Q. Mr Examiner, you have in front of you a copy of your summary report dated March 27th, 2008. Is that correct?
A. Yes.
Q. Mr Examiner, is this the report you wrote regarding your investigation of the computer?
A. Yes it is.
Q. Mr Examiner, referring to your report, you state that this is the summary report of the procedures and findings of the computer investigation you did. Is that correct?
A. Yes it is.
Q. Mr Examiner, the word “summary” implies that there is a detailed report to support the summary. Did you do a detailed report?
A. No.
Q. (If he answers No:) So you did not write a detailed report of the steps taken during your investigation?
A. No.
Q. And you did not write a detailed report to support your summary report?
A. No.
Q. Mr Examiner, if you did not write a detailed report, how did you manage to write a summary report?
A. (No way to anticipate the answer.)
Q. Mr Examiner, in your summary report you state that on March 21st of 2008 that you; and I quote: “Received a computer laptop for investigation.” Is that accurate according to the document you have in front of you?
A. Yes it is.
Q. Mr Examiner, can you describe for the court the methods you used to receive the laptop?
A. At this point he should be able to articulate his method for beginning the chain of custody. If he cannot, then question him about chain of custody specifically:
Q. Mr Examiner, are you familiar with the phrase, “chain of custody?”
A. Yes.
Q. Mr Examiner, can you describe for the court what chain of custody is?
A. (Correct Answer): Chain of custody is a process for ensuring that evidence is properly identified, collected, and protected from any changes from the first contact with the evidence and continuing through the end of litigation.
Q. Mr Examiner, referring to your summary, you state that at 11:13 AM you: “Removed hard drive from laptop and began imaging.” Is that a correct reading of your summary?
A. Yes.
Q. And your summary then states: “Disk Imaging process began.” Is that correct?
A. Yes.
Q. Mr Examiner, can you describe for the court the steps you took to protect the original hard drive from my client’s computer prior to and during this disk imaging process?
A. He should describe here how he performed this in a forensically sound manner. If he is not specific about how he protected the hard drive, then ask him:
Q. Mr Examiner, did you use any special tools or equipment to protect the hard drive from any possible changes before and during the disk imaging process?
A. If Yes, have him describe them.
Q. Mr Examiner, can you describe for the court exactly how you went about protecting the evidence on the hard drive?
A. If No, attack his methods.
Q. Mr Examiner, are you telling this court that you did not take any precautions of any kind to protect the evidence provided to you by my client?
Q. Mr Examiner, do you have any idea of how to conduct a forensically sound examination of a computer?
Q. (If Yes:) Mr Examiner, if you know how to conduct a forensically sound examination of a computer, why didn’t you?
A. If No, attack his expertise.
Q. Mr Examiner, you have presented yourself here today as an expert in computer forensics. But now you are telling this court that you really have no idea about computer forensics. Is that a correct assessment?
A. Yes.
Q. Mr Examiner, did you take any steps to validate the disk image you made from the hard drive?
A. He should say here that the tool he used created a verification hash value for the hard drive. If not, then ask about hash values.
Q. Mr Examiner, are you familiar with the term hash value?
A. Yes.
Q. Mr Examiner, specifically in the realm of computer forensics, can you explain for the court what a hash value is?
A. (Correct Answer): A hash value is the output of a mathematical operation, called a hash function, run over the entire contents of a hard drive or a file. For practical purposes the value is unique to those contents, so it acts as a fingerprint: the contents can later be shown to be unchanged by recomputing the hash over the original evidence and comparing it with the value recorded at the time of imaging. This is the accepted method in computer forensics for verifying that evidence has not been changed in some way.
Q. Mr Examiner, did the tools you used to create the image of the hard drive from my client’s laptop computer compute this hash value?
A. No, it did not.
Q. Mr Examiner in your report, you state that at 2:46 PM: “Started data recovery process on disk image.” Is that correct?
A. Yes.
Q. Mr Examiner, what is data recovery?
A. (Correct Answer): Data recovery is the process of locating and rebuilding files that have been deleted on a computer hard drive.
Q. Mr Examiner, can you tell the court what software you used to perform this data recovery?
A. (Not in his report)
Q. Mr Examiner, have you received any training for this particular data recovery software?
A. (Not in his report or CV)
Q. Mr Examiner, can you explain for the court what happens when someone deletes a file on a computer?
A. (Correct Answer): When the user “deletes” a file from Windows Explorer, the operating system moves the file into the Recycle Bin. The file’s contents stay where they are on the disk, and the space they occupy remains allocated so that nothing can overwrite it, in case the user changes their mind and restores the file from the Recycle Bin. (A file deleted with Shift+Delete, from a command prompt, or by a program bypasses the Recycle Bin and goes straight to the state described next.)
Q. What happens when the user empties the Recycle Bin on their computer?
A. (Correct Answer): Initially, when a file is deleted it goes into the Recycle Bin. When the computer user empties the Recycle Bin, the operating system, in this case Windows, simply stops keeping track of the file, since the user has indicated that they no longer care about it. The file’s contents are not erased; only the file system’s record of where the file is stored is marked as no longer in use. In effect, the operating system “releases” the space used by the deleted file so that it can reuse that space for new files when the space is needed.
Q. Mr Examiner, is there a name for the space you are talking about when you refer to files that have been removed from the Recycle Bin?
A. (Correct Answer): Yes, this area is called “free space,” or the correct term is “unallocated space.”
Q. Mr Examiner, can you explain for the court how files are recovered by the software you used?
A. (Correct Answer): Data recovery software uses three methods for recovering files.
The first method is the equivalent of just looking in the Recycle Bin and restoring the file from there. This will result in the entire file being recovered.
The second method involves “reading” the file table that the file system maintains (the File Allocation Table on a FAT-formatted drive, or the Master File Table on an NTFS drive). The deleted file’s entry usually still exists and tells the recovery software where at least the first piece of the file is stored. On a FAT drive the software then follows a chain in which the table entry for each piece points to the next piece; on NTFS the file’s record lists the runs of clusters the file occupied. Because some of those pieces may already have been reused for new files, this method may get some or all of the file.
The third method uses file signatures to recover files from unallocated space. This method will result in many files that cannot be opened.
Q. Mr Examiner, can you explain to the court what a file signature is and how it is used to recover a file from this unallocated space?
A. (Correct Answer): Nearly every kind of file has something called a header and sometimes a footer as well. A file header is in the first little bit of the file and describes what kind of file it is. The footer is at the end of the file itself and tells the software where the end of the file is.
For example, a Microsoft Word document has a specific header that tells the recovery software what kind of file it is. When the recovery software sees the header for a Microsoft Word document, it will then attempt to recover that document beginning at the point where it finds the header. However, this method only knows about the very first part of the file that contains the header information. From that point the software grabs everything until it either locates a footer for that file or finds a new header for a different file.
This method has to assume that all of the file pieces are next to each other on the hard drive. If all of the pieces of the file are together on the hard drive, the file can be recovered and can probably be opened. However, if all of the pieces are not together on the hard drive, the recovery software will still attempt to recover the file. This results in a lot of files that cannot be opened.
Q. Mr Examiner, did you at any time during your investigation operate or use my client’s computer after you made the disk image? (This is a reference to the notes of the witness who observed the examination.)
A. Yes.
Q. Mr Examiner, are you aware that by doing so you altered and destroyed some of the original evidence?
A. He might say here that he asked the client for permission. If he does, then ask:
Q. Mr Examiner, is my client a computer forensic expert?
A. Not that I am aware of.
Q. Did you inform my client that by operating his computer you would be altering and destroying evidence contained on his hard drive?
A. No.
Q. Mr Examiner, in your summary you stated that on March 22, at 11:11 AM, you identified that the program “File Wiper” was used on the subject hard drive on January 27, 2008 at 3:03 PM. Is that an accurate reading?
A. Yes.
Q. Mr Examiner, are you certain about the date and time that you show in your report as being accurate?
A. Yes I am.
Q. Mr Examiner, can you tell the court what time zone you are referring to for the time to be 3:03 PM?
A. (Correct Answer): GMT.
Q. Mr Examiner, if the time you show in your report is GMT, what time would it have been in my client’s computer’s local time zone on that date?
A. (Correct Answer): 10:03 AM Eastern Standard Time. Daylight saving time was not in effect on January 27, 2008, so the Eastern time zone was five hours behind GMT on that date. Applying the four-hour Eastern Daylight Time offset that is in effect at the time of this testimony would give 11:03 AM, which is wrong for that date.
Q. Mr Examiner, you stated that the program “File Wiper” was used on the subject hard drive. Is that an accurate reading of your report?
A. Yes.
Q. Mr Examiner, how do you know that the program was used on the subject hard drive on that date and time?
A. Here he will probably say that was the last accessed time, which would indicate the last time the program was run.
Q. Mr Examiner, I don’t see anything in your report that shows where that date and time came from. Is it in here and I just cannot see it?
A. This information is not in the report.
Q. Mr Examiner, is there some other report that contains this information? (If so, where is it?)
A. No.
Q. Mr Examiner, can you tell the court exactly where you obtained the date and time that you indicate is the last time the File Wiper program was run?
A. He should say that he got this from the thumbs.db file in the File Wiper folder.
If Yes then:
Q. Mr Examiner, is this thumbs.db file you are referring to part of the File Wiper program?
A. (Correct Answer): No it is not.
Q. Mr Examiner, can you explain for the court what a thumbs.db file is?
A. (Correct Answer): The thumbs.db file is a file that the Windows operating system creates automatically in a folder to cache small preview images (thumbnails) of the pictures and documents in that folder. It is created and maintained by Windows Explorer, not by the program whose folder it happens to be in.
Q. Mr Examiner, can you explain to the court how and when the dates and times get updated for a thumbs.db file?
A. (Correct Answer): The dates and times on a thumbs.db file are updated when Windows Explorer rewrites it, which happens when the folder is viewed in a thumbnail view and the files in that folder have been added, changed, or deleted in some way. Those timestamps record Explorer’s activity in the folder, not when a program in the folder was run.
Q. Mr Examiner, would deleting a file in that folder be a change to that file?
A. Yes.
Q. Mr Examiner, would the thumbs.db file be updated when the files in the folder are deleted?
A. (Correct Answer): Yes.
Q. Mr Examiner, can you explain for the court what the program “File Wiper” does?
A. (Correct Answer): It permanently destroys data on a computer hard drive.
Q. Mr Examiner, can you explain for the court how this program accomplishes the permanent destruction of data on a computer hard drive?
A. (Correct Answer): The software writes over the file’s contents with new data, usually a pattern of ones, zeroes, or random bytes, and often more than once. Once the original data has been overwritten in this manner, it cannot be recovered.
Q. Mr Examiner, on the second page of your report you have a paragraph title “Findings.” Is that correct?
A. Yes.
Q. And in that paragraph you have two sentences. Is that correct?
A. Yes.
Q. In the first sentence you state and I quote, “File Wiper” is software that is designed to permanently destroy data from computers. Is that an accurate reading of your statement?
A. Yes.
Q. Mr Examiner, in the second line of the paragraph you have labeled as Findings in your report, you state, and I quote, “Because this software was being used on the hard drive, many of the files recovered were unreadable.” Is that an accurate reading of your statement?
A. Yes.
Q. Mr Examiner, if, as you indicate in your findings, File Wiper permanently destroys data, how is it possible that the files recovered were unreadable?
A. (Correct Answer): It is not possible.
Q. Mr Examiner, if, as you state, the File Wiper program was run on January 27th of 2008, how is it possible that any files were recovered that existed prior to that date?
A. (Correct Answer): It is not possible.
Q. Mr Examiner, you are telling this court that this File Wiper program was run on a particular date and time. Is that correct?
A. Yes.
Q. Mr Examiner, is there any kind of evidence to back up your statement in your report?
A. Not directly.
Q. You mean not at all, don’t you?
A. Yes.
Q. So you offer your opinion based on your report, but offer no evidence of any kind to support your statement?
A. Yes.
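A worked illustration of the header-and-footer carving the examiner describes in the data recovery answers above, and of why fragmented files come back as files that cannot be opened. This is an added example, not code from the page and not File Wiper or any real recovery tool: the DOC!/!END signatures, the length field, the payloads and the “unallocated space” it scans are all constructed for the demonstration.

```python
"""Signature-based file carving, as described in the examiner's answers above.

Added illustration, not the page's own code and not any real forensic tool.
The file format, its header and footer signatures, and the "unallocated
space" below are constructed so the example runs offline.
"""
import struct

HEADER = b"DOC!"  # constructed header signature (a real carver would use e.g. JPEG's FF D8 FF)
FOOTER = b"!END"  # constructed footer signature

# Constructed payloads; none of them contain the header or footer bytes.
INTACT_PAYLOAD = b"contiguous document: all clusters in one run"
FRAG_JUNK_PAYLOAD = b"document split in two with zero-filled clusters in between"
FRAG_FILE_PAYLOAD = b"document split in two with another file in between"
OTHER_PAYLOAD = b"an unrelated, contiguous file"


def make_file(payload: bytes) -> bytes:
    """Build one constructed file: header, 4-byte length, payload, footer.
    The length field is only used by opens_cleanly(); the carver never reads it."""
    return HEADER + struct.pack(">I", len(payload)) + payload + FOOTER


def build_disk() -> bytes:
    """Lay out constructed unallocated space with contiguous and fragmented files."""
    intact = make_file(INTACT_PAYLOAD)
    frag_junk = make_file(FRAG_JUNK_PAYLOAD)
    frag_file = make_file(FRAG_FILE_PAYLOAD)
    other = make_file(OTHER_PAYLOAD)
    gap = b"\x00" * 16  # zero-filled clusters separating fragments
    a, b = len(frag_junk) // 2, len(frag_file) // 2
    return (
        b"\xff" * 8                                    # leading slack
        + intact + gap
        + frag_junk[:a] + gap + frag_junk[a:] + gap    # two pieces, gap between them
        + frag_file[:b] + other + frag_file[b:] + gap  # two pieces, another file between them
    )


def carve(unallocated: bytes) -> list[bytes]:
    """Header/footer carving exactly as the testimony describes it: start at each
    header and take everything up to that file type's footer, or stop early if
    another header is found first. It assumes the file's pieces are contiguous."""
    carved = []
    pos = unallocated.find(HEADER)
    while pos != -1:
        next_header = unallocated.find(HEADER, pos + len(HEADER))
        footer = unallocated.find(FOOTER, pos + len(HEADER))
        if footer != -1 and (next_header == -1 or footer < next_header):
            end = footer + len(FOOTER)   # footer found before any other file started
        elif next_header != -1:
            end = next_header            # ran into another file: recovery is truncated
        else:
            end = len(unallocated)       # no footer at all: take the rest of the space
        carved.append(unallocated[pos:end])
        pos = next_header
    return carved


def opens_cleanly(blob: bytes) -> bool:
    """What a viewer application effectively checks: correct framing and a body
    whose size matches the length recorded in the header."""
    min_len = len(HEADER) + 4 + len(FOOTER)
    if len(blob) < min_len or not blob.startswith(HEADER) or not blob.endswith(FOOTER):
        return False
    declared = struct.unpack(">I", blob[len(HEADER):len(HEADER) + 4])[0]
    return len(blob) == min_len + declared


def recovery_report(unallocated: bytes) -> list[tuple[int, bool]]:
    """(carved size, opens?) for each carved file, in disk order."""
    return [(len(f), opens_cleanly(f)) for f in carve(unallocated)]


if __name__ == "__main__":
    for size, ok in recovery_report(build_disk()):
        print(f"carved {size:3d} bytes -> {'opens' if ok else 'cannot be opened'}")
```

Running it carves four items: the two contiguous files come back intact, the file whose halves are separated by zero-filled clusters comes back with the foreign bytes inside it and fails the viewer’s size check, and the file interrupted by another file is cut off at that file’s header, with its second half never recovered at all because no header points to it. That is the mechanism behind “many of the files recovered were unreadable”: the carver has no file system information and can only assume the pieces were next to each other.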