Академический Документы
Профессиональный Документы
Культура Документы
1
2
3
4
5
6
7
8
9
10
11
12
13
14
______________________________________
DENNIS MONTGOMERY; MONTGOMERY
FAMILY TRUST,
Plaintiffs,
15
16
17
18
vs.
ETREPPID TECHNOLOGIES, L.L.C.; a Nevada
Limited Liability Company, WARREN TREPP;
DEPARTMENT OF DEFENSE of the UNITED
STATES OF AMERICA; and DOES 1-10,
19
20
Defendants
________________________________________
DECLARATION OF JONATHAN
KARCHMER IN SUPPORT OF
DEFENDANTS ETREPPID
TECHNOLOGIES, L.L.C. AND
WARREN TREPPS NOTICE OF
OBJECTION TO THE PUBLIC
FILING OF A FABRICATED
DOCUMENT BY DENNIS
MONTGOMERY
21
22
23
24
Pursuant to 28 U.S.C. 1746, I, JONATHAN KARCHMER, hereby declare:
25
26
27
28
::ODMA\PCDOCS\HLRNODOCS\641863\1
Page 1 of 9
1.
knowledge to which I could and would competently testify if called as a witness in this
matter.
2.
I am a Managing
Consultant in the Electronic Discovery practice based in Century City, Los Angeles,
7
8
3.
9
10
11
12
13
use forensic software during computer examinations. They are recognized by both law
14
15
forensics knowledge.
16
4.
Computer forensics and electronic discovery has been the focus of my career for more
17
than 6 years.
18
19
20
21
22
5.
23
24
LECG was engaged by eTreppid counsel to collect and analyze data including email
6.
On February 16, 2007, I visited the offices of eTreppid and met with the eTreppid
25
26
eTreppid network and email configuration to me. During the time period at issue in this
27
case, when eTreppid employees accessed their email, the email was transferred from the
28
eTreppid server to the users computers. Thereafter, a copy of the email was not
::ODMA\PCDOCS\HLRNODOCS\641863\1
Page 2 of 9
maintained on the server. eTreppid email was not centrally managed or backed up to
tape.
3
7.
I collected various instances of email belonging to Warren Trepp including his current
4
PST files, backups of his PST files created at different times, and a loose email (msg)
5
file. A PST file is basically an email mailbox; it is a single file containing email used
6
with the Microsoft Outlook email application. LECG subsequently visited eTreppid on
7
February 23, March 6, and March 23, 2007 to collect other email backups and stores as
8
they were discovered by eTreppid staff, including four hard drives located in a locked
9
cabinet that I am advised was used principally by a former eTreppid employee,
10
Mr. Montgomery.
11
12
8.
I used WinRAR and or EnCase software to perform file collection onsite at eTreppid.
13
Both tools preserve file system metadata (information associated with an electronic file
14
regarding dates and times of creation, delivery, receipt, modification, etc.) associated
15
with files collected for analysis. I used EnCase and dtSearch software to analyze the
16
email I collected.
17
18
19
20
21
22
23
24
25
26
27
9.
LECG performed testing of the Outlook email program and confirmed that email
messages sent in the past could be altered and edited at the will of anyone with access to
an individuals email account (or PST). A user could open an existing message, add or
remove content, and then print a hard copy of the altered email. However, if the email
message is altered and saved, those changes are subsequently saved in the email itself as
it resides in the PST mailbox file. Therefore, if an email message dated September 25,
2003 was later altered and saved in January 2006, for example, analysis of the PST file
containing that email would show discrepancies between the Sent (identified by
EnCase as Last Written) and Modified times associated with that email message.
Specifically, the emails Last Written date would be September 25, 2003, but its
Modified date would be January 2006. I note that it is not necessary for one to save
28
::ODMA\PCDOCS\HLRNODOCS\641863\1
Page 3 of 9
2
10.
Counsel asked LECG to analyze all collected email files and locate a September 25,
3
2003 email message between Len Glogauer and Warren Trepp regarding Congressman
4
Gibbons that purportedly included the sentence We need to take care of him like we
5
discussed. I located four instances of an email between Mr. Glogauer and Mr. Trepp
6
on September 25, 2003 regarding Mr. Gibbons in various locations, including PST files
7
belonging to Mr. Trepp, and on one of the external hard drives located in the locked
8
cabinet used by Mr. Montgomery. Attached to this declaration as Exhibit A is a printed
9
copy of the email as I found it. (All four instances of the email message are the same.)
10
11
11.
The content of all four instances of the September 25, 2003 Len Glogauer email I
12
located at the eTreppid facility were identical, and included an email chain consisting of
13
three messages preceding the message Len Glogauer forwarded to Warren Trepp at 9:35
14
a.m.
15
12.
16
Analysis of the email I collected showed that all instances of the September 25, 2003
Len Glogauer email did not include the sentence We need to take care of him like we
17
discussed. In addition, I analyzed all instances of the email to determine whether that
18
19
20
13.
The EnCase forensic software is able to analyze metadata in Outlook email messages,
21
known as property tags. The EnCase forensic software identifies metadata in Outlook
22
23
date/time an email was first received and saved into a PST mailbox file by the recipient;
24
(b) Last Written identifies the date/time an email was sent by the author; and
25
(c) Entry Modified identifies the date/time an email was last modified or changed by
26
the recipient. Generally, the File Created date/time will match the Entry Modified
27
date/time for all email messages, unless a user edits or modifies an existing email after
28
receiving it, in which case the Entry Modified date/time will reflect the subsequent
::ODMA\PCDOCS\HLRNODOCS\641863\1
Page 4 of 9
2
14.
For example, if an email message was sent and received in 2003, but subsequently
3
altered (and saved) in 2006, embedded metadata within the PST file would indicate an
4
Entry Modified date/time in 2006, while the File Created and Last Written
5
dates/times would remain in 2003. (See Exhibit B for an example of a modified
6
Outlook email message and the resulting change to the email metadata).
7
8
15.
When I examined the eTreppid PST files using EnCase forensic software, the Last
Written and Entry Modified dates/times associated with the September 25, 2003
10
Glogauer email were consistent with the email having been sent by the author on
11
September 25, 2003 at 9:35 AM (Last Written date/time), and received by the
12
13
dates/times). None of the four instances of the September 25, 2003 email message that
14
I examined contained any discrepancy between the File Created date/time and the
15
Entry Modified date/time. This indicates conclusively that the September 25, 2003
16
email message was not modified by the recipient after it was received.
17
16.
18
At the eTreppid offices, during the relevant time period, the email server was
configured to act as temporary mail storage. In other words, when email was sent to
19
employees, the messages physically resided on the email server until the recipient
20
opened their Outlook application, and synchronized with the server and/or initiated the
21
Send/Receive process. At this time, new email messages transferred from the server
22
down to the users desktop/laptop where the PST was physically stored. (Send/Receive
23
can be configured to run periodically while Outlook is open, or users can initiate this
24
manually at any time.) The PST then stamped the incoming email message with certain
25
dates/time as appropriate.
26
27
28
17.
Exhibit C to this affidavit explains in detail the process by which email messages have
certain embedded dates/times assigned to them, and describes why all four instances of
::ODMA\PCDOCS\HLRNODOCS\641863\1
Page 5 of 9
the September 25, 2003 email found onsite at eTreppid show: (a) the emails did not
include the We need to take care of him . . . sentence, and (b) the emails were never
altered or modified after they were received, indicating that it is not possible that
anyone deleted the sentence We need to take care of him . . . from the original email.
Specifically, when an email message is saved into a PST, Microsoft Outlook will assign
for an email recipient, is the date/time the email is first received and saved to the PST,
email message was altered/modified in any way. When this metadata is viewed using
10
11
12
Modified. For all four of the eTreppid PST files containing the September 25, 2003
13
email message, the File Created and Entry Modified dates/times are identical, and
14
all read as September 25, 2003 at 09:42:52 AM. Were the message to have been altered
15
by someone, the emails Entry Modified date/time would differ from (i.e. be later
16
than) its File Created date/time (See Exhibits B, C). Instead, all four instances of the
17
September 25, 2003 email at eTreppid have identical File Created and Entry
18
19
18.
Based on the foregoing analysis, it is my expert opinion that the original email, as sent
20
from Mr. Glogauer to Mr. Trepp on September 25, 2003, did not contain the sentence
21
We need to take care of him like we discussed.
22
23
19.
I am informed and believe that a txt file was submitted to the Court by Mr. Dennis
24
Montgomery on June 12, 2006 as a true and accurate copy of the September 25, 2003
25
Len Glogauer email. This txt document is not a verifiable or accurate copy of the
26
27
20.
The document submitted by Mr. Montgomery is a text or TXT file (a basic word
28
::ODMA\PCDOCS\HLRNODOCS\641863\1
Page 6 of 9
processing document), which can be easily manipulated or altered. A TXT file is not
submitted to the court was created with a Windows program called Notepad (a basic
text editor program included with all versions of Windows). When they are printed,
text files created with Notepad will include the file title at the top of the printed page,
and also include Page X at the bottom, where X corresponds to the page number.
These marks are consistent with the file submitted by Mr. Montgomery.
The file
8
21.
Further, the absence of the preceding email chain found in the original versions of the
9
email and the inclusion of the sentence We need to take care of him like we discussed
10
indicates that the document submitted to the Court by Mr. Montgomery is an altered
11
version of the email as it existed when Len Glogauer sent to Mr. Trepp on September
12
25, 2003.
13
14
22.
To illustrate the ease with which an email like the example Mr. Montgomery
15
provided to the Court can be created, on June 14, 2007, I used Notepad to create a
16
nearly identical TXT file that appears to be an email message. I created a text file with
17
the same filename as Mr. Montgomerys document. I added This sentence was added
18
by LECG on 6/14/2007 to the email body. This example is included with this affidavit
19
as Exhibit D.
20
21
22
23.
23
Note:
24
25
26
24.
27
it exists, with the email Mr. Montgomery provided to the Court, would reveal that the
28
email therein either (a) does not contain the sentence We need to take care of him like
::ODMA\PCDOCS\HLRNODOCS\641863\1
Page 7 of 9
Pursuant to the provisions of 28 U.S.C. 1746, I declare under penalty of perjury that the
6
/s/
JONATHAN KARCHMER
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
::ODMA\PCDOCS\HLRNODOCS\641863\1
Page 8 of 9
PROOF OF SERVICE
2
I, Gaylene Silva, declare:
3
4
I am employed in the City of Reno, County of Washoe, State of Nevada, by the law offices
of Hale Lane Peek Dennison and Howard. My business address is: 5441 Kietzke Lane, Second
Floor, Reno, Nevada 89511. I am over the age of 18 years and not a party to this action
5
6
I am readily familiar with Hale Lane Peek Dennison and Howards practice for collection of
mail, delivery of its hand-deliveries and their process of faxes.
7
8
9
10
_X___
11
filed the document electronically with the U.S. District Court and therefore the courts
computer system has electronically delivered a copy of the foregoing document to the
following person(s) at the following e-mail addresses:
12
13
14
15
16
17
18
19
20
21
22
23
24
I declare under penalty of perjury under the laws of the United States of America that
the foregoing is true and correct, and that this declaration was executed on June 22, 2007.
25
____/s/__________________
Gaylene Silva
26
27
28
::ODMA\PCDOCS\HLRNODOCS\641863\1
Page 9 of 9
Ex. A
User
From:
LEN [LEN@eTreppid.com]
Sent:
To:
WARREN
Len
----Original Message---From: Madura, Kenneth [mailto:Kenneth.Madura@mail.house.gov]
Sent: Thursday, September 25, 2003 9:32 AM
To: LEN
Subject: Congressman gibbons discussion with AF
Mr. Glogauer
This morning, the Congressman had breakfast with the Vice Chief of Staff of the Air Force, Gen Moseley, and he
brought up the eTreppid technology. Mr. Gibbons believes that this would be another good opportunity to
demonstrate the technology to the AF at even a higher level. Along with the data compression, the database
matching was extremely enticing for the AF. I will give the information the Congressman gave us to the Air Force,
and I hope that you can make a demonstration to General Moseley soon.
Please let me know if you have any questions.
Ken Madura
Legislative Assistant
Office of Congressman Jim Gibbons (NV-02)
Voice: (202) 225-6155 Fax: (202) 225-5679
Kenneth,madurn@maiLhPu_se,gol!
6119/2007
On the military side of things, I am compiling some key, very telling, information on the Army's Bandwidth
Bottleneck. A 66 page report was just released that shows the costs required to eliminate or at least decrease the
bottleneck by the year 2010. Costs somewhere in the neighborhood of $1 O Billion. With eTreppid Compression,
we can significantly reduce that cost, lower the budget and potentially cut the projected time-line in half. Not a
bad formula ... Spend less money and get it done sooner! What a concept... I will send our findings and
recommendations directly to you first.
