
A Lawyer Wishes to Pick Your Brain- Re Media Sentry
Sunday, October 28 2007 @ 01:37 PM EDT

Another request from an attorney to pick your brains. Ray Beckerman asks the following in connection with the UMG v. Lindor litigation:
What data or documents should we ask MediaSentry for?

The Groklaw and Slashdot communities were so helpful in preparing for the deposition of the RIAA's "expert" witness, Dr. Doug Jacobson, we thought we'd come back and ask for your thoughts on what documents and/or data to request from the RIAA's 'investigator', MediaSentry, Inc. The documents produced so far are just printouts, which were used at Dr. Jacobson's deposition, specifically exhibits 6, 10, 11, 12, 13, and 14. Of course we have some ideas of our own about what to demand, but we want to leave no stone unturned.

It's an opportunity to help everyone become more technically accurate, and I'm sure the RIAA also wants to be certain that it has the right defendants, which is what the question fundamentally is. You may have read that the judge in the Atlantic v. Dangler case just ruled that the RIAA could not have a default judgment because of insufficient evidence:

Clearly, plaintiffs are entitled to relief if Dangler downloaded and distributed the Copyrighted Recordings without plaintiffs’ consent. The question this Court must decide is whether plaintiffs have proven that those circumstances exist here. Although the complaint establishes that someone using the “KaZaA” online peer-to-peer file sharing service uploaded the Copyrighted Recordings, or otherwise offered them for distribution, the complaint does not identify details such as the time period during which the violations allegedly took place, or explain how that user, identified only by the username heavyjeffmc@KaZaA, was determined to be the defendant.

Clearly, judges are becoming more technically clueful, and that's where you can definitely contribute in a positive way.

Here are direct links to the exhibits, all PDFs that will download if you click the links (all of the exhibits are here):

He didn't mention Exhibit 7 ("Kazaa Overlay" Study by Ross, Kumar, and Liang), Exhibit 8 (Diagram LAN router NAT), or Exhibit 9 ("Pollution in P2P File Sharing Systems" Study by Ross, Kumar, Liang, and Xi), but it seems to me they would also be something to look at, to be thorough.

So, can you think of anything else? If you were representing Ms. Lindor, or were a technical expert, what else would you want to see? Remember that this is for discovery, and what he wants to request is *documents*. Look over what has already been produced, and then ask yourself if there are any other likely documents that could be helpful. Be specific, and don't assume he'll "just know". All the documents in the UMG v. Lindor case that are public are here. It's a New York case, filed in the US District Court for the Eastern District of NY.

This is probably also a good time to remind you of this article, Admitting Computer Record Evidence after In Re Vinhnee: A Stricter Standard for the Future?, setting out some guidelines one court recently followed when deciding what is required before digital evidence can be admitted. The abstract explains:

In re Vinhnee, a Ninth Circuit Bankruptcy Appellate Panel decision, employed Edward Imwinkelried’s eleven-step foundation process for authenticating computer records. In employing the eleven-step process, the Vinhnee court articulated a stricter standard than has previously been used by most courts for admitting computer records into evidence. This Article will first consider the various foundation standards that courts have applied to computer records. Next, the Article will analyze the Vinhnee standard, consider its elements, and compare it to the previous standards and commentary. Finally, the Article will conclude that the Vinhnee approach reflects common concerns by courts and commentators, and may influence other jurisdictions.


A Lawyer Wishes to Pick Your Brain- Re Media Sentry | 245 comments
Off Topic here
Authored by: Alan(UK) on Sunday, October 28 2007 @ 01:50 PM EDT
Clickable links: <a

Microsoft is nailing up its own coffin from the inside.

[ Reply to This | # ]

News Picks comments here
Authored by: Alan(UK) on Sunday, October 28 2007 @ 01:53 PM EDT
Please put subject in Title:
e.g. EU's gain is U.S. loss in influence on antitrust

Microsoft is nailing up its own coffin from the inside.

[ Reply to This | # ]

Corrections here
Authored by: Alan(UK) on Sunday, October 28 2007 @ 01:55 PM EDT
Please put correction in Title so that PJ can find it:
e.g. JP > PJ

Microsoft is nailing up its own coffin from the inside.

[ Reply to This | # ]

A Lawyer Wishes to Pick Your Brain- Re Media Sentry
Authored by: John Hasler on Sunday, October 28 2007 @ 01:59 PM EDT
> So, can you think of anything else?

1) Whatever evidence the plaintiffs claim to have that the files actually
contained what the names and descriptions implied that they contained.

2) The source for any special-purpose software used by MediaSentry.

IOANAL. Licensed under the GNU General Public License

[ Reply to This | # ]

Ask how do they know the IP was not spoofed
Authored by: troll on Sunday, October 28 2007 @ 02:43 PM EDT
Ask them to document how they make sure that the IP address really belonged to
Not just a screenshot and a letter to ISP.
A well documented step-by-step procedure of checking and doublechecking. For
example what steps they actually made to make sure they have "synchronized
watches" with ISP. They make a screenshot at 17:38 and they ask who was
assigned the IP address at 17:38 half a year ago. What if one of the computers
had clock running 5 minutes late?
Did they make a traceroute at the moment the file was shared? That would make
good evidence.

Ask them to document how they analyzed all the malware that *might* have been
present on the defendant's computer at the moment they made the screenshot. I can
very well imagine a piece of malware that distributes files. Viruses that send
out millions of emails are very well documented.
I can very well imagine a piece of stealthily installed software that works as a
relay for somebody else.

Ask them to document how reliable all their analyzing software is. If you
compare two bullets you have to use certified equipment.

Ask them to document what makes their ... aehm ... "experts" qualified
to do what they do. I am pretty sure that I personally would not be allowed to
testify as expert for ...let us say ... technical state of vehicle at the moment
of crash. Even if I have a pretty good idea how the brakes work and have a
technical education.

Yours truly ...

[ Reply to This | # ]

Who does the copy?
Authored by: cmc on Sunday, October 28 2007 @ 02:48 PM EDT
I know this question is most likely not going to help this attorney, but it is
the question that all of these cases hinge on, but nobody wants to ask:

When a file is uploaded/downloaded, who actually performs the "copy"?
Is it the person who is making the file available, or is the person explicitly
requesting the file?

[ Reply to This | # ]

Hashes v Filename & specific copyrighted work
Authored by: Anonymous on Sunday, October 28 2007 @ 03:02 PM EDT
Probably already covered in the litigation but just in case:

1) On most (all?) P2P networks files are uniquely identified not by their name
but by a "hash" value derived from the contents of the file.

So I could download a file, rename it to anything I liked, and re-share it. It
would still be "matched" to the original file by the software but
could appear to some people as something different. This is a common trick used
by individuals/companies trying to "pollute" the P2P networks.

So has it been shown that the files named after various copyrighted works
actually contained those works?

2) Taking an example from the exhibits listed: "Tania - Stranger in my

Has it been proven that this file contains the data from a specific commercial
release of that track - ie it is a track ripped from a specific CD, with a
specific catalog number, or some other clearly identified source?

Not free promo CD, a bootleg recorded from a live concert (still dodgy in a
legal sense but bootlegs have a venerable and somewhat honorable history), or
some other source?

This would appear to require data/audio analysis not present in the exhibits

[ Reply to This | # ]

sourcecode for the mediasentry software
Authored by: NemesisNL on Sunday, October 28 2007 @ 03:07 PM EDT
In order to be sure the software used to track the alleged distribution is
accurate, does not leave room for doubt, it is important to be able to check the
way it works. For that the source code would be needed. As far as I've been able
to follow the case nobody ever was able to check the way this software
establishes the user, the ip number of the pc used, how does it offer files and
then tracks them. The way I understood the whole case is resting on the
assumption that this piece of software actually does what is claimed with any

[ Reply to This | # ]

A Lawyer Wishes to Pick Your Brain- Re Media Sentry
Authored by: Anonymous on Sunday, October 28 2007 @ 03:16 PM EDT
If possible set her computer and router up to her original configuration and
have a qualified person come in with a laptop and give the court a practical
demonstration of computer security.

[ Reply to This | # ]

I just love Exhibit 8...
Authored by: Anonymous on Sunday, October 28 2007 @ 03:19 PM EDT
It is a std. picture from a router manual... and it tells nothing about NAT.

[ Reply to This | # ]

Software Testing
Authored by: Anonymous on Sunday, October 28 2007 @ 03:28 PM EDT
"Important" software has to be tested to make sure it works as
intended. Proper testing is often more complex and time consuming than writing the
code in the first place. I seem to recall there are books on the subject. Anyway
**somebody** has to design the tests, create testing protocols, institute
procedures, generate documentation, etc. When problems are found then there is a
procedure for review, correction, and further testing. In some cases this is
never ending.

Most companies, except for those involved in "mission critical"
applications don't do testing "by the book" and often wait for field
reports to pinpoint problems. Much cheaper and easier.

A typical commercial company's testing data in the hands of an expert familiar
with "mission critical" systems would be devastating.

[ Reply to This | # ]

Fair Use?
Authored by: Anonymous on Sunday, October 28 2007 @ 03:29 PM EDT
She owns many of the works she is being sued for distributing, for fair use is
it required that she did the actual conversion from source to MP3? There is
still the question of did anyone else download the files other than
MediaSentry (the "making available" issue).

[ Reply to This | # ]

Time Stamps!
Authored by: dlrapp on Sunday, October 28 2007 @ 03:29 PM EDT
Fundamental to every piece of data is data integrity. Time stamps can be easily
verified if the system logs show that NTP is running and is configured properly.
If it is not then the accuracy and standard deviation of the time stamps
present must be verifiable. If neither of the above is the case then the time
stamps might as well not be there.
I was an engineer involved in wind tunnel testing for many years and believe me
every transducer, cable, instrumentation amplifier, and software algorithm was
tested, calibrated, and verified before use. It goes without saying that time
stamps were treated the same way.


"They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety."

-- Benjamin Franklin, Historical R

[ Reply to This | # ]
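The "synchronized watches" and time-stamp points raised in the comments above can be made concrete. The following is an added example, not part of any comment and not MediaSentry's or any ISP's code: it checks whether an observation time maps to exactly one subscriber once clock error is allowed for. The lease records, account labels, addresses and dates are constructed; only the 17:38 observation and the five-minute error come from the discussion.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def utc(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a UTC timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Lease:
    ip: str            # address handed out by the ISP
    subscriber: str    # constructed account label
    start: datetime    # lease start according to the ISP's clock
    end: datetime      # lease end according to the ISP's clock


# Constructed sample lease log: the same address changes hands at about 17:36.
LEASES = [
    Lease("192.0.2.44", "account-A", utc("2007-04-12 09:02:10"), utc("2007-04-12 17:36:05")),
    Lease("192.0.2.44", "account-B", utc("2007-04-12 17:36:40"), utc("2007-04-13 02:11:00")),
    Lease("192.0.2.45", "account-C", utc("2007-04-12 08:00:00"), utc("2007-04-12 20:00:00")),
]

# The screenshot time used in the comment above, on a constructed date.
OBSERVED = utc("2007-04-12 17:38:00")


def candidate_subscribers(leases, ip, observed, clock_error):
    """Every subscriber whose lease overlaps the window in which the
    observation could really have happened, given the combined error of the
    investigator's clock and the ISP's clock."""
    lo, hi = observed - clock_error, observed + clock_error
    return sorted({l.subscriber for l in leases
                   if l.ip == ip and l.start <= hi and l.end >= lo})


def attribution(leases, ip, observed, clock_error):
    """Classify the lookup as 'unique', 'ambiguous' or 'no-lease'."""
    found = candidate_subscribers(leases, ip, observed, clock_error)
    if not found:
        return "no-lease", found
    return ("unique" if len(found) == 1 else "ambiguous"), found


def uniqueness_margin(leases, ip, observed):
    """Smallest combined clock error at which a second subscriber becomes a
    candidate. None means no other lease exists for that address."""
    holders = candidate_subscribers(leases, ip, observed, timedelta(0))
    gaps = []
    for l in leases:
        if l.ip != ip or l.subscriber in holders:
            continue
        if l.end < observed:
            gaps.append(observed - l.end)
        elif l.start > observed:
            gaps.append(l.start - observed)
        else:
            gaps.append(timedelta(0))
    return min(gaps) if gaps else None


if __name__ == "__main__":
    for minutes in (0, 1, 5):
        print(minutes, attribution(LEASES, "192.0.2.44", OBSERVED,
                                   timedelta(minutes=minutes)))
    print("margin:", uniqueness_margin(LEASES, "192.0.2.44", OBSERVED))
```

With these records the lookup names one account only while the combined clock error stays under 1 minute 55 seconds, which is why documented clock synchronization on both sides is worth requesting.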

What Else Was in the Folder/Directory? What Else Was on the Machine?
Authored by: Anonymous on Sunday, October 28 2007 @ 03:34 PM EDT
Were there any legitimately sharable files in the directory(s)/folder(s) in
question? Were there any files in those locations in which the RIAA could have
no reasonable interest?

What directories/files were searched, and why?

Did Media Sentry have permission to do what they did? From whom? (I know I'd
be more than a little annoyed if someone messed with the contents of my hard
drive without my permission.)

Was there a hardware/software firewall in place? Was it bypassed? If it was,
how? What port did Media Sentry use? Why that port (or those)?

What antivirus/antimalware programs were in place? What measures, if any, were
taken to defeat or bypass antivirus or antimalware programs (if there were any)?

What effort was made to determine whether the machine in question was/had been
infected with malware of any description? In particular, what tests were done
to establish that the machine is not/was not part of a botnet?

Final note: check with SANS Institute, who know about as much as anyone about
what kinds of things can go wrong. In particular, Tom Liston is engaging and
knowledgeable--and the rest of the crew are no slouches either!


[ Reply to This | # ]

Where to begin?
Authored by: Anonymous on Sunday, October 28 2007 @ 03:38 PM EDT
1) Electronically produced records should be excluded unless and until a
proper foundation has been established. These records can be forged in too
many ways for the court to accept them. Thus the chain of custody with each
person involved with the production of each exhibit should be provided.
Further, each system should be made available for examination that
produced the result including all the software and source-code for that
software. Additionally, I would ask for the certification, experience,
and licensing of all individuals in the chain of custody of the exhibits.

2) The RIAA attorneys have made a serious mistake in my opinion, in most
states only licensed professional engineers are authorized to express
opinions on communication systems matters. Just as it is illegal for anyone
to practice law without a license, it is also illegal to practice engineering
without a license. Thus remarks made by attorneys about communication
systems lack proper foundation.

3) It appears to me, that Media Sentry has been asked to act as an
investigative service. This brings up the issue of licensing as investigators.

Thus in order to conduct this investigation I would expect that every person
in the chain of custody in the exhibits is a) licensed investigator in the state
the alleged act took place, b) in order to express an opinion on the results
and how the results were obtained from a communication system these
persons are licensed professional engineers who can express a legal
opinion as to the results, the error rate of the results, and how the results
were obtained. Failing that, the evidence should be dismissed for lack of

4) Any and all software, hardware, procedures used to obtain results should
be identified, as to how and by whom obtained the data presented as
evidence. Then they should be asked to explain, what if any third party
organization has reviewed and approved the method and procedures used to
obtain the results. I would also request what the error rate in obtaining these
results is/was, and whether it has improved or gotten worse over time.

5) By which professional engineer were the results obtained under who had
responsible to the collection of data. Where are his/her logs reflecting when
and how the data was collected, and where he/she identified the time and
place, equipment, software, and technicians involved in the collection of the

6) By which professional engineer were the results analyzed, and by what
method and procedure. Has this method and procedure been reviewed and
approved by any third party organization who normal such reviews.

7) Did the professional engineer maintain proper chain of custody, of the
equipment, software, personnel used to obtain the results. How did the
professional engineer calibrate the equipment and software used to collect
the results. What safeguards and procedures are/were in place to protect this
equipment from damage and tampering.

8) How were the results delivered to each person in the chain of custody, if
transferred electronically, (email, etc) how were the results protected from
damage or tampering. What procedures for chain of custody of the
equipment, software, and personnel is/was followed.

Note: I'm not an attorney, but I believe the courts have defined a 12 step
analysis as to whether results generated by a computing system can be said
to be reliable in order to be introduced as evidence in a court of law. The RIAA
lawyers know this, which is why they keep dancing around it.

I hope this is helpful.

[ Reply to This | # ]

So What about the Comcast IP Spoofing..
Authored by: Anonymous on Sunday, October 28 2007 @ 03:58 PM EDT
Can anyone really be sure the IP that is being reported is really yours?

Comcast is spoofing IPs...

"Each PC gets a message invisible to the user that looks like it comes from
the other computer, telling it to stop communicating. But neither message
originated from the other computer — it comes from Comcast. "

So how can anyone really be sure the IP being reported in their software is
correct. If this ISPs are doing it..

[ Reply to This | # ]

A Lawyer Wishes to Pick Your Brain- Re Media Sentry
Authored by: Anonymous on Sunday, October 28 2007 @ 04:08 PM EDT
American justice is (in this case) related to a huge inequity in economic power.
Plaintiffs have limitless financial resources, and don't seem inclined to accept
that from an engineering point of view they may be wrong; also, plaintiffs
sponsored the law by which they are suing.
Defendant has severely limited resources to defend with.

So, 'Lady Liberty' has severely-unequal scale pans.

It's like 'losing the lottery', analogous to 'winning the lottery' but in
reverse and going several million dollars down the tubes.

Sorry, but until the economic imbalance between the parties is remedied, justice
is unlikely to be done.

[ Reply to This | # ]

A Lawyer Wishes to Pick Your Brain- Re Media Sentry
Authored by: Tezzer on Sunday, October 28 2007 @ 04:40 PM EDT
Were the RIAA's investigators paid a flat rate for their services or were there
any 'performance related' payments, either at a company level or for

Can their impartiality be guaranteed?


[ Reply to This | # ]

Just printouts?
Authored by: Anonymous on Sunday, October 28 2007 @ 04:54 PM EDT
Is this all you've got? (sorry :-(
Imwinkelried is now 27 years old, brief in legal terms, but
the technology has advanced rapidly, as this case attests.

Where a defendant's hard disk has been seized an independent
forensic analyst can provide both parties with digitally signed
read-only images. Yet before that happens either party may
have perpetrated or been victim of: IP spoofing or system log

Imwinkelried's 11 steps fail IMHO at 4. There seems to be little point
in certifying the veracity of a printout, including the method of
obtaining it, if the data presented is false. The "built-in safeguards
to ensure accuracy and identify errors" were intended for business
systems, to prevent such things as booking events in the past,
or transferring funds between accounts not qualified for such transfer.

A judge who can understand these "simple" business procedures
may have difficulty with the system manipulation that relatively
simple script kiddie hacks can do, yet leave the machine
apparently unharmed and running "normally" for the user.

There will be true and false paper records, and
there will be true and false electronic records, and the current
rash of file sharing cases before the court probably contain
a lot of material that falls somewhere in the middle. I despair
of an adversarial system ever finding a solution to this

Good luck....

[ Reply to This | # ]

Design and Requirements documentation
Authored by: Anonymous on Sunday, October 28 2007 @ 05:17 PM EDT
Design and requirements documentation would be very useful in understanding how
many of the technical issues that have been discussed have been considered and
designed for within the software.

(Also agree about test case documentation and results as someone else


[ Reply to This | # ]

Is there any reason not to try for everything?
Authored by: Anonymous on Sunday, October 28 2007 @ 05:46 PM EDT
Is there some reason not to try for a very wide disclosure? You might not get
it, but I can see arguments worth trying for:

* Any and all correspondence with the suppliers of all the hardware and software
used by MediaSentry to obtain their evidence, with particular emphasis on any
fault reports, patch releases, maintenance, maintenance documentation, etc.
Also specification and Quality Assurance records for any bespoke software and
source code where they have it.

* A full byte-for-byte forensic copy of the harddisk(s) of the machine(s) in
question and any backups taken since the evidence was obtained -- your experts
might want to check how they are configured.

* Any and all internal correspondence relating to the maintenance or
configuration of all of the hardware and software used.

* Any and all correspondence or documentation relating to MediaSentry's own
internet connection and its reliability. Could a trojan program on an
intermediate router have been interfering with their IP tracing.

* Any and all correspondence and documents relating to all techniques that
MediaSentry has ever used or considered using to identify suspicious files on
P2P networks. The argument here is that they may have rejected some techniques
because they were too conservative (ie accurate) to suit their customers.

* You could try for complete records of all of their data captured from
whichever P2P network it was, so that you can check it against independent
sources for accuracy.

* All of their internal procedures relating to capturing evidence of this kind.
Also any documents relating to occasions on which these procedures were alleged
not to have been followed correctly.

Of course, if you get all this and they comply, you may need a larger office.

[ Reply to This | # ]

A Lawyer Wishes to Pick Your Brain- Re Media Sentry
Authored by: tknarr on Sunday, October 28 2007 @ 06:24 PM EDT

One of the immediate things I'd ask for, given the ruling listed at the end of PJ's post, is documentation from Media Sentry detailing the steps taken and procedures followed to insure the integrity of the computer records they're producing. Anyone can take a log file and edit it to say anything they want. What did Media Sentry do to insure that the log produced in discovery is in fact unaltered from when it was made? If they're doing their job, they'll be able to respond with something like "Here's the MD5 checksum of the log taken when it was made, and the attestation of the person who did it that it was of the actual log file. Here's the MD5 checksum of the log just before it was given to you, and it's identical to the first one. We used this program to do the checksum, so you can repeat our process to verify the results.". If they didn't checksum things, you'll want to look at how they secured the media the logs and everything were stored on. If the media was secured the judge'll probably accept an attestation from the people with access that they didn't alter the files, but if it wasn't secured there's again a chain-of-custody issue. All of this should be discoverable, since it goes to the question of whether the evidence being submitted is in fact authentic.

[ Reply to This | # ]
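The checksum-at-collection, checksum-at-production procedure described in the comment above, as an added example that is not part of the comment and not MediaSentry's process. MD5 is used because the comment names it; SHA-256 alongside it, the manifest fields, the collector label and the sample log lines are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os
import tempfile

# md5 as named in the comment; sha256 added here as an assumption.
ALGORITHMS = ("md5", "sha256")


def file_digests(path, algorithms=ALGORITHMS, chunk_size=65536):
    """Hash the file once, feeding every algorithm from the same read."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def seal(path, collector, collected_at):
    """Manifest entry made when the log is collected. The entry has to be
    kept apart from the log (or attested to), or it proves nothing."""
    return {
        "file": os.path.basename(path),
        "size": os.path.getsize(path),
        "collector": collector,
        "collected_at": collected_at,
        "digests": file_digests(path),
    }


def verify(path, entry):
    """Recompute at production time; return the list of fields that differ."""
    problems = []
    if os.path.getsize(path) != entry["size"]:
        problems.append("size")
    current = file_digests(path, tuple(entry["digests"]))
    for name, expected in entry["digests"].items():
        if not hmac.compare_digest(current[name], expected):
            problems.append(name)
    return problems


# Constructed sample log, not taken from any exhibit.
SAMPLE_LOG = (
    b"2007-04-12 17:38:00 UTC peer=192.0.2.44 user=exampleuser@KaZaA files=3\n"
    b"2007-04-12 17:38:07 UTC peer=192.0.2.44 download=track01.mp3 bytes=4194304\n"
)


def demo():
    """Seal a log, then check it untouched, edited in place, and appended to."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "capture.log")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_LOG)
        entry = seal(path, "analyst-1 (constructed)", "2007-04-12T17:40:00Z")
        results["untouched"] = verify(path, entry)

        # Same-length edit: one digit of the address changes, size does not.
        with open(path, "wb") as fh:
            fh.write(SAMPLE_LOG.replace(b"192.0.2.44", b"192.0.2.45"))
        results["edited_in_place"] = verify(path, entry)

        # Appending a line changes the size as well as both digests.
        with open(path, "ab") as fh:
            fh.write(b"2007-04-12 17:39:00 UTC peer=192.0.2.45 files=1\n")
        results["appended"] = verify(path, entry)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, problems or "matches manifest")
```

A matching digest shows only that the file is unchanged since it was sealed; it says nothing about whether the log was accurate when it was written.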

How do they know the host wasn't compromised?
Authored by: Anonymous on Sunday, October 28 2007 @ 06:24 PM EDT
I manage the backup systems in my lab. Once, while checking logs, I noticed a
bunch of error messages that were posted when certain files failed to verify -
that is the file on the verification pass was different (size, checksum, or
whatever) than what had been written to tape. These happened to be .mp3 files.
These files had been written into one of the Windows system directories. They
weren't the type of music I know the user of that computer listened to. So I
asked him about it. Turns out he didn't know that there were any music files on
that system - someone from outside the network had broken into that system and
was using it to host the music files. No sooner than he had cleaned up the
system, than the files were back. He had a heck of a time cleaning that up, and
preventing future compromises. (I have no idea what he eventually did, since I
know nothing of Windows, but he did manage to eventually tighten the system

So, how do they know that the "owner" of the computer isn't
unknowingly hosting the files?

[ Reply to This | # ]

Background article about weaknesses of computer-forensics
Authored by: Walter Dnes on Sunday, October 28 2007 @ 06:39 PM EDT
See this article at for a discussion of problems with computer forensics. The "presumption of reliability" is a bad idea.

[ Reply to This | # ]

Kazaa and willfullness
Authored by: kh on Sunday, October 28 2007 @ 07:01 PM EDT
As a network admin I found that people who used kazaa often had no idea what
kazaa was doing and were unaware that it was sharing their files with others or
that other people could upload files to their computer and then others download

I wonder if you can say that someone "intended" to do all the things
that kazaa did on their computer.

[ Reply to This | # ]

A Lawyer Wishes to Pick Your Brain- Re Media Sentry
Authored by: Anonymous on Sunday, October 28 2007 @ 07:04 PM EDT
Ask MS to demonstrate that their records management process and practice
conforms to ISO15489 or some other recognised and relevant standard. This is

Further (given they're gathering supposedly admissible evidence) ask them to
demonstrate that their information gathering and record keeping methods
processes and practices conform to some recognised and relevant standard for
legal admissibility, such as BSI DISC PD0008 ("Code of Practice for Legal
Admissibility of Information Stored on Electronic Document Management

In this context for example, if automated scanning of "available
files" is done, one good practice would be to create an immutable archive
of each day's scans, so as to be sure that it could not be altered and could
later be produced as high-quality evidence.

[ Reply to This | # ]

A Lawyer Wishes to Pick Your Brain- Re Media Sentry
Authored by: Kilz on Sunday, October 28 2007 @ 07:14 PM EDT
I am not a lawyer, but I read that the fines may be based on the value of the
Just in case for some reason the person would be found guilty. I think I would
request documents dealing with the amounts that the copyright holder sells
digital recordings for online. We all know that songs can be had for 99 cents.
This should place the value of the recordings at less than a dollar each for
each recording they can prove is legitimate and was downloaded by someone.

[ Reply to This | # ]

A Lawyer Wishes to Pick Your Brain- Re Media Sentry
Authored by: jacks4u on Sunday, October 28 2007 @ 07:17 PM EDT
As was alluded to in a previous comment, it is possible, that prior to actually
finding the infringing products on the defendant's computer, the plaintiff's p2p
program might have actually placed that/those product(s) on the defendant's
computer. This would in essence be a setup job, whereby a person plants
evidence on another, then claims foul.

I would ask for directory lists of the investigator's computers, before, during,
and after the 'investigation', system logs that show specifically file
transfers, file creation and deletion data, and logs showing network traffic.
Not just traceroute data, but the actual packets sent and received, before and
during the entire investigation - this might be an extremely long document,
perhaps suitable for delivery on CD or DVD. This data may then be used in a
packet analysis program.

The defendant claims to actually not own a computer. I would ask the plaintiff
for citations of their legal authority to pursue action against a person that
could not have actually infringed their intellectual property.

It would seem that since there 'was' a computer, and its hard drive was
examined, and found to not contain any trace of plaintiff's IP, and plaintiff
claims the drive was changed, plaintiff must have some reason for stating this.
I would ask them for data relating to the investigation of that drive. Date and
time of file creation is an imperative for computers. Virtually every file
created or accessed on a computer is timestamped, with the creation time/date
and/or access time/date. Though a fairly skilled person could change time/date
information, it could still be an indicator as to when the operating system on
this drive was last installed.

Who has actual custody of said hard drive? or, has plaintiff made an image of
this drive, and returned it to defendant? If this is the case, I'd ask for a
complete directory and file list of plaintiff's image of said drive, including
file creation and access time/date.

That's about all I can think of. I am NOT a lawyer. I do not file share, or
consume on-line music. Period. I also have not had a Microsoft based computer
connected in any way to the internet in the last 6 years.

I'm not a Lawyer, this is my opinion only. I may be wrong, but I don't think so!

[ Reply to This | # ]

A Lawyer Wishes to Pick Your Brain- Re Media Sentry
Authored by: Ray Beckerman on Sunday, October 28 2007 @ 07:26 PM EDT
I want to take this opportunity to thank PJ and all the members of the Groklaw
community who are taking the time to give their input!!!

You guys are the greatest.

Best regards,

[ Reply to This | # ]

A Lawyer Wishes to Pick Your Brain- Re Media Sentry
Authored by: Anonymous on Sunday, October 28 2007 @ 07:54 PM EDT
List of engineering change requests.
Is there any formal change control process?
List of bug reports.
List of known bugs.
List of bugs fixed.
Contents of bug tracking database(s).
List of all versions and date released.
Release notes (new features, changes, bug fixes) for each version.
Number of programmers and hours worked on each release.
Number of total lines of code in each release.
Number of lines of code added/changed/deleted in each release.
Number of bugs found and fixed so far in development of this software.
Estimate of number of bugs remaining in software.
Kind of SCM (source code management) software used if any?
Summary and detailed revision log from SCM.
Whether software dev process is iso-90003 compliant.
Any 90003 related documents.
Rank/level of organization according to CMMI (capability maturity model
What formal software engineering methodology(s) are used if any?
Testing methodology used.
Any automated tests? Regression tests?
List of regressions found during development.
Reports produced by automated tests for each version of software.
Estimated "coverage" of tests.
How many distinct tests are contained in the test suite?
History of test suite. How many new tests were added for each new version of
the software?
Length of time it takes to run the tests.

[ Reply to This | # ]

Things to request
Authored by: Anonymous on Sunday, October 28 2007 @ 07:56 PM EDT
1) Source code. As we know from the MediaDefender leaks (see for full details), they use hacked versions of official clients to gather information as well as to "interdict" files (i.e. upload false copies). Yes, I know that that's MediaDefender, not MediaSentry/SafeNet, but I see no way for them to do what they do without custom applications. I also know that on at least one occasion, MediaDefender partnered with MediaSentry to make false copies of some file and upload it to many sites.

2) Changelogs, version changes and bug reports for all versions of their application. The less you get of this information the MORE suspicious their program is. If there's no real quality control behind it, given that it has to be a fairly complex, custom application, you KNOW it's shoddy workmanship. There's no programmer, however genius they might be, who codes without bugs. Knuth has handed out several checks in his day and he writes formal proofs of correctness for his applications. I can guarantee you that they don't have any of those for their applications, though. Pretty much nobody does. They SHOULD, however, have some kind of internal QC, changelogs, comments, different versions, bug reports, etc.

3) What version of their program "identified" your client? Which bugs was it later found subject to (by the time it reaches court, it may be years later--if you can, make sure they're forced to update you on this as new bugs are identified during litigation)? It *should* be hard for them to argue that this is irrelevant, but their lawyers are pretty good at snowing people. Also, you want to know file sizes and hashes for all files allegedly shared to know if they were fakes. Those MD leaks have some interesting tidbits. Remember what I said about MediaDefender & MediaSentry working together? MediaDefender makes all their fake file hashes divisible by some number (they've probably changed that by now), and they also had some bugs with that relating to their MiiVii site. MediaSentry, however, did the same thing but with a larger number and they did it to the file SIZES (if there was a set of files, this check applied only to the last file). I'd mention the numbers, but I don't remember them. They're in the leaked email, but I'd get them from discovery, anyhow--they've probably changed them by now. Of course, it occurs to me that they might claim that they're a trade secret, and they may have come up with new methods by now. They'd probably insist on supplying that to outside counsel only. I should mention, BTW, that I believe that MediaDefender's scheme would have slightly less than a 1% chance of a false positive for any random file. MediaSentry's false positive rate would be significantly lower, although this might change depending on how often they've changed their secret modulus. I believe that there are other mathematical weaknesses in their scheme, but those are only relevant to people trying to detect those flooding the net with junk files, so I won't mention them here.

4) Chain of custody for all this digital evidence. You want to know every single person who had access to this data, what access they had, etc. Chain of evidence *IS* the evidence for digital files. I know that they can use a silly "business records" exemption to include this even though it's rightfully hearsay, but you want to fight that as hard as you can as well. They are NOT relying on these logs in their business, and they've been proven wrong many times in the past. They make money whether they're right or not so long as it's hard for people to fight them. By ALL means, make note of that juror's statement (the guy who never even used the internet!) about how she "should've just settled" when mentioning your client's plight. If THAT is how the ignorant masses see these cases, your client is fighting an unfair battle. I'll be honest, too: I'm not sure a jury trial is your best bet, after that. I may be wrong and I'm not a lawyer, but it seems like the juries believe any nonsense spouted by an expert. And people like me? I've never made it past voir dire, not even ONCE, and I WANT to serve on a jury someday...

5) Maybe this is too Matlock, but if you need to drive home how terrible mere screenshots are as "evidence", show some fake ones to their "expert" and see if he authenticates them. Bonus points if you replace the IP of the file sharer with (better known as

6) Get the financial arrangements between the RIAA and MediaSentry. I smell a rat, as if they're being compensated on a per-infringer basis. This could really help shoot down the business records exemption they rely on if you have a clueful judge. Kill their evidence and they have no case at all. I really feel like they're not the independent experts they claim to be, but I have only a gut feeling on that point, bolstered by their evasiveness last time you fought them on that point. I know you hate it, but I somehow wouldn't mind seeing a bit of "sharp practice" if it made their fee arrangements public knowledge. I'm convinced they're dirty, but I have absolutely no proof.

Anyhow, good luck! You're going to need it, because these folks don't fight fair. Wish I could help more, but IANAL.

[ Reply to This | # ]

A Lawyer Wishes to Pick Your Brain- Re Media Sentry
Authored by: mhoyes on Sunday, October 28 2007 @ 09:34 PM EDT
Looking at the information provided, the first things that come to mind are:

1) How were the time differences determined between the media sentry computer
performing the examination and the ISP system that had the logs? This time
difference would have to be at the time of the purported copies being available,
and not the current time difference.

2) What method was used to confirm that the titles listed were actually
available. Kazaa tends to combine index listings so the list may not even be

[ Reply to This | # ]

Computer Forensics
Authored by: Anonymous on Sunday, October 28 2007 @ 09:47 PM EDT
Since the "researcher's" workstation contains the evidence, request
the actual workstation used to perform the analysis. This gives you all the
data that was used in the performance of the analysis. You can then have a
third-party digital forensic analysis of the logs, the data, and all the
relevant information on the system.

If they refuse, ask for a complete, digitally-verified, forensic copy of the
workstation (and appropriate systems). Request that your forensic investigator
make the copy so that he can state that he has the actual source of the data.
He could also check for timestamps, complete data logs, (perhaps) usage of the
software at the time that the researcher claims that he made his findings.

The NIST (National Institute of Standards and Technology) has several public
papers on digital forensics, and (to my knowledge) they satisfy the minimum
standard that law enforcement requires to get computer data into court
(chain of custody, written reports on methods and results, software testing to
compare which methods are acceptable and which aren't.)
The NIST papers are done in conjunction with the FBI, Homeland Security, and
the NSA. Digital forensics is a serious matter, because 1's and 0's can be
forged so easily.
NOWHERE have I seen that a "screen shot" has been acceptable in a
criminal court, if someone is willing to press the issue. Hopefully, the civil
court should be willing to accept these as the standard to which Media Sentry
should be held.

If Media Sentry refuses either of these, that should lay the foundation for
all their data to be thrown out, since you cannot have an independent agent
verify their tools, methodology, or conclusions.

NIST papers on forensics are located here:

[ Reply to This | # ]

  • Computer Forensics - Authored by: Anonymous on Monday, October 29 2007 @ 02:08 AM EDT
  • Cost - Authored by: mhoyes on Monday, October 29 2007 @ 09:55 AM EDT
    • Cost - Authored by: Anonymous on Wednesday, October 31 2007 @ 04:46 AM EDT
A Lawyer Wishes to Pick Your Brain- Re Media Sentry
Authored by: lyttlec on Sunday, October 28 2007 @ 11:17 PM EDT
Don't ask just for the source code, ask for the peer reviewed publications for
the algorithms that the source code purports to implement.
This wouldn't be the first time someone didn't properly implement something.
As a registered professional engineer, I often had to produce copies of
standards, etc. and show that my design correctly implemented them.

[ Reply to This | # ]

A Lawyer Wishes to Pick Your Brain- Re Media Sentry
Authored by: wvhillbilly on Sunday, October 28 2007 @ 11:18 PM EDT
How does Media Sentry determine who is logged on with a particular dynamic
(DHCP) IP address at the time an allegedly infringing file is
uploaded/downloaded from that address?

What goes around comes around, and the longer it goes the bigger it grows.

[ Reply to This | # ]

From my perspective.....
Authored by: Anonymous on Monday, October 29 2007 @ 02:53 AM EDT
Having a fond interest in photography I've always been curious about how digital
photographs can be used by the police or other agencies as proof in a criminal
case. How it's done (with the forensics package I'm familiar with) is that they
use special software to download and special firmware on the camera. The camera
on image generates a watermark that is digitally applied to the image along with
a checksum/hash, some software also tags on a public key encryption signature
that is automatically voided if a single pixel changes.

You are trying to prove that the data they have collected is bad. To verify that
as other posters said you need a "chain of trust".

The first question is "How was the data acquired". This is where you
need the software code, because without the code the program could spit out
random IP addresses when identifying a client. After you get the code you have a
CompSci expert look through the code and verify that the software does what it
says, and here is the key part, without error. If you can find a single bug in
the program that affects key data the whole thing is out the window. This is
very similar to the recent DUI cases where the person on trial has requested the
code for the software, for without the code how can you verify that the software
does what it says it does? Even a screen shot is meaningless if they altered the
image in some way (ie it didn't go straight to the printer, and don't think that
print screen on the keyboard goes to the printer, in Windows it goes to the
clipboard where it can be altered and has the integrity of a crayon drawing
without forensics software).

The second question is "When was the data acquired". The software
supposedly presents time stamps. Time is a relative concept that is essentially
meaningless without a frame of reference. So the question becomes where did they
get their time from? Was it a calibrated client running a network time client
that pulled its time in GMT from a nuclear network time server? The GMT issue
is key as it's important that when they say the computer was logged on at 21:36
that it was actually 21:36 in the same timezone. Even a minute of difference in
the timestamp could be another person, but that deals with one of my other

The third question is "How was the data Stored". This is very very
important. Were these important records stored on the back of sticky notes? Was
it electronic? Who had access to it? How did they secure the data? Was it on a
network accessible computer? Did they apply signatures to the data to ensure
integrity? Do they run backups? Was the data compared against backups before
submission to the ISP? Have their computer networks ever been breached? Have
they ever had data loss, either on the server or on the workstation? Do they do
network security audits to verify the security of their network? What about the
employees, do they have criminal backgrounds? How are the employees paid, for
example are they paid commission for every individual identified? Do the human
employees prepare and sign affidavits or digitally sign the data when the data
is collected and transmitted? Is there any kind of log on access to data
collected? Basically this question has hundreds of subquestions, boiling down to
who prepared the data (and what kind of person are they, are they licensed
etc..), how was the data stored and who accessed it and can they prove that no
one tampered with it. Remember, they have to prove that the data is accurate and
untampered with. The court shouldn't consider any data for which the company
can't say with 100% certainty that the data was NEVER altered for any reason and
they have security measures to verify that. The analogy is a murder occurs in a
building at night, the building has a data key entry system if there was only
one other person in the building you convict the guy that was in the building at
the time, but you can only do that if the log entries can't be tampered with
(most older systems sent every entry to a line printer that logged to hard

The fourth question is "How did they transmit the data". Did they send
the ISP a one sentence email saying at 12:23pm on august 9th, IP address
XX.XX.XX.XX? Was it a hard copy letter? How did they ensure that the data being
sent could not be misinterpreted by the ISP? Did they note timezone? Did they
ask if the IP was static or dynamic? Did they ask for just that second or did
they ask for the timeframe the IP was in use? Did they verify with the ISP that
the ISP was running Network time servers and clients? How did the ISP record the
data? How did the ISP verify the data? Basically every data question you ask MS
you also ask MS if they verified the same data with the ISP to ensure the ISP's
records are accurate and untampered with and that qualified people retrieved and
provided the data. If the 14 year old computer geek working after school wrote
down an IP he looked up in the DHCP logs or if their network engineer verified
the data integrity, looked up the data and provided the data in a way that could
not be tampered with.

The 5th and final question is then "How was everything put together"?
Again how was all the new data stored? How was it mated with the original data?
How was integrity ensured? How was it then transmitted with lawyers and court
documents? Who handled the data, when and how was it used. Was it checked? Were
there typos in ANY of the transmissions of data, ie can they provide a copy of
every single time the data was passed to someone else? If they can't provide
every single transmission, whether it be email or written then I would say they
have a problem of verification.

[ Reply to This | # ]

A Lawyer Wishes to Pick Your Brain- Re Media Sentry
Authored by: Pogue Mahone on Monday, October 29 2007 @ 03:30 AM EDT
Ask for the copyright registrations of the works in question, and the exact works that were registered. Not just the titles (unless of course they're only claiming copyright in the title). Also ask how they determine that the files that were allegedly distributed were identical or substantially similar. Encoding a CD to mp3 at 128kbps throws away a lot of information, so a simple file comparison wouldn't work. If nothing else we might get a legal recognition that an mp3 file is *not* a perfect digital copy of the original CD, as a lot of record companies appear to claim.

If the record companies cannot determine mechanically that the distributed files are encoded versions of their copyrighted works they might have to fall back on subjective assessment. Ask how that was done.

Of course, there's always the composer's copyright in the music and the lyricist's copyright in the words, but the record companies might not have standing to sue over such violations.

(c) 2007 Typo, Inc. All rights reversed.

I'm not afraid of receiving e-mail from strangers - see bio

[ Reply to This | # ]

A Lawyer Wishes to Pick Your Brain- Re Media Sentry
Authored by: Anonymous on Monday, October 29 2007 @ 06:30 AM EDT
Sorry if this was already mentioned but there is just too much information to go
through and I don't have time.

I didn't see a 'chain of evidence' with md5 checksums of the files. I work at a
University in computer security and when we acquire something for litigation we
always do a checksum.

[ Reply to This | # ]

X-Kazaa-Username: jrlindor, Source: [MediaSentry IP Address]:3965
Authored by: cybervegan on Monday, October 29 2007 @ 06:44 AM EDT
The DownloadData text file log repeatedly contains the reference above.

Who is "JRLINDOR"?

Of course, there's no proof either way that this user is not Marie Lindor's, but
it doesn't match up. However, it would have to be proven that Marie was the
person using that ID at the time that the alleged infringement took place,
wouldn't it?

Furthermore, the source is noted as being:
Source: [MediaSentry IP Address]:3965

Doesn't that mean that MediaSentry were providing the file? Isn't this either
Entrapment or Contributory Infringement? They were obviously providing the file
for download, and the actual download may never have happened if the file had not
been available.

Furthermore, were the files that were allegedly downloaded ever found on any of
Marie's computers? (I think the answer to that was 'NO' if I remember the
forensic analysis of her disk image).

This file is only a link in the chain, a clue, not the evidence itself.


Software source code is a bit like underwear - you only want to show it off in
public if it's clean and tidy. Refusal could be due to embarrassment or shame...

[ Reply to This | # ]

A Lawyer Wishes to Pick Your Brain- Re Media Sentry
Authored by: Anonymous on Monday, October 29 2007 @ 09:21 AM EDT
If either one or the other are NOT using NTP then documentation must be provided
that MediaSentry's clocks used for timestamps are in sync with the ISP's server

[ Reply to This | # ]

A Lawyer Wishes to Pick Your Brain- Re Media Sentry
Authored by: MathFox on Monday, October 29 2007 @ 10:44 AM EDT
There are a few good questions to ask after a forensic examiner finds evidence
of a (previous) installation of Kazaa (or another P2P program) on a computer

When was the program installed?
Is there conclusive evidence that the defendant installed the program?
+ Why do you rule out a remote installation of the program via a Windows
security hole?
+ Why do you rule out that the computer operator was tricked into installing the
program as part of a trojan horse?
+ How do you conclude that defendant physically operated the computer at the
time of installation?

Once you have established that a third party could have installed the software,
let's go to part two:

How could defendant have detected that someone installed the program on her
computer without permission?
+ Is it fair to expect that a relatively computer illiterate person would have
detected the symptoms?
Is it fair to expect that a relatively computer illiterate person would be able
to stop the program from facilitating copyright infringing actions?
+ Which actions are required to permanently stop the program, considering
automatic software updates and potentially installed back doors?

If an axiomatic system can be proven to be consistent and complete from within
itself, then it is inconsistent.

[ Reply to This | # ]

Exhibit 8
Authored by: GLJason on Monday, October 29 2007 @ 11:02 AM EDT
I think this is a little confusing. It diagrams three computers connected to
the internet through a router and cable modem. It's great that it shows
different IP addresses on the internal network, but I think they should also
show the external IP of the cable modem, such as If any of these
three computers contacted a computer on the internet, it would see the address, not the differing internal addresses. I don't think
that's clear from the diagram. Maybe you could show all three computers
connecting to and displaying the same external
address. It'd be great to see a laptop using wireless and getting the same
results as well.

[ Reply to This | # ]

Procedures for Time verification and downloaded file verification
Authored by: Anonymous on Monday, October 29 2007 @ 11:44 AM EDT

1) What procedures are used to verify the accuracy of the computer clock at
MediaSentry? How often are these procedures performed?

Also, from the ISP, what procedures do they use to verify the accuracy of their
clocks? What time was Ms. Lindor's system assigned the IP address in question,
and what time did her system release it?

2) What were the file hashes reported prior to download of the files, and what
are the hashes on the files that MediaSentry saved? For any pair of files
(original as reported by the file sharing software, and the copy MediaSentry
received), if the hashes do not match, the files are not the same and
MediaSentry's copy should not be permitted as evidence.

The hash is a number computed from the data in the file that is designed to show
a large change in the result for small changes in the data file. Two different
digital copies made from the same recording might sound identical and may even
have identical file sizes, but almost certainly have different file hashes.

[ Reply to This | # ]
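The checksum and chain-of-custody requests in the comments above, as an added example that is not part of any poster's comment and is not MediaSentry's or anyone else's actual tooling: a custody log in which every entry records the evidence file's hash and the digest of the entry before it, so that a later edit to the log or to the file shows up. SHA-256 is used here in place of the MD5 one commenter mentions; the actors, timestamps and file bytes are constructed sample values.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous digest" used by the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Digest over every field of an entry except the digest itself."""
    body = {k: v for k, v in entry.items() if k != "digest"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode("utf-8"))


def append_entry(log: list, when_utc: str, actor: str, action: str,
                 evidence: bytes) -> dict:
    """Record one hand-off: who did what, when, and what the file hashed to."""
    entry = {
        "seq": len(log),
        "when_utc": when_utc,
        "actor": actor,
        "action": action,
        "evidence_sha256": sha256_hex(evidence),
        "prev": log[-1]["digest"] if log else GENESIS,
    }
    entry["digest"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify_log(log: list, produced_file: bytes) -> list:
    """Return a list of problems; an empty list means the log is intact
    and every recorded hash matches the file actually produced."""
    problems = []
    prev = GENESIS
    produced_hash = sha256_hex(produced_file)
    for i, entry in enumerate(log):
        if entry.get("seq") != i:
            problems.append(f"entry {i}: sequence number is {entry.get('seq')}")
        if entry.get("prev") != prev:
            problems.append(f"entry {i}: does not link to the previous entry")
        if entry_digest(entry) != entry.get("digest"):
            problems.append(f"entry {i}: fields changed after the entry was written")
        if entry.get("evidence_sha256") != produced_hash:
            problems.append(f"entry {i}: recorded hash does not match the produced file")
        prev = entry.get("digest")
    return problems


def build_sample_log():
    """Constructed sample: one captured file passing through three hands."""
    evidence = b"constructed stand-in for a captured download log\n"
    log = []
    append_entry(log, "2004-08-07T21:36:00Z", "investigator workstation",
                 "captured", evidence)
    append_entry(log, "2004-08-09T14:00:00Z", "records clerk",
                 "copied to archive", evidence)
    append_entry(log, "2007-10-01T10:00:00Z", "outside counsel",
                 "produced in discovery", evidence)
    return log, evidence


if __name__ == "__main__":
    sample_log, sample_file = build_sample_log()
    print("intact log:", verify_log(sample_log, sample_file))
    # Someone who can rewrite the WHOLE log can also recompute every digest,
    # so the newest digest must be given to an outside party when it is made.
    print("digest to hand over:", sample_log[-1]["digest"])
    sample_log[1]["when_utc"] = "2004-08-08T14:00:00Z"  # quiet edit to one entry
    print("after edit:", verify_log(sample_log, sample_file))
```

The check only proves consistency since the first entry; it says nothing about whether the capture itself was accurate, which is what the source-code requests in the thread are about.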

A Lawyer Wishes to Pick Your Brain- Re Media Sentry
Authored by: Anonymous on Monday, October 29 2007 @ 01:10 PM EDT
I would want to compare MediaSentry logs against my own, to verify or refute their allegations. I would ask for:

1. Logs of outbound and inbound connection packets from the MediaSentry border routers at the time of the alleged infringement, showing source IP address and port and destination IP address and port, and timestamp. [I am presuming that the MediaSentry machines used to conduct the scanning sit behind a router.] If Network Address Translation is used between any of the internal machines and the external network, logs for the devices providing the translation service as well (if different from the border router).

2. For each and every computer or other device that reports timestamp information presented in the Exhibits, logs or other documentation showing how the timing information is derived from or synchronized with fundamental time standards, e.g., via ntp, and an analysis of the estimated error in all timestamps.

3. For each program used to document the infringement, full source code. There are several reasons for requiring the source code. Examples:

a) to document just exactly what is being displayed. For example, in exhibit 6, one of the dates listed is "8/7/2004" - is this Aug 7 or 8 July?

b) to document the events being reported by the program. For example, in exhibit 6, is the "SENT PACKET" event the initiation of the connection such that it should show up in the border router logs?

c) to document the interaction between packets sent by the program and received by my router. E.G. does the program send malformed packets that might not be recognized by my router?

4. An unredacted version of Exhibit 6. E.G., in the line: "Source: [MediaSentry IP Address]:3965" the actual IP address of the machine should be shown.

[ Reply to This | # ]
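The clock-sync, timezone, lease-time and "8/7/2004" questions raised in the comments above, as an added example that is not part of any poster's comment: given an observation timestamp and an ISP's DHCP lease log, list every account that could have held the address once date-format ambiguity and combined clock error are allowed for. The lease records, account names, the 17:36:00 local time, the UTC-4 offset and the 192.0.2.x addresses (a documentation range) are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone


def utc(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS' as a UTC instant."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed ISP lease log: (ip, account, lease start, lease end), all UTC.
LEASES = [
    ("192.0.2.10", "acct-1001", utc("2004-07-08 09:00:00"), utc("2004-07-09 09:00:00")),
    ("192.0.2.10", "acct-2002", utc("2004-08-06 21:35:20"), utc("2004-08-07 21:35:20")),
    ("192.0.2.10", "acct-3003", utc("2004-08-07 21:35:40"), utc("2004-08-08 21:35:40")),
    ("192.0.2.11", "acct-4004", utc("2004-08-07 00:00:00"), utc("2004-08-08 00:00:00")),
]


def possible_instants(date_str: str, time_str: str, utc_offset_hours: float) -> list:
    """Every UTC instant that a slash-separated date plus a local time could
    mean, trying month-first and day-first readings of the date."""
    a, b, year = (int(x) for x in date_str.split("/"))
    hh, mm, ss = (int(x) for x in time_str.split(":"))
    tz = timezone(timedelta(hours=utc_offset_hours))
    instants = set()
    for month, day in ((a, b), (b, a)):
        try:
            local = datetime(year, month, day, hh, mm, ss, tzinfo=tz)
        except ValueError:
            continue  # this reading is not a real calendar date
        instants.add(local.astimezone(timezone.utc))
    return sorted(instants)


def candidate_accounts(leases: list, ip: str, instants: list,
                       clock_error_s: float) -> list:
    """Accounts whose lease on `ip` overlaps any instant, widened on both
    sides by the combined clock error of the observer and the ISP."""
    margin = timedelta(seconds=clock_error_s)
    hits = set()
    for instant in instants:
        lo, hi = instant - margin, instant + margin
        for lease_ip, account, start, end in leases:
            if lease_ip == ip and start <= hi and end >= lo:
                hits.add(account)
    return sorted(hits)


if __name__ == "__main__":
    ip = "192.0.2.10"
    month_first = [utc("2004-08-07 21:36:00")]   # 17:36:00 at UTC-4, read as Aug 7
    for err in (0, 30, 60):
        print(f"Aug 7 reading, +/-{err}s:", candidate_accounts(LEASES, ip, month_first, err))
    both = possible_instants("8/7/2004", "17:36:00", -4)
    print("either date reading:", candidate_accounts(LEASES, ip, both, 0))
    # Same printed time with the UTC offset left out of the request:
    no_offset = [utc("2004-08-07 17:36:00")]
    print("offset omitted:", candidate_accounts(LEASES, ip, no_offset, 0))
```

An identification is only as narrow as this list: when it holds more than one account, the timestamp alone does not single out a subscriber.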

Authored by: Anonymous on Monday, October 29 2007 @ 03:20 PM EDT
Several others have noted timestamps. I'd like to note that Windows keeps track
of this for you, or can.

In other words, request the full logs from the Windows "Event Viewer"
which lists all crashes, informational events, etc. My own, personal, Event
Viewer is filled with errors from all the times that Win32Time (or whatever it's
called) couldn't synch my computer's clock...

Get this for the ISP's DHCP server, too, BTW. ESPECIALLY for that server. And
not just the time errors, the rest of them might be juicy, too. Especially if
you can show their custom infringement-finder applications crashing. But be
careful, it might be in .NET or Java, so make sure you take a close look at
*every* event in the log, even the boring ones...

[ Reply to This | # ]

What evidence do they have that...
Authored by: Marc Mengel on Monday, October 29 2007 @ 05:49 PM EDT
Basically, where it would seem you could get them is simply this -- What
evidence do they have that the plaintiff ever used the computer they connected
to over the network? What do they actually know about this computer?

Can they tell what model or type of computer it is?

What color was the computer?

What brand was the computer?

Where was the computer located?

Does the computer have anti-virus or anti-spyware software installed?

Is the computer part of a botnet? (Symantec puts the number of computers
compromised with bot software in the hundreds of thousands. Other security
experts have put the number in the millions.)

Do they have receipts showing the plaintiff purchased the computer in question?

Do they have any sort of evidence (fingerprints on keyboard? witnesses?) showing
the defendant ever used a computer at all?

How does the ISP verify the identity of their client (credit card order? talked
on telephone?)

Can you, the lawyer, or some private eye type, get an account with that ISP
under the name of the plaintiff (or the judge :-))?
How hard is it to do?

Are they certain the client is not a victim of identity theft, and that this
isn't an ISP account actually held by another person? If so, how do they know?

[ Reply to This | # ]

Refinement fire
Authored by: tz on Tuesday, October 30 2007 @ 08:40 AM EDT
One question might be if there is a changelog or similar documentation for the
busybodybot code and what was the exact version used to identify this particular

If it is like most code, it goes through refinements, and will always have false
negatives and positives along with correctly identified infringement and

What are the rates of false positives (Imagine an HIV test or sexual assault
convictions)? And do they change with versions, or otherwise why try to refine
the software?

What were/are the rates with the particular version used to identify the

[ Reply to This | # ]

Document request
Authored by: ExcludedMiddle on Tuesday, October 30 2007 @ 05:24 PM EDT
1. A full specification for Media Sentry's own network.
2. Source code of _all_ software used to gather evidence for this case.
3. Any and all documentation regarding the supernode that was used in this. Was
it owned by mediasentry, or was the supernode just another user? If owned by
mediasentry, all specifications on that node computer.

[ Reply to This | # ]

A Lawyer Wishes to Pick Your Brain- Re Media Sentry
Authored by: TomWiles on Thursday, November 01 2007 @ 09:42 PM EDT
I thought about this for a couple of days before I decided to make a comment.

What good are the right questions if you can not properly interpret the evasive
answers. Thomas lost in court because she was out lawyered.

A lawyer friend once told me that you pound the facts. If you have no facts,
you pound the law. If the law is against you then you pound the table.
Thomas's accusers pounded the table and got away with it.

What you need is a qualified, knowledgeable, expert witness. One who
understands both networking and the law.

I mention this because we happen to have one here in Dallas. He was on the
standards committee for COBOL with Grace Hopper and he monitored the security of
the NAVY's data centers for over ten years. He is long retired now, but he is
still active in Dallas both as an expert witness and as an investigator for
cases very similar to yours.

If you choose to append an email contact point to this post, I will forward that
to him.

I have not discussed this with Fred but it sounds like something he would like
to be involved with.


[ Reply to This | # ]

A Lawyer Wishes to Pick Your Brain- Re Media Sentry
Authored by: slcdb on Saturday, November 03 2007 @ 08:09 AM EDT
1) Ask them how they obtained the IP address of the alleged infringer. Did the
P2P software itself show the IP address on the screen? Did they need to use some
other utility to show the address?

If the P2P software itself doesn't display the IP addresses of other users, then
you might be able to argue that the act of determining which IP address the P2P
software is connecting to, when it connects with another user, is an act of
reverse engineering.

But you'll first want to find out if there is a prohibition on reverse
engineering in the end-user license agreement for the P2P software they were
using. If there is, then it might have been a violation of the P2P software's
EULA to obtain the alleged infringer's IP address.

[ Reply to This | # ]

Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )