It surprises me how many of the tools companies buy for cyber security are, at bottom, logging tools. Logging should be one part of your security posture, but it is unwise to rely on it as the whole solution.
So if the logs collected by tools like Splunk, LogRhythm and AlienVault are valuable from a forensic standpoint, why is that logging so often inadmissible in court? The reason is that chain of custody cannot be proven. Once a server is compromised, the attacker controls the information on that server, including its logs: they can delete, add, or change log entries at will, so a log that has only ever lived on the compromised host cannot show that it reflects what actually happened. If your vendor moves your logging into their cloud, proving chain of custody gets harder still, because every hand-off to and within the vendor's environment has to be documented as well.
To get logs admitted, you have to be able to show chain of custody. That is done not by looking at the log content but by recording the log's metadata: where it was collected, when, who has had access to it, and whether its contents have changed along the way. Those are attributes of the log's handling in the environment, not of the log itself.
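As an added example (not code from the original post, and not any particular product's method), here is one concrete way to record that handling metadata so tampering becomes detectable: each log line is hash-linked to the one before it, and a separate custody manifest records who handled the evidence, when, and the digest of the whole chain at that moment. The log lines, handler names and timestamps are constructed for the demonstration. The hash-chain-plus-manifest design is my own assumption about how to meet the goal the post describes; the post itself does not prescribe a mechanism.

```python
import hashlib
import json

GENESIS = "0" * 64

# Constructed sample log lines for the demonstration; not taken from any real system.
SAMPLE_LOG_LINES = [
    "2024-03-01T10:00:01Z sshd[1201]: Accepted publickey for deploy from 10.0.0.5",
    "2024-03-01T10:00:07Z sudo: deploy : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "2024-03-01T10:00:09Z sshd[1201]: Disconnected from 10.0.0.5",
]


def digest(obj) -> str:
    """SHA-256 of a canonical JSON encoding, so the same content always hashes the same."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def build_chain(lines):
    """Wrap each log line in a record that carries the hash of the previous record.
    Editing, deleting or inserting a line breaks every link after it."""
    records, prev = [], GENESIS
    for seq, line in enumerate(lines):
        body = {"seq": seq, "line": line, "prev": prev}
        rec = dict(body, hash=digest(body))
        records.append(rec)
        prev = rec["hash"]
    return records


def verify_chain(records):
    """Return (True, None) if every link holds, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {"seq": rec["seq"], "line": rec["line"], "prev": rec["prev"]}
        if rec["seq"] != i or rec["prev"] != prev or digest(body) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, None


def record_custody(manifest, records, handler, action, when):
    """Append a custody entry: who did what to the evidence, when, and the digest of the
    whole chain at that moment. Entries are themselves hash-linked. The manifest must be
    kept somewhere the monitored host cannot write to, or it proves nothing."""
    entry = {"when": when, "handler": handler, "action": action,
             "chain_digest": digest(records),
             "prev": manifest[-1]["entry_hash"] if manifest else GENESIS}
    entry["entry_hash"] = digest(entry)
    manifest.append(entry)
    return entry


def verify_custody(manifest, records):
    """True if the manifest is intact and the evidence still matches its latest entry."""
    if not manifest:
        return False
    prev = GENESIS
    for e in manifest:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev"] != prev or digest(body) != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return manifest[-1]["chain_digest"] == digest(records)


def tamper_scenarios():
    """Collect evidence, then show what each kind of tampering looks like to the checks."""
    records = build_chain(SAMPLE_LOG_LINES)
    manifest = []
    record_custody(manifest, records, "log-forwarder", "collected from host", "2024-03-01T10:00:10Z")
    record_custody(manifest, records, "analyst.jdoe", "exported for review", "2024-03-02T09:00:00Z")

    # 1. Attacker with root edits one line in place (hashes left alone).
    edited = json.loads(json.dumps(records))
    edited[1]["line"] = "2024-03-01T10:00:07Z sudo: deploy : TTY=pts/0 ; COMMAND=/bin/ls"
    # 2. Attacker deletes the incriminating line.
    deleted = records[:1] + records[2:]
    # 3. Attacker rewrites the line AND rebuilds the chain so the hashes look valid.
    rebuilt = build_chain([r["line"] for r in edited])

    return {
        "clean": (verify_chain(records), verify_custody(manifest, records)),
        "edited": (verify_chain(edited), verify_custody(manifest, edited)),
        "deleted": (verify_chain(deleted), verify_custody(manifest, deleted)),
        "rebuilt": (verify_chain(rebuilt), verify_custody(manifest, rebuilt)),
    }


if __name__ == "__main__":
    for name, (chain_ok, custody_ok) in tamper_scenarios().items():
        print(f"{name:8s} chain={chain_ok} custody={custody_ok}")
```

The third scenario is the one that matters for the post's argument: an attacker who owns the host can rebuild the hash chain so the log looks internally consistent, and only the custody manifest held off that host (the forwarder's record of the digest at collection time) reveals the change. That is why the custody record has to be about the log's handling, not something stored alongside the log itself.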
The underlying rule is that a defendant has the right to confront his accuser, and that a person cannot be convicted on hearsay. That's the rub: a log entry is an out-of-court statement, and whoever (or whatever) produced it is not on the stand to be cross-examined.
The way around this is the Business Records Exception (Federal Rule of Evidence 803(6)). Some records are NOT excluded by the hearsay rule, specifically "records of regularly conducted activity".
Definition: “A memorandum, report, record, or data compilation, in any form, of acts, events, conditions, or diagnoses, made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of a regularly conducted business activity, and if it was the regular practice of that business activity to make the memorandum, report, record or data compilation, as shown by the testimony of the custodian or other qualified witness, …, unless the source of information or the method or circumstances of preparation indicate lack of trustworthiness. The term business as used in this paragraph indicates business, institution, association, profession, occupation, and calling of every kind, whether or not conducted for profit.”
Whew! That's a lot to digest, but here is what it means: as long as the party that wishes to use log data as evidence can show that it routinely collected those log records before (and during) the events captured in them, and a custodian or other qualified witness can testify to that practice, they should be admissible in court. The rub is the final clause: opposing counsel can object that "the source of information or the method or circumstances of preparation indicate lack of trustworthiness", and logs that sat on a compromised host with no documented chain of custody are exactly what that clause describes. It is a risk.
If you would like to talk more, just use the link below to schedule some time in my calendar.