>>>>> On Thu, 12 Dec 2002 18:47:57 -0600, "Orin Kerr" <okerrat_private> said:

OK> The only problem comes up when records are
OK> not kept "in the course of a regularly conducted
OK> business activity." Example: sysadmin sees an
OK> intrusion and uses some commands to generate
OK> logs about the intrusion. The sysadmin has
OK> never actually used the commands before-- for
OK> some reason, the particular logging is unusual.

This has implications for systems that want to detect that "something happened" and have that automatically adjust the log level, or what is being logged. This would be an automated process creating a logging "profile" that might never have existed before. This has implications for all kinds of intrusion detection systems that incorporate active response to adjust monitoring criteria.

OK> Now imagine that the government (in a criminal
OK> case) or the victim (in a civil case) offers the logs
OK> as evidence in court. If the logs are offered
OK> under the business records exception, the
OK> defense can counter that the logs were not kept
OK> in the ordinary course of business, and should be
OK> ruled inadmissible. "Your honor," he will say, "this
OK> logging had never been performed before, and it
OK> was not the ordinary practice of the victim to keep
OK> such logs." In such a case, the court could rule
OK> that the evidence could *not* be admitted under
OK> the business records exception.

Aha, that's the piece that was stuck in my mind. "In the ordinary course of business".

OK, I've kept *every single log record* for every UNIX machine we own, since December 1996. 3.4 Billion of 'em. We keep complete, unfiltered logs in the normal course of business. Forever. In the hopes that if we ever really need them, they'll be admissible, hopefully the "easy way". If not, that's what *our* lawyers are for, and why we want to make sure that "our" lawyers are comfortable with digital evidence...

--
Tom E. Perrine <tepat_private> | San Diego Supercomputer Center
http://www.sdsc.edu/~tep/ |
This archive was generated by hypermail 2b30 : Thu Dec 12 2002 - 16:21:42 PST