decoration decoration
Stories

GROKLAW
When you want to know more...
decoration
For layout only
Home
Archives
Site Map
Search
About Groklaw
Awards
Legal Research
Timelines
ApplevSamsung
ApplevSamsung p.2
ArchiveExplorer
Autozone
Bilski
Cases
Cast: Lawyers
Comes v. MS
Contracts/Documents
Courts
DRM
Gordon v MS
GPL
Grokdoc
HTML How To
IPI v RH
IV v. Google
Legal Docs
Lodsys
MS Litigations
MSvB&N
News Picks
Novell v. MS
Novell-MS Deal
ODF/OOXML
OOXML Appeals
OraclevGoogle
Patents
ProjectMonterey
Psystar
Quote Database
Red Hat v SCO
Salus Book
SCEA v Hotz
SCO Appeals
SCO Bankruptcy
SCO Financials
SCO Overview
SCO v IBM
SCO v Novell
SCO:Soup2Nuts
SCOsource
Sean Daly
Software Patents
Switch to Linux
Transcripts
Unix Books

Gear

Groklaw Gear

Click here to send an email to the editor of this weblog.


You won't find me on Facebook


Donate

Donate Paypal


No Legal Advice

The information on Groklaw is not intended to constitute legal advice. While Mark is a lawyer and he has asked other lawyers and law students to contribute articles, all of these articles are offered to help educate, not to provide specific legal advice. They are not your lawyers.

Here's Groklaw's comments policy.


What's New

STORIES
No new stories

COMMENTS last 48 hrs
No new comments


Sponsors

Hosting:
hosted by ibiblio

On servers donated to ibiblio by AMD.

Webmaster
The Results of Your Labor and a Thank You, by Ray Beckerman, Esq. - Updated
Sunday, March 04 2007 @ 04:37 AM EST

The online community now has an opportunity to see the fruits of its labor. Back in December, the Slashdot ("What Questions Would You Ask an RIAA "Expert"?") and Groklaw ("Another Lawyer Would Like to Pick Your Brain, Please") communities were asked for their input on possible questions to pose to the RIAA's "expert", Dr. Doug Jacobson of Iowa State University, who was scheduled to be deposed in February in UMG v. Lindor, for the first time in any RIAA case. Ms. Lindor's lawyers were flooded with about 1400 responses.

The deposition of Dr. Jacobson went forward on February 23, 2007, and the transcript is now available online (pdf). Ray Beckerman, one of Ms. Lindor's attorneys, had this comment: "We are deeply grateful to the community for reviewing our request, for giving us thoughts and ideas, and for reviewing other readers' responses.

Now I ask the tech community to review this all-important transcript, and bear witness to the shoddy "investigation" and 'junk science' upon which the RIAA has based its litigation war against the people. The computer scientists among you will be astounded that the RIAA has been permitted to burden our court system with cases based upon such arrant and careless nonsense."

Here is the deposition as text.

Update: The Jacobson exhibits are now online also.

***************************

1



1

2 UNITED STATES DISTRICT COURT

3 EASTERN DISTRICT OF NEW YORK

4 ---------------------------------------X

5 UMG RECORDINGS, INC., et al,

6
Plaintiffs, 05 CV 1095
7 (DGT)(RML)
vs.
8

9 MARIE LINDOR,

10 Defendant.
---------------------------------------X
11

12 February 23, 2007

13 9:30 a.m.

14

15 DEPOSITION of Expert Witness,

16 DR. DOUGLAS W. JACOBSON, held at the offices

17 of Vanderberg & Feliu, LLP, 110 East 42nd

18 Street, New York, New York, pursuant to

19 Notice, before ELIZABETH SANTAMARIA, a

20 Notary Public of the State of New York.

21

22

23

24 Reported by:
ELIZABETH SANTAMARIA
25 JOB NO. 54123




2



1

2 A p p e a r a n c e s :

3

4 HOLME ROBERTS & OWEN LLP

5 Attorneys for Plaintiffs

6 1700 Lincoln Street

7 Denver, Colorado 80203-4541

8 BY: RICHARD L. GABRIEL, ESQ.

9

10 VANDENBERG & FELIU, LLP

11 Attorneys for Defendant

12 110 East 42nd Street

13 New York, New York 10017

14 BY: RAY BECKERMAN, ESQ.

15

16
ALSO PRESENT: ZI MEI
17

18

19

20

21

22

23

24

25




3



1

2 --O0O--

3

4 IT IS HEREBY STIPULATED AND AGREED

5 that the filing and sealing of the within

6 deposition be, and the same are hereby

7 waived;

8

9 IT IS FURTHER STIPULATED AND AGREED

10 that all objections, except as to the form

11 of the question, be and the same are hereby

12 reserved to the time of the trial;

13

14 IT IS FURTHER STIPULATED AND AGREED

15 that the within deposition may be sworn to

16 before Notary Public with the same force and

17 effect as if sworn to before a Judge of this

18 Court;

19 IT IS FURTHER STIPULATED that the

20 transcript is to be certified by the

21 reporter.

22

23 --o0o--

24

25




4



1

2 D O U G L A S W. J A C O B S O N,

3 called as a witness, having been duly sworn

4 by the Notary Public, was examined and

5 testified as follows:

6 EXAMINATION BY

7 MR. BECKERMAN:

8 Q. Please state your name for the

9 record.

10 A. Dr. Douglas W. Jacobson.

11 Q. What is your business address?

12 A. 2215 Coover Hall, Iowa State

13 University, Ames, Iowa 50011.

14 Q. Dr. Jacobson, are you yourself an

15 engineer?

16 A. Yes.

17 Q. By what body are you certified as an

18 engineer?

19 A. By no professional society.

20 Q. No professional society? Is there

21 any organization that has certified you as an

22 engineer?

23 A. No.

24 Q. Are you part of any peer regulatory

25 body?




5



1 Jacobson

2 A. I don't quite understand what you

3 mean by --

4 Q. Are you part of any body the members

5 of which are peer-regulated?

6 A. Can you give me an example of what

7 you are --

8 Q. A lawyer, an architect, an

9 accountant.

10 I thought an engineer had to be

11 certified by a peer-regulated body.

12 A. To be called a professional engineer

13 they do.

14 Q. So are you not a professional

15 engineer?

16 A. I do not have a PE license.

17 Q. You are the founder of the Palisade

18 Systems?

19 A. That's correct.

20 Q. What other titles do you hold within

21 that organization?

22 A. Chief technology officer.

23 Q. And are you a member of the board of

24 directors?

25 A. Yes.




6



1 Jacobson

2 Q. Are you a shareholder?

3 A. Yes.

4 Q. What percentage of the shares of that

5 company do you own?

6 A. I believe it's about 3 percent.

7 Q. Palisade Systems sells software

8 products to universities, businesses and other

9 institutions that maintain networks; is that

10 correct?

11 A. Yes.

12 Q. Do these products include products

13 which are intended to combat file sharing through --

14 we are going to be using that term a lot.

15 Withdrawn.

16 These products include products that

17 are intended to combat peer-to-peer file sharing of

18 copyrighted works; is that correct?

19 MR. GABRIEL: Objection to form.

20 You can answer the question.

21 A. Yes.

22 Q. Is one of the reasons that these

23 organizations buy these products the avoidance of

24 lawsuits?

25 MR. GABRIEL: Objection to form.




7



1 Jacobson

2 Lack of foundation.

3 A. I don't -- since I'm not on the

4 marketing side, I really can't testify to why a

5 particular client buys the product.

6 Q. Have you been quoted in press

7 releases issued by the company as to reasons to buy

8 the product?

9 A. Yes.

10 Q. And in those press releases have you

11 stated that one of the reasons to buy the product is

12 to avoid lawsuits?

13 A. I very well could have. I do not --

14 without seeing one of the press releases.

15 Q. Is one of the reasons to buy these

16 products to avoid copyright infringement lawsuits?

17 MR. GABRIEL: Objection to form.

18 A. That would be a reason to buy one of

19 the products.

20 Q. And have you specifically referred to

21 lawsuits by the RIAA as one of the types of lawsuits

22 that they could avoid by buying these products?

23 A. To my recollection, I have not.

24 Q. Is it true that the RIAA backs the

25 software that was co-licensed between your company




8



1 Jacobson

2 and Audible Magic?

3 MR. GABRIEL: Objection to form.

4 Lack of foundation.

5 A. I do not know what arrangement

6 Audible Magic and the RIAA have entered into.

7 Q. Are you aware that an officer of

8 Audible Magic was introduced to government officials

9 in Washington by representatives of the RIAA?

10 A. No.

11 MR. BECKERMAN: I would like to

12 mark as Defendant's 1 a press release from

13 Palisade Systems, Inc. bearing the

14 headline "Peer-to-Peer File Sharing

15 Struggles Intensify in Universities."

16 (Defendant's Exhibit 1, press release

17 from Palisade Systems, Inc. bearing the

18 headline "Peer-to-Peer File Sharing

19 Struggles Intensify in Universities," marked

20 for identification, as of this date.)

21 Q. Is this press release genuine?

22 A. It was released by the company.

23 MR. BECKERMAN: I would like to

24 mark as Exhibit 2 a one-page press release

25 of Palisade Systems, Inc. dated April 21,




9



1 Jacobson

2 2004. The headline is "Instantly Stop

3 Illegal P2P With PacketSure 3."

4 (Defendant's Exhibit 2, one-page

5 press release of Palisade Systems, Inc.

6 dated April 21, 2004, marked for

7 identification, as of this date.)

8 Q. Is this press release genuine?

9 A. Yes. It was released by the company.

10 Q. Going down to the third paragraph,

11 which purports to have a quotation from you, would

12 you tell us if that quotation is accurate?

13 A. Yes.

14 MR. BECKERMAN: I would like to

15 mark as Exhibit 3 a two-page article dated

16 April 19, 2004 by David Chappelle entitled

17 "Newest PacketHound release eliminates

18 illegal trading of copyrighted files."

19 (Defendant's Exhibit 3, two-page

20 article by David Chappelle dated April 19,

21 2004, marked for identification, as of this

22 date.)

23 Q. Who is Steven Brown?

24 A. Steven Brown, what was his title? He

25 was our marketing individual at Palisade. I don't




10



1 Jacobson

2 remember his exact title.

3 Q. Was he authorized to speak for

4 Palisade Systems to the press?

5 A. Yes.

6 Q. I direct you to the fifth paragraph

7 and ask you whether that is an accurate statement of

8 something that was said by Steven Brown.

9 MR. GABRIEL: Objection. Lack of

10 foundation.

11 A. I have no way of knowing firsthand

12 that Steven Brown said that.

13 Q. Do you agree with the statement "Some

14 P2P applications can evade certain security tools"?

15 A. Yes.

16 Q. Do you agree with the statement of

17 Mr. Chappelle contained in the third paragraph that

18 "Detecting and stopping copyrighted materials from

19 being shared illegally eliminates the liability

20 faced by organizations associated with file

21 sharing"?

22 MR. GABRIEL: Objection to form.

23 Lack of foundation.

24 A. Can you repeat the question?

25 (Record read.)




11



1 Jacobson

2 A. Since I'm not a lawyer, I'm not sure

3 I can comment on being a liability and the absolute

4 elimination of it.

5 Q. I call your attention to the ninth

6 paragraph, starting with the word "instead."

7 A. Okay.

8 Q. Do you agree with that paragraph?

9 MR. GABRIEL: Objection to form.

10 Lack of foundation.

11 A. Yes, I would agree with that.

12 MR. BECKERMAN: I would like to

13 mark as Exhibit 4 an article dated

14 April 21, 2004, of C/net News.Com.,

15 entitled "New Tool Designed to Block Song

16 Swaps."

17 (Defendant's Exhibit 4, C/net

18 News.com article dated April 21, 2004,

19 marked for identification, as of this date.)

20 Q. Do you agree with the statement in

21 the second paragraph, the first paragraph that's not

22 in bold, which says that the song filtering software

23 is backed strongly by the Recording Industry

24 Association of America, RIAA?

25 MR. GABRIEL: Objection to form.




12



1 Jacobson

2 Lack of foundation.

3 A. I have no firsthand knowledge of

4 whether or not the RIAA has strongly backed Audible

5 Magic software.

6 Q. Do you have any reason to believe

7 that they have?

8 MR. GABRIEL: Object to the form.

9 A. Could you rephrase the question?

10 Q. What is the problem with the

11 question?

12 A. Restate the question and then I will

13 tell you.

14 Q. You said you had no firsthand

15 knowledge. Now I am asking you whether you have any

16 reason to believe that the RIAA did, in fact, back

17 the software strongly.

18 A. I have no firsthand knowledge that

19 they have.

20 Q. Did you ever see this article?

21 A. I don't recall seeing the article on

22 the web.

23 Q. Did you see any articles or press

24 releases saying that the RIAA backed the software

25 strongly?




13



1 Jacobson

2 A. I don't recall seeing any.

3 Q. So this is the first you've heard of

4 it? Is that your testimony?

5 MR. GABRIEL: I object to the form.

6 He said what he said.

7 A. I have no firsthand knowledge that

8 they have strongly backed -- I don't have any

9 firsthand knowledge that they strongly backed the

10 software, Audible Magic software.

11 Q. Do you have any other knowledge that

12 they backed it?

13 A. Not to my recollection.

14 Q. Going down to the second paragraph

15 that's not in bold and the sentences which purport

16 to quote you, would you tell me whether those are

17 accurate quotes.

18 A. Yeah.

19 Q. Now, going down to the fourth

20 paragraph starting with the word "during," is it

21 your testimony that you have no knowledge of RIAA

22 executives helping to guide Audible Magic CEO Vance

23 Ikezoye around federal government offices advocating

24 the song blocking technology as a tool for stopping

25 copyright infringement on file swapping networks?




14



1 Jacobson

2 MR. GABRIEL: Object to the form of

3 the question.

4 A. Could you please read the question

5 back again.

6 (Record read.)

7 A. I have no knowledge that that took

8 place.

9 Q. What is the relationship, if any,

10 between the RIAA and Palisade Systems, Inc.?

11 A. There is no relationship.

12 Q. Has Palisade Systems, Inc. had any

13 dealings with any agents of the Recording Industry

14 Association of America?

15 A. I believe that our chief operating

16 officer had discussions with the RIAA back in the

17 early 2000s.

18 MR. BECKERMAN: I would like to

19 mark as Exhibit 5 a press release from

20 ZDNet entitled "File-Swap Killer Grabs

21 Attention."

22 (Defendant's Exhibit 5, press release

23 from ZDNet entitled "File-Swap Killer Grabs

24 Attention," marked for identification, as of

25 this date.)




15



1 Jacobson

2 Q. Do you know what ZDNet is?

3 A. Yeah.

4 Q. What is ZDNet?

5 A. It is an online publication, is my

6 understanding.

7 Q. Have you ever used ZDNet for anything

8 other than reading?

9 A. Personally, not to my knowledge I

10 haven't.

11 Q. You've never downloaded any software

12 from ZDNet?

13 A. Not that I can recall.

14 Q. Have you never heard of ZDNet as a

15 source of software?

16 A. Not that I recall.

17 Q. And what is ZDNet News?

18 A. My understanding is it's an online

19 publication that I believe they send out to e-mails

20 to the subscribers.

21 Q. Have you ever had any dealings with

22 the University of Rochester?

23 A. Define the university.

24 Q. Excuse me?

25 A. I don't quite understand when you say




16



1 Jacobson

2 the university.

3 Q. Have you ever had any dealings with

4 officials of the University of Rochester?

5 A. Personally I have not, no.

6 Q. Has Palisade Systems?

7 A. Personally I have no knowledge of

8 that.

9 Q. What do you mean personally you have

10 no knowledge of that? Do you have some other kind

11 of secondhand knowledge of it?

12 A. Not that I recall, but I do not keep

13 close tabs of what the marketing or the sales force

14 does.

15 Q. Has Palisade Systems had any dealings

16 with the University of Rochester?

17 A. Not that I recall.

18 Q. Did the provost of the University of

19 Rochester attend a demonstration of the Audible

20 Magic software at RIAA headquarters in January of

21 2004?

22 A. Not that I know of, but ...

23 Q. Do you agree or disagree with the

24 statement that the RIAA has helped the company,

25 meaning Audible Magic, gain entree to official




17



1 Jacobson

2 Washington circles?

3 MR. GABRIEL: Object to form. Lack

4 of foundation.

5 A. I have no knowledge of what the RIAA

6 has done to help Audible Magic.

7 Q. Is it a fact that Audible Magic

8 entered into a cross-licensing agreement with

9 Palisade Systems, Inc.?

10 A. That's correct.

11 Q. What was the software designed to do?

12 A. What software?

13 Q. Song filtering software created by

14 Audible Magic, software that was mentioned in the

15 press releases I just showed you.

16 A. Audible Magic's software is designed

17 to examine audio data and determine if it matches a

18 database of copyrighted materials.

19 MR. BECKERMAN: Would you read back

20 the question.

21 (Record read.)

22 Q. Do you feel you have answered that

23 question?

24 A. I answered the question of what

25 Audible Magic software was designed to do.




18



1 Jacobson

2 Q. Is it song filtering software?

3 MR. GABRIEL: Object to the form.

4 A. Define what you mean by filtering.

5 Q. What is filtering? Withdrawn.

6 Is it your testimony here under oath

7 you do not know what the word "filtering" means?

8 MR. GABRIEL: Object to the form.

9 Argumentative.

10 A. The term has many different uses.

11 I'm trying to --

12 Q. Is the audio designed by Audible

13 Magic designed for song filtering?

14 MR. GABRIEL: Object to the form.

15 Lack of foundation.

16 A. Will you repeat the question.

17 (Record read.)

18 A. I can't testify to what their design

19 team chose to design their software to do.

20 Q. So is it your testimony that you do

21 not know if this software has any application to

22 blocking song trades on peer-to-peer file sharing

23 networks?

24 MR. GABRIEL: Object to the form.

25 That's a different question.




19



1 Jacobson

2 You can answer the question.

3 A. Which application?

4 Q. The same one we've just been talking

5 about. The application designed by Audible Magic,

6 which was cross-licensed to Palisade Systems.

7 A. The Audible Magic code that was

8 licensed by Palisade does not block traffic.

9 Q. What does it do?

10 A. It identifies traffic content.

11 Q. Is it able to identify song files?

12 A. It is able to identify -- it is able

13 to identify --

14 It is able to analyze files and

15 determine if those files match the signatures that

16 are stored in their database.

17 Q. And was it marketed by Palisade

18 Systems as something that could identify and stop

19 illegal file trades in real time without any

20 requirement for individual users to be identified?

21 A. Yes, their code coupled with our

22 code.

23 Q. And was it marketed by Palisade

24 Systems as something that could block specific

25 illegal file trades?




20



1 Jacobson

2 A. Yes.

3 Q. Now, you are the chief technology

4 officer of Palisade?

5 A. That's correct.

6 Q. So you would be knowledgeable about

7 technology work between your company and Audible

8 Magic, is that not true?

9 MR. GABRIEL: Object to the form.

10 A. Define what you mean by technology

11 work.

12 Q. Development of computer programs.

13 A. I am knowledgeable as to how our

14 software operates and how the application interfaced

15 between our software and Audible Magic software

16 operates.

17 Q. Did your company work jointly with

18 Audible Magic to develop the first network

19 appliances that identified copyrighted works on the

20 fly combined with the ability to block individual

21 trades?

22 A. Our company worked with Audible Magic

23 to develop a product to stop peer-to-peer traffic as

24 identified by Audible Magic's proprietary code.

25 Q. And you are testifying here today




21



1 Jacobson

2 that you have no idea how the RIAA reacted to this

3 work that you are doing?

4 A. That's correct.

5 Q. Have the press releases issued by

6 Palisade Systems referred to the RIAA?

7 MR. GABRIEL: I object to the form.

8 Lack of foundation.

9 A. I'm sure that some of our press

10 releases have probably mentioned the RIAA.

11 Q. In what capacity?

12 MR. GABRIEL: Same objections.

13 A. I don't recall any direct quotes out

14 of any of the press releases.

15 Q. Did you ever meet with the CEO of

16 Audible Magic?

17 A. I recall meeting him in just a short

18 meeting when he visited Palisade, but I was not part

19 of the negotiations.

20 Q. Did you discuss the software?

21 MR. GABRIEL: The question is

22 whether Dr. Jacobson talked to the CEO

23 about the software? I'm just clarifying

24 the question.

25 Q. Did you discuss the software?




22



1 Jacobson

2 MR. GABRIEL: I object to the form.

3 A. I can't recall whether I did or

4 didn't.

5 Q. Have you formed an opinion as to

6 whether Marie Lindor personally uploaded any

7 copyrighted files to anyone?

8 A. The computer whose IP address has

9 been identified as being registered to Ms. Lindor

10 has been shown to have made songs available,

11 copyrighted material available to the internet

12 community through peer-to-peer software.

13 MO MR. BECKERMAN: I move to strike the

14 answer as nonresponsive.

15 Would you read back the question.

16 (Record read.)

17 MR. GABRIEL: Is there a question

18 pending?

19 MR. BECKERMAN: Yes. I'm waiting

20 for an answer to the question. It calls

21 for a "yes" or "no" answer.

22 MR. GABRIEL: I object. It does

23 not. He answered the question.

24 MR. BECKERMAN: Are you directing

25 him not to answer the question?




23



1 Jacobson

2 MR. GABRIEL: No, no.

3 THE WITNESS: Would you repeat the

4 question.

5 (Record read.)

6 MR. GABRIEL: My objection was he

7 just answered.

8 You can answer it again.

9 A. Again, the computer registered to

10 Marie Lindor had made available songs through

11 peer-to-peer software, therefore making them

12 available.

13 MR. BECKERMAN: I am going to say

14 this once and I am not going to repeat it.

15 We are here, we have a limited

16 time. I am on page 1 of about 40 pages

17 of notes. If this kind of gamesmanship

18 is going to be continued, we will never

19 get through even a fraction of this

20 deposition and we will just have to

21 continue it. But I have no intention of

22 accepting that type of answer.

23 If that's the way you are going

24 to play this, then we will be here all

25 day. It calls for a "yes" or "no"




24



1 Jacobson

2 answer and there is no reason to be

3 playing games in answering a question

4 that was not asked. He will be asked

5 questions that may relate to what his

6 answer was, but he has not answered the

7 question that was asked of him and it

8 calls for a "yes" or "no" and I expect

9 an answer to it.

10 MR. GABRIEL: It is a nice speech,

11 Ray. The witness answered the question.

12 I object to the characterization of

13 gamesmanship. Because you don't like the

14 answer doesn't mean it is gamesmanship.

15 The witness has answered, he has his

16 opinions. And if you want to argue with

17 me or the witness, we will be here all day

18 or we will leave.

19 MR. BECKERMAN: I am going to ask

20 the question one more time and if I do not

21 get an answer to it, we will eventually

22 seek a ruling on that and we are going to

23 seek a ruling on all questions that we do

24 not receive answers to, all questions to

25 which we do not receive answers to, and




25



1 Jacobson

2 then we will have a continued deposition.

3 MR. GABRIEL: You reserve whatever

4 you want, Ray, and seek whatever rulings

5 you want. The witness answered the

6 question and I submit this is browbeating

7 the witness into trying to get the witness

8 by arguing with me. This is not serving

9 any purpose.

10 BY MR. BECKERMAN:

11 RL Q. Have you formed an opinion as to

12 whether Marie Lindor personally uploaded any

13 copyrighted files, "yes" or "no"?

14 MR. GABRIEL: Objection. Form.

15 Asked and answered twice.

16 Q. Dr. Jacobson, would you please answer

17 the question.

18 A. I have twice already answered the

19 question.

20 Q. Are you refusing to answer the

21 question?

22 MR. GABRIEL: Objection.

23 Argumentative. He answered the question.

24 MR. BECKERMAN: We will seek a

25 ruling on that.




