Firewall Wizards mailing list archives
RE: Acqusition of time
From: "dave" <dave () netmedic net>
Date: Wed, 29 Jan 2003 18:45:57 -0500
Actually it is true and maybe has happened. You are comparing physical evidence discovered by LEO/I and that followed the rules for evidentiary handling. Note, if just one bad seed "fruits of the poisonous tree" contaminates this, the whole of the evidence is no longer eligible.

I will give you a "hypothetical" or "maybe not" situation involving say (just randomly picking here :) ) the audit trail of an e-mail server. Let's just say the crime happened 2 months ago, and was discovered by the IT auditor at the said business who spent another two weeks looking through logs, e-mails etc. until he found the "evidence" he was looking for. He then calls the proper authorities and says hey look what I found.

This would be a field day for a good attorney. Could he prove that this auditor contaminated the evidence? And, if so in how many ways? I could think of a few, of course this is just my opinion, not saying I ever saw it happen or anything like that.

Dave Kleiman
dave () netmedic net
www.netmedic.net

-----Original Message-----
From: proberts () gargoyle users patriot net [mailto:proberts () gargoyle users patriot net] On Behalf Of Paul D. Robertson
Sent: Wednesday, January 29, 2003 11:56
To: dave
Cc: 'Noonan, Wesley'; 'Brian Monkman'; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Acqusition of time

On Wed, 29 Jan 2003, dave wrote:
> Actually a good attorney could tear up any log system even with perfect
> time stamps. All that would need to be proved was the fact that it could
> have been faked.
This simply isn't true. Just as physical evidence can be planted, photographic evidence could be faked, or forensics could be falsified, saying "it possibly could have been..." won't win you an instant acquittal. It takes lots of bumbling by the prosecution and its witnesses to give you a "Mark Fuhrman" kind of out, even if you hire the dream team for your defense.

Log files are admissible as machine records, and as such, they're valid evidence. While it'd be difficult to get a conviction on log files alone, it's not impossible, and really what you really want is enough to get the person to plea out anyway, it's much cheaper on the entire system.

If you were to challenge the admissibility, you'd have to show why they weren't admissible, and possibility isn't as strong in admissibility as it is in guilt. If I can show that the logs are normal, and how they produce their records, and what you would have done to make that happen, "they could be changed!" won't get you off any easier than "my PC was trojaned!" Which appears to be the new "dog ate my homework" excuse of note.

Please note that for criminal cases (in .us anyway) the standard for not guilty is _reasonable_ doubt, not _any_ doubt.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions which may have no basis whatsoever in fact."
proberts () patriot net
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards