RE: [fw-wiz] Acqusition of time
From: dave (dave@netmedic.net)
Date: 01/29/03
From: "dave" <dave@netmedic.net>
To: "'Paul D. Robertson'" <proberts@patriot.net>
Date: Wed Jan 29 19:29:01 2003
Actually it is true and maybe has happened.
You are comparing physical evidence discovered by LEO/I and that followed
the rules for evidentiary handling. Note, if just one bad seed "fruits of
the poisonous tree" contaminates this, the whole of the evidence is no
longer eligible.
I will give you a "hypothetical" or "maybe not" situation involving say
(just randomly picking here :) ) the audit trail of an e-mail server.
Let's just say the crime happened 2 months ago, and was discovered by the IT
auditor at the said business who spent another two weeks looking through
logs, e-mails etc. until he found the "evidence" he was looking for. He
then calls the proper authorities and says hey look what I found.
This would be a field day for a good attorney. Could he prove that this
auditor contaminated the evidence? And, if so in how many ways?
I could think of a few, of course this is just my opinion, not saying I ever
saw it happen or anything like that.
Dave Kleiman
dave@netmedic.net
www.netmedic.net
-----Original Message-----
From: proberts@gargoyle.users.patriot.net
[mailto:proberts@gargoyle.users.patriot.net] On Behalf Of Paul D. Robertson
Sent: Wednesday, January 29, 2003 11:56
To: dave
Cc: 'Noonan, Wesley'; 'Brian Monkman'; firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] Acqusition of time
On Wed, 29 Jan 2003, dave wrote:
> Actually a good attorney could tear up any log system even with perfect
> time stamps. All that would need to be proved was the fact that it could
> have been faked.
This simply isn't true. Just as physical evidence can be planted,
photographic evidence could be faked, or forensics could be falsified,
saying "it possibly could have been..." won't win you an instant
acquittal. It takes lots of bumbling by the prosecution and its witnesses
to give you a "Mark Fuhrman" kind of out, even if you hire the dream team
for your defense.
Log files are admissible as machine records, and as such, they're valid
evidence. While it'd be difficult to get a conviction on log files alone,
it's not impossible, and really what you really want is enough to get the
person to plea out anyway, it's much cheaper on the entire system.
If you were to challenge the admissibility, you'd have to show why they
weren't admissible, and possibility isn't as strong in admissibility as it
is in guilt.
If I can show that the logs are normal, and how they produce their
records, and what you would have done to make that happen, "they could be
changed!" won't get you off any easier than "my PC was trojaned!" Which
appears to be the new "dog ate my homework" excuse of note. Please note
that for criminal cases (in .us anyway) the standard for not guilty is
_reasonable_ doubt, not _any_ doubt.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation