15 Things You Need to Know About Maintaining The Logs

x32x01
  • by x32x01 ||
15 Things You Need to Know About Maintaining The Logs
15 Things You Need to Know About Maintaining The Logs
The following are some of the legal issues involved with creating and using logs that organizations and investigators must keep in mind:
  • Logs must be created reasonably contemporaneously with the event under investigation.
  • Log files cannot be tampered with.
  • Someone with knowledge of the event must record the information. In this case, a program is doing the recording; the record therefore reflects the a priori knowledge of the programmer and system administrator.
  • Logs must be kept as a regular business practice.
  • Random compilations of data are not admissible.
  • Logs instituted after an incident has commenced do not qualify under the business records exception; they do not reflect the customary practice of an organization.
  • If an organization starts keeping regular logs now, it will be able to use the logs as evidence later.
  • A custodian or other qualified witness must testify to the accuracy and integrity of the logs. This process is known as authentication. The custodian need not be the programmer who wrote the logging software; however, he or she must be able to offer testimony on what sort of system is used, where the relevant software came from, and how and when the records are produced.
  • A custodian or other qualified witness must also offer testimony as to the reliability and integrity of the hardware and software platform used, including the logging software.
  • A record of failures or of security breaches on the machine creating the logs will tend to impeach the evidence.
  • If an investigator claims that a machine has been penetrated, log entries from after that point are inherently suspect.
  • In a civil lawsuit against alleged hackers, anything in an organization’s own records that would tend to exculpate the defendants can be used against the organization.
  • An organization’s own logging and monitoring software must be made available to the court so that the defense has an opportunity to examine the credibility of the records. If an organization can show that the relevant programs are trade secrets, the organization may be allowed to keep them secret or to disclose them to the defense only under a confidentiality order.
  • The original copies of any log files are preferred.
  • A printout of a disk or tape record is considered to be an original copy, unless and until judges and jurors are equipped computers that have USB or SCSI interfaces.
 

Similar Threads

x32x01
TypeScript: Enhancing JavaScript with Strong Typing
  • x32x01
Replies
0
Views
132
x32x01
x32x01
x32x01
Keylogger In Just 10 Lines of Python
  • x32x01
Replies
0
Views
586
x32x01
x32x01
x32x01
Firefox Addons for Pentesting
  • x32x01
Replies
0
Views
234
x32x01
x32x01
x32x01
64-bit Linux Assembly and Shellcoding
  • x32x01
Replies
0
Views
187
x32x01
x32x01
x32x01
Red Teaming Toolkit
  • x32x01
Replies
0
Views
355
x32x01
x32x01
TAGs: Tags
legal issues

Register & Login Faster

Forgot your password?

Latest Posts

Latest Resources

Forum Statistics

Threads
517
Messages
518
Members
45
Latest Member
Tacola
Back
Top