Case 4:16-cr-00016-HCM-RJK Document 37 Filed 05/06/16 Page 1 of 6 PageID# 327

IN THE UNITED STATES DISTRICT COURT
FOR THE EASTERN DISTRICT OF VIRGINIA
Newport News Division

UNITED STATES OF AMERICA

v.                                        Criminal No. 4:16cr16

EDWARD JOSEPH MATISH, III

DEFENDANT’S MOTION TO COMPEL DISCOVERY

Edward Matish, III, through counsel and pursuant to Federal Rule of Criminal Procedure 16(d), respectfully moves this Court for an order compelling discovery material to trial and the defense’s pending motions to suppress, ECF Nos. 18, 34.[1]

* * *

The defense asks the Court to order the government to provide the source code or programming code for the NIT it used to search Mr. Matish’s computer. The government has invoked a “law enforcement privilege” and stated its intent not to provide this data, even under a protective order. The defense is seeking a copy of the code so that a computer forensics expert can independently determine the full extent of the information the government seized from Mr. Matish’s computer when it deployed the NIT; whether the NIT interfered with or compromised any data or computer functions; and whether the government’s representations about how the NIT works are complete and accurate.

This forensic information is relevant to Mr. Matish’s First and Third Motions to Suppress. See United States v. Cranson, 453 F.2d 123, 127 n.6 (4th Cir. 1971) (“The defendant has remedies to secure pre-trial information on identification procedures undertaken by the Government in advance of trial as a basis for a motion to suppress.”); United States v. Wilford, 961 F. Supp. 2d 740, 756 (D. Md. 2013), on reconsideration in part (Nov. 27, 2013) (holding that “information material to the Motion to Suppress, although sought in connection with a pretrial proceeding, might alter the ‘quantum of proof’” at trial and is therefore discoverable under Rule 16). The discovery is also relevant to assessing other potential pretrial issues that the lack of discovery has thus far prevented the defense from being able to adequately evaluate. Indeed, one of the FBI’s lead investigators on the Playpen case has stated in a declaration that “[d]etermining whether the government exceeded the scope of the [NIT] warrant thus requires an analysis of the NIT instructions delivered to [the defendant’s] computer.” Decl. of FBI Special Agent Daniel Alfin in Support of Gov’t Mot. for Reconsideration, at ¶ 7, in United States v. Michaud, Crim. No. 15-5351, ECF No. 166-2 (W.D. Wash. Mar. 28, 2016).

[1] Because the hearings on these suppression motions are set for May 19, 2016, the defense requests that the Court set an expedited briefing schedule for this discovery issue.

The NIT source code is also material to preparing a defense at trial. For example, the defense needs access to the code to see how the government was purportedly able to link the information it collected to a particular computer or to a particular deployment of the NIT. The defense needs the NIT code to verify the government’s allegations that it deployed the NIT based on some specific action taken by Mr. Matish. And the defense needs to investigate the chain of custody for data collected remotely by the NIT. The need for the full NIT source code is discussed—albeit in more technical terms—in the attached declaration of Vlad Tsyrklevich, which was filed in support of a similar motion to compel discovery in Michaud. See Ex. A, Tsyrklevich Decl. from Michaud.

To date, the government has provided no actual evidence on these issues. Essentially, the defense is willing to provide the conclusions that it believes can be drawn from its technological evidence. But the defense has thus far been denied access to the evidence upon which the government’s proposed conclusions are based. Due process demands that Mr. Matish be afforded the opportunity to verify that the government’s evidence actually supports its allegations. The government’s monopoly on the forensic evidence will allow its expert to testify at trial about what the NIT did, how it collected information, and how it allowed the government to verify what the user of Mr. Matish’s computer was doing and when. By invoking the law enforcement privilege, the government seeks to deny Mr. Matish access to the underlying data upon which the government’s key expert testimony against him will rest.

The Court should note that, in connection with other NIT/Playpen cases, courts have ordered the government to make this very NIT programming code available to the defense for inspection and forensic analysis. See Order Granting Third Motion to Compel Discovery in Michaud, Crim. No. 15-5351, ECF No. 161 (W.D. Wash. Feb. 17, 2016) (ordering government to provide NIT source code in Playpen case). In other cases involving NITs, the Department of Justice has not invoked a “law enforcement privilege,” but rather has volunteered to make the programming code available for inspection by the defense. See, e.g., Ex. B, at 2 (Department of Justice notice and disclosure letter in United States v. Cottom, Crim. Nos. 8:13-108, 8:15-239 (D. Neb. Dec. 22, 2015), summarizing government’s disclosures about NIT “Flash application” used in that case, including “example programming code,” and extending an offer for defense inspection of the “compiled code for the NIT” stored on government server). Even in other Playpen cases the government has agreed to provide some components of the NIT source code. The government’s refusal to disclose the code in this case is therefore inconsistent both with its prior practice and with court orders rejecting the very privilege claim put forward here.

