Case Document 207-2 Filed 05/19/16 Page 1 of 5

EXHIBIT 

Case 3:15-cr-05351-RJB Document 207-2 Filed 05/19/16 Page 2 of 5

The Honorable Robert J. Bryan

1
2
3
4
5
6

UNITED STATES DISTRICT COURT FOR THE
WESTERN DISTRICT OF WASHINGTON
AT TACOMA

7
8
9
10

UNITED STATES OF AMERICA,

11

NO. CR15-5351RJB

Plaintiff

DECLARATION OF FBI SPECIAL
AGENT DANIEL ALFIN

12
13
14

v.
JAY MICHAUD,

15
Defendant.

16
17
18
19
20
21
22
23
24
25
26
27

I, Daniel Alfin, declare as follows:
1.

I am a Special Agent of the Federal Bureau of Investigation. I am currently

assigned to FBI Headquarters, Criminal Investigative Division, Violent Crimes Against
Children Section, Major Case Coordination Unit. My duties involve the investigation of
individuals using various types of technology to produce, distribute, and trade child
pornography. I hold a University Degree in Information Technology and multiple
industry certifications that are recognized by the United States Department of Defense.
Additionally, I have completed all stages of FBI Cyber Training, including courses on
Advanced Network Investigative Techniques, Network Traffic Analysis, Ethical
Hacking, and Malware Analysis. As an FBI Special Agent, I have been, on a number of
occasions, tasked with the process of examining digital devices to determine whether

28

EXHIBIT B

 Case 3:15-cr-05351-RJB Document 207-2 Filed 05/19/16 Page 3 of 5

1 malware 1 was present on those devices and if so, to identify and analyze that malware.
2 The purpose of such analysis is to determine the impact that the malware may have had
3 on the device on which it resides or other devices with which the “infected” machine may
4 have communicated. I have conducted this malware identification and analysis in both
5 criminal and national security matters.
2.

6

In each instance when I have been tasked with identifying and analyzing

7 malware, I did not have advance knowledge of the specific malware for which I was
8 looking or even if malware was actually present, though there was reason to suspect the
9 presence of malware. I have nonetheless been able to locate, identify, and analyze
10 suspected malware notwithstanding the lack of advance knowledge about the particular
11 malware. In this declaration, I will lay out in general terms some of the steps that can be
12 taken to identify and analyze malware and provide additional detail concerning the
13 operation of the NIT used in the FBI investigation at issue in United States v. Michaud.
3.

14

As a threshold matter, I would note that I do not consider the NIT used by

15 the FBI to be “malware,” though the experts retained by Mr. Michaud describe the NIT in
16 such terms. The word malware is an amalgamation of the words “malicious” and
17 “software”. The NIT utilized in this investigation was court-authorized and made no
18 changes to the security settings of the target computers to which it was deployed. As
19 such, I do not believe it is appropriate to describe its operation as “malicious.”
4.

20

Prior to analyzing a device for traces of a malware infection and even

21 without knowledge of the specific type of malware involved, an investigator generally
22 has some information or indication of the presence of malware. For example, an
23 individual’s computer could be experiencing problems with programs failing to operate
24 as intended or a user may notice that data have inexplicably been deleted from the
25
26
27
28

1

The term “malware” generally refers to computer software that impairs the integrity or availability of data, a
program, a system, or information. Other common terms that describe various types of malware are “virus”,
“trojan”, and “worm”.

EXHIBIT B

 Case 3:15-cr-05351-RJB Document 207-2 Filed 05/19/16 Page 4 of 5

1 system. Malware may also be responsible for sending data across a network or across the
2 internet.
3

5.

If malware does in fact transmit data over the Internet in a similar fashion

4 to how the NIT transmitted data to an FBI controlled computer server, having a copy of
5 the transmitted network data would be a valuable tool that would assist with analyzing a
6 system and searching for malware. If the network data is not encrypted, it will generally
7 contain strings of plain text containing identifiers that can be used as search terms during
8 the course of a forensic analysis. Although the defense has declined to review the
9 network data available in this case, I have reviewed and analyzed that network data. My
10 review confirmed that it is not encrypted and contains various strings that would
11 generally be considered valuable during the course of forensic analysis. For example, a
12 defense expert who suspects that a given device was a target of the NIT could use these
13 search terms to try and assess whether there are any traces of the NIT still left on the
14 target device or if the NIT otherwise remains on the device.
15

6.

Utilization of search terms is just one avenue of analysis available to locate

16 and identify malware on a device. It is also possible to review the list of programs
17 designated to run when a device’s operating system loads. Such a review is a crucial step
18 in determining whether a computer may be infected with malware. After identifying and
19 eliminating from consideration known programs that the user intended to execute upon
20 startup, an investigator may focus on any remaining programs whose purpose is
21 unknown. In some instances, malware can be disguised as a legitimate program and can
22 be identified by comparison of the legitimate program’s file hash value against the hash
23 value of the suspect program.
24

7.

Where there is reason to suspect a storage device such as a USB drive or

25 even a cellular telephone has been infected with malware, an investigator can undertake a
26 dynamic analysis of any suspect files on that device and verify that those files either do or
27 do not have the ability to execute malicious code. The process of conducting a dynamic
28 malware analysis generally involves creating a copy of a suspect file and executing it in a

EXHIBIT B

 Case 3:15-cr-05351-RJB Document 207-2 Filed 05/19/16 Page 5 of 5

1 test environment. The state of the test environment is recorded prior to execution of the
2 file and various programs are active in the test environment that record changes to the
3 system. Additionally, various pieces of software or hardware can be utilized to capture
4 any network data generated by the file upon execution.
5

8.

I have personally executed the NIT on a computer under my control and

6 observed that it did not make any changes to the security settings on my computer or
7 otherwise render it more vulnerable to intrusion than it already was. Additionally, it did
8 not “infect” my computer or leave any residual malware on my computer.
9

9.

The devices seized from Mr. Michaud are available to the defense for

10 inspection and review, and I believe, based on my training and experience, that the
11 procedures describe above (among others) could be applied to those devices to determine
12 whether there is evidence suggesting that the NIT or a piece of malware was responsible
13 for the collection of child pornography found on Mr. Michaud’s devices.
14
15

EXECUTED: May 19, 2016.

16
17
18
19

_______________________
DANIEL ALFIN
Special Agent, FBI

20
21
22
23
24
25
26
27
28

EXHIBIT B