822 K2B3SCH1 2 UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK ------------------------------x 3 UNITED STATES OF AMERICA, 4 v. 1 5 JOSHUA ADAM SCHULTE, 6 7 S2 17 Cr. 548 (PAC) Defendant. Trial ------------------------------x New York, N.Y. February 11, 2020 9:15 a.m. 8 9 Before: 10 HON. PAUL A. CROTTY, 11 District Judge -and a jury- 12 13 14 15 16 17 18 19 20 APPEARANCES GEOFFREY S. BERMAN United States Attorney for the Southern District of New York BY: MATTHEW J. LAROCHE SIDHARDHA KAMARAJU DAVID W. DENTON JR. Assistant United States Attorneys SABRINA P. SHROFF JAMES M. BRANDEN Attorneys for Defendant -andDAVID E. PATTON Federal Defenders of New York, Inc. BY: EDWARD S. ZAS Assistant Federal Defender 21 Also Present: 22 23 24 Colleen Geier Morgan Hurst, Paralegal Specialists Achal Fernando-Peiris John Lee, Paralegals Daniel Hartenstine Matthew Mullery, CISOs, Department of Justice 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 823 K2B3SCH1 David - Direct 1 (In open court; jury present) 2 THE COURT: 3 You're still under oath. 4 THE WITNESS: 5 MR. DENTON: 6 Good morning. All right, Mr. Denton. Yes. Thank you, your Honor. DAVID, 7 called as a witness by the Government, 8 having been previously sworn, testified as follows: 9 DIRECT EXAMINATION (Continued) 10 BY MR. DENTON: 11 Q. Good morning, sir. 12 A. Good morning. 13 Q. I want to pick up where we left off yesterday with some of 14 the events of April 20, 2016. 15 MR. DENTON: Ms. Hurst, can we bring up Government 16 Exhibit 1069, please. 17 Q. 18 happened for a second. 19 e-mail about the infrastructure changes yesterday? 20 A. Yes. 21 Q. What time was that e-mail sent? 22 A. The e-mail was sent April 20, at 15:58, almost 4 o'clock 23 p.m. 24 Q. Do you see next to that where it says GMT minus 04? 25 A. Yes. I just want to go over the times that some of these things Do you remember taking a look at this SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 824 K2B3SCH1 David - Direct 1 Q. What does that indicate? 2 A. From Greenwich Mean Time is four hours less than Greenwich 3 Mean Time, which would be Eastern Standard Time. 4 MR. DENTON: So, if we could then go, Ms. Hurst, to 5 Government Exhibit 1203-25. 6 Q. Do you remember taking a look at this yesterday, sir? 7 A. I do. 8 Q. And the top line that's highlighted in black there that 9 ends in initiated lazy snapshot BKUP? 10 A. Yes. 11 Q. What's the date and time of that entry? 12 A. The date and time is April 20, 2016, at 21:30 Zulu, 13 Greenwich. 14 Q. And what does that translate to in local time? 15 A. That is four hours less. 16 about 5:30 p.m. 17 MR. DENTON: So, that would be -- it would be If we could skip ahead to Government 18 Exhibit 1202-18. 19 Q. 20 that ends in revert to snapshot BK 4-16-2016. 21 Again for the the top line here that's highlighted in black What's the date and time for that entry? 22 A. The date is April 20, 2016, the time is 17:35 or 23 approximately 5:30 p.m. 24 Q. Is that local or Zulu time? 25 A. That would be local time, Eastern Standard Time. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 825 K2B3SCH1 David - Direct 1 MR. DENTON: 2 to Government Exhibit 1207-30. 3 four or five lines, that would be great. 4 Q. 5 March 3, 2016, was last accessed? 6 A. It was last accessed on April 20, 2016, at 5:43 p.m. 7 Q. So, I want to pick up from there, sir, if we could. If we can just blow up the top Sir, what is the date and time the file that was created on 8 9 Then finally, Ms. Hurst, if we could go And Ms. Hurst, can we put up Government Exhibit 1203-38. 10 Sir, I think this was something we looked at earlier 11 in your testimony yesterday. Do you remember that? 12 A. Yes. 13 Q. And you talked about how these were the kinds of files you 14 used to audit user activity on the system? 15 A. Yes. 16 Q. So, I want to start with the first line that's highlighted 17 in black there which ends in LS-AL. 18 A. Yes, I do. 19 Q. Do you know what that means? 20 A. That is a directory listing, a listing of all the files 21 and/or directories in this directory on the ESXi server. 22 Q. And what sorts of files are listed in this directory? 23 A. These are all the files that make up the Confluence virtual 24 machine. 25 the VSWP are swap drives, there's the VMX which are Do you see that? The dot BUDK files are basically virtual hard drives, SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 826 K2B3SCH1 David - Direct 1 configuration files which describe how the virtual machine is 2 set up as far as processors or memory. 3 Q. 4 happens automatically or is that a user command? 5 A. That's a user command. 6 Q. Then, down towards the bottom, we talked a little bit 7 yesterday about the six files that end in dot log. 8 that? 9 A. I do. 10 Q. So if I can ask you, you see the line that ends in 11 VMware-8.log? 12 A. Yes. 13 Q. Is there a date and time for that file? 14 A. Yes, that was created on April 16, around 5:42 p.m. 15 Q. Did you do anything in the Confluence VM on April 16, 2016? 16 A. Yes. 17 Q. Then the two files below that, VMware-9.log and VMware.log. 18 Is there a date and time for those files? 19 A. 20 which is 10:38 p.m. 21 later. 22 Q. Did you do anything in the Confluence VM on April 20, 2016? 23 A. I did not. 24 Q. If we can go down two lines below that, sir. 25 the line that ends in RMVMware-9.log? That directory listing, the LS-AL, is that something that Yes. Do you see We changed the administrative permissions, SSH keys. They're April 20, at 22:38, which is fairly late, And the subsequent one is a couple seconds SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Do you see 827 K2B3SCH1 David - Direct 1 A. Yes. 2 Q. Do you know what that means? 3 A. That means remove or delete that log file. 4 Q. What about the entry below that that ends in RMVMware.log? 5 A. RM is remove, and that is a deletion of VMware.log. 6 Q. Did the defendant have any administrative reason to review 7 log files for Confluence on April 20, 2016? 8 A. No. 9 Q. Did you delete any log files from Confluence on the evening 10 of April 20, 2016? 11 A. No. 12 Q. As a general matter, would you delete log files in your 13 practice as a system engineer? 14 A. 15 possibly delete them is if there was a space issue on the 16 server. 17 Q. Why wouldn't you delete log files? 18 A. Log files are an audit trail. 19 for problems the server may or may not be having at particular 20 times. 21 how servers are running, and troubleshooting future problems 22 that they may have. 23 Q. 24 VMware, have on your ability to audit user activity on DevLAN? 25 A. I would never delete log files. The only time I would They also show performance They are very important for historical purpose as to What effect did deleting these log files, VMware-9 and I wouldn't be able to see what happened during that time SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 828 K2B3SCH1 1 David - Direct period relating to that virtual machine. 2 MR. DENTON: Ms. Hurst, if we can bring up Government 3 Exhibit 1202-19 which is another log file from the defendant's 4 DevLAN machine. 5 Q. 6 sir? 7 A. Yes. 8 Q. What is the date and time for that entry? 9 A. That is April 20, at 6:51 p.m. Eastern Standard Time. 10 Q. What does that top line say? 11 A. "Current state of the virtual machine will be lost unless 12 it has been saved in a snapshot. Do you see the top line that's highlighted in black there, 13 MR. DENTON: Revert to snapshot BKUP." Ms. Hurst, would it be possible to also 14 put up Government Exhibit 1203-25? 15 Q. 16 snapshot BKUP? 17 A. As far as the evidence goes, yes. 18 Q. Is that the same snapshot that was taken earlier that day 19 that's shown in Government Exhibit 1203-25? 20 A. 21 So, focusing on the left on 1202-19. Do you recognize Yes. MR. DENTON: Ms. Hurst, we can go just to 1202-19. 22 Q. Sir, did you revert to snapshot BKUP on April 20, 2016, at 23 6:51 p.m.? 24 A. I did not. 25 Q. We have been talking during your testimony about two SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 829 K2B3SCH1 David - Direct 1 different reversions, first to the April 16 backup and now to 2 this one. 3 Once a system has been reverted to a snapshot, is 4 there ever a reason to go back like this? 5 A. No. 6 Q. Why not? 7 A. If you're in my line of work, if you revert to a snapshot, 8 there's something that happened to the current state of the 9 machine that is either extremely difficult to fix, or is 10 unfixable. If I were to revert to a snapshot, we would stay on 11 that reverted snapshot until the problem would be solved or a 12 better path could be identified for updating or upgrading that 13 server. 14 Q. 15 highlighted in black. 16 full line that says "finish revert on virtual machine 17 snapshot-57 snapshot-3"? 18 A. Yes. 19 Q. What does that indicate? 20 A. That indicates that snapshot-3, which if you saw in some of 21 the earlier documentation, that's an internal name for VMware, 22 that that revert finished, and on April 20, at 6:51. 23 Q. 24 relationship between snapshot-3 and the description BKUP in 25 that top line? We would never go forward again after that fact. If we can look at the last two lines here that are Do you see in the middle of the last When you say it's an internal name, what is the SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 830 K2B3SCH1 David - Direct 1 A. Basically, the BKUP is what they call a friendly name. It 2 is what the person that configures that snapshot to be called 3 for remembering what it is. 4 snapshots usually with a backup and a date, so I know when that 5 snapshot was taken. For example, I name all my 6 Internally to ESXi or VMware, they have internal names 7 as to the number of the latest snapshot, which in this case was 8 internal snapshot number three. 9 MR. DENTON: So, if we could then go to Government 10 Exhibit 1202-21, another forensic file from the defendant's 11 computer. 12 Q. 13 there? 14 A. Yes. 15 Q. What's the date and time for that entry? 16 A. The date and time is April 20, 2016, at 6:55 p.m. 17 Q. What does the rest of that line say? 18 A. "Confirm delete, are you sure you want to delete this 19 snapshot?" 20 Q. Under what circumstances would you delete a snapshot? 21 A. The only reason I would personally delete a snapshot is in 22 the event of a successful upgrade to that virtual machine. 23 would do that after a period of time that the upgrade had been 24 proven to be successful, typically a week or two, and then we 25 would go back and clean up the snapshots. Thank you, Ms. Hurst. Sir, do you see the top line that's highlighted in black SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 I 831 K2B3SCH1 David - Direct 1 Q. On April 20, 2016, did you delete any snapshots of 2 Confluence? 3 A. I did not. 4 Q. On that date, did the defendant have any administrative 5 reason to delete snapshots in Confluence? 6 A. He did not. 7 Q. Do you see the next line below, sort of starting in the 8 middle, where it says "start remove on virtual machine 9 snapshot-57 snapshot-3"? 10 A. Yes. 11 Q. Which snapshot is that referring to? 12 A. That's referring to the snapshot BKUP. 13 Q. And did that removal or deletion complete? 14 A. Yes, it did. 15 Q. When did it complete? 16 A. On April 20, at 6:55 p.m. 17 MR. DENTON: Thank you. 18 Ms. Hurst. 19 Q. 20 spring, early summer of 2016. 21 A. 22 We can take that down, I want to leave April 20 and move forward to sort of late Okay. MR. DENTON: If we can bring up Government Exhibit 23 1079, please. Can we blow up the bottom e-mail. 24 Q. Sir, who sent this e-mail? 25 A. Josh Schulte. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 832 K2B3SCH1 David - Direct 1 Q. Who did it get sent to? 2 A. This was sent to our branch, ISB. 3 Q. Did you receive it? 4 A. I did. 5 Q. When was it sent? 6 A. This was sent on Thursday, May 26, at 12:39 p.m. 7 Q. What is the defendant asking for in this e-mail? 8 A. The defendant is asking for admin privileges for a project 9 within Stash called Brutal Kangaroo. 10 Q. Do you know anything about Brutal Kangaroo? 11 A. No, not really. 12 Q. At this time, in May, late May of 2016, was there a process 13 in place for developers to request access to projects? 14 A. There was. 15 Q. What was that process? 16 A. The process was the developers were required to request 17 permission to projects and changes to projects through their 18 branch manager or branch chief, and that branch chief was to 19 send the request via e-mail to our group in ISB. 20 MR. DENTON: If we can go to the top e-mail in this 21 page, Ms. Hurst. 22 Q. Who sent this e-mail? 23 A. I did. 24 Q. Who did you send it to? 25 A. I sent it to the defendant, Josh Schulte. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 833 K2B3SCH1 David - Direct 1 Q. Anyone else? 2 A. I cc'd -- actually it was to my group as well, to let them 3 know I had completed the work. 4 Q. When you say you completed the work, what did you do? 5 A. I added Josh as the admin -- as an admin to the project 6 Brutal Kangaroo. 7 Q. 8 did that? 9 A. I did not. 10 Q. After you gave the defendant administrative privileges to 11 Brutal Kangaroo, did you do anything else about that? 12 A. 13 verbally had a conversation with Anthony Leonis. 14 Q. 15 when you had any further conversations with Anthony about 16 Brutal Kangaroo? 17 A. 18 down and reviewed all the audit data and configurations for the 19 project Brutal Kangaroo. 20 Q. 21 conversations took place? 22 A. 23 I don't remember, it was quite a while ago. 24 Q. 25 file? Did you follow the policy that you just described when you I did. I realized the mistake I had made, and I went and Other than that conversation, did there come another time Yes. A period of time after that, we -- Anthony and I sat Just to be clear, do you remember exactly when those I don't remember specifically. It was a week, maybe two. You said you reviewed something about the audit for the SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 834 K2B3SCH1 David - Direct 1 A. Yes. 2 Q. Did you have an understanding of why you were doing that? 3 A. Not specifically, no. 4 Anthony, and we were having some problems with some of the -- 5 with a developer. 6 Q. 7 Kangaroo around that time? 8 A. 9 requested to remove all administrative controls from that It was more of a request from Did Anthony ask you to do anything with respect to Brutal Around that time, some time after that, I was -- we were 10 project as well as user access, and only put Anthony down as 11 the sole project admin or person who could access it. 12 Q. Again, do you remember why you were asked to do that? 13 A. There was problems with Josh with that project. 14 get into specifics with it. 15 and this needed to be handled. 16 Q. 17 described, did you ever do anything else in connection with 18 Brutal Kangaroo? 19 A. I didn't They just said there was a problem Other than those couple of things you've just now No. 20 MR. DENTON: Thanks, Ms. Hurst. We can take that 21 down. 22 Q. 23 moment, okay? 24 A. Okay. 25 Q. Did there come a time in that period when you learned that Sir, I want to ask you to focus on the spring of 2017 for a SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 835 K2B3SCH1 David - Direct 1 information from EDG had been posted on WikiLeaks? 2 A. Yes. 3 Q. Were you working that day when you learned that? 4 A. I was. 5 Q. What happened? 6 A. We were notified some time midmorning that a lot of the 7 tools and things that we did were posted to WikiLeaks under a 8 project called Vault 7. 9 what to do. 10 There was a lot of confusion as to Eventually throughout the course of the day, we ended 11 up shutting down access to the network by disabling all the 12 user accounts and shutting off the internet as well. 13 Q. When you say "the network," what do you mean? 14 A. The DevLAN network was -- we turned off all the user 15 accounts so no one could log in. 16 Q. Why did you do that? 17 A. That was at the request of our management to try and 18 preserve what was left on the system so that the FBI and folks 19 could come and we could start figuring out what happened. 20 Q. 21 have on the work of EDG? 22 A. 23 period of time. 24 Q. 25 still in your server room at the CCI office? What effect did disabling all of the user access to DevLAN It shut EDG down. No one could do anything for a long Are the servers and various components that made up DevLAN SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 836 K2B3SCH1 David 1 A. No, everything has been removed and is either in FBI 2 custody or in secure storage. 3 MR. DENTON: 4 THE COURT: 5 MR. DENTON: 6 THE COURT: Just have a moment, your Honor? Yes. Nothing further, your Honor. Ms. Shroff. 7 CROSS-EXAMINATION 8 BY MS. SHROFF: 9 Q. Good morning, sir. 10 A. Good morning. 11 Q. Let me just start with the access logs that Mr. Denton 12 showed you, right? 13 A. Okay. 14 Q. And he showed them to you a couple of times, right? 15 showed you the access log and then he showed you a time next to 16 it. 17 A. Yes. 18 Q. And he focused on it yesterday in direct and again this 19 morning, correct? 20 A. Yes. 21 Q. Sitting here today, do you know who accessed those logs? 22 23 Correct? You don't know, right? A. 24 25 He I'm sorry, in regards to? MS. SHROFF: A. Could you pull up the exhibit for him. We've looked at a lot of logs. I'm not sure which one SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 837 K2B3SCH1 David 1 you're referring to. 2 Q. 3 give it a second. 4 of you, sir? 5 A. I do not. 6 Q. Okay. 7 Exhibit 1207-27 and Government Exhibit 1207-30. 8 to show them to you, sir? 9 A. Yeah, if you don't mind. 10 Q. Okay. That's all right. They'll pull it up in a minute. Just Do you have a copy of the documents in front Let me see if I can help you out. 11 THE COURT: 12 MS. SHROFF: 13 THE COURT: It's Government Do you want me What are the numbers again, Ms. Shroff? 1207-27 and 1207-30. Thank you. 14 Q. Looking at these logs, you said they're logs, right? 15 A. These are not logs. 16 Q. I'm sorry? 17 A. These are not logs. 18 Q. Okay. 19 A. These are directory listings of the Altabackup which was an 20 NFS share on the NetApp used for backup purposes. 21 Q. 22 testified on direct that you can read the access times, 23 correct? 24 A. You can see the access times, yes. 25 Q. From seeing the access times, can you see if whatever was Okay. It tells -- whatever they are, it tells you, and you SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 838 K2B3SCH1 David 1 accessed was ever downloaded? 2 A. 3 usually the -- 4 Q. 5 if you know, sitting here today, from this document, that it 6 was actually downloaded; yes or no? 7 A. Yes. 8 Q. You can tell sitting here today that something was 9 downloaded after an access? We can see that it was accessed at a specific time, which I'm not asking you what it usually means. I am asking you, 10 A. Data access usually means a download. 11 Q. I didn't ask you what it usually means. 12 whether you can tell. 13 A. Not from this document, no. 14 Q. Exactly. 15 this document I mean 1207-27 or 1207-30 -- sitting here today, 16 sir, you cannot tell whether anything was copied after access. 17 Correct? 18 A. No. 19 Q. Okay. 20 I'm asking you And you cannot tell from this document -- and by MS. SHROFF: You can take that down. 21 Q. You talked a lot on direct about the system, correct? 22 DevLAN system? 23 A. Yes. 24 Q. Okay. 25 said that you thought it was a secure system. This And you testified, and correct me if I'm wrong, you SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Is that what you 839 K2B3SCH1 David 1 said? 2 A. It was fairly secure. 3 Q. Fairly secure? 4 A. Hmm-hmm. 5 Q. You work at the CIA? 6 A. I do. 7 Q. I am assuming the CIA is not in the business of running a 8 system that's fairly secure. 9 A. It depends on the use and purposes of the system. 10 Q. Okay. 11 system. 12 Correct? Well, let's talk about the use and purposes of the You testified that -- you just said, actually, fairly 13 secure, right? 14 A. Yes. 15 Q. You remember meeting with the FBI about in 2017? 16 A. Yes. 17 Q. And you met with them several times, correct? 18 A. Yes. 19 Q. And they spent an inordinate amount of time talking to you 20 about this system, correct? 21 A. Yes. 22 Q. And one of the things they asked you to do is to describe 23 the system to them, correct? 24 A. Yes. 25 Q. And you used the phrase "wild west." SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 840 K2B3SCH1 David 1 A. Yes. 2 Q. Tell us, please, what is wild west? 3 A. Sure. 4 malware -- 5 Q. No, no. 6 A. -- and other tools. 7 Q. I'm sorry. 8 A. The system is designed for the creation of malware, tools, 9 nation state tools, things to be used for what COG uses them The system is designed for reverse engineering of 10 for. 11 Q. COG what? 12 A. The COG network or the operators, the other side who EDG 13 develops tools for. 14 I'm sorry. Your voice dropped. So, there were some -- there was -- there was user 15 auditing in place. 16 to have a user password and the specific drop and access to the 17 network to get on. 18 Q. 19 wild west. 20 A. 21 We designed the network that it was flexible so that developers 22 could create what they needed to create. 23 same use policies as some of the other networks the CIA ran 24 because the nature of the work. 25 The system was a closed network. You had Okay, that doesn't answer my question why you called it the Because you can bring malware in and reverse engineer it. It did not have the Everyone on the DevLAN network, all the developers SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 841 K2B3SCH1 David 1 were admins over their own box. They could create and do 2 whatever they needed to do on their own workstation. 3 that way because they were developers. 4 Q. You finished? 5 A. I'm done. 6 Q. Okay. 7 it was a wild system; is that right? 8 A. 9 systems that we ran, it was pretty open. It is Did you finish your answer, sir? So you called it the wild west because you thought I called it the wild west because, compared to the other 10 Q. Right. 11 you had. 12 A. Yes. 13 Q. People developed malware on it, correct? 14 A. Correct. 15 Q. And malware is just a way to infect another system, 16 correct? 17 A. Yes. 18 Q. Malware is something that you create when you want to 19 insert a virus into a computer and shut somebody else's 20 computer down, correct? 21 A. 22 developers did for EDG. 23 Q. Right. 24 A. Yes. 25 Q. Okay. Yes. So let's talk about this pretty open system that Right? But not for the nature of what we did. What the They wanted to steal somebody else's data? Regardless of what they wanted to make the tool for, SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 842 K2B3SCH1 David 1 it was malware, correct? 2 A. Functionally, yes. 3 Q. How many developers were there developing malware? 4 A. I would say probably 120 to 150. 5 number. 6 Q. 7 that there were shared passwords, correct? 8 A. Yes. 9 Q. And you knew that people accessed each other's projects, Okay. I don't know the exact When you worked on DevLAN, you knew, did you not, 10 correct, on DevLAN? 11 A. 12 typical development shops work. 13 Q. It's collaborative and open, correct? 14 A. Open, yes. 15 Q. Right. 16 open, correct? 17 A. I did. 18 Q. Right. 19 it, correct? 20 A. I did at the time, yes. 21 Q. Right. 22 closer to when DevLAN was being used at the CIA than now, 23 correct? 24 A. I don't understand your question. 25 Q. Okay. Yes, it was a collaborative environment. That's the way And you told the FBI, did you not, that it was wide And you told the FBI that there were no controls on And by "at that time," you mean at the time far Let me try it again. When you met with them, it was SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 843 K2B3SCH1 David 1 closer to the time of when you discovered WikiLeaks, correct? 2 A. It was after the leak, yes. 3 Q. Right. 4 now, right? 5 A. They were fresh in my mind. 6 Q. Good. 7 A. However, some of the things that they were referring to, 8 things like specifically Altabackup -- 9 Q. Sir, can I stop you here for a minute. 10 11 MS. SHROFF: Your Honor, could the witness just be instructed to answer the question. 12 13 So things were fresher in your mind than they are THE COURT: David, listen to the question, answer the question. 14 THE WITNESS: 15 THE COURT: 16 Yes, sir. If there are other things you want to talk about, Mr. Denton will bring that up. 17 THE WITNESS: Excellent. Sorry. 18 Q. You told the FBI, did you not, that there was not too much 19 logging turn-on on DevLAN, correct? 20 A. Yes. 21 Q. And you told the FBI, did you not, that it was easy for 22 somebody to connect the DevLAN box to the internet, correct? 23 A. I don't remember saying that. 24 Q. Do you remember saying to the FBI if someone wanted to 25 connect a DevLAN box to the internet, the person would have SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 844 K2B3SCH1 David 1 only had to just switch the DevLAN and FIN fiber or ethernet 2 cable in the back of the box. 3 A. 4 I don't remember sitting here today. 5 Q. 6 you 3515-13, page five. Do you remember saying that? If I said it according to the -- then I must have said it. Let me see if I can refresh your recollection by showing 7 MS. SHROFF: 8 THE COURT: 9 (Pause) 3515-13, page five. May I approach, your Honor? Yes, you may. 10 A. I remember that, yes. 11 Q. Good. 12 security monitoring or tool would have prevented someone from 13 doing so, correct? 14 A. Correct. 15 Q. And after that, they asked you if you knew of anyone who 16 had done that, and you said no; correct? 17 A. Correct. 18 Q. Where did you sit, sir? 19 A. Yes. 20 Q. In a closed office? 21 A. Yes. 22 Q. Outside of the cubicles? 23 A. Yes. 24 Q. Nowhere near the people who were sitting in the cubicles? 25 A. There were only about six or seven people who sat in our And then you went on to tell the FBI that no Did you sit in an office? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 845 K2B3SCH1 David 1 actual office. 2 Q. Okay. 3 A. Yes. 4 Q. And you said you were sitting in a vault, you said, right? 5 A. Yes. 6 Q. You locked in and out of that, you clicked in and clicked 7 out? 8 A. Correct. 9 Q. Outside of your office, how many other people had a FIN? 10 A. How many FIN drops did we have. 11 to 75. 12 Q. 50 to 75 FINs, right? 13 A. Yes, ma'am. 14 Q. How many DevLANs? 15 A. Quite a bit more. 16 Q. So at the least we have 50 FIN cables, and 200 DevLAN 17 cables, right? 18 A. That would probably be an accurate assessment. 19 Q. Fair to say you spent a majority of your time doing work in 20 your office, correct? 21 A. 22 on the floor, I spent time in the server room. 23 Q. 24 you were working, correct? 25 A. And your office was locked you said, correct? We had approximately -- 50 Probably 200. I would say I spent some time in my office. I spent time We'll talk about the server room in a minute. Yes. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 But mainly 846 K2B3SCH1 David 1 Q. It wasn't a secret, sir, was it, that you could switch 2 cables? 3 A. No. 4 Q. Okay. 5 right, according to your testimony to Mr. Denton here, that 6 Websense would immediately notice, right? 7 A. 8 station connect. 9 Q. You testified on direct that if somebody did that, It would notify on the screen, yes. We would see a work Do you remember a time when an employee plugged in a laptop 10 with wi-fi? 11 A. I do. 12 Q. It took four hours for somebody to figure out it had been 13 plugged in, right? 14 A. Yes. 15 Q. And four full hours before they even knew that a laptop 16 with internet was plugged in, right? 17 A. Yes. 18 Q. Websense didn't pick it up, right? 19 to see it? 20 A. No. 21 Q. Right. 22 internet network means? 23 A. 24 was a unclassified CIA attributable network that was connected 25 with a 45 meg internet circuit. Four full hours? Somebody just happened By the way, could you tell me what fast IOC That was FIN, if I were correct. It was -- basically, FIN It's called fast IOC network. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 847 K2B3SCH1 David 1 Q. It was a pretty good network? 2 A. It was okay, yes. 3 Q. Yeah. 4 set up. 5 A. Okay. 6 Q. Do you recall at one point telling the FBI that the 7 security logging capability on Stash was set at default. 8 you remember that? 9 A. Initially, it was set to default. 10 Q. Right. 11 right? 12 A. Yes. 13 Q. Absolutely the bottom rung, right? 14 A. Default is default, so whatever -- default means different 15 things for different applications. 16 Q. 17 one of your most guarded code repositories, right? 18 A. Yes. 19 Q. It's set at default, the logging on it, right? 20 A. Yes. 21 Q. You also testified quite a bit, did you not, about this 22 phrase of latency, right? 23 A. Latency between -- 24 Q. I just asked you if you remember testifying about it. 25 A. Yes. Now, you talked about how the security system was Let's just keep talking about that, okay? Right. Do Just -- Default is the lowest level of logging capability, And this is Stash, right? You testified Stash is Remember that? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 848 K2B3SCH1 David 1 Q. Now, you testified about latency because you were asked by 2 Mr. Denton about access to DevLAN from Foreign Office East and 3 Foreign Office West, correct? 4 A. Yes. 5 Q. And you testified, did you not, that -- or Mr. Denton 6 elicited it, that there were so many problems because the 7 internet was so slow, right? 8 THE COURT: The internet was what? 9 Q. So slow. 10 A. It wasn't an internet. 11 encrypted tunnel between CCI East, the CCI, and Foreign Office 12 East and West. 13 Q. 14 internet fast or well according to your direct, right? 15 A. 16 facilities between here and overseas. 17 Q. 18 this -- 19 A. 20 this wasn't touching the internet. 21 Q. Let's try it again. 22 A. Hmm-hmm. 23 Q. Right. 24 A. Yes. 25 Q. Okay. It was an extended private It did not traverse the internet. It did traverse the internet, it just didn't traverse the It was running through CIA infrastructure and other private Okay. Did you understand my question to mean simply Please repeat it then. I understood you said internet, and People in Foreign Office West -- Had a way to connect into DevLAN here. Correct? And you just testified that it's through an SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 849 K2B3SCH1 David 1 encrypted tunnel, correct? 2 A. Yes. 3 Q. And the whole point of this tunnel is to make sure that 4 whoever is in Foreign Office West knows and can access United 5 States, correct? 6 A. Yes. 7 Q. That's the point, right? 8 A. Yes. 9 Q. Right. And you testified that this was so slow that you 10 used the phrase "latency," correct? 11 A. Yes. 12 Q. And you also testified that you would have personal 13 knowledge because you're one of the people who worked on 14 latency, correct? 15 A. 16 well. 17 Q. Oh. 18 A. I have a little bit of hearing loss. 19 Q. So you testified that latency was something that you tried 20 to fix, correct? 21 A. Tried to adjust, yes. 22 Q. Is it fair to say, sir, that in your weekly activity 23 reports, you did not note working on latency issues? 24 A. 25 was part of the daily activity. I'm sorry, I didn't understand. I can't hear you very Nobody's ever had that complaint before, so thank you. I apologize. I don't have any specific knowledge either way on that. We worked on our projects. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 It 850 K2B3SCH1 David 1 Our weekly reports typically focused around projects we were 2 doing locally with the developers, putting and bringing them 3 services, things of that nature. 4 Q. 5 doesn't talk about your work on latency, but you tried to fix 6 the problem, correct? 7 A. Yes. 8 Q. Is it your testimony sitting here today, sir, that the CIA 9 still has trouble letting Foreign Office West access 10 So it's fair to say, right, that your written weekly report information in the United States? 11 MR. DENTON: 12 THE COURT: 13 Q. Objection. Sustained. Does the problem still exist, according to you? 14 MR. DENTON: 15 THE COURT: Objection. Sustained. 16 Q. Did the problem still exist in 2016, according to you? 17 A. Yes. 18 Q. It existed in 2016. 19 A. No. 20 Q. So, the CIA was aware of a problem and just didn't fix it 21 since 2016? 22 A. That's correct. 23 Q. 2017? 24 A. Correct. 25 Q. So, according to you, the CIA has a foreign office that Did you fix it? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 851 K2B3SCH1 David 1 cannot access information in its local office. 2 testimony today? 3 A. Yes. 4 Q. Okay. 5 the security of DevLAN. 6 DevLAN was a mess? 7 A. Not specifically, no. 8 Q. Take a look at 3513, you still have it in front of you, 9 page three. Staying with the system. That's your Just talking still about Do you recall telling the FBI that Do you remember saying that to them? Page three of five, all the way at the bottom. 10 A. Okay. Yes. I remember that now. 11 Q. Right. 12 over 100 to 200 terabytes of crap? 13 A. Yes. 14 Q. Okay. 15 were there not, on DevLAN users' ability to navigate on to 16 Altabackup, correct? 17 A. Yes. 18 Q. And you said Altabackup was wide open. 19 A. I remember saying that, yes. 20 Q. Right. 21 someone to know an IP address, correct? 22 A. Correct. 23 Q. You also told the FBI, did you not, that it would be easy 24 for somebody to pull down a read only copy of the backups of 25 DevLAN, correct? And you told them DevLAN was a mess, and there was And they also asked you if there were restrictions, Correct? And then you said that the only restriction was for SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 852 K2B3SCH1 David 1 A. Backup of -- in the entire DevLAN? Or -- 2 Q. Let's just start with, let's stay with Altabackup. 3 told the FBI, did you not, that somebody could pull down a read 4 only copy of Altabackup, right? 5 A. Yes. 6 Q. And how many people at the FBI -- I mean at the CIA could 7 pull down the Altabackup as a read only copy? 8 A. 9 how Altabackup was set up. You At the time that I made that statement, I was ignorant to 10 Q. Sir, did you hear my question? 11 A. I did. 12 Q. Okay. 13 question about that. 14 I didn't ask you if you were ignorant then or any And let me just go back to that answer for a minute. 15 Did you tell the FBI that you were ignorant? 16 A. No. 17 Q. Why? 18 A. I believed at the time I told the FBI that I did not know 19 how Altabackup was set up. 20 Q. 21 was set up so go ask someone else"? 22 A. No, I said -- 23 Q. No? 24 A. I said -- 25 Q. Sir, listen to my questions, please. Really? Did you tell the FBI, "I don't know how Altabackup SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 853 K2B3SCH1 1 David You did not tell the FBI, did you, that you didn't 2 know the answer; no, right? 3 A. No. 4 Q. Right. 5 Altabackup, go ask someone else," correct? 6 A. Correct. 7 Q. Right. 8 A. Correct. 9 Q. In fact, they came to you with a long list of written You didn't tell them, "I'm ignorant about You answered their questions, correct? 10 questions, right? 11 A. Yes. 12 Q. Right. 13 them, and then you answered them, right? 14 A. Yes. 15 Q. I mean, it wasn't like the FBI was rushing you, correct? 16 A. Correct. 17 Q. They gave you all the time you needed to answer them, 18 correct? 19 A. Yes. 20 Q. They even told you that this was a voluntary interview, you 21 didn't have to be there, correct? 22 A. Yes. 23 Q. And then they told you if you wanted, you could have a 24 lawyer there, correct? 25 A. They gave you written questions, you thought about Yes. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 854 K2B3SCH1 David 1 Q. And then they told you take as many breaks as you want, 2 correct? 3 A. Yes. 4 Q. They thanked you for helping them, correct? 5 A. Yes. 6 Q. It was a friendly interview, right? 7 A. Yes. 8 Q. You could have told them, I'm ignorant about Altabackup, 9 right? 10 A. Yes, I could have. 11 Q. But you did not, right? 12 A. Correct. 13 Q. Okay. 14 never tracked bandwidth activity, right? 15 A. No. 16 Q. That's one way to keep track of what is or is not secure, 17 right? 18 A. It is one way, yes. 19 Q. You testified about logs, right? 20 A. Yes. 21 Q. And you noted the importance of logs, correct? 22 A. Yes. 23 Q. Right. 24 DevLAN system? 25 A. You did not, correct? Let's talk about tracking bandwidth activity. You And is it fair to say nobody audited logs on the Just yes or no. We did audit logs. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 855 K2B3SCH1 David 1 Q. Okay. Did you tell the FBI that you did not audit logs? 2 A. As far as relating to user activity. 3 Q. No, right? 4 A. No. 5 Q. Okay. 6 for removing people from projects was the same process as 7 adding them on to a project? 8 A. I don't remember specifically saying that. 9 Q. Okay. 10 A. Okay. 11 Q. Now, you said that 99 percent of the work, and you correct 12 me if I'm wrong, okay, of the work could be done through web 13 interface, and you did not need to go through SSH keys for most 14 tasks. 15 A. Which applications are we talking specifically? 16 Q. Any application. 17 true, right? 18 interface, right? 19 A. I'm going to disagree with that. 20 Q. Okay. 21 99 percent of the work with web interface? 22 A. 23 the applications through the web interface. 24 Q. 25 Could you explain to the jury exactly what you mean. Did you tell the FBI, by the way, that the process But ... Let's talk about SSH keys, okay? For almost any application this would be 99 percent of the work can be done through a web Tell me which applications would you be able to do With Atlassian, you can do a lot of the administration of Okay. Let's stay with that. Okay. Let's break that down. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 856 K2B3SCH1 David 1 A. A lot of the admin control, how projects were set up, which 2 users had access to which projects, adding people to the wiki 3 Confluence and other things could be done via the web GUI. 4 browser. 5 Q. What is a web interface, by the way? 6 A. It was whichever browser you wanted to use which was in 7 somebody's work station. 8 be Chrome, it could be Firefox, it could be Internet Explorer. 9 Q. So the same web browser I have on my iPhone, right? 10 A. Yeah. 11 Q. Google, Safari, Yahoo; whatever I want? 12 A. Fundamentally, it has to be a web browser. 13 Q. You could log in just like you log into The New York Times, 14 right? 15 put in your password, you move right along, correct? 16 A. Correct. 17 Q. By the way, once you log in that way, if you don't log out, 18 you remain logged in, correct? 19 A. Correct. 20 Q. You could remain logged in for days, correct? 21 A. I don't specifically recall -- 22 Q. I am just asking you if one could remain logged in for 23 days. 24 A. I'm not sure. 25 Q. Okay. It could be -- excuse me. Web It could You put in thenewyorktimes.com, gives you a prompt, you You are not sure if a person can remain logged in SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 857 K2B3SCH1 David 1 for days. 2 A. Yes. 3 Q. Okay. 4 home directory. 5 A. Okay. 6 Q. You testified on direct yesterday, I think it was 7 yesterday, that you kept two copies, at least two copies of 8 Stash, correct? 9 A. Yes. 10 Q. And you testified that you kept one copy on your home 11 directory, right? 12 A. Yes. 13 Q. And then you kept one copy, you put it on a hard drive? 14 A. Yes. 15 Q. By the way, before you did that, did you talk to Mr. Leonis 16 about how you were going to back up Stash? 17 A. No, I worked with Jeremy on what we were going to do. 18 Q. I didn't ask you about Jeremy. 19 A. I didn't work with Mr. Leonis. 20 Q. You did not tell Mr. Leonis that one of the ways you were 21 going to back up Stash was to put it in your home directory. 22 Is that your testimony? 23 A. 24 25 Is that your testimony? Let's talk about the Stash backup that was in your Okay? Yes. MS. SHROFF: actually. Can you just pull that exhibit up. Hold on for a minute. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 35 -- 858 K2B3SCH1 David 1 Q. When you backed up Stash into your home directory, you made 2 no note of that anywhere, correct? 3 A. Correct. 4 Q. Only you knew that you did that, along with Jeremy and Tim? 5 A. Correct. 6 Q. Right. 7 A. Yes. 8 Q. So you took them, and you put them in your home directory, 9 right? And Stash is where your crown jewels are, correct? 10 A. Yes. 11 Q. How many home directories are there at the CIA? 12 A. That's not an accurate question. 13 directories, it would be on DevLAN. 14 Q. 15 it again. Okay. 16 If we're talking home Well DevLAN is at the CIA, so I'm sorry. Let me try How many home directories are there on DevLAN? 17 A. There was probably over 200. 18 Q. Right. 19 A. Who had an account on DevLAN, yes. 20 Q. Okay. 21 another person on DevLAN, they could literally put the file 22 into the other person's home directory and say to Dave, from 23 Anthony. 24 A. I believe that's how some of the developers were set up. 25 Q. Right. And each employee has a home directory, correct? And so, if one person wanted to send a file to Correct? In fact, most developers were set up that way, SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 859 K2B3SCH1 David 1 right? 2 A. Yes. 3 Q. Okay. 4 home directory, right? 5 A. Yes. 6 Q. Okay. 7 done with your home directory, right? 8 A. Correct. 9 Q. And you told the FBI when you met with them that you put So, a developer could go into another developer's And you testified on direct that that couldn't be 10 one copy in your home directory, correct? 11 A. Yes. 12 Q. By the way, when you told the FBI that, you also told them 13 that you put a copy on the hard drive, correct? 14 A. Yes. 15 Q. And then on direct you told us that you put this hard drive 16 in a safe in your office, correct? 17 A. Yes. 18 Q. And then at some point, when you got rid of the safe, you 19 put it in your desk? 20 A. Yes. 21 Q. This is Stash. 22 A. Yes. 23 Q. On a hard drive? 24 A. Yes. 25 Q. Do you remember by any chance never telling the FBI that SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 860 K2B3SCH1 David 1 you put this hard drive in a safe? 2 A. I might have. 3 Q. Let's try. 4 3515-09. Here you go, sir. (Pause) 5 Q. This is your interview with them in May of 2017, right? 6 A. Yes. 7 Q. You tell them that you made a backup, correct? 8 A. Yes. 9 Q. Made a backup on April 16, correct? 10 A. Yes. 11 Q. You placed the copy on your home drive, on your home 12 directory, correct? 13 A. Yes. 14 Q. You never tell them that your home directory is locked at 15 all, correct? 16 A. Yes. 17 Q. And then you tell them that you made a separate copy and 18 put it on a hard drive, right? 19 A. Yes. 20 Q. And then you told them, they asked you, hey, where's that 21 hard drive, right? 22 But we'll get to that in a minute. Right? You have to answer verbally. 23 A. Yes. 24 Q. The FBI asked you where's the hard drive, right? 25 A. Yes. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 861 K2B3SCH1 David 1 Q. And you said you were not sure if you still had the hard 2 drive, correct? 3 A. Correct. 4 Q. Or that if you had wiped the hard drive, correct? 5 A. Correct. 6 Q. You never mentioned a safe, correct? 7 A. Correct. 8 Q. You never mentioned any vault, correct? 9 A. Well, it was located inside of a vault. 10 Q. I am not asking where it was located. 11 you told the FBI about that. 12 A. Yes, no. 13 Q. You never told the FBI, did you, that you ever moved it to 14 a locked compartment in your desk, correct? 15 A. Correct. 16 Q. And you also said that you actually couldn't even recall if 17 you had wiped the information about Stash off of that hard 18 drive, correct? 19 A. Correct. 20 Q. And sitting here today, you have not a clue as to where 21 that hard drive is, correct? 22 A. No, I don't. 23 Q. You also told the FBI, did you not, in May of 2017, that 24 home directory information was available to everyone with an 25 Atlassian account, correct? I'm simply asking if SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 862 K2B3SCH1 David 1 A. The home directory -- 2 Q. I just asked you if you told the FBI that. 3 asking, sir. 4 A. Yes, I'm sorry. 5 Q. You did, right? 6 A. Yes. 7 Q. You told them that? 8 That's all I'm Did you tell them your home directory was locked? 9 A. I don't recall. 10 Q. And then you told them, again, that it was the wild west, 11 correct? 12 A. Yes. 13 Q. You also told them during that same interview, did you not, 14 sir, that anyone could have copied and downloaded the data on 15 Confluence by using vSphere, correct? 16 A. Yes. 17 Q. And then you told them that another way to download and 18 copy this data was by cloning, correct? 19 A. Yes. 20 Q. And then you told them or it could be done by FSN -- I 21 don't know what this is. 22 A. I believe the acronym was Rsync. 23 Q. So that's three other ways using the vSphere, cloning, and 24 Rsync, correct? 25 A. FSYNC, correct? Yes. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 863 K2B3SCH1 David 1 Q. Then you told them that the easiest way to copy this data 2 would be by using vSphere within VMware, correct? 3 A. Yes. 4 Q. Enable someone to copy the data quickly, right? 5 A. Yes. 6 Q. Then you said you could just walk it out the door? 7 A. Yes. 8 Q. Just simply walk it out of the CIA? 9 A. Yes. 10 Q. And that's because CIA had no controls, correct? 11 A. Correct. 12 Q. Right. 13 computer in your hand, right? 14 A. Yes. 15 Q. I'm sure Mr. Denton will on redirect ask you if you saw 16 somebody walk out with a computer in your hand. 17 you did not, right? 18 A. No. 19 Q. But one could. 20 A. Potentially. 21 Q. Right. 22 testified about your daily hours at the CIA. 23 A. Yes. 24 Q. Right. 25 A. Usually start at 8:3:0, 9 o'clock in the morning, finished The copy would take some time, but yes. You could walk out of the CIA with literally a I am assuming By the way, let me ask you something. You What time do you generally start work? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 864 K2B3SCH1 David 1 around 4:30 to 5 in the evening. 2 Q. Did CIA have flex time, by the way? 3 THE COURT: 4 MS. SHROFF: 5 THE COURT: What? Flex time. Thank you. 6 A. I'm a contractor. That option is not available to me. 7 can assume there may be some with the staff. 8 Q. 9 their day later than you? I Did you know of people who started later than you and ended 10 A. I didn't pay too much attention to what the developers did. 11 I didn't work with them. 12 didn't see the comings and goings typically. 13 Q. 14 allowed for people to start later and end later. 15 A. Yes. 16 Q. Okay. 17 testified that you came in on a Saturday, correct? 18 A. Yes. 19 Q. And you came in with Mr. Weber, correct? 20 A. Yes. 21 Q. And then the other person that was there was Tim, correct? 22 A. Yes. 23 Q. And is it fair to say that on that date, you deleted all 24 the secure shell keys, correct? 25 A. I worked in a separate office. So I I was just wondering if you knew of the CIA policy that Let me stay on April 16. That's the day you We deleted the keys that would allow me to log into the SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 865 K2B3SCH1 David 1 servers. 2 Q. 3 had an SSH key on Confluence; is that correct? 4 A. I don't remember that. 5 Q. You don't remember that? 6 A. I apologize, I don't. 7 Q. That's all right. 8 Patrick had already left the CIA's local office, correct? 9 had moved on? And you testified that at that time, someone named Patrick That was a long time ago. By the time you went in on April 16, Referring to which Patrick? Schaeffer. He 10 A. I apologize. Yes. 11 Q. Okay. 12 A. So if I may correct myself, I had a different Patrick in my 13 head. 14 had the SSH keys. And -- Could you repeat the previous question for me as to who 15 If it was Patrick Schaeffer, prior to April 16, he may 16 have had a copy of that key to log into the server. 17 Q. He did, right? 18 A. Prior to the 16th, yes. 19 Q. And prior to the 16th, or even after actually on the 16th, 20 Patrick's keys were still there, correct? 21 A. Before or after? 22 Q. No, no. 23 A. Before, yes. 24 Q. But they were left there long after he had left? 25 A. Yes. I apologize. After the 16th? Before? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 866 K2B3SCH1 David 1 Q. For the foreign office, correct? 2 A. Correct. 3 Q. How long had his keys just been there since he left for the 4 foreign office; do you know? 5 A. 6 between -- 7 Q. I appreciate that. 8 A. Okay. 9 Q. His keys were still there, correct? 10 A. The key was still there, yes. 11 Q. Right. 12 A. Yes. 13 Q. No need for his key to still be there, correct? 14 correct? 15 A. 16 Linux servers with administrative credentials. 17 Q. But he is not using the key, correct? 18 A. Correct, but the key was still used to log into the 19 servers. 20 that key, no one gets into the servers. 21 Q. 22 simply change a key after someone leaves, correct? 23 A. You can. 24 Q. You should, correct? 25 A. Correct. The keys were actually, it was one key. My question was far simpler. He was gone. Incorrect. And it was shared Correct? He's gone, That was the key that logged on to each of the That was the log-in to the servers. If you delete You don't have to delete a key after somebody leaves. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 You 867 K2B3SCH1 David 1 Q. You should delete that key after he left, correct? 2 A. Correct. 3 Q. That would make for security, correct? 4 A. Correct. 5 Q. You did not change that key after he left, correct? 6 A. Correct. 7 Q. Okay. 8 this question without an exhibit. 9 Let's see if we can pull up -- let me just ask you Do you know somebody named Rufus, by the way? 10 A. Yes. 11 Q. Rufus had a key, right? 12 A. I assume that Rufus did. 13 interactions with Rufus. 14 Q. 15 2016, correct? 16 A. I'm going to have to take you at your word on that. 17 Q. Will you take me at my word that he was no longer in EDG at 18 that time? Okay. 19 I didn't have too many He did not sit in our office. Rufus had a public key on Confluence as of April 16, MR. DENTON: Objection. 20 Q. I'll ask it -- did you know if he was in EDG at that time? 21 A. I don't remember when Rufus left. 22 Q. Do you know that Rufus' keys after he left were still 23 there? 24 A. Yes, that makes sense for how SSH keys work. 25 Q. That's how SSH keys work. You leave EDG, and you leave SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 868 K2B3SCH1 David 1 your public keys behind. 2 A. Yes. 3 Q. Okay. 4 A. That's how they did it. 5 service at that time. 6 Q. That wasn't my question at all, sir. 7 A. I apologize. 8 Q. My question for you is, is it good security practice to 9 leave your key after you have left that group or that division 10 That's how it works? I was not administrating the or that branch. 11 Is it not poor security practice to leave your key? 12 A. Yes it is. 13 Q. Thank you. 14 procedure, correct, to not leave a key after you've left a 15 group, a division or employment. 16 A. Yes. 17 Q. You testified about other types of public keys on DevLAN, 18 correct? 19 A. Yes. 20 Q. And another type of a public key is called a root public 21 key, correct? 22 A. I don't recall ever talking about root public keys. 23 Q. Okay. 24 A. There are public keys and private keys, in talking about 25 the SSL the TLS. In fact, it's basic standard operating Correct? Is there such a thing as a root public key? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 869 K2B3SCH1 David 1 Q. Is there such a thing as a root key? 2 A. In regards to? 3 Q. On servers. 4 A. I believe so, yes. 5 Q. Right. 6 A. Thank you. 7 Q. If someone had root access on any one of the CIA's servers, 8 could they not also have root access on Confluence? 9 A. You just called it root access, correct? They would have root access to the server. They would be 10 able to see the files and folders and database, but that would 11 not enable them to log into the web and make changes. 12 Q. 13 asked you a far easier question. 14 A. Okay. Can you repeat the question, please? 15 Q. Sure. If somebody had root access on a server, that would 16 give them root access to Confluence, correct? 17 A. Yes. 18 Q. Let me see if I can pull up Exhibit 1207-7. 19 sir, there is a P for root@Jira.IOC.local? 20 A. Yes. 21 Q. You see that? 22 A. I do. 23 Q. Does that mean that Jira had root access to Confluence? 24 A. No. 25 log into the Jira application to push code up and things to the I didn't ask you if they could make changes, sir. I simply Do you see, My understanding with this key is, this is a key to SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 870 K2B3SCH1 David 1 Jira application, not to the server. 2 Q. 3 Jira, I'm going to come back to that. 4 didn't like it, correct? 5 A. That was my understanding. 6 Q. All right. So your testimony is, and you've already testified about 7 You testified that COG We'll come back to that one. Your testimony is that this section does not mean to 8 you that Jira had root access to Confluence. 9 testimony? 10 A. 11 exhibit. 12 Q. 13 thank you, sir. 14 Could you repeat that one more time? That's okay. Is that your I was looking at the If could you just pull that back up for -- You see that? 15 A. Yes. 16 Q. Root@Jira.IOC.local? 17 A. Yes. 18 Q. And your testimony sitting here today is that you disagree 19 with me when I say this shows that Jira had root access to 20 Confluence. 21 A. Looking at this key, this appears to be a log in to Jira. 22 Q. Right. 23 A. I would -- I can't say specifically if this would allow you 24 onto Confluence or not. 25 Q. Okay. You disagree. Thank you. Now, when you said that on April 16, SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 871 K2B3SCH1 David 1 what you essentially did was you, by deleting keys, essentially 2 what you did is, you changed everyone's password. 3 that an easier way to understand that? 4 Right? Is You can take this down. 5 A. Is this a yes or no question or can I explain what we did? 6 Q. Well, if you want to explain it, but, you know. 7 have limited technology. 8 A. 9 this was the only key that was used to log in to the operating We all What we did on, when we changed the root key to get in, 10 system of each Linux machine. 11 it for everybody. 12 Q. 13 essentially like, everybody comes in the next day, and their 14 keys are no longer working, right? 15 A. 16 able to get in. 17 Q. 18 password was changed and you couldn't log in anymore, right? 19 A. Correct. 20 Q. That's all I meant. Right. When we changed that, we changed But, basically, when you changed that, is that If they tried to log on to the server, they would not be I was trying to make it simple, which would be like if your 21 You stored the new keys somewhere, right, and you told 22 Tim where you stored them, correct? 23 A. Yes. 24 Q. And you stored them in a shared directory, right? 25 A. Yes. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 872 K2B3SCH1 David 1 Q. You gave that directory a name? 2 A. I don't remember specifically the name of that directory. 3 Q. You don't remember the name of the directory in which you 4 stored the passwords? 5 A. I remember where we put it. 6 Q. Right. 7 Do you remember? 8 A. I may have, yes. 9 Q. Right. Did you give it an Atlassian name, by any chance? So you made new keys, then you saved the new keys 10 with the name Atlassian in it. 11 A. Yes. 12 Q. Okay. 13 correct, by using Atlassian in it? 14 It's not a good way to store a changed password, You know what. 15 Right? I'll withdraw that. It's okay. When you took a snapshot of Confluence VM, right? 16 A. Yes. 17 Q. You saved that snapshot, right? 18 A. Yes. 19 Q. And then you saved the snapshot as backup before network 20 change, correct? 21 A. The Confluence, a backup was called backup 4-16-2016. 22 Q. Okay. 23 saved Confluence in your home directory, correct? 24 A. I saved Stash in my home directory. 25 Q. When you saved it, you don't remember saving it as backup When you saved it in your home directory, you never SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 873 K2B3SCH1 1 David before network change. 2 Take a look at 3515-09. 3 A. So I do remember what you're referring to. 4 Q. Okay. 5 A. That backup was not on 4/16. 6 following when we moved the Confluence and Bamboo virtual 7 server off of the OSB ESXi server over to ISB ESXi servers. 8 Q. 9 one backup before network change? That happened the week So you named another move that you made. You named that 10 A. Yes. 11 Q. And is it fair to say that after you made that particular 12 move, you changed the IP information for that VM? 13 A. Yes. 14 Q. And when you did that, am I correct that you had to first 15 shut down the VM, right? 16 right? 17 A. Yes. 18 Q. And then you copied it over, correct? 19 A. Yes. 20 Q. And then you copied it over to something called 21 OSB_test_repo, correct? 22 A. I do. 23 Q. Okay. 24 open? 25 A. You shut down that virtual machine, Do you remember that? Help me out here. Isn't OSB_test_repo also wide I don't remember the specific permissions on that, no. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 874 K2B3SCH1 David 1 But -- 2 Q. You told the FBI it was open, correct? 3 A. I said there were -- I didn't say specifically everything 4 was wide open. 5 Q. But this one was open, right? 6 A. I don't -- by the nature of the work that we were doing, 7 that was closed off. 8 Q. So it was not open is your testimony? 9 A. That is my testimony. 10 Q. It's your testimony today that it wasn't open; it was 11 closed off? 12 A. I believe it was closed up, yes. 13 Q. And you recall telling the FBI that it was open or you 14 recall telling the FBI that it was closed off? 15 A. I don't remember specifically referencing that to the FBI. 16 Q. Okay. 17 is that local storage? 18 A. That's network storage. 19 Q. It's local, right? 20 A. Network storage. 21 Q. Okay. 22 A. No. 23 Q. It's not? 24 A. No, it was storage on the NetApp server. 25 Q. It's storage on the NetApp server? All right. Let's talk about this. OSB_test_repo, It's storage on the OSB ESXi server, right? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 875 K2B3SCH1 David 1 A. Yes. 2 Q. You're saying that when you made this move, you moved that 3 VM from that server to its final destination, which is DS000; 4 is that correct? 5 A. I'm trying to explain. 6 Q. I don't want you to explain it. 7 A. Yes. 8 Q. That's where you moved it, right? 9 A. Yes. 10 Q. What is DS000? 11 A. It's referencing the NetApp. 12 Q. The NetApp? 13 A. Yes. 14 Q. Is it your testimony sitting here today that NetApp is open 15 or not? 16 A. Pieces of NetApp were open. 17 Q. No controls, correct? 18 A. Limited control. 19 Q. By limited control, you mean control that did not even meet 20 standard operating protocol, correct? 21 A. Yes. 22 Q. Okay. 23 protocol," I mean like basic -- like my office would have, 24 right, like we're lawyers' offices, basic protocol, right. 25 Standard -- Thanks. And by the way, when I say "standard operating SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 876 K2B3SCH1 David 1 A. 2 been in my environment for quite some time. 3 your office's protocol is. 4 Q. 5 a standard operating protocol, that is like the very basic 6 level, correct? 7 A. Okay. 8 Q. Okay. 9 A. Yes. 10 Q. Yes or no? 11 A. Yes. 12 Q. That was confusing, you saying "yes," me saying "okay." 13 I apologize, I can't answer that. Very fair. I don't know what, I've But let me ask you this. I don't know what When somebody issues That is what you must comply with, correct? No, no. Not "okay." Let's talk about these missing Stash logs, okay? You 14 said that you never would have in a security system or in a 15 secure system lose logs, correct? 