On Tue, 10 Feb 2004, Ron Sweeney wrote:

> Recently, I have gone down the road of writing "engines" to grep on huge
> amounts of log files and load them into a mysql instance to keep pertinent
> data. It works out pretty slick this way for obvious reasons...
>
> My question to this list however, what are the legal ramifications of
> storing data externally and not keeping the log files in their native
> format? Does the validity of the exception in the log file get stunted
> when removed from its native format?

IANAL, but:

It would seem to me that you're still creating a "machine record" and so
have the exemption in-place. HOWEVER, I sure wouldn't want to have to
defend such an entry in front of a jury. Defense would probably have a
heck of a time that started with "Please explain database corruption...."

You'd really want to spend some time documenting and proving that what
starts out at point A ends up at point D, along with how, why and through
what method. Validating the process before you have to use it should help
significantly in loading up the expert witness pool with ammunition. "See,
here's where we generated a million entries and validated them during our
testing process..."

I would also dump the database (raw, not to text) and produce a "report"
so that you're creating a business report from the data, to hedge the
admissibility. If you can dump the original log lines separately, that's a
help, as you can feed them through the process and prove what came out was
what came out.

Obviously, checking with counsel is the best bet here, and maybe a local
USA/AUSA.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@private       which may have no basis whatsoever in fact."
probertson@private     Director of Risk Assessment
                       TruSecure Corporation
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
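
One way to make the "point A ends up at point D" validation from the message above repeatable. This is an added example, not code from either poster: sqlite3 stands in for the MySQL instance, and the table layout, function names and sample log lines are constructed assumptions.

```python
import hashlib
import sqlite3

# Constructed sample log lines (not from the original thread).
SAMPLE = [
    b"Feb 10 09:14:02 gw1 sshd[812]: Failed password for root from 192.0.2.10",
    b"Feb 10 09:14:05 gw1 sshd[812]: Failed password for root from 192.0.2.10",
    b"Feb 10 09:15:11 gw1 sshd[901]: Accepted publickey for admin from 198.51.100.7",
]

def manifest(lines):
    """Order-sensitive SHA-256 over the raw lines; record it outside the database."""
    h = hashlib.sha256()
    for raw in lines:
        h.update(hashlib.sha256(raw).digest())
    return h.hexdigest()

def open_store():
    """Hypothetical schema: sequence number, untouched raw line, per-line digest."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE log_entry (seq INTEGER PRIMARY KEY,"
                 " raw BLOB NOT NULL, sha256 TEXT NOT NULL)")
    return conn

def load(conn, lines):
    """Store each line byte-for-byte next to its digest, preserving file order."""
    conn.executemany(
        "INSERT INTO log_entry (seq, raw, sha256) VALUES (?, ?, ?)",
        [(i, raw, hashlib.sha256(raw).hexdigest()) for i, raw in enumerate(lines)])
    conn.commit()

def verify(conn, expected_manifest, expected_count):
    """Return a list of discrepancies; an empty list means the rows match the source."""
    rows = conn.execute("SELECT seq, raw, sha256 FROM log_entry ORDER BY seq").fetchall()
    problems = []
    if len(rows) != expected_count:
        problems.append(f"row count {len(rows)} != {expected_count}")
    for seq, raw, stored in rows:
        if hashlib.sha256(bytes(raw)).hexdigest() != stored:
            problems.append(f"seq {seq}: line does not match its stored digest")
    if manifest(bytes(r[1]) for r in rows) != expected_manifest:
        problems.append("manifest mismatch: database differs from original file")
    return problems

if __name__ == "__main__":
    store = open_store()
    load(store, SAMPLE)
    print(verify(store, manifest(SAMPLE), len(SAMPLE)))  # [] when nothing changed
```

The per-line digest catches a row edited in place; the manifest, kept apart from the database, also catches a row whose line and digest were rewritten together, or rows that were dropped or reordered.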