FTP PROTOCOL

A.K.A. "IF THE LOG FILES DON'T FIT YOU MUST ACQUIT!"


FACT

"CREATED" IS NOT "TRANSMITTED." "DOWNLOADED" IS NOT "CREATED."

 

"ONLY ONE TRIBUNAL EVER ADOPTED A PRACTICE OF FORCING COUNSEL UPON AN UNWILLING DEFENDANT IN A CRIMINAL PROCEEDING. THE TRIBUNAL WAS THE STAR CHAMBER." U.S. v FARETTA, 422 US 806 (1975)

OUTSIDE IT'S AMERICA.

WHAT WOULD BE THE CAPACITY OF LAW ENFORCEMENT AND OF THE COURTS TO SUPPRESS THIS KIND OF SPEECH?" --Judge A. Howard Matz, PRE-TRIAL OF KILLERCOP

SIEBERT

SIEBERT, William


Q And in addition to LA1, did you make any other copies of hard drives for the outside forensic expert?

A I don't remember right off the top of my head.

Q What about the removable media? Did you copy that?

A Yes. I created image files of the media that the case agent had determined was significant.

Q All of the copies -- excuse me, all of the pieces of removable media were not copied?

A Right.

Q Do you know what was done with the originals that were not copied?

A As far as I know, it was returned to the defense (by you).

Q After you made the copy of the hard drive and the copy of the removable media for the outside expert, what did you do with those copies?

A Well, I took the other copies that were prepared, with the help of John Medeiros and Don Schmidt, packaged them up and mailed them off to Mr. Siebert with Guidance Software.

MS. DUARTE: The government calls William Siebert to the stand, Your Honor.

WILLIAM SIEBERT, GOVERNMENT'S WITNESS, SWORN

 

THE CLERK: Please state your full name and spell your last name for the record.

THE WITNESS: My full name is William Charles Siebert, S-i-e-b-e-r-t.

THE COURT: You may proceed.

DIRECT EXAMINATION BY MS. DUARTE:

Q Good afternoon, Mr. Siebert.

A Good afternoon.

Q Where do you work?

A I currently work at Guidance Software.

Q As a computer forensics consultant, what is it that you do?

A As a computer forensics consultant, I am asked to image, make copies of computer forensic media, analyze that media, and provide an opinion as to what the contents are or whether or not there is evidence on that media.

Q So did you do computer forensic examinations actually on behalf of or for the Customs Service?

A Yes. I did all of the computer forensic examinations for the Los Angeles Office of Investigations, predominantly from 1983 until my departure in December of 2000.

Q Have you also taught as well as just done public speaking on those topics?

A Yes. I have taught a great number of law enforcement personnel around the world.

Q What training have you, rather than given, specifically received in this area?

A I've been through the federal law enforcement training center's four-week basic evidence recovery training, and I've been through the two-week advanced evidence recovery network training class.

Q Who hired you?

A I was hired by the United States Attorney's Office.

Q Do you charge?

A Yes, I do.

Q How much?

A In this instance, $225 an hour.

Q What were you asked to do?

A My initial request was to make a determination as to whether or not there were Webpages that were created on some computer media.

Q So that's a total of seven?

A Yes.

Q So you received seven hard drives to analyze?

A Yes.

Q And what did you do? What's the first thing that you did of significance with the hard drives when you received them?

A The very first thing, the most very important step in a computer forensic examination, is you make a copy of the hard drive, that is, a copy of the hard drive from the very first sector, the very first starting point, of the hard drive, to the very end of the hard drive. It's not a file copy. It is what I'd like to refer to as an "evidentiary copy" of the drive. That way you are getting the allocated files, the deleted files, and all of the unallocated space on the drive.

Q That process that you described, using EnCase to copy the drive, did you do that for all seven drives that you received?

A Yes. All seven drives were -- well, actually, the six drives were done. The removable media drive, those "dd" images, which were made with Linux, were added straight to the EnCase software.