16 A. Correct. 17 Q. And you were asked about missing logs, correct, missing 18 logs from January 14 to April 21, correct? 19 A. 20 report, I may have talked about it. 21 Q. 22 missing logs from January 14 to April 21, 2016. 23 A. 24 have the right -- do I have the right one? 25 Q. I'm sorry, I apologize, not really. Let's look at 3515-09. Page four. Is this -- which exhibit is this? You remember that? But if it's in the You were asked about Correct? I apologize. 3515-09. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 I don't 877 K2B3SCH1 David 1 THE COURT: Here is a copy. 2 THE WITNESS: Oh. Okay. 3 Q. You see that paragraph? 4 A. I'm sorry. 5 Where is it on the page? THE COURT: Page five of 10? Page four. 6 Q. It's highlighted for you. 7 A. It's on the backside. 8 Q. Okay. 9 said it could be an issue with the server space, correct? Okay. Yes, ma'am. And they asked you about these missing logs, and you 10 A. Yes. 11 Q. You said you could have deleted older logs to free up 12 space, correct? 13 A. Yes. 14 Q. It's possible, you said, that logs are only kept for 30 15 days anyway, correct? 16 A. Yes. 17 Q. At the same time that they were talking to you about these 18 logs, they also asked you about Stash and how the identifier 19 for Stash could change, correct? 20 A. The identifier. 21 Q. Right. 22 A. Can you tell me specifically where that's referenced? 23 Q. Sure. 24 Still page four. 25 A. Just the highlighted section below. Still page four. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Where you were. 878 K2B3SCH1 David 1 Q. Right. 2 A. Oh, yes. 3 Q. You said you were not sure why they would change, but you 4 thought that IDs could change every time that the Stash service 5 was restarted, correct? 6 A. Yes. 7 Q. Now, you testified about server rooms, correct? 8 A. Yes. 9 Q. How many server rooms are there at the local facility? 10 A. We had -- basically two. 11 Q. Three? 12 A. Three. 13 Q. And they're all at the same facility; is that fair to say? 14 A. Between two floors, yes. 15 Q. They're between two floors, right? 16 A. Correct. 17 Q. You badge in, you go in and you work in the server room, 18 correct? 19 A. At the time only one server room had badge access. 20 Q. Only one server room had badge access? 21 A. Yes. 22 Q. What was the access to the other server rooms? 23 A. It was open, which means it was inside of a vault, but the 24 room did not have a separate badge or combination on it. 25 Q. Okay. Three. The eighth and ninth floors, yes. So, let's start with the one where you badged in. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 879 K2B3SCH1 David 1 A. Okay. 2 Q. They gave you like an access badge. 3 and you went in? 4 A. Yes. 5 Q. At that time there was no requirement for it to be double 6 badged, correct? 7 A. Correct. 8 Q. Now you need a double badge, correct? 9 A. Well, when I left that group about a year ago, when I left, You stuck it on there Or do you not know? 10 there was, yes, there was double badge. 11 Q. Right. 12 A. Yes. 13 Q. And once you single badged in, somebody badged in right 14 behind you, correct? 15 A. Yes. 16 Q. And there were times, is it fair to say, that you badged 17 in, and another employee is behind you, does not badge in, but 18 walks on in with you, correct? 19 A. Yes. 20 Q. Is that called tailgating into the server room? 21 A. It wasn't a policy at the time. 22 Q. I know it's never the policy. 23 happened. 24 A. Yes. 25 Q. And it's called tailgating into the server room, correct? But in 2016, you could single badge in, right? I am asking you if it SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 880 K2B3SCH1 David 1 A. Yes. 2 Q. You testified that there are no desks in the server room; 3 is that right? 4 A. Yes. 5 Q. Isn't it fair to say, sir, that even though there are no 6 desks, there are like these standing shelves where people can 7 stand and work? 8 A. Yes. 9 Q. Right. So it's kind of like having a desk, but it's like a 10 makeshift desk, right? 11 A. Yes. 12 Q. The thing, like, protrudes out? 13 A. Yes. 14 Q. You stand there, you do your work? 15 A. Yes. 16 Q. And then you leave, correct? 17 A. Correct. 18 Q. How many times would you say when you worked in the CIA 19 server room that you saw Post-its with IP addresses in the 20 server room? 21 A. Frequently. 22 Q. Say it again? 23 A. Frequently. 24 Q. A lot of Post-its with a lot of IP addresses on there, 25 right? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 881 K2B3SCH1 David 1 A. Yes. 2 Q. People left notes for each other in the server room, 3 correct, on Post-its? 4 A. Yes, generalized descriptions of what things were. 5 Q. You don't know if they were generalized or not, correct? 6 You would only know if you knew what they were talking about, 7 correct? 8 A. Correct. 9 Q. You didn't know what a developer is talking about to 10 another developer, correct? 11 A. Correct. 12 Q. And you don't know what a coder is telling another coder, 13 correct? 14 A. I'm sorry, I didn't understand. 15 Q. You do not know what one coder is telling another coder, 16 correct? 17 A. 18 IP addresses. 19 Q. You don't know, right? 20 A. I read through a lot of them. 21 Q. Okay. 22 that people have written to each other, and you read them. 23 Correct? 24 A. Yes. 25 Q. So that means everybody else going in and out of the server I mean, if it's usually simple little things, server names, You're just guessing? I saw what they were. So you go into a server room, there are Post-its SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 882 K2B3SCH1 David 1 room is reading what each developer or coder is saying to the 2 other person. 3 A. Yes. 4 Q. Okay. 5 correct? 6 A. Yes. 7 Q. And they're leaving IP addresses for themselves, correct? 8 A. Yes. 9 Q. Let's go back to talking about your internet computer at And they're leaving IP addresses for each other, 10 the CIA. The FIN. Right? 11 A. Okay. 12 Q. And you said that that is the -- is that an unclassified 13 network, the FIN? 14 A. Yes. 15 Q. Is it fair to say that one person could connect to another 16 person's FIN? 17 A. No. 18 Q. It's not fair to say? 19 A. No. 20 Q. There is no way for you, for example, to RDP into another 21 person's FIN? 22 A. 23 desktop into the unclassified FIN network. 24 Q. Right. 25 A. Into the machines. As an administrator on FIN, I had permission to remote SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 883 K2B3SCH1 David 1 Q. So you could RDP into anybody else's FIN, right? 2 A. Yes. 3 Q. What is RDP? 4 A. Remote desktop protocol. 5 Q. That just means that you can remote log in to the internet 6 computer of another person there, correct? 7 A. Yes. 8 Q. And you would RDP in, not just to fix something, but if you 9 were too tired or too bothered to walk to that particular 10 person's desktop, correct? 11 A. 12 Yes. 13 Q. You did that, right, to Mr. Schulte? 14 A. I have done that, yes. 15 Q. Many, many times, correct? 16 A. I don't know about that. 17 Q. Okay. 18 A. Possibly, yes. 19 specifically. 20 Q. I understand. 21 A. But yes, I logged into multiple users' FIN machines if they 22 were having connections problems to the internet or other 23 issues. 24 Q. 25 care? Occasionally RDP had its ability to fix problems remotely. Okay. Well, you did do that, correct? It was a long time ago, I don't remember When you did that to Mr. Schulte, did he seem to SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 884 K2B3SCH1 David 1 A. Not that I can recall. 2 Q. Let's see if we can talk about the Altabackups, okay? 3 A. Okay. 4 Q. Is it a fair statement to say that there were no 5 restrictions on who could access Altabackup? 6 A. It's not a fair statement. 7 Q. It's not a fair statement? 8 A. No. 9 Q. In your opinion, what were the restrictions on Altabackup? 10 MR. DENTON: 11 THE COURT: 12 MR. DENTON: 13 The objection is? He's not an expert. Your Honor, she's asking for his opinion. 14 15 Objection. THE COURT: A. 16 Overruled. Repeat the question please? (The record was read) 17 A. In my opinion, I did not know what the restrictions were. 18 And I assume they were wide open. 19 Q. 20 Could you just highlight there or I'm sure it's obvious. 21 you see where it says -- and I think you testified about this. 22 It says VMS.NFSmount.error.perm.denied, and then that signal 23 and then key. 24 A. Yes. 25 Q. And you said on your direct that that was an attempt by Let's see if we can pull up Government Exhibit 1202-8. But Correct? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 885 K2B3SCH1 David 1 Mr. Schulte to mount Altabackup to his work station at the CIA. 2 Correct? 3 A. Yes. 4 Q. Now, you've testified here and you also told the FBI, did 5 you not, that if somebody knew an IP address, they would simply 6 be able to access Altabackup. 7 that Altabackup was wide open, correct? 8 A. Yes. 9 Q. Sitting here today, sir, do you know what IP addresses had And, in fact, you just testified 10 permission to mount Altabackup? 11 A. I do not. 12 Q. Do you know sitting here today, sir, how many IP addresses 13 allowed for the mounting of Altabackup? 14 A. I do not. 15 Q. Is it fair to say, sir, that any virtual machine on the 16 ESXi server could mount Altabackup, literally any VM? 17 A. I can't answer that question. 18 Q. Sitting here today, sir, do you know what a test VM is? 19 A. Yes. 20 Q. What is a test VM, sir? 21 A. Test VM is a virtual machine. 22 system that's used for -- in the purpose of EDG development of 23 code. 24 you need to test, and you shut it down. 25 Q. I don't know. It could be any operating It's set up, it runs, you do what you need to test what And when you say you test what you need to test, or you run SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 886 K2B3SCH1 David 1 what you need to run, you're generally testing malware, 2 correct? 3 A. Yes. 4 Q. And you're generally testing a virus, correct? 5 A. Yes. 6 Q. And anyone in EDG who ran a test VM could mount Altabackup, 7 correct? 8 A. I can't answer that. 9 MS. SHROFF: You can take that one down, please. 10 Q. Now, you testified and I think you told the FBI this as 11 well, that in your opinion, Mr. Schulte knew the IP addresses 12 for the NFS Altabackup mount, correct? 13 A. Yes. 14 Q. Could you tell the jury what NFS is, just remind them. 15 A. Network file system. 16 is more or less specifically Linux computers can connect to, to 17 write their files up to say backups. 18 for saving files, but for Linux. 19 Q. Just a file share, right? 20 A. Basically. 21 Q. You share files on Window, you share files on Linux, 22 correct? 23 A. Yes. 24 Q. You like Windows, correct? 25 A. Yes. It is a location on the network that It is a network resource SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 887 K2B3SCH1 David 1 Q. You don't like Linux, correct? 2 A. Correct. 3 Q. And sitting here today, sir, do you know how many other 4 people knew the IP address for the NFS Altabackup? 5 A. I don't know. 6 Q. You have no idea, right? 7 A. No. 8 Q. In fact, nobody even kept track of that at the CIA, 9 correct? Certainly not you, right? 10 A. Not me. 11 Q. And I am correct that you did tell these FBI agents and you 12 spoke to all three, right? 13 Donaldson, right? 14 A. I spoke to a lot of FBI agents. 15 Q. Special Agent Schlesinger, correct? 16 A. Okay, yes. 17 Q. Evanchec, correct? 18 A. I don't remember the names. 19 Q. Fair enough. 20 that in your opinion, Altabackup was wide open. 21 phrase you used, right? 22 A. Yes. 23 Q. You told them, did you not, that it was up to each user to 24 connect their own network drives to their work stations, 25 correct? You spoke to Special Agent A lot of them? And you told these FBI agents, did you not, SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 That's the 888 K2B3SCH1 David 1 A. Yes. 2 Q. Any user could do that, correct? 3 A. Yes. 4 Q. And you also told the FBI, did you not, when you spoke to 5 them, that there was a CIFS access to Altabackup, right? 6 A. I don't remember that. 7 Q. No, no, it's okay. 8 3515-13. I don't recall that. It's been a long time. 9 MS. SHROFF: 10 stop for the 11 o'clock break? 11 12 THE COURT: Yes? I apologize. Take a look at Your Honor, would this be a good place to Yes, we'll take our morning recess. We'll resume at quarter after. 13 (Recess) 14 (In open court; jury present) 15 THE COURT: 16 MS. SHROFF: All right, Ms. Shroff. Thank you, your Honor. 17 BY MS. SHROFF: 18 Q. 19 access to Altabackup. 20 A. I do remember it. 21 Q. You told the FBI that there was CIFS access to Altabackup, 22 correct? 23 A. I don't recall saying that. 24 Q. Can you just take a look, I think it's before you, 3513, 25 page two. Sir, right before we broke, we were talking about CIFS Do you remember that? Do you have it there still? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 889 K2B3SCH1 David 1 A. Was that 13 you said? 2 Q. Yes, sir. 3 A. Okay. 4 Q. Yes, sir. 5 A. Yes, I -- 6 Q. It's fair to say that you also told them, did you not, that 7 any Windows user could mount Altabackup that way, even if the 8 auto mount was not enabled. 9 A. 10 Page two of five. At the bottom that's highlighted? Correct? If I can review, one second. I see that. 11 Q. 12 CIFS share from Altabackup on March 1st; is that correct? 13 A. That may be correct, yes. 14 Q. Do you remember what year of March 1st you deleted that? 15 A. It was a while ago. 16 Okay. And is it fair to say, sir, that you deleted the 2016, I don't remember. (Continued on next page) 17 18 19 20 21 22 23 24 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 890 K2bWsch2 David - Cross 1 BY MS. SHROFF: 2 Q. Well, it's not 2016. 3 A. I'm sorry. 4 messed up a little bit. 5 Q. Right. 6 A. Yes. 7 Q. And until March 1 of 2017, the CIFS share for Altabackup 8 was still up, correct? 9 A. Two thousand -- I'm sorry. I got my years 2017. March 1 of 2017, correct? Yes. 10 MS. SHROFF: Now, let me see if I can show you what is 11 1203-28. 12 Q. 13 connects the Altabackup to the Doxygen server? 14 A. Now, on here, do you see -- it is the next command, that Can you show me specifically? 15 16 A. 17 MS. SHROFF: Are you sure that's the right document? MS. SHROFF: You can take that down for a minute. OK. OK. 18 19 Q. Am I correct, sir, that the Doxygen server is another VM 20 that runs on the ESXi server? 21 A. 22 of that server. 23 Q. OK. 24 A. I do not. 25 Q. Do you know whether or not it has wide access; it's called I will have to take your word for it. I have no knowledge Do you know anything about the Doxygen server? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 891 K2bWsch2 David - Cross 1 a wide-access server? 2 A. I know nothing about that server. 3 Q. Do you know whether the CIA has a Doxygen server? 4 A. I do not know what that server is or what its purpose is. 5 6 MS. SHROFF: Now, let me ask you, if I may, to pull up 1251. 7 Actually, I'm sorry. I changed my mind. 8 pull up Government Exhibit 601 for me. 9 Q. Could you This is a four-page document that you testified to on your 10 direct, correct? 11 A. Uh, yes. 12 Q. Did you create this document, sir? 13 A. Uh, I don't believe that I created this one. 14 may have created this. 15 Q. 16 testimony here? 17 A. I do not recall reviewing this with the -- with -- 18 Q. Did you review it with Tim? 19 A. Probably back in the day, yes. 20 Q. OK. 21 firewalls that you testified to. 22 A. OK. 23 Q. Could you point out for the jury where you see the 24 firewalls on this document? 25 A. OK. I believe Tim Did you review it with the government before your All right. So let's see if we can talk about the OK? This document is a copy of DevLAN. There were no firewalls SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 892 K2bWsch2 David - Cross 1 on DevLAN except on the Hickok network. 2 Q. 3 that's on page 3, right? 4 A. 5 Right. So let's just point the firewalls out, and I think Is that correct? Let me see. OK. 6 Q. Am I correct that the thingamajiggies that have, like, a 7 play sign, those are the firewalls? 8 A. Probably, yes. 9 Q. OK. 10 Just so that the jury knows, it's the one that -MS. SHROFF: 11 Q. 12 diagram? I can't. I don't know how to do this. But this and this is the firewall, right, according to your 13 MR. DENTON: 14 THE COURT: Objection. Overruled. 15 Q. Is that right? 16 A. Looking at the -- yes. 17 Q. OK. 18 A. I'm looking at the firewalls, looking at your descriptions, 19 yes. 20 Q. OK. 21 Are those the firewalls? I'm looking -- Thank you, sir. MS. SHROFF: Let's go to page 4. 22 Q. On page 4 -- you testified about this, right? 23 that the only traffic that goes into and from DevLAN, right? 24 You see that it goes into and from, right? 25 A. OK. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Page 4 says 893 K2bWsch2 David - Cross 1 Q. Do you see that on the top? 2 A. Hickok is -- 3 Q. Yeah. 4 Hickok, right? 5 A. Yes. 6 Q. DevLAN and COG, includes SSH, correct? 7 A. Yes. 8 Q. So if someone hacked into Jira -- 9 A. Yes. 10 Q. -- they could SSH into DevLAN. 11 So it says the only traffic allowed into and from MS. SHROFF: Could you go back and show him. 12 Q. Am I correct? 13 A. I'm not 100 percent certain on that. 14 the firewall rule sets, but -- 15 Q. The firewalls are right there. 16 A. There's rules set within the firewalls that allow for 17 traffic to be stateful and non-stateful, so if the -- there 18 were a lot of firewall settings on that firewall. 19 remember them personally. 20 Q. Well, take a look here at the firewalls. 21 A. Uh-huh. 22 Q. The Palo Alto firewall, is this something you buy -- I can 23 go buy that, right? 24 A. Yes. 25 Q. Right. I don't remember all Take a look. And anybody can go buy that, right? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 I don't 894 K2bWsch2 David - Cross 1 A. Yes. 2 Q. How about this ASA firewall, also anybody can go buy it? 3 A. Right. 4 Q. Right. 5 Jira, they could just SSH into DevLAN, you can't answer that 6 question because you don't know the type of the firewall? 7 A. I know the type of the firewall. 8 Q. OK. 9 A. I do not know what the rule sets were within that firewall. 10 Q. Right. 11 not, correct? 12 A. They could or they could not. 13 Q. Right. 14 A. That is an accurate statement. 15 Q. Right. 16 A. Yes. 17 Q. Equally plausible that you could not? 18 A. Yes. 19 So your testimony is that if someone hacked into So you just don't know; they could or they could It is equally plausible that you could, correct? MS. SHROFF: Let's just go to page 2 of 2 or 2 of 4. 20 Q. Can you, looking at that chart, tell me, sir -- I don't 21 know how to take off the purple, so ignore it. 22 A. OK. 23 Q. So you see Jira down there? 24 A. Yes. 25 Q. This diagram does not tell you -SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 OK? 895 K2bWsch2 David - Cross 1 THE WITNESS: Oh, I'm sorry. 2 MS. SHROFF: Thank you, sir. Oh, there. Gotcha. 3 Q. This does not tell you, does it, how Jira was backed up? 4 A. Jira was not backed up. 5 Q. OK. 6 A. If I may correct? 7 remember specifically everything that was in Altabackup. 8 9 Your testimony is Jira was not backed up? MS. SHROFF: and go to 1207-36. I believe Jira was backed up. All right. I don't Let's just put this one aside OK? 10 Q. Now, there is a folder for Jira on Altabackup, right? 11 A. Yes. 12 Q. And this shows that the Jira folder was modified on April 13 13, 2016, correct? 14 A. Yes. 15 Q. And it also shows that Jira is backed up to the Altabackup, 16 correct? 17 A. Yes. 18 Q. So it's not just -- 19 MS. SHROFF: Going back to 601, page, I think it was 20 2. 3, maybe? 21 Q. So it's not just the HTTPS or the SLDAP or the SMTP and SSH 22 allowed by the firewall, correct? 23 A. Uh -- 24 Q. Take a look -- 25 A. I don't -- I don't know how that backup was being SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 896 K2bWsch2 David - Cross 1 performed, but you can use the SSH protocol to run a secure 2 copy through it -- 3 Q. Right. 4 A. -- which would be allowed through the firewall. 5 Q. Right. 6 allowed for an NFS connection from Jira to Altabackup. 7 A. Yes. 8 Q. All right. 9 file from Altabackup? So you agree with me now, do you, that the firewall Right? So then anyone on Jira could have copied any 10 A. Anyone who had access to Jira. 11 Q. Exactly. 12 A. Yes. 13 Q. Anyone who had access to Jira could copy any file from 14 Altabackup, right? 15 A. Yes. 16 Q. All righty then. 17 Now, sitting here today, you have no idea if there were any 18 other connections that these firewalls allowed, correct? 19 A. Correct. 20 Q. And sitting here today, you have no idea what the settings 21 on this firewall were in 2016, correct? 22 A. I do not remember that, no. 23 MS. SHROFF: OK. You can take that one down. 24 Could I just have one moment, your Honor? 25 THE COURT: Yes. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 897 K2bWsch2 1 David - Cross MS. SHROFF: Now let me just for a minute go back, if 2 I may, to 1207-7. 3 Q. 4 again, but just bear with me. 5 Jira root thing. 6 A. OK. 7 Q. Now, you testified that this is the authorized key file on 8 Confluence that you edited on April 16, 2016, correct? 9 A. Now, if I could go back, and I think I asked you about this OK? Let's just go back to the Right there. I can't specifically memorize the keys. This is obviously 10 to connect to the Jira server. 11 Q. Right. 12 A. I don't know if this would work on the Confluence server. 13 Q. No, I didn't ask you that. 14 went in on a Saturday and you changed all the keys? 15 A. 16 these were the authorization keys to log in to the OSB server. 17 Q. 18 were authorized keys, correct? 19 A. Yes. 20 Q. So Jira here was an authorized key prior to April 16, 21 right? 22 A. Yes. 23 Q. So Jira had access to Confluence because it's an authorized 24 key, correct? 25 A. Right. Remember you testified that you I don't -- remember, we generated new keys, and But these are authorization keys prior to April 16; these Yes. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 898 K2bWsch2 1 Q. 2 correct? 3 A. David - Cross And if you had root on Jira, you had root on Confluence, Yes. 4 MS. SHROFF: OK. You can take that one down too. 5 Q. Now, could you just tell me, sir, in your opinion, what is 6 a hackathon? 7 A. I do. 8 Q. Did the CIA run hackathons? 9 A. Yes. 10 Q. And when they ran hackathons, did they have a whole group 11 of people sort of having like a fun day doing hacking stuff, 12 whatever that is? 13 A. Yes. 14 Q. And how many people would you say from the CIA participated 15 in this hackathon? 16 A. 17 recollection was anywhere from 12 to 13, 20 people. 18 Q. 19 laptop, correct, to participate in this hackathon? 20 A. Yes. 21 Q. And these laptops, each one of them for all of these people 22 that were doing this hackathon, all of these laptops were 23 connected to DevLAN, correct? 24 A. Yes. 25 Q. And each one of these laptops had full access to DevLAN, Do you know what a hackathon is? I don't know. I didn't have too much involvement with that. My And each one of these 20 people were given a special SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 899 K2bWsch2 David - Redirect 1 correct? 2 A. 3 back, I believe we did set up -- some people already had access 4 to the network. 5 there were some folks that may have come in that accounts were 6 created. 7 Q. 8 they were also given access to DevLAN so everybody could 9 participate in this hackathon? 10 A. Yes? Full access to all of DevLAN -- They received IP addresses on the network. Right. I -- looking Already they were DevLAN users, and I believe So people had access already, new people came in, Yes. 11 MS. SHROFF: All righty then. 12 I have nothing further. 13 THE COURT: 14 MR. DENTON: 15 REDIRECT EXAMINATION 16 BY MR. DENTON: 17 Q. 18 series of questions about Jira? 19 A. Yes. 20 Q. When she was asking you questions, she didn't draw a 21 distinction between the Jira program and the Jira server. 22 you remember that? 23 A. Yes. 24 Q. Did everyone who had access to the Jira program have access 25 to the Jira server? Thank you. Mr. Denton. Thank you, your Honor. Sir, do you remember just now Ms. Shroff was asking you a SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Do 900 K2bWsch2 David - Redirect 1 A. No. 2 Q. Where was access to the Altabackups within Jira? 3 A. They were access -- can you rephrase the question, please? 4 Q. Was access to the Altabackups through the Jira program or 5 through the Jira server? 6 A. The Jira server. 7 Q. Did every Jira user have access to the Altabackups through 8 the Jira server? 9 A. No. 10 Q. Did Atlassian administrators have access to the server? 11 A. Yes. 12 Q. Now, she asked you a lot of questions just generally about 13 the security practices within the CCI building. 14 remember that? 15 A. Yes. 16 Q. When you get to the CCI building, do you have to go through 17 a gate? 18 A. Yes. 19 Q. Who's standing at that gate? 20 A. Armed guards. 21 Q. What are they armed with? 22 A. M16s, riot shotguns, things of that nature. 23 Q. What do you have to do to get by them? 24 A. Present credentials, a badge. 25 Q. What do you have to do to get that badge? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Do you 901 K2bWsch2 David - Redirect 1 A. You have to go through a year or more of background 2 investigation and polygraphs. 3 Q. 4 that get you? 5 A. It gets you to the parking lot. 6 Q. What do you have to do to get into the building? 7 A. You have to badge access through a main catcher-type 8 turnstile and provide a valid badge and a PIN. 9 Q. Once you get past that gate and those guards, how far does When you go up to your office, how do you get into your 10 office? 11 A. 12 door. 13 Q. Can you go into somebody else's office? 14 A. If I have access. 15 Q. What if you don't have access? 16 A. It will not allow me in. 17 Q. Was that true for that entire building? 18 A. Yes. 19 Q. Was there anyone in that building who did not have to go 20 through that process? 21 A. No. 22 Q. Now, Ms. Shroff asked you a lot of questions about the 23 Altabackups, and she asked you at one point who could pull down 24 a copy. 25 A. I have to present a badge to the badge reader to unlock the Do you remember that? Yes. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 902 K2bWsch2 1 David - Redirect MR. DENTON: Ms. Hurst, could we put up Government 2 Exhibit 1202-18. 3 Q. 4 snapshot BK 4-16-2016, did the defendant have access to the 5 Altabackups? 6 A. Yes. 7 Q. Could he pull down a copy of the Altabackups? 8 A. Yes. 9 Q. And do you remember Ms. Shroff asking you some questions We've looked a lot at this. After the reversion to 10 about things you said about ways to copy the backup? 11 A. Yes. 12 Q. And you talked about vSphere and Rsync, is that right? 13 A. Yes. 14 Q. Is vSphere a computer program? 15 A. VSphere is an application that is used to manage ESXi 16 servers. 17 Q. Like the OSB ESXi servers? 18 A. Yes. 19 Q. When you say used to manage servers, does it manage the 20 virtual servers that are running on that? 21 A. Yes. 22 Q. So is vSphere something that you'd use to manage the 23 Confluence virtual server on the OSB ESXi machine? 24 A. Yes. 25 Q. Did anyone on DevLAN have access to vSphere? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 903 K2bWsch2 David - Redirect 1 A. There were multiple copies of vSphere. 2 running for the infrastructure virtual machines that ISB 3 managed, and I believe there was a copy of it running on that 4 server. 5 problems on vSphere. 6 Q. 7 account mean that you could access vSphere? 8 A. No. 9 Q. And Rsync, is that a computer command? 10 A. It is. 11 Q. What kind of command is it? 12 A. It's a Linux command. 13 Q. And what is it a command to do? 14 A. Copy. However, I believe it was not working. We had It was a long time ago. Let me put it this way. 15 There was one MR. DENTON: Did the fact that you had a DevLAN Could we put up Government Exhibit 16 1207-30, and again just blow up the top few lines. 17 Q. 18 questions about this? 19 A. Yes. 20 Q. And she said she wasn't interested in what usually would 21 change the date accessed? 22 A. Now, do you remember when Ms. Shroff was asking you Yes. 23 24 25 MS. SHROFF: Objection to the characterization, your Honor. THE COURT: The jury will determine that. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 904 K2bWsch2 David - Redirect 1 MS. SHROFF: 2 THE COURT: Thank you. The objection's overruled. 3 BY MR. DENTON: 4 Q. Is Rsync something that would change the date accessed? 5 A. Yes. 6 Q. Now, do you remember Ms. Shroff asking you about a Windows 7 version of the mount on the Altabackups? 8 A. Yes. 9 Q. Something called CIFS, right? 10 A. Yes. 11 Q. Now, you testified on your direct examination about 12 something called Active Directory, right? 13 A. Yes. 14 Q. What does Active Directory do? 15 A. Active Directory is a product from Microsoft running 16 Windows server that allows you to create users in a bunch of 17 computers together, what's called a domain. 18 users; their accounts; servers; permissions, primarily; and 19 there's a whole host of other things you can do with it. 20 Q. And is CIFS linked to Active Directory. 21 A. Yes. 22 Q. What does it mean to say that it's linked to Active 23 Directory? 24 A. 25 via the NetApp. It's just managing CIFS, more properly called, is tied into Active Directory It actually has a workstation account on the SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 905 K2bWsch2 David - Redirect 1 domain and participates in the domain so that you can define 2 username and passwords that have the ability, are allowed to 3 access files and photos within that CIFS directory. 4 Q. Does it limit who can access a CIFS directory? 5 A. It can, yes. 6 Q. Now, Ms. Shroff asked you about connecting computers to FIN 7 and to the internet. 