On Wed, May 02, 2001 at 12:34:50AM -0500, Harmon Seaver wrote:
> Greg Broiles wrote:
> 
> > Hmm. Can you identify any problems with log files as evidence which aren't
> > also present in, say, eyewitness testimony, audiotape recordings, video
> > recordings, fingerprints, photographs, tool & die marks, paper records, and
> > all of the other evidence which courts admit on a daily basis?
> 
>     Of course -- the fact is that they *do* get altered, forged quite
> frequently. I've altered my own logs for various reasons, I've cut and pasted
> pieces of logs into email and other things,  and I've had servers that I
> admined get hacked and the logs altered. It's SOP for hackers to alter the
> logs. So as a sysadmin, I'd have to testify that I could not possibly swear
> that a log represented anything at all, one way or another. And any sysadmin
> who would is a fool if not a liar.


But we all know that while it's trivial to modify a log file with the
correct knowledge and tools, the vast majority of log files are not
modified.  Same with a (written) signature-- with the correct knowledge
and tools it's easy to forge, yet the vast majority of signatures are
not forged.

If you testified that you couldn't swear that the log file was correct,
the prosecutor's next question would be "to the best of your knowledge,
did you or someone else modify the log file entries in question?".  Unless
you knew that you had, or that the machine had been hacked and the logs
edited, you'd have to answer "no", making it acceptable as evidence[1].

The legal system deals with questionable evidence all the time.
Applying an infosec mindset to legal questions does not work.  People get
convicted on flimsy evidence all the time-- heck, look at today's paper,
where some guy got convicted of a church bombing 32 years ago based
on 32 year old FBI recordings of (purported) conversations the accused
held with his wife and informants, where he said "bomb" a couple of times,
once close to the word "church".  Compared to the evidence in that case,
a logfile is pretty solid.



1: actually, I'd guess that a competent prosecutor would not even ask
such a question that would cast doubt on logfile evidence, and that the
defense wouldn't bother bringing up the subject, which a typical jury
would find incomprehensible, unless there wasn't any better defense.

Eric
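Both posters take it as given that a plain log file can be edited after the fact without leaving a trace. The following is an added example, not part of the thread above, of the usual engineering answer to that: a forward-secure hash chain over the log, where each entry is MACed under a key that is evolved and discarded after use, so that an intruder who gets root at time t holds only the current key and cannot rewrite or excise earlier entries without the verifier noticing. The log lines, the key and the function names are constructed for the illustration.

```python
import hashlib
import hmac

# Constructed sample syslog-style lines; not from the original thread.
SAMPLE_LOG = [
    "May  2 00:12:01 host sshd[812]: Accepted publickey for alice from 10.0.0.5 port 51022",
    "May  2 00:12:07 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "May  2 00:13:44 host sshd[901]: Failed password for root from 10.0.0.9 port 40211",
]

# Constructed initial key. In practice key0 lives only with the off-host
# verifier; the logging host keeps just the current evolved key.
KEY0 = b"constructed-demo-key-not-for-production"

ZERO = b"\x00" * 32  # chain seed before the first entry


def chain_log(lines, key0):
    """Return [(line, tag_hex)] where tag_i = HMAC(key_i, tag_{i-1} || line_i)
    and key_{i+1} = SHA256(key_i). The old key is dropped after each entry,
    so a later intruder cannot recompute earlier tags."""
    key, prev, entries = key0, ZERO, []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        entries.append((line, tag.hex()))
        prev = tag
        key = hashlib.sha256(key).digest()  # evolve; forget the previous key
    return entries


def verify_chain(entries, key0):
    """Replay the chain from key0. Return the index of the first entry whose
    tag does not verify (edit, deletion or forged insertion), or -1 if the
    chain is internally consistent."""
    key, prev = key0, ZERO
    for i, (line, tag_hex) in enumerate(entries):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
        key = hashlib.sha256(key).digest()
    return -1


def final_tag(entries):
    """The last tag in the chain. Stored off-host (or forwarded to a log
    collector) it detects truncation, which the chain alone cannot."""
    return entries[-1][1] if entries else ZERO.hex()


if __name__ == "__main__":
    entries = chain_log(SAMPLE_LOG, KEY0)
    anchor = final_tag(entries)
    print("intact:", verify_chain(entries, KEY0))            # -1

    # Edit the incriminating sudo line in place.
    tampered = list(entries)
    line, tag = tampered[1]
    tampered[1] = (line.replace("/etc/shadow", "/etc/motd"), tag)
    print("edited entry:", verify_chain(tampered, KEY0))     # 1

    # Delete the sudo line outright.
    deleted = entries[:1] + entries[2:]
    print("deleted entry:", verify_chain(deleted, KEY0))     # 1

    # Chop the tail: chain still verifies, only the anchor reveals it.
    truncated = entries[:-1]
    print("truncated:", verify_chain(truncated, KEY0),
          "anchor matches:", final_tag(truncated) == anchor)  # -1 False
```

The chain alone cannot tell a truncated log from a short one, which is why the final tag (or simply the entries themselves) has to leave the host as they are written; and nothing here stops an intruder from forging entries made after the compromise, since the current key is on the box. What it does give a sysadmin is the ability to say more than "I can't swear to anything": entries up to the point of compromise either verify against the off-host anchor or they do not.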
