Re: [fw-wiz] Acqusition of time
From: Volker Tanger (volker.tanger@discon.de)
Date: 01/29/03
From: Volker Tanger <volker.tanger@discon.de> To: firewall-wizards@honor.icsalabs.com Date: Wed Jan 29 11:44:01 2003
Greetings!
dave wrote:
> Actually a good attorney could tear up any log system even with perfect time
> stamps. All that would need to be proved was the fact that it could
> have been faked.
Basically right. But if you have to explain why you think that "this"
could be the suspected entry and not the one three minutes earlier, an
answer like "because the new Sun machine usually lags a few minutes
behind the Compaq PC" will not be very convincing. There's quite some
difference between
"consistent, sound, but maybe fake"
and
"inconsistent, nonreproducible assumptions and maybe fake"
When trying to dissect problems, log analysis will be a problem without
consistent timestamps. On higher traffic lines (Mbit/s area) you'll have
some ten thousand log entries per minute - which makes it practically
impossible to pinpoint a specific log entry if you do not know the exact
time as index.
Bye
Volker Tanger
IT-Security Consulting
--
discon gmbh
Wrangelstraße 100
D-10997 Berlin
fon +49 30 6104-3307
fax +49 30 6104-3461
volker.tanger@discon.de
http://www.discon.de/
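The effect described in the message above, as an added example that is not part of the original post: it counts how many entries in a busy log remain candidates for one event when the reporting host's clock is trusted to a few milliseconds versus three minutes. The log is constructed, and the function names, the even entry spacing and the 2 ms bound are assumptions; only the rate of ten thousand entries per minute and the three-minute lag come from the message.

```python
import bisect
from datetime import datetime, timedelta

RATE_PER_MIN = 10_000  # "some ten thousand log entries per minute" (from the message)


def build_log(start, minutes, rate_per_min=RATE_PER_MIN):
    """Constructed firewall log: evenly spaced (timestamp, entry_id) tuples."""
    step = timedelta(minutes=1) / rate_per_min  # 6 ms at 10,000 entries/min
    return [(start + i * step, i) for i in range(minutes * rate_per_min)]


def candidates(log, event_time, clock_uncertainty):
    """Return the entries that could be the event reported at event_time.

    event_time comes from another host, so every entry stamped within
    +/- clock_uncertainty of it has to be treated as a possible match.
    log must be sorted by timestamp.
    """
    times = [t for t, _ in log]
    lo = bisect.bisect_left(times, event_time - clock_uncertainty)
    hi = bisect.bisect_right(times, event_time + clock_uncertainty)
    return log[lo:hi]


def compare(log, event_time):
    """Candidate counts for a synchronized clock and for a lagging one."""
    synced = candidates(log, event_time, timedelta(milliseconds=2))
    lagging = candidates(log, event_time, timedelta(minutes=3))
    return len(synced), len(lagging)


if __name__ == "__main__":
    # Constructed sample: ten minutes of traffic starting 11:40:00.
    log = build_log(datetime(2003, 1, 29, 11, 40, 0), minutes=10)
    event_time = log[40167][0]  # the entry we are actually looking for
    synced, lagging = compare(log, event_time)
    print(f"clock known to +/- 2 ms : {synced} candidate entry")
    print(f"clock known to +/- 3 min: {lagging} candidate entries")
```
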