
  • 8/6/2019 Is Audit Trails in Legal Proceedings as Evidence


Information Systems Audit Trails in Legal Proceedings as Evidence

Caroline Allinson

Information Security Section, Information Management Division, Queensland Police Service, GPO Box 1440, BRISBANE Qld 4001, Australia.

    and

Research Student, Information Security Research Centre (ISRC), Queensland University of Technology, Brisbane, Queensland, Australia.

Keywords: Law enforcement, audit trails, evidence, investigation, expert witness, information security, policy, court, survey, computer.

    Abstract

Australian State and Commonwealth Governments are interested in the collection, storage and presentation of audit trail information, particularly within a legal framework. Law enforcement agencies have a legal obligation to keep audit records of all activity on information systems used within their operations. Little to no research has been identified in relation to the use of internal audit systems for evidentiary purposes.

A brief history of audit trails is given, with requirements for such audit trails beyond the year 2000.

The Queensland Police Service (QPS), Australia, is used as a major case study. The principles, techniques and processes used, and the reasons for recording, storing and releasing audit information for evidentiary purposes, have been studied.

To assist in determining current practice in the Australian Commonwealth and State Governments, the results of an Australia-wide survey of all government departments are given and contrasted with the major study of the QPS.

Reference is also made to the legal obligations for authorization of audit analysis, expert witnessing and legal precedent in relation to court acceptance or rejection of audit information used in evidence.

It is shown that most organizations studied generate and retain audit trails, but the approach is neither consistent nor comprehensive. It is suggested that these materials would not withstand a serious legal challenge.

1. Introduction

This paper examines the status of computer-based information systems audit trails in relation to their presentation in legal proceedings as evidence.

Over the past few decades audit has developed more than one meaning. Traditionally it was used in accounting for the checking of the financial reliability of a business. This has changed, and audit has now become a process in which a record is maintained of a particular series of events in order to provide evidence in the case of a dispute, to ensure compliance with certain rules and regulations, to check on the effectiveness of control systems, and to provide evidence in the case of criminal activity. These records are commonly known as audit trails or audit logs. [1]

Computers & Security Vol. 20, No. 5, pp. 409-421, 2001

Copyright 2000 Elsevier Science Limited

Printed in Great Britain. All rights reserved

0167-4048/01 $20.00

This process has been extended to include information systems, and significant work has been undertaken by the Information Systems Audit and Control Association (ISACA) in the development of guidelines for the process of information systems audit. [2]

There is little research by academic, law enforcement and government institutions in relation to audit for evidentiary purposes. Organizations have employed basic manual and semi-automatic electronic processes for a considerable time without regard to the rapid escalation of information technology and changing business practice. Legislation is out of date and in some areas under review [3]. The Australian standard for information security does not adequately address audit trails. [4]

Due to attitudes within Information Technology (IT) divisions, not all organizations have comprehensive audit systems in place, and the majority of those that do cater only for technology implemented in the 1970s and 1980s. In many cases there are no defined policy and procedure sets, and very limited evaluation is performed. History shows that security has always been an afterthought, but this is now beginning to change.

Law enforcement agencies have a two-fold interest and legal obligation pertaining to audit trails. The first is where audit trails are used by criminals in the commission of crime, and the second is where audit trails are generated by the information systems used by the officers themselves in support of the recording and investigation of crime. Little to no work has been done in relation to the security required for the audit trail as an entity. Research work undertaken to date has concentrated on the search and/or seizure of digital evidence and not on the securing of audit trails themselves. Audit trails are one component of digital evidence and in many cases are heavily relied on during an investigation of computer crime or system misuse. Current procedures provide for the securing of digital evidence once it has been seized, without consideration of the history of security surrounding its existence.

A management challenge in today's electronic world is the monitoring, auditing and controlling of activity in a maze of interconnected computer devices known as distributed computing. Security must be built into all aspects of the systems and environments. These information security systems must have access and privilege controls, logging and audit controls, accountability controls, and monitoring and reporting controls in accordance with the level of sensitivity of the electronically or digitally stored, transmitted and processed information. Never before in the history of electronic information processing has the audit trail been as important as it is today. Security against loss and/or damage of audit trail information, to ensure that the level of protection will satisfy legal requirements, is a major issue and one that has not been addressed adequately. In general, it is mostly assumed that the audit trail is secure, reliable and acceptable from a legal perspective.

This can be observed from research into digital evidence and the written work produced as a result. Casey, Yancey, Gahtan and law enforcement agencies have compiled comprehensive information on work performed in relation to electronic evidence and best practice for discovery. Whilst this work is of excellent value for law enforcement agencies and legal professionals, there is a need for it to be extended to include the security controls in existence for audit trails when the evidence was seized or discovered. [5],[6],[7],[8]

Law enforcement and affiliated agencies also have a legal obligation to keep audit records of all user activity performed on sensitive information systems that are provided for law enforcement operational and support tasks. This requirement to generate and retain audit trails is the motivation behind the decision to use the Queensland Police Service (QPS) current systems as a major case study for the development of a security framework for evidentiary purposes. In order to achieve this objective a survey of all Australian Commonwealth and State Government organizations was undertaken. The purpose of this paper is to provide details of this survey with results and findings.

The ultimate aim is to determine the legislative and security requirements of audit material for evidentiary purposes.

2. History of Audit Trails

Audit trails have been developed for and utilized by information systems since the inception of computers. The definition and use of an audit trail have changed over time to reflect the escalation and proliferation of computer systems and networks. In particular the growth of distributed computing, using personal computer based workstations via data networks, has placed pressure on earlier definitions and procedures related to audit trail collection and presentation.

When the computer system was limited to number crunching and data storage on a mainframe, audit trails were used as a method of verifying data input. These audit trails were stored for the verification period and the time taken to process the data input. The audit trail for data input is still in existence but is now more sophisticated.

Audit trails in the form of system journals and database journals are written for technical reasons. Audit trails help to ensure the integrity of the system itself by checking that unauthorised changes to software have not occurred, that file access controls are properly set and that the communications network has not changed. They also help to ensure that the organization is complying with regulatory controls and assist in the detection of suspicious patterns of access, such as log-on attempts outside normal hours of business. [9]

A system and/or database crash can cause the loss of data. The journals reflect the modifications, additions and deletions to the data and are used to restore the system and/or database to its original state. Date in [10] explains the process of database recovery as very complex:

Design of database systems has always incorporated not only a variety of checks and controls to reduce the likelihood of failure, but also an extensive set of procedures for recovering from the failures that will inevitably occur despite those checks and controls. Recovery in a database system means primarily recovering the database itself. That is, restoring the database to a state that is known to be correct after some failure has rendered the current state incorrect, or at least suspect. There are many possible causes of such failure: programming errors in an application or in the operating system or database system itself. In all cases the underlying principles on which recovery is based are quite simple and can be summed up in a single word: redundancy. That is, the way to protect the database is to ensure that any given piece of information in it can be reconstructed from some other information stored redundantly somewhere else in the system.

This is achieved by the following process. Periodically the entire database is copied or dumped to archive storage. Every time a change is made to the database, a record containing the old and new values of the changed item is written to a special data set called the database journal/log. If a failure occurs and the database itself is damaged, then the database is restored by loading it from the most recent archive copy and then using the database journal/log to redo all changes made since that archive copy was taken. If the database is not damaged but its contents are, the database is restored to a correct state by using the database journal/log to undo all unreliable changes. The archive copy is not needed in this case.
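The archive-plus-journal scheme just described, as an added example that is not the paper's or Date's code: a toy key/value database whose journal records the old and new value of each change, with the two recovery paths (reload the archive and redo; keep the database and undo unreliable changes). The record layout and the `committed` flag used to mark which changes count as reliable are assumptions of the example.

```python
import copy

# Added example (not from the paper): a toy key/value database with a journal
# that stores the old and new value of every changed item, as Date describes.
# The "committed" flag standing in for "reliable" is an assumption of this example.


def _set(db, key, value):
    """Apply a value to the database; None is the delete sentinel."""
    if value is None:
        db.pop(key, None)
    else:
        db[key] = value


def apply_change(db, journal, key, new_value, committed=True):
    """Journal the change (old and new value) first, then change the item.
    new_value=None means the item is deleted."""
    journal.append({"key": key, "old": db.get(key), "new": new_value,
                    "committed": committed})
    _set(db, key, new_value)


def take_archive(db, journal):
    """Periodic dump of the whole database to archive storage. The journal
    position is kept so that only later changes are redone on recovery."""
    return {"snapshot": copy.deepcopy(db), "journal_pos": len(journal)}


def recover_damaged(archive, journal):
    """Database itself damaged: load the most recent archive copy and redo
    every journalled change made since it was taken."""
    db = copy.deepcopy(archive["snapshot"])
    for rec in journal[archive["journal_pos"]:]:
        _set(db, rec["key"], rec["new"])
    return db


def recover_suspect(db, journal):
    """Database intact but contents suspect: walk the journal backwards and
    undo every unreliable (uncommitted) change. No archive copy is needed."""
    db = copy.deepcopy(db)
    for rec in reversed(journal):
        if not rec["committed"]:
            _set(db, rec["key"], rec["old"])
    return db


def demo():
    """Constructed scenario exercising both recovery paths."""
    db, journal = {}, []
    apply_change(db, journal, "vehicle:ABC123", "registered")
    archive = take_archive(db, journal)
    apply_change(db, journal, "vehicle:ABC123", "stolen")
    apply_change(db, journal, "person:1001", "wanted", committed=False)
    # Path 1: the database file is lost; rebuild it from archive + journal.
    rebuilt = recover_damaged(archive, journal)
    # Path 2: the file is intact but the uncommitted change is unreliable.
    cleaned = recover_suspect(db, journal)
    return rebuilt, cleaned
```

Because the journal holds both old and new values, the same data set serves as a redo log for path 1 and an undo log for path 2; that duality is what makes a journal usable as an audit trail as well as a recovery mechanism.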

There are many reasons why audit trails are used. Two additional and motivating factors for the introduction and use of audit trails beyond the year 2000 are unethical/unauthorized behaviour and proof of business process. These two concerns include exceeding access control rights, inappropriate and illicit release of information, correct adherence to required business procedures and fraud prevention. With the prospect of litigation looming, and in many countries a reality, the need to meet a challenge in a court of law is very real for all organizations.


    2.1 The Audit Trail Beyond 2000

An audit trail written for confirmation of a transaction, whether it be for commerce or for operational activities as is the situation with law enforcement, must be a complete record of all activity: a snapshot in time with the ability to reconstruct all events.

When provided as evidence in a court of law, the audit trail must be able to meet any challenge. Therefore it must be generated, retained and presented within an environment where a security framework has been implemented.

    The main areas that must be considered for a securityframework are:

a) Positive identification of a user, with the ability to tightly couple the user to the audit trail for proof of use. In high confidentiality and integrity environments this must be something the person is, not just what is known or possessed.

b) Integrity checking of audit trail information to ensure no malicious or accidental changes have occurred. Checksumming that incorporates the identification of the user makes it more difficult for a change to be made without detection.

c) Secure storage, sealing and responsibility for audit trails need to be in place, with associated documentation of processes and procedures.

d) A security infrastructure for the information system(s) must exist, with segregation of audit trail information from the databases and systems for which it is generated. This is especially relevant in cases where an intrusion has been detected and the court is being asked to believe an audit trail that resides on a system that has been compromised.
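One way to meet items a) to d) above in code, as an added example that is not the QPS system or any product described in the paper: each record carries the user identity and the authentication method used, is chained to the previous record, and is sealed with an HMAC whose key is assumed to be held by the audit-trail owner and never stored on the audited system (so a compromised host cannot re-seal altered records); a separate digest over the whole exported file lets an original and a working copy be shown to be identical. The record layout, the sample records and the key are constructed for the example.

```python
import hashlib
import hmac
import json

# Added example, not the QPS system. The sealing key is assumed to be held by
# the audit-trail owner (the security section), provisioned out of band and
# never present on the audited system, so that a compromise of that system
# does not let an intruder re-seal altered records.
AUDIT_KEY = b"example-key-held-by-audit-owner"   # assumption for the example
GENESIS = "0" * 64


def _canonical(fields):
    """Deterministic byte encoding of a record so the seal is reproducible."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def append_record(trail, user_id, auth_method, action, ts, key=AUDIT_KEY):
    """Append one record. The seal (HMAC) covers the user identity, the
    authentication method and the previous record's seal, so editing who did
    what, or removing or reordering records, breaks the chain."""
    prev = trail[-1]["seal"] if trail else GENESIS
    fields = {
        "seq": len(trail),
        "ts": ts,                 # ISO-8601 string, assumed to come from a trusted clock
        "user": user_id,
        "auth": auth_method,      # e.g. "password", "smartcard+pin", "fingerprint"
        "action": action,
        "prev": prev,
    }
    fields["seal"] = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    trail.append(fields)
    return fields


def verify_trail(trail, key=AUDIT_KEY):
    """Return (True, None) if every record is intact and correctly chained,
    otherwise (False, seq) for the first record that fails."""
    prev = GENESIS
    for expected, rec in enumerate(trail):
        fields = {k: v for k, v in rec.items() if k != "seal"}
        if fields.get("seq") != expected or fields.get("prev") != prev:
            return False, expected
        expected_seal = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(rec.get("seal", ""), expected_seal):
            return False, expected
        prev = rec["seal"]
    return True, None


def seal_export(trail):
    """Digest over the whole exported file, recorded with the original and
    with each working copy so the two can be shown to be identical."""
    h = hashlib.sha256()
    for rec in trail:
        h.update(_canonical(rec))
    return h.hexdigest()


def build_sample_trail():
    """Constructed records for demonstration (fixed timestamps)."""
    trail = []
    append_record(trail, "u1234", "smartcard+pin", "QUERY vehicle ABC123", "2001-03-14T09:02:13")
    append_record(trail, "u1234", "smartcard+pin", "QUERY person 1001", "2001-03-14T09:03:40")
    append_record(trail, "u5678", "password", "UPDATE person 1001 address", "2001-03-14T09:41:30")
    return trail


def tamper_examples():
    """Three manipulations an investigator must be able to detect."""
    edited = build_sample_trail()
    edited[1]["user"] = "u9999"                  # attribute the query to someone else
    deleted = build_sample_trail()
    del deleted[1]                               # remove an inconvenient query
    reordered = build_sample_trail()
    reordered[1], reordered[2] = reordered[2], reordered[1]
    return verify_trail(edited), verify_trail(deleted), verify_trail(reordered)
```

A plain checksum stored beside the file is not enough: anyone who can edit the records can recompute it. The keyed seal only helps if the key is segregated from the audited system, which is item d) restated as a key-management requirement; and the `auth` field records how strongly the user was identified, so that a court can weigh a password-only record differently from a biometric or token-backed one.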

3. Major Case Study

One of the first objectives was to fully examine the information systems and processes in place at the QPS, as an example of a leading law enforcement organization. The principal aims were to:

obtain a background and full description of the principles and techniques used for audit and evidence presentation;

obtain an understanding of the organizational processes and procedures implemented by the QPS to accommodate the legal obligations and political principles for audit trail analyses; and

obtain a full description of the configuration and technical implementation of the information systems in use by the QPS.

Information security for the QPS is centrally controlled. The Information Security Section (ISS) is a unit within the Information Management Division. The ISS has the responsibility for, and is the owner of, all audit trails. All technical aspects of the system are provided by the Information Systems Branch, also within the Information Management Division. For obvious security reasons not all findings in relation to the QPS systems are listed. Policy and procedures related to audit trail activity are formed and documented by the ISS. This policy is subject to peer review inside the QPS.

The ISS provides assistance to operational police investigations and to internal investigations into inappropriate use of QPS information systems. This assistance is usually by way of audit trail searches.

Security officers from the Information Security Section are required to appear in court to give evidence in relation to the process and the results of audit trail searches. Court appearances number approximately ten (10) per year and this number is steadily increasing.

    3.1 QPS Audit Systems

Since the inception of electronic information systems for the QPS, it has been standard practice to keep a full audit trail of all user activity against the QPS corporate and mainframe databases. Initially, auditing was developed to help system and application programmers determine errors.

The process of auditing involves full details of all user queries, additions, modifications and deletions. Every keystroke and action is written to an audit trail, with a subset of the main criteria written to a command log or activity log. Due to the volume of data written to the audit files, the command and activity logs are used as an initial search facility and, if necessary, as a pointer into the main audit trail files.

The QPS receives over 400 requests per year for audit trail searches. The three main reasons for these requests are technical, operational police investigations and investigations into possible misuse.

a) Requests are received from Information Systems Branch technical staff requiring assistance with data problems, application problems and system failure. Ten percent of the requests for audit searches are technical.

b) Requests are received from operational police officers wishing to clarify certain activity, e.g. clarifying the times at which transactions were done where time is important to an offence such as drink driving, burglary, etc. Identifying transactions that were performed in the past and that are now important is another request type, e.g. a vehicle or person that was the subject of a routine search and may now be a suspect in an offence. Thirty-five percent of the requests for audit searches are operational.

c) Requests are received from the Criminal Justice Commission¹, Ethical Standards Command² and QPS commissioned officers involved in investigation of system misuse, i.e. unauthorised access and disclosure of information. Fifty-five percent (55%) of the requests for audit searches are for investigations of possible misuse.

Other requests for audit searches are received for proactively analysing system activity and for Freedom of Information.

    3.2 Audit Trail as Evidence

Many of the audit trail searches result in the security officers from the ISS being required to give evidence in court. Section 95 of the Queensland Evidence Act 1977 is relied upon as the basis for many of the security procedures in place and for the provision of evidence in court.

In 1997 the Queensland Law Reform Commission (QLRC) commenced a review of this law in relation to the courts' receipt into evidence of information that is stored and/or conveyed using various electronic and similar media. [3] Three of the seven issues raised by the QPS with the QLRC relate to information systems operation.

The Queensland Evidence Act 1977, Section 95 "Admissibility of statements produced by computers", is relied upon for the above-mentioned assistance and court appearances. Several issues with respect to Section 95 have been raised by QPS IT management.

Section 95(2)(c) refers to "operating properly"; there is no definition of what constitutes a computer operating properly, and no standards, procedures or security and audit references are made. What constitutes operating properly in one organisation may not be the same in another. If this were to be used as a defence, what is the court's expectation of operating properly for a law enforcement information processing environment?

Section 95(2)(b) and (d) refer to "ordinary course"; there is no definition of what constitutes ordinary course. There needs to be clarification of ordinary course in relation to the computer staff performing computer-related activities and the actual user base performing operational activities.

Section 95(3) is very broad: all computers are treated as one. In the current information technology environment this is not only inappropriate but incorrect. Network capabilities certainly give the appearance of one computer, but data and information can be shared, and this could span several organizations each under different managerial and legal control. In this situation, who is then considered to be "the person occupying a responsible position in relation to the computer operation"? Even if the system does not span several organizations, the networked information technology facilities are such that in large organizations it is not possible for one person only to be knowledgeable in all areas.

¹ The Criminal Justice Commission was established in 1989 by an Act of the Queensland Parliament, the Criminal Justice Act 1989, on the recommendation of the Commission of Inquiry into Possible Illegal Activities and Associated Police Misconduct (known as the Fitzgerald Inquiry), chaired by Mr G E Fitzgerald QC.

² Ethical Standards Command commenced operation in 1997 and was established within the Queensland Police Service structure to promote ethical behaviour, discipline and professional practice, with the goal of ensuring the community has full confidence in the QPS.

3.2.1 Audit Trail Investigation Process

Requests for audit trail investigation are accepted from a commissioned officer or equivalent manager. When a request is received the security officer conducts a search of the audit trails based on the search criteria given. A copy of the results of the search is given to the investigating officer, with assistance if required. Results may be incorporated into the record of interview.

If the audit trail is required in court, the security officer prepares a statement and obtains a certificate under section 95 of the Queensland Evidence Act 1977. The certificate requires the person occupying a responsible position to provide a statement that the computer systems were operating properly.

The security officer attends court with the original documents. In many cases the copy provided to the investigating officer is admitted as evidence and becomes the exhibit. This raises concerns about the ability of the courts to deal with electronic evidence. There appears to be no concern or request to differentiate between the original and the copy.

A study of cases involving evidence given by QPS information security officers has shown that none of the evidence presented has ever been rejected or seriously challenged from a technical perspective.

The lack of competence of the legal profession, for both prosecution and defence, in the presentation and challenge of electronic evidence is strongly evident. This has been observed from the court room and through the investigation processes. It is also possibly why QPS evidence in relation to audit trails has never been rejected or strongly contested and challenged.

To assist in actual court proceedings, development of a new information system for the QPS has provided a playback facility. The new audit system captures audit information and stores it in session files, which provide a facility to play the session back as if the person were sitting at the screen. The hardcopy of the audit trail is still required as the exhibit. The playback facility is an in-court presentational aid only.

4. Policy vs Controls

Past experience indicates that policy is necessary but does not provide evidence if there is an operational need to investigate system use or system misuse.

The Carter Enquiry, which was an investigation of cases involving Queensland police officers, demonstrated this in Justice Carter's report [11]. A recommendation was made to implement an audit trail for the QPS internal e-mail system. QPS has a policy to print and retain copies of e-mails if they are considered to be for official purposes. If the hardcopy e-mail is produced as evidence there is no backup of proof to show the e-mail is valid. It is a simple process to reproduce an e-mail message by means of a word processing facility.

Analysis of the report by the Independent Commission Against Corruption (ICAC) into the New South Wales Police Service [12] showed inadequacies in the ability to audit and monitor information systems. A recommendation was made to introduce audit trails.

The QPS access control systems and audit systems have been reviewed; the relationship between the two is very loosely coupled and the inability to securely identify a user is evident. Users are authenticated and recorded by user identification code and password alone, but an individual cannot be positively and uniquely identified at the time of access, e.g. the user identity and password may have been captured by a third party.

    4.1 Government Policy

A Protective Security Manual (PSM) [14] has been developed for Australian Commonwealth Government departments. It outlines the government's protective security policies, principles, standards and procedures in relation to information technology systems and processes. Part VI, Section 6.40 of the PSM addresses audit trails. It provides for both generation and content. However, there is nothing relating to the safe and secure handling of the audit files themselves. Australian Communications-Electronic Security Instructions 33 (ACSI 33) [17] section 17 does provide more detailed instruction in relation to the handling of audit trails and logs; this relates to intrusion detection.

The Queensland Government has produced an information standard [15] for information security. There is no specific section on auditing.

The Australian and New Zealand Standard for Information Security Management [4] section 7.7 provides guidance for monitoring system access and use. This section does not provide for the handling of audit trails and the security mechanisms required to protect and secure them.

The Commonwealth Privacy Act in Principle 4, "Storage and security of personal information", part (a) states:

A record-keeper who has possession or control of a record that contains personal information shall ensure:

a) that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorized access, use, modification or disclosure, and against other misuse.

The words "against unauthorized access, use, modification or disclosure" would imply that an audit trail record needs to be kept, incorporating both the usage and the users of the data.

4.2 Law Pertaining to Forensic Computing

The International Association of Computer Investigative Specialists (IACIS) sets the policy and procedure for forensic computing. This policy and procedure has been analysed and set out in a comprehensive form by the United States Justice Department. It is important to relate the internal requirements for electronic evidence in the form of audit trails to the requirements set down for the forensic computing environment. In particular, these policies and procedures dictate the use of checksum techniques for record integrity, sealing of total file contents for original and working copies, and the requirement for expert examiners who also provide expert witness.

4.3 Other Related Work

In 1994 Canada appeared to be leading the way with a comprehensive paper, "Computer-produced records in court proceedings", produced at the Uniform Law Conference of Canada in 1994 [13]. Although this does not deal specifically with audit trail information, it does address many of the issues which need to be researched.

5. Government Survey

To obtain a better understanding of the current security and audit practices of other organizations, and to provide a base from which comparison could be made, a survey was developed. The survey was interested only in traditional information systems involving computers and data networks.

All Australian government organizations were chosen as the population. The number of responses became the sample size. It was not intended that complex statistical methods would be used; frequency analysis and percentages, with some cross-tabulation only, were required.

    5.1 Materials and Method

Three hundred and ninety organizations were identified as the population. Twenty surveys were sent to Commonwealth departments and related departments, and 370 were sent to State Government departments and related departments throughout Australia (see Table 1). The addresses were obtained from the Brisbane telephone directory and the Queensland State Library. Not all the related departments were included.


A sample size of 118 was determined by the responses received (see Table 2). A 30% sample size was considered more than adequate, as most statistical analysis is done on a sample size of 10 to 20 percent.

    5.2 The Survey

    To assist in the development of a framework the sur-vey was divided into five sections.

    Section one addressed audit trail generation andretention:

    Retention period

    Existence of a single audit facility

    Consistently implemented

    The way in which they are written or generated

    Application driven

    Office systems and e-mail

    Ability to inhibit

    Recording of system use

    Legislative requirement

    Section two addressed storage and backup of audittrails

    How they are stored

    Enhanced security mechanisms employed

    Type and number of backups

    Section three addressed the purpose and use of audittrails

    Reconstruction of activity performed

    Produced as evidence in a court of law

    Purpose and use

    Section four addressed responsibility and control foraudit trails

    Who is responsible

Is responsibility in job description

Protection from IT technical support activity

    Policy and procedure

    Section five addressed the organization

    Type of organization

    Size of organization

Table 1. Survey Population

Commonwealth Departments          20
State Governments
  Tasmania                        17
  Victoria                        22
  South Australia                 31
  Western Australia               43
  New South Wales                 77
  Northern Territory              30
  Queensland                     150
Total                            390

Table 2. Survey Sample

Commonwealth Departments          20
State Governments (identified)
  Tasmania                         6
  Victoria                         1
  South Australia                  7
  Western Australia               13
  New South Wales                 11
  Northern Territory               7
  Queensland                       7
Unidentified                      46
Total                            118


    6. Discussion

A good cross-representation of organizational size was received: one third each from small, medium and large organizations (see Table 3, Appendix 1).

Of the 118 responses received, 100 said they generate audit trails. Of these 100, 96 said they retain them. Thirty percent retain them indefinitely, with a further thirty percent retaining them for between 5 and 10 years. It is reasonable to say from these results that government organizations in Australia have a need and/or are required to generate and retain audit trails for a significant period of time. (See Table 4, Appendix 1)

Although required to generate and retain audit trails, the manner in which this is done is inconsistent. Eighty-six organizations said they do not have a single audit trail facility implemented, and 64 of these do not implement their audit trails consistently.

There is a very strong reliance on in-house developed, application-driven audit trails.

Where used, Microsoft Corporation's Windows NT is relied on for audit trail generation for office systems. A larger number of organizations than expected are generating audit trails for office systems. The number generating audit trails for e-mail was also greater than expected. This is significant given that most e-mail systems do not have full auditing capability built in.

The ability to inhibit audit trails was high. This raises concerns over the ability to prove whether an audit trail system was operating at a given time.
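A way to address the concern just raised, as an added example that is not from the paper or any surveyed system: if the audit subsystem writes a heartbeat record at a fixed interval, the trail itself shows for which periods auditing was demonstrably operating, and a question such as "was auditing running at 09:20?" can be answered from the records rather than asserted in a certificate. The log format, the five-minute interval, the tolerance and the sample lines are constructed for the example.

```python
from datetime import datetime, timedelta

# Added example, not the paper's or any product's code. Constructed log: the
# audit subsystem writes a HEARTBEAT record every five minutes; between 09:10
# and 09:40 it was inhibited, so no records of any kind were written.
SAMPLE_LOG = """\
2001-03-14T09:00:00 HEARTBEAT audit=running
2001-03-14T09:02:13 QUERY user=u1234 subject=vehicle
2001-03-14T09:05:00 HEARTBEAT audit=running
2001-03-14T09:10:00 HEARTBEAT audit=running
2001-03-14T09:40:00 HEARTBEAT audit=running
2001-03-14T09:41:30 QUERY user=u5678 subject=person
2001-03-14T09:45:00 HEARTBEAT audit=running
"""

INTERVAL = timedelta(minutes=5)      # assumed heartbeat period
TOLERANCE = timedelta(seconds=30)    # assumed scheduling/clock slack


def parse_log(text):
    """One record per line: <ISO timestamp> <type> key=value ..."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *pairs = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "type": kind,
                        "fields": dict(p.split("=", 1) for p in pairs)})
    return records


def _heartbeats(records):
    return sorted(r["ts"] for r in records if r["type"] == "HEARTBEAT")


def silent_windows(records, interval=INTERVAL, tolerance=TOLERANCE):
    """Spans between consecutive heartbeats longer than the period: times for
    which the trail cannot show that auditing was operating."""
    beats = _heartbeats(records)
    return [(a, b) for a, b in zip(beats, beats[1:]) if b - a > interval + tolerance]


def was_auditing_at(records, when, interval=INTERVAL, tolerance=TOLERANCE):
    """True only if `when` lies between two heartbeats a normal period apart.
    Outside such a span the absence of a record proves nothing either way."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    beats = _heartbeats(records)
    for a, b in zip(beats, beats[1:]):
        if a <= when <= b:
            return b - a <= interval + tolerance
    return False


def records_in_silent_windows(records, interval=INTERVAL, tolerance=TOLERANCE):
    """Non-heartbeat records that fall inside a silent window: something wrote
    them while the heartbeat was absent, which itself needs explaining."""
    windows = silent_windows(records, interval, tolerance)
    return [r for r in records if r["type"] != "HEARTBEAT"
            and any(a < r["ts"] < b for a, b in windows)]
```

The heartbeat does not stop an administrator from inhibiting the audit trail; it turns a silent inhibition into a visible gap, so the statement that the system was "operating properly" at a given time is backed by records rather than by the certifier's belief.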

Recording of system use and activity is inconclusive: only 13 record every keystroke and 31 record every query, but in section 3, 64 said they could reconstruct all activity performed on a data element. It is not possible to reconstruct all activity unless queries have been recorded. (See Tables 4 and 6, Appendix 1)

It is interesting to note that finance and audit legislation is still the main legislative driver for audit trails (25 of the 31 organizations reporting a legislative requirement). Only one organization said it keeps audit trails for privacy legislation reasons (see Table 4, Appendix 1).

There is very little segregation of audit trails from the data they record (37.3% keep them as separate files on the same server as the data and 23.7% keep them in the same database), and enhanced security mechanisms such as checksumming and encryption are rarely used: 67.8% use none. Backup is taken a little more seriously, with 50% keeping two copies, most of them (45.8%) with one copy off site. Thirty-one percent of organizations that keep two copies secure one copy as the original (see Table 5, Appendix 1).
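As an added example that is not part of this paper and is not QPS code, the following Python shows what the record checksumming asked about in section two looks like when it is designed with evidentiary use in mind, and how it answers the two concerns above: each record carries an HMAC over its own content and the previous record's HMAC, so an altered or deleted record is detectable, and a periodic heartbeat record makes a period in which auditing was inhibited show up as a gap in the trail rather than as silence. It also shows why reconstruction of all activity on a data element depends on queries being recorded. The key, the heartbeat interval, the record layout and the sample records are all assumptions made for the example.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Assumptions for this example (not from the paper): a secret key held by
# whoever secures the "original" copy of the trail, a fixed genesis value for
# the first record, and an audit process that writes a heartbeat record at
# least every HEARTBEAT_SECONDS so that silence can be told from inactivity.
AUDIT_KEY = b"example-key-not-for-production"
GENESIS = "0" * 64
HEARTBEAT_SECONDS = 60


def _chain_mac(prev_mac, body):
    """HMAC-SHA256 over the previous record's MAC and this record's canonical JSON."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, prev_mac.encode() + canonical, hashlib.sha256).hexdigest()


def append_record(trail, ts, user, action, element=None):
    """Append one record; seq and the chaining MAC are derived from the trail itself.

    action is one of add, modify, delete, query or heartbeat; ts is epoch seconds.
    """
    prev_mac = trail[-1]["mac"] if trail else GENESIS
    body = {
        "seq": trail[-1]["seq"] + 1 if trail else 1,
        "ts": ts,
        "user": user,
        "action": action,
        "element": element,
    }
    record = dict(body, mac=_chain_mac(prev_mac, body))
    trail.append(record)
    return record


def verify_trail(trail):
    """Return a list of findings; an empty list means the trail is intact and complete.

    Three checks per record, in this order: the MAC (alteration or a broken chain),
    the sequence number (deleted records) and the time since the previous record
    (auditing inhibited at system level, or the audit process stopped).
    """
    findings = []
    prev_mac, prev_seq, prev_ts = GENESIS, 0, None
    for rec in trail:
        body = {k: v for k, v in rec.items() if k != "mac"}
        if not hmac.compare_digest(_chain_mac(prev_mac, body), rec["mac"]):
            findings.append(f"seq {rec['seq']}: record altered or chain broken")
        if rec["seq"] != prev_seq + 1:
            findings.append(f"seq {rec['seq']}: sequence gap after {prev_seq} (records missing)")
        if prev_ts is not None and rec["ts"] - prev_ts > HEARTBEAT_SECONDS:
            findings.append(f"seq {rec['seq']}: no record for {rec['ts'] - prev_ts}s (auditing inhibited?)")
        prev_mac, prev_seq, prev_ts = rec["mac"], rec["seq"], rec["ts"]
    return findings


def activity_on(trail, element):
    """Reconstruct all activity on a nominated data element, queries included."""
    return [(r["seq"], r["user"], r["action"]) for r in trail if r["element"] == element]


def build_sample_trail():
    """Constructed sample data, not QPS records: five records over 100 seconds."""
    trail, t0 = [], 1_000_000_000
    append_record(trail, t0, "audit", "heartbeat")
    append_record(trail, t0 + 10, "alice", "query", "person/123")
    append_record(trail, t0 + 50, "alice", "modify", "person/123")
    append_record(trail, t0 + 70, "audit", "heartbeat")
    append_record(trail, t0 + 100, "bob", "delete", "person/123")
    return trail


def build_inhibited_trail():
    """Constructed sample: auditing switched off for 200 s between records 2 and 3."""
    trail, t0 = [], 1_000_000_000
    append_record(trail, t0, "audit", "heartbeat")
    append_record(trail, t0 + 10, "alice", "query", "person/123")
    append_record(trail, t0 + 210, "audit", "heartbeat")
    return trail


def tamper_scenarios():
    """Copies of the sample trail with one record altered and one record deleted."""
    altered = deepcopy(build_sample_trail())
    altered[2]["user"] = "mallory"          # rewrite who made the modification
    deleted = deepcopy(build_sample_trail())
    del deleted[2]                          # drop the modification record entirely
    return {"altered": altered, "deleted": deleted}


if __name__ == "__main__":
    print("intact   :", verify_trail(build_sample_trail()))
    for name, trail in tamper_scenarios().items():
        print(f"{name:9}:", verify_trail(trail))
    print("inhibited:", verify_trail(build_inhibited_trail()))
    print("person/123:", activity_on(build_sample_trail(), "person/123"))
```

The value of the scheme depends entirely on who holds the key: it has to be the party that secures the original copy of the trail, not the technical support staff who administer the system being audited, otherwise the exposure reported in Table 7 (47% do not protect audit trails from technical support) simply moves from the records to the key. Deleting the heartbeat records from an inhibited trail after the fact does not help the person who switched auditing off, because the deletion then shows up as a sequence gap and a broken chain instead.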

Twenty-eight organizations have been required to produce their audit trails as evidence in court. Sixteen of these organizations indicated they were law enforcement, law enforcement affiliated or part of the criminal justice system; the remaining twelve were not. This indicates that organizations other than law enforcement also need to secure their audit trails to a standard consistent with law enforcement for evidentiary purposes (see Table 6, Appendix 1).

Whilst the requirement to produce audit trails in court is moderate to low, 50% of organizations keep audit trails for business/operational purposes. It is predictable that the electronic business and commerce direction of information technology will cause this requirement to increase, and the need to produce audit trails in court to increase with it.

The 50% for business/operational purposes and the 58% for system misuse are similar to, and consistent with, the need for and use of audit trails in the QPS (see Table 6, Appendix 1).

The responsibility and control for audit trails is very poor from a security perspective. The results for section four show that technical information systems staff are responsible for audit trails (information systems department 46.6%, systems administrator 40.7%), with the information security department responsible in only 11.9% of organizations. More than half (55.9%) have no responsibilities written in job descriptions; 45% have no clear lines of segregation; 47% do not protect audit trails from, or monitor, IT technical support staff; and only 33% have a policy for audit trails (see Table 7, Appendix 1).

7. Conclusion

It has been shown that most organizations studied generate and retain audit trails. When compared to the main areas that must be considered for a security framework, mentioned in section 2.1, the current practices employed by Australian government organizations are neither consistent nor comprehensive. It is suggested that if tested in a court of law the audit trails would not withstand a serious legal challenge.

Computers & Security, Vol. 20, No. 5

Preliminary findings, which are the subject of this paper, were presented at the Security in Government Conference 1999 in Canberra, Australia, and at the IFIP WG 9.6/11.7 Working Conference on Security and Control of IT in Society-II (SCITS-II) in Bratislava, 2001.

References

[1] T. Parker and C. Sundt, Information Security Handbook, ICL, International Computers Limited, England, 1993.

[2] Information Systems Audit and Control Foundation Research Board, CobiT Audit Guidelines, Sept 1996.

[3] Queensland Law Reform Commission, Some Notes About The Queensland Law Reform Commission's Evidence and Technology Reference, Oct 1997.

[4] Australian/New Zealand Standard AS 4444:1996, Information Security Management.

[5] E. Casey, Digital Evidence and Computer Crime, Academic Press, Cambridge, 2000.

[6] W. Yancey, Electronic Evidence and Records Retention, http://www.willyancey.com/electronic_evidence.htm

[7] A. Gahtan, Electronic Evidence, Carswell, Sept 1999. http://www.gahtan.com.cyberlaw/electronic_Evidence/

[8] International Association of Chiefs of Police, Best Practices for Seizing Electronic Evidence, http://wwwtreas.gov/usss/index.htm?electronic_evidence.htm&1

[9] W. Caelli, D. Longley and M. Shain, Information Security Handbook, Macmillan Publishers Ltd, Great Britain, 1991.

[10] C. J. Date, An Introduction to Database Systems, Volume I, Fourth Edition, Addison-Wesley Publishing Company Inc., United States of America, 1986.

[11] Hon. W. J. Carter QC, Criminal Justice Commission, Police and Drugs: A Report of an Investigation of Cases Involving Queensland Police Officers, Oct 1997.

[12] Hon. Justice J. R. T. Wood, Royal Commission into the New South Wales Police Service, Final Report Volume II: Reform, May 1997.

[13] K. Chasse, Electronic Evidence: Computer-Produced Records in Court Proceedings, Uniform Law Conference of Canada, Proceedings of the 1994 Annual Meeting, Toronto, Ontario, Canada, June 1994.

[14] Protective Security Manual, Commonwealth Government of Australia, Edition 3, 1998.

[15] Information Standard 18 - Information Security, Queensland Government, 1998.

[16] Queensland Evidence Act 1977.

[17] Defence Signals Directorate, Australian Communications-Electronic Security Instructions 33 (ACSI 33): Security Guidelines for Australian Government IT Systems, April 1998.

    Acknowledgements

This paper has been edited and reviewed by Professor William Caelli, Head of School of Data Communications, Queensland University of Technology (QUT), Brisbane, Australia.

This paper has also been reviewed and approved for release by Mr Richard Warry, Deputy Chief Executive (Resource Management), Queensland Police Service, Brisbane, Australia.

    Appendix 1. General Results


Size of organization Frequency Percent

    Less than 100 31 27.0

    100 to 499 22 19.1

    500 to 999 17 14.8

    1000 to 4999 29 25.2

    5000 to 9999 6 5.2

    10000 or more 9 7.8

    Not applicable 1 0.9

    Frequency Missing = 3

    Section five: The Organization

    Table 3: Size of Organizations


Question Area (Using sample 118) Frequency Percent

    Audit trail generation Yes 100 85.5

    No 17 14.5

    Missing 1

    Audit trail retention Yes 96 81.4

    No 4 3.4

    Retention period < 5 Yrs 24 20.5

    5-7 Yrs 28 23.9

    8-10 Yrs 6 5.1

    Indefinitely 33 28.2

    Other 7 6.0

    Existence of a single audit facility Yes 7 5.9

    No 86 72.9

    Unsure 6 5.1

    N/A 19 16.1

Consistently implemented Yes 21 17.8

No 64 54.2

    Unsure 7 5.9

    N/A 26 22.0

    The way in which they are written or generated

    Application system driven Yes 87 73.7

    Operating system driven Yes 50 42.4

    Database journals Yes 49 41.5

    Network/comms node driven Yes 20 16.9

    System journals Yes 35 29.7

    Other = Manual Yes 2 1.7

    Application driven - how?

    In-house developed Yes 61 51.7

    Proprietary software Yes 52 44.1

    Both Yes 22

    Office systems and E-Mail Word processing Yes 19 16.1

    Spreadsheet applications Yes 17 14.4

    Internal e-mail systems Yes 42 35.6

    Internet e-mail systems Yes 45 38.1

    Ability to inhibit

    No ability Yes 35 29.7

    System level Yes 51 43.2

    Transaction level Yes 9 7.6

    User level Yes 9 7.6

    Data level Yes 10 8.5

    Other = Outsourced & table Yes 5 4.2

    Recording of system use

    Every keystroke Yes 13 11.0

    Particular types of data Yes 40 33.9

    Particular systems Yes 55 46.6

    Other = CICS, sensitivity Yes 7 5.9

    Activity recorded

    Every addition Yes 77 65.3

    Every deletion Yes 74 62.7

    Every modification Yes 84 71.2

    Every query Yes 31 26.3

    Legislative requirement Yes 31 26.7

    No 69 57.8

    Finance and audit 25

    Archives 3

    Privacy 1

Table 4: Results for section one: Audit trail generation and retention


Question Area (Using sample 118) Frequency Percent

Audit trail storage

    Magnetic tape Yes 59 50.0

    Separate files on same server as data Yes 44 37.3

    Separate server Yes 21 17.8

    In the same database Yes 28 23.7

    Other = CD and hardcopy Yes 8 6.8

    Enhanced security mechanisms

    Not Used Yes 80 67.8

    Encryption at file level Yes 4 3.4

    Encryption at data level Yes 2 1.7

    Record checksumming Yes 2 1.7

    Session checksumming Yes 3 2.5

    Other = Unsure Yes 8 6.8

    Audit trail backup 1 copy only 34 28.8

2 copies on site 5 4.2

1 on site 1 off 54 45.8

    > 2 copies 7 5.9

    If two copies kept is one secured as the original Yes 37 31.6

    No 26 22.2

    N/A 54 46.2

    Table 5: Results for section two: Storage and backup of audit trails

    Question Area (Using sample 118) Frequency Percent

    Reconstruction of all activity performed

    On a nominated data element Yes 64 54.2

    From a particular location Yes 25 21.2

    From a nominated computer terminal Yes 22 18.6

    By a nominated user Yes 55 46.6

Produced as evidence in a court of law (number of times)

0 71 60.7

    < 5 18 15.4

    between 5 & 10 3 2.6

    > 10 2 1.7

    > 5 times per year 5 4.3

    Purpose and use of the audit trails

    Technical Yes 74 62.7

    Business/operational Yes 59 50.0

    System misuse Yes 69 58.5

    Evidence in court Yes 16 13.7

    Criminal action Yes 11 9.4

    Civil action Yes 7 5.9

    Expert witness Yes 3 2.5

    Pro-active monitoring Yes 57 48.3

    Freedom of information requests Yes 18 15.3

    Table 6: Results for section three: Purpose and use of audit trails


    Question Area (Using sample 118) Frequency Percent

    Responsibility for audit trails

    Information security department Yes 14 11.9

    Audit department Yes 10 8.5

    Information systems department Yes 55 46.6

    Systems administrator Yes 48 40.7

    Other = Business owner, Outsourced Yes 17 14.4

Responsibilities in job descriptions Yes 22 18.6

    No 66 55.9

    Unsure 12 10.2

    N/A 18 15.3

    Clear lines of segregation Yes 34 28.8

    No 53 44.9

    Unsure 13 11.0

    N/A 18 15.3

    Protect from IT technical support Yes 28 23.7

    No 56 47.5

    Unsure 16 13.6

    N/A 18 15.3

    Policy exists for audit trails Yes 39 33.1

    No 48 40.7

    Unsure 13 11.0

    N/A 18 15.3

    Table 7: Results for section four: Responsibility and control for audit trails

Caroline Allinson is employed as Manager Information Security for the Queensland Police Service (QPS) in Brisbane, Australia.

This position involves management of information security policy development, information systems access control, assisting with investigations which include evidence in court, security auditing, and security advice and consultancy.

In September 1994, Ms Allinson was awarded the Courier-Mail Police scholarship and travelled internationally to research and study Information Security and Computer Crime.

Ms Allinson is a Certified Information Systems Auditor, holds a Bachelor of Business (Computing) and a Master of Information Technology, and is currently studying for her Doctorate. Her thesis is titled Legislative and Security Requirements of Audit Material for Evidentiary Purpose.

She is a member of the Australian Institute of Management, the Australian Computer Society and the Information Systems Audit and Control Association.

Ms Allinson has worked as a guest lecturer and tutor in Information Technology at the Queensland University of Technology, Brisbane, Australia, and is a member of the Faculty of Information Technology's Advisory Committee.