Re: [logs] Data for Court

From: todd glassey (todd.glasseyat_private)
Date: Tue Dec 18 2001 - 06:27:23 PST

  • Next message: ALMEIDA Antonio Jose: "[logs] Backup"

    ThunderGal - Tina
    
    ----- Original Message -----
    From: "Tina Bird" <tbird@precision-guesswork.com>
    To: "Bill Spernow" <bill.spernowat_private>
    Cc: "'jamie rishaw'" <jrishawat_private>; "'Log Analysis Mailing List'"
    <loganalysisat_private>
    Sent: Monday, December 17, 2001 8:32 AM
    Subject: RE: [logs] Data for Court
    
    
    > Logs do >not< fall under the hearsay exception unless they
    > contain data manually entered by a human.  According to the
    > Justice Department report I quoted, hearsay is specifically
    > designed as information provided by a person, not information
    > automatically generated by a machine -- so different rules
    > apply.
    
    "Hear-say is any evidence that cannot be directly substantiated by first
    hand testimony."  I.e. evidence that one "potentially not credible source"
    would enter into the record. Up until now it has been tradtionally human
    generated or rendered but...
    
    As to why Computer Testimony is Hear-Say - Computers have exactly this same
    problem especially with Ethernet interconnects. The problem is that the
    Courts do not know how to audit these systems and becuase of that are making
    all sorts of funny decisions at the lower offices of the court that are
    being refuted at appeal.
    
    >
    > Read the report!
    >
    
    - I have and a third year law student could punch major holes in it.
    
    > t.
    >
    > "I was being patient, but it took too long." -
    >                                 Anya, "Buffy the Vampire Slayer"
    >
    > Log Analysis: http://www.counterpane.com/log-analysis.html
    > VPN:  http://kubarb.phsx.ukans.edu/~tbird/vpn.html
    >
    > On Sun, 16 Dec 2001, Bill Spernow wrote:
    >
    > > I am a little late to this discussion, so forgive me if I am restating
    > > previous issues, but given I have had some practical experience in this
    > > arena, and have trained well over 3,000 cops worldwide on cyber
    > > investigative techniques, let me add:
    > >
    > > (1)  Any log data that can be printed out can be successfully introduced
    as
    > > evidence in a US court trial (assuming the Attorney is competent).
    > >
    > > (2)  Any log maintained in the "normal course of business" falls under
    the
    > > hearsay exception and can easily be admitted into evidence.
    > >
    > > (3)  Any log evidence that is created/acquired as a "result" of an
    > > investigation into the source of a compromise can be challenged, but (as
    > > mentioned) if there no indications that the original document/log file
    > > created (or a true and accurate copy) was not tampered with, then it
    will be
    > > difficult from keeping it being introduced as evidence.
    > >
    > > (4)  Most challenges to any forensic computer data pivot on the chain of
    > > custody and the methodology used to gather/discover it, as opposed to
    the
    > > original data itself.
    > >
    > > Until then...
    > >
    > > Bill Spernow, CISSP
    > > Chief Information Security Officer
    > > Georgia Student Finance Commission
    > > (w) 770-724-9328   (f) 770-724-9004
    > > cisoat_private (business)
    > > bill.spernowat_private (personal)
    > >
    > >
    > >
    > >
    > > -----Original Message-----
    > > From: jamie rishaw [mailto:jrishawat_private]
    > > Sent: Sunday, December 16, 2001 4:13 PM
    > > To: Tina Bird
    > > Cc: Log Analysis Mailing List
    > > Subject: Re: [logs] Data for Court
    > >
    > >
    > > On Sat, Dec 15, 2001 at 04:11:13AM -0600, Tina Bird wrote:
    > > > Hi all -- I've spent some of my time on airplanes reading
    > > > the US Dept. of Justice report on Evidence Quality Computer
    > > > Data (the link is on the Web site).  I won't go into great
    > > > detail (I'm >loving< European central heating), but the thing
    > > > I found the most interesting is that, despite all the great
    > > > discussions about how easy it is to modify log data,
    > > > >unless< there's reasonable proof that logs have been
    > > > modified, they can be admitted as evidence.
    > > >
    > > > Even better, they're generally held to be reliable evidence
    > > > if the business submitting them collects them as part of
    > > > normal practice and relies upon their information for its
    > > > day-to-day activity.
    > >
    > > Exactly.
    > >
    > > What's important (from what I'm learning from @Stake, an imho great
    > > security organization) is that the company has what's recognized as a
    > > baseline of what's "normal".
    > >
    > > One @stake staffer wrote to me in an e-mail on this exact topic:
    > >
    > > --snip--
    > > The first goal any conscious
    > > security professional should achieve is a aperture database. An aperture
    > > into your technical and corporate environment, that is captured by a
    matrix
    > > of what a corporation has and the "cause" (function) vs. "reaction"  for
    > > each of the respective assets.  In doing so one has established a
    baseline
    > > for what normal is. On a network, a high level example would be ...2
    > > exchange mail servers : pop mail protocol (110) , internal and external
    > > uses. For auditing purposes, one can accumulate 12 months of logs
    filtered
    > > on the mail server that outline only port 110 was used from the
    following
    > > internal IP addresses over the course of the last year. As you have
    defined
    > > what is normal, then justified the statement with substantial evidence
    > > (time stamped logs that were protected and uncorrupted {the security
    > > measure put in place to protect the logging server was ample}), now when
    an
    > > incident happens and one is scrubbing through sanitized data and
    isolates
    > > an invalid IP address that accessed the mail server on port 22 at the
    same
    > > time that your router's logs, firewalls, etc...noticed anomalies
    compared
    > > to your aperture...the information is painted in a different light.
    > > --snip--
    > >
    > > Hope this helps a little.
    > >
    > > jamie
    > >
    > > --
    > > jamie rishaw <jamieat_private>
    > > sr. wan/unix engineer/ninja // playboy enterprises inc.
    > > [opinions stated are mine, and are not necessarily those of the bunny]
    > >
    > > "UNIX was not designed to stop people from doing stupid things, because
    > >  that would also stop them from doing clever things." -- Doug Gwyn
    > >
    > > ---------------------------------------------------------------------
    > > To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    > > For additional commands, e-mail: loganalysis-helpat_private
    > >
    >
    >
    > ---------------------------------------------------------------------
    > To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    > For additional commands, e-mail: loganalysis-helpat_private
    >
    
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
    



    This archive was generated by hypermail 2b30 : Tue Dec 18 2001 - 11:04:28 PST