1028 K2C3SCH1 2 UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK ------------------------------x 3 UNITED STATES OF AMERICA, 4 v. 1 5 JOSHUA ADAM SCHULTE, 6 7 S2 17 Cr. 548 (PAC) Defendant. Trial ------------------------------x New York, N.Y. February 12, 2020 9:15 a.m. 8 9 Before: 10 HON. PAUL A. CROTTY, 11 District Judge -and a jury- 12 13 14 15 16 17 18 19 20 APPEARANCES GEOFFREY S. BERMAN United States Attorney for the Southern District of New York BY: MATTHEW J. LAROCHE SIDHARDHA KAMARAJU DAVID W. DENTON JR. Assistant United States Attorneys SABRINA P. SHROFF JAMES M. BRANDEN Attorneys for Defendant -andDAVID E. PATTON Federal Defenders of New York, Inc. BY: EDWARD S. ZAS Assistant Federal Defender 21 Also Present: 22 23 24 Colleen Geier Morgan Hurst, Paralegal Specialists Achal Fernando-Peiris John Lee, Paralegals Daniel Hartenstine Matthew Mullery, CISOs, Department of Justice 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1029 K2C3SCH1 Leedom - Direct 1 (In open court; jury present) 2 THE COURT: 3 Please be seated. Good morning. Mr. Laroche. 4 MR. LAROCHE: 5 THE COURT: 6 Happy Lincoln's birthday. Thank you, your Honor. Mr. Leedom, I want to remind you, you're still under oath. 7 THE WITNESS: Yes, sir. 8 MR. LAROCHE: Ms. Hurst, can you please bring up 9 10 Government Exhibit 1703 and go to slide 66, please. PATRICK LEEDOM, 11 called as a witness by the Government, 12 having been previously sworn, testified as follows: 13 DIRECT EXAMINATION (Continued) 14 BY MR. LAROCHE: 15 Q. 16 changes on the DevLAN network that occurred on April 16, 2016. 17 A. That's correct. 18 Q. What were some of the changes that were made to Confluence 19 that day? 20 A. 21 were all deleted and replaced with a single key. 22 administrative password was changed. 23 Q. Confluence was running on a server; is that correct? 24 A. That's correct. 25 Q. Was that an ESXi server? Mr. Leedom, yesterday you testified as to some of the On Confluence, the SSH public keys that were on the server SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 And the 1030 K2C3SCH1 Leedom - Direct 1 A. Yes, it was. 2 Q. Who did that server belong to? 3 A. It was OSB's ESXi server. 4 Q. On April 16, 2016, were certain changes made to that server 5 itself? 6 A. Yes, they were. 7 Q. Please summarize those changes. 8 A. On the ESXi server, the administrative password was 9 changed. 10 Q. There is a sub-bullet down at the bottom that says "Schulte 11 SSH key not removed." 12 A. That's correct. 13 Q. What is that meant to convey? 14 A. That the defendant's public key that was on the ESXi server 15 was not removed. 16 SSH after 4/16. 17 Q. 18 administrators do anything to the system? 19 A. To the ESXi server? 20 Q. Let's start with Confluence. 21 Confluence? 22 A. 23 passwords were changed on 4/16, they made a snapshot before 24 making the changes, but they just changed the passwords after 25 that. So he still had access to that server over Prior to making these changes on April 16, did the Did they do anything with The server was migrated on the 25th, but after the SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1031 K2C3SCH1 Leedom - Direct 1 Q. What do you mean they made a snapshot before making the 2 changes? 3 A. 4 passwords, just in case there were any issues that arose from 5 the passwords that they changed or the keys they deleted. 6 Q. 7 used by the defendant on April 15 to log into that server; is 8 that correct? 9 A. That's correct. 10 Q. Let's go to slide 84, please. 11 yesterday, correct? 12 A. Yes, we did. 13 Q. You testified that this is from the auth. log of the ESXi 14 server; is that correct? 15 A. That's correct. 16 Q. Can you show us where the administrative session was 17 started on April 15 by the defendant? 18 A. 19 here. 20 Q. 21 number? 22 A. Yes, there is. 23 Q. What is that up? 24 A. That's the work ID for the defendant's session that will be 25 logged with commands that the defendant ran in the shell log. A snapshot was made before they changed any of the You also testified that the SSH key on the ESXi server was The session started here. We looked at this file And then the session was opened In that number there is a -- in that circle there is a 766 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1032 K2C3SCH1 Leedom - Direct 1 Q. How do you know this was the defendant's administrative 2 session? 3 A. 4 address from the defendant's DevLAN workstation, the Ubuntu 5 virtual machine on his workstation, and we have a fingerprint 6 from his private key which was encrypted. 7 Q. What's a fingerprint from his private key? 8 A. It's just the unique identifier that matches the public key 9 that was on the server, with the private key that he had on his We can tell from two places, primarily. We have the IP 10 virtual machine. 11 Q. 12 talking about some of the activities on April 18, 2016. 13 that correct? 14 A. That's correct. 15 Q. I think you left off talking about certain administrative 16 logins to the server itself by the defendant. 17 A. Yes, that's correct. 18 Q. Does this page reflect such a login? 19 A. Yes, it does. 20 Q. Starting with the top exhibit, what time did the defendant 21 login as an administrator to the ESXi server? 22 A. 23 is right here. 24 Q. Then did he log out of the session at some point that day? 25 A. Yes, he did. Let's go to slide 76, please. You left off yesterday Is Is that correct? He logged in at 11:12:08 in the morning, and the time stamp SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1033 K2C3SCH1 Leedom - Direct 1 Q. When did he log out? 2 A. He logged out at 1:47. 3 Q. As an administrator of the ESXi server, what types of 4 things could the defendant do on the system? 5 A. 6 snapshots, delete snapshots, list snapshots, power machines on 7 and off; things like that. 8 Q. 9 slide yesterday. Primarily, manage the virtual machines, things like create Let's go to the next slide, please. We also looked at this Isn't that correct? 10 A. I believe so, yes. 11 Q. Where is this slide from? 12 A. This is from the ESXi server, it's from the hostd log. 13 Q. What does it reflect? 14 A. This is a login by the defendant using his DevLAN user 15 credentials, so non-administrative credentials. 16 Q. A login to what? 17 A. To the ESXi server through vSphere. 18 Q. So different than the type of login on the previous slide? 19 A. That's correct. 20 Q. Let's go to the next slide, please. 21 Government Exhibit 1209-3. 22 A. 23 space. 24 Q. What does it show? 25 A. It shows a connection over vSphere from the defendant's This slide has Where is this exhibit from? This was from the ESXi server recovered from unallocated It is a fragment of a log file. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1034 K2C3SCH1 Leedom - Direct 1 workstation at about 11:12 a.m. on 4/18. 2 Q. 3 has Government Exhibit 1209-18. 4 A. 5 log file. 6 Q. What's that top slide show? 7 A. This is showing a login from the defendant's workstation as 8 the root administrator user. 9 Q. Let's go to the next slide, please. This slide at the top Where is this log file from? This is also from the ESXi server. This is from the hostd A few slides ago we saw root login at approximately 10 11:12 a.m.; is that correct? 11 A. That's correct. 12 Q. Is this the same login? 13 A. Yes. 14 Q. Were there two logins or one login at 11:12 a.m.? 15 A. There were two logins; one was shortly after the other. 16 Q. Is this the second login? 17 A. Yeah, that's correct. 18 Q. How do you know this is a different login? 19 A. We can match up the login and log out, like time stamps for 20 the sessions, and determine that there were two separate 21 logins. 22 Q. At what time did he log out of this session? 23 A. Is it just me or it's flashing here? 24 Q. Did you lose the screen? 25 A. Yes. It's flashing in and out. Okay. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Maybe it's just me. 1035 K2C3SCH1 Leedom - Direct 1 Now I have nothing. 2 THE COURT: 3 MR. LAROCHE: 4 A. Oh. Do you have a hard copy for him? Yes, your Honor. Let me see if I can move it. 5 THE COURT: 6 A JUROR: 7 THE COURT: 8 A JUROR: Now it's gone completely. Does the jury have the same problem? No. You can see? Yes. 9 Q. Mr. Leedom, we're on slide 79. 10 A. Give me just a second. 11 second. 12 THE DEPUTY CLERK: 13 THE WITNESS: I can draw but there's no -- just a Mr. Leedom, anything? No. 14 A. I've got slide 79. 15 Q. We'll go through the hard copy, that's fine. 16 jurors still have it. 17 A. 18 about. 19 Q. 20 11:12 a.m. as root. 21 A. That's correct. 22 Q. You just testified that there were two logins at 23 11:12 a.m.; is that correct? 24 A. Yes, that's correct. 25 Q. At what time approximately did the defendant log out of Okay. I think the I'll try and explain geographically what I'm talking So, we're on slide 79 and we see another login at Is that correct? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1036 K2C3SCH1 Leedom - Direct 1 this session? 2 A. About 11:43 a.m. 3 Q. Let's go to the next slide, please. 4 This shows Exhibit 1209-3 again. 5 Now we're on slide 80. Where is this exhibit from? 6 A. This is from the ESXi server recovered from unallocated 7 space. 8 Q. Again, what is this showing? 