26



1 Jacobson

2 RL Q. Have you personally formed an opinion

3 as to whether Marie Lindor personally downloaded any

4 copyrighted files?

5 A. The computer whose IP address who has

6 been identified as belonging to Marie Lindor made

7 copyrighted material available through peer-to-peer

8 software -- made the material available through

9 peer-to-peer software.

10 MR. BECKERMAN: We also will seek a

11 ruling on that and we will seek a ruling

12 on all follow-up questions which would

13 have resulted from a "yes" or "no" answer.

14 MO I move to strike the nonresponsive

15 answer that was given.

16 Q. Based upon your examination of the

17 hard drive which you examined, what evidence did you

18 find that inculpated Marie Lindor personally?

19 MR. GABRIEL: Object to the form.

20 Lack of foundation.

21 A. Would you please define the

22 second-to-last word.

23 Q. "Her"?

24 A. No, "inculpated." Would you please

25 define that for me.




27



1 Jacobson

2 Q. Do you not know what the word

3 "inculpated" means?

4 A. That's correct.

5 Q. Are you familiar with the word

6 "exculpate"?

7 A. No.

8 Q. What is your educational background?

9 A. Computer engineering.

10 Q. Well, which school did you attend?

11 Did you get a Bachelor's degree?

12 A. Yes.

13 Q. What school?

14 A. Iowa State University, science and

15 technology.

16 Q. When did you graduate?

17 A. With which degree?

18 Q. When did you get your Bachelor's

19 degree?

20 A. 1980.

21 Q. Do you have any other degrees?

22 A. I hold a Master of Science in

23 electrical engineering.

24 Q. When did you get that?

25 A. 1982.




28



1 Jacobson

2 Q. Any other degrees?

3 A. A Doctor of Philosophy, Ph.D., in

4 computer engineering.

5 Q. When was that?

6 A. 1985.

7 Q. And you are associate professor at

8 Iowa State University?

9 A. That is correct.

10 Q. And you do not know what the word

11 "exculpate" means?

12 A. That's correct.

13 Q. Based upon your examination of the

14 hard drive which you examined in this case, what

15 evidence did you find that supported or would

16 support a conclusion that Marie Lindor had

17 personally uploaded any files?

18 A. The hard drive that I examined showed

19 no evidence of any peer-to-peer software or MP3

20 music files.

21 Q. So is it correct to say that there

22 was nothing on the hard drive that tended to prove

23 that she had uploaded or downloaded anything?

24 A. There was nothing on the hard drive

25 that indicated there was any peer-to-peer software.




29



1 Jacobson

2 Q. Hypothetically, had you discovered

3 KaZaA software and song files or remnants of KaZaA

4 software or song files resembling those that had

5 appeared in a screen shot, would that have tended to

6 support a finding that she had downloaded or

7 uploaded copyrighted files?

8 A. That would have supported a claim

9 that that computer was used to make files available.

10 Q. So it would have supported a finding

11 that the computer whose hard drive you examined had

12 been used for that purpose?

13 A. Correct.

14 Q. It would not have supported a

15 finding, would it, as to whether Marie Lindor

16 herself had used those programs or files?

17 MR. GABRIEL: Object to the form.

18 Lack of foundation.

19 THE WITNESS: Please read it back.

20 (Record read.)

21 A. That's correct.

22 Q. Hypothetically, had you discovered

23 substantial deletions, would that have supported a

24 finding that there had been the use of KaZaA file

25 sharing to download or upload copyrighted files?




30



1 Jacobson

2 MR. GABRIEL: Object to the form.

3 Lack of foundation.

4 A. Had I found substantial deletions of

5 the KaZaA software and music files, that would have

6 supported it.

7 Q. Had you discovered that the hard

8 drive had been entirely reformatted would that, in

9 your view, have supported a finding that the

10 computer had been used for uploading or downloading

11 copyrighted works?

12 MR. GABRIEL: Same objections.

13 A. Had the computer been reformatted,

14 there would have been no conclusion that I could

15 have drawn as to what was on the computer prior to

16 formatting.

17 Q. Hypothetically, had you discovered

18 substantial defragmentation of the hard drive, would

19 that have supported a finding that the computer had

20 been used to upload or download copyrighted works?

21 MR. GABRIEL: Same objection.

22 A. If that's all I had found, no, that

23 would not have supported.

24 Q. So you have concluded that the hard

25 drive that you examined was not used for KaZaA file




31



1 Jacobson

2 sharing; is that correct?

3 A. That's correct, as I testified or as

4 I -- in one of my documents, yes.

5 Q. Are you aware of any evidence of

6 anything that would point to Marie Lindor personally

7 having done something as opposed to any other

8 person?

9 MR. GABRIEL: Objection to the

10 form. Lack of foundation.

11 A. I have examined evidence that shows

12 that the computer registered to the IP address

13 belonging to Marie Lindor was used to share

14 copyrighted material.

15 Q. But other than that, other than the

16 fact that the computer was used, as you say, is

17 there any evidence to show what natural person, what

18 individual was the one who actually did it?

19 A. No.

20 Q. Do you know what processes and

21 procedures MediaSentry employed?

22 A. I do not know the inner works of

23 MediaSentry processes and procedures.

24 Q. Do you know what software they used?

25 A. No.




32



1 Jacobson

2 Q. Do you know if it was well known

3 off-the-shelf software or if it was proprietary

4 software?

5 A. Again, I do not know the inner

6 workings of MediaSentry's operations.

7 Q. Do you know if their software had

8 been peer-reviewed or published or anything like

9 that?

10 A. Not that I'm aware of.

11 Q. Have you ever testified as an expert

12 in a deposition?

13 A. No.

14 Q. Have you ever testified as an expert

15 in a trial?

16 A. No.

17 Q. Have you ever testified as an expert

18 in any other type of proceeding?

19 A. I testified in front of a school

20 board.

21 Q. As an expert?

22 A. Yes.

23 Q. On what subject?

24 A. A teacher was accused of viewing

25 pornography at school.




33



1 Jacobson

2 Q. There was no judge?

3 A. No.

4 Q. There was no arbitrator or judicial

5 type of person conducting it? It was just a school

6 board?

7 A. Yes.

8 Q. Has any judge or jury ever found your

9 methodology to be unreliable?

10 A. I've never been in front of a judge,

11 so no.

12 Q. Has any judge or jury ever found your

13 methodology to be reliable?

14 A. Again, I've never been in front of a

15 judge.

16 Q. Has anyone other than the RIAA ever

17 hired you to do a forensic examination of a hard

18 drive?

19 A. Yes.

20 Q. Who?

21 A. That school board. I'm currently

22 working on a --

23 MR. GABRIEL: Why don't you wait

24 until the ambulance passes.

25 MR. BECKERMAN: I don't think we --




34



1 Jacobson

2 MR. GABRIEL: It may take a while.

3 MR. BECKERMAN: This is New York,

4 Richard. This isn't Denver. We could be

5 here all day.

6 MR. GABRIEL: Just try to keep your

7 voice up.

8 A. I am currently working on two

9 forensic cases that are ongoing. I've done quite a

10 bit of forensic work for law enforcement which I do

11 pro bono.

12 Q. When were you first hired to do

13 forensic work on a hard drive?

14 MR. GABRIEL: Just for

15 clarification, when you say hired, does

16 that include the pro bono work he's

17 talking about?

18 MR. BECKERMAN: Yes.

19 A. On a hard drive, probably in the late

20 '80s.

21 Q. And who was that?

22 A. The Iowa State University. I've done

23 quite a bit of forensic work helping out various

24 individuals at the university.

25 Q. What law enforcement agency hired you




35



1 Jacobson

2 to do a forensic examination of a hard drive?

3 A. Again, I did it with no compensation.

4 I do all my forensic exams for law enforcement

5 through the Iowa State University police department.

6 However, they take in cases from other

7 jurisdictions. I don't always know the jurisdiction

8 that brought the case in.

9 Q. And they have never used you as a

10 witness?

11 A. No. We never -- they've always

12 settled.

13 Q. Apart for doing things for people at

14 Iowa State University how many times have you

15 been -- and apart from the RIAA, how many hard

16 drives have you done forensic examinations of?

17 A. By outside the university, do you

18 also mean outside the Iowa State Police Department?

19 Q. No.

20 A. I maybe misunderstood the question.

21 Can you restate the question or repeat the question?

22 Q. I will restate the question.

23 Apart from your work for the RIAA and

24 your work for people at Iowa State University, how

25 many hard drives have you been hired to do a




36



1 Jacobson

2 forensic examination of?

3 A. Probably half a dozen. It's been

4 over such a long period of time.

5 Q. What software did you use?

6 A. In the latest ones I've been using

7 EnCase.

8 Q. Which edition of EnCase?

9 A. I'm using 5.

10 Q. What did you use before?

11 A. I would use various Hex editors and

12 then -- before it was -- before we had sophisticated

13 software. Sometimes I would write software to

14 recover.

15 Q. When did you start using EnCase 5?

16 A. I don't remember the date that it

17 came out. Prior to that I was using version 4.

18 Q. When did you start using that?

19 A. Probably about three years ago.

20 Q. Has anyone other than the RIAA ever

21 hired you to opine on whether a particular computer

22 had been used for uploading or downloading

23 copyrighted works?

24 A. Copyrighted works?

25 Q. Yes.




37



1 Jacobson

2 A. No.

3 Q. How long have you been using your

4 present method of determining whether a particular

5 computer has been used for uploading or downloading

6 copyrighted works?

7 A. About a year and a half.

8 Q. When did you learn your present

9 method of determining whether a particular computer

10 has been used for uploading or downloading

11 copyrighted works? Or did you develop it yourself?

12 A. Clarification. Are you talking about

13 exams on the hard drives or just the process, the

14 entire process?

15 Q. Well, you have a method, do you not?

16 A. I have a method for examining hard

17 drives and I have a method for reviewing the

18 MediaSentry material.

19 Q. So these are two different things?

20 One isn't tied into the other?

21 A. They are two different processes.

22 Q. Okay. So let's break it down. Your

23 method of --

24 The MediaSentry materials are

25 gathered through the internet?




38



1 Jacobson

2 A. Yeah. MediaSentry gathers the

3 material through the internet.

4 Q. How did you learn your method of

5 interpreting -- withdrawn.

6 Are you able --

7 I am having a little difficulty with

8 this conceptually. You are breaking it down into

9 two separate processes. Is it your testimony that

10 there is a way to detect whether a computer has been

11 used for uploading or downloading copyrighted works

12 without both looking at the MediaSentry material and

13 the hard drive?

14 A. Yes.

15 Q. Let's break it down, then, into two

16 separate things.

17 How did you learn your method of

18 determining from the MediaSentry materials whether a

19 particular computer has been used for uploading or

20 downloading copyrighted works?

21 A. It was a process that I developed.

22 Q. You developed it on your own?

23 A. Yes.

24 Q. How did you learn your method of

25 determining from a hard drive whether a particular




39



1 Jacobson

2 computer has been used for uploading or downloading

3 copyrighted works?

4 A. Well, the forensic examination

5 process I learned through self-study and through the

6 forensic examiner's exam.

7 Q. Now, am I correct that you were doing

8 this for law enforcement before you were a certified

9 forensic examiner?

10 A. That's correct.

11 Q. And when did you become a certified

12 forensic examiner?

13 A. September '04.

14 Q. And why did you become a certified

15 forensic examiner?

16 A. Two reasons. One is to be able to

17 better work with the law enforcement and the other

18 is to help support our university's educational

19 mission, since we teach computer forensics.

20 Q. Wouldn't a third reason be that it

21 might give you standing to testify in a court of law

22 as to your forensic examinations of hard drives?

23 A. That I would tie in with the first

24 reason, to work better with law enforcement.

25 Q. What about your private work for the




40



1 Jacobson

2 recording industry of America?

3 A. I was a certified examiner before I

4 was engaged by the recording industry.

5 Q. Isn't it a fact that you were engaged

6 by the RIAA in 2002?

7 A. It was in September '05.

8 Q. You were not doing any work for them

9 in 2002?

10 A. No. My first work for them was in

11 the fall of 2005. I can't remember my first trip to

12 Kansas City.

13 Q. And you weren't doing any work for

14 them in 2003?

15 A. No.

16 Q. And you weren't doing any work for

17 them in 2004?

18 A. I started working with the law firm

19 in the fall of 2005.

20 MR. BECKERMAN: Off the record.

21 (Discussion off the record.)

22 Q. Has your method of determining from

23 the MediaSentry materials whether a particular

24 computer has been used for uploading or downloading

25 copyrighted works been tested by any testing body?




41



1 Jacobson

2 A. Not that I have submitted.

3 Q. Do you know anyone else that is using

4 your method, other than you?

5 A. Not that I'm aware of.

6 Q. Has your method of determining

7 through the MediaSentry materials whether a

8 particular computer has been used for uploading or

9 downloading copyrighted works been subjected to any

10 form of peer review?

11 A. Not that I'm aware of.

12 Q. Has your method of determining from

13 the MediaSentry materials whether a computer has

14 been used for uploading or downloading copyrighted

15 works been published?

16 A. No.

17 Q. Is there a known rate of error for

18 your method?

19 A. No.

20 Q. Is there a potential rate of error?

21 MR. GABRIEL: Object to the form.

22 A. I guess there is always a potential

23 of an error.

24 Q. Do you know of a rate of error?

25 A. To my process, no.




42



1 Jacobson

2 Q. Are there any standards and controls

3 over what you have done?

4 A. No.

5 Q. Have your methods been generally

6 accepted in the scientific community?

7 A. The process has not been vetted

8 through the scientific community.

9 Q. Have you had communications with

10 MediaSentry?

11 A. Not that I recall.

12 Q. Have MediaSentry's methods been

13 tested by any testing body?

14 A. I don't know.

15 Q. Have MediaSentry's methods been

16 subjected to any form of peer review?

17 A. I don't know.

18 Q. Have MediaSentry's methods been

19 published?

20 A. I don't know.

21 Q. It's a fact, is it not, that

22 MediaSentry's methods are secret?

23 MR. GABRIEL: Objection of lack of

24 foundation.

25 A. I don't know.




43



1 Jacobson

2 Q. Is there a known rate of error for

3 MediaSentry's methods?

4 A. Not that I'm aware of.

5 Q. So when you evaluate the MediaSentry

6 materials you are assuming them to be accurate?

7 A. Yes.

8 Q. Is there a potential rate of error

9 for MediaSentry's methods?

10 MR. GABRIEL: Object to the form.

11 A. There is always a potential for an

12 error.

13 Q. Are there any standards and controls

14 over MediaSentry's methods?

15 A. I don't know.

16 Q. Have MediaSentry's methods been

17 generally accepted in the scientific community?

18 MR. GABRIEL: Object to the form.

19 Lack of foundation.

20 A. Not that I know of.

21 Q. Is MediaSentry peer-regulated?

22 A. Not that I know of.

23 Q. Apart from your work on RIAA

24 litigations against owners of internet access

25 accounts, have you engaged in research on




44



1 Jacobson

2 determining whether specific individual computer

3 users engaged in copyright infringement through

4 peer-to-peer file sharing?

5 MR. GABRIEL: I'm sorry. I lost

6 the question. Could you repeat it,

7 please?

8 Q. Apart from your work on the RIAA

9 cases, have you engaged in any research on methods

10 of determining whether specific individual computer

11 users engaged in copyright infringement through the

12 use of P2P file sharing?

13 A. Yes.

14 Q. And what kind of research was that?

15 A. Obviously there was some research

16 done through Palisade as part of its product rollout

17 dealing with how to identify the individuals within

18 an organization. One of my grad students also

19 worked on the project to identify users of

20 peer-to-peer software, although that was focused

21 more on ibiblioography than it was copyright

22 material.

23 Q. I would like to leave aside research

24 that may have been done by others. I mean to ask

25 whether you personally have engaged in research.




45



1 Jacobson

2 A. Through Palisade as part of product

3 development.

4 Q. Is that something that is research

5 which is private and proprietary?

6 A. No. The piece I did is no longer

7 used as the technology, so it's not.

8 Q. Was it ever published?

9 A. No. At the time it was proprietary

10 to Palisade.

11 Q. And now it's been replaced by other

12 methods?

13 A. Yes.

14 Q. Apart from your work on the RIAA

15 cases, have you engaged in any research on methods

16 of determining whether specific computer hard drives

17 contained evidence of copyright infringement through

18 peer-to-peer file sharing?

19 A. No.

20 Q. Do any of your three reports -- by

21 "three reports" I'm referring to the April 7th

22 initial report, the December 19th declaration that

23 you signed and the October report which you did not

24 sign. Do any of those three reports discuss the

25 possibility of any alternate explanations other than




46



1 Jacobson

2 copyright infringement?

3 MR. GABRIEL: Object to form to the

4 extent that they speak for themselves.

5 You can answer the question.

6 A. Please read the question. I didn't

7 understand.

8 (Record read.)

9 A. Alternate explanations to?

10 Q. Your conclusions.

11 A. No.

12 I'm sorry. I said, "No."

13 Q. Did any of the three reports discuss

14 any alternate explanations other than KaZaA

15 appearing on a file owned by Marie Lindor?

16 MR. GABRIEL: Object to the form.

17 They speak for themselves.

18 A. What do you mean by KaZaA appearing

19 on a file?

20 Q. I'm sorry, I misspoke. Do any of

21 your three reports discuss the possibility of any

22 alternate explanations other than KaZaA appearing on

23 a computer owned by Marie Lindor?

24 A. No.

25 Q. Are you, as we sit here, capable of




47



1 Jacobson

2 thinking of some alternate explanations?

3 A. Yes.

4 Q. Can you think of any possible

5 infirmities in MediaSentry's methods as we sit here?

6 MR. GABRIEL: Object to form and

7 foundation. I'm sorry.

8 A. I don't have an inner knowledge of

9 their methods so I...

10 Q. Can you think of any possible

11 security vulnerabilities in the computer that was in

12 Marie Lindor's apartment?

13 MR. GABRIEL: Object to form and

14 foundation.

15 A. Repeat the question. Read it back.

16 (Record read.)

17 A. I didn't examine the hard drive that

18 was given to me for security vulnerabilities, so I

19 can't attest to what vulnerabilities may have been

20 present in that hard drive.

21 Q. As we sit here, can you think of any

22 possible security vulnerabilities in the computer

23 that was in Marie Lindor's apartment?

24 MR. GABRIEL: Objection to form.

25 Lack of foundation.




48



1 Jacobson

2 A. Read that back.

3 (Record read.)

4 A. Can you read it one more time.

5 (Record read.)

6 A. I'm sure the possibility exists there

7 were security vulnerabilities. Again, I don't know

8 which ones would apply to that particular computer.

9 Q. And did your report discuss any of

10 those possible security vulnerabilities?

11 A. No.

12 Q. Did you testify at an United States

13 Senate committee in September of 2003?

14 A. Yes.

15 Q. Did you make this statement?

16 "In summer of 2000 we introduced

17 PacketHound which is designed to detect, monitor and

18 block unauthorized peer-to-peer applications."

19 A. That sounds like -- that sounds like

20 a statement I made.

21 Q. Did you make this statement?

22 "There are no effective controls

23 regarding content provided on a peer-to-peer

24 network."

25 A. Again, that sounds like a statement I




49



1 Jacobson

2 made.

3 Q. And did you make this statement?

4 "Both the provider and the requester

5 of the file are not easily detected."

6 A. Again, that sounds like a statement

7 that was in that testimony. I don't have the

8 testimony in front of me, so I ...

9 Q. Did you make this statement?

10 "These technologies are not designed

11 for the home users."

12 A. Again, that sounds like a statement

13 that was in the testimony.

14 Q. Did you make this statement?

15 "This leaves individuals on their own

16 to solve the problems of peer-to-peer networking."

17 A. Again, that sounds like a statement

18 that was in the testimony.

19 Q. Did you make this statement?

20 "Which naturally leaves us to the

21 question, what is the homeowner to do?"

22 A. Again, that sounds like something

23 that was in that testimony.

24 Q. Did you make this statement?

25 "Unlike web filtering, where certain




50



1 Jacobson

2 sites can be blocked and web access can be

3 monitored, peer-to-peer traffic cannot be filtered

4 based on its content. This leaves a home user no

5 choice but to either allow peer-to-peer activity and

6 all of its associated risks or not allow any

7 peer-to-peer applications on their machines."

8 A. Again, that sounds like what was in

9 that testimony.

10 Q. Are you familiar with Steven Gottlieb

11 of the RIAA?

12 A. I've heard the name but that's it.

13 Q. Do you agree with this statement

14 which I will represent to you he made on

15 November 15, 2004 in comments he provided to the

16 Federal Trade Commission?

17 "P2P services often configure their

18 software to share content by default. What users

19 often do not know is that they may be sharing their

20 tax records, financial records, health records,

21 business records, e-mail and other personal and

22 private material."

23 Do you agree with that statement?

24 A. Oh, I'm sorry. Yes.

25 Q. Do you agree with this statement,




51



1 Jacobson

2 which I represent to you was made by Mr. Gottlieb?

3 "As an additional matter P2P software

4 may, upon installation, automatically search a

5 user's entire hard drive for content, files that

6 users have no intention of sharing may end up being

7 offered to the entire P2P network."

8 A. Yes.

9 Q. Do you agree with this statement

10 which I represent to you was made by Mr. Gottlieb?

11 "Continued sharing of personal

12 information is hard to avoid and is facilitated by

13 confusing and complicated instructions for

14 designating shared items."

15 A. Yes.

16 Q. Do you agree with this statement also

17 made by Mr. Gottlieb?

18 "A study by Nathaniel S. Good and

19 Aaron Krekelberg at HP Laboratories showed that the

20 majority of the users were unable to tell what files

21 they were sharing and sometimes incorrectly assumed

22 they were not sharing any files when in fact they

23 were sharing all files on their hard drive.

24 MR. GABRIEL: Object to the form.

25 Lack of foundation.




52



1 Jacobson

2 A. I guess I can't quantify some, most,

3 all. I'm sorry.

4 Q. Are you familiar with the report by

5 Nathaniel Good and Aaron Krekelberg at HP

6 Laboratories?

7 A. No.

8 MR. GABRIEL: When we get to a good

9 stopping point, can we take five? It's

10 been an hour and a half.

11 MR. BECKERMAN: Sure.

12 (Recess taken.)

13 Q. Your reports state your conclusions;

14 is that correct?

15 A. Yes.

16 Q. And they state that your conclusions

17 were based upon --

18 Withdrawn. I shouldn't lump the

19 three together.

20 The April report states that

21 conclusions were based upon the materials that had

22 been provided to you by MediaSentry plus a few other

23 documents; is that correct?

24 A. Yes.

25 Q. Does that report explain how you




53



1 Jacobson

2 formed your conclusions from those documents?

3 A. Not in any detail.

4 Q. How many reports have you issued for

5 the RIAA?

6 A. Maybe 200. I don't know, don't

7 recall the exact count.

8 MR. BECKERMAN: I would like to

9 leave a space in the record for that

10 number.

11 TO BE FURNISHED:____________________________________

12 ____________________________________________________

13 Q. How many of those reports concluded

14 that there was in fact downloading or uploading of

15 plaintiff's copyright files?

16 A. All of the -- yes, all of the

17 reports.

18 Q. How much time did you spend on each

19 report?

20 A. A typical report takes me about 45

21 minutes.

22 Q. And how much time did you spend on

23 the April 2006 report in this case?

24 A. Without seeing the billing records, I

25 can only guess but I think it was 45 minutes.




54



1 Jacobson

2 Q. How much time did you spend preparing

3 the unsigned October report?

4 A. That was -- not that one.

5 I'm sorry. I was pointing to

6 something on your desk. I probably shouldn't do

7 that.

8 MR. GABRIEL: After you looked at

9 the hard drive he is asking about.

