
Thread: Authenticity of Logs

  1. #1
    Junior Member
    Join Date
    Oct 2003
    Posts
    1

    Authenticity of Logs

    I often hear that a logfile has the same value as a testimony.
    Some people say a solution to prove the authenticity of a logfile is to sign every logfile with a key.

    Do you know how to use public/private keys to sign a log or other ways to prove the authenticity of a logfile?

    oznoG

  2. #2
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    There are a few factors to this to make the logs valid. I would recommend looking up forensic techniques and so on in Google as well as going to http://www.sans.org and checking out their reading room.

    SecurityFocus also has some related articles such as - http://www.securityfocus.com/infocus/1639
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  3. #3
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    Tripwire and similar applications keep track of important files...
    keeping checksums could help...
    yeah, I'm gonna need that by friday...

  4. #4
    Interesting subject.

    I often hear that a logfile has the same value as a testimony.
    Do you know how to use public/private keys to sign a log or other ways to prove the authenticity of a logfile?
    As mentioned, Tripwire and similar applications use checksums to verify code. However, if a system is compromised these programs might as well be.

    Logfiles are important in an investigation but I feel they are circumstantial evidence.
    Log files can be manipulated.

    You should definitely keep your eye on the log files but they are not testimonial.
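
Added example, not part of any post in this thread: the checksum idea from posts #3 and #4 extended to a keyed hash chain, so that editing, deleting or truncating log entries is detectable. It uses an HMAC from the Python standard library rather than a public/private key signature, and assumes the key and the final "head" tag are held on a separate log collector, not on the host being logged; all names, the key and the log lines are constructed for illustration.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # assumed fixed starting value for the chain

# Constructed sample log lines and key, for illustration only.
SAMPLE = [
    "Oct 12 03:14:07 host sshd[411]: Accepted password for alice",
    "Oct 12 03:15:22 host sudo: alice : COMMAND=/bin/ls",
    "Oct 12 03:16:40 host sshd[411]: session closed for alice",
]
KEY = b"constructed-demo-key-kept-off-host"


def _tag(key, prev, line):
    # Each tag covers the previous tag, so an entry cannot be altered,
    # removed or reordered without invalidating every later tag.
    return hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()


def chain_logs(lines, key):
    """Return [(line, tag_hex), ...] with tag_i = HMAC(key, tag_{i-1} || line_i)."""
    prev, records = GENESIS, []
    for line in lines:
        prev = _tag(key, prev, line)
        records.append((line, prev.hex()))
    return records


def verify_chain(records, key, expected_head):
    """Return None if intact, else the index where verification first fails.

    Returning len(records) means every stored entry checks out but the last
    tag differs from the head recorded off-host, i.e. entries were cut off
    the end.
    """
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(records):
        prev = _tag(key, prev, line)
        if not hmac.compare_digest(prev.hex(), tag_hex):
            return i
    if not hmac.compare_digest(prev.hex(), expected_head):
        return len(records)
    return None
```
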

  5. #5
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    Actually most computer evidence is viewed as hearsay, I believe. It can be used in cases but you have to prove that due diligence was done in the collection of the data, handling, etc. As I said before, a quick search of Google can provide a ton of information on this subject. http://www.sans.org also has quite a bit of info as well as a class (which I went to last summer, it's pretty good) on business law and computer security.


    One link from Google - http://www-staff.mcs.uts.edu.au/~jim...l/ComEvid.html
