[ale] [OT] Preserving docs for future use as proof [Was: Re: OT got my first job as a Computer Professional *kinda*]

Greg Freemyer greg.freemyer at gmail.com
Wed Jul 14 20:40:04 EDT 2010


This turned into a long email.  Sorry about that, but I hope many at
least find it interesting.

On Tue, Jul 13, 2010 at 9:02 AM, Mike Harrison <cluon at geeklabs.com> wrote:
>
> Greg,
>
> You are obviously a professional with a lot of experience
> with real evidence and proper process.

Remember IANAL, but I have testified as an expert on the handling of
electronic evidence and (sadly to me) I'm a Private Detective licensed
by the State of Georgia.

I say this to lend credibility to the below.

==> fyi:
If you or your company sell services related to evidence handling or
preparing reports for court, my reading of the GA law is you have to
have a PD license.

I think a lot of IT security firms ignore that law when they
participate in incident response situations.  It's a misdemeanor, so
not that big a deal.  But I can say at least one very large firm is
paying close attention and using only licensed individuals in GA to
actually work hands on with the evidence during incident response
situations.

==> back to this answer, see below

> I'll contend that if your snapshots and casual notetaking of jobs done
> ever get to court, you have already lost. You have lost valuable time and
> money, and a relationship with the employer/jobber. In a case where what
> you are doing is less than many thousands of dollars, it's usually not
> worth going after.

100% agreed, it's too expensive for many situations to bother with.

> Taking a few pictures is a good first step, worth doing,
> and will often enhance or re-enforce existing communications.
> It's good "CYA" practice and may help you get paid for such jobs.

Totally agree.

> But as I am not a lawyer, or judge, or law enforcement professional...
> I have no idea how it would be properly admissible evidence
> and would only hope that it would never have to go that far.

Since you're none of the above, perfect, pretty much everything you
want admitted is admissible!

The primary reason evidence is ruled inadmissible is that
constitutional rights were violated in the collection of the evidence.
ie. If the FBI hacks your email account without a warrant and gets
incriminating evidence, it's inadmissible.

If your estranged wife does it, she broke the law and can go to jail,
but the evidence is still likely admissible because her actions are
not covered by the constitution.

fyi: If the FBI tells your wife to simply forward them your
incriminating email from a shared email account, she becomes an agent
of the FBI, and the evidence may or may not be admissible.  It gets
tricky when you have shared accounts, etc.

==> Enough of admissibility, credibility is the real issue for most of
us non-government types.

If you're worried about future court use of docs / pictures, the real
question you need to consider is credibility, especially as it relates
to open format OSS documents.

By default in a CIVIL case, business records are accepted and
considered credible, and the burden of proof related to manipulation
falls on the opposing party.  But let's assume the opposing party is
able to raise enough doubt that the burden has shifted to you to prove
your docs are credible.

==> How to show your docs are credible:

Have you ever seen linux/UNIX server logs modified?  I have, so why in
particular should I / the court trust them to not have been
manipulated an hour before you turned them over?

Have you ever seen Windows Event Logs modified?  I have not, so I
trust them much more.  (If I had to testify to that effect, I'd have
to do some research to see how easy / hard it is to do.)

Emails edited after the fact?  I have, so again why should I / the
court trust them?

etc.

So, ask yourself as an IT-knowledgeable person, what would it take to
convince yourself that documents / pictures / emails are what they
claim to be and that they have not been manipulated, especially
recently?

Assume that you have specific reason to not trust the person producing
the files.

Which would you trust more:

A typical OSS email maintained in plaintext (such as an EML) on a workstation?

That same email in a proprietary Exchange Server EDB file?

I assume you'll agree the OSS solution in being so open/simple makes
it trivial to edit/change, and thus its originality is less credible
than the same email maintained inside an Exchange server EDB.

(fyi: I know how to manipulate even the email in the Exchange Repo, so
even it may not be credible in my case.  ie. The knowledge / skills of
the person maintaining the potential evidence relates directly to how
credible the evidence they maintain is.  Fortunately, the person's
reputation, etc. also positively impacts credibility.)

So if you are going to use open formats and want/need to establish a
high level of credibility in the eyes of the court that they have not
been manipulated, then you need to take extra steps.

The zero-cost option proposed by Michael Potter was to create a gmail
account and email significant documents / pictures to it so that the
Internet Email internal headers can be used to substantiate the date
and time at which the picture / document existed.  Thus any
manipulation would have had to take place prior to that date/time.
Effectively the Internet headers become part of the chain of custody.

Then, if and when that ESI (electronically stored information) becomes
critical to a court case that warrants the expense, hire an
uninterested party (expert) to go to gmail (via your normal login) and
retrieve the documents including the email headers.  The email headers
have date/time stamps that are hard to edit as they sit on.

As I sit here and try to come up with a way to circumvent that, IMAP
comes to mind.  I don't know the answer, but can someone manipulate an
email in part or in whole by utilizing imap?

Good question that I don't know the answer to, and the answer will
talk directly to the credibility of documents "entrusted" to gmail for
"secure" storage.

So now you know the kinds of things a computer expert on evidence has
to consider from time-to-time.

And a question to the group is how a PGP etc. key can be used to
authenticate a record complete with datestamp?  If that can be done,
that is a much better solution than sending an email to a gmail
account.

Look at that, I actually wrapped up with an on-topic question!

Greg
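As an added example (not code from the original thread or its authors), here is one way to do what the closing question asks: bind a document's SHA-256 digest to a date stamp and sign the pair, so that neither the contents nor the date can be altered afterwards without the signature failing. It uses Go's standard-library Ed25519 in place of PGP; the Record type, function names and the sample document are all constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Record binds a document digest to a date stamp; the signature covers both.
type Record struct {
	Digest    string // hex SHA-256 of the document bytes
	Timestamp string // RFC 3339 UTC time the record was signed
}

// canonical is the exact byte string that gets signed: digest, newline, timestamp.
func canonical(r Record) []byte {
	return []byte(r.Digest + "\n" + r.Timestamp)
}

// SignDocument hashes doc, stamps it with when, and signs the pair.
func SignDocument(priv ed25519.PrivateKey, doc []byte, when time.Time) (Record, []byte) {
	sum := sha256.Sum256(doc)
	r := Record{Digest: hex.EncodeToString(sum[:]), Timestamp: when.UTC().Format(time.RFC3339)}
	return r, ed25519.Sign(priv, canonical(r))
}

// VerifyDocument succeeds only if doc still hashes to the recorded digest
// and the signature over (digest, timestamp) checks out under pub.
func VerifyDocument(pub ed25519.PublicKey, doc []byte, r Record, sig []byte) bool {
	sum := sha256.Sum256(doc)
	if hex.EncodeToString(sum[:]) != r.Digest {
		return false // document bytes changed after signing
	}
	return ed25519.Verify(pub, canonical(r), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	doc := []byte("constructed sample: work order #1, 2 hours on site") // constructed input
	rec, sig := SignDocument(priv, doc, time.Now())
	fmt.Println("original verifies:  ", VerifyDocument(pub, doc, rec, sig))
	rec.Timestamp = "2009-01-01T00:00:00Z" // attempt to back-date the record
	fmt.Println("back-dated verifies:", VerifyDocument(pub, doc, rec, sig))
}
```

The date in the record is only as credible as whoever holds the private key, which is the same custodian problem raised above, so a date an opposing party must accept needs the signature to come from someone other than the person keeping the evidence.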

