Good points, Paul. I don't mean to say it would be inadmissible, just that it would stand the challenges. The primary factor that would potentially make log data inadmissible is if it were not collected in the normal course of business, which would cause it to be subject to the hearsay rule. Syslog is normally used in the normal course of business. What I am saying is that the syslog data would be easy to attack by the defense.

What my investigation and legal sources tell me is that they would rarely use log data as the primary evidence, only as supporting. It's too easy to manipulate, modify, and delete. They would instead rely more on evidence from disk analysis, trap and trace, etc. using court-approved tools (like EnCase or NTI). That's why I tell our prospects that a tool like VigilEnt Log Analyzer is used for discovery during a forensics investigation. These tools can help single out machines for a more thorough analysis, and can save time, which is so precious during an investigation.

Regards,
Todd

Todd E. Tucker, CISSP, CISA
Product Marketing Manager
NetIQ Corporation
Business: (713) 418-5260
Toll Free: (888) 400-2834 x85260
Fax: (928) 396-7174
mailto:todd.tuckerat_private
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD8CEEF2A
PGP Fingerprint: 136D 7089 F9AC 5530 CD0D 3B27 9FCA 4739 D8CE EF2A
http://www.netiq.com

-----Original Message-----
From: Paul D. Robertson [mailto:probertsat_private]
Sent: Tuesday, April 01, 2003 7:22 AM
To: Todd E. Tucker
Cc: loganalysisat_private
Subject: RE: [logs] NetIQ Vigilant Log Analyzer?

On Mon, 31 Mar 2003, Todd E. Tucker watched Inspector Gadget and wrote:

> data into a network syslog server, including Ntsyslog. It would not
> hold up in a court of law. And Ntsyslog provides no analytical
> capabilities like

IMO, "It would not hold up in a court of law" is a specious claim; could you cite anywhere in, say, the US Federal Rules of Evidence where this is explicitly said?

(Hint: We've been over this topic on this list before.)

I've not studied the rules of evidence for other countries too deeply at this point, but I'm pretty confident that syslog data would be admissible in most of them. What you're saying is like saying a footprint in mud wouldn't hold up in a court of law because anyone could go get any pair of shoes and track around; what's found at the scene is what's found at the scene, and the analysis of that is important, even absent non-repudiation.

Plenty of judges have signed plenty of orders based on syslog data in the discovery phase, which is where it tends to be most useful. You'd be no more likely to get a conviction based solely upon a lossless and cryptographically signed log as a sole source of evidence, and no less likely to receive warrants or subpoenas without it.

Paul

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
probertsat_private      which may have no basis whatsoever in fact."
probertsonat_private   Director of Risk Assessment
                       TruSecure Corporation

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Tue Apr 01 2003 - 09:57:15 PST