>>>>> On Wed, 11 Dec 2002 17:42:56 -0500 (EST), "Paul D. Robertson" <probertsat_private> said:

PDR> If it's _just_ the checksum you're left with, then you're working with an
PDR> artifact of a machine record (in U.S. Law, a machine record is relatively
PDR> easy to get introduced as evidence,) so there's not a huge stretch between
PDR> 200 means "Page sent" in the logs and aa65d53121c7d135ce2f10c39a686385
PDR> means "127.0.0.1 - - [11/Dec/2002:16:09:53 -0500] "GET /~paul/good/pnut-fence.jpg HTTP/1.0" 200
PDR> 182848" in terms of logic, but there may be in terms of getting a win in
PDR> court. That said, it *may* give you enough for a plea agreement if you've
PDR> got other good stuff to use- assuming you can reconstruct the logs from
PDR> the disk- which is likely in most of the cases I've done.

[Hey! Erin! Where are you?]

System logs are "hearsay" which is admitted under the "business records exception". So there is at least a well-understood legal method to get them in.

But, once you've got the logs in evidence, THEN the fun begins. That's where each side's expert witnesses display dueling interpretations of what the logs actually mean.

From the defense side, there are several ways to attack logs as evidence:

1) inadmissible on legal technical grounds - e.g. improperly gathered, stored, should have had a different kind of court order than was used, etc.
2) logs are incorrect, due to being incomplete, or through system failure
3) logs are incorrect, due to malicious activity of government, system admin, etc
4) logs are incorrect, due to malicious or inadvertent activity of "person or persons unknown"
5) logs are correct, but interpretation by prosecution's expert witness is incorrect
6) ...

It's all about getting to "reasonable doubt".

<...>

PDR> Overall, I think we've been pretty lucky to get *copies of logs*
PDR> introduced into evidence rather than only the original disks. I'm not
PDR> sure that the legal system is quite ready to have a checksum as the only
PDR> thing introduced. Checksums are fairly widely recognized, and it's pretty
PDR> easy to make the case that collisions for a file sized object are fairly
PDR> difficult to represent and will introduce a much, much different object.
PDR> I'm not sure that single log lines make for as easy an explanation.

In general, the original disks often get introduced into evidence. Not so often for cases where logs are the primary evidence, but in *lots* of cases. In general, IIRC, the prosecution typically makes one or more copies for its analysis, will provide copies to the defense under discovery, but the original disks get admitted into evidence, with both sides stipulating that they accept that their copies are "true" and acceptable for their analysis purposes.

I'm not a lawyer either, and I'm hoping that Erin (CC'ed) will step in and set us both straight.

--tep

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
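The "retained checksum versus logs reconstructed from the disk" situation in the exchange above, as an added example that is not from this thread or its authors: a per-entry digest ledger kept off-box is compared against entries later recovered from disk, reporting what verifies, which ledger digests have no matching entry (lost or altered), and which recovered lines match nothing (altered or added). SHA-256 is my choice rather than the 128-bit digest quoted above, and the log entries are constructed in the style of the line Paul quoted.

```python
import hashlib

# Constructed sample entries, modelled on the Apache-style line quoted in the
# thread. The ledger digests are computed here, not taken from the thread.
ORIGINAL_ENTRIES = [
    '127.0.0.1 - - [11/Dec/2002:16:09:53 -0500] "GET /~paul/good/pnut-fence.jpg HTTP/1.0" 200 182848',
    '127.0.0.1 - - [11/Dec/2002:16:10:02 -0500] "GET /~paul/index.html HTTP/1.0" 200 4096',
    '127.0.0.1 - - [11/Dec/2002:16:10:07 -0500] "GET /~paul/missing.gif HTTP/1.0" 404 291',
]


def entry_digest(line: str) -> str:
    """Hex SHA-256 of one log entry over its exact bytes, line ending stripped."""
    return hashlib.sha256(line.rstrip("\r\n").encode("utf-8")).hexdigest()


def build_ledger(entries):
    """The per-entry digests an admin would retain separately from the log itself."""
    return [entry_digest(e) for e in entries]


def verify_recovered(ledger, recovered):
    """Compare retained digests with entries recovered from disk.

    Returns (verified, unmatched_digests, unmatched_entries). A digest alone only
    shows that some entry existed; the recovered text is what says what it said.
    """
    recovered_by_digest = {entry_digest(e): e for e in recovered}
    ledger_set = set(ledger)
    verified = [recovered_by_digest[d] for d in ledger if d in recovered_by_digest]
    unmatched_digests = [d for d in ledger if d not in recovered_by_digest]
    unmatched_entries = [e for d, e in recovered_by_digest.items() if d not in ledger_set]
    return verified, unmatched_digests, unmatched_entries


def demo():
    """Recovered log: first entry intact, second entry's status changed, third entry gone."""
    ledger = build_ledger(ORIGINAL_ENTRIES)
    recovered = [
        ORIGINAL_ENTRIES[0],
        ORIGINAL_ENTRIES[1].replace('" 200 ', '" 403 '),  # single-field alteration
    ]
    return verify_recovered(ledger, recovered)


if __name__ == "__main__":
    verified, lost, unknown = demo()
    print(f"{len(verified)} verified, {len(lost)} ledger digests unmatched, "
          f"{len(unknown)} recovered entries unmatched")
```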
This archive was generated by hypermail 2b30 : Wed Dec 11 2002 - 22:53:33 PST