Rule #1 of a Forensic Investigator, actually learn what the logs show.
The logs were 100% accurate but did not contain the data that you
wanted, which would not have been very valid anyway.
The fact the bytes are unchanged does not indicate the content has not
changed.
The logs actually show the more useful data of the amount of data being
transferred.
If you want to make sure the “Source” is unchanged, dont look in log
files for the byte size of files, run frequent MD5 checks on the source
files.
I’m guessing this article is because he did a faulty job someplace where
he made faulty assumptions about what the data in the log showed and is
now trying to defend his own mistakes.
On 7/10/2012 9:06 AM, JayZie wrote:[color=blue]
http://blog.spiderlabs.com/2012/07/how_much_data.html[/color]
–
Craig Wilson - MCNE, MCSE, CCNA
Novell Knowledge Partner
Novell does not officially monitor these forums.
Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.
That’s really not the mystery they made it out to be… I’m no forensic
investigator, apache ninja or an ip flow wizard and I new right away the
larger byte number was with header data.
I mean, comeon’, computers don’t make stuff up.
Well, not Linux ones anyway. 
On 7/10/2012 8:06 AM, JayZie wrote:[color=blue]
http://blog.spiderlabs.com/2012/07/how_much_data.html[/color]