10 THE WITNESS: Okay. Thank you.

11 Q. Would you like me to show you a copy?

12 A. No. I just wanted to clarify between

13 the two reports that --

14 Again, without looking at the billing

15 records, I would say probably two to four hours.

16 Q. And how much time did you spend on

17 the December 19th declaration?

18 A. Maybe 15 minutes.

19 Q. If a hard drive had been used for

20 peer-to-peer file sharing with KaZaA, would your

21 forensic inspection have allowed you to see whether

22 a file sharing program had been downloaded or

23 installed?

24 A. If the program was present on the

25 hard drive, a forensic examination would have shown




55



1 Jacobson

2 that.

3 Q. Similarly, if the hard drive had been

4 used for peer-to-peer file sharing with KaZaA, would

5 your forensic inspection have allowed you to see

6 whether there was a shared files folder on the

7 computer?

8 A. Yes.

9 Q. And, again, if the hard drive had

10 been used for peer-to-peer file sharing with KaZaA,

11 would your forensic inspection have shown you

12 whether there were audio files or remnants, or

13 evidence thereof, of the files that MediaSentry had

14 observed?

15 A. Yes.

16 Q. Under those same circumstances, would

17 your forensic inspection have allowed you to see

18 whether a party had attempted to delete file sharing

19 programs or other files?

20 A. Yes.

21 Q. Now, a dynamic IP address is

22 allocated very often for a short period of time; is

23 that not correct?

24 A. It depends how you define "short."

25 Q. Well, you yourself used that




56



1 Jacobson

2 technology, did you not?

3 A. Yes.

4 Q. So what is the shortest it could be?

5 There is no shortest, is there? It could be for a

6 split second?

7 A. A computer can request and release.

8 Q. It could be for hours or it could be

9 for seconds or --

10 A. It could be for days, yes.

11 Q. Would it be possible to have the same

12 dynamic IP address assigned to three people during

13 one minutes?

14 MR. GABRIEL: Object to the form.

15 A. It's possible.

16 Q. Now, the users of a peer-to-peer

17 network often think they are anonymous when they

18 distribute files. Isn't that true?

19 A. In my opinion, a lot of users feel

20 that they are anonymous.

21 Q. In your April 7th report you say that

22 in reality they can be identified using the IP

23 address. Is that not what you said in your report?

24 A. Yes, sir.

25 Q. That's not exactly true, is it?




57



1 Jacobson

2 A. I guess I'm not clear what you mean

3 by that.

4 Q. Well, it's true, is it not, that

5 there can be more than one computer operating under

6 a single IP address?

7 MR. GABRIEL: Object to the form.

8 A. As I talked about it in the report

9 with public IP addresses, in order for the internet

10 to function there can only be -- every public IP

11 address has to be globally unique within that window

12 of time.

13 Q. But there can be more than one

14 computer operating behind that IP address?

15 MR. GABRIEL: Same objection.

16 A. Every -- I don't understand what you

17 are asking. Every device connecting to the public

18 internet has to have a global unique address.

19 Q. And a device doesn't have to be a

20 computer, does it?

21 A. That's correct.

22 Q. It could be a router, correct?

23 A. Yes.

24 Q. It could be a wired router?

25 A. Yes.




58



1 Jacobson

2 Q. It could be a wireless router?

3 A. Yes.

4 Q. And if there is a firewall, under

5 most circumstances no one would know the various

6 computers or devices behind the router, would they?

7 MR. GABRIEL: Object to form.

8 A. It depends on the type of router.

9 Q. Is it possible for more than one

10 device to be operating behind a single IP address?

11 A. Yes.

12 Q. Now, when we get to the devices, some

13 of the devices are computers. Is that not correct?

14 A. Yes.

15 Q. And is it possible for a computer to

16 have more than one user?

17 A. Yes.

18 Q. So, in other words, when a person is

19 engaged in peer-to-peer file sharing, it's not the

20 person that could be identified by an IP address, is

21 it?

22 MR. GABRIEL: Object to the form.

23 Lack of foundation.

24 Q. Isn't it the MAC address that is

25 identified?




59



1 Jacobson

2 MR. GABRIEL: Object to form.

3 A. I don't understand the follow-on

4 statement.

5 Q. Do you know what a MAC address is?

6 A. Yes.

7 Q. Can a router have a MAC address?

8 A. Yes.

9 Q. If I had ten different companies

10 operating behind a router and I had a properly

11 functioning firewall or firewalls, would anybody in

12 the wide network actually know what was behind the

13 router with the properly functioning firewall?

14 MR. GABRIEL: Object to the form.

15 Lack of foundation.

16 A. It's possible to determine who is

17 behind that, so to say that there is no way to know

18 is not true.

19 Q. How could you find out?

20 A. Potentially based on the activity

21 coming out. There is lots of ways that attackers

22 could use to determine what is behind a firewall.

23 Q. But one method to identify that

24 person would not be the IP address. The IP address

25 alone would not tell you that, would it?




60



1 Jacobson

2 A. Would not tell you what?

3 Q. What individual was sharing files.

4 A. By "individual" do you mean

5 flesh-and-blood person?

6 Q. Yes.

7 A. The IP address tells you the identity

8 of the computer.

9 Q. It actually doesn't tell you the

10 identity of the computer. It tells you the identity

11 of the device.

12 A. That's correct.

13 Q. And it doesn't actually tell you the

14 identity of the device. It tells you a MAC address?

15 MR. GABRIEL: Objection to form.

16 A. IP address does not tell you a MAC

17 address.

18 Q. How could it tell you the identity of

19 the device? How would you identify a device other

20 than by a MAC address?

21 A. Every device in the public internet

22 is configured with an IP address.

23 Q. Which would link to what?

24 A. Which links to the device.

25 Q. And how do you identify the device on




61



1 Jacobson

2 the internet?

3 A. Again, every device is identified

4 through its IP address. The MAC address is only

5 valid from one local connection to another.

6 Q. What is the one thing unique about

7 each device?

8 MR. GABRIEL: Object to the form.

9 A. Unique to it or that uniquely tells

10 them apart?

11 Q. That tells them apart.

12 A. On the internet the only requirement

13 for uniqueness is the IP address.

14 Q. So when you say that in reality they

15 can be identified using the IP address, your

16 testimony is that it's not the user that can be

17 identified, it's a computer that can be identified?

18 Is that your testimony?

19 Or is your testimony that it is the

20 computer on the network device that is interfacing

21 with the wide network?

22 A. The IP address identifies the

23 computer or device that is connected to the wide --

24 to the internet.

25 Q. And the device might be a network




62



1 Jacobson

2 card?

3 A. Generally network card doesn't have

4 an IP address. The computer is what has the IP

5 address.

6 Q. The device might be a router?

7 A. That's correct.

8 Q. In that report you said that the IP

9 address of the computer can be captured by a user

10 during a search or file transfer. Now, you don't

11 exactly mean of the computer; you mean of the

12 computer or network device, right?

13 A. In the peer-to-peer file transfer the

14 device running -- the computer running the

15 peer-to-peer software reports its IP address

16 along with -- in addition to that, the IP address of

17 the -- if it is behind a router that separates

18 public and private addresses, then the IP address of

19 the public internet will also be shown.

20 Q. But when you said that the IP address

21 of the computer offering the files for distribution

22 can be captured by a user during a search or file

23 transfer, you didn't really mean the computer. You

24 meant the computer or network device?

25 A. In order for the peer-to-peer




63



1 Jacobson

2 software to work, you have to have the identity of

3 the machine holding the music or holding the data.

4 Q. Even if it's going through a router?

5 You're saying there is more than one IP address

6 going through a router?

7 A. The peer-to-peer software will

8 present an IP address within the data payload of the

9 IP packet.

10 Q. Well, what I'm trying to understand

11 is why in your report, referring to your April

12 report, it seems to me that when you were making

13 general descriptions of the technology involved, you

14 kept saying computer or network device but then when

15 you were coming to your conclusions about the

16 defendant, then you all of a sudden started talking

17 about computers and you left out network devices. I

18 was wondering why.

19 Do you agree with that, what I am

20 saying?

21 A. Yes.

22 Q. Why did you do that? Why did you

23 stop mentioning network devices?

24 A. Because in an examination of

25 MediaSentry data, I concluded that it was a computer




64



1 Jacobson

2 at that IP address.

3 Q. And how did you come to that

4 conclusion?

5 A. Through the MediaSentry traffic

6 captures which shows the IP address of the actual

7 computer and the IP address of the packet in transit

8 across the internet, and those two IP addresses were

9 both public and both matched.

10 Q. What is the document you are

11 referring to for MediaSentry?

12 A. I think it was the download.text file

13 or download log maybe they call it.

14 Q. The log for the user?

15 A. No.

16 MR. GABRIEL: Do you want to go off

17 the record for a minute and find it?

18 MR. BECKERMAN: No. We are on the

19 record.

20 Q. The Marie system log? Lindor, Marie

21 system log?

22 A. No. That's not the system log. It

23 could be the download record.

24 Q. This one (indicating)?

25 A. Yes.




65



1 Jacobson

2 MR. BECKERMAN: I would like to

3 mark as Exhibit 6 a printout of numbered

4 pages 36 to 45.

5 (Defendant's Exhibit 6, printout of

6 numbered pages 36 to 45, marked for

7 identification, as of this date.)

8 Q. So this tells you that there was no

9 router?

10 A. This tells me that there was -- yes.

11 There was no router.

12 Q. How does it tell you that there was

13 no router?

14 A. Through the two --

15 If you look at the second chunk down,

16 you will see the source address at the top and you

17 will see the KaZaA IP address midway through that,

18 and they match and they are both public IP

19 addresses.

20 Q. You said they match?

21 A. Uh-huh. The 141.155.57.198.

22 Q. That's the source?

23 A. And then down below you see the KaZaA

24 IP?

25 Q. Yes.




66



1 Jacobson

2 A. It's those two IP addresses.

3 Q. What does the first number indicate?

4 A. The first number of the IP address?

5 Q. Yes.

6 No. The second line of that chunk

7 that says "source." What does that indicate?

8 A. That is the source address. That is

9 where the packet came from.

10 Q. Now we go down to the next line you

11 referred to, it says "KaZaA IP." What does that

12 refer to?

13 A. That is the IP address that the KaZaA

14 software is running on, the IP address of the

15 computer that the KaZaA software is running on.

16 Q. What is the next line?

17 A. A supernode. That's the supernode

18 that KaZaA is connected to.

19 Q. So, in other words, this went in

20 directly through the supernode? So you are saying

21 this transmission went through the supernode?

22 MR. GABRIEL: Objection to form.

23 A. No. This packet just indicates

24 that -- where the supernode is that KaZaA is talking

25 to. The packet as shown by the second line is the




67



1 Jacobson

2 actual source address of the internet packet.

3 Q. What is the next line, the KaZaA IP?

4 A. Oh.

5 Q. The line down below where you say the

6 two numbers match, what is the meaning of that

7 number?

8 A. Which one? The KaZaA IP?

9 Q. You said it is the same number.

10 A. Right.

11 Q. Where it says "KaZaA IP" and there is

12 the same number.

13 A. As line 2, yes. That is the -- that

14 is the --

15 Q. What is the significance of that

16 line?

17 MR. GABRIEL: Let him ask the

18 question and then you answer. He asked

19 what is the significance of that line.

20 A. Of the line "KaZaA IP"?

21 Q. Yes.

22 A. That is the IP address that the KaZaA

23 software is using.

24 Q. And how is that determined?

25 A. It's determined by the KaZaA software




68



1 Jacobson

2 itself.

3 Q. Why wouldn't those two numbers always

4 be the same?

5 A. In the case of a router as you

6 described earlier that has private addresses on the

7 inside, you will see those numbers be different.

8 Q. So you are saying there can be

9 different IP addresses for different devices behind

10 the router?

11 A. Yes.

12 Q. What does the presence of the

13 supernode line indicate?

14 A. It indicates the supernode, that the

15 KaZaA software is used to perform the searches.

16 Q. So does this indicate that the

17 computer that's referred to on -- whose IP address

18 is referred to on the source line and the KaZaA IP

19 line is not a supernode?

20 A. It indicates that that computer is

21 communicating with that supernode in order to do the

22 searches.

23 Q. And how did MediaSentry determine

24 these numbers?

25 A. Line 2 of that section is the address




69



1 Jacobson

2 that is carried within the data packet as it

3 traverses across the internet. The line that starts

4 "X-KaZaA-IP" is part of the data payload within that

5 packet.

6 Q. And how do you know that? Didn't you

7 say you have never communicated with MediaSentry?

8 A. That's correct.

9 Q. So how do you know that?

10 A. Because I understand how KaZaA

11 operates.

12 Q. And how did you come to understand

13 how KaZaA operates?

14 A. Through researching protocol.

15 Q. Starting when?

16 A. I can't remember the exact date I

17 started researching KaZaA. It was all part of the

18 work Palisade did in the production of PacketHound.

19 Q. Are you familiar with the Ross

20 studies of KaZaA?

21 A. Not offhand.

22 Q. You never read them?

23 A. I don't recall without seeing one.

24 MR. BECKERMAN: I would like to

25 mark as Exhibit 7 a study entitled "The




70



1 Jacobson

2 KaZaA Overlay: A Measurement Study."

3 (Defendant's Exhibit 7, study

4 entitled "The KaZaA Overlay: A Measurement

5 Study," marked for identification, as of

6 this date.)

7 Q. So have you reviewed this report at

8 any time?

9 A. Yes, I have.

10 Q. I direct your attention to Page 17

11 and I call your attention to in the middle of the

12 page a sentence that starts with the words "later

13 versions." The statement says, "Later versions

14 (KMDV 2.0+ and KaZaA-Lite) employ dynamic port

15 numbers to evade firewalls."

16 Do you agree with that statement?

17 MR. GABRIEL: Objection. Lack of

18 foundation.

19 A. Yes.

20 Q. Going down to the end of that

21 paragraph, I will read you the last sentence and ask

22 if you agree with that sentence.

23 "Since the KaZaA port numbers are

24 dynamic, it is very difficult to block KaZaA

25 connections unless a very rigid filtering policy is




71



1 Jacobson

2 employed at the firewall." Do you agree with that

3 statement?

4 MR. GABRIEL: Object to form. Lack

5 of foundation.

6 A. Yes.

7 Q. Now I refer you to the first sentence

8 of the next paragraph.

9 "The reality of today's internet is

10 that a large fraction of peers reside behind NATs."

11 Do you agree with that statement?

12 MR. GABRIEL: Object to form. Lack

13 of foundation.

14 A. I don't have any way to know what

15 fraction.

16 Q. Do you agree that NATs exist?

17 A. Yes.

18 Q. What is a NAT?

19 A. The term stands for network address

20 translator. It is a router that on one side has a

21 public IP address and on the other side maintains or

22 has a set of what I want to refer to as private or

23 sometimes inside IP addresses, which are addresses

24 that are not allowed on the public internet.

25 Q. And do you agree that the existence




72



1 Jacobson

2 of a network address translator makes it difficult

3 to detect the IP address of specific computers

4 behind the router?

5 MR. GABRIEL: Objection to form.

6 Lack of foundation.

7 A. By router do you mean network address

8 translator?

9 Q. Yes.

10 A. Yes.

11 Q. And do you agree that KaZaA has used

12 a connection reversal in order to try to overcome

13 that?

14 MR. GABRIEL: Objection to form.

15 Lack of foundation.

16 A. I agree with the definition that they

17 specify in the article. I've never heard that

18 specific term.

19 MR. BECKERMAN: I would like to

20 mark as Exhibit 8 a one-page chart.

21 (Defendant's Exhibit 8, one-page

22 chart, marked for identification, as of this

23 date.)

24 Q. Can you identify what that displays?

25 MR. GABRIEL: Object to foundation.




73



1 Jacobson

2 He didn't draft it.

3 You can answer the question.

4 A. I don't know the intent of it but it

5 shows, as it's labeled, a cable modem connected to

6 the internet. And it shows a set of IP addresses,

7 all of which are the private -- designated as parts

8 of the private IP address range.

9 Q. Going back to the study, Exhibit 7, I

10 call your attention to Page 21, a paragraph bearing

11 number 7, and I'm going to the last two sentences

12 and I am going to ask if you agree with this

13 statement. "KaZaA uses dynamic port numbers along

14 with" --

15 A. I'm sorry. I am not finding it.

16 Q. Page 21, there is a paragraph number

17 7.

18 A. Okay. I'm sorry.

19 Q. I am asking if you agree with this

20 statement. "KaZaA uses dynamic port numbers along

21 with its hierarchical design to avoid firewall

22 blocking."

23 Do you agree with that?

24 MR. GABRIEL: Objection to form.

25 Lack of foundation.




74



1 Jacobson

2 A. I know KaZaA uses dynamic port

3 numbers. Whether that was the original design

4 intent to avoid firewalls would be a fair

5 assumption.

6 Q. The next sentence, do you agree with

7 that statement ?

8 "Furthermore, it uses connection

9 reversal to allow NATed peers to share files."

10 MR. GABRIEL: Objection to form.

11 Lack of foundation.

12 A. Yes.

13 Q. When you studied KaZaA, did you

14 familiarize yourself with the concept of pollution

15 on KaZaA?

16 A. No.

17 Q. Do you know what pollution is on

18 KaZaA?

19 A. My understanding is it is putting

20 things out into the network KaZaA that either

21 misrepresents the content or for some reason is not

22 what it says to be.

23 MR. BECKERMAN: I will mark this as

24 Exhibit 9. It is a paper entitled

25 "Pollution in P2P File Sharing Systems."




75



1 Jacobson

2 (Defendant's Exhibit 9, paper

3 entitled "Pollution in P2P File Sharing

4 Systems," marked for identification, as of

5 this date.)

6 Q. Going to the first page, the

7 right-hand column, the first full paragraph, the

8 first sentence starts with "One sabotage technique."

9 I will ask if you agree with this statement.

10 MR. GABRIEL: I'm sorry. Where are

11 you?

12 I got it.

13 Q. "One sabotage technique that is

14 particularly prevalent today is that of pollution."

15 Do you agree with that statement?

16 MR. GABRIEL: Objection to form.

17 Lack of foundation.

18 A. I don't have any knowledge that as

19 they define pollution it is prevalent on the

20 peer-to-peer systems.

21 Q. Are you aware that one of

22 MediaSentry's areas of business is pollution?

23 A. No.

24 Q. Are you aware that MediaSentry is in

25 the business of sending out decoy files?




76



1 Jacobson

2 MR. GABRIEL: Objection to form.

3 A. No.

4 MR. GABRIEL: Sorry. Belated

5 objection to the form.

6 Q. Excuse me?

7 A. No.

8 Q. I turn you to the second page, the

9 first full paragraph. About two-thirds of the way

10 down in the paragraph there is a sentence that

11 starts "We will see that." I call your attention to

12 that sentence and ask if you agree with this

13 statement.

14 "We will see that pollution is indeed

15 pervasive with more than 50 percent of the copies of

16 many popular recent songs being polluted in KaZaA

17 today." Do you agree with that?

18 MR. GABRIEL: Objection to form.

19 Lack of foundation.

20 A. I have no way of knowing if that's

21 true or false.

22 Q. So is it your testimony that you are

23 not knowledgeable about pollution?

24 MR. GABRIEL: Objection to form.

25 Q. Are you knowledgeable about




77



1 Jacobson

2 pollution?

3 A. Only to the extent that I know what

4 it is.

5 Q. And that's the sole extent of your

6 knowledge?

7 A. Yes.

8 Q. And are you familiar with the

9 distinction between content pollution and metadata

10 pollution?

11 A. I just now read their classification.

12 Q. Is it the first time you ever learned

13 of the distinction between those two terms?

14 A. Yes.

15 Q. So it would be fair to say that your

16 expertise does not extend to the nature and extent

17 and methods of pollution on KaZaA?

18 A. Yes.

19 Q. When you in your report refer to

20 analogizing an IP address to a return address and a

21 send address on a letter, would you say that analogy

22 is somewhat incorrect?

23 A. There is probably no perfect analogy

24 but it's a reasonable analogy to use for a lay

25 explanation.




78



1 Jacobson

2 Q. Is it fair to say that your postal

3 address is to your home whereas an IP address would

4 be more like an address to a timeshare that you

5 might occupy for a split second or for a minute?

6 MR. GABRIEL: Objection to form.

7 A. The IP address delivers to a device

8 or location.

9 Q. But not a person?

10 A. That's correct.

11 Q. And not for any given amount of time,

12 just as long as the internet connection stays on

13 line?

14 MR. GABRIEL: Objection to form.

15 A. Define what you mean by internet

16 connection.

17 Q. You don't know what I mean by an

18 internet connection?

19 A. There are multiple definitions.

20 Q. Why don't you give me the most common

21 meaning.

22 A. There is an application layer

23 connection which is used by individual applications

24 to communicate.

25 Q. With a dynamic IP address is the




79



1 Jacobson

2 person using it still using it after he's

3 disconnected from the internet?

4 MR. GABRIEL: Objection to form.

5 A. Depending on how they are connected,

6 the dynamic address may be dropped.

7 Q. You're saying they could end their

8 connection to the internet and still -- and the

9 dynamic IP address stays in effect and then if they

10 turn it back on, they could pick up the same exact

11 dynamic IP address? Is that your testimony?

12 MR. GABRIEL: Objection to form.

13 Lack of foundation.

14 A. If the device that issues the dynamic

15 address can detect the other device being turned

16 off, then the dynamic IP address can be released.

17 Otherwise, the dynamic address could still be

18 assigned to that device.

19 Q. Now, with a decentralized

20 peer-to-peer network, it's your statement in your

21 report that a request is sent to each neighbor and

22 each neighbor sends the request to the next neighbor

23 and so on. Did you mean that literally?

24 A. You said decentralized?

25 Q. Yes.




80



1 Jacobson

2 A. Yes.

3 Q. To neighbors? What do you mean by

4 neighbors?

5 A. The decentralized peer-to-peer

6 software referred to the peer-to-peer entities that

7 they talked directly to as neighbors.

8 Q. So you are using it figuratively to

9 describe other computers?

10 A. Yes.

11 Q. You say the semi-decentralized

12 peer-to-peer network uses a central index server.

13 Is that correct?

14 A. Yes.

15 Q. And that if one server node quits,

16 the other nodes can still function?

17 A. Yes.

18 Q. Now, when you access a screen shot,

19 are you accessing a file or are you accessing an

20 index of files?

21 A. When you query the server, what you

22 get is an index of the files.

23 Q. Now, is it your testimony that every

24 time you see a screen shot in KaZaA, you're seeing

25 files that are on a single ordinary node?




81



1 Jacobson

2 MR. GABRIEL: Objection to form.

3 A. There are many ways you can query

4 KaZaA, one of which is to ask all the files that are

5 contained on a particular machine.

6 Q. How would you frame such a query?

7 A. You frame the query with the address

8 of the machine that contains the information.

9 Q. And do you know how MediaSentry

10 queried?

11 A. I don't know the exact techniques

12 that they used.

13 Q. Now you said in your report that you

14 will demonstrate how defendant's internet account

15 and computer were used. Would you now demonstrate

16 for me how you can -- show me how you can

17 demonstrate that the defendant's computer was used?

18 A. Which line of the report are you?

19 Q. What?

20 A. Which line of the report are you

21 referring to?

22 Q. Paragraph 15.

23 A. Would you restate the question.

24 (Record read.)

25 A. Identifications through the IP




82



1 Jacobson

2 address to demonstrate which computer it is.

3 Q. No, I'm asking you to demonstrate it

4 now for me. You said, "I will testify to the

5 procedures and results obtained by MediaSentry

6 coupled with the information complied by defendant's

7 ISP to demonstrate the defendant's internet account

8 and computer were used to download and upload

9 copyrighted music from the internet using the KaZaA

10 peer-to-peer network."

11 Please demonstrate for me that

12 defendant's computer was used to download and upload

13 copyrighted music.

14 A. I can demonstrate through the

15 MediaSentry material.

16 Q. Okay.

17 A. I don't have the MediaSentry

18 material.

19 MR. BECKERMAN: We will mark as

20 Exhibit 10 a two-page printout, page

21 numbers 46 to 47.

22 (Defendant's Exhibit 10, two-page

23 printout of page numbers 46 to 47, marked

24 for identification, as of this date.)

25 MR. BECKERMAN: We will mark as




83



1 Jacobson

2 Exhibit 11 a printout, page numbers 49 to

3 187.

4 (Defendant's Exhibit 11, printout of

5 page numbers 49 to 187, marked for

6 identification, as of this date.)

7 MR. BECKERMAN: And you already

8 have Exhibit 6 and we have Exhibit 12,

9 which is a screen shot, pages 199 to 224.

10 (Defendant's Exhibit 12, printout of

11 pages 199 to 224, marked for identification,

12 as of this date.)

13 MR. BECKERMAN: And we will mark as

14 Exhibit 13 a one-page printout marked as

15 page number 48.

16 (Defendant's Exhibit 13, one-page

17 printout of page numbered 48, marked for

18 identification, as of this date.)

19 MR. BECKERMAN: And we will mark as

20 Exhibit 14 a printout of pages numbers 188

21 through 198.

22 (Defendant's Exhibit 14, printout of

23 pages numbers 188 through 198, marked for

24 identification, as of this date.)

25 Q. Now would you please demonstrate how




84



1 Jacobson

2 you can show that it's the defendant's computer that

3 was used.

4 MR. BECKERMAN: Off the record.

5 (Recess taken.)

6 Q. Please demonstrate that the

7 defendant's computer was used.

8 MR. GABRIEL: If I can ask you, if

9 you refer to an exhibit, please say what

10 the exhibit is.

11 THE WITNESS: Yes.

12 Q. Before we go into that, let me just

13 ask you something.

14 When you say "defendant's computer"

15 in your report, you're referring to the computer

16 that was accessed by MediaSentry; is that correct?

17 A. I'm referring to the -- yeah, the

18 computer with the IP address shown in Exhibit 6 that

19 we discussed earlier.

20 Q. And it's your contention that the

21 computer as to which you examined the hard drive is

22 a different computer than the one that was accessed

23 by MediaSentry; is that correct?

24 A. Yes.

25 Q. Now, going to the first computer, how




85



1 Jacobson

2 do you know that it was defendant's computer?

3 A. We don't have the Verizon information

4 in front of me. By using the subpoenaed records

5 from Verizon they show --

6 Q. They were asked --

7 I'm sorry. I cut you off.

8 They were asked to identify the owner

9 of an account that had used an IP address; is that

10 correct?

11 A. Yes.

12 Q. How would that tell you who owned the

13 computer?

14 A. It tells me the individual who has

15 the account that was associated with that IP

16 address; therefore, that computer at the time.

17 Q. Let's say -- not me, that would be

18 too improbable. Let's say you had a visitor at your

19 home and that visitor plugged into your internet

20 connection with his laptop. Would that make his

21 computer your computer?

22 A. Without knowing the configuration of

23 your home network, I couldn't.

24 Q. Let's say you had a wired internet

25 connection at your home, you had a cable modem and




86



1 Jacobson

2 someone was visiting who had a laptop, a friend of

3 yours or relative, and that person asked if they

4 could plug in their laptop and check their e-mail.

5 Okay?

6 Now, the IP address would show up as

7 your address, would it not? The dynamic IP address?

8 A. It depends.

9 Q. If I sent a query like the record

10 industry sent to Verizon, I would get you, right?

11 If you are the person who pays for the internet

12 access at your home.

13 A. If the ISP allows multiple devices

14 directly connected to their internet service.

15 Q. And it wouldn't have been your

16 computer, it would have been your friend's or

17 relative's computer. Correct?

18 MR. GABRIEL: Object to the form.

19 Lack of foundation.

20 A. The scenario you laid out. If the

21 ISP allowed multiple IP addresses, then it would

22 have associated an IP address with that particular

23 device.

24 Q. So when you say it was defendant's

25 computer, you don't actually have any knowledge as




87



1 Jacobson

2 to whether it was defendant's computer. All you

3 know is that the defendant's name is associated with

4 the internet access account; is that correct?

5 MR. GABRIEL: Objection to form.

6 A. I know that the -- yeah, the computer

7 associated with that user account, an IP address was

8 used.

9 Q. But you don't know whose computer it

10 actually was, do you?

11 A. No.

12 Q. But your report said it was

13 defendant's computer, so I think you will agree that

14 that's an imprecision in your report.

15 MR. GABRIEL: Objection to form.

16 Lack of foundation. Misstates the report.

17 A. The report states that I have

18 identified through the internet service provider the

19 account holder of the IP address.

20 Q. The report says that you will

21 demonstrate that it was defendant's computer that

22 was used. How can you demonstrate that the computer

23 belonged to the defendant? You don't know who it

24 belonged to.

25 MR. GABRIEL: Objection to form.




88



1 Jacobson

2 Lack of foundation.

3 Q. You are under oath.

4 A. It's my opinion that given the

5 information from MediaSentry and from Verizon, that

6 that IP address was associated with the defendant

7 and computers or at least in presence of the

8 defendant.

9 Q. There are two parts to your

10 statement. You say the defendant's internet account

11 and computer. Right now I'm not asking you about

12 the internet account. I'm asking about the

13 computer. You will agree, then, will you not, that

14 when you said computer that you don't actually know

15 if it was defendant's computer or not?

16 A. It is the computer associated with

17 the account of the defendant.

18 Q. But you don't know if it was

19 defendant's computer?

20 A. I know that the computer was

21 associated with the defendant's internet account.

22 Q. But you don't know if the defendant

23 owned it?

24 A. Nowhere is purchase information.

25 Q. And you do not know if the defendant




89



1 Jacobson

2 ever used it?

3 A. I know that the computer associated

4 with that address was used.

5 Q. Now, demonstrate how you know that

6 that computer was used to upload and download

7 copyrighted music from the internet.

8 A. Well, I know which computer through

9 Exhibit 6. That is the primary piece of evidence.

10 I know that material was downloaded

11 through Exhibit 10. I know music was made available

12 through Exhibits 10, 11, 12 and 14, and I know that

13 the music was downloaded through Exhibit 11.

14 MR. BECKERMAN: I would like to

15 mark as Exhibit 15 the undated October

16 report.

17 (Defendant's Exhibit 15, undated

18 October report, marked for identification,

19 as of this date.)

20 Q. When did you provide this report to

21 Mr. Gabriel?

22 A. October 25th.

23 Q. Why did you not sign it?

24 A. It's a draft.

25 Q. Why is it not dated?




90



1 Jacobson

2 A. It was a draft report.

3 Q. Have you ever submitted an unsigned

4 or undated draft to Mr. Gabriel before?

5 A. I could have. I don't recall.

6 Q. Have you ever submitted unsigned

7 drafts or undated drafts to anyone in Mr. Gabriel's

8 firm before?

9 A. Again, I could have. I don't recall.

10 Q. Is it your practice to submit

11 unsigned, undated drafts before submitting your

12 final reports to them?

13 A. The standard report goes in without

14 their review.

15 MR. GABRIEL: I would like the

16 record to reflect that there is a copying

17 issue in Exhibit 15. Page DJ0069 was

18 stamped "Draft." I note in the copying

19 the draft was too light to copy

20 apparently.

21 Q. Did Mr. Gabriel tell you not to issue

22 a final report, but to issue a draft instead?

23 A. Yes.

24 Q. Now, turning to Page DJ0071,

25 Paragraph 17, the second sentence, which says, "I




91



1 Jacobson

2 will testify based on the forensic examination of

3 the hard drive that was copied from the computer

4 owned by the defendant."

5 Now, are you saying there that the

6 second computer which you claim is different than

7 the first one was owned by the defendant also?

8 A. I'm lost in the second, first and --

9 Q. It's your words. It's your

10 testimony. It's your declaration, your unsigned

11 draft which Mr. Gabriel asked you to submit to him

12 so he could have input into the final. But this was

13 your wording I assume. Right?

14 A. Yes.

15 Q. This was wording that was not fed to

16 you by Mr. Gabriel?

17 A. Correct.

18 Q. So you say the computer owned by the

19 defendant. Now you are saying that the second

20 computer was owned by the defendant.

21 A. I'm saying the hard drive that I was

22 given to examine was reported to have been owned by

23 the defendant and I examined that hard drive and

24 came up with that conclusion.

25 Q. So is it your testimony that she




92



1 Jacobson

2 owned both computers?

3 MR. GABRIEL: Objection to form.

4 A. It's my testimony that the hard drive

5 contained no evidence of KaZaA and that hard drive

6 was reported to have belonged to the computer owned

7 by the defendant.

8 Q. What basis do you have for saying

9 that the computer was owned by the defendant?

10 A. Based on the chain of evidence

11 that -- the chain of custody that followed the

12 forensic disk.

13 Q. So it is your testimony that Marie

14 Lindor, who is a home health aide who has never even

15 used a computer, it is your testimony that she owns

16 two computers?

17 MR. GABRIEL: Objection to form.

18 Lack of foundation. Misstates testimony.

19 Q. Is that your testimony? She has

20 never even used a computer in her life, that she

21 owns not one, but two computers?

22 MR. GABRIEL: Same objection.

23 A. What I am stating is that the hard

24 drive I examined, which was reported to have come --

25 been owned by the defendant did not contain KaZaA or




93



1 Jacobson

2 any of the copyrighted or any music files.

3 MR. BECKERMAN: Let's mark as

4 Exhibit 16 your April report.

5 (Defendant's Exhibit 16, Dr. Douglas

6 W. Jacobson's April report, marked for

7 identification, as of this date.)

8 Q. Now, on Page DJ0006, Paragraph 19, in

9 the last line you use the words "being distributed."

10 A. Yes.

11 Q. Were you using "distributed" in the

12 legal sense of the word or in the generic sense of

13 the word?

14 MR. GABRIEL: Objection to form.

15 A. I'm not a lawyer so I don't know the

16 legal -- I guess I am not clear as to what

17 difference you are trying to make between the two

18 words.

19 Q. Where did you get the word

20 "distributed"?

21 A. In that paragraph I'm referring to

22 the fact that the files were on the peer-to-peer

23 network and by the nature of the peer-to-peer

24 network they are being distributed.

25 Q. Do you know of any instances in which




94



1 Jacobson

2 they were distributed to anyone other than

3 MediaSentry?

4 A. Given the nature of the peer-to-peer

5 system, there is a high probability that they

6 were -- well, strike that.

7 Distributed, they are being offered

8 for distribution by the fact that they were on the

9 peer-to-peer network.

10 Q. The question was whether they had

11 actually been distributed, not whether they had been

12 offered for distribution.

13 MR. GABRIEL: Objection to form.

14 A. The KaZaA program made those files

15 available through the supernode. Anybody --

16 Let me strike that and start over.

17 The KaZaA program made the files

18 available on her computer for distribution and given

19 the nature of the peer-to-peer network and the

20 number of users, there is a high probability that

21 songs were actually uploaded from that computer.

22 Q. Do you have any knowledge of any

23 specific instances of any uploads other than to

24 MediaSentry?

25 A. No.




95



1 Jacobson

2 Q. In Paragraph 21 you use the words

3 that the computer was registered to the defendant.

4 How does a computer get registered to a person?

5 A. Through the IP address it is

6 registered. Verizon indicated the subscriber.

7 Q. So you don't mean that the computer

8 was registered to the defendant. You mean the IP

9 address was identified by Verizon as having been on

10 the internet access account that was in the name of

11 the defendant. Is that correct?

12 A. The IP address of, was registered to

13 the defendant on said computer. So it says that the

14 IP address.

15 Q. Not the computer. The IP address was

16 registered?

17 A. That's what 21 states.

18 Q. 21 states that the computer that had

19 the IP address was registered to the defendant.

20 "I will testify based on all of the

21 information" --

22 A. Right, right.

23 Q. So you don't mean the computer was

24 registered, you mean the IP address was registered?

25 A. Yes.




96



1 Jacobson

2 Q. Now, in Paragraph 22 you state that

3 you could prove from the MediaSentry user log that

4 the music found on the defendant's computer was

5 downloaded from other users on the internet. How

6 would you have done that?

7 A. By using the metadata tags, in

8 particular the description tag. For example,

9 Page 0106.

10 MR. GABRIEL: What exhibit?

11 THE WITNESS: I'm sorry.

12 Exhibit 11.

13 A. Page 10106 indicates in the

14 description "ripped by" and had several -- several

15 cases "ripped by X7" and so on, and that's

16 throughout the document.

17 Q. A metadata is text, is it not?

18 A. Yes.

19 Q. Metadata can be changed, can it not?

20 A. Metadata can be changed and is not

21 present on original CD recordings.

22 Q. And it can be changed easily through

23 commonly available software, can it not?

24 A. Yes.

25 Q. And could it be changed through KaZaA




97



1 Jacobson

2 software?

3 A. Yeah. I believe KaZaA lets you edit

4 the metadata.

5 MR. BECKERMAN: I would like to

6 mark as Exhibit 17 a page of handwritten

7 notes.

8 (Defendant's Exhibit 17, page of

9 handwritten notes, marked for

10 identification, as of this date.)

11 Q. When were these notes prepared?

12 A. These notes were prepared prior to

13 the submission of the October -- let's see which

14 exhibit. Exhibit 15.

15 Q. Are there any other notes which you

16 jotted down which you did not preserve from the date

17 the hard drive was furnished to you?

18 A. No.

19 Q. What are the letters at the top

20 right?

21 A. DHCP name server.

22 Q. What are the three IP addresses below

23 that?

24 MR. GABRIEL: Objection to form.

25 A. Those are the IP addresses of the




98



1 Jacobson

2 name server that were on her computer.

3 Q. What does that mean?

4 A. The name server, my best analogy is a

5 giant phone book that converts names and IP

6 addresses. So when you type in www.google.com, you

7 get the IP address of Google.

8 Q. What is the entry at the bottom,

9 "7704 repaired"? What is that a reference to?

10 A. In examining the hard drive, it

11 appeared that there was some type of repair of the

12 Windows operating system on that date.

13 MR. BECKERMAN: I would like to

14 mark as Exhibit 18 a single-page document

15 which says "wireless router" at the top.

16 (Defendant's Exhibit 18, single-page

17 document bearing "wireless router" at the

18 top, marked for identification, as of this

19 date.)

20 Q. When was this prepared?

21 A. 3/14.

22 Q. Now, You say "wireless router?" and

23 then say, "No." How did you know there was no

24 wireless router?

25 A. Again, by looking at the information




99



1 Jacobson

2 on Exhibit 6.

3 Q. How does that show you that there is

4 no wireless router?

5 A. Again, as I testified earlier, here

6 at the source address and that the KaZaA IP address

7 matched.

8 Q. And that tells you that there was no

9 wireless router?

10 A. Again, those are all public IP

11 addresses on both the computer and the device that

12 put the IP packet onto the internet, both at the

13 same IP address.

14 Q. And that's your sole basis for your

15 conclusion?

16 A. Yes.

17 MR. BECKERMAN: I would like to

18 mark as Exhibit 19 a two-page letter from

19 Verizon.

20 (Defendant's Exhibit 19, two-page

21 letter from Verizon, marked for

22 identification, as of this date.)

23 Q. Is that the source for your

24 information as to whose access account it was?

25 A. Yes.




100



1 Jacobson

2 MR. BECKERMAN: I would like to

3 mark as Exhibit 20 a resume, a one-page

4 resume, page number DJ0076.

5 (Defendant's Exhibit 20, one-page

6 resume, page number DJ0076, marked for

7 identification, as of this date.)

8 A. It is a printout of a file that I

9 found on the hard drive that I examined. It was

10 described in Exhibit 15.

11 Q. Did you know who prepared this?

12 A. I know it was on the hard drive and

13 it in the directory of user Kathleen on the system.

14 Q. Do you know who typed it?

15 A. No.

16 Q. Now, what does it say next to the

17 word "e-mail" in this resume?

18 A. J-C-Q-L-L-I-N-E.

19 Q. What tools did you use to determine

20 that the hard drive had not been used for a KaZaA

21 account?

22 A. I used EnCase to examine the captured

23 hard drive.

24 Q. When you used EnCase, did you know

25 that this matter was in litigation and that you were




101



1 Jacobson

2 an expert witness in this case?

3 A. Yes.

4 Q. Did you not have screens? When you

5 used EnCase, didn't you look at a computer screen?

6 A. Yes.

7 Q. Did you save what was on that screen?

8 A. No.

9 Q. Did you generate reports?

10 A. No.

11 Q. Now I'm not asking you if you printed

12 out reports or saved reports. I'm asking you if you

13 generated reports.

14 A. No.

15 Q. So you did not document your findings

16 in EnCase at all, did you?

17 A. No.

18 Q. Did Mr. Gabriel tell you to do that?

19 A. No.

20 Q. So did you feel that you could just

21 review it on EnCase and then come and testify from

22 memory at a trial? Is that what you intended to do?

23 A. I examined the hard drive, found no

24 evidence of file sharing software or audio files,

25 and so there was nothing to document.




102



1 Jacobson

2 Q. So you didn't feel was any need to

3 create documentation of what your study had shown?

4 A. There was no files to document.

5 Q. Is that because it did not

6 corroborate Plaintiff's case in any way?

7 MR. GABRIEL: Objection to form.

8 Argumentative.

9 A. The testimony says I found no KaZaA

10 or MP3 files and, therefore, there was nothing to --

11 there were no screen shots to capture.

12 Q. Do you have any idea why the case

13 hasn't been dropped by now?

14 MR. GABRIEL: Objection to form.

15 Lack of foundation.

16 A. I don't get involved with -- so no.

17 MR. BECKERMAN: I would like to

18 mark as Exhibit 21 a one-page document

19 with a flowchart.

20 (Defendant's Exhibit 21, one-page

21 document with a flowchart, marked for

22 identification, as of this date.)

23 Q. Do you see item number 4?

24 A. You mean bullet number 4?

25 Q. Yes.




103



1 Jacobson

2 A. Yes.

3 Q. What does that say?

4 A. "Document findings."

5 Q. Did you know that you were going to

6 be giving sworn testimony in this case, including

7 your December declaration and possible deposition

8 and trial testimony?

9 A. Would you reread the question back.

10 (Record read.)

11 A. At the time I examined the hard drive

12 there were no scheduled depositions.

13 Q. So you thought it was okay not to

14 document your findings?

15 MR. GABRIEL: Objection to form.

16 A. I did document my findings, as shown

17 in Exhibit 17.

18 Q. When you say there were three user

19 names of interest, what did you mean by that?

20 A. In a Windows machine there are

21 default users that are created, like Administrator

22 and so on, that come with the installation of

23 Windows. So these were users that were added above

24 and beyond the default installation.

25 Q. So it doesn't actually tell you who




104



1 Jacobson

2 used the computer, does it? It just tells you the

3 user names?

4 A. Yes, these are user names for that

5 computer.

6 Q. And if someone was logged on under a

7 particular computer name and the computer was kept

8 on and another individual sat down and started using

9 the computer, you wouldn't know who that was, would

10 you, from the user name?

11 A. That's correct.

12 Q. Are you familiar with the declaration

13 that was given by the expert witnesses in the

14 Netherlands in the foundation case, the witness

15 statement of Henk Sips and Johan Pouwelse?

16 A. I would have to see the document.

17 MR. BECKERMAN: I would like to

18 mark this as Exhibit 22. It is a

19 three-page document entitled "Witness

20 statement of Henk Sips and Johan

21 Pouwelse."

22 (Defendant's Exhibit 22, three-page

23 document entitled "Witness Statement of Henk

24 Sips and Johan Pouwelse," marked for

25 identification, as of this date.)




105



1 Jacobson

2 MR. GABRIEL: I would like to

3 interpose a belated objection to the

4 characterization of the document as a

5 declaration.

6 MR. BECKERMAN: I agree. The

7 correct characterization should be as a

8 witness statement. So stipulated.

9 MR. GABRIEL: Thank you.

10 Q. Have you ever seen this document

11 before?

12 A. I've seen it.

13 Q. You have seen it?

14 A. I have seen it.

15 Q. In what context?

16 A. I believe my wife might have e-mailed

17 it and made a copy of it.

18 Q. Did anyone from the Plaintiff's law

19 firm send you a copy of it?

20 A. No.

21 Q. Did you ever access it yourself on

22 the internet?

23 A. Either she sent it to me directly or

24 a link to it, so I don't know if I got it as a

25 document or as a link to a document.




106



1 Jacobson

2 Q. Do you agree with the statement at

3 the bottom of Page 2 that detailed checks are,

4 therefore, required?

5 MR. GABRIEL: Objection to form.

6 Lack of foundation.

7 A. Would you read the question.

8 (Record read.)

9 A. I don't really know. They didn't

10 describe what they meant by detailed checks so I

11 can't -- I can't comment on that.

12 Q. We will turn to the next page. It

13 says, "We believe that the following procedure takes

14 the necessary precautions when trying to establish

15 if a user is making copyrighted works available for

16 download," and then they list certain procedures.

17 Do you agree that those procedures

18 take the necessary precautions?

19 MR. GABRIEL: Objection to form.

20 Lack of foundation.

21 A. The steps seem like reasonable

22 precautions.

23 Q. Going down a few paragraphs, there

24 are some terms. Do you agree that superpeer hopping

25 is a technical problem in trying to determine which




107



1 Jacobson

2 user might have violated copyright law?

3 MR. GABRIEL: Objection to form.

4 Lack of foundation.

5 A. They don't define what they mean by

6 superpeer hopping, so ...

7 Q. Don't you think they are referring to

8 the hopping from one supernode to another supernode,

9 shutting one down and starting another?

10 MR. GABRIEL: Objection to form.

11 Lack of foundation. Calls for

12 speculation.

13 Q. You are the expert. You have

14 indicated that you have studied KaZaA in depth.

15 Isn't it a fact that a single search on KaZaA can

16 hop from one supernode to another?

17 A. A search on KaZaA can prop you will

18 gate from one supernode to another.

19 Q. So don't you think that's what they

20 are referring to when they say superpeer hopping?

21 MR. GABRIEL: Objection to form.

22 Lack of foundation. Calls for

23 speculation.

24 A. I have not heard that term used, so I

25 don't know ...




108



1 Jacobson

2 Q. Would you agree that the fact that a

3 single search can switch from one supernode to

4 another to another to another would constitute a

5 technical problem in conducting such an

6 investigation?

7 MR. GABRIEL: Objection to form.

8 A. I would characterize it more as a

9 technical inconvenience than a problem.

10 Q. So you would agree that it is a

11 technical inconvenience that needs to be overcome?

12 A. I'm not saying that it hasn't been

13 overcome, if that's what your question is.

14 Q. My question is exactly what it said,

15 that it is a technical problem that needs to be

16 overcome.?

17 MR. GABRIEL: Technical

18 inconvenience. Let's be clear which

19 question you are asking, please.

20 Q. Is it a technical inconvenience that

21 needs to be overcome?

22 A. Yes.

23 Q. And you would agree that it requires

24 the taking of certain precautions?

25 MR. GABRIEL: Objection to form.




109



1 Jacobson

2 A. If by precautions you mean procedures

3 to understand that that can happen, yes.

4 Q. Would you agree that NAT translation

5 is a technical problem in conducting such an

6 investigation?

7 MR. GABRIEL: Objection to form.

8 Lack of foundation.

9 A. I would agree that that process --

10 procedures and processes need to be put in place to

11 handle NAT translation.

12 Q. And you agree that firewall relaying

13 is a technical problem that needs to be considered

14 during the process and procedure?

15 MR. GABRIEL: Objection to form.

16 A. I would agree that firewall relaying

17 is something that needs to be considered during the

18 process and procedure.

19 Q. In the next paragraph they refer to

20 pollution. Would you agree that pollution is a

21 problem that needs to be taken into account in

22 conducting such an investigation?