The defense has offered to enter into a protective order to address any legitimate confidentiality concerns the government may have about disclosing the code. Still, the Government says that it will not produce the code, asserting that it is “subject to law enforcement privilege.” To the extent the government needs to protect the confidentiality of the NIT code, confidentiality can be achieved through the entry of a protective order. Rule 16 and fundamental notions of due process preclude the government from refusing to allow the defense to inspect the key forensic evidence at issue in this case. Yet that is the government’s position. By invoking a law enforcement privilege, the government asks Mr. Matish and the Court to accept without verification the government’s representations about what the NIT is and how it works—questions critical to the defense’s pending motions and to trial. Here, the government used a sophisticated surveillance tool and then put Mr. Matish’s liberty at stake by initiating a prosecution based on information it gained through that surveillance. It cannot now, in fairness, claim that the means by which it obtained the evidence it plans to use against Mr. Matish is subject to a privilege that trumps Mr. Matish’s right to due process.

* * *

For the reasons stated above, Mr. Matish respectfully requests that the Court issue an Order for disclosure of the records and information sought by the defense, subject to such conditions or protections that the Court deems appropriate to address any legitimate confidentiality interests on the part of the Government.

Respectfully submitted,
EDWARD JOSEPH MATISH, III

By: _________/s/_______________
Andrew W. Grindrod
VSB # 83943
Assistant Federal Public Defender
Attorney for Edward Joseph Matish, III
Office of the Federal Public Defender
150 Boush Street, Suite 403
Norfolk, Virginia 23510
(757) 457-0800
(757) 457-0880 (telefax)
andrew_grindrod@fd.org

CERTIFICATE OF SERVICE

I certify that on the 6th day of May, 2016, I will electronically file the foregoing with the Clerk of Court using the CM/ECF system, which will send a notification of such filing (NEF) to the following:

Kaitlin Courtney Gratton
United States Attorney’s Office (Newport News)
721 Lakefront Commons, Suite 300
Newport News, VA 23606
(757) 591-4000
Email: Kaitlin.Gratton@usdoj.gov

By: _______________/s/____________________
Andrew W. Grindrod
VSB # 83943
Assistant Federal Public Defender
Attorney for Edward Joseph Matish, III
Office of the Federal Public Defender
150 Boush Street, Suite 403
Norfolk, Virginia 23510
(757) 457-0800
(757) 457-0880 (telefax)
andrew_grindrod@fd.org


Case 4:16-cr-00016-HCM-RJK Document 37-1 Filed 05/06/16 Page 1 of 5 PageID# 333

JUDGE ROBERT J. BRYAN

UNITED STATES DISTRICT COURT
WESTERN DISTRICT OF WASHINGTON
AT TACOMA

UNITED STATES OF AMERICA, Plaintiff,

v.                                        No. CR15-5351RJB

JAY MICHAUD, Defendant.

DECLARATION OF VLAD TSYRKLEVICH

I, Vlad Tsyrklevich, declare under penalty of perjury that:

1. I have been retained by Mr. Michaud’s defense team to conduct a forensic analysis of the “Network Investigative Technique” (NIT) that was used to search for and seize data in this case. A copy of my curriculum vitae is attached to this declaration.

2. On January 11, 2016, I received a password protected disc from the FBI which, according to the information I had been provided by defense counsel, would contain the programming (or “source”) code for the investigative technique. Prior to receiving this disc, I had reviewed and agreed to abide by the terms of a confidentiality agreement and protective order that had been drafted by the government.

3. After conducting an initial examination of the code that had been provided by the FBI, it was apparent to me that the code was incomplete. A brief explanation of how NITs work and their various components follows, along with an explanation of the missing aspects of the code.

FEDERAL PUBLIC DEFENDER
1331 Broadway, Suite 400
Tacoma, WA 98402
(253) 593-6710
DECLARATION OF VLAD TSYRKLEVICH (United States v Michaud; CR15-5351RJB) - 1 (Third Mtn to Compel Discovery)
A-001

4. The components of an NIT programming or source code and how they work: The NIT presented by the FBI works by using an “exploit,” a piece of software that takes advantage of a software “vulnerability” in the Tor Browser program. By exploiting this software vulnerability, the NIT is able to circumvent the security protections in the Tor Browser, which under normal circumstances, prevents web sites from determining the true IP address or MAC address of visitors. After exploiting the vulnerability, the NIT delivers a software “payload,” a predetermined set of actions, to computers that receive the payload (the “host computer”). The payload used by the FBI in this case collected and then transmitted identifying information about the host computer (including its IP address) along with a unique “identifier” used to associate the target with the identifying information that the NIT collects. As a result, these types of investigative techniques have four primary components:

   a. Software that generates a payload and injects a unique identifier into it.

   b. The “exploit” that is sent to the target computer to take advantage of a software flaw in the Tor Browser.

   c. The “payload” that is run on the target computer to extract identifying information about it (such as its IP address).

   d. An additional “server component” that stores and preserves the extracted information and allows investigators to access it.

