Solving Crimes: Admissible Access Control Logs?

Access control records are commonly admitted into court cases to prove or disprove where people were when crimes were committed.

For example, in the high-profile Annie Le murder case, access control records played a key role in convicting the murderer:

"Electronic Trail

Cops also made use of a secure system where they could track the suspect and victim’s movements throughout the building.

Electronic key-card records reveal Clark traveling in unusual patterns throughout the building during the 10 days leading up to Le’s disappearance. Rooms inside the secure part of the lab are only accessible by key card.

Clark was the only one to access Room G22 during the time of the suspected crime, the warrant states.

The key card records, and the DNA evidence on the lab coat, bloody sock and the green pen were enough to establish probable cause that Clark was the killer, Brafuhr wrote."

...and this case is just one of many where prosecution hinged on access system logs.

With a disproportionate amount of scrutiny applied to video surveillance admissibility (i.e. watermarking, chain of custody, codec), there is almost no mention of similar criteria for access control records.

It seems to me that tampering with access records would be dramatically less complex than tampering with frames of video; identity can be spoofed (or cards can be misused by others), and the vulnerability of time/date falling out of sync is real.

Do you know of any court admissibility standards for access control records?

In one of my cases, the access records proved a person could not have been there. Charges were dropped before it ever got to court.

That is what happens in most cases, in my opinion. Most cases, criminal or civil, don't ever get to a jury. They are settled one way or another before that happens. That is one reason security professionals have such a hard time proving the value of the investment to the client. There is little actual case law.

That's interesting.

Do you think it would be difficult for a semi-knowledgeable expert to create 'reasonable doubt' that whatever activity the logs reveal could be inaccurate?

People can enter buildings outside the system via tailgating or door propping. Cards can be used (and even cloned) by strangers. PINs can be brutally insecure.

Even when system log files or reports are exported, they come out as free text or editable document files. There is no common method of 'watermarking' exported report data. Maybe exporting PDFs offers some sort of security here?

If a defender can discredit 'DNA evidence' due to sloppy handling in the lab, couldn't the same effort be applied to information technology?
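The two concerns raised in this thread, that an exported access report is editable free text with no integrity check, and that controller clocks can drift out of sync, are both checkable in software. The block below is an added example written for this page, not code from the original thread or from any access control vendor. It assumes a simplified record format and a hypothetical export signing key held by the system owner; the sample records are constructed, not real log data. It seals an export with a chained HMAC so that editing, deleting or reordering any record breaks the chain, and it flags timestamps that run backwards on the same reader, which is the symptom of an unsynchronised panel clock.

```python
"""Tamper-evident export of access-control log records (added example).

Assumptions (not from the thread): records are dicts with ts/reader/card/result,
and EXPORT_KEY is a secret held by the system owner and disclosed only to the
party verifying the export under chain of custody.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Constructed sample export; readers, card numbers and dates are invented.
SAMPLE_RECORDS = [
    {"ts": "2023-05-04T10:02:11", "reader": "lab-door-1", "card": "1042", "result": "granted"},
    {"ts": "2023-05-04T10:40:53", "reader": "lab-door-2", "card": "1042", "result": "granted"},
    {"ts": "2023-05-04T10:41:30", "reader": "lab-door-1", "card": "2290", "result": "denied"},
    {"ts": "2023-05-04T12:15:07", "reader": "lab-door-1", "card": "1042", "result": "granted"},
]

EXPORT_KEY = b"hypothetical-export-signing-key"  # assumption: owner-held secret
GENESIS = b"\x00" * 32  # fixed starting value for the chain


def canonical(record):
    """Serialise a record deterministically so the tag does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_records(records, key=EXPORT_KEY):
    """Return a copy of records where each carries a tag over itself and the previous tag."""
    sealed = []
    prev = GENESIS
    for rec in records:
        tag = hmac.new(key, prev + canonical(rec), hashlib.sha256).hexdigest()
        sealed.append({**rec, "tag": tag})
        prev = bytes.fromhex(tag)
    return sealed


def verify_seal(sealed, key=EXPORT_KEY):
    """Return the index of the first record whose tag fails, or None if intact.

    Because every tag commits to its predecessor, a deleted or reordered record
    shows up as a failure at the next record, not just a silent gap.
    """
    prev = GENESIS
    for i, rec in enumerate(sealed):
        body = {k: v for k, v in rec.items() if k != "tag"}
        expected = hmac.new(key, prev + canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(rec.get("tag", ""))):
            return i
        prev = bytes.fromhex(expected)
    return None


def clock_anomalies(records, max_skew=timedelta(seconds=0)):
    """Return indices of records whose timestamp runs backwards for the same reader.

    An export is normally ordered by the head-end's receive time; a record whose
    own timestamp is earlier than the previous one from that reader means the
    panel clock was behind or was reset.
    """
    last_seen = {}
    anomalies = []
    for i, rec in enumerate(records):
        ts = datetime.fromisoformat(rec["ts"])
        prev = last_seen.get(rec["reader"])
        if prev is not None and ts < prev - max_skew:
            anomalies.append(i)
        last_seen[rec["reader"]] = ts if prev is None else max(prev, ts)
    return anomalies


if __name__ == "__main__":
    sealed = seal_records(SAMPLE_RECORDS)
    print("intact export verifies:", verify_seal(sealed) is None)
    edited = [dict(r) for r in sealed]
    edited[0]["card"] = "2290"  # change who badged in
    print("first failing record after edit:", verify_seal(edited))
    print("clock anomalies in sample:", clock_anomalies(SAMPLE_RECORDS))
```

The chain only proves the export has not changed since it was sealed; it says nothing about whether the controller recorded the right card holder in the first place, which is the tailgating and card-sharing problem raised above. Keeping the key with the system owner and recording who sealed the export and when is the part that belongs in the chain-of-custody paperwork.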

Of course they could do it. The question is not whether they can or not, the question is why would they? That is where a judge comes in. That is why I like judges far more than juries. Judges examine the likelihood by a preponderance of the evidence. Any and every security professional is expected to use "customary and reasonable care" when handling or evaluating any kind of evidence. If you ever get called on to testify about anything, remember those two words. Customary and reasonable.

That is why we have forensic specialists. I read in an earlier post that cards "could" be cloned. Well, yes they can. I am not aware of anyone actually gaining access to any building that way, but yes, it could happen. But how many actually possess the knowledge, equipment and requisite intent? That is a very small sampling.