Firewall Wizards mailing list archives

Re: Acqusition of time


From: Volker Tanger <volker.tanger () discon de>
Date: Wed, 29 Jan 2003 18:04:46 +0100

Greetings!

dave wrote:
Actually a good attorney could tear up any log system even with perfect time
stamps.  All that would need to be proved was the fact that it could
have been faked.

Basically right. But if you have to explain why you think that "this" could be the suspected entry and not the one three minutes earlier, an answer like "because the new Sun machine usually lags a few minutes behind the Compaq PC" will not be very convincing. There's quite some difference between
        "consistent, sound, but maybe fake"
and
        "inconsistent, nonreproducible assumptions and maybe fake"

When trying to dissect problems, log analysis will be a problem without consistent timestamps. On higher-traffic lines (Mbit/s area) you'll have some ten thousand log entries per minute - which makes it practically impossible to pinpoint a specific log entry if you do not know the exact time as index.

Bye

Volker Tanger
IT-Security Consulting

--
discon gmbh
Wrangelstraße 100
D-10997 Berlin

fon    +49 30 6104-3307
fax    +49 30 6104-3461

volker.tanger () discon de
http://www.discon.de/


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
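
The pinpointing problem described in the post above, as an added example that is not part of the original message: it counts how many entries of a constructed log remain candidates for one event when the reporting machine's clock is only trusted to within a few minutes, compared with a synchronised clock. The log contents, the 192.0.2.x addresses, the +/- 3 minute and +/- 50 ms uncertainties and all function names are assumptions made for illustration.

```python
from bisect import bisect_left, bisect_right
from datetime import datetime, timedelta

PER_MINUTE = 10_000   # the post's "ten thousand log entries per minute"
SOURCES = 200         # constructed: number of distinct source addresses


def build_log(start, minutes):
    """Constructed sample log: evenly spaced (timestamp, source) entries."""
    step = timedelta(minutes=1) / PER_MINUTE
    return [(start + i * step, f"192.0.2.{i % SOURCES}")
            for i in range(minutes * PER_MINUTE)]


def candidates(log, reported, uncertainty, source=None):
    """Entries within +/- uncertainty of the reported time, optionally by source."""
    times = [t for t, _ in log]          # log is already sorted by time
    lo = bisect_left(times, reported - uncertainty)
    hi = bisect_right(times, reported + uncertainty)
    window = log[lo:hi]
    if source is not None:
        window = [entry for entry in window if entry[1] == source]
    return window


START = datetime(2003, 1, 29, 18, 0, 0)
LOG = build_log(START, 10)                  # ten minutes of constructed traffic
REPORTED = START + timedelta(minutes=5)     # event time according to the other machine

if __name__ == "__main__":
    cases = (("unsynchronised, +/- 3 min", timedelta(minutes=3)),
             ("synchronised, +/- 50 ms", timedelta(milliseconds=50)))
    for label, uncertainty in cases:
        everything = candidates(LOG, REPORTED, uncertainty)
        one_source = candidates(LOG, REPORTED, uncertainty, source="192.0.2.0")
        print(f"{label}: {len(everything)} candidate entries, "
              f"{len(one_source)} from 192.0.2.0")
```

Even when the suspected source address is known, the wide window leaves hundreds of equally plausible entries, while the narrow one leaves a single entry.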