Thanks again for your time.
Best Regards,
Len
Lennard D. Glogauer
VP Industry Applications & Business Development
eTreppid Technologies, LLC
755 Trademarl< Drive
Reno, NV 89521
Len@eTreppid.com
Tel: (775) 337-6771
Fax: (775) 3371877
Len,
Indeed, both Dawn and I enjoyed ourselves at Primm's last Sunday,
and seeing you and Nanci there was especially nice.
I have asked Maj. Dan Waters, a Fellow assigned to my staff, to
contact the National Security Agency office (Dr. Rice) in an effort to
set up a meeting for you and the agency. From a personal point,
let me add that I was greatly impressed by the demonstration you
presented to me. No doubt, the Agency will be just as impressed!
Dawn has given you the correct e-mail address for me here in DC.
That e-mail address is a_cjirect link to my desk and does not go
through anyone else.
Thanks again for your help and support, but most importantly,
thanks for your friendship.
Jim Gibbons
6/19/2007
EnCase File Created column identifies the date/time the email was first created and
saved into the PST mailbox file.
EnCase Last Written column displays the date/time the email was sent.
EnCase Entry Modified column displays the date/time the email was last
modified/changed.
Generally, the Entry Modified date/time will match the File Created date/time for all email
messages. If, however, a user changes an existing email (adds/removes word(s), etc.), and then
saves the edited email message, the Entry Modified date/time will reflect when the
modification occurred. If this were to occur, the Entry Modified date/time would post-date the
File Created date/time.
(continued)
Exhibit B - Page 1 of 3
Standard Email
In the screenshot below, EnCase software is being used to examine a sample PST file. An email
message from the PST can be seen with subject Thank you from the CEO of Network
Solutions. The email was sent on January 4, 2005 at 7:47:28 AM (Last Written). It was
received (physically saved into the PST file) at 9:27:53 AM on the same day (File Created/Entry
Modified). Note that the Entry Modified date/time is identical to the File Created date/time.
These property tags / dates exhibit standard behavior normally seen in PST files.
Below is the email message as it normally appears to the recipient. (Recipient name has been
redacted in this example.)
To illustrate what an examiner would find if an email message was edited/modified, the above
email message was edited by LECG on June 20, 2007 at 10:29 AM. The results of this
modification are in the Modified Email section below, and can be compared to the Standard
Email section.
Exhibit B - Page 2 of 3
Modified Email
In the screenshot below, EnCase software is being used to examine the same sample PST file
used in the previous section Standard Email. The email message with subject Thank you
from the CEO of Network Solutions was modified by LECG to include text it did not originally
contain. Note how the Entry Modified date/time no longer matches the File Created
date/time. Instead, it reflects the date/time that the email was modified (June 20, 2007 10:29:32
AM).
Below is the edited email message as it would appear with changes. (Recipient name has been
redacted in this example.) Note the sentence that was inserted, circled in red.
Exhibit B - Page 3 of 3
Some of these MAPI Property Tags are identified by EnCase forensic software and are
displayed in columns corresponding to date/time values. For example:
PR_SUBJECT:
subject line of email, displayed in EnCase as File Name
PR_CREATION_TIME:
For SENDER: when the email is first drafted
For RECIPIENT: when email is received into PST file
Displayed in EnCase as File Created
PR_MESSAGE_DELIVERY_TIME:
when email is sent / delivered, displayed in EnCase as Last Written date/time
PR_LAST_MODIFICATION_TIME:
Date/Time that email was last changed
Will mirror PR_CREATION_TIME unless email is altered after being sent
Displayed in EnCase as Entry Modified
These Property (PR) date/time values are 64-bit / 8-byte Windows encoded dates
represented in hexacimal, i.e.: 30 38 17 74 13 B2 C7 01. This value for example,
decodes to June 18, 2007, 6:45:02 PM:
1
MAPI is a messaging architecture that enables multiple applications to interact with multiple messaging systems seamlessly across a
variety of hardware platforms. (Source: http://msdn2.microsoft.com/en-us/library/ms527628.aspx - Section: MAPI Concepts and
Architecture)
2 A property is an attribute of a MAPI object. Properties describe something about the object, such as the subject line of a message or
the address type of a messaging user. MAPI defines many properties, some to describe many objects and some that are appropriate
only for an object of a particular type. Clients and service providers can extend MAPI's set of predefined properties by creating new,
custom properties. Clients can define properties to describe new message classes, and service providers can define properties to
expose the unique features of their messaging system. (Source: http://msdn2.microsoft.com/en-us/library/ms528634.aspx - Section:
MAPI Properties)
3 . (Source: http://msdn2.microsoft.com/en-us/library/ms531530.aspx - Section: About Property Tags)
Exhibit C Page 1 of 7
For validation, the decoder above can be downloaded for free at:
http://www.digital-detective.co.uk/freetools/decode.asp.
Times in this report are GMT -8 (Pacific).
Outlook Testing
To confirm EnCase softwares interpretation of Outlook MAPI properties, I used a
testing environment similar to the eTreppid email environment which included Microsoft
Windows Server 2000, Microsoft Exchange 2000, and Microsoft Outlook 2003.
I created a virtual Windows network environment with Exchange as the email server
application. I created 2 user accounts, called USER1 and USER2. In this example,
USER1 is the email sender, and USER2 is the email recipient.
On June 18, 2007 at 6:44 PM, I acted as USER1 and opened that users Outlook profile.
At 6:45 PM, I drafted a new email message to USER2. The subject line of the email was
new msg opened 6:45 PM. The email message was submitted for delivery (Sent) at
6:46 PM.
Later on June 18 at 7:50 PM, I acted as USER2 and opened that users Outlook profile. I
prompted Outlook to Send/Receive new email messages that may be waiting. The
email message from USER1 was delivered into USER2s PST file at 7:50 PM.
Below are the results of this test. PST mailbox files from USER1 and USER2 as
displayed in EnCase forensic software are shown.
Exhibit C Page 2 of 7
PR_CREATION_TIME: 30 38 17 74 13 B2 C7 01.
This is decoded as June 18, 2007, 6:45:02 PM.
PR_MESSAGE_DELIVERY_TIME: 00 BC 5A 96 13 B2 C7 01.
This is decoded as June 18, 2007, 6:46:00 PM.
PR_LAST_MODIFICATION_TIME: 30 38 17 74 13 B2 C7 01.
This is decoded as June 18, 6:45:02 PM.
Note: some of the EnCase screenshots appear to include two line items for a single email message. This is due to EnCase
identifying the email class object and the email body as two separate items.
Exhibit C Page 3 of 7
PR_MESSAGE_DELIVERY_TIME: 80 7F 24 98 13 B2 C7 01.
This is decoded as June 18, 2007, 6:46:03 PM.
The email was received by Exchange Server at 6:46:03 PM (three seconds after USER1
sent the email), but USER2 did not physically receive the message in their PST file until
they logged in and opened Outlook at 7:50 PM.
PR_CREATION_TIME: 00 E4 A4 98 1C B2 C7 01.
This is decoded as June 18, 2007, 7:50:29 PM.
Exhibit C Page 4 of 7
PR_LAST_MODIFICATION_TIME: 00 E4 A4 98 1C B2 C7 01.
This is decoded as June 18, 7:50:29 PM.
TESTING SUMMARY
These results show that when an email recipients PST file is examined with EnCase, an
email message he or she received will show a File Created and an Entry Modified
date consistent with when the message was first received and stored in the PST (6/18/07
7:50:29PM). The Last Written date is when the email was submitted for delivery by
the author of the email (about an hour earlier at 6:46 PM).
If an email message was altered and saved after having been received, EnCase would
show an Entry Modified (PR_LAST_MODIFICATION_TIME) date that post-dates the
File Created (PR_CREATION_TIME) date associated with the email (see Exhibit B
for example of a purposely modified email).
Exhibit C Page 5 of 7
PST A0004_Trepp_PSTs_021606
PST A0010_WarrenEmail_010606
Exhibit C Page 6 of 7
All of the above PR tags associated with the September 25, 2003 email messages
receipt are: E0 EF 39 10 84 83 C3 01.
This decodes to 9/25/03 9:42:52.
Exhibit C Page 7 of 7
Ex. D
2003.09.25.GibbonsFavors.txt
Message
From: LEN [LEN@eTreppid.com]
sent: Thursday, September 25, 2003 9:35 AM
To: WARREN
subject: FW: congressman giibons discussion with AF
For your information .... It looks like Jim has ''hit the ground running'' on this
one!
This sentence was added by LECG on 6/14/2007.
Len
Page 1