5. What the FBI Produced and What is Still Missing: The government has provided us with one component of the payload (component “c”). However, it is unclear from the limited data provided so far whether the payload that has been provided was the only payload associated with the NIT or whether other payloads were executed. Moreover, the FBI has not furnished component “a” (the server component that generates the payload and injects an identifier); “b” (the exploit component); or “d” (the data preservation component). It is all of these components in combination, not just one or another of them, that constitutes a network investigative technique.

6. Why the Missing Components are Needed for a Complete and Accurate Analysis: The accuracy and potential admissibility of the evidence collected by the NIT depends on the accuracy of the data the government claims is associated with the computer that Mr. Michaud allegedly used to access “Website A.” In addition, defense counsel has informed me that he is seeking to determine if the NIT used in this case operated in the manner described in various warrant applications and whether its execution may have compromised any data or functions on the target computer. However, the materials provided by the FBI are insufficient to make these determinations or verify that the data extracted from the target computer is accurate for the following reasons:

   The software that generates a payload and injects a unique identifier into it (component “a”) is critical to understanding whether the unique identifier used to link a defendant to access of illegal content is actually unique. If the identifier is generated incorrectly, it could cause different users to be incorrectly linked to each other’s actions. It is important to note that errors in the use of cryptographic components are pervasive in modern software. The proper generation of unique identifiers hinges on the correct use of a “Pseudo-Random Number Generator,” a fundamental cryptographic technology that is frequently misused. Without the missing data, I am unable to make a determination about these issues.

   As noted, the “exploit” used in the NIT (component “b”) is intended to execute on the computer that is being identified. Analyzing and understanding the exploit component of the NIT is critical to understanding whether the payload data that has been provided in discovery was the only component executing and reporting information to the government or whether the exploit executed additional functions outside of the scope of the NIT warrant. Without the missing data about the exploit component of the NIT, I am unable to make a determination about these issues.

   In addition, the server component that stores the identifying information returned by the payload (component “d”) must faithfully store and reproduce the data it was sent. The correct use of data storage primitives and the programming practices used to avoid data corruption or tampering make analyzing this component of the NIT essential to understanding and verifying the digital “chain of custody” of information derived from the NIT. Without the missing data, I am unable to make a determination about these issues.

7. The importance of this data to Mr. Michaud’s preparation of his defense is hard to overstate because I am aware of a previous instance in which an NIT resulted in indiscriminate targeting. In August 2013, all of the websites hosted by “Freedom Hosting” -- a service, run from servers in France, that hosted websites accessible to users of the Tor network -- began serving an error message with hidden code embedded in the page.[1] That code was specifically designed to exploit a security flaw in a version of the Firefox web browser used to access Tor hidden servers.[2] According to an FBI agent who later testified in an Irish court, the Freedom Hosting service hosted at least 100 child pornography websites.[3] But the service also hosted a number of legitimate sites, including TorMail, a web-based email service that could only be accessed over the Tor network, and the Hidden Wiki, which one news site described as the “de facto encyclopedia of the Dark Net.”[4] Even though these sites were serving lawful content, the FBI’s “watering hole” attack was performed in an overbroad manner, delivering a NIT to visitors of all of the Freedom Hosting sites, not just to visitors of sites that were engaged in the distribution of illegal content. It is therefore important to Mr. Michaud’s defense and trial preparations to determine whether a similarly indiscriminate “watering hole” attack could have affected this case.

DONE this 13th day of January, 2016.

_________________________________
Vlad Tsyrklevich

[1] See Kevin Poulsen, FBI Admits It Controlled Tor Servers Behind Mass Malware Attack, Wired (Sept. 13, 2013), http://www.wired.com/2013/09/freedom-hosting-fbi/.
[2] See Goodin, Attackers Wield Firefox Exploit to Uncloak Anonymous Tor Users, Ars Technica (Aug. 5, 2013), http://arstechnica.com/security/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/.
[3] Poulsen, FBI Admits It Controlled Tor Servers Behind Mass Malware Attack, supra.
[4] Patrick Howell O’Neill, An In-Depth Guide to Freedom Hosting, the Engine of the Dark Net, The Daily Dot (Aug. 4, 2013), http://www.dailydot.com/news/eric-marques-tor-freedom-hosting-child-porn-arrest/.


Vlad Tsyrklevich
http://tsyrklevich.net
vlad@tsyrklevich.net
(858) 722-6490

Skills
Languages: C, Ruby, Assembly (x86/x64, PPC, ARM, MIPS, SPARC), C++/Objective-C, Java, Python, JavaScript

Work Experience

• Square, Security Engineer, San Francisco, CA and New York, NY, 04/2012 – Present
   – Low-level iOS and Android platform analysis in order to develop custom security assurances and anti-RE measures
   – Develop a complex client-server software protection scheme integrating with an external hardware module
   – Audit services in production datacenters and work with the platform team to fix flaws and introduce new security measures
   – Consult with software engineering teams on secure application development, PKI, and network architecture

