Firewall Wizards mailing list archives

Re: Acquisition of time


From: "W.C. Epperson" <epperson () alumni unc edu>
Date: Thu, 30 Jan 2003 08:33:07 -0500

Have not read back through the entire thread or cross-referenced ones, but I've not seen anyone raise the issue of chain of custody. The general idea is testimony authenticating the item of evidence and the lack of tampering during possession by each person in the chain. If there's an issue of possible evidentiary use of a log file, we have two sysadmins seal a backup in an envelope immediately, sign the sealed flap, and have the accounting department vault it until needed. In the face of a documented and attested chain of custody, it's the other side's burden to establish the probability that tampering occurred.

Also see the USDOJ page on acquisition of electronic evidence, especially the section "Authenticity and the Alteration of Computer Records". http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm