|
The Results of Your Labor and a Thank You, by Ray Beckerman, Esq. - Updated |
|
Sunday, March 04 2007 @ 04:37 AM EST
|
The online community now has an opportunity to see the fruits of its labor. Back in December, the Slashdot ("What Questions Would You Ask an RIAA "Expert"?") and Groklaw ("Another Lawyer Would Like to Pick Your Brain, Please") communities were asked for their input on possible questions to pose to the RIAA's "expert", Dr. Doug Jacobson of Iowa State University, who was scheduled to be deposed in February in UMG v. Lindor, for the first time in any RIAA case. Ms. Lindor's lawyers were flooded with about 1400 responses.
The deposition of Dr. Jacobson went forward on February 23, 2007, and the transcript is now available online (pdf). Ray Beckerman, one of Ms. Lindor's attorneys, had this comment: "We are deeply grateful to the community for reviewing our request, for giving us thoughts and ideas, and for reviewing other readers' responses.
Now I ask the tech community to review this all-important transcript, and bear witness to the shoddy "investigation" and 'junk science' upon which the RIAA has based its litigation war against the people. The computer scientists among you will be astounded that the RIAA has been permitted to burden our court system with cases based upon such arrant and careless nonsense." Here is the deposition as text.
Update: The Jacobson exhibits are now online also.
***************************
1
1
2 UNITED STATES DISTRICT COURT
3 EASTERN DISTRICT OF NEW YORK
4 ---------------------------------------X
5 UMG RECORDINGS, INC., et al,
6
Plaintiffs, 05 CV 1095
7 (DGT)(RML)
vs.
8
9 MARIE LINDOR,
10 Defendant.
---------------------------------------X
11
12 February 23, 2007
13 9:30 a.m.
14
15 DEPOSITION of Expert Witness,
16 DR. DOUGLAS W. JACOBSON, held at the offices
17 of Vanderberg & Feliu, LLP, 110 East 42nd
18 Street, New York, New York, pursuant to
19 Notice, before ELIZABETH SANTAMARIA, a
20 Notary Public of the State of New York.
21
22
23
24 Reported by:
ELIZABETH SANTAMARIA
25 JOB NO. 54123
2
1
2 A p p e a r a n c e s :
3
4 HOLME ROBERTS & OWEN LLP
5 Attorneys for Plaintiffs
6 1700 Lincoln Street
7 Denver, Colorado 80203-4541
8 BY: RICHARD L. GABRIEL, ESQ.
9
10 VANDENBERG & FELIU, LLP
11 Attorneys for Defendant
12 110 East 42nd Street
13 New York, New York 10017
14 BY: RAY BECKERMAN, ESQ.
15
16
ALSO PRESENT: ZI MEI
17
18
19
20
21
22
23
24
25
3
1
2 --O0O--
3
4 IT IS HEREBY STIPULATED AND AGREED
5 that the filing and sealing of the within
6 deposition be, and the same are hereby
7 waived;
8
9 IT IS FURTHER STIPULATED AND AGREED
10 that all objections, except as to the form
11 of the question, be and the same are hereby
12 reserved to the time of the trial;
13
14 IT IS FURTHER STIPULATED AND AGREED
15 that the within deposition may be sworn to
16 before Notary Public with the same force and
17 effect as if sworn to before a Judge of this
18 Court;
19 IT IS FURTHER STIPULATED that the
20 transcript is to be certified by the
21 reporter.
22
23 --o0o--
24
25
4
1
2 D O U G L A S W. J A C O B S O N,
3 called as a witness, having been duly sworn
4 by the Notary Public, was examined and
5 testified as follows:
6 EXAMINATION BY
7 MR. BECKERMAN:
8 Q. Please state your name for the
9 record.
10 A. Dr. Douglas W. Jacobson.
11 Q. What is your business address?
12 A. 2215 Coover Hall, Iowa State
13 University, Ames, Iowa 50011.
14 Q. Dr. Jacobson, are you yourself an
15 engineer?
16 A. Yes.
17 Q. By what body are you certified as an
18 engineer?
19 A. By no professional society.
20 Q. No professional society? Is there
21 any organization that has certified you as an
22 engineer?
23 A. No.
24 Q. Are you part of any peer regulatory
25 body?
5
1 Jacobson
2 A. I don't quite understand what you
3 mean by --
4 Q. Are you part of any body the members
5 of which are peer-regulated?
6 A. Can you give me an example of what
7 you are --
8 Q. A lawyer, an architect, an
9 accountant.
10 I thought an engineer had to be
11 certified by a peer-regulated body.
12 A. To be called a professional engineer
13 they do.
14 Q. So are you not a professional
15 engineer?
16 A. I do not have a PE license.
17 Q. You are the founder of the Palisade
18 Systems?
19 A. That's correct.
20 Q. What other titles do you hold within
21 that organization?
22 A. Chief technology officer.
23 Q. And are you a member of the board of
24 directors?
25 A. Yes.
6
1 Jacobson
2 Q. Are you a shareholder?
3 A. Yes.
4 Q. What percentage of the shares of that
5 company do you own?
6 A. I believe it's about 3 percent.
7 Q. Palisade Systems sells software
8 products to universities, businesses and other
9 institutions that maintain networks; is that
10 correct?
11 A. Yes.
12 Q. Do these products include products
13 which are intended to combat file sharing through --
14 we are going to be using that term a lot.
15 Withdrawn.
16 These products include products that
17 are intended to combat peer-to-peer file sharing of
18 copyrighted works; is that correct?
19 MR. GABRIEL: Objection to form.
20 You can answer the question.
21 A. Yes.
22 Q. Is one of the reasons that these
23 organizations buy these products the avoidance of
24 lawsuits?
25 MR. GABRIEL: Objection to form.
7
1 Jacobson
2 Lack of foundation.
3 A. I don't -- since I'm not on the
4 marketing side, I really can't testify to why a
5 particular client buys the product.
6 Q. Have you been quoted in press
7 releases issued by the company as to reasons to buy
8 the product?
9 A. Yes.
10 Q. And in those press releases have you
11 stated that one of the reasons to buy the product is
12 to avoid lawsuits?
13 A. I very well could have. I do not --
14 without seeing one of the press releases.
15 Q. Is one of the reasons to buy these
16 products to avoid copyright infringement lawsuits?
17 MR. GABRIEL: Objection to form.
18 A. That would be a reason to buy one of
19 the products.
20 Q. And have you specifically referred to
21 lawsuits by the RIAA as one of the types of lawsuits
22 that they could avoid by buying these products?
23 A. To my recollection, I have not.
24 Q. Is it true that the RIAA backs the
25 software that was co-licensed between your company
8
1 Jacobson
2 and Audible Magic?
3 MR. GABRIEL: Objection to form.
4 Lack of foundation.
5 A. I do not know what arrangement
6 Audible Magic and the RIAA have entered into.
7 Q. Are you aware that an officer of
8 Audible Magic was introduced to government officials
9 in Washington by representatives of the RIAA?
10 A. No.
11 MR. BECKERMAN: I would like to
12 mark as Defendant's 1 a press release from
13 Palisade Systems, Inc. bearing the
14 headline "Peer-to-Peer File Sharing
15 Struggles Intensify in Universities."
16 (Defendant's Exhibit 1, press release
17 from Palisade Systems, Inc. bearing the
18 headline "Peer-to-Peer File Sharing
19 Struggles Intensify in Universities," marked
20 for identification, as of this date.)
21 Q. Is this press release genuine?
22 A. It was released by the company.
23 MR. BECKERMAN: I would like to
24 mark as Exhibit 2 a one-page press release
25 of Palisade Systems, Inc. dated April 21,
9
1 Jacobson
2 2004. The headline is "Instantly Stop
3 Illegal P2P With PacketSure 3."
4 (Defendant's Exhibit 2, one-page
5 press release of Palisade Systems, Inc.
6 dated April 21, 2004, marked for
7 identification, as of this date.)
8 Q. Is this press release genuine?
9 A. Yes. It was released by the company.
10 Q. Going down to the third paragraph,
11 which purports to have a quotation from you, would
12 you tell us if that quotation is accurate?
13 A. Yes.
14 MR. BECKERMAN: I would like to
15 mark as Exhibit 3 a two-page article dated
16 April 19, 2004 by David Chappelle entitled
17 "Newest PacketHound release eliminates
18 illegal trading of copyrighted files."
19 (Defendant's Exhibit 3, two-page
20 article by David Chappelle dated April 19,
21 2004, marked for identification, as of this
22 date.)
23 Q. Who is Steven Brown?
24 A. Steven Brown, what was his title? He
25 was our marketing individual at Palisade. I don't
10
1 Jacobson
2 remember his exact title.
3 Q. Was he authorized to speak for
4 Palisade Systems to the press?
5 A. Yes.
6 Q. I direct you to the fifth paragraph
7 and ask you whether that is an accurate statement of
8 something that was said by Steven Brown.
9 MR. GABRIEL: Objection. Lack of
10 foundation.
11 A. I have no way of knowing firsthand
12 that Steven Brown said that.
13 Q. Do you agree with the statement "Some
14 P2P applications can evade certain security tools"?
15 A. Yes.
16 Q. Do you agree with the statement of
17 Mr. Chappelle contained in the third paragraph that
18 "Detecting and stopping copyrighted materials from
19 being shared illegally eliminates the liability
20 faced by organizations associated with file
21 sharing"?
22 MR. GABRIEL: Objection to form.
23 Lack of foundation.
24 A. Can you repeat the question?
25 (Record read.)
11
1 Jacobson
2 A. Since I'm not a lawyer, I'm not sure
3 I can comment on being a liability and the absolute
4 elimination of it.
5 Q. I call your attention to the ninth
6 paragraph, starting with the word "instead."
7 A. Okay.
8 Q. Do you agree with that paragraph?
9 MR. GABRIEL: Objection to form.
10 Lack of foundation.
11 A. Yes, I would agree with that.
12 MR. BECKERMAN: I would like to
13 mark as Exhibit 4 an article dated
14 April 21, 2004, of C/net News.Com.,
15 entitled "New Tool Designed to Block Song
16 Swaps."
17 (Defendant's Exhibit 4, C/net
18 News.com article dated April 21, 2004,
19 marked for identification, as of this date.)
20 Q. Do you agree with the statement in
21 the second paragraph, the first paragraph that's not
22 in bold, which says that the song filtering software
23 is backed strongly by the Recording Industry
24 Association of America, RIAA?
25 MR. GABRIEL: Objection to form.
12
1 Jacobson
2 Lack of foundation.
3 A. I have no firsthand knowledge of
4 whether or not the RIAA has strongly backed Audible
5 Magic software.
6 Q. Do you have any reason to believe
7 that they have?
8 MR. GABRIEL: Object to the form.
9 A. Could you rephrase the question?
10 Q. What is the problem with the
11 question?
12 A. Restate the question and then I will
13 tell you.
14 Q. You said you had no firsthand
15 knowledge. Now I am asking you whether you have any
16 reason to believe that the RIAA did, in fact, back
17 the software strongly.
18 A. I have no firsthand knowledge that
19 they have.
20 Q. Did you ever see this article?
21 A. I don't recall seeing the article on
22 the web.
23 Q. Did you see any articles or press
24 releases saying that the RIAA backed the software
25 strongly?
13
1 Jacobson
2 A. I don't recall seeing any.
3 Q. So this is the first you've heard of
4 it? Is that your testimony?
5 MR. GABRIEL: I object to the form.
6 He said what he said.
7 A. I have no firsthand knowledge that
8 they have strongly backed -- I don't have any
9 firsthand knowledge that they strongly backed the
10 software, Audible Magic software.
11 Q. Do you have any other knowledge that
12 they backed it?
13 A. Not to my recollection.
14 Q. Going down to the second paragraph
15 that's not in bold and the sentences which purport
16 to quote you, would you tell me whether those are
17 accurate quotes.
18 A. Yeah.
19 Q. Now, going down to the fourth
20 paragraph starting with the word "during," is it
21 your testimony that you have no knowledge of RIAA
22 executives helping to guide Audible Magic CEO Vance
23 Ikezoye around federal government offices advocating
24 the song blocking technology as a tool for stopping
25 copyright infringement on file swapping networks?
14
1 Jacobson
2 MR. GABRIEL: Object to the form of
3 the question.
4 A. Could you please read the question
5 back again.
6 (Record read.)
7 A. I have no knowledge that that took
8 place.
9 Q. What is the relationship, if any,
10 between the RIAA and Palisade Systems, Inc.?
11 A. There is no relationship.
12 Q. Has Palisade Systems, Inc. had any
13 dealings with any agents of the Recording Industry
14 Association of America?
15 A. I believe that our chief operating
16 officer had discussions with the RIAA back in the
17 early 2000s.
18 MR. BECKERMAN: I would like to
19 mark as Exhibit 5 a press release from
20 ZDNet entitled "File-Swap Killer Grabs
21 Attention."
22 (Defendant's Exhibit 5, press release
23 from ZDNet entitled "File-Swap Killer Grabs
24 Attention," marked for identification, as of
25 this date.)
15
1 Jacobson
2 Q. Do you know what ZDNet is?
3 A. Yeah.
4 Q. What is ZDNet?
5 A. It is an online publication, is my
6 understanding.
7 Q. Have you ever used ZDNet for anything
8 other than reading?
9 A. Personally, not to my knowledge I
10 haven't.
11 Q. You've never downloaded any software
12 from ZDNet?
13 A. Not that I can recall.
14 Q. Have you never heard of ZDNet as a
15 source of software?
16 A. Not that I recall.
17 Q. And what is ZDNet News?
18 A. My understanding is it's an online
19 publication that I believe they send out to e-mails
20 to the subscribers.
21 Q. Have you ever had any dealings with
22 the University of Rochester?
23 A. Define the university.
24 Q. Excuse me?
25 A. I don't quite understand when you say
16
1 Jacobson
2 the university.
3 Q. Have you ever had any dealings with
4 officials of the University of Rochester?
5 A. Personally I have not, no.
6 Q. Has Palisade Systems?
7 A. Personally I have no knowledge of
8 that.
9 Q. What do you mean personally you have
10 no knowledge of that? Do you have some other kind
11 of secondhand knowledge of it?
12 A. Not that I recall, but I do not keep
13 close tabs of what the marketing or the sales force
14 does.
15 Q. Has Palisade Systems had any dealings
16 with the University of Rochester?
17 A. Not that I recall.
18 Q. Did the provost of the University of
19 Rochester attend a demonstration of the Audible
20 Magic software at RIAA headquarters in January of
21 2004?
22 A. Not that I know of, but ...
23 Q. Do you agree or disagree with the
24 statement that the RIAA has helped the company,
25 meaning Audible Magic, gain entree to official
17
1 Jacobson
2 Washington circles?
3 MR. GABRIEL: Object to form. Lack
4 of foundation.
5 A. I have no knowledge of what the RIAA
6 has done to help Audible Magic.
7 Q. Is it a fact that Audible Magic
8 entered into a cross-licensing agreement with
9 Palisade Systems, Inc.?
10 A. That's correct.
11 Q. What was the software designed to do?
12 A. What software?
13 Q. Song filtering software created by
14 Audible Magic, software that was mentioned in the
15 press releases I just showed you.
16 A. Audible Magic's software is designed
17 to examine audio data and determine if it matches a
18 database of copyrighted materials.
19 MR. BECKERMAN: Would you read back
20 the question.
21 (Record read.)
22 Q. Do you feel you have answered that
23 question?
24 A. I answered the question of what
25 Audible Magic software was designed to do.
18
1 Jacobson
2 Q. Is it song filtering software?
3 MR. GABRIEL: Object to the form.
4 A. Define what you mean by filtering.
5 Q. What is filtering? Withdrawn.
6 Is it your testimony here under oath
7 you do not know what the word "filtering" means?
8 MR. GABRIEL: Object to the form.
9 Argumentative.
10 A. The term has many different uses.
11 I'm trying to --
12 Q. Is the audio designed by Audible
13 Magic designed for song filtering?
14 MR. GABRIEL: Object to the form.
15 Lack of foundation.
16 A. Will you repeat the question.
17 (Record read.)
18 A. I can't testify to what their design
19 team chose to design their software to do.
20 Q. So is it your testimony that you do
21 not know if this software has any application to
22 blocking song trades on peer-to-peer file sharing
23 networks?
24 MR. GABRIEL: Object to the form.
25 That's a different question.
19
1 Jacobson
2 You can answer the question.
3 A. Which application?
4 Q. The same one we've just been talking
5 about. The application designed by Audible Magic,
6 which was cross-licensed to Palisade Systems.
7 A. The Audible Magic code that was
8 licensed by Palisade does not block traffic.
9 Q. What does it do?
10 A. It identifies traffic content.
11 Q. Is it able to identify song files?
12 A. It is able to identify -- it is able
13 to identify --
14 It is able to analyze files and
15 determine if those files match the signatures that
16 are stored in their database.
17 Q. And was it marketed by Palisade
18 Systems as something that could identify and stop
19 illegal file trades in real time without any
20 requirement for individual users to be identified?
21 A. Yes, their code coupled with our
22 code.
23 Q. And was it marketed by Palisade
24 Systems as something that could block specific
25 illegal file trades?
20
1 Jacobson
2 A. Yes.
3 Q. Now, you are the chief technology
4 officer of Palisade?
5 A. That's correct.
6 Q. So you would be knowledgeable about
7 technology work between your company and Audible
8 Magic, is that not true?
9 MR. GABRIEL: Object to the form.
10 A. Define what you mean by technology
11 work.
12 Q. Development of computer programs.
13 A. I am knowledgeable as to how our
14 software operates and how the application interfaced
15 between our software and Audible Magic software
16 operates.
17 Q. Did your company work jointly with
18 Audible Magic to develop the first network
19 appliances that identified copyrighted works on the
20 fly combined with the ability to block individual
21 trades?
22 A. Our company worked with Audible Magic
23 to develop a product to stop peer-to-peer traffic as
24 identified by Audible Magic's proprietary code.
25 Q. And you are testifying here today
21
1 Jacobson
2 that you have no idea how the RIAA reacted to this
3 work that you are doing?
4 A. That's correct.
5 Q. Have the press releases issued by
6 Palisade Systems referred to the RIAA?
7 MR. GABRIEL: I object to the form.
8 Lack of foundation.
9 A. I'm sure that some of our press
10 releases have probably mentioned the RIAA.
11 Q. In what capacity?
12 MR. GABRIEL: Same objections.
13 A. I don't recall any direct quotes out
14 of any of the press releases.
15 Q. Did you ever meet with the CEO of
16 Audible Magic?
17 A. I recall meeting him in just a short
18 meeting when he visited Palisade, but I was not part
19 of the negotiations.
20 Q. Did you discuss the software?
21 MR. GABRIEL: The question is
22 whether Dr. Jacobson talked to the CEO
23 about the software? I'm just clarifying
24 the question.
25 Q. Did you discuss the software?
22
1 Jacobson
2 MR. GABRIEL: I object to the form.
3 A. I can't recall whether I did or
4 didn't.
5 Q. Have you formed an opinion as to
6 whether Marie Lindor personally uploaded any
7 copyrighted files to anyone?
8 A. The computer whose IP address has
9 been identified as being registered to Ms. Lindor
10 has been shown to have made songs available,
11 copyrighted material available to the internet
12 community through peer-to-peer software.
13 MO MR. BECKERMAN: I move to strike the
14 answer as nonresponsive.
15 Would you read back the question.
16 (Record read.)
17 MR. GABRIEL: Is there a question
18 pending?
19 MR. BECKERMAN: Yes. I'm waiting
20 for an answer to the question. It calls
21 for a "yes" or "no" answer.
22 MR. GABRIEL: I object. It does
23 not. He answered the question.
24 MR. BECKERMAN: Are you directing
25 him not to answer the question?
23
1 Jacobson
2 MR. GABRIEL: No, no.
3 THE WITNESS: Would you repeat the
4 question.
5 (Record read.)
6 MR. GABRIEL: My objection was he
7 just answered.
8 You can answer it again.
9 A. Again, the computer registered to
10 Marie Lindor had made available songs through
11 peer-to-peer software, therefore making them
12 available.
13 MR. BECKERMAN: I am going to say
14 this once and I am not going to repeat it.
15 We are here, we have a limited
16 time. I am on page 1 of about 40 pages
17 of notes. If this kind of gamesmanship
18 is going to be continued, we will never
19 get through even a fraction of this
20 deposition and we will just have to
21 continue it. But I have no intention of
22 accepting that type of answer.
23 If that's the way you are going
24 to play this, then we will be here all
25 day. It calls for a "yes" or "no"
24
1 Jacobson
2 answer and there is no reason to be
3 playing games in answering a question
4 that was not asked. He will be asked
5 questions that may relate to what his
6 answer was, but he has not answered the
7 question that was asked of him and it
8 calls for a "yes" or "no" and I expect
9 an answer to it.
10 MR. GABRIEL: It is a nice speech,
11 Ray. The witness answered the question.
12 I object to the characterization of
13 gamesmanship. Because you don't like the
14 answer doesn't mean it is gamesmanship.
15 The witness has answered, he has his
16 opinions. And if you want to argue with
17 me or the witness, we will be here all day
18 or we will leave.
19 MR. BECKERMAN: I am going to ask
20 the question one more time and if I do not
21 get an answer to it, we will eventually
22 seek a ruling on that and we are going to
23 seek a ruling on all questions that we do
24 not receive answers to, all questions to
25 which we do not receive answers to, and
25
1 Jacobson
2 then we will have a continued deposition.
3 MR. GABRIEL: You reserve whatever
4 you want, Ray, and seek whatever rulings
5 you want. The witness answered the
6 question and I submit this is browbeating
7 the witness into trying to get the witness
8 by arguing with me. This is not serving
9 any purpose.
10 BY MR. BECKERMAN:
11 RL Q. Have you formed an opinion as to
12 whether Marie Lindor personally uploaded any
13 copyrighted files, "yes" or "no"?
14 MR. GABRIEL: Objection. Form.
15 Asked and answered twice.
16 Q. Dr. Jacobson, would you please answer
17 the question.
18 A. I have twice already answered the
19 question.
20 Q. Are you refusing to answer the
21 question?
22 MR. GABRIEL: Objection.
23 Argumentative. He answered the question.
24 MR. BECKERMAN: We will seek a
25 ruling on that.
26
1 Jacobson
2 RL Q. Have you personally formed an opinion
3 as to whether Marie Lindor personally downloaded any
4 copyrighted files?
5 A. The computer whose IP address who has
6 been identified as belonging to Marie Lindor made
7 copyrighted material available through peer-to-peer
8 software -- made the material available through
9 peer-to-peer software.
10 MR. BECKERMAN: We also will seek a
11 ruling on that and we will seek a ruling
12 on all follow-up questions which would
13 have resulted from a "yes" or "no" answer.
14 MO I move to strike the nonresponsive
15 answer that was given.
16 Q. Based upon your examination of the
17 hard drive which you examined, what evidence did you
18 find that inculpated Marie Lindor personally?
19 MR. GABRIEL: Object to the form.
20 Lack of foundation.
21 A. Would you please define the
22 second-to-last word.
23 Q. "Her"?
24 A. No, "inculpated." Would you please
25 define that for me.
27
1 Jacobson
2 Q. Do you not know what the word
3 "inculpated" means?
4 A. That's correct.
5 Q. Are you familiar with the word
6 "exculpate"?
7 A. No.
8 Q. What is your educational background?
9 A. Computer engineering.
10 Q. Well, which school did you attend?
11 Did you get a Bachelor's degree?
12 A. Yes.
13 Q. What school?
14 A. Iowa State University, science and
15 technology.
16 Q. When did you graduate?
17 A. With which degree?
18 Q. When did you get your Bachelor's
19 degree?
20 A. 1980.
21 Q. Do you have any other degrees?
22 A. I hold a Master of Science in
23 electrical engineering.
24 Q. When did you get that?
25 A. 1982.
28
1 Jacobson
2 Q. Any other degrees?
3 A. A Doctor of Philosophy, Ph.D., in
4 computer engineering.
5 Q. When was that?
6 A. 1985.
7 Q. And you are associate professor at
8 Iowa State University?
9 A. That is correct.
10 Q. And you do not know what the word
11 "exculpate" means?
12 A. That's correct.
13 Q. Based upon your examination of the
14 hard drive which you examined in this case, what
15 evidence did you find that supported or would
16 support a conclusion that Marie Lindor had
17 personally uploaded any files?
18 A. The hard drive that I examined showed
19 no evidence of any peer-to-peer software or MP3
20 music files.
21 Q. So is it correct to say that there
22 was nothing on the hard drive that tended to prove
23 that she had uploaded or downloaded anything?
24 A. There was nothing on the hard drive
25 that indicated there was any peer-to-peer software.