23 MR. GABRIEL: Objection to form.

24 Lack of foundation.

25 A. I think processes and procedures need




110



1 Jacobson

2 to be put in place to deal with the issue of

3 pollution.

4 Q. Does KaZaA have limitations in file

5 searching?

6 A. If by limitations you mean is one

7 user limited to the scope of where they can search

8 across the entire KaZaA network, yes.

9 Q. What is meant by the term "computer

10 hygiene precautions"?

11 MR. GABRIEL: Objection to form.

12 Lack of foundation.

13 A. It is my opinion what they are

14 talking about is it's possible to get data from

15 multiple locations for one file and if you don't

16 take care watching where those -- where the data

17 comes from and how much data is produced, that you

18 could end up marking IP addresses that have

19 transferred no data.

20 Q. What is multi-peer downloading

21 contamination?

22 MR. GABRIEL: Objection to form.

23 Lack of foundation.

24 A. That goes to what I was saying,

25 multiple peer nodes contributing to a single file.




111



1 Jacobson

2 Q. Does the fact that MediaSentry

3 observed the computer solely through the internet

4 and did not have physical access to the computer

5 itself limit its observational power?

6 MR. GABRIEL: Objection to form.

7 A. Obviously weren't able to physically

8 view the individual typing on the keyboard.

9 Q. Is the internet secure and safe and

10 reliable?

11 MR. GABRIEL: Objection to form.

12 A. I guess it depends on how you define

13 those terms. Secure? No. The end nodes on the

14 internet often are not secure. Safe? I guess I'm

15 not sure what you are talking about as far as

16 safety.

17 Q. Can people hack into other people's

18 systems?

19 A. Yes. I would wrap that under the

20 security umbrella.

21 Q. Isn't it a fact that you teach a

22 course on how to do that?

23 A. Yes.

24 Q. Isn't it a fact that you teach

25 students how to crack passwords?




112



1 Jacobson

2 A. Yes.

3 Q. And you teach them about spoofing?

4 A. Yes.

5 Q. What is spoofing?

6 A. Spoofing is pretending to be somebody

7 else.

8 Q. What is redirection?

9 A. Depends on where we are talking about

10 it, but redirection is typically forcing the traffic

11 to go somewhere else or forcing the user to go

12 somewhere else.

13 Q. Does the existence of a firewall

14 guarantee security?

15 A. No.

16 Q. Isn't it a fact that when you teach a

17 course in information warfare, most of the people

18 will find some vulnerabilities in the network that

19 is being attacked?

20 MR. GABRIEL: Objection to form.

21 A. In the course I teach, I set up a

22 corporate environment that has vulnerabilities

23 associated with it as part of the exercise.

24 Q. And the vulnerabilities that you

25 build in are not unheard of in the real world; is




113



1 Jacobson

2 that correct?

3 A. That's correct.

4 Q. So an IP address can be spoofed,

5 right?

6 A. Yes.

7 Q. And a MAC address?

8 A. Yes.

9 Q. Did you ever recover the registry

10 entries from either of the two computers that you

11 have been testifying about?

12 A. I recovered the register entries from

13 the hard drive that I examined.

14 Q. Well, if you recovered them, where

15 are they? How come you never turned them over to

16 me?

17 A. In EnCase you open them up as a file

18 viewer and you can examine them by just looking at

19 them.

20 Q. So you viewed them but didn't

21 preserve a record of it?

22 A. The hard drive image is still in my

23 possession.

24 Q. But when you viewed it in EnCase, you

25 didn't make any documentation of what you saw in the




114



1 Jacobson

2 registry entries?

3 A. I was looking for evidence of the

4 KaZaA program and found none.

5 Q. But you actually had the register

6 entries in front of you on the screen and you didn't

7 make any record of that?

8 A. There wasn't anything to make a

9 record of.

10 Q. There were no register entries?

11 A. There were register entries, but none

12 associated with KaZaA.

13 Q. You were told by Mr. Gabriel just to

14 look for things that incriminated the defendant?

15 MR. GABRIEL: Objection to form.

16 Lack of foundation. Argumentative.

17 Q. Is that your testimony? Were you

18 directed only to find things that helped the

19 plaintiffs win their case?

20 MR. GABRIEL: Same objections.

21 A. I was told to examine the hard drive

22 for evidence of file-sharing software and evidence

23 of MP3.

24 Q. That's all you were told to examine

25 it for? So you weren't told to examine it for




115



1 Jacobson

2 evidence as to whether it had been -- the hard drive

3 had been changed or anything like that?

4 A. I wasn't directed to do anything more

5 than that, although as part of the examination I

6 did -- as noted in Exhibit 17, I noted, for example,

7 that the operating system was repaired on July 7th

8 of '04.

9 RQ MR. BECKERMAN: I call for the

10 production of those register entries.

11 MR. GABRIEL: They don't exist.

12 The witness doesn't have a duty to create

13 them and you have your image of his hard

14 drive. You can produce them yourself.

15 Q. So EnCase has no way of backtracking

16 your project?

17 A. The only record it keeps is when you

18 specifically write something to a report file; when

19 you see something, you explicitly say, "Put this in

20 a report."

21 Q. So you were just looking in the

22 registry for evidence of KaZaA? That's it?

23 A. I was looking for the IP address and

24 as shown in Exhibit 17, I was looking for evidence

25 of dates about the system, so the date the system




116



1 Jacobson

2 was repaired.

3 Q. Do some users of KaZaA fool people

4 with fake content?

5 MR. GABRIEL: Objection to form.

6 A. I don't have any firsthand experience

7 with that.

8 Q. What is a MAC address?

9 A. A MAC address is referred to as the

10 physical address, which is the address used to

11 transfer data packets across local area network.

12 Q. Does the cable modem have a MAC

13 address?

14 A. Yes.

15 Q. Does a wired router have a MAC

16 address?

17 A. Yes.

18 Q. Does a wireless router have a MAC

19 address?

20 A. Yes.

21 Q. Does an ethernet card have a MAC

22 address?

23 A. Yes.

24 Q. Is a network card a synonym for

25 ethernet card or is it something else?




117



1 Jacobson

2 A. An ethernet card would probably be

3 considered a subset of a network card.

4 Q. Do other network cards also have MAC

5 addresses?

6 A. There would be networks that do not

7 use the concept of a MAC address.

8 Q. Does a DSL modem have a MAC address?

9 A. It has it on its -- on the subscriber

10 side.

11 Q. Is there a limit to the number of

12 devices behind a single router?

13 A. Theoretical or practical? The answer

14 is "yes" to both, I guess.

15 Q. And what factors would limit it?

16 A. The IP address space would be one

17 limiting factor and then the performance would be

18 more of a practical limiting factor.

19 Q. Can you have a router behind another

20 router?

21 A. Yes.

22 Q. What is the MAC address of the

23 computer that was accessed by MediaSentry?

24 A. There is no documentation to indicate

25 what the MAC address of that computer was.




118



1 Jacobson

2 Q. What is the MAC address of the

3 computer whose hard drive you examined?

4 A. Since I did not have the ethernet

5 card, I don't know.

6 Q. What type of internet service was

7 used by the computer that MediaSentry was

8 interacting with?

9 A. There wasn't enough information from

10 Verizon to indicate whether it was a cable modem or

11 a DSL.

12 Q. So you don't know?

13 A. No.

14 Q. Did that connect to the internet

15 directly or through another device's MAC address?

16 A. Did what connect?

17 Q. When that computer was on line with

18 or supposedly on line with MediaSentry, was it

19 directly or was it through another device's MAC

20 address?

21 MR. GABRIEL: Objection to form.

22 A. Every time a packet goes through a

23 cable modem, a router, a NAT, the MAC address is not

24 preserved; it is destroyed and recreated on the

25 other side.




119



1 Jacobson

2 Q. So the answer is?

3 A. Could you reread the original

4 question.

5 (Record read.)

6 A. Are you talking about which address

7 it presented to the ISP?

8 Q. You can't answer the question the way

9 it's asked?

10 A. I don't know where --

11 Again, as the packet moves through

12 the internet, every device that picks up the packet,

13 it retransmits and creates a new MAC address.

14 Q. Do you know whether it connected to

15 the internet directly or through another device's

16 MAC address? If you don't know you can say you

17 don't know.

18 MR. GABRIEL: Objection to form.

19 You can answer the question.

20 A. Stated the way it's stated, no, I

21 don't know.

22 Q. How many devices accessed the

23 internet through Marie Lindor's internet access

24 account?

25 A. I have evidence of one device with




120



1 Jacobson

2 the IP address that we have talked about in

3 Exhibit 6, that one device being connected to the

4 internet during the times as described in

5 Exhibit 16.

6 Q. How many MAC addresses have accessed

7 the internet through Marie Lindor's account?

8 A. I have no way of knowing.

9 Q. When is a MAC address assigned to a

10 computer?

11 A. MAC addresses are actually assigned

12 to the network cards by the network card vendor.

13 Q. And is that also true for any other

14 network device?

15 A. In the ethernet world, yes. MAC

16 addresses are assigned. Blocks are assigned to the

17 vendors and the vendors allocate individual

18 addresses.

19 Q. Did the computer which you examined

20 have a wireless card? The computer whose hard drive

21 you examined, did that have a wireless card?

22 A. All I received was the hard drive. I

23 did not receive the --

24 Q. So you don't know?

25 A. Correct.




121



1 Jacobson

2 Q. Can an ethernet card be removed from

3 one PC and put into another?

4 A. If it is an actual card as opposed

5 to -- connected to -- actually on the motherboard.

6 Q. If you were an internet pirate or

7 cracker who wanted to spoof a MAC address, could you

8 easily find the MAC address by, let's say, finding a

9 box that a cable modem had come in and just writing

10 down the MAC address from that?

11 MR. GABRIEL: Objection to form.

12 Lack of foundation.

13 A. I don't know if they write the MAC

14 addresses on the outside of cable modem shipping

15 boxes.

16 Q. You can manually reassign a new MAC

17 address, can you not?

18 A. In a lot of systems, yes.

19 Q. What is reprogramming a MAC address?

20 MR. GABRIEL: Objection to form.

21 A. I've never heard it quite put that

22 way, but my understanding would be that that would

23 be changing the MAC address of the device.

24 Q. Did you or MediaSentry ever actually

25 know the MAC address of either of the computers?




122



1 Jacobson

2 MR. GABRIEL: Objection to form.

3 Lack of foundation as to MediaSentry.

4 A. I did not know the MAC address. I

5 cannot testify to what MediaSentry knew in that

6 case.

7 Q. How would one spoof an IP address?

8 A. Can we go off the record for a

9 second? Am I allowed to say that?

10 MR. GABRIEL: You need to answer

11 his question first. If there is an issue

12 with the question, you can tell him.

13 A. Long version or short version?

14 Q. Short version.

15 A. Okay. Boy, there is no short

16 version.

17 Q. There are many ways to do it, is that

18 not correct?

19 A. Well, there is many ways and it

20 depends for what purpose as to whether those ways

21 would work.

22 Q. Okay. It's not necessary to really

23 go into detail.

24 A. Okay.

25 Q. There are many ways to spoof an IP




123



1 Jacobson

2 address?

3 A. Not all of which work. Correct.

4 Q. Did you personally verify the IP

5 number?

6 A. The IP address on the hard drive,

7 since it's DHCP, the IP address is not committed to

8 the hard drive.

9 Q. So the answer is no, you did not

10 verify the IP address?

11 A. Not on the hard drive.

12 Q. And how did MediaSentry get the IP

13 address?

14 MR. GABRIEL: Objection to the

15 extent it was asked and answered.

16 Go ahead.

17 A. I don't know the exact process and

18 procedures that MediaSentry used.

19 Q. So you couldn't test or verify the

20 procedures? You didn't know what they were?

21 A. Given the procedures, I could test

22 them. The method that I would use is, again, since

23 every packet --

24 Q. No. The question was -- I was asking

25 whether you verified the way that -- the method that




124



1 Jacobson

2 MediaSentry used.

3 A. No.

4 Q. Do you know what the IP address was

5 of the screen shot?

6 MR. GABRIEL: Objection to form.

7 A. The screen shot was a screen shot of

8 the files associated with the user.

9 Q. Well, they would have had to have

10 been a dynamic IP address assigned it that, would it

11 not have, to that connection?

12 MR. GABRIEL: Objection to form.

13 A. You have an IP -- you have an IP

14 connection to the supernode and then to transfer the

15 files, you make an IP connection to the machine that

16 has the -- that has the files.

17 Q. When you did the forensic examination

18 of the hard drive, other than telling you that they

19 wanted you to look for evidence of KaZaA, were there

20 any other instructions given to you?

21 A. Look for the -- any MP3 files and

22 then just a general look for anything that may be

23 associated with -- you know, with MediaSentry and my

24 testimony or my expert report. So things like IP

25 addresses, et cetera.




125



1 Jacobson

2 Q. You say it's not difficult to

3 determine whether a computer was connected with a

4 wireless router based on how IP's are assigned? How

5 could you possibly tell from the way IP's are

6 assigned whether or not it was connected to a

7 wireless router?

8 A. Again, back to Exhibit 6 where the

9 machine itself reports its IP address and so does

10 the device with the global internet address. A

11 wireless router is going to have an internal address

12 and then a public address, and so you will see a

13 discrepancy in those two IP addresses.

14 Q. How did you make that determination

15 in this case? I'm not sure I follow that.

16 You put in your declaration on

17 December 19th "Based on how IP's are assigned, it is

18 not difficult to determine whether a computer was

19 connected to the internet via a wireless router.

20 This computer was not." How did you determine that

21 that computer was not connected to the internet via

22 a wireless router?

23 MR. GABRIEL: Objection. Asked and

24 answered.

25 A. This computer had a public IP address




126



1 Jacobson

2 that matched the IP address that was in the packet

3 that was transmitted onto the internet from an entry

4 point into the internet. And so, therefore, since

5 the computer said it had the same address as the

6 packet ...

7 Q. I don't understand your testimony.

8 What do you mean by a public IP address?

9 A. The public IP space is divided into

10 address ranges. A majority of the addresses are to

11 be handed out for devices that are directly

12 connected to the public -- to the internet. Some of

13 the addresses have been reserved for private

14 addresses, addresses that cannot show up on the

15 internet. They will not be routed across the

16 internet. These are the addresses used by NATs and

17 wireless routers and so on as you have shown in

18 your --

19 Q. Don't look for the documents.

20 A. The image with the picture where you

21 had the 192168 addresses. Those, for example, are

22 private IP address space.

23 Q. So you are going to rely on what you

24 just said. That's the way you know it wasn't a

25 wireless router. Everything you have just said now




127



1 Jacobson

2 establishes that it was not a wireless router?

3 A. In my opinion, yes.

4 Q. Was KaZaA fully installed on the

5 first computer?

6 MR. GABRIEL: Objection to form.

7 A. If by the first computer you mean the

8 computer that MediaSentry reported on, that was

9 running a KaZaA client.

10 MR. BECKERMAN: Read back that

11 answer.

12 (Record read.)

13 Q. I asked you if it was fully installed

14 on the computer.

15 MR. GABRIEL: If that's a question,

16 I object.

17 A. The KaZaA application was installed

18 and running on that computer.

19 MR. GABRIEL: The record should

20 reflect that the document Dr. Jacobson was

21 looking for was Exhibit 8 with the 192IP

22 address. That's what he said, just for

23 clarity.

24 Q. Other than this two-page document

25 from Verizon which was sent to Jenner & Block law




128



1 Jacobson

2 firm, did you see anything else from Verizon?

3 A. No.

4 Q. Do you know what procedures Verizon

5 employed to link Ms. Lindor's name and address to

6 the alleged IP address?

7 A. No.

8 Q. Do you know who conducted the

9 research?

10 A. No.

11 Q. Do you know if the procedures were

12 accurately and competently followed?

13 A. I have no way of knowing that.

14 Q. Do you know if the search was free

15 from human and mechanical error?

16 A. I have no way of knowing.

17 Q. Have the ISP's ever misidentified a

18 subscriber?

19 MR. GABRIEL: Objection to form.

20 Lack of foundation.

21 A. I have no way of knowing.

22 Q. Have the ISP's ever identified a

23 customer who is not even a subscriber at the time of

24 the infringement?

25 MR. GABRIEL: Objection to form.




129



1 Jacobson

2 Lack of foundation.

3 A. I have no way of knowing.

4 Q. Did you see their logs?

5 A. All I saw from Verizon is what is

6 shown in Exhibit 19.

7 Q. Were MediaSentry's clocks

8 synchronized with Verizon's?

9 MR. GABRIEL: Objection to form.

10 Lack of foundation.

11 A. I have no way of knowing.

12 Q. How many people were assigned this IP

13 address during the 24 hours of August 7, 2004,

14 141.155.57.198?

15 A. The date you said was August 7th?

16 Q. August 7, 2004.

17 A. I have no way of knowing that.

18 Q. Is it true that the ISP keeps a log

19 of all IP address assignments?

20 MR. GABRIEL: Objection. Lack of

21 foundation.

22 A. I don't know how Verizon operates

23 internally.

24 Q. Does the log contain the name and

25 address of a subscriber or does it contain a MAC




130



1 Jacobson

2 address?

3 MR. GABRIEL: Same objection.

4 A. I have no idea what is in their

5 internal logs.

6 Q. How did Verizon link Ms. Lindor's

7 name to that IP address?

8 MR. GABRIEL: Same objection.

9 A. I have no knowledge about Verizon.

10 Q. So is it fair to say that all of your

11 reports are based on the assumption that the

12 information which you obtained from Verizon was

13 accurate?

14 A. Yes.

15 Q. And you have no idea how they

16 obtained that information; is that correct?

17 A. I have no firsthand knowledge of how

18 they obtained that information.

19 Q. Do you have some secondhand knowledge

20 of how they operated?

21 A. I could speculate as to how they

22 might do it.

23 Q. But you don't know? You just would

24 be speculating?

25 A. Yes.




131



1 Jacobson

2 Q. I am sure Mr. Gabriel wouldn't want

3 you to speculate. Did you make any attempt to

4 verify the information?

5 A. The Verizon information?

6 Q. Yes.

7 A. The only verification that I do is I

8 compare the Verizon subpoena response date, time, IP

9 to the subpoena itself to verify that they -- that

10 Verizon is reporting back on the same data that was

11 requested.

12 Q. Do you know if Ms. Lindor's apartment

13 has a wired router?

14 A. I don't know anything about

15 Ms. Lindor's apartment.

16 Q. So would you know if her apartment

17 had a wireless router?

18 A. Again, I don't know anything about

19 Ms. Lindor's residence.

20 Q. Would it have been possible to have

21 more than one router?

22 MR. GABRIEL: Objection to form.

23 A. It's possible to have any number of

24 routers. But given the IP address correlation,

25 given the IP address in the packet in the computer




132



1 Jacobson

2 are both republic.

3 Q. What is a wireless access point?

4 A. A wireless access point is the

5 wireless device that actually -- it is a device that

6 actually interfaces with the wireless devices, the

7 machines with wireless cards, so that actually is

8 the base station transmitter.

9 Q. How does that relate to a wireless

10 router?

11 A. That's part of a -- that's part of

12 the router. The access point we typically talk is

13 the wireless side.

14 Q. Didn't you say in your declaration

15 under penalty of perjury that your conclusion that

16 it was not connected to the internet via a wireless

17 router was based in part on the registry entries

18 recovered from the computer?

19 A. Yes.

20 Q. And you didn't feel it was important

21 to identify those registry entries?

22 A. Again, since I didn't find anything

23 there was nothing to document and since I can --

24 The hard drive is still in my

25 possession.




133



1 Jacobson

2 Q. Well, do you think you can now go

3 generate more reports after having gone through this

4 deposition and then come up with them at the trial

5 and surprise me with them?

6 MR. GABRIEL: Objection.

7 Argumentative. We are aware of what our

8 obligations are.

9 Q. You said in your declaration that

10 there was no internal IP address here. What did you

11 mean by that?

12 A. Which declaration are you reading?

13 Q. Your December 19th declaration. You

14 said there was no internal IP address here.

15 MR. GABRIEL: I don't believe you

16 marked it as an exhibit.

17 Q. Do you doubt that you put that in

18 your declaration?

19 MR. GABRIEL: Wait. He is talking

20 about your December declaration. He has

21 not marked it as an exhibit, if that is

22 what you are looking for.

23 Q. Well, do you doubt that that's what

24 you said? Let me quote.

25 "I base this on the data mentioned




134



1 Jacobson

2 above as well as on the registry entries recovered

3 from the computer and the fact that there was no

4 internal IP address here." Do you not know what

5 that statement means?

6 A. I know what that statement means. I

7 assume if you are reading it, it is indeed what I --

8 I don't remember verbatim what I said

9 without seeing the report.

10 MR. BECKERMAN: Please mark this as

11 Exhibit 23. It is a declaration dated

12 December 19, 2006.

13 (Defendant's Exhibit 23, declaration

14 dated December 19, 2006, marked for

15 identification, as of this date.)

16 Q. I refer you to Page 4, Paragraph 5,

17 second sentence, and ask you what you were talking

18 about.

19 Actually, let me go to this first.

20 When you say the registry entries were recovered,

21 they weren't recovered; you are just saying you saw

22 them and then kept them to yourself. Is that

23 correct? You didn't recover them?

24 MR. GABRIEL: Objection to form.

25 Argumentative.




135



1 Jacobson

2 Q. You read them and made no notation or

3 record or report of them; is that correct? So when

4 you say recovered --

5 A. In a Windows PC the registries

6 actually exist in several places and so to get a

7 view of all of them, you end up through EnCase

8 running their internal program which puts the

9 registries in a human, readable format. So that's

10 what I meant by the word "recovered."

11 Q. What did you mean when you said there

12 was no internal IP address here?

13 A. There was no evidence of an

14 internal -- of the internal addresses like the

15 192.168 addresses that you find when you have a

16 wireless router.

17 Q. So in preparing your analysis, you go

18 directly from the MediaSentry documents to the

19 report that you write for the RIAA lawyers and there

20 is no intermediate work papers or analysis sheets?

21 A. Yes. That's Exhibit 18.

22 Q. That's it? That's the only thing

23 that you prepare before preparing your report?

24 A. Yes.

25 (Recess taken.)




136



1 Jacobson

2 Q. If I was on the internet right now

3 and my IP address was 195.175.1.2, how would you

4 determine whether I was connected through a wireless

5 router or not?

6 A. We look at the -- if all I saw was a

7 single packet from you with no other data, I

8 couldn't make that determination. But if I saw a

9 payload that also reported your IP address, then I

10 could make that determination.

11 Q. So let's say I sent you an e-mail.

12 Would you be able to tell?

13 A. Not with every e-mail. There may be

14 configurations in which an e-mail would disclose

15 that information.

16 Q. Now, going back to what you said

17 about the packet, would you see the private IP?

18 A. If the application reported the

19 private IP as part of the payload, but not as part

20 of the IPV4 header.

21 Q. And how does it distinguish between

22 wireless and not wireless?

23 MR. GABRIEL: Objection to form.

24 A. You wouldn't be able to tell the

25 difference between a router with private addresses,




137



1 Jacobson

2 whether it was wireless or not wireless.

3 Q. Does the packet identify whether the

4 user is wireless or not?

5 A. It depends on which packet you see?

6 Q. How would a packet tell you that it's

7 wireless?

8 A. If I actually captured the wireless

9 packet, its MAC address is larger than the MAC

10 address of a -- on the wired side, along with the

11 frame format is different.

12 Q. The MAC address of a wireless is a

13 different type of MAC address?

14 A. Its layout is different.

15 Q. Is a MAC address visible outside of

16 the local network?

17 A. Not of the internal machines.

18 Q. So how would a packet on the public

19 internet have a MAC address header?

20 A. Every packet has some type of MAC

21 address header.

