PART 8
(begin cross)
BZ: I just have a couple of questions for you, this won't take long. In formulating your - your opinion is this computer was tampered with? Is that correct?
GM: Yes, there was spoliation.
BZ: Spoliation...so is there a difference between tampered with and spoliation?
GM: Anytime I deem a computer's been touched - tactically it's the same thing.
BZ: So if there's...there's a computer and it's not received properly or not acquired properly - like if you don't do the thing to take the RAM out and...and then you go back and look at it and there's evidence that seems suspicious to you, is that spoliation? Is that a fair way to characterize it?
GM: No, I understand what you're trying to say...if the RAM - and there are times when you can't get the RAM, and you do the best that you can, you lose that live volatile data - you document it. If, once it's in our custody, if anything has happened to that computer, whether the drive crashed, whether it's the write-block is off and now we have file changes - I have to document that.
BZ: I think you moved away from the microphone a bit (GM adjusts position)...with a spoliation or tampering, that conclusion, what did you rely on - I think you said the fact that it was left on factored in there?
GM: Yes, I looked at the FBI report, I kind of looked at what's..I mean I work with the FBI, they do a phenomenal job, and I relied on their report, and then looked at how many files were altered...how many files were deleted. When I looked at the computer and did the imaging and so on - I could see that after the time it was in custody things were changed. That's an issue when you're doing forensics. Was it notated? I haven't seen any documentation - to me that's spoliation, and it's a problem-
BZ: And then, so you have that evidence...what else helps you form that conclusion? I guess-
GM: Protocol, if there's no protocol in place - there should be policies and guidelines on how you do a forensic examination. There's standards out there - there's NIST, there's USDoJ...there's all the different associations out there that have standards: ethics, integrity, making sure at any given time that you're documenting everything you do - there's forms (looks over at defense) I don't know if you have any of those forms with you? if you - I brought a couple
BZ: Okay, okay...so to form this conclusion you looked at the altered and deleted stuff, the fact that you haven't seen any protocols...what else leads you to that conclusion? I just wanna - I just
GM: okay, I can run you through. What happens is that - let's say I'm going onsite to grab, let's say in this instance I'm working with Law Enforcement, one of the first things I'm going to do is take digital photographs of the scene-
BZ: And I don't need a list of protocols and how you think are appropriately done
GM: okay based on what I saw-
BZ: Yah what did you see?
GM: and based on what I heard, and what I saw: the files were altered. There was access to that computer after it was supposedly - should have been, shut down...that didn't happen.
BZ: okay
GM: That was the biggest reason that I saw why files were altered. When we have metadata that's altered after the fact that's spoliation, and it can be considered tampering.
BZ: So is the altered data plus the lack of protocol and some of these facts that you heard around the case that equals tampering? or spoliation?
GM: spoliation-
BZ: spoliation is the word you want to use-
GM: yes
BZ: correct?
GM: (nods affirmative)
BZ: And when did you first get involved in this case?
GM: Thursday. I believe it was Thursday.
BZ: Welcome (laughing)
GM: pardon?
BZ: welcome
GM: Yah well I was sitting on the sidelines and every once in a while kind of looking at it, when I heard Jay testify and I was - you know, anyways - when I saw the data wasn't being done right and things weren't being handled right, as a forensic examiner...and I teach both law enforcement and non-law enforcement on following protocol - it bothered me.
BZ: okay
GM: and I felt like I needed to get involved.
BZ: okay
BZ: And um, Thursday - or whenever you got involved in this case, what ... did you look at an image copy of the defendant's hard drive from that laptop?
GM: not on Thursday
BZ: have you ever?
GM: I did.
BZ: okay and when did you do that?
GM: first time was Saturday. I had received a copy from the defense and more recently got a copy that was actually from the FBI through another forensic examiner.
BZ: I'm sorry...explain that?
GM: I received one copy from defense, I believe late Friday night
BZ: uh huh...
GM: kind of did a little bit of a preview, but then one...think it was Tuesday, I went to another forensic examiner who was holding all the data from the FBI.
BZ: and who is that?
GM: RMA
BZ: sorry, R M A?
GM: RMA, yes - it's the name of the company
BZ: and who is the examiner there that was-
GM: Rusty Gilmore
BZ: okay
BZ: And um, did you ever have occasion - what did you look at to determine spoliation in the files and that sort of stuff, what...
GM: I looked at last-accessed
BZ: okay and
GM: and the dates
BZ: okay but more generally at that image hard drive
GM: yes, I did
BZ: did you ever look at any routers?
GM: I don't have access to any routers
BZ: did you ever look at any router logs?
GM: in the past? yes
BZ: for this case - sorry about
GM: oh - yes, briefly
BZ: you looked at router logs from this case?
GM: yes, briefly, recently
BZ: okay, and when did that happen?
GM: I believe...late Tuesday night? I believe it was Tuesday...there was a lot of data there.
BZ: okay
BZ: and nothing about that helped you form your conclusion of spoliation or tampering, correct?
GM: I didn't have time to analyze that - I have other cases going on at the same time.
BZ: so your conclusion about tampering or spoliation is independent of those because you didn't have time to-
GM: correct, it's all based on that ThinkPad and what I've seen.
BZ: And that defendant's exhibit 80...your honor could I approach?
JG: you may
BZ: (approaches witness and hands document) did you ever look at this?
GM: I believe no (reading)...no I looked at something different
BZ: and do you have some notes up there? I -
GM: (hands his report to BZ) oh, here
BZ: And going to your report, your report's-
GM: It's not even all there I believe
BZ: okay, the part of the report you wrote is 3 pages? is that correct?
GM: No there's a total of maybe 16 pages or more...I can't remember, I had 48 hours to write this report, and ah...it was intense.
BZ: (with defense report open) so you're saying that this doesn't include your entire report.
GM: This right here (indicates what BZ is holding open) I don't think it's an exact copy, it's just bits and pieces - I grabbed it off my desk...the report's actually 33 pages, but I just grabbed this one, may not be an exact copy - sure looks to be, it is.
BZ: okay the first 3 pages are something you wrote
GM: yes,
BZ: the next pages are Jay Ward's report and you put things in the margins?
GM: yeah
BZ: and that comprises everything that you've done in this case?
GM: no, I'm still working on the hard drive, reviewing it.
BZ: okay, with those items written in the margin did you write all of those? or did Mr. Kurtz write some of those?
GM: which? the boxes? myself
BZ: the boxes are all yours?
GM: that's my - that's all mine
BZ: and when you first received these hard drives, what were you told?
GM: That I need to pay particular attention to the IBM ThinkPad, and they gave me the times to look at, dates, kind of an overview of the case...there was just a LOT of data. In the amount of time I had originally when I wrote this, I had very limited because they needed to get a report to you.
BZ: Yes sir, and when you looked at that image copy of the hard drive - that Saturday I guess which was 5 days ago, did you um - in terms of dates and times what dates and times were you told to look at?
GM: The um I believe the - July 11th-
BZ: okay, okay and were you told something like "we see some evidence of tampering can you confirm or deny that?"
GM: yes, I believe so
BZ: okay
GM: they wanted me to give my opinion on what I saw.
BZ: and you were pointed to the specific times?
GM: pardon?
BZ: I mean you were pointed to the specific times they didn't
GM: yes I was pointed to the specific time, I need to know the parameters of my searches - what am I looking at,
BZ: sure because you're not going to look at
GM: I'm not going to look at-
BZ: like stuff from 2007-
GM: April I mean...
BZ: okay
GM: there's data on there from long ago
BZ: you talked a little bit about malware, um that doesn't appear anywhere in your report does it?
