Snort mailing list archives

RE: Snort logs as evidence in court


From: "Jyri Hovila" <jyri.hovila () iki fi>
Date: Sat, 22 Dec 2001 11:42:55 +0200

Hello!

I don't have any real-life experience on this, and of course things will
be very different in different countries. As far as the US is concerned, I
cite an excellent book "Digital Evidence and Computer Crime" by Eoghan
Casey (Academic Press, 2000), from pages 46 and 47:

"A memorandum, report, record, or data compilation, in any form, or
acts, events, conditions, opinions or diagnoses, made at or near the
time by, or from information transmitted by a person with knowledge, if
kept in the course of a regularly conducted business activity, and if it
was the regular practice of that business activity to make the
memorandum, report, record, or data compilation, all as shown by the
testimony of the custodian or other qualified witness, unless the source
of the information or the method or circumstances of preparation
indicate lack of trustworthiness. The term "business" as used in this
paragraph includes business, institution, association, profession,
occupation, and calling of every kind, whether or not conducted for
profit.

(US Federal Rules of Evidence)"

and

"These forms [those described in the USFROE] of evidence are acceptable
because they portray events quite accurately and are easier to verify
than other forms of hearsay. For instance, computer log files are
created routinely and contain information about acts and events made at
specific times by, or from information transmitted by, a person with
knowledge. In fact, some computer-generated information has been seen as
so reliable that it has been accepted as direct evidence. Direct
evidence is usually something tangible that is presented to prove a
fact. Under certain circumstances, a computer log file might be accepted
as direct evidence.

For both hearsay and direct evidence to be admissible, it must generally
be proved that evidence is authentic and has not been modified. This is
where forensic science is useful -- offering carefully tested methods
for ensuring that evidence is trustworthy."


Based on the above, I believe Snort logs could be used as evidence. It
will make it easier to prove the authenticity if your log daemon uses some
kind of hashing. Check out
http://www.linuxsecurity.com/tips/tip-26.html. Gathering information
from a computer system for the purpose of using it in court must be done very
carefully -- as with any investigation of a crime scene. It may be that the
logs won't be accepted as evidence unless they are gathered directly
from the system by a police investigator.


I don't know about the US, but at least in Finland it is illegal just to do
a simple port scan. If I remember correctly, scanning was "An attempted
break-in to a computer system". It can be reported to the police, and in
theory they will take action against the attacker. In practice, if it's
a small scan to ports 21, 80 and 139 I don't believe they would do
anything... =)


The US Federal Rules of Evidence can be found here:
http://www.law.cornell.edu/rules/fre/overview.html


Yours,

Jyri
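The "hashing" idea above, as an added example that is not part of the thread or of Snort itself: each log entry's SHA-256 digest is bound to the digest of the entry before it, so editing, deleting or reordering an entry breaks every later digest, and a copy of the final digest kept elsewhere (remote host, write-once media, timestamping service) catches a full rebuild of the chain. The alert lines are constructed samples in Snort's fast-alert style, not real traffic.

```python
import hashlib

# Constructed sample Snort alert lines (fast alert format); not real traffic.
SAMPLE_ALERTS = [
    "12/21-20:55:01.000001 [**] [1:1000001:1] EXAMPLE scan attempt [**] "
    "[Priority: 2] {TCP} 10.0.0.5:40001 -> 192.168.1.10:21",
    "12/21-20:55:01.000002 [**] [1:1000001:1] EXAMPLE scan attempt [**] "
    "[Priority: 2] {TCP} 10.0.0.5:40002 -> 192.168.1.10:80",
    "12/21-20:55:01.000003 [**] [1:1000001:1] EXAMPLE scan attempt [**] "
    "[Priority: 2] {TCP} 10.0.0.5:40003 -> 192.168.1.10:139",
]

GENESIS = "0" * 64  # fixed anchor digest for the first entry


def link_digest(prev_digest: str, line: str) -> str:
    """Digest of one entry, bound to the digest of the entry before it."""
    data = (prev_digest + "\n" + line).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def build_chain(lines):
    """Return [(line, digest), ...]. The last digest summarises the whole log
    and is what you would store out of band for later verification."""
    chain, prev = [], GENESIS
    for line in lines:
        prev = link_digest(prev, line)
        chain.append((line, prev))
    return chain


def verify_chain(chain, trusted_final=None):
    """Return None if the chain is intact, otherwise the index of the first
    entry whose digest does not match. If a trusted copy of the final digest
    is given and the (self-consistent) chain ends elsewhere, the chain was
    rebuilt after the fact; len(chain) is returned to flag that."""
    prev = GENESIS
    for i, (line, digest) in enumerate(chain):
        prev = link_digest(prev, line)
        if prev != digest:
            return i
    if trusted_final is not None and prev != trusted_final:
        return len(chain)
    return None


if __name__ == "__main__":
    chain = build_chain(SAMPLE_ALERTS)
    print("intact:", verify_chain(chain, chain[-1][1]) is None)
```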


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rajkumar
S.
Sent: 21 December 2001 20:55
To: Snort Users
Subject: [Snort-users] Snort logs as evidence in court


Hi all,

Just wondering if we can present the snort logs as evidence in a court
for attempted/break-ins? Will law enforcement agencies take these logs as
evidence and take action on the offenders?

Any one with some experience in this?

raj



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