22 Q. Does NAT hide the private IP?

23 A. If by "hide" you mean that the

24 private IP does not show up in the IPV6 header, that

25 is correct.




138



1 Jacobson

2 Q. What is the name and model of the PC

3 whose hard drive image you examined?

4 A. I don't know.

5 Q. What is the MD5 hash of the hard

6 drive you examined?

7 A. I don't recall what that is.

8 Q. What is the SHA1 hash of the hard

9 drive image you examined?

10 A. I don't even recall looking at that.

11 Q. What kind of hashing does KaZaA use?

12 A. I don't remember the exact algorithm

13 that it uses.

14 Q. Would it refresh your recollection

15 for me to tell you that it uses UU Hash?

16 A. I have no reason to doubt that.

17 Q. Do you know why MediaSentry compiled

18 the list with the SH1 values instead of the UU Hash

19 values?

20 A. Which list?

21 Q. You are the person who is testifying

22 about the MediaSentry printouts.

23 MR. GABRIEL: I will object. He

24 didn't testify about hash values at all.

25 Q. Isn't it a fact that they have a list




139



1 Jacobson

2 of SHA1 hash values?

3 MR. BECKERMAN: Withdrawn. I

4 withdraw the question.

5 Q. Can multiple users of KaZaA have the

6 same user name?

7 A. Yes.

8 Q. Can users change their nickname in

9 KaZaA?

10 A. Yes.

11 Q. Do KaZaA nicknames uniquely identify

12 a person?

13 A. No.

14 Q. Could I create a user name

15 "Dr. Jacobson" at KaZaA?

16 A. Yes.

17 Q. Does KaZaA operate as a background

18 service?

19 MR. GABRIEL: Objection to form.

20 A. You can minimize KaZaA and have it

21 run out of the system tray.

22 Q. Is it possible that someone who has

23 the computer on and has KaZaA running might not even

24 know it's running?

25 A. It's possible.




140



1 Jacobson

2 Q. Is there a way through the internet

3 to remotely control someone else's computer?

4 MR. GABRIEL: Objection to form.

5 Lack of foundation.

6 A. It's possible.

7 Q. What is a zombie?

8 A. In reference to computer security, a

9 zombie is a program that is under control of some

10 other master program which is under control of some

11 individual.

12 Q. What is a cracker?

13 A. When I use the term, it is in

14 reference to either a person or process to break

15 passwords.

16 Q. What is a drone?

17 A. Again, in computer security

18 terminology that, again, would be a piece of

19 software that's under control by another individual.

20 Q. When you provide your investigations,

21 do you do anything to verify or to determine whether

22 or not the computer in question was under control by

23 an outside remote user?

24 A. No.

25 Q. Do you know who conducted the




141



1 Jacobson

2 MediaSentry investigation?

3 A. No.

4 Q. Do you know the qualifications and

5 training of anyone who conducted the investigation?

6 A. No.

7 Q. Are screen shots reliable evidence,

8 in your opinion?

9 MR. GABRIEL: Objection to form.

10 Lack of foundation. Calls for a legal

11 conclusion on its face.

12 A. I don't know what represents legal

13 evidence in a court of law.

14 Q. Do you consider screen shots

15 reliable?

16 MR. GABRIEL: Objection.

17 A. A screen shot is an image of the

18 application and the application data that is shown

19 on the screen at that time.

20 Q. Can it be subject to manipulation or

21 forgery?

22 MR. GABRIEL: Objection to form.

23 Calls for speculation.

24 A. Any image can be subject to

25 manipulation.




142



1 Jacobson

2 Q. Could it be altered in the graphics

3 editing program?

4 MR. GABRIEL: Same objections.

5 A. Any image can be altered in the

6 graphics editing program.

7 Q. Did you take any steps to verify the

8 authenticity of the screen shot?

9 A. No.

10 Q. Did you take any steps to verify that

11 the song files were genuine?

12 A. Other than what was reported through

13 MediaSentry and through the certificates of -- I

14 can't recall what they are called exactly, but

15 through the documents provided by the recording

16 industry.

17 Q. You yourself did nothing to verify

18 that they were genuine?

19 A. Other than through the documentation

20 I was provided.

21 Q. What did MediaSentry do to verify

22 that they were genuine?

23 MR. GABRIEL: Objection to form.

24 Lack of foundation.

25 A. I don't know what MediaSentry did.




143



1 Jacobson

2 Q. Did you verify that the IP address

3 had not been highjacked?

4 MR. GABRIEL: Objection to form.

5 A. I relied on the Verizon documentation

6 and so, no, I did not.

7 Q. Did you verify that the IP address

8 had not been faked?

9 MR. GABRIEL: Same objection.

10 A. I relied on the Verizon

11 documentation.

12 Q. Did you verify that the IP address

13 had not been spoofed?

14 MR. GABRIEL: I will object to the

15 form. Lack of foundation.

16 You can answer.

17 A. Only that I can say that it was an IP

18 address that was within Verizon's domain.

19 Q. Is a log file a text file?

20 A. It can be.

21 Q. Were these log files text files?

22 A. The originals I believe came that

23 way. When I receive them, they are .PDF documents.

24 Q. Can text files be easily altered?

25 MR. GABRIEL: Objection to form.




144



1 Jacobson

2 A. Yes.

3 Q. In your report you said the lack of

4 user-created files and e-mail leads you to believe

5 that this computer wasn't used very much. What did

6 you mean by user-created files?

7 A. When I looked through the hard drive

8 there were very few files that were created by

9 user-run applications, like documents.

10 Q. Is it possible to use a computer for

11 extended periods without creating any user files?

12 MR. GABRIEL: Objection to form.

13 A. It's possible.

14 Q. If you were, let's say, surfing the

15 internet and clearing the cache, would there be any

16 user-created files from that?

17 A. As long as you didn't download

18 anything.

19 Q. If you were listening to any CD's,

20 would there be any user-created files?

21 A. No.

22 Q. If you were playing Minesweeper or

23 Solitaire, would there be any user-created files?

24 A. I believe Solitaire you can save a

25 game.




145



1 Jacobson

2 Q. If you were just playing Minesweeper

3 or Solitaire, would there be any user-generated

4 files?

5 A. No.

6 Q. If a user used web-based e-mail such

7 as Hotmail, Yahoo or Gmail, would any of those

8 e-mails be stored on the hard drive?

9 A. They don't have to be.

10 Q. Can you tell how many people used the

11 computer from which the hard drive came that you

12 examined?

13 A. I can tell how many accounts were on

14 the hard drive, how many user accounts.

15 Q. But you can't say how many people

16 used it?

17 A. Living, breathing people? No.

18 Q. During your hard drive inspection,

19 what files did you find in the deleted sectors of

20 the disk?

21 A. Very few, and none that matched the

22 profile of KaZaA or MP3 files.

23 MR. BECKERMAN: Let's take a short

24 break.

25 (Recess taken.)




146



1 Jacobson

2 Q. Did you examine the system registry

3 for the computer that had the hard drive?

4 A. I examined the registry from the hard

5 drive.

6 Q. Did it show that any other hard drive

7 had ever existed in that computer?

8 A. I didn't specifically look for that.

9 I don't recall that there was an indication of that.

10 Q. So you have no reason to think that

11 the hard drive was replaced?

12 A. Not -- no.

13 Q. And it is a fact, is it not, that the

14 system registry would have disclosed that if it had

15 taken place?

16 A. If you would have rebuilt the system

17 from scratch and copied the data files over to new

18 hard drive, the system registry would have only

19 shown the creation date or installation date of the

20 operating system.

21 Q. Isn't it a fact that the system

22 registry contains information about each hard drive

23 that's ever been connected to the computer,

24 including the manufacturer, the size of the hard

25 drive and in some instances the serial number?




147



1 Jacobson

2 A. Of all hard drives connected while

3 that system registry was on that hard drive, if you

4 pull out the hard drive that had that system

5 registry and plugged a brand new one into the

6 machine and rebuilt the operating system, there

7 would be no evidence of that original hard drive you

8 pulled out.

9 Q. Was there any evidence that that had

10 taken place here on or after August 7, 2004?

11 A. No.

12 Q. Does every internet packet contain a

13 MAC address?

14 A. No.

15 Q. Does a MAC address tell you if a

16 device is wired or wireless?

17 A. If you can see the MAC address of the

18 transmitting device you could see whether that

19 device was wired or wireless.

20 Q. Now, if it was a computer going

21 through a wireless router, would you see the MAC

22 address of the computer?

23 A. Where am I looking for the MAC

24 address?

25 Q. Where you say it exists.




148



1 Jacobson

2 A. MAC address exists between any two

3 nodes -- some type of physical address exists

4 between every pair of communicating nodes on the

5 internet.

6 Q. How would you see the MAC address of

7 a transmitting device?

8 A. I'd have to have a monitoring device

9 on the media -- median that the transmitting device

10 was using.

11 Q. And did you have such a monitoring

12 device?

13 A. No.

14 Q. Does an IP address tell you if the

15 device is wired or wireless?

16 A. No.

17 MR. BECKERMAN: I have no further

18 questions.

19 MR. GABRIEL: I think I just have

20 three clarification questions.

21 MR. BECKERMAN: Then I might have

22 some clarifying questions of my own then.

23 MR. GABRIEL: I understand.

24 EXAMINATION BY

25 MR. GABRIEL:




149



1 Jacobson

2 Q. Dr. Jacobson, Mr. Beckerman asked you

3 some questions about the processes that you used

4 both when you did your first report and also when

5 you reviewed the hard drive, and you gave testimony

6 about that. Do you recall?

7 A. Yes.

8 Q. With respect to the processes that

9 you used, is it your view that reasonable experts in

10 your fields use the same processes?

11 A. Yes.

12 Q. Is there any other way to do what you

13 did, to your knowledge?

14 A. The hard drive examination could have

15 been done with any one of a number of tools, but all

16 of those tools behave in roughly the same way.

17 Q. Mr. Jacobson, with respect to the

18 reports in the declaration that you did and

19 Mr. Beckerman asked you about, he asked you whether

20 you had discussed any alternative explanations for

21 the conclusions you reached. Do you recall him

22 asking you that?

23 A. Yes.

24 Q. You did talk about the absence of a

25 router.




150



1 Jacobson

2 MR. BECKERMAN: Objection.

3 Leading.

4 Q. Yes?

5 A. Yes.

6 Q. Mr. Beckerman had asked you questions

7 about the instructions that I or my firm gave you in

8 terms of what you were supposed to look for on the

9 hard drive, correct?

10 A. Yes.

11 Q. And your testimony will speak for

12 itself. I think you said look for KaZaA, look for

13 MP3 files, anything associated with your expert

14 report. Do you recall giving that general

15 testimony?

16 A. Yes.

17 Q. Did we also ask you to look if

18 anything was deleted?

19 A. I believe you did.

20 Q. And did you do that?

21 A. Yes.

22 Q. Mr. Beckerman asked you a lot of

23 questions today about what you relied on and he

24 asked you whether you had verified different things.

25 For example, the Verizon information was one of the




151



1 Jacobson

2 things he asked you if you verified. Do you

3 remember just being asked those questions?

4 A. Yes.

5 Q. With respect to the various data you

6 relied on from MediaSentry or Verizon, do you have

7 any information sitting here today, Dr. Jacobson, to

8 suggest that any of that is not correct?

9 A. No.

10 Q. Do you have an opinion as to whether

11 a reasonable expert in your field would rely on

12 information like that?

13 MR. BECKERMAN: Objection. He

14 hasn't shown himself qualified to give an

15 opinion on something like that.

16 Q. You can answer.

17 A. I believe that a person in my field

18 would use the same information.

19 Q. Last question. Would you look at

20 Exhibit 8, please.

21 A. Yes. I found it.

22 Q. A couple of times today you alluded

23 to this exhibit and referred to it or you talked

24 about -- and the record speaks for itself, I'm just

25 trying to get us in the same place -- an internal IP




152



1 Jacobson

2 address and 192. Does the number 192 here somehow

3 correlate with an internal IP address?

4 A. Yes. The internet registration

5 authority, which is basically the governing body of

6 IP addresses, has allocated three address ranges

7 that are to be used internally only, they are not to

8 show up on the internet, and the 192.168 is one of

9 those blocks of addresses.

10 Q. And with respect to the IP -- the

11 public IP address that you talked about a lot today

12 relating to this case, was that within one of the

13 ranges for internal addresses?

14 A. No.

15 MR. GABRIEL: That's all I have.

16 MR. BECKERMAN: I have no further

17 questions.

18 MR. GABRIEL: Thank you for your

19 courtesy. We are going to run out and

20 make a plane.

21 --o0o--

22 (Time noted: 2:28 p.m.)

23

24

25




153



1

2 C A P T I O N

3

4 The Deposition of DR. DOUGLAS W. JACOBSON, taken in the

5 matter, on the date, and at the time and place set

6 out on the title page hereof.

7

8 It was requested that the deposition be taken by

9 the reporter and that same be reduced to

10 typewritten form.

11

12 It was agreed by and between counsel and the

13 parties that the Deponent will read and sign the

14 transcript of said deposition.

15

16 --o0o--

17

18

19

20

21

22

23

24

25




154



1

2 C E R T I F I C A T E

3 STATE OF _____________________________________:

4 COUNTY/CITY OF____________________________________:

5

6

7 Before me, this day, personally appeared

8 DR. DOUGLAS W. JACOBSON, who, being duly sworn, states

9 that the foregoing transcript of his

10 Deposition, taken in the matter, on the date, and

11 at the time and place set out on the title page

12 hereof, constitutes a true and accurate transcript

13 of said deposition.

14

15 ______________________________________

16 DR. DOUGLAS W. JACOBSON

17

18 SUBSCRIBED and SWORN to before me this ____

19 day of___________, 2007, in the

20 jurisdiction aforesaid.

21

22

23 ______________________ ______________________

24 My Commission Expires Notary Public

25




155



1

2 DEPOSITION ERRATA SHEET

3 RE:
FILE NO.
4 CASE CAPTION: UMG V. LINDOR

5 DEPONENT: DR. DOUGLAS W. JACOBSON
DEPOSITION DATE: 2/23/07
6

7 To the Reporter:
I have read the entire transcript of my Deposition
8 taken in the captioned matter or the same has been
read to me. I request for the following changes
9 be entered upon the record for the reasons
indicated.
10 I have signed my name to the Errata Sheet and the
appropriate Certificate and authorize you to
11 attach both to the original transcript.
___________________________________________________
12 ___________________________________________________
___________________________________________________
13 ___________________________________________________
___________________________________________________
14 ___________________________________________________
___________________________________________________
15 ___________________________________________________
___________________________________________________
16 ___________________________________________________
___________________________________________________
17 ___________________________________________________
___________________________________________________
18 ___________________________________________________
___________________________________________________
19 ___________________________________________________
___________________________________________________
20 ___________________________________________________
___________________________________________________
21 ___________________________________________________
___________________________________________________
22 ___________________________________________________

23

24 SIGNATURE:___________________ DATE:________________

25 DR. DOUGLAS W. JACOBSON




156



1

2 I N D E X

3 WITNESS EXAMINATION BY PAGE

4 DR. DOUGLAS W. JACOBSON MR. BECKERMAN 4

5 MR. GABRIEL 149

6

7 --------------- INFORMATION REQUESTS ------------------

8 DIRECTIONS: None

9 RULINGS: 25, 26

10 TO BE FURNISHED: 53

11 REQUESTS: 115

12 MOTIONS: 22, 26

13

14 E X H I B I T S

15 DEFENDANT'S Page
for Iden.
16
1 Press release from Palisade Systems, Inc. 8
17 bearing the headline "Peer-to-Peer
File Sharing Struggles Intensify
18 in Universities"

19 2 One-page press release of Palisade 9
Systems, Inc. dated April 21, 2004
20
3 Two-page article by David Chappelle 9
21 dated April 19, 2004

22 4 C/net News.com article dated 11
April 21, 2004
23
5 Press release from ZDNet entitled 14
24 "File-Swap Killer Grabs Attention"

25 6 Printout of numbered pages 36 to 45 65




157



1

2 7 Study entitled "The KaZaA Overlay: 70
A Measurement Study"
3
8 One-page chart 72
4
9 Paper entitled "Pollution in P2P 75
5 File Sharing Systems"

6 10 Two-page printout of page numbers 82
46 to 47
7
11 Printout of page numbers 49 to 187 83
8

9
12 Printout of pages 199 to 224 83
10
13 One-page printout of page numbered 48 83
11
14 Printout of pages numbers 188 through 198 83
12
15 Undated October report 89
13
16 Dr. Douglas W. Jacobson's April report 93
14
17 Page of handwritten notes 97
15
18 Single-page document bearing 98
16 "wireless router" at the top

17 19 Two-page letter from Verizon 99

18 20 One-page resume, page number DJ0076 100

19 21 One-page document with a flowchart 102

20 22 Three-page document entitled 104
"Witness Statement of Henk Sips
21 and Johan Pouwelse"

22 23 Declaration dated December 19, 2006 134

23

24
February 23, 2007
25 New York, New York




158



1

2 C E R T I F I C A T E

3 STATE OF NEW YORK )
) ss.:
4 COUNTY OF RICHMOND)

5

6 I, ELIZABETH SANTAMARIA, a Registered

7 Professional Reporter and Notary Public of

8 the State of New York, do hereby certify

9 that the foregoing Deposition is, of the

10 witness, DR. DOUGLAS W. JACOBSON, taken at

11 the time and place aforesaid, is a true and

12 correct transcription of my shorthand notes.

13 I further certify that I am not

14 neither counsel for nor related to any party

15 to said action, nor in any way interested in

16 the result or outcome thereof.

17 IN WITNESS WHEREOF, I have hereunto

18 set my hand this day of March, 2007

19

20 _____________________________

21 ELIZABETH SANTAMARIA

22

23

24

25





  


The Results of Your Labor and a Thank You, by Ray Beckerman, Esq. - Updated | 529 comments | Create New Account
Comments belong to whoever posts them. Please notify us of inappropriate comments.
Corrections here please
Authored by: The Cornishman on Sunday, March 04 2007 @ 05:26 AM EST
In case a friendly editor has time to incorporate them!

---
(c) assigned to PJ

[ Reply to This | # ]

Off-Topic Thread
Authored by: The Cornishman on Sunday, March 04 2007 @ 05:28 AM EST
It helps very much if you make clickable links - follow the guidance in red on
the Post a Comment page.

---
(c) assigned to PJ

[ Reply to This | # ]

Stunning!
Authored by: jmc on Sunday, March 04 2007 @ 05:44 AM EST

I don't know what stuns me most

  1. Jacobson's incompetence
  2. His ignorance of the most basic details of IPs etc
  3. His slapdash 45 minute research
  4. His evasiveness
  5. RIAA's obvious dishonesty using him

RIAA's conduct here makes SCO look like innocent little lambs.

[ Reply to This | # ]

Wow. Just...wow.
Authored by: achurch on Sunday, March 04 2007 @ 06:11 AM EST

There is just so much wrong with this that I can't even laugh. Take:

Q. So you did not document your findings in EnCase at all, did you?

A. No.

Q. Did Mr. Gabriel tell you to do that?

A. No.

Q. So did you feel that you could just review it on EnCase and then come and testify from memory at a trial? Is that what you intended to do?

A. I examined the hard drive, found no evidence of file sharing software or audio files, and so there was nothing to document.

"Nothing to document"? You document the fact that there was nothing to document, and how you found that. Even I know that much!

(I do have to admit the questions seemed a little overbearing at times, though. I didn't know "inculpate" either, and though I could probably have guessed at it from "exculpate", it might have taken a moment to make the connection. Reading back his qualifications and then making a snide remark about vocabulary, especially for a word that hardly sees everyday use, just doesn't strike me as constructive.)

[ Reply to This | # ]

RIAA incompetence, not Dr Jacobson's
Authored by: Anonymous on Sunday, March 04 2007 @ 07:48 AM EST

I think jmc unfairly characterises Dr Jacobson in Stunning!

I've been in a similar situation where the UK police used me to do initial expert recovery and examination of a server from a data-centre, and they do seem to expect pro-bono work and have no realistic understanding of the days or weeks it might take to produce a legally tight report.

Also, they often have no idea of how difficult it can be to absolutely determine real events from data on a drive - after all, anything can the written to drives with any timestamp, etc., so as an expert you are always assuming based on normal usage - and by definition when an investigation is warranted you should be looking for abnormal usage.

It is pretty clear from Dr Jacobson's testimony that he does a lot of these kinds of examinations for RIAA, and from the time he allocates it looks pretty much like RIAA pay a fixed amount per examination, so he's not going to have time to do much more than a cursory investigation.

It sounds like these are what I'd term exploratory investigations to determine if there is something to follow-up on.

As he says, since he found nothing he reported that, and at that time had no expectation of the matter reaching court, or being deposed.

If something were found, and the RIAA takes the matter to court, I'd then expect them to commission a more expensive, in-depth, investigation of the drive with full reports.

So the incompetence here is, if anyone's, RIAAs.

I don't see any evidence for your assertion of "His ignorance of the most basic details of IPs etc".

He appears to have a good grasp of IPs and how certain configurations can be inferred from the IP packet and the Kazzaa meta-data, as reported by MediaSentry.

It does seem as if the Defendant's lawyer, Mr Beckerman, had been misled by the 'community assistance' into trying to use MAC addresses to derail Dr Jacobson's testimony - and to me made the defence look incompetent since if they'd consulted their own 'expert' they'd have been told the MAC address is only visible on the same (un-routed) physical segment of a network, and isn't generally available across the Internet.

Dr Jacobson does seem evasive and initially it does make his testimony less credible, especially his deliberately trying to obfuscate how an IP address cannot, of itself, show the 'Natural Person' (human being) using or in control of the device having the IP.

As an expert witness (at least in the UK) your duty is to the court, and you shouldn't be swayed by the aims of the party that engages you.

But that said, at the time he produced this report, and the other 200-or-so reports he mentions, there was no court action so his reports would follow the lines directed by his client RIAA, via the law firm Holme Roberts & Owen.

His expert testimony is that:

  1. MediaSentry screenshots and Verizon logs seem to show that the Defendant's account (and if DSL/cable, presumably home address) was the location from which MediaSentry was receiving data.
  2. The hard drive he examined didn't appear to have been used with Kazaa

I agree that he appears to be being misused by RIAA, and it does tend to highlight their arrogance in not having a well-designed and executed procedure for the technical investigations - after all, it is the mainstay of almost every accusation RIAA has made against individuals.

If they had one, and followed it, it would 'weed out' these kinds of cases well before they got anywhere close to a courtroom.

I've seen other reports where RIAA base their accusations based on file-names, and claim that proves copyright material is being shared.

I also read that RIAA or their members apparently pay some companies to 'pollute' the file-sharing networks with files that carry names of copyright materials but whose content is garbage.

Given that practice, I'd think any court would throw out any evidence based on MediaSentry print-outs, and that a well-formed investigation would focus on the content of files downloaded from the host.

[ Reply to This | # ]

New Yorkers Please Help!
Authored by: Anonymous on Sunday, March 04 2007 @ 07:56 AM EST

The bulk of the testimony seams to indicate that Mrs. Lindor had a Cable Modem. However, Dr. Jacobson testified he wasn't certain if she had a cable modem or a DSL modem. If you look at the tracert log you see the line:

15. a3-0-0-1728.dsl-rtr10.ny325.verizon-gni.net

This would lead me to believe that this is likely a DSL address. It is a pretty major detail could really weaken the RIAA case. The exhibit is at: http://www.ilrweb.com/viewILRPDF.asp?filename=umg_ lindor_070223JacobsonEx13

You can run a tracert and find out if you are connected via that router by typing this at the Windows XP command line:

tracert slashdot.org

or

tracert 141.155.57.198

It would be really interesting to know if any New York customers connecting through a3-0-0-1728.dsl-rtr10.ny325.verizon-gni.net are running DSL or Cable Modems. It might really help the case.

