On Sat, 22 Feb 2003, Cameron Simpson wrote: > | As such, there can be proof that a file had not been modified since a > | certain date. > > This is not. Remember that implication is not equivalence.
Very true. In fact, for something to be repudiated, all you need to do is: 1. Break the chain of custody. 2. Call into question the accuracy of the time-stamping. 3. Show possible gaps in access/authentication controls. 4. Show that logs/files are kept on mutable media after the alleged electronic event. I haven't really been following the whole thread, but it seems like the question is "how do you prove a file hasn't been modified?" A computer forensics person would need to show that the system was keeping accurate time all along, and that the file shown is the original file with a chain of custody going back to the original event, with adequate controls in place to prevent unauthorized and unauthenticated transactions. This is why computer records are usually not considered "proof," but merely corroborating evidence to back up expert opinion. IANAL, so people should consult their resident ambulance-chaser for currest case law relating to rules of evidence and so forth. -- "Of course I'm in shape! Round's a shape, isn't it?" -- redhat-list mailing list unsubscribe mailto:[EMAIL PROTECTED] https://listman.redhat.com/mailman/listinfo/redhat-list