On Mon, 2004-02-02 at 18:36, Bernd Petrovitsch wrote:
> On Mon, 2004-02-02 at 20:55, Greg Freemyer wrote:
> [...]
> > Part of my company does computer forensics. As part of that our
> > forensics team might testify in court that
> >
> > "Rob created a flat file export of the Customer Database on Dec 15, 03.
> > He accessed this flat file at 2pm, Feb 2, 04. This is 2 hours after he
> > was notified that he was being fired, so it is possible that he was
> > making an improper copy to use outside the company."
> >
> > Obviously the above is not rock-solid evidence of IP theft, but it is
> > far stronger than if the access time was not available.
>
> Given the possibilities to fake that info it is[0] (for usage in court
> or similar) probably better to actually have no atime.
>
I don't do the forensic work myself but I know our examiners try to use
the access time (and create/modify).
FYI: About 10 years ago I was working at a company where a manager
inadvertently corrupted some important files. For some reason, he did
not want to accept responsibility. As you said, he manipulated the
files and the access times to make it look like one of the consultants
did it.
The data was important enough that a small internal investigation was
done and shell history logs for everyone with access to the data were
reviewed.
It turned out the manager did not clean up his shell history file so all
of his activities became obvious. He did not have a job for much
longer.
> > I know our forensic team wishes that all computers would maintain a much
> > better history of access times than just the most recent.
>
> But if you (or someone) wants to use it in court (or similar) it should
> not be easy to fake[0]. So this rules almost all computer-related stuff
> completely out.
I recently heard that 50% of all new FBI cases have a computer forensics
portion. Those results are definitely reported in court. I believe our
main examiner testifies a couple times a month.
FYI: I don't know the source of the 50% number, so treat it as rumor.
>
> > I guess what I'm saying is, if you are maintaining valuable info on a
> > computer and the possibility of having to litigate about its use exists,
> > then having access times available to a computer forensic examiner is a
> > good idea.
>
> Yes. But time info on a computer's hard disk is far from "valuable"
> because it is quite easy to manipulate it[0].
I was talking to a company several months ago in the "web-hosting"
business. They claimed to get 5 or more FBI requests per week to
preserve server hard-disks.
The assumption in turn is that the FBI analyses the harddisks. I
suspect they like having date/time info on there.
That is doubly true if only the web-hosting personnel have shell
accounts.
FYI: As I understand it, the preservation request does not require a
court order. Actual analysis of the data does.
> Sorry for OT ....
> Bernd
>
> [0]: Yes, this depends on circumstances etc.
Greg
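The thread turns on whether atime/mtime on a disk can be trusted, given that they are easy to rewrite. The following is an added example, not code from either poster, illustrating the one check an examiner can make without extra logging on a POSIX system: atime and mtime can be set by a utime() call, but ctime (inode change time) cannot be set from user space and is bumped to the current clock on any such change. A file whose ctime is well ahead of both atime and mtime has therefore had its timestamps (or other metadata) rewritten after its last write. The file name, the 30-day backdate and the 1-second slack are constructed for the demo; `st_ctime` means creation time on Windows, so the check is Linux/BSD/macOS only.

```python
import os
import tempfile
import time


def snapshot(path):
    """Return (atime, mtime, ctime) for path as epoch-second floats."""
    st = os.stat(path)
    return (st.st_atime, st.st_mtime, st.st_ctime)


def backdate(path, when):
    """Rewrite atime and mtime to `when` (epoch seconds), the same
    thing `touch -t` does and the manipulation the thread refers to.
    ctime is not an argument here: the kernel sets it to now."""
    os.utime(path, (when, when))


def looks_backdated(path, slack=1.0):
    """Forensic check: True when ctime is later than both atime and
    mtime by more than `slack` seconds.  A normal write advances mtime
    and ctime together and a normal read advances atime, so a large
    gap means the inode was changed after the last read and write.
    chmod/chown/rename also bump ctime, so treat a hit as a lead for
    cross-checking against shell history or other logs, not as proof."""
    atime, mtime, ctime = snapshot(path)
    return ctime - max(atime, mtime) > slack


def demo():
    """Constructed demo: fresh file passes, backdated file is flagged.
    Returns (flag_before, flag_after)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"flat file export of the Customer Database\n")
        path = f.name
    try:
        before = looks_backdated(path)              # new file: timestamps agree
        backdate(path, time.time() - 30 * 86400)    # pretend it is 30 days old
        after = looks_backdated(path)               # ctime stayed at "now"
        return before, after
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())  # expected: (False, True)
```

The check is deliberately weak on purpose: it only catches the naive case where atime/mtime were moved into the past while ctime was left alone, which is exactly why the thread's advice to corroborate with shell history and other records still stands.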