Re: Integrity of Log Files

From: comphelp@xxxxxxxxx (Todd H.)
Date: Sun, 05 Oct 2008 13:45:48 -0500

John Miller <this_address@xxxxxxxxxx> writes:

Let's assume police were accusing somebody of having downloaded illegal
content from a web server that has been seized -- in a log file they
found an IP address that could unequivocally be related to him by his
ISP.

How could this person argue if he actually did not do what he is accused
of? Could he claim that the log file may be incorrect with chances of
success?

One of the perennial difficulties of prosecuting cybercrime is putting
hands behind a keyboard at the time it was committed.

If you're asking on behalf of a possible defendant, CONSULT AN
ATTORNEY THAT'S EXPERIENCED IN DEFENDING IN CYBERCRIME CASES. NOW.

Generally speaking, though, among the things that prevent police from
successfully prosecuting is the fact an IP address is in a log file by
no means gets you down to a person behind a keyboard. No matter what
an ISP says.

The client computer could have been infected by a bot or unwittingly
running a proxy used by someone else. In such a case, yes, the
originating IP address logged on the web server will be the address of
the infected computer, but that's not the person who downloaded the
file. Another option, someone else (neighbor kid) could've been on an
open access point at the residence associated with that IP address.
Server side, the log files may not be reliable -- has chain of custody
been maintained on the web server involved? If the web server was
infected enough to have illegal content, can its logs be trusted? Has
chain of custody been maintained on the seized computer?

Also, I imagine the lawyer will advise the defendant of the difference
in the threshold of a civil vs a criminal case. The bar is gernally
lower in civil cases (preponderance of evidence vs beyond a resonable
doubt).

Most general attorneys dont' know jack about technology. This really
takes a specialist to defend adequately.

If the person you're asking for is indeed innocent, best of luck to
them.

Best Regards,
--
Todd H.
http://www.toddh.net/
.

References:
- Integrity of Log Files
  - From: John Miller

Prev by Date: Re: Integrity of Log Files
Next by Date: New email encryption website
Previous by thread: Re: Integrity of Log Files
Next by thread: New email encryption website
Index(es):
- Date
- Thread

Relevant Pages

Re: File deletion problem
... > one of my servers some process is writing a log file and ... > up with is to use fstat to find all the open files inodes and then to ... > Unfortunately this is a large web server with lots of files. ... along with info on the process holding the fd. ...
(freebsd-questions)
using php local file include vulnerabilities for command execution
... statement the are -- if they contain a valid php statement. ... and in a second step simply use the already existent local file vuln ... to read and the server's log file and this way execute the code. ... the web server has to log referer strings and the log files must ...
(Bugtraq)
Re: suggestions invited
... monitoring data and formats it appropriately for human consumption. ... status to a remote syslogd, perhaps on your web server, and parse the ... log file for the status data. ...
(comp.lang.python)
Re: Update Performance
... that your transaction log file is on. ... >I have a stored procedure that is executed on every web request that we ... > On the web server, I get about 50 Requests a second. ... > If I comment out this line, I get about 350 Requests a second. ...
(microsoft.public.sqlserver.programming)