GM: I think I mentioned, um, where ... (skimming through report) I did mention a finding ... 3 files - actually there were 4 files. On a forensic workstation we have Symantec Endpoint and I have a business license for those and so many licenses, and we have them at our workstations because, in the past you know, it seems like a good majority of hard drives we get on cases have malware. They're infected with viruses and so on. So we have that on there so we can detect it and document it, and in this case there was actually 4 that popped up.
BZ: okay, and do you recall what those were?
GM: the one was...let me see (reading) I apologize - beagle? I think a beagle dot 32, which is a trojan - there is an email trojan on there as well, I'd have to look at the ah - let me see here if I can find it...I think when I wrote that (to defense) when did I send that in there? I apologize - I put that in one of my reports...(flipping pages) don't see it in this report...I told the defense-
BZ: okay, are there any other documents that you've made in this case?
GM: I've made an EnCase E01 file image, and indexed the hard drive and FTK. And I can tell you actually what versions I used.
BZ: okay, I guess have you made other reports I mean
GM: not yet, I'm documenting what I'm doing.
BZ: okay, but you haven't completed it yet
GM: No, I haven't, there's just so much data to go through and I like to make sure I'm researching everything I'm doing - so this way I can testify to the truthfulness of what I'm finding.
BZ: and um, I think you said "we" a couple times...
GM: it's a habit, because I'm a company - I apologize to that, I know I put that in my notes, and it's just a habit...
BZ: it wasn't - was somebody else helping you with the analysis?
GM: no, nobody else was helping me on the analysis just myself - believe me...
BZ: you mentioned Rusty Gilmore earlier, was he doing anything for your-
GM: not for me, I don't know what he did exactly previous to me
GM: I've been pretty much consumed by this case...
(long pause)
BZ: I apologize...Mr. Masucci, and just to be clear, on the - you haven't had a chance to go through those routers correct?
GM: I don't have any actual routers- I wish I did.
BZ: okay
GM: and that was one of my other questions..I don't have...I would love to see the router logs because the only logs I am seeing are the event logs that are from the IBM ThinkPad, I can't validate or verify anything if I don't have those logs. That event log can say anything it wants, but if I can't validate it against a router - I'm not doing my job.
BZ: well, then, so you've had a chance to look at those event logs.
GM: just briefly...
BZ: just briefly?
GM: I mean there's a lot of data there to sift through, it would take me at least a week to do that and correlate that to see if I can find any correlation.
BZ: but you have the, I guess my question is with those logs they're all contained on that image hard drive correct?
GM: they should be on there, um - they pulled them out, I haven't looked at those I've got-
HK: Objection your honor - I'd just like some clarification here since Mr. Masucci doesn't even know about the newest provided logs that I -
BZ: I didn't object during his voir dire
HK: I'm saying there's a disk we just got that Mr. Masucci doesn't even know about yet, that contains event logs
BZ: (to GM) regardless of whether there's any disk floating out there, event logs exist on these image hard drives, correct?
GM: I haven't looked for them yet, potentially yes
BZ: but, I mean...
GM: potentially, yes - I mean they could be gone
BZ: okay
GM: I actually have to see and validate that
BZ: And this is all part of an investigation you're doing that started last Thursday correct?
GM: I hate the term investigation because the ah, certain department of justice and the state doesn't like us to term it as an investigation unless you're a private investigator.
BZ: okay
GM: so it's part of the "forensic exam". Depending on what is the perimeters of the search, what I'm asked to do - that's what I'll do. I will not go outside the perimeters of the search unless I'm told to.
BZ: And you said "what they provided" right before Mr. Kurtz objected, who is "they" that you're referr-
GM: the defense.
BZ: do you know where "they" got those logs from?
GM: I believe the FBI? I can't recall exactly.
BZ: okay
GM: actually the prosecution - it would be you I believe?
BZ: okay - thank you sir I don't have anything else.
-----------------------------------------------------END CROSS-----------------------------------------------------