8 A. Yes. 9 Q. Do you remember that? 10 A. I do. 11 Q. She asked you about a particular incident where a laptop 12 was connected to the network. 13 A. Yes. 14 Q. After that incident happened, did you have to take any 15 corrective measures? 16 A. 17 formatted all workstations, all servers, every piece of 18 equipment, and rebuilt everything from scratch. 19 Q. Why did you do that? 20 A. It was a direction from our front office. 21 want any -- anything that may have lingered or possibly on the 22 network. 23 Q. 24 that this had happened? 25 A. Yes. Do you remember that? We basically rebuilt the entire network. We They did not And did that come about because your branch had detected Yes. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 906 K2bWsch2 David - Redirect 1 Q. 2 about whether any virtual machine could connect to the 3 Altabackups? 4 A. 5 Do you remember being asked some questions by Ms. Shroff Excuse me. Yes, I do. 6 Q. And you said you couldn't answer that question, right? 7 A. That is correct. 8 Q. Did you need more information to answer that question? 9 A. I needed a lot of, more information. 10 Q. What more information would have helped you answer that 11 question? 12 A. 13 would be the IP addresses that were on the virtual machines. 14 Also, it would also need the corresponding what is called an 15 export list on the NFS mount on which IP addresses were allowed 16 to connect. 17 those pieces of information to accurately answer that question. 18 Q. 19 to connect to the Altabackups? 20 A. Yes. 21 Q. But off the top of your head, you don't know exactly which 22 ones? 23 A. I do not. 24 Q. OK. 25 system in general. The primary, primary piece of information I would need I did not have either of those info -- either of Do you know for sure that some IP addresses were not able I did not virtually set up that mount point, no. Finally, I just want to talk about the security of the You talked a lot about how it was set up to SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 907 K2bWsch2 David - Redirect 1 let people do their work. Do you remember that? 2 A. Yes. 3 Q. Did you rely on those people for security on the network? 4 A. Yes. 5 Q. How did you rely on them? 6 A. Everyone was cleared to a top-secret SCI level. 7 an expectation of trust that people were going to follow some 8 basic, fundamental rules, and in following those rules, they 9 would be allowed some additional privileges on the network that There is 10 they would be able to create their work. 11 Q. 12 made administrators on the network? 13 A. Yes. 14 Q. Why? 15 A. You have a screen-user access, as they call it. 16 the ability to directly manipulate the network. 17 computers and systems that you had direct access to, you could 18 change them for the good or for the bad. 19 Q. 20 security with respect to regular users apply to system 21 administrators? 22 A. No. 23 Q. Did they apply to the defendant when he was a system 24 administrator? 25 A. And was there any particular trust for the people who were You have In the boxes, Did the sorts of policies that were in place to provide Yes. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 908 K2bWsch2 Leedom 1 MR. DENTON: 2 THE COURT: 3 THE WITNESS: 4 (Witness excused) 5 THE COURT: 6 MR. LAROCHE: 7 8 No further questions, your Honor. OK. You're excused, David. Thank you. Thank you. Call the next witness. Your Honor, the government calls Patrick Leedom. PATRICK LEEDOM, 9 called as a witness by the government, 10 having been duly sworn, testified as follows: 11 THE COURT: Please sit down, Mr. Leedom. 12 THE WITNESS: 13 THE COURT: Pull yourself right up to the microphone. 14 All right. Mr. Laroche. 15 MR. LAROCHE: Thank you, your Honor. Thank you, your Honor. 16 DIRECT EXAMINATION 17 BY MR. LAROCHE: 18 Q. Good morning, Mr. Leedom. 19 A. Good morning. 20 Q. Did you graduate from college? 21 A. Yes, I did. 22 Q. From what college? 23 A. I graduated from the University of Colorado at Colorado 24 Springs. 25 Q. What's your degree in? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 909 K2bWsch2 Leedom 1 A. I have a bachelor's of science in computer science. 2 Q. Are you currently employed? 3 A. Yes, I am. 4 Q. Where are you employed? 5 A. I work for the MITRE Corporation. 6 Q. What is the MITRE Corporation? 7 A. The MITRE Corporation is a not for-profit company that 8 operates FFRDCs. 9 Q. What is an FFRDC? 10 A. An FFRDC stands for federally funded research and 11 development center. 12 entity that provides research and development to the 13 government. 14 Q. How long have you been at the MITRE Corporation? 15 A. About six years or so. 16 Q. What's your current position? 17 A. I'm a lead cyber security engineer, and I manage about five 18 employees. 19 Q. Does that management role have a title? 20 A. Yes, it does. 21 Q. What do you do at MITRE as a lead cyber security engineer? 22 A. I'm a contractor to the Federal Bureau of Investigation. 23 Q. What does it mean to be a contractor to the FBI? 24 A. For me, I perform the role of a computer scientist for the 25 bureau. It's essentially a government-funded It's called a group leader. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 910 K2bWsch2 Leedom 1 Q. And how long have you been doing that? 2 A. For most of my time in the company. 3 Q. Do you work within any particular unit at the FBI? 4 A. Yes, I do. 5 unit. 6 Q. And is unit that within a particular FBI division? 7 A. Yes, it's in the cyber division. 8 Q. What is the cyber division of the FBI? 9 A. FBI's cyber division investigates cyber cases or I support A unit called the technical analysis 10 computer-related cases. 11 Q. 12 within that division, is that correct? 13 A. That's correct. 14 Q. What is that unit? 15 A. That unit supports FBI investigations. 16 support different field offices around the country. 17 field offices in -- all over different states, and they 18 primarily work on their own local issues. 19 there will be special agents or computer scientists that need 20 assistance with their cases either for technical reasons or 21 staffing reasons, and we support them in that. 22 Q. Are you familiar with the FBI's cyber action team? 23 A. Yes, I am. 24 Q. Is that also referred to as the CAT team? 25 A. Yes, it is. And you said that you're in the technical analysis unit More notably, we There's And occasionally, SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 911 K2bWsch2 Leedom 1 Q. What is the FBI's CAT team? 2 A. The CAT team is the FBI's incident-response fly team. 3 Q. You used two terms there. 4 response? 5 A. 6 they have some kind of hack into their network, incident 7 response is the operation where you go in and use threat risk 8 and live system analysis to figure out what happened on the 9 network. First, what's an incident Incident response means if a company is compromised, if 10 Q. And you also said fly team? 11 A. Yes. 12 to go at a moment's notice and goes all over the country and 13 sometimes all over the world. 14 Q. Do you also support the FBI's CAT team? 15 A. Yes, I do. 16 Q. How do you do that? 17 A. I wrote the system on deployment, and as part of the 18 technical analysis unit, when the bureau fly team -- it's 19 essentially made up of special agents and computer scientists 20 all over the country. 21 they can get sent out, and sometimes if they have too much 22 evidence to analyze, they can send it back to us at 23 headquarters, and we assist them with that. 24 Q. 25 is that correct? A fly team essentially means that this team is ready When they're, like, on the on-call list, And you said sometimes you're deployed with the CAT team, SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 912 K2bWsch2 Leedom 1 A. That's correct. 2 Q. What do you mean deployed with the CAT team? 3 A. Deployed means I get to join them on the mission. 4 Q. Approximately how many times have you been deployed with 5 the CAT team? 6 A. Five or so times. 7 Q. And generally how quickly is the CAT team deployed with 8 cyber security? 9 A. It could be in a matter of hours to days, depending on the 10 situation. 11 Q. 12 team? 13 A. Yes, I do. 14 Q. Could you please explain? 15 A. Specifically, our team in the technical analysis unit, we 16 do software development for the CAT team. 17 worked on multiple different ways to parse and triage forensic 18 information from a network. 19 response you're only going to be able to be on the ground for a 20 few days, so you have to be able to process as much evidence as 21 possible and get the best information that you can out of it; I 22 support a development project that works to meet those goals. 23 Q. 24 many investigations or cases have you assisted the FBI with? 25 A. Have you also helped develop forensic tools for the CAT Specifically, we've Since the nature of incident Putting the CAT team aside, in total, approximately how Over my last six years or so with the bureau, between 50 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 913 K2bWsch2 Leedom 1 and 100 or so. 2 Q. What types of investigations have you supported? 3 A. I've supported criminal cases, counterintelligence cases, 4 other malware analysis-related cases, like nation-state 5 malware, and some insider-threat cases. 6 Q. Generally, what was your role in those investigations? 7 A. As a computer forensic analyst. 8 Q. Have those investigations involved the analysis of computer 9 networks? 10 A. Yes, many of them have. 11 Q. Approximately how many? 12 A. Dozens. 13 Q. What about the analysis of virtualized computers? 14 A. Yes. 15 Q. Approximately how many of the investigations involved 16 virtualized computers? 17 A. Dozens of those as well. 18 Q. What about malware? 19 A. Slightly less. 20 incident response-related deployments involved some sort of 21 malware. 22 Q. 23 nation-state hacking? 24 A. 25 It depends on the situation. Most of the And have you participated in investigations involving I have. MS. SHROFF: I'm sorry, your Honor. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 I had trouble 914 K2bWsch2 1 Leedom hearing. 2 THE COURT: Nation-state hacking. 3 MS. SHROFF: Sorry, your Honor. 4 THE COURT: That's OK. 5 A. Yes, I have. 6 Q. And what's nation-state hacking? 7 A. Nation state is just simply another term for a country or 8 another entity that's significantly well funded and has access 9 to a lot of resources. 10 Q. Approximately how many investigations involving 11 nation-state hacking have you participated in? 12 A. Significantly less. 13 Q. What about investigations involving database 14 reconstruction? 15 A. Very many. 16 Q. What do you mean by database reconstruction? 17 A. Pretty much all web services nowadays run databases. 18 on your Windows machine you use at home, the web browsers use 19 different databases, so those need to be analyzed for content. 20 Q. What about investigations involving insider threats? 21 A. I've worked very few, one that I can think of specifically. 22 Q. And what is an insider threat? 23 A. An insider threat is when you have an employee of a company 24 or someone that works for a company and they're trusted with 25 certain special information and they breach that trust and Maybe five or less or so. I'd say dozens. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Even 915 K2bWsch2 Leedom 1 either leak that information to someone else or sell it, 2 something like that. 3 Q. And I think you said you've worked on one in particular? 4 A. Yes, I have. 5 Q. Which investigation is that? 6 A. The Harold Martin case, where he took information from the 7 NSA. 8 Q. What was your role in that investigation? 9 A. We had an incident-response deployment that was -- 10 11 MS. SHROFF: Your Honor, we have an objection. have a sidebar, please? 12 THE COURT: 13 MS. SHROFF: 14 (Continued on next page) Yes. Thank you. 15 16 17 18 19 20 21 22 23 24 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 May we 916 K2bWsch2 Leedom 1 (At sidebar) 2 MS. SHROFF: Your Honor, I'm sure the government can 3 qualify this witness without eliciting information about a very 4 recent case where there was a guilty verdict. 5 Martin case is something that would be easily accessible to the 6 jury. 7 Harold Martin case that has any co-relationship to this case, 8 and to talk about a clear case where there's already a finding 9 of guilt is just too prejudicial to Mr. Schulte. I mean, it's not like -- there's nothing about the 10 11 The Harold MR. LAROCHE: We don't plan to elicit anything about the case itself. 12 MS. SHROFF: You may not. 13 MR. LAROCHE: 14 MS. SHROFF: We're not even talking about -But there is no reason to talk about 15 another defendant. 16 He doesn't have to mention the lead case. 17 mention the NSA. 18 He can just say I worked on another case. THE COURT: He doesn't have to I think he can go into it by way of 19 background, explaining what he did, why he's going to be an 20 expert. 21 MS. SHROFF: Background is fine. He could say I 22 worked on a case. 23 especially since this man also worked at the NSA. 24 reason. 25 He doesn't have to talk about the NSA, THE COURT: He worked at the NSA? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 There's no He was there as a 917 K2bWsch2 1 Leedom summer intern, correct? 2 MS. SHROFF: 3 THE COURT: 4 MS. SHROFF: Yes, he was. For three months? Two months? I'm just saying there's really no reason 5 for him to talk about a specific defendant in a case. 6 necessary. It's prejudicial. 7 THE COURT: 8 MR. LAROCHE: 9 THE COURT: 10 It's not How much longer do you have with this? We're over already. Let's go. (Continued on next page) 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 918 K2bWsch2 Leedom 1 (In open court) 2 THE COURT: 3 MR. LAROCHE: Mr. Laroche. Thank you, your Honor. 4 Q. In addition to your work at MITRE, do you have any 5 certifications in forensic analysis? 6 A. Yes, I do. 7 Q. What types of certification do you hold? 8 A. I have the GIAC, the certified forensic examiner 9 certification. 10 Q. What is that? 11 A. It's the simple certification that covers everything from 12 imaging hard drives and collecting evidence in a correct 13 fashion to Windows forensics. 14 Q. 15 cyber security? 16 A. Yes, I have. 17 Q. Approximately how many of those types of training have you 18 received? 19 A. I've taken dozens of courses on the matter. 20 Q. What are some of the types of training that you've 21 received? 22 A. 23 courses; instant-response courses, technical courses related to 24 how the basic system internals of computers work, hardware 25 hacking, things like that. Have you received any training on forensic analysis or Everything from programming courses to cyber security SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 919 K2bWsch2 Leedom 1 Q. 2 your case work? 3 A. Yes, I have. 4 Q. What are some of the awards that you've received? 5 A. I received a directors award related to the tool that I 6 mentioned that we've developed for the instant-response team. 7 That tool received the attorney general's award from the 8 Department of Justice, so we were recognized in a similar 9 fashion. 10 Have you received any awards or recognition at MITRE for I've also received several other awards for my department 11 just in support of cases that I've worked. 12 Q. You said the directors award? 13 A. No. 14 Q. Sorry. 15 award. 16 A. Correct, from my company. 17 Q. And what is the directors award? 18 A. The directors award is one of the highest awards you can 19 receive from our division. 20 Q. 21 that? 22 A. Yes, it was. 23 Q. What is that award? 24 A. That's a very highly respected award within the Department 25 of Justice from the FBI. The attorney general's award. But I think you said you received the director's Is that correct? You mentioned the attorney general's award was related to SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 920 K2bWsch2 Leedom 1 Q. Other than from MITRE, have you received awards from anyone 2 else for your case work? 3 A. Yes, I have. 4 Q. Who else gave you awards? 5 A. I received an award from the Polish national -- military 6 counterintelligence service for a deployment that we did with 7 them. 8 Q. Generally speaking, what did you receive that award for? 9 A. I received that award -- we helped them with an 10 incident-response situation out of the country about a year 11 ago. 12 Q. 13 networks? 14 A. Did that assistance involve forensic analysis of computer Yes, it did. 15 MR. LAROCHE: Your Honor, the government would offer 16 Mr. Leedom as an expert in digital forensics and computer 17 science. 18 THE COURT: 19 MS. SHROFF: 20 Any objection? We do have an objection, your Honor. But may I just ask two voir dire questions? 21 THE COURT: Yes. 22 VOIR DIRE EXAMINATION 23 BY MS. SHROFF: 24 Q. 25 in computer sciences? Sir, what is the highest level of education that you have SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 921 K2bWsch2 Leedom 1 A. I have a bachelor's of science in computer science. 2 Q. And is it fair to say that you do not have a master's of 3 science in computer technology? 4 A. That is correct. 5 Q. And obviously, if you don't have a master's, you don't have 6 a Ph.D., is that correct? 7 A. That's correct. 8 Q. And you have no specific knowledge or any expertise in any 9 of the computer systems at CIA, correct? 10 A. Could you elaborate a little more? 11 Q. Well, before you were hired on this case, you were never 12 part of the CIA, correct? 13 A. Correct. 14 Q. You had no access to any of their computers, correct? 15 A. That's not entirely accurate, but -- 16 Q. OK. 17 before you were retained on this case? Tell us, sir. 18 MR. LAROCHE: 19 THE COURT: What was your access to CIA computers Objection. Overruled. 20 A. Certain assets throughout the intelligence community are 21 shared for intelligence purposes, so something -- news 22 reporting, things like that. 23 Q. News reporting? 24 A. Things like that, yeah. 25 Q. What does that mean, news reporting? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 922 K2bWsch2 Leedom 1 A. 2 for review. 3 Q. So they gave you access to DevLAN -- 4 A. No. 5 Q. -- before you were retained for this case? 6 A. No. 7 Q. How about access to Confluence? 8 A. Not on their network, no. 9 Q. How about access to any of their computer networks? 10 A. Not on DevLAN, no. 11 Q. Did you receive any training about DevLAN before you 12 arrived on this case? 13 A. No. 14 Q. Do you have any training whatsoever from your undergraduate 15 Information on just different intelligence that's available college on DevLAN? 16 A. No, not for DevLAN specifically. 17 Q. I'm sorry? 18 A. Not for DevLAN specifically. 19 Q. OK. 20 used or is in use at the CIA? 21 A. No, not for a specific network at the CIA. 22 Q. Right. 23 are about to testify is the training you got as a result of you 24 preparing for testimony on this case, correct? 25 A. Do you have any network training on a network that was So your only training about the topics on which you That's inaccurate. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 923 K2bWsch2 OK. Leedom 1 Q. Well, tell us what other thing you got to prepare for 2 the testimony about the DevLAN network about which you are 3 going to testify in this case. 4 A. 5 years working with the bureau on operational-type engagements, 6 I have significant experience working with both computer 7 networks, varying companies that host different variety and 8 types of computer networks and their basic operation. 9 principles are the same to any network, even the networks at During my undergraduate degree program and my past six Those 10 the CIA. 11 Q. 12 that you learned in college and then the principles that you 13 learned from working on other networks, not at the CIA, 14 essentially are the same principles that apply to the network 15 that you're about to testify to, which is DevLAN. 16 correct? 17 A. That is correct. 18 Q. OK. 19 learned about other networks and you're able to apply what you 20 learned about other networks to the DevLAN network about which 21 you are going to testify, correct? 22 A. That's correct. 23 Q. So basically the principles about how general networks work 24 and how the DevLAN network works are essentially the same, 25 correct? OK. So your testimony sitting here today is the principles Is that Did I correctly understand you? So there isn't much of a difference between what you SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 924 K2bWsch2 Leedom 1 A. That's accurate, yes. 2 Q. It's accurate, right? 3 A. Yes. 4 MS. SHROFF: OK. 6 THE COURT: Yes. 7 MS. SHROFF: 8 Your Honor, given the fact that the witness has 5 9 Could I have just one second, your Honor? Thank you. testified that his knowledge of the DevLAN network is informed 10 by his knowledge of other non-DevLAN, non-CIA networks, we 11 withdraw our objection to him becoming an expert. 12 THE COURT: 13 MS. SHROFF: 14 THE COURT: 15 MS. SHROFF: 16 You withdraw your objection? I do. He's recognized as an expert then. Thank you very much, your Honor, for the voir dire. 17 THE COURT: You're welcome. 18 BY MR. LAROCHE: 19 Q. 20 became involved in the investigation of the DevLAN network? 21 A. Yes, there was. 22 Q. And did that involve the Vault 7 and Vault 8 disclosures? 23 A. Yes, it did. 24 Q. What is Vault 7 and Vault 8? 25 A. To my knowledge, Vault 7 and Vault 8 were leaks of So let's start there. Did there come a time when you SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 925 K2bWsch2 Leedom 1 classified information from the CIA; specifically, the DevLAN 2 network. 3 Q. 4 investigations? 5 A. 6 believe it was late March 2017, maybe early April. 7 Q. 8 develop an understanding as to whether the information in Vault 9 7 and Vault 8 was stored on any particular computer network? And when did you become involved in the Vault 7 and Vault 8 I personally became involved in the investigation, I Based on your participation in that investigation, did you 10 A. Yes, I did. 11 Q. What computer network was that? 12 A. It was stored on the DevLAN network. 13 Q. And is that a CIA computer network? 14 A. Yes, it is. 15 Q. Now, before the Vault 7 and Vault 8 disclosures, did you 16 have access to DevLAN? 17 A. No, I did not. 18 Q. Why not? 19 A. It was a classified internal agency network. 20 Q. What were your responsibilities in connection with the 21 Vault 7 and Vault 8 investigation? 22 A. 23 to the agency to assist them with investigating what happened. 24 Q. 25 network diagrams and documentation of the DevLAN network? Primarily, we had sort of incident response-type deployment As part of your responsibilities, have you also reviewed SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 926 K2bWsch2 Leedom 1 A. To some extent, yes, I have. 2 Q. And I think you said that your first role was incident 3 response. 4 A. That's correct. 5 Q. Could you just explain generally what you mean by that? 6 A. We were there to assist in trying to figure out if there 7 potentially were any, like, nation-state hacking attempts, any 8 malware active on the network, things like that. 9 Q. Did that role transition over time? 10 A. Yes, it did. 11 Q. How did it transition? 12 A. As we were supporting and became more knowledgeable about 13 the network, my role transitioned into more of a computer 14 scientist role supporting the investigation itself. 15 Q. 16 this investigation, did you examine forensic files and data 17 from the DevLAN network? 18 A. Yes, I did. 19 Q. Did that include reviewing the computer the defendant used 20 to access DevLAN while working at the CIA? 21 A. Yes, it did. 22 Q. Did it also include reviewing servers connected to DevLAN? 23 A. Yes, it did. 24 Q. Approximately how much time have you spent over the past 25 two and a half-plus years reviewing those materials? Is that correct? Now, as part of your responsibilities and participation in SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 927 K2bWsch2 Leedom 1 A. Countless hours. 2 Q. Have you formed an opinion as to some of the defendant's 3 activities on the DevLAN network in April of 2016? 4 A. Yes, I have. 5 Q. I want to focus your attention on April 20, 2016. 6 reached an opinion as to the defendant's activities on the 7 DevLAN network that day? 8 A. Yes, I have. 9 Q. What are some of the opinions that you've reached about the Have you 10 defendant's activities on April 20, 2016? 11 A. 12 virtual machine, which was running on the OSB ESXi server. 13 then reverted that virtual machine to the 4/16 backup that 14 you've heard about ISB having had made before they changed the 15 passwords. 16 after the passwords were changed. 17 stayed in a reverted state for a little over an hour, and the 18 defendant copied the Confluence backups from the Altabackup 19 server. 20 On April 20, 2016, the defendant accessed the Confluence He That backup gave him access to the machine again During that time the machine Also during that time, the defendant deleted many log files 21 both on the ESXi server itself and on the virtual machine by 22 reverting to the previous snapshot and deleting it. 23 Q. 24 also review the Vault 7 and Vault 8 disclosures that were 25 posted by WikiLeaks? Now, as part of your role in this investigation, did you SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 928 K2bWsch2 Leedom 1 A. Yes, I have. 2 Q. I want to focus on the initial disclosure, made on March 7, 3 2017. 4 A. Yes. 5 Q. Do you have an understanding about where that information 6 came from on the DevLAN network? 7 A. Yes. 8 Q. And how do you know that? 9 A. I reviewed it. 10 Q. How much of Confluence, approximately, was disclosed by 11 WikiLeaks on March 7, 2017? 12 A. All of it. 13 Q. Based on your analysis in this case, have you reached an 14 opinion as to what Confluence files were provided to WikiLeaks? 15 A. Yes, I have. 16 Q. What is your opinion? 17 A. It was the, those March 3 backup files. 18 That was Confluence data. MR. LAROCHE: Ms. Hurst, can you please show the 19 witness, the parties and the Court what's been marked as 20 Government Exhibit 1703, please. 21 Q. Mr. Leedom, do you see that on your screen right now? 22 A. Yes, I do. 23 Q. Do you recognize this? 24 A. Yes, I do. 25 Q. What is it? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 929 K2bWsch2 Leedom 1 A. 2 this. 3 Q. And did you assist in preparing this presentation? 4 A. Yes, I was. 5 Q. And does this summarize some of the exhibits you reviewed 6 as part of this case? 7 A. Yes, it does. 8 Q. Will it help you explain your opinions as you testify 9 today? 10 A. 11 12 It's a presentation that I've put together to help explain Yes, it will. MR. LAROCHE: Your Honor, the government would offer Government Exhibit 1703 as a demonstrative. 13 THE COURT: Ms. Shroff. 14 MS. SHROFF: 15 we have a pending objection. 16 THE COURT: 17 MS. SHROFF: Subject to that objection -- 18 THE COURT: 1703 is received in evidence. 19 MR. LAROCHE: 20 (Government Exhibit 1703 received in evidence) 21 MR. LAROCHE: Your Honor, I just remind the Court that Yes. Thank you, your Honor. If we could publish that to the jury. 22 Q. Now, Mr. Leedom, is your presentation broken up into 23 different parts today? 24 A. Yes, it is. 25 Q. And what is the first part? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 930 K2bWsch2 Leedom 1 A. This is a basic overview of the DevLAN network, covering 2 some of the basic features, basic configurations, things like 3 that. 4 Q. What do you mean by basic configurations? 5 A. Tried to present this in a way that's more towards the 6 layman and doesn't include, like, for example, complex diagrams 7 from SSPs, things like that. 8 9 MR. LAROCHE: Let's go through the part 1 DevLAN overview, if we could go to the next slide, please. 10 Q. This slide is titled "networking overview"? 11 A. Yes. 12 Q. And the first sub-bullet is firewalls? 13 A. Uh-huh. 14 Q. What are firewalls? 15 A. In its simplest term, firewall is a physical piece of 16 hardware that's on a network that limits activities on those 17 networks between different machines. 18 Q. And the next sub-bullet is switches? 19 A. Yes. 20 Q. What are those? 21 A. A switch is one way to connect computers to each other, 22 essentially. 23 Q. And finally, routers? 24 A. Routers are ways to connect, that you would connect 25 multiple different networks together. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 931 K2bWsch2 1 Leedom MR. LAROCHE: Let's go to the next slide. 2 Q. What is this slide showing? 3 A. This is a simple diagram of how DevLAN was laid out. 4 Q. And if you could, just start at the left with the box that 5 starts DevLAN and just explain to the jury what each of the 6 boxes are meant to represent. 7 A. 8 essentially a switch that's just representing the different 9 connections between all the computers on the DevLAN network. Yes. So the box on the left, see if I can draw, this is 10 There was a firewall that was limiting access, certain accesses 11 to what we've seen in the full version of this exhibit, the 12 Hickok network here, in the gray. 13 network on the right over here. 14 MR. LAROCHE: Thank you. And then we have the COG Let's go to the next slide, 15 please. 16 Q. Slide 4 is titled "operating systems"? 17 A. Yes. 18 Q. Generally, what's an operating system? 19 A. An operating system is the software that runs on top of the 20 hardware on your computer. 21 Q. What types of operating systems were run on DevLAN? 22 A. DevLAN had three major types, which is essentially all of 23 the available operating systems. 24 we've seen here. 25 system. The first is Linux, which It's a very popular open-source operating You can access it from either a graphical user SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 932 K2bWsch2 Leedom 1 interface, or most commonly, as we see in this case, it's on 2 servers that were running on the network. 