Re: [logs] Log archival

From: Orin Kerr (okerrat_private)
Date: Thu Dec 12 2002 - 16:47:57 PST

Hey, glad you like the piece I wrote.

A few thoughts. First, if the question is what strategy a lawyer should take to try to make sure logs etc. are admitted, a good strategy in federal court is first to try to have the records admitted under the business records exception. In my experience, judges just expect it, and as long as no one makes a fuss, they'll admit the records. Practically speaking, you just want the records *in*, and you don't care what theory a judge buys as to why it should be admitted. If the court wants to admit the records under the business records exception, then by all means, let them.

The only problem comes up when records are not kept "in the course of a regularly conducted business activity." Example: sysadmin sees an intrusion and uses some commands to generate logs about the intrusion. The sysadmin has never actually used the commands before -- for some reason, the particular logging is unusual.

Now imagine that the government (in a criminal case) or the victim (in a civil case) offers the logs as evidence in court. If the logs are offered under the business records exception, the defense can counter that the logs were not kept in the ordinary course of business, and should be ruled inadmissible. "Your honor," he will say, "this logging had never been performed before, and it was not the ordinary practice of the victim to keep such logs." In such a case, the court could rule that the evidence could *not* be admitted under the business records exception.

The trouble is, there's absolutely no reason why whether computer logs are kept in the ordinary course of business should matter to their admissibility. In the hearsay context, the "ordinary course of business" helps assure that the person who took the records wasn't fudging to produce a record that could help the party offering the document. People have an incentive to play it straight when they keep the records in the "ordinary course of business." However, computers don't fudge -- unlike people, they just do whatever they're instructed to do. So a function that is used correctly should produce accurate results. What matters is whether the function works, and was used correctly, not whether it was used in the ordinary course of business. As I see it, these are questions of authentication, not hearsay.

Here's a practical approach: when you want a court to admit documents that are in fact kept in the ordinary course of business, try to admit them as business records. When not, try to admit them as business records, but then be ready to argue that actually there's no hearsay at all, and that the proper question is authenticity, not hearsay.

Orin

Orin S. Kerr
Associate Professor
George Washington University Law School
okerrat_private