Firewall Wizards mailing list archives

RE: Acquisition of time


From: "dave" <dave () netmedic net>
Date: Wed, 29 Jan 2003 18:45:57 -0500

Actually it is true and maybe has happened.

You are comparing physical evidence discovered by LEO/I and that followed
the rules for evidentiary handling.  Note, if just one bad seed "fruits of
the poisonous tree" contaminates this, the whole of the evidence is no
longer eligible.

I will give you a "hypothetical" or "maybe not" situation involving say
(just randomly picking here :) ) the audit trail of an e-mail server.


Let's just say the crime happened 2 months ago, and was discovered by the IT
auditor at the said business who spent another two weeks looking through
logs, e-mails etc. until he found the "evidence" he was looking for.  He
then calls the proper authorities and says, "Hey, look what I found."

This would be a field day for a good attorney.  Could he prove that this
auditor contaminated the evidence? And, if so, in how many ways?

I could think of a few.  Of course, this is just my opinion; I'm not saying I
ever saw it happen or anything like that.
Dave Kleiman
dave () netmedic net
www.netmedic.net
-----Original Message-----
From: proberts () gargoyle users patriot net
[mailto:proberts () gargoyle users patriot net] On Behalf Of Paul D. Robertson
Sent: Wednesday, January 29, 2003 11:56
To: dave
Cc: 'Noonan, Wesley'; 'Brian Monkman'; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Acquisition of time

On Wed, 29 Jan 2003, dave wrote:

> Actually a good attorney could tear up any log system even with perfect
> time stamps.  All that would need to be proved was the fact that it could
> have been faked.

This simply isn't true.  Just as physical evidence can be planted,
photographic evidence could be faked, or forensics could be falsified,
saying "it possibly could have been..." won't win you an instant
acquittal.  It takes lots of bumbling by the prosecution and its witnesses
to give you a "Mark Fuhrman" kind of out, even if you hire the dream team
for your defense.

Log files are admissible as machine records, and as such, they're valid
evidence.  While it'd be difficult to get a conviction on log files alone,
it's not impossible, and really what you want is enough to get the
person to plea out anyway; it's much cheaper on the entire system.

If you were to challenge the admissibility, you'd have to show why they
weren't admissible, and possibility isn't as strong in admissibility as it
is in guilt.

If I can show that the logs are normal, and how they produce their
records, and what you would have done to make that happen, "they could be
changed!" won't get you off any easier than "my PC was trojaned!", which
appears to be the new "dog ate my homework" excuse of note.  Please note
that for criminal cases (in .us anyway) the standard for not guilty is
_reasonable_ doubt, not _any_ doubt.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards