Greg Broiles wrote:

> Hmm. Can you identify any problems with log files as evidence which aren't
> also present in, say, eyewitness testimony, audiotape recordings, video
> recordings, fingerprints, photographs, tool & die marks, paper records, and
> all of the other evidence which courts admit on a daily basis?

    Of course -- the fact is that they *do* get altered, forged quite
frequently. I've altered my own logs for various reasons, I've cut and pasted
pieces of logs into email and other things, and I've had servers that I
admined get hacked and the logs altered. It's SOP for hackers to alter the
logs. So as a sysadmin, I'd have to testify that I could not possibly swear
that a log represented anything at all, one way or another. And any sysadmin
who would is a fool if not a liar.
      The same does hold true for video and audio recordings, and photos, but
to a lesser extent. The technology now exists to so easily counterfeit images
-- look at the problems with currency. The difference is that these mediums
might not get forged well enough as to not leave a trace, and later, in-depth
inspection might well reveal the tampering. But a judge who just allows a photo
or a recording as evidence is pretty naive. Paper records, fingerprints --
some things get harder to alter -- but look how easy it is to forge a person's
signature, perfectly without a flaw. Just scan the real sig and use a plotter.

       Not so with log files. I could totally delete and manufacture anew a
log file any way I wished, and nobody could prove it. If they had router logs
from some other ISP that contradicted my logs, they might suspect something --
but the validity of all logs is pretty nebulous.


--
Harmon Seaver, MLIS
CyberShamanix
Work 920-203-9633   [EMAIL PROTECTED]
Home 920-233-5820 [EMAIL PROTECTED]