29
1 Jacobson
2 Q. Hypothetically, had you discovered
3 KaZaA software and song files or remnants of KaZaA
4 software or song files resembling those that had
5 appeared in a screen shot, would that have tended to
6 support a finding that she had downloaded or
7 uploaded copyrighted files?
8 A. That would have supported a claim
9 that that computer was used to make files available.
10 Q. So it would have supported a finding
11 that the computer whose hard drive you examined had
12 been used for that purpose?
13 A. Correct.
14 Q. It would not have supported a
15 finding, would it, as to whether Marie Lindor
16 herself had used those programs or files?
17 MR. GABRIEL: Object to the form.
18 Lack of foundation.
19 THE WITNESS: Please read it back.
20 (Record read.)
21 A. That's correct.
22 Q. Hypothetically, had you discovered
23 substantial deletions, would that have supported a
24 finding that there had been the use of KaZaA file
25 sharing to download or upload copyrighted files?
30
1 Jacobson
2 MR. GABRIEL: Object to the form.
3 Lack of foundation.
4 A. Had I found substantial deletions of
5 the KaZaA software and music files, that would have
6 supported it.
7 Q. Had you discovered that the hard
8 drive had been entirely reformatted would that, in
9 your view, have supported a finding that the
10 computer had been used for uploading or downloading
11 copyrighted works?
12 MR. GABRIEL: Same objections.
13 A. Had the computer been reformatted,
14 there would have been no conclusion that I could
15 have drawn as to what was on the computer prior to
16 formatting.
17 Q. Hypothetically, had you discovered
18 substantial defragmentation of the hard drive, would
19 that have supported a finding that the computer had
20 been used to upload or download copyrighted works?
21 MR. GABRIEL: Same objection.
22 A. If that's all I had found, no, that
23 would not have supported.
24 Q. So you have concluded that the hard
25 drive that you examined was not used for KaZaA file
31
1 Jacobson
2 sharing; is that correct?
3 A. That's correct, as I testified or as
4 I -- in one of my documents, yes.
5 Q. Are you aware of any evidence of
6 anything that would point to Marie Lindor personally
7 having done something as opposed to any other
8 person?
9 MR. GABRIEL: Objection to the
10 form. Lack of foundation.
11 A. I have examined evidence that shows
12 that the computer registered to the IP address
13 belonging to Marie Lindor was used to share
14 copyrighted material.
15 Q. But other than that, other than the
16 fact that the computer was used, as you say, is
17 there any evidence to show what natural person, what
18 individual was the one who actually did it?
19 A. No.
20 Q. Do you know what processes and
21 procedures MediaSentry employed?
22 A. I do not know the inner works of
23 MediaSentry processes and procedures.
24 Q. Do you know what software they used?
25 A. No.
32
1 Jacobson
2 Q. Do you know if it was well known
3 off-the-shelf software or if it was proprietary
4 software?
5 A. Again, I do not know the inner
6 workings of MediaSentry's operations.
7 Q. Do you know if their software had
8 been peer-reviewed or published or anything like
9 that?
10 A. Not that I'm aware of.
11 Q. Have you ever testified as an expert
12 in a deposition?
13 A. No.
14 Q. Have you ever testified as an expert
15 in a trial?
16 A. No.
17 Q. Have you ever testified as an expert
18 in any other type of proceeding?
19 A. I testified in front of a school
20 board.
21 Q. As an expert?
22 A. Yes.
23 Q. On what subject?
24 A. A teacher was accused of viewing
25 pornography at school.
33
1 Jacobson
2 Q. There was no judge?
3 A. No.
4 Q. There was no arbitrator or judicial
5 type of person conducting it? It was just a school
6 board?
7 A. Yes.
8 Q. Has any judge or jury ever found your
9 methodology to be unreliable?
10 A. I've never been in front of a judge,
11 so no.
12 Q. Has any judge or jury ever found your
13 methodology to be reliable?
14 A. Again, I've never been in front of a
15 judge.
16 Q. Has anyone other than the RIAA ever
17 hired you to do a forensic examination of a hard
18 drive?
19 A. Yes.
20 Q. Who?
21 A. That school board. I'm currently
22 working on a --
23 MR. GABRIEL: Why don't you wait
24 until the ambulance passes.
25 MR. BECKERMAN: I don't think we --
34
1 Jacobson
2 MR. GABRIEL: It may take a while.
3 MR. BECKERMAN: This is New York,
4 Richard. This isn't Denver. We could be
5 here all day.
6 MR. GABRIEL: Just try to keep your
7 voice up.
8 A. I am currently working on two
9 forensic cases that are ongoing. I've done quite a
10 bit of forensic work for law enforcement which I do
11 pro bono.
12 Q. When were you first hired to do
13 forensic work on a hard drive?
14 MR. GABRIEL: Just for
15 clarification, when you say hired, does
16 that include the pro bono work he's
17 talking about?
18 MR. BECKERMAN: Yes.
19 A. On a hard drive, probably in the late
20 '80s.
21 Q. And who was that?
22 A. The Iowa State University. I've done
23 quite a bit of forensic work helping out various
24 individuals at the university.
25 Q. What law enforcement agency hired you
35
1 Jacobson
2 to do a forensic examination of a hard drive?
3 A. Again, I did it with no compensation.
4 I do all my forensic exams for law enforcement
5 through the Iowa State University police department.
6 However, they take in cases from other
7 jurisdictions. I don't always know the jurisdiction
8 that brought the case in.
9 Q. And they have never used you as a
10 witness?
11 A. No. We never -- they've always
12 settled.
13 Q. Apart for doing things for people at
14 Iowa State University how many times have you
15 been -- and apart from the RIAA, how many hard
16 drives have you done forensic examinations of?
17 A. By outside the university, do you
18 also mean outside the Iowa State Police Department?
19 Q. No.
20 A. I maybe misunderstood the question.
21 Can you restate the question or repeat the question?
22 Q. I will restate the question.
23 Apart from your work for the RIAA and
24 your work for people at Iowa State University, how
25 many hard drives have you been hired to do a
36
1 Jacobson
2 forensic examination of?
3 A. Probably half a dozen. It's been
4 over such a long period of time.
5 Q. What software did you use?
6 A. In the latest ones I've been using
7 EnCase.
8 Q. Which edition of EnCase?
9 A. I'm using 5.
10 Q. What did you use before?
11 A. I would use various Hex editors and
12 then -- before it was -- before we had sophisticated
13 software. Sometimes I would write software to
14 recover.
15 Q. When did you start using EnCase 5?
16 A. I don't remember the date that it
17 came out. Prior to that I was using version 4.
18 Q. When did you start using that?
19 A. Probably about three years ago.
20 Q. Has anyone other than the RIAA ever
21 hired you to opine on whether a particular computer
22 had been used for uploading or downloading
23 copyrighted works?
24 A. Copyrighted works?
25 Q. Yes.
37
1 Jacobson
2 A. No.
3 Q. How long have you been using your
4 present method of determining whether a particular
5 computer has been used for uploading or downloading
6 copyrighted works?
7 A. About a year and a half.
8 Q. When did you learn your present
9 method of determining whether a particular computer
10 has been used for uploading or downloading
11 copyrighted works? Or did you develop it yourself?
12 A. Clarification. Are you talking about
13 exams on the hard drives or just the process, the
14 entire process?
15 Q. Well, you have a method, do you not?
16 A. I have a method for examining hard
17 drives and I have a method for reviewing the
18 MediaSentry material.
19 Q. So these are two different things?
20 One isn't tied into the other?
21 A. They are two different processes.
22 Q. Okay. So let's break it down. Your
23 method of --
24 The MediaSentry materials are
25 gathered through the internet?
38
1 Jacobson
2 A. Yeah. MediaSentry gathers the
3 material through the internet.
4 Q. How did you learn your method of
5 interpreting -- withdrawn.
6 Are you able --
7 I am having a little difficulty with
8 this conceptually. You are breaking it down into
9 two separate processes. Is it your testimony that
10 there is a way to detect whether a computer has been
11 used for uploading or downloading copyrighted works
12 without both looking at the MediaSentry material and
13 the hard drive?
14 A. Yes.
15 Q. Let's break it down, then, into two
16 separate things.
17 How did you learn your method of
18 determining from the MediaSentry materials whether a
19 particular computer has been used for uploading or
20 downloading copyrighted works?
21 A. It was a process that I developed.
22 Q. You developed it on your own?
23 A. Yes.
24 Q. How did you learn your method of
25 determining from a hard drive whether a particular
39
1 Jacobson
2 computer has been used for uploading or downloading
3 copyrighted works?
4 A. Well, the forensic examination
5 process I learned through self-study and through the
6 forensic examiner's exam.
7 Q. Now, am I correct that you were doing
8 this for law enforcement before you were a certified
9 forensic examiner?
10 A. That's correct.
11 Q. And when did you become a certified
12 forensic examiner?
13 A. September '04.
14 Q. And why did you become a certified
15 forensic examiner?
16 A. Two reasons. One is to be able to
17 better work with the law enforcement and the other
18 is to help support our university's educational
19 mission, since we teach computer forensics.
20 Q. Wouldn't a third reason be that it
21 might give you standing to testify in a court of law
22 as to your forensic examinations of hard drives?
23 A. That I would tie in with the first
24 reason, to work better with law enforcement.
25 Q. What about your private work for the
40
1 Jacobson
2 recording industry of America?
3 A. I was a certified examiner before I
4 was engaged by the recording industry.
5 Q. Isn't it a fact that you were engaged
6 by the RIAA in 2002?
7 A. It was in September '05.
8 Q. You were not doing any work for them
9 in 2002?
10 A. No. My first work for them was in
11 the fall of 2005. I can't remember my first trip to
12 Kansas City.
13 Q. And you weren't doing any work for
14 them in 2003?
15 A. No.
16 Q. And you weren't doing any work for
17 them in 2004?
18 A. I started working with the law firm
19 in the fall of 2005.
20 MR. BECKERMAN: Off the record.
21 (Discussion off the record.)
22 Q. Has your method of determining from
23 the MediaSentry materials whether a particular
24 computer has been used for uploading or downloading
25 copyrighted works been tested by any testing body?
41
1 Jacobson
2 A. Not that I have submitted.
3 Q. Do you know anyone else that is using
4 your method, other than you?
5 A. Not that I'm aware of.
6 Q. Has your method of determining
7 through the MediaSentry materials whether a
8 particular computer has been used for uploading or
9 downloading copyrighted works been subjected to any
10 form of peer review?
11 A. Not that I'm aware of.
12 Q. Has your method of determining from
13 the MediaSentry materials whether a computer has
14 been used for uploading or downloading copyrighted
15 works been published?
16 A. No.
17 Q. Is there a known rate of error for
18 your method?
19 A. No.
20 Q. Is there a potential rate of error?
21 MR. GABRIEL: Object to the form.
22 A. I guess there is always a potential
23 of an error.
24 Q. Do you know of a rate of error?
25 A. To my process, no.
42
1 Jacobson
2 Q. Are there any standards and controls
3 over what you have done?
4 A. No.
5 Q. Have your methods been generally
6 accepted in the scientific community?
7 A. The process has not been vetted
8 through the scientific community.
9 Q. Have you had communications with
10 MediaSentry?
11 A. Not that I recall.
12 Q. Have MediaSentry's methods been
13 tested by any testing body?
14 A. I don't know.
15 Q. Have MediaSentry's methods been
16 subjected to any form of peer review?
17 A. I don't know.
18 Q. Have MediaSentry's methods been
19 published?
20 A. I don't know.
21 Q. It's a fact, is it not, that
22 MediaSentry's methods are secret?
23 MR. GABRIEL: Objection of lack of
24 foundation.
25 A. I don't know.
43
1 Jacobson
2 Q. Is there a known rate of error for
3 MediaSentry's methods?
4 A. Not that I'm aware of.
5 Q. So when you evaluate the MediaSentry
6 materials you are assuming them to be accurate?
7 A. Yes.
8 Q. Is there a potential rate of error
9 for MediaSentry's methods?
10 MR. GABRIEL: Object to the form.
11 A. There is always a potential for an
12 error.
13 Q. Are there any standards and controls
14 over MediaSentry's methods?
15 A. I don't know.
16 Q. Have MediaSentry's methods been
17 generally accepted in the scientific community?
18 MR. GABRIEL: Object to the form.
19 Lack of foundation.
20 A. Not that I know of.
21 Q. Is MediaSentry peer-regulated?
22 A. Not that I know of.
23 Q. Apart from your work on RIAA
24 litigations against owners of internet access
25 accounts, have you engaged in research on
44
1 Jacobson
2 determining whether specific individual computer
3 users engaged in copyright infringement through
4 peer-to-peer file sharing?
5 MR. GABRIEL: I'm sorry. I lost
6 the question. Could you repeat it,
7 please?
8 Q. Apart from your work on the RIAA
9 cases, have you engaged in any research on methods
10 of determining whether specific individual computer
11 users engaged in copyright infringement through the
12 use of P2P file sharing?
13 A. Yes.
14 Q. And what kind of research was that?
15 A. Obviously there was some research
16 done through Palisade as part of its product rollout
17 dealing with how to identify the individuals within
18 an organization. One of my grad students also
19 worked on the project to identify users of
20 peer-to-peer software, although that was focused
21 more on ibiblioography than it was copyright
22 material.
23 Q. I would like to leave aside research
24 that may have been done by others. I mean to ask
25 whether you personally have engaged in research.
45
1 Jacobson
2 A. Through Palisade as part of product
3 development.
4 Q. Is that something that is research
5 which is private and proprietary?
6 A. No. The piece I did is no longer
7 used as the technology, so it's not.
8 Q. Was it ever published?
9 A. No. At the time it was proprietary
10 to Palisade.
11 Q. And now it's been replaced by other
12 methods?
13 A. Yes.
14 Q. Apart from your work on the RIAA
15 cases, have you engaged in any research on methods
16 of determining whether specific computer hard drives
17 contained evidence of copyright infringement through
18 peer-to-peer file sharing?
19 A. No.
20 Q. Do any of your three reports -- by
21 "three reports" I'm referring to the April 7th
22 initial report, the December 19th declaration that
23 you signed and the October report which you did not
24 sign. Do any of those three reports discuss the
25 possibility of any alternate explanations other than
46
1 Jacobson
2 copyright infringement?
3 MR. GABRIEL: Object to form to the
4 extent that they speak for themselves.
5 You can answer the question.
6 A. Please read the question. I didn't
7 understand.
8 (Record read.)
9 A. Alternate explanations to?
10 Q. Your conclusions.
11 A. No.
12 I'm sorry. I said, "No."
13 Q. Did any of the three reports discuss
14 any alternate explanations other than KaZaA
15 appearing on a file owned by Marie Lindor?
16 MR. GABRIEL: Object to the form.
17 They speak for themselves.
18 A. What do you mean by KaZaA appearing
19 on a file?
20 Q. I'm sorry, I misspoke. Do any of
21 your three reports discuss the possibility of any
22 alternate explanations other than KaZaA appearing on
23 a computer owned by Marie Lindor?
24 A. No.
25 Q. Are you, as we sit here, capable of
47
1 Jacobson
2 thinking of some alternate explanations?
3 A. Yes.
4 Q. Can you think of any possible
5 infirmities in MediaSentry's methods as we sit here?
6 MR. GABRIEL: Object to form and
7 foundation. I'm sorry.
8 A. I don't have an inner knowledge of
9 their methods so I...
10 Q. Can you think of any possible
11 security vulnerabilities in the computer that was in
12 Marie Lindor's apartment?
13 MR. GABRIEL: Object to form and
14 foundation.
15 A. Repeat the question. Read it back.
16 (Record read.)
17 A. I didn't examine the hard drive that
18 was given to me for security vulnerabilities, so I
19 can't attest to what vulnerabilities may have been
20 present in that hard drive.
21 Q. As we sit here, can you think of any
22 possible security vulnerabilities in the computer
23 that was in Marie Lindor's apartment?
24 MR. GABRIEL: Objection to form.
25 Lack of foundation.
48
1 Jacobson
2 A. Read that back.
3 (Record read.)
4 A. Can you read it one more time.
5 (Record read.)
6 A. I'm sure the possibility exists there
7 were security vulnerabilities. Again, I don't know
8 which ones would apply to that particular computer.
9 Q. And did your report discuss any of
10 those possible security vulnerabilities?
11 A. No.
12 Q. Did you testify at an United States
13 Senate committee in September of 2003?
14 A. Yes.
15 Q. Did you make this statement?
16 "In summer of 2000 we introduced
17 PacketHound which is designed to detect, monitor and
18 block unauthorized peer-to-peer applications."
19 A. That sounds like -- that sounds like
20 a statement I made.
21 Q. Did you make this statement?
22 "There are no effective controls
23 regarding content provided on a peer-to-peer
24 network."
25 A. Again, that sounds like a statement I
49
1 Jacobson
2 made.
3 Q. And did you make this statement?
4 "Both the provider and the requester
5 of the file are not easily detected."
6 A. Again, that sounds like a statement
7 that was in that testimony. I don't have the
8 testimony in front of me, so I ...
9 Q. Did you make this statement?
10 "These technologies are not designed
11 for the home users."
12 A. Again, that sounds like a statement
13 that was in the testimony.
14 Q. Did you make this statement?
15 "This leaves individuals on their own
16 to solve the problems of peer-to-peer networking."
17 A. Again, that sounds like a statement
18 that was in the testimony.
19 Q. Did you make this statement?
20 "Which naturally leaves us to the
21 question, what is the homeowner to do?"
22 A. Again, that sounds like something
23 that was in that testimony.
24 Q. Did you make this statement?
25 "Unlike web filtering, where certain
50
1 Jacobson
2 sites can be blocked and web access can be
3 monitored, peer-to-peer traffic cannot be filtered
4 based on its content. This leaves a home user no
5 choice but to either allow peer-to-peer activity and
6 all of its associated risks or not allow any
7 peer-to-peer applications on their machines."
8 A. Again, that sounds like what was in
9 that testimony.
10 Q. Are you familiar with Steven Gottlieb
11 of the RIAA?
12 A. I've heard the name but that's it.
13 Q. Do you agree with this statement
14 which I will represent to you he made on
15 November 15, 2004 in comments he provided to the
16 Federal Trade Commission?
17 "P2P services often configure their
18 software to share content by default. What users
19 often do not know is that they may be sharing their
20 tax records, financial records, health records,
21 business records, e-mail and other personal and
22 private material."
23 Do you agree with that statement?
24 A. Oh, I'm sorry. Yes.
25 Q. Do you agree with this statement,
51
1 Jacobson
2 which I represent to you was made by Mr. Gottlieb?
3 "As an additional matter P2P software
4 may, upon installation, automatically search a
5 user's entire hard drive for content, files that
6 users have no intention of sharing may end up being
7 offered to the entire P2P network."
8 A. Yes.
9 Q. Do you agree with this statement
10 which I represent to you was made by Mr. Gottlieb?
11 "Continued sharing of personal
12 information is hard to avoid and is facilitated by
13 confusing and complicated instructions for
14 designating shared items."
15 A. Yes.
16 Q. Do you agree with this statement also
17 made by Mr. Gottlieb?
18 "A study by Nathaniel S. Good and
19 Aaron Krekelberg at HP Laboratories showed that the
20 majority of the users were unable to tell what files
21 they were sharing and sometimes incorrectly assumed
22 they were not sharing any files when in fact they
23 were sharing all files on their hard drive.
24 MR. GABRIEL: Object to the form.
25 Lack of foundation.
52
1 Jacobson
2 A. I guess I can't quantify some, most,
3 all. I'm sorry.
4 Q. Are you familiar with the report by
5 Nathaniel Good and Aaron Krekelberg at HP
6 Laboratories?
7 A. No.
8 MR. GABRIEL: When we get to a good
9 stopping point, can we take five? It's
10 been an hour and a half.
11 MR. BECKERMAN: Sure.
12 (Recess taken.)
13 Q. Your reports state your conclusions;
14 is that correct?
15 A. Yes.
16 Q. And they state that your conclusions
17 were based upon --
18 Withdrawn. I shouldn't lump the
19 three together.
20 The April report states that
21 conclusions were based upon the materials that had
22 been provided to you by MediaSentry plus a few other
23 documents; is that correct?
24 A. Yes.
25 Q. Does that report explain how you
53
1 Jacobson
2 formed your conclusions from those documents?
3 A. Not in any detail.
4 Q. How many reports have you issued for
5 the RIAA?
6 A. Maybe 200. I don't know, don't
7 recall the exact count.
8 MR. BECKERMAN: I would like to
9 leave a space in the record for that
10 number.
11 TO BE FURNISHED:____________________________________
12 ____________________________________________________
13 Q. How many of those reports concluded
14 that there was in fact downloading or uploading of
15 plaintiff's copyright files?
16 A. All of the -- yes, all of the
17 reports.
18 Q. How much time did you spend on each
19 report?
20 A. A typical report takes me about 45
21 minutes.
22 Q. And how much time did you spend on
23 the April 2006 report in this case?
24 A. Without seeing the billing records, I
25 can only guess but I think it was 45 minutes.
54
1 Jacobson
2 Q. How much time did you spend preparing
3 the unsigned October report?
4 A. That was -- not that one.
5 I'm sorry. I was pointing to
6 something on your desk. I probably shouldn't do
7 that.
8 MR. GABRIEL: After you looked at
9 the hard drive he is asking about.
10 THE WITNESS: Okay. Thank you.
11 Q. Would you like me to show you a copy?
12 A. No. I just wanted to clarify between
13 the two reports that --
14 Again, without looking at the billing
15 records, I would say probably two to four hours.
16 Q. And how much time did you spend on
17 the December 19th declaration?
18 A. Maybe 15 minutes.
19 Q. If a hard drive had been used for
20 peer-to-peer file sharing with KaZaA, would your
21 forensic inspection have allowed you to see whether
22 a file sharing program had been downloaded or
23 installed?
24 A. If the program was present on the
25 hard drive, a forensic examination would have shown
55
1 Jacobson
2 that.
3 Q. Similarly, if the hard drive had been
4 used for peer-to-peer file sharing with KaZaA, would
5 your forensic inspection have allowed you to see
6 whether there was a shared files folder on the
7 computer?
8 A. Yes.
9 Q. And, again, if the hard drive had
10 been used for peer-to-peer file sharing with KaZaA,
11 would your forensic inspection have shown you
12 whether there were audio files or remnants, or
13 evidence thereof, of the files that MediaSentry had
14 observed?
15 A. Yes.
16 Q. Under those same circumstances, would
17 your forensic inspection have allowed you to see
18 whether a party had attempted to delete file sharing
19 programs or other files?
20 A. Yes.
21 Q. Now, a dynamic IP address is
22 allocated very often for a short period of time; is
23 that not correct?
24 A. It depends how you define "short."
25 Q. Well, you yourself used that
56
1 Jacobson
2 technology, did you not?
3 A. Yes.
4 Q. So what is the shortest it could be?
5 There is no shortest, is there? It could be for a
6 split second?
7 A. A computer can request and release.
8 Q. It could be for hours or it could be
9 for seconds or --
10 A. It could be for days, yes.
11 Q. Would it be possible to have the same
12 dynamic IP address assigned to three people during
13 one minutes?
14 MR. GABRIEL: Object to the form.
15 A. It's possible.
16 Q. Now, the users of a peer-to-peer
17 network often think they are anonymous when they
18 distribute files. Isn't that true?
19 A. In my opinion, a lot of users feel
20 that they are anonymous.
21 Q. In your April 7th report you say that
22 in reality they can be identified using the IP
23 address. Is that not what you said in your report?
24 A. Yes, sir.
25 Q. That's not exactly true, is it?
57
1 Jacobson
2 A. I guess I'm not clear what you mean
3 by that.
4 Q. Well, it's true, is it not, that
5 there can be more than one computer operating under
6 a single IP address?
7 MR. GABRIEL: Object to the form.
8 A. As I talked about it in the report
9 with public IP addresses, in order for the internet
10 to function there can only be -- every public IP
11 address has to be globally unique within that window
12 of time.
13 Q. But there can be more than one
14 computer operating behind that IP address?
15 MR. GABRIEL: Same objection.
16 A. Every -- I don't understand what you
17 are asking. Every device connecting to the public
18 internet has to have a global unique address.
19 Q. And a device doesn't have to be a
20 computer, does it?
21 A. That's correct.
22 Q. It could be a router, correct?
23 A. Yes.
24 Q. It could be a wired router?
25 A. Yes.
58
1 Jacobson
2 Q. It could be a wireless router?
3 A. Yes.
4 Q. And if there is a firewall, under
5 most circumstances no one would know the various
6 computers or devices behind the router, would they?
7 MR. GABRIEL: Object to form.
8 A. It depends on the type of router.
9 Q. Is it possible for more than one
10 device to be operating behind a single IP address?
11 A. Yes.
12 Q. Now, when we get to the devices, some
13 of the devices are computers. Is that not correct?
14 A. Yes.
15 Q. And is it possible for a computer to
16 have more than one user?
17 A. Yes.
18 Q. So, in other words, when a person is
19 engaged in peer-to-peer file sharing, it's not the
20 person that could be identified by an IP address, is
21 it?
22 MR. GABRIEL: Object to the form.
23 Lack of foundation.
24 Q. Isn't it the MAC address that is
25 identified?
59
1 Jacobson
2 MR. GABRIEL: Object to form.
3 A. I don't understand the follow-on
4 statement.
5 Q. Do you know what a MAC address is?
6 A. Yes.
7 Q. Can a router have a MAC address?
8 A. Yes.
9 Q. If I had ten different companies
10 operating behind a router and I had a properly
11 functioning firewall or firewalls, would anybody in
12 the wide network actually know what was behind the
13 router with the properly functioning firewall?
14 MR. GABRIEL: Object to the form.
15 Lack of foundation.
16 A. It's possible to determine who is
17 behind that, so to say that there is no way to know
18 is not true.
19 Q. How could you find out?
20 A. Potentially based on the activity
21 coming out. There is lots of ways that attackers
22 could use to determine what is behind a firewall.
23 Q. But one method to identify that
24 person would not be the IP address. The IP address
25 alone would not tell you that, would it?
60
1 Jacobson
2 A. Would not tell you what?
3 Q. What individual was sharing files.
4 A. By "individual" do you mean
5 flesh-and-blood person?
6 Q. Yes.
7 A. The IP address tells you the identity
8 of the computer.
9 Q. It actually doesn't tell you the
10 identity of the computer. It tells you the identity
11 of the device.
12 A. That's correct.
13 Q. And it doesn't actually tell you the
14 identity of the device. It tells you a MAC address?
15 MR. GABRIEL: Objection to form.
16 A. IP address does not tell you a MAC
17 address.
18 Q. How could it tell you the identity of
19 the device? How would you identify a device other
20 than by a MAC address?
21 A. Every device in the public internet
22 is configured with an IP address.
23 Q. Which would link to what?
24 A. Which links to the device.
25 Q. And how do you identify the device on
61
1 Jacobson
2 the internet?
3 A. Again, every device is identified
4 through its IP address. The MAC address is only
5 valid from one local connection to another.
6 Q. What is the one thing unique about
7 each device?
8 MR. GABRIEL: Object to the form.
9 A. Unique to it or that uniquely tells
10 them apart?
11 Q. That tells them apart.
12 A. On the internet the only requirement
13 for uniqueness is the IP address.
14 Q. So when you say that in reality they
15 can be identified using the IP address, your
16 testimony is that it's not the user that can be
17 identified, it's a computer that can be identified?
18 Is that your testimony?
19 Or is your testimony that it is the
20 computer on the network device that is interfacing
21 with the wide network?
22 A. The IP address identifies the
23 computer or device that is connected to the wide --
24 to the internet.
25 Q. And the device might be a network
62
1 Jacobson
2 card?
3 A. Generally network card doesn't have
4 an IP address. The computer is what has the IP
5 address.
6 Q. The device might be a router?
7 A. That's correct.
8 Q. In that report you said that the IP
9 address of the computer can be captured by a user
10 during a search or file transfer. Now, you don't
11 exactly mean of the computer; you mean of the
12 computer or network device, right?
13 A. In the peer-to-peer file transfer the
14 device running -- the computer running the
15 peer-to-peer software reports its IP address
16 along with -- in addition to that, the IP address of
17 the -- if it is behind a router that separates
18 public and private addresses, then the IP address of
19 the public internet will also be shown.
20 Q. But when you said that the IP address
21 of the computer offering the files for distribution
22 can be captured by a user during a search or file
23 transfer, you didn't really mean the computer. You
24 meant the computer or network device?
25 A. In order for the peer-to-peer
63
1 Jacobson
2 software to work, you have to have the identity of
3 the machine holding the music or holding the data.
4 Q. Even if it's going through a router?
5 You're saying there is more than one IP address
6 going through a router?
7 A. The peer-to-peer software will
8 present an IP address within the data payload of the
9 IP packet.
10 Q. Well, what I'm trying to understand
11 is why in your report, referring to your April
12 report, it seems to me that when you were making
13 general descriptions of the technology involved, you
14 kept saying computer or network device but then when
15 you were coming to your conclusions about the
16 defendant, then you all of a sudden started talking
17 about computers and you left out network devices. I
18 was wondering why.
19 Do you agree with that, what I am
20 saying?
21 A. Yes.
22 Q. Why did you do that? Why did you
23 stop mentioning network devices?
24 A. Because in an examination of
25 MediaSentry data, I concluded that it was a computer
64
1 Jacobson
2 at that IP address.
3 Q. And how did you come to that
4 conclusion?
5 A. Through the MediaSentry traffic
6 captures which shows the IP address of the actual
7 computer and the IP address of the packet in transit
8 across the internet, and those two IP addresses were
9 both public and both matched.
10 Q. What is the document you are
11 referring to for MediaSentry?
12 A. I think it was the download.text file
13 or download log maybe they call it.
14 Q. The log for the user?
15 A. No.
16 MR. GABRIEL: Do you want to go off
17 the record for a minute and find it?
18 MR. BECKERMAN: No. We are on the
19 record.
20 Q. The Marie system log? Lindor, Marie
21 system log?
22 A. No. That's not the system log. It
23 could be the download record.
24 Q. This one (indicating)?
25 A. Yes.
65
1 Jacobson
2 MR. BECKERMAN: I would like to
3 mark as Exhibit 6 a printout of numbered
4 pages 36 to 45.
5 (Defendant's Exhibit 6, printout of
6 numbered pages 36 to 45, marked for
7 identification, as of this date.)
8 Q. So this tells you that there was no
9 router?
10 A. This tells me that there was -- yes.
11 There was no router.
12 Q. How does it tell you that there was
13 no router?
14 A. Through the two --
15 If you look at the second chunk down,
16 you will see the source address at the top and you
17 will see the KaZaA IP address midway through that,
18 and they match and they are both public IP
19 addresses.
20 Q. You said they match?
21 A. Uh-huh. The 141.155.57.198.
22 Q. That's the source?
23 A. And then down below you see the KaZaA
24 IP?
25 Q. Yes.
66
1 Jacobson
2 A. It's those two IP addresses.
3 Q. What does the first number indicate?
4 A. The first number of the IP address?
5 Q. Yes.
6 No. The second line of that chunk
7 that says "source." What does that indicate?
8 A. That is the source address. That is
9 where the packet came from.
10 Q. Now we go down to the next line you
11 referred to, it says "KaZaA IP." What does that
12 refer to?
13 A. That is the IP address that the KaZaA
14 software is running on, the IP address of the
15 computer that the KaZaA software is running on.
16 Q. What is the next line?
17 A. A supernode. That's the supernode
18 that KaZaA is connected to.
19 Q. So, in other words, this went in
20 directly through the supernode? So you are saying
21 this transmission went through the supernode?
22 MR. GABRIEL: Objection to form.
23 A. No. This packet just indicates
24 that -- where the supernode is that KaZaA is talking
25 to. The packet as shown by the second line is the
67
1 Jacobson
2 actual source address of the internet packet.
3 Q. What is the next line, the KaZaA IP?
4 A. Oh.
5 Q. The line down below where you say the
6 two numbers match, what is the meaning of that
7 number?
8 A. Which one? The KaZaA IP?
9 Q. You said it is the same number.
10 A. Right.
11 Q. Where it says "KaZaA IP" and there is
12 the same number.
13 A. As line 2, yes. That is the -- that
14 is the --
15 Q. What is the significance of that
16 line?
17 MR. GABRIEL: Let him ask the
18 question and then you answer. He asked
19 what is the significance of that line.
20 A. Of the line "KaZaA IP"?
21 Q. Yes.
22 A. That is the IP address that the KaZaA
23 software is using.
24 Q. And how is that determined?
25 A. It's determined by the KaZaA software
68
1 Jacobson
2 itself.
3 Q. Why wouldn't those two numbers always
4 be the same?
5 A. In the case of a router as you
6 described earlier that has private addresses on the
7 inside, you will see those numbers be different.
8 Q. So you are saying there can be
9 different IP addresses for different devices behind
10 the router?
11 A. Yes.
12 Q. What does the presence of the
13 supernode line indicate?
14 A. It indicates the supernode, that the
15 KaZaA software is used to perform the searches.
16 Q. So does this indicate that the
17 computer that's referred to on -- whose IP address
18 is referred to on the source line and the KaZaA IP
19 line is not a supernode?
20 A. It indicates that that computer is
21 communicating with that supernode in order to do the
22 searches.
23 Q. And how did MediaSentry determine
24 these numbers?
25 A. Line 2 of that section is the address
69
1 Jacobson
2 that is carried within the data packet as it
3 traverses across the internet. The line that starts
4 "X-KaZaA-IP" is part of the data payload within that
5 packet.
6 Q. And how do you know that? Didn't you
7 say you have never communicated with MediaSentry?
8 A. That's correct.
9 Q. So how do you know that?
10 A. Because I understand how KaZaA
11 operates.
12 Q. And how did you come to understand
13 how KaZaA operates?
14 A. Through researching protocol.
15 Q. Starting when?
16 A. I can't remember the exact date I
17 started researching KaZaA. It was all part of the
18 work Palisade did in the production of PacketHound.
19 Q. Are you familiar with the Ross
20 studies of KaZaA?
21 A. Not offhand.
22 Q. You never read them?
23 A. I don't recall without seeing one.
24 MR. BECKERMAN: I would like to
25 mark as Exhibit 7 a study entitled "The
70
1 Jacobson
2 KaZaA Overlay: A Measurement Study."
3 (Defendant's Exhibit 7, study
4 entitled "The KaZaA Overlay: A Measurement
5 Study," marked for identification, as of
6 this date.)
7 Q. So have you reviewed this report at
8 any time?
9 A. Yes, I have.
10 Q. I direct your attention to Page 17
11 and I call your attention to in the middle of the
12 page a sentence that starts with the words "later
13 versions." The statement says, "Later versions
14 (KMDV 2.0+ and KaZaA-Lite) employ dynamic port
15 numbers to evade firewalls."
16 Do you agree with that statement?
17 MR. GABRIEL: Objection. Lack of
18 foundation.
19 A. Yes.
20 Q. Going down to the end of that
21 paragraph, I will read you the last sentence and ask
22 if you agree with that sentence.
23 "Since the KaZaA port numbers are
24 dynamic, it is very difficult to block KaZaA
25 connections unless a very rigid filtering policy is
71
1 Jacobson
2 employed at the firewall." Do you agree with that
3 statement?
4 MR. GABRIEL: Object to form. Lack
5 of foundation.
6 A. Yes.
7 Q. Now I refer you to the first sentence
8 of the next paragraph.
9 "The reality of today's internet is
10 that a large fraction of peers reside behind NATs."
11 Do you agree with that statement?
12 MR. GABRIEL: Object to form. Lack
13 of foundation.
14 A. I don't have any way to know what
15 fraction.
16 Q. Do you agree that NATs exist?
17 A. Yes.
18 Q. What is a NAT?
19 A. The term stands for network address
20 translator. It is a router that on one side has a
21 public IP address and on the other side maintains or
22 has a set of what I want to refer to as private or
23 sometimes inside IP addresses, which are addresses
24 that are not allowed on the public internet.
25 Q. And do you agree that the existence
72
1 Jacobson
2 of a network address translator makes it difficult
3 to detect the IP address of specific computers
4 behind the router?
5 MR. GABRIEL: Objection to form.
6 Lack of foundation.
7 A. By router do you mean network address
8 translator?
9 Q. Yes.
10 A. Yes.
11 Q. And do you agree that KaZaA has used
12 a connection reversal in order to try to overcome
13 that?
14 MR. GABRIEL: Objection to form.
15 Lack of foundation.
16 A. I agree with the definition that they
17 specify in the article. I've never heard that
18 specific term.
19 MR. BECKERMAN: I would like to
20 mark as Exhibit 8 a one-page chart.
21 (Defendant's Exhibit 8, one-page
22 chart, marked for identification, as of this
23 date.)
24 Q. Can you identify what that displays?
25 MR. GABRIEL: Object to foundation.
73
1 Jacobson
2 He didn't draft it.
3 You can answer the question.
4 A. I don't know the intent of it but it
5 shows, as it's labeled, a cable modem connected to
6 the internet. And it shows a set of IP addresses,
7 all of which are the private -- designated as parts
8 of the private IP address range.
9 Q. Going back to the study, Exhibit 7, I
10 call your attention to Page 21, a paragraph bearing
11 number 7, and I'm going to the last two sentences
12 and I am going to ask if you agree with this
13 statement. "KaZaA uses dynamic port numbers along
14 with" --
15 A. I'm sorry. I am not finding it.
16 Q. Page 21, there is a paragraph number
17 7.
18 A. Okay. I'm sorry.
19 Q. I am asking if you agree with this
20 statement. "KaZaA uses dynamic port numbers along
21 with its hierarchical design to avoid firewall
22 blocking."
23 Do you agree with that?
24 MR. GABRIEL: Objection to form.
25 Lack of foundation.
74
1 Jacobson
2 A. I know KaZaA uses dynamic port
3 numbers. Whether that was the original design
4 intent to avoid firewalls would be a fair
5 assumption.
6 Q. The next sentence, do you agree with
7 that statement ?
8 "Furthermore, it uses connection
9 reversal to allow NATed peers to share files."
10 MR. GABRIEL: Objection to form.
11 Lack of foundation.
12 A. Yes.
13 Q. When you studied KaZaA, did you
14 familiarize yourself with the concept of pollution
15 on KaZaA?
16 A. No.
17 Q. Do you know what pollution is on
18 KaZaA?
19 A. My understanding is it is putting
20 things out into the network KaZaA that either
21 misrepresents the content or for some reason is not
22 what it says to be.
23 MR. BECKERMAN: I will mark this as
24 Exhibit 9. It is a paper entitled
25 "Pollution in P2P File Sharing Systems."
75
1 Jacobson
2 (Defendant's Exhibit 9, paper
3 entitled "Pollution in P2P File Sharing
4 Systems," marked for identification, as of
5 this date.)
6 Q. Going to the first page, the
7 right-hand column, the first full paragraph, the
8 first sentence starts with "One sabotage technique."
9 I will ask if you agree with this statement.
10 MR. GABRIEL: I'm sorry. Where are
11 you?
12 I got it.
13 Q. "One sabotage technique that is
14 particularly prevalent today is that of pollution."
15 Do you agree with that statement?
16 MR. GABRIEL: Objection to form.
17 Lack of foundation.
18 A. I don't have any knowledge that as
19 they define pollution it is prevalent on the
20 peer-to-peer systems.
21 Q. Are you aware that one of
22 MediaSentry's areas of business is pollution?
23 A. No.
24 Q. Are you aware that MediaSentry is in
25 the business of sending out decoy files?
76
1 Jacobson
2 MR. GABRIEL: Objection to form.
3 A. No.
4 MR. GABRIEL: Sorry. Belated
5 objection to the form.
6 Q. Excuse me?
7 A. No.
8 Q. I turn you to the second page, the
9 first full paragraph. About two-thirds of the way
10 down in the paragraph there is a sentence that
11 starts "We will see that." I call your attention to
12 that sentence and ask if you agree with this
13 statement.
14 "We will see that pollution is indeed
15 pervasive with more than 50 percent of the copies of
16 many popular recent songs being polluted in KaZaA
17 today." Do you agree with that?
18 MR. GABRIEL: Objection to form.
19 Lack of foundation.
20 A. I have no way of knowing if that's
21 true or false.
22 Q. So is it your testimony that you are
23 not knowledgeable about pollution?
24 MR. GABRIEL: Objection to form.
25 Q. Are you knowledgeable about
77
1 Jacobson
2 pollution?
3 A. Only to the extent that I know what
4 it is.
5 Q. And that's the sole extent of your
6 knowledge?
7 A. Yes.
8 Q. And are you familiar with the
9 distinction between content pollution and metadata
10 pollution?
11 A. I just now read their classification.
12 Q. Is it the first time you ever learned
13 of the distinction between those two terms?
14 A. Yes.
15 Q. So it would be fair to say that your
16 expertise does not extend to the nature and extent
17 and methods of pollution on KaZaA?
18 A. Yes.
19 Q. When you in your report refer to
20 analogizing an IP address to a return address and a
21 send address on a letter, would you say that analogy
22 is somewhat incorrect?
23 A. There is probably no perfect analogy
24 but it's a reasonable analogy to use for a lay
25 explanation.
78
1 Jacobson
2 Q. Is it fair to say that your postal
3 address is to your home whereas an IP address would
4 be more like an address to a timeshare that you
5 might occupy for a split second or for a minute?
6 MR. GABRIEL: Objection to form.
7 A. The IP address delivers to a device
8 or location.
9 Q. But not a person?
10 A. That's correct.
11 Q. And not for any given amount of time,
12 just as long as the internet connection stays on
13 line?
14 MR. GABRIEL: Objection to form.
15 A. Define what you mean by internet
16 connection.
17 Q. You don't know what I mean by an
18 internet connection?
19 A. There are multiple definitions.
20 Q. Why don't you give me the most common
21 meaning.
22 A. There is an application layer
23 connection which is used by individual applications
24 to communicate.
25 Q. With a dynamic IP address is the
79
1 Jacobson
2 person using it still using it after he's
3 disconnected from the internet?
4 MR. GABRIEL: Objection to form.
5 A. Depending on how they are connected,
6 the dynamic address may be dropped.
7 Q. You're saying they could end their
8 connection to the internet and still -- and the
9 dynamic IP address stays in effect and then if they
10 turn it back on, they could pick up the same exact
11 dynamic IP address? Is that your testimony?
12 MR. GABRIEL: Objection to form.
13 Lack of foundation.
14 A. If the device that issues the dynamic
15 address can detect the other device being turned
16 off, then the dynamic IP address can be released.
17 Otherwise, the dynamic address could still be
18 assigned to that device.
19 Q. Now, with a decentralized
20 peer-to-peer network, it's your statement in your
21 report that a request is sent to each neighbor and
22 each neighbor sends the request to the next neighbor
23 and so on. Did you mean that literally?
24 A. You said decentralized?
25 Q. Yes.
80
1 Jacobson
2 A. Yes.
3 Q. To neighbors? What do you mean by
4 neighbors?
5 A. The decentralized peer-to-peer
6 software referred to the peer-to-peer entities that
7 they talked directly to as neighbors.
8 Q. So you are using it figuratively to
9 describe other computers?
10 A. Yes.
11 Q. You say the semi-decentralized
12 peer-to-peer network uses a central index server.
13 Is that correct?
14 A. Yes.
15 Q. And that if one server node quits,
16 the other nodes can still function?
17 A. Yes.
18 Q. Now, when you access a screen shot,
19 are you accessing a file or are you accessing an
20 index of files?
21 A. When you query the server, what you
22 get is an index of the files.
23 Q. Now, is it your testimony that every
24 time you see a screen shot in KaZaA, you're seeing
25 files that are on a single ordinary node?
81
1 Jacobson
2 MR. GABRIEL: Objection to form.
3 A. There are many ways you can query
4 KaZaA, one of which is to ask all the files that are
5 contained on a particular machine.
6 Q. How would you frame such a query?
7 A. You frame the query with the address
8 of the machine that contains the information.
9 Q. And do you know how MediaSentry
10 queried?
11 A. I don't know the exact techniques
12 that they used.
13 Q. Now you said in your report that you
14 will demonstrate how defendant's internet account
15 and computer were used. Would you now demonstrate
16 for me how you can -- show me how you can
17 demonstrate that the defendant's computer was used?
18 A. Which line of the report are you?
19 Q. What?
20 A. Which line of the report are you
21 referring to?
22 Q. Paragraph 15.
23 A. Would you restate the question.
24 (Record read.)
25 A. Identifications through the IP
82
1 Jacobson
2 address to demonstrate which computer it is.
3 Q. No, I'm asking you to demonstrate it
4 now for me. You said, "I will testify to the
5 procedures and results obtained by MediaSentry
6 coupled with the information complied by defendant's
7 ISP to demonstrate the defendant's internet account
8 and computer were used to download and upload
9 copyrighted music from the internet using the KaZaA
10 peer-to-peer network."
11 Please demonstrate for me that
12 defendant's computer was used to download and upload
13 copyrighted music.
14 A. I can demonstrate through the
15 MediaSentry material.
16 Q. Okay.
17 A. I don't have the MediaSentry
18 material.
19 MR. BECKERMAN: We will mark as
20 Exhibit 10 a two-page printout, page
21 numbers 46 to 47.
22 (Defendant's Exhibit 10, two-page
23 printout of page numbers 46 to 47, marked
24 for identification, as of this date.)
25 MR. BECKERMAN: We will mark as
83
1 Jacobson
2 Exhibit 11 a printout, page numbers 49 to
3 187.
4 (Defendant's Exhibit 11, printout of
5 page numbers 49 to 187, marked for
6 identification, as of this date.)
7 MR. BECKERMAN: And you already
8 have Exhibit 6 and we have Exhibit 12,
9 which is a screen shot, pages 199 to 224.
10 (Defendant's Exhibit 12, printout of
11 pages 199 to 224, marked for identification,
12 as of this date.)
13 MR. BECKERMAN: And we will mark as
14 Exhibit 13 a one-page printout marked as
15 page number 48.
16 (Defendant's Exhibit 13, one-page
17 printout of page numbered 48, marked for
18 identification, as of this date.)
19 MR. BECKERMAN: And we will mark as
20 Exhibit 14 a printout of pages numbers 188
21 through 198.
22 (Defendant's Exhibit 14, printout of
23 pages numbers 188 through 198, marked for
24 identification, as of this date.)
25 Q. Now would you please demonstrate how
84
1 Jacobson
2 you can show that it's the defendant's computer that
3 was used.
4 MR. BECKERMAN: Off the record.
5 (Recess taken.)
6 Q. Please demonstrate that the
7 defendant's computer was used.
8 MR. GABRIEL: If I can ask you, if
9 you refer to an exhibit, please say what
10 the exhibit is.
11 THE WITNESS: Yes.
12 Q. Before we go into that, let me just
13 ask you something.
14 When you say "defendant's computer"
15 in your report, you're referring to the computer
16 that was accessed by MediaSentry; is that correct?
17 A. I'm referring to the -- yeah, the
18 computer with the IP address shown in Exhibit 6 that
19 we discussed earlier.
20 Q. And it's your contention that the
21 computer as to which you examined the hard drive is
22 a different computer than the one that was accessed
23 by MediaSentry; is that correct?
24 A. Yes.
25 Q. Now, going to the first computer, how
85
1 Jacobson
2 do you know that it was defendant's computer?
3 A. We don't have the Verizon information
4 in front of me. By using the subpoenaed records
5 from Verizon they show --
6 Q. They were asked --
7 I'm sorry. I cut you off.
8 They were asked to identify the owner
9 of an account that had used an IP address; is that
10 correct?
11 A. Yes.
12 Q. How would that tell you who owned the
13 computer?
14 A. It tells me the individual who has
15 the account that was associated with that IP
16 address; therefore, that computer at the time.
17 Q. Let's say -- not me, that would be
18 too improbable. Let's say you had a visitor at your
19 home and that visitor plugged into your internet
20 connection with his laptop. Would that make his
21 computer your computer?
22 A. Without knowing the configuration of
23 your home network, I couldn't.
24 Q. Let's say you had a wired internet
25 connection at your home, you had a cable modem and
86
1 Jacobson
2 someone was visiting who had a laptop, a friend of
3 yours or relative, and that person asked if they
4 could plug in their laptop and check their e-mail.
5 Okay?
6 Now, the IP address would show up as
7 your address, would it not? The dynamic IP address?
8 A. It depends.
9 Q. If I sent a query like the record
10 industry sent to Verizon, I would get you, right?
11 If you are the person who pays for the internet
12 access at your home.
13 A. If the ISP allows multiple devices
14 directly connected to their internet service.
15 Q. And it wouldn't have been your
16 computer, it would have been your friend's or
17 relative's computer. Correct?
18 MR. GABRIEL: Object to the form.
19 Lack of foundation.
20 A. The scenario you laid out. If the
21 ISP allowed multiple IP addresses, then it would
22 have associated an IP address with that particular
23 device.
24 Q. So when you say it was defendant's
25 computer, you don't actually have any knowledge as
87
1 Jacobson
2 to whether it was defendant's computer. All you
3 know is that the defendant's name is associated with
4 the internet access account; is that correct?
5 MR. GABRIEL: Objection to form.
6 A. I know that the -- yeah, the computer
7 associated with that user account, an IP address was
8 used.
9 Q. But you don't know whose computer it
10 actually was, do you?
11 A. No.
12 Q. But your report said it was
13 defendant's computer, so I think you will agree that
14 that's an imprecision in your report.
15 MR. GABRIEL: Objection to form.
16 Lack of foundation. Misstates the report.
17 A. The report states that I have
18 identified through the internet service provider the
19 account holder of the IP address.
20 Q. The report says that you will
21 demonstrate that it was defendant's computer that
22 was used. How can you demonstrate that the computer
23 belonged to the defendant? You don't know who it
24 belonged to.
25 MR. GABRIEL: Objection to form.
88
1 Jacobson
2 Lack of foundation.
3 Q. You are under oath.
4 A. It's my opinion that given the
5 information from MediaSentry and from Verizon, that
6 that IP address was associated with the defendant
7 and computers or at least in presence of the
8 defendant.
9 Q. There are two parts to your
10 statement. You say the defendant's internet account
11 and computer. Right now I'm not asking you about
12 the internet account. I'm asking about the
13 computer. You will agree, then, will you not, that
14 when you said computer that you don't actually know
15 if it was defendant's computer or not?
16 A. It is the computer associated with
17 the account of the defendant.
18 Q. But you don't know if it was
19 defendant's computer?
20 A. I know that the computer was
21 associated with the defendant's internet account.
22 Q. But you don't know if the defendant
23 owned it?
24 A. Nowhere is purchase information.
25 Q. And you do not know if the defendant
89
1 Jacobson
2 ever used it?
3 A. I know that the computer associated
4 with that address was used.
5 Q. Now, demonstrate how you know that
6 that computer was used to upload and download
7 copyrighted music from the internet.
8 A. Well, I know which computer through
9 Exhibit 6. That is the primary piece of evidence.
10 I know that material was downloaded
11 through Exhibit 10. I know music was made available
12 through Exhibits 10, 11, 12 and 14, and I know that
13 the music was downloaded through Exhibit 11.
14 MR. BECKERMAN: I would like to
15 mark as Exhibit 15 the undated October
16 report.
17 (Defendant's Exhibit 15, undated
18 October report, marked for identification,
19 as of this date.)
20 Q. When did you provide this report to
21 Mr. Gabriel?
22 A. October 25th.
23 Q. Why did you not sign it?
24 A. It's a draft.
25 Q. Why is it not dated?
90
1 Jacobson
2 A. It was a draft report.
3 Q. Have you ever submitted an unsigned
4 or undated draft to Mr. Gabriel before?
5 A. I could have. I don't recall.
6 Q. Have you ever submitted unsigned
7 drafts or undated drafts to anyone in Mr. Gabriel's
8 firm before?
9 A. Again, I could have. I don't recall.
10 Q. Is it your practice to submit
11 unsigned, undated drafts before submitting your
12 final reports to them?
13 A. The standard report goes in without
14 their review.
15 MR. GABRIEL: I would like the
16 record to reflect that there is a copying
17 issue in Exhibit 15. Page DJ0069 was
18 stamped "Draft." I note in the copying
19 the draft was too light to copy
20 apparently.
21 Q. Did Mr. Gabriel tell you not to issue
22 a final report, but to issue a draft instead?
23 A. Yes.
24 Q. Now, turning to Page DJ0071,
25 Paragraph 17, the second sentence, which says, "I
91
1 Jacobson
2 will testify based on the forensic examination of
3 the hard drive that was copied from the computer
4 owned by the defendant."
5 Now, are you saying there that the
6 second computer which you claim is different than
7 the first one was owned by the defendant also?
8 A. I'm lost in the second, first and --
9 Q. It's your words. It's your
10 testimony. It's your declaration, your unsigned
11 draft which Mr. Gabriel asked you to submit to him
12 so he could have input into the final. But this was
13 your wording I assume. Right?
14 A. Yes.
15 Q. This was wording that was not fed to
16 you by Mr. Gabriel?
17 A. Correct.
18 Q. So you say the computer owned by the
19 defendant. Now you are saying that the second
20 computer was owned by the defendant.
21 A. I'm saying the hard drive that I was
22 given to examine was reported to have been owned by
23 the defendant and I examined that hard drive and
24 came up with that conclusion.
25 Q. So is it your testimony that she
92
1 Jacobson
2 owned both computers?
3 MR. GABRIEL: Objection to form.
4 A. It's my testimony that the hard drive
5 contained no evidence of KaZaA and that hard drive
6 was reported to have belonged to the computer owned
7 by the defendant.
8 Q. What basis do you have for saying
9 that the computer was owned by the defendant?
10 A. Based on the chain of evidence
11 that -- the chain of custody that followed the
12 forensic disk.
13 Q. So it is your testimony that Marie
14 Lindor, who is a home health aide who has never even
15 used a computer, it is your testimony that she owns
16 two computers?
17 MR. GABRIEL: Objection to form.
18 Lack of foundation. Misstates testimony.
19 Q. Is that your testimony? She has
20 never even used a computer in her life, that she
21 owns not one, but two computers?
22 MR. GABRIEL: Same objection.
23 A. What I am stating is that the hard
24 drive I examined, which was reported to have come --
25 been owned by the defendant did not contain KaZaA or
93
1 Jacobson
2 any of the copyrighted or any music files.
3 MR. BECKERMAN: Let's mark as
4 Exhibit 16 your April report.
5 (Defendant's Exhibit 16, Dr. Douglas
6 W. Jacobson's April report, marked for
7 identification, as of this date.)
8 Q. Now, on Page DJ0006, Paragraph 19, in
9 the last line you use the words "being distributed."
10 A. Yes.
11 Q. Were you using "distributed" in the
12 legal sense of the word or in the generic sense of
13 the word?
14 MR. GABRIEL: Objection to form.
15 A. I'm not a lawyer so I don't know the
16 legal -- I guess I am not clear as to what
17 difference you are trying to make between the two
18 words.
19 Q. Where did you get the word
20 "distributed"?
21 A. In that paragraph I'm referring to
22 the fact that the files were on the peer-to-peer
23 network and by the nature of the peer-to-peer
24 network they are being distributed.
25 Q. Do you know of any instances in which
94
1 Jacobson
2 they were distributed to anyone other than
3 MediaSentry?
4 A. Given the nature of the peer-to-peer
5 system, there is a high probability that they
6 were -- well, strike that.
7 Distributed, they are being offered
8 for distribution by the fact that they were on the
9 peer-to-peer network.
10 Q. The question was whether they had
11 actually been distributed, not whether they had been
12 offered for distribution.
13 MR. GABRIEL: Objection to form.
14 A. The KaZaA program made those files
15 available through the supernode. Anybody --
16 Let me strike that and start over.
17 The KaZaA program made the files
18 available on her computer for distribution and given
19 the nature of the peer-to-peer network and the
20 number of users, there is a high probability that
21 songs were actually uploaded from that computer.
22 Q. Do you have any knowledge of any
23 specific instances of any uploads other than to
24 MediaSentry?
25 A. No.
95
1 Jacobson
2 Q. In Paragraph 21 you use the words
3 that the computer was registered to the defendant.
4 How does a computer get registered to a person?
5 A. Through the IP address it is
6 registered. Verizon indicated the subscriber.
7 Q. So you don't mean that the computer
8 was registered to the defendant. You mean the IP
9 address was identified by Verizon as having been on
10 the internet access account that was in the name of
11 the defendant. Is that correct?
12 A. The IP address of, was registered to
13 the defendant on said computer. So it says that the
14 IP address.
15 Q. Not the computer. The IP address was
16 registered?
17 A. That's what 21 states.
18 Q. 21 states that the computer that had
19 the IP address was registered to the defendant.
20 "I will testify based on all of the
21 information" --
22 A. Right, right.
23 Q. So you don't mean the computer was
24 registered, you mean the IP address was registered?
25 A. Yes.
96
1 Jacobson
2 Q. Now, in Paragraph 22 you state that
3 you could prove from the MediaSentry user log that
4 the music found on the defendant's computer was
5 downloaded from other users on the internet. How
6 would you have done that?
7 A. By using the metadata tags, in
8 particular the description tag. For example,
9 Page 0106.
10 MR. GABRIEL: What exhibit?
11 THE WITNESS: I'm sorry.
12 Exhibit 11.
13 A. Page 10106 indicates in the
14 description "ripped by" and had several -- several
15 cases "ripped by X7" and so on, and that's
16 throughout the document.
17 Q. A metadata is text, is it not?
18 A. Yes.
19 Q. Metadata can be changed, can it not?
20 A. Metadata can be changed and is not
21 present on original CD recordings.
22 Q. And it can be changed easily through
23 commonly available software, can it not?
24 A. Yes.
25 Q. And could it be changed through KaZaA
97
1 Jacobson
2 software?
3 A. Yeah. I believe KaZaA lets you edit
4 the metadata.
5 MR. BECKERMAN: I would like to
6 mark as Exhibit 17 a page of handwritten
7 notes.
8 (Defendant's Exhibit 17, page of
9 handwritten notes, marked for
10 identification, as of this date.)
11 Q. When were these notes prepared?
12 A. These notes were prepared prior to
13 the submission of the October -- let's see which
14 exhibit. Exhibit 15.
15 Q. Are there any other notes which you
16 jotted down which you did not preserve from the date
17 the hard drive was furnished to you?
18 A. No.
19 Q. What are the letters at the top
20 right?
21 A. DHCP name server.
22 Q. What are the three IP addresses below
23 that?
24 MR. GABRIEL: Objection to form.
25 A. Those are the IP addresses of the
98
1 Jacobson
2 name server that were on her computer.
3 Q. What does that mean?
4 A. The name server, my best analogy is a
5 giant phone book that converts names and IP
6 addresses. So when you type in www.google.com, you
7 get the IP address of Google.
8 Q. What is the entry at the bottom,
9 "7704 repaired"? What is that a reference to?
10 A. In examining the hard drive, it
11 appeared that there was some type of repair of the
12 Windows operating system on that date.
13 MR. BECKERMAN: I would like to
14 mark as Exhibit 18 a single-page document
15 which says "wireless router" at the top.
16 (Defendant's Exhibit 18, single-page
17 document bearing "wireless router" at the
18 top, marked for identification, as of this
19 date.)
20 Q. When was this prepared?
21 A. 3/14.
22 Q. Now, You say "wireless router?" and
23 then say, "No." How did you know there was no
24 wireless router?
25 A. Again, by looking at the information
99
1 Jacobson
2 on Exhibit 6.
3 Q. How does that show you that there is
4 no wireless router?
5 A. Again, as I testified earlier, here
6 at the source address and that the KaZaA IP address
7 matched.
8 Q. And that tells you that there was no
9 wireless router?
10 A. Again, those are all public IP
11 addresses on both the computer and the device that
12 put the IP packet onto the internet, both at the
13 same IP address.
14 Q. And that's your sole basis for your
15 conclusion?
16 A. Yes.
17 MR. BECKERMAN: I would like to
18 mark as Exhibit 19 a two-page letter from
19 Verizon.
20 (Defendant's Exhibit 19, two-page
21 letter from Verizon, marked for
22 identification, as of this date.)
23 Q. Is that the source for your
24 information as to whose access account it was?
25 A. Yes.
100
1 Jacobson
2 MR. BECKERMAN: I would like to
3 mark as Exhibit 20 a resume, a one-page
4 resume, page number DJ0076.
5 (Defendant's Exhibit 20, one-page
6 resume, page number DJ0076, marked for
7 identification, as of this date.)
8 A. It is a printout of a file that I
9 found on the hard drive that I examined. It was
10 described in Exhibit 15.
11 Q. Did you know who prepared this?
12 A. I know it was on the hard drive and
13 it in the directory of user Kathleen on the system.
14 Q. Do you know who typed it?
15 A. No.
16 Q. Now, what does it say next to the
17 word "e-mail" in this resume?
18 A. J-C-Q-L-L-I-N-E.
19 Q. What tools did you use to determine
20 that the hard drive had not been used for a KaZaA
21 account?
22 A. I used EnCase to examine the captured
23 hard drive.
24 Q. When you used EnCase, did you know
25 that this matter was in litigation and that you were
101
1 Jacobson
2 an expert witness in this case?
3 A. Yes.
4 Q. Did you not have screens? When you
5 used EnCase, didn't you look at a computer screen?
6 A. Yes.
7 Q. Did you save what was on that screen?
8 A. No.
9 Q. Did you generate reports?
10 A. No.
11 Q. Now I'm not asking you if you printed
12 out reports or saved reports. I'm asking you if you
13 generated reports.
14 A. No.
15 Q. So you did not document your findings
16 in EnCase at all, did you?
17 A. No.
18 Q. Did Mr. Gabriel tell you to do that?
19 A. No.
20 Q. So did you feel that you could just
21 review it on EnCase and then come and testify from
22 memory at a trial? Is that what you intended to do?
23 A. I examined the hard drive, found no
24 evidence of file sharing software or audio files,
25 and so there was nothing to document.
102
1 Jacobson
2 Q. So you didn't feel was any need to
3 create documentation of what your study had shown?
4 A. There was no files to document.
5 Q. Is that because it did not
6 corroborate Plaintiff's case in any way?
7 MR. GABRIEL: Objection to form.
8 Argumentative.
9 A. The testimony says I found no KaZaA
10 or MP3 files and, therefore, there was nothing to --
11 there were no screen shots to capture.
12 Q. Do you have any idea why the case
13 hasn't been dropped by now?
14 MR. GABRIEL: Objection to form.
15 Lack of foundation.
16 A. I don't get involved with -- so no.
17 MR. BECKERMAN: I would like to
18 mark as Exhibit 21 a one-page document
19 with a flowchart.
20 (Defendant's Exhibit 21, one-page
21 document with a flowchart, marked for
22 identification, as of this date.)
23 Q. Do you see item number 4?
24 A. You mean bullet number 4?
25 Q. Yes.
103
1 Jacobson
2 A. Yes.
3 Q. What does that say?
4 A. "Document findings."
5 Q. Did you know that you were going to
6 be giving sworn testimony in this case, including
7 your December declaration and possible deposition
8 and trial testimony?
9 A. Would you reread the question back.
10 (Record read.)
11 A. At the time I examined the hard drive
12 there were no scheduled depositions.
13 Q. So you thought it was okay not to
14 document your findings?
15 MR. GABRIEL: Objection to form.
16 A. I did document my findings, as shown
17 in Exhibit 17.
18 Q. When you say there were three user
19 names of interest, what did you mean by that?
20 A. In a Windows machine there are
21 default users that are created, like Administrator
22 and so on, that come with the installation of
23 Windows. So these were users that were added above
24 and beyond the default installation.
25 Q. So it doesn't actually tell you who
104
1 Jacobson
2 used the computer, does it? It just tells you the
3 user names?
4 A. Yes, these are user names for that
5 computer.
6 Q. And if someone was logged on under a
7 particular computer name and the computer was kept
8 on and another individual sat down and started using
9 the computer, you wouldn't know who that was, would
10 you, from the user name?
11 A. That's correct.
12 Q. Are you familiar with the declaration
13 that was given by the expert witnesses in the
14 Netherlands in the foundation case, the witness
15 statement of Henk Sips and Johan Pouwelse?
16 A. I would have to see the document.
17 MR. BECKERMAN: I would like to
18 mark this as Exhibit 22. It is a
19 three-page document entitled "Witness
20 statement of Henk Sips and Johan
21 Pouwelse."
22 (Defendant's Exhibit 22, three-page
23 document entitled "Witness Statement of Henk
24 Sips and Johan Pouwelse," marked for
25 identification, as of this date.)
105
1 Jacobson
2 MR. GABRIEL: I would like to
3 interpose a belated objection to the
4 characterization of the document as a
5 declaration.
6 MR. BECKERMAN: I agree. The
7 correct characterization should be as a
8 witness statement. So stipulated.
9 MR. GABRIEL: Thank you.
10 Q. Have you ever seen this document
11 before?
12 A. I've seen it.
13 Q. You have seen it?
14 A. I have seen it.
15 Q. In what context?
16 A. I believe my wife might have e-mailed
17 it and made a copy of it.
18 Q. Did anyone from the Plaintiff's law
19 firm send you a copy of it?
20 A. No.
21 Q. Did you ever access it yourself on
22 the internet?
23 A. Either she sent it to me directly or
24 a link to it, so I don't know if I got it as a
25 document or as a link to a document.
106
1 Jacobson
2 Q. Do you agree with the statement at
3 the bottom of Page 2 that detailed checks are,
4 therefore, required?
5 MR. GABRIEL: Objection to form.
6 Lack of foundation.
7 A. Would you read the question.
8 (Record read.)
9 A. I don't really know. They didn't
10 describe what they meant by detailed checks so I
11 can't -- I can't comment on that.
12 Q. We will turn to the next page. It
13 says, "We believe that the following procedure takes
14 the necessary precautions when trying to establish
15 if a user is making copyrighted works available for
16 download," and then they list certain procedures.
17 Do you agree that those procedures
18 take the necessary precautions?
19 MR. GABRIEL: Objection to form.
20 Lack of foundation.
21 A. The steps seem like reasonable
22 precautions.
23 Q. Going down a few paragraphs, there
24 are some terms. Do you agree that superpeer hopping
25 is a technical problem in trying to determine which
107
1 Jacobson
2 user might have violated copyright law?
3 MR. GABRIEL: Objection to form.
4 Lack of foundation.
5 A. They don't define what they mean by
6 superpeer hopping, so ...
7 Q. Don't you think they are referring to
8 the hopping from one supernode to another supernode,
9 shutting one down and starting another?
10 MR. GABRIEL: Objection to form.
11 Lack of foundation. Calls for
12 speculation.
13 Q. You are the expert. You have
14 indicated that you have studied KaZaA in depth.
15 Isn't it a fact that a single search on KaZaA can
16 hop from one supernode to another?
17 A. A search on KaZaA can prop you will
18 gate from one supernode to another.
19 Q. So don't you think that's what they
20 are referring to when they say superpeer hopping?
21 MR. GABRIEL: Objection to form.
22 Lack of foundation. Calls for
23 speculation.
24 A. I have not heard that term used, so I
25 don't know ...
108
1 Jacobson
2 Q. Would you agree that the fact that a
3 single search can switch from one supernode to
4 another to another to another would constitute a
5 technical problem in conducting such an
6 investigation?
7 MR. GABRIEL: Objection to form.
8 A. I would characterize it more as a
9 technical inconvenience than a problem.
10 Q. So you would agree that it is a
11 technical inconvenience that needs to be overcome?
12 A. I'm not saying that it hasn't been
13 overcome, if that's what your question is.
14 Q. My question is exactly what it said,
15 that it is a technical problem that needs to be
16 overcome.?
17 MR. GABRIEL: Technical
18 inconvenience. Let's be clear which
19 question you are asking, please.
20 Q. Is it a technical inconvenience that
21 needs to be overcome?
22 A. Yes.
23 Q. And you would agree that it requires
24 the taking of certain precautions?
25 MR. GABRIEL: Objection to form.
109
1 Jacobson
2 A. If by precautions you mean procedures
3 to understand that that can happen, yes.
4 Q. Would you agree that NAT translation
5 is a technical problem in conducting such an
6 investigation?
7 MR. GABRIEL: Objection to form.
8 Lack of foundation.
9 A. I would agree that that process --
10 procedures and processes need to be put in place to
11 handle NAT translation.
12 Q. And you agree that firewall relaying
13 is a technical problem that needs to be considered
14 during the process and procedure?
15 MR. GABRIEL: Objection to form.
16 A. I would agree that firewall relaying
17 is something that needs to be considered during the
18 process and procedure.
19 Q. In the next paragraph they refer to
20 pollution. Would you agree that pollution is a
21 problem that needs to be taken into account in
22 conducting such an investigation?
23 MR. GABRIEL: Objection to form.
24 Lack of foundation.
25 A. I think processes and procedures need
110
1 Jacobson
2 to be put in place to deal with the issue of
3 pollution.
4 Q. Does KaZaA have limitations in file
5 searching?
6 A. If by limitations you mean is one
7 user limited to the scope of where they can search
8 across the entire KaZaA network, yes.
9 Q. What is meant by the term "computer
10 hygiene precautions"?
11 MR. GABRIEL: Objection to form.
12 Lack of foundation.
13 A. It is my opinion what they are
14 talking about is it's possible to get data from
15 multiple locations for one file and if you don't
16 take care watching where those -- where the data
17 comes from and how much data is produced, that you
18 could end up marking IP addresses that have
19 transferred no data.
20 Q. What is multi-peer downloading
21 contamination?
22 MR. GABRIEL: Objection to form.
23 Lack of foundation.
24 A. That goes to what I was saying,
25 multiple peer nodes contributing to a single file.
111
1 Jacobson
2 Q. Does the fact that MediaSentry
3 observed the computer solely through the internet
4 and did not have physical access to the computer
5 itself limit its observational power?
6 MR. GABRIEL: Objection to form.
7 A. Obviously weren't able to physically
8 view the individual typing on the keyboard.
9 Q. Is the internet secure and safe and
10 reliable?
11 MR. GABRIEL: Objection to form.
12 A. I guess it depends on how you define
13 those terms. Secure? No. The end nodes on the
14 internet often are not secure. Safe? I guess I'm
15 not sure what you are talking about as far as
16 safety.
17 Q. Can people hack into other people's
18 systems?
19 A. Yes. I would wrap that under the
20 security umbrella.
21 Q. Isn't it a fact that you teach a
22 course on how to do that?
23 A. Yes.
24 Q. Isn't it a fact that you teach
25 students how to crack passwords?
112
1 Jacobson
2 A. Yes.
3 Q. And you teach them about spoofing?
4 A. Yes.
5 Q. What is spoofing?
6 A. Spoofing is pretending to be somebody
7 else.
8 Q. What is redirection?
9 A. Depends on where we are talking about
10 it, but redirection is typically forcing the traffic
11 to go somewhere else or forcing the user to go
12 somewhere else.
13 Q. Does the existence of a firewall
14 guarantee security?
15 A. No.
16 Q. Isn't it a fact that when you teach a
17 course in information warfare, most of the people
18 will find some vulnerabilities in the network that
19 is being attacked?
20 MR. GABRIEL: Objection to form.
21 A. In the course I teach, I set up a
22 corporate environment that has vulnerabilities
23 associated with it as part of the exercise.
24 Q. And the vulnerabilities that you
25 build in are not unheard of in the real world; is
113
1 Jacobson
2 that correct?
3 A. That's correct.
4 Q. So an IP address can be spoofed,
5 right?
6 A. Yes.
7 Q. And a MAC address?
8 A. Yes.
9 Q. Did you ever recover the registry
10 entries from either of the two computers that you
11 have been testifying about?
12 A. I recovered the register entries from
13 the hard drive that I examined.
14 Q. Well, if you recovered them, where
15 are they? How come you never turned them over to
16 me?
17 A. In EnCase you open them up as a file
18 viewer and you can examine them by just looking at
19 them.
20 Q. So you viewed them but didn't
21 preserve a record of it?
22 A. The hard drive image is still in my
23 possession.
24 Q. But when you viewed it in EnCase, you
25 didn't make any documentation of what you saw in the
114
1 Jacobson
2 registry entries?
3 A. I was looking for evidence of the
4 KaZaA program and found none.
5 Q. But you actually had the register
6 entries in front of you on the screen and you didn't
7 make any record of that?
8 A. There wasn't anything to make a
9 record of.
10 Q. There were no register entries?
11 A. There were register entries, but none
12 associated with KaZaA.
13 Q. You were told by Mr. Gabriel just to
14 look for things that incriminated the defendant?
15 MR. GABRIEL: Objection to form.
16 Lack of foundation. Argumentative.
17 Q. Is that your testimony? Were you
18 directed only to find things that helped the
19 plaintiffs win their case?
20 MR. GABRIEL: Same objections.
21 A. I was told to examine the hard drive
22 for evidence of file-sharing software and evidence
23 of MP3.
24 Q. That's all you were told to examine
25 it for? So you weren't told to examine it for
115
1 Jacobson
2 evidence as to whether it had been -- the hard drive
3 had been changed or anything like that?
4 A. I wasn't directed to do anything more
5 than that, although as part of the examination I
6 did -- as noted in Exhibit 17, I noted, for example,
7 that the operating system was repaired on July 7th
8 of '04.
9 RQ MR. BECKERMAN: I call for the
10 production of those register entries.
11 MR. GABRIEL: They don't exist.
12 The witness doesn't have a duty to create
13 them and you have your image of his hard
14 drive. You can produce them yourself.
15 Q. So EnCase has no way of backtracking
16 your project?
17 A. The only record it keeps is when you
18 specifically write something to a report file; when
19 you see something, you explicitly say, "Put this in
20 a report."
21 Q. So you were just looking in the
22 registry for evidence of KaZaA? That's it?
23 A. I was looking for the IP address and
24 as shown in Exhibit 17, I was looking for evidence
25 of dates about the system, so the date the system
116
1 Jacobson
2 was repaired.
3 Q. Do some users of KaZaA fool people
4 with fake content?
5 MR. GABRIEL: Objection to form.
6 A. I don't have any firsthand experience
7 with that.