• Irdeto, Senior Reverse Engineer, San Francisco, CA, 11/2011 – 04/2012
   – Analyze and defeat custom protection schemes implemented in user- and kernel-land on Windows
   – Work with partners on hardening their copy-protection mechanisms against reverse engineering
   – Evaluate both in-house and third-party anti-RE solutions for use by our partners and in our software

• SPARTA, Inc., Security Researcher, Centreville, VA, 05/2006 – 11/2011
   – Lead new research efforts in reverse engineering, vulnerability discovery and exploit development across Windows, Linux, and embedded platforms
   – Analyze undocumented network protocols and file formats in order to replicate behavior, bypass protection schemes and discover vulnerabilities
   – Reverse engineer armored and packed binaries and bypass anti-reverse engineering protection schemes
   – Develop low-level applications with high-speed, high-stealth and high-reliability considerations

Open Source

• Metasploit Framework, 2005 - 2006
   – Develop payloads for Windows, Linux, Solaris and other operating systems across multiple architectures
   – Port public exploits and write new exploits, shellcode encoders, nop generators and backend plug-ins

Education
University of California, Berkeley: B.A. Applied Math with a focus in Computer Science; GPA: 3.6

Presentations
• Co-speaker at Blackhat USA 2007: Single Sign-On for the Internet: A Security Story
• Speaker at Toorcon San Diego 2006: Polymorphic Shellcode at a Glance


Case 4:16-cr-00016-HCM-RJK Document 37-2 Filed 05/06/16 Page 1 of 13 PageID# 338
(Exhibit B, as previously filed: Case 8:13-cr-00107-JFB-TDT Doc # 318 Filed 11/07/14 Page 1 of 5, Page ID # 2124; Case 3:15-cr-05351-RJB Document 32-1 Filed 10/20/15 Page 1 of 13)

U.S. Department of Justice
Criminal Division
Child Exploitation and Obscenity Section
1400 New York Ave., NW, Suite 600
Washington, DC 20530
(202) 514-5780
FAX: (202) 514-1793

November 7, 2014

Dear Counsel:

Pursuant to Rule 16(a)(1)(G) of the Federal Rules of Criminal Procedure, the government hereby discloses that it intends to elicit testimony from Federal Bureau of Investigation (“FBI”) Special Agent (“SA”) Steven A. Smith, Jr. and FBI Supervisory Special Agent (“SSA”) P. Michael Gordon, under Federal Rules of Evidence 702, 703, or 705.

Pursuant to Rule 16(b)(1)(C) of the Federal Rules of Criminal Procedure, the government hereby requests from defendant disclosure of testimony he intends to use under Rule 702, 703 and/or 705 of the Federal Rules of Evidence as evidence at trial.

The CVs of SA Smith and SSA Gordon are attached. Their testimony will be based upon their respective knowledge, skills, training and experience in the areas of computer forensics, computer programming, computer networking and network management and analysis, computer forensic data acquisition and analysis, investigations in child exploitation cases, the Internet, and forensic analysis of digital media including computers, computer servers, and websites. They may also testify regarding the Internet, the forensic examination of computers and digital media, and how the Internet is used to trade child pornography. Specifically, they may testify about the following topics:

• The Onion Router (“Tor”) anonymity network, including its origin, structure, function, configuration and software applications; the Tor browser bundle; other methods to access the Tor network, such as tor2web and onion.to; and investigative strategies to identify users of the Tor network. Please note that detailed information about the Tor network, its structure and function, is publicly available at the Tor project website, www.torproject.org.
• the structure, operation, monitoring and seizure of data from the websites your clients are charged with accessing. Such testimony may include a description of the structure, function, and content of the website, including the child pornography available (as further described in your client’s Indictment, the search warrant affidavit authorizing the deployment of a Network Investigative Technique on the pertinent website, and the search warrant affidavit authorizing a search of your client’s residence, all of which you have been provided through discovery); unique session identifiers that track a user’s activity on the site; the particular web pages accessed by a user during one of those sessions; and particular child pornography images/videos accessed by a user during one of those sessions. Such testimony may include but not be limited to the operation of websites, computers and computer servers, and related technical terms/concepts including HTML, HTTP, PHP, Flash, and Javascript. Please note that a working offline copy of each of those websites has been made available to you and/or an expert of your choosing for examination. Further, through discovery, you were provided reports documenting data obtained from those computer servers, including data pertinent to your client’s actions on the site. In addition, as we have previously advised you, the computer server(s) that hosted the websites are, and remain, available for examination by you or your chosen expert.

