Re: [logs] Log archival

From: erinat_private
Date: Thu Dec 12 2002 - 16:43:23 PST


    >under the business records exception.  In my
    >experience, judges just expect it, and as long as
    >no one makes a fuss, they'll admit the records.
    >Practically speaking, you just want the records
    >*in*, and you don't care what theory a judge buys
    >as to why it should be admitted.  If the court
    >wants to admit the records under the business
    >records exception, then by all means, let them.
    
    I agree wholeheartedly, but I was going down the road to perdition, so to 
    speak, wrt the use of the business records exception in the eventual case 
    where 'someone makes a fuss' and the judge is forced to peel beyond that 
    first layer and get to the core of that exception as applied to digital log 
    evidence.  And, that will occur when enough is at stake and the lawyers for 
    a defendant juggernaut (MSFT, for instance) are not going to sit idly when 
    it comes to ushering in damaging logfile evidence.
    
    >The trouble is, there's absolutely no reason why
    >whether computer logs are kept in the ordinary
    >course of business should matter to their
    >admissibility.  In the hearsay context, the
    >"ordinary course of business" helps assure that
    >the person who took the records wasn't fudging
    
    Agree, but that has become the check-box threshold... which is not to say 
    that it should be thrown out entirely in this context, but perhaps another 
    metric should be used instead of or complementary to the "ordinary course 
    of business" standard.  If courts rely on 'use in everyday business' as the 
    circumstantial guarantee of trustworthiness that allows them to make the 
    inferential leap to reliability, they may be bypassing the core issue of 
    whether or not the function works correctly and produced accurate results.
    
    >
    >as business records.  When not, try to admit
    >them as business records, but then be ready to
    >argue that actually there's no hearsay at all, and
    >that the proper question is authenticity, not
    >hearsay.
    
    Getting to the latter argument, it becomes a question of what are the 
    circumstantial guarantees of trustworthiness of log evidence in the digital 
    environment?
    
    Erin
    
    Erin Kenneally, M.F.S., J.D.
    Forensic Analyst
    University of California San Diego
    San Diego Supercomputer Center
    Pacific Institute for Computer Security
    9500 Gilman Dr., La Jolla, CA 92093-0505
    Phone: (858) 822-0991
    http://security.sdsc.edu
    Fax: (858) 534-5077
    
    