8 Q. What is a MAC address?
9 A. A MAC address is referred to as the
10 physical address, which is the address used to
11 transfer data packets across local area network.
12 Q. Does the cable modem have a MAC
13 address?
14 A. Yes.
15 Q. Does a wired router have a MAC
16 address?
17 A. Yes.
18 Q. Does a wireless router have a MAC
19 address?
20 A. Yes.
21 Q. Does an ethernet card have a MAC
22 address?
23 A. Yes.
24 Q. Is a network card a synonym for
25 ethernet card or is it something else?
117
1 Jacobson
2 A. An ethernet card would probably be
3 considered a subset of a network card.
4 Q. Do other network cards also have MAC
5 addresses?
6 A. There would be networks that do not
7 use the concept of a MAC address.
8 Q. Does a DSL modem have a MAC address?
9 A. It has it on its -- on the subscriber
10 side.
11 Q. Is there a limit to the number of
12 devices behind a single router?
13 A. Theoretical or practical? The answer
14 is "yes" to both, I guess.
15 Q. And what factors would limit it?
16 A. The IP address space would be one
17 limiting factor and then the performance would be
18 more of a practical limiting factor.
19 Q. Can you have a router behind another
20 router?
21 A. Yes.
22 Q. What is the MAC address of the
23 computer that was accessed by MediaSentry?
24 A. There is no documentation to indicate
25 what the MAC address of that computer was.
118
1 Jacobson
2 Q. What is the MAC address of the
3 computer whose hard drive you examined?
4 A. Since I did not have the ethernet
5 card, I don't know.
6 Q. What type of internet service was
7 used by the computer that MediaSentry was
8 interacting with?
9 A. There wasn't enough information from
10 Verizon to indicate whether it was a cable modem or
11 a DSL.
12 Q. So you don't know?
13 A. No.
14 Q. Did that connect to the internet
15 directly or through another device's MAC address?
16 A. Did what connect?
17 Q. When that computer was on line with
18 or supposedly on line with MediaSentry, was it
19 directly or was it through another device's MAC
20 address?
21 MR. GABRIEL: Objection to form.
22 A. Every time a packet goes through a
23 cable modem, a router, a NAT, the MAC address is not
24 preserved; it is destroyed and recreated on the
25 other side.
119
1 Jacobson
2 Q. So the answer is?
3 A. Could you reread the original
4 question.
5 (Record read.)
6 A. Are you talking about which address
7 it presented to the ISP?
8 Q. You can't answer the question the way
9 it's asked?
10 A. I don't know where --
11 Again, as the packet moves through
12 the internet, every device that picks up the packet,
13 it retransmits and creates a new MAC address.
14 Q. Do you know whether it connected to
15 the internet directly or through another device's
16 MAC address? If you don't know you can say you
17 don't know.
18 MR. GABRIEL: Objection to form.
19 You can answer the question.
20 A. Stated the way it's stated, no, I
21 don't know.
22 Q. How many devices accessed the
23 internet through Marie Lindor's internet access
24 account?
25 A. I have evidence of one device with
120
1 Jacobson
2 the IP address that we have talked about in
3 Exhibit 6, that one device being connected to the
4 internet during the times as described in
5 Exhibit 16.
6 Q. How many MAC addresses have accessed
7 the internet through Marie Lindor's account?
8 A. I have no way of knowing.
9 Q. When is a MAC address assigned to a
10 computer?
11 A. MAC addresses are actually assigned
12 to the network cards by the network card vendor.
13 Q. And is that also true for any other
14 network device?
15 A. In the ethernet world, yes. MAC
16 addresses are assigned. Blocks are assigned to the
17 vendors and the vendors allocate individual
18 addresses.
19 Q. Did the computer which you examined
20 have a wireless card? The computer whose hard drive
21 you examined, did that have a wireless card?
22 A. All I received was the hard drive. I
23 did not receive the --
24 Q. So you don't know?
25 A. Correct.
121
1 Jacobson
2 Q. Can an ethernet card be removed from
3 one PC and put into another?
4 A. If it is an actual card as opposed
5 to -- connected to -- actually on the motherboard.
6 Q. If you were an internet pirate or
7 cracker who wanted to spoof a MAC address, could you
8 easily find the MAC address by, let's say, finding a
9 box that a cable modem had come in and just writing
10 down the MAC address from that?
11 MR. GABRIEL: Objection to form.
12 Lack of foundation.
13 A. I don't know if they write the MAC
14 addresses on the outside of cable modem shipping
15 boxes.
16 Q. You can manually reassign a new MAC
17 address, can you not?
18 A. In a lot of systems, yes.
19 Q. What is reprogramming a MAC address?
20 MR. GABRIEL: Objection to form.
21 A. I've never heard it quite put that
22 way, but my understanding would be that that would
23 be changing the MAC address of the device.
24 Q. Did you or MediaSentry ever actually
25 know the MAC address of either of the computers?
122
1 Jacobson
2 MR. GABRIEL: Objection to form.
3 Lack of foundation as to MediaSentry.
4 A. I did not know the MAC address. I
5 cannot testify to what MediaSentry knew in that
6 case.
7 Q. How would one spoof an IP address?
8 A. Can we go off the record for a
9 second? Am I allowed to say that?
10 MR. GABRIEL: You need to answer
11 his question first. If there is an issue
12 with the question, you can tell him.
13 A. Long version or short version?
14 Q. Short version.
15 A. Okay. Boy, there is no short
16 version.
17 Q. There are many ways to do it, is that
18 not correct?
19 A. Well, there is many ways and it
20 depends for what purpose as to whether those ways
21 would work.
22 Q. Okay. It's not necessary to really
23 go into detail.
24 A. Okay.
25 Q. There are many ways to spoof an IP
123
1 Jacobson
2 address?
3 A. Not all of which work. Correct.
4 Q. Did you personally verify the IP
5 number?
6 A. The IP address on the hard drive,
7 since it's DHCP, the IP address is not committed to
8 the hard drive.
9 Q. So the answer is no, you did not
10 verify the IP address?
11 A. Not on the hard drive.
12 Q. And how did MediaSentry get the IP
13 address?
14 MR. GABRIEL: Objection to the
15 extent it was asked and answered.
16 Go ahead.
17 A. I don't know the exact process and
18 procedures that MediaSentry used.
19 Q. So you couldn't test or verify the
20 procedures? You didn't know what they were?
21 A. Given the procedures, I could test
22 them. The method that I would use is, again, since
23 every packet --
24 Q. No. The question was -- I was asking
25 whether you verified the way that -- the method that
124
1 Jacobson
2 MediaSentry used.
3 A. No.
4 Q. Do you know what the IP address was
5 of the screen shot?
6 MR. GABRIEL: Objection to form.
7 A. The screen shot was a screen shot of
8 the files associated with the user.
9 Q. Well, they would have had to have
10 been a dynamic IP address assigned it that, would it
11 not have, to that connection?
12 MR. GABRIEL: Objection to form.
13 A. You have an IP -- you have an IP
14 connection to the supernode and then to transfer the
15 files, you make an IP connection to the machine that
16 has the -- that has the files.
17 Q. When you did the forensic examination
18 of the hard drive, other than telling you that they
19 wanted you to look for evidence of KaZaA, were there
20 any other instructions given to you?
21 A. Look for the -- any MP3 files and
22 then just a general look for anything that may be
23 associated with -- you know, with MediaSentry and my
24 testimony or my expert report. So things like IP
25 addresses, et cetera.
125
1 Jacobson
2 Q. You say it's not difficult to
3 determine whether a computer was connected with a
4 wireless router based on how IP's are assigned? How
5 could you possibly tell from the way IP's are
6 assigned whether or not it was connected to a
7 wireless router?
8 A. Again, back to Exhibit 6 where the
9 machine itself reports its IP address and so does
10 the device with the global internet address. A
11 wireless router is going to have an internal address
12 and then a public address, and so you will see a
13 discrepancy in those two IP addresses.
14 Q. How did you make that determination
15 in this case? I'm not sure I follow that.
16 You put in your declaration on
17 December 19th "Based on how IP's are assigned, it is
18 not difficult to determine whether a computer was
19 connected to the internet via a wireless router.
20 This computer was not." How did you determine that
21 that computer was not connected to the internet via
22 a wireless router?
23 MR. GABRIEL: Objection. Asked and
24 answered.
25 A. This computer had a public IP address
126
1 Jacobson
2 that matched the IP address that was in the packet
3 that was transmitted onto the internet from an entry
4 point into the internet. And so, therefore, since
5 the computer said it had the same address as the
6 packet ...
7 Q. I don't understand your testimony.
8 What do you mean by a public IP address?
9 A. The public IP space is divided into
10 address ranges. A majority of the addresses are to
11 be handed out for devices that are directly
12 connected to the public -- to the internet. Some of
13 the addresses have been reserved for private
14 addresses, addresses that cannot show up on the
15 internet. They will not be routed across the
16 internet. These are the addresses used by NATs and
17 wireless routers and so on as you have shown in
18 your --
19 Q. Don't look for the documents.
20 A. The image with the picture where you
21 had the 192168 addresses. Those, for example, are
22 private IP address space.
23 Q. So you are going to rely on what you
24 just said. That's the way you know it wasn't a
25 wireless router. Everything you have just said now
127
1 Jacobson
2 establishes that it was not a wireless router?
3 A. In my opinion, yes.
4 Q. Was KaZaA fully installed on the
5 first computer?
6 MR. GABRIEL: Objection to form.
7 A. If by the first computer you mean the
8 computer that MediaSentry reported on, that was
9 running a KaZaA client.
10 MR. BECKERMAN: Read back that
11 answer.
12 (Record read.)
13 Q. I asked you if it was fully installed
14 on the computer.
15 MR. GABRIEL: If that's a question,
16 I object.
17 A. The KaZaA application was installed
18 and running on that computer.
19 MR. GABRIEL: The record should
20 reflect that the document Dr. Jacobson was
21 looking for was Exhibit 8 with the 192IP
22 address. That's what he said, just for
23 clarity.
24 Q. Other than this two-page document
25 from Verizon which was sent to Jenner & Block law
128
1 Jacobson
2 firm, did you see anything else from Verizon?
3 A. No.
4 Q. Do you know what procedures Verizon
5 employed to link Ms. Lindor's name and address to
6 the alleged IP address?
7 A. No.
8 Q. Do you know who conducted the
9 research?
10 A. No.
11 Q. Do you know if the procedures were
12 accurately and competently followed?
13 A. I have no way of knowing that.
14 Q. Do you know if the search was free
15 from human and mechanical error?
16 A. I have no way of knowing.
17 Q. Have the ISP's ever misidentified a
18 subscriber?
19 MR. GABRIEL: Objection to form.
20 Lack of foundation.
21 A. I have no way of knowing.
22 Q. Have the ISP's ever identified a
23 customer who is not even a subscriber at the time of
24 the infringement?
25 MR. GABRIEL: Objection to form.
129
1 Jacobson
2 Lack of foundation.
3 A. I have no way of knowing.
4 Q. Did you see their logs?
5 A. All I saw from Verizon is what is
6 shown in Exhibit 19.
7 Q. Were MediaSentry's clocks
8 synchronized with Verizon's?
9 MR. GABRIEL: Objection to form.
10 Lack of foundation.
11 A. I have no way of knowing.
12 Q. How many people were assigned this IP
13 address during the 24 hours of August 7, 2004,
14 141.155.57.198?
15 A. The date you said was August 7th?
16 Q. August 7, 2004.
17 A. I have no way of knowing that.
18 Q. Is it true that the ISP keeps a log
19 of all IP address assignments?
20 MR. GABRIEL: Objection. Lack of
21 foundation.
22 A. I don't know how Verizon operates
23 internally.
24 Q. Does the log contain the name and
25 address of a subscriber or does it contain a MAC
130
1 Jacobson
2 address?
3 MR. GABRIEL: Same objection.
4 A. I have no idea what is in their
5 internal logs.
6 Q. How did Verizon link Ms. Lindor's
7 name to that IP address?
8 MR. GABRIEL: Same objection.
9 A. I have no knowledge about Verizon.
10 Q. So is it fair to say that all of your
11 reports are based on the assumption that the
12 information which you obtained from Verizon was
13 accurate?
14 A. Yes.
15 Q. And you have no idea how they
16 obtained that information; is that correct?
17 A. I have no firsthand knowledge of how
18 they obtained that information.
19 Q. Do you have some secondhand knowledge
20 of how they operated?
21 A. I could speculate as to how they
22 might do it.
23 Q. But you don't know? You just would
24 be speculating?
25 A. Yes.
131
1 Jacobson
2 Q. I am sure Mr. Gabriel wouldn't want
3 you to speculate. Did you make any attempt to
4 verify the information?
5 A. The Verizon information?
6 Q. Yes.
7 A. The only verification that I do is I
8 compare the Verizon subpoena response date, time, IP
9 to the subpoena itself to verify that they -- that
10 Verizon is reporting back on the same data that was
11 requested.
12 Q. Do you know if Ms. Lindor's apartment
13 has a wired router?
14 A. I don't know anything about
15 Ms. Lindor's apartment.
16 Q. So would you know if her apartment
17 had a wireless router?
18 A. Again, I don't know anything about
19 Ms. Lindor's residence.
20 Q. Would it have been possible to have
21 more than one router?
22 MR. GABRIEL: Objection to form.
23 A. It's possible to have any number of
24 routers. But given the IP address correlation,
25 given the IP address in the packet in the computer
132
1 Jacobson
2 are both republic.
3 Q. What is a wireless access point?
4 A. A wireless access point is the
5 wireless device that actually -- it is a device that
6 actually interfaces with the wireless devices, the
7 machines with wireless cards, so that actually is
8 the base station transmitter.
9 Q. How does that relate to a wireless
10 router?
11 A. That's part of a -- that's part of
12 the router. The access point we typically talk is
13 the wireless side.
14 Q. Didn't you say in your declaration
15 under penalty of perjury that your conclusion that
16 it was not connected to the internet via a wireless
17 router was based in part on the registry entries
18 recovered from the computer?
19 A. Yes.
20 Q. And you didn't feel it was important
21 to identify those registry entries?
22 A. Again, since I didn't find anything
23 there was nothing to document and since I can --
24 The hard drive is still in my
25 possession.
133
1 Jacobson
2 Q. Well, do you think you can now go
3 generate more reports after having gone through this
4 deposition and then come up with them at the trial
5 and surprise me with them?
6 MR. GABRIEL: Objection.
7 Argumentative. We are aware of what our
8 obligations are.
9 Q. You said in your declaration that
10 there was no internal IP address here. What did you
11 mean by that?
12 A. Which declaration are you reading?
13 Q. Your December 19th declaration. You
14 said there was no internal IP address here.
15 MR. GABRIEL: I don't believe you
16 marked it as an exhibit.
17 Q. Do you doubt that you put that in
18 your declaration?
19 MR. GABRIEL: Wait. He is talking
20 about your December declaration. He has
21 not marked it as an exhibit, if that is
22 what you are looking for.
23 Q. Well, do you doubt that that's what
24 you said? Let me quote.
25 "I base this on the data mentioned
134
1 Jacobson
2 above as well as on the registry entries recovered
3 from the computer and the fact that there was no
4 internal IP address here." Do you not know what
5 that statement means?
6 A. I know what that statement means. I
7 assume if you are reading it, it is indeed what I --
8 I don't remember verbatim what I said
9 without seeing the report.
10 MR. BECKERMAN: Please mark this as
11 Exhibit 23. It is a declaration dated
12 December 19, 2006.
13 (Defendant's Exhibit 23, declaration
14 dated December 19, 2006, marked for
15 identification, as of this date.)
16 Q. I refer you to Page 4, Paragraph 5,
17 second sentence, and ask you what you were talking
18 about.
19 Actually, let me go to this first.
20 When you say the registry entries were recovered,
21 they weren't recovered; you are just saying you saw
22 them and then kept them to yourself. Is that
23 correct? You didn't recover them?
24 MR. GABRIEL: Objection to form.
25 Argumentative.
135
1 Jacobson
2 Q. You read them and made no notation or
3 record or report of them; is that correct? So when
4 you say recovered --
5 A. In a Windows PC the registries
6 actually exist in several places and so to get a
7 view of all of them, you end up through EnCase
8 running their internal program which puts the
9 registries in a human, readable format. So that's
10 what I meant by the word "recovered."
11 Q. What did you mean when you said there
12 was no internal IP address here?
13 A. There was no evidence of an
14 internal -- of the internal addresses like the
15 192.168 addresses that you find when you have a
16 wireless router.
17 Q. So in preparing your analysis, you go
18 directly from the MediaSentry documents to the
19 report that you write for the RIAA lawyers and there
20 is no intermediate work papers or analysis sheets?
21 A. Yes. That's Exhibit 18.
22 Q. That's it? That's the only thing
23 that you prepare before preparing your report?
24 A. Yes.
25 (Recess taken.)
136
1 Jacobson
2 Q. If I was on the internet right now
3 and my IP address was 195.175.1.2, how would you
4 determine whether I was connected through a wireless
5 router or not?
6 A. We look at the -- if all I saw was a
7 single packet from you with no other data, I
8 couldn't make that determination. But if I saw a
9 payload that also reported your IP address, then I
10 could make that determination.
11 Q. So let's say I sent you an e-mail.
12 Would you be able to tell?
13 A. Not with every e-mail. There may be
14 configurations in which an e-mail would disclose
15 that information.
16 Q. Now, going back to what you said
17 about the packet, would you see the private IP?
18 A. If the application reported the
19 private IP as part of the payload, but not as part
20 of the IPV4 header.
21 Q. And how does it distinguish between
22 wireless and not wireless?
23 MR. GABRIEL: Objection to form.
24 A. You wouldn't be able to tell the
25 difference between a router with private addresses,
137
1 Jacobson
2 whether it was wireless or not wireless.
3 Q. Does the packet identify whether the
4 user is wireless or not?
5 A. It depends on which packet you see?
6 Q. How would a packet tell you that it's
7 wireless?
8 A. If I actually captured the wireless
9 packet, its MAC address is larger than the MAC
10 address of a -- on the wired side, along with the
11 frame format is different.
12 Q. The MAC address of a wireless is a
13 different type of MAC address?
14 A. Its layout is different.
15 Q. Is a MAC address visible outside of
16 the local network?
17 A. Not of the internal machines.
18 Q. So how would a packet on the public
19 internet have a MAC address header?
20 A. Every packet has some type of MAC
21 address header.
22 Q. Does NAT hide the private IP?
23 A. If by "hide" you mean that the
24 private IP does not show up in the IPV6 header, that
25 is correct.
138
1 Jacobson
2 Q. What is the name and model of the PC
3 whose hard drive image you examined?
4 A. I don't know.
5 Q. What is the MD5 hash of the hard
6 drive you examined?
7 A. I don't recall what that is.
8 Q. What is the SHA1 hash of the hard
9 drive image you examined?
10 A. I don't even recall looking at that.
11 Q. What kind of hashing does KaZaA use?
12 A. I don't remember the exact algorithm
13 that it uses.
14 Q. Would it refresh your recollection
15 for me to tell you that it uses UU Hash?
16 A. I have no reason to doubt that.
17 Q. Do you know why MediaSentry compiled
18 the list with the SH1 values instead of the UU Hash
19 values?
20 A. Which list?
21 Q. You are the person who is testifying
22 about the MediaSentry printouts.
23 MR. GABRIEL: I will object. He
24 didn't testify about hash values at all.
25 Q. Isn't it a fact that they have a list
139
1 Jacobson
2 of SHA1 hash values?
3 MR. BECKERMAN: Withdrawn. I
4 withdraw the question.
5 Q. Can multiple users of KaZaA have the
6 same user name?
7 A. Yes.
8 Q. Can users change their nickname in
9 KaZaA?
10 A. Yes.
11 Q. Do KaZaA nicknames uniquely identify
12 a person?
13 A. No.
14 Q. Could I create a user name
15 "Dr. Jacobson" at KaZaA?
16 A. Yes.
17 Q. Does KaZaA operate as a background
18 service?
19 MR. GABRIEL: Objection to form.
20 A. You can minimize KaZaA and have it
21 run out of the system tray.
22 Q. Is it possible that someone who has
23 the computer on and has KaZaA running might not even
24 know it's running?
25 A. It's possible.
140
1 Jacobson
2 Q. Is there a way through the internet
3 to remotely control someone else's computer?
4 MR. GABRIEL: Objection to form.
5 Lack of foundation.
6 A. It's possible.
7 Q. What is a zombie?
8 A. In reference to computer security, a
9 zombie is a program that is under control of some
10 other master program which is under control of some
11 individual.
12 Q. What is a cracker?
13 A. When I use the term, it is in
14 reference to either a person or process to break
15 passwords.
16 Q. What is a drone?
17 A. Again, in computer security
18 terminology that, again, would be a piece of
19 software that's under control by another individual.
20 Q. When you provide your investigations,
21 do you do anything to verify or to determine whether
22 or not the computer in question was under control by
23 an outside remote user?
24 A. No.
25 Q. Do you know who conducted the
141
1 Jacobson
2 MediaSentry investigation?
3 A. No.
4 Q. Do you know the qualifications and
5 training of anyone who conducted the investigation?
6 A. No.
7 Q. Are screen shots reliable evidence,
8 in your opinion?
9 MR. GABRIEL: Objection to form.
10 Lack of foundation. Calls for a legal
11 conclusion on its face.
12 A. I don't know what represents legal
13 evidence in a court of law.
14 Q. Do you consider screen shots
15 reliable?
16 MR. GABRIEL: Objection.
17 A. A screen shot is an image of the
18 application and the application data that is shown
19 on the screen at that time.
20 Q. Can it be subject to manipulation or
21 forgery?
22 MR. GABRIEL: Objection to form.
23 Calls for speculation.
24 A. Any image can be subject to
25 manipulation.
142
1 Jacobson
2 Q. Could it be altered in the graphics
3 editing program?
4 MR. GABRIEL: Same objections.
5 A. Any image can be altered in the
6 graphics editing program.
7 Q. Did you take any steps to verify the
8 authenticity of the screen shot?
9 A. No.
10 Q. Did you take any steps to verify that
11 the song files were genuine?
12 A. Other than what was reported through
13 MediaSentry and through the certificates of -- I
14 can't recall what they are called exactly, but
15 through the documents provided by the recording
16 industry.
17 Q. You yourself did nothing to verify
18 that they were genuine?
19 A. Other than through the documentation
20 I was provided.
21 Q. What did MediaSentry do to verify
22 that they were genuine?
23 MR. GABRIEL: Objection to form.
24 Lack of foundation.
25 A. I don't know what MediaSentry did.
143
1 Jacobson
2 Q. Did you verify that the IP address
3 had not been highjacked?
4 MR. GABRIEL: Objection to form.
5 A. I relied on the Verizon documentation
6 and so, no, I did not.
7 Q. Did you verify that the IP address
8 had not been faked?
9 MR. GABRIEL: Same objection.
10 A. I relied on the Verizon
11 documentation.
12 Q. Did you verify that the IP address
13 had not been spoofed?
14 MR. GABRIEL: I will object to the
15 form. Lack of foundation.
16 You can answer.
17 A. Only that I can say that it was an IP
18 address that was within Verizon's domain.
19 Q. Is a log file a text file?
20 A. It can be.
21 Q. Were these log files text files?
22 A. The originals I believe came that
23 way. When I receive them, they are .PDF documents.
24 Q. Can text files be easily altered?
25 MR. GABRIEL: Objection to form.
144
1 Jacobson
2 A. Yes.
3 Q. In your report you said the lack of
4 user-created files and e-mail leads you to believe
5 that this computer wasn't used very much. What did
6 you mean by user-created files?
7 A. When I looked through the hard drive
8 there were very few files that were created by
9 user-run applications, like documents.
10 Q. Is it possible to use a computer for
11 extended periods without creating any user files?
12 MR. GABRIEL: Objection to form.
13 A. It's possible.
14 Q. If you were, let's say, surfing the
15 internet and clearing the cache, would there be any
16 user-created files from that?
17 A. As long as you didn't download
18 anything.
19 Q. If you were listening to any CD's,
20 would there be any user-created files?
21 A. No.
22 Q. If you were playing Minesweeper or
23 Solitaire, would there be any user-created files?
24 A. I believe Solitaire you can save a
25 game.
145
1 Jacobson
2 Q. If you were just playing Minesweeper
3 or Solitaire, would there be any user-generated
4 files?
5 A. No.
6 Q. If a user used web-based e-mail such
7 as Hotmail, Yahoo or Gmail, would any of those
8 e-mails be stored on the hard drive?
9 A. They don't have to be.
10 Q. Can you tell how many people used the
11 computer from which the hard drive came that you
12 examined?
13 A. I can tell how many accounts were on
14 the hard drive, how many user accounts.
15 Q. But you can't say how many people
16 used it?
17 A. Living, breathing people? No.
18 Q. During your hard drive inspection,
19 what files did you find in the deleted sectors of
20 the disk?
21 A. Very few, and none that matched the
22 profile of KaZaA or MP3 files.
23 MR. BECKERMAN: Let's take a short
24 break.
25 (Recess taken.)
146
1 Jacobson
2 Q. Did you examine the system registry
3 for the computer that had the hard drive?
4 A. I examined the registry from the hard
5 drive.
6 Q. Did it show that any other hard drive
7 had ever existed in that computer?
8 A. I didn't specifically look for that.
9 I don't recall that there was an indication of that.
10 Q. So you have no reason to think that
11 the hard drive was replaced?
12 A. Not -- no.
13 Q. And it is a fact, is it not, that the
14 system registry would have disclosed that if it had
15 taken place?
16 A. If you would have rebuilt the system
17 from scratch and copied the data files over to new
18 hard drive, the system registry would have only
19 shown the creation date or installation date of the
20 operating system.
21 Q. Isn't it a fact that the system
22 registry contains information about each hard drive
23 that's ever been connected to the computer,
24 including the manufacturer, the size of the hard
25 drive and in some instances the serial number?
147
1 Jacobson
2 A. Of all hard drives connected while
3 that system registry was on that hard drive, if you
4 pull out the hard drive that had that system
5 registry and plugged a brand new one into the
6 machine and rebuilt the operating system, there
7 would be no evidence of that original hard drive you
8 pulled out.
9 Q. Was there any evidence that that had
10 taken place here on or after August 7, 2004?
11 A. No.
12 Q. Does every internet packet contain a
13 MAC address?
14 A. No.
15 Q. Does a MAC address tell you if a
16 device is wired or wireless?
17 A. If you can see the MAC address of the
18 transmitting device you could see whether that
19 device was wired or wireless.
20 Q. Now, if it was a computer going
21 through a wireless router, would you see the MAC
22 address of the computer?
23 A. Where am I looking for the MAC
24 address?
25 Q. Where you say it exists.
148
1 Jacobson
2 A. MAC address exists between any two
3 nodes -- some type of physical address exists
4 between every pair of communicating nodes on the
5 internet.
6 Q. How would you see the MAC address of
7 a transmitting device?
8 A. I'd have to have a monitoring device
9 on the media -- median that the transmitting device
10 was using.
11 Q. And did you have such a monitoring
12 device?
13 A. No.
14 Q. Does an IP address tell you if the
15 device is wired or wireless?
16 A. No.
17 MR. BECKERMAN: I have no further
18 questions.
19 MR. GABRIEL: I think I just have
20 three clarification questions.
21 MR. BECKERMAN: Then I might have
22 some clarifying questions of my own then.
23 MR. GABRIEL: I understand.
24 EXAMINATION BY
25 MR. GABRIEL:
149
1 Jacobson
2 Q. Dr. Jacobson, Mr. Beckerman asked you
3 some questions about the processes that you used
4 both when you did your first report and also when
5 you reviewed the hard drive, and you gave testimony
6 about that. Do you recall?
7 A. Yes.
8 Q. With respect to the processes that
9 you used, is it your view that reasonable experts in
10 your fields use the same processes?
11 A. Yes.
12 Q. Is there any other way to do what you
13 did, to your knowledge?
14 A. The hard drive examination could have
15 been done with any one of a number of tools, but all
16 of those tools behave in roughly the same way.
17 Q. Mr. Jacobson, with respect to the
18 reports in the declaration that you did and
19 Mr. Beckerman asked you about, he asked you whether
20 you had discussed any alternative explanations for
21 the conclusions you reached. Do you recall him
22 asking you that?
23 A. Yes.
24 Q. You did talk about the absence of a
25 router.
150
1 Jacobson
2 MR. BECKERMAN: Objection.
3 Leading.
4 Q. Yes?
5 A. Yes.
6 Q. Mr. Beckerman had asked you questions
7 about the instructions that I or my firm gave you in
8 terms of what you were supposed to look for on the
9 hard drive, correct?
10 A. Yes.
11 Q. And your testimony will speak for
12 itself. I think you said look for KaZaA, look for
13 MP3 files, anything associated with your expert
14 report. Do you recall giving that general
15 testimony?
16 A. Yes.
17 Q. Did we also ask you to look if
18 anything was deleted?
19 A. I believe you did.
20 Q. And did you do that?
21 A. Yes.
22 Q. Mr. Beckerman asked you a lot of
23 questions today about what you relied on and he
24 asked you whether you had verified different things.
25 For example, the Verizon information was one of the
151
1 Jacobson
2 things he asked you if you verified. Do you
3 remember just being asked those questions?
4 A. Yes.
5 Q. With respect to the various data you
6 relied on from MediaSentry or Verizon, do you have
7 any information sitting here today, Dr. Jacobson, to
8 suggest that any of that is not correct?
9 A. No.
10 Q. Do you have an opinion as to whether
11 a reasonable expert in your field would rely on
12 information like that?
13 MR. BECKERMAN: Objection. He
14 hasn't shown himself qualified to give an
15 opinion on something like that.
16 Q. You can answer.
17 A. I believe that a person in my field
18 would use the same information.
19 Q. Last question. Would you look at
20 Exhibit 8, please.
21 A. Yes. I found it.
22 Q. A couple of times today you alluded
23 to this exhibit and referred to it or you talked
24 about -- and the record speaks for itself, I'm just
25 trying to get us in the same place -- an internal IP
152
1 Jacobson
2 address and 192. Does the number 192 here somehow
3 correlate with an internal IP address?
4 A. Yes. The internet registration
5 authority, which is basically the governing body of
6 IP addresses, has allocated three address ranges
7 that are to be used internally only, they are not to
8 show up on the internet, and the 192.168 is one of
9 those blocks of addresses.
10 Q. And with respect to the IP -- the
11 public IP address that you talked about a lot today
12 relating to this case, was that within one of the
13 ranges for internal addresses?
14 A. No.
15 MR. GABRIEL: That's all I have.
16 MR. BECKERMAN: I have no further
17 questions.
18 MR. GABRIEL: Thank you for your
19 courtesy. We are going to run out and
20 make a plane.
21 --o0o--
22 (Time noted: 2:28 p.m.)
23
24
25
153
1
2 C A P T I O N
3
4 The Deposition of DR. DOUGLAS W. JACOBSON, taken in the
5 matter, on the date, and at the time and place set
6 out on the title page hereof.
7
8 It was requested that the deposition be taken by
9 the reporter and that same be reduced to
10 typewritten form.
11
12 It was agreed by and between counsel and the
13 parties that the Deponent will read and sign the
14 transcript of said deposition.
15
16 --o0o--
17
18
19
20
21
22
23
24
25
154
1
2 C E R T I F I C A T E
3 STATE OF _____________________________________:
4 COUNTY/CITY OF____________________________________:
5
6
7 Before me, this day, personally appeared
8 DR. DOUGLAS W. JACOBSON, who, being duly sworn, states
9 that the foregoing transcript of his
10 Deposition, taken in the matter, on the date, and
11 at the time and place set out on the title page
12 hereof, constitutes a true and accurate transcript
13 of said deposition.
14
15 ______________________________________
16 DR. DOUGLAS W. JACOBSON
17
18 SUBSCRIBED and SWORN to before me this ____
19 day of___________, 2007, in the
20 jurisdiction aforesaid.
21
22
23 ______________________ ______________________
24 My Commission Expires Notary Public
25
155
1
2 DEPOSITION ERRATA SHEET
3 RE:
FILE NO.
4 CASE CAPTION: UMG V. LINDOR
5 DEPONENT: DR. DOUGLAS W. JACOBSON
DEPOSITION DATE: 2/23/07
6
7 To the Reporter:
I have read the entire transcript of my Deposition
8 taken in the captioned matter or the same has been
read to me. I request for the following changes
9 be entered upon the record for the reasons
indicated.
10 I have signed my name to the Errata Sheet and the
appropriate Certificate and authorize you to
11 attach both to the original transcript.
___________________________________________________
12 ___________________________________________________
___________________________________________________
13 ___________________________________________________
___________________________________________________
14 ___________________________________________________
___________________________________________________
15 ___________________________________________________
___________________________________________________
16 ___________________________________________________
___________________________________________________
17 ___________________________________________________
___________________________________________________
18 ___________________________________________________
___________________________________________________
19 ___________________________________________________
___________________________________________________
20 ___________________________________________________
___________________________________________________
21 ___________________________________________________
___________________________________________________
22 ___________________________________________________
23
24 SIGNATURE:___________________ DATE:________________
25 DR. DOUGLAS W. JACOBSON
156
1
2 I N D E X
3 WITNESS EXAMINATION BY PAGE
4 DR. DOUGLAS W. JACOBSON MR. BECKERMAN 4
5 MR. GABRIEL 149
6
7 --------------- INFORMATION REQUESTS ------------------
8 DIRECTIONS: None
9 RULINGS: 25, 26
10 TO BE FURNISHED: 53
11 REQUESTS: 115
12 MOTIONS: 22, 26
13
14 E X H I B I T S
15 DEFENDANT'S Page
for Iden.
16
1 Press release from Palisade Systems, Inc. 8
17 bearing the headline "Peer-to-Peer
File Sharing Struggles Intensify
18 in Universities"
19 2 One-page press release of Palisade 9
Systems, Inc. dated April 21, 2004
20
3 Two-page article by David Chappelle 9
21 dated April 19, 2004
22 4 C/net News.com article dated 11
April 21, 2004
23
5 Press release from ZDNet entitled 14
24 "File-Swap Killer Grabs Attention"
25 6 Printout of numbered pages 36 to 45 65
157
1
2 7 Study entitled "The KaZaA Overlay: 70
A Measurement Study"
3
8 One-page chart 72
4
9 Paper entitled "Pollution in P2P 75
5 File Sharing Systems"
6 10 Two-page printout of page numbers 82
46 to 47
7
11 Printout of page numbers 49 to 187 83
8
9
12 Printout of pages 199 to 224 83
10
13 One-page printout of page numbered 48 83
11
14 Printout of pages numbers 188 through 198 83
12
15 Undated October report 89
13
16 Dr. Douglas W. Jacobson's April report 93
14
17 Page of handwritten notes 97
15
18 Single-page document bearing 98
16 "wireless router" at the top
17 19 Two-page letter from Verizon 99
18 20 One-page resume, page number DJ0076 100
19 21 One-page document with a flowchart 102
20 22 Three-page document entitled 104
"Witness Statement of Henk Sips
21 and Johan Pouwelse"
22 23 Declaration dated December 19, 2006 134
23
24
February 23, 2007
25 New York, New York
158
1
2 C E R T I F I C A T E
3 STATE OF NEW YORK )
) ss.:
4 COUNTY OF RICHMOND)
5
6 I, ELIZABETH SANTAMARIA, a Registered
7 Professional Reporter and Notary Public of
8 the State of New York, do hereby certify
9 that the foregoing Deposition is, of the
10 witness, DR. DOUGLAS W. JACOBSON, taken at
11 the time and place aforesaid, is a true and
12 correct transcription of my shorthand notes.
13 I further certify that I am not
14 neither counsel for nor related to any party
15 to said action, nor in any way interested in
16 the result or outcome thereof.
17 IN WITNESS WHEREOF, I have hereunto
18 set my hand this day of March, 2007
19
20 _____________________________
21 ELIZABETH SANTAMARIA
22
23
24
25
|
|
Authored by: The Cornishman on Sunday, March 04 2007 @ 05:26 AM EST |
In case a friendly editor has time to incorporate them!
---
(c) assigned to PJ[ Reply to This | # ]
|
|
Authored by: The Cornishman on Sunday, March 04 2007 @ 05:28 AM EST |
It helps very much if you make clickable links - follow the guidance in red on
the Post a Comment page.
---
(c) assigned to PJ[ Reply to This | # ]
|
- RIAA Comic - from Foxtrot - Authored by: Anonymous on Sunday, March 04 2007 @ 09:31 AM EST
- Accidentally funny - Authored by: Anonymous on Sunday, March 04 2007 @ 10:52 AM EST
- OT: Tomorrow's hearing - Authored by: Peter H. Salus on Sunday, March 04 2007 @ 11:43 AM EST
- Interesting bug, or defective web site? - Authored by: tiger99 on Sunday, March 04 2007 @ 07:10 PM EST
- Newspicks - "Novell's earnings on Microsoft life support" - Authored by: Brian S. on Sunday, March 04 2007 @ 08:32 PM EST
- "It is not so important to have an open mind, as to have an active mind." --Ayn Rand - Authored by: Aladdin Sane on Sunday, March 04 2007 @ 10:33 PM EST
- SCO "Supeaners" PJ - Authored by: ThrPilgrim on Monday, March 05 2007 @ 09:04 AM EST
- Off-Topic Thread - Help! - Authored by: GriffMG on Monday, March 05 2007 @ 09:52 AM EST
- Benchslapped (?) - Authored by: Griffin3 on Monday, March 05 2007 @ 10:56 AM EST
- The worst government money can buy? - Authored by: Anonymous on Monday, March 05 2007 @ 01:07 PM EST
- Interesting Read - Authored by: MDT on Monday, March 05 2007 @ 02:40 PM EST
- Dirty lawyer tricks (reminds me of what SCO would like to do) - Authored by: Anonymous on Monday, March 05 2007 @ 02:42 PM EST
- Ahem!! Monday hearing anyone??? - Authored by: Anonymous on Monday, March 05 2007 @ 03:29 PM EST
- And the RIAA FINALLY GETS SUED - Authored by: Anonymous on Monday, March 05 2007 @ 04:16 PM EST
- Digital evidence/vaults..... - Authored by: Anonymous on Monday, March 05 2007 @ 04:54 PM EST
- Microsoft "patches" Xbox 360? - Authored by: Brian S. on Monday, March 05 2007 @ 07:45 PM EST
- More secure, yep, that's more secure alright... - Authored by: MDT on Monday, March 05 2007 @ 08:12 PM EST
|
Authored by: jmc on Sunday, March 04 2007 @ 05:44 AM EST |
I don't know what stuns me most
- Jacobson's
incompetence
- His ignorance of the most basic details of IPs
etc
- His slapdash 45 minute research
- His
evasiveness
- RIAA's obvious dishonesty using him
RIAA's
conduct here makes SCO look like innocent little lambs.
[ Reply to This | # ]
|
- I like this bit...... - Authored by: tiger99 on Sunday, March 04 2007 @ 06:51 AM EST
- That's how it looks, but technically he's accurate. - Authored by: Anonymous on Sunday, March 04 2007 @ 07:11 AM EST
- Technically correct - Authored by: Anonymous on Sunday, March 04 2007 @ 09:17 AM EST
- Faulty logic - Authored by: Anonymous on Sunday, March 04 2007 @ 09:28 AM EST
- RIAA incompetence - Authored by: Anonymous on Sunday, March 04 2007 @ 10:01 AM EST
- A bit more on dynamic allocation - Authored by: Anonymous on Sunday, March 04 2007 @ 10:54 AM EST
- Or No IP - Authored by: Anonymous on Sunday, March 04 2007 @ 11:45 AM EST
- I like this bit...... - Authored by: tknarr on Sunday, March 04 2007 @ 01:04 PM EST
- I like this bit...... - Authored by: AJWM on Sunday, March 04 2007 @ 01:32 PM EST
- I like this bit...... - Authored by: Anonymous on Sunday, March 04 2007 @ 09:16 PM EST
- Stunning! - Authored by: Anonymous on Sunday, March 04 2007 @ 07:05 AM EST
- "...somewhere where the defendant got it wrong?" - Authored by: tiger99 on Sunday, March 04 2007 @ 07:33 AM EST
- still hard to believe ... - Authored by: Anonymous on Sunday, March 04 2007 @ 07:46 AM EST
- still hard to believe ... - Authored by: Anonymous on Sunday, March 04 2007 @ 08:15 AM EST
- still hard to believe ... - Authored by: AntiFUD on Sunday, March 04 2007 @ 08:51 AM EST
- still hard to believe ... - Authored by: Anonymous on Sunday, March 04 2007 @ 10:34 AM EST
- proof? - Authored by: Anonymous on Sunday, March 04 2007 @ 06:00 PM EST
- proof? - Authored by: Anonymous on Sunday, March 04 2007 @ 08:17 PM EST
- proof? - Authored by: Simon G Best on Sunday, March 04 2007 @ 10:39 PM EST
- proof? - Authored by: Anonymous on Sunday, March 04 2007 @ 10:55 PM EST
- still hard to believe ... - Authored by: Anonymous on Sunday, March 04 2007 @ 12:03 PM EST
- still hard to believe ... - Authored by: Anonymous on Sunday, March 04 2007 @ 12:56 PM EST
- still hard to believe ... - Authored by: Toon Moene on Sunday, March 04 2007 @ 02:17 PM EST
- still hard to believe ... - Authored by: Anonymous on Sunday, March 04 2007 @ 04:00 PM EST
- You have the facts wrong - Authored by: Anonymous on Sunday, March 04 2007 @ 04:12 PM EST
- still hard to believe ... - Authored by: Anonymous on Sunday, March 04 2007 @ 05:47 PM EST
- NOT hard to believe at all - Authored by: DannyB on Monday, March 05 2007 @ 11:41 AM EST
- Phones - Authored by: archonix on Tuesday, March 06 2007 @ 05:11 AM EST
- still hard to believe ... - Authored by: Ray Beckerman on Thursday, March 08 2007 @ 12:34 AM EST
- Stunning! - Authored by: Anonymous on Sunday, March 04 2007 @ 10:06 AM EST
- Stunning! - Authored by: trs on Sunday, March 04 2007 @ 10:14 AM EST
- Stunning! - Authored by: Anonymous on Sunday, March 04 2007 @ 11:40 AM EST
- Stunning! - Authored by: dht on Sunday, March 04 2007 @ 12:15 PM EST
- Stunning! - Authored by: Anonymous on Sunday, March 04 2007 @ 02:32 PM EST
- Stunning! - Authored by: Anonymous on Sunday, March 04 2007 @ 03:09 PM EST
- Stunning! - Authored by: dht on Sunday, March 04 2007 @ 03:35 PM EST
- Stunning! - Authored by: dht on Sunday, March 04 2007 @ 03:23 PM EST
- Counting - Authored by: Ted Powell on Sunday, March 04 2007 @ 05:50 PM EST
- Stunning! - Authored by: Anonymous on Monday, March 05 2007 @ 08:18 AM EST
- Stunning! - Authored by: Anonymous on Monday, March 05 2007 @ 06:57 AM EST
- Mine - Authored by: Arker on Monday, March 05 2007 @ 07:31 AM EST
- Does UMG have a responsibility to collect quality evidence? - Authored by: Anonymous on Sunday, March 04 2007 @ 07:21 AM EST
- It was his "cute" answers that won my heart - Authored by: Anonymous on Sunday, March 04 2007 @ 07:36 AM EST
- Another funny bit - Authored by: Anonymous on Sunday, March 04 2007 @ 09:32 AM EST
- Rate of error - Authored by: Anonymous on Sunday, March 04 2007 @ 11:25 AM EST
- Stunning! - Authored by: SpaceLifeForm on Sunday, March 04 2007 @ 10:43 AM EST
- Stunning! (or not so stunning) - Authored by: Anonymous on Sunday, March 04 2007 @ 03:15 PM EST
- He has been coached on answers to IP stuff. - Authored by: Anonymous on Sunday, March 04 2007 @ 07:19 PM EST
- Stunning! and junky! - Authored by: Anonymous on Sunday, March 04 2007 @ 09:53 PM EST
- So this computer had no Firewall/router? - Authored by: Anonymous on Monday, March 05 2007 @ 09:03 AM EST
- Kazaa IP does not equal computer IP. - Authored by: Artiken on Tuesday, March 06 2007 @ 04:11 AM EST
|
Authored by: achurch on Sunday, March 04 2007 @ 06:11 AM EST |
There is just so much wrong with this that I can't even laugh.
Take:
Q. So you did not document your findings in EnCase at all,
did you?
A. No.
Q. Did Mr. Gabriel tell you to do
that?
A. No.
Q. So did you feel that you could just review it on
EnCase and then come and testify from memory at a trial? Is that what you
intended to do?
A. I examined the hard drive, found no evidence of file
sharing software or audio files, and so there was nothing to
document.
"Nothing to document"? You document the fact that
there was nothing to document, and how you found that. Even I know that
much!
(I do have to admit the questions seemed a little overbearing at
times, though. I didn't know "inculpate" either, and though I could probably
have guessed at it from "exculpate", it might have taken a moment to make the
connection. Reading back his qualifications and then making a snide remark about
vocabulary, especially for a word that hardly sees everyday use, just doesn't
strike me as constructive.) [ Reply to This | # ]
|
|
Authored by: Anonymous on Sunday, March 04 2007 @ 07:48 AM EST |
I think jmc unfairly characterises Dr Jacobson in Stunning!
I've been in a similar situation where the UK
police used me to do initial expert recovery and examination of a server from a
data-centre, and they do seem to expect pro-bono work and have no realistic
understanding of the days or weeks it might take to produce a legally tight
report.
Also, they often have no idea of how difficult it can be to
absolutely determine real events from data on a drive - after all,
anything can the written to drives with any
timestamp, etc., so as an expert you are always assuming based on
normal usage - and by definition when an investigation is
warranted you should be looking for abnormal usage.
It is
pretty clear from Dr Jacobson's testimony that he does a lot of these kinds of
examinations for RIAA, and from the time he allocates it looks pretty much like
RIAA pay a fixed amount per examination, so he's not going to have time to do
much more than a cursory investigation.
It sounds like these are what I'd
term exploratory investigations to determine if there is something
to follow-up on.
As he says, since he found nothing he reported that, and
at that time had no expectation of the matter reaching court, or being
deposed.
If something were found, and the RIAA takes the matter to court,
I'd then expect them to commission a more expensive, in-depth, investigation of
the drive with full reports.
So the incompetence here is, if anyone's,
RIAAs.
I don't see any evidence for your assertion of "His ignorance
of the most basic details of IPs etc".
He appears to have a good grasp of
IPs and how certain configurations can be inferred from the IP packet and the
Kazzaa meta-data, as reported by MediaSentry.
It does seem as if the
Defendant's lawyer, Mr Beckerman, had been misled by the 'community assistance'
into trying to use MAC addresses to derail Dr Jacobson's testimony - and to me
made the defence look incompetent since if they'd consulted their own 'expert'
they'd have been told the MAC address is only visible on the same (un-routed)
physical segment of a network, and isn't generally available across the
Internet.
Dr Jacobson does seem evasive and initially it does make his
testimony less credible, especially his deliberately trying to obfuscate how an
IP address cannot, of itself, show the 'Natural Person' (human being) using or
in control of the device having the IP.
As an expert witness (at least in
the UK) your duty is to the court, and you shouldn't be swayed by the aims of
the party that engages you.
But that said, at the time he produced this
report, and the other 200-or-so reports he mentions, there was no court action
so his reports would follow the lines directed by his client RIAA, via the law
firm Holme Roberts & Owen.
His expert testimony is
that:
- MediaSentry screenshots and Verizon logs seem to show that the
Defendant's account (and if DSL/cable, presumably home address) was the location
from which MediaSentry was receiving data.
- The hard drive he examined
didn't appear to have been used with Kazaa
I agree that he
appears to be being misused by RIAA, and it does tend to highlight their
arrogance in not having a well-designed and executed procedure for the technical
investigations - after all, it is the mainstay of almost every accusation RIAA
has made against individuals.
If they had one, and followed it, it would
'weed out' these kinds of cases well before they got anywhere close to a
courtroom.
I've seen other reports where RIAA base their accusations
based on file-names, and claim that proves copyright material is being
shared.
I also read that RIAA or their members apparently pay some
companies to 'pollute' the file-sharing networks with files that carry names of
copyright materials but whose content is garbage.
Given that practice,
I'd think any court would throw out any evidence based on MediaSentry
print-outs, and that a well-formed investigation would focus on the
content of files downloaded from the host. [ Reply to This | # ]
|
- Thank you - Authored by: Anonymous on Sunday, March 04 2007 @ 07:52 AM EST
- RIAA incompetence, not Dr Jacobson's - Authored by: jmc on Sunday, March 04 2007 @ 07:56 AM EST
- RIAA incompetence, not Dr Jacobson's - Authored by: Anonymous on Sunday, March 04 2007 @ 09:37 AM EST
- RIAA incompetent, Dr Jacobson is too - Authored by: Anonymous on Sunday, March 04 2007 @ 09:39 AM EST
- Further examination - *Poooffff* - Authored by: Anonymous on Sunday, March 04 2007 @ 10:30 AM EST
- RIAA incompetence, not Dr Jacobson's - Authored by: Anonymous on Sunday, March 04 2007 @ 10:54 AM EST
- Some thoughts - Authored by: Anonymous on Sunday, March 04 2007 @ 11:00 AM EST
- Some thoughts - Authored by: dht on Sunday, March 04 2007 @ 01:01 PM EST
- Some thoughts - Authored by: Anonymous on Sunday, March 04 2007 @ 05:41 PM EST
- Some thoughts - Authored by: WhiteFang on Sunday, March 04 2007 @ 01:32 PM EST
- Some thoughts - Authored by: Anonymous on Sunday, March 04 2007 @ 01:56 PM EST
- Some thoughts - Authored by: Anonymous on Sunday, March 04 2007 @ 02:26 PM EST
- WhiteFang said. . . - Authored by: tyche on Sunday, March 04 2007 @ 06:33 PM EST
- Some thoughts - Authored by: Anonymous on Monday, March 05 2007 @ 01:05 PM EST
- Some thoughts - Authored by: Anonymous on Monday, March 05 2007 @ 03:31 PM EST
- Some thoughts - Authored by: micheal on Sunday, March 04 2007 @ 08:47 PM EST
- Some thoughts - Authored by: Anonymous on Monday, March 05 2007 @ 06:19 AM EST
- RIAA incompetence, not Dr Jacobson's - Authored by: dht on Sunday, March 04 2007 @ 02:36 PM EST
- RIAA incompetence, not Dr Jacobson's - Authored by: Anonymous on Sunday, March 04 2007 @ 04:17 PM EST
- Agreed. But MACs are important. - Authored by: Anonymous on Monday, March 05 2007 @ 12:24 PM EST
- Half a Dozen Drives - Authored by: Anonymous on Wednesday, March 07 2007 @ 08:17 PM EST
|
Authored by: Anonymous on Sunday, March 04 2007 @ 07:56 AM EST |
The bulk of the testimony seams to indicate that Mrs. Lindor had a Cable
Modem. However, Dr. Jacobson testified he wasn't certain if she had a cable
modem or a DSL modem. If you look at the tracert log you see the
line:
15.
a3-0-0-1728.dsl-rtr10.ny325.verizon-gni.net
This would lead
me to believe that this is likely a DSL address. It is a pretty major detail
could really weaken the RIAA case. The exhibit is at: http://www.ilrweb.com/viewILRPDF.asp?filename=umg_
lindor_070223JacobsonEx13
You can run a tracert and find out if you
are connected via that router by typing this at the Windows XP command
line:
tracert
slashdot.org
or
tracert
141.155.57.198
It would be really interesting to know if
any New York customers connecting through
a3-0-0-1728.dsl-rtr10.ny325.verizon-gni.net are running DSL or Cable
Modems. It might really help the case.
[ Reply to This | # ]
|
|
Authored by: Blrfl on Sunday, March 04 2007 @ 09:10 AM EST |
A couple of things I noticed:
Page 142, Lines 18-21: Technically, his statement about every packet having
some kind of MAC header is incorrect. There are a number of transport
mechanisms you'd find on a large ISP's network that don't have anything
analogous to a MAC. In any case, MAC addresses are meaningless here, because
either end is only going to see MACs for devices that are electrically connected
(i.e., on the same Ethernet segment).
Page 142, Lines 22-25: Verizon does not offer IPV6 to residential customers.
Page 148, Lines 2-5: Again, incorrect about MACs. Any two nodes communicating
on the Internet identify each other using *IP* addresses.
I do hope this case works out, because it would set precedent that you can't
make the jump from an IP address to a living, breathing person without
additional evidence.
--Mark
[ Reply to This | # ]
|
|
Authored by: Anonymous on Sunday, March 04 2007 @ 09:45 AM EST |
The witness makes repeated assertions that because the X-KaZaA-IP field in the
packet matched the source address that indicates that NAT was not done. This is
untrue in the case that the NAT implementation is aware of Kazaa packets and can
replace that field with the real external IP address in which case they would
match.[ Reply to This | # ]
|
|
Authored by: The Cornishman on Sunday, March 04 2007 @ 09:52 AM EST |
The transcript is a superb job of reproducing the pdf exactly, but it's a bit
hard on the eye, and a nightmare for screen readers, so as I read, I edited. A
reformatted edition is here
without line numbers and using single spacing.
Jonathan --- (c) assigned
to PJ [ Reply to This | # ]
|
- An easier read? - Authored by: Anonymous on Sunday, March 04 2007 @ 10:54 AM EST
|
Authored by: Anonymous on Sunday, March 04 2007 @ 10:39 AM EST |
Ray Beckerman has posted replies to comments on the "RIAA's 'Expert' Witness Testimony Now
Online" article on Slashdot.org
Look for comments from "NewYorkCountryLawyer
(912032)" [ Reply to This | # ]
|
|
Authored by: Anonymous on Sunday, March 04 2007 @ 10:46 AM EST |
*uffff* I read it. [ Reply to This | # ]
|
|
Authored by: Anonymous on Sunday, March 04 2007 @ 11:17 AM EST |
In this deposition it is clear that in spots the lawer asking the questions to
the 'expert' sometimes does not appear to have a real grasp of the topic. Not
that he should, being a lawyer.
So would permitted to have the deposition of the 'expert' done by an experst and
only supervised by a lawyer so that the anwers being given by the 'expert'
expert bering deposed can be properly reacted to.[ Reply to This | # ]
|
|
Authored by: Red rob on Sunday, March 04 2007 @ 11:26 AM EST |
I don't think that John came out looking as expert as he went in.
Could his testimony be dismissed on the basis of him not proving his expertise,
and using methods which have not been proven to be valid or accurate?
There are a few things that I didn't see mentioned:
*No mention of internet connection sharing.
Possible that other computers/routers were connected to this computer.
*Issues with testimony about internet use:
It is possible to find out how much use of the web has occured by looking at
the cache, history etc.
*No questioning about how easy and why a user might change IP address.
For instance, change from a wireless NAT to a wired ISP assigned IP
address.
(Might be v. lileley if probelms were occuring due to the wireless network
being used by an unknown computer infected with viruses, or doing high bandwidth
P2P)
*No questioning about Verizon's method of dynamic IP assignment.
[ Reply to This | # ]
|
|
Authored by: Anonymous on Sunday, March 04 2007 @ 11:29 AM EST |
11 Q. Would it be possible to have the same
12 dynamic IP
address assigned to three people during
13 one minutes?
14 MR. GABRIEL:
Object to the form.
15 A. It's possible.
...and a matter
of seconds later...
4 Q. Well, it's true, is it not, that
5
there can be more than one computer operating under
6 a single IP
address?
7 MR. GABRIEL: Object to the form.
8 A. As I talked about it in
the report
9 with public IP addresses, in order for the internet
10 to
function there can only be -- every public IP
11 address has to be
globally unique within that window
12 of time.
[ Reply to This | # ]
|
|
Authored by: davcefai on Sunday, March 04 2007 @ 12:46 PM EST |
I'd be bemused.
1. There is presumably some unarguable evidence linking the IP address to Ms
Lindor's account.
2. There is "evidence" that, at that IP address, copyrighted files
were shared. Or isn't there? As a juror I'd want to see filenames, hear the
songs and hear evidence that they really were copyrighted by the plaintiffs.
3. On the other side of the connection there is evidence of a hard disc which
shows no traces of copyrighted files or file sharing software.
How can Ms Lindor be found guilty of anything? Even if everything Jacobsen said
about networking were true and correct, at the end of the forensic trail there
is NOTHING.
Not guilty your honour.
[ Reply to This | # ]
|
|
Authored by: Anonymous on Sunday, March 04 2007 @ 01:19 PM EST |
Everything here relies on the fact that MediaSentry identified the offending IP
address, but we have no idea how MediaSentry works. As for as we know it
generates purely random IP addresses. The software has not been vetted or peer
reviewed by an independent authority. Its just a black box with data in and
data out. And you know what they say, garbage in, garbage out.[ Reply to This | # ]
|
|
Authored by: Anonymous on Sunday, March 04 2007 @ 02:43 PM EST |
20 Q. When you provide your investigations,
21 do you do
anything to verify or to determine whether
22 or not the computer in
question was under control by
23 an outside remote user?
24 A.
No
The defendents lawyers showed that Dr. Doug Jacobson made no
effort to look for zombies. I know that spammers use zombies a lot. What about
illegal file sharers? Do they sometimes use zombies to hide the origin of files
being distributed illegally?
--------------------
Steve
Stites
[ Reply to This | # ]
|
|
Authored by: Anonymous on Sunday, March 04 2007 @ 03:06 PM EST |
Isn't it time to bankrupt the RIAA, with a class action suit brought by the
defendents? Could be a slam dunk for
an enterprising attorney.[ Reply to This | # ]
|
- Class action anyone? - Authored by: Anonymous on Sunday, March 04 2007 @ 03:59 PM EST
- Ricco maybe? - Authored by: Anonymous on Sunday, March 04 2007 @ 07:40 PM EST
- Rico maybe? - Authored by: Anonymous on Monday, March 05 2007 @ 06:25 AM EST
|
Authored by: Anonymous on Sunday, March 04 2007 @ 03:52 PM EST |
I noticed in the testimony that Dr. Jacobson wasn't questioned about the
computer he used to conduct his investigation. Was it compromised? Is it
connected to the internet? Does anyone besides himself have access to it when
he is not around?
[ Reply to This | # ]
|
|
Authored by: ikocher on Sunday, March 04 2007 @ 03:57 PM EST |
A couple things I really don't understand how they can fly in this case:
- blackbox mediasentry stuff. The whole world _must_ asume that these reports
are true and correct, with no way to trace their "investigation",
methods, and tests. How can this be? There was a case in Florida about an
alcohol monitor that the local police used, with "dubious" methods to
reports the alcohol level of a person.
-The "expert" did not document anything on the hard drive. Is he an
expert? That should have been documented, but it only starts there: If the
hard drive is from Ms Lindor, and is supposed to be the offending one, why there
are no traces of kazaa in it? Only this question is complex enough to
investigate much further, why no kazaa in the drive. Could it be that there is
another program that caused it. About the IP address reported by verizon,
windos boxes _do_store_ the last IP address a dhcp server offered, and the
"expert" didn't check this? Maybe if he did, he could have checked
that the verizon report is wrong, IPs doesn't correspond. Also is there some
botnet/virus/spyware/etc program in the drive?
That mediasentry says kazaa is the program, doesn't mean that is was, just the
protocol! Also, if he didn't find anything, could it be due to a complete new
windows re-install? He doesn't specify that.
- The expert didn't gave a clear definition of NAT. NAT=network address
tranlation and that is it, not all the things that can happen there. Sort of
leaves the door way open.
- The expert doesn't even know which kind of connection the defendant has.
Shame on him, he is the expert, the forensic expert!!! The case has been going
for too long for he not to know this simple thing.
-There is no report about the time sincronization between the verizon logs and
the mediasentry logs, I have seen offsets of days between servers that have no
ntp sincronization. The expert doesn't mention this, neither the plaintiffs,
they just asume it is correct, and bad luck to the defendant. By now if those
servers are in sync, would be no news, but back then? Maybe there is no way to
probe it now.
- Another thing is the report verizon provided. They asume it is true to the
heart. Can't it be that another customer had the IP address before, went
offline (turn off the PC), and then a another windows asumed the IP can be used
without asking the dhcp server? I have seen this buggy behavoir in windowses.
Apart, the thing that the expert is not a proffesional engineer, is not critical
in my view, he is computer sciences engineer. Also that he does not know
certian words is nothing new. It is obvious that he has not a single minute
experience as expert witness, and shame on the plaintiffs to use him, but maybe
is the _only_ option they have, sort of the only one that wants to play this
game.
Also, the defendant lawyer seems to have some sort of confusion about MAC
addresses and IP addresses. MAC are used only in the local network, be it wifi,
wired ethernet, fddi, token ring, whatever. On the other hand IP is global. IP
doesn't care about MACs beyond local network, so there is no way normally to
know a MAC address beyond a router.
I found this site
http://cvs.berlios.de/cgi-bin/viewcvs.cgi/gift-fasttrack/giFT-FastTrack/PROTOCOL
?rev=HEAD&content-type=text/vnd.viewcvs-markup
and has some sort of explanation on the fasttrak protocol that kazaa uses.
Some questions come up about the mediasentry report:
-is the offending IP (141.155.57.198) is a supernode or just client node
-which files it was offering
-which files it asked for searching
-which files it tried to download
-which username reported to the supernode
Maybe if at least some files could match in name... but this is not reported.
Is there some site where one can se the testimonies about this report?
Ivan
[ Reply to This | # ]
|
|
Authored by: Richard George on Sunday, March 04 2007 @ 04:36 PM EST |
The key point to help here is that an IP address is *NOT A UNIQUE* identifier
of a computer.
There is such a thing as Network Address Translation. (NAT) This provides a
many-to-one mapping from computers to IP addresses as a convenience, in
much the same way that a 4-way adaptor allows you to plug multiple
appliances into the same wall socket, or a switch-desk can redirect phone
calls.
Verizon is therefore not the sole, authoritive source of information for
mapping a particular IP address back to a particular computer, let alone
showing that a particular person was using a particular computer.
In addition to an IP address, there is a second parameter called a "port
number". Every IP address has approximately 65,000 ports available for
concurrent use, of which only a small fraction will be engaged at any one
time. Both a router and a computer can be asked to forward communications
on an unused port of one IP address on behalf of another.
This is a useful, frequently-used technique. Windows comes with this
technology built in via the 'Home Network Wizard', and there are many free
programs on the Internet that provide the facility of port-forwarding.
There are certian IP addresses that are *designed* to be duplicated across
many computers in this way, on the assumption that another computer or
router will then provide the Network Address Translation by port forwarding.
for instance, any IP address beginning 10.x.x.x or 192.168.x.x is designated
as requiring translation by an upstream computer or router.
If the defendant had a wireless router, it would be trivial to get this piece of
hardware to forward requests that would masquerade as the defendant if
Verizon's logs were inspected.
If the defendant's computer were compromised or misconfigured, it would be
trivial to make Lindor's machine behave as a router itself and relay file-
sharing requests on behalf of another, unknown third party.
It is also possible to trick a router into believing that an unknown machine
owns a particular IP address by recording and then replaying the MAC
address of the true owner at a time when the true owner has their machine
turned off.
[ Reply to This | # ]
|
|
Authored by: Anonymous on Sunday, March 04 2007 @ 05:34 PM EST |
Mr. Beckerman presented the possibility that a visitor might plug a laptop into
an internet connection. That laptop would use the IP that had been assigned to
the connection. Even when Jacobson had been forced to admit that an IP address
does not uniquely identify a computer or the person using it, he still insisted
in talking as though there was such a link.
Jacobson teaches his students how to break security. Even though Jacobson
admitted that IP addresses and MACs could be spoofed he still talked as though
an IP address could identify a computer.
If you tell a big lie often enough, people will believe it.[ Reply to This | # ]
|
|
Authored by: Alan(UK) on Sunday, March 04 2007 @ 06:21 PM EST |
See April 12, 2006, Expert Witness Report of Dr. Doug
Jacobson, items 15 to 23.
The man cannot even write a simple report -
how did he write his PhD thesis?
It is just so careless. This section
represents the only part of the 35 page report that contains material particular
to the case. It seems to be entirely based on hearsay evidence.
I also note
that the defendant has to ask for the documents essential to the plaintiff's
case: Defe
ndant's Request for Documents. If the defendant had failed to ask the
plaintiff for evidence that they had standing to bring the case, would the
plaintiff be able to bring this up in court? --- Microsoft is nailing up
its own coffin from the inside. [ Reply to This | # ]
|
|
Authored by: Anonymous on Sunday, March 04 2007 @ 06:41 PM EST |
The RIAA intentionally targets those with little ability to challenge the threat
of a lawsuit. Since few, if any, have the resources to go one-on-one with the
RIAA, much less afford a **REAL** expert of their own, it really doesn't
matter.
It is the ability to abuse the legal system that matters to the RIAA, not the
merits of their claims.
May their day in court come at the pearly gates.
[ Reply to This | # ]
|
|
Authored by: Anonymous on Sunday, March 04 2007 @ 07:17 PM EST |
The most astonishing bit isn't about ips, macs or wireless...
Q.
What is the MD5 hash of the hard
6 drive you examined?
7 A. I don't
recall what that is.
8 Q. What is the SHA1 hash of the hard
9 drive
image you examined?
10 A. I don't even recall looking at
that.
Let me tell how a forensic works. The CSI (don't know
in USA, here any investigation must be done by the police) get the drive, get a
md5 signature of the disk and make other copies (bit to bit). Working with a
copy, they make signatures of all the files of the disk. They have to document
and procedure all the work, maintaining the integrity of the disk.
Is the
disk the original one? if it is and the police didn't do anything with it, not
only should it be discarded as proof, you should be able to accuse them for
fakeing proofs and extortion because they could have just made up all the case
planting the "evidences" after getting the disk. If it's a copy, how was managed
the trust chain, where , when and who made the signatures. A report without
following a standard isn't evidence is a fake, although you can always redo it
from a trusted disk/copy.
Of course how was done the job by MediaSentry
and the procedures of Verizon seem tainted too.
[ Reply to This | # ]
|
|
Authored by: brian on Sunday, March 04 2007 @ 07:54 PM EST |
From the deposition (cleaned up for clarity):
"Q. But when you viewed it in EnCase, you didn't make any
documentation of what you saw in the registry entries?
A. I was looking for evidence of the KaZaA program and
found none.
Q. But you actually had the register entries in front of
you on the screen and you didn't make any record of that?
A. There wasn't anything to make a record of.
Q. There were no register entries?
A. There were register entries, but none associated with
KaZaA.
Q. You were told by Mr. Gabriel just to look for things
that incriminated the defendant?
MR. GABRIEL: Objection to form.Lack of foundation.
Argumentative.
Q. Is that your testimony? Were you directed only to find
things that helped the plaintiffs win their case?
MR. GABRIEL: Same objections.
A. I was told to examine the hard drive for evidence of
file-sharing software and evidence of MP3.
Q. That's all you were told to examine it for? So you
weren't told to examine it for evidence as to whether it
had been -- the hard drive had been changed or anything
like that?
A. I wasn't directed to do anything more than that,
although as part of the examination I did -- as noted in
Exhibit 17, I noted, for example, that the operating
system was repaired on July 7th of '04.
RQ MR. BECKERMAN: I call for the production of those
register entries.
MR. GABRIEL: They don't exist. The witness doesn't have a
duty to create them and you have your image of his hard
drive. You can produce them yourself.
Q. So EnCase has no way of backtracking your project?
A. The only record it keeps is when you specifically write
something to a report file; when you see something, you
explicitly say, "Put this in a report."
Q. So you were just looking in the registry for evidence
of KaZaA? That's it?
A. I was looking for the IP address and as shown in
Exhibit 17, I was looking for evidence of dates about the
system, so the date the system was repaired."
Here you have a case of a negative finding and this expert
decides unilaterally to not record that fact?!?! To make
matters worse, you have the RIAA lawyer stating that they
don't have a duty to preserve evidence or to produce that
evidence in discovery...
"They don't exist. The witness doesn't have a duty to
create them and you have your image of his hard drive. You
can produce them yourself."
This appears to me to be a classic case of burying
evidence prejudicial to your case.
As an aside, does anybody here have any experience
with "EnCase"?
B.
---
#ifndef IANAL
#define IANAL
#endif[ Reply to This | # ]
|
|
Authored by: elhaard on Sunday, March 04 2007 @ 08:03 PM EST |
Some questions I wish Dr. Jacobson had been asked:
Q:
Would it be possible to have a router or similar device
- wired or wireless - that would assign to a local
computer the same IP address that it itself got from the
ISP?
A:
I am not aware of any such use.
[Question repeated]
It would be possible, but uncommon.
Q:
If using such a router or similar device, is it true that
different computers connected to this router or similar
device at diferent times possible could be assigned the
same, public address
A:
That would be the case, yes.
Q:
Would it be possible to construct routers using NAT while
being aware of application-level protocols - thus having
the capability to not only do Network Address
Translation, with regards to the IP package headers but
also changing the payload of the packages accordingly?
A:
In theory, that might be possible.
Q:
Do there, to your knowledge, exist any such
application level aware routers?
A:
I am not aware of any specific product.
[Question repeated]
There might be some...
Q:
Would it be possible to have such a router change the
IP-address in the payload of packages used for Kazaa
traffic?
A:
I have no personal knowledge of such products.
[Question repeated]
It could be possible...
Q:
Considering this, are you absolutely sure that no router
or similar device has been used?
A:
Yes.
[Question repeated]
No.
Q:
And are you still absolutely sure that the computer
identified by MediaSentry belongs to Ms. Lindon?
A:
My report identifies Ms. Lindon...
[Question repeated]
Nowhere is purchase information.
[Question repeated]
The IP address is shown to...
[Question repeated]
No.
-elhaard
---
This comment is licensed under a Creative Commons License (Attribution 2.0).
Share & enjoy![ Reply to This | # ]
|
- Future questions - Authored by: Anonymous on Sunday, March 04 2007 @ 10:09 PM EST
- Future questions - Authored by: Anonymous on Tuesday, March 06 2007 @ 11:30 PM EST
|
Authored by: Anonymous on Sunday, March 04 2007 @ 08:34 PM EST |
The "evidence" that there was no router seemed to be that the Kaaza
software was sending "the" machine IP as data in a packet. It it were
to ship a 192.168... address it would be pointless - it may as well send out
127.0.0.1.
I imagine that if Kaaza actually sends an IP address in a data packet for some
real reason, it would have to be the effective public address. Such an address
can easily be automatically found by the software (like whatismyipaddress.com).
The "agreement" of IP addresses would occur every time whether or not
the computer running Kaaza was behind a NAT router, or wireless router etc.
[ Reply to This | # ]
|
|
Authored by: akStan on Sunday, March 04 2007 @ 09:16 PM EST |
14 Q. Dr. Jacobson, are you yourself an
15 engineer?
16 A.
Yes.
IEEE-USA position on Use of the
Title Engineer
All jurisdictions protect the titles Professional
Engineer, .... some jurisdictions protect the title, Engineer, with no
qualifying words added. ... Generally, the public interprets the term,
Engineer, to mean ....
It is our position that the title, Engineer,
and its derivatives should be reserved for those individuals whose education and
experience qualify them to practice in a manner that protects public safety.
1. In New York
State, who can practice professional engineering/land surveying?
Engineers with striped bib-overalls and caps are hardly of concern
here :-)
but use of engineer for achieving stature or qualification
as to some level of expertise is of concern.
A case study by the NSPE
Board of Ethical Review illustrates the level of acceptable practice involved.
[ Reply to This | # ]
|
|
Authored by: grouch on Sunday, March 04 2007 @ 09:30 PM EST |
Mr. Beckerman:
Thank you for your work and for this follow-up. It is both
encouraging and enlightening. The way the deposition was conducted is very
informative by itself, even without considering the content.
It couldn't
have been an easy job to distill all of the stuff in the Groklaw discussion into
the concise form of the deposition. That's assuming that those questions which
somewhat match the ones suggested by various people in the discussion back in
December actually came from there. It's kinda nice to think we (collectively)
might have helped in the battle to force the RIAA to use facts instead of
economic terrorism in their campaigns.
--- -- grouch
http://edge-op.org/links1.html
[ Reply to This | # ]
|
|
Authored by: Simon G Best on Sunday, March 04 2007 @ 10:19 PM EST |
As I read through, I note the following.
Page 40, line 22 to
page 42, line 8: Jacobson's own hard drive examination methods haven't been
independently checked, peer-reviewed, or anything like that. He doesn't even
know the error rate of his
methods:-
41
...
17 Q. Is there a known rate
of error for
18 your method?
19 A. No.
20 Q. Is there a
potential rate of error?
21 MR. GABRIEL: Object to the form.
22
A. I guess there is always a potential
23 of an error.
24 Q. Do
you know of a rate of error?
25 A. To my process,
no.
Seems to me that he can't even testify that his own
methods are reliable.
Page 42, line 9 to page 43, line 22:
Jacobson seems similarly unable to testify to the reliability of MediaSentry's
methods. In particular, on page 43, lines 5 to 7, there's
this:-
5 Q. So when you evaluate the MediaSentry
6
materials you are assuming them to be accurate?
7 A.
Yes.
He's "assuming them to be
accurate"?!? So, when it comes to his examination, review, or whatever
it was, of MediaSentry's investigation, he's actually starting off with the
assumption that their methods are accurate?!? Incredible.
Unbelievable.
Page 45, line 20 to page 48, line 11: Jacobson
reveals that he had not taken possible computer security vunerabilities into
account:-
45
...
20 Q. Do any of your three
reports -- by
21 "three reports" I'm referring to the April
7th
22 initial report, the December 19th declaration that
23 you
signed and the October report which you did not
24 sign. Do any of those
three reports discuss the
25 possibility of any alternate explanations
other than
46
1 Jacobson
2 copyright
infringement?
3 MR. GABRIEL: Object to form to the
4 extent that
they speak for themselves.
