GROKLAW
Pick Your Brain Time - A Lawyer Requests Your Input - Updated
Wednesday, December 26 2007 @ 12:12 PM EST

We have another request to pick your brain, please. It's a follow-up to the earlier work you guys did on the UMG v. Lindor case preparation [here and here], which appears to have resulted in a supplemental report [PDF] from the RIAA's expert, which he'd appreciate it if you would analyze.

I'll let the lawyer, Ray Beckerman, explain the details and what he'd like you to do. Lawyers are experts in the law. You know the tech. Please explain it to him.

********************************

Ray Beckerman:

Has RIAA expert Jacobson contradicted himself?

A year and five months after examining the defendant's hard drive in UMG v. Lindor, the RIAA's "expert" witness, Dr. Doug Jacobson, has issued a "supplemental report" which appears to contradict his earlier "reports" alluding to the hard drive inspection.

In view of the superb job the Groklaw community and the Slashdot community did in helping first to prepare for, and then to vet, Jacobson's deposition, I humbly submit for your learned review the now three (3) versions of the "expert's" opinions based on the hard drive, for your analysis.

As with almost all federal litigation documents nowadays, they are, unfortunately, in *pdf format: (a) December 19, 2006, declaration; (b) unsigned October 25, 2006, report, awaiting approval from RIAA lawyers; and (c) December 15, 2007, version.

The initial observations of commentators on my blog are located here.


Update: We have the December 2006 declaration done as text now, thanks to rpenner, and I've done the other two, so you can compare.

Here's the December 2006 Declaration of Dr. Doug Jacobson [PDF, local copy]:

****************************

Case 1:05-cv-01095-DGT-RML Document 114 Filed 12/20/2006

United States District Court
Eastern District of New York

05 CV 1095 (DGT)(RML)
----------------------------x
UMG Recordings, Inc., et al,

Plaintiffs

- against

Marie Lindor,

Defendant
----------------------------x

Declaration of Dr. Doug Jacobson, Ph.D., CFCE

I, Dr. Doug Jacobson, Ph.D., CFCE, declare:

1. I have been retained by the plaintiffs in this action, among other things, to review and provide my opinions regarding data and information contained on a disk drive images from defendant's computer that was provided to me. I have also previously provided an expert report regarding the initial detection of infringement on defendant's computer and the workings of Kazaa, among other things. I have personal knowledge of the facts set forth in this declarations except as where stated on information and belief. As to such facts, I believe them to be true.

2. My qualifications and prior testimony are as follows:

a. I am employed as an associate Professor of Electrical and Computer Engineering at Iowa State University and as the Director of the Iowa State University Information Assurance Center. I also have an appointment with the Iowa State University police department, where I aid in computer forensics.

b. In addition, I am the Chief Technical Officer and founder of Palisade Systems, a high-tech computer security company that specializes in network monitoring and filtering technologies.

c. My employment with Iowa State University began in 1982 as a computer programmer. I completed my Ph.D. in Computer Engineering with a focus in computer networking in December 1985. In January 1986, I was hired by the Department of Electrical and Computer Engineering as an Assistant Professor to teach and research in the area of computer networks. Since that time, I have taught over 25 classes in computer networks at both the undergraduate and graduate level. I have received over 5 million dollars in funding for my research and have written several articles and made numerous presentations on the topic.

d. In 1995, I created and taught one of the first computer security classes at Iowa State University and in the country. Under my guidance, in 1999, Iowa State University was recognized by the National Security Agency as a center of excellence. And in 2000, the Iowa State University Information Assurance Center was created. I am its first and only director. I am a Certified Forensics Computer Engineer.

e. On September 9th 2003, I testified in front of the U.S. Senate Judiciary Committee on the uses of peer-to-peer protocols.

f. A true and correct copy of my Curriculum Vitae is attached as Exhibit A.

3. My prior relevant experience is as follows:

a. I have been teaching computer networking since 1986 and written papers and performed research on computer networks.

b. I have given over 50 presentations on computer security and networks at conferences, workshops, and various meetings.

c. I hold two patents in the area of computer network security and have won two R&D 100 awards for technologies I developed at Palisade Systems. One of these technologies is designed to detect and block peer-to-peer network protocols in addition to over 100 other network protocols.

d. I have assisted the Iowa State University Police department on several computer cases, including cases using peer-to-peer networks to distribute pirated software and child pornography.

e. One of my graduate students, under my supervision and guidance, developed a system that monitors peer-to-peer networks and other forms of file-sharing for child pornography.

4. In connection with my analysis, I have reviewed all of the underlying investigative data for this case, including all of the data supplied by MediaSentry. I have also reviewed the information supplied by defendant's Internet service provider, Verizon Internet Service. In particular, I considered the following:

a. MediaSentry Screenshots

b. MediaSentry Systemlog

c. MediaSentry UserLog (compressed)

d. MediaSentry UserLog

e. MediaSentry Download Logs

f. Certificate of Registration

g. MediaSentry Trace

h. Verizon Internet Service subpoena response

i. Disk drive image from defendant's computer

5. Based upon my review of the foregoing materials, as well as on my education and experience, it is my opinion and belief that defendant's computer had a public Internet Protocol ("IP") address and was not connected to the Internet via a wireless router. I base this on the data mentioned above, as well as on the registry entries recovered from the computer and the fact that there was no internal IP address here. Based on how IP addresses are assigned, it is not difficult to determine whether a computer was connected to the Internet via a wireless router. This computer was not.

6. In addition, it is my opinion and belief, based on my education and experience and on the data recovered from the hard drive that I reviewed, that this hard drive was not the same hard drive that was used to share copyrighted sound recordings as shown by the MediaSentry materials. A forensic inspection of a computer hard drive in a case like this one can provide significant information regarding the infringement alleged. For example, a forensic inspection would allow one to see, among other things, whether a file-sharing program was downloaded or installed and whether there is a share folder. It would also show whether the audio files, or any remnants or evidence thereof, that MediaSentry observed being distributed from defendant's IP address remained on defendant's computer. Finally, a forensic inspection can reveal whether a party attempted to delete file-sharing programs or other files. The MediaSentry data here showed that the computer connected to defendant's Internet account was running the Kazaa program. As such, a forensic inspection of that computer would have reveals at least remnants of the Kazaa file-sharing service, as well as the existence of a share folder, or remnants of it, had someone attempted to delete it. The hard drive that was provided and that I inspected, showed little usage at all, as evidenced by the lack of user created files and e-mails, and did not reveal the evidence noted above, which I believe the correct hard drive would certainly have shown.

7. The hard drive that was provided did contain the resume of Gustave Lindor, Jr., and that document indicates that he was living and working in Brooklyn, New York during the dates that the copyrighted music was being shared.

Executed this 19th day of December, 2006, at Ames, Iowa

(signed)
Dr. Doug Jacobson, Ph.D., CFCE

Here's the report from October of 2006:

*************************

EXHIBIT
Deft's 15
2/23/07

Lindor report
[whited out]sk.doc (35 KB

--Original Message--
From: Doug Jacobson [mailto:redacted]
Sent: Wednesday, October 25, 2006 9:28 AM
To: Richard Gabriel
Subject: Lindor report Disk

Here it is

Doug

--
Doug Jacobson
Director. ISU Information Assurance Center
Dept. Electrical & Computer Engineering
[address, phone, fax, email, website urls]


****************************

UMG Recordings, Inc., et al v. Lindor
ED - NY Case Number: 05-cv-1095

Affidavit and Supplemental Expert Report

Dr. Doug Jacobson, Ph.D., CFCE
Ph.D. Computer Engineering
Certified Forensic Computer Examiner
International Association of Computer Investigative Specialists

________________________

Qualifications & Prior Testimony

1) I am employed as an associate Professor of Electrical and Computer Engineering at Iowa State University and as the Director of the Iowa State University Information Assurance Center. I also have an appointment with the Iowa State University police department, where I aid in computer forensics.

2) In addition, I am the Chief Technical Officer and founder of Palisade Systems, a high-tech computer security company that specializes in network monitoring and filtering technologies.

3) My employment with Iowa State University began in 1982 as a computer programmer. I completed my Ph.D. in Computer Engineering with a focus in computer networking in December 1985. In January 1986, I was hired by the Department of Electrical and Computer Engineering as an Assistant Professor to teach and research in the area of computer networks. Since that time, I have taught over 25 classes in computer networks at both the undergraduate and graduate level. I have received over 5 million dollars in funding for my research and have written several articles and made numerous presentations on the topic.

4) In 1995, I created and taught one of the first computer security classes at Iowa State University and in the country. Under my guidance, in 1999, Iowa State University was recognized by the National Security Agency as a center of excellence. And in 2000, the Iowa State University Information Assurance Center was created. I am its first and only director. I am a Certified Forensics Computer Engineer. My Curriculum Vitae is attached as Exhibit (A)

5) On September 9th 2003, I testified in front of the U.S. Senate Judiciary Committee on the uses of peer-to-peer protocols.

Prior Experience

6) I have been teaching computer networking since 1986 and written papers and performed research on computer networks.

7) I have given over 50 presentations on computer security and networks at conferences, workshops, and various meetings.

8) I hold two patents in the area of computer network security and have won two R&D 100 awards for technologies I developed at Palisade Systems. One of these technologies is designed to detect and block peer-to-peer network protocols in addition to over 100 other network protocols.

9) I have assisted the Iowa State University Police department on several computer cases, including cases using peer-to-peer networks to distribute pirated software and child pornography.

10) One of my graduate students, under my supervision and guidance, developed a system that monitors peer-to-peer networks and other forms of file-sharing for child pornography.

11) My rate for analysis and testimony is $200.00 per hour. Additional expenses relating to analysis, testimony, and travel are reimbursed at the incurred costs.

Materials Considered

12) I have reviewed the underlining investigative data for the Lindor case. This includes all of the data supplied by MediaSentry. I also have reviewed information supplied by Defendant's Internet Service Provider (ISP) Verizon Internet Services. Below is a list of the materials I considered in developing my conclusions.

a) MediaSentry Screenshots
b) MediaSentry Systemlog
c) MediaSentry UserLog (compressed)
d) MediaSentry UserLog
e) MediaSentry Download Logs
f) Certificate of Registration
g) MediaSentry Trace
h) Verizon Internet Services subpoena response
i) Disk drive image from defendant's computer

Conclusions

In addition to the conclusions contained in my report dated April 7th 2006 I have the following additional conclusions based on the additional information from the hard drive image.

13) I will testify to the procedures used and results obtained by MediaSentry coupled with the information supplied by Defendant's ISP, to demonstrate the Defendant's Internet account and computer were used to download and upload Copyrighted music from the Internet using the KaZaA peer-to-peer network.

14) I will testify that based on the MediaSentry data mentioned above and registry entries recovered from the computer that the computer had a public IP address and was not connected to the Internet via a wireless router.

15) I will testify based on the forensics examination that the computer had three usernames of interest that were named Kathleen, Woody, and Yanick.

16) I will testify that none of the three users appeared to have used the computer much due to the lack of user created files and emails.

17) I will testify that based on the data recovered from the hard drive that this hard drive does not appear to be the same hard drive that was used to share copyrighted songs as shown by the MediaSentry materials. I will testify based on the forensics examination of the hard drive that was copied from the computer owned by the defendant that the computer had no evidence of the KaZaA program nor was there any evidence of the KaZaA program ever being installed on the computer, although the MediaSentry data showed the computer connected to the defendant's Internet account was running the KaZaA program.

18) I will testify that the computer contained the resume of Gustave Lindor, Jr and that the document indicates he was living and working in Brooklyn N.Y. and working at Long John Silver's during the dates that the copyrighted music was being shared.

19) I reserve the right to review additional discovery materials, as they are made available for my review, and use any of the material considered as exhibits in my testimony.

Attachments;
Doug Jacobson -- Curriculum Vitae -- Exhibit (A)

I declare under penalty of perjury and the laws of the United States that foregoing is true and correct. Executed this ____ day of __________ 2006, at _______

______________

Dr. Doug Jacobson

Subscribed and sworn to before me this _____day of ____________

_______________

Notary Public

My commission expires:

And here's the most recent Supplemental Declaration [PDF, local copy]:

****************************

Case 1:05-cv-01095-DGT-RML Document 210-2 Filed 12/19/2007

UMG Recordings, Inc., et al v. Lindor
ED - NY Case Number: 05-cv-1095

Supplemental Declaration and Expert Report

Dr. Doug Jacobson, Ph.D., CFCE
Ph.D. Computer Engineering
Certified Forensic Computer Examiner
International Association of Computer Investigative Specialists

________________________

Qualifications & Prior Testimony

1) I am employed as an associate Professor of Electrical and Computer Engineering at Iowa State University and as the Director of the Iowa State University Information Assurance Center. I also have an appointment with the Iowa State University police department, where I aid in computer forensics.

2) In addition, I am the Chief Technical Officer and founder of Palisade Systems, a high-tech computer security company that specializes in network monitoring and filtering technologies.

3) My employment with Iowa State University began in 1982 as a computer programmer. I completed my Ph.D. in Computer Engineering with a focus in computer networking in December 1985. In January 1986, I was hired by the Department of Electrical and Computer Engineering as an Assistant Professor to teach and research in the area of computer networks. Since that time, I have taught over 25 classes in computer networks at both the undergraduate and graduate level. I have received over 5 million dollars in funding for my research and have written several articles and made numerous presentations on the topic.

4) In 1995, I created and taught one of the first computer security classes at Iowa State University and in the country. Under my guidance, in 1999, Iowa State University was recognized by the National Security Agency as a center of excellence. And in 2000, the Iowa State University Information Assurance Center was created. I am its first and only director. I am a Certified Forensics Computer Engineer. My Curriculum Vitae is attached as Exhibit (A)

5) On September 9th 2003, I testified in front of the U.S. Senate Judiciary Committee on the uses of peer-to-peer protocols.

Prior Experience

6) I have been teaching computer networking since 1986 and written papers and performed research on computer networks.

7) I have given over 50 presentations on computer security and networks at conferences, workshops, and various meetings.

8) I hold two patents in the area of computer network security and have won two R&D 100 awards for technologies I developed at Palisade Systems. One of these technologies is designed to detect and block peer-to-peer network protocols in addition to over 100 other network protocols.

9) I have assisted the Iowa State University Police department on several computer cases, including cases using peer-to-peer networks to distribute pirated software and child pornography.

10) One of my graduate students, under my supervision and guidance, developed a system that monitors peer-to-peer networks and other forms of file-sharing for child pornography.

11) My rate for analysis and testimony is $200.00 per hour. Additional expenses relating to analysis, testimony, and travel are reimbursed at the incurred costs.

Hard Drive Forensics

12) This case involved the examination of a hard drive. Several terms need to be defined relative to a hard drive examination.

Current Internet History -- Internet history on the computer that has not been altered. This history can be tied to a specific user account on the computer, if the operating system permits it.

Forensically Sound -- The preservation of evidence surrounding a case such that the evidence is kept exactly the way it was received. In computer terms, "forensically sound" relates to the preservation of the state of the data -- no information has been added, edited or removed from the forensic media during the examination.

Initiating Party -- The party that brings the forensic media in for analysis, and provides the scope of the investigation to the investigators.

Internet Cache -- A location on a piece of media that contains downloaded images, movies, sounds and web pages of locations users have visited on the Internet. The Internet Cache is often cleared to make more space available on the media, and can be configured to be emptied when the user closes the Internet browser.

Investigators -- Those performing the forensic analysis of the media for the specified parameters.

Media -- The items that contain digital evidence, which are brought to the investigators for analysis. Media includes, but is not limited to, hard drives, USB devices, CD-ROM's, floppy discs, ZIP™ discs and DVD's.

Past/Removed Internet History -- Internet history on the computer that had to be recovered from unallocated (deleted) file space.

Unallocated Space -- When files are deleted from media, references to them are removed, but the actual data may still exist on the media. Unallocated space is the term used to describe any part on the media where a file may have existed. Since unallocated space is eventually overwritten, the usage of the computer dictates how long a deleted file will exist here.

13) The hard drive examination followed several steps as outlined below, which are consistent with the process outlined by the International Association of Computer Investigative Specialists.

Evidence Acquisition Phase

During the acquisition phase, the initiating party provides the investigators with relevant media associated with the case. The initiating party also provides investigators with information surrounding the investigation that will be applied in the analysis stage. Once the media is delivered to the investigators, proper documentation is signed indicating the media transfer.

Evidence Preservation Phase

During the preservation phase, an exact, forensically sound copy is made of each medium obtained in the acquisition phase. This ensures the original media is not tainted in any way. Further, hash values are created of the original media, and compared against the copies, to ensure that the copied data accurately represents the original media. This keeps the forensic process sound.

Analysis Stage

During the analysis stage, information that relates to the case is searched for over all the media obtained. This information is retrieved during the acquisition phase. This ensures that the investigators are only looking for information pertaining to this case. Investigations outside the parameters will not take place, unless otherwise explicitly stated by the initiating party.

Conclusion Stage

The conclusion stage will draw together everything analyzed in the analysis stage. Here, the investigator will review the recovered data, and provide explanations of why the data exists where it does, and how the data relates to the case.

Materials Considered

14) I have reviewed the underlining investigative data for the Lindor case. This includes all of the data supplied by MediaSentry. I also have reviewed information supplied by Defendant's Internet Service Provider (ISP) Verizon Internet Services. Below is a list of the materials I considered in developing my conclusions.

a) MediaSentry Screenshots
b) MediaSentry Systemlog
c) MediaSentry UserLog (compressed)
d) MediaSentry UserLog
e) MediaSentry Download Logs
f) Certificate of Registration
g) MediaSentry Trace
h) Verizon Internet Services subpoena response
i) Disk drive image from defendant's computer

Conclusions

In addition to the conclusions contained in my report dated April 7th 2006 I have the following additional conclusions based on the additional information from the hard drive image.

15) I will testify to the procedures used and results obtained by MediaSentry coupled with the information supplied by Defendant's ISP, to demonstrate the Defendant's Internet account and computer were used to download and upload copyrighted music from the Internet using the KaZaA peer-to-peer network.

16) I will testify that based on the MediaSentry data mentioned above and registry entries recovered from the computer that the computer had a public IP address and was not connected to the Internet via a wireless router.

17) I will testify based on the forensics examination that the computer had three usernames of interest that were named Kathleen, Woody, and Yanick.

18) I will testify that I found very few user created files and saved emails on the hard I was provided to by the defendant.

19) I will testify that based on the data recovered from the hard drive provided by the defendant that the users Woody, Kathleen, and Yanick accessed the Internet using the computer.

20) I will testify that based on the data recovered from the hard drive that this hard drive does not appear to be the same hard drive that was used to share copyrighted songs as shown by the MediaSentry materials. I will testify based on the forensics examination of the hard drive that was copied from the computer owned by the defendant that the computer had no evidence of the KaZaA program nor was there any evidence of the KaZaA program ever being installed on the computer, although the MediaSentry data showed the computer connected to the defendant's Internet account was running the KaZaA program.

21) I will testify based on the data recovered from the hard drive produced by the defendant that the computer had a Western Digital 100 GB USB external hard drive connected to it and that the external hard drive was first connected on or before 7/8/2004. The external hard drive was not provided by the defendant.

22) The user Woody used Windows MediaPlayer to access songs and other files from a directory:
(F:hDocuments and SettingsYanickMy Documentsdownloadyayahq) located on the external hard drive.

23) I will testify that based on the data recovered from the hard drive that the user Woody was administer of the computer.

24) I will testify that based on the data recovered from the hard drive provided by the defendant that several email addresses were associated with users on the computer including: [redacted]

25) I will testify that based on the data recovered from the hard drive provided by the defendant that the yahoo account jeanlindor was accessed using the computer.

26) I will testify that the computer contained the resume of Gustave Lindor, Jr. and that the document indicates he was living and working in Brooklyn N.Y. and working at Long John Silver's during the dates that the copyrighted music was being shared.

27) I reserve the right to review additional discovery materials, as they are made available for my review, and use any of the material considered as exhibits in my testimony.

Attachments;
Doug Jacobson -- Curriculum Vitae -- Exhibit (A)

I declare under penalty of perjury and the laws of the United States that foregoing is true and correct. Executed this 15 day of December, 2007, at 9:00 am

__[signature]___

Dr. Doug Jacobson
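
The "Evidence Preservation Phase" in the supplemental declaration above says hash values of the original media are compared against the copy. The following is an added example, not part of the declaration or of the Groklaw article, showing what that comparison looks like and how per-block hashes locate a discrepancy. SHA-256, the 4096-byte block size and the byte strings standing in for media are assumptions constructed for illustration; the declaration names no algorithm.

```python
import hashlib
import io

BLOCK_SIZE = 4096  # assumption: granularity used to locate a mismatch


def hash_stream(stream, block_size=BLOCK_SIZE):
    """Read a stream once; return (size, whole SHA-256, list of per-block SHA-256)."""
    whole = hashlib.sha256()
    block_digests = []
    size = 0
    while True:
        chunk = stream.read(block_size)
        if not chunk:
            break
        size += len(chunk)
        whole.update(chunk)
        block_digests.append(hashlib.sha256(chunk).hexdigest())
    return size, whole.hexdigest(), block_digests


def verify_copy(original, copy, block_size=BLOCK_SIZE):
    """Compare a working copy against the original media.

    The copy is accepted only if both size and whole-stream digest agree.
    bad_offsets lists the starting byte offset of every block present in
    both streams whose contents differ.
    """
    o_size, o_hash, o_blocks = hash_stream(original, block_size)
    c_size, c_hash, c_blocks = hash_stream(copy, block_size)
    bad_offsets = [
        i * block_size
        for i, (a, b) in enumerate(zip(o_blocks, c_blocks))
        if a != b
    ]
    return {
        "match": o_size == c_size and o_hash == c_hash,
        "original_sha256": o_hash,
        "copy_sha256": c_hash,
        "original_size": o_size,
        "copy_size": c_size,
        "bad_offsets": bad_offsets,
    }


def verify_bytes(original_bytes, copy_bytes):
    """Convenience wrapper so in-memory samples can be checked like files."""
    return verify_copy(io.BytesIO(original_bytes), io.BytesIO(copy_bytes))


# Constructed stand-ins for a drive and three copies of it (not real evidence).
MEDIA = bytes(range(256)) * 64                         # 16384 bytes, 4 blocks
GOOD_COPY = bytes(MEDIA)                               # bit-for-bit identical
ALTERED_COPY = MEDIA[:5000] + b"\xff" + MEDIA[5001:]   # one byte changed
TRUNCATED_COPY = MEDIA[:12288]                         # last block missing

if __name__ == "__main__":
    for name, sample in [("good", GOOD_COPY),
                         ("altered", ALTERED_COPY),
                         ("truncated", TRUNCATED_COPY)]:
        result = verify_bytes(MEDIA, sample)
        print(name, result["match"], result["copy_size"], result["bad_offsets"])
```

A truncated copy shows no differing blocks yet still fails, which is why the size is compared as well as the digests.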


  


Pick Your Brain Time - A Lawyer Requests Your Input - Updated | 591 comments
Corrections here
Authored by: ralevin on Wednesday, December 26 2007 @ 12:19 PM EST
Although on such a short item this is mostly for tradition.

[ Reply to This | # ]

OT, The off topic thread...
Authored by: Erwan on Wednesday, December 26 2007 @ 12:20 PM EST
As usual.

---
Erwan

[ Reply to This | # ]

News picks discussions here...
Authored by: Erwan on Wednesday, December 26 2007 @ 12:29 PM EST
Remember to quote the article name.

---
Erwan

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input
Authored by: Anonymous on Wednesday, December 26 2007 @ 12:36 PM EST

I'm a tad confused as to what he is actually testifying to. He seems to make a bunch of points, almost all unrelated.

1. (#17) MediaSentry traced things back to the defendant's "computer".

2. (#20) The hard drive provided was not used for file sharing.

3. (#21) Another hard drive was connected to the computer.

4. (#22) The other hard drive was used to play songs, but not necessarily the songs obtained from MediaSentry logs. Additionally, the user names listed don't match between points #22 and #24 either.

5. (#20) No evidence that the computer provided ran Kazaa.

In summary, he didn't show that the new hard drive contained either a) illegal music, b) Kazaa, or c) even a matching user id. All he did was conclusively show that at some point one of the computer's users connected a remote hard drive to play music files. This isn't a crime.

I think what the new declaration shows is clearly summarized in point #20, that the data doesn't match. Additionally, if the hard drive was connected directly to the internet, then the computer should display the IP addresses used. That IP address should be provided.

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input
Authored by: Anonymous on Wednesday, December 26 2007 @ 12:46 PM EST
After reading this and the atty's blog briefly I have to wonder why it has not
come up that ANYONE can boot off a thumb drive and not leave any evidence on the
host system?

This fact alone, assuming they can prove that it was that machine (which they
can't prove 100%, and certainly not from that machine's records), that opens up
the suspect list to anyone who has stepped foot in the house during the time in
question.


Dan

[ Reply to This | # ]

My impressions
Authored by: Anonymous on Wednesday, December 26 2007 @ 12:51 PM EST
First, I'd note that the entire description of forensics 101 is nearly
meaningless because it only applies to item (i), the defendant's hard drive.
The other items on that list were NOT authenticated in that manner unless he has
some MediaSentry hard drives. I would drive this point home. He does not,
because he cannot, "authenticate" any MediaSentry materials in that
manner unless he can point us to where he forensically examined some MediaSentry
hard drives.

Second, I see a lot of "I will testify" but he admitted in prior
depositions to having no personal knowledge of MediaSentry's investigative
techniques. Because of his inability to answer depositions, I hardly think it
fair to lend MediaSentry his credibility at trial when he doesn't actually know
what they did, has no chain of evidence for the MediaSentry and ISP materials
he's "authenticating" and testifies that the defendant does not have
Kazaa, but apparently ONCE (?) listened to music from someone else's external
HD. That doesn't sound like a hard-core pirate to me.

Third, who was this Kazaa account registered to? The last few cases had them
trace an email back to someone. Perhaps someone should do a quick Google and
point out who it doesn't lead back to? I'm certain they'd have linked it to the
defendant if they could have, therefore, I can only assume that in actuality, it
leads to someone else.

[ Reply to This | # ]

The purpose seems to be ...
Authored by: rsteinmetz70112 on Wednesday, December 26 2007 @ 01:02 PM EST
... to establish that this hard drive wasn't the one originally in the computer
and that there is an external drive which wasn't produced.

This goes back to the allegation that evidence was either withheld or
destroyed.

The Wireless Router bit seems to be there to disprove the conjecture that some
third party might have accessed the Internet without the subscriber's knowledge.
It might also allow the computer MAC address to be matched to the ISP records.

---
Rsteinmetz - IANAL therefore my opinions are illegal.

"I could be wrong now, but I don't think so."
Randy Newman - The Title Theme from Monk

[ Reply to This | # ]

Wireless router?
Authored by: Steve Martin on Wednesday, December 26 2007 @ 01:18 PM EST

I see a bit of hay being made here over the allegation that the defendant's computer was not connected to the Internet using a "wireless" router. Dr. Jacobson states in his 2006 filing (¶ 5, page 4) that "Based on how IP addresses are assigned, it is not difficult to determine whether a computer was connected to the Internet via a wireless router." It is in fact not possible at all to tell based on IP address alone whether the router used to connect a computer to the Internet is wireless or hard-wired. I happen to have a LAN in my home which uses a private IP address range (one used on many, many private networks), with two hard-wired client computers, a hard-wired print server module, and a wireless laptop connected through a separate 802.11g access point. All these devices are on the same IP address range, all addresses were assigned by me. The addresses used on these devices (and the address range used for the LAN) have nothing whatsoever to do with whether the router I use between my LAN and the cable modem is "wireless".

Now, there are some correlations between IP addresses and whether or not a "private LAN" range is being used such as would be used behind a home router. But that has nothing to do with whether or not the router used is "wireless". Perhaps Dr. Jacobson meant to state that he could tell by IP address whether or not a router was used at all. That comes closer to credibility than the statement as given does.

---
"When I say something, I put my name next to it." -- Isaac Jaffee, "Sports Night"

[ Reply to This | # ]

alarming item number one...
Authored by: sumzero on Wednesday, December 26 2007 @ 01:25 PM EST
for me is that he appears to have opened and read personal documents of the
defendant [email and resume]. was that within the scope of allowable discovery?
or is that just a good, old-fashioned invasion of privacy?

sum.zero

---
48. The best book on programming for the layman is "alice in wonderland"; but
that's because it's the best book on anything for the layman.

alan j perlis

[ Reply to This | # ]

Gobbly-de-gook
Authored by: Nick_UK on Wednesday, December 26 2007 @ 01:27 PM EST
"Specifically, as set forth in the attached supplemental
report, plaintiffs' expert, Dr. Doug Jacobson, determined,
among other things, that a Western Digital 100 GB USB
external hard drive was connected to the hard drive that
the defendant previously provided, and this external drive
was first connected on or before July 8, 2004."

You don't connect a 'hard drive' to a 'hard drive' as
stated there.

Nick

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input
Authored by: eggplant37 on Wednesday, December 26 2007 @ 01:35 PM EST
I think my first question to refute this report would be as follows:

"What conclusive proof can you provide that specifically indicates which
actual person had accessed which one of the three user accounts on the computer
at the time that the MediaSentry data was acquired?"

Then sit back and watch them start to stammer as they invent an answer to that
question. I'd say they'll have a rather difficult time trying to figure this one
out.

[ Reply to This | # ]

A couple of thoughts
Authored by: Anonymous on Wednesday, December 26 2007 @ 01:39 PM EST
1. He testifies to a Western Digital Hard Drive being connected. Assumption is
that this is drive F though I'm not sure that he testifies to this.

2. Who was using the computer when it was logged in under the various usernames?

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input
Authored by: achurch on Wednesday, December 26 2007 @ 01:57 PM EST
I don't know about contradictions, but some of his conclusions are certainly questionable:
15) I will testify to the procedures used and results obtained by MediaSentry coupled with the information supplied by Defendant's ISP, to demonstrate the Defendant's Internet account and computer were used to download and upload copyrighted music from the Internet using the KaZaA peer-to-peer network.

How can he testify to anything, really, about MediaSentry if all he has is screenshots and logs? How does he (as a supposed forensics expert) know that those screenshots and logs actually represent what happened on the Internet at that time? How can he be sure, for example, that a bug in the logging program didn't interchange one IP address with another, resulting in the Defendant's IP address being shown for someone else's uploads or downloads? And while we're at it, how can he testify that "Defendant's . . . computer [was] used"? Even assuming the IP address is correct, there's just no way to tell what physical hardware is associated with a specific IP address without physical access to that hardware (and all the routers in between, for that matter).

16) I will testify that based on the MediaSentry data mentioned above and registry entries recovered from the computer that the computer had a public IP address and was not connected to the Internet via a wireless router.

As others have said, you can't tell wired and wireless networks apart just from IP addresses; you can only tell NAT networks (that is, networks in which computers are assigned private IP addresses) from direct connections. It's perfectly possible to have a wired NAT network—I'm using one right now—or a direct connection that goes through a wireless router, though in the latter case I'm not sure whether commonly-used routers support that mode of connection.

It's also worth pointing out that, unless the registry data he extracted includes the correct date and time, one can't rule out a different computer at the same location being connected at that time. Even if it's a wired connection, all it takes is a single cable swap to hook up one's laptop in place of the computer that's usually connected.

17) I will testify based on the forensics examination that the computer had three usernames of interest that were named Kathleen, Woody, and Yanick.

18) I will testify that I found very few user created files and saved emails on the hard I was provided to by the defendant.

I'd like to stop here for just a moment and suggest that if this is the limit of his grammatical skills, I for one wouldn't put much faith in his forensics skills . . .

19) I will testify that based on the data recovered from the hard drive provided by the defendant that the users Woody, Kathleen, and Yanick accessed the Internet using the computer.

20) I will testify that based on the data recovered from the hard drive that this hard drive does not appear to be the same hard drive that was used to share copyrighted songs as shown by the MediaSentry materials. I will testify based on the forensics examination of the hard drive that was copied from the computer owned by the defendant that the computer had no evidence of the KaZaA program nor was there any evidence of the KaZaA program ever being installed on the computer, although the MediaSentry data showed the computer connected to the defendant's Internet account was running the KaZaA program.

So, uh, wait a moment . . . what was all that talk about the computer being used for uploading and downloading music? If it isn't the same hard drive, then all his other "conclusions" based on the hard drive he examined (like #16) go out the window; and if it is the same hard drive, that's pretty clear evidence that KaZaA wasn't used on this computer in the first place. Continuing for a moment . . .

21) I will testify based on the data recovered from the hard drive produced by the defendant that the computer had a Western Digital 100 GB USB external hard drive connected to it and that the external hard drive was first connected on or before 7/8/2004. The external drive was not provided by the defendant.

I suppose he's trying to suggest that KaZaA was installed on that external drive, and that's why he couldn't find it. But Windows doesn't work that way; no matter where you install a program, it'll usually leave traces in the registry or user profile, which are stored on the system drive—the same place he presumably looked for IP address information. If the program is installed into the Start menu, for example, a "shortcut" file is saved to the user's Start Menu directory on the system drive; likewise if an icon for the file is placed on the Desktop. (I haven't tried KaZaA myself, though, so I can't say specifically where one might look for such traces.)

I don't have time to go over the rest at the moment, so I'll just put it up as text in case it helps others to look it over:

22) The user Woody used Windows MediaPlayer to access songs and other files from a directory: (F:hDocuments and SettingsYanickMy Documentsdownloadyayahq) located on the external hard drive.

23) I will testify that based on the data recovered from the ahrd drive that the user Woody was administer of the computer.

24) I will testify that based on the data recovered from the hard drive provided by the defendant that several email addresses were associated with users on the computer including: wraymond yanick_wright, kathleen, yayagq, yanick_ray.

25) I will testify that based on the data recovered from the hard drive provided by the defendant that the yahoo account jeanlindor was accessed using the computer.

26) I will testify that the computer contained the resume of Gustave Lindor, Jr and that the document indicates he was living and working in Brooklyn N.Y. and working at Long John Silver's during the dates that the copyrighted music was being shared.

27) I reserve the right to review additional discovery materials, as they are made available for my review, and use any of the material considered as exhibits in my testimony.

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input
Authored by: Anonymous on Wednesday, December 26 2007 @ 02:10 PM EST
I read all three reports. Mr Jacobson first tries very
hard to make it clear that a wireless router was not used.
He does this because wireless routers are notorious for not
having good security. In my neighborhood, for example, I
can connect to any one of 4 wireless routers besides my
own. There is nothing to stop me (besides my ethics) from
connecting to my neighbor's wireless router and engaging in
file sharing at my neighbor's expense.

In the second report, Mr Jacobson makes it clear that he
believes that the computer connected to the internet was
not used for KaZaA. I suspect he came to this conclusion
because there was no forensic evidence on the computer hard
drive he had at the time.

The third report asserts that the USB drive is the drive
that was used in conjunction with the computer for
file sharing. This is logical and seemingly consistent but
is not the only explanation. USB drives are inherently
promiscuous by nature. A USB drive can be connected to any
modern computer in a matter of seconds. There is no way to
know how many different computers have had access to this
USB drive. If the USB drive has not always been in the
Lindor's possession or if it was bought used or if anyone
ever had access to the drive then it's not possible to
connect the dots. Even brand new USB drives have been
shipped from manufacturers with viruses on them.

And finally I might add that with the sorry state of
computer security, it's entirely possible that a third
party could be using the Lindor's computer for file sharing
for their own gain. I wonder if Mr Jacobson took steps to
see if any malware, viruses or root kit software existed on
the Lindor's hard drive? Any system that is not up to date
with current security patches can easily be "owned".

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input - Updated
Authored by: Anonymous on Wednesday, December 26 2007 @ 02:37 PM EST
In 15) he says he will testify to the procedures and results media sentry
obtained. How can he testify to something after the fact when he was not
involved in the process, didn't vet the process and can not certify that the
procedures outlined were even followed. In my mind unless he was actually there
supervising the work an after the fact analysis is meaningless. I would couple
this by asking if Media Sentry is ISO 9000 certified, which basically certifies
that the procedures are outlined and being followed.

In 16) he claims to be able to tell if the computer was connected via a wireless
router. Unless his analysis includes verifying the interface via which the
computer accessed the Internet he is unable to tell if that connection was
wireless. But more importantly the detail that was left out, whether there was a
wireless router connected to the Internet along with the computer. Even if the
computer is connected via hardwire there could still be a wireless router
attached to the connection.

In 20) he says the hard drive isn't the one that shared the material. This
leaves the implication that the hard drive was switched in some way. The
question to ask is when was the OS on the computer installed or the installation
date; Windows in particular records this in the registry. If it was installed
prior to the media sentry "investigation" then you have conclusive
proof that the computer in question was never used in the manner they claim.
Based on 21) that assertion appears to be true.

In 21) he is essentially implying that the external hard drive could have
contained Kazaa. Programs (like Kazaa) even if installed on an external hard
drive will have registry entries and logs of the install, even if installed on a
secondary drive as the program has to be registered with the OS. He could be
arguing it was installed on some other computer and he just ran the binary from
the hard drive. I would be asking if he examined the logs and saw any instance
of the program ever being run. Kazaa has some nasty behaviors and even if you
ran the binary from an external drive it's going to leave traces on the OS
partition.

In 26) I would be asking why he was looking at items that weren't related to the
lawsuit. In fact, based on 26) I would ask for an explicit declaration of every
single file on the computer that was opened, read or printed (including word
documents, financial records, etc). I would also ask for an explicit declaration
that outside the forensic copy NOTHING was removed, printed or copied from the
hard drive that wasn't directly related to the investigation AND required for
the investigation. I would include in that the resume that he shouldn't have
even opened. I would also ask for an explicit declaration that the original,
every copy and anything printed be returned to the defendant (returned, not
destroyed, anything to be used at trial can obviously be kept but you should
have a list of every item they want to keep for trial) now that the
investigation is concluded. I would also be asking if it's ethical to be
accessing other files, whether it's standard forensic procedure in a case like
this to be accessing word documents that contain resumes.

Touching back a bit on the issue of him "validating" the media sentry
procedures you start asking questions like if he verified that the time on the
media sentry computers was synced with the atomic clock, that Verizon's DHCP
servers were also synced with the same clock and that when they requested the
account of the person with the IP that the same time on both computers was used
with regard to not only the time as synced, but the timezone and anything else
that can throw off a request of that nature. And if he's testifying on Media
Sentry's procedures et al I would be asking for the procedure he used to
validate, the information used, whether he visited the site, spoke to any of the
people doing the illegal investigations, whether he personally validated that
the people doing the investigations were legally permitted to do so, that they
were qualified to do so and that he verified that they were in fact following a
defined set of procedures without variance. You should also get his testimony
either limited to or make sure and point out that he's verifying after the fact
and if there was an error in the procedure he wouldn't know it as all he has to
verify is what he was provided. He can say he thinks the procedure based on the
information he was provided looks good, but he can't say that was the procedure
used nor can he validate that the "screenshots" he was provided
weren't altered, nor that they are authentic. If they are going to argue that
the defendant hid material I would be arguing that there is no guarantee that
Media Sentry didn't falsify information.

Frankly I think his testimony regarding Media Sentry is hearsay as the person
testifying to those procedures etc should be someone at media sentry that was
supervising the work. Their reluctance to provide such a person should be
indicative of a potential problem on their side.

I would actually ask for a summary judgement motion at this point based on their
own expert witness saying that the computer hard drive showed no installation of
Kazaa, which is a key point their entire case is based on (the IP information is
all meaningless if they allege they used Kazaa and their own witness says it
wasn't used). Although I might get a deposition first and get him to admit that
even if it was run from an external hard drive there would have been evidence of
its being run from the main computer.

[ Reply to This | # ]
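
The clock and time-zone questions raised in the comment above, worked through as an added example (not part of the comment, the expert report, or any party's materials): it maps a logged observation time onto a DHCP lease history and shows how the assumed UTC offset and a bound on clock error change which subscriber an address is attributed to. The address (from the 203.0.113.0/24 documentation range), the subscriber labels and all lease times are constructed, and the function names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Lease:
    ip: str
    subscriber: str   # constructed label, not a real account
    start: datetime   # timezone-aware, UTC, inclusive
    end: datetime     # timezone-aware, UTC, exclusive


def utc(y, mo, d, h, mi, s=0):
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


# Constructed lease history: one dynamic address handed to three
# different subscribers over the course of a single day.
LEASES = [
    Lease("203.0.113.7", "subscriber-A", utc(2004, 8, 7, 4, 0), utc(2004, 8, 7, 10, 0)),
    Lease("203.0.113.7", "subscriber-B", utc(2004, 8, 7, 10, 0), utc(2004, 8, 7, 16, 0)),
    Lease("203.0.113.7", "subscriber-C", utc(2004, 8, 7, 16, 0), utc(2004, 8, 7, 22, 0)),
]


def attribute(ip, local_time, utc_offset_hours, max_skew=timedelta(0), leases=LEASES):
    """Map an observation onto the lease history.

    local_time        naive datetime exactly as printed in the observer's log
    utc_offset_hours  offset the log is assumed to be written in (EDT = -4)
    max_skew          bound on the combined clock error of the observer
                      and the DHCP server

    Returns (status, subscribers), where status is "unique", "ambiguous"
    or "no-lease". Every lease that overlaps the window
    [t - max_skew, t + max_skew] is a candidate.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    t = local_time.replace(tzinfo=tz).astimezone(timezone.utc)
    lo, hi = t - max_skew, t + max_skew
    candidates = sorted(
        {l.subscriber for l in leases
         if l.ip == ip and l.start <= hi and lo < l.end}
    )
    if not candidates:
        return "no-lease", candidates
    if len(candidates) == 1:
        return "unique", candidates
    return "ambiguous", candidates


def sensitivity(ip, local_time, offsets, max_skew=timedelta(0), leases=LEASES):
    """Repeat the attribution for each plausible UTC offset of the log."""
    return {off: attribute(ip, local_time, off, max_skew, leases) for off in offsets}


if __name__ == "__main__":
    ip = "203.0.113.7"
    # Same log line, read as EDT (-4), EST (-5) or UTC (0).
    logged = datetime(2004, 8, 7, 11, 30)
    for off, result in sensitivity(ip, logged, [-4, -5, 0]).items():
        print(f"offset {off:+d}h -> {result}")
    # Two minutes before a lease boundary: exact clocks give one answer,
    # a five-minute error bound gives two candidates.
    near_boundary = datetime(2004, 8, 7, 11, 58)
    print(attribute(ip, near_boundary, -4))
    print(attribute(ip, near_boundary, -4, timedelta(minutes=5)))
```

An attribution is only as good as the documented offset of each log and the measured clock error on both ends; where the window straddles a lease change, the records alone cannot pick one subscriber.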

Didn't he just exonerate Lindor?
Authored by: tinkerghost on Wednesday, December 26 2007 @ 02:46 PM EST

Initial report:

para 18:

[snip]IP address of 141.155.57.198 on 8/7/2004 @6:12:45 AM EDT[snip]

New Report:

para 21:

[snip]first connected on or before 7/8/2004[snip]

para 20:

this hard drive does not appear to be the same hard drive that was used to share copyrighted files [snip]the computer had no evidence of the KaZaA program nor was any evidence of the KaZaA program ever being installed on the computer.

OK, we have

  1. the HD in the computer has not been wiped for at least a month before the alleged filesharing incident.
  2. the RIAA's expert saying that the computer does not and has not ever had KaZaA installed on it.
  3. neither a petition by the RIAA for this external HD nor any motion to compel/motion for sanction for discovery failures.

Items 1 & 2 make it extremely unlikely that your average computer user would have done the installation. Anything that uses the MS installer - which I believe KaZaA did - will leave footprints in the registry regardless of where it is installed (primary, secondary, and removable drives are all reported).

Item 3 indicates that the RIAA doesn't care about the facts. Given that the full report should include methodology and supporting data, the RIAA has known about this drive for over a year and yet never requested it. Further, given the usage pattern described by the report, it would be unlikely in the extreme for Ms Lindor to actually own such a drive. Someone who stores very few personal files & a few emails does not use a 100GB WD external drive. Especially given the prices in 2004.

Further I find the discrepancies between para 15 & para 20 in the supplemental report to be disturbing:

  • Para 15:
    [snip]to demonstrate the Defendant's Internet account and computer were used to download and upload copyrighted music from the Internet using the KaZaA peer-to-peer network.
  • Para 20:
    [snip] this hard drive does not appear to be the same hard drive that was used to share copyrighted songs as shown by the MediaSentry materials. I will testify [snip] that the computer had no evidence of the KaZaA program nor was there any evidence of the KaZaA program ever being installed on the computer, although the MediaSentry data showed the computer connected to the defendant's Internet account was running the KaZaA program.

To my legally untrained eyes, I think he just stated that he was going to testify that Ms. Lindor's computer was definitely using KaZaA to download/upload songs while also testifying that neither the program nor the music were ever on the computer.

At best, he appears to be arguing that the defendant's ISP connection was used. His statement in para 20 says he can't tie the computer itself to the infringing act.

---
You patented WHAT?!?!?!

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input - Updated
Authored by: Maxmars on Wednesday, December 26 2007 @ 03:04 PM EST
It seems to me that this response only weakens their case.

Primarily it solidifies any existing doubts about the competency of the
testimony already rendered. This kind of 'annotated flip-flopping' belies the
strength of the 'expert' and his opinions. (yes, no, yes, - wait, 'do over!')

Also, despite the credentials he offers, he can't get his facts straight, and
seems to be 'framing' his responses to contend with unstated weakness in their
case.

I do have a legal background, but IANAL, and I am probably asking for trouble
when I state that a good logician (which hopefully the adjudicator is, or has
access to, one) will tell you that the net value of these statements is as
follows: "Based on the premise that all data given to me by the plaintiff
is true and accurate - I cannot state that there are any solid facts that match
this hard drive [image] to the offense in question." HOWEVER, he goes on
to implicate the defendant in some form of subterfuge which deprives the expert
of the evidence which OBVIOUSLY must exist since the plaintiff says so in their
report.

Sorry folks, this is weak testimony at best. Frankly, I wouldn't be surprised
if you didn't even have to address the technical inaccuracies of his 'analysis'
because his statements are not consistent with prior testimony and are revealing
of a disingenuous 'expert' witness. Also, discussions of evidence not provided
or withheld are out of place - since we're beyond discovery here. They accepted
this as the evidence. Now that they have nothing helpful to their case, they
want to turn back the clock and try again?

I am uncertain if the defense has stipulated to any of the, apparently embedded,
implications. If not, this is not a very useful tool for the prosecution.

I thought these guys were smarter than this?

[ Reply to This | # ]

Have they even identified the computer?
Authored by: Anonymous on Wednesday, December 26 2007 @ 03:11 PM EST
  • It would be a mistake to accept that they have even identified the computer that was involved in their alleged file sharing.

    The last time this came up, I spent some time researching DSLAMs (wiki). IIRC, anyone on a DSLAM can 'see' anyone else on the same DSLAM. That being the case, there is nothing to keep any subscriber from sniffing and using another subscriber's login.

    The question here would be: what kind of DSLAM was connected to the customer when the alleged file sharing took place? Could the customer's login id and password be sniffed by another customer? The knowledge of how to sniff unencrypted logins and passwords seems to be common among my students.
  • Was the computer ever in the repair shop? That would explain why there may be traces of another hard drive connected to the computer.
  • Where was the computer bought and how was the operating system installed? That might also explain the traces of another hard drive.
  • Given the above two points it would be a mistake to accept that any other hard drive was connected to the customer's computer when it was in her house.
  • Do not put blind trust in the times recorded in the file system. A computer's clock only knows what time (and date) it thinks it is. There are lots of reasons why the clock could be wrong. There are time stamps on my file system for dates that haven't happened yet. There are also time stamps for dates before the computer was built.

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input - Updated
Authored by: Anonymous on Wednesday, December 26 2007 @ 03:12 PM EST
8) I hold two patents in the area of computer network security ...
Two patents are in my opinion a rather low number for a professor. I, a garden-variety engineer, hold more. Professors at my Uni would have been ashamed to hold only two.
10) One of my grade students, under my supervision and guidance, developed a system that monitors peer-to-peer networks and other forms of file-sharing for child-pornography.
In other words, the Doctor never developed such a monitoring system by himself. He knows about monitoring file-sharing networks from the work of one of his students. That work was not in any way a professional system, but in the pure sense of the wording, just student work.

Those who have graduated know very well what "under my supervision and guidance" can mean in academics. In the worst sense it means I allowed the student to put my name on the title page, behind the "Supervisor" label and didn't care otherwise. Usually it just means that the student came up with a question from time to time, and that the professor told him to look up things in the scientific literature. The scientific way of RTFM.

Further notice that this is the only project mentioned with a relation to file-sharing. Breathing up a student's neck doesn't make one an expert in a particular issue in my book.

And note the mentioning of child-pornography. For me that smells like an attempt to link the issue currently in front of the court to child-pornography, and paint the defendants in a shady light. Is an expert witness allowed to do this? Does this demonstrate a form of bias?

17) I will testify based on the forensics examination that the computer had three usernames of interest that were named Kathleen, Woody, and Yanick.
(emphasis mine)

So the doctor had made some decision and decided on his own what constitutes an interesting and what doesn't constitute an interesting username. Sounds like it might be a good idea to ask for all usernames he found, and why he just picked the three, and didn't provide complete information. Hint: Self-fulfilling prophecy.

Further, the doctor is not clear on the difference between a username and a user's account. A username is just that, a name a user might have given to an account. The statement "usernames ... that were named" doesn't make sense. Not only in the grammatical sense, but also in a technical sense. Such a statement shouldn't come from an expert.

18) I will testify that I found very few user created files and saved emails on the hard I was provided to by the defendant.
How did the doctor figure out if a file was user-created or not? And if a file was not user-created, how was it created? And what constitutes a user-created file? If a user uses an application and if that application happens to create a file in the background, does that file count as a user-created file or not? How many indirections / intermediate levels between a user action and a file creation are allowed to still call a file user-created?

In short, the doctor introduces a criterion (user-created) which looks simple on the surface, but is difficult in detail. And there is no real way to always decide if a file was user-created.

And again I have the feeling the doctor is biased, trying hard to indicate that the defendant(s) somehow managed to replace the hard disk with the alleged evidence with an almost empty one, fooling the poor doctor.

19) I will testify that based on the data recovered from the hard drive provided by the defendant that the users Woody, Kathleen, and Yanick accessed the Internet using the computer.
If he testifies this, then it would be a lie in my book. He can't testify that the users Woody, Kathleen, and Yanick did this, since the users are the physical persons. Unless he found human DNA on a "connect to the Internet" button, he can't know what the persons did. All he might know is that Internet connections were initiated from the user accounts named Woody, Kathleen, and Yanick. That distinction is important, since an account name is not necessarily related to a person with a similar name. I could create an account "Paris Hilton" on my PC, but that wouldn't make me Paris Hilton (thanks $DEITY).

BTW: Many people don't use uppercase letters in usernames. Could it be that the doctor messed a little bit with the account name spelling, to create a closer association with persons holding similar names?

20) I will testify that based on the data recovered from the hard drive that this hard drive does not appear to be the same hard drive that was used to share copyrighted songs as shown by the MediaSentry materials. I will testify based on the forensics examination of the hard drive that was copied from the computer owned by the defendant that the computer had no evidence of the KaZaA program nor was there any evidence of the KaZaA program ever being installed on the computer, although the MediaSentry data showed the computer connected to the defendant's Internet account was running the KaZaA program.
(emphasis by me)

Surely an expert should be able to tell if it is the same drive, or not. "appears to be" is too vague for my taste. Is it, or isn't it?

To summarize, from this sample of the doctor's work, I would regard him as sloppy at best, and incompetent at worst. But I have no idea of how to tell this to a judge in the nicest possible way.

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input - Updated
Authored by: Cyrock on Wednesday, December 26 2007 @ 03:22 PM EST
5. Based upon my review of the foregoing materials, as well as on my education and experience, it is my opinion and belief that defendant's computer had a public Internet Protocol ("IP") address and was not connected to the Internet via a wireless router. I base this on the data mentioned above, as well as on the registry entries recovered from the computer and the fact that there was no internal IP address here,
Public IP Address, Static IP or DHCP?
This means that the DSL modem, router or wireless router was in bridge mode. Any computer, desktop or laptop, connecting to it would get a public IP address.

Can you get the MAC address from Verizon? That is the only way to know for sure which computer accessed the internet, otherwise it’s just a guess.
6. In addition, it is my opinion and belief, based on my education and experience and on the data recovered from the hard drive that I reviewed, that this hard drive was not the same hard drive that was used to share copyrighted sound recordings as shown by the MediaSentry materials.

This is a correct statement

Did the hard drive contain data and info from before the MediaSentry investigation that showed normal use? Mr Jacobson believes that a different hard drive with operating system was installed and that the current hard drive replaced it after the law suit started.

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input - Updated
Authored by: Anonymous on Wednesday, December 26 2007 @ 03:49 PM EST
1) Why wasn't the reference to an external hard drive brought up before? Now, a year later, who can say what might have been on it? How did he find it, and why didn't he find it before? This loss of a year is almost certainly going to be highly prejudicial to seeing that hard drive.


2) The registry would have contained evidence of Kazaa had it ever been installed, from an external hard drive or not. He finds evidence that several people have used the machine, and doesn't think it's significant. He STILL says Kazaa wasn't there, then blithely ignores his own statement and continues on. That's what this is ABOUT, is Kazaa. They say she downloaded things off Kazaa. Or are they alleging she used some unspecified 'file sharing software'? What program SPECIFICALLY are they alleging she used, if it's NOT Kazaa then why are they talking about Kazaa, and if it IS Kazaa then why didn't they find it?


The only way to have no footprints at all on the computer, and yet have Kazaa installed, would be to *install windows* on the external USB hard drive -- then boot off that device to use Kazaa. But this is inconsistent with using the existing Windows installation to access the hard drive (the Windows on the computer was used to play music from this external drive).

The files were stored on the external hard drive in a location commonly set up during a Windows OS installation. This does lend some support to the idea that Windows might have been installed on it, but see here: http://blogs.msdn.com/oldnewthing/archive/2004/04/15/113811.aspx -- it is (or, at the time, was) IMPOSSIBLE to install Windows to a USB device. (The article says all USB devices on a machine briefly become unavailable when plugging in/removing any of them, and this could cause Windows to crash).

It appears that there is simply no way that Kazaa was on this machine. Given that this is the root of their whole case, everything else concerning who used the machine and what for, would appear to me to be irrelevant (and thus inadmissible) -- but you're the attorneys here :)


3) This machine was not running Vista at the time. All other versions of Windows either a) don't even have the concept of privilege levels (98 and prior) or b) almost always were operated by all users having administrator access. It requires large amounts of effort to get most programs to run, and often they won't even install properly, if the user is not an administrator.

This is important, because he appears to be insinuating that Woody (the user using the external hard drive) was the owner of the machine. This is not at all the case.


4) How does he know what's going on at MediaSentry? Didn't he say earlier he didn't? If he's been brought up to speed after the fact, then isn't that hearsay? He would simply have to take on faith what was going on *before* he saw what they were doing. One of your best defenses is going to be that either MediaSentry or the ISP made a mistake. How can he possibly testify as to the likelihood MediaSentry made a mistake, if he wasn't there when it was happening?


5) There are three user accounts on that machine that accessed the Internet. Even though none of them accessed Kazaa, ignore this for a second -- that's 3 separate individuals who could have done this. Unless more than one account tracked back to the same person. Same for the number of email addresses "associated with users on the computer". Have they been investigated? Why was Ms. Lindor, and not one of these users, sued? And what about Gustav Lindor, Jr.? Which one of those three users was he? Does it matter where he was working, or was that put in there just to humiliate Mr. Gustav?


6) He appears to be attempting to imply that this computer is not the one that was used to access Kazaa -- that either they swapped out the hard drive or the computer, in an attempt to destroy the evidence. To try to imply this he is saying the machine was barely used -- that is, the swap was done specifically to fool the investigator. But this machine WAS used, it had multiple user accounts and was used to access multiple Yahoo! accounts on the web. Also, if this were true then one might expect to find traces in the registry that the computer hadn't been used at all before a recent time. Such were not mentioned.

[ Reply to This | # ]

Sanctions against Gabriel?
Authored by: jmc on Wednesday, December 26 2007 @ 04:02 PM EST
This Gabriel guy is clearly no archangel.

Whether or not he'd sell his own grandmother isn't clear but he's clearly sold a
good few other people's.

I know we're in the habit of asking this for BS&F but I hope this particular
sleazeball eventually gets his comeuppance.

[ Reply to This | # ]

Another sloppy definition: Unallocated Space
Authored by: Anonymous on Wednesday, December 26 2007 @ 04:03 PM EST
Unallocated Space -- When files are deleted from media, references to them are removed, but the actual data may still exist on the media. Unallocated space is the term used to describe any part on the media where a file may have existed. Since unallocated space is eventually overwritten, the usage of the computer dictates how long a deleted file will exist here.

This is nonsense. The term is used for space which is unallocated. It may have been allocated in the past, or it may not. Only in the former case a file may have existed there. Or something else, like a directory, a hash table, block allocation map, or whatever else a filesystem may store on a disk.

Getting such a definition wrong while it was trivial to get it right gives me a bad impression of his competence.

[ Reply to This | # ]

Can not find certification?
Authored by: Anonymous on Wednesday, December 26 2007 @ 04:16 PM EST
I've never heard of a "Certified Forensics Computer Engineer".

So, I spent quite a bit of time searching the web and technical libraries, and I
can not find a single organization that offers certification in Forensics
Computer Engineer.

I can find considerable information on Certified Computer Examiner, by the
International Society Of Forensic Computer Examiners, unfortunately, Dr. Doug
Jacobson, is not listed as a certified individual.

I can find the International Association of Computer Investigative Specialists,
which offers a Certified Forensic Computer Examiner and a Certified Electronic
Evidence Collection Specialist certifications, and according to the office Dr.
Doug Jacobson is not a member or certified by them.

My first question is from whom and how was Dr. Doug Jacobson certified as a
Certified Forensics Computer Engineer?


[ Reply to This | # ]

Two items at odds
Authored by: GLJason on Wednesday, December 26 2007 @ 04:19 PM EST
20) I will testify that bassed on the data recovered from the hard drive that this hard drive does not appear to be the same hard drive that was used to share copyrighted songs as shown by the MediaSentry materials. I will testify based on the forensics examination of the hard drive that was copied from the computer owned by the defendant that the computer had no evidence of the KaZaA program nor was there any evidence of the KaZaA program ever being installed on the computer, although the MediaSentry data showed the computer connected to the defendant's Internet account was running the KaZaA program.

15) I will testify to the procedures used and results obtained by MediaSentry coupled with the information supplied by Defendant's ISP to demonstrate the Defendant's Internet account and computer were used to download and upload copyrighted music from the Internet using the KaZaA peer-to-peer network.

So the hard drive shows that KaZaA was never installed, yet he is willing to testify under oath that the particular computer was used to share music using KaZaA? ANY independent analysis of this data comes to the logical conclusion that this computer was NOT used to access KaZaA. This is akin to a police officer saying a defendant committed the hit and run because an informant said he saw the car do it and pull into her driveway. There are no marks on her car, in fact an examination of her car reveals it hasn't been driven in years. Yet the officer is testifying that her car did it and she was driving at the time all because a third party says they saw the car that did it pull into her driveway and he can't even describe the car.

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input - Updated
Authored by: Anonymous on Wednesday, December 26 2007 @ 04:21 PM EST
MAC address cloning, anyone? I haven't seen anyone bring this up yet, so apologies if someone did and I missed it.

One of the features of any good wireless router is the ability to set its MAC address. A number of Linksys products, which I use, have this feature. Technical investigation could compile a list of routers (wireless or not) available on or before 2004 which had this feature.

The Media Access Control (MAC) address is the 48-bit (12 hexadecimal digit) hardware address. MAC addresses are supposed to be unique among every Ethernet (including wireless Ethernet) device, and wireless routers are shipped with a unique address.

A theory of the alleged crime

Assuming that the IP address logs are correct, the following may have taken place:

  1. Someone obtained a router capable of changing its MAC address.
  2. That same or some other person observed defendant's computer's primary Ethernet interface's MAC address. This can be done with the command 'ipconfig /all' and would leave no discernable trace on the system.
  3. The person in possession of the router configured it to use defendant's computer's primary Ethernet interface's MAC address.
  4. The person in possession of the router attached it to the defendant's ISP at a time when defendant's computer was not connected to the ISP. This connection may have been made at defendant's residence or anywhere else on the ISP's local network, provided that the request was automatically forwarded to the same DHCP servers which served defendant's residence.
  5. The router then asked for a DHCP address from the ISP's DHCP servers. The router used the same MAC address as the defendant's computer, and so the DHCP server was unable to distinguish between the two devices (Router and computer) using the same MAC address. If the defendant's computer had recently held an IP address, the IP address would have been issued to the router. In any case, the IP address assignment would have been logged by the MAC address of the requesting device--again, indistinguishable.
  6. The computer which had access to and shared unlicensed copyrighted files was connected to the Internet via this router--perhaps directly by Ethernet cable, perhaps wirelessly, perhaps with the knowledge and consent of defendant, perhaps without.

Unlikely, perhaps, but far from impossible. I've done this myself on a network that used MAC address restrictions.

[ Reply to This | # ]
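
The point made in the comment above, seen from the log-review side, as an added example that is not part of the original comment: a lease log keyed on MAC address alone merges the two devices, while a log that also keeps client-supplied DHCP options can separate them. The log format, field names and every sample line are constructed for illustration; an ISP's real logs may not record these options at all.

```python
"""Flag MAC addresses that show more than one DHCP client fingerprint."""
import shlex
from collections import defaultdict

# Constructed sample log (format and values are assumptions for illustration):
# timestamp, message type, then key=value fields. host = option 12,
# vendor = option 60 (vendor class), prl = option 55 (parameter request list).
SAMPLE_LOG = '''\
2004-08-01T09:12:03 DHCPACK mac=02:00:5e:10:20:30 ip=203.0.113.57 host=FAMILY-PC vendor="MSFT 5.0" prl=1,15,3,6,44,46,47,31,33,249,43
2004-08-01T21:12:05 DHCPACK mac=02:00:5e:10:20:30 ip=203.0.113.57 host=FAMILY-PC vendor="MSFT 5.0" prl=1,15,3,6,44,46,47,31,33,249,43
2004-08-03T02:40:11 DHCPACK mac=02:00:5E:10:20:30 ip=203.0.113.57 host=gateway vendor="udhcp 0.9.8" prl=1,3,6,12,15,28
2004-08-03T02:55:00 DHCPACK mac=02:00:5e:aa:bb:cc ip=203.0.113.90 host=DEN vendor="MSFT 5.0" prl=1,15,3,6,44,46,47,31,33,249,43
2004-08-04T08:30:41 DHCPACK mac=02:00:5e:10:20:30 ip=203.0.113.57 host=FAMILY-PC vendor="MSFT 5.0" prl=1,15,3,6,44,46,47,31,33,249,43
'''


def parse_log(text):
    """Turn each log line into a dict; MAC addresses are lower-cased."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, msg_type, *pairs = shlex.split(line)  # shlex keeps "MSFT 5.0" together
        rec = dict(pair.split("=", 1) for pair in pairs)
        rec.update(ts=ts, type=msg_type, mac=rec["mac"].lower())
        records.append(rec)
    return records


def mac_only_view(records):
    """What a log keyed on MAC alone preserves: distinct (mac, ip) pairs."""
    return {(r["mac"], r["ip"]) for r in records if r["type"] == "DHCPACK"}


def fingerprint(rec):
    """Client-supplied values that differ between DHCP client implementations."""
    return (rec.get("host", ""), rec.get("vendor", ""), rec.get("prl", ""))


def find_shared_macs(records):
    """Return {mac: {fingerprint: summary}} for MACs seen with >1 fingerprint."""
    seen = defaultdict(dict)
    for rec in records:
        if rec["type"] != "DHCPACK":
            continue
        entry = seen[rec["mac"]].setdefault(
            fingerprint(rec), {"first": rec["ts"], "last": rec["ts"], "ips": set()}
        )
        # ISO 8601 timestamps in one time zone sort correctly as strings.
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
        entry["ips"].add(rec["ip"])
    return {mac: fps for mac, fps in seen.items() if len(fps) > 1}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("MAC-only view:", sorted(mac_only_view(records)))
    for mac, fps in find_shared_macs(records).items():
        print(f"{mac}: {len(fps)} distinct client fingerprints")
        for (host, vendor, prl), info in fps.items():
            print(f"  host={host!r} vendor={vendor!r} prl={prl}")
            print(f"    {info['first']} .. {info['last']}  ips={sorted(info['ips'])}")
```

A second fingerprint under one MAC is a lead, not proof of cloning: a reinstalled operating system or a dual-boot machine changes the fingerprint as well.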

Pick Your Brain Time - A Lawyer Requests Your Input - Updated
Authored by: NilsR on Wednesday, December 26 2007 @ 04:23 PM EST

22) The user Woody used Windows MediaPlayer to access songs and other files from a directory: (F:hDocuments and SettingsYanickMy Documentsdownloadyayahq) located on the external hard drive.

The user account "Woody" was used to access songs and other files from F:\Documents and Settings\Yanick\My Documents\download\yayahq ?

But isn't this folder only normally accessible from the "Yanick" account? Is this why he makes a number out of "Woody" being an administrator (account)? So that a person logged into the "Woody" account would have the rights to access folders of other accounts?

I'm also wondering about what he means by Windows MediaPlayer accessing "other files"? Just something trivial like videos? Or what?

I was curious about the "yayahq", so I googled it. I found this discussion that goes into much more details. For example:

By default, Windows XP attempts to isolate user files, so user A of a computer cannot access user B's files that are stored in the "Documents and Settings" folder. This is true even if the users are "Administrators." Generally, when new users are created on an XP system, they are by default given "administrator" rights.
So when Dr. Jacobson states that Woody was an "administrator," he is trying to imply that the user had full rights to access every file on the system, but that is not necessarily true. This can be verified by taking a newly set up XP system, creating one user, then creating another user and attempting to access her files in the "Documents and Settings" files - you'll get an "access denied" message even though the users are both administrators.

---
NilsR

[ Reply to This | # ]

Public IP does not rule out wireless
Authored by: Anonymous on Wednesday, December 26 2007 @ 04:37 PM EST
It is perfectly possible to set up a wireless router which distributes its own
external public IP address as one of the internal addresses. As such, he is
inaccurate in stating that the public address proves a direct connection.

There are a number of mechanisms for this. A) set up the router as a
transparent bridge B) use proxy ARP on the router and internal private IP
addresses (NATing multiple systems) C) clever stuff with ettercap.

Most of these would leave other traces (e.g. in B the DHCP server address would
be different from the address of the provider's DHCP server).

It's a strange argument to me. The devices present in the system and which ones
were active should be simply present in the system logs. If there was no
wireless device (this can be told from the MAC address of the device being used
if nothing else) then a wireless router wasn't used. If there was a wireless
device and it was active then it was used. Would a Windows expert like to
comment on the information present in the Windows event log?

[ Reply to This | # ]

Source Code?
Authored by: GLJason on Wednesday, December 26 2007 @ 04:39 PM EST

I think they should demand the source code for the MediaSentry programs. This is an application that we have no idea of how it works internally. This expert doesn't even know, he just gets the log files and interprets them according to how MediaSentry tells him to. A DUI case in Florida was thrown out because the breathalyser company wouldn't give up their source code. The defense should have the opportunity to determine themselves whether the application works correctly and whether it was used correctly. The only thing they have I think are snippets of log files. Applications can have bugs, you can't just assume that they produce accurate data. Things like IP addresses are stored as data in a program, it can be easy to get these out of sync for instance so that one piece of data is correlated incorrectly with an IP address at a different position in the list. This is just an example, the applications really need to be looked at by the defense to make sure there aren't errors that could cause misidentification. They should also look into whether MediaSentry is licensed to do investigations in her state.

They should also ask for the detailed ISP logs at that time. It is easy for ISPs to misidentify which account has which IP at a certain time. I can't remember the case, but there was one suit brought by the RIAA where the individual identified didn't even use that ISP any more when the file sharing occurred, the ISP had given them the wrong name for that IP and time.

[ Reply to This | # ]

  • Source Code? - Authored by: Anonymous on Friday, December 28 2007 @ 12:47 PM EST

The Users...
Authored by: sproggit on Wednesday, December 26 2007 @ 04:40 PM EST
Sorry if this is a trivial point.

One of the statements in the second report reads as follows:

17) I will testify based on the forensics examination that the computer had three usernames of interest that were named Kathleen, Woody, and Yanick.

Within the statements that PJ has posted so far, it seems as though this expert witness is making a series of circumstantial assumptions about the ownership and use of the computer system.

If this machine is running a version of the Windows Operating System [such as Windows XP] then it is quite possible for it to have been set up with multiple user accounts that appear for selection at boot time.

What is *not* a given is simply that just because a machine contains three defined users, that those accounts are all password-protected with passwords known only to the defendants. So in other words, this is just circumstantial evidence.

We don't know the exact circumstances of the property or the machine in question [ and I don't suppose the RIAA did either] but it seems to me that just because a family machine is shared by 3 members of the same family, it does not mean that other users cannot access it...

For example... If the machine *was* running Windows XP, then it is relatively easy for anyone known to the accused, and who had access to the machine, to walk up to it with a portable USB-connected hard drive and make a connection for the purpose of retrieving downloaded content.

Similarly, if the regular users of the machine are not technically "savvy", it's possible that the machine could have been running a peer-to-peer client set up by A.N.Other without their knowledge or consent.

Just out of curiosity, do we have any kind of idea what the accepted standard of evidence would have to be in a case like this? Is it enough for the RIAA to prove that the machine contained MP3 content, a peer-to-peer client and was also owned and used by the 3 who stand accused?

[ Reply to This | # ]

Item 23 in supplement.
Authored by: proceng on Wednesday, December 26 2007 @ 04:44 PM EST
23) I will testify that based on the data recovered from the hard drive that the user Woody was administer of the computer.
Notwithstanding that Dr. Jacobson seems unable to spell (s/adminster/administrator/), any and all users on your standard WinXP machine are administrators.
Again, for him not to know this makes all other conclusions that he draws suspect

---
And ye shall know the truth, and the truth shall make you free. John 8:32 (King James Version)

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input - Updated
Authored by: Anonymous on Wednesday, December 26 2007 @ 04:44 PM EST
A few arguments I'd make.

(1) The *only* evidence that the user's computer ran kazaa comes from
"MediaSentry" and nowhere else. A forensic analysis of the user's
computer shows no such program was run.

The expert is ASSUMING that this is a different hard disk because it has so
little data on it, but also mentions that there was an external hard disk used.
It may be worth while to point out that it appears that this is a shared
computer and it may make sense that there are fewer files on it.

He does not mention the "install" date of the system nor does he
mention the date the user accounts were created. If this is, in fact, NOT the
real hard disk, but some mock up for discovery, there should be enough evidence
in the form of lack of use. Windows machines tend to build up a lot of cruft
over time, it should be easy to show that the computer was used by looking at
the dates of files like .DLLs and ActiveX components that get added to the
system as it is used.

If you can show that the system was regularly used, you can argue that their own
expert says that the system does not and has not had Kazaa installed, so that
their own expert is basically saying that this computer is not the one they are
looking for.


(2) While he testifies that it is "not difficult to determine whether a
computer was connected to the Internet via a wireless router." I would make
him twist a bit because it is possible to use a WAP (Wireless Access Point) to
connect to a wireless router/network through normal wired Ethernet connections
and the OS would have no idea that it was happening, thus making it difficult or
impossible for forensics to detect. This also harms credibility of the expert,
showing that he is jumping to conclusions by ignoring some obvious problems with
his forensics.

Asking a question like "Wouldn't using WAP make it very difficult to detect
whether a computer was connected to the internet via a wireless router?"
The answer must be "yes" because the computer just thinks it's using
its ethernet adapter. I use a WAP to go between a desktop and my wireless
because the desktop didn't have a wireless ethernet card and the WAPs tend to
have a better range.

(3) His statement: "this hard drive was not the same hard drive that was
used to share copyrighted sound recordings as shown by the MediaSentry
materials."

Requires that the case be dropped unless they can prove that the hard disk is a
fake. It calls into question the veracity of the MediaSentry materials.

Seriously, I think this testimony could be used to clear the defendant. It
disproves their evidence. Instead, they now have to prove that the hard disk is
a fake.

[ Reply to This | # ]

Was the computer acting AS a router?
Authored by: Eeyore on Wednesday, December 26 2007 @ 04:51 PM EST
Windows XP (which I think we are talking about) has the capability to share an
Internet connection with other computers.

If the computer in question was configured to share a connection (via a wireless
card or otherwise), then anyone that could connect to that computer could have
accessed the Internet (yes, they could even use Kazaa and NOT have it installed
on this computer) and it would have been logged as coming from this computer.

Unknown computer(s) -> This Computer -> ISP

I believe this can be configured using a Windows Wizard.

[ Reply to This | # ]

Hiding of / destruction of evidence in criminal cases
Authored by: Anonymous on Wednesday, December 26 2007 @ 04:55 PM EST
The testimony states that a WD 100GB drive was connected. This is interesting.
Almost certainly this was logged by the OS into the internal event log. I think
that that has to be explained away completely. Some ideas:

a) the hard drive could be provided (but why not earlier?)
b) these disk use records could have been added maliciously;
b.1) malware running on the computer - very unlikely; has never been observed
b.2) someone during forensics examination - this depends on bad procedures. An
initial copy of the hard disk should have been taken and the original left
unaltered as verifiable evidence
c) the disk was added by someone else unknown
c.1) someone who was sharing an account or using a system account

Since computer log records are remarkably easy to change the level of evidence
here is very difficult to compare to normal written records. Probably these
will be treated as evidence of destruction of evidence and yet the lack of these
records could just be explained by the disk being put in read only mode during a
boot.

From this we learn that we really have to be in control of what our computer is
recording about us, and yet that's almost impossible for anybody but the most
expert.

[ Reply to This | # ]

Peculiar wording.
Authored by: kh on Wednesday, December 26 2007 @ 05:09 PM EST
5. Based upon my review of the foregoing materials, as well as on my education and experience, it is my opinion and belief that defendant's computer had a public Internet Protocol ("IP") address and was not connected to the Internet via a wireless router. I base this on the data mentioned above, as well as on the registry entries recovered from the computer and the fact that there was no internal IP address here. Based on how IP addresses are assigned, it is not difficult to determine whether a computer was connected to the Internet via a wireless router. This computer was not.
It's hard to understand what this paragraph really means.

If they have ISP logs then presumably they know what IP the ISP had assigned to the *user*. So why say "a public IP address"? The computer had *the* public address assigned or it didn't. If it didn't then there was probably a router involved. I don't see the relevance of saying "wireless router". There are various kinds of routers, these days some are wireless. How is this important? Did the computer have wireless? It's not addressed.

What does "no internal address here" mean? It would seem to me that a computer connecting via dhcp would not have a hard coded IP address. Whether the DHCP server came from the ISP or a home router would be hard to determine. Either kind would not have to assign IP addresses in the private ranges. He doesn't say that a public or fixed IP address was present? Why not?

If the ISP modem was a USB modem then there should be cable or ADSL modem software installed. He doesn't mention this.

[ Reply to This | # ]
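
The comment above and the earlier "Public IP does not rule out wireless" comment both ask what a recovered address can actually establish; this is an added example, not part of either comment, that spells out the inference. The value names follow the Windows TCP/IP interface registry values (EnableDHCP, DhcpIPAddress, DhcpServer, IPAddress); the simplified record layout, the ISP server list and all addresses are constructed assumptions.

```python
"""What recovered DHCP parameters do, and do not, say about the path to the ISP."""
import ipaddress

# RFC 1918 ranges are listed explicitly: ipaddress.is_private would also count
# the documentation ranges used for the constructed "public" addresses below.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # self-assigned, no lease

NOTES = {
    "nat": "Private address: a NAT device sat between this host and the ISP. "
           "The record does not say whether that device was wired or wireless.",
    "isp-lease": "Public address leased by the ISP's own DHCP server: consistent "
                 "with a direct modem connection and equally with a bridge-mode "
                 "modem, router or access point, wired or wireless.",
    "other-dhcp-server": "Public address, but the lease came from a server that "
                         "is not the ISP's: some local device answered DHCP.",
    "static-public": "Statically configured public address: no lease data to examine.",
    "no-lease": "No usable address recorded for this interface.",
}


def scope(addr):
    """Classify one IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified or ip.is_loopback or ip.is_multicast:
        return "none"
    if ip in LINK_LOCAL:
        return "link-local"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"


def assess(rec, isp_dhcp_servers):
    """Return (verdict, note) for one recovered interface record."""
    dhcp = bool(rec.get("EnableDHCP"))
    host_scope = scope(rec["DhcpIPAddress"] if dhcp else rec["IPAddress"])
    if host_scope == "private":
        verdict = "nat"
    elif host_scope != "public":
        verdict = "no-lease"
    elif not dhcp:
        verdict = "static-public"
    elif rec.get("DhcpServer") in isp_dhcp_servers:
        verdict = "isp-lease"
    else:
        verdict = "other-dhcp-server"
    return verdict, NOTES[verdict]


# Assumption: the ISP has disclosed which DHCP servers serve the subscriber.
ISP_DHCP_SERVERS = {"198.51.100.1"}

# Constructed interface records, one per case discussed in the thread.
SAMPLE_INTERFACES = [
    {"name": "A", "EnableDHCP": 1, "DhcpIPAddress": "203.0.113.57", "DhcpServer": "198.51.100.1"},
    {"name": "B", "EnableDHCP": 1, "DhcpIPAddress": "192.168.1.100", "DhcpServer": "192.168.1.1"},
    {"name": "C", "EnableDHCP": 1, "DhcpIPAddress": "203.0.113.57", "DhcpServer": "192.168.1.1"},
    {"name": "D", "EnableDHCP": 1, "DhcpIPAddress": "0.0.0.0"},
    {"name": "E", "EnableDHCP": 0, "IPAddress": "203.0.113.60"},
]

if __name__ == "__main__":
    for rec in SAMPLE_INTERFACES:
        verdict, note = assess(rec, ISP_DHCP_SERVERS)
        print(f"{rec['name']}: {verdict}\n   {note}")
```

None of the five verdicts names the physical medium, which is the gap both comments point at.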

Several Items of Concern
Authored by: proceng on Wednesday, December 26 2007 @ 05:18 PM EST
Several things give me pause about accepting this gentleman as a "Subject Matter Expert"-

In several places, he uses the phrase "I will testify that X is true" - for example

17) I will testify that based on the data recovered from the hard drive that this hard drive does not appear to be the same hard drive that was used to share copyrighted songs as shown by the MediaSentry materials.
This should be "I will testify that in my opinion based on the data..."

The so-called SME also stated:

For example, a forensic inspection would allow one to see, among other things, whether a file-sharing program was downloaded or installed and whether there is a share folder.
No forensic inspection would allow, with certainty, a determination as to whether a file of any type was simply downloaded, nor is this of any legal interest (apart from if ibiblio.orgography was actually found on the drive.

18) I will testify that I found very few user created files and saved emails on the hard I was provided to by the defendant.
Why, exactly is this of any significance?

26) I will testify that the computer contained the resume of Gustave Lindor, Jr. and that the document indicates he was living and working in Brooklyn N.Y. and working at Long John Silver's during the dates that the copyrighted music was being shared.
Since the suit is against Marie Lindor, what gave the SME the legal right to inspect a stored document that obviously did not belong to her?

24) I will testify that based on the data recovered from the hard drive provided by the defendant that several email addresses were associated with users on the computer including:
Were any of these email accounts traced to the defendant? If not, what is the significance?

25) I will testify that based on the data recovered from the hard drive provided by the defendant that the yahoo account jeanlindor was accessed using the computer.
See last paragraph.

22) The user Woody used Windows MediaPlayer to access songs and other files from a directory: (F:hDocuments and SettingsYanickMy Documentsdownloadyayahq) located on the external hard drive.
Since when is this evidence of illegal file sharing? If it is, Microsoft should have been added to this suit, since this is the sole purpose of Media Player.

20 (in supplemental):

I will testify based on the forensics examination of the hard drive that was copied from the computer owned by the defendant that the computer had no evidence of the KaZaA program nor was there any evidence of the KaZaA program ever being installed on the computer, although the MediaSentry data showed the computer connected to the defendant's Internet account was running the KaZaA program.
(emphasis added)
Your Honor, I/we move to dismiss WITH prejudice, as the plaintiff's Subject Matter Expert has just stated that there is no way that this computer, as identified by Media Sentry, could have been used to share files illegally or otherwise. In addition, I/we request all attorneys fees to be paid by plaintiff, as well as sanctions levied for malicious prosecution

---
And ye shall know the truth, and the truth shall make you free. John 8:32 (King James Version)

[ Reply to This | # ]

Am I missing something here?
Authored by: tiger99 on Wednesday, December 26 2007 @ 05:21 PM EST
I am puzzled. This is about an alleged forensic report by an alleged expert, which was thoroughly discredited here on Groklaw, by a number of obvious networking experts, some time ago. So now he has produced a supplemental report, to try to explain away all his previous errors and omissions.

His original report was so poor that he ought to have had his contract with the local police terminated, amongst other things, because an "expert" who manifestly is not is simply a liability in any criminal trial (just as Marc Rochkind was to SCO, albeit not in a criminal trial). But I can't see that there is any new evidence here. All the logs were available first time around.

I think many of us will agree that the RIAA are racketeering, and have been for some time (am I mistaken in thinking that a court said as much recently?), and this smells very bad indeed. Their "expert", regardless of whatever fee he has been paid, now has a very strong vested interest in preserving his own reputation, so his analysis cannot be truly objective, and trustworthy. Had they been honest, they would have employed a second, independent expert.

But is there any actual, genuine evidence that connects the probably innocent victim to the alleged offence? It all seems totally circumstantial to me, which is why I wonder what I have missed.

It seems to me that the RIAA will be throwing people into the nearest body of deep water soon, if they float they are guilty of copyright theft and must be stoned/hanged/crucified/burned at the stake..... If they drown, they are innocent.

We abolished that in the UK some time ago, but it seems to be making a comeback in the US.

Oh, and by the way, how does the expenditure on lawyers and court fees so far compare to the value of the alleged theft, and the likely prospect of recovering damages? Sensible people do not pursue legal actions which will not be cost-effective. In many places even the police take that view for criminal offences, because the cost is often far too great to justify the possible result.

[ Reply to This | # ]

  • Yes - possibly - Authored by: Anonymous on Wednesday, December 26 2007 @ 05:30 PM EST

What's missing from the declaration?
Authored by: whoever57 on Wednesday, December 26 2007 @ 05:31 PM EST
It is often interesting to see what might be missing from the declaration.

One item that I can clearly see is that he does not state that there is a lack
of user data with timestamps that pre-date the Media Sentry investigation. While
it is possible to fake this data, I think that it would be difficult to fake it
in a manner that would be undetectable.

What else does he not say?

[ Reply to This | # ]

Observations
Authored by: Anonymous on Wednesday, December 26 2007 @ 05:32 PM EST
I'd like to make a few observations on the testimony and on some of the other
comments. I'll first make a few observations on some comments that I think won't
fly in a court of law:

1) "owned". While it is obviously possible to "own" a
computer and run whatever program on it, I seriously doubt it is possible to
"own" a computer and run Kazaa on it (this would have left signs in
the registry and, as far as I understand Windows model, also on the screen). It
is theoretically possible to "own" a computer and run some software
that emulates Kazaa, but it's quite a feat and I do not think the international
organisations that profit from botnets want to spend a lot of time on creating a
headless Kazaa-compatible software.

2) "friend used it". As far as I understand the alleged sharings are
not isolated. If the alleged sharings are indeed frequent, I think it'll be
difficult to use a "a friend did it" defense.

3) "shared connection". While this is theoretically possible, it's not
a very good defense ("who did you allow to share your connection ?"
will be the next question)

4) "h" in the name on the USB disk. There are backslashes missing in
the text: in F: there is a directory h that contains "Documents and
Settings", etc (see pdf). We cannot know how the external drive was
formatted (FAT or NTFS), so it's difficult to say that the files were protected for
a different user.

Better part: where the deposition is lacking (a lot)

5) "wireless router". As observed many times above, it's probably easy
to detect whether the computer was connected to the internet using a
connection-sharing router (even though we are still waiting to know how he would
know it) but it's very difficult to tell a wired from a wireless router. It
might be possible in some cases, but I wouldn't bet my life on it !

6) "USB hard disk connected to hard disk". It's obviously impossible.
This discredits the expert.

7) Coherency: he says:
- the IP address given by MediaSentry was the one stored on this hard-disk
- Kazaa software was not installed
- this hard disk was not the one (of the computer) used for file-sharing.
As observed by someone before me, this is a big help to the defense. If this
hard-disk was the hard-disk of the computer that got the IP address and has no
sign of Kazaa installed, then:
* either the computer is not the correct one (and first point fails);
* MediaSentry data is unreliable (and first point fails, but in addition
defendants are probably entitled to big check from the RIAA and MediaSentry);
* or the defendants are innocent.

8) Point 15) leaves a lot open: it might be possible to show that the user
account has been used to transfer copyrighted files (but it's VERY difficult
and, as far as I know, the defendants have not yet been able to see any evidence
in that direction). To show that the "computer" has been used is next
to impossible (mainly because of the above point: either the evidence goes all
the same way and the jury could decide to convict the defendants -- or, as here,
it does not and it's difficult to convict).

I'd say that the weakest point of the "expert" is that he does not
look very expert in this field. The points 5) and 6) above look (to me) like a
big "NO, NO" from an expert. His point 15) (and, to be precise, all
the points where he says "I will testify") should be investigated by
the defendants: "How, exactly, will you prove what you say" -- put up
or shut up.

Loïc

[ Reply to This | # ]

  • Wordplay - Authored by: GLJason on Thursday, December 27 2007 @ 04:24 PM EST
  • Observations - Authored by: Anonymous on Saturday, December 29 2007 @ 08:02 AM EST
    • Observations - Authored by: Vic on Saturday, December 29 2007 @ 12:39 PM EST
  • Observations - Authored by: Anonymous on Saturday, December 29 2007 @ 12:04 PM EST
So as I understand it
Authored by: kh on Wednesday, December 26 2007 @ 05:38 PM EST
So as I understand it the computer did not have Kazaa on it and wasn't sharing
files.

Someone somewhere insists that this user was running Kazaa and was sharing files
and the things that tie those elements together are the ISP logs of IP addresses
against time and user accounts, and some kind of logs of Kazaa access by another
company.

Both of those things would have to be proved or certified to be correct and we
know ISP logs are not error free, you would have to show both the ISP logging
machine and logging server must maintain correct time and they were correct on
this occasion and the Media Sentry machines had accurate time and were
synchronised with the ISP then you would have to show that you have seen all
computers connected to this ISP account.

If there were no other computers connected to this account then either the whole
complaint is completely wrong or the account owner had other computers or there
were other computers the user didn't know about using their account.

I'm not sure I see where this is going. Are they going to try and say the user
didn't hand over all their computers? Are they trying to show that their
information isn't adequate to pinpoint a user? Seem to have done a pretty good
job of that so far.

As others have said adding another hard disk still doesn't give you kazaa
registry entries, so it doesn't seem to add anything useful.

[ Reply to This | # ]

directory for yayahq
Authored by: Wardo on Wednesday, December 26 2007 @ 05:39 PM EST
Google for a couple variations on yayahq got me to this article from 2002:
http://www.fastcompany.com/magazine/58/advergames.html (popups, so I won't give a
clickie). The article says a company is making games into advertising and
tracking the use of the games, and your choices in the games.

I can't get to the company's site (www.yaya.com) from this connection to see
what they advertise with, perhaps a software suite named YaYa HQ? Or at least
installed to that directory.

It would be funny if that's a piece of adware/software one of the RIAA members
had written to advertise an album release... "Pick your favorite <band
name here> songs of all time and listen to them free for a month!"

Wardo

---
caveat lector...
Wardo = new user(lawyer = FALSE,badTypist = TRUE,badSpeller = TRUE);

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input - Updated
Authored by: Anonymous on Wednesday, December 26 2007 @ 06:35 PM EST
A couple of other items:

1. If the connection to the ISP was/is a wireless connection it is possible
that someone else, in another location, connected to the ISP using the
respondent's IP address. This is not at all uncommon and "I Cringely"
and "GRC.com" have articles about it.

2. A friend and/or guest of the respondent may have done the alleged infringing
using their own laptop (laptops are after all rather wide spread nowadays).

3. The lack of 'actual' evidence of infringement and the plaintiff's concept of
hinting that (a) encrypting data, (b) wiping data (or a partition or drive) or
(c) all of the above are an affirmative showing or trait of an infringer is both
utterly ludicrous and without merit. As an example -- I have one partition on
my drive that is my 'experimental' partition. When I am done doing whatever on
that partition I routinely (a) encrypt using 'bcrypt' and then (b) wipe the
encrypted data or whatever using 'wipe'. Secondly, if I purchase a new HDD to
replace an existing drive I always wipe the old HDD using 'nuke' from a bootable
CD, floppy or flash drive.

krp

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input - Updated
Authored by: afruss on Wednesday, December 26 2007 @ 06:40 PM EST
As to this statement!
> 16) I will testify that based on the MediaSentry data mentioned above and registry entries recovered from the computer that the computer had a public IP address and was not connected to the Internet via a wireless router.
He can only really testify to linking the three issues (not the accuracy of the first and second).
The statement on this must be qualified:
> that the computer had a public IP address and was not connected to the Internet via a wireless router.
Because he only knows the current network configuration, not previous configurations. He doesn't mention previous configurations he found in the registry or elsewhere (if they are stored/backed-up anywhere).
The phantom wireless router could easily be 'swapped in and out', there is nothing to suggest otherwise.
He confuses the term computer in 15, with the term computer in 16, because they could be different computers, hard disks or network devices.
He doesn't speculate that the external hard drive could be the computer's former boot disk in a USB enclosure (with a bootable Windows XP). The fact that the Documents and Settings directory is used indicates that Windows XP was bootable on the hard drive and Yanick was a user of the former hard disk. It also is noteworthy that the directory used was not the default shared directory for Kazaa.
He doesn't mention any dates of emails stored on this computer if any, the date windows purported to be installed, the dates the users were created (esp Yanick), the earliest and latest web-browsing history, whether other users also have Administrative access to the computer. All those dates can be 'manufactured' but the story of the dates point to dishonesty (or otherwise) of the ownership and use of the computer.
It is appropriate that he explain how he determined the Yahoo user id. He might have 'hacked' Yahoo by assuming the identity of the person that logged on most recently to Yahoo using cookies stored on the hard drive (that might be a felony). Possibly he could have examined an encoded cookie which revealed this information.

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input - Updated
Authored by: Anonymous on Wednesday, December 26 2007 @ 07:21 PM EST
I honestly can't tell if the SME is on the side of the defense or prosecution
here. Part of his testimony seems to indicate that he believes that the hard
drive that he examined had been in the computer prior to, during, and after the
illegal file sharing happened. For example, he notes the log entry for the USB
disk which happened prior to the file sharing. He also notes that he relied on
registry entries on the hard drive to eliminate the possibility of wireless
access during the event. But then he says that this drive does not appear to be
the one used to share copyrighted songs.

Although he doesn't say that he found any evidence that this drive had been
replaced after the illegal file sharing he MUST have looked for it. I think it's
significant that he isn't testifying about this part at all.

[ Reply to This | # ]

Forensic Catch22
Authored by: Anonymous on Wednesday, December 26 2007 @ 07:28 PM EST
I'm not an expert but I have sat in on a number of discussions about hard drive
data recovery. I'm offering this as a comment on the current state of the art
as I understand it.

It appears that the "forensic" exam is flawed in the first place.
From what I can tell the tools used do a sector by sector copy of the target
drive. This yields a new drive that can be used to recover files like logs. It
can also recover erased files where the erasure consists of marking the file
"erased" freeing the associated space for future writing. It does
that because the data is still on the disk. It cannot, however, recover
properly shredded data where the blocks of data are overwritten and the file
table entry properly altered. In other words if the data is there you can see
it and testify about it but you cannot really say it was never there.

If somebody with adequate resources has the money and desire one can go into
clean room analysis and recover data that was overwritten several times. The
heads don't track perfectly, the media does not change to a fixed state.

Bottom line
The expert can testify he found something. He cannot testify it was never
there. He does not have the original drive or the tools to look at it. If it's
your drive and you really want to clean it I have heard that soaking the
platters in battery acid works but haven't tried it.

;-)



[ Reply to This | # ]

  • Forensic Catch22 - Authored by: Anonymous on Wednesday, December 26 2007 @ 10:46 PM EST
  • Forensic Catch22 - Authored by: Anonymous on Thursday, December 27 2007 @ 07:31 AM EST
  • Forensic Catch22 - Authored by: Anonymous on Saturday, December 29 2007 @ 11:17 AM EST
    • Forensic Catch22 - Authored by: Anonymous on Sunday, December 30 2007 @ 12:35 PM EST
Pick Your Brain Time - A Lawyer Requests Your Input - Updated
Authored by: Anonymous on Wednesday, December 26 2007 @ 07:39 PM EST
Ok, maybe I'm just confused but doesn't he set up a paradox?
A) data from this hard drive proves the defendant was directly connected to the
internet with a public IP address
and
B) data from this hard drive proves the defendant never used or installed a file
sharing application.

So if we assume the drive was replaced (hiding the file sharing application
evidence) then the IP address info is invalid or at least unproved(able) - as of
the time of infringement
Of course if you want to assert the IP address proof (discounted elsewhere) then
you win on the lack of file sharing evidence.

jen

[ Reply to This | # ]

Verizon data?
Authored by: katayamma on Wednesday, December 26 2007 @ 07:45 PM EST
I've looked for the information returned by Verizon and haven't spotted it in
any of the documents so far.

Is it possible to post the Verizon information associated with the DHCP logs and
other machine specific identification?

Being a network admin, I'm interested in seeing the raw logs to see just how
tight their machine identification is.

---
Never underestimate the power of human stupidity.

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input - Updated
Authored by: Anonymous on Wednesday, December 26 2007 @ 08:01 PM EST
It's not so easy to determine that a wireless router
was (or was not) attached. See multi-NAT protocols.

http://www.zyxeltech.de/snotezw5_362/app/multi_nat.htm#how

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input - Updated
Authored by: Anonymous on Wednesday, December 26 2007 @ 08:54 PM EST
Based upon the examiner's assertion 15), he found at best that the accused's
account was used to download or share songs using Kazaa. From a strictly
logical point of view the declaration is still full of holes. While I am not a
"forensics" expert, I am a scientist. As such when I make an argument
I am concerned with both necessary data and sufficient data.

The declaration does not present any evidence that would be necessary to _prove_
the computer and harddrive combination had been used to access the material the
RIAA expresses concern about. The declaration does say that another, external
harddrive was connected to the computer but apparently was not examined
(15-27).

Data not provided include a description of the internet connection setup. For
instance, how was the computer connected? Was it connected directly to a DSL
modem? Was there an intermediate switch, hub or router between the modem and
computer? If there was, was it hard wired or did it include wireless support?
If there was wireless support, was it wide open or locked down in any way? The
connection would have stood as the proxy IP connection for _ANY_ system(s)
connected as far as the remote system was concerned. MediaSentry would have no
means of ascertaining (legally) how many systems might be connected through that
account.

Trace data. Is there any trace data available to indicate where the machine
accessing the account was located? In other words, how do the RIAA
investigators know the account was not compromised and the system spoofed?

Right now, if the investigator is asked, "do you have ANY evidence that
this computer and harddrive combination is the machine used to run Kazaa and
share your client's precious material?" the investigator would have to
answer "no," based upon the contents of this declaration. The defense
cannot prove that the computer is not the "baddie's" machine, but
proving a negative is impossible. However, based on this limited amount of
information, the accusers can't prove a positive assertion either, which should
be infinitely easier. Right now, I would think the RIAA would be better off
leaving this fellow and his testimony out. "No" is pretty cut and
dried.

[ Reply to This | # ]

The big gaping hole here appears to be ...
Authored by: Anonymous on Wednesday, December 26 2007 @ 09:41 PM EST
"I will testify to the procedures used and results obtained by Media Sentry
...".

Just after he states that the "materials I considered in developing my
conclusions" consisted merely of some screenshots and various species of
log files that they supplied to him.

Seems to me that he can develop whatever conclusions he likes from those
materials, and try to sell them wholesale, but if that's all he had then he
can't possibly testify as to Media Sentry's procedures.

The only first-hand, non-hearsay, knowledge he could testify to would be that
the materials in question, entered as evidence, were the ones he used in his
analysis.

So, either:

a) He has some personal knowledge of Media Sentry's procedures which he does not
reference in this statement; or

b) He has documentation regarding their procedures, other than the quoted
screenshots/logs, that he is failing to reference; or

c) He has no standing whatsoever to testify on the accuracy and trustworthiness
of their procedures.

You can't work backwards from the bare results (output) of a process/procedure
to determine whether that procedure was valid.

Taking his statement purely as written, how does he show that the screenshots
and logs he was analyzing weren't just knocked up by someone in Excel and
Photoshop?

Is someone else going to testify as to the procedures used and the accuracy of
the data he used for his analysis?

Or is he intending to introduce further evidence, regarding his personal
knowledge of Media Sentry's procedures, which he is currently withholding?

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input - Updated
Authored by: Anonymous on Wednesday, December 26 2007 @ 10:08 PM EST
I haven't seen IP address spoofing discussed in the RIAA cases. Maybe I'm all
wet on this -- please flame me if I am. The scenario below is theoretically
possible. Verizon's specific equipment configurations can make the scenario
possible or impossible. I assume that the Verizon connection was DSL.

I propose that a neighborhood kid can spoof the Lindor's IP address if he is
also a customer and shares the same edge router at the CO. No wireless or
wiretapping is necessary. Kid just ignores his own DHCP assigned host address
and spoofs another in the same subnet by binding his network interface (NIC) to
it. If the spoofed address happened to belong to Lindor -- oh well -- sorry.

If the Lindor's gear were powered off, then there wouldn't be an ARP conflict.
Unless specific access controls were in place to block it, the Verizon router
would believe ARP and route Lindor labeled traffic thru the kid's DSL.

Verizon probably has a record of the IP address its DHCP server assigned to
Lindor's registered MAC address, the date/time it was assigned, and the date/time
it was released. I presume this is the subpoena info. However, does Verizon have
a record that explicitly associates Lindor's IP address with their MAC address for all
packets? I doubt it.

If Verizon claims access controls are in place to prevent such spoofing, they
should be required to provide evidence that controls were effective, operating
as intended, and in place continuously. That is not an easy chore.

[ Reply to This | # ]
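The dependence on clock accuracy raised in kh's comment and on DHCP assignment records raised in the comment above, as an added example that is not part of any post: it matches an observed IP and timestamp against lease intervals and reports whether the match survives the combined clock error of both parties. The lease records, subscriber labels, addresses (documentation ranges) and error bounds are constructed, and this is not Verizon's or MediaSentry's log format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    subscriber: str
    start: datetime   # assignment time, as logged by the ISP's clock
    end: datetime     # release or expiry time, as logged by the ISP's clock


@dataclass(frozen=True)
class Attribution:
    verdict: str                  # "unique", "ambiguous" or "none"
    candidates: Tuple[str, ...]   # subscribers whose lease could cover the event
    margin: Optional[timedelta]   # unique case: distance to the nearest lease edge


def _require_aware(ts):
    # A timestamp without a zone cannot be compared across two organisations' logs.
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"timestamp {ts!r} has no time zone")


def attribute(leases, ip, observed, observer_err, isp_err):
    """Match an observation to DHCP leases, allowing for clock error on both sides.

    observer_err / isp_err are the largest plausible absolute errors of the
    observer's clock and of the ISP's logging clock (assumed inputs).
    """
    _require_aware(observed)
    tol = observer_err + isp_err
    lo, hi = observed - tol, observed + tol
    hits = []
    for lease in leases:
        if lease.ip != ip:
            continue
        _require_aware(lease.start)
        _require_aware(lease.end)
        if lease.start <= hi and lease.end >= lo:   # lease overlaps the window
            hits.append(lease)
    subs = tuple(sorted({l.subscriber for l in hits}))
    if not subs:
        return Attribution("none", (), None)
    if len(subs) > 1:
        return Attribution("ambiguous", subs, None)
    # A negative margin means the event lies outside the lease as logged and
    # only matches because of the tolerance.
    margin = max(min(observed - l.start, l.end - observed) for l in hits)
    return Attribution("unique", subs, margin)


# Constructed sample data: one address reassigned 90 seconds after release.
EST = timezone(timedelta(hours=-5))
IP = "203.0.113.25"
LEASES = [
    Lease(IP, "00:00:5e:00:53:0a", "subscriber-A",
          datetime(2007, 1, 15, 0, 10, 0, tzinfo=EST),
          datetime(2007, 1, 15, 6, 2, 0, tzinfo=EST)),
    Lease(IP, "00:00:5e:00:53:0b", "subscriber-B",
          datetime(2007, 1, 15, 6, 3, 30, tzinfo=EST),
          datetime(2007, 1, 15, 18, 0, 0, tzinfo=EST)),
]
# The observer logs in UTC; 11:05:00 UTC is 06:05:00 in the ISP's zone.
OBSERVED = datetime(2007, 1, 15, 11, 5, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    zero = timedelta(0)
    print(attribute(LEASES, IP, OBSERVED, zero, zero))
    print(attribute(LEASES, IP, OBSERVED, timedelta(minutes=2), timedelta(minutes=2)))
```

A "unique" verdict only says which subscriber the address was assigned to; as the comment above notes, it says nothing about which MAC address actually sent the packets.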

Was the computer ever serviced by a 3rd party?
Authored by: Walter Dnes on Wednesday, December 26 2007 @ 10:12 PM EST
Was the computer ever serviced by a 3rd-party, e.g. "Geek Squad" or
even "the kid down the street who knows Windows"? This would be
consistent with an external drive being attached, i.e. by the service
technician.

[ Reply to This | # ]

Not much brain to pick
Authored by: Alan(UK) on Wednesday, December 26 2007 @ 10:27 PM EST
IANAL and much of this stuff is too technical for me. Although the 'expert' has
been shown to not be very expert, let us assume that the plaintiff puts him on
the witness stand to give evidence based on the contents of this report.

1) He will have to admit that the drive came from a computer that is used by the
defendant and others in her household [based on contents found on drive].

2) The hard drive has not been replaced since the time in question [based on
comment about the date that F: was connected].

3) The drive shows no sign of being tampered with [based on his lack of evidence
to the contrary].

4) The computer was not part of a wireless network [based on his own
reasoning].

5) Lindor Jnr has not come along with his laptop and done the deed [based on his
supposition that he was in NY at the time].

6) The computer shows no sign of harbouring the offending files nor of
containing the Kazaa program.

7) The computer shows no sign of ever being used for illegal file sharing.

8) The 'expert' believed that if this machine had been used for illegal file
sharing then he had the ability to either detect evidence of this or of the
evidence being tampered with [based on his qualifications and experience].

9) The 'expert', having eliminated all other possibilities [at least in his own
mind] has to admit that the defendant is cleverer than him and has been able to
participate in illegal file-sharing in some way that he cannot even think of
[except for the mysterious drive F:].

The obvious conclusion from all this is that, somewhere between writing the
MediaSentry code and serving the writ on the defendant, someone has made a
mistake.

The problem for the plaintiff is not that the 'expert' is not very good. The
problem is that the case shows that their modus operandi is fundamentally
flawed. Having said that, they probably don't care. Threatening letters work
most of the time and their $200 an hour 'expert' would be able to find
sufficient dvd downloads and porn on a re-formatted drive to get a settlement on
the courthouse steps in the few stubborn cases.



---
Microsoft is nailing up its own coffin from the inside.

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input - Updated
Authored by: ronhughes on Thursday, December 27 2007 @ 01:17 AM EST
Not sure if this has been mentioned but…
<$.02> <alt_theory>
C is usually the boot device which is usually a hard drive.
D is usually the optical removable media device.

He states that Windows Media Player accessed songs on the F drive with a long
confusing path which mostly mimics a path located on the C drive by default.

He does not state that there was an additional drive or additional device
connected… so what happened to the E drive. Windows allocates drive letters
automatically and sequentially as devices are attached. Physical devices come
first and then logical devices (by default) when drive letters are assigned.
He does not state that the Disk Management application was used to change the
default drive letter assignments.

The only time a user gets to pick a drive letter is when they are creating a
network drive and they can then select which drive letter to assign as a mount
point.

In #21 he mentions a 100GB USB external hard drive and in #22 states that it was
‘located on the external hard drive.’ I understand that to be the drive
mentioned in #21. This is misleading and jumps to a conclusion as it may have
been on different physical or logical media altogether. If this was checked and
verified it should have been included within the declaration.
</alt_theory>
</$.02>

[ Reply to This | # ]

Technically good
Authored by: Quila on Thursday, December 27 2007 @ 01:29 AM EST
I don't know the legal stuff surrounding this, but it looks technically correct.
A few of the more interesting ones:

I guess Lindor made the claim that someone was riding on their wireless? Windows
remembers wireless routers it was connected to, and they will likely give
192.168.x.x addresses (known as a private IP range). All home routers I know of
do this. A system connected directly to the ISP will get something else in the
ISP's IP range.

21) Windows does remember USB devices that were connected to it, and usually you
can find the brand and capacity of the drive in the registry. The RIAA will
probably be asking for that hard drive.

23) is likely a mistake. Should be he was "an Administrator" or
"had an account with administrative privileges."
"Administrator" is an account with full privileges
("administrator") on the machine. Administrators is a group, and
everyone in that group gets administrator privileges. By default, the person
setting up the computer is in this group.

[ Reply to This | # ]

Has anyone looked at the DSL router
Authored by: Anonymous on Thursday, December 27 2007 @ 02:54 AM EST
Many are supplied with both wired and wireless ports and the default is to have
the wireless turned on and open out of the box. Also I've seen some that pick up
their own ip address as the default base for nat.

[ Reply to This | # ]

IMPORTANT QUESTIONS
Authored by: Anonymous on Thursday, December 27 2007 @ 04:16 AM EST
It just hit me the answers to this case are in the log files of the computer.
The first question to ask is do the log files appear to be forged? Large gaps in
the time stamps, if auto update is turned on, a large number of them all at once, or
spread out at about the right time? Second, did he use information in the log
files to determine if the computer was on, off or suspended at the time in
question? There are Windows start and shutdown messages that would give you a
time line. I don't know how Windows manages its log files but if it creates a
new one from time to time then there will be a trail of deleted old ones left on
the disk.

[ Reply to This | # ]
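The timeline check suggested in the comment above, as an added example that is not part of the original post: it rebuilds power-on sessions from the System event log's start and stop records (event IDs 6005 and 6006), answers whether the machine was on at a given time, and flags silent stretches and timestamps that run backwards. The records are constructed sample data and the six-hour gap threshold is an assumption.

```python
from datetime import datetime, timedelta

STARTED, STOPPED = 6005, 6006   # Event Log service started / stopped cleanly


def sessions(records):
    """Return [(start, last_seen, clean)] from (timestamp, event_id) in record order."""
    out, start, last = [], None, None
    for ts, eid in records:
        if eid == STARTED:
            if start is not None:          # earlier session never logged a clean stop
                out.append((start, last, False))
            start = ts
        elif eid == STOPPED and start is not None:
            out.append((start, ts, True))
            start = None
        last = ts
    if start is not None:                  # log ends while the machine is still up
        out.append((start, last, False))
    return out


def state_at(sess, t):
    """'on', 'off' or 'unknown' at time t, judged only from the log's own records."""
    if not sess or t < sess[0][0] or t > sess[-1][1]:
        return "unknown"                   # outside the period the log covers
    for i, (s, e, clean) in enumerate(sess):
        if s <= t <= e:
            return "on"
        nxt = sess[i + 1][0] if i + 1 < len(sess) else None
        if e < t and (nxt is None or t < nxt):
            # After an unclean end the machine may have stayed up past last_seen.
            return "off" if clean else "unknown"
    return "unknown"


def anomalies(records, max_gap):
    """Flag backwards timestamps and long silences inside a power-on session."""
    found, prev, on = [], None, False
    for ts, eid in records:
        if prev is not None:
            if ts < prev:
                found.append(("backwards", prev, ts))
            elif on and eid != STARTED and ts - prev > max_gap:
                found.append(("silent", prev, ts))
        if eid == STARTED:
            on = True
        elif eid == STOPPED:
            on = False
        prev = ts
    return found


def dt(day, hour, minute):
    return datetime(2007, 1, day, hour, minute)


# Constructed records in record-number order; 7036 stands in for routine activity.
RECORDS = [
    (dt(10, 8, 0), 6005), (dt(10, 8, 5), 7036), (dt(10, 12, 0), 7036),
    (dt(10, 17, 30), 6006),
    (dt(11, 9, 0), 6005), (dt(11, 9, 10), 7036), (dt(12, 21, 0), 7036),
    (dt(13, 7, 0), 6005),                  # new start with no stop before it
    (dt(13, 7, 2), 7036), (dt(13, 6, 50), 7036),   # earlier than the record before
    (dt(13, 12, 30), 6006),
]

if __name__ == "__main__":
    s = sessions(RECORDS)
    for row in s:
        print(row)
    print(state_at(s, dt(10, 23, 0)), state_at(s, dt(12, 23, 0)))
    print(anomalies(RECORDS, timedelta(hours=6)))
```

A silent stretch can be suspend or hibernation as easily as removed records, and a backwards timestamp can be a clock adjustment; both are points an examiner would be expected to explain rather than proof of forgery.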

Technically Very Poor Results
Authored by: Anonymous on Thursday, December 27 2007 @ 05:02 AM EST
First, as has been pointed out before, without proper evidence chain and
custody I don't believe computer logs meet the requirement for electronic
evidence and therefore should be excluded.

I'll make an assumption here, but I bet dollars to donuts that the defendant's
computer is running Windows XP Home edition.

If I'm correct, then I would have expected the good doctor to describe certain
aspects of his so-called examination of the disk drive to go something like:

In the Software database stored on the hard disk at registry key
Software\Microsoft\Windows NT\CurrentVersion\NetworkCards which
contained two keys. The first was 11, which had a device guid of {guid here},
and was a Vendor X type device. So on and so on...

In the Software\Microsoft\Windows NT\Winlogon at key x, I found that the
version of Windows installed was {Windows Version Here} and based upon key
Y the System Administrator account was {sys_admin_account} with a security
id of {1-3-100}. So on and so on...

Now some background, on the above, under Windows XP all versions, in the
directory %SYSROOT%/system32/config directory or for you Windows types
folder are four binary files that get open at boot up and are owned by the
system account, are software, SAM, security, and system. Microsoft refers to
these binary files as databases, and provides system administrators two tools
(programs to manipulate these files) regedit.exe and regedt32.exe. These
databases are Hives and contain keys and values, the root of the four major
databases are referred to as HKEY, for HIveKEY. Thus the system HKEY and
the software HKEY can contain all of the information about when Windows
was installed, who installed it, how it was configured, and other information.

In Windows, every account, including user accounts are assigned a security id
which is unique within a system, in the HKEY local_system in the key
CurrentControlSet are a number of keys that identify the boot disk and
partition, the boot drive letter, and the definition of the system environment
variable %SYSROOT%.

Since none of the good doctor's declaration reference any specific key or
values, or how the data and results were achieved.

I'm left to the conclusion the good doctor's declaration is hearsay, not
based upon established practice or reproducible.

The doctor's declaration lacks any credible evidence, explanation of how the
evidence was produced, what the error rate was/is he based his conclusions.

As an electrical engineer and computer scientist, dual degreed, I would lose
my job if I went to my management with such a declaration. The first
question out of my management's mouth would be where is your data, and
what methods/technologies/equipment did you use to produce these results.

Conclusions aren't worth the paper they are written on, unless you have
strong data/methods/equipment to support your conclusions or inferences
from the data.

As I said, the good doctor's declaration is sorely lacking in hard data. I'm not
sure I want to go further at this juncture as I think the good doctor should
have to pay me for training him!

Lastly, if the good doctor is any indication of the quality at the University he
claims to teach at, I would look for another school pronto! Fortunately, I have
no further schooling ambitions at this time, and I rather enjoy being a
practitioner at a company supporting DHS (Automated Fingerprint Identification
Systems).

[ Reply to This | # ]

Enough with the "public IP means no router" already
Authored by: giolla on Thursday, December 27 2007 @ 06:58 AM EST
Please can people stop claiming that a computer having a public IP address means
it must be directly connected to the internet. It's utter nonsense.

All of my computers at home have public IP addresses and connect via a hub then
ADSL firewall/router. But then I have a /25 netblock assigned from my ISP. There
are many ways to set up connections some of which reveal the presence of a
router some of which don't.

Even if the router was doing NAT with a single public IP address assigned to the
WAN interface, that doesn't mean that private ( RFC 1918 ) address space was
used internally, yes it should have been but that doesn't mean it was. It would
be easy to set up NAT using public IP space both sides, I've seen it done even
in large companies. It's stupid, it's broken but it's doable.

Not knowing the details of the hardware used to connect the machine in question
to the ISP it is impossible to determine anything from the fact that the
computer had a non-RFC 1918 address.

And as for the wireless thing, the laptop I'm currently using gets the same
public IP address from the local DHCP server no matter if it's connected by wire
or wireless (I configured the DHCP server to assign the same IP to both MACs)

Seriously all that you can tell from a PC having a public IP address in its
configuration is that it was configured with a public IP, doesn't tell you
anything at all about the connection.

I have to wonder though why if a direct modem connection was used wasn't that
mentioned. You know "The registry showed that an Acme-USB-modem was used to
connect to the internet and used/was assigned such and such an IP address"

---
Giolla
873

[ Reply to This | # ]

Pick Your Brain Time - Windows Guru question
Authored by: Anonymous on Thursday, December 27 2007 @ 08:11 AM EST
Does windows keep a connection log that shows what IP was being used at a given
time? If not the only "proof" that a router was not being used is the
connection side that would not know what it was connected to.

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input - Updated
Authored by: Anonymous on Thursday, December 27 2007 @ 08:13 AM EST
This proves absolutely nothing, but demonstrates that the Media Sentry data does
not match the data on this hard drive.

To be honest, anyone could have borrowed that connection to do those things -
but it likely wasn't performed on the provided hard drive.

Anyone using their computer for Internet browsing is not going to leave a lot of
'user-created files'. That's not suspicious, that's normal!

The external hard drive is neither here nor there - KaZaa would leave traces on
the system drive regardless of where it was installed, but a skilled user could
remove these traces.

There is no evidence from this 'expert' that the timestamps used are in any way
accurate or not.

Wireless IP or not, means nothing because this drive was likely not the system
drive of a computer that is described by the MediaSentry claims. Doesn't matter
in the slightest.
This shows they are barking up the wrong tree (aside from questions of the
veracity of MediaSentry's data).

Spend the money and analyse the disk, see if ever there were the files alleged,
or the program alleged - come on RIAA, this expert is just an attempt at saving
money! (Cheap shot)

Merry Christmas all!

[ Reply to This | # ]

Little Usage
Authored by: Anonymous on Thursday, December 27 2007 @ 08:42 AM EST
> The hard drive that was provided and that I inspected,
> showed little usage at all, as evidenced by the lack of
> user created files and e-mails, and did not reveal the
> evidence noted above, which I believe the correct hard
> drive would certainly have shown.

Using any webmail (such as Yahoo Mail, which seems likely to have been used,
point 25 in the supplemental declaration) would explain the lack of e-mails.
Lack of other user created files could be explained by either usage of online
content creation tools or external hard drives, or even by the user not creating
them in the first place.

As for playing songs from another device with windows-like paths, while I was
living away from my parents I would always bring my computer's HD with me when I
visited them; I had even bought a USB HD enclosure to be able to connect my HD
to other computers and access my files.

[ Reply to This | # ]

Standard of evidence/proof
Authored by: jpvlsmv on Thursday, December 27 2007 @ 08:59 AM EST
People, please keep in mind that this is a CIVIL case, brought by one PERSON
(corporation) against another PERSON.

In Criminal cases (where the government brings suit against a person), the
defendant must be guilty "beyond a reasonable doubt". In Civil cases,
the defendant may be found culpable "by a preponderance of the
evidence".

So even if there's a smoking gun piece of evidence that 100% proves that the
defendant is not culpable, that evidence must be weighed against the other
evidence presented -- circumstantial or direct. And if 51% of the (weighted)
evidence says "guilty", that's enough for a judgement against Ms.
Lindor.

In this case, the expert's opinion is expected to carry a lot of weight with the
jury. Expert witnesses are intended to interpret highly-technical evidence
(such as the screenshots, logs, and HDD forensics) and present opinions on what
that evidence implies. Just like all the other evidence in the case, though,
these implications are weighed against the other evidence. (And the 51% rule
applies) Experts can dazzle the jury with technobabble, even if it's not 100%
accurate, and as long as their opinion is convincing, it will carry a lot of
weight.

IANAL.

--Joe

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input - Updated
Authored by: Vic on Thursday, December 27 2007 @ 09:26 AM EST
OK, a few random thoughts as my hangover subsides...

> a. MediaSentry Screenshots
>
> b. MediaSentry Systemlog

These two are easily doctored. But until we see what is in them, it's hard to
say whether they constitute evidence at all.

This is interesting:

> c. MediaSentry UserLog (compressed)
>
> d. MediaSentry UserLog

If the userlog is compressed, it's not human-readable; all he's going to get
from it is the timestamps. He *could* use some sort of uncompressing reader
(like "less") - but then it's no longer the compressed Userlog, it's
the uncompressed one.

This smells of the BBB approach...

But here comes a cock-up:

> 5. Based upon my review of the foregoing materials, as well as
> on my education and experience, it is my opinion and belief
> that defendant's computer had a public Internet Protocol
> ("IP") address and was not connected to the Internet via a
> wireless router.

I think people are making a bit too much of the "wireless" bit of the
above; yes, what has been said elsewhere is correct, but he clearly just means
"router". And however much his opinion might say a router wasn't used,
however much he might believe it, he hasn't proved it.

Most routers support something called "half-bridge" mode, in which the
external IP address offered by the ISP is passed on to a client inside the
network. The computer *appears* to be directly connected to the Internet, but
isn't. If the machine in question here was connected in half-bridge, it would
have an external IP address and not an internal one.

Now the way it *should* work is that only one client can use the router when
it's in this mode; this is pretty much indistinguishable from a modem operation.
But how many stories have we seen where router firmware is buggy? My own router
(a very old & cheap Conexant-based unit) has known backdoors that are open
by default (and can be closed if you know about them). And yes, despite being
older than Methuselah and the cheapest I could find at the time, it does support
half-bridge.

> I base this on the data mentioned above, as well as on the
> registry entries recovered from the computer and the fact that
> there was no internal IP address here.

So with this, he's wrong.

> Based on how IP addresses are assigned, it is not difficult to
> determine whether a computer was connected to the Internet via
> a wireless router. This computer was not.

And again.

Having said that - this computer *probably* was connected directly. And Windows
machines connected directly to the Internet, are a constant revenue stream for
PC repair people; they are *so* easily infected, I find it rare to find one that
*isn't* a steaming cesspool of malware.

So my guess - and it is no more than that - is that the Guru was right (albeit
for the wrong reasons). And seeing that he appears to have indications that the
IP address was used for filesharing, yet there is no evidence that the disk was
so used, and the installation of the OS on that disk predates the alleged
offence, it's a good bet that the machine has been compromised, potentially to
assist such illegal activity in the guise of a proxy server.

> A forensic inspection of a computer hard drive in a case like
> this one can provide significant information regarding the
> infringement alleged. For example, a forensic inspection would
> allow one to see, among other things, whether a file-sharing
> program was downloaded or installed and whether there is a
> share folder.

This is only true in the event that the user doesn't know how to clean up after
himself. Given the degree of knowledge required to perpetrate the destruction of
evidence alleged, it's a bit rich to start claiming this sort of thing as fact
when it is only true when the alleged perpetrator is not that knowledgeable. You
can't have it both ways; either the guy in question is knowledgeable, in which
case your forensic searches have a good chance of failing entirely, or he is
clueless, in which case he's not going to provide a doctored disk because he
won't know how.

> The hard drive that was provided and that I inspected, showed
> little usage at all, as evidenced by the lack of user created
> files and e-mails,

This is based on a *huge* assumption!

If anyone were to inspect *my* hard-drive, they'd find *no* emails. None at all.
To infer from that that I don't use this machine for email would be
preposterous; I receive hundreds of mails a day, and send quite a lot.

I also look after a number of users who are in exactly the same boat; their
machines contain *not a single* email. This is not because we go about disposing
of everything to try to hide it all - just that a local hard disk is not the
place to put emails. My inbox currently holds 7760 mails. And none of them are
on this machine, even though I have one open for reading as I type this...

> and did not reveal the evidence noted above, which I believe
> the correct hard drive would certainly have shown.

His belief is clearly incorrect; the "correct" hard drive could easily
have no mails on it at all. Thus is shown the circularity of our qualified
friend's argument; he believes something should be so, and therefore the
defendant must be covering-up if it isn't. Fact is, he's just plain wrong.

> 7. The hard drive that was provided did contain the resume of
> Gustave Lindor, Jr., and that document indicates that he was
> living and working in Brooklyn, New York during the dates that
> the copyrighted music was being shared.

Errr - big deal.

If my hypothesis above is correct, it might well have been Mr. Lindor's computer
using Mr. Lindor's IP address that actually did the sharing. But that doesn't
mean it ever went anywhere near Mr. Lindor; if Dr. Jacobson was right about the
system not using a router, then this machine was *so* open to abuse by even the
most meagre of skiddie talents, that some sort of nefarious network use is not
just possible, it's *expected*. And if Dr. Jacobson was wrong - well, he's just
wrong.

But to be sure of anything, we'd need to see the evidence he claims to have
captured, not his assertions about what that "evidence" means...

Vic.

[ Reply to This | # ]

Also missing...
Authored by: Anonymous on Thursday, December 27 2007 @ 10:16 AM EST
All of the declarations say in one way or another...

2. My qualifications and prior testimony are as follows:

3. My prior relevant experience is as follows:

None, or at least none that I can find, address the funding for his research.
It would be very interesting to follow the money. It may not be of value, but I
would bet that it is pertinent to his conclusions and the defense.

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input - Updated
Authored by: hamstring on Thursday, December 27 2007 @ 11:21 AM EST

I think a good summary is that our educational system is a failure!

This person is a Ph.D.? Well, maybe.. but it sure is not in computer systems, logic, theory, AI or anything else.. Maybe a foot doctor turned computer forensic? He toots his own horn, but to anyone working in the field he looks like an average sales person, not a technical expert. (No insult intended to sales persons.) His rate is only $200.00 per hour, which says a whole lot about his abilities/credibility in the field. Forensics is normally in the 500+/hr range.

While many many things are possible on the defendant's side, he points out nothing that would prove guilt.. and in fact in many cases raises doubts.

> 20) I will testify that based on the data recovered from the hard drive that this hard drive does not appear to be the same hard drive that was used to share copyrighted songs as shown by the MediaSentry materials. I will testify based on the forensics examination of the hard drive that was copied from the computer owned by the defendant that the computer had no evidence of the KaZaA program nor was there any evidence of the KaZaA program ever being installed on the computer, although the MediaSentry data showed the computer connected to the defendant's Internet account was running the KaZaA program.

Is that not admitting the defendant is innocent right there?


I know.. innocent before proven guilty is not really the way of law any more.. but hopefully one day we shall return to that mindset.

---
# echo "Mjdsptpgu Svdlt" | tr [b-z] [a-y]
# IANAL and do not like Monopoly

[ Reply to This | # ]

#15 information supplied by Defendant's ISP
Authored by: hAckz0r on Thursday, December 27 2007 @ 02:01 PM EST
Ok, let's just assume for the moment that Verizon knows how to grep their logs
and get the correct answer from their DHCP servers. Out of 105 addresses requested
by the RIAA Verizon failed to find any records for 8 of those requests. Given
the infallibility of Verizon that would imply that the RIAA supplied the wrong
information for 8 out of 105 sessions. If 7% of the requests were not actually
on Verizon's network at the time then what is the percentage of IP addresses that
were supplied by the RIAA incorrectly that by chance did happen to be Verizon
customers, but not one committing copyright violations at the time?



---
DRM - As a "solution", it solves the wrong problem; As a "technology" its only
'logically' infeasible.

[ Reply to This | # ]

MediaSentry Logs
Authored by: hAckz0r on Thursday, December 27 2007 @ 04:03 PM EST
I took a little bit of time to grok the Media Sentry logs and have a few issues which might show some inconsistencies or timing problems in the code. Since we all know that the code is NOT up for review the best we can do is to look for the tell-tale signs of logic errors.

I find that the program is multi-threaded, or at least not serialized, and therefore it has to log records grouped by the request and not in strict time order sequence. For a “certified” legal document I would say that the logs provided are incomplete or have had information removed, possibly to reduce the volume, but edited nevertheless. There are instances where two requests were issued and only one reply (Smooth Criminal), and also two replies for only one request (Maria).

On average the time skew of the target machine was off by -102 seconds which I used for validation on the send and receive times of MediaSentry. The traceroute documentation tells me that the round trip can be no better than 1.1 seconds through the 16+ hops through the network (assuming that the failed traceroute log submitted would actually connect to the proper host). However, three of the 11 files exchanged had a round trip time logged of ZERO seconds (Cant be that other Woman, grindin, song for mama). I sure wish my network had that kind of bandwidth! Considering that the alleged Lindor machine is likely not a super computer, actually reads from a physical drive that has latency, is currently being hit with many overlapping requests from MediaSentry at the same time, and that the MediaSentry machine has to actually process all the packets as well, I therefore find it impossible to believe what I see in these logs. Something is not right, or the data provided is just not the pristine unadulterated logs that the MediaSentry/RIAA would like us to believe it is.

---
DRM - As a "solution", it solves the wrong problem; As a "technology" its only 'logically' infeasible.

[ Reply to This | # ]
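The two checks described in the comment above (request/reply pairing and a round-trip floor), as an added Python example that is not part of the original post. The record layout, the item names and every timestamp are constructed for illustration and are not MediaSentry data; it assumes both timestamps of a pair come from the logging machine's clock and are truncated to whole seconds.

```python
from collections import defaultdict, deque
from datetime import datetime

MIN_RTT_SECONDS = 1.1    # floor quoted in the comment (from the traceroute)
RESOLUTION_SECONDS = 1   # assumption: timestamps are truncated to whole seconds

# Constructed records, NOT MediaSentry data: (kind, item, timestamp).
# They are grouped by item rather than by time, as the comment describes.
SAMPLE_LOG = [
    ("request", "track-A", "2004-08-07 05:00:10"),
    ("reply",   "track-A", "2004-08-07 05:00:12"),
    ("request", "track-B", "2004-08-07 05:00:11"),
    ("reply",   "track-B", "2004-08-07 05:00:11"),   # logged round trip of zero
    ("request", "track-C", "2004-08-07 05:00:13"),
    ("request", "track-C", "2004-08-07 05:00:14"),   # second request, never answered
    ("reply",   "track-C", "2004-08-07 05:00:16"),
    ("request", "track-D", "2004-08-07 05:00:15"),
    ("reply",   "track-D", "2004-08-07 05:00:17"),
    ("reply",   "track-D", "2004-08-07 05:00:18"),   # reply with no request left
]


def parse(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def audit(records, min_rtt=MIN_RTT_SECONDS, resolution=RESOLUTION_SECONDS):
    """Pair each reply with the oldest open request for the same item.

    Returns a list of (finding, item, logged_rtt_seconds_or_None).
    """
    # Restore time order; on equal timestamps a request sorts before a reply.
    ordered = sorted(records, key=lambda r: (parse(r[2]), r[0] != "request"))
    pending = defaultdict(deque)
    findings = []
    for kind, item, stamp in ordered:
        when = parse(stamp)
        if kind == "request":
            pending[item].append(when)
        elif pending[item]:
            logged = (when - pending[item].popleft()).total_seconds()
            # With truncated timestamps the true round trip is strictly less
            # than logged + resolution. If even that bound is at or under the
            # floor, the pair cannot be a real exchange over that path.
            if logged + resolution <= min_rtt:
                findings.append(("rtt_below_floor", item, logged))
        else:
            findings.append(("reply_without_request", item, None))
    for item, queue in pending.items():
        for _ in queue:
            findings.append(("request_without_reply", item, None))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A logged difference of one second is not flagged, because truncation alone allows a true round trip of up to two seconds; only a logged zero falls under the 1.1 second floor.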

Defense Expert, strike the report?
Authored by: GLJason on Thursday, December 27 2007 @ 05:01 PM EST

Does the defense have their own experts yet? I imagine there are a few people here that would do it for free or for very little money. Although I've had experience with computers since I got a Commodore 64 when I was eight and started programming assembly language a few years later, I only have a B.S. in computer science. From building and running my own networks at home and networks at work over the last ten years though it seems like I am more competent than the expert here, but not the credentials.

I think the defense needs their own expert to examine the exact same data provided to this expert and to form their own opinions. It's not good for only one side to have an expert... The report is riddled with inconsistencies, inaccuracies and misrepresentations. In my opinion it should be stricken in its entirety if possible, or at least in part. At the very least, item 18 should be stricken from his report:

> 18) I will testify that the computer contained the resume of Gustave Lindor, Jr and that the document indicates he was living and working in Brooklyn N.Y. and working at Long John Silver's during the dates that the copyrighted music was being shared.

Is this the proper testimony for a subject matter expert? His expertise is in forensics and computer networking, at least that's what he claims. The plaintiffs never to my knowledge produced a request for resumes of Marie Lindor or her family members.

It appears that the expert was not acting as a subject matter expert in this case, but acting as an investigator for the plaintiff. Rummaging through personal files does not help an expert determine if a file sharing program was installed or what IP address a computer had assigned. I would ask to see his license to investigate, which is required in some states.

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input - Updated
Authored by: Ray Beckerman on Thursday, December 27 2007 @ 05:50 PM EST
This is fantastic stuff, people!!!!!

On behalf of Marie Lindor, a home health aide who has never even used a
computer, and on behalf of all of the other basically defenseless people caught
up in this giant RIAA scam, thank you from the bottom of my heart.

This is beautiful.

---
Best regards,
Ray

[ Reply to This | # ]

A thought about the hard drive
Authored by: Wardo on Thursday, December 27 2007 @ 06:09 PM EST
If the hard drive originally in the machine is still being maintained as
evidence, or still available in some fashion, you may have proof it's the
original item.

If you contact the manufacturer and ask if they keep records of all the serial
numbers used for a particular computer, if they still have the records, this
could be used to prove an unaltered hard drive.

One of the ISO 9000 series deals with this sort of tracking, which parts went
into which finished goods. I don't know what the retention policy is for this,
but if it was made by one of the big computer houses (Dell/Acer/Compaq/HP/etc.)
they may have kept these records.

Might be worth the time to send a letter to the maker with the PC's serial and
model numbers, and perhaps date of purchase or other details to narrow down the
records...

Wardo

---
caveat lector...
Wardo = new user(lawyer = FALSE,badTypist = TRUE,badSpeller = TRUE);

[ Reply to This | # ]

Webmail can prove his innocence.
Authored by: katayamma on Thursday, December 27 2007 @ 07:37 PM EST
Assuming that he uses webmail (yahoo, google, hotmail, etc.) or any other on-line message posting service can be used to prove that he didn't have that IP.

When sending an E-Mail through Yahoo or any other service provider, they log the IP that it originated from. Here's an example from an e-mail I sent on Yahoo:

From Hikaru Katayamma Mon Dec 17 05:33:47 2007
Received: from [72.128.14.218] by web35401.mail.mud.yahoo.com via HTTP; Mon, 17 Dec 2007 05:33:47 PST
Date: Mon, 17 Dec 2007 05:33:47 -0800 (PST)
From: Hikaru Katayamma
Subject: United Way...
To: recipient user

That 72.128.14.218 is my RR IP address. If the defendant sent any web mail messages or posted to any public bulletin boards and/or blogs, then his IP should be logged. If they don't match the IP that is supposed to have been used, then clearly the track-back information is invalid.

Cheers!

---
Never underestimate the power of human stupidity.

[ Reply to This | # ]
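The comparison suggested in the comment above, as an added Python example that is not part of the original post: it pulls the bracketed client address and timestamp out of each `Received:` header and compares them with a claimed address and time. The sample is the header quoted in the comment; the claimed address 203.0.113.7 (a documentation range) and the function names are assumptions made for the illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Header lines as quoted in the comment above (mbox "From " line omitted).
SAMPLE_HEADERS = (
    "Received: from [72.128.14.218] by web35401.mail.mud.yahoo.com via HTTP; "
    "Mon, 17 Dec 2007 05:33:47 PST\n"
    "Date: Mon, 17 Dec 2007 05:33:47 -0800 (PST)\n"
    "Subject: United Way...\n"
    "\n"
)

BRACKETED_IP = re.compile(r"\bfrom\s+\[([0-9A-Fa-f:.]+)\]")


def origin_hops(raw_headers):
    """Return [(ip_address, aware_datetime)] for Received headers naming a client IP."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        # The timestamp follows the last ';' of a Received header.
        route, _, stamp = value.rpartition(";")
        match = BRACKETED_IP.search(route)
        if not match:
            continue  # relay hop without a bracketed client address
        try:
            ip = ipaddress.ip_address(match.group(1))
            when = parsedate_to_datetime(stamp.strip())
        except (ValueError, TypeError):
            continue  # malformed address or date: not usable as a data point
        if when.tzinfo is None:
            continue  # no zone given, so the instant is ambiguous
        hops.append((ip, when))
    return hops


def compare_with_claim(hops, claimed_ip, claimed_time, window):
    """Label every hop within `window` of the claimed time as 'same' or 'different'.

    A 'different' result is a lead to check against the ISP's lease records:
    a dynamic address can change inside the window.
    """
    claimed = ipaddress.ip_address(claimed_ip)
    findings = []
    for ip, when in hops:
        if abs(when - claimed_time) > window:
            continue
        findings.append({
            "ip": str(ip),
            "time_utc": when.astimezone(timezone.utc).isoformat(),
            "verdict": "same" if ip == claimed else "different",
        })
    return findings


if __name__ == "__main__":
    # Constructed claim: the address and time are placeholders, not case data.
    claim_time = datetime(2007, 12, 17, 14, 0, tzinfo=timezone.utc)
    for row in compare_with_claim(origin_hops(SAMPLE_HEADERS), "203.0.113.7",
                                  claim_time, timedelta(hours=1)):
        print(row)
```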

Check out the Supplemental
Authored by: shun1943 on Thursday, December 27 2007 @ 07:53 PM EST
I am not going to go over the early filings, as there is more than enough material in the new "brief". I just wanted to point out some inconsistencies. First, what do 12) and 13) have to do with anything? Aside from confusing the judge, they don't exactly add much to the discussion. Ray or PJ can attack him on his definitions, though. OK, on to the meat:

> 17) I will testify based on the forensics examination that the computer had three usernames of interest that were named Kathleen, Woody, and Yanick.

Someone already pointed this out, but this is just horrible grammar. Also, it is unclear whether he was saying that these usernames corresponded to actual people who used the program or that the defendant (who is the one on trial here) actually went by 3 usernames.

> 18) I will testify that I found very few user created files and saved emails on the hard I was provided to by the defendant.

Just what is he trying to imply here? Either the defendant doesn't use her computer for much, doesn't store a bunch of stuff on her computer, or she recently formatted it. Mr. Computer Expert should know the difference between the three.

Also, it is possible to use a computer a lot, but have very little stored on it. Think about the typical user. What do they do? Check email, go on the web, comment on Groklaw...I mean, not a lot of "user-generated" content, except what's already out there on the web. Why didn't he look for web-based content, like You Tube uploads? Oh, that's right, he was looking for evidence of illegal file-sharing. So far zippo.

> 20) I will testify that based on the data recovered from the hard drive that this hard drive does not appear to be the same hard drive that was used to share copyrighted songs as shown by the MediaSentry materials. I will testify based on the forensics examination of the hard drive that was copied from the computer owned by the defendant that the computer had no evidence of the KaZaA program nor was there any evidence of the KaZaA program ever being installed on the computer, although the MediaSentry data showed the computer connected to the defendant's Internet account was running the KaZaA program.

OK, I'm skipping but I just wanted to make this point. He confuses the word "computer" with the words "hard drive" a lot. I think this is intentional. Tell ya why. They are basically grasping at straws at this point. I'm pretty sure that one of the other theories is correct, either her account was hijacked, another machine was used to do the file-sharing, or some kind of spoofing was done. The point is, they've got the wrong person/computer. They just can't admit it. Well, actually, they just did. Let's move on.

> 22) The user Woody used Windows MediaPlayer to access songs and other files from a directory: (F:hDocuments and SettingsYanickMy Documentsdownloadyayahq) located on the external hard drive.

What? No "I will testify that based upon..." OK, so we can be pretty sure that he is just pulling this out of his butt then. Good. Also, why no slashes between F: and Documents and Settings? Bad HTML parsing?

> 26) I will testify that the computer contained the resume of Gustave Lindor, Jr. and that the document indicates he was living and working in Brooklyn N.Y. and working at Long John Silver's during the dates that the copyrighted music was being shared.

OK, aside from the potential invasion of privacy liability that this places Mr. Expert into (yes! I can have bad grammar, too), this is a break in pattern. Instead of "I will testify that based on the data recovered from the hard drive..." he's saying "I will testify that the computer contained..." which is not exactly the same thing. I would like to ask Mr. Expert just where on the computer did he get this information? Did he shake it out of the video card? Was it sitting in volatile memory? Did he just politely ask the computer, and did the computer tell him? Hmm...methinks this is more obscurity.

I think the best thing would be for the RIAA to drop this expert and get a different expert. This one is far too compromised, and is likely to fail under pressure. He seems to be unable to clarify his terms. He's been given 3 chances. If they are so bloody sure that the hard drive that contains Kazaa was hidden or destroyed by the defendant, why don't they file a Motion to Compel? You know, there are sanctions for destroying evidence, as there are sanctions for holding yourself out to be an expert, when you obviously are not. My favorite:

> 18) I will testify that I found very few user created files and saved emails on the hard I was provided to by the defendant.

I'll provide you with a "hard"...um, nevermind!

---
IANAL - but I play one in my imagination

[ Reply to This | # ]

  • 18) - Authored by: Anonymous on Friday, December 28 2007 @ 01:34 AM EST
    • 18) - Authored by: Vic on Friday, December 28 2007 @ 07:13 AM EST

MediaSentry certification
Authored by: Anonymous on Thursday, December 27 2007 @ 09:28 PM EST
Doug Jacobson assumes, without stating so explicitly, that MediaSentry's
product(s) work flawlessly and reflect a true state of affairs wrt the
conditions of hardware, software, and middleware (IP addressing etc.) at the
time in question.

Does he possess any or sufficient training in using MediaSentry's product(s) to
such an extent that he can draw fact-based conclusions regarding the results
obtained from MediaSentry's product(s)?

Is he an expert wrt MediaSentry?
If not, what standing does he have to draw conclusions regarding the results
provided to him by MediaSentry?

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input - Updated
Authored by: hexdump on Thursday, December 27 2007 @ 11:37 PM EST
> 26) I will testify that the computer contained the resume of Gustave Lindor, Jr. and that the document indicates he was living and working in Brooklyn N.Y. and working at Long John Silver's during the dates that the copyrighted music was being shared.

I'm not a forensic expert by any means, but it seems to me that the "expert" is trying to imply that the hard drive in the Lindor computer wasn't the original, but instead it came from Gustave's computer. If this was indeed the case, then it should be easy to show that the computer isn't the same as the one the hard drive was in when Windows was installed. The devices in the registry would show multiple entries for items that normally would not change. (Unless the two computers had exactly the same motherboard chipset.) I've actually migrated a hard drive from a failing motherboard once. Since the chipsets were similar it worked, but several devices were re-detected and new drivers were installed by Windows when it was booted the first time. (This was before WinXP so activation was not an issue.)

[ Reply to This | # ]

USB Drive thoughts
Authored by: hAckz0r on Thursday, December 27 2007 @ 11:51 PM EST
In defense of the "USB Hard drive" (model number not important) I would submit (since I believe there was an accusation of a total disk replacement) that when rebuilding a machine, attaching a USB drive these days is "expected" by anyone that knows what they are doing. Nobody (commercial anyways) would attempt to rebuild a Windows(tm) system by inserting all the install disks for each and every piece of software there is. Copying files from a "download" directory from another (USB) disk would also be "expected" if the goal is to get the system up and running without being infected by being attached to the Internet before the system is ready to defend itself. I believe the mean-time to be infected on a Windows box is said to be MUCH less (< five minutes) than the time necessary to download all the patches (hours++) from the Microsoft update site, which is necessary to fix all the security holes added by the basic (non-updated) Windows installation disks. So why are they making a fuss over a USB drive being attached? Or a "download" directory being present? It's expected!

If they are going to insinuate that Windows Media player was used to play files from a "download" directory then they should also detail exactly what those files were. If they were media files you get automatically when you visit a site that wants you to hear their adware-music then they should just say so and get over it. They should not try to make the judge/jurors/etc think that the Lindors were doing something illegal. If it's not illegal either don't mention it or say it's not illegal! They are clearly trying to make an insinuation of guilt without directly coming out and saying it.

---
DRM - As a "solution", it solves the wrong problem; As a "technology" its only 'logically' infeasible.

[ Reply to This | # ]

Questions not asked nor answered
Authored by: Anonymous on Friday, December 28 2007 @ 12:29 AM EST
There seem to be some pertinent questions that have not been addressed. Of course, it's not the plaintiff's job to seek out exculpatory (or however you say that in Civil) information, but if the information were inculpatory, I'm sure it would have been reported.
  • There were three usernames on the HDD, "Kathleen", "Yanick", and "Woody". "Woody" is said to have been an administrator. Were either of the others also administrators? An administrator has more power than a regular user, although Microsoft Windows requires, in practice, that any user be an administrator, unless there's an experienced techie around to overcome Microsoft's lack of operating system expertise.
  • Has any attempt been made to correlate these usernames with actual people? This could shed some light on the provenance of the HDD: if the people are friends or family of Mrs Lindor or her late husband, it indicates that this is likely to be the correct HDD.
  • The registry can contain further information about each username: does this yield any useful identifying information about the usernames? This helps with the item just above.
  • Are any of the usernames given a password? Which ones? A user account without a password is an invitation for anyone near the keyboard to impersonate a valid user.
  • What sort of files were in the 'My Documents' subdirectory ("folder") for each of these users? This may help identification and validation.
  • The event logs should contain entries for log-in and log-out events for the usernames. Did the usernames appear in log-in and/or log-out records? When did such log-in and log-out events occur (according to the computer's timekeeping)?
  • The event logs should contain shutdown and reboot events (services ending and starting), although shutdown events only occur on an orderly shutdown, not on an external power failure. When was the computer on versus off, according to the computer's timekeeping? If the computer's time was anywhere near being valid, this could show, for instance, that the computer wasn't even on at the time of the supposed infringement.

I'm not a Certified Computer Forensics Engineer, so I don't know what is expected of one. I do know that one of the basic questions that should be answered about a disk image purportedly from a particular computer is "Is this disk consistent with the computer?" This is a sine qua non sanity check--if the analysis doesn't complete and pass this minimal check, something's quite wrong with the assumptions, and none of the other results can be counted on.

If I have the computer in hand, I can gather some information about it, to compare with the information in the registry. If I do not have the computer, I must gather and report on the registry information, for others to compare against the computer. This information would include all the stuff that WGA maintains, as well as

  • the Computer name and description
  • the hardware and drivers for each hardware profile
  • the CPU model and serial number
  • the model and address of each device on the computer.

I'm sure there are other registry entries that can be used for this compatibility check. Any competent Computer Forensics Engineer will have done enough such analyses to know what else is there, what it all means, and how to get and validate the information.

This basic, preliminary sanity check was not mentioned in the "expert's" report. I can only think of two possibilities for its omission, but there might be others:

  • The expert was instructed to omit it, possibly because it is (or could be) exculpatory; or
  • The "expert" didn't bother to validate his analysis.

---
--Bill P, not a lawyer. Question the answers, especially if I give some.

[ Reply to This | # ]
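The on/off timeline asked for in the comment above, as an added Python example that is not part of the original post. It assumes the System event log has been exported as (timestamp, event ID) pairs, uses event 6005 (Event Log service started) as the boot marker and 6006 (Event Log service stopped) as the orderly-shutdown marker, and treats a session with no 6006 as ending at an unknown time; the sample records are constructed.

```python
from datetime import datetime

BOOT = 6005        # Event Log service started: written at every boot
CLEAN_STOP = 6006  # Event Log service stopped: written only on an orderly shutdown


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed records, not case data. Times are the computer's own clock.
SAMPLE_EVENTS = [
    (ts("2004-08-07 08:00"), BOOT),
    (ts("2004-08-07 09:30"), 7036),        # any other record: machine was up
    (ts("2004-08-07 11:00"), CLEAN_STOP),
    (ts("2004-08-08 18:00"), BOOT),
    (ts("2004-08-08 19:15"), 7036),        # last record before a power loss
    (ts("2004-08-10 07:00"), BOOT),        # next boot, no 6006 in between
    (ts("2004-08-10 07:45"), CLEAN_STOP),
]


def sessions(events):
    """Group records into power-on sessions.

    Each session is {"start", "last_seen", "end"}; "end" is None when the
    session has no orderly-shutdown record (power failure, crash, hard reset).
    """
    out, cur = [], None
    for when, event_id in sorted(events):
        if event_id == BOOT:
            if cur is not None:
                out.append(cur)            # previous session never logged 6006
            cur = {"start": when, "last_seen": when, "end": None}
        elif cur is not None:
            cur["last_seen"] = when
            if event_id == CLEAN_STOP:
                cur["end"] = when
                out.append(cur)
                cur = None
        # records before the first boot marker belong to a truncated session
    if cur is not None:
        out.append(cur)
    return out


def state_at(events, moment):
    """Return 'on', 'off' or 'unknown' for `moment` on the computer's clock."""
    sess = sessions(events)
    if not sess or moment < sess[0]["start"]:
        return "unknown"                   # before the log's coverage
    for i, s in enumerate(sess):
        if moment < s["start"]:
            break                          # gap after a clean shutdown
        if s["end"] is not None:
            if moment <= s["end"]:
                return "on"
            continue
        if moment <= s["last_seen"]:
            return "on"
        nxt = sess[i + 1]["start"] if i + 1 < len(sess) else None
        if nxt is None or moment < nxt:
            return "unknown"               # power was lost at some point in here
    return "off"


if __name__ == "__main__":
    for probe in ("2004-08-07 10:00", "2004-08-07 15:00", "2004-08-08 22:00"):
        print(probe, state_at(SAMPLE_EVENTS, ts(probe)))
```

An alleged time taken from an outside clock has to be converted to the computer's clock, using whatever offset the examination established, before it is passed to `state_at`.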

Ray did you see this?
Authored by: Anonymous on Friday, December 28 2007 @ 05:53 AM EST
The following was taken from the outreach portion of Dr. Doug Jacobson's web
site at vulcan.ee.iastate.edu/%7Edougj - December 28, 2007 at
approximately 2:51 AM PST.

I wonder what this actually means.

"ISU Cyber Crime Laboratory - Iowa Criminalistics Laboratory (ICL) recently
lost its computer forensics expert to private industry and, due to state budget
shortfalls and labor-pool deficits, does not expect to re-staff the position. As
a result, the ICL no longer accepts suspected evidence of computer crime
from Iowa's law enforcement agencies for analysis. Instead, ICL personnel
refer local law enforcement agencies to certified computer forensic
investigators. However, Iowa has few such experts. As a result, Iowa's rural
communities face the problem of finding qualified computer forensics
analysts to investigate local computer crime. Iowa State University's
Department of Public Safety (DPS), Information Assurance Center (IAC), and
Midwest Forensics Resource Center (MFRC) propose to coordinate their
existing resources to establish a computer crime investigation effort. The
participants include the DPS's computer crime investigator, senior faculty and
students from the IAC, researchers from the MFRC, and MFRC crime
laboratory partners. The effort will not only help law enforcement but will
provide a resource for business and industry if they experience a cyber
incident. For more information please contact Doug Jacobson"

[ Reply to This | # ]

Pick Your Brain Time - A Lawyer Requests Your Input - Updated
Authored by: Anonymous on Friday, December 28 2007 @ 08:31 AM EST
The declarations seem to point to an interesting conclusion.

There were very few user created files: of course there were! I seem to
remember a statement that the computer hadn't been used much by the defendant.
This seems to say that statement was true.

There were three user accounts he identified: So the theory of someone else
than the defendant accessing the computer is very likely!

The above statements make a scenario where someone else accessed the computer,
using a usb drive, to the pc very likely. If that is the case.....shouldn't the
riaa/media sentry show a lot more proof to conclusively show it was the
defendant that actually did the file sharing? If there were any files shared at
all!

The windows registry is known to become bloated when you install and uninstall
software. The reason is that windows almost never removes all entries for
software that was uninstalled. Even if kazaa was installed and uninstalled
using the usb drive as target it would still show up in the registry.

The picture being painted here is of a computer savvy user sharing files and
then deleting all evidence of ever doing so. Being clever enough to use a usb
drive, clean up the registry etc etc. The picture I get from the defendant is
that it is extremely unlikely that the defendant has that kind of knowledge.

The story now looks more like a conspiracy theory with wild accusations thrown
around for good measure.

The proof that seems to be there is pointing towards the defendant not having
shared a single file in her life from that pc and kazaa not ever having been
installed on her pc. Those are conclusive statements made by the expert. He
then says there must have been some deliberate foul play to hide evidence.
Occam's Razor would point to the only logical conclusion.... the defendant did
not share any files. The defendant never had kazaa installed on her pc....
period. The rest of the statements are elaborate tries to make non existent
evidence fit the "evidence" the expert was given by media sentry.

[ Reply to This | # ]

    Chain of evidence, MediaSentry
    Authored by: Anonymous on Friday, December 28 2007 @ 09:39 AM EST
    None of the documents mention custody and chain of evidence. Could the drives
    have been tampered with prior to the expert examination?

    Did the expert actually run the MediaSentry traces and exams? Or was he just
    looking at the output as screen shots? If that's the case, how does he know the
    info is accurate?

    Not a lot is said about the external hard drive. Is it alleged that the files
    were downloaded to that hard drive? Did someone copy them to another drive --
    the drive used by the expert for analysis?

    How was the material from the defendant obtained? What steps came next? Were the
    people performing those steps competent to perform them?

    Is there a disk image of the original hard drive from the PC available for
    analysis?

    You may have already thought of these questions. If you have any questions let
    me know emeryj (at) cfl.rr.com

    [ Reply to This | # ]

    Just because I seek closure....
    Authored by: Maxmars on Friday, December 28 2007 @ 10:42 AM EST
    If the defense stipulated the 'expert' witness is such;
    Then sadly, the time for challenging the witness' expert status may have
    passed, and his testimony will be entered into consideration. A point-by-point
    rebuttal is in order, and might really damage the plaintiff's case - assuming
    they have nothing else to go on.
    A series of questions posed to drive the expert to express or acknowledge
    the 'alternatives' which he chose to ignore in his analysis, may lead to an
    inevitable examination of the source of data. The defense must have some leeway
    here, since it is faced with the burden of proving a negative assertion.
    Remember, at the end of the day, this case was assembled by lawyers (no offense
    intended) who have a client to represent and the client's desire is the driving
    force behind the case. They are not interested in exculpatory information. This
    kind of litigation is about blame.

    But what if the defense has already attempted to seek analysis of the
    process and code used to 'acquire' its alleged incriminating data and been
    rebuffed?

    There is a class action in here, as it is clearly an abuse of the justice
    system, and most officers of the court know, beyond the theater of litigation, a
    strict blow by blow analysis of the plaintiff's methodology and process would
    prove someone had been taking advantage of laypersons' misconceptions. Think -
    'voting machines'. But if this course is closed, the plaintiff is protected and
    can make whatever allegations it wants, free from scrutiny or repercussion.

    There must be no settlement that does not completely exonerate the
    defendant. There must be no gag-order. The RIAA by means of the legal system
    is, by strict definition, engaging in 'Racketeering' and maybe even 'Extortion.'
    But it will never get to that point in the courts, because once this is proved
    they will simply disband and reorganize under a different umbrella.

    Also, with the tremendous influence wielded by the RIAA via its media
    connections, one can be certain that friendly adjudicators will be rewarded by
    positive media coverage.

    ALL OF YOU - please remember the media has no legal obligation to tell the truth
    - and most of the attention this case will get will be media driven. The RIAA
    works for the media concerns. It is no wonder the only place left with a
    modicum of freedom is the internet, the media's biggest competitor.

    [ Reply to This | # ]

    KaZaA/FastTrack - does it STUN?
    Authored by: Vic on Friday, December 28 2007 @ 11:31 AM EST
    Every response I read from Jacobson's deposition causes my gob to be that bit more smacked. This stuff really does need to be preserved as an object lesson in how not to do a forensic investigation...

    But anyway - I've come to the bit that could rend his entire testimony asunder: his assertion that the PC was connected directly to the Internet, without a router (wireless or otherwise). His argument is based on the inspection of a KaZaA packet:
    14 Q. How did you make that determination
    15 in this case? I'm not sure I follow that.
    16 You put in your declaration on
    17 December 19th "Based on how IP's are assigned, it is
    18 not difficult to determine whether a computer was
    19 connected to the internet via a wireless router.
    20 This computer was not." How did you determine that
    21 that computer was not connected to the internet via
    22 a wireless router?

    25 A. This computer had a public IP address
    2 that matched the IP address that was in the packet
    3 that was transmitted onto the internet from an entry
    4 point into the internet. And so, therefore, since
    5 the computer said it had the same address as the
    6 packet ...
    So he's basing his entire thesis on the fact that the packet *payload* had the external IP address of the system; he concludes that this means the computer had been assigned that external IP address, therefore there was no router.

    I'm not sure he's right.

    My SIP phone here, for example, transmits packets that contain my external IP address. By Jacobson's reasoning, that means I have no router - a suggestion that I will gladly rebut :-) I have a router. My phone uses a STUN server to determine the external IP address. That allows it to describe itself accurately to other SIP devices, meaning I actually get audio (kinda handy for a phone).

    Now FastTrack does various things to manage its network, including traceroutes to determine the most accessible supernode. It would amaze me if it doesn't do some sort of STUN-type transaction to get its external IP address - after all, the whole point of a peer-to-peer system is that you should communicate with peers, not central servers. Skype, which is based on KaZaA, most certainly *does* use a STUN-derivative.

    The upshot of this is that, if KaZaA uses STUN, it would be perfectly normal to find the external IP address of the system in the application payload - even when the KaZaA client is behind a NAT router.

    Does anyone know if it does? My searches so far haven't turned up anything definite.

    Vic.

    [ Reply to This | # ]
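As an added illustration of the STUN argument in the comment above (not part of the original post, and not a claim about what KaZaA/FastTrack actually does), this simplified simulation shows that a capture taken on the Internet side looks the same whether the host holds the public address itself or sits behind a NAT router and learned that address from a reflector. All class names, ports, message fields and addresses are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: tuple      # (ip, port) as carried in the IP/UDP header
    dst: tuple
    payload: dict   # application data; a NAT router does not rewrite this

class NatRouter:
    """Source NAT: rewrites header addresses only, never the payload."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.ports = {}            # (private_ip, port) -> public port
        self.next_port = 40000

    def outbound(self, pkt):
        if pkt.src not in self.ports:
            self.ports[pkt.src] = self.next_port
            self.next_port += 1
        return Packet((self.public_ip, self.ports[pkt.src]), pkt.dst, pkt.payload)

    def inbound(self, pkt):
        for inside, port in self.ports.items():
            if pkt.dst == (self.public_ip, port):
                return Packet(pkt.src, inside, pkt.payload)
        return None                # no mapping: the router drops the packet

def reflector(pkt):
    """STUN-like server: reports back the source address it observed."""
    return Packet(pkt.dst, pkt.src, {"mapped_ip": pkt.src[0]})

class Host:
    def __init__(self, local_ip, nat=None):
        self.local_ip, self.nat = local_ip, nat
        self.advertised_ip = local_ip   # what the application believes so far

    def _send(self, pkt):
        return self.nat.outbound(pkt) if self.nat else pkt

    def learn_external_ip(self, server):
        request = self._send(
            Packet((self.local_ip, 5000), server, {"type": "binding-request"}))
        reply = reflector(request)
        if self.nat:
            reply = self.nat.inbound(reply)
        self.advertised_ip = reply.payload["mapped_ip"]

    def announce(self, peer):
        # Hypothetical P2P message that embeds the sender's own address.
        return self._send(
            Packet((self.local_ip, 5000), peer, {"my_ip": self.advertised_ip}))

def observer_view(pkt):
    """What a monitor on the Internet side can read from one packet."""
    return {"header_src_ip": pkt.src[0],
            "payload_ip": pkt.payload["my_ip"],
            "match": pkt.src[0] == pkt.payload["my_ip"]}

PUBLIC_IP = "203.0.113.7"           # constructed (documentation range)
SERVER = ("198.51.100.1", 3478)     # constructed reflector address
PEER = ("198.51.100.50", 6000)      # constructed remote peer

def compare_topologies():
    hosts = {"direct": Host(PUBLIC_IP),
             "behind_nat": Host("192.168.1.20", NatRouter(PUBLIC_IP))}
    views = {}
    for name, host in hosts.items():
        host.learn_external_ip(SERVER)
        views[name] = observer_view(host.announce(PEER))
    return views

if __name__ == "__main__":
    for name, view in compare_topologies().items():
        print(name, view)
```

In both runs the header source and the payload address agree, so that agreement alone does not distinguish the two topologies in this model.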

    external hard drive
    Authored by: Anonymous on Friday, December 28 2007 @ 12:03 PM EST
    He refers to evidence of an external USB hard disk that was attached to the
    computer at some point in the past, and implies that this external hard drive
    may be where the alleged "sharing" folder was stored. This does not
    make sense. Even if the defendant had installed the Kazaa software and sharing
    folder onto the external hard drive, there would still be references to Kazaa in
    the registry, even if it had been uninstalled later, and the registry is on the
    hard disk that was examined, and this "expert" admitted that there were
    no remnants of evidence that Kazaa had ever been installed onto that computer.

    [ Reply to This | # ]

    Pick Your Brain Time - A Lawyer Requests Your Input - Updated
    Authored by: Anonymous on Friday, December 28 2007 @ 09:56 PM EST
    "22) The user Woody used Windows MediaPlayer to access songs and other
    files from a directory: (F:hDocuments and SettingsYanickMy
    Documentsdownloadyayahq) located on the external hard drive."

    The "Documents and Settings" directory is created by Windows to store
    user data and configuration. It can only reside in one place (one drive) for
    each PC. I assume that the internal HD had its own "Document and
    settings" folder, so the F: path came from a different Windows on a
    different computer. It could even have been a shared network disk, from a friend
    bringing a laptop over maybe?

    Is there a possibility to perform a counter-expertise to address the weird points
    raised and check the network statement?

    "16) I will testify that based on the MediaSentry data mentioned above and
    registry entries recovered from the computer that the computer had a public IP
    address and was not connected to the Internet via a wireless router."

    Windows does not retain a list of all IP addresses it has ever used so that
    makes it impossible to determine if that PC indeed had this IP address at that
    time. From there on, it is impossible to determine whether there was a router in
    the middle.
    Did the ISP provide the MAC address that was linked to the IP? That would be a
    critical piece of information.

    If somebody was over with a laptop and using Kazaa then would Ms Lindor be
    guilty by association since that person used her connection?

    [ Reply to This | # ]

    Pick Your Brain Time - A Lawyer Requests Your Input - Updated
    Authored by: davidf on Saturday, December 29 2007 @ 03:34 AM EST
    I'd be really interested in this graduate student he supervised in the
    development of the p2p monitoring system. Which system is it? Which operating
    system does it use? Can we depose this person?

    He claims so little detailed knowledge about Media Sentry, so how can he
    supervise a post graduate student in the creation of a similar system?

    Is the system in question, in fact, Media Sentry?

    That one of his students may have developed Media Sentry may be an insane idea,
    but it did cross my mind, given his connections to the RIAA etc. It would be
    worth asking about.

    Why was this not on his previous resume? In his position, it would be one of
    the first things I'd put on a list of jobs or projects I'd either worked on or
    supervised.

    May we see his research projects? If not, can we know why and for whom they were
    done?

    Which patents does he hold?

    Can he be more precise about the systems he's developed for Palisades? If he is
    the author/programmer, surely we can see the code he wrote. If not that code,
    Can you show us some sample code which demonstrates your abilities in the areas
    you have claimed?

    It sounds to me like he's blowing a whole lot of smoke, artificially created to
    cover the fact that there's no fire at all! He's all smoke and mirrors. It's
    rather like going into this HUGE retail music outlet and realising after you are
    inside that there's really not much more product than what's in the little
    Ma' & Pa' record shop in your home small town -- maybe even less!

    cheers, ... when the smoke clears (hah hah)
    davidf

    [ Reply to This | # ]

    Logs in text format please
    Authored by: Anonymous on Saturday, December 29 2007 @ 03:16 PM EST
    One of the greatest difficulties in technical analysis of this case is that all
    the logs are in almost unreadable (really messy) PDF format. Please please
    could someone find a way to deliver the original files to us in plain text.
    This would allow automated analysis and faster handling. Preferably not retyped
    OCR since errors in the typing would directly influence the ability to handle
    logs through automated tools.

    [ Reply to This | # ]

    CFCE 2 week basic computer course
    Authored by: Anonymous on Monday, December 31 2007 @ 01:13 AM EST
    http://www.cops.org/training
    Here is the organization from which this so-called expert is certified.

    Please do not look while I make smoke and mirrors. And pay no attention to
    that man behind the curtain,

    Pitiful

    [ Reply to This | # ]

    Pick Your Brain Time - A Lawyer Requests Your Input - Updated
    Authored by: Anonymous on Monday, December 31 2007 @ 07:39 PM EST
    For those of you that are interested here is the deposition of Jacobson by the
    Defense:

    http://www.ilrweb.com/viewILRPDF.asp?filename=umg_lindor_061226RBtoMagisReJacobson

    It's lovely to see all the questions we suggested in there. In particular I
    think you set him up to absolutely hammer him on the time issue when he's on the
    stand. Beautiful work actually of asking the question without tipping your hand
    too much.

    Now all you need is the counter expert that can get up there and take all his
    reports and deposition and make a fool of him for some of the answers he gave.
    His reliance and testimony about the MediaSentry data without any kind of
    verification is an absolute killer. He simply can't be a witness of value when
    he made NO effort to validate the information he was given. On top of that his
    assertion that there is some second computer when the computer he examined is
    the one that got the IP address (DHCP would assign a different address to a
    different MAC address request) and the computer showed NO evidence of Kazaa ever
    being installed. Top that with not checking to see if the computer was cracked,
    making no record of what information he reviewed and his spending only 15-45
    minutes doing "forensic" work for the RIAA in excess of 200 cases.

    [ Reply to This | # ]

    • Going Forward - Authored by: Anonymous on Wednesday, January 02 2008 @ 09:06 AM EST
    Current Internet History etc.
    Authored by: Anonymous on Thursday, January 03 2008 @ 09:50 PM EST
    (BitOBear here, I cannot log in from here for various reasons)

    1. Flawed definitions:

    RE: "Current Internet History" and "Internet Cache"
    What? Excuse me... WHAT?

    I would give this guy "Browser History" and "Browser Cache"
    if he'd used _those_ phrases, they'd still be overly vague, but I'd let them
    slide (as opposed to say some technically specific and particular thing like
    "Internet Explorer Cache" and "Internet Explorer Browser
    History" and similarly and separately "Firefox (whatever)"
    etcetera as actually encountered on the system in question).

    I point this out because, among other facts of interest, Internet Explorer isn't
    part of the file sharing application that was alleged to have been used to share
    files over "the internet". So using those exceedingly vague terms is
    sufficient to confuse or mislead, (accidentally or deliberately) any non
    technical party (like a judge or jury) about the significance of the material
    disclosed.

    Example: If I examine the trap on your kitchen sink and call it your Method of
    Disposal, and thus imply singularity of methodology, and then I start talking
    about your trash cans and storm gutters; if you didn't _already_ know the
    difference between a kitchen drain and a medical waste container, I could make a
    lot of assertions about the "encountered biological materials" that
    tar with an extremely wide brush.

    Contrapositively I could make statements about activities ("I found
    decomposing bits of avian flesh and evidence of feathers") to seemingly
    prove unfounded assertions ("so respondent is clearly in the habit of
    regularly slaughtering chickens").

    I (not being a lawyer) call this "The Magical Aggregation of
    Inferences". It is a common occurrence I run into professionally when
    non-technical persons not familiar with the significant distinctions of my craft
    use the apparent sameness of words to presume relationships, and therefore
    "facts" that are simply not in evidence. I lose a lot of time to
    management types who insist on diagnostic procedures they have invented based on
    how things sound alike.

    So any way, this computer doesn't have "an internet history" as it is
    only tangentially connected to the whole of the internet, and what you find in a
    browser cache or history is not indicative of deliberate, mindful action of any
    party, let alone "the owner of the computer" etc.

    Ever get an unwanted popup? That's in your browser cache and history _even_
    _if_ you never saw it, let alone asked for it. Does that make you a
    pornographer?

    If the peer-to-peer application interacted (for its own purposes) with the
    browser at all, there is no chain of _meaningful_ inference that can be drawn.
    The (p2p) program, and not the "owner" is doing the
    "browsing" at that point.

    Remember my first line above, the one about not logging in? The defense
    contractor that "owns" this computer I am typing this message on, has
    no knowledge of nor relationship to these words I type, despite their eventual
    insertion into "their" "internet cache" both here and on the
    proxy I know exists between this computer and the internet in general.

    RE: Media -- "The items that contain digital evidence,"

    Media contain, at most "digital sequences" (yes just
    "sequences", not even "patterns"), the fact that this guy is
    characterizing this stuff as "evidence" in such broad terms is
    laughable. I have plenty of media that isn't evidence of any darn thing at all.
    It's this guy's job to turn these sequences _INTO_ evidence by meeting a very
    difficult progressions that demonstrate how each _significant_ sequence came to
    exist as the _foreseeable_ result of some particular action in a particular
    context.

    This is the same thing criminal investigators have to consider when dealing with
    the "chain of evidence". You break the chain, it's not evidence any
    more, if it ever was in the first place.

    RE: Past/Removed Internet History -- Internet history on the computer that had
    to be recovered from unallocated (deleted) file space.

    No recovery technology I am aware of can demonstrate that a particular bit of
    digital sequence was _particularly_ EVER any part of the "internet
    history". For instance if you undelete a chunk of data that looks like a
    picture, you cannot say that that picture was from my browser cache or internet
    history. You can guess that it might be, but if someone were, say, running a
    peer-to-peer application and someone else were to publish a file that looked
    like a fraction of _their_ browser cache, and you deleted that file after
    receiving it, was it _your_ history or _theirs_? (etc)

    (2) DELETED FILES DO NOT EXIST. Deleting a file may leave file _FRAGMENTS_ of a
    file (etc) on the media. In recovery the actor makes a good-faith attempt to
    look at all the _fragments_ in an attempt to recreate a file. Anybody who has
    ever done this knows that it is a dodgy proposition at best. It's far easier to
    "un-shred" a document because the act of severing leaves matchable
    bits. But "fragments" are all the same size and a file may be any
    real number of fragments long. If the file is 1/8th a fragment long (yes,
    "fragment" is a term of art, which is why you "defragment"
    the files on your disk) or 36.28 fragments long... when you recreate it you have
    to guess what parts of any given fragment were actually part of a file.

    Now recovering a file isn't that dark an art, but it is being presented here as
    science, but it is truthfully far more guesswork than the text tries to make it
    appear.

    ====

    Seriously, reading this guy's presentation is like watching Matlock.

    He will testify that The owner of the computer had his resume on the computer he
    owned and appeared to be the administrator of same. (items 23 through 26)

    And I will testify that there is a mysterious missing USB hard drive (which is
    oh, so suspicious! Cue duhn-duhn-dun! music.)

    And seriously, you know how reliable "recovered memory" has proved to
    be over time. This is recovered computer memory.

    The fact that this other existent hard drive could be the source of ANYTHING
    found on the computer including "history like" or "copy
    like" recovered fragments.

    For instance, some friend brings over his _perfectly_ _legal_ space-shifted MP3s
    for a party (this actually happens) and the other person plugs in this drive and
    moves a play list, or points the player built into the peer-to-peer application
    at the directory and contaminates the entire computer. In terms of who knew
    what was being done to what files, the presence of a large rewritable media that
    has not been evaluated is a bit like finding a body, and a track where another
    body has been dragged off and thrown into the trunk of a late model car... and
    then saying "well, we have one body, so this scene must be a
    Suicide."

    ===

    This guy can truthfully testify that he saw a drive from a computer that was at
    some point co-joined to another drive and was frequently on the internet.

    That's about it. Every factor he adds, adds other actors and explanations for
    any digital sequences he might encounter. Think about it... At least one
    foreign drive connected at least once. Two other user names so presumably two
    other users. Software that interacts directly with the web browser. No
    provision for exclusivity of access nor limited means of access. No way to say
    _who_ copied any given file into a share directory, nor why, nor when, nor from
    whence.

    This is evidence for the respondent. Seriously. This guy "will
    testify" that there is NO POSSIBLE chain of accountability, intent, or
    evidence that can be drawn from the presented material. He "will
    testify" that just about anybody could have put any of this stuff on there,
    but Woody clearly worked for Long John Silver's, which means he must be guilty
    of _something_... 8-)

    (1/2 Joke: Somebody better go get those poor mis-convicted
    "child-pornographers" from item 9 out of jail. Clearly they were
    convicted based on Doug's down-home charm, senatorial voice, and spotless white
    suit.)

    [ Reply to This | # ]
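As an added illustration of the point about fixed-size fragments in the comment above (not part of the original post), this toy volume shows why bytes carved from unallocated space cannot by themselves be attributed to one file: once the directory entry is gone, a reused cluster holds the start of a later file followed by leftovers of an earlier one, with no record of where either ends. The 16-byte cluster size, the class and the file contents are constructed for the example and do not model any particular file system.

```python
CLUSTER = 16  # bytes per cluster; tiny on purpose (real volumes use e.g. 4096)

class ToyVolume:
    """Constructed model: fixed-size clusters plus a directory of metadata."""
    def __init__(self, clusters):
        self.data = bytearray(CLUSTER * clusters)
        self.files = {}                    # name -> (cluster chain, byte length)
        self.free = list(range(clusters))

    def write(self, name, content):
        need = max(1, -(-len(content) // CLUSTER))     # ceiling division
        chain = [self.free.pop(0) for _ in range(need)]
        for i, cluster in enumerate(chain):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            start = cluster * CLUSTER
            # Only len(chunk) bytes are overwritten; the rest of the cluster
            # keeps whatever an earlier file left there (slack space).
            self.data[start:start + len(chunk)] = chunk
        self.files[name] = (chain, len(content))

    def delete(self, name):
        # Deleting drops the metadata (chain and length); the bytes stay put.
        chain, _length = self.files.pop(name)
        self.free = sorted(self.free + chain)

    def unallocated(self):
        """Raw contents of every free cluster, as a carving tool would see them."""
        return {c: bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])
                for c in self.free}

OLD = b"visited: example.test/page-one"   # constructed 30-byte "history" record
NEW = b"SONG."                            # constructed 5-byte later file

def scenario():
    vol = ToyVolume(clusters=4)
    vol.write("history.dat", OLD)   # occupies clusters 0 and 1
    vol.delete("history.dat")
    vol.write("track.tmp", NEW)     # reuses cluster 0, overwrites 5 bytes
    vol.delete("track.tmp")
    return vol.unallocated(), vol.files

if __name__ == "__main__":
    clusters, directory = scenario()
    print("directory entries left:", directory)
    for number, raw in clusters.items():
        print(number, raw)
```

Cluster 0 comes back as one 16-byte block mixing both files; deciding which bytes belonged to which file, and how long each file was, is left to the examiner's judgement.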

    • Iowa State - Authored by: Anonymous on Friday, January 04 2008 @ 02:29 PM EST
    Groklaw © Copyright 2003-2013 Pamela Jones.
    All trademarks and copyrights on this page are owned by their respective owners.
    Comments are owned by the individual posters.

    PJ's articles are licensed under a Creative Commons License. ( Details )