Security Incidents mailing list archives

Evidence handling


From: "Andrew van der Stock" <ajv () e-secure com au>
Date: Wed, 13 Jun 2001 17:12:51 +1000

Hi there,

IANAL

Admissible evidence laws vary from country to country, and there are different
rules depending on what sort of evidence you are trying to introduce.

The Australian laws on this matter can be found here:
http://www.austlii.edu.au/cgi-bin/download.cgi/download/au/legis/cth/consol_act/ea199580.txt

(my mailer is going to wrap that, so search for "EVIDENCE ACT 1995" on
http://www.austlii.edu.au)

The relevant section is Part 2.2 Section 48 "Proof of contents of
documents", and section 50, which applies simply because logs are voluminous,
sometimes inscrutable and verbose. And section 146 as the logs are generated
by machines. The whole act applies, so a good reading of the headings will
help. Also, as some logs will come from "foreign" hosts (ie non-Australian),
different rules of evidence and admissibility apply. This is the "Foreign
Evidence Act".

A good defence lawyer will always attack the provenance of any introduced
evidence. If they don't at least try to inspire some doubt as to their
authenticity and/or accuracy, they aren't doing their jobs. They can aim at
the underlying syslog protocol, which being UDP based and unauthenticated,
could be considered unreliable if not properly locked down (which in a
criminal case, the prosecution needs to prove). Also, a good defence lawyer
will ask to exclude logs on the basis that they are confusing or misleading
(section 136), which can be rebutted by using expert witnesses. Again, I
draw your attention to the differences between criminal and civil
proceedings; it's easier to succeed in a civil case, but most of these dudes
will not have any wealth, and you'd be lucky to get $10/mth for a period of
their lives. If they live overseas, forget it.

Essentially, within the constraints of the act, which tries to allow as much
untainted evidence as possible, it's up to the persons introducing the
evidence to prove that the logs are what they are by showing good evidence
handling procedures, including a secure path for logging (ie syslog has to
be demonstrably secured). It's all too hard.

Andrew
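One concrete way to back up the "secure path for logging" point above is to make the collected log tamper-evident, so that altering, dropping or inserting a line can be shown rather than merely asserted. The following is an added example, not code from Andrew's post or from any product he mentions: a keyed hash chain over syslog lines, where each record's tag covers the previous tag and the line itself. The key and the sample log lines are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample syslog lines (not taken from the original thread).
SAMPLE_LOG = [
    "Jun 13 16:25:01 gw sshd[4411]: Failed password for root from 192.0.2.10 port 51022 ssh2",
    "Jun 13 16:25:03 gw sshd[4411]: Failed password for root from 192.0.2.10 port 51022 ssh2",
    "Jun 13 16:25:09 gw sshd[4419]: Accepted publickey for admin from 198.51.100.7 port 40122 ssh2",
]

# Constructed demo key; in practice this lives only on the log collector.
KEY = b"constructed-demo-key-not-for-production"

GENESIS = b"\x00" * 32  # fixed starting value for the chain


def chain_log(lines, key=KEY):
    """Return a list of (line, tag_hex) records.

    Each tag is HMAC-SHA256(key, previous_tag || line), so every record
    commits to the whole history before it.
    """
    prev = GENESIS
    records = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        records.append((line, tag.hex()))
        prev = tag
    return records


def verify_chain(records, key=KEY):
    """Return the index of the first record whose tag does not verify,
    or -1 if the whole chain is intact.

    A modified line, a removed line, or an inserted line all change the
    input to the next HMAC, so the break is detected at or right after
    the point of tampering.
    """
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(records):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i
        prev = expected
    return -1
```

The chain only proves integrity from the point where tags were first computed, so the collector that computes them must itself be trusted and the key kept off the hosts whose logs it receives.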

-----Original Message-----
From: Uidam, T (Tim) [mailto:Tim.Uidam () SYD RABOBANK COM]
Sent: Wednesday, 13 June 2001 16:25
To: 'Andrew van der Stock'; incidents () securityfocus com
Subject: RE: How to stop a consistent cracker.


It was my understanding that the courts consider the evidence (IDS Logs,
etc) to be true and correct UNLESS the judge explicitly believes the logs
have been tampered with, or the Defense attorney can prove that they have
been.

But I'm happy to be proven wrong. This information was posted to a
security-focus list about 2 months ago by a person claiming to be a lawyer
specialising in IT&E cases.

Tim