5 You can answer the question.
6 A.
Please read the question. I didn't
7 understand.
8 (Record
read.)
9 A. Alternate explanations to?
10 Q. Your
conclusions.
11 A. No.
12 I'm sorry. I said,
"No."
...
47
...
10 Q. Can you think of any
possible
11 security vulnerabilities in the computer that was
in
12 Marie Lindor's apartment?
13 MR. GABRIEL: Object to form
and
14 foundation.
15 A. Repeat the question. Read it
back.
16 (Record read.)
17 A. I didn't examine the hard drive
that
18 was given to me for security vulnerabilities, so I
19
can't attest to what vulnerabilities may have been
20 present in that
hard drive.
21 Q. As we sit here, can you think of any
22
possible security vulnerabilities in the computer
23 that was in Marie
Lindor's apartment?
24 MR. GABRIEL: Objection to form.
25 Lack
of foundation.
48
1 Jacobson
2 A. Read
that back.
3 (Record read.)
4 A. Can you read it one more
time.
5 (Record read.)
6 A. I'm sure the possibility exists
there
7 were security vulnerabilities. Again, I don't know
8
which ones would apply to that particular computer.
9 Q. And did your
report discuss any of
10 those possible security
vulnerabilities?
11 A. No.
Page 57, lines
17 and 18: Jacobson refers to "the public internet". Not exactly significant,
but it amused me. Some might know why.
Page 128, line 4 to
page 131, line 11: Jacobson is, again, unable to testify to the reliability of
Verizon's procedures for determining who the relevant IP address was assigned to
at the relevant times. Indeed, on page 130, lines 10 to 14, there's
this:-
10 Q. So is it fair to say that all of
your
11 reports are based on the assumption that the
12
information which you obtained from Verizon was
13 accurate?
14
A. Yes.
Page 140, lines 20 to 24: In his
investigations, Jacobson did nothing to determine whether or not the computer in
question might have been compromised:-
20 Q. When you
provide your investigations,
21 do you do anything to verify or to
determine whether
22 or not the computer in question was under control
by
23 an outside remote user?
24 A.
No.
Page 140, line 25 to page 144, line 2: Again,
Jacobson's done very little indeed to check the reliability of the stuff he
looked at. Again, he seems unable to testify to the reliability of stuff from
MediaSentry and Verizon. There's nice stuff about how easy it is to edit and
modify screen shots and log files.
Finally, page 152, lines 18
to 20: Mr Gabriel and Dr Jacobson have decided to make a quick
getaway:-
18 MR. GABRIEL: Thank you for your
19
courtesy. We are going to run out and
20 make a
plane.
Well done, Mr Beckerman, on showing so
clearly that Dr Jacobson had done very little indeed to actually verify the
stuff he was testifying about. Well done!
:-)
--- "Public
relations" is a public relations term for propaganda. [ Reply to This | # ]
|
|
Authored by: Anonymous on Sunday, March 04 2007 @ 10:22 PM EST |
This is great, it's like the emperor (RIAA/MPAA) is FINALLY being told at long
last he wears no clothes after a long embarassing period of flashing (of not
much substance) by the plaintiff.
Kind of unfortunate (like in SCO v. IBM, etal.) that it is so painfully slow,
and costly for the defendants. I really pray for countersuits with damages (I
wish treble). I really hope it's not only RIAA who falls like this, and that
MPAA is not far behind.
Finally, this is so historic it's almost glorious to watch. Kind of feels like
a David v Goliath thing.[ Reply to This | # ]
|
|
Authored by: rsteinmetz70112 on Sunday, March 04 2007 @ 10:54 PM EST |
Based in depositions I've done he seems remarkably well prepared, repeating the
same answer to similar question verbatim.
I also would have, at times, liked to have had an attorney protecting me as well
as he was protected.
Many of the objections seem invalid and designed only to throw the questioner
off and consume time.
I still haven't gotten through the whole thing, it's hard to read.
---
Rsteinmetz - IANAL therefore my opinions are illegal.
"I could be wrong now, but I don't think so."
Randy Newman - The Title Theme from Monk
[ Reply to This | # ]
|
- Huh? - Authored by: PeteS on Tuesday, March 06 2007 @ 04:46 PM EST
|
Authored by: dht on Sunday, March 04 2007 @ 11:58 PM EST |
I'd like to suggest that the legal team (and even many of us here) could do
with some advice from some REAL networking experts. Perhaps one or some of the
people from the
netfilter.org
team could be persuaded to take an interest. They know this
stuff cold, and off the top of their head(s).
Perhaps someone with the
stature of
Rusty Russell?
[ Reply to This | # ]
|
|
Authored by: toads_for_all on Monday, March 05 2007 @ 12:01 AM EST |
...I can say it takes some doing to convince your ISP that no, you really
*didn't* send that porn spam at 2:00AM, due to the fact that while your DSL
modem might have been on, your computer wasn't, and you were asleep. And don't
even try to blame my 75-year-old mother.
Actually, it was either spoofing, or someone managed to hack the wireless. I
turn my modem off nowadays when I'm not using it.
FWIW, EnCase seems to be a decent program. I used it to try out Evidence
Eliminator once. EE failed to delete everything it was supposed to. (No, not
the porn spam, some innocent test files)[ Reply to This | # ]
|
|
Authored by: mobrien_12 on Monday, March 05 2007 @ 12:33 AM EST |
I must say, I am impressed. I always thought the RIAAs cases were flimsy...
the more I read about this one, the more I was convinced about it.
Now this... I read this, and I am very negatively impressed with Dr. Jacobson.
All that stuff which he didn't document, because he wasn't looking for it, but
wasn't he the one who read the personal documents on her hard disk, including a
resume, which he did doucment? I would have loved to hear him explain how that
comes under forensics of Kazaa usage!
Oh yeah... this little gem:
"9 Q. And they have never used you as a
10 witness?
11 A. No. We never -- they've always
12 settled."
Wow... go figure. Makes one wonder if that was the RIAA strategy all along,
doesn't it?
Also, it looks like Mr. Beckerman got some good technical knowledge here to
question Dr. Jacobson. It seems at least some of the stuff from Slashdot and
Groklaw was helpful.
[ Reply to This | # ]
|
|
Authored by: Anonymous on Monday, March 05 2007 @ 05:24 AM EST |
Could the NAT router have been incorrectly set up incorrectly in this way?
The defendant's husband is not an expert at setting up networks. The defendant's
husband connected to the Internet directly the first time, and got the IP
address assigned to the computer by reverse look-up on the Internet, or by using
a tool to look up the network address the computer interface was using. He
writes this IP address down for reference.
The defendant's husband then goes out and buys a NAT firewall-router (or sets up
a firewall-router built into the DSL modem). Not being an expert on firewalls,
he thinks this is the IP address that the computer must always have, and sets up
either DHCP on the LAN to allocate this to the computer's ethernet interface, or
sets up that IP address as a static address on the computer interface. He using
his limited knowledge, he enables NAT on the firewall-router and fiddles around
with the LAN subnet address and netmask on the NAT router until it works.
He now has the network interface on his computer set to one of the IP addresses
in the ISP's IP address pool, and this is translated to the (different) IP
address allocated by the ISP at that time to the interface on the Internet side
DSL router.
The RIAA's expert Mr Jacobson examines the hard drive and finds no private IP
numbers on the hard drive. He may also find one IP address on the computer that
matches one of the IP addresses in the ISP's DHCP IP pool. He concludes that the
computer must have been connected directly, but he is wrong. What is more the
Internet IP address found on the computer that matches those associated with
illegal file copying would at the same time have been allocated to someone else
on the Internet, who is the real illegal downloader and not the defendant.
[ Reply to This | # ]
|
|
Authored by: Anonymous on Monday, March 05 2007 @ 07:04 AM EST |
Each machine can have a different time.
The ISP server could have a different time then your PC.
In addition the PC monitoring so called illegal activity could have a different
time from everyone else.
So how do you tie the ISP server log time with time on the monitoring PC and
anyone elses PC?
You can't without knowing that at least the ISP's Server and the monitoring PC
are locked to the same time perferably via a hardware clock using an atomic
radio signal (quite expensive).
Because if you do the time sync via the internet you can can have quite a large
time difference depending on the load on the timer server and internet traffic
as well as distance (number of nodes) from the time server...
So ask them to __prove__ the times are the same.
DBLD[ Reply to This | # ]
|
|
Authored by: Anonymous on Monday, March 05 2007 @ 07:31 AM EST |
PJ, MathFox, I think this is one of those cases that bears more permanent
following. Clearly it could benefit from community scrutiny of the kind that
SCO
vs IBM has had at Groklaw, and very possibly has the potential for broader
and
more lasting societal impact. We should consider whether we can add this
one
to the official set of cases we watch in detail.
J
[ Reply to This | # ]
|
|
Authored by: pajamian on Monday, March 05 2007 @ 08:11 AM EST |
First off, IANAL and IANAE (I am not an expert) (ok, it's possible that I might
be considered an expert in some capacity, but don't rely on that).
These have been pointed out already, but I thought I would recap them myself in
case they are missed:
Primary point: Expert contends that the public IP address shown by Media Sentry
indicates that a NAT router was not used.
Rebuttal: I can only speculate as to why Kazza supplies a secondary IP address
in the data packets, but perhaps this will help.
Kazaa and other P2P apps work by transferring a data payload directly between
two peers. The peers need an IP address in order to know what computer to
connect to to get the data for a file on the internet. Kazaa most likely
supplies the address of the computer it's running on for this purpose.
Now supplying an internal private network IP address is utterly useless because
no computer on the internet can connect to it except for those that are also on
the same internal network. Kazza, however, can't know that it is running on a
computer behind a NAT firewall and so will likely, in its default configuration
supply such a private IP address, which would show up in the Media Sentry logs
and indicate that the computer resides behind a NAT router. The expert here
contends that because this supplied IP address is the same public IP as the one
that is in the packet headers then the computer must not be behind a NAT router.
THIS IS NOT TRUE!
The Kazaa supplied IP address can likely be manually set (via some configuration
option) to be the same as the public IP address (I do not know this to be the
case absolutely, but it would make sense that it can be to overcome the problem
of locating a computer on the internet that is behind a NAT router). Even in
the event that Kazaa itself does not have this option, one or more of the many
Kazaa clone programs probably can. Also note that as others have stated, this
could also be changed by a smart router that can recognize a Kazaa packet and
change this IP address on the fly.
Point 2: The "Expert" states that by his examination of the Media
Sentry logs, Kazaa was definitely running on the computer at that IP address.
I would venture into this further, there are several Kazaa clone programs that
can operate on the Kazaa network and appear as Kazaa to other programs on the
network. Does this expert know for a fact that the program was indeed Kazaa and
not one of the clones? If so, how? If not, how can he be certain that subtle
differences between the way that Kazaa works and the clone works might not
affect the data gathered from Media Sentry? Specifically how can he be sure
that the clone program might not report the actual public IP instead of the
private one if the computer were behind a NAT router?
3rd point: This is just educational and may help your understanding of dynamic
IPs. It has also been discussed at length by others, but I'm re-iterating it
here just in case my summary can help.
A dynamic IP is simply any IP address issued by an ISP or some other host entity
that is subject to change at any time. Depending on the ISP the IP address can
last for seconds, or hours or days or even years. As an example, I know of ISPs
who reset all DSL connections and re-assign IP addresses on a daily basis. In
contrast my own ISP defines my IP as dynamic, but it hasn't changed in the
several months that I have been with that ISP, despite several resets of my DSL
router (they tell me that the IP is really 99% static, but they call it dynamic
so that they can legally change it without notice if some pressing technical
reason presents itself for that).
My point is that "dynamic" can really mean lots of things in terms of
how often an IP address changes and you really can't know for sure without
checking with the ISP itself.
I think that for this and other reasons it may be worth while to depose someone
from the ISP in this case. I say "may" because it is possible that
the records and testimony you get from them could strengthen the RIAA case.
Good luck and I hope that these points help.
---
Windows is a bonfire, Linux is the sun. Linux only looks smaller if you lack
perspective.[ Reply to This | # ]
|
|
Authored by: Anonymous on Monday, March 05 2007 @ 09:13 AM EST |
Jacobson is using information provided by MediaSentry to base his findings.
Throughout this deposition he repeatedly states that he has no knowledge of
MediaSentry's methods for gathering their data.
Anyone can create a text file containing data that looks like a KaZaa log
showing the downloads of files. Screen shots can be faked as well.
Is there someone from MediaSentry who will testify on how they produced their
data that Jacobson is drawing his conclusions from? [ Reply to This | # ]
|
|
Authored by: Anonymous on Monday, March 05 2007 @ 09:29 AM EST |
It took a while to read this and it was very interesting.
It seems to me that the US legal system has a problem.
There is no technical threshold that needs to be passed
to even start a case against an individual. Its like
suing your neighbor because the rain storm flooded your
garden and you saw your neighbor dancing in his yard
just befor the storm came. There really needs to be a
rigrous technical review by technically competent
individuals of any "evidence" before the perspective
plaintiff is allowd to even start impacting the life of
a perspective defendant through legal proceedings.
This deposition really demonstrates how sorry the US
legal system has become. RIAA had no techincally correct
reason to go after Ms. Linder.
[ Reply to This | # ]
|
|
Authored by: Anonymous on Monday, March 05 2007 @ 12:09 PM EST |
The very first thing you do is TAPE everything with a camcorder from opening the
package with the HD image (and breaking the seals) to view and reporting.
Basically, not having done any of it, I would say his deposition is simply
"hearsay" and has no legal validity.
I hope that the whole thing will be thrown out and the guy will start learning
how to do his "expert" job.[ Reply to This | # ]
|
|
Authored by: pgmer6809 on Monday, March 05 2007 @ 12:25 PM EST |
IANAL but it looks to me as if there is no 'verifiable' chain of evidence here.
If this were a drug case, say, where the various pieces of evidence were
collected that sloppily, I would guess that much of it would be thrown out.
There is no way of verifying Verizon, MediaSentry, which computer was used,
which person was using the computer, even which residence the IP was assigned
to, or whether it was spoofed.
What good is it to have an 'expert chemist' testify that yes the stuff in the
bag is cocaine, when you cannot prove where the bag came from, whether it was
planted, who touched it after you seized it, who it belonged to when you found
it buried in the back yard.[ Reply to This | # ]
|
|
Authored by: Anonymous on Monday, March 05 2007 @ 01:11 PM EST |
It appears that Mrs. Lindor was using a cable modem, going by the DHCP servers
listed on Exhibit 17. These DHCP addresses are from CableVision, a cable company.
Exhibit 13 clearly shows a MediaSentry tracert to a DSL connection at
Verizon, a phone company.
There is no way that Mrs. Lindor was going to be
using DSL to download anything over a cable modem. From this, I see why Dr.
Jacobson said the following:
Q. What type of internet service
was used by the computer that MediaSentry was interacting with?
A. There
wasn't enough information from
Verizon to indicate whether it was a cable modem
or
a DSL.
Q. So you don't know?
A. No.
Thanks to
the New Yorkers that helped out with me earlier post. In all probability, Mrs.
Lindor did not even have the correct equipment in her house to connect to
Verizon.
[ Reply to This | # ]
|
|
Authored by: Marc Mengel on Monday, March 05 2007 @ 02:47 PM EST |
Gee, my combo wired/wireless router at home lets me designate one
computer to get 1:1 mapping -- it gets the same IP address as the router has,
and maps all the ports through, any other system in the house gets a 192
address, and gets address translation applied. It also reports the MAC address
of my desktop up to the ISP, so I didn't have to re-register with
my ISP when I
set it up.
So if someone has taken over the defendant's wireless router and
configured it that way, the packet trace would look as he describes, yet the
system being used could be next door, or accross the street (or further, with
the right antenna). [ Reply to This | # ]
|
|
Authored by: Wardo on Monday, March 05 2007 @ 04:30 PM EST |
From: cvs.berlios.de
(which I found in the Fast Track Protocol" on Wikipedia) detailing some
packet information about the protocol used by KaZaA. Find out what the packets
were, if you can see the whole packet capture and identify which packet types
were captured and which addresses were passed in the data payload.
For
instance, in packet type 0x0D Push Request, multiple addresses are passed in the
packet payload. What sort of examination was made of the packets by the network
monitoring people. IIRC the good doctor was relying on the logs from the
MediaSentry software to connect the dots between the end user and the file
sharing.
And the winner is packet type 0x2C, defined in that webpage as
"your globally-visible IP address", which implies that it's not the private
192.x.x.x address.
Any chance the exhibits are going to be released (or have
been released) to the public? Out of idle curiosity I would like to look at the
logs used in this case.
Wardo --- Wardo = new user();
Wardo.lawyer = FALSE;
Wardo.badTypist = TRUE; //don't bother to point out tyops
Wardo.badSpeller = TRUE; //or spelling misteaks [ Reply to This | # ]
|
|
Authored by: ChefBork on Monday, March 05 2007 @ 07:34 PM EST |
Page 38
24 Q. How did you learn your method of
25
determining from a hard drive whether a particular
Page 39
1
Jacobson
2 computer has been used for uploading or downloading
3
copyrighted works?
4 A. Well, the forensic examination
5 process I
learned through self-study and through the
6 forensic examiner's exam.
7
Q. Now, am I correct that you were doing
8 this for law enforcement before
you were a certified
9 forensic examiner?
10 A. That's correct.
11
Q. And when did you become a certified
12 forensic examiner?
13 A.
September '04.
14 Q. And why did you become a certified
15 forensic
examiner?
16 A. Two reasons. One is to be able to
17 better work with
the law enforcement and the other
18 is to help support our
university's educational
19 mission, since we teach computer
forensics.
Did anybody else suppress a shudder at
the thought of this guy teaching droves of students that how he does his own
forensics is the "right and proper" way to do things? If not, then why did
he do it this way?
If I was a member of the Iowa State Education
Certifications Board, and I saw this deposition, I'd be interested in seeing
what it was they were actually teaching, and possibly rescinding Iowa State's
certification to teach computer forensics.
If I were a student in the
Iowa State computer forensics course, I'd be wondering whether I'm learning the
proper methods and if this deposition becoming public knowledge might cause me
to become unhirable at graduation.
--- If two heads are better than
one, then why are liars two-faced and being of two minds indecisive? [ Reply to This | # ]
|
|
Authored by: Anonymous on Monday, March 05 2007 @ 09:07 PM EST |
<blockquote>7 Q. Were MediaSentry's clocks
8 synchronized with Verizon's?
9 MR. GABRIEL: Objection to form.
10 Lack of foundation.
11 A. I have no way of knowing.
12 Q. How many people were assigned this IP
13 address during the 24 hours of August 7, 2004,
14 141.155.57.198?
15 A. The date you said was August 7th?
16 Q. August 7, 2004.
17 A. I have no way of knowing that.</blockquote>
This is very important stuff. One of many examples of the very weak evidence on
RIAA's part.[ Reply to This | # ]
|
|
Authored by: Anonymous on Monday, March 05 2007 @ 11:05 PM EST |
This expert indirectly disputes the log evidence that was collected
He has examined the defendants computer and
----------------------------------
13 Q. Based upon your examination of the
14 hard drive which you examined in this case, what
15 evidence did you find that supported or would
16 support a conclusion that Marie Lindor had
17 personally uploaded any files?
18 A. The hard drive that I examined showed
19 no evidence of any peer-to-peer software or MP3
20 music files.
21 Q. So is it correct to say that there
22 was nothing on the hard drive that tended to prove
23 that she had uploaded or downloaded anything?
24 A. There was nothing on the hard drive
25 that indicated there was any peer-to-peer software.
--------------------------------------------
So according to the expert this computer was not running P2P software and never
had any MP3 files on it to share in any case.
So what is the easier explanation
a) they identified the wrong computer
b) the entire system was rebuild and all the dates faked before being seized
Unfortunately his credibility is pretty much shot but hey. If they want to use
him. According to him this computer is clean and was never used for P2P software
or storage of MP3.
All that exists is an uncertified, untraceable, unverifiable, untested log.
I would be pileing on the damage counter claims.[ Reply to This | # ]
|
|
Authored by: Anonymous on Tuesday, March 06 2007 @ 12:18 AM EST |
I note that Ray asked them to produce their EnCase case file and he said that he
didn't save anything because he didn't find anything.
Be that as it may, one of the things you probably *can* ask for is the set of
scripts he used to search the drive. You see, EnCase allows you to create
custom scripts and hashes of files that it will look for (e.g. I'm sure he has
one for Kazaa files), among other things (such as showing you all the deleted
files on the drive).
So even if he can argue that his non-findings aren't relevant, what he
*searched* for probably is relevant. Although it may or may not do you much
good without a copy of EnCase because I don't have it or know how it stores the
files. In other words, if you ask them to produce that, make sure you get
printouts or human readable versions unless you have a copy of EnCase to use.
And please note that I'm basing this on second hand knowledge. I've never
actually used EnCase, but I remembered reading about it in my copy of _Cyber
Crime Investigator's Field Guide_ by Bruce Middleton (ISBN 0-8493-1192-6) which
was published in 2002. EnCase is discussed on pages 53-66, complete with
low-res screenshots.
Glad I remembered I even had that book; it was waaaay down in the bottom corner
of my bookshelf.
Hope this helps![ Reply to This | # ]
|
|
Authored by: Anonymous on Tuesday, March 06 2007 @ 11:36 AM EST |
Is it just me, or is anyone else appalled at the lack of morals of Dr. Jacobson.
He cannot be unaware that the RIAA is using the reports he produces to brow beat
people into making settlements, and with a degree in computer forensics, he
should be well aware that his 'evidence' is dodgy at best.
This attitude of "give me some money, and I will do whatever you want"
will be the downfall of western society. The formal name for it is prostitution.
[ Reply to This | # ]
|
|
Authored by: Anonymous on Tuesday, March 06 2007 @ 11:54 AM EST |
Just a question for all those who might know more than me. If I wanted to
connect to an Internet Provider via DSL or Cable I would NEED a Cable or DSL
modem, or not? I am currently only aware of very few PCI cards that are Cable or
DSL modems, requiring NO external box.
If I the defendant did not have such a PCI card (could be read out of the
registry) but connected via the standard Ethernet card, it would
"prove" an external Cable or DSL modem.
Now, how many DSL / Cable modems have you seen that do not have more than one
Ethernet port? how many don't have a wireless connection ability?
My logic: Either the defendant had a fairly new modem with firewall and/or
wireless then, it is impossible to pinpoint what PC was using that modem (could
have been any as the hard drive does not prove anything). If she did not have an
external modem but a PCI modem then she would have needed a firewall software on
the PC... did she?
[ Reply to This | # ]
|
|
Authored by: PeteS on Tuesday, March 06 2007 @ 04:54 PM EST |
I (amongst others here) have been an expert witness in court, in the USA. The
key thing for many to realise is that expert witnesses live and die by their
credibility.
Mr. Beckerman has [apparently] effectively shot any credibility of Dr. Jacobsen,
and he doesn't seem a strong witness (although I have never met him and can't
say for sure, obviously).
To me it merely shows the incredibly weak case they have; Dr. Jacobsen did the
best he could while staying legally honest, but I can see some hay making in
this deposition.
PeteS
---
Only the truly mediocre are always at their best[ Reply to This | # ]
|
|
Authored by: Anonymous on Tuesday, March 06 2007 @ 06:05 PM EST |
i know this should be evident from knowledge of the kazaa protocol, but the
problem i have is why kazaa would want the secondary ip address. no consumer
router that i know of does kazaa packet inspection to determine where to route
an incoming packet once it's past the wan interface. and for that second address
to have any usefulness, something in the router has to recognize the second
address and direct the packet to the appropriate internal node.
the only situation where i think that second address might come in handy is if
the lan side of the router is a hub instead of a switch, and so the kazaa client
itself can pick out kazaa traffic that's relevant... but that can't be very
effecient, and seems contrary to best practices.
so, i'm missing something. that secondary address might be useful in some
situations, or maybe is one way to indicate the potential presence of an
intermediate device, but i don't think it would be used in a typical NAT.
guess i'll have to check the kazaa protocol as to why it would be situated like
that. once i know why, then it's reasonable to surmise whether it tells us
anything at all in this case...
as far as a reason why there might be a secondary address for the supernode..
well, i think kazaa has the ability to work behind a proxy. that's where i can
send packets directly OR through the proxy, but can only receive packets sent to
the proxy. if the secondary address in the kazaa protocol is for allowing a
proxy to be used, then the "expert"'s theory is blown completely out
of the water. that secondary address would normally default to the WAN or public
address, regardless of router or not, and the existence or lack of a NAT router
could not be proven by looking at the individual packets and whether or not the
secondary address matches the source.
i'll look a little bit, but if someone wants to enlighten me, post back.
[ Reply to This | # ]
|
- reality checked. - Authored by: Anonymous on Tuesday, March 06 2007 @ 06:35 PM EST
|
|
|
|