4/28/11
Defense offer of proof
Defense attorneys question computer forensics expert Giovanni Masucci outside the presence of the jury for the purpose of appeal, if Brad Cooper is found guilty. Masucci has not been allowed to testify in the case.
PART 1
Giovanni Masucci (digital forensic examiner - 9 years experience)
-started own digital forensics company in 2002
-uses 50+ different digital forensics tools
-performed over 500+ forensic examinations (machines)
-also certified in cellphone forensics, GPS forensics, smart phones, went to Federal LE school for cyberterrorism.
-started National Digital Forensics in 2008.
-has been an expert for both prosecution, state, and civil cases in NC - Superior and district court, qualified in computer forensics for each instance.
-serves on Charlotte's Secret Service task force (cyber)
-serves on various national and regional cyber forensics organizations (STCIA, Infoguard, Digital Forensics Association).
-Tendered and accepted as expert in digital forensics
HK: Mr. Masucci, have you had the opportunity to review the data from Mr. Cooper's IBM thinkpad computer?
GM: I have
HK: ...and have you had an opportunity to read through the FBI's report as well as law enforcement reports detailing the means by which the evidence was collected?
GM: yes
HK: do you have...in doing so have you formed any opinions in respect to the protocols that were or were not followed during the collection of that evidence?
GM: I do, and that's one of the reasons why I am here as a computer forensic examiner, and one of my big things is when I do teaching - train law enforcement and government agencies, and corporate personnel, attorneys and judges and so on...is protocol. It's very important that you're dotting your i's and crossing your t's, starting with chain of custody, and that you follow it so you don't have any issues of spoliation - or anything that can come back, but you need to address it. I did see some issues early on.
HK: When you say 'spoliation' what exactly do you mean in computers?
GM: If I'm involved in an examination - or any digital forensics or computer forensics exam which is one and the same...if we notice after the fact that it was taken into custody, that if files are altered - to us that's suspicion of spoliation. Anything that you work on, you should have a write-protect. Now there are instances, if when we are doing a server, because that is volatile data - we can't shut down a company, we can go in and document what we're doing...as long as we have documentation, it's acceptable that we will be accessing a live server.
HK: in this particular case, how was the IBM collected, and how should it have been collected?
GM: It is my understanding that the computer was left on. I kind of cringed when I heard that, because typically if there's RAM data on there, because a computer is left running, before they collect that they should use a forensic tool to collect RAM data and then shut the computer down, but there's a full process before we even get to that point: documenting exactly and taking digital photographs of the scene, taking digital photographs of the computer itself, logging and documenting serial number, model number, the type of computer it is. You are not going to get access to that hard drive right there and then. You take it back to the lab and do the same thing, follow processes: log it in, document the hard drive, take pictures of the hard drive. In our lab, part of the protocol - and pretty much standard protocol is that you have to document everything - from the time you get it, to the time you log it in and secure it. This computer, the IBM Thinkpad of BC was left on. That's an issue, because my understanding was that it was still connected to a VPN, it was connected to a wireless network as well, so anyone can gain access to that computer. Now you will have things that can be changing, files that will change, there could be updates - I know BC was connected to the Cisco network. There could be updates through the Cisco network. I saw file changes, I mean I saw numerous file changes, just based on the reports I read there were several hundred files that were changed. To me, again that's spoliation to a forensic examiner.
HK: Now when you talk about the reports that you read, are you in part referring to the FBI's own databases of files that included timestamps?
GM: Yes
HK: Do you recall how many files the FBI's own access database reflects as having been changed after it was out of BC custody?
GM: I don't have that in front of me but I believe it was 674 or 694. Somewhere around there.
HK: 692 ring a bell?
GM: that could be it.
HK: Why is it that file changes like that are problematic with computers?
GM: Things will be altered. Once it's in custody - say I'm getting a computer in, and I'm doing a forensic examination on it, I have to make sure nothing is disturbed on it - so I'm going to take a forensic image of that internal hard drive. From there, I'm going to make two copies. One's going to go in our vault for safekeeping, in case something happens to that first copy we made. The original is going to be stored, unless we need to utilize that, but typically we don't, only in rare circumstances. We work off the forensic image to do the analysis, and we take hashes off both of those images.
HK: Can you briefly explain what that means: "taking hashes"?
GM: A hash validates that when I first do a forensic image, and I've used EnCase to get the first hash as when I first received the data to look at to know what I would be talking about, we'll take an initial hash saying okay this is the image, and when we go about acquiring the image we'll take another hash. Those two better match. If they don't - that means I did something wrong, and I've altered some data. If you alter data, you created spoliation. Then we'll take another hash at the end, and we'll correlate that to make sure all the hashes match. Typically we do an MD5, and then we do a SHA.
HK: And those are just two different types of hash techniques?
GM: Yes, the MD5 is a typical one, the second one is a 256-bit hash.
