Snort mailing list archives
RE: Snort logs as evidence in court
From: "Jyri Hovila" <jyri.hovila () iki fi>
Date: Sat, 22 Dec 2001 11:42:55 +0200
Hello!

I don't have any real-life experience on this, and of course things will be very different in different countries. As far as the US is concerned, I cite an excellent book "Digital Evidence and Computer Crime" by Eoghan Casey (Academic Press, 2000), from pages 46 and 47:

"A memorandum, report, record, or data compilation, in any form, or acts, events, conditions, opinions or diagnoses, made at or near the time by, or from information transmitted by a person with knowledge, if kept in the course of a regularly conducted business activity, and if it was the regular practice of that business activity to make the memorandum, report, record, or data compilation, all as shown by the testimony of the custodian or other qualified witness, unless the source of the information or the method or circumstances of preparation indicate lack of trustworthiness. The term "business" as used in this paragraph includes business, institution, association, profession, occupation, and calling of every kind, whether or not conducted for profit. (US Federal Rules of Evidence)"

and

"These forms [those described in the USFROE] of evidence are acceptable because they portray events quite accurately and are easier to verify than other forms of hearsay. For instance, computer log files are created routinely and contain information about acts and events made at specific times by, or from information transmitted by, a person with knowledge. In fact, some computer-generated information has been seen as so reliable that it has been accepted as direct evidence. Direct evidence is usually something tangible that is presented to prove a fact. Under certain circumstances, a computer log file might be accepted as direct evidence. For both hearsay and direct evidence to be admissible, it must generally be proved that evidence is authentic and has not been modified. This is where forensic science is useful -- offering carefully tested methods for ensuring that evidence is trustworthy."

Based on the above, I believe Snort logs could be used as evidence. It will make it easier to prove the authenticity if your log daemon uses some kind of hashing. Check out http://www.linuxsecurity.com/tips/tip-26.html.

Gathering information from a computer system for the purpose of using it in court must be done very carefully -- as any investigation on a crime scene. It may be that the logs won't be accepted as evidence unless they are gathered directly from the system by a police investigator.

I don't know about the US, but at least in Finland it is illegal just to do a simple port scan. If I remember correctly, scanning was "An attempted break-in to a computer system". It can be reported to the police, and in theory they will take actions against the attacker. In practice, if it's a small scan to ports 21, 80 and 139 I don't believe they would do anything... =)

The US Federal Rules of Evidence can be found here: http://www.law.cornell.edu/rules/fre/overview.html

Yours,
Jyri

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rajkumar S.
Sent: 21. joulukuuta 2001 20:55
To: Snort Users
Subject: [Snort-users] Snort logs as evidence in court

Hi all,

Just wondering if we can present the snort logs as evidence in a court for attempted/break-ins? Will law enforcement agencies take these logs as evidence and take action on the offenders? Anyone with some experience in this?

raj

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
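The reply above suggests that a log daemon which hashes its records makes authenticity easier to demonstrate. As an added illustration of that idea (example code written for this archive page, not code from the thread, from Snort, or from the linked tip), the script below keeps alert lines in a hash chain: every stored record carries SHA-256(previous digest || record), so modifying, deleting or reordering any record breaks the chain from that point on and the first inconsistent position can be named. The alert lines, the genesis value and the on-disk layout are all assumptions constructed for the example.

```python
"""Hash-chained integrity check for alert log lines.

Added example, not from the mailing-list thread or from Snort: each record is
stored with SHA-256(previous_digest || record), so any later change to an
earlier record invalidates every link after it. Sample alert lines are
constructed in a Snort-like format; they are not real captured traffic.
"""
import hashlib
from typing import List, Optional, Tuple

# Seed for the first link. In practice the value, and later the head digest,
# would be recorded out-of-band (printed and filed, or signed) when the log
# is opened, so that a verifier has an anchor the log writer cannot rewrite.
GENESIS = "0" * 64

# Constructed sample alert lines (RFC 5737 documentation addresses).
SAMPLE_ALERTS = [
    "12/21-20:55:01.123456 [**] [1:1000001:1] SAMPLE portscan [**] 192.0.2.10 -> 198.51.100.5",
    "12/21-20:55:02.654321 [**] [1:1000002:1] SAMPLE ftp probe [**] 192.0.2.10:4321 -> 198.51.100.5:21",
    "12/21-20:55:03.000000 [**] [1:1000003:1] SAMPLE http probe [**] 192.0.2.10:4322 -> 198.51.100.5:80",
]

Entry = Tuple[str, str]  # (record, digest)


def link_digest(prev_digest: str, record: str) -> str:
    """Digest of one link: SHA-256 over the previous digest, a separator and the record."""
    h = hashlib.sha256()
    h.update(prev_digest.encode("ascii"))
    h.update(b"\n")  # separator so prefix/suffix ambiguities cannot collide
    h.update(record.encode("utf-8"))
    return h.hexdigest()


def chain_log(records: List[str], genesis: str = GENESIS) -> List[Entry]:
    """Build (record, digest) pairs; each digest commits to every earlier record."""
    entries: List[Entry] = []
    prev = genesis
    for rec in records:
        prev = link_digest(prev, rec)
        entries.append((rec, prev))
    return entries


def verify_chain(entries: List[Entry], genesis: str = GENESIS) -> Optional[int]:
    """Recompute the chain; return the index of the first bad entry, or None if intact."""
    prev = genesis
    for i, (rec, stored) in enumerate(entries):
        if link_digest(prev, rec) != stored:
            return i
        prev = stored
    return None


def head_digest(entries: List[Entry]) -> str:
    """Last digest in the chain; recording it out-of-band anchors the whole log."""
    return entries[-1][1] if entries else GENESIS


def serialize(entries: List[Entry]) -> str:
    """On-disk layout assumed here: one line per entry, '<digest>\t<record>'."""
    return "".join(f"{digest}\t{record}\n" for record, digest in entries)


def parse_lines(text: str) -> List[Entry]:
    """Inverse of serialize(); malformed lines raise ValueError rather than being skipped."""
    entries: List[Entry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        digest, sep, record = line.partition("\t")
        if not sep or len(digest) != 64:
            raise ValueError(f"malformed chained log line {lineno}")
        entries.append((record, digest))
    return entries


if __name__ == "__main__":
    entries = chain_log(SAMPLE_ALERTS)
    print("intact:", verify_chain(entries), "head:", head_digest(entries))
    # Simulate an after-the-fact edit of the source address in the second record.
    rec, dig = entries[1]
    tampered = entries[:1] + [(rec.replace("192.0.2.10", "192.0.2.99"), dig)] + entries[2:]
    print("tampered, first bad index:", verify_chain(tampered))
    # Simulate deletion of the second record.
    print("deleted, first bad index:", verify_chain(entries[:1] + entries[2:]))
```

The chain only proves that nothing changed after each digest was written; it says nothing about a writer that lies at write time, which is why the head digest (or periodic digests) should be copied somewhere the log host cannot alter, mirroring the reply's point that authenticity has to be demonstrable by someone other than the system under examination.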
Current thread:
- Snort logs as evidence in court Rajkumar S. (Dec 22)
- RE: Snort logs as evidence in court Jyri Hovila (Dec 22)
- RE: Snort logs as evidence in court Greg Herlein (Dec 22)
- RE: Snort logs as evidence in court Jyri Hovila (Dec 22)