Firewall Wizards mailing list archives

RE: Acquisition of time


From: "Paul D. Robertson" <proberts () patriot net>
Date: Wed, 29 Jan 2003 20:31:38 -0500 (EST)

On Wed, 29 Jan 2003, dave wrote:

> Actually it is true and maybe has happened.
> 
> You are comparing physical evidence discovered by LEO/I and that followed
> the rules for evidentiary handling.  Note, if just one bad seed "fruits of
> the poisonous tree" contaminates this, the whole of the evidence is no
> longer eligible.

The same type of handling is done with log file evidence- and its 
discovery is just about akin to lots of physical evidence- it's discovered 
by the first person on the scene, who figures out a crime has happened, 
then calls in the right people (not always law enforcement up front.)

Just as first responders to a shooting don't contaminate the physical 
evidence beyond admissibility trying to do CPR on the victim, the mere 
chance something *could* have been disturbed doesn't make it inadmissible.  
I'd really encourage you to read the thread that Tina Bird referenced.  
One of the contributors to that thread wrote the DOJ analysis of 
admissibility for the federal rules.

> I will give you a "hypothetical" or "maybe not" situation involving say
> (just randomly picking here :) ) the audit trail of an e-mail server.
> 
> Let's just say the crime happened 2 months ago, and was discovered by the IT
> auditor at the said business who spent another two weeks looking through
> logs, e-mails etc. until he found the "evidence" he was looking for.  He
> then calls the proper authorities and says hey look what I found.
> 
> This would be a field day for a good attorney.  Could he prove that this
> auditor contaminated the evidence? And, if so in how many ways?

Once again, the possibility that someone *could* have contaminated the 
evidence does *NOT* taint its admissibility.  The first person on a 
murder scene often moves the victim to attempt resuscitation, that doesn't 
invalidate the crime scene.

> I could think of a few, of course this is just my opinion, not saying I ever
> saw it happen or anything like that. 

Again, I'd refer you to the thread that was posted by Tina Bird.  The 
major issue is admissibility as evidence, and the rules and procedures for 
log files have been solidified quite a bit over the last few years.  You'd 
have to show the logs weren't consistent with untampered logs to stop 
that.  

The law works in pretty obvious ways, if the evidence *was* tampered with, 
then it shouldn't be admissible.  If it wasn't, or there's not a strong 
indication that it was, then it should be.  

Typically, in your example, the auditor would testify to what he found, 
and the administrator of the system would testify to the validity of the 
data.  

A good investigator would provide correlation to other events, evidence 
and validate that the data was good well before we got to that place.  
Subpoenas/search warrants for access to corroborating data would be 
pursued from the court in the very early stages of the game.  I've written a few 
affidavits, it's not all that complex and it's not all that mysterious a 
process[1].  

It's easy to make things better for admissibility purposes, but just the 
fact that digital media can be altered won't save someone who's done 
something wrong.  If they're counting on that, then they're going to be 
surprised.  

Log files (apologies for those who wade through this and aren't .us 
centric) are generally classified as "machine records" and therefore not 
subject to the hearsay provision- that's despite the fact that they 
generally exist on magnetic media that's subject to alteration.  

If a "good defense attorney" gets a client off due to the *potential* for 
change in logs then (a) the evidence wasn't all that good, (b) the 
investigator(s) messed up, and (c) the prosecutor really failed.

I've spent a fair amount of time going over evidence before presenting an 
analysis of it to law enforcement.  I've had law enforcement get a warrant 
and go into someone's home based on log analysis and forensics I've done 
weeks after the fact, and I don't think that's all that uncommon in 
complex cases (heck, at one time the local FBI lab's wait time on 
analysis was over 30 days!)

> Actually a good attorney could tear up any log system even with perfect
> time stamps.  All that would need to be proved was the fact that it could
> have been faked.

Once again, my issue here is that "proving" that a log file *could* have 
been faked doesn't automatically make it inadmissible.  Once it's 
admitted, as a machine record, you're likely to lose the "dueling battle 
of expert witnesses" game with any competent prosecution expert, and any 
good investigator.  

Now, if we modify your statement above to match your scenario some, where 
someone's dinked around for a couple weeks, it really, really depends on 
how "forensics friendly" an environment your theoretical auditor has 
dinked around in.  If they've done a forensically sound copy of the log 
disk, and they searched and played on a copy, then the original evidence 
is still absolutely good to go, and admissible as a machine record of 
events as they transpired (barring any really unusual issues.)  If they've 
opened the primary logs in an editor, resaved them afterwards, then it's 
slightly more difficult (though really all we need is their testimony of 
what they did, especially if it's backed up with step-by-step notes of 
their actions.)  Neither of those actions has negated the crime that's 
happened, so neither of them kills the evidence of the crime.  Assuming 
e-mail logs, there's likely to be corroborating evidence in 3 or 4 more 
places, and all the prosecution really needs is a good analysis of one of 
those to slam dunk it.


Paul
[1] I'm still not a lawyer.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
