Eric Murray wrote:
> If you testified that you couldn't swear that the log file was correct,
> the prosecutor's next question would be "to the best of your knowledge,
> did you or someone else modify the log file entries in question?". Unless
> you knew that you had, or that the machine had been hacked and the logs
> edited, you'd have to answer "no", making it acceptable as evidence[1].
>
Not at all -- I'd answer that I'd found log files that had clearly been
altered so many times that I would never assume they hadn't been. And that my log
files in particular were constantly in danger of being altered on a daily basis,
since the tool I use to view them is vi and it's more than easy to absentmindedly
delete or alter lines with a keystroke.
> 1: actually, I'd guess that a competent prosecutor would not even ask
> such a question that would cast doubt on logfile evidence, and that the
> defense wouldn't bother bringing up the subject, which a typical jury
> would find incomprehensible, unless there wasn't any better defense.
There's also the constant possibility that a user's account has been hacked,
and that someone else was using it. Impossible to prove that wasn't the case in
fact, and that the hacker might have been the fedz planting evidence. Especially
now that we have an admitted case of the FBI hacking a user's account with the help
of Carnivore.
The law requires "proof beyond a reasonable doubt" --- when you are dealing
with digital bits and bytes, who's to say they weren't altered? That provides
reasonable doubt easily enough -- maybe the legal world needs educating on these
points.
--
Harmon Seaver, MLIS
CyberShamanix
Work 920-203-9633 [EMAIL PROTECTED]
Home 920-233-5820 [EMAIL PROTECTED]