9 A. This is showing a connection from the defendant's 10 workstation to the ESXi server over vSphere and we can see -- 11 Q. For what login does this show? 12 A. I'm sorry. 13 Q. Sure. 14 A. This shows the login at 11:12 a.m. 15 Q. This is a server-side log; is that correct? 16 A. That's correct. 17 Q. On the previous slide, that was also a server-side log; is 18 that correct? 19 A. That's correct. 20 Q. Let's go to slide 81. 21 1202-3. 22 A. 23 downloads folder. 24 Q. What does this exhibit show? 25 A. This shows that a web page was downloaded of a specific Could you repeat the the question? What login does this show? This is showing Government Exhibit Where is this exhibit from? This is from the defendant's DevLAN workstation in his SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1037 K2C3SCH1 Leedom - Direct 1 page on Confluence at -- on April 18, at 2:01 p.m. 2 Q. What page was downloaded by the defendant? 3 A. The page name was the OSB's ESXi server page. 4 Q. Let's go to the next slide, please. 5 that the defendant downloaded, this page? 6 A. Yes, this is part of it. 7 Q. Where is this from? 8 A. This is, this is a picture of, if you open that file, this 9 is what you get. Is this the exhibit 10 Q. If we can zoom in on the infrastructure VMs at the bottom. 11 As of -- before April 16, 2016, what was the root password for 12 the ESXi server? 13 A. Before April 16, the root password was My Sweet Summer. 14 Q. Did that change? 15 A. Yes, it did. 16 Q. When did it change? 17 A. It changed on April 16, when they reset the passwords. 18 Q. Did it remain My Sweet Summer? 19 A. No, it did not. 20 Q. Let's go to the next slide, please. 21 Government Exhibits 1209-21 and 22. 22 from? 23 A. This is from the ESXi server. 24 Q. What is this showing? 25 A. This is showing a login as the root account to the ESXi This is showing Where are these exhibits SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1038 K2C3SCH1 Leedom - Direct 1 server through vSphere. 2 Q. Whose login is it showing? 3 A. It is the root login, so the administrator login. 4 Q. By who? 5 A. From the defendant's workstation. 6 Q. How do you know that? 7 A. We have his IP address, if you look in the top-right-hand 8 corner. 9 Q. At what time did he log in? 10 A. About 7:17 p.m. 11 Q. At what time did he log out? 12 A. About 7:47 p.m. 13 Q. If we go to the next slide, please. 14 come up several times; is that correct? 15 A. That's correct. 16 Q. We just talked about several administrative logins to the 17 server on the last few slides, correct? 18 A. That's correct. 19 Q. Does this slide reflect a different kind of administrative 20 login? 21 A. 22 the server itself. 23 Q. This a session that was given an ID 766; is that right? 24 A. That's correct. 25 Q. Did you see any evidence of the defendant using this Yes. We've seen this slide This slide only shows logins with the password for Or the SSH key to the actual server itself. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1039 K2C3SCH1 Leedom - Direct 1 administrative session on April 18, 2016? 2 A. Yes, I did. 3 Q. Let's go to the next slide and take a look at that. 4 slide has Government Exhibit 1203-43. 5 highlighted text there. 6 A. Yes. 7 Q. First, where is this exhibit from? 8 A. This is from the defendant's DevLAN workstation in his 9 Ubuntu virtual machine recovered from unallocated space. This There is some 10 Q. Let's zoom in on the highlighted section, please. What do 11 these lines show? 12 A. 13 server by the defendant, and we know that from this session ID, 14 the 766 number, on April 18, which we know from the time stamp 15 on the left. 16 Q. 17 server administrative session? 18 A. Yes, over SSH. 19 Q. What are some of the reasons these commands were recorded 20 in the unallocated space of the defendant's computer? 21 A. 22 output to the defendant's screen, that we were able to recover, 23 at some point, he viewed the contents of the shell.log file and 24 we have those here. 25 Q. These lines show commands that were entered on the ESXi Do these reflect commands that were run using the ESXi Since we have a record of the actual text output that was If we can zoom out again. At approximately what time did SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1040 K2C3SCH1 Leedom - Direct 1 the defendant run these commands? 2 A. About 6:08 p.m. 3 Q. So let's go to the next slide. 4 we know it was that defendant's administrative session that was 5 being used. 6 I want to walk through how So let's start with the first point. What is that point meant to convey? 7 A. On April 15, there was a login to the ESXi server which 8 we've seen multiple times from the auth. log file, which used 9 his encrypted private key. 10 KingJosh3000. 