Paul:

I certainly agree with your comments. However, I can also say that from many conversations I've had with customers and prospects, the perception is that syslog isn't good enough (for the many reasons noted). But they're not just coming from a trial standpoint, they're also being driven by regulations and standards as well as business drivers. More than just a collection mechanism, a solution must provide the capability to analyze the immense amount of data that's collected. That's always been the biggest challenge for us.

I'd love to hear what you and the rest of the forum think about these other drivers. I think there's still a lot of FUD on those as well, and some reality, too, and I'd like to understand these better to develop a better product.

Todd
x85260

-----Original Message-----
From: Paul Robertson [mailto:probertsat_private]
Sent: Tuesday, April 01, 2003 11:12 AM
To: Todd E. Tucker
Cc: loganalysisat_private
Subject: RE: [logs] NetIQ Vigilant Log Analyzer?

On Tue, 1 Apr 2003, Todd E. Tucker wrote:

> What I am saying is that the syslog data would be easy to attack by
> the defense.

What I'm saying is that it's about as attackable as any other evidence, and the non-repudiation and reliability issues really don't impact that very much at all. Admissibility is the *primary* "attackability" vector in this instance, since once admitted as a machine record, the defense is in an uphill battle to argue that while it's admissible, it's flawed- and they'd pretty much need supporting evidence of the flaw or a mistake in the investigation to make any serious headway. If you ever have a lawyer who doesn't challenge admissibility, but then tries to challenge veracity, I'd say it's time to switch lawyers.

Think of it in terms of footprints on the scene, because that's about the same standard- a defense lawyer can *try* to argue that the prints which happen to match his client's shoe size were placed there by some third party, just as you could try to argue that the log entries were- that doesn't mean they're not submitted, and it doesn't mean that the client is going to get off because "anyone could have left size 12 Athena prints there." You'd not rely on footprints as primary evidence either, but if they stand up enough to get the warrant -and trust me, that's the goal with logs, getting the warrant(s) or subpoena(s)- then they "stand up in court." If it "wouldn't stand up in court," we'd see successful challenges of warrants and subpoenas under the 4th, wouldn't we?

There's all too much fear-mongering about admissibility and defense tactics going on in this arena. I've yet to have a judge turn down producing an order based on syslog-based logs- civil or criminal suits. Even in criminal cases, the prosecution has to draw the picture, and when you take things like logs, disk images, network access, and mix it all together, "the logs *can* be forged, so they *must be*" isn't as effective as "My PC was trojaned!," which is generally what last-ditch defense arguments have tried more of lately (right before their clients go to meet their new husbands.)

> What my investigation and legal sources tell me is that they would
> rarely use log data as the primary evidence, only as supporting. It's
> too easy to (I'm my investigation source)

That's my point- you wouldn't use a log as primary evidence *even if it had none of syslog's downsides*. So to suggest that replacing syslog is prosecutorially necessary isn't true under current caselaw. While it certainly doesn't hurt to do it, it's not a necessity for admission or to stand up against a defense challenge.

Paul

----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
probertsat_private      which may have no basis whatsoever in fact."

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Tue Apr 01 2003 - 18:45:19 PST