RE: [fw-wiz] Acqusition of time

From: dave (
Date: 01/29/03

From: "dave" <>
To: "'Paul D. Robertson'" <>
Date: Wed Jan 29 20:37:01 2003

Excellent responses.

Tina's URL's were right on the money.

I guess I will just have watch a few more of these cases pan out.

Maybe the other side was just weak and did not know what they were doing in
the one I watched unfold.

Thank you,


Dave Kleiman


-----Original Message-----
[] On Behalf Of Paul D. Robertson
Sent: Wednesday, January 29, 2003 20:32
To: dave
Cc: 'Noonan, Wesley'; 'Brian Monkman';;
Subject: RE: [fw-wiz] Acqusition of time

On Wed, 29 Jan 2003, dave wrote:

> Actually it is true and maybe has happened.
> You are comparing physical evidence discovered by LEO/I and that followed
> the rules for evidentiary handling. Note, if just one bad seed "fruits of
> the poisonous tree" contaminates this, the whole of the evidence is no
> longer eligible.

The same types of handling is done with log file evidence- and its
discovery is just about akin to lots of physical evidence- it's discovered
by the first person on the scene, who figures out a crime has happened,
then calls in the right people (not always law enforcement up front.)

Just as first responders to a shooting don't contaminate the phyiscal
evidence beyond admissibility trying to do CPR on the victim, the mere
chance something *could* have been disturbed doesn't make it inadmissable.
I'd really encourage you to read the thread that Tina Bird referenced.
One of the contributers to that thread wrote the DOJ analysis of
admissability for the federal rules.

> I will give you a "hypothetical" or "maybe not" situation involving say
> (just randomly picking here :) ) the audit trail of an e-mail server.
> Lets just say the crime happened 2 months ago, and was discovered by the
> auditor at the said business who spent another two weeks looking through
> logs, e-mails etc. until he found the "evidence" he was looking for. He
> then calls the proper authorities and says hey look what I found.
> This would be a field day for a good attorney. Could he prove that this
> auditor contaminated the evidence? And, if so in how many ways?

Once again, the possibility that someone *could* have contaminated the
evidence does *NOT* taint it's admissibility. The first person on a
murder scene often moves the victim to attempt recessatation, that doesn't
invalidate the crime scene.

> I could think of a few, of course this is just my opinion, not saying I
> saw it happen or anything like that.

Again, I'd refer you to the thread that was posted by Tina Bird. The
major issue is admissability as evidence, and the rules and procedures for
log files have been solidified quite a bit over the last few years. You'd
have to show the logs weren't consistent with untampered logs to stop

The law works in pretty obvious ways, if the evidence *was* tampered with,
then it shouldn't be admissable. If it wasn't, or there's not a strong
indication that it was, then it should be.

Typcially, in your example, the auditor would testify to what he found,
and the administrator of the system would testify to the validity of the

A good investigator would provide correlation to other events, evidence
and validate that the data was good well before we got to that place.
Subpoenas/search warrants for access to collaborating data would be
persued from the court in the very early stages of the game. I've written a
affidavits, it's not all that complex and it's not all that mysterious a

It's easy to make things better for admissability purposes, but just the
fact that digital media can be altered won't save someone who's done
something wrong. If they're counting on that, then they're going to be

Log files (apologies for those who wade through this and aren't .us
centric) are generally classified as "machine records" and therefore not
subject to the hearsay provision- that's despite the fact that they
generally exist on magnetic media that's subject to alteration.

If a "good defense attorney" gets a client off due to the *potential* for
change in logs then (a) the evidence wasn't all that good, (b) the
investigator(s) messed up, and (c) the prosecutor really failed.

I've spent a fair ammount of time going over evidence before presenting an
analysis of it to law enforcement. I've had law enforcement get a warrant
and go into someone's home based on log analysis and forensics I've done
weeks after the fact, and I don't think that's all that uncommon in
complex cases (heck, at one time the local FBI lab's wait time on
analysis was over 30 days!.)

> > Actually a good attorney could tear up any log system even with perfect
> time
> > stamps. All that need would need to be proved was the fact that it
> > have been faked.

Once again, my issue here is that "proving" that a log file *could* have
been faked doesn't automatically make it inadmissable. Once it's
admitted, as a machine record, you're likely to lose the "dueling battle
of expert witnesses" game with any competent prosecution expert, and any
good investigator.

Now, if we modify your statement above to match your scenerio some, where
someone's dinked around for a couple weeks, it really, really depends on
how "forensics friendly" an environment your theoretical auditor has
dinked around in. If they've done a forensicly sound copy of the log
disk, and they searched and played on a copy, then the original evidence
is still absolutely good to go, and admissable as a machine record of
events as they transpired (barring any really unusual issues.) If they've
opened the primary logs in an editor, resaved them afterwards, then it's
slightly more difficult (though really all we need is their testimony of
what they did, especially if it's backed up with step-by-step notes of
their actions.) Neither of those actions has negated the crime that's
happend, so neither of them kills the evidence of the crime. Assuming
e-mail logs, there's likely to be corroborating evidence in 3 or 4 more
places, and all the prosecution really needs is a good analysis of one of
those to slam dunk it.

[1] I'm still not a lawyer.
Paul D. Robertson "My statements in this message are personal opinions which may have no basis whatsoever in fact." Director of Risk Assessment TruSecure Corporation