On Wed, 11 Dec 2002, Marcus J. Ranum wrote:

> >My current thoughts are :
> > * they should be archived to tamper proof (write once) media, such as CD-
> >or DVD-R.
>
> Could anyone on the list comment about the feasibility/forensic
> value of storing logs on spinning media and just burning complete
> archives of checksums to CDs and storing the digital signatures
> away? Paul?

Imagine 12 of the silliest people you've ever worked with trying to understand that the checksums represent the data- think OJ and DNA if you don't consider this an issue.

If it's _just_ the checksum you're left with, then you're working with an artifact of a machine record (in U.S. Law, a machine record is relatively easy to get introduced as evidence,) so there's not a huge stretch between 200 means "Page sent" in the logs and aa65d53121c7d135ce2f10c39a686385 means "127.0.0.1 - - [11/Dec/2002:16:09:53 -0500] "GET /~paul/good/pnut-fence.jpg HTTP/1.0" 200 182848" in terms of logic, but there may be in terms of getting a win in court. That said, it *may* give you enough for a plea agreement if you've got other good stuff to use- assuming you can reconstruct the logs from the disk- which is likely in most of the cases I've done.

However, it's *much* easier to explain to a jury of laypeople that "200" is the Web server's shorthand for "I delivered the page requested" and "that bunch of numbers and letters is the equiv. of exactly this log entry, assuming that the math works thusly...."

> It strikes me that a few hundred gigs of logs is about $255.00
> worth of storage.

I have 2 of those in my home MP3 server. ;)

> But you can store a LOT of checksums on a CD-R. ;) Indeed, if
> you're using a CD-R that allows write-updates, you'd be able
> to incrementally add and I don't think it'd be arguable that
> you'd be able to erase 'em later.

Overall, I think we've been pretty lucky to get *copies of logs* introduced into evidence rather than only the original disks.
I'm not sure that the legal system is quite ready to have a checksum as the only thing introduced. Checksums are fairly widely recognized, and it's pretty easy to make the case that collisions for a file sized object are fairly difficult to represent and will introduce a much, much different object. I'm not sure that single log lines make for as easy an explanation.

If you're talking about introducing both the original media *and* the checksums into evidence- say checksumming as a checkpoint operation, then I think you have a stronger case. In that case, I think you're not too bad off- you've got the real logs to present (as a machine record of the event,) and you've got a reliable write-once audit trail of that record to provide a tamper-evident "proof" that the logs haven't been altered by either the attacker or whoever was the custodian of the evidence prior to its submission to the court.

Multi-session CDs should be fine, and actually rewritable media won't kill your case, it'd just give a clueful defense attorney a slim chance to sow the seeds of doubt. Most times that means you've done something else silly-- on its own, it shouldn't be a cratering event[1].

A lot of precedent has been established with MD5 and SHA1 sums of files, disks and logs showing that "this is equal to that." If you're gonna checksum, you probably really want to start thinking SHA1 and MD5 at this point because NIST is starting to roll to SHA1 for things, and that'll make it the most likely winner in the precedent war overall (and SHA1 hasn't seen the collision worries that MD5 has yet,) but MD5 is widely used now, so doing both (despite the time delta) is probably the way to go for the next year or two.

HTH,

Paul

[1] I'm still not a lawyer, I still don't play one on the 'Net, but I deal with them often enough in cases that I think I've got a good feel for things in the US, and a slight feel for them in some other parts of the world.
-----------------------------------------------------------------------------
Paul D. Robertson            "My statements in this message are personal opinions
probertsat_private            which may have no basis whatsoever in fact."
probertsonat_private
Director of Risk Assessment
TruSecure Corporation
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
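A minimal version of the checkpoint-and-verify scheme discussed above, as an added example that is not from the original post: it records MD5 and SHA-1 sums of a log file into a small manifest (the artifact you would burn to write-once media while the logs stay on spinning disk) and later recomputes them to show whether the logs have been altered. The log lines, file names and the `run_demo` helper are constructed for the example.

```python
import hashlib
import os
import tempfile

# Constructed sample access-log lines; the first mirrors the entry quoted in the post.
SAMPLE_LOG = (
    '127.0.0.1 - - [11/Dec/2002:16:09:53 -0500] "GET /~paul/good/pnut-fence.jpg HTTP/1.0" 200 182848\n'
    '10.0.0.5 - - [11/Dec/2002:16:10:02 -0500] "GET /index.html HTTP/1.0" 200 1043\n'
)

def digest_file(path, algos=("md5", "sha1")):
    """Return {algo: hexdigest}, reading in 64 KiB chunks so multi-gigabyte logs fit."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}

def checkpoint(log_path, manifest_path):
    """Append 'algo hex size name' lines; the manifest is what goes to write-once media."""
    sums, size, name = digest_file(log_path), os.path.getsize(log_path), os.path.basename(log_path)
    with open(manifest_path, "a") as mf:
        for algo, hexdigest in sums.items():
            mf.write(f"{algo} {hexdigest} {size} {name}\n")
    return sums

def verify(log_path, manifest_path):
    """Recompute sums against each manifest entry for this file -> (ok, failed_algos)."""
    current, size = digest_file(log_path), os.path.getsize(log_path)
    failed = []
    with open(manifest_path) as mf:
        for line in mf:
            algo, hexdigest, rec_size, name = line.split()
            if name == os.path.basename(log_path) and (int(rec_size) != size or current.get(algo) != hexdigest):
                failed.append(algo)
    return (not failed, failed)

def run_demo():
    """Checkpoint the sample log, verify, then flip one status code and verify again."""
    workdir = tempfile.mkdtemp()
    log, manifest = os.path.join(workdir, "access.log"), os.path.join(workdir, "sums.txt")
    with open(log, "w") as fh:
        fh.write(SAMPLE_LOG)
    sums = checkpoint(log, manifest)
    before = verify(log, manifest)
    with open(log, "w") as fh:  # the tampering: second line's 200 becomes 404, same length
        fh.write(SAMPLE_LOG.replace(" 200 1043", " 404 1043"))
    return {"sums": sums, "before": before, "after": verify(log, manifest)}
```

The digest list follows the post's 2002 advice to do both; the same `algos` parameter takes `"sha256"` today, since MD5 and SHA-1 have both had practical collisions since then.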