3 There's also the Windows operating system, which is 4 developed by Microsoft, which has a graphical user interface 5 that many of you have seen. 6 Q. What is MacOS? 7 A. MacOS is developed by Apple, similar graphical user 8 interface operating system. 9 10 And MacOS. MR. LAROCHE: Let's go to the next slide, slide 5, THE WITNESS: Yes. please. 11 12 Q. What is this slide meant to convey? 13 A. I just want to show here the different types of operating 14 systems that were in place on different parts of network. 15 most of our Windows machines and potentially Mac machines would 16 be located in the DevLAN user section, so different users would 17 have different machines based on the type of work they were 18 doing. 19 to MacOS, you would have probably a Mac machine; same for 20 Windows and also Linux there. 21 So, Like, for example, if you were working on tools related The Active Directory server, which we'll just represent in 22 this little box here, that maintained, like, access controls 23 for the network. 24 Microsoft Windows. 25 That's a Windows server running a version of And then the management servers across the network, like SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 933 K2bWsch2 Leedom 1 ESXi server, Stash server, I believe the Hickok server, these 2 were Linux-based machines. 3 MR. LAROCHE: Thank you. We'll go to the next slide, 4 please. 5 Q. Slide 6 is titled "virtualization"? 6 A. Yes. 7 Q. What's virtualization? 8 A. Virtualization in respect to computers is essentially a way 9 of running a computer inside of a computer. 10 Q. And the first sub-bullet here is a virtual machine? 11 A. Yes. 12 Q. What's that? 13 A. So, A virtual machine, like I said, is a way to run a 14 computer inside of a computer. 15 running on servers. 16 you want with free software. 17 environment, this is used to help both aid development and have 18 higher uptime. 19 Q. You said production environment? 20 A. Yes. 21 Q. What i's that? 22 A. When I say production environment, I typically mean in some 23 kind of server infrastructure for machines that are meant to be 24 accessed by multiple users and are meant to be relatively 25 stable so that they provide a service that, you know, doesn't This isn't limited to just You can do this at home on your laptop if Typically, in a production SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 934 K2bWsch2 Leedom 1 get turned off every night when you go home. 2 Q. And you also used the term "uptime"? 3 A. Yes. 4 Q. What does that term refer to? 5 A. Uptime just refers to how long a service has been running. 6 So, if you say a service has high uptime, it means it doesn't 7 crash often, it maintains relatively stable. 8 Q. The next sub-bullet is ESXi servers? 9 A. Yes. 10 Q. What are those? 11 A. ESXi is a, what we call a hypervisor. 12 operating system, a type of Linux operating system that is 13 developed by a company called VMware. 14 purpose is to host virtual machines. 15 Q. The next sub-bullet is VMware vSphere? 16 A. Yes. 17 Q. What does that refer to? 18 A. VMware vSphere is a way to manage virtual machines on this 19 ESXi server. 20 Q. What do you mean by a way to manage virtual machines? 21 A. So, what you would do to -- if you wanted to access a 22 virtual machine, one way you could do it is by launching the 23 vSphere application either through double-clicking the 24 application on your Windows machine or navigating to a web 25 service that provides the same level of access. It's a type of And it's used, its sole SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 935 K2bWsch2 1 Leedom You can go into that application, view a list of all the 2 machines running on the server. 3 refer to, the term is "shelling in" to the machine, which is 4 you click a little -- a little box, and it would actually give 5 you, like, a little window into that computer where you can 6 move the mouse and things like that, if it had a graphical user 7 interface. 8 9 You can actually what we would It's just a way to manage those machines. You could create snapshots, revert snapshots, add more memory to a machine, more 10 hard drive space, things like that. 11 Q. And then finally, VMware vCenter? 12 A. Yes. 13 Q. What does that refer to? 14 A. Yeah, vCenter is a management application that goes kind of 15 along with vSphere and ESXi. 16 management part of the ESXi server. 17 MR. LAROCHE: It just helps add access to the Let's go to the next slide, slide 7. 18 Q. This is entitled "Atlassian suite." What is Atlassian? 19 A. Atlassian is the name of a company. 20 Q. And did DevLAN run certain Atlassian services? 21 A. Yes, they did. 22 Q. What services? 23 A. They ran than mainly five Atlassian services that are 24 listed here on the slide. 25 Q. Can you give a brief description of each of those services? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 936 K2bWsch2 1 2 A. Leedom Yes. so, Confluence, as we've heard -- it's a Wiki. It's used 3 for user collaboration, so if you want to share information 4 with other users, essentially just a place to post information. 5 Each user has their own specific page. 6 pages for other users to see. 7 other users, things like that. 8 9 Users can make other Users can restrict pages from Stash, Bamboo and Jira kind of go together. software development package. This is a So, as a software developer, you 10 write code, so this code needs to be stored in had a way that 11 can both be, you know, backed up and have different revisions 12 and allow multiple people to contribute to the project. 13 Stash allows you, Stash provides some services to support 14 some of the different types of software we call version control 15 software. 16 is called Git. 17 on the system to have access to these source-code repositories 18 or projects and contribute to them, make changes and do it in a 19 stateful way. 20 In this specific case, the type of version control And it essentially just allows multiple users This ties into Bamboo. Bamboo is what we call in the 21 software development industry a continuous integration 22 platform. 23 code and you feel like you've done for the day, maybe you've 24 added a feature, like a new button on a web page, you will 25 commit your code and it will go up to Stash and be saved. Essentially what you do is if you're writing your SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 And 937 K2bWsch2 Leedom 1 then that code can get transferred automatically into Bamboo, 2 which will run it for you and tell you if it's working like you 3 intended to or if there were any errors. 4 for. 5 Q. What about Jira? 6 A. So, Jira is -- it's an issue tracker. 7 it referred to as, like, a help desk. 8 that are using your software or even other developers that are 9 working on your software, you want to keep track of different, 10 maybe, problems you're having, what you plan to fix in the next 11 few months, feature requests, things like that. 12 Q. And finally, Crowd? 13 A. Crowd is an integration to the Atlassian suite of programs 14 that is designed to integrate mainly with Windows Active 15 Directory, which manages all of the user accounts on a network. 16 It essentially allows you to kind of plug it into that, and it 17 can handle interfacing those permissions with the rest of the 18 Atlassian products. 19 MR. LAROCHE: That's what that's I think we've heard So, if you have users Let's go to the next slide. 20 Q. Does this slide show where the various Atlassian services 21 were being run on DevLAN? 22 A. Yes, it does. 23 Q. And can you explain that? 24 A. Yes. 25 machines running on the ESXi server. So, Confluence and Bamboo, here, are both virtual SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 938 K2bWsch2 1 2 Leedom Stash and Crowd were both running on a physical Stash server. 3 And then Jira was running on a physical Hickok server. MR. LAROCHE: If we could just zoom in on the ESXi 4 server, please, on the top left there. 5 Q. 6 machines? 7 A. That's correct. 8 Q. Is that different than running directly on the server? 9 A. Yes, it is. 10 Q. Just explain the difference there. 11 A. So, a virtual machine is essentially its own self-contained 12 little personalized computer. 13 it and it will freeze everything that's happening. 14 restart it. 15 computer. 16 time it gets, how big the hard drive is. 17 And you said Confluence and Bamboo were running as virtual It's significantly different. You can push a pause button on You can You can turn it on and off like you would a normal You can define how much memory it gets, how much CPU We've heard about snapshots. You can take a snapshot, 18 which is essentially like a backup in time of how the server 19 was, so if you're about to make a drastic change and it went 20 poorly, you could revert back to that and have the machine back 21 where it was when you accessed it. 22 23 24 These are just different computers that are all virtualized for ease of use. (Continued on next page) 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 939 K2B3SCH3 Leedom - Direct 1 Q. Then on the right side of this box, there's developmental 2 VMs? 3 A. Yes. 4 Q. What is that meant to refer to? 5 A. There were, so this is a development network, particularly 6 for offensive capabilities, you need a way to test these tools, 7 some of them require networked computers. 8 entire, you know, fake computer network inside of a cluster of 9 virtual machines on the server to test your tools. You can generate an You can 10 install specialized operating systems and things for the 11 targets that you're trying to attack, and it's just how you use 12 the virtual machines in that way. 13 Q. 14 "file storage." 15 A. 16 as network attached storage. 17 sits in the server room and has a ton of hard drives connected 18 to it to store their data. 19 Q. And the next sub-bullet is "backups." 20 A. Yes. 21 Q. What are backups? 22 A. Backups are, in this case referring to backups for the 23 Atlassian suite. 24 restore a server, should the server ever, ever, you know, 25 completely crash beyond being able to recover it. Let's go to the next slide. Slide nine. It is titled And the first is NetApp server. What's that? A NetApp server is essentially a big NAS which is defined It is essentially a server that They're copies of data that you would need to SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 It would be 940 K2B3SCH3 Leedom - Direct 1 all the files you need to restore that to its state as of the 2 time you took the backup. 3 Q. 4 NetApp server? 5 A. Yes it did. 6 Q. If we can just zoom in on that in the bottom middle of the 7 screen, please. 8 A. 9 that individuals users had to store their personal data. Let's go to the next slide, please. Did DevLAN have a What was the NetApp server used for on DevLAN? Primarily three things. There were user home directories Just 10 to back it up in case, you know, their machine went down or 11 whatever happened. 12 used to talk to the Atlassian services and store their backup 13 files. 14 on the network in another share as well. 15 Q. 16 controls." 17 A. Yes. 18 Q. Generally, what are access controls? 19 A. Access controls are how you limit the operations of 20 different users on the network. 21 Q. And first bullet here is "domain controller"? 22 A. Yes. 23 Q. What's that? 24 A. As I mentioned previously, the domain controller on DevLAN 25 was a type of technology called Windows Active Directory. There's the Altabackup share, which was And there was a method for delivering completed tools Let's go to the next slide. Slide 11 is titled "access SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 It's 941 K2B3SCH3 Leedom - Direct 1 from Microsoft. It basically has a bunch of different user 2 accounts and different roles for those users. 3 user that's domain admin. 4 anything on the network. 5 developers, which might have different types of permissions. 6 Q. The next sub-bullet is "user authentication." 7 A. Yes. 8 Q. What does that refer to? 9 A. Many applications like Crowd interface with this domain You may have a That means they can do pretty much You may have users which are just 10 controller over a protocol called LDAP. 11 the computers to talk to each other and make sure that users 12 are using the -- that users are enforced with authentication. 13 Q. And the third bullet is "secure shell." 14 A. Yes. 15 Q. And defined as SSH? 16 A. Correct. 17 Q. What does that refer to? 18 A. SSH is a way to interact and remote into machines using the 19 command line. 20 back to the days before computers had like a mouse and like 21 icons to click on. 22 That's essentially what the command line is. 23 It is just a way for When I say command line, I mean, if you think It was just a keyboard and a terminal. I think you've heard to it referred to earlier in 24 these proceedings as like the DOS command prompt from back in 25 the day. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 942 K2B3SCH3 1 Leedom - Direct It is essentially a way you type on the terminal and 2 can connect to different remote service -- different computers 3 remotely. 4 you can use what's called a public private key pair. 5 essentially just large numbers that are related mathematically. 6 And if you wanted to access a server with a public private key 7 pair, you'd first need to generate a key pair that's your own. 8 And then you receive two parts, you have a private key, which 9 you keep private and keep to yourself. You can do this with a user name or a password. Or These are And you have a public 10 key. And you can place this public key on servers that you 11 want to have access to, and it knows how to ask you when you go 12 to log into it for your private key, and that's how you 13 authenticate to the server. 14 Q. Are they also referred to as SSH keys? 15 A. Yes, they are, that's another name for them. 16 Q. The last bullet on here is "file share permissions." 17 A. Yes. 18 Q. What does that refer to? 19 A. Permissions on the file share could be enforced through 20 LDAP, which is the Active Directory server, or through other 21 means. 22 Q. 23 case, have you attempted to determine approximately how many 24 DevLAN users there were in April of 2016? 25 A. Let's go to the next slide. As part of your review in this Yes, I have. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 943 K2B3SCH3 Leedom - Direct 1 Q. How did you go about doing that? 2 A. We received information from a backup copy of the domain 3 controller. 4 computer accounts were dumped out of that into a big 5 spreadsheet, and I analyzed that to determine how many users 6 were active. 7 Q. As of when? 8 A. As of April 2016. 9 Q. Let's go to the next slide. And all of the, like, all of the user accounts and And it's about 200 users. Now, earlier we talked about 10 the home folders on the NetApp; do you recall that? 11 A. Yes. 12 Q. Slide 13 shows Government Exhibit 1207-60. 13 exhibit from? 14 A. This is from the NetApp server. 15 Q. What part of the NetApp server is this showing? 16 A. This is where all the home folders were on that share. 17 this is where an individual user would store their data if they 18 wanted to back it up, for example. 19 Q. 20 can we just zoom in on the top maybe quarter there. Where is that If we could just zoom in on the exhibit, please. 21 Just to start at the top. So Actually, There is an offline_vault. 22 A. Yes. 23 Q. You see that? 24 A. From my understanding, the DevLAN network had like two 25 NetApp machines running. What's that refer to? Typically in an enterprise network, SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 944 K2B3SCH3 Leedom - Direct 1 you have backups of sometimes even your backups, for both fail 2 over, and in the case of a network like DevLAN where you were 3 potentially developing malicious tools if something accidently 4 maybe deleted the files from your file server, you would need a 5 way to come back to that. 6 From what I understand from participating in the 7 investigation, after a certain amount of time, I'm not sure if 8 it was weekly or daily, they would do a mirror from the main 9 NetApp server on to the offline vault which was sitting right 10 next to it in the server room. And that's what is restored 11 here. 12 Q. Zoom out again. 13 A. These are individual user folders on the NetApp server. 14 Q. Let's go to the next slide, please. 15 "administrators." 16 A. Yes. 17 Q. Were there different types of administrators over the 18 DevLAN network? 19 A. Yes, there were. 20 Q. Generally, when you hear the term "administrator," what do 21 you understand that to refer to? 22 A. 23 providing other users access to a machine or maintain the 24 machine itself. 25 Q. What are each of these folders reflecting? This slide is titled An administrator is someone who has access either to Let's go to the next slide, please. I want to focus on two SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 945 K2B3SCH3 Leedom - Direct 1 types of administrators on DevLAN. Were there Atlassian 2 administrators? 3 A. Yes, there were. 4 Q. What are those administrators? 5 A. Atlassian administrators had access to things like the 6 Atlassian web services. 7 would be able to add and remove different users permission for 8 pages for Stash, add and remove users from projects, perform 9 basic administrative duties. So for Confluence, for example, they In some cases if a service was 10 broken, they could go into the virtual machine for the 11 Atlassian server and fix things. 12 Q. What about server administrators. 13 A. Server administrators are kind of your like tiptop level of 14 administrators. 15 servers themselves, they'll be able to go in and fix problems, 16 any hardware changes, things like that you'd have to make to a 17 server, types of things we are talking about. 18 Q. 19 ESXi server that was running Confluence and Bamboo? 20 A. Yes, I did. 21 Q. As of April 20, 2016, who did that server belong to? 22 A. April 20, that server still belonged to OSB. 23 Q. We're showing you Government Exhibit 1202-5. 24 exhibit from? 25 A. These administrators will have access to the Let's go to the next slide, please. You talked about an This is from the Confluence web server. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Where is this 946 K2B3SCH3 Leedom - Direct 1 Q. What is it showing? 2 A. This shows information about how to connect to different 3 virtual machines on the ESXi server. 4 Q. 5 infrastructure VMs. 6 osb.devlan.net? 7 A. Yes, I do. 8 Q. What does that name refer to? 9 A. This is the ESXi server itself. If we can just zoom in on the bottom quarter starting with You see the first line that starts It is the host name for 10 the server. 11 Q. As we go over, there is a user name column with root. 12 A. Yes. 13 Q. What does root refer to? 14 A. Root in the Linux world is essentially another name for the 15 administrator account. 16 Q. Then next to that there is a password? 17 A. Yes. 18 Q. What's that password for? 19 A. That's the password to log into the root account for the 20 ESXi server. 21 Q. On the right there is "additional notes." 22 A. Yes. 23 Q. It says "Connect via vCenter" then there is an @ and an 24 address? 25 A. Yes. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 947 K2B3SCH3 Leedom - Direct 1 Q. What's vCenter? 2 A. VCenter, this is the web application. 3 to vSphere. 4 virtual machines, create new ones, delete them, things like 5 that. 6 Q. 7 go to the next slide. 9 It lets you go into the server and access the We can pull that back out, please. 8 It behaves similarly The next slide, let's Slide 17. I want to talk for a moment about access to the final products. 10 A. Yes. 11 Q. Again, where are the final products located? 12 A. So the final products is a share that's on the NetApp 13 server for tool delivery. 14 Q. 15 Exhibit 1207-49. 16 A. This is from the NetApp server. 17 Q. What is it showing? 18 A. This is showing one of the shares, the EDG main share from 19 the NetApp. 20 Q. 21 binary gold copies"? 22 A. Yes. 23 Q. What are those? 24 A. These are the delivered completed tools from the work at 25 EDG. I'll circle it here. Let's go to the next slide. This slide has Government Where is this exhibit from? You see there a folder at the bottom, "source code and SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 948 K2B3SCH3 Leedom - Direct 1 Q. As part of your investigation, did you determine the 2 controls or file permissions on that folder? 3 A. Yes, I did. 4 Q. Let's go to the next slide. 5 Exhibit 1207-50. 6 A. Yes, I do. 7 Q. What is this showing? 8 A. This is, if you would essentially right click that folder 9 on Windows Explorer and click "properties," this is the screen Slide 19 has Government You see that? 10 that would come up. 11 Q. 12 folder? 13 A. 14 the folder, the different attributes for the folder, and in the 15 security tab you can see what people have access to the folder. 16 Q. You see the size there? 17 A. Yes, I do. 18 Q. What's the size of this folder? 19 A. It's a little over one terabyte. 20 Q. Let's go to the next slide, please. 21 shows you Government Exhibit 1207-52. 22 A. 23 properties, these are the different user groups that would be 24 on the domain controller for different users that would have 25 access to that folder. What types of things do the properties tell you about a It tells you the size of the folder, the number of files on This slide, slide 20 What is that exhibit? So, this is, if you start digging down through those SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 949 K2B3SCH3 Leedom - Direct 1 Q. Did the defendant belong to any of these groups? 2 A. No, he did not. 3 Q. Would the defendant have been able to copy the gold source 4 folders? 5 A. 6 account. 7 Q. 8 moment about access to the NetApp backups or Altabackups. 9 A. Yes. 10 Q. So let's go to the next slide. 11 Exhibit 1207-49 again. 12 correct? 13 A. Yes, we did. 14 Q. Where is the Altabackups folder on this slide? 15 A. It's not on this slide. 16 Q. Why not? 17 A. It was a separate share. 18 these folders, it was separate. 19 Q. You said "separate share"? 20 A. Yes. 21 Q. What do you mean by that? 22 A. On the NetApp server itself, you can set up, like, separate 23 volumes that are shared in different ways that can have 24 different permissions and different accesses. 25 separate one of those. No, he would not have had access to it with his DevLAN Let's go to the next slide, please. I want to talk for a This is the government We just saw this a second ago. Is that It wasn't in the same share as SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Altabackup was a 950 K2B3SCH3 Leedom - Direct 1 Q. Let's go to the next slide, on slide 23, and there is 2 Government Exhibit 1207-8. 3 A. Yes. 4 Q. Where is this exhibit from? 5 A. This exhibit comes from the Confluence virtual machine that 6 was running on the ESXi server. 7 snapshot, that BK 4-16-2016 snapshot. 8 Q. 9 What does this text reflect? You see that? This is specifically from the If we can zoom in at the bottom on the highlighted text. 10 A. 11 on the server. 12 wanted the server to automatically mount a folder location. 13 Like a remote folder location on the server every time it's 14 rebooted or you run the mount command. 15 Q. So, is this a mount point? 16 A. Yes, it's another way to refer to it. 17 Q. What's a mount point? 18 A. A mount point is a point on the server where you can access 19 an external resource. 20 The first part of this, this is just saying what server you 21 want to connect to and what share or folder on that server you 22 want to connect. 23 24 25 So, this file in the exhibit is a file called FStab that's This is where you would make an entry if you If we go through this piece by piece. In this case it's the 10.3.1.70/Altabackup. Second part of this is the local folder on the server itself where you want to tie that network location to. The next part of this says what type of, like, file SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 951 K2B3SCH3 Leedom - Direct 1 system protocol you are going to use to connect to it. 2 case it's NFS. 3 In this Then the rest of this are permissions to the mount 4 command. 5 Q. On the left there is 10.3.1.70? 6 A. Yes. 7 Q. What is that? 8 A. That's the IP address of the NetApp server. 9 Q. Where is this mount point located? 10 A. On the NetApp server, it's one of the volumes on the NetApp 11 server. 12 /mount/Altabackup. 13 Q. 14 correct? 15 A. Yes. 16 Q. What server are you referring to? 17 A. This is from the Confluence virtual machine. 18 Q. When you referred to a Confluence virtual machine, do you 19 also sometimes refer to it as a Confluence server? 20 A. Yes, I do. 21 Q. Why do you refer to it like that? 22 A. A virtual machine can be -- typically the word "server" is 23 reserved for machines that are, have a significant amount of 24 resources available to them. 25 providing some kind of, like, a division level resource or a Locally it's in this folder that's called I think you said it was mounted to a server; is that Or a machine that's just SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 952 K2B3SCH3 Leedom - Direct 1 resource that multiple people are accessing. That's just what 2 a server is. 3 and a lot of people are using it, that's why we call it a 4 server. 5 Q. 6 machine? 7 A. You would navigate to it in the terminal. 8 Q. Could a regular user access that mount point? 9 A. No. So since it's hosting a service called Confluence How do you access the mount point on a Confluence virtual Regular users on DevLAN only had access to the 10 Confluence web service, which wouldn't display any kinds of 11 folders or files from the server itself. 12 Q. 13 mount point? 14 A. 15 to manage the server. 16 Q. How would you log in that way? 17 A. You could either use vSphere to go in and click on the 18 virtual machine and open up a shell to that server. 19 you'd have to enter the user name and password for the 20 administrative account on the server. 21 utility and a public private key to log into the server. 22 SSH with a password to log into the server. 23 Q. 24 on DevLAN? 25 A. So, what would you have to be logged into to access this You would have to be logged into the administrative account And then Or you could use the SSH Or Were there other mount points for other Atlassian services Yes, there were. They were all contained in inside of SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 953 K2B3SCH3 Leedom - Direct 1 Altabackup. 2 Q. Where were those mount points located for those services? 3 A. They were mounted on the other Atlassian servers. 4 Q. What privileges would you have needed to get to those mount 5 points? 6 A. 7 the actual underlying server that could see those folders. 8 Q. 9 Exhibit 1207-36. The same as Confluence, administrative privileges to access Let's go to the next slide. Slide 24 is showing Government Where is this exhibit from? 10 A. This is from the NetApp server. 11 Q. What's it showing? 12 A. These are different folders that were in the Altabackup 13 folder. 14 Q. 15 Confluence virtual machine; is that right? 16 A. Yes. 17 Q. If you had access to that mount point, could you get to the 18 Altabackups? 19 A. Yes, you could. 20 Q. That was on a Confluence virtual machine; is that right? 21 A. That's correct. 22 Q. Would that limit you to the Confluence backups? 23 A. No, you'd have access to the other backups as well. 24 Q. Let's go to the next slide, please. 25 exhibits, Government Exhibit 1207-27 and 1207-30. On the last slide we were looking at a mount point on a This slide has two SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Where are 954 K2B3SCH3 Leedom - Direct 1 those exhibits from? 2 A. 3 Altabackup. 4 Q. 5 you tell us, there is a type in the middle there. 6 A. Yes. 7 Q. What types of files are these? 8 A. So, sql, it stands for structured query language. 9 type of database file. These are from the Confluence backup folder on the Let's just zoom in there on the left exhibit, please. Can Sql file? It is a Specifically, the type of database that 10 the Confluence server used to store its information. 11 Q. 12 which is the name of the backup. 13 A. That's correct. 14 Q. Approximately how often were the Confluence -- withdrawn. And then let's start at the left, there is a name column 15 Is that right? How often was Confluence backed up? 16 A. It was backed up daily. 17 Q. How do you know that from this slide? 18 A. We can see from the time stamps of the backups that they 19 were, they finished backing up just before 6:30 every morning. 20 Q. You see there is a date modified column? 21 A. Yes. 22 Q. What is that? 23 A. This is the time that the file was last written to. 24 Otherwise, the contents of the file were last changed. 25 Q. You see next to type there is a size column? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 955 K2B3SCH3 Leedom - Direct 1 A. Yes. 2 Q. Approximately how large are these sql files? 3 A. They are about 400 megabytes apiece. 4 Q. What about date accessed, what's that? 5 A. Date accessed is the last time the file was accessed. 6 this particular instance, based on what's changed here, this 7 would have been the last time the database was -- when it was 8 pushed to the backup server. 9 modifying a file. Read operations, copy operations, Just about anything you do to a file will 10 update that date accessed time. 11 Q. What about date created, what's that? 12 A. That's the time that the file was created. 13 Q. Let's zoom out, please. 14 slide, still. 15 In And then zoom in -- sorry, last And zoom in on the other side, please. This in the type has winRAR archive; do you see that? 16 A. Yes. 17 Q. What types of files are these? 18 A. So, these are, they are zip files. 