Bellwether trial update: How NOT to prepare for trial
As you may recall, M. Keith Lipscomb’s porn extortion enterprise hit a bump in the road last October when Judge Baylson of the Eastern District of Pennsylvania more or less directed Lipscomb to bring some of his copyright troll lawsuits to a verdict so as to ascertain whether these lawsuits were legitimate or not. Of course this direction is contrary to the usual porn copyright business model, which is to obtain the personal identifying information of the person who pays the ISP bill, harass the shit out of said person to pay thousands to settle, and then dismiss the lawsuit once it either (a) gets uncomfortable due to heightened judicial scrutiny or (b) grows stale with the maximum settlements deemed achieved. Aside from the Fantalis matter in Colorado, this is the first lawsuit in which a copyright troll’s evidence will be tested in a court of law. Accordingly, SJD and others have been reporting on this lawsuit as it progresses and SJD’s coverage is here, here, here, and here.
Question: How do you gather and refine your evidence to prepare for a trial (the first of its kind in the US) which is set to begin on June 10th? Answer: If you are M. Keith Lipscomb, in the most overreaching and last minute fashion humanly possible.
One example of this has been his sloppy, roughshod trampling of privacy concerns in the third party discovery of ISP Verizon which has been covered by others, including TechDirt, as well as the incredibly invasive demand for “Six Strikes” info.
A more recent example of this overreaching and slipshod trial preparation was disclosed last week when Lipscomb filed an Emergency Motion to allow the plaintiff entry into John Doe 16’s home for the purpose of making forensic copies of his hard drives. The basis for this motion is that the copies of the hard drives previously provided by this party are unreadable, which Lipscomb just discovered on April 30th due to the illness and resulting death on April 26th of one of his two expert witnesses. Conspicuously absent from this motion is an affidavit from the surviving expert witness explaining why the copies are unreadable and when this problem was discovered.
Keep in mind the trial is set to begin on June 10th and discovery should have been completed some time ago.
In opposition to this motion the attorney for John Doe 16, Ronald Smith, points out with well-deserved indignation that Lipscomb’s expert witnesses had been sitting on these supposedly unreadable copies for 4 months!
It appears unequivocal that Defendant’s counsel first learned of this problem on May 1, 2013, after the scheduling of this case for Trial. How or why, with a period of over four months, could the parties not be made aware of the difficulty in discovery and now at the midnight hour request an opening of the discovery process when trial is only days away. At this late juncture, not only has Defendant’s counsel for John Doe 16 been prejudiced, but perhaps other counsel in this matter who have indicated that they have had no choice but to settle.
Furthermore defense counsel underlines what by now is obvious:
Plaintiff’s counsel has been egregious in the handling of this case and at this late date the rewarding of and opening of discovery will not only penalized John Doe 16 but the other parties as well.
A telephone conference is scheduled for tomorrow regarding this example of sloppy and overreaching trial preparation and let’s hope that Judge Baylson is not in a forgiving mood.
32 responses to ‘Bellwether trial update: How NOT to prepare for trial’
Who doesn’t verify a drive image before returning the drive to the person?! I’m not sure who made the images but you’d think “Lipscum’s” experts would have verified them right away no matter who made the images. If they [Lipscum] made the images then there’s certainly no excuse. SOP is to verify the image before returning the drive. Not one of these clowns from Prenda to “Anal” Lesko (and I’m including “Lipscum” here) has ever done anything right when forced to actually do any work past cashing a settlement check. I hate that picture of Lipscum’s sanctimonious expression. Dirtbag extortionist.
A former client lost a mirrored drive on a Netware 3.x server and brought in experts from the big city to replace said drive. They replaced it, and mirrored the new drive onto the working drive – at which point the question became.. when was your last tape backup? (They erased the good drive!!) i.e. you’re also not supposed to do anything to your “original” drive until after you’ve made a copy of it.. perhaps in the last minute rush, they managed to wipe out the data? Although it’s sure suspicious that they waited 4 months to begin searching for evidence.
If one wanted to get out of discussing the merits of a case, it might be useful to find that one is missing some required evidence…
Consider motive and capacity.
The motive: Lipscomb’s extortion business model is built around fear and uncertainty. He has nothing whatsoever to gain by examining evidence in a timely or professional manner. By putting it off until the last minute he gains four more months of the defendant’s doubts eating at him to pay the ransom and make the nightmare go away. Now, by “losing” the evidence at the last minute, Lipscomb demands the court give him a green light to invade the defendant’s home thus gaining even more fear and uncertainty.
The capacity: What has Lipscomb been doing the past four months when he should have been keeping up with discovery in one of the handful of his cases that are actually contested? Filing 470 other Malibu cases with more coming this week. One man can only do so much and it’s clear where that man has most of his attentions.
I would have been surprised to see any other outcome here.
Reading this motion from Lipscomb is fun because of what isn’t stated to the court. The judge in this case is smart and is bound to have additional hard questions for Plaintiff. Four Months!!!! I wish I got to watch the tap dancing that is sure to be on display.
As stated, the verification of a drive image is a normal activity. Make the image and then a hash file verification is accomplished to ensure the image is a bit-for-bit copy. Most commercial digital forensic software (EnCase, FTK, etc.) has this built in and it is one of the first things you learn to do. I don’t know the exact details of who did the imaging, but there is a possibility that someone hired by defense did the imaging. If so, they would likely have made a copy of the images and stored them just-in-case. They would at least have the records showing the details of the imaging, as well as the hash file #s showing an accurate copy was made. *** Plaintiff’s motion states that defendant produced a hard drive containing images of three hard drives. Plaintiff stated – “… the hard drive was unreadable and could not be opened with any program.” That sounds like a physical failure of the hard drive (crash).
As Lipscomb hired a commercial forensic firm to do the exam, I expect they would have first verified the images were good and that they could access the drives. Then they likely would have made ‘working’ copies to conduct the analysis on. They are getting paid good money and there is a chance that they will get called to testify on their findings – not a thing to screw up on and risk never getting hired again. For nothing to be said for 4 months is highly unusual and there is obviously more to this story that Plaintiff doesn’t want to put down on paper.
As security and safeguarding of case information (hard drives and info within) is a part of any case, I expect the issue may have something to do with the death of the examiner working the case. It is a possibility that as part of the normal examination, the expert password protected the image files and case work. If that password was lost because of the death, that would make sense. If the examiner kept written notes in a case file, details may emerge on if he was able to access the images and any results. Written notes are not a guarantee, as notes can be kept in a digital format. I personally prefer to keep both types of records.
A case like this isn’t going to be very tough for a seasoned forensic examiner. I haven’t looked into this company, but the two examiners did look like they had experience at this. An examiner is going to look for the movie(s) in question, any BT software (especially the version seen downloading the movie), any torrent files, as well as any evidence that BT software once was on the systems. The scope of the search authorized by the court is also going to limit/permit how deep the experts can search. For these searches, I would expect the expert is either going to find a ‘smoking gun’ (the movie), absolutely nothing, or only small bits of data that could OR could not be evidence. Once a drive image is mounted, the search is pretty straightforward and easy. What can take time is when evidence is not out in the open. If the movie is not found, I expect Plaintiff will try to go the Prenda route and try to claim the defendant destroyed it. They will try to use anything the examiner finds to support their claims. They will also try to use anything on the computer to show the defendant lied. Example: state you never used BT and they find it was once installed (& removed) – not good. It will be interesting what the court asks and allows. Regardless, this is pretty sloppy and doesn’t bode well for Plaintiff.
What are the chances of one or more of 750+ malibu cases ending up in front of another pissed off federal judge? I hope Lipscomb is paying attention.
It’ll take more work to stop Lipscomb. For one thing, his copyright holder client is legit. Two, he’s providing better “evidence” to support his claims. I think the Bellwether trial will set the tone going forward. He has a lot riding on this outcome. That said, he’s still nothing more than a blackmailer and extortionist masquerading as an attorney.
ummm – not really – it’s all the same – he’s not any smarter; just quieter
Lipscomb has changed his approach. New cases are single Doe, they are all filed in proper jurisdictions, claims are supported by “enhanced surveillance”, i.e. years-long lists of pirated stuff, so pretty much every tested defense tactic is obsolete now. Barring stupid mistakes, there’s just one vulnerability I can see: quality and legitimacy of Lipscomb’s IP harvesting process, and I’m not sure even that is actually real vulnerability. I follow 16 cases in Central and Northern Illinois, filed in January and February, and 4 of them are already settled. Considering rumors about much higher settlement amounts for this type of cases, new approach seems to be working OK for Lipscomb.
The most fundamental defense hasn’t changed at all: an IP address is not the person paying the cable bill. Lipscomb can claim that a given IP was spotted in many torrent swarms instead of just one. That’s damning to observers without technical background in wireless, NAT, etc. But a hundred torrents don’t turn an IP into a person any more than one does.
Hopefully. I wonder though, what will a jury’s feelings be about this point after looking at the enhanced surveillance stuff etc. I’m afraid we’ll have a chance to see that. New wave of cases looks like Lipscomb decided to get a couple of them to the trial.
He is capable of colossal blunders. See for example http://www.archive.org/download/gov.uscourts.flsd.404544/gov.uscourts.flsd.404544.7.1.pdf
“Any material lack of compliance with applicable regulations on the part of an adult content producer plaintiff can become a serious litigation vulnerability if exploited by a knowledgeable opponent.
Adult entertainment companies should always consider the fact that filing a lawsuit can trigger a defendant’s right to legal discovery, which might include, for example, the right to depose the company’s principals and employees.
It is important to always remember that litigation is a two-way street. And once started, the party initiating the litigation may not be able to control the outcome or dismiss the case. For these and other reasons, seasoned adult entertainment attorneys will always try to make sure that their client’s commencement of any kind of lawsuit will not result in the legal equivalent of throwing stones while living in a glass house.
Adult companies seeking to enforce their intellectual property rights avoid strategies that explicitly or implicitly employ intimidation or seek to exploit negative societal views regarding adult content. Such strategies can backfire badly and, in some cases, can produce zealous defendants, particularly if the party was erroneously named and was not in fact involved in the alleged file sharing of the subject adult content. It’s good to always remember that it isn’t just adult entrepreneurs that get pissed off and fight like hell when they are wrongly hauled into court.
An adult entertainment company is well-advised not to become embroiled in patent litigation for directly or indirectly infringing a patent involving infringement detection.”
DECLARATION OF COLETTE LEAH PELISSIER FIELD (dated 12-5-2012)
24. “We have worked hard and invested millions of dollars in out business in order to produce the best quality product.”
“accessed by viewers in the hundreds of millions (100, 000, 000) ” X $99.95 annually per
DECLARATION OF COLETTE PELISSIER FIELD (dated 12-5-2012) = $9,995,000,000.00 – $99,000.00 = $9,994,901,000.00 (is the math right?)
Colette Antigua – https://twitter.com/colettexart/status/290238360528748545/photo/1
Colette Praque – https://twitter.com/colettexart/status/323507808949645312/photo/1
Colette riding her pretty little horses: http://www.youtube.com/watch?v=Wzh3Vqteu6Q
Colette riding her pretty little horses: http://www.youtube.com/watch?v=BJh7Mynu6Bo
Colette riding her pretty little horses: http://www.youtube.com/watch?v=g-qVZoZVBIA
Brigham – $17.00 smoothies – https://twitter.com/BrighamField/status/257658574778540032/photo/1
Brigham Prague – https://twitter.com/BrighamField/status/277180613902098432/photo/1
Brigham St. Barts – https://twitter.com/BrighamField/status/291026670155091968/photo/1
Brigham Formula 3 car – http://brighamfield.com/post/45031121587
25. “For the first three years (when our site was not as popular), we didn’t have as many issues with piracy. Now, that our videos are highly desirable, more people steal our videos that pay for a
IANAL – but this “attitude” and lack of action seems negligent. Plaintiff seems just as responsible for allowing “unauthorized use” for the first three years and negligent for NOT taking reasonable and prudent action that would prevent continued “unauthorized use”.
“A person has acted negligently if she has departed from the conduct expected of a reasonably prudent person acting under similar circumstances.” (http://legal-dictionary.thefreedictionary.com/negligence )
26. “We are even getting many complaints from our members (asking why they should pay when they are available for free on the torrents).”
Again, IANAL, but this also seems negligent as the web master’s/admin responsibility is to make sure their site is secure enough to prevent “unauthorized use”. It’s highly UNLIKELY that the web master’s/admin has NO IDEA which one of THEIR OWN users “downloaded” referenced files and subsequently uploaded same referenced files as a .torrent file.
ANYBODY who says they KNOW ANYTHING about .torrent files will also KNOW they multiply, like children’s stuffed animals, especially when you’re not looking…
“These lawsuits have caused massive collateral damage to the individuals targeted, due process, and the legal profession. Copyright owners have a right to protect their works, but not at the expense of the due process rights of thousands of Doe defendants.”
It’s never too late, Colette & Brig, to change the trajectory
Malibu Media could drastically limit the damage to their company by inserting unique identifiers into their data stream and then suing the initial seeder who is a paid subscriber of their service. A couple of huge judgements against the X-Art subscribers who are uploading the material to the internet along with a ban from the company would greatly diminish their losses. Aggressive take down notices would also limit the distribution. The problem is that this would destroy the “legal” extortion scheme as a major revenue source. If they were actively trying to limit the spread of their material into the torrentsphere, instead of simply actively exploiting it for revenue, I’d be more sympathetic to their claims.
Losses? Damage? X-Art material is all over the tube sites, for free, much of it uploaded by X-Art employees complete with a link to the X-Art website at the bottom. Some of these videos have tens of millions of views, none of whom chipped in $19.95 towards Brig’s race cars. Yet suing 100 people a month is going to heal their business?
Free rolling on a tube site is fundamentally the same damn thing as free rolling a torrent from the user’s perspective. The technical back end isn’t but differentiating the two from anything but an engineering perspective is along the lines of pretending a phone call is no longer a phone call when it’s made from a cell phone.
This has never been about damages or piracy, it’s about an unintended loophole in a pre-internet law that a few scumbag lawyers discovered and are now abusing the hell out of.
The results of Lipscum’s investigation of Doe 16’s hard drives are extraordinary.
gov.uscourts.paed.461508.140.1.pdf
At face value, three days after being formally notified that Lipscum was demanding to see his hard drive (which is to say three months after becoming involved in the suit and lawyering up, and at least a month after Judge Baylson made clear that it would go to trial and discovery was coming), somebody wiped the drive, re-installed a fresh copy of Windows, removed nearly all of the system folders, and zeroed out the remaining free space.
I have no trouble believing that a defendant with Bit torrent and a folder full of X-Art’s filth would not want to be caught with a smoking gun. Of course he’d delete them when an ISP letter showed up. Or his computer broke and he had to reinstall. Or it was stolen. Or it never existed in the first place because he used his wife’s Mac (without porn on it) instead all along. Go ahead and prove that I did it.
Some of that could look questionable. Worse than questionable if a good tech guy could find, say, a file association for .torrent files in the backup registry, or a cached network location with porn file names. But those would at least be plausible.
This isn’t even close to plausible. That an allegedly computer savvy defendant (with counsel, no less!) would instead submit such clumsily falsified and utterly damning evidence against himself almost defies credibility.
I don’t recall John Doe 16 ever stating that this drive was the boot drive. From what I understand, he turned over images of 3 drives and this drive could very well have been a second or third drive in the same PC which would not have the Windows O/S, Program Files directory, etc.
If it’s a secondary drive used for additional storage, I would not be surprised at all that most of the drive has never been written to and is blank.
Looking through the report again, I see there was another image provided to the investigator called “desktop-240gb” which the investigator did not go into any detail about whatsoever. It would make sense that the computer had a 240GB boot and program drive (which, that small, would only be a SSD now) and this 1TB image is a data drive.
It’s not consistent to me, though, that a slow secondary data drive would:
A) have its partitions labelled as drive letters C and D. I haven’t seen a system drive that wasn’t C since the days of installing an upgrade copy of XP that left the old system intact on C.
or B) have a “program files (x86)” directory. You would install your programs on the fast drive, or if you did manually install a program on the data drive, Windows’ automatic naming conventions wouldn’t apply and it probably would not have that directory name.
It’s still much more plausible that this is a data drive with inconsistencies than that it’s an idiotically doctored boot drive. Looks extremely bad that it was reformatted immediately after the discovery order, but it would be premature to demand sanctions based on the contents of one drive without even bothering to investigate the other one. If the 240gb image turns out to be a functional boot drive it would be nice for that sanctions demand to come back and really bite Lipscomb in the ass.
I only gave the report a quick review, but I don’t like what is reported. It opens more questions of what the defendant did, as well details of the hardware setup. If he cannot or will not provide reasonable answers, it looks bad. Having the unallocated space all zeros looks like a fresh wipe. I will do a more thorough review of the findings.
When you first install a drive isn’t it filled with zeroes?
How would data magically get into the unallocated blocks?
It depends on how the manufacturer builds and prepares the drive; but having a single character (say a “0”) is an easy way to see that no data is on the drive (and thus is new).
No magic about data being in the unallocated parts of the drive – this is normal. This is what the expert shows about the “Steam” data in the unallocated parts. The data was once allocated but has since been deleted (but not wiped). The drive shows the area is unallocated (free for usage), as the previous files/folders (data) have been deleted and are no longer required. The expert is saying that because there is so much unallocated space with “0”, that it was either wiped or the drive is new and never had data on it. It is what is NOT found that is unusual and raised many questions. They may be able to be answered, but until then it looks odd. As far as wiping, various programs have the option to fill the unallocated space with a specific character or to randomize the data that is written to it. Even randomized data will stick out as odd, as the expert will still not be able to extract any documents or data from the unallocated space. Pulling data and/or files out of unallocated space is not that hard to do with programs such as EnCase.
I will post an article to my site in a bit on this report.
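What the zero-fill argument above measures, as an added example that is not from any commenter or from the expert's report: a sector-by-sector profile of the unallocated extents of an image, separating all-zero sectors, single-byte fill, high-entropy sectors (a randomized wipe, but also compressed or encrypted remnants) and ordinary leftover data. The extent list, the 512-byte sector size, the 7.0-bit entropy threshold and the sample image are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter

SECTOR = 512  # bytes per logical sector (assumed for this example)


def classify_sector(sector: bytes) -> str:
    """Label one full sector by what its bytes look like."""
    counts = Counter(sector)
    if len(counts) == 1:
        # Every byte identical: zero-filled, or filled with one other value.
        return "zero" if sector[0] == 0 else "fill"
    n = len(sector)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    # 512 random bytes measure roughly 7.5 bits/byte; text and file system
    # structures sit far lower. 7.0 is an assumed cut-off, not a standard.
    return "high_entropy" if entropy >= 7.0 else "data"


def profile_unallocated(image: bytes, extents):
    """Tally sector classes over unallocated extents given as (first_lba, count).

    Returns (tally, fractions, residue): residue lists up to 16 LBAs holding
    ordinary leftover data, i.e. where an examiner would look for remnants.
    """
    tally = Counter()
    residue = []
    for first_lba, count in extents:
        for lba in range(first_lba, first_lba + count):
            sector = image[lba * SECTOR:(lba + 1) * SECTOR]
            if len(sector) < SECTOR:
                tally["truncated"] += 1  # extent runs past the end of the image
                continue
            kind = classify_sector(sector)
            tally[kind] += 1
            if kind == "data" and len(residue) < 16:
                residue.append(lba)
    total = sum(tally.values())
    fractions = {k: v / total for k, v in tally.items()} if total else {}
    return tally, fractions, residue


def constructed_image():
    """Constructed sample: 8 allocated sectors, then 1000 unallocated ones."""
    rng = random.Random(16)  # fixed seed so the sample is reproducible
    text = (b"steamapps/common/constructed_game/readme.txt\n" * 12)[:SECTOR]
    noise = [bytes(rng.getrandbits(8) for _ in range(SECTOR)) for _ in range(3)]
    unallocated = (
        bytes(SECTOR) * 990        # never written, or overwritten with zeros
        + text * 4                 # leftover file content (deleted, not wiped)
        + b"".join(noise)          # randomized overwrite or compressed remnant
        + b"\xff" * SECTOR * 3     # single-character fill pattern
    )
    image = text * 8 + unallocated
    return image, [(8, 1000)]


if __name__ == "__main__":
    img, ext = constructed_image()
    tally, fractions, residue = profile_unallocated(img, ext)
    for kind, n in tally.most_common():
        print(f"{kind:13s}{n:6d}  {fractions[kind]:.1%}")
    print("leftover data at LBAs:", residue)
```

The profile only describes the bytes; whether a 99% zero region means a wipe, a new drive or a data drive that never saw deletions is the interpretive question the thread is arguing about.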
Drive letters are assigned by the ‘missing’ operating system (read “Drive letter Assignment” on wikipedia). If the 240GB drive is the ‘first’ physical drive (as it is probably an SSD drive, I give it a 90% chance) then its first active partition is by default the “C” drive. This may be changed by the Windows operating system. For the ‘expert’ (I missed his qualifications) to assert a drive is lettered “C” and “D” without reference to an actual Windows operating system is a misstatement of fact.
Patrick Paige’s qualifications are here:
CV-Patrick.Paige.pdf
He’s a cop with experience in data recovery for kiddy porn investigations. He’s an expert in Encase. Exactly the kind of expert Lipscum would want to use to imply that he’s going after criminals and perverts.
He doesn’t present himself as any kind of Windows expert whatsoever and the blatant errors of interpretation in his declaration agree with that.
I’m not sure what to make of the forensic report either.
I don’t think it quite makes sense either as Lipscomb trying to completely misrepresent the findings or as an attempt at spoliation or fabrication of evidence on Doe’s part. It’s just weird.
If this is an attempt at subterfuge on John Does’ part this is as sloppy as it gets, and IMO it would be too bad and obvious to believe. He would have been better off buying a used 1TB drive from Craigslist and turning that in if he was willing to take the risk.
IMO, the forensics expert massively overplays the fact that the drive doesn’t have ANY operating system in all caps and underline. BFD, zillions of hard drives don’t have operating systems installed, and saying a “normal” hard drive has the Windows folders, etc. is approaching perjury IMO without further explanation, as that is a seriously misleading statement.
Similarly, the lack of nonzero unused data may just be the result of a data drive that has only been getting filled and hasn’t seen meaningful deletions. If it is a data drive, all the temp file churn he’s expecting would be happening on the boot drive. However, if fresh drives are not normally zeroed and just come randomized, or whatever, then that would be very significant. That kind of stuff may be vendor specific but as an expert it would be nice if he had that knowledge or did the research and stated whether or not the zeroed state would be expected for unused space on this make and model of drive. Again, I am not impressed with this “expert’s” skills, it seems like pretty much all he can do is run someone else’s programs.
The file timestamps on the drive, on the other hand, are something for which I can’t come up with a reasonable, innocent explanation. The only thing I can think of is if he did like a drag-and-drop copy of that drive to another drive before zipping up the images, instead of using actual disk imaging software. I believe that would result in new creation dates for the folders and maybe files, but if that’s the case then that was a bad call on the Doe’s part instead of using real imaging software or his own forensics expert.
I notice the expert does not say anything about the FILES on that drive, what they are, what their timestamps are, if there are any, etc. It may very well be full of files with pre-11/11/12 creation dates, but he’s not saying. Why not?
Based on having tons of computer experience but not a forensics background, I honestly feel like their expert is not that knowledgeable and/or is leaving critical details out in order to spin the report to the Plaintiff’s advantage. I just feel like everything that is not said in his report is being intentionally withheld.
I am frustrated that the expert makes assertions without providing citations or data to back them up. Maybe that’s the way it works with expert witnesses in court but it seems very half-assed and sloppy to me, as some of these things are not opinions and he should be required to back his claims up with proof.
That said, Doe definitely has some ‘splainin’ to do and I think at best he will have to explain to their forensics expert how to properly decode his dump of images and explain what computers they were in, how they were archived and how they were configured as boot or data drives, and he’s probably going to have to produce the drives themselves for examination and hopefully be able to defuse the tampering claims.
I am not impressed by Lipscomb’s expert either.
Besides what you already pointed out (making a major point of the non-point that a data drive does not have an operating system), he is at least disingenuous if not outright wrong on several other points.
Eg 16-26, that the second drive hash is not identical to the first drive. The first drive was damaged and not fully readable. Of course a readable drive doesn’t match, if it did it’d be unreadable too. Even if that were not true, the second drive is not an image, it is a collection of images. If it could be claimed that an image were not identical to another image purported to be the same drive that would be meaningful but just copying an identical set of images to the transfer medium for examination in a different order would also give a different hash.
42, that data remains intact in unallocated space. That is true for a mechanical hard drive but a SSD (as the system disk in this case) continuously uses TRIM in the background and deleted data is generally gone forever. The MFT record of file names may be intact but the contents certainly will not be.
44, that a normal computer would have deletions from google, Ask Jeeves (The Ask toolbar, essentially a malware provider), emails, etc. That’s an awkward way of stating it would have a temporary internet files cache, which isn’t necessarily true in itself (incognito mode) and would in any case have been on the system drive and not the data drive. A data drive without programs installed on it would not have automatic file writing and deleting go on and could well legitimately have nothing at all in its unallocated space. (But why is Steam there?)
But for all of those points, that the drive looks like it was rebuilt three days after the discovery order remains damning. What on earth was Doe #16 thinking?
Why does it not discuss the 240gb hard drive at all in that declaration? It’s also called “desktop”. Dual drive computers aren’t so rare that a professional forensic examiner would have never seen them. A small SSD for booting with a much larger magnetic data drive is going to be a pretty common setup. Testifying that he built a computer with a 1TB hard drive does not mean he built it with ONLY a 1TB hard drive.
Regarding the Date Created, I know from my own experience that that value is changed when you move or copy a file. It’s conceivable (may even be reasonable) to think that the Defendant may have copied over the files to a new drive, except for the ones that would have harmed his case.
I also note that there is no expander indicator next to most of the folders in the second partition, so there’s nothing in those folders. The only actual data on that drive appears to be Steam and the Recycle Bin. Seems odd having such a large data drive with no actual data on it.
The presence of Steam is rather odd, and I don’t know what to make of that.
Furthermore, what “core Windows files” is he talking about in 33? He had just declared in 32 that the drive “… is missing all of the files for Windows and all of the Program Files and User folders”.
As a technical person myself (though not in IT), I am underwhelmed by the information provided in the declaration. Are technical reports provided to courts usually that barren? I expected something more thorough and detailed.
However, even if the examiner doesn’t seem that competent, I see enough in that declaration to be suspicious of Defendant.
Another filing from Lipscomb today and I believe they are overplaying this hand and further demonstrating the lack of true expertise of their “expert.”
It really makes it look like the guy did not even make an effort to do a real analysis and has just cherry-picked things that let them make this argument. Misrepresenting the lack of OS to the court was a bad start so if this guy gets challenged he may come out looking foolish.
Doe appears to have left himself vulnerable to this, but considering the “expert” waited until the last minute to even try to read the drives, and then uses his own incompetence and lack of ingenuity as an excuse for not being able to figure out how to read the drives, this is not compelling.
Doe needs to explain WTF is going on, period.
Here’s my $.02. I’ve been using and programming computers since 1972, so I think I know my way around, a bit. We’ll take this point by point.
1. “I am a founding member” of an LLC. Whoopee. So’s Lutz. Doesn’t make you an expert.
3. There is no date associated with the receipt of the First Hard Drive. How long did he sit on this? Or did Lipscum?
5. “TD3 forensic devices are widely used by computer forensic experts” Using professional equipment does not make you a professional.
7. See above. Using Encase does not make you a forensic expert.
16. Wait…you calculated Hash Values on the bad hard drive AFTER you determined (para 15) that it was bad? Why? Just so you could bill for the fifteen hours it took?
16-18. Also, you asserted in Para 6 that the Tableau TD-3 makes forensically sound copies. Why compare hash values?
25 and 26 are in reverse order. 25 is a conclusion, 26 is the data that supports that conclusion. Other commenters have noted that the difference in hash values is to be expected, since the first could not be examined, and the second one could be. A single bit difference means the hash is different, and not by a little bit, either.
27a. Typo. You meant Desktop-240.img, not .im There are two paragraphs labelled 27b. “of what appear to be a working computer systems based on their file structures.” How do you know they are ‘working’? A system throwing a ‘blue screen of death’ also looks like it has working file structures.
28. The entire paragraph has served to poison the forensic investigation. A good FE should report just the facts. In this case, since Libscum told the FE that the computer was built with a ‘1Tb Hard Drive’, the FE assumed that an image labelled as such must be the ONLY thing in that machine.
30. This is a direct result of the faulty information in para 28. The FE has become so fixated on the ‘1Tb HD’ that he has failed to consider other possible configurations.
31. ‘Missing’ implies that the files were once there and are now no longer there, i.e. purposefully not copied over. A fair FE would state that ‘files and folders necessary for Windows to operate are not present on the disk image [xxxxx]’
33. “I know Windows was installed on the 1 Terabyte Hard Drive at some point because it has the core system files that correlate to Windows.” No. You. Don’t. The presence of ‘system Volume Information’ or ‘Program Files (x86)’ does NOT mean that Windows was once installed. It does mean that it was once attached to a windows machine, however.
36. The MFT is created when a drive is formatted, not when Windows is installed.
41. BINGO – he finally swerves into the most probable scenario: that the 1Tb drive was used as a Data Drive, not the OS Drive.
42. “When data is deleted from a computer running a Windows operating system, the data remains on the hard drive until the operating system overwrites that area. The deleted data will then reside in an area of the hard drive commonly referred to as unallocated space.” False, false, false! The data does NOT move. The operating system deletes data by altering the allocation block in the MFT. This shows this ‘forensic expert’ does not understand the first thing about how the Windows operating system works.
43. “…99% of the unallocated space on desktop-1tb.img contains zeros, i.e. no data.” Perfectly explicable by at least three different scenarios. 1) the files were copied to the image as files, instead of the entire drive as a bit-by-bit image, 2) All temporary files (including pagefiles) are housed on the SSD, and/or 3) a combination of disk defragmentation and free space wiping is carried out on a regular basis.
44. See above. This should have given him a clue that he wasn’t looking at the OS disc.
45. Hey, Nimrod! What about the 240Gb image?
This guy is as much of a ‘forensic expert’ as Lutz is CEO material. This is, of course, my opinion, though informed by forty years of work in the computer science field.
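The hash points argued in this thread (verify each image against the hash recorded at acquisition; a transfer drive holding the same images in a different order hashes differently; one flipped bit changes the digest completely), as an added example that is not any commenter's or the expert's own code. The file names `desktop-1tb.img` and `desktop-240gb.img` are borrowed from the thread, `third.img` is hypothetical, all contents are constructed, and modelling the transfer medium as images written back to back is an assumption.

```python
import hashlib
import io

CHUNK = 1 << 20  # hash 1 MiB at a time so a large image never has to fit in RAM


def sha256_stream(stream, chunk_size=CHUNK):
    """Hex SHA-256 of everything readable from a binary stream."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()


def build_manifest(images):
    """Acquisition-time record: image name -> size and SHA-256."""
    return {
        name: {"size": len(data), "sha256": sha256_stream(io.BytesIO(data))}
        for name, data in images.items()
    }


def verify(received, manifest):
    """Check received images against the manifest, one verdict per name."""
    report = {}
    for name, want in manifest.items():
        data = received.get(name)
        if data is None:
            report[name] = "missing"
        elif len(data) != want["size"]:
            report[name] = "size mismatch"      # truncated or padded copy
        elif sha256_stream(io.BytesIO(data)) != want["sha256"]:
            report[name] = "hash mismatch"      # same length, different bits
        else:
            report[name] = "ok"
    for name in received.keys() - manifest.keys():
        report[name] = "unexpected"
    return report


def medium_hash(images, order):
    """Hash of a whole transfer medium, modelled as images laid out in `order`."""
    h = hashlib.sha256()
    for name in order:
        h.update(images[name])
    return h.hexdigest()


def flip_bit(data, bit_index):
    """Return a copy of `data` with exactly one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def differing_bits(hex_a, hex_b):
    """Number of bit positions in which two hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def constructed_images():
    """Constructed stand-ins for three drive images (a few KiB each)."""
    return {
        "desktop-1tb.img": bytes(4096) + b"constructed data partition" * 100,
        "desktop-240gb.img": b"constructed boot volume" * 300,
        "third.img": bytes(range(256)) * 16,
    }


if __name__ == "__main__":
    images = constructed_images()
    manifest = build_manifest(images)
    names = sorted(images)
    print("per-image check:", verify(images, manifest))
    print("medium, order A:", medium_hash(images, names))
    print("medium, order B:", medium_hash(images, names[::-1]))
    damaged = dict(images)
    damaged["desktop-1tb.img"] = flip_bit(images["desktop-1tb.img"], 12345)
    print("after one flipped bit:", verify(damaged, manifest))
```

Comparing per-image digests against the acquisition record is the check that stays meaningful when the medium is re-copied; the whole-medium digest changes with layout even when every image is intact.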
Perhaps plaintiff’s attorney made big error. Perhaps asking for hard drive images and the defendant boots off of a USB flash drive.
Wow, this piece of writing is fastidious, my younger sister is analyzing these kinds
of things, therefore I am going to let know her.