Intrusion Detection System Logs as Evidence and legal aspects
IDSs have become part of every organization's security system today. They reduce the risk of intrusion and counter serious attempts to attack a system by alerting the administrators. IDSs are capable of detecting the preambles to attacks, and with this they help to document and present the risks and threats. An IDS serves as a quality control mechanism for an organization's security system, providing diagnosis, causes and details about its different aspects. Mell (n.d.) writes: "IDS can detect when an attacker has penetrated a system by exploiting an uncorrected or uncorrectable flaw. Furthermore, it can serve an important function in system protection, by bringing the fact that the system has been attacked to the attention of the administrators who can contain and recover any damage that results. IDSs verify, itemize, and characterize the threat from both outside and inside your organization's network, assisting you in making sound decisions regarding your allocation of computer security resources."
The first thing that needs to be considered is the legal dimension. While gathering and processing IDS logs, the legal dimensions of conducting forensic analysis need to be considered thoroughly, because they may cause problems later on. Turner (2002) says: "The principles of 'chain of custody' or continuity of evidence and 'auditability' are well known in forensic circles; there remains a general lack of awareness of these principles within the computer security community. As a consequence the dangers of 'dirtying the data' remain prevalent. An additional issue that emerges during analysis concerns 'acontextual' presentation of individual entries in log files. This can lead to a misrepresentation of the significance or insignificance of individual entries and of the log file as a whole". Therefore, these things need to be carefully considered and practised before log files are used as forensic evidence.
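The chain-of-custody and auditability principles above are easier to reason about with a concrete record in hand. The following Python is an added illustration, not code from the article or from any cited author: it hashes the acquired IDS log, keeps a hash-chained custody record (each entry commits to the previous one, so an edited or deleted entry is detectable), and checks that the evidence later presented still matches the hash taken at acquisition. The Snort-style alert lines, the sensor name and the handler names are constructed sample values, and the chained-JSON record format is an assumption of this example, not a legal standard.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample IDS log in a Snort-style alert format; not real traffic.
SAMPLE_LOG = b"""\
[**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]
01/14-10:03:17.123456 203.0.113.5:80 -> 198.51.100.7:51234
[**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**]
01/14-10:03:18.654321 203.0.113.9:44021 -> 198.51.100.7:1433
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(body: dict) -> bytes:
    # Deterministic serialisation so the same entry always hashes the same way.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class CustodyRecord:
    """Append-only chain of custody for one piece of evidence.

    Every entry commits to the evidence hash, the action, the handler, a
    timestamp and the previous entry's hash, so removing or editing any
    entry after the fact breaks verification of everything that follows.
    """

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, action, handler, evidence_hash, when=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        when = when or datetime.now(timezone.utc).isoformat()
        body = {
            "action": action,
            "handler": handler,
            "evidence_sha256": evidence_hash,
            "timestamp": when,
            "prev_hash": prev,
        }
        body["entry_hash"] = sha256_hex(canonical(body))
        self.entries.append(body)
        return body["entry_hash"]

    def verify(self) -> bool:
        """Recompute every entry hash and check the links are unbroken."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev:
                return False
            if sha256_hex(canonical(body)) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def evidence_matches(log_bytes: bytes, custody: CustodyRecord) -> bool:
    """The log presented must hash to the value recorded at acquisition,
    and the custody record itself must still verify."""
    if not custody.entries or not custody.verify():
        return False
    return sha256_hex(log_bytes) == custody.entries[0]["evidence_sha256"]


def demo():
    custody = CustodyRecord()
    acquired = sha256_hex(SAMPLE_LOG)
    # Constructed custody events; timestamps fixed so the record is reproducible.
    custody.record("acquired from sensor ids-01", "analyst A", acquired,
                   "2024-01-14T10:10:00+00:00")
    custody.record("transferred to evidence locker", "analyst B", acquired,
                   "2024-01-14T12:00:00+00:00")
    intact = evidence_matches(SAMPLE_LOG, custody)
    # "Dirtying the data": a single edited address no longer matches acquisition.
    dirtied = SAMPLE_LOG.replace(b"203.0.113.9", b"203.0.113.8")
    tampered = evidence_matches(dirtied, custody)
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The same check catches an edited custody entry: changing any field of an earlier entry changes its hash, so the next entry's `prev_hash` no longer links to it and `verify()` returns False. Keeping the record append-only and the acquisition hash independent of the analysis copy is what gives the "continuity of evidence" that Turner describes.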
Admissibility and validity
All forensic evidence has to pass two tests: admissibility and weight. According to Turner (2002), "The USA code, title 28, section 1732 states that 'log files are admissible as evidence if they are collected in the regular course of the business'. However, this principle of admissibility does not provide any guarantee that in any particular case log files will be deemed legally valid". There are other issues that cannot be avoided. "The ability to identify, track, trace and analyze log files is central to forensic investigations where digital evidence is the main source of data. However, the forensic computing perspective moves beyond these technical skills to develop sensitivity towards questions over the admissibility of evidence and legal validity of particular data sets" (Turner 2002). Therefore, from a forensic perspective, the log files need to be both valid and admissible.
IDS logs definitely have evidentiary value, provided that the IDS itself has not been compromised at the system level. IDS logs fall into the category of documentary evidence, but there are debates about this. "The issues aligned to evidence, acquisition and the suitability of Intrusion Detection Systems (IDS) for preparing legally admissible evidence, reveals strong disagreement amongst technical and legal experts over the suitability of IDS as a tool for collecting, collating and presenting forensic evidence" (Turner 2002). There are some reasons behind this, and the difference between legal systems has a lot to do with the debate. "In Continental Europe the criminal procedure sees investigations being carried out by a specialist judge - juge d'instruction - in countries like England, the US, Australia and many former members of the old British Empire, investigations are carried out by the police or other law enforcement agency, the decision to prosecute is made by a separate body - District Attorney in the US, Crown Prosecution Service in England - and at trial the role of the judge is as chairman of the proceedings and enunciator of law. Separate opposing legal teams represent the arguments of prosecution (the Crown, the People) and the defence. The trier of fact is a jury. The procedure, known as adversarial, has led to the development of complex rules of evidence, describing what can and cannot be put before the court for its consideration of fact" (Sommer 1998, 1999). This places a considerable challenge before the network security and forensic investigation community. It also makes it difficult for the police and other organizations to prosecute criminals involved in attacks or intrusions. A specialist judge, as in Continental Europe, is well placed to understand the technical details; juries, judges and lawyers, however, generally have little knowledge and understanding of technical matters. This makes cases involving technical matters really challenging.
IDS logs are a generally recognised means of investigation based on network and system traffic, and they are potential legal proofs. Turner (2002) says: "Admissibility and weight are the legal validity of evidence for a submission in a particular jurisdiction and the ability of the court to be convinced by its presentation". Therefore, the legal system needs to set a baseline standard for the admissibility of such evidence and its potential use as legal proof. "The use of cyber-based evidence is becoming more important, and there is no reason to suppose that law enforcement agencies would not consider IDS logs as a potential source of cyber-based evidence" (Johnston).