Windows Security Logging and Other Esoterica

thoughts from the Windows auditing team

Logs and the Rules of Evidence

Logs and the Rules of Evidence

  • Comments 1

I quite frequently hear these questions:

1. My logs/log collection database aren't digitally signed, can I still use them in court?

2. My logs are in a text file that an admin can write to, can I still use them in court?

Our legal department would not like it if I gave legal advice, so I'm just going to point you to the US Department of Justice web site which settles these issues to my (lay) satisfaction.  I would also point out BIP 0008, chapter 5, for you folks in the UK.  Sorry I don't have worldwide links.  If you are seeking a legal opinion, you need to contact a lawyer.

2005-09-29 UPDATE: If you read through these docs, you'll notice that they do not  state that audit logs must be digitally signed, but do require some level of protection.  In Microsoft's opinion, Windows' audit log meets or exceeds these requirements.  Remember that Windows' audit log has been certified and will continue to be certified as compliant with the relevant Common Criteria standards.

 

Comments
Leave a Comment
  • Please add 5 and 4 and type the answer here:
  • Post