TBird - Thanks for bringing the Kerr Report up I have been waiting for an opportunity to ask some "stupid questions" and make some commentary re the concept of Kerr's MLSS in todays data models. And Bill I was not slamming you for what you trained the 3000 cops to look for, its just that this world is moving so fast that 1 training is not enough. Especially as better Forensic and Audit Processes emerge. ----- Original Message ----- From: "Tina Bird" <tbird@precision-guesswork.com> To: "todd glassey" <todd.glasseyat_private> Cc: "Bill Spernow" <bill.spernowat_private>; "'jamie rishaw'" <jrishawat_private>; "'Log Analysis Mailing List'" <loganalysisat_private> Sent: Tuesday, December 18, 2001 3:24 PM Subject: Re: [logs] Data for Court > Actually, Todd, I read the report a little differently. Since > we're getting into this level of depth anyhow, what Kerr says > is that there's really three broad categories of "computer > data": Kerr may be stoned and looking at the world from the Mainframe and Appliance perspective and these dont exist really. So the report was obviously wrong - the physics dictate it. Read on about the flaw in how would you prove the content of the report. > > 1) Data that was created by a human and is stored on a computer, > which is subject to the same conditions of evidence as any other > human communication (that is, the hearsay issues -- was the > human an expert authority, was the comment reported accurately, > etc.) Is this to be data created with direct human User Interaction? OK The this is the case where there is human interactin in the collection or processing of the data. > > 2) Data that is generated by a computer, stored on a computer, > and is not touched by human hands -- this is subject to legal > questions about whether or not the program was running correctly, > but is >not< hearsay and is not subject to any of the case > law around human statements You mean DATA generated by an application, an application written by humans and running on this system. Computers don't generate anything other than heat and noise. And there are two issues to prove here. The first is what that particular program does when it runs correctly and the second is that it was running correctly at the time the audit snapshot was taken. As to the legal standing of this as hear-say - I personally volunteer to go before any court and explain why all computer generated reports or logs today without embedded IDS and other integrity checkpoints should be automatically considered Hear-Say until otherwise qualified. What the computer world offers that the Human World doesn't is that real computer testimony could be qualified as being beyond hear-say but human testimony cant. > > 3) Data that contains both human-generated and machine-generated > values, such as spreadsheets -- which is much more complicated, > big surprise, and is subject to all sets of conditions. I donty mean to be obtuse but - Kerr' never thought this s clearly the same as example #1, whether it happens on a distributed environment or not. The key issue Kerr failed to address is how to keep the Humans out of all of the data -and how to prove that the data is pristeen and untouched - i.e. by Systems Admins and the like. So in fact there is only one type of digital data at this point and what made it is irrelevent. Sometime in the future when there are provably ***NO HUMANS*** in the data collections or the operations of the systems, then there might be multiple forms of, or levels of computer data. Further with all the "uncertainty" behind TCP/IP (esp IPv4) based spoofing and the gross failure of Ethernet to do anything like being able to assure where and when certain datagrams enter or exit a systems farm, there is equally more uncertainty in anything that happens in distributed networking. > > There's nothing I read in Kerr's report that suggests that > purely machine generated data ever qualifies as hearsay, > whether or not someone is challenging their authenticity or > integrity. > > I would also argue that most courts don't have staff > biochemists who are capable of assessing the quality of a > DNA test, but that's why we have expert witnesses. > > t. > > Where did ThunderGal come from, anyhow? From your nick name "TBird" - There is an old Indian legend about the Thunder Goddess bringing truth and light to the world. > > On Tue, 18 Dec 2001, todd glassey wrote: > > > Bill - I disagree with much of what you said and I have no doubt that you > > have trained the 3000 law enforcement folks that you claim to have, I have > > run into a number of them I think in other workshops - but I gotta tell you > > that I think what you trained them in was wrong. > > > > Thanks Tina to the pointer > > http://www.usdoj.gov/criminal/cybercrime/usamarch2001_4.htm - in the first > > portion of the paragraph we have a statement of admissability - > > unfortunately it also requires the Court to make a finding of compentence in > > the capture and mainatence of the log data. > > Records of regularly conducted activity. A memorandum, report, record, or > > data compilation, in any form, of acts, events, conditions, opinions, or > > diagnoses, made at or near the time by, or from information transmitted by, > > a person with knowledge, if kept in the course of a regularly conducted > > business activity, and if it was the regular practice of that business > > activity to make the memorandum, report, record, or data compilation, all as > > shown by the testimony of the custodian or other qualified witness, unless > > the source of information or the method or circumstances of preparation > > indicate lack of trustworthiness. > > > > (BTW - who makes this analysis as to what is trustable - most Court's have > > not forensic's people competent to do this.) > > > > The term "business" as used in this paragraph includes business, > > institution, association, profession, occupation, and calling of every kind, > > whether or not conducted for profit. > > > > See, e.g., United States v. Cestnik, 36 F.3d 904, 909-10 (10th Cir. 1994); > > United States v. Moore, 923 F.2d 910, 914 (1st Cir. 1991); United States v. > > Briscoe, 896 F.2d 1476, 1494 (7th Cir. 1990); United States v. Catabran, 836 > > F.2d 453, 457 (9th Cir. 1988); Capital Marine Supply v. M/V Roland Thomas > > II, 719 F.2d 104, 106 (5th Cir. 1983). > > > > Applying this test, the courts have indicated that computer records > > generally can be admitted as business records if they were kept pursuant to > > a routine procedure for motives that tend to assure their accuracy. > > > > AND OTHERWISE THEY ARE HEAR-SAY since there is no other way to admit them. > > However most courts would just say that they are inadmissible. > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: loganalysis-unsubscribeat_private > For additional commands, e-mail: loganalysis-helpat_private > > --------------------------------------------------------------------- To unsubscribe, e-mail: loganalysis-unsubscribeat_private For additional commands, e-mail: loganalysis-helpat_private
This archive was generated by hypermail 2b30 : Wed Dec 19 2001 - 07:39:59 PST