• the “Network Investigative Technique” (“NIT”) that was deployed on each website and the admission of evidence obtained through the use of that technology. Such testimony may include: technical concepts underlying the use of technology such as the NIT, including but not limited to Flash, TCP, proxy servers, IP addresses, web browsers, computer servers, and exploits; the programming and operation of websites and computer servers; and the programming, testing and deployment of computer code on websites and computer servers; the configuration and deployment of the particular NIT utilized on the websites your clients accessed; and pre-deployment testing performed regarding the particular NIT utilized on the websites your clients accessed. You have previously been provided reports documenting data obtained via the use of the NIT, which includes IP address information, session identifier information, operating system and architecture type. We have also previously disclosed to you via e-mails dated September 4, 2014, and September 23, 2014, incorporated herein by reference, details regarding where the particular NIT code was obtained and how it operated. In particular, as described in my September 4, 2014, e-mail message, the technique utilized a Flash application that, when downloaded by a user and activated by their browser, made a direct TCP connection to a server that the FBI controlled. Depending on the operating system and version of the user's browser, the connection would bypass the browser's configured proxy server and reveal the user's true IP address. In addition, the NIT also sent the user's operating system name and architecture type. Please also see my September 4, 2014 e-mail for example programming code for the Flash application itself. Further, as noted above and in my September 4 and 23 e-mails, the computer servers that hosted the pertinent websites contain the compiled code for the NIT. Those servers have been, and remain, available for examination by an expert of your choice.
The experts disclosed herein may testify based upon their knowledge, skills, training and experience, as to any matters disclosed therein.

In order to avoid any confusion regarding the operation of the NIT, I offer the following further description of its functionality, about which the experts disclosed herein may testify. The NIT was a Flash application. Flash applications are commonly present on numerous Internet websites. The NIT did not consist of a virus or “malware.” The NIT took advantage of a potential vulnerability in the configuration of a user’s computer. When a user accessed a page on one of the pertinent websites where the NIT had been deployed, the NIT computer code would be downloaded to a user’s computer along with the images/text/content that made up that web page. If a user’s web browser was not configured to block Flash applications, then the NIT, once downloaded by a user’s computer, would cause the computer to send a communication (in other words, a request) to a government-controlled computer that revealed the computer’s IP address, a session identifier, the computer’s operating system and architecture. If a user’s web browser was configured to block Flash applications, then the NIT would not successfully cause the computer to send such a request. As of November of 2012, the up-to-date Tor browser bundle was configured to block such Flash applications. Accordingly, the NIT would not have revealed the IP address of such a user, or of a user who had manually configured his/her browser to connect to the Tor network and opted to block Flash applications.
Because none of your clients were using the up-to-date Tor browser bundle to access the website in question, and none of your clients configured his computer to block Flash applications, the NIT successfully identified your client’s IP address.

Special Agent Smith and Supervisory Special Agent Gordon may also testify based upon their knowledge, skills, training and experience in the area of computer forensics, computer forensic data acquisition and analysis, investigations in child exploitation cases, and the Internet, as to the following matters:

· regarding the Internet, which is a collection of computers and computer networks which are connected to one another via high-speed data links and telephone lines for the purpose of communicating and sharing data and information;

· that connections between Internet computers exist across state and international borders; and that the Internet is a means of interstate and international communication; indeed, information sent between two computers connected to the Internet frequently crosses state and international borders even when the two computers are located in the same state;

· regarding modems, and how a modem allows any computer to connect to another computer through the use of telephone, cable, or wireless connection. Electronic contact can be made to literally millions of computers around the world;

· regarding Internet Service Providers. Individuals and businesses obtain access to the Internet through businesses known as Internet Service Providers (“ISPs”). ISPs provide their customers with access to the Internet using telephone or other telecommunications lines; provide Internet e-mail accounts that allow users to communicate with other Internet users by sending and receiving electronic messages through the ISPs’ servers; remotely store electronic files on their customers’ behalf; and may provide other services unique to each particular ISP. ISPs maintain records pertaining to the individuals or businesses that have subscriber accounts with them. Those records often include identifying and billing information, account access information in the form of log files, e-mail transaction information, posting information, account application information, and other information both in computer data and written record format;

· regarding IP Addresses. An Internet Protocol address (“IP address”) is a unique numeric address used by each computer on the Internet. An IP address is a series of four numbers, each in the range 0-255, separated by periods (e.g., 121.56.97.178). Every computer attached to the Internet must be assigned an IP address so that Internet traffic sent from and directed to that computer may be properly directed from its source to its destination. Most ISPs control a range of IP addresses;

· that when a customer logs into the Internet using the service of an ISP, the computer used by the customer is assigned an IP address by the ISP. The customer's computer retains that IP address for the duration of that session (i.e., until the user disconnects), and the IP address cannot be assigned to another user during that period;

· regarding four basic functions computers and the Internet serve in connection with child pornography: production, communication, distribution, and storage;

· regarding how individuals can use computers and the Internet to meet, communicate with each other, and share files, including but not limited to websites, chat rooms, message boards, email, instant messaging, news groups, social networking sites, peer-to-peer programs, ICQ;

· regarding how child pornographers can transfer non-digital photographs from a camera into a computer-readable format with a scanner, and how digital cameras allow images to be transferred directly onto a computer. Digital cameras often embed information into digital pictures, known as metadata, that identifies the camera used to take the picture;

