FYI: "audit" logs and "forensics" logs are different beasts.

Traditionally, an "audit" is when the auditor is trying to confirm something specific, like whether your numbers add up or you correctly followed procedures.

A "forensics" investigation is open-ended, indeterminate.
An audit starts with something that is known, such as reported quarterly results, and seeks to confirm that it is actually true.

A forensics investigation starts with an unsolved crime, and hopes to maybe find out what happened, and half the time comes to no conclusion.
They do overlap. Forensic auditors seek to find money that people try to hide off books or embezzle, for example. Before computer logs, I'm not sure if there was an important distinction.
But with computers, the difference becomes important. Take, for example, the claims that election computers were connected to the Internet (from Maricopa, Arizona and Mesa, Colorado). These claims come not from "audit" logs but "forensics" logs, and that's important.
If there were an "audit" log, there would be a clear and unambiguous record of everything the computer connected to. Testing whether it was connected to the Internet would be a simple yes/no question an auditor could answer.
But we don't have that. We must instead do a forensics examination of the computer in order to search for clues. And what we find gives us unsatisfactory answers, some anomalies that might be explained by Internet connectivity.
In Dominion's election systems, standard practice eventually wipes the system logs but preserves the election audit trail. Trumpists claim that this means elections cannot be audited. Hence, this distinction becomes important.
Since Trumpists released the disk image of the Mesa (Colorado) system to the Internet, we can see for ourselves. I've thoroughly forensicsed (sic) the image and can find no conclusion either way about what they say about Internet connectivity or hacking.
The point is that most of the time, nobody cares about the difference between "audit logs" and "forensics logs" -- until something like this happens and the difference becomes really important.
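To make the distinction concrete, here is an added example (my own code, not from the thread or from any election vendor) that asks the same question two ways: "was this host ever connected to the Internet?" The audit side assumes a complete, hash-chained record of every outbound connection, so the answer is a definite yes or no, and a broken chain means the record can no longer support either answer. The forensic side assumes only scattered artifacts recovered from a disk image (driver installed, gateway configured, DNS cache entries), none of which is a direct record of a connection, so the honest result is usually "inconclusive". All data, field names and artifact kinds are constructed for the illustration.

```python
"""Audit record vs. forensic evidence for one question: Internet connectivity.

Added example, not from the original thread. Everything below (record
layout, artifact kinds, sample data) is a constructed assumption.
"""
import hashlib
import ipaddress
import json

GENESIS = "0" * 64  # hash "before" the first record


def _entry_hash(prev_hash, entry):
    # Bind this entry to the previous record's hash so edits or gaps are detectable.
    payload = prev_hash + json.dumps(entry, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_audit_log(connections):
    """Build a hash-chained audit log from outbound connection events."""
    log, prev = [], GENESIS
    for conn in connections:
        h = _entry_hash(prev, conn)
        log.append({"entry": conn, "prev": prev, "hash": h})
        prev = h
    return log


def verify_chain(log):
    """True only if every record links to its predecessor and its hash recomputes."""
    prev = GENESIS
    for rec in log:
        if rec["prev"] != prev or _entry_hash(prev, rec["entry"]) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


def audit_internet_connectivity(log):
    """The auditor's question: did any logged connection go to a public address?

    With a complete record the answer is "yes" or "no". If the chain does not
    verify, the log has been altered or truncated and cannot support either.
    """
    if not verify_chain(log):
        return "unauditable: log altered or incomplete"
    for rec in log:
        if ipaddress.ip_address(rec["entry"]["dst"]).is_global:
            return "yes"
    return "no"


# Artifact kinds that are consistent with Internet access but equally with an
# isolated LAN; on their own they cannot settle the question.
CIRCUMSTANTIAL = {"network_driver_installed", "default_gateway_configured", "dns_cache_entry"}


def forensic_internet_connectivity(artifacts):
    """The investigator's question over artifacts scraped from a disk image.

    Returns (verdict, findings). Only a direct record of a connection to a
    public address supports "likely". No artifacts is not proof of isolation,
    because the system logs that would show connections may simply be gone.
    """
    findings, direct = [], False
    for art in artifacts:
        kind, value = art["kind"], art["value"]
        if kind == "outbound_connection_record":
            if ipaddress.ip_address(value).is_global:
                direct = True
                findings.append(f"direct: connection record to public address {value}")
            else:
                findings.append(f"benign: connection record to private address {value}")
        elif kind in CIRCUMSTANTIAL:
            findings.append(f"circumstantial: {kind} ({value})")
        else:
            findings.append(f"unclassified: {kind} ({value})")
    if direct:
        return "likely", findings
    if any(f.startswith("circumstantial") for f in findings):
        return "inconclusive", findings
    return "no evidence either way", findings


if __name__ == "__main__":
    # Constructed sample data, not taken from any real system.
    conns = [{"ts": "2021-11-01T10:00:00Z", "dst": "192.168.10.5", "port": 445},
             {"ts": "2021-11-01T10:05:00Z", "dst": "10.0.0.3", "port": 1433}]
    log = build_audit_log(conns)
    print("audit:", audit_internet_connectivity(log))
    log[0]["entry"]["dst"] = "8.8.8.8"  # alter a record after the fact
    print("audit after edit:", audit_internet_connectivity(log))
    artifacts = [{"kind": "network_driver_installed", "value": "e1000e"},
                 {"kind": "dns_cache_entry", "value": "printer.lan"}]
    print("forensics:", forensic_internet_connectivity(artifacts))
```

The design point is that the audit log answers a question that was decided in advance (what to record, and how to prove nothing was removed), while the forensic function can only grade whatever happens to survive; wiping the system logs removes the direct artifacts and leaves exactly the circumstantial kind that produce "inconclusive".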

More from @ErrataRob

21 Oct
My 9-year-old NAS RAID is having drives failing.

One drive failed completely. Another reported recoverable SMART read errors, so it, too. Now a third is reporting recoverable SMART errors.

I think maybe it's time to replace all the drives. With bigger ones of course.
For the non technical:
NAS = server on my local network
RAID = extra ("redundant") drives so that if one fails, it can be replaced without losing data
SMART = a feature of modern disk drives that records events, from temperatures, how many hours it's been on, and various errors
"Errors" can be recoverable -- the read head repeatedly reads the chunk of data until it gets back a valid chunk. But when they start happening, it means unrecoverable errors are likely to start happening.
19 Oct
If your infosec program consists of Magic Quadrant leading tools then you are morons.
It's not technical experts evaluating products that put them in the Magic Quadrant. It's marketing experts evaluating marketing messages that put them in Magic Quadrant.
Gartner's customers, those buying Magic Quadrant reports, aren't the techies in the trenches using them, but high-level management who'd prefer to listen to Gartner market analysts than their own techies.
15 Oct
I went to the eye doctor today. I shouted (well raised my voice slightly) "you aren't listening to me".

I finally got my eyes diagnosed in ways that should've been done when I was a kid. My eyes have many small problems that have been ignored forever.
I can see the same confirmation bias that I see in my own industry, where evidence is simply pigeonholed into what they already know, so there's terrible inertia if something doesn't quite fit an existing pigeonhole.
I have three separate problems but they are all minor. But they mean that whenever I get glasses, they don't help much, which is why I don't wear glasses.
15 Oct
Ok, let's turn this around and look at it from the Governor's point of view.

Anti-hacking laws are largely based upon trespassing laws. So let's look at it from that angle.
You've seen "no trespassing" signs like this one.
Prosecutor: did you see the sign?
Trespasser: yes, but the fence was so easy to climb over it posed no barrier
Prosecutor: but did you see the sign?
Trespasser: yes
Prosecutor: so you knew you were trespassing?
Trespasser: yes
Computer trespass works the same way:

Hacker: yes, but base64 isn't serious encryption and easily bypassed
Prosecutor: but you knew you weren't authorized to see that social-security number?
Hacker: yes, but...
Prosecutor: so you knew you were trespassing?
Hacker: yes, but
15 Oct
A governor of a state sent the police to harass a journalist who exposed embarrassing information. I'm not sure how that's not "pile-on" worthy. You don't need any technical knowledge to understand why this is a problem.
What techies understand is that when a website publishes something in a webpage, it's their fault for doing so, that obfuscating it so it requires extra steps to "decode" is not protection, and that bypassing obfuscation is not a crime.
You untechies may be confused about this, but it's a principle techies have understood since the 1880s ("Kerckhoffs's Principle"). This is not a typo. I didn't mean we've known since the 1980s, I mean it's a principle of the 1880s.
15 Oct
One of the funny things about "view source" is that I don't actually do it anymore. It's useless for a lot of websites.

Instead, we have to inspect the DOM. You see that when you right-click, you have two options, "View Page Source" and "Inspect".
If you do this on Twitter, you see that "View Source" is useless. It doesn't contain anything. That's because instead of displaying data, it uses dynamic requests to fill in pieces a little at a time.
A couple years back, Twitter made a change where requesting a URL doesn't get the tweet -- it only appears to get the tweet. A "View Source" on a URL with the tweet number gets JavaScript instead, which grabs a JSON version of the tweet, which it then inserts into the HTML DOM.