HK: Now I believe the prosecution and the FBI have asserted that many of the files that were altered after Mr. Cooper had left the house were related to a Microsoft update. Were you able to determine if there was any update?
GM: I saw access through the VPN where Cisco was communicating with that laptop. That in and of itself is an issue, because files were getting changed when they shouldn't have - that laptop should have been off. I did not see an actual update as far as Microsoft to the operating system.
HK: The files that did download that said update, were they actually appropriate for that system? Or were they mismatched?
GM: It was more like...when you have a VPN tunnel, and files can get updated - updating the system of the VPN network itself. If there were any updates to the program of the VPN tunnel, that was getting updated. That was just part of it, but then there were other files that were accessed and deleted...which was alarming to me. When I see deleted files after the fact - that's another problem.
HK: You've taken a look at the FTK - or parts of the FTK report that you were provided that originated with the FBI?
GM: yes
HK: and in that FTK report did it say how many files were actually on the computer when it was imaged?
GM: the FBI report had over 800,000 files listed on the FTK report
HK: now they also provided an access database that had a number of files in it, how many files were in the access database?
GM: I believe it was under 200,000...which didn't make sense to me.
HK: Why doesn't that make sense to you?
GM: Well, if the access database was supposed to do the file listing like you can do with FTK, they should have listed all the files in there.
HK: You would have expected-
GM: I would have expected to see the files database showing all the files, or at least an HTML that you can click on to make an HTML listing of every file that's on that computer.
HK: And how many files were in the Master File Table?
GM: On the...I don't have that, couldn't tell you right off hand...
HK: Was it 800,000?
GM: It would be exactly what was on the computer according to the FBI report.
HK: When those numbers don't add up, what is your thought process at that point as to what the potential causes are?
GM: It leads me to a little bit of suspicion. What happens is that anytime we see any kind of deviation or any kind of issue with a computer - we're going to look further and investigate what may have caused that. We're going to look at the whole parameters of what the case is, what we're looking at if there was chain of custody involved, if anything was touched...and we already knew when I looked at it that things were touched, even as I read and was able to do an FTK indexing and do an EnCase image I can now actually see things that were touched.
HK: And when you say "touched" are you talking about things that had been changed because of an automated process, or things that had been done by somebody actually at a keyboard or somehow accessing the computer?
GM: Both. It led me to believe that at some point a write-block was not utilized.
HK: And what do you mean by that?
GM: A write-block puts the computer you are going to analyze or the image you are going to analyze in a read-only format. If that is not connected correctly, if there is something wrong with that write-block, or if one isn't used: the files will change. The last access...or if a file was created and never touched again, the metadata behind there: created, modified, last accessed will all show the same. Now I saw that where there were deleted files where the metadata: created, modified, last accessed, were all the same but they were deleted at the time they were created - which didn't make any sense to me.
HK: files are deleted at the same moment they are created?
GM: as soon as they were created they were deleted.
HK: how can that happen?
GM: Somebody - I don't know who did it, or what had happened...all I can tell you is that I went through the file extension, the file date and at the time the law enforcement had it in custody, and all these files came up as showing 'deleted'. I did a data carve, like the FBI did a data carve, I did a data carve...my files show less than what they had on their report, as far as their total files that they data carved...and show that all these different files were deleted. It just doesn't make sense, it doesn't add up right because if somebody deleted something all of the metadata's there and it should have had a creation date a little bit different, but it was all done at the same time it would lead me to believe.
HK: were you able to determine exactly what those files were?
GM: Some of them. Again, I haven't really had enough time to dig into it, but some of those files were accessed through the Cisco VPN network, some of them were documents, temporary folders, temporary files, temporary internet files that were accessed...BC's email, archived email, history, PST, .pst files which is your mailbox, and there were some deleted hidden files that were deleted during that time...and archived.
HK: Now in addition to the files that you can see being changed or deleted after BC was out of the house, did you also notice anomalies with other files on the computer?
GM: I did
HK: And were those essentially timestamp anomalies?
GM: I did, numerous
HK: Where...in what type of timestamp were the anomalies?
GM: They were in the Google searches, there were timestamps that were anomalies.
HK: And when you say they were in the Google searches, the entire map search were there any...am I correct that there were 507 files that were associated with that search?
GM: I believe so, I don't have the exact figure in front of me.
HK: Was there a single one of those files that did not show an invalid timestamp?
GM: I believe no, there wasn't any...based on the Google only.
HK (to judge): Your Honor, I have previously admitted for appellate purposes exhibit 154 which is Mr. Masucci's report. That report actually includes a number of visuals and I would just wish to be able to publish them electronically without numbering them individually since they are all in the report.
Judge: that's fine, whatever you need to do um, that's fine.
HK: Mr. Masucci would it help to look at the graphic images to chart out the timeframe of timestamp anomalies?
GM: please
HK: (okay, if we can show the overall...? slide up)