I am sure by now everybody has heard about this UBS case, mostly due to a sneaky "he is a hacker" defense tactic ("@Stake had employed hackers [oh, horror - AC :-)] and Adams questioned several witnesses about whether hackers could be trusted with critical evidence...").
But there is another, less well-covered aspect of this: logs. Here is an example: "Faulkner testified Wednesday that logs of any kind are poor forensics evidence." I suspect he is talking about the "logs = hearsay" argument, which might or might not fly.
Moreover, it gets deeper: "Faulkner said the logs can't be trusted as a form of evidence because too many of them can be edited by a root user. And he added that there are different means of access, for example, that aren't recorded in a specific log. Faulkner said user history logs can be edited by a root user, as can SU logs and command logs, which record what commands were made on the system. ''The logs are more for accounting,'' he told the jury. ''They're not designed for investigative purposes because they don't log everything.''"
It makes little if any sense to me. From what I read (yeah, I know, IANAL, etc.), just saying that something can be done does not invalidate the use of logs. Yes, UDP syslog can be spoofed, injected and intercepted, but that clearly doesn't lead to all syslogs being thrown out all the time. Yes, files can be modified, but it doesn't mean they actually were.
So, what logs specifically were used: "VPN logs, WTMP logs [...] and SU (Switch User) logs." Are they guaranteed to always be bad evidence? Definitely not!
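As an added illustration (not part of the original post or of the case record) of why "root could have edited the log" is a statement about possibility rather than fact: if each record is chained with a forward-secure MAC as it is written, or forwarded to a collector that does the chaining, a later edit, insertion or deletion of earlier entries becomes detectable, and the question "were the logs modified?" gets a checkable answer. The sample records, the key and the function names below are constructed for this example.

```python
import hashlib
import hmac

# Constructed sample records in the spirit of WTMP / su / command logs.
# They are illustrative only and have nothing to do with the UBS case.
SAMPLE_RECORDS = [
    "2002-03-04T09:12:01 host1 login: alice from 10.0.0.5 on pts/0",
    "2002-03-04T09:13:44 host1 su: alice to root on pts/0",
    "2002-03-04T09:14:02 host1 cmd: root ran /usr/bin/find / -name core",
]

SEED_TAG = b"\x00" * 32  # fixed "previous tag" for the first record


def derive_next_key(key: bytes) -> bytes:
    """Evolve the MAC key one step (one-way, so the old key cannot be recovered)."""
    return hashlib.sha256(b"log-key-evolve" + key).digest()


def chain_records(records, initial_key: bytes):
    """Tag each record with HMAC(key_i, prev_tag || record), then evolve the key.

    The writer keeps only the current key and discards earlier ones, so even a
    root user who later obtains the host's key material cannot re-tag entries
    written before the compromise (forward security).
    Returns a list of (record, hex_tag) pairs.
    """
    key = initial_key
    prev_tag = SEED_TAG
    chained = []
    for rec in records:
        tag = hmac.new(key, prev_tag + rec.encode(), hashlib.sha256).digest()
        chained.append((rec, tag.hex()))
        prev_tag = tag
        key = derive_next_key(key)  # old key gone; new key is for the next record only
    return chained


def verify_chain(chained, initial_key: bytes) -> int:
    """Recompute the chain from the initial key (held by the verifier/collector).

    Returns -1 if every tag verifies, otherwise the index of the first record
    whose tag does not match (an edit, insertion or deletion at or before it).
    """
    key = initial_key
    prev_tag = SEED_TAG
    for i, (rec, hex_tag) in enumerate(chained):
        expected = hmac.new(key, prev_tag + rec.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(hex_tag)):
            return i
        prev_tag = expected
        key = derive_next_key(key)
    return -1


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-a-real-secret"
    good = chain_records(SAMPLE_RECORDS, demo_key)
    print("intact chain:", verify_chain(good, demo_key))        # -1

    edited = list(good)
    edited[1] = (edited[1][0].replace("alice", "bob"), edited[1][1])
    print("edited su record:", verify_chain(edited, demo_key))  # 1

    deleted = [good[0], good[2]]
    print("su record removed:", verify_chain(deleted, demo_key))  # 1
```

Two limitations worth knowing when weighing this kind of evidence: the scheme protects entries written before a compromise, not entries appended afterwards with the then-current key, and silently truncating the tail of the chain is only caught if the verifier also knows how many records to expect (for example from a collector that receives the stream in real time). Both are why forwarding to a separate, append-only host matters more than any clever tagging on the host itself.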
Here are some more interesting comments on the same case (and, no, I didn't write them :-)).