On Mon, Apr 30, 2001 at 12:13:01AM -0400, Phillip H. Zakas wrote:
> i agree...unless you're specifically directed to do so, maintaining log
> files is completely optional. there are no regs requiring isps or websites
> or mail providers to do so, other than the standard 'you need to comply with
> a court order or search warrant, etc.'
From recent experience, LE provides us with an order to preserve
certain logged information. The order is in advance of obtaining
a search warrant, and specifies what information will be requested
in the warrant. In an incident earlier this year, we received the
order six weeks before the warrant was issued. The existence of
the order was sealed.
We keep email transaction logs for seven days based on disk
considerations. Each of our popmail machines (45000 users) generates
350MB of compressed logs per week.
Until a warrant is received we don't turn over anything.
> as for the 'encrypt it' or 'store it overseas' method, i'd be concerned that
> a court would force the isp to produce the key or produce the decrypted or
> stored log files. would prefer to see no log files or daily deleted log
> files (which is good enough for most ids needs anyway.)
Actually, seven days works out well for us. Sometimes it takes
several days for a user to report a problem.
> if one doesn't collect log files at all, i wonder if LE could force an isp
> to turn on logging for all users (then munge the results) or if the isp
> would be allowed to selectively log only the information sought in an
> investigation. plus, what happens to the entire log files turned over in an
> investigation? do the irrelevant entries get destroyed, or does munging a
> file destroy the cyber forensics value?
When we turn over information pursuant to a warrant, we only turn over
that specific information, not entire logfiles. We do keep the logs
the information was extracted from, in case there is some question
of the validity of the information.
--
Kevin L. Prigge
Internet Services
U of MN, Twin Cities
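The practice described in the reply above (produce only the entries responsive to the warrant, retain the source log so the extract can be validated later) is worth pinning down as a repeatable procedure. The following is an added illustration, not code from anyone in this thread or from the U of MN mail systems: it filters a constructed syslog-style mail transaction log by identifier and date window, and writes a manifest that records a SHA-256 of the retained source log and of the extract, so that anyone holding the retained log can re-derive the extract and check it. The log format, host name, addresses, message IDs and the assumed year are all made up for the example.

```python
"""Scoped extraction of mail transaction log entries, with a hash manifest
that binds the extract to the retained source log.

Added illustration; not code from the original thread.  All log content
below is constructed.
"""
import hashlib
import json
import re
from datetime import datetime, timedelta

# Constructed sample of one popmail host's transaction log (sendmail and
# POP server lines).  Names, addresses and message IDs are made up.
SAMPLE_LOG = """\
Apr 25 03:12:44 popmail1 sendmail[1234]: f3P8CiX01234: from=<alice@example.net>, size=2048, relay=host1.example.net [192.0.2.10]
Apr 25 03:12:45 popmail1 sendmail[1235]: f3P8CiX01234: to=<bob@example.edu>, delay=00:00:01, stat=Sent
Apr 26 11:02:10 popmail1 popper[2200]: Stats: bob 3 12040 0 0 203.0.113.5
Apr 27 09:45:02 popmail1 sendmail[3301]: f3R9j2A03301: from=<carol@example.org>, size=900, relay=host9.example.org [198.51.100.7]
Apr 27 09:45:03 popmail1 sendmail[3302]: f3R9j2A03301: to=<dave@example.edu>, delay=00:00:01, stat=Sent
Apr 30 22:15:08 popmail1 popper[4100]: Stats: bob 1 512 0 0 203.0.113.5
"""

LOG_YEAR = 2001  # assumption: classic syslog timestamps carry no year


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_timestamp(line: str) -> datetime:
    """Parse the leading 'Mon DD HH:MM:SS' of a syslog line, assuming LOG_YEAR."""
    return datetime.strptime(f"{LOG_YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")


def extract_in_scope(log_text, identifiers, start_date, end_date):
    """Return [[line_no, entry], ...] for entries whose timestamp falls in the
    inclusive ISO date window and which mention an identifier as a whole word.
    Line numbers point back into the retained source log."""
    start = datetime.fromisoformat(start_date)
    end = datetime.fromisoformat(end_date) + timedelta(days=1)
    patterns = [re.compile(r"\b" + re.escape(i) + r"\b", re.IGNORECASE)
                for i in identifiers]
    hits = []
    for line_no, entry in enumerate(log_text.splitlines(), start=1):
        if not entry.strip():
            continue
        if not (start <= parse_timestamp(entry) < end):
            continue
        if any(p.search(entry) for p in patterns):
            hits.append([line_no, entry])
    return hits


def build_production(log_text, identifiers, start_date, end_date):
    """Produce the scoped extract plus a manifest tying it to the source log."""
    hits = extract_in_scope(log_text, identifiers, start_date, end_date)
    extract_text = "\n".join(f"{n}\t{e}" for n, e in hits) + "\n"
    return {
        "scope": {"identifiers": list(identifiers),
                  "start": start_date, "end": end_date},
        "source_sha256": sha256_hex(log_text.encode()),
        "extract": hits,
        "extract_sha256": sha256_hex(extract_text.encode()),
        "match_count": len(hits),
    }


def verify_production(retained_log_text, production):
    """Check the retained log still hashes to the recorded value and that the
    same scope re-derives exactly the produced extract."""
    if sha256_hex(retained_log_text.encode()) != production["source_sha256"]:
        return False
    scope = production["scope"]
    rederived = extract_in_scope(retained_log_text, scope["identifiers"],
                                 scope["start"], scope["end"])
    return rederived == production["extract"]


if __name__ == "__main__":
    # Hypothetical warrant scope: everything mentioning "bob", Apr 25-27.
    prod = build_production(SAMPLE_LOG, ["bob"], "2001-04-25", "2001-04-27")
    print(json.dumps(prod, indent=2))
```

The manifest is what answers the "is this extract valid?" question later: the retained log's hash must still match, and re-running the recorded scope over it must reproduce the extract line for line. Entries outside the date window (the Apr 30 line in the sample) and entries for other users never leave the retained log.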