Q Is there a reason for that?

A There was -- each -- the removable media was the Zip disks, I believe the CDs and the floppies. And the easiest way to handle it was just to add it all in, individually, as images.

Q After you captured these drives, these seven drives, with EnCase, did you examine them for any particular category of item?

A Yes. In providing an opinion, I figured there was four ways to attack the drive, and --

Q By "attack" the drive, you mean "approach" the drive.

A Approach the drive and the amount of media there were. The very first thing that I was asked to do was to provide an opinion as to whether or not the Webpages were created on those machines.

Q If we could go ahead and click on the link "Threats" here.
Scroll down on the main body that's being displayed.
We see a "Joe Shmoe threat" correct?

A Yes.

CROSS-EXAMINATION

Q Good afternoon, Mr. Siebert. How are you doing today?

A Not too bad.

Q You are in the IT business -- Information Technology?

A Yeah.

Q I have a few IT questions for you, then. Now, you talked about, earlier, how deleted doesn't mean deleted. Do you remember that?

A Correct.

Q Okay. Now, I'm going to direct your attention back to the word "Threats." (Playing audio.) Do you recognize that "Ren & Stimpy" sound effect there?

A I would not know where it came from, but now that you mention it, yes, it does sound like "Ren & Stimpy."

REDIRECT

BY MS. DUARTE:
Q Mr. Siebert, the files that you found on the seized media and that we've looked at in the exhibits, in your opinion, could those be the product of random Internet browsing?

A No.

Q And how is that?

A They are in a format that is -- they are in a format that they can be loaded -- the Webpages can be loaded when Internet -- when you have the caching, as Killercop talked about, that goes into a particular folder and all of the contents go into a particular -- one particular folder. They don't go into a structure such as Killercop had on the Webpage.

Q So the area in which they were located would indicate to you, in your expert opinion, that those were not product of -- those were not contained in the cache?

A No, they were not -- they were not the product of visiting the site on the Internet.

Q In your opinion, were they the product of visiting a site, perhaps making a download or two, and then backing up that data?

A It is possible that that is the product of downloading a Webpage or actually creating it on his machine and uploading it back to the Internet.

--Snip-- [Oppppps!]

Q In your examination of the seized media, were you able to form an opinion on who created -- I should say, on whether the website evilgx.com was created on the computer that you were examining?

A Yes. I would most definitely say that the "evilgx.com" Webpages were built on the hardware seized from Killercop.

MS. DUARTE: Nothing further, Your Honor.

THE COURT: Okay. Anything further?

KILLERCOP: Yes, Your Honor, just one question.

RECROSS-EXAMINATION

Q Of these pages you talked about that were created -- on "evilgx" that were created on this computer, can you tell with 100 percent accuracy whether all of those pages were created by the defendant?

A No, I cannot. Since I did not witness you sitting at the computer, I cannot state that you, in fact, were at the computer and created those.


Q Of the edited versions, anybody with access to that computer could have edited any pages; right?

A That is correct.

Q And if those pages were downloaded to somebody else who had FTP access to that website, they could tinker with the page, too, couldn't they?

A Yes. They could alter the Webpages that were up on the Internet.

Q Right. Say, if I did a download or backup of that website and somebody had altered a page, it goes onto my computer, too; right?

A Yes. If you had downloaded the Webpage, then you would have a copy of that on your machine.

Q Can you tell, in your opinion, with 100 percent accuracy, when each of those pages was created?

A I can look at the file dates and time and form an opinion as to the time period that the Webpages were created, but to actually give an exact opinion as to the exact moment in time, it would be extremely difficult.

Q Can you tell, through your analysis, where physically the defendant or anybody was when that page, or any of those pages, was transmitted on the website?

A No, I can't tell you where the computer was physically located when the Webpages were created and transmitted to the Internet.

KILLERCOP: Nothing further.

 


Copyright 1997-2022

All Rights Reserved.