19 of the Atlassian services, to make a complete backup of them, 20 you would need a copy of the database, and you would also need 21 a copy of what we see here is like the home folder for the 22 individual service. 23 specifically stores things like server configuration 24 information, how the server is supposed to run. 25 this is where your page attachments would be stored. When you have a -- most This home folder for Confluence SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Things like So, if on 956 K2B3SCH3 Leedom - Direct 1 Confluence you attached a picture to a page, it would be stored 2 in this home folder. 3 restore the server to its state, if you are going to use it as 4 a backup. 5 Q. 6 slide is "Some Confluence Backup Files As Of July 27, 2016." 7 Do you see that? 8 A. Yes. 9 Q. What's that meant to convey? 10 A. This is just like a snip of some data from, like, the 11 previous slide. 12 Q. 13 Exhibit 1207-27, please. 14 And you need both pieces to be able to We can go to the next slide, please. The title of this Then, let's take a look just on the top starting at the top Just zoom in, I'm sorry. Have you reviewed the backup files for Confluence that 15 are contained in the Altabackups folder? 16 A. Yes, I have. 17 Q. Has there been any time when you've seen a different date 18 accessed time than date modified and date created? 19 A. Only in one instance. 20 Q. Does that appear on this slide? 21 A. Yes, it does. 22 Q. Can you explain this? 23 A. This for this March 3 backup, which I'll attempt to -- 24 there we go. 25 4/20/2016 at 5:42 p.m. Here we'd seen this file was accessed on SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 957 K2B3SCH3 Leedom - Direct 1 Q. Let's zoom in and zoom in on the bottom exhibit, please. 2 Same question. 3 modified and date created? 4 A. 5 for 4/20/2016 at 5:43 p.m. 6 Q. 7 Stash backups? 8 A. Yes, I have. 9 Q. And the title of this is "Earliest Available Stash Backup Yes, I do. Do you see a different date accessed and date It is for the March 3 backup, again, and it's Let's go to the next slide. Have you also reviewed the 10 Files As Of July 27, 2016." 11 A. Yes. 12 Q. What's that meant to convey? 13 A. This is just to show that when we arrived on site, the 14 earliest backups from Stash we were able to get were from 15 May 1st, 2016. 16 Q. Why is that? 17 A. If you look to the right on the size column, you'll notice 18 that these are very large. 19 Since this contained all the project source code, these were 20 really big. 21 to save on space, it's not hard to imagine that these were the 22 ones that were removed first, just for storage purposes. Like 210 gigabytes compressed. So, from like a system administration standpoint, 23 MS. SHROFF: 24 THE COURT: 25 Do you see that? Objection to the imagination. It is a phrase of speech. overruled. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Objection is 958 K2B3SCH3 Leedom - Direct 1 Q. Let's go to the next slide, please. 2 "Navigating to the Altabackups." 3 1203-13 appears on this slide. 4 This slide is titled And Government Exhibit First, where is this exhibit from? 5 A. So, this exhibit comes from a virtual machine on the 6 defendant's DevLAN computer. 7 session that was recovered from what we call unallocated space 8 from inside that virtual machine. 9 Q. This is some activity from a Let's pause there and just talk about first the virtual 10 machine part of that. 11 A. Yes. 12 Q. You said it's from a virtual machine on the defendant's 13 DevLAN computer? 14 A. That's correct. 15 Q. What does that mean? 16 A. Like I mentioned earlier, you don't have to just run a 17 virtual machine on a server. 18 computer. 19 Linux called Ubuntu which is one of the more popular free Linux 20 distributions. 21 like that. 22 You can run it on your own In this case, we can see that this was a version It has a graphical user interface and things Inside of this virtual machine we were able to recover 23 what's essentially deleted data. 24 one of the sessions. 25 Q. And of that data is part of You said this is from the unallocated space of that virtual SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 959 K2B3SCH3 Leedom - Direct 1 machine? 2 A. Correct. 3 Q. Generally, what is unallocated space? 4 A. So, on most modern file systems, on computers, when you 5 click the delete key on a file, it doesn't go and actually 6 erase all the contents of that file. 7 different types of file systems it behaves a little 8 differently. 9 file as deleted. 10 It, depending on But in most cases, it essentially just marks that And but the actual clusters or blocks on disc where that file was originally stored still contain that data. 11 So, as a forensic analyst, we can go in and look at 12 those unused blocks or clusters and recover the original data 13 that used to be there. 14 Q. 15 you see that? 16 A. Yes. 17 Q. Can you circle that? 18 A. Yes, I can. 19 Q. What does that refer to? 20 A. That's an evidence tracking number that was used just to 21 identify the defendant's DevLAN work station. 22 Q. Is that tracking number E0001? 23 A. Yes it is. 24 Q. Next to that there is a dash Ubuntu X64. 25 A. Yes. You see on the bottom left of this slide there's E0001. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Do 960 K2B3SCH3 Leedom - Direct 1 Q. What does that refer to? 2 A. This is the virtual machine on the defendant's DevLAN work 3 station. 4 operating system. 5 Q. Next to that is "unallocated space log." 6 A. Yes. 7 Q. What does that refer to? 8 A. This refers to the data that we recovered from unallocated 9 space inside of that virtual machine. Like I mentioned before, it's an Ubuntu Linux The X64 just means it is a 64-bit variant. 10 Q. 11 the top quarter, please. 12 A. Yes. 13 Q. Can you walk us through what that first line is showing. 14 A. This first line shows what appears to be the bottom of a 15 FStab file, which we saw a few slides ago. 16 actual shell session, so if you were typing in the terminal, 17 this is the output and types of commands you would see. 18 So let's just look at this log. Just so we can zoom in on Start at the top left. This is from an So, same as the FStab file, before we see the IP 19 address for the Altabackup server, the share name, the place it 20 would be mounted locally, and the file system type. 21 Q. What about the next line. 22 A. So this next line I'll go through it piece by piece so we 23 can talk about it. 24 So this root@dev01. Root is the user that you are 25 currently signed into in this session. And then the @dev01 is SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 961 K2B3SCH3 Leedom - Direct 1 the host name of the computer that you're logged into. Dev01 2 in this case is the Stash server. 3 representation of the home directory for that root user that 4 you're in. 5 this CD/mount/altabackup, CD is a command in Linux which stands 6 for change directory. 7 my directory to the directory location/mount/altabackup. 8 Q. What about the next line? 9 A. So this shows that that command that was previously This little tilde here is a And then the command that's to the right of this, So, all this is saying is, please change 10 successful, because now instead of this little tilde we have 11 this notifying us we are in a folder called Altabackup. 12 the command that's run here is the LS command, which stands for 13 list, which just asks the computer to show a list of files in 14 that directory. 15 Q. Then there is a line below that. 16 A. Yes. 17 Q. What's that show? 18 A. This is just showing the result of that list command. 19 as you've seen previously in the other slides, inside the 20 Altabackup there is folders for Bamboo, Confluence, Crowd, 21 Jira, Stash, and then that test.txt file. 22 Q. Then below that? 23 A. Below that, this is changing the directory to the Stash 24 folder inside of Altabackup. 25 Q. Then finally the last line here? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Then So, 962 K2B3SCH3 Leedom - Direct 1 A. Then the last line just listing the contents of that Stash 2 folder. 3 Q. 4 command? 5 A. Yes, I do. 6 Q. Where is it? 7 A. It's below here. 8 backup files for Stash. 9 Q. If we could zoom out. You see the output of that list I'll draw an arrow. Let's go to the next slide, please. This is just the This is just titled 10 "DevLAN Network Documentation." Generally, what is network 11 documentation? 12 A. 13 the network is organized, what certain data protections or 14 protocols are in place on the network. 15 network -- you might hear it called network topology, so 16 different router switches, computers, how things are plugged 17 together. 18 Q. 19 case? 20 A. 21 paperwork that said what restrictions would be on the network 22 and how it was laid out. 23 Q. 24 incorrect? 25 A. Network documentation is paperwork that just displays how How different the What are some of the network documents you reviewed in this I've reviewed some of the SSPs, which are like the security Are there any portions of those network documents that are There are some incorrect portions. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 963 K2B3SCH3 Leedom - Direct 1 Q. Can you give us an example? 2 A. One example is I know at least some IP addresses from some 3 of the SSPs didn't quite match up to what I saw on the network 4 when we were reviewing it. 5 Q. 6 your presentation related to the defendant's DevLAN computer? 7 A. Yes, it is. 8 Q. Let's talk about that computer. 9 looking at, slide 31, is titled "ownership" and it shows Let's go to the next slide, please. Is the second part of The first slide that we're 10 Government Exhibit 1202-2. 11 A. Yes. 12 Q. Where is this exhibit from? 13 A. This exhibit is from the -- so the DevLAN's computer was a 14 Windows workstation. 15 Windows Registry. 16 Windows stores information about the computer. 17 And Windows has something called the It is essentially like a database where In this case, we're looking one of the keys in the 18 registry. That just says who the registered owner of that 19 machine is. 20 when you would install Windows on a computer, it will ask you 21 what's your name. 22 Q. You see the top line refers to registered owner Schuljo? 23 A. Yes. 24 Q. What's that? 25 A. That's the defendant's user name. This is something that's configurable. Typically That's what this is. Josh Schulte. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Just kind 964 K2B3SCH3 Leedom - Direct 1 of, yeah. 2 Q. 3 Government Exhibit 1202-2. 4 A. Yes. 5 Q. Where is this exhibit from? 6 A. This is also from the registry on the defendant's DevLAN 7 workstation. 8 registry hive. 9 Security Account Manager. Let's go to the next slide, please, slide 32. Showing This is specifically from what we call our A registry file called SAM, which stands for This shows what user accounts were 10 available to access that computer and the number of log-ins 11 that those user accounts had. 12 So if we take a look at the Schuljo account, we can 13 see there were 1343 log-ins to that computer. So it's clear, 14 this just shows it was the defendant's computer. 15 Q. And when is the last log-in? 16 A. The last log-on date was October 27, 2016. 17 Q. Let's go to the next slide, please. 18 "Workstation IP Address is 10.3.2.165." 19 A. Yes. 20 Q. Just generally, what's an IP address? 21 A. An IP address is the way that computers talk to each other. 22 It's like an addressing system. 23 normal conversation. 24 And there is a service that runs on like the Active Directory 25 server that takes a host name, which we'll discuss here, and This slide is titled It's typically not used in You use something called a host name. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 965 K2B3SCH3 Leedom - Direct 1 converts that to an IP address. So you don't have to remember 2 the string of numbers, you can just say what the plain text 3 host name is. 4 Q. 5 exhibit? 6 A. 7 showing the host name and IP address of the defendant's DevLAN 8 workstation as of April 12, 2016. 9 Q. What's a host name? 10 A. A host name is a human readable name for a computer. 11 Essentially, the name of the computer. 12 Q. How is a host name set? 13 A. It's configurable. 14 you can change it. 15 Q. Who does that? 16 A. The owner of the computer. 17 Q. What's the host name of this computer? 18 A. The host name for this computer is KingJosh-PC.devlan.net. 19 Q. Do you see at the bottom there you circled the IP address? 20 A. Yes, I did. 21 Q. What is that? 22 A. This is the IP address of this computer. 23 activities that this computer was performing on the network, 24 this is the IP address that would be shown, and you can know it 25 belonged to this computer. This is showing Government Exhibit 1203-48. What is this This exhibit is an excerpt from a log file in VMware, just You can enter a command to change it or SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 So if you saw 966 K2B3SCH3 Leedom - Direct 1 Q. What's the date of this file? 2 A. The date of this file is for April 12, 2016. 3 Q. Let's go to the next slide, please. 4 Government Exhibit 1209-2. 5 A. Yes. 6 Q. Where is this exhibit from? 7 A. This is from the ESXi server. 8 recovered that portions of it were deleted. 9 Q. At the bottom it says "OSB ESXi server-unallocated space." 10 A. Yes. 11 Q. Does the server also have an unallocated space file? 12 A. Yes. 13 refer to as the space on a server that's either marked as free 14 or currently not in use by any other files. 15 Q. 16 highlighted? 17 A. Yes. 18 Q. What is this exhibit showing? 19 A. This is just showing that there's a log-in through vSphere 20 from the defendant's workstation on April 15. 21 Q. And a log into what? 22 A. To the ESXi server through vSphere. 23 Q. Let's go to the next slide. 24 defendant had a virtual machine on his DevLAN computer? 25 A. This slide shows This is another file that we It's not necessarily a file. It is just what we You see at the top of the screen there is the IP address You also said that the Yes. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 967 K2B3SCH3 Leedom - Direct 1 Q. Is that referred to here as the Ubuntu X64? 2 A. Yes, it is. 3 Q. Is that virtual machine assigned a different IP address? 4 A. Yes, it is. 5 machine either use MAT, which lets it use the same IP as your 6 host computer, or in this case you can have it set to a bridged 7 mode where it can get its own IP address from the network. 8 That's how it was configured in this case, and that's why the 9 IP address is different. It's configurable. You can have a virtual 10 Q. This slide has excerpts of 1203-19. 11 A. This is from unallocated space. 12 we call a lease. 13 service called DHCP, which is dynamic host configuration 14 protocol. 15 network, it has to get an IP address to talk to other computers 16 on the network. 17 These are the logs on the virtual machine that store 18 information related to the IP address that that computer 19 received. 20 Where are they from? These are remnants of what The Windows Active Directory server runs a It essentially, when you plug a computer into a And the server handles handing those out. We'll show a couple different ones just to cover a 21 handful of days to show the IP address for this virtual machine 22 remained 10.3.2.35. 23 Q. 24 date does this reflect the IP address was 10.3.2.35? 25 A. Just staying on the left photo that you just circled. This is, if we look down here at renew. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 What I won't explain 968 K2B3SCH3 Leedom - Direct 1 all of these separately. 2 basically, when a computer gets an IP address, it doesn't just 3 hold on to it forever. 4 DHCP. 5 renew its IP address to the server so you don't end up with 6 like 20 computers that have the same IP address and you have 7 issues with your network. 8 That's -- this is just seconds, I think it is 24 hours. 9 then it will automatically try to renew its IP address at this 10 But, if we look at the renew time, At least when it's configured to use It is kind of required by standard to reach out and That's configured by a lease time. And time, in this case 4:18. 11 So what this is just showing is that around 4/18/2016, 12 the IP address for the virtual machine was 10.3.2.35. 13 through the next few slides, we see it was the same IP for a 14 long time, so it just didn't change. 15 Q. 16 now. 17 Let's go to the next slide. Again, let's go on the right So, what was the IP address as of April 19? 18 A. April 19 it was the same IP address. 19 Q. And the next slide. 20 April 20? 21 A. The same IP, 10.3.2.35 and same for the 21st. 22 Q. We can go to the next slide. 23 MR. LAROCHE: 24 THE COURT: 25 As we go This 10.3.2.35. What was the IP address as of This might be a good time to break. We'll take our luncheon recess now. Resume at 1:30. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 969 K2B3SCH3 1 (Jury excused) 2 THE COURT: 3 letter of Mr. Leedom? 4 MR. ZAS: 5 THE COURT: 6 Ms. Shroff, do you want to take up your I couldn't hear you. I asked Ms. Shroff, did she want to take up her letter about Mr. Leedom. 7 MR. ZAS: I can handle it. As we said in the letter, 8 our objection was to the inadequacy of the expert notice by the 9 government. We got their expert notice in October of last 10 year, October 18. And we quoted the portions in our letter, 11 but there was no mention of an access to a March 3, 2016 backup 12 file. 13 at least supplemented, if they didn't know it then, they should 14 have supplemented that information. 15 to preclude that testimony as not adequately noticed. And we think under the rules, the government should have 16 THE COURT: 17 MR. LAROCHE: So we're asking the Court Mr. Laroche. Your Honor, just as an initial point, we 18 think the notice was more than adequate, given we identified 19 specific exhibits that Mr. Leedom relied on, which had that 20 March 3 backup as part of the exhibit when we gave exhibits in 21 August. 22 And to the notice point, defense counsel, after we 23 gave the expert notice, actually asked for a copy of the backup 24 itself, and we provided a copy of the March 3 backup itself to 25 defense counsel and the defense expert in September, many SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 970 K2B3SCH3 1 months ago. 2 backup would be at issue in this case is a little surprising. 3 So the idea they didn't know that the March 3 And if they're focusing on a revised exhibit that the 4 defense asked for that had the specific access time, as soon as 5 we provided that to them, we provided notes from Mr. Leedom 6 explaining his views of the document. 7 And, in advance of trial, we also gave them this 8 presentation, weeks before trial, which detailed all the 9 aspects of his testimony. 10 So they have been on notice for months, we believe, 11 but certainly when they got the presentation and other 12 materials in this case, and again, they asked for the actual 13 backup that they're now saying they didn't know that we would 14 be talking about. 15 also note that expert notice is not a script as to exactly what 16 that person is going to say. 17 So, we think they're well on notice. And I So, I think given the record here, it's pretty clear 18 that they just don't want the testimony which is damning to 19 Mr. Schulte to come in. 20 THE COURT: But that's not a basis to exclude it. I've considered the objection, I thank the 21 government for its elaboration. I'm going to deny the motion. 22 I don't think under Rule 16 you have to be as specific. 23 think the general notice that was given is more than adequate. 24 Certainly the notice that was given as elaborated on by 25 Mr. Laroche is more than adequate in the circumstances, so the SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 I 971 K2B3SCH3 1 application is denied. 2 How much longer do you have? 3 MR. LAROCHE: 4 the end of the day, your Honor. 5 hours. 6 7 MS. SHROFF: I think he is going to take us through I think probably two to three I have one matter to raise with the Court. 8 THE COURT: 9 MS. SHROFF: Yes. Your Honor, from the beginning of this 10 trial, I understand the Court has made some rulings on the 11 protective measures. 12 provided to the CISO in this case a list of attorneys that 13 wanted to be present within the courtroom. 14 literally only people at the Federal Defenders office who do 15 not have security clearance. 16 And today, after much follow up, we were told that the CISO 17 would not authorize the lawyers to come in from our office or 18 from the Federal Defenders office. 19 At the beginning of this trial we This list included For weeks we got no response. And then I got an e-mail from the Court's courtroom 20 deputy informing me that he had spoken with the CISO, and that 21 CISO's position was that no uncleared lawyer can be present in 22 this courtroom. 23 We believe that deprives Mr. Schulte from a public 24 trial, we believe that such a restriction is inappropriate, and 25 I raise this on the record to object. Thank you, your Honor. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 972 K2B3SCH3 1 THE COURT: They can certainly attend the open 2 sessions. 3 But if you don't have a security clearance, as I understand 4 what we've agreed to or what I've imposed in my order, is when 5 the courtroom is closed, you have to have a security clearance 6 in order to attend. 7 They're free to attend in the overflow courtroom. MS. SHROFF: Your Honor, there are reporters here. 8 There are people with no security clearance here. 9 attorney from the Federal Defenders office, I certainly do not And an 10 see any risk of such a lawyer attending this courtroom 11 proceeding. 12 13 THE COURT: I disagree with you, Ms. Shroff. I've made my ruling. 14 MS. SHROFF: Okay. One last thing that I just kind of 15 remind the Court. 16 we have laid out in writing to the video demonstration. 17 not sure Mr. Laroche intends to put that video in through this 18 witness. Mr. Schulte has a continuing objection that I'm But I just remind the Court that ruling is pending. 19 THE COURT: 20 (Recess) 21 (Continued on next page) Thank you. 22 23 24 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 973 K2bWsch4 Leedom - Direct 1 AFTERNOON SESSION 2 1:30 p.m. 3 THE COURT: Please be seated. 4 Let's call in the jury. 5 (Jury present) 6 THE COURT: Please be seated. 7 All right. Mr. Laroche. 8 MR. LAROCHE: 9 Ms. Hurst, if we can just start with slide 36, please. Thank you, your Honor. 10 Q. 11 the IP address assigned to the defendant's virtual machine. 12 that right? 13 A. That's correct. 14 Q. And on April 20 -- sorry. 15 Mr. Leedom, just before the break, we were talking about Let's start with April 19. On April 19, what IP address was assigned to his virtual 16 machine? 17 A. That would be 10.3.2.35. 18 Q. And that's 2016, is that right? 19 A. That's correct. 20 MR. LAROCHE: 21 Q. 22 virtual machine? 23 A. 24 25 On April 20, 2016, what IP address was assigned to his The same IP address, the 10.3.2.35. MR. LAROCHE: Q. Let's go to the next slide, slide 37. Let's go to the next slide, please. I want to change gears a bit to certain events that SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Is 974 K2bWsch4 1 Leedom - Direct happened on DevLAN in April of 2016. 2 MR. LAROCHE: Let's go to the next slide. 3 Q. Can you read this slide for the jury? 4 A. Yes. 5 Brutal Kangaroo and OSB libraries." 6 Q. 7 did you see evidence of these things occurring on DevLAN? 8 A. "April 4, 2016, the defendant loses privileges to And as part of your review of the materials in this case, Yes, I did. 9 MR. LAROCHE: Let's go to the next slide. 10 Q. Can you read the title of this slide, please? 11 A. Yes, I can. 12 permissions." 13 "Jeremy_abuse_of_power.pmg. 14 Q. And that's in quotes. 15 A. Yes. 16 Q. Why is that in quotes? 17 A. This is a name of a file that was found on the defendant's 18 computer. 19 Q. What computer was it found on? 20 A. The defendant's DevLAN workstation. 21 Q. And where was it found on the defendant's workstation? 22 A. In his documents folder. 23 Q. Where is this exhibit from? 24 A. This is an exhibit showing the permissions for a project on 25 Stash. "Changes to the defendant's project And then this is the name of a file, Do you see that? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 975 K2bWsch4 Leedom - Direct 1 Q. How do you know it's Stash? 2 A. We can see up here, in the top left-hand corner, this 3 Bitbucket, and then this is the Stash/Atlassian web -- website, 4 as it were. 5 MR. LAROCHE: Let's just zoom in, if we can, on the 6 left quarter of the screen where that picture is and Bitbucket. 7 That's perfect. 8 Q. 9 Can you circle Bitbucket. What is Bitbucket? 10 A. Bitbucket is just another word for -- it's the Atlassian 11 project that we've been calling Stash. 12 point. 13 Q. Is this a picture of Stash as it appeared on DevLAN? 14 A. Yes, it is. 15 Q. And what interface are we looking at to view Stash here? 16 A. This is through the web browser. 17 Q. What do you mean by through the web browser? 18 A. As you can see, like, at the top of the page, this is a 19 common web browser, and you can see the address of the server. 20 It's Stash.DevLAN.net. 21 MR. LAROCHE: It was renamed at some If you could clear those for a second. 22 Q. Do you see on the right of Bitbucket there's projects, 23 repositories, people and pull requests? 24 A. Yes. 25 Q. What's a project? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 976 K2bWsch4 Leedom - Direct 1 A. A project is essentially a source-code repository, so a -- 2 it's a place where you would store source code. 3 Q. And what about a repository? 4 A. A repository would be, like, an individual, like -- it's 5 the actual place that code goes. 6 different amounts of source code underneath them. 7 Q. And then you see there's a picture there of a kangaroo? 8 A. Yes. 9 Q. And below that it says Brutal Kangaroo? 10 A. Yes. 11 Q. What is Brutal Kangaroo? 12 A. It's the name of a project. 13 Q. And then to the right there, you see audit log in black? 14 A. Yes. 15 Q. What is this screenshot showing? 16 A. This is showing permissions, essentially a log file that 17 shows permissions that have been added or removed or changed 18 for this project. So you can have projects with 19 MR. LAROCHE: Let's zoom out again, please. 20 Let's go to the next page. 21 Q. This is still Government Exhibit 1202-1. 22 zoomed-in portion of that exhibit? 23 A. Yes, it is. 24 Q. Can you walk us through what this exhibit is showing? 25 A. This is just showing that on April 4, 2016, the following SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Is this a 977 K2bWsch4 Leedom - Direct 1 permissions were changed for the project. 2 permissions were modified, revoked and granted. 3 Q. And who made those changes? 4 A. These changes were all made by Jeremy Weber. 5 Q. And what changes were made to the defendant's privileges on 6 Brutal Kangaroo? 7 A. They were removed. 8 Q. And did someone else get privileges that day? 9 A. Christopher was granted project admin access to the 10 We can see different project. 11 MR. LAROCHE: Let's go to the next slide, please. 12 Q. 13 that? 14 A. Yes. 15 Q. Where is this exhibit from? 16 A. This is from the NetApp server inside of a folder in Jeremy 17 Weber's home directory, where they copied off some of the logs 18 from Bitbucket. 19 Q. And Bitbucket is Stash, is that right? 20 A. That's correct. 21 This is showing Government Exhibit 1207-53. MR. LAROCHE: 22 Q. 23 this is showing? 24 A. 25 Do you see Let's zoom in on this exhibit if we can. Can you walk us through, just starting at the top, what Yes, I can. So, this first part here, this is the IP address of the SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 978 K2bWsch4 Leedom - Direct 1 user that made the change. 2 at, is the server-side equivalent of the page on the previous 3 slide, so these are just those -- this is just a log file for 4 the changes that were made. 5 Overall, this, what we're looking The IP 10.2.8.10 is Jeremy Weber's IP address, and as we 6 saw in the previous slide, there's different types of events. 7 For this first entry, this is a "project permission 8 modification requested event," which just means that project 9 permission has been requested to be changed. 10 This piece is the user that's requesting the change. 11 This is a time stamp. 12 In Linux machines and other servers, sometimes they'll 13 store time stamp information in a number that looks like this. 14 It's something called epoch time. 15 of seconds since January 1, 1970. 16 Q. 17 time? 18 A. Yes, we can. 19 Q. And how do you go about doing that? 20 A. There's many different ways. 21 milliseconds, so you can use any number of converters that can 22 just convert this into the current time, and this is sometime 23 on April 4. 24 Q. And next to that set of numbers is BK? 25 A. Yup. Sorry. It's essentially the number To pause you there, are you able to translate that I believe this is in So -SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 979 K2bWsch4 Leedom - Direct 1 Q. What does that refer to? 2 A. BK is -- this space in the log is saved for the project 3 that's being modified, so BK is the product identifier for 4 Brutal Kangaroo. 5 After this, we have this -- let me just clear this really 6 quick. 7 and the user who is being affected by that change. 8 9 We have the specific permission that's being changed These last two fields, at the end, here to here, have to do with, like, session ID information for the server and the user 10 session that made the change. 11 for this exhibit. 12 They're not explicitly important You can see the way these are organized, we first have -- 13 like, we have two events that are kind of paired together. The 14 first is a modification request, and then there's the actual 15 modification event. 