[ Reply to This | # ]

Nits to Pick
Authored by: Blrfl on Sunday, March 04 2007 @ 09:10 AM EST
A couple of things I noticed:

Page 142, Lines 18-21: Technically, his statement about every packet having
some kind of MAC header is incorrect. There are a number of transport
mechanisms you'd find on a large ISP's network that don't have anything
analogous to a MAC. In any case, MAC addresses are meaningless here, because
either end is only going to see MACs for devices that are electrically connected
(i.e., on the same Ethernet segment).

Page 142, Lines 22-25: Verizon does not offer IPV6 to residential customers.

Page 148, Lines 2-5: Again, incorrect about MACs. Any two nodes communicating
on the Internet identify each other using *IP* addresses.


I do hope this case works out, because it would set precedent that you can't
make the jump from an IP address to a living, breathing person without
additional evidence.

--Mark

[ Reply to This | # ]

Faulty assumption
Authored by: Anonymous on Sunday, March 04 2007 @ 09:45 AM EST
The witness makes repeated assertions that because the X-KaZaA-IP field in the
packet matched the source address that indicates that NAT was not done. This is
untrue in the case that the NAT implementation is aware of Kazaa packets and can
replace that field with the real external IP address in which case they would
match.

[ Reply to This | # ]

An easier read?
Authored by: The Cornishman on Sunday, March 04 2007 @ 09:52 AM EST
The transcript is a superb job of reproducing the pdf exactly, but it's a bit hard on the eye, and a nightmare for screen readers, so as I read, I edited. A reformatted edition is here without line numbers and using single spacing. Jonathan

---
(c) assigned to PJ

[ Reply to This | # ]

  • An easier read? - Authored by: Anonymous on Sunday, March 04 2007 @ 10:54 AM EST
Ray Beckerman's comments on Slashdot
Authored by: Anonymous on Sunday, March 04 2007 @ 10:39 AM EST
Ray Beckerman has posted replies to comments on the "RIAA's 'Expert' Witness Testimony Now Online" article on Slashdot.org

Look for comments from "NewYorkCountryLawyer (912032)"

[ Reply to This | # ]

The Results of Your Labor and a Thank You, by Ray Beckerman, Esq.
Authored by: Anonymous on Sunday, March 04 2007 @ 10:46 AM EST
*uffff* I read it.

[ Reply to This | # ]

Experts and Depositions
Authored by: Anonymous on Sunday, March 04 2007 @ 11:17 AM EST
In this deposition it is clear that in spots the lawer asking the questions to
the 'expert' sometimes does not appear to have a real grasp of the topic. Not
that he should, being a lawyer.

So would permitted to have the deposition of the 'expert' done by an experst and
only supervised by a lawyer so that the anwers being given by the 'expert'
expert bering deposed can be properly reacted to.

[ Reply to This | # ]

The Results of Your Labor and a Thank You, by Ray Beckerman, Esq.
Authored by: Red rob on Sunday, March 04 2007 @ 11:26 AM EST
I don't think that John came out looking as expert as he went in.
Could his testimony be dismissed on the basis of him not proving his expertise,
and using methods which have not been proven to be valid or accurate?

There are a few things that I didn't see mentioned:

*No mention of internet connection sharing.
Possible that other computers/routers were connected to this computer.
*Issues with testimony about internet use:
It is possible to find out how much use of the web has occured by looking at
the cache, history etc.
*No questioning about how easy and why a user might change IP address.
For instance, change from a wireless NAT to a wired ISP assigned IP
address.
(Might be v. lileley if probelms were occuring due to the wireless network
being used by an unknown computer infected with viruses, or doing high bandwidth
P2P)
*No questioning about Verizon's method of dynamic IP assignment.

[ Reply to This | # ]

Up is down, no.. wait a minute...
Authored by: Anonymous on Sunday, March 04 2007 @ 11:29 AM EST
11 Q. Would it be possible to have the same
12 dynamic IP address assigned to three people during
13 one minutes?
14 MR. GABRIEL: Object to the form.
15 A. It's possible.
...and a matter of seconds later...
4 Q. Well, it's true, is it not, that
5 there can be more than one computer operating under
6 a single IP address?
7 MR. GABRIEL: Object to the form.
8 A. As I talked about it in the report
9 with public IP addresses, in order for the internet
10 to function there can only be -- every public IP
11 address has to be globally unique within that window
12 of time.

[ Reply to This | # ]

If I were on the Jury....
Authored by: davcefai on Sunday, March 04 2007 @ 12:46 PM EST
I'd be bemused.

1. There is presumably some unarguable evidence linking the IP address to Ms
Lindor's account.

2. There is "evidence" that, at that IP address, copyrighted files
were shared. Or isn't there? As a juror I'd want to see filenames, hear the
songs and hear evidence that they really were copyrighted by the plaintiffs.

3. On the other side of the connection there is evidence of a hard disc which
shows no traces of copyrighted files or file sharing software.

How can Ms Lindor be found guilty of anything? Even if everything Jacobsen said
about networking were true and correct, at the end of the forensic trail there
is NOTHING.

Not guilty your honour.

[ Reply to This | # ]

MediaSentry as a black box
Authored by: Anonymous on Sunday, March 04 2007 @ 01:19 PM EST
Everything here relies on the fact that MediaSentry identified the offending IP
address, but we have no idea how MediaSentry works. As for as we know it
generates purely random IP addresses. The software has not been vetted or peer
reviewed by an independent authority. Its just a black box with data in and
data out. And you know what they say, garbage in, garbage out.

[ Reply to This | # ]

Zombies
Authored by: Anonymous on Sunday, March 04 2007 @ 02:43 PM EST

    20 Q. When you provide your investigations,

    21 do you do anything to verify or to determine whether

    22 or not the computer in question was under control by

    23 an outside remote user?

    24 A. No

The defendents lawyers showed that Dr. Doug Jacobson made no effort to look for zombies. I know that spammers use zombies a lot. What about illegal file sharers? Do they sometimes use zombies to hide the origin of files being distributed illegally?

--------------------
Steve Stites

[ Reply to This | # ]

Class action anyone?
Authored by: Anonymous on Sunday, March 04 2007 @ 03:06 PM EST
Isn't it time to bankrupt the RIAA, with a class action suit brought by the
defendents? Could be a slam dunk for
an enterprising attorney.

[ Reply to This | # ]

  • Class action anyone? - Authored by: Anonymous on Sunday, March 04 2007 @ 03:59 PM EST
  • Ricco maybe? - Authored by: Anonymous on Sunday, March 04 2007 @ 07:40 PM EST
    • Rico maybe? - Authored by: Anonymous on Monday, March 05 2007 @ 06:25 AM EST
The Results of Your Labor and a Thank You, by Ray Beckerman, Esq.
Authored by: Anonymous on Sunday, March 04 2007 @ 03:52 PM EST
I noticed in the testimony that Dr. Jacobson wasn't questioned about the
computer he used to conduct his investigation. Was it compromised? Is it
connected to the internet? Does anyone besides himself have access to it when
he is not around?

[ Reply to This | # ]

Things to note on the deposition
Authored by: ikocher on Sunday, March 04 2007 @ 03:57 PM EST
A couple things I really don't understand how they can fly in this case:

- blackbox mediasentry stuff. The whole world _must_ asume that these reports
are true and correct, with no way to trace their "investigation",
methods, and tests. How can this be? There was a case in Florida about an
alcohol monitor that the local police used, with "dubious" methods to
reports the alcohol level of a person.

-The "expert" did not document anything on the hard drive. Is he an
expert? That should have been documented, but it only starts there: If the
hard drive is from Ms Lindor, and is supposed to be the offending one, why there
are no traces of kazaa in it? Only this question is complex enough to
investigate much further, why no kazaa in the drive. Could it be that there is
another program that caused it. About the IP address reported by verizon,
windos boxes _do_store_ the last IP address a dhcp server offered, and the
"expert" didn't check this? Maybe if he did, he could have checked
that the verizon report is wrong, IPs doesn't correspond. Also is there some
botnet/virus/spyware/etc program in the drive?
That mediasentry says kazaa is the program, doesn't mean that is was, just the
protocol! Also, if he didn't find anything, could it be due to a complete new
windows re-install? He doesn't specify that.

- The expert didn't gave a clear definition of NAT. NAT=network address
tranlation and that is it, not all the things that can happen there. Sort of
leaves the door way open.

- The expert doesn't even know which kind of connection the defendant has.
Shame on him, he is the expert, the forensic expert!!! The case has been going
for too long for he not to know this simple thing.

-There is no report about the time sincronization between the verizon logs and
the mediasentry logs, I have seen offsets of days between servers that have no
ntp sincronization. The expert doesn't mention this, neither the plaintiffs,
they just asume it is correct, and bad luck to the defendant. By now if those
servers are in sync, would be no news, but back then? Maybe there is no way to
probe it now.

- Another thing is the report verizon provided. They asume it is true to the
heart. Can't it be that another customer had the IP address before, went
offline (turn off the PC), and then a another windows asumed the IP can be used
without asking the dhcp server? I have seen this buggy behavoir in windowses.


Apart, the thing that the expert is not a proffesional engineer, is not critical
in my view, he is computer sciences engineer. Also that he does not know
certian words is nothing new. It is obvious that he has not a single minute
experience as expert witness, and shame on the plaintiffs to use him, but maybe
is the _only_ option they have, sort of the only one that wants to play this
game.

Also, the defendant lawyer seems to have some sort of confusion about MAC
addresses and IP addresses. MAC are used only in the local network, be it wifi,
wired ethernet, fddi, token ring, whatever. On the other hand IP is global. IP
doesn't care about MACs beyond local network, so there is no way normally to
know a MAC address beyond a router.


I found this site
http://cvs.berlios.de/cgi-bin/viewcvs.cgi/gift-fasttrack/giFT-FastTrack/PROTOCOL
?rev=HEAD&content-type=text/vnd.viewcvs-markup
and has some sort of explanation on the fasttrak protocol that kazaa uses.
Some questions come up about the mediasentry report:
-is the offending IP (141.155.57.198) is a supernode or just client node
-which files it was offering
-which files it asked for searching
-which files it tried to download
-which username reported to the supernode

Maybe if at least some files could match in name... but this is not reported.

Is there some site where one can se the testimonies about this report?


Ivan

[ Reply to This | # ]

The Results of Your Labor and a Thank You, by Ray Beckerman, Esq.
Authored by: Richard George on Sunday, March 04 2007 @ 04:36 PM EST
The key point to help here is that an IP address is *NOT A UNIQUE* identifier
of a computer.

There is such a thing as Network Address Translation. (NAT) This provides a
many-to-one mapping from computers to IP addresses as a convenience, in
much the same way that a 4-way adaptor allows you to plug multiple
appliances into the same wall socket, or a switch-desk can redirect phone
calls.

Verizon is therefore not the sole, authoritive source of information for
mapping a particular IP address back to a particular computer, let alone
showing that a particular person was using a particular computer.

In addition to an IP address, there is a second parameter called a "port
number". Every IP address has approximately 65,000 ports available for
concurrent use, of which only a small fraction will be engaged at any one
time. Both a router and a computer can be asked to forward communications
on an unused port of one IP address on behalf of another.

This is a useful, frequently-used technique. Windows comes with this
technology built in via the 'Home Network Wizard', and there are many free
programs on the Internet that provide the facility of port-forwarding.

There are certian IP addresses that are *designed* to be duplicated across
many computers in this way, on the assumption that another computer or
router will then provide the Network Address Translation by port forwarding.

for instance, any IP address beginning 10.x.x.x or 192.168.x.x is designated
as requiring translation by an upstream computer or router.

If the defendant had a wireless router, it would be trivial to get this piece of

hardware to forward requests that would masquerade as the defendant if
Verizon's logs were inspected.

If the defendant's computer were compromised or misconfigured, it would be
trivial to make Lindor's machine behave as a router itself and relay file-
sharing requests on behalf of another, unknown third party.

It is also possible to trick a router into believing that an unknown machine
owns a particular IP address by recording and then replaying the MAC
address of the true owner at a time when the true owner has their machine
turned off.

[ Reply to This | # ]

The big lie
Authored by: Anonymous on Sunday, March 04 2007 @ 05:34 PM EST
Mr. Beckerman presented the possibility that a visitor might plug a laptop into
an internet connection. That laptop would use the IP that had been assigned to
the connection. Even when Jacobson had been forced to admit that an IP address
does not uniquely identify a computer or the person using it, he still insisted
in talking as though there was such a link.

Jacobson teaches his students how to break security. Even though Jacobson
admitted that IP addresses and MACs could be spoofed he still talked as though
an IP address could identify a computer.

If you tell a big lie often enough, people will believe it.

[ Reply to This | # ]

A very sloppy report in the first place
Authored by: Alan(UK) on Sunday, March 04 2007 @ 06:21 PM EST
See April 12, 2006, Expert Witness Report of Dr. Doug Jacobson, items 15 to 23.

The man cannot even write a simple report - how did he write his PhD thesis?

It is just so careless. This section represents the only part of the 35 page report that contains material particular to the case. It seems to be entirely based on hearsay evidence.

I also note that the defendant has to ask for the documents essential to the plaintiff's case: Defe ndant's Request for Documents. If the defendant had failed to ask the plaintiff for evidence that they had standing to bring the case, would the plaintiff be able to bring this up in court?

---
Microsoft is nailing up its own coffin from the inside.

[ Reply to This | # ]

The RIAA Doesn't Really Need an Expert Expert....
Authored by: Anonymous on Sunday, March 04 2007 @ 06:41 PM EST
The RIAA intentionally targets those with little ability to challenge the threat
of a lawsuit. Since few, if any, have the resources to go one-on-one with the
RIAA, much less afford a **REAL** expert of their own, it really doesn't
matter.

It is the ability to abuse the legal system that matters to the RIAA, not the
merits of their claims.

May their day in court come at the pearly gates.

[ Reply to This | # ]

no md5 signatures?
Authored by: Anonymous on Sunday, March 04 2007 @ 07:17 PM EST
The most astonishing bit isn't about ips, macs or wireless...
Q. What is the MD5 hash of the hard
6 drive you examined?
7 A. I don't recall what that is.
8 Q. What is the SHA1 hash of the hard
9 drive image you examined?
10 A. I don't even recall looking at that.
Let me tell how a forensic works. The CSI (don't know in USA, here any investigation must be done by the police) get the drive, get a md5 signature of the disk and make other copies (bit to bit). Working with a copy, they make signatures of all the files of the disk. They have to document and procedure all the work, maintaining the integrity of the disk.
Is the disk the original one? if it is and the police didn't do anything with it, not only should it be discarded as proof, you should be able to accuse them for fakeing proofs and extortion because they could have just made up all the case planting the "evidences" after getting the disk. If it's a copy, how was managed the trust chain, where , when and who made the signatures. A report without following a standard isn't evidence is a fake, although you can always redo it from a trusted disk/copy.

Of course how was done the job by MediaSentry and the procedures of Verizon seem tainted too.

[ Reply to This | # ]

Is this normal for "expert" testomony?
Authored by: brian on Sunday, March 04 2007 @ 07:54 PM EST
From the deposition (cleaned up for clarity):

"Q. But when you viewed it in EnCase, you didn't make any
documentation of what you saw in the registry entries?

A. I was looking for evidence of the KaZaA program and
found none.

Q. But you actually had the register entries in front of
you on the screen and you didn't make any record of that?

A. There wasn't anything to make a record of.

Q. There were no register entries?

A. There were register entries, but none associated with
KaZaA.

Q. You were told by Mr. Gabriel just to look for things
that incriminated the defendant?

MR. GABRIEL: Objection to form.Lack of foundation.
Argumentative.

Q. Is that your testimony? Were you directed only to find
things that helped the plaintiffs win their case?

MR. GABRIEL: Same objections.

A. I was told to examine the hard drive for evidence of
file-sharing software and evidence of MP3.

Q. That's all you were told to examine it for? So you
weren't told to examine it for evidence as to whether it
had been -- the hard drive had been changed or anything
like that?

A. I wasn't directed to do anything more than that,
although as part of the examination I did -- as noted in
Exhibit 17, I noted, for example, that the operating
system was repaired on July 7th of '04.

RQ MR. BECKERMAN: I call for the production of those
register entries.

MR. GABRIEL: They don't exist. The witness doesn't have a
duty to create them and you have your image of his hard
drive. You can produce them yourself.

Q. So EnCase has no way of backtracking your project?

A. The only record it keeps is when you specifically write
something to a report file; when you see something, you
explicitly say, "Put this in a report."

Q. So you were just looking in the registry for evidence
of KaZaA? That's it?

A. I was looking for the IP address and as shown in
Exhibit 17, I was looking for evidence of dates about the
system, so the date the system was repaired."

Here you have a case of a negative finding and this expert
decides unilaterally to not record that fact?!?! To make
matters worse, you have the RIAA lawyer stating that they
don't have a duty to preserve evidence or to produce that
evidence in discovery...

"They don't exist. The witness doesn't have a duty to
create them and you have your image of his hard drive. You
can produce them yourself."

This appears to me to be a classic case of burying
evidence prejudicial to your case.

As an aside, does anybody here have any experience
with "EnCase"?

B.

---
#ifndef IANAL
#define IANAL
#endif

[ Reply to This | # ]

Future questions
Authored by: elhaard on Sunday, March 04 2007 @ 08:03 PM EST
Some questions I wish Dr. Jacobson had been asked:

Q:
Would it be possible to have a router or similar device
- wired or wireless - that would assign to a local
computer the same IP address that it itself got from the
ISP?

A:
I am not aware of any such use.

[Question repeated]

It would be possible, but uncommon.



Q:
If using such a router or similar device, is it true that
different computers connected to this router or similar
device at diferent times possible could be assigned the
same, public address

A:
That would be the case, yes.


Q:
Would it be possible to construct routers using NAT while
being aware of application-level protocols - thus having
the capability to not only do Network Address
Translation, with regards to the IP package headers but
also changing the payload of the packages accordingly?

A:
In theory, that might be possible.

Q:
Do there, to your knowledge, exist any such
application level aware routers?

A:
I am not aware of any specific product.

[Question repeated]

There might be some...


Q:
Would it be possible to have such a router change the
IP-address in the payload of packages used for Kazaa
traffic?


A:
I have no personal knowledge of such products.

[Question repeated]

It could be possible...



Q:
Considering this, are you absolutely sure that no router
or similar device has been used?


A:
Yes.

[Question repeated]

No.

Q:
And are you still absolutely sure that the computer
identified by MediaSentry belongs to Ms. Lindon?


A:
My report identifies Ms. Lindon...

[Question repeated]

Nowhere is purchase information.

[Question repeated]

The IP address is shown to...

[Question repeated]

No.



-elhaard

---
This comment is licensed under a Creative Commons License (Attribution 2.0).
Share & enjoy!

[ Reply to This | # ]

Why would Kaaza send a private IP address?
Authored by: Anonymous on Sunday, March 04 2007 @ 08:34 PM EST
The "evidence" that there was no router seemed to be that the Kaaza
software was sending "the" machine IP as data in a packet. It it were
to ship a 192.168... address it would be pointless - it may as well send out
127.0.0.1.

I imagine that if Kaaza actually sends an IP address in a data packet for some
real reason, it would have to be the effective public address. Such an address
can easily be automatically found by the software (like whatismyipaddress.com).
The "agreement" of IP addresses would occur every time whether or not
the computer running Kaaza was behind a NAT router, or wireless router etc.

[ Reply to This | # ]

Are you yourself an engineer?
Authored by: akStan on Sunday, March 04 2007 @ 09:16 PM EST
14 Q. Dr. Jacobson, are you yourself an
15 engineer?
16 A. Yes.

IEEE-USA position on Use of the Title Engineer
All jurisdictions protect the titles Professional Engineer, ....
some jurisdictions protect the title, Engineer, with no qualifying words added. ...
Generally, the public interprets the term, Engineer, to mean ....

It is our position that the title, Engineer, and its derivatives should be reserved for those individuals whose education and experience qualify them to practice in a manner that protects public safety.
1. In New York State, who can practice professional engineering/land surveying?

Engineers with striped bib-overalls and caps are hardly of concern here :-)
but use of engineer for achieving stature or qualification as to some level of expertise is of concern.

A case study by the NSPE Board of Ethical Review illustrates the level of acceptable practice involved.

[ Reply to This | # ]

Thank you, Mr. Beckerman
Authored by: grouch on Sunday, March 04 2007 @ 09:30 PM EST
Mr. Beckerman:

Thank you for your work and for this follow-up. It is both encouraging and enlightening. The way the deposition was conducted is very informative by itself, even without considering the content.

It couldn't have been an easy job to distill all of the stuff in the Groklaw discussion into the concise form of the deposition. That's assuming that those questions which somewhat match the ones suggested by various people in the discussion back in December actually came from there. It's kinda nice to think we (collectively) might have helped in the battle to force the RIAA to use facts instead of economic terrorism in their campaigns.

---
-- grouch

http://edge-op.org/links1.html

[ Reply to This | # ]

As I Read Through, I Note...
Authored by: Simon G Best on Sunday, March 04 2007 @ 10:19 PM EST

As I read through, I note the following.

  1. Page 40, line 22 to page 42, line 8: Jacobson's own hard drive examination methods haven't been independently checked, peer-reviewed, or anything like that. He doesn't even know the error rate of his methods:-

    41

    ...

    17 Q. Is there a known rate of error for

    18 your method?

    19 A. No.

    20 Q. Is there a potential rate of error?

    21 MR. GABRIEL: Object to the form.

    22 A. I guess there is always a potential

    23 of an error.

    24 Q. Do you know of a rate of error?

    25 A. To my process, no.

    Seems to me that he can't even testify that his own methods are reliable.

  2. Page 42, line 9 to page 43, line 22: Jacobson seems similarly unable to testify to the reliability of MediaSentry's methods. In particular, on page 43, lines 5 to 7, there's this:-

    5 Q. So when you evaluate the MediaSentry

    6 materials you are assuming them to be accurate?

    7 A. Yes.

    He's "assuming them to be accurate"?!? So, when it comes to his examination, review, or whatever it was, of MediaSentry's investigation, he's actually starting off with the assumption that their methods are accurate?!? Incredible. Unbelievable.

  3. Page 45, line 20 to page 48, line 11: Jacobson reveals that he had not taken possible computer security vunerabilities into account:-

    45

    ...

    20 Q. Do any of your three reports -- by

    21 "three reports" I'm referring to the April 7th

    22 initial report, the December 19th declaration that

    23 you signed and the October report which you did not

    24 sign. Do any of those three reports discuss the

    25 possibility of any alternate explanations other than

    46

    1 Jacobson

    2 copyright infringement?

    3 MR. GABRIEL: Object to form to the

    4 extent that they speak for themselves.

    5 You can answer the question.

    6 A. Please read the question. I didn't

    7 understand.

    8 (Record read.)

    9 A. Alternate explanations to?

    10 Q. Your conclusions.

    11 A. No.

    12 I'm sorry. I said, "No."

    ...

    47

    ...

    10 Q. Can you think of any possible

    11 security vulnerabilities in the computer that was in

    12 Marie Lindor's apartment?

    13 MR. GABRIEL: Object to form and

    14 foundation.

    15 A. Repeat the question. Read it back.

    16 (Record read.)

    17 A. I didn't examine the hard drive that

    18 was given to me for security vulnerabilities, so I

    19 can't attest to what vulnerabilities may have been

    20 present in that hard drive.

    21 Q. As we sit here, can you think of any

    22 possible security vulnerabilities in the computer

    23 that was in Marie Lindor's apartment?

    24 MR. GABRIEL: Objection to form.

    25 Lack of foundation.

    48

    1 Jacobson

    2 A. Read that back.

    3 (Record read.)

    4 A. Can you read it one more time.

    5 (Record read.)

    6 A. I'm sure the possibility exists there

    7 were security vulnerabilities. Again, I don't know

    8 which ones would apply to that particular computer.

