On Mon, 2004-02-02 at 20:55, Greg Freemyer wrote:
[...]
> Part of my company does computer forensics. As part of that our
> forensics team might testify in court that
>
> "Rob created a flat file export of the Customer Database on Dec 15, 03.
> He accessed this flat file at 2pm, Feb 2, 04. This is 2 hours after he
> was notified that he was being fired, so it is possible that he was
> making an improper copy to use outside the company."
>
> Obviously the above is not rock-solid evidence of IP theft, but it is
> far stronger than if the access time was not available.

Given the possibilities to fake that info it is[0] (for usage in court
or similar) probably better to actually have no atime.

> I know our forensic team wishes that all computers would maintain a much
> better history of access times than just the most recent.

But if you (or someone) wants to use it in court (or similar) it should
not be easy to fake[0]. So this rules almost all computer-related stuff
completely out.

> I guess what I'm saying is, if you are maintaining valuable info on a
> computer and the possibility of having to litigate about its use exists,
> then having access times available to a computer forensic examiner is a
> good idea.

Yes. But time info on a computer's hard disk is far from "valuable"
because it is quite easy to manipulate it[0].

Sorry for OT ....

Bernd

[0]: Yes, this depends on circumstances etc.
--
Firmix Software GmbH http://www.firmix.at/
mobil: +43 664 4416156 fax: +43 1 7890849-55
Embedded Linux Development and Services