If you tell enough stories, perhaps the moral will show up.

2006-10-02

Chain, chain, chain

I've been collecting MTA logs from one of our Exchange servers. They're one of my favourite logs -- a little forbidding at first, but yielding mountains of information if you put in the time. I forgive them for breaking the mapping between text line and event. Browse them on the tracking.log share, and view in a decent text editor with word wrap off.

Now these logs are valuable, at the moment. That's why I'm collecting them -- they may be required to prove a point in court. So I want to copy them off the share and put them in a safe place. But that's not enough. What's to stop me editing them after the fact to show anything I want to show? Enough care with dates and formatting would make it the devil's own job to prove that I'd fabricated the record, and it's that capacity to make a perfect forgery that lies at the heart of the problem with computer evidence.

What courts want is swearing, and plenty of it. Each step of the chain needs a claim that can fairly be made, on oath, that the data passed on is the data that was received.

The traditional method would be to print out the file and sign and date every page. That signature isn't the oath that would be made in court, but it's the basis on which you could swear that oath: "Yes -- I signed it that day, so that must be the printout I had on that day." If you didn't sign it, how could you be confident enough to swear? After all, one printout looks much like another. Computer people laugh at this as a defence against forgery -- if you were planning to fake it, surely you can lie about the date too? But in fact courts are using an important tool here. It's consistency that makes lying difficult, and it's inconsistency that lawyers concerned about the quality of opposing evidence seek to expose. By signing and dating, you are offering up a hostage to fortune, secure in the knowledge that no inconsistency can arise, because this is actually what did happen.

Now these log files are a hundred thousand events long and I am not printing them out a) because it would be nonsensical and b) because it wouldn't help anyone. Whoever's going to check?

This is what cryptographically secure hashes are for. If I can vouch not for the file, but for the hash value, the chance of a subsequent modification being meaningful and preserving the hash value is negligible. So, every day I use Microsoft File Checksum Integrity Verifier -- FCIV. In a command shell, I run:

FCIV -sha1 \\EX1\tracking.log
(this prints a line of hash values, one per file)
copy \\EX1\tracking.log\*.* h:\myarchive
FCIV -sha1 h:\myarchive
(this will give the same values as above)

Then I print off the transcript and sign and date it, transforming a bunch of editable files into a record that is set as if in stone. Anyone who cares can take my copy of the data and check it against the printout themselves in a minute or so. All the colossal contingencies boil down to a single question: did I fake my signature? And if so, how is that to be shown? Since I didn't fake it, I should be OK, and so will my evidence.
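The same check, done in code rather than by eye, as an added example that is not part of the original post or of FCIV: it builds the hash transcript for a directory (SHA-1, matching FCIV -sha1, plus SHA-256, since practical SHA-1 collisions have been demonstrated in the years since this was written), verifies a copy against that transcript, and shows an after-the-fact edit being caught. The two temporary directories and the log lines are constructed stand-ins for \\EX1\tracking.log, h:\myarchive and real Exchange tracking output.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed sample MTA log lines, not real Exchange tracking output.
SAMPLE_LOGS = {
    "20061001.log": "2006-10-01 08:00:01 EX1 SMTP 1019 alice@example.com\n",
    "20061002.log": "2006-10-02 08:00:03 EX1 SMTP 1019 bob@example.com\n",
}

def hash_file(path, chunk=1 << 20):
    """Stream the file through SHA-1 (what FCIV -sha1 prints) and SHA-256."""
    h1, h256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h1.update(block)
            h256.update(block)
    return {"sha1": h1.hexdigest(), "sha256": h256.hexdigest()}

def build_manifest(directory):
    """One entry of hashes per file: this is the transcript you print, sign and date."""
    return {n: hash_file(os.path.join(directory, n))
            for n in sorted(os.listdir(directory))
            if os.path.isfile(os.path.join(directory, n))}

def render_manifest(manifest):
    """Printable transcript, one line per file: sha1 sha256 filename."""
    return "\n".join(f"{v['sha1']} {v['sha256']} {k}" for k, v in manifest.items())

def verify_copy(manifest, directory):
    """Check a copy against the signed transcript: 'ok', 'modified' or 'missing' per file."""
    current = build_manifest(directory)
    return {name: "missing" if name not in current
            else "ok" if current[name] == hashes else "modified"
            for name, hashes in manifest.items()}

def demo():
    """Collect, copy, verify, then show that an after-the-fact edit is caught."""
    share, archive = tempfile.mkdtemp(), tempfile.mkdtemp()  # stand-ins for the share and h:\myarchive
    for name, text in SAMPLE_LOGS.items():
        with open(os.path.join(share, name), "w") as f:
            f.write(text)
    manifest = build_manifest(share)          # hashes taken on the share, before copying
    for name in SAMPLE_LOGS:
        shutil.copy2(os.path.join(share, name), archive)
    before = verify_copy(manifest, archive)   # the copy matches the signed transcript
    with open(os.path.join(archive, "20061002.log"), "a") as f:  # a later "tidy-up" of the copy
        f.write("2006-10-02 09:00:00 EX1 SMTP 1019 forged@example.com\n")
    after = verify_copy(manifest, archive)    # the edited file no longer matches
    shutil.rmtree(share); shutil.rmtree(archive)
    return before, after
```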
