The following are some of the legal issues involved with creating and using logs that organizations and investigators
must keep in mind:
- Logs must be created reasonably contemporaneously with the event under investigation.
- Log files cannot be tampered with.
- Someone with knowledge of the event must record the information. In this case, a program is doing the recording; the record therefore reflects the a priori knowledge of the programmer and system administrator.
- Logs must be kept as a regular business practice.
- Random compilations of data are not admissible.
- Logs instituted after an incident has commenced do not qualify under the business records exception; they do not reflect the customary practice of an organization.
- If an organization starts keeping regular logs now, it will be able to use the logs as evidence later.
- A custodian or other qualified witness must testify to the accuracy and integrity of the logs. This process is known as authentication. The custodian need not be the programmer who wrote the logging software; however, he or she must be able to offer testimony on what sort of system is used, where the relevant software came from, and how and when the records are produced.
- A custodian or other qualified witness must also offer testimony as to the reliability and integrity of the hardware and software platform used, including the logging software.
- A record of failures or of security breaches on the machine creating the logs will tend to impeach the evidence.
- If an investigator claims that a machine has been penetrated, log entries from after that point are inherently suspect.
- In a civil lawsuit against alleged hackers, anything in an organization’s own records that would tend to exculpate the defendants can be used against the organization.
- An organization’s own logging and monitoring software must be made available to the court so that the defense has an opportunity to examine the credibility of the records. If an organization can show that the relevant programs are trade secrets, the organization may be allowed to keep them secret or to disclose them to the defense only under a confidentiality order.
- The original copies of any log files are preferred.
- A printout of a disk or tape record is considered to be an original copy, unless and until judges and jurors are equipped computers that have USB or SCSI interfaces.