Splunk for Felonies and Misdemeanors


We receive a lot of questions from our customers along the following lines:

  • “Is the data indexed by Splunk admissible as evidence in court?”
  • “What assurances can you provide that data indexed by Splunk is forensically sound?”
  • “What assurances can you provide that the data indexed by Splunk has not been tampered with?”
  • “What assurances can you provide that data exported from Splunk will be admissible as evidence in court?”

These are all great questions.  They indicate that the depth of value provided by IT data is actually far greater than at first glance.  Unfortunately, as with many things Splunk (and most things legal), the answer to each of these questions is “it depends.”

I intend to tackle these questions with two distinct Splunk blog posts:

  1. How you can use Splunk to help meet your legal requirements
  2. How you can use Splunk to help meet your information assurance requirements

Although I am not a forensics expert, I have worked with several Splunk customers to make sure that Splunk meets their forensic requirements as closely as possible.  I have also worked with several of our customers to configure Splunk to meet their information assurance requirements – more on that in part 2 of this post, forthcoming.

Each organization that I have worked with has had different legal requirements and associated IT data standards that must be met.  I strongly recommend that your organization’s counsel have the first and last say in terms of what you should and should not be doing with IT data that might someday have to be used as evidence – that kind of accountability is why they can bill you at those high hourly rates!


There are several definitions, delineations, and assumptions that we need to undertake before we can proceed.  These are intentionally brief and oversimplified in the interest of succinctness.

Jurisdiction – The territory or legal system under which legal power will be exercised.

The issue of jurisdiction is of primary importance.  Jurisdiction can be especially tricky with regard to cases wherein a party who resides in one jurisdiction broke the law on a system in another jurisdiction, especially when law enforcement is considered.  For simplicity’s sake, let us assume that the jurisdiction for this discussion is United States Federal Criminal Court.

Criminal Law – The portion of the law for a given jurisdiction that deals with crimes against the “corpus” of the state as well as punishment for said crimes.

Civil Law – Also known as “Torts”, this is the portion of the law for a given jurisdiction that deals with the resolution of personal disputes that occurred outside the context of a contract, as well as compensatory remediation of said disputes.  There is some ambiguous overlap between criminal law and civil law, to say the least.

Computer Fraud – Deception or concealment using computer equipment that is intended to result in unfair advantage or undue gains.

Computer Abuse – The use of a computer system in a manner that is expressly against the purpose or intent of said computer system.

In the past, most cases of computer fraud and abuse were not explicitly covered under US Criminal Law.  However, recent legislation, specifically Title 18 U.S.C. 1030, has changed the forum of cases involving “protected computers” to criminal court.

Protected Computers – Very generally, a computer owned or operated by the US Government, a Financial Institution, or involved in interstate or international commerce or communication.

Electronic Evidence – Any information submitted as evidence in court that is stored or transmitted electronically (i.e. not tangible or human-readable in its native form).

Hearsay – Evidence submitted by an individual within the context of the court that is based on statements or information gathered from another individual or individuals outside the context of the court.

Electronic evidence is sometimes cited as hearsay evidence in criminal court, which effectively lessens the efficacy of said evidence toward the end of a successful prosecution.  To become admissible in court, electronic evidence must fall under at least one common exception to the definition of traditional hearsay evidence.

In civil law, this same tactic has been recently challenged by changes to the Federal Rules of Civil Procedure regarding electronic discovery (more commonly called “eDiscovery”).

Electronic Discovery (eDiscovery) – The process by which any electronic information that may be submitted as evidence in a civil court is collected.

To date, the data most commonly collected by eDiscovery (email, voicemail, office documents) seldom if ever overlaps with the IT data collected and indexed by Splunk.  That said, eDiscovery is a relatively new endeavor and changes in the field happen quickly.  For now, your counsel will have to keep you advised of the most recent trends and standards.

By now it should be clear why everyone always told me that I should be a lawyer – my propensity for the mundane!  Why didn’t I become a lawyer?  I noticed that none of the people telling me to go to law school had actually done so themselves!


Moving on quickly, the question remains: is the IT data indexed by Splunk admissible in court?  It turns out that there is perhaps a more apt question: what does an organization need to do to increase the chances that the IT data indexed by Splunk will be able to be used as evidence in court?

Collect all the data, all the time, in the same place, using the same collection mechanism.

At this point, it is perfectly reasonable to think, “of course you want me to collect all the data using Splunk – more money for Splunk!”  You, ma’am and sir, make a good and reasonable point.  With all those smarts, perhaps you all should have become lawyers?   Hollow compliments aside, there is actually another valid reason to make sure that your organization is getting all the data in the same place using the same tool and/or process.

In talking to Splunk customers who have been in the unenviable position where their IT data became digital evidence, I discovered that one of the best ways to help avoid hearsay claims is to collect all IT data as a standard part of normal business operations.  This constitutes a “business record exception”, otherwise characterized as invoking the “business entry rule”.  The effect of this and other hearsay exemptions is that the digital evidence better satisfies tests of trustworthiness, promoting admissibility.

If your organization can demonstrate that you collect ALL your IT data (not just the data relevant to prosecuting the case in question) and that you collect it ALL THE TIME (not just around the time that the law was allegedly broken), then you have a fighting chance of getting the relevant electronic information admitted as evidence.

Of course, there are more layers to the discussion.  A common tactic against the business records exemption might be to demonstrate a failure to adhere to process.

Perform a daily log review process, including an accounting of all included systems, and perform an on-going audit of that process on paper.

I can hear some readers now: “I have to kill how many trees to cover my company’s a** in court?”  Yes, in some cases, it is the paper trail that can facilitate the admission of digital evidence as part of a business records exception.

I have worked with customers in some highly regulated industries that printed out logs fed to a terminal or screen shots of certain monitoring consoles.  In at least one case, the customer then signed this printed data over to a secure third-party for fulfillment of the chain of custody.

For most organizations, I would instead recommend that an audited daily log review process be implemented.  Splunk provides a daily log review process using event types and tags (check out the Splunk Wiki for more information).  To audit this process, the Splunk audit log and a list of all the devices, sources, and source types (for example, the output of `| metadata type=hosts`) should be printed out on a daily basis, signed and dated by the person or persons responsible for daily log review, and stored in a secure repository.
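To make the daily accounting above a little more concrete, here is an added example of the kind of attestation sheet a reviewer might print and sign each day.  It is not code from Splunk or from this post, and it assumes that the result of `| metadata type=hosts` has been exported as CSV with the command’s usual fields (host, firstTime, lastTime, recentTime, totalCount); the sample CSV, the prior-day host set and the reviewer name are all constructed placeholders.  Beyond the post’s own steps, it also compares today’s host inventory with yesterday’s so that a system that silently stopped reporting shows up on the sheet, which is the kind of process lapse a “failure to adhere to process” argument would latch on to.

```python
"""Build a printable daily log-review attestation from a Splunk host inventory export."""
import csv
import hashlib
import io
from datetime import date

# Constructed sample: a CSV export of `| metadata type=hosts`.
# Field names follow the metadata command; host names and counts are made up.
TODAY_CSV = """host,firstTime,lastTime,recentTime,totalCount
web01,1288000000,1288086000,1288086000,48211
web02,1288000000,1288086000,1288086000,47098
db01,1288000000,1288086000,1288086000,9120
"""

# Constructed: the host set recorded on the previous day's signed sheet.
YESTERDAY_HOSTS = {"web01", "web02", "db01", "fw01"}


def parse_metadata_csv(text):
    """Return {host: totalCount} from a metadata CSV export."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["host"]: int(row["totalCount"]) for row in reader}


def find_gaps(today_counts, yesterday_hosts):
    """Hosts present yesterday but missing today, and hosts that are new today."""
    today_hosts = set(today_counts)
    missing = sorted(yesterday_hosts - today_hosts)
    new = sorted(today_hosts - yesterday_hosts)
    return missing, new


def inventory_digest(text):
    """SHA-256 of the raw export, so the signed sheet can be tied to the stored file."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_attestation(text, yesterday_hosts, reviewer, when):
    """Assemble the sheet and return its findings alongside the printable text."""
    counts = parse_metadata_csv(text)
    missing, new = find_gaps(counts, yesterday_hosts)
    digest = inventory_digest(text)
    lines = [
        f"Daily log review attestation for {when.isoformat()}",
        f"Reviewer: {reviewer}",
        f"Hosts reporting: {len(counts)}",
        f"Events accounted for: {sum(counts.values())}",
        f"Hosts missing since prior day: {', '.join(missing) or 'none'}",
        f"Hosts new since prior day: {', '.join(new) or 'none'}",
        f"Inventory export SHA-256: {digest}",
        "",
        "Signature: ______________________   Date: __________",
    ]
    return {
        "hosts": len(counts),
        "events": sum(counts.values()),
        "missing": missing,
        "new": new,
        "digest": digest,
        "sheet": "\n".join(lines),
    }


if __name__ == "__main__":
    # Placeholder reviewer name; in practice this is the person signing the sheet.
    result = build_attestation(TODAY_CSV, YESTERDAY_HOSTS, "REVIEWER NAME", date(2010, 10, 26))
    print(result["sheet"])
```

The digest line is what links the paper copy to the electronic export kept in the secure repository: anyone later checking the file can recompute the hash and confirm it is the same inventory the reviewer signed for.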

This printing and storing process might seem tedious.  One might feel annoyed at this seeming redoubling of work and recounting of information that Splunk already captures digitally.  But hey, we are talking about satisfying the requirements of the US Legal System, right?  From the makers of … the US Tax Code!

Until my national legal system makes further headway into the tedious tasks of classifying and standardizing the admission of electronic data, most of us are unfortunately stuck buying even more reams of printer paper from Dunder-Miflin Sabre Office Depot.

Retain personnel who are competent in computer forensics, specifically in regard to the proper transfer of digital evidence during a seizure.

Doesn’t this one seem like a no-brainer?  Nonetheless, there are still instances where due to improper handling of digital evidence, cases fail to go to trial due to insufficient evidence.  Engage an expert whose job it is to identify, collect, store, and analyze digital information, kind of like my buddy Vi told you the other week when she urged you to “Go Pro” with Splunk!


In part 2 of this blog entry, we will turn our attention to how Splunk can help with information assurance, a practice that can further increase the trustworthiness of ALL that IT data that you are going to be collecting ALL THE TIME – with Splunk, of course!

Posted by Alex Raitz