11 Q. 12 was 11130766." The password to that key was The second bullet says "Work ID assigned to that session 13 What's the significance of a work ID for that session? 14 A. So, work IDs are assigned to a session when the session is 15 open. 16 IDs, so two users would never have the same work ID. 17 don't change while the session is active, so for the entire 18 time the session is active the work ID will remain the same. 19 And they're saved in that shell.log file, of which a piece we 20 were just currently viewing, to attribute commands to a 21 particular session. 22 commands on the server. 23 Q. 24 shell.log? 25 A. I'll cover a couple in the next points. They're unique They So you can know who was running what You've mentioned shell.log several times. What is Shell.log is a log file on ESXi that keeps command history SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1041 K2C3SCH1 Leedom - Direct 1 for commands that were run on the server. 2 Q. 3 activity? 4 A. Oh, it's extremely important. 5 Q. Why? 6 A. It's one of the few places where you can actually see what 7 commands a certain user was running on a system. 8 Q. 9 never ended." Is that type of log file important to auditing user And the last point says "The work ID session ending in 766 10 A. That's correct. 11 Q. How do you know that? 12 A. We never have a log in the auth. log file that says the 13 session was closed and that the session disconnected. 14 Q. 15 87 which is Government Exhibit 1209-8. 16 from? 17 A. 18 location for the shell.log file called file slack. 19 Q. 20 file slack? 21 A. That's correct. 22 Q. What's file slack? 23 A. So, file slack in most modern file systems, when the 24 computer allocates space for a file, the -- there is a certain 25 minimum amount of space that has to be allocated for that file So let's go to the next slide, please. We're now in slide Where is this exhibit This exhibit is from the ESXi server in a recovered file If we can zoom in on that exhibit, please. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 You said it's 1042 K2C3SCH1 Leedom - Direct 1 to be stored. You'll hear them referred to as blocks or 2 clusters. 3 of change, they get larger and smaller inside that cluster. 4 And when things are deleted from that file, you can go to the 5 cluster where that file was stored, and look after the file is 6 supposed to end, and find additional data in that cluster. 7 A good analogy is if you have like a shoebox with When a file is modified, the parts of the file kind 8 shoes in it. The shoes are like the resident part of the file 9 that you would see if you opened it on your computer, and the 10 file slack would be the space that's the empty space in the box 11 around the shoes. 12 Q. So what did each of the lines on this exhibit show? 13 A. Each of these lines is a different command that was entered 14 on the ESXi server. 15 defendant. 16 Q. How do you know that? 17 A. All of these lines are tagged with the work ID from the 18 session that the defendant initiated. 19 Q. This isn't the actual shell.log, is it? 20 A. It's not the shell.log that appears on the server to this 21 day. 22 Q. Is there a shell.log that appears on the server today? 23 A. Yes, there is. 24 Q. Does that shell.log reflect these entries? 25 A. No, these entries are not in that file. And all of these lines belong to the SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1043 K2C3SCH1 Leedom - Direct 1 Q. Do you have an opinion as to why that is the case? 2 A. Yes, I do. 3 exactly what you guys have blown up. But there is a bit of 4 white space towards the top corner. The last command before 5 that white space is VIshell.log. 6 systems is a, it is a command for a text editor. 7 allow you to edit the contents of a file. 8 telling, seeing it especially as the last entry in this case 9 and not seeing these entries in the original file. If you can look at the, there is, I don't know Now, VI command on most Linux So this would And it's very It is 10 indicative that they were deleted. 11 Q. 12 shell.log? 13 A. No, it's not. 14 Q. Why not? 15 A. It's, like I mentioned before, it's one of the only ways 16 you can attribute commands that a certain user was running on 17 the server. 18 Q. 19 this. 20 the command lines. 21 A. That's correct. 22 Q. When was this command run? 23 A. This command was run at 6:37 p.m. on April 18. 24 Q. By whom was it run? 25 A. By the defendant. Is it standard practice to delete command history from And you would never delete those commands. Let's go to the next slide, please. Let's