16 write" for user Schuljo and the old permission and "project 17 admin" to "new permission project write." So we had a request to change "project 18 And then if you read through the rest of this, we can see 19 that, as it kind of bubbles down, at the end we have "project 20 permission revoked event" for Schuljo, meaning his access to 21 the project was removed. 22 Q. 23 events did those reflect? 24 A. 25 project admin for the Brutal Kangaroo project. And then it's, I guess, the last four lines there, what This is a permission grant for the Christopher user as SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 980 K2bWsch4 Leedom - Direct 1 Q. Who conducted these activities on the system? 2 A. Jeremy Weber. 3 Q. And are these the same activities that were reflected on 4 the previous slide? 5 A. Yes, they were. 6 MR. LAROCHE: 7 Q. 8 exhibit from? 9 A. 10 Let's go to the next slide, please. This is showing Government Exhibit 1207-53. What is this This is from the same location, on the NetApp in Jeremy Weber's home folder in the Bitbucket logs that they saved off. 11 MR. LAROCHE: And if we can zoom in on this exhibit 12 again. 13 Q. Let's just focus on the first four lines or so. 14 A. Yes. 15 Q. What do those logs reflect? 16 A. These are more permission revocations for the defendant by 17 Jeremy Weber, this time for the OSB libraries project. 18 MR. LAROCHE: OK. We can zoom out. 19 Let's go to the next page, please. 20 Q. As part of your review of materials in this case, did you 21 identify certain activities of the defendant on DevLAN on April 22 15, 2016? 23 A. Yes, I did. 24 Q. What were some of those activities? 25 A. One of them was that he attempted to mount the Altabackups SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 981 K2bWsch4 Leedom - Direct 1 to a different location. He tried to create a data storage for 2 the Altabackups on the ESXi server, and then the second was 3 that he logged in with an administrative session over SSH to 4 the ESXi server, using his public-private key pair. 5 Q. 6 administrative session are you referring to there? 7 A. 8 administrator. 9 Q. For what server? 10 A. For the ESXi server. 11 Q. And how did he log in to that administrative session? 12 A. Using SSH, through his Ubuntu virtual machine on his DevLAN 13 workstation. Just on the second bullet for a moment, what type of This is a server administrative session for the server 14 MR. LAROCHE: Let's go to the next slide, please. 15 Q. This is showing Government Exhibit 1209-9. Do you see 16 that? 17 A. Yes. 18 Q. Where is this exhibit from? 19 A. This is a log file from the ESXi server called host D. 20 Q. Let's just focus on host D for a moment. 21 A. Yes. 22 Q. What's the host D log file? 23 A. The host D log file contains information primarily related 24 to VMware vSphere and vCenter. 25 this presentation where it shows log-in events from those Specifically, we'll see it in SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 982 K2bWsch4 1 Leedom - Direct services. 2 MR. LAROCHE: Let's zoom in on this log file for a 3 moment. 4 Q. 5 left. 6 A. Yes. 7 Q. Just walk us through, first, the date and time of this log 8 file. 9 A. Why don't we start on the top two lines and just the top Sure. So, this is from 4/15, 2016, at 7:36:05 UTC, and 10 we're looking at a log-in -- let me clear this really quick -- 11 from a DevLAN user, the defendant, from this IP address. 12 this is just showing that he's logging in using vSphere. 13 Q. 14 UTC? 15 A. Correct. 16 Q. What's UTC? 17 A. UTC is the same as GMT or Greenwich Mean Time. 18 time zone, like, all other time zones are based off of. 19 we were to convert this into local time, we would subtract four 20 hours from it, so 7:36 would be 3:36. 21 Q. Do you see the user DevLAN/Schuljo? 22 A. Yes. 23 Q. What is that? 24 A. So, when you have an account on Active Directory, you'll 25 have a username and then the domain to which that username And The first thing you said on the time was a reference to SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 It's the So if 983 K2bWsch4 Leedom - Direct 1 belongs. 2 was Schuljo. 3 Q. And what is he logging into here? 4 A. He's logging into the ESXi server through vSphere. 5 would allow you to connect to different virtual machines and 6 manage those services. 7 In this case the domain was DevLAN and the username This If we look at the second line, this ticket issued for MKS 8 service to user. MKS stands for mouse, keyboard, screen. So 9 if you remember earlier, when I spoke about you could go into 10 vSphere and click on the virtual machine and get, like, a shell 11 session for it and then you would be presented with the actual 12 operating system of the virtual machine, this is saying that 13 action happened. 14 Q. Is this a log-in as a regular user or as an administrator? 15 A. This is a log-in as a regular user. 16 Q. How, if at all, would this file look different had the 17 defendant logged in as an administrator? 18 A. 19 equals" and this user here at IP address. 20 username being DevLAN Schuljo, for example, you'd see the word 21 "root." 22 Q. What does root refer to? 23 A. Root is the administrative user in a Linux computer. 24 25 If it was an administrator user, you would see this "user MR. LAROCHE: Q. Instead of the Let's zoom out again, please. This activity, this log-in, occurred at approximately what SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 984 K2bWsch4 1 time? 2 A. Leedom - Direct 3:36 p.m. 3 MR. LAROCHE: Let's go to the next slide, please. 4 Q. 5 exhibit from? 6 A. 7 specifically a log file for the vSphere client software. 8 Q. At the bottom it says VI client? 9 A. Yes. 10 Q. What does that refer to? 11 A. So, the VI client is, and we'll see it in logs here, like 12 where it says VI client, these are logs that are generated when 13 you use the vSphere application. 14 Q. The last slide was a server-side log, is that right? 15 A. That's correct. 16 Q. Where is this log from? 17 A. This log is from the defendant's workstation, otherwise 18 known as the client. 19 connections between that server and another computer, one will 20 be the client and one will be the server. 21 is from the client, or the defendant's workstation. 22 This slide is Government Exhibit 1202-7. Where is this This exhibit's from the defendant's DevLAN workstation, So, when you have a server and you have In this case, this It's important to note the difference, because there's 23 multiple exhibits from each. And when we see time stamps on 24 the client's side, here, they are in EST, Eastern Standard 25 Time, but the time stamps that we see on the server are in UTC. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 985 K2bWsch4 Leedom - Direct 1 Q. Why is that? 2 A. The server was just configured to operate that way. 3 Q. So let's take a look at the first two lines of this slide. 4 MR. LAROCHE: If we can zoom in on that, please. 5 Q. What are these two lines showing? 6 A. This is showing the defendant trying to create a NAS data 7 store on the ESXi server that could be used with other virtual 8 machines. 9 Q. Let's start first with what is a NAS data store? 10 A. So, I'll first explain what a data store is on ESXi. 11 A data store is simply a place where, a location where you 12 can store data, and what you could do in this case with a NAS 13 data store, which stands for network attached storage, is you 14 can create this object. 15 point to the Altabackup, and then you could attach that as a 16 virtual hard drive to other virtual machines to access that 17 data. 18 Q. What time did these activities take place? 19 A. At 3:47 p.m. on April 15. 20 Q. And where did he attempt to create the data store? 21 A. On the ESXi server. 22 Q. How do you know that? 23 A. We know it because that's how you create data stores, and 24 since this is a VI client log through vSphere and he's logged 25 in to vSphere through the ESXi server, that's where it's being In this case, we'll see that it was to SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 986 K2bWsch4 1 Leedom - Direct created. 2 MR. LAROCHE: Let's zoom out again, please, and if we 3 could zoom in on just the rest of the exhibit, please. 4 Q. What is this showing? 5 A. This is the configuration information for the data store 6 that the defendant was trying to create. 7 the IP address of the server, the name of the share and what 8 they were going to call the name of the data store itself, in 9 this case backup, and the access permission, so -- This has things like 10 Q. What does a data store allow you to do? 11 A. It essentially allows you to access the content. 12 this case, it would allow you to access the content of 13 Altabackup through a data store called backup. 14 MR. LAROCHE: 15 Let's go to the next slide. So, in Let's zoom out again. 16 Q. Did the defendant successfully create this data store? 17 A. No, he did not. 18 Q. Showing you a slide with Government Exhibit 1202-8, what is 19 this exhibit from? 20 A. 21 which came from the defendant's DevLAN workstation from the VI 22 client log. 23 Q. 24 this slide? 25 A. This is a continuation of the log in the previous slide, And where is the IP address for the defendant's computer on It's not on this slide. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 987 K2bWsch4 Leedom - Direct 1 Q. Then how do you know the defendant conducted these 2 activities? 3 A. 4 and your client log on your machine is only going to show logs 5 of activities from things that happened on your machine. Because it's from the event we saw in the previous slide, 6 MR. LAROCHE: Let's zoom in on the highlighted 7 portions of this slide, please. 8 Q. What is this showing? 9 A. This is showing that the attempt to create the data store 10 ultimately failed. 11 Q. Why did it fail? 12 A. From this we can't tell why it failed other than that we 13 got a permission-denied error from the NFS protocol, from the 14 NetApp server. 15 Q. Are you familiar with the term "white list"? 16 A. Yes, I am. 17 Q. What does that refer to? 18 A. A white list is where you keep a list of machine names or 19 IP addresses that are allowed to explicitly access a service. 20 Q. 21 would the permission fail here? 22 A. Yes, that could be a reason why it failed. 23 Q. Why is that? 24 A. Because only services that were maintained in this white 25 list would be allowed to access that share. If the IP address for the server was not on the white list, SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 988 K2bWsch4 1 Leedom - Direct MR. LAROCHE: If we could go to the next slide, 2 please. 3 Q. 4 Atlassian products? 5 A. Yes. 6 Q. Can you just draw a line from the Atlassian products to the 7 Altabackup to show where those mount points were located? 8 A. 9 10 Now, earlier you talked about the mount points for the Yes, I can. So, Confluence had one. Bamboo had one. Stash had one. Crowd -- this -- let me undo this. 11 Since these were a, these weren't virtualized services in 12 Stash and Crowd, so this mount point was actually up here from 13 the Stash server. 14 Q. 15 to be created on a server? 16 A. Yes. 17 Q. Can you show us what connection that would have provided to 18 the backups? 19 A. 20 And then from Hickok to Jira as well. The last two slides we saw a data store that was attempted Yes. I'm going to clear this. This would have gone from the ESXi server itself to the 21 backup. 22 Q. 23 that data store? 24 A. 25 the virtual machines on the ESXi server as essentially what And had that been successful, how would you have accessed You would have added it. You could have added it to any of SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 989 K2bWsch4 1 Leedom - Direct would be an additional hard drive. 2 MR. LAROCHE: Let's go to the next slide, please. 3 Q. This contains Government Exhibit 1209-13. 4 exhibit from? 5 A. This is a log file from the ESXi server. 6 Q. Where on the ESXi server was this log file found? 7 A. On the physical machine in the server log folder. 8 Q. Is there a particular log that this shows? 9 A. Yes. 10 Q. What's the auth.log? 11 A. Auth.log shows connection attempts and other information, 12 such as if a password's changed for the server, so what users 13 or IPs were connecting to the server, whether they were 14 authenticating with username or password or the SSH protocol. 15 Where is this This is what we call the auth.log. MR. LAROCHE: Let's zoom in on this exhibit, please. 16 Q. 17 2016-4-15? 18 A. Yes. 19 Q. Let's start there. 20 A. So, this line, and I'll kind of circle it a little bit 21 here. 22 Do you see on the left the third line down starts What is that line showing? This line is showing a connection attempt that is starting 23 from the IP address 10.3.2.35, in an attempt to authenticate to 24 the server. 25 Q. Whose IP address is that? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 990 K2bWsch4 Leedom - Direct 1 A. This is the IP address for the defendant's Ubuntu virtual 2 machine on his DevLAN workstation. 3 Q. What time did this connection attempt to take place? 4 A. This connection was initiated on April 15, 2016, at 7:38 5 UTC, so 3:38 p.m. 6 Q. Let's go down to the next line, please. 7 A. This says that the server was unaware of the current host 8 name that the IP address had. 9 was called ndb-testrange-4.devlan.net. The last time it had seen it, it It's a security feature 10 for SSH and authentication modules just to prevent something 11 called a man-in-the-middle attack. 12 that important for this. 13 server hadn't seen a connection from this IP address with a 14 host name it recognized. 15 Q. 16 key"? 17 A. 18 we can see the protocol that's being used to authenticate to 19 the server. 20 saying that it was being used with a public-private key pair 21 from this IP address; it's the same as above. 22 public-private key pair, this is the key fingerprint. This is -- yeah, it's not It's, it's -- it was just a -- the What's the next line down that starts "accepted public This is saying -- over here on the left a little farther, SSH, as we talked about, is secure shell. This is And for that 23 Now, a key fingerprint is a way to identify -- it's a 24 unique identifier for a specific public-private key pair, and 25 we know this to be the defendant's public-private key that's on SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 991 K2bWsch4 Leedom - Direct 1 his Ubuntu virtual machine. 2 Q. How do you know that? 3 A. I've calculated the fingerprint and compared it, and it 4 matches. 5 Q. 6 show? 7 A. 8 authenticated, and it was opened for the root user. 9 Q. Do you see on the right there is a UID equals zero? 10 A. Yes. 11 Q. What does that mean? 12 A. That's saying the, like, system service authenticated it 13 successfully. 14 Q. 15 there was a number in parentheses? 16 A. Yes. 17 Q. And it ends in 763? 18 A. Yes. 19 Q. Let's go down one more line. 20 A. Yes. 21 Q. Do you see that? 22 A. I do. 23 Q. What is that number? 24 A. This is an important number. 25 server, your session is tagged with a certain ID. Let's go down to the next line, please. What's that line This is saying that the session was successfully And then you do you see how the last few lines on the left That starts 766? I'll circle it here. When you log in to an ESXi SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 VMware calls 992 K2bWsch4 Leedom - Direct 1 this a work ID, and anything you do while you're in that 2 session --typing on the command line, things like that -- it's 3 logged with this identification number, and it's meant to take 4 back to this specific file to see who had logged in. 5 Q. 6 in any way? 7 A. Yes, it does. 8 Q. How does it relate to his IP address? 9 A. Since this is the work ID for this session that we've been Does that number now relate to the defendant's IP address 10 analyzing, we know that the activity that we see from this 11 session, which this identifier number is unique and is never 12 reused, came from 10.3.2.35. 13 Q. 14 of that line means? 15 A. 16 So on the line next to 766, can you explain what the rest Yes, we can. It says "session opened for 'root' on /dev/char/pty/t0." 17 This just means that it gave the requesting client, the 18 defendant's Ubuntu machine, a terminal session to the server. 19 Q. What do you mean by terminal session to the server? 20 A. Terminal session, so the T0 -- or the PTY. 21 stands for pseudo Teletype. 22 machines that you would use where it was just a keyboard and a 23 terminal window. 24 computing. 25 first available session. I believe it It's in relation to old terminal These are since virtualized now in modern So T0 essentially means that that's, like, the So if you were the only user to log SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 993 K2bWsch4 Leedom - Direct 1 in to a server, in most cases you would be assigned to terminal 2 zero. 3 Q. 4 766 -- ever close? 5 A. 6 the log file. 7 That's just showing what's been assigned here. Did this session -- the defendant's session, logged in as No. There's no evidence of this session ever closing in If I erase here for a second, there's a separate section, 8 lower on here. I won't go through every piece, but we can see 9 that it was opened here. And then when that session ends, 10 we'll see a pair for session closed and then another session 11 closed for that user. 12 Q. 13 opened? 14 A. 15 Jeremy Weber, which we know from this IP address, 10.2.8.10, 16 logged in to the ESXi server and changed the root password. 17 then logged out on the 18th, in the morning, which I believe 18 was the Monday afterwards. 19 Q. 20 root" there's a T1 at the end? 21 A. Yes. 22 Q. Why is there a T1? 23 A. There's a T1 because the T0 was already occupied by the 24 defendant's session. 25 on 4/15, and the session was open until the server was And just to focus on that other session, when was that one This is the session that was opened on 4/16, 2016, when He Do you see on the line where it says "session opened for So essentially, the defendant logged in SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 994 K2bWsch4 Leedom - Direct 1 repurposed on April 25, when they migrated the services over to 2 ISB. 3 Q. 4 says "session closed for root"? 5 A. Yes. 6 Q. And that's for the T1? 7 A. Uh-huh. 8 Q. Do you see a similar session closed for T0? 9 A. No. And do you see at the bottom there, second-to-last line, it 10 There isn't one. MR. LAROCHE: Let's zoom out for a second. 11 Q. When did the defendant log in as an administrator to the 12 ESXi server on April 15? 13 A. At 3:39 p.m. 14 MR. LAROCHE: Let's go to the next slide, please. 15 Q. 16 exhibit from? 17 A. 18 virtual machine on his DevLAN workstation from an allocated 19 space. 20 Showing you Government Exhibit 1203-18, what is this This is something we recovered from the defendant's Ubuntu MR. LAROCHE: If we can zoom in on the highlighted 21 portion, please. 22 Q. Let's just start at the top, root@OSB. 23 A. Part of what we were able to recover from the defendant's 24 virtual machine was the actual text input and output from his 25 session with the ESXi server that we just spoke about. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 What is that? This 995 K2bWsch4 Leedom - Direct 1 part -- we can't date these commands specifically. We just 2 know that they were run at some point after April 15, when he 3 logged in to the server. 4 discussed before, this root@OSB is just the username at what 5 server, so we know he's logged in as root on the ESXi server. 6 The little tilde shows he's in the home directory for the The first command he runs, as we've 7 root user. 8 that's available on most Linux operating systems. 9 is it shows you the last successful log-ins to -- to the 10 And this command, last, is a typical Linux command What it does machine. 11 Unfortunately, Linux is an open-source operating system and 12 can be customized by companies in different ways and support 13 different software. 14 available in the -- as a command on this ESXi server, so a 15 similar command to last that is available is the command "who." 16 And who just shows who is currently logged on to the server. 17 And in this case, it shows the root log-in from April 15 on T0 18 from the IP10.3.2.35, which is the defendant's DevLAN 19 workstation virtual machine. 20 Q. 21 command? 22 A. 23 keyboard and hit enter, and then the command text would be 24 displayed to you on the screen for the output of the command. 25 Q. In this case, the "last" command is not And just at a very basic level, what does it mean to run a So, running a command just means you typed it out on your What was the output of this "who" command? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 996 K2bWsch4 Leedom - Direct 1 A. It was this line where you see here where I circled stuff: 2 this root, the terminal, and the other information. 3 Q. And what does that output reflect? 4 A. This output shows that there's a user logged in to the ESXi 5 server as root, with this terminal identifier, with this IP 6 address, and the session was initiated at this time. 7 MR. LAROCHE: 8 Q. 9 that day. We can go to the next slide, please. This slide is titled "April 16, 2016," so I want to turn to Did you see evidence of any activities occurring on 10 DevLAN that day? 11 A. Yes. 12 Q. What did you see? 13 A. On April 16, passwords were changed and updated on the 14 Atlassian products and the ESXi server. 15 MR. LAROCHE: Let's go to the next slide, please. 16 Q. Now, this contains Government Exhibit 1209-16. Where is 17 this exhibit from? 18 A. 19 that stores public keys for SSH to be used with authenticating 20 to the server. 21 Confluence server that had six or so different public keys 22 available to use to log in, the ESXi server only had one key, 23 which was the defendant's public key. 24 Q. 25 exhibit schuljo@devlan.net? This exhibit comes from the ESXi server itself in the file Now, unlike the authorized-keys file from the Can you circle on the bottom right-hand corner of this SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 997 K2bWsch4 Leedom - Direct 1 A. Yes, I can. 2 Q. What does this mean? 3 A. This is the username of the user who created this key, the 4 key pair, when it was created. 5 Q. 6 What are those? 7 A. 8 number. 9 earlier. And there are an awful lot of numbers and letters here. This is a representation of what's essentially just a large This is a public key, which I discussed slightly It's mathematically related to the private key and 10 can be used to verify itself that way. 11 Q. And where was this public key located? 12 A. This public key was located on the ESXi server in the 13 authorized-keys file. 14 MR. LAROCHE: OK. Let's, if we can, go to slide 17. 15 Q. Just circle where this key was located. 16 A. This key was located on the actual server itself. 17 Q. And is this public key what was used to log in to an 18 administrative session on April 15 -- 19 A. Yes, it was. 20 Q. -- 2016? 21 Now, were there other keys located on Confluence? 22 A. Yes, there were. 23 Q. And just circle where they would have been located. 24 A. Those keys would be on the Confluence virtual machine 25 running on top of the ESXi server. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 998 K2bWsch4 1 Leedom - Direct MR. LAROCHE: Let's go to slide 53 for a moment. 2 Q. This has exhibit 1203-9. Where is this exhibit from? 3 A. This is from the defendant's DevLAN workstation in his 4 Ubuntu virtual machine. 5 Q. What is it? 6 A. This is the private key, which is the pair to that public 7 key that we were just looking at. 8 Q. What do you mean by a pair? 9 A. Like I'd mentioned before, a public-private key pair, 10 they're mathematically related so they can be used to log in 11 through the SSH protocol. 12 cryptography. 13 MR. LAROCHE: It's something called asymmetric Let's go to the next slide, please. 14 Q. Was the defendant's private key encrypted in any way? 15 A. Yes, it was. 16 key. 17 Actually -- so, this is the password for the Can we go back a slide? 18 Q. Sure. 19 A. And if you look at the top of the private key, you can see 20 whether the key's encrypted or not, and this shows us that it 21 was encrypted. 22 We can continue back to 54. 23 This was the password used to decrypt that key. What this 24 means is if you create a private key with a password, not only 25 do you have to have the private key to log in, but you have -SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 999 K2bWsch4 Leedom - Direct 1 it will prompt you for a password when you try to use it, and 2 if you don't know that password, you can't log in with it. 3 MR. LAROCHE: Let's go to the next slide, please. 4 Q. Showing you Government Exhibit 1207-2. 5 A. This is from the NetApp server in the defendant's home 6 folder. 7 Q. What is this exhibit showing? 8 A. This is a private key and public key that the defendant had 9 for another user on DevLAN called -- his name was Rufus. 10 Q. Where did Rufus work at the CIA? 11 A. I don't -- I don't recall. 12 don't remember which specific branch. 13 MR. LAROCHE: Where is this from? It was somewhere in EDG. I Could we go to the next slide, please. 14 Q. What's this showing? 15 A. This is the, just the public key for Rufus's key, also on 16 the NetApp in the defendant's home folder. 17 Q. Where was this found? 18 A. On the NetApp server in the defendant's home directory. 19 MR. LAROCHE: Let's go to the next slide, please. 20 Q. 21 exhibit from? 22 A. 23 machine backup, that was stored on the NetApp server when they 24 did the migration. 25 This slide has Government Exhibit 1207-92. Where is this This is from the Confluence backup, the whole virtual MR. LAROCHE: If we could zoom in on the exhibit and SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1000 K2bWsch4 Leedom - Direct 1 the black boxes to the right. 2 Q. What is this exhibit showing? 3 A. This is a configuration file for the Confluence virtual 4 machine. This shows the snapshots that were available for that 5 machine. We can see that there were three snapshots, snapshot 6 1, snapshot 2 and snapshot 4, and this is as of April 25, when 7 they migrated the service and made the backup copy. 8 dated using this "create time" high-low value. 9 machine-stored version of this. These are This is just a If -- you can go online and 10 look up how to convert this, and there's a Python script 11 available online, and you just essentially have to subtract 12 these two numbers and you can get the human-readable time 13 stamp. 14 The first snapshot is the snapshot that was created when 15 the Confluence instance was installed. 16 real quick. 17 I'm going to clear this Confluence installed. The second snapshot was when the backup was made before 18 they changed the passwords on April 16. 19 stamp is again reflected over here from April 16 at 1:42. 20 And that that time And then this snapshot 4 -- you'll notice we go from 21 snapshot 2 to snapshot 4. There's no snapshot 3 here because 22 that was a snapshot that the defendant had created and then 23 subsequently deleted. 24 snapshots it's made in the past, so when they made the snapshot 25 to back up before the network changed, it was given the number But VMware keeps track of how many SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1001 K2bWsch4 Leedom - Direct 1 4, and that was on April 25. 2 Q. Let's just circle snapshot 1 on this screen. 3 Snapshot 2. 4 And snapshot 4. 5 You said that snapshot 3 does not exist because it was 6 deleted? 7 A. That's correct. 8 Q. By whom? 9 A. By the defendant. 10 Q. Why is there a snapshot 4 if no snapshot 3 appears here? 11 A. VMware keeps track so it knows when the next snapshot was 12 made that it needs to be indexed as No. 4. 13 just as this so you can know how many times the machine's been 14 snapshot -- snapshotted in the past. 15 MR. LAROCHE: It's to show things Let's go to the next slide, please. 16 Q. This is showing Government Exhibit 1207-7. Where is this 17 exhibit from? 18 A. 19 authorized-keys folder. 20 Q. And what do each of these blocks of text reflect? 21 A. These are public keys from SSH public-private key pairs for 22 all of the different keys that were available to log in to 23 Confluence as of 4/16, before they changed the passwords. 24 Q. And where were these keys located? 25 A. There's a file in the SSH folder on Linux system that This is from the April 16 Confluence snapshot in the SSH SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1002 K2bWsch4 Leedom - Direct 1 stores what public keys are available. 2 keys. 3 MR. LAROCHE: It's called authorized If we can just flip back quickly to 4 slide 17. 5 Q. Just circle where these keys would have been located. 6 A. So, these keys were on the Confluence VM. 7 Q. This is different from the key we viewed earlier that was 8 the defendant's public-private key on the server, is that 9 correct? 10 A. That's correct. 11 MR. LAROCHE: We can go back to Government Exhibit 58. 12 Now, let's zoom in on the second-to-last key. 13 Q. What is this key? 14 A. This is another public key. 15 root@jira.ioc.local. 16 Confluence application. 17 Q. 18 it's on the Confluence virtual machine? 19 A. 20 this both from dev-01 and from Bamboo. 21 when the Atlassian services were set up or shortly after, it 22 appears that a public-private key pair was made for each of the 23 services and used in some way. 24 exactly how this was used, but you would need the private key 25 that was associated with each of these public keys to log in It's labeled as This key was likely generated on the Jira And what significance, if any, is there to the fact that If you zoom out again, we can see another, similar key to At some point, either We can't say for certain SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1003 K2bWsch4 Leedom - Direct 1 this way. 2 Q. 3 the Confluence virtual machine? 