At 12:34 AM 5/2/2001 -0500, Harmon Seaver wrote:
>Greg Broiles wrote:
>
> > Hmm. Can you identify any problems with log files as evidence which aren't
> > also present in, say, eyewitness testimony, audiotape recordings, video
> > recordings, fingerprints, photographs, tool & die marks, paper records, and
> > all of the other evidence which courts admit on a daily basis?
>
> Not so with log files. I could totally delete and manufacture anew a
> log file any way I wished, and nobody could prove it.
You are making unreasonable assumptions about (a) evidentiary law and
practice and (b) current capabilities regarding computer/electronic
forensics, and those unreasonable assumptions are apparently limiting your
ability to reason further.
You might see if you can find a copy of _Evidentiary Foundations_ by Edward
Imwinkelried at a local law school's library, for part (a); and newspaper
articles concerning the investigations and prosecutions of Aldrich Ames,
Robert Hanssen, or CJ Parker for part (b). Or take a look at the materials
collected regarding the investigation and prosecution (and conviction, and
losing appeal) of Randal Schwartz (yeah, the Perl guy), the canonical "I'm
a smart computer guy, you stupid cops don't know nothin'" case, at
<http://www.lightlink.com/spacenka/fors/>.
This is not an area of the law where reasonable people differ. This is easy
black-letter stuff that's only mysterious or controversial to people who
aren't familiar with the field.
If you are trying to make the argument that a few hundred years' worth of
evidence law ought to be discarded, your argument will probably be more
favorably received if you can show that you at least understand that which
you're trying to replace.
The mere possibility of tampering or fabrication is nowhere near sufficient
to render evidence inadmissible - in fact, it's not even a start. Most
trials feature conflicting evidence, all of which was admitted under oath,
which cannot all simultaneously be accurate. Life goes on, and the jury or
judge (as appropriate) pick out the bits of truth they choose to rely upon,
discarding the rest.
You're arguing about admissibility when you ought to be arguing about
credibility - but even if you make that shift, what you're not seeing is
that the "you can't trust evidence which might conceivably be false"
argument is a big loser, practically speaking. Sure, you can make it - just
like CJ did, as did Jim Bell, twice. That argument is 0-for-3, in recent
cypherpunk experience. Maybe Keith Henson tried it too, I don't know - but
it's a dead end, especially without a plausible explanation for the
fabrication/modification. (Not only is it unconvincing, it shifts the
defense away from a "was a crime actually committed?" argument onto a "a
crime was committed, but the defendant isn't the guy who did it" argument,
which is frequently harder to make ... especially if the defendant looks and
acts like the sort of person who would do the sort of thing they're accused
of. The rest of the defense's case has got to fit that theory, too - you
can't mix "no crime occurred" and "it wasn't me" and "it was an accident"
in front of a jury ...)
I don't care - believe what you want. But the "mutability of electronic
evidence" argument is not going to keep anyone's butt out of jail, no
matter how many sysadmins you put on the witness stand. If you can show
actual tampering with evidence in a specific case - sure, that's
interesting. If not, look for a better issue to fight over.
--
Greg Broiles
[EMAIL PROTECTED]
"Organized crime is the price we pay for organization." -- Raymond Chandler