Using Log Data as Forensic Evidence

Last updated at Sat, 19 Aug 2017 02:27:51 GMT

This is a guest post by Ed Tittel. Ed, a regular contributor to blog.logentries.com, has been writing about information security topics since the mid-1990s. He contributed to the first five editions of the CISSP Study Guide (Sybex, 6e, 2012, ISBN: 978-1-119-31427-3) and to two editions of Computer Forensics JumpStart (Sybex, 2e, 2011, ISBN: 978-0-470-93166-0), and still writes and blogs regularly on security topics for websites including Tom's IT Pro, GoCertify.com, CIO.com, and various TechTarget outlets including SearchSecurity.com. Learn more about or contact Ed through his website.

Working with computer logs is something of an ongoing adventure in discovery. The data from such logs is amenable to many uses and applications, particularly when it comes to monitoring and maintaining security. But even after a security breach or incident has occurred, log data can also provide information about how an attack was carried out, the IP address (or addresses) from which it originated, and other packet data from network communications that could be used to identify the source of attack and possibly also, the identity of the attacker. This means presenting log data in a court of law as evidence to support specific allegations or accusations. How does that work?

Documentary or Digital Evidence and the Hearsay Rule

In legal matters, a special consideration called the hearsay rule normally applies to evidence that may be admitted in court for a judge or a jury to consider in assessing or disproving the truth of various assertions, or in deciding guilt or innocence for an accused party. The hearsay rule states that “testimony or documents which quote persons not in court are not admissible.” This provision in the law is intended to prevent information provided by third parties who cannot be questioned about their testimony or documents, or whose credibility or veracity can be neither proven nor impeached, from affecting the outcome of a decision of guilt or innocence. For the layperson, it's clearly tied to the notion that the accused has the right to face and question those who accuse him or her in the courtroom as the legal process works to its final conclusion.

But what about digital evidence, then? Computer logs capture all kinds of information routinely, either at regular intervals or in response to specific events. Because an accused party cannot face or question software in the courtroom, does this mean that logs and other similar computer-generated data are not admissible as evidence? Absolutely not, but there are a few “catches” involved.

The Business Records Exception…

As is happens there are some kinds of information and documents that are NOT excluded by the hearsay rule as explained in the Federal Rule of Evidence 803(6). Most specifically, “Records of regularly conducted activity,” are excluded. These are defined in the afore-cited publication as “A memorandum, report, record, or data compilation, in any form, of acts, events, conditions, or diagnoses, made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of a regularly conducted business activity, and if it was the regular practice of that business activity to make the memorandum, report, record or data compilation, as shown by the testimony of the custodian or other qualified witness, …, unless the source of information or the method or circumstances of preparation indicate lack of trustworthiness. The term ‘business' as used in this paragraph indicates business, institution, association, profession, occupation, and calling of every kind, whether or not conducted for profit.”

Whew! That's a lot to digest, but here is what it means: As long as the party that wishes to use log data as evidence can show that it routinely collected log records before (and during) the events or activities captured in those logs, they should be admissible as evidence in court. A responsible person would have to be able to truthfully testify that logging was already in use by that time, and that the log data presented as evidence is a true and faithful (that is, unaltered) copy of the original data logged at the time the alleged events or activities occurred for that evidence to stand. But because logs are designed to provide a record of events and activities it will be close to impossible for the other side of the case to argue such evidence as inadmissible per se. As long as you can produce one or more credible witnesses, with supporting documentation (memos, file dates, and so forth) to show that logging started some time before the alleged events or activities occurred, and can provide records to show that the log data presented in court is identical to what was originally captured and has not been altered since, your logs can indeed tell their story in the courtroom.

Note: my thanks to Neil Broom, President of the Technical Resource Center, and a regular forensics examiner and expert witness on digital forensics, and an author of Computer Forensics JumpStart for his clear and helpful guidance in explaining log data as legal evidence in the courtroom.

Logentries by Rapid7 makes it simple to collect, analyze and ensure the security of your log data. Start centralizing your log data today with a free 30-day Logentries trial. Click here to get started.