    9 Q. And did your report discuss any of

    10 those possible security vulnerabilities?

    11 A. No.

  4. Page 57, lines 17 and 18: Jacobson refers to "the public internet". Not exactly significant, but it amused me. Some might know why.

  5. Page 128, line 4 to page 131, line 11: Jacobson is, again, unable to testify to the reliability of Verizon's procedures for determining who the relevant IP address was assigned to at the relevant times. Indeed, on page 130, lines 10 to 14, there's this:-

    10 Q. So is it fair to say that all of your

    11 reports are based on the assumption that the

    12 information which you obtained from Verizon was

    13 accurate?

    14 A. Yes.

  6. Page 140, lines 20 to 24: In his investigations, Jacobson did nothing to determine whether or not the computer in question might have been compromised:-

    20 Q. When you provide your investigations,

    21 do you do anything to verify or to determine whether

    22 or not the computer in question was under control by

    23 an outside remote user?

    24 A. No.

  7. Page 140, line 25 to page 144, line 2: Again, Jacobson's done very little indeed to check the reliability of the stuff he looked at. Again, he seems unable to testify to the reliability of stuff from MediaSentry and Verizon. There's nice stuff about how easy it is to edit and modify screen shots and log files.

  8. Finally, page 152, lines 18 to 20: Mr Gabriel and Dr Jacobson have decided to make a quick getaway:-

    18 MR. GABRIEL: Thank you for your

    19 courtesy. We are going to run out and

    20 make a plane.

Well done, Mr Beckerman, on showing so clearly that Dr Jacobson had done very little indeed to actually verify the stuff he was testifying about. Well done!

:-)

---
"Public relations" is a public relations term for propaganda.

[ Reply to This | # ]

The Results of Your Labor and a Thank You, by Ray Beckerman, Esq.
Authored by: Anonymous on Sunday, March 04 2007 @ 10:22 PM EST
This is great, it's like the emperor (RIAA/MPAA) is FINALLY being told at long
last he wears no clothes after a long embarassing period of flashing (of not
much substance) by the plaintiff.

Kind of unfortunate (like in SCO v. IBM, etal.) that it is so painfully slow,
and costly for the defendants. I really pray for countersuits with damages (I
wish treble). I really hope it's not only RIAA who falls like this, and that
MPAA is not far behind.

Finally, this is so historic it's almost glorious to watch. Kind of feels like
a David v Goliath thing.

[ Reply to This | # ]

He seems remarkably well prepared
Authored by: rsteinmetz70112 on Sunday, March 04 2007 @ 10:54 PM EST
Based in depositions I've done he seems remarkably well prepared, repeating the
same answer to similar question verbatim.

I also would have, at times, liked to have had an attorney protecting me as well
as he was protected.

Many of the objections seem invalid and designed only to throw the questioner
off and consume time.

I still haven't gotten through the whole thing, it's hard to read.

---
Rsteinmetz - IANAL therefore my opinions are illegal.

"I could be wrong now, but I don't think so."
Randy Newman - The Title Theme from Monk

[ Reply to This | # ]

An open call for the REAL networking experts
Authored by: dht on Sunday, March 04 2007 @ 11:58 PM EST

I'd like to suggest that the legal team (and even many of us here) could do with some advice from some REAL networking experts. Perhaps one or some of the people from the netfilter.org team could be persuaded to take an interest. They know this stuff cold, and off the top of their head(s).

Perhaps someone with the stature of Rusty Russell?

[ Reply to This | # ]

As a victim of IP Spoofing...
Authored by: toads_for_all on Monday, March 05 2007 @ 12:01 AM EST
...I can say it takes some doing to convince your ISP that no, you really
*didn't* send that porn spam at 2:00AM, due to the fact that while your DSL
modem might have been on, your computer wasn't, and you were asleep. And don't
even try to blame my 75-year-old mother.

Actually, it was either spoofing, or someone managed to hack the wireless. I
turn my modem off nowadays when I'm not using it.

FWIW, EnCase seems to be a decent program. I used it to try out Evidence
Eliminator once. EE failed to delete everything it was supposed to. (No, not
the porn spam, some innocent test files)

[ Reply to This | # ]

Wow. Good Job.
Authored by: mobrien_12 on Monday, March 05 2007 @ 12:33 AM EST
I must say, I am impressed. I always thought the RIAAs cases were flimsy...
the more I read about this one, the more I was convinced about it.

Now this... I read this, and I am very negatively impressed with Dr. Jacobson.

All that stuff which he didn't document, because he wasn't looking for it, but
wasn't he the one who read the personal documents on her hard disk, including a
resume, which he did doucment? I would have loved to hear him explain how that
comes under forensics of Kazaa usage!

Oh yeah... this little gem:

"9 Q. And they have never used you as a

10 witness?

11 A. No. We never -- they've always

12 settled."

Wow... go figure. Makes one wonder if that was the RIAA strategy all along,
doesn't it?

Also, it looks like Mr. Beckerman got some good technical knowledge here to
question Dr. Jacobson. It seems at least some of the stuff from Slashdot and
Groklaw was helpful.

[ Reply to This | # ]

Is this scenario possible?
Authored by: Anonymous on Monday, March 05 2007 @ 05:24 AM EST
Could the NAT router have been incorrectly set up incorrectly in this way?

The defendant's husband is not an expert at setting up networks. The defendant's
husband connected to the Internet directly the first time, and got the IP
address assigned to the computer by reverse look-up on the Internet, or by using
a tool to look up the network address the computer interface was using. He
writes this IP address down for reference.

The defendant's husband then goes out and buys a NAT firewall-router (or sets up
a firewall-router built into the DSL modem). Not being an expert on firewalls,
he thinks this is the IP address that the computer must always have, and sets up
either DHCP on the LAN to allocate this to the computer's ethernet interface, or
sets up that IP address as a static address on the computer interface. He using
his limited knowledge, he enables NAT on the firewall-router and fiddles around
with the LAN subnet address and netmask on the NAT router until it works.

He now has the network interface on his computer set to one of the IP addresses
in the ISP's IP address pool, and this is translated to the (different) IP
address allocated by the ISP at that time to the interface on the Internet side
DSL router.

The RIAA's expert Mr Jacobson examines the hard drive and finds no private IP
numbers on the hard drive. He may also find one IP address on the computer that
matches one of the IP addresses in the ISP's DHCP IP pool. He concludes that the
computer must have been connected directly, but he is wrong. What is more the
Internet IP address found on the computer that matches those associated with
illegal file copying would at the same time have been allocated to someone else
on the Internet, who is the real illegal downloader and not the defendant.

[ Reply to This | # ]

Has anyone considered time drift?
Authored by: Anonymous on Monday, March 05 2007 @ 07:04 AM EST
Each machine can have a different time.

The ISP server could have a different time then your PC.

In addition the PC monitoring so called illegal activity could have a different
time from everyone else.

So how do you tie the ISP server log time with time on the monitoring PC and
anyone elses PC?

You can't without knowing that at least the ISP's Server and the monitoring PC
are locked to the same time perferably via a hardware clock using an atomic
radio signal (quite expensive).

Because if you do the time sync via the internet you can can have quite a large
time difference depending on the load on the timer server and internet traffic
as well as distance (number of nodes) from the time server...

So ask them to __prove__ the times are the same.

DBLD

[ Reply to This | # ]

This bears closer following`
Authored by: Anonymous on Monday, March 05 2007 @ 07:31 AM EST
PJ, MathFox, I think this is one of those cases that bears more permanent following. Clearly it could benefit from community scrutiny of the kind that SCO vs IBM has had at Groklaw, and very possibly has the potential for broader and more lasting societal impact. We should consider whether we can add this one to the official set of cases we watch in detail.

J

[ Reply to This | # ]

A few points that may help
Authored by: pajamian on Monday, March 05 2007 @ 08:11 AM EST
First off, IANAL and IANAE (I am not an expert) (ok, it's possible that I might
be considered an expert in some capacity, but don't rely on that).

These have been pointed out already, but I thought I would recap them myself in
case they are missed:

Primary point: Expert contends that the public IP address shown by Media Sentry
indicates that a NAT router was not used.

Rebuttal: I can only speculate as to why Kazza supplies a secondary IP address
in the data packets, but perhaps this will help.

Kazaa and other P2P apps work by transferring a data payload directly between
two peers. The peers need an IP address in order to know what computer to
connect to to get the data for a file on the internet. Kazaa most likely
supplies the address of the computer it's running on for this purpose.

Now supplying an internal private network IP address is utterly useless because
no computer on the internet can connect to it except for those that are also on
the same internal network. Kazza, however, can't know that it is running on a
computer behind a NAT firewall and so will likely, in its default configuration
supply such a private IP address, which would show up in the Media Sentry logs
and indicate that the computer resides behind a NAT router. The expert here
contends that because this supplied IP address is the same public IP as the one
that is in the packet headers then the computer must not be behind a NAT router.
THIS IS NOT TRUE!

The Kazaa supplied IP address can likely be manually set (via some configuration
option) to be the same as the public IP address (I do not know this to be the
case absolutely, but it would make sense that it can be to overcome the problem
of locating a computer on the internet that is behind a NAT router). Even in
the event that Kazaa itself does not have this option, one or more of the many
Kazaa clone programs probably can. Also note that as others have stated, this
could also be changed by a smart router that can recognize a Kazaa packet and
change this IP address on the fly.

Point 2: The "Expert" states that by his examination of the Media
Sentry logs, Kazaa was definitely running on the computer at that IP address.

I would venture into this further, there are several Kazaa clone programs that
can operate on the Kazaa network and appear as Kazaa to other programs on the
network. Does this expert know for a fact that the program was indeed Kazaa and
not one of the clones? If so, how? If not, how can he be certain that subtle
differences between the way that Kazaa works and the clone works might not
affect the data gathered from Media Sentry? Specifically how can he be sure
that the clone program might not report the actual public IP instead of the
private one if the computer were behind a NAT router?

3rd point: This is just educational and may help your understanding of dynamic
IPs. It has also been discussed at length by others, but I'm re-iterating it
here just in case my summary can help.

A dynamic IP is simply any IP address issued by an ISP or some other host entity
that is subject to change at any time. Depending on the ISP the IP address can
last for seconds, or hours or days or even years. As an example, I know of ISPs
who reset all DSL connections and re-assign IP addresses on a daily basis. In
contrast my own ISP defines my IP as dynamic, but it hasn't changed in the
several months that I have been with that ISP, despite several resets of my DSL
router (they tell me that the IP is really 99% static, but they call it dynamic
so that they can legally change it without notice if some pressing technical
reason presents itself for that).

My point is that "dynamic" can really mean lots of things in terms of
how often an IP address changes and you really can't know for sure without
checking with the ISP itself.

I think that for this and other reasons it may be worth while to depose someone
from the ISP in this case. I say "may" because it is possible that
the records and testimony you get from them could strengthen the RIAA case.

Good luck and I hope that these points help.

---
Windows is a bonfire, Linux is the sun. Linux only looks smaller if you lack
perspective.

[ Reply to This | # ]

MediaSentry's methods
Authored by: Anonymous on Monday, March 05 2007 @ 09:13 AM EST
Jacobson is using information provided by MediaSentry to base his findings.
Throughout this deposition he repeatedly states that he has no knowledge of
MediaSentry's methods for gathering their data.

Anyone can create a text file containing data that looks like a KaZaa log
showing the downloads of files. Screen shots can be faked as well.

Is there someone from MediaSentry who will testify on how they produced their
data that Jacobson is drawing his conclusions from?

[ Reply to This | # ]

The Results of Your Labor and a Thank You, by Ray Beckerman, Esq.
Authored by: Anonymous on Monday, March 05 2007 @ 09:29 AM EST
It took a while to read this and it was very interesting.
It seems to me that the US legal system has a problem.

There is no technical threshold that needs to be passed
to even start a case against an individual. Its like
suing your neighbor because the rain storm flooded your
garden and you saw your neighbor dancing in his yard
just befor the storm came. There really needs to be a
rigrous technical review by technically competent
individuals of any "evidence" before the perspective
plaintiff is allowd to even start impacting the life of
a perspective defendant through legal proceedings.

This deposition really demonstrates how sorry the US
legal system has become. RIAA had no techincally correct
reason to go after Ms. Linder.

[ Reply to This | # ]

This guy has no idea was forensics really is about!!
Authored by: Anonymous on Monday, March 05 2007 @ 12:09 PM EST
The very first thing you do is TAPE everything with a camcorder from opening the
package with the HD image (and breaking the seals) to view and reporting.

Basically, not having done any of it, I would say his deposition is simply
"hearsay" and has no legal validity.

I hope that the whole thing will be thrown out and the guy will start learning
how to do his "expert" job.

[ Reply to This | # ]

Chain of evidence lacking
Authored by: pgmer6809 on Monday, March 05 2007 @ 12:25 PM EST
IANAL but it looks to me as if there is no 'verifiable' chain of evidence here.
If this were a drug case, say, where the various pieces of evidence were
collected that sloppily, I would guess that much of it would be thrown out.
There is no way of verifying Verizon, MediaSentry, which computer was used,
which person was using the computer, even which residence the IP was assigned
to, or whether it was spoofed.
What good is it to have an 'expert chemist' testify that yes the stuff in the
bag is cocaine, when you cannot prove where the bag came from, whether it was
planted, who touched it after you seized it, who it belonged to when you found
it buried in the back yard.

[ Reply to This | # ]

Cable modem downloads over a phone DSL Line?
Authored by: Anonymous on Monday, March 05 2007 @ 01:11 PM EST
It appears that Mrs. Lindor was using a cable modem, going by the DHCP servers listed on Exhibit 17. These DHCP addresses are from CableVision, a cable company. Exhibit 13 clearly shows a MediaSentry tracert to a DSL connection at Verizon, a phone company.

There is no way that Mrs. Lindor was going to be using DSL to download anything over a cable modem. From this, I see why Dr. Jacobson said the following:

Q. What type of internet service was used by the computer that MediaSentry was interacting with?

A. There wasn't enough information from Verizon to indicate whether it was a cable modem or a DSL.

Q. So you don't know?

A. No.

Thanks to the New Yorkers that helped out with me earlier post. In all probability, Mrs. Lindor did not even have the correct equipment in her house to connect to Verizon.

[ Reply to This | # ]

NAT options ignored...
Authored by: Marc Mengel on Monday, March 05 2007 @ 02:47 PM EST
Gee, my combo wired/wireless router at home lets me designate one computer to get 1:1 mapping -- it gets the same IP address as the router has, and maps all the ports through, any other system in the house gets a 192 address, and gets address translation applied. It also reports the MAC address of my desktop up to the ISP, so I didn't have to re-register with my ISP when I set it up.

So if someone has taken over the defendant's wireless router and configured it that way, the packet trace would look as he describes, yet the system being used could be next door, or accross the street (or further, with the right antenna).

[ Reply to This | # ]

Followup questions
Authored by: Wardo on Monday, March 05 2007 @ 04:30 PM EST
From: cvs.berlios.de (which I found in the Fast Track Protocol" on Wikipedia) detailing some packet information about the protocol used by KaZaA. Find out what the packets were, if you can see the whole packet capture and identify which packet types were captured and which addresses were passed in the data payload.

For instance, in packet type 0x0D Push Request, multiple addresses are passed in the packet payload. What sort of examination was made of the packets by the network monitoring people. IIRC the good doctor was relying on the logs from the MediaSentry software to connect the dots between the end user and the file sharing.

And the winner is packet type 0x2C, defined in that webpage as "your globally-visible IP address", which implies that it's not the private 192.x.x.x address.

Any chance the exhibits are going to be released (or have been released) to the public? Out of idle curiosity I would like to look at the logs used in this case.

Wardo

---
Wardo = new user();
Wardo.lawyer = FALSE;
Wardo.badTypist = TRUE; //don't bother to point out tyops
Wardo.badSpeller = TRUE; //or spelling misteaks

[ Reply to This | # ]

Teaches Computer Forensics ???
Authored by: ChefBork on Monday, March 05 2007 @ 07:34 PM EST

Page 38

24 Q. How did you learn your method of
25 determining from a hard drive whether a particular

Page 39

1 Jacobson
2 computer has been used for uploading or downloading
3 copyrighted works?
4 A. Well, the forensic examination
5 process I learned through self-study and through the
6 forensic examiner's exam.
7 Q. Now, am I correct that you were doing
8 this for law enforcement before you were a certified
9 forensic examiner?
10 A. That's correct.
11 Q. And when did you become a certified
12 forensic examiner?
13 A. September '04.
14 Q. And why did you become a certified
15 forensic examiner?
16 A. Two reasons. One is to be able to
17 better work with the law enforcement and the other
18 is to help support our university's educational
19 mission, since we teach computer forensics.

Did anybody else suppress a shudder at the thought of this guy teaching droves of students that how he does his own forensics is the "right and proper" way to do things? If not, then why did he do it this way?

If I was a member of the Iowa State Education Certifications Board, and I saw this deposition, I'd be interested in seeing what it was they were actually teaching, and possibly rescinding Iowa State's certification to teach computer forensics.

If I were a student in the Iowa State computer forensics course, I'd be wondering whether I'm learning the proper methods and if this deposition becoming public knowledge might cause me to become unhirable at graduation.

---
If two heads are better than one, then why are liars two-faced and being of two minds indecisive?

[ Reply to This | # ]

Synchronized clocks
Authored by: Anonymous on Monday, March 05 2007 @ 09:07 PM EST
<blockquote>7 Q. Were MediaSentry's clocks

8 synchronized with Verizon's?

9 MR. GABRIEL: Objection to form.

10 Lack of foundation.

11 A. I have no way of knowing.

12 Q. How many people were assigned this IP

13 address during the 24 hours of August 7, 2004,

14 141.155.57.198?

15 A. The date you said was August 7th?

16 Q. August 7, 2004.

17 A. I have no way of knowing that.</blockquote>

This is very important stuff. One of many examples of the very weak evidence on
RIAA's part.

[ Reply to This | # ]

Expert is claiming the logs are wrong
Authored by: Anonymous on Monday, March 05 2007 @ 11:05 PM EST
This expert indirectly disputes the log evidence that was collected

He has examined the defendants computer and
----------------------------------
13 Q. Based upon your examination of the
14 hard drive which you examined in this case, what
15 evidence did you find that supported or would
16 support a conclusion that Marie Lindor had
17 personally uploaded any files?
18 A. The hard drive that I examined showed
19 no evidence of any peer-to-peer software or MP3
20 music files.
21 Q. So is it correct to say that there
22 was nothing on the hard drive that tended to prove
23 that she had uploaded or downloaded anything?
24 A. There was nothing on the hard drive
25 that indicated there was any peer-to-peer software.
--------------------------------------------
So according to the expert this computer was not running P2P software and never
had any MP3 files on it to share in any case.

So what is the easier explanation
a) they identified the wrong computer
b) the entire system was rebuild and all the dates faked before being seized

Unfortunately his credibility is pretty much shot but hey. If they want to use
him. According to him this computer is clean and was never used for P2P software
or storage of MP3.

All that exists is an uncertified, untraceable, unverifiable, untested log.

I would be pileing on the damage counter claims.

[ Reply to This | # ]

For Ray: EnCase Information
Authored by: Anonymous on Tuesday, March 06 2007 @ 12:18 AM EST
I note that Ray asked them to produce their EnCase case file and he said that he
didn't save anything because he didn't find anything.

Be that as it may, one of the things you probably *can* ask for is the set of
scripts he used to search the drive. You see, EnCase allows you to create
custom scripts and hashes of files that it will look for (e.g. I'm sure he has
one for Kazaa files), among other things (such as showing you all the deleted
files on the drive).

So even if he can argue that his non-findings aren't relevant, what he
*searched* for probably is relevant. Although it may or may not do you much
good without a copy of EnCase because I don't have it or know how it stores the
files. In other words, if you ask them to produce that, make sure you get
printouts or human readable versions unless you have a copy of EnCase to use.

And please note that I'm basing this on second hand knowledge. I've never
actually used EnCase, but I remembered reading about it in my copy of _Cyber
Crime Investigator's Field Guide_ by Bruce Middleton (ISBN 0-8493-1192-6) which
was published in 2002. EnCase is discussed on pages 53-66, complete with
low-res screenshots.

Glad I remembered I even had that book; it was waaaay down in the bottom corner
of my bookshelf.

Hope this helps!

[ Reply to This | # ]

Morals
Authored by: Anonymous on Tuesday, March 06 2007 @ 11:36 AM EST
Is it just me, or is anyone else appalled at the lack of morals of Dr. Jacobson.
He cannot be unaware that the RIAA is using the reports he produces to brow beat
people into making settlements, and with a degree in computer forensics, he
should be well aware that his 'evidence' is dodgy at best.

This attitude of "give me some money, and I will do whatever you want"
will be the downfall of western society. The formal name for it is prostitution.

[ Reply to This | # ]

DSL or Cable without Modem
Authored by: Anonymous on Tuesday, March 06 2007 @ 11:54 AM EST
Just a question for all those who might know more than me. If I wanted to
connect to an Internet Provider via DSL or Cable I would NEED a Cable or DSL
modem, or not? I am currently only aware of very few PCI cards that are Cable or
DSL modems, requiring NO external box.

If I the defendant did not have such a PCI card (could be read out of the
registry) but connected via the standard Ethernet card, it would
"prove" an external Cable or DSL modem.

Now, how many DSL / Cable modems have you seen that do not have more than one
Ethernet port? how many don't have a wireless connection ability?

My logic: Either the defendant had a fairly new modem with firewall and/or
wireless then, it is impossible to pinpoint what PC was using that modem (could
have been any as the hard drive does not prove anything). If she did not have an
external modem but a PCI modem then she would have needed a firewall software on
the PC... did she?

[ Reply to This | # ]

Congratulations to Mr. Beckerman
Authored by: PeteS on Tuesday, March 06 2007 @ 04:54 PM EST
I (amongst others here) have been an expert witness in court, in the USA. The
key thing for many to realise is that expert witnesses live and die by their
credibility.

Mr. Beckerman has [apparently] effectively shot any credibility of Dr. Jacobsen,
and he doesn't seem a strong witness (although I have never met him and can't
say for sure, obviously).

To me it merely shows the incredibly weak case they have; Dr. Jacobsen did the
best he could while staying legally honest, but I can see some hay making in
this deposition.

PeteS


---
Only the truly mediocre are always at their best

[ Reply to This | # ]

reality check.
Authored by: Anonymous on Tuesday, March 06 2007 @ 06:05 PM EST
i know this should be evident from knowledge of the kazaa protocol, but the
problem i have is why kazaa would want the secondary ip address. no consumer
router that i know of does kazaa packet inspection to determine where to route
an incoming packet once it's past the wan interface. and for that second address
to have any usefulness, something in the router has to recognize the second
address and direct the packet to the appropriate internal node.

the only situation where i think that second address might come in handy is if
the lan side of the router is a hub instead of a switch, and so the kazaa client
itself can pick out kazaa traffic that's relevant... but that can't be very
effecient, and seems contrary to best practices.

so, i'm missing something. that secondary address might be useful in some
situations, or maybe is one way to indicate the potential presence of an
intermediate device, but i don't think it would be used in a typical NAT.

guess i'll have to check the kazaa protocol as to why it would be situated like
that. once i know why, then it's reasonable to surmise whether it tells us
anything at all in this case...

as far as a reason why there might be a secondary address for the supernode..
well, i think kazaa has the ability to work behind a proxy. that's where i can
send packets directly OR through the proxy, but can only receive packets sent to
the proxy. if the secondary address in the kazaa protocol is for allowing a
proxy to be used, then the "expert"'s theory is blown completely out
of the water. that secondary address would normally default to the WAN or public
address, regardless of router or not, and the existence or lack of a NAT router
could not be proven by looking at the individual packets and whether or not the
secondary address matches the source.

i'll look a little bit, but if someone wants to enlighten me, post back.

[ Reply to This | # ]

Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )