On Wed, 11 Dec 2002, Tom Perrine wrote:

> [Hey! Erin! Where are you?]
>
> System logs are "hearsay" which is admitted under the "business
> records exception". So there is at least a well-understood legal
> method to get them in. But, once you've got the logs in evidence,
> THEN the fun begins. That's where each side's expert witnesses
> display dueling interpretations of what the logs actually mean.

The article Tina references[1] squares with my understanding of the rules. I use "machine record" in place of "computer-generated" simply because it's the way the subject has usually been presented to me (and now that I think about it, 'machine record' is how I'd describe it if I had to testify, because I think it's better language.)

The "interesting" part is excerpted here:

--------------------------------------------------------------------------
B. Hearsay

When a computer record contains only computer-generated data untouched by human hands, however, the record cannot contain hearsay. In such cases, the government must establish the authenticity of the record, but does not need to establish that a hearsay exception applies for the records to be admissible.
-------------------------------------------------------------------------

This, I think, is the part that applies directly to the things which usually flow through syslogd. My non-lawyerly interpretation of this is "machine records beat business records" in terms of easy admissibility (without the question of "do I have to generate reports, or is the storage of the data good enough for 'compilation?'").

[snip]

> In general, the original disks often get introduced into evidence.

In the case of disks which are from attacked systems, yes.

In the case of log files, most times it's a printout of the logs, but reading the article Tina references, it seems to me that we may be on shaky ground if we're producing printouts from a copy of a log. I'm really interested in what any of the lawyers think about the log file transferred (copied) to an admin's machine for analysis and subsequent reporting versus the same log on the original logging machine (this is especially true of phone switch records, where imaging the switch is generally not acceptable.)

> Not so often for cases where logs are the primary evidence, but in
> *lots* of cases. In general, IIRC, the prosecution typically makes
> one or more copies for its analysis, will provide copies to the
> defense under discovery, but the original disks get admitted into
> evidence, with both sides stipulating that they accept that their
> copies are "true" and acceptable for their analysis purposes.

While I've recently begun asking folks to pull the disks out of their primary log servers with the intent of imaging those, I'm interested in what the lawyers have to say about it. Most places of any size haven't engineered well for log server downtime during significant attacks, which may make evidence collection "interesting" if a point incident becomes part of a larger-scale or longer-run attack (especially coordinated internal/external ones.) 6 hours of log server downtime to image the drive might just be too long...

It certainly makes for an interesting argument for hot-swappable mirrored drives for syslog servers.

Paul

[1] http://www.usdoj.gov/criminal/cybercrime/usamarch2001_4.htm

[Just to make sure it's in my inbox, outbox and bookmarks because I *know* I'll want to use it again, and it'll make the archives more useful.]

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
probertsat_private     which may have no basis whatsoever in fact."
probertsonat_private   Director of Risk Assessment
                       TruSecure Corporation
This archive was generated by hypermail 2b30 : Thu Dec 12 2002 - 09:06:25 PST