RE: [logs] Log archival

From: Paul D. Robertson (probertsat_private)
Date: Wed Dec 11 2002 - 15:05:36 PST


    On Wed, 11 Dec 2002, Rainer Gerhards wrote:
    
    > However, I wonder if MD5 will actually help in court as long it is not
    > protected inside a crypt sig - somebody out there with an opinion on
    > this?
    
    It's already used quite extensively in presenting the analysis of digital 
    evidence.  Both EnCase (probably the most widely used forensics tool on 
    the planet) and the Data<something> tool that's its main competition MD5 
    disks upon acquisition.  Also, most of us using these tools use the NIST 
    standard database (I think it's special database #5- I can check if it's 
    important) along with other sources to compare the MD5 of known-good 
    binaries to weed out things we shouldn't have to search through.  Since 
    that's pretty standard for the industry as a whole[1] I think you'll find 
    that the courts are reasonably happy with our use of MD5- but it really 
    hasn't been seriously challenged as far as I can tell.
    
    So, I think "hold up in court" depends mostly upon usage (HMAC certainly 
    doesn't hurt things)-  but we've been establishing a fair amount of 
    precedent in using MD5 for evidence presented in court over the last few 
    years, and it's accepted pretty well for where it's used by both sides.  
    
    One of the things that's important to understand is that things don't have 
    to be *perfect* to hold up, they just have to be *good enough*.  The 
    difference between good dental plaster for casting footprints and a 
    tracing doesn't make one not admissible, but when the forensic technicians 
    in the field all use one method, you have to be prepared to say why you're 
    using a different one.  Photographic "evidence" has been accepted in court 
    cases for decades- despite the ease of tampering anyone who owns a 
    darkroom knows is possible.  
    
    Probably the worst scenario with MD5 would be the defense challenging it 
    and the prosecution's expert witness actually being able to explain the 
    math, and doing so ;)
    
    If I can show that the process that creates the checksum's integrity was 
    good, and I can show the data and the checksum match, then it can only 
    help.  If the process which created it is suspect, then perhaps it doesn't 
    help- but it can't really hurt your case except in the noted instance 
    where someone tries to explain to a jury how it works ;)
    
    Also, understand that in the majority of cases, you want to present strong 
    enough evidence that the guilty party pleads out.  Checksums are sure to 
    help with that.
    
    Paul
    [1] Industry being both private firms that do computer forensics (their 
    own, or for others) as well as law enforcement.
    -----------------------------------------------------------------------------
    Paul D. Robertson      "My statements in this message are personal opinions
    probertsat_private      which may have no basis whatsoever in fact."
    probertsonat_private Director of Risk Assessment TruSecure Corporation
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
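As an added example (not part of Paul's message or the list thread), the distinction the quoted question draws between a bare MD5 checksum and a hash "protected inside a crypt sig" can be shown in a few lines of Python: a bare digest stored beside the archive verifies any archive it was recomputed for, while a keyed HMAC only verifies if the key holder computed it. The log fragment and the key are constructed for the demonstration.

```python
"""Added example, not from the original message: bare MD5 of an archived log
versus a keyed HMAC over the same bytes, showing why the integrity of the
process that produced the checksum matters as much as the checksum itself."""
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed sample: a small archived syslog chunk (not real log data).
ARCHIVED_LOG = b"\n".join([
    b"Dec 11 15:01:02 host sshd[1234]: Accepted publickey for alice from 10.0.0.5",
    b"Dec 11 15:03:17 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    b"Dec 11 15:05:36 host sshd[1234]: Disconnected from 10.0.0.5",
]) + b"\n"

# Constructed (hypothetical) archival key; in practice it is held off the archive host.
ARCHIVE_KEY = b"constructed-demo-key-do-not-reuse"


def md5_digest(data: bytes) -> str:
    """Bare MD5 of the archive, as forensic tools record it at acquisition."""
    return hashlib.md5(data).hexdigest()


def hmac_tag(data: bytes, key: bytes) -> str:
    """Keyed digest: reproducing it needs the key, not just the archive bytes."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_md5(data: bytes, recorded: str) -> bool:
    return hmac.compare_digest(md5_digest(data), recorded)


def verify_hmac(data: bytes, key: bytes, recorded: str) -> bool:
    return hmac.compare_digest(hmac_tag(data, key), recorded)


def edit_and_refresh_md5(data: bytes) -> Tuple[bytes, str]:
    """Model the weak case the thread worries about: archive and bare digest
    sit together, so whoever edits the archive can store a fresh MD5 beside it."""
    edited = data.replace(b"/etc/shadow", b"/etc/motd")
    return edited, md5_digest(edited)


def integrity_report(data: bytes, key: bytes, recorded_md5: str,
                     recorded_hmac: str) -> Dict[str, bool]:
    """What a verifier can and cannot conclude from each kind of record."""
    return {
        "md5_matches": verify_md5(data, recorded_md5),
        "hmac_matches": verify_hmac(data, key, recorded_hmac),
    }
```

Run against the constructed sample, the edited archive passes the refreshed MD5 check but fails the HMAC check, because the HMAC recorded at archival time cannot be regenerated for the edited bytes without the key.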
    



    This archive was generated by hypermail 2b30 : Wed Dec 11 2002 - 16:35:36 PST