Re: [logs] Log archival

From: erinat_private
Date: Thu Dec 12 2002 - 10:49:17 PST


    At 11:04 PM 12/11/2002 , Tina Bird wrote:
    ><much discussion cut for brevity, not for lack of interest>
    >
    >On Wed, 11 Dec 2002, Tom Perrine wrote:
    >
    > > [Hey!  Erin!  Where are you?]
    > >
    >Okay, Tom, you include your local lawyer, I'll include mine ;-), who
    >authored my favorite discussion of the use of computer data in court.
    >Group, meet Professor Orin Kerr.
    
    Okay, I'm stepping up to the chopping block..........
    
    First off, this is a great thread and rather than pull a 
    point-counterpoint, I'd suggest referencing an article I wrote that deals 
    with the subject: 
    http://www.vjolt.net/vol6/issue3/v6i3-a13-Kenneally.html  (III.B.2., most 
    notably).
    
    As for Professor Kerr's article, I read it when it first came out and it is 
    indeed an extremely insightful article......
    
    I'll try to address some of the issues/questions by reiterating some of 
    what I put forth in the aforementioned article as it pertains to judicial 
    approaches to reconciling the reliability of digital evidence (logs, in 
    this case) and the problem with hearsay and the business records exception 
    to digital evidence (logs, specifically):
    
    The threshold for authenticating computer-derived evidence is ambiguous and 
    largely only superficially addressed by some courts. Some recommend a 
    higher standard than that applied to photographs, whereas others give 
    judicial notice to the authenticity of computer-derived evidence under 
    F.R.E. 901(b)(9), which governs authentication of evidence describing a 
    process or system.
    
    To date, much computer-derived data have gained admission upon a 
    foundational showing that the computer process or system produces accurate 
    results when used and operated properly and that it was so employed when 
    the evidence was generated. Federal Rule of Evidence 901 affords a 
    presumption of authenticity to evidence such as x-rays, photographs, tape 
    recordings, computer-generated records or scientific surveys produced by an 
    automated process that is shown to render accurate results.  This 
    presumption of reliability has been commonly extended to software 
    performing data storage, collection or retrieval functions.
    
    Consequently, a majority of the cases considering the admissibility of such 
    evidence have done so in the context of computerized business records that 
    are maintained or prepared by electronic computing equipment.
    
    I advocate, however, that it is dangerous to immunize certain computer 
    records from the hearsay rule by likening them to the product of a 
    mechanical process that cannot produce hearsay. It would be persuasive to 
    argue that computer logs, for example, are merely the "tangible result of 
    the computer's internal operations" that do not rely on human observations 
    or reports, and are made contemporaneously with the capturing of data.
    
    Another standard to which courts have subjected computer-derived evidence 
    is the evidentiary prohibition against hearsay.  It is generally accepted 
    that computer programs violate the hearsay rule because they contain 
    out-of-court statements by declarants (computer operators, programmers, 
    data entry personnel) and are offered to prove the truth of the matter 
    asserted. Nonetheless, federal courts have applied the business records 
    exception (F.R.E. 803(6)) to a wide variety of computer-based information 
    and there is an abundance of case law allowing the introduction of 
    computer-based records under this exception.
    
    Alternatively, proponents of computer-derived evidence have bypassed 
    hearsay exception hurdles by convincing the court that such evidence 
    constitutes a product of a device performing pre-programmed tasks on 
    admissible data input, as with a radar gun or a calculator.  Computerized 
    printouts of phone traces, for example, were not hearsay in one case 
    because they did not rely on the assistance, observations, or reports of a 
    human declarant; the report of phone traces was contemporaneous with the 
    placement of the calls; and the printouts were "merely the tangible result 
    of the computer's internal operations."
    
    As with authentication and F.R.E. 702 (reliability) standards, the depth of 
    inquiry and threshold of proof needed to establish computer-derived 
    evidence as a business record are not always clear. One of the earlier 
    cases to address this issue, for example, held computer records 
    inadmissible as business records because of an insufficient foundation. The 
    testimony of a record keeper for the telephone company was insufficient to 
    establish a proper foundation of "trouble recorder cards" at issue because 
    no complete and comprehensive explanation of either their method of 
    preparation or their meaning was provided. This was despite the facts that 
    the witness testified to having direct supervision and control of all the 
    company's records, and that the cards were business records made in the 
    ordinary course of business at or about the times and dates indicated on 
    the cards.
    
    Unlike phone trace records and calculators, however, the software producing 
    logs (and log data) is programmed to capture and process data deemed to be 
    relevant to its programmed function from many computers over a network. 
    Questions about how complete the data capture is and how the logging 
    software decides what should be captured and processed can only be answered by 
    examining the underlying source. To admit such evidence without uncovering 
    the assumptions that underlie its function would invite the resolution of 
    claims based on less than a modicum of reliable evidence.
    
    As for applying these legal standards and principles to the myriad of 
    digital scenarios, somehow I trust that there will be no shortage of issues 
    raised by this group ... looking forward to the dialogue.......
    
    Erin
    
    Erin Kenneally, M.F.S., J.D.
    Forensic Analyst
    University of California San Diego
    San Diego Supercomputer Center
    Pacific Institute for Computer Security
    9500 Gilman Dr., La Jolla, CA 92093-0505
    Phone: (858) 822-0991
    http://security.sdsc.edu
    Fax: (858) 534-5077
    
    
    >Orin, we're having a little chat about using computer logs in court.
    >
    > > System logs are "hearsay" which is admitted under the "business
    > > records exception".  So there is at least a well-understood legal
    > > method to get them in.  But, once you've got the logs in evidence,
    > > THEN the fun begins.  That's where each side's expert witnesses
    > > display dueling interpretations of what the logs actually mean.
    > >
    >http://www.usdoj.gov/criminal/cybercrime/usamarch2001_4.htm
    >
    >"Computer Records and the Federal Rules of Evidence"
    >
    >in which Orin differentiates computer data consisting of stuff that humans
    >composed that happens to be stored on computers, from computer data
    >generated without human intervention (after the program was written).  he
    >discusses the whole hearsay argument; we've discussed it on the list
    >before, and i'm a little too backed up at the moment to recount it.  but
    >the article is >>fabulous<< and i heartily recommend it to anyone who's
    >interested in the case law regarding those annoying little bits of data
    >that we all know and love.
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    
    This archive was generated by hypermail 2b30 : Thu Dec 12 2002 - 11:44:30 PST