· regarding how a computer’s ability to store images in digital form makes the computer itself an ideal repository for child pornography. The size of the electronic storage media (commonly referred to as the hard drive) used in home computers has grown tremendously within the last several years. These drives can store hundreds of thousands of images and videos at very high resolution;

· regarding how digital images/videos can be stored on external storage media such as thumb drives, compact disks, external hard drives, mp-3 players, smart phones, and how digital images/videos can be easily transferred from one digital device to another;

· regarding dedicated online storage space, such as the “FTP,” or “File Transfer Protocol” site, and how such a site allows Internet users to maintain a massive and secure private library of child pornography that is available for viewing or download only by a certain group of individuals, such as members of the PedoBook online bulletin board;

· regarding user-created message boards, and how they can be easily created with free or inexpensive software and commercial web hosting companies;

· regarding forensic hashing, which is the process of using a mathematical function, often called an algorithm, to generate a numerical identifier for data (such as a particular file). If the data is changed, even very slightly (such as the addition or deletion of a comma or a period), the identifier should change. A hash value can be thought of as a “digital fingerprint” for data;

· regarding the use of a “hash set” which contains the hash values of image and video files associated with known identified victims of child pornography to determine whether these files are stored within a digital device;

· The process of obtaining and verifying an image of a computer media item, bit-stream copies, and Message-Digest algorithm 5 (MD5) hash values;

· Specialized computer terms, including, but not limited to, terms mentioned in this notice and in his report, such as “.html,” “.lnk,” “.jpg,” “.mpg,” “.avi,” “cookie file,” and “file slack;”

· Evidence of web browsing activity and e-mail communications, including, but not limited to, fragments of web pages accessed, cookie files, e-mail messages, and other Internet-based communications stored in locations including, but not limited to, the temporary Internet file folders, file slack, and unallocated space;

· The operation, analysis and investigation of websites, bulletin boards, social networking platforms and other Internet technologies dedicated to the sexual exploitation of children;

· Online undercover tactics and techniques pertinent to the investigation, identification and apprehension of suspects engaging in online sexual exploitation of children;

· Methods, tactics and techniques of individuals who seek to exploit children online.

Please contact me, Assistant U.S. Attorney Michael Norris or Trial Attorney Sarah Chang if you have any questions about any of the information provided.
Sincerely,

/s/ Keith Becker
Keith Becker
Trial Attorney
Child Exploitation and Obscenity Section
Criminal Division
United States Department of Justice

Enclosures

P. MICHAEL GORDON
801 International Drive
Linthicum Heights, MD 21090

PROFESSIONAL EXPERIENCE

United States Department of Justice, Federal Bureau of Investigation - Special Agent, 03/1999 - Present

New Orleans Field Office, 07/1999 - 02/2007
Investigated federal white collar crime violations for approximately two years. Investigated cyber crimes for approximately six years, to include cyber intrusions, and served on the regional Cyber Action Team.

Innocent Images National Initiative, 08/2004 - 02/2007
Served as the National Initiative case agent for the New Orleans Field Office Innocent Images investigation. Conducted 79 original method Peer to Peer file share investigation sessions. Participated in the testing and development of the eP2P FBI investigative tool.

FBI Assignments
Hazardous Material Response Team (HMRT), 10/1999 - 02/2007
Assistant Team Leader, HMRT, 06/2002 - 02/2007
Relief Supervisor, 03/2005 - Present
Cyber Squad, New Orleans, 03/2005 - 02/2007
Major Case Coordination Unit, FBIHQ, 02/2007 - 03/2014
Violent Crimes Against Children Unit, FBIHQ, 03/2014 - Present

FBI Innocent Images Unit / Major Case Coordination Unit, 02/2007 - 03/2014
Assigned to investigate international and domestic incidents of child exploitation and the use of file sharing networks in the distribution of child pornography. Lead investigations focused on the identification, location, and arrest of individuals and groups involved in the trade, distribution, and production of child pornography and the sexual exploitation of children via the Internet.

Operation Achilles, 02/2007 - 02/2009
Served as the co-case agent investigating an international enterprise focused on individuals who utilized newsgroups and sophisticated security practices such as multiple layers of encryption for messages and content and regular use of proxy IP addresses for the trade and distribution of child pornography. The case was the first conviction under Title 18, U.S.C. 2252A and resulted in seven life sentences for 14 indicted subjects. The case won the Criminal Division’s Assistant Attorney General Award.

Operation Green Ocean, 08/2010 - 12/2012
Served as the case agent investigating an international conspiracy involving 21 individuals utilizing Facebook to traffic child pornography images. Six U.S. targets were convicted and sentenced.

Foreign Bulletin Board, 10/2011
Oversaw the review and triage of a foreign language bulletin board which consisted of over 177 thousand sub-forums, 119 thousand threads, and over 76 thousand active posters responsible for over 1.7 million posts, over 125 thousand attached image files, and over 1 million links to third-party hosting sites. Additional translation of posts, categorization of attached files, and geolocation of over 520 thousand unique IP addresses was necessary in order to determine potential targets based on the volume of data.

