Firewall Wizards mailing list archives
RE: Acquisition of time
From: "Paul D. Robertson" <proberts () patriot net>
Date: Wed, 29 Jan 2003 20:31:38 -0500 (EST)
On Wed, 29 Jan 2003, dave wrote:
> Actually it is true and maybe has happened. You are comparing physical evidence discovered by LEO/I that followed the rules for evidentiary handling. Note, if just one bad seed ("fruits of the poisonous tree") contaminates this, the whole of the evidence is no longer eligible.

The same type of handling is done with log file evidence, and its discovery is just about akin to lots of physical evidence: it's discovered by the first person on the scene, who figures out a crime has happened, then calls in the right people (not always law enforcement up front). Just as first responders to a shooting don't contaminate the physical evidence beyond admissibility trying to do CPR on the victim, the mere chance something *could* have been disturbed doesn't make it inadmissible. I'd really encourage you to read the thread that Tina Bird referenced. One of the contributors to that thread wrote the DOJ analysis of admissibility for the federal rules.

> I will give you a "hypothetical" or "maybe not" situation involving, say (just randomly picking here :) ), the audit trail of an e-mail server. Let's just say the crime happened 2 months ago, and was discovered by the IT auditor at the said business, who spent another two weeks looking through logs, e-mails etc. until he found the "evidence" he was looking for. He then calls the proper authorities and says hey, look what I found. This would be a field day for a good attorney. Could he prove that this auditor contaminated the evidence? And, if so, in how many ways?

Once again, the possibility that someone *could* have contaminated the evidence does *NOT* taint its admissibility. The first person on a murder scene often moves the victim to attempt resuscitation; that doesn't invalidate the crime scene.

> I could think of a few. Of course this is just my opinion, not saying I ever saw it happen or anything like that.

Again, I'd refer you to the thread that was posted by Tina Bird. The major issue is admissibility as evidence, and the rules and procedures for log files have been solidified quite a bit over the last few years. You'd have to show the logs weren't consistent with untampered logs to stop that. The law works in pretty obvious ways: if the evidence *was* tampered with, then it shouldn't be admissible. If it wasn't, or there's not a strong indication that it was, then it should be. Typically, in your example, the auditor would testify to what he found, and the administrator of the system would testify to the validity of the data. A good investigator would provide correlation to other events and evidence, and validate that the data was good well before we got to that place. Subpoenas/search warrants for access to corroborating data would be pursued from the court in the very early stages of the game. I've written a few affidavits; it's not all that complex and it's not all that mysterious a process[1].

It's easy to make things better for admissibility purposes, but just the fact that digital media can be altered won't save someone who's done something wrong. If they're counting on that, then they're going to be surprised. Log files (apologies for those who wade through this and aren't .us centric) are generally classified as "machine records" and therefore not subject to the hearsay provision, despite the fact that they generally exist on magnetic media that's subject to alteration. If a "good defense attorney" gets a client off due to the *potential* for change in logs, then (a) the evidence wasn't all that good, (b) the investigator(s) messed up, and (c) the prosecutor really failed. I've spent a fair amount of time going over evidence before presenting an analysis of it to law enforcement.

I've had law enforcement get a warrant and go into someone's home based on log analysis and forensics I've done weeks after the fact, and I don't think that's all that uncommon in complex cases (heck, at one time the local FBI lab's wait time on analysis was over 30 days!)

> Actually a good attorney could tear up any log system even with perfect timestamps. All that would need to be proved was the fact that it could have been faked.

Once again, my issue here is that "proving" that a log file *could* have been faked doesn't automatically make it inadmissible. Once it's admitted, as a machine record, you're likely to lose the "dueling battle of expert witnesses" game with any competent prosecution expert, and any good investigator. Now, if we modify your statement above to match your scenario some, where someone's dinked around for a couple weeks, it really, really depends on how "forensics friendly" an environment your theoretical auditor has dinked around in. If they've done a forensically sound copy of the log disk, and they searched and played on a copy, then the original evidence is still absolutely good to go, and admissible as a machine record of events as they transpired (barring any really unusual issues). If they've opened the primary logs in an editor and resaved them afterwards, then it's slightly more difficult (though really all we need is their testimony of what they did, especially if it's backed up with step-by-step notes of their actions). Neither of those actions has negated the crime that's happened, so neither of them kills the evidence of the crime. Assuming e-mail logs, there's likely to be corroborating evidence in 3 or 4 more places, and all the prosecution really needs is a good analysis of one of those to slam dunk it.

Paul

[1] I'm still not a lawyer.

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
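The "forensically sound copy" versus "opened the primary logs in an editor" distinction in the message above is easy to make concrete. The following is an added example written for this archive page, not code from the original post or from its author. It fingerprints the original log with SHA-256 before anything else happens, makes a working copy for the analyst to search and annotate, re-verifies the original afterwards, and shows what the same check reports when someone appends to the primary log instead. It also runs the simplest of the "consistent with an untampered log" checks mentioned in the thread: syslog timestamps that run backwards. The Postfix-style log lines and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed sample data, and the assumed year for the year-less syslog timestamps is a parameter.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample mail-server log lines (syslog style); not real data.
SAMPLE_LOG = (
    b"Jan 29 20:01:02 mx1 postfix/smtpd[4123]: connect from unknown[192.0.2.10]\n"
    b"Jan 29 20:01:03 mx1 postfix/smtpd[4123]: disconnect from unknown[192.0.2.10]\n"
    b"Jan 29 20:05:44 mx1 postfix/smtpd[4130]: connect from unknown[192.0.2.10]\n"
    b"Jan 29 20:05:45 mx1 postfix/smtpd[4130]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]\n"
)

# A constructed line whose timestamp is earlier than the line before it: the kind
# of inconsistency an analyst would flag when asked whether a log was altered.
OUT_OF_ORDER_LINE = b"Jan 29 19:59:59 mx1 postfix/smtpd[4130]: connect from unknown[198.51.100.7]\n"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(original: Path, workdir: Path) -> dict:
    """Fingerprint the original, make a working copy, and record both in a custody note."""
    original_hash = sha256_file(original)
    copy = workdir / (original.name + ".working")
    shutil.copyfile(original, copy)
    return {
        "original": str(original),
        "copy": str(copy),
        "sha256": original_hash,
        "copy_matches": sha256_file(copy) == original_hash,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }


def verify_original(note: dict) -> bool:
    """True if the original still hashes to the value recorded at acquisition."""
    return sha256_file(Path(note["original"])) == note["sha256"]


def search_copy(copy: Path, needle: str) -> list:
    """All analysis happens on the working copy, never on the original."""
    return [line for line in copy.read_text().splitlines() if needle in line]


def timestamps_monotonic(lines, year: int = 2003) -> bool:
    """Syslog timestamps carry no year; assume one and require non-decreasing order."""
    prev = None
    for line in lines:
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        if prev is not None and ts < prev:
            return False
        prev = ts
    return True


def run_demo() -> dict:
    """Acquire, analyse the copy, re-verify the original, then show what an
    in-place edit of the original looks like to the same integrity check."""
    with tempfile.TemporaryDirectory() as tmp:
        tmpdir = Path(tmp)
        original = tmpdir / "maillog"
        original.write_bytes(SAMPLE_LOG)

        note = acquire(original, tmpdir)
        copy = Path(note["copy"])
        hits = search_copy(copy, "192.0.2.10")

        # The analyst annotates the working copy; the original is not touched.
        with copy.open("a") as f:
            f.write("# analyst note: all connections from 192.0.2.10\n")
        intact_after_analysis = verify_original(note)

        # The mistake the thread warns about: writing to the primary log itself.
        with original.open("ab") as f:
            f.write(OUT_OF_ORDER_LINE)
        edit_detected = not verify_original(note)

        return {
            "copy_matches": note["copy_matches"],
            "hits": len(hits),
            "intact_after_analysis": intact_after_analysis,
            "edit_detected": edit_detected,
            "clean_log_consistent": timestamps_monotonic(SAMPLE_LOG.decode().splitlines()),
            "edited_log_consistent": timestamps_monotonic(
                (SAMPLE_LOG + OUT_OF_ORDER_LINE).decode().splitlines()
            ),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The custody note is what an auditor would hand to an investigator alongside the testimony described in the message: the hash taken before analysis, the time it was taken, and a copy that can be shown to match it. A real acquisition would hash the whole volume or an image of it rather than one file, and would store the note somewhere the analyst cannot rewrite it, but the shape of the procedure is the same.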