that the company has what's recognized as a
    > baseline of what's "normal".
    >
    > One @stake staffer wrote to me in an e-mail on this exact topic:
    >
    > --snip--
    > The first goal any conscious
    > security professional should achieve is an aperture database. An aperture
    > into your technical and corporate environment, that is captured by a matrix
    > of what a corporation has and the "cause" (function) vs. "reaction"  for
    > each of the respective assets.  In doing so one has established a baseline
    > for what normal is. On a network, a high level example would be ...2
    > exchange mail servers : pop mail protocol (110) , internal and external
    > uses. For auditing purposes, one can accumulate 12 months of logs filtered
    > on the mail server that outline only port 110 was used from the following
    > internal IP addresses over the course of the last year. As you have defined
    > what is normal, then justified the statement with substantial evidence
    > (time stamped logs that were protected and uncorrupted {the security
    > measure put in place to protect the logging server was ample}), now when an
    > incident happens and one is scrubbing through sanitized data and isolates
    > an invalid IP address that accessed the mail server on port 22 at the same
    > time that your router's logs, firewalls, etc...noticed anomalies compared
    > to your aperture...the information is painted in a different light.
    > --snip--
    >
    > Hope this helps a little.
    >
    > jamie
    >
    > --
    > jamie rishaw <jamieat_private>
    > sr. wan/unix engineer/ninja // playboy enterprises inc.
    > [opinions stated are mine, and are not necessarily those of the bunny]
    >
    > "UNIX was not designed to stop people from doing stupid things, because
    >  that would also stop them from doing clever things." -- Doug Gwyn
    >
    > ---------------------------------------------------------------------
    > To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    > For additional commands, e-mail: loganalysis-helpat_private
    >
    
    
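The baseline ("aperture") approach described in the quoted @stake note, as an added example that is not part of this thread: build the set of (source address, destination port) pairs seen on each mail server over the baseline period, then flag later events that fall outside it, the way the port-22 access from an unknown address would. The log line format, host names and addresses are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample logs (not from the thread): one simplified syslog-like
# line per connection seen on the mail servers during the baseline period.
BASELINE_LOGS = """\
2001-01-05T09:12:01 mailsrv1 conn src=10.1.2.15 dport=110 proto=tcp
2001-02-11T14:03:44 mailsrv1 conn src=10.1.2.22 dport=110 proto=tcp
2001-06-19T08:40:09 mailsrv2 conn src=10.1.3.7 dport=110 proto=tcp
2001-11-30T17:55:12 mailsrv1 conn src=10.1.2.15 dport=110 proto=tcp
"""

# Constructed lines from the incident window being reviewed.
INCIDENT_LOGS = """\
2001-12-16T03:14:07 mailsrv1 conn src=10.1.2.15 dport=110 proto=tcp
2001-12-16T03:14:09 mailsrv1 conn src=203.0.113.44 dport=22 proto=tcp
2001-12-16T03:15:30 mailsrv2 conn src=10.1.3.7 dport=110 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) conn src=(?P<src>\S+) dport=(?P<dport>\d+)"
)

def parse(lines):
    """Yield (timestamp, host, src_ip, dport) for every well-formed line."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["host"], m["src"], int(m["dport"])

def build_aperture(lines):
    """Per host, the set of (src, dport) pairs seen in the baseline: 'normal'."""
    aperture = defaultdict(set)
    for _ts, host, src, dport in parse(lines):
        aperture[host].add((src, dport))
    return aperture

def find_anomalies(aperture, lines):
    """Return events outside the aperture, each tagged with why it deviates."""
    out = []
    for ts, host, src, dport in parse(lines):
        known_ports = {p for _, p in aperture.get(host, ())}
        known_srcs = {s for s, _ in aperture.get(host, ())}
        reasons = []
        if dport not in known_ports:
            reasons.append(f"port {dport} never seen on {host}")
        if src not in known_srcs:
            reasons.append(f"source {src} never seen on {host}")
        if reasons:
            out.append((ts, host, src, dport, "; ".join(reasons)))
    return out
```

Running `find_anomalies(build_aperture(BASELINE_LOGS), INCIDENT_LOGS)` flags only the port-22 connection from 203.0.113.44; the two port-110 events from known internal addresses match the baseline and are not reported.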
    



    This archive was generated by hypermail 2b30 : Tue Dec 18 2001 - 10:53:47 PST