On Sat, 22 Feb 2003, Cameron Simpson wrote:

> | As such, there can be proof that a file had not been modified since a
> | certain date.
> 
> This is not. Remember that implication is not equivalence.

Very true. In fact, for something to be repudiated, all you need to do is:

        1. Break the chain of custody.
        2. Call into question the accuracy of the time-stamping.
        3. Show possible gaps in access/authentication controls.
        4. Show that logs/files are kept on mutable media after the 
        alleged electronic event.

I haven't really been following the whole thread, but it seems like the
question is "how do you prove a file hasn't been modified?" A computer
forensics person would need to show that the system was keeping accurate
time all along, and that the file shown is the original file with a chain
of custody going back to the original event, with adequate controls in
place to prevent unauthorized and unauthenticated transactions.

This is why computer records are usually not considered "proof," but
merely corroborating evidence to back up expert opinion. IANAL, so people 
should consult their resident ambulance-chaser for current case law 
relating to rules of evidence and so forth.

-- 
"Of course I'm in shape! Round's a shape, isn't it?"


