Logs and the Rules of Evidence
I quite frequently hear these questions:
1. My logs/log collection database aren't digitally signed, can I still use them in court?
2. My logs are in a text file that an admin can write to, can I still use them in court?
Our legal department would not like it if I gave legal advice, so I'm just going to point you to the US Department of Justice web site which settles these issues to my (lay) satisfaction. I would also point out BIP 0008, chapter 5, for you folks in the UK. Sorry I don't have worldwide links. If you are seeking a legal opinion, you need to contact a lawyer.
2005-09-29 UPDATE: If you read through these docs, you'll notice that they do not state that audit logs must be digitally signed, but do require some level of protection. In Microsoft's opinion, Windows' audit log meets or exceeds these requirements. Remember that Windows' audit log has been certified and will continue to be certified as compliant with the relevant Common Criteria standards.
Comments
- Anonymous
March 13, 2007
PingBack from http://winblogs.security-feed.com/2005/08/25/logs-and-the-rules-of-evidence/