Friday, March 03, 2006

On Litigation-quality Log Data

The subject of "court-admissibility" and "litigation-quality" of computer records, such as log data is long known to be controversial and ambiguous. And, it is well-known that only actual court case may be used to reliably establish the admissibility of a specific piece of evidence. Here is some fun discussion on whether only raw (i.e. unprocessed further) logs or also tokenized (parsed or stored in a database) logs may be used.

Raffy’s Computer Security Blog » Log Management Article - My Comments: "On the same topic of litigation quality data, the author suggest that a copy of the logs are save in the original, raw format while analysis is done on the other copy. I don’t agree with this. I know, in this matter my opinion does not really count and nobody is really interested in it, but I will have some proof soon that this is not required. I am not a lawyer, so I will not even try to explain the rational behind allowing the processing of the original logs and still maintaining litigation quality data. "

Here is a pointer that might shed some light on this subject: "Computer Records and the Federal Rules of Evidence". It summarized three challenges to the admissibility of log data. Namely:

"Challenges to the authenticity of computer records often take one of three forms.
First, parties may challenge the authenticity of both computer-generated and computer-stored records by questioning whether the records were altered, manipulated, or damaged after they were created.

Second, parties may question the authenticity of computer-generated records by challenging the reliability of the computer program that generated the records.

Third, parties may challenge the authenticity of computer-stored records by questioning the identity of their author."

To me ("I am not a lawyer, etc") it seems that Raffy is right the database storage should not endange the admisibility, in general. But if your parsing rules for stuffing records into a database are buggy (i.e. invoking the above reliability challenge!) - ah, now we are talking perverse fun and lawyer fees! :-)

Another person chimes in. Cfrln » Blog Archive » fact and fiction about chain of evidence: "The real admissibility problem is if the court can’t be satisfied that the output hasn’t been intentionally altered to hide the truth, or if there’s uncertainty about how the output of a message actually ties to real activity. Any potential for crackers or malicious insiders to intercept messages in their path from original action, through various programs, across the network, via direct filesystem access, etc. is an issue. Any lack of transparency or change control on any of the programs involved in handling log processing is also a problem."

This bit also points at the same direction: database by itself won't seem to be a problem, but fuzzy, unreliable and insecure code to stuff it might...

Dr Anton Chuvakin