FBI Violent Crimes Against Children Unit, 03/2014 - Present
Currently assigned as program coordinator for online child exploitation investigations and special projects.

COMPUTER TRAINING
Basic Innocent Images Training, 04/2003
Dallas Crimes Against Children Conference, 08/2006
Image Scan Training, 11/2006
Advanced Innocent Images Training, 04/2007
A+ Certification, 04/2009
Net+ Certification, 12/2009
Cyber Special Agent Career Path Stage II Completed, 10/2009
Cyber Special Agent Career Path Stage III Completed, 12/2009
Cyber Special Agent Career Path Stage IV Completed, 04/2011

INSTRUCTIONAL EXPERIENCE

U.S. Instruction
IACLEA Southeast Region, New Orleans, LA, 2005
ROCIC Conference, Greensboro, SC, 2005
Enhanced Peer-to-Peer Training, Lake Charles, 03/2006
Local LE training, Baton Rouge, Louisiana, 2006
FBI Basic Online Undercover Training (Innocent Images), 2007 - Present
Online Covert Employee Course, 2008 - Present
National ICAC Conference, San Jose, CA, 05/2007 - eP2P file share investigation techniques
National ICAC Conference, Columbus, OH, 05/2008 - eP2P file share investigation techniques
ICAC Training Class, NCMEC, Alexandria, VA, 2008 - eP2P file share investigation techniques
Regional ICAC Conference, San Jose, CA, 05/2009 - Operation Achilles (co-presenter)

Overseas Instruction
International Training Assistance Unit, Poland, 2004 - Basic Cyber Crime Overview and Techniques
International Training Assistance Unit, United Arab Emirates, 2005 - Basic Cyber Crime Overview and Techniques
International Training Assistance Unit, Romania, 2006 - Basic Cyber Crime Overview and Techniques
Pacific Training Initiative, Thailand, 2007 - Innocent Images Overview and Techniques
Pacific Training Initiative, Philippines, 2009 - Innocent Images Overview and Techniques

COURTROOM TESTIMONY
United States v. Robert Myron Latham, DNV, 2008 - Testified as the investigating undercover agent and to the methods, procedures and function of P2P file sharing
United States v. Andrew Edward Flyer, DAZ, 2008 - Testified as an expert in P2P investigative techniques
United States v. William Ernest Fuller, DAZ, 2008 - Testified as an expert in P2P investigative techniques
United States v. James Freeman, et al. (Op. Achilles), NDFL, 2009 - Testified on six occasions to identification of subjects and forensic review of the computer evidence
United States v. David Chiaradio, DRI, 2010 - Testified as an expert on the eP2P investigative tool
United States v. Max Budziak, NDCA, 2011 - Testified as an expert on the eP2P tool and file share investigations
State of Illinois v. Manuel Sanchez, 2011 - Testified as the investigating undercover agent and methods, procedures and function of P2P file sharing
United States v. Paul Stanley, DMD, 2012 - Testified as expert in P2P programs and investigations
United States v. James Driver, EDMI, 2012 - Testified as expert in P2P programs and investigations
United States v. Christopher Myers, DMD, 2012 - Testified as expert in P2P programs and investigations
United States v. Alan Clifton, DMD, 2013 - Testified as expert in P2P programs and investigations
United States v. Timothy Defoggi, DNE, 2014 - Testified as expert in online investigations, Internet / anonymous network basics, websites that facilitate the trafficking of child exploitation material, and methods/tactics/operations of trafficking child exploitation material via the Internet
United States v. Paul Wencewicz, et al., DMT, 2014 - Testified as expert regarding investigations related to online bulletin boards

EDUCATION
United States Naval Academy, Bachelor of Arts, Physics, 1993

MILITARY EXPERIENCE
United States Marine Corps, 1993 - 1999
The Basic School (TBS) and Basic Armor Officer Course, 1993 - 1994
Platoon Commander, 1st Tank Battalion, Bravo Company, 1994 - 1996
Executive Officer, HQ Service Company, 1st Tank Bn, 1996 - 1997
Project Officer, Marine Corps Warfighting Lab, 1997 - 1999

Steven A. Smith Jr.
2635 Century Parkway NE
Atlanta, GA 30345

PROFESSIONAL EXPERIENCE

United States Department of Justice, Federal Bureau of Investigation - Special Agent, 11/2007 - Present

Cleveland Field Office, Toledo Resident Agency, 11/2007 - 10/2011
Investigated federal crimes involving the possession, receipt, distribution and production of child pornography and cyber crimes involving phishing/vishing attacks, VoIP intrusions, website intrusions, ACH fraud, botnets, credit card fraud, and Distributed Denial of Service (DDoS) attacks.

