Re: [logs] Data for Court

From: todd glassey (todd.glasseyat_private)
Date: Wed Dec 19 2001 - 06:41:24 PST


    TBird - Thanks for bringing the Kerr Report up. I have been waiting for an
    opportunity to ask some "stupid questions" and make some commentary re the
    concept of Kerr's MLSS in today's data models.
    
    And Bill, I was not slamming you for what you trained the 3000 cops to look
    for, it's just that this world is moving so fast that 1 training is not
    enough. Especially as better Forensic and Audit Processes emerge.
    
    ----- Original Message -----
    From: "Tina Bird" <tbird@precision-guesswork.com>
    To: "todd glassey" <todd.glasseyat_private>
    Cc: "Bill Spernow" <bill.spernowat_private>; "'jamie rishaw'"
    <jrishawat_private>; "'Log Analysis Mailing List'"
    <loganalysisat_private>
    Sent: Tuesday, December 18, 2001 3:24 PM
    Subject: Re: [logs] Data for Court
    
    
    > Actually, Todd, I read the report a little differently.  Since
    > we're getting into this level of depth anyhow, what Kerr says
    > is that there's really three broad categories of "computer
    > data":
    
    Kerr may be stoned and looking at the world from the Mainframe and Appliance
    perspective, and these don't exist really. So the report was obviously wrong -
    the physics dictate it. Read on about the flaw in how you would prove the
    content of the report.
    
    >
    > 1) Data that was created by a human and is stored on a computer,
    > which is subject to the same conditions of evidence as any other
    > human communication (that is, the hearsay issues -- was the
    > human an expert authority, was the comment reported accurately,
    > etc.)
    
    Is this to be data created with direct human User Interaction? OK. Then this
    is the case where there is human interaction in the collection or processing
    of the data.
    
    >
    > 2) Data that is generated by a computer, stored on a computer,
    > and is not touched by human hands -- this is subject to legal
    > questions about whether or not the program was running correctly,
    > but is >not< hearsay and is not subject to any of the case
    > law around human statements
    
    You mean DATA generated by an application, an application written by humans
    and running on this system.  Computers don't generate anything other than
    heat and noise. And there are two issues to prove here. The first is what
    that particular program does when it runs correctly and the second is that
    it was running correctly at the time the audit snapshot was taken.
    
    As to the legal standing of this as hearsay - I personally volunteer to go
    before any court and explain why all computer generated reports or logs
    today without embedded IDS and other integrity checkpoints should be
    automatically considered hearsay until otherwise qualified. What the
    computer world offers that the Human World doesn't is that real computer
    testimony could be qualified as being beyond hearsay but human testimony
    can't.
    
    
    >
    > 3) Data that contains both human-generated and machine-generated
    > values, such as spreadsheets -- which is much more complicated,
    > big surprise, and is subject to all sets of conditions.
    
    I don't mean to be obtuse, but Kerr never thought this: it's clearly the same
    as example #1, whether it happens in a distributed environment or not.
    
    The key issue Kerr failed to address is how to keep the Humans out of all of
    the data - and how to prove that the data is pristine and untouched - i.e.
    by Systems Admins and the like. So in fact there is only one type of digital
    data at this point and what made it is irrelevant. Sometime in the future,
    when there are provably ***NO HUMANS*** in the data collections or the
    operations of the systems, then there might be multiple forms of, or levels
    of, computer data.
    
    Further, with all the "uncertainty" behind TCP/IP (esp. IPv4) based spoofing
    and the gross failure of Ethernet to do anything like being able to assure
    where and when certain datagrams enter or exit a systems farm, there is
    equally more uncertainty in anything that happens in distributed networking.
    
    >
    > There's nothing I read in Kerr's report that suggests that
    > purely machine generated data ever qualifies as hearsay,
    > whether or not someone is challenging their authenticity or
    > integrity.
    >
    > I would also argue that most courts don't have staff
    > biochemists who are capable of assessing the quality of a
    > DNA test, but that's why we have expert witnesses.
    >
    > t.
    >
    > Where did ThunderGal come from, anyhow?
    
    From your nickname "TBird" - There is an old Indian legend about the
    Thunder Goddess bringing truth and light to the world.
    
    >
    > On Tue, 18 Dec 2001, todd glassey wrote:
    >
    > > Bill - I disagree with much of what you said and I have no doubt that
    > > you have trained the 3000 law enforcement folks that you claim to have,
    > > I have run into a number of them I think in other workshops - but I
    > > gotta tell you that I think what you trained them in was wrong.
    > >
    > > Thanks Tina for the pointer
    > > http://www.usdoj.gov/criminal/cybercrime/usamarch2001_4.htm - in the
    > > first portion of the paragraph we have a statement of admissibility -
    > > unfortunately it also requires the Court to make a finding of
    > > competence in the capture and maintenance of the log data.
    > >   Records of regularly conducted activity. A memorandum, report,
    > > record, or data compilation, in any form, of acts, events, conditions,
    > > opinions, or diagnoses, made at or near the time by, or from information
    > > transmitted by, a person with knowledge, if kept in the course of a
    > > regularly conducted business activity, and if it was the regular
    > > practice of that business activity to make the memorandum, report,
    > > record, or data compilation, all as shown by the testimony of the
    > > custodian or other qualified witness, unless the source of information
    > > or the method or circumstances of preparation indicate lack of
    > > trustworthiness.
    > >
    > >   (BTW - who makes this analysis as to what is trustable - most Courts
    > > have no forensics people competent to do this.)
    > >
    > >   The term "business" as used in this paragraph includes business,
    > > institution, association, profession, occupation, and calling of every
    > > kind, whether or not conducted for profit.
    > >
    > > See, e.g., United States v. Cestnik, 36 F.3d 904, 909-10 (10th Cir.
    > > 1994); United States v. Moore, 923 F.2d 910, 914 (1st Cir. 1991);
    > > United States v. Briscoe, 896 F.2d 1476, 1494 (7th Cir. 1990); United
    > > States v. Catabran, 836 F.2d 453, 457 (9th Cir. 1988); Capital Marine
    > > Supply v. M/V Roland Thomas II, 719 F.2d 104, 106 (5th Cir. 1983).
    > >
    > > Applying this test, the courts have indicated that computer records
    > > generally can be admitted as business records if they were kept
    > > pursuant to a routine procedure for motives that tend to assure their
    > > accuracy.
    > >
    > > AND OTHERWISE THEY ARE HEARSAY since there is no other way to admit
    > > them. However most courts would just say that they are inadmissible.
    
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
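The "integrity checkpoints" and the "pristine and untouched" question raised in the message above are the part of this debate that can actually be engineered. The block below is an added example, not code from this thread, from the Kerr report or from any product mentioned in it: a hash-chained, HMAC-sealed log in which every entry binds its sequence number and the previous entry's tag, plus a checkpoint (entry count and final tag) published out-of-band, which catches tail truncation that a chain alone cannot see. The key value, the four syslog-style lines and the four tamper scenarios in `demo()` are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key. Hypothetical deployment note: the key belongs with the
# log custodian (or an HSM), not on the host that writes the log, so an admin
# with root on that host cannot alter a record and quietly re-seal the chain.
DEMO_KEY = b"constructed-demo-key-do-not-use"

GENESIS = "0" * 64  # "previous tag" anchor for the first record


def _tag(key, seq, prev_tag, record):
    """HMAC-SHA256 over sequence number, previous tag and record text."""
    msg = f"{seq}|{prev_tag}|{record}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal_records(records, key=DEMO_KEY):
    """Turn plain log lines into a hash-chained, keyed sequence of entries."""
    sealed = []
    prev_tag = GENESIS
    for seq, record in enumerate(records):
        tag = _tag(key, seq, prev_tag, record)
        sealed.append({"seq": seq, "prev": prev_tag, "record": record, "tag": tag})
        prev_tag = tag
    return sealed


def checkpoint(sealed):
    """Summary to publish out-of-band: number of entries and the final tag."""
    if not sealed:
        return (0, GENESIS)
    return (len(sealed), sealed[-1]["tag"])


def verify_chain(sealed, key=DEMO_KEY):
    """Walk the chain; return (True, None) or (False, index of first bad entry).
    Catches edits, reordering, deletion and insertion anywhere in the body."""
    prev_tag = GENESIS
    for idx, entry in enumerate(sealed):
        if entry["seq"] != idx or entry["prev"] != prev_tag:
            return False, idx
        expected = _tag(key, idx, prev_tag, entry["record"])
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, idx
        prev_tag = entry["tag"]
    return True, None


def verify_against_checkpoint(sealed, published, key=DEMO_KEY):
    """Chain check plus comparison with the published checkpoint.
    A chain by itself cannot tell that its tail was cut off; the checkpoint can."""
    ok, bad = verify_chain(sealed, key)
    if not ok:
        return False, f"chain broken at entry {bad}"
    if checkpoint(sealed) != published:
        return False, "log does not match published checkpoint (truncated or re-sealed)"
    return True, "ok"


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    "Dec 18 15:01:02 host1 sshd[412]: Accepted publickey for alice from 10.0.0.5",
    "Dec 18 15:03:44 host1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "Dec 18 15:04:10 host1 sshd[412]: Disconnected from 10.0.0.5",
    "Dec 18 15:10:00 host1 cron[900]: (root) CMD (/usr/local/bin/backup.sh)",
]


def demo():
    """Seal the sample log, then show which tamper cases each check catches."""
    sealed = seal_records(SAMPLE_LOG)
    published = checkpoint(sealed)

    # 1. Untouched log verifies against both the chain and the checkpoint.
    assert verify_against_checkpoint(sealed, published)[0]

    # 2. The sudo line is rewritten after the fact: the tag no longer matches.
    edited = [dict(e) for e in sealed]
    edited[1]["record"] = edited[1]["record"].replace("/etc/shadow", "/etc/motd")
    assert verify_chain(edited) == (False, 1)

    # 3. The sudo line is removed outright: sequence and prev-tag linkage break.
    deleted = sealed[:1] + sealed[2:]
    assert verify_chain(deleted) == (False, 1)

    # 4. The last entry is dropped: the chain still verifies, the checkpoint does not.
    truncated = sealed[:-1]
    assert verify_chain(truncated) == (True, None)
    assert not verify_against_checkpoint(truncated, published)[0]
    return "all tamper cases detected"


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind when reading this against the thread. An HMAC can only be checked by whoever holds the key, so what you would hand to a third party is a digital signature or a trusted timestamp over each checkpoint rather than the HMAC itself; the chaining logic is the same either way. And the chain establishes only that nothing changed after sealing; it says nothing about whether the program that emitted the records was running correctly at the time, which is the second of the two issues the message above says must be proven.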
    



    This archive was generated by hypermail 2b30 : Wed Dec 19 2001 - 07:39:59 PST