SECURITY

fact and fiction about chain of evidence

Raffael Marty, who I already know is a very smart guy, had the guts and insight to say what no one else wants to say about chain of evidence and court admissibility of log data. He points out that “unaltered” is a totally fictitious requirement for maintaining admissibility of log data as evidence. Go Raffy! He promises follow-on posts about the details of why he says so.

But meanwhile I’ll take my own stab at why. Basically, log data is recorded by computer programs. Often these programs hand the actual log output to other programs, say syslog or log4j, which themselves add timestamps, headers, and so on. If a log management system of some type does further parsing on that output, then as long as the system is automated and its logic can be examined, the resulting output is really no less “unaltered” than syslog’s output, is it?

The real admissibility problem is whether the court can be satisfied that the output hasn’t been intentionally altered to hide the truth, and whether there’s uncertainty about how a logged message actually ties to real activity. Any potential for crackers or malicious insiders to intercept messages on their path from the original action, through various programs, across the network, via direct filesystem access, and so on, is an issue. So is any lack of transparency or change control on any of the programs involved in log processing.

Matching a signed hash on a final “unaltered” archived log record against a signed hash that can reasonably be believed to have been captured early in the process is one technique for removing some of this uncertainty, but it’s only one. And keeping “original” messages around without reasonable safeguards against unauthorized changes is basically just a waste of disk space.
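To make the capture-time hash idea concrete, here is an added example (mine, not code from the original post or from Splunk): an agent near the origin records an HMAC over the payload fields of an event before syslog-style and SIEM-style stages add their own headers, and the archive later recomputes it. The field names, the pipeline stages and the key location are assumptions for illustration; the key would in practice be held by the collector or a separate notary, not beside the archive.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): in a real deployment it lives with the
# capture agent or an independent notary, never with the archive it protects.
CAPTURE_KEY = b"constructed-demo-key-not-for-production"

def canonical(event: dict) -> bytes:
    """Canonical bytes of the fields someone would want to change.
    Transport-added fields (syslog header, parsed severity) are excluded
    because automated, inspectable stages legitimately add or rewrite them."""
    core = {k: event[k] for k in ("host", "user", "action", "message")}
    return json.dumps(core, sort_keys=True, separators=(",", ":")).encode()

def sign_at_capture(event: dict) -> str:
    """Producer side: tag the canonical payload as early as possible,
    before syslog, log4j or the log manager touch the record."""
    return hmac.new(CAPTURE_KEY, canonical(event), hashlib.sha256).hexdigest()

def log_pipeline(event: dict) -> dict:
    """Simulated automated processing: a syslog-style header and a parsed
    field are added; the original payload fields pass through unchanged."""
    out = dict(event)
    out["syslog_header"] = "<34>Oct 11 22:14:15 " + event["host"]
    out["parsed_severity"] = "crit"
    return out

def verify_archived(archived: dict, capture_tag: str) -> bool:
    """Archive side: recompute over the archived record's canonical payload
    and compare in constant time with the capture-time tag."""
    expected = hmac.new(CAPTURE_KEY, canonical(archived), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, capture_tag)

# Constructed sample record as emitted by the originating program.
ORIGINAL = {"host": "db01", "user": "alice", "action": "sudo",
            "message": "useradd -m deploy"}

def demo() -> tuple:
    tag = sign_at_capture(ORIGINAL)
    archived = log_pipeline(ORIGINAL)       # automated, examinable changes only
    ok_after_pipeline = verify_archived(archived, tag)
    tampered = dict(archived, user="bob")    # an edit to the payload itself
    ok_after_tamper = verify_archived(tampered, tag)
    return ok_after_pipeline, ok_after_tamper

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The header added by the pipeline does not break verification, while a change to a payload field does, which is the distinction the argument above turns on.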

(I’ll also repeat Raffy’s disclaimer about not being a lawyer, etc.)

Posted by Splunk