4 A. By using SSH. 5 Q. And would you have administrative access at that point? 6 A. Yes, you would. 7 Q. So if the defendant used his private key on April 16, 2016, 8 while this key was still there, would he have had 9 administrative access to the Confluence virtual machine? And if you had that private key, how could you log in to 10 A. Yes, he would, and the defendant's private key -- public 11 key is also here, up at the top. 12 Q. You talked about mount points earlier to the Altabackups? 13 A. Yes. 14 Q. Where was the mount point for Confluence located? 15 A. In the slash mount Altabackup folder on the Confluence 16 server, virtual machine. 17 Q. 18 the virtual machine, would you have had access to those mount 19 points? 20 A. If you used the SSH key shown on this slide to log in to Yes, you would have. 21 MR. LAROCHE: Let's go to the next slide, please. 22 Q. This is showing Government Exhibit 1207-18. Where is this 23 from? 24 A. 25 forensically speaking, we got to the network obviously after This is from the April 25 Confluence snapshot. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 So, 1004 K2bWsch4 Leedom - Direct 1 this machine had been migrated, so our image of the Confluence 2 server came from that backup that they made when they 3 transitioned the Confluence and Bamboo machines to ISB on April 4 25. 5 this just shows us the authorized-keys file after the passwords 6 were changed on the 16th. 7 Q. 8 16, 2016? 9 A. So our most recent copy of that service was from here, and Is this the only authorized key in that folder after April Yes are. They deleted the rest of them -- well, they 10 deleted all of them and added this new key which was created. 11 Q. 12 folder after April 16, 2016? 13 A. 14 Is the defendant's key available in this authorized-keys No, it's not. MR. LAROCHE: Let's go to the next slide, please. 15 Q. 16 these exhibits from? 17 A. 18 the April 16 snapshot before they changed the passwords. 19 Q. And generally, what are these files? 20 A. There's two files that are represented here. 21 machine, the way user accounts and their passwords are related 22 are they're stored in two files. 23 file, which we have here on the left. 24 shadow file, which we have on the right. 25 This contains Government Exhibits 1207-10 and-11. What are These exhibits are from the Confluence virtual machine from On a Linux One's called the password The second is called the The password file stores user account names, what groups SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1005 K2bWsch4 Leedom - Direct 1 they're in, things like what default shell they have. 2 file on the right stores the password for those users. 3 And the You'll notice that on the right here, there's only two 4 accounts that have this big, like, long string of numbers in 5 it. 6 This is a hash of that password. The other accounts that are listed here, you'll see they 7 have a little asterisk. 8 assigned a password and can't be used to log in. 9 This just means that account was never (Continued on next page) 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1006 K2B3SCH5 Leedom - Direct 1 Q. What is this password for? 2 A. So, this password is for the actual root user account. 3 you were to log in through vSphere into the ESXi server, click 4 on the Confluence virtual machine, and then click the little 5 box that gave you a shell session into the Confluence VM, and 6 it would prompt you for a user name and a password. 7 would give it root, and the password, this is a hash of the 8 password. 9 password, because you wouldn't store the plain text password in 10 a file. 11 reuse it. 12 If And you A hash is simply a function to obfuscate the If someone got on the system they could see it and So, this slide is just to demonstrate, as we'll see I 13 believe on the next slide, that this password was changed. 14 Q. 15 exhibits; is that right? 16 A. That's correct. 17 Q. Do those exhibits reflect a password change? 18 A. Yes, they do. 19 Q. How do you know that? 20 A. So, this is from the April 25 snapshot of the Confluence 21 VM. 22 this slide to the last slide, you'll see that it was changed, 23 indicating the password was changed. 24 Q. 25 Confluence virtual machine. Let's go to the next slide, please. These are similar And if you compare this long hash for the root account on So we've been talking so far about changes to the Is that right? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1007 K2B3SCH5 Leedom - Direct 1 A. That's correct. 2 Q. So what changes have we seen so far to the administrative 3 privileges on the Confluence virtual machine? 4 A. 5 machine were all deleted and a new one was placed in. 6 the administrator account, the actual user account on the 7 machine had its password changed as well. 8 Q. 9 Go to the next slide, please. We've seen that all of the public keys that were on the And then So let's now switch gears to the OSB ESXi server itself. 10 Were there any changes to that server on April 16, 11 2016? 12 A. Yes, there was. 13 Q. So we saw this slide, this exhibit several slides ago. 14 that right? 15 A. That's correct. 16 Q. You said that this is the auth. log from the ESXi server? 17 A. Yes. 18 MR. LAROCHE: Is If we can zoom in on the activity from 19 April 16, 2016, please. 20 Q. What is this showing? 21 A. This is showing the activity that Jeremy performed when he 22 logged into the ESXi server, and then changed the password for 23 the root account. 24 Q. 25 account. Can you circle how you know that he changed the root SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1008 K2B3SCH5 Leedom - Direct 1 A. Yes. 2 for root. 3 Q. 4 Jeremy? 5 A. We have his IP address which is 10.2.8.10. 6 Q. Were you able to confirm that password change? 7 A. Yes, we were. Again, how do you know this is activity that was done by 8 9 At the very last line here, we see password changed MR. LAROCHE: So let's zoom out for a moment and go to slide 63, please. 10 Q. Showing you Government Exhibit 1209-15, the top half of 11 this slide. 12 A. Yes, it is. 13 Q. Let's zoom in on that for a moment. 14 this? 15 A. 16 Confluence a few slides ago. 17 password for the accounts on the system. 18 Q. What is this file from? 19 A. This is from the ESXi server. 20 Q. Let's zoom out. 21 showing? 22 A. 23 show that the hash was changed and that, in fact, it was 24 changed from the password My Sweet Summer which existed on the 25 server prior to 4/16/2016 to a new password that we'll see Is that the exhibit? This is a shadow file. What type of file is We reviewed one similarly for This has the pass -- the hashed What's the bottom half of this screen I manually calculated the password for this hash, just to SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1009 K2B3SCH5 Leedom - Direct 1 after 4/16. 2 calculated, it essentially takes your password, and then it 3 takes a random bit of data which is called a salt and it adds 4 that to your password to make it unique. 5 with a common hashing algorithm. 6 which algorithm was used in this case, I believe 6 is SHA-512. 7 It is just a mathematical function that generates this string 8 of numbers you see here. 9 We can do this by -- the way these hashes are And then it hashes it This $6 specifies exactly You can use a standard library in python which is a 10 scripting language to verify that plain text password matches a 11 hash. 12 Q. What is the password on this screen? 13 A. This password is My Sweet Summer. 14 Q. Could you verify that that changed? 15 A. Yes, you could, if you compared it to the new version. 16 Q. Were you able to do that? 17 A. Yes, I did. 18 Q. Let's go to the next slide, please. 19 showing? 20 A. 21 changed. 22 Q. 23 I don't think I asked. 24 25 So we're just doing that here. What is this slide This is showing the shadow file after the password was We can see here that the new hash matches. Go to the next slide, please. Sorry, just one slide back. What was the new password? A. The new password is up here a little more easy to read. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1010 K2B3SCH5 Leedom - Direct 1 I've been saying it as "To Make a Call" with some symbols in 2 it. 3 Q. 4 Exhibit 1209-16. Let's go to the next slide, please. 5 Showing Government Did we see this before? 6 A. Yes, we did. 7 Q. What is this? 8 A. This is the defendant's public key that is on the ESXi 9 server. 10 Q. Did this key remain on the ESXi server after April 16, 11 2016? 12 A. Yes, it did. 13 Q. Do you see evidence of the defendant using his 14 administrative access to that server after April 16, 2016? 15 A. Yes, we do. 16 Q. We'll come back to that later. 17 slide, please. 18 If we can go to the next This is titled "Recap, April 16, 2016." What is this 19 slide meant to convey? 20 A. 21 network, specifically to Confluence and the ESXi server when 22 they changed the passwords. 23 Q. What changes were made to the server itself? 24 A. The ESXi server itself? 25 Q. Yes. This is just showing the changes that were made to the SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1011 K2B3SCH5 Leedom - Direct 1 A. The administrative root password was changed, but the SSH 2 key for the defendant was not removed. 3 Q. 4 attention to April 18, 2016. 5 that was? 6 A. I believe it was a Monday. 7 Q. Let's go to the next slide, please. 8 Government Exhibit 1095, a memorandum to Joshua Schulte from 9 Anthony Leonis dated Monday, 18 April 2016. Go to the next slide, please. So I'd like to turn your Do you know what day of the week This is showing 10 If we could go to the next slide, please. 11 Mr. Leedom, can you please read the text that's 12 excerpted here on this slide? 13 A. Yes, I can. 14 MS. SHROFF: Objection, your Honor. 15 beyond the scope of an expert's testimony. 16 nothing do with his expertise. 17 THE COURT: Okay. 18 MR. LAROCHE: This is far This slide has The objection is overruled. Thank you, your Honor. 19 Q. Please read it, Mr. Leedom. 20 A. Yes. 21 libraries (and any associated computer network exploitation CNE 22 related code libraries, development tools, etc.) will be 23 administered by a designated AED/OSB personnel until further 24 notice. 25 administrative rights to any project and/or system for which "Lastly, effective 0800 on Monday 18 April, the OSB Please do not attempt to restore or provide yourself SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1012 K2B3SCH5 Leedom - Direct 1 they have been removed. The undersigned has read and 2 understands the above." And we have the defendant's signature. 3 Q. 4 Exhibit 1063 which is an e-mail sent on April 18, 2016, at 5 12:59 p.m. from Joshua Schulte to Anthony Leonis, and the 6 subject is "ISB infrastructure permissions transfer." Let's go to the next slide, please. 7 Can you remind us what is ISB? 8 MS. SHROFF: 9 THE COURT: Showing you Government I have the same objection. Same ruling. 10 A. ISB is the infrastructure support branch, that, from what I 11 understand, managed some of the services that were in place for 12 EDG. 13 Q. 14 the excerpt that's on the screen. 15 A. The entire excerpt or just the first part? 16 Q. Let's start with the top sentence. 17 A. Okay. 18 been destroyed/revoked." 19 Q. And then, in the second paragraph, start with "it seemed." 20 A. "It seemed like overnight literally all my permissions 21 within the products were removed and all my permissions on 22 servers themselves revoked ... and all without anyone informing 23 me. 24 without my knowledge?" 25 Q. Let's go to the next slide, please. Can you please read "I verified that all private keys with access have Is there a reason to this sudden turnover that occurred Have you reviewed forensic activity on the network from SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1013 K2B3SCH5 Leedom - Direct 1 April 18, 2016? 2 A. Yes, I have. 3 Q. Did that include reviewing log files from the defendant's 4 DevLAN computer? 5 A. Yes, it did. 6 Q. What are some of the defendant's activities on the DevLAN 7 network on April 18, 2016? 8 A. 9 user as well as utilizing his session on the ESXi server which We see him logging in to vSphere as the root administrator 10 was initiated on April 15. 11 Q. 12 destroyed or revoked? 13 A. No, it was not. 14 Q. How do you know that? 15 A. We know that because it was used to authenticate with the 16 session on the server. 17 Q. 18 themselves revoked? 19 A. No, not all the servers. 20 Q. Which servers were they not revoked on? 21 A. The ESXi server. 22 Q. How do you know that? 23 A. His public key was still in the authorized keys file on the 24 ESXi server, which would allow him to have accesses to that 25 server. Was the defendant's private key to the ESXi server Were all of the defendant's permissions on the servers SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1014 K2B3SCH5 Leedom - Direct 1 Q. Did you see the defendant log in as the administrator to 2 the ESXi server after April 16, 2016? 3 A. Yes, through vSphere. 4 Q. What does that mean? 5 A. That means he utilized the root account and password for 6 vSphere to log in that way. 7 Q. 8 2016. 9 Government Exhibit 1203-16. So let's go through some of the activities on April 18, If we can go to the next slide, please. 10 I'm showing you Where is this exhibit from? 11 A. This exhibit comes from the defendant's DevLAN workstation 12 in his virtual machine recovered from unallocated space. 13 MR. LAROCHE: If we can zoom in on the top third of 14 the highlighted text, please. 15 Q. What does root@Josh-desktop mean? 16 A. Josh-desktop was the host name for his Ubuntu virtual 17 machine on his DevLAN work station. 18 he was logged in at the time these commands were run. 19 Q. What's the next set of commands on that line? 20 A. This is showing the folder that he was in, the dot SSH 21 folder, and he did a list command to show the files in that 22 folder. 23 Q. What's dot SSH refer to? 24 A. A dot in a folder in Linux means it is a hidden folder. 25 This folder is hidden by default, because it typically stores Let's start at the top line. And root was the account SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1015 K2B3SCH5 Leedom - Direct 1 private keys for users, and it's a simple but -- it is simple, 2 but it is a security mechanism for that. 3 Q. Below that there is a total 20? 4 A. Yes. 5 Q. What does that mean? 6 A. When you run the LS command and give it the -- the L flag, 7 I'll just explain both the flags. 8 9 A flag is like an argument for a command. So this just says run the list command and give me some extra information. 10 In this case, the A says list all files, including hidden 11 files. 12 command this way, you can get a total, and the total is the 13 number of 512 byte blocks that are occupied at the physical 14 file system level by the files in this folder. And the L says give me file details. 15 When you run the So, it is essentially just a quick way to sum up the 16 size of the files in that folder. 17 Q. Then, below "total" there is a DRWX. 18 A. Yes. 19 Q. What is that? 20 A. So, these are permissions for individual files and folders 21 in this directory. It's split up into three parts here. 22 try and circle it. It's going to be a little difficult. 23 So, this first is a special bit. Do you see that? I'll In this case a D 24 stands for directory. In Linux, you have folders, and 25 obviously at the command line level, you have to type to move SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1016 K2B3SCH5 Leedom - Direct 1 between different folders. 2 there is a little dot here. 3 shows you that's the current folder that you're in. 4 wanted to run a command, or like, let's say you had a script or 5 a file in that folder you wanted to run, you would append it 6 with a dot forward slash, meaning the folder I'm in accessed 7 this file. 8 9 So, if you see to the far right, That's just the way that the Linux So if you Something like that. Right below, we have a dot dot. folder directly above this one. This represents the So if you wanted to change 10 directories to the folder that is above you, you would use the 11 CD command, which is the change directory command. 12 give it the dot dot, which would move you up a directory. 13 We'll see some examples of those other commands later on. 14 And then But, this D bit here just indicates that this is a 15 folder. 16 right, ID_RSA and known_hosts, these are just text files. 17 These don't have the D in the front. 18 You'll notice there are the files over here on the The rest of this set of dashed lines, these are sets 19 of permissions for different things. 20 permissions for the owner of the file, the second is the 21 permissions for the group that the owner is in of the file, or 22 the group that the file is assigned to, excuse me. 23 the last set of three things here is the permissions for anyone 24 on the system for the file. 25 The first one is the And then So if we put it together for this ID_RSA file, this is SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1017 K2B3SCH5 Leedom - Direct 1 saying that the root user has read write access. 2 is the execute, which means it allows that file to be run as a 3 program. 4 have a dash. 5 This last bit That's not on this particular file, that's why we The group that that user is in, it's a little 6 confusing since the root user is in the group that's called 7 root, which is like the administrative group. 8 has read access. 9 That group just And then if you happen to log in and you're not the 10 root user, you fall into this everyone category, and you would 11 only have read access to this file. 12 Q. 13 there is SSH SSH root@Stash, do you see that? 14 A. Yes. 15 Q. What is that showing? 16 A. This is how you would instantiate the SSH command if you 17 are on the terminal and you wanted to log into the server. 18 this case we're asking to log in as the root user to the server 19 called Stash. 20 Q. 21 successful? 22 A. No, we can't. 23 Q. So let's zoom out. 24 of this log file. 25 A. So let's go down a couple lines to root@Josh-desktop, then In Can you tell from this log file whether this log-in was Not from what we have here. Then zoom back in on the middle portion Generally, what is this showing? This is another -- well, at the top we have a list command SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1018 K2B3SCH5 Leedom - Direct 1 showing the files in this folder again. This time it's just 2 formatted a little bit differently because it wasn't given 3 those AL flags. 4 log in as the root user to the Confluence server. 5 Q. 6 to the virtual machine? 7 A. Yes, I am. 8 Q. To be clear, were the defendant's SSH keys for the virtual 9 machine revoked? And below this we have another SSH command to When you refer to the Confluence server, are you referring 10 A. Yes, they were. 11 Q. Can you tell from this log file whether this log-in was 12 successful? 13 A. No, we cannot. 14 Q. So let's go to the last bit of text that's highlighted at 15 the bottom. 16 A. 17 lines here, the defendant attempted to use the host name for 18 Jira which was the human readable name which is Jira.IOC.local. 19 And his virtual machine didn't know how to resolve that. 20 the fallback is you have to manually enter the IP address for 21 the server, which is what he did here. 22 information to the server. 23 password to access. 24 after three failed password attempts, and he was unable to log 25 into the Jira server. What is this showing? This is showing a log-in to the Jira server. The first two So, This is just connection And then the server requests a And we see that the permission is denied SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1019 K2B3SCH5 Leedom - Direct 1 Q. Let's go to the next slide. Showing you Government Exhibit 2 1207-26. 3 A. 4 log file. 5 Q. What is this showing? 6 A. This is showing when the defendant's virtual machine at 7 10.3.2.35 attempted to log in over SSH to the Confluence server 8 on April 18, at 11:08 a.m. 9 Q. Why did that fail? 10 A. It failed because his public key was no longer on the 11 server. 12 Q. Was there another attempt attempted log-in at 11:13 a.m.? 13 A. There was. 14 Q. Can you explain what happened there? 15 A. We can see by the information in the log file that this 16 wasn't an SSH log-in, this was like a normal log-in. 17 can tell that from, when we see mention of the pam_unix module, 18 this is what handles authenticating user names and passwords on 19 a Linux system. 20 vSphere in the shell session, and was prompted with a password 21 user name and typed it in, and then in this case we have a 22 failed log on. 23 Q. So let's talk about the vSphere log on for a moment. 24 A. Yes. 25 Q. Please explain how the defendant would use vSphere to log Where is this exhibit from? This is from the Confluence virtual machine in the auth. So he was unable to authenticate to the server. And we And this is when someone tried to log in using SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1020 K2B3SCH5 Leedom - Direct 1 in. 2 A. 3 credentials to log into the ESXi server. 4 use your DevLAN user name and password, and it would let you 5 in. 6 virtual machines that are on the server, and you can select 7 one, in this case, the Confluence virtual machine. 8 would click on a little shell button. 9 this soon I think. So you double click the application and it asks you for Typically you would And then you'll be displayed with a list of all of the And you We have a picture of And then you would get into the, like, user 10 interface for that virtual machine, and you would log in that 11 way. 12 Q. 13 at the next slide, please. 14 What is this showing? 15 A. 16 this. 17 going to do this on DevLAN. 18 address or the host name of the ESXi server. 19 user name would be either root or your DevLAN user name. 20 then you'd have to put in your password and you'd click log-in. 21 Q. 22 97. 23 A. 24 unsuccessful in finding a good picture of the vSphere desktop 25 application to illustrate this. So, we do have a picture. It's the next slide. Let's look This is Government Exhibit 96. So this is a picture just from the internet I took to show So, here you would input the IP address if you were You would have to put the IP Let's go to the next slide. And then your And This shows Government Exhibit What is this showing? This is a picture taken from the internet. I was So, this is a picture of the SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1021 K2B3SCH5 Leedom - Direct 1 VMware vSphere web client which was also in use on DevLAN. 2 information displayed is going to be almost identical. 3 The When you would log in through vSphere, on the left 4 here, under Navigator, we can see you would be displayed with a 5 the name of the ESXi server and the virtual machines that were 6 inside that server. 7 8 Now, just to remember, this is a demonstrative from the internet. 9 This isn't an actual picture from DevLAN. If you wanted to, for example, go to the Confluence 10 virtual machine, you would click on it, in this case, the 11 selected VM in this example is called standalone. And this 12 will show you the information about that machine. So you get 13 detailed diagnostic information like how much storage it has, 14 how much memory it has, how much CPU it's using. 15 And if you click this box here, this will give you 16 that shell session to the server. 17 click on this, and it would pop up another window, and you 18 could just type into that window and access the server that 19 way. 20 So you would essentially So when I say you're logging in through vSphere, this 21 is what I mean. 22 Q. 23 slide, please. 24 Where are these files from? 25 A. Let's go back to the DevLAN files. If we go to the next This has two exhibits, 1209-17 and 1209-20. These files are from the ESXi server. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1022 K2B3SCH5 Leedom - Direct 1 Q. Where on the ESXi server are they from? 2 A. In the log folder in a log file called host D.0. 3 Q. We saw that earlier. 4 file show? 5 A. 6 authentications through the vSphere and vCenter services. 7 if you made a log-in through vSphere, like I illustrated in the 8 last two slides, that type of log-in will be in this log file. 9 Q. So let's zoom in on the top, please. 10 A. This is showing a log-in for the user root from the 11 defendant's workstation IP address logging into the ESXi server 12 through vSphere. 13 client. 14 11:12 a.m. on 4/18. 15 Q. How do you know this is a root log-in? 16 A. It says user root, so we know that's the root user. 17 also know when the, in this case the user's attempting to 18 access the INF Confluence virtual machine. 19 that access is also logged here as the root user. 20 Q. 21 screen? 22 A. 23 as like a DevLAN user, it would say DEVLAN, all caps, slash and 24 then that user's user name, in this case DEVLAN/schuljo. 25 Q. What types of things does the host D The host D file, among other things, shows log-ins and So What is this showing? We know it's that because it says as VMware And its time stamp is 4/18, 3:12 Zulu. So that's We The user name of If he wasn't logged in as root, how would it appear on this As we had in a slide a few slides ago, if he was logged in Do you see there a DEVLAN/Matt? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1023 K2B3SCH5 Leedom - Direct 1 A. Yes. 2 Q. Is that what you're referring to? 3 A. Yes, that is. 4 Q. Let's zoom out. 5 A. This session ended on 4/18, it is the lower session here, 6 at 1:47 p.m. EST. 7 Q. Can you circle on the bottom session the IP address. 8 A. Yes, I can. 9 Q. The IP address ending in 165 relates to what computer? 10 A. This is the defendant's DevLAN workstation. 11 Q. What types of privileges do you need to log in as root? 12 A. Administrative. 13 14 THE COURT: When was this session logged out of? Server administrator privileges. Mr. Laroche, would this be a convenient place to break? 15 MR. LAROCHE: 16 THE COURT: Yes, your Honor. We're going to break now, ladies and 17 gentlemen. 18 anything about the case, don't talk about it, don't do any 19 research. 20 We'll see you tomorrow morning at 9 o'clock. Remember my standard instructions. Keep open minds. Don't read And leave your notebooks here. 21 (Jury excused) 22 (Continued on next page) 23 24 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1024 K2B3SCH5 1 THE COURT: Anything to take up? 2 MR. LAROCHE: Not from the government, your Honor. 3 MS. SHROFF: Your Honor, can I just have a minute? 4 THE COURT: 5 MS. SHROFF: 6 (Pause) 7 MR. ZAS: Yes. Thank you. Your Honor, we just wanted to flag 8 something. We haven't made a final decision, but it might be 9 useful, since this is a lengthy witness, for the Court maybe to 10 give an instruction, just a normal instruction on experts in 11 the middle of, trial. 12 13 14 THE COURT: Rather than to wait until the very end. What would it say? The standard instruction on experts? MR. ZAS: Essentially, yes. We could propose 15 something if that would be easier in writing. 16 something tonight. 17 18 THE COURT: All right. We can give you You gave me request to charge. Is it in the requested charges you've already given me? 19 MR. ZAS: I don't think -- 20 THE COURT: 21 MR. ZAS: I know I have a charge on experts. I don't think we had something specific in 22 our request. But, we can give you something short and 23 uncontroversial I think. 24 MR. LAROCHE: 25 THE COURT: We provided a proposed -- I know somebody did. I don't know whether SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1025 K2B3SCH5 1 it was the government or Mr. Schulte. 2 3 4 5 6 MR. LAROCHE: I know that the government has, your Honor. THE COURT: All right. I'll take a look at it. MR. LAROCHE: No, we think one should be included in the jury charge, your Honor. 8 THE COURT: 9 MR. LAROCHE: THE COURT: No. I mean, they request a charge now. We have no objection, your Honor. All right. Ms. Shroff, I note that today 11 was an open session, and the courtroom is not closed. 12 from Federal Defenders appeared. 13 14 15 16 17 MS. SHROFF: They did. they were turned back so they never came back. THE COURT: In the afternoon I was referring to. Tomorrow morning as well. MS. SHROFF: I didn't inform them, your Honor. out of time to inform them. 19 come, they were not allowed in. 20 sure this is the witness somebody would want to see. 21 disrespect. 23 Nobody They appeared in the morning, 18 22 Do you have any objection to a charge? 7 10 Or maybe both. I ran The other two times they wanted to But frankly, I'm not really No But -- THE COURT: I don't know which ones they'd want to see, but the courtroom will be more open than closed now. 24 MS. SHROFF: But would you want to sit through that? 25 THE COURT: Any time they want to come over, they're SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1026 K2B3SCH5 1 more than welcome. 2 MS. SHROFF: 3 THE COURT: 4 Can they come over for the next witness? No, it's closed. The next witness after that will be open, they're more than welcome. 5 MS. SHROFF: 6 THE COURT: 7 MS. SHROFF: 8 THE COURT: 9 (Adjourned until February 12, 2020, at 9 a.m.) Our objection is to the fact -I know. You've objected all the time. Thank you, your Honor. Thank you. 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1027 1 2 3 INDEX OF EXAMINATION Examination of: Page DAVID 4 Direct By Mr. Denton . . . . . . . . . . . . . 823 5 Cross By Ms. Shroff 6 Redirect By Mr. Denton . . . . . . . . . . . . 899 7 8 PATRICK LEEDOM Direct By Mr. Laroche 9 10 11 . . . . . . . . . . . . . 836 . . . . . . . . . . . . 908 GOVERNMENT EXHIBITS Exhibit No. 1703 Received . . . . . . . . . . . . . . . . . . . 929 12 13 14 15 16 17 18 19 20 21 22 23 24 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300