[logs] Re: Log integrity handling on central logsystem

From: Taneli Otala (taneli@private)
Date: Thu Aug 31 2006 - 19:41:26 PDT


Marcus J. Ranum wrote:
>> But, at the same time -- you are collecting evidence TODAY, that will be 
>> used two years from today... and in that time the regulations will change.
>>
>
> Logs are, like any other evidence, going to have to be presented as part of
> a complete case. I doubt very much that you'd get a conviction out of any
> jury, with JUST a log-file as evidence -- there would have to be some kind of
> corroborating evidence.
>
> That's why, for at least the next decade, I don't think log-signing is going
> to be that big a deal. If you care, buy a satellite clock for your log-server
> and have the log-server's backups retained offsite by a service that can
> give you a _copy_ of them on demand. It'd be really hard for someone to
> explain to a jury how the logs were altered at both your facility and on
> tapes locked in someone else's vault, in exactly the same way at the
> same time.
>

I agree with Marcus... log signing [alone] is not going to make or break 
a court case -- it [alone] might almost be asking for trouble.

As I pointed out later in my earlier response, the big deal is to get 
all possible logs, even if they don't appear relevant to the particular 
matter -- so you can show the trace, other anomalies (or lack of other 
anomalies).

For those who have done forensics on a 
break-in/intrusion/bad-thing-that-happened...
- You start with an observed problem, i.e. the tip of the iceberg
- You look at the origin, and you follow it one step at a time -- sort 
of like connecting-the-dots
- At almost every phase (step/dot), you end up looking at yet another 
log (if the attack was any good)

To present a good case, you show the entire track.
...and then you settle it out of court.

Nobody wants to go to court. When a larger organization finds a problem, 
they want to keep it under wraps and settle it -- their reputation 
is far more at risk for having allowed a break-in -- and there's 
(usually) precious little to gain from the perpetrator.


The more evidence you have, the more able you are to put the pieces 
together.
(Disk space is cheap, collect it all, and start today)

The more you can prove that you have the "chain of custody", the better 
the story sounds (whether this is via offsite storage, or digital 
signing, or both).

At the end, if you have the full story, and hard-to-refute chain of 
custody...
...then the other side will settle it before it ever hits a court.

So, the lesson I learned was that you want to crank up all the knobs -- 
both collection- and chain-of-custody-wise.

TaO
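An added illustration of the chain-of-custody point made in the thread (this is example code, not from the original post or the LogAnalysis list): a hash chain over log lines, an HMAC over the chain head with an assumed log-server key, and a comparison of a local copy against an offsite copy that reports the first line where they diverge. The sample log lines and the key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample: the same log kept locally and as an offsite copy.
# In the offsite copy one line has been altered (sample data, not real logs).
LOCAL_LOG = [
    "Aug 31 19:40:01 host sshd[812]: Accepted publickey for alice from 10.0.0.5",
    "Aug 31 19:40:07 host sudo: alice : COMMAND=/bin/cat /etc/shadow",
    "Aug 31 19:40:09 host sshd[812]: session closed for user alice",
]
OFFSITE_LOG = [
    LOCAL_LOG[0],
    "Aug 31 19:40:07 host sudo: alice : COMMAND=/bin/ls /tmp",  # tampered line
    LOCAL_LOG[2],
]


def hash_chain(lines, seed=b""):
    """Return chain hashes h_i = SHA-256(h_{i-1} || line_i).
    Each hash covers every line before it, so changing any one line
    changes every hash that follows it."""
    prev = hashlib.sha256(seed).digest()
    chain = []
    for line in lines:
        prev = hashlib.sha256(prev + line.encode()).digest()
        chain.append(prev.hex())
    return chain


def sign_head(chain, key):
    """HMAC over the final chain hash: the one value worth signing and
    escrowing offsite. The key is an assumed secret held by the log server."""
    return hmac.new(key, chain[-1].encode(), hashlib.sha256).hexdigest()


def verify_head(chain, key, signature):
    """Check an escrowed signature against a copy's chain head."""
    return hmac.compare_digest(sign_head(chain, key), signature)


def first_divergence(local_lines, offsite_lines):
    """Compare two copies via their chains; return the index of the first
    line whose chain hash differs, or None when the copies agree."""
    a, b = hash_chain(local_lines), hash_chain(offsite_lines)
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))
```

Because the chain head is what gets signed or handed to the offsite service, both copies would have to be altered identically, and the escrowed head along with them, for the discrepancy to go unnoticed.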

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis



This archive was generated by hypermail 2.1.3 : Thu Aug 31 2006 - 20:01:37 PDT