FBI Violent Crimes Against Children, Major Case Coordination Unit, Headquarters, 10/2011 - 10/2014
Investigated international and domestic incidents of child exploitation and the use of bulletin board systems in the distribution of child pornography. Involved in the review and triage of over 15 bulletin boards of varying types. Lead investigations focused on the identification, location, and arrest of individuals and groups involved in the trade, distribution, and production of child pornography and the sexual exploitation of children via the Internet.
Foreign Bulletin Board, 12/2011 - 02/2012
Developed the technique and process for the review and triage of a foreign language bulletin board which consisted of over 177 thousand sub-forums, 119 thousand threads, and over 76 thousand active posters responsible for over 1.7 million posts, over 125 thousand attached image files, and over 1 million links to third-party hosting sites. In addition, translation of posts, categorization of attached files, and geo-location of over 520 thousand unique IP addresses was necessary in order to identify potential targets based on the volume of data.

Atlanta Field Office, 10/2014 - Present
Currently assigned to investigate cyber crimes, to include computer intrusions.

FBI Assignments
Digital Evidence Extraction Technician (DExT), 12/2011 - Present
Relief Supervisor, 04/2010 - Present
Toledo RA, Cleveland, 04/2010 - 10/2011
Major Case Coordination Unit, FBIHQ, 10/2011 - 10/2014
Cyber Squad, Atlanta Field Office, 10/2014 - Present
Coordinator, Northern Ohio Cyber Crime Task Force, 04/2010 - 10/2011
Northwest Ohio InfraGard Chapter, 04/2009 - 10/2011

Regal Lager, Inc., Information Technology Manager, 02/2002 - 11/2007
Member of the Senior Management Team and responsible for the overall technology direction of the company, to include long-term goals, policies and procedures. Broad range of daily responsibilities included the security, availability, configuration and maintenance of the network, servers, desktop computers, laptops, mobile devices and corporate software applications; troubleshooting any computer related problems; and training personnel on systems usage and best practices. Also developed and maintained the company website and ecommerce presence.

Get Functional, Freelance Consultant, 02/2000 - 11/2007
Worked with companies to improve business processes and integrate disparate systems. Developed web sites for new web based companies and for existing companies creating a presence on the Internet for the first time.

Industrial Metal Fabricators, Inc., University Cooperative Program, 09/1995 - 08/1999
Responsible for maintaining and supporting the company’s network, computers and software applications. As part of this responsibility, developed and implemented a network migration from a Novell coax network to a Windows NT 10-BaseT network by designing the new network, gathering requirements, purchasing equipment and performing the migration. Researched, analyzed and coordinated the migration from an analog phone switch to an ISDN based phone system. Also developed the company’s first website.

COMPUTER TRAINING
Microsoft Certified Systems Administrator (MCSA)
Microsoft Certified Systems Engineer (MCSE)
Cisco Certified Network Associate (CCNA)
Network+ Certification
Cyber Special Agent Career Path Stage III Completed
Unix Intrusion Techniques
Online Covert Employee Certification
Image Scan Training
Dallas Crimes Against Children Conference
A+ Certification
Cyber Special Agent Career Path Stage II Completed
Advanced Network Investigation Techniques - Windows
Basic Innocent Images Training
Intrusion Response
Dallas Crimes Against Children Conference
CART 101 Training
AccessData Boot Camp
P2P Instructor Training
Dates: 01/2004, 01/2004, 01/2009, 02/2009, 03/2009, 08/2009, 08/2009, 02/2010, 02/2010, 03/2010, 03/2010, 07/2010, 08/2010, 09/2010, 11/2011, 05/2012

INSTRUCTIONAL EXPERIENCE

U.S. Instruction
Bowling Green State University, Bowling Green, OH, 10/2009
Northwest Ohio ISACA Chapter, Bowling Green, OH, 01/2011
FBI VCAC International Taskforce Training, Linthicum, MD, 08/2012
-P2P file share investigative techniques
-On-scene triage techniques
DOJ Project Safe Childhood Conference, Columbia, SC, 02/2013
-Anonymization and encryption
FBI VCAC International Taskforce Training, Alexandria, VA, 08/2014
-Investigating Anonymous Networks

Overseas Instruction
Romanian Directorate for Combating Organized Crime, Romania, 06/2011
-P2P file share investigative techniques
Italian Postal and Communication Police, Italy, 03/2012
-On-scene triage techniques
Italian Postal and Communication Police, Italy, 04/2012
-Innocent Images Overview and Techniques
-On-scene triage techniques
FBI VCAC International Taskforce Coordination Meeting, Peru, 06/2012
Dutch National Police Conference, Netherlands, 04/2013
-Bulletin Board and P2P IP analysis
FBI VCAC International Taskforce Coordination Meeting, Netherlands, 05/2014

COURTROOM TESTIMONY
United States v. Timothy DeFoggi, District of Nebraska, 2014
Testified as an expert witness regarding the following:
-Operation of websites and online bulletin boards
-Computer networking
-Computer forensics
-Forensic artifacts pertaining to the use of websites
-Investigation and analysis of websites and online communities dedicated to the exploitation of children
-Methods, tactics and techniques of individuals seeking to exploit children online

EDUCATION
Georgia Institute of Technology, Bachelor of Science, Computer Science, 2003