Are there any workarounds to the US business record exception to the hearsay rule, that states records must be kept within the course of normal business in order to be admissible as evidence in court?
What can people do to make digital evidence admissible in court in these situations?
1. A server is compromised, and you want to capture network traffic with a packet sniffer to collect additional data to help with Incident Response and be used as evidence in court.
2. You suspect an employee of breaking the law or your security policy, and you want to set up additional monitoring/surveillance by enabling the auditing of files and/or surreptitiously installing software like Dameware, VNC or a keylogger.
I'm also curious as to how data collected from Incident Response such as network connections, running programs, open files, etc. can be admitted as evidence. By definition, according to SANS, an incident is a deviation from the norm where harm has occurred, or there was intent to do harm.
So if you have an Incident Response Disk, which by definition is not normally used, it doesn't seem like that would fall under the business record exception to the hearsay rule, so how is that evidence admissible?
Let the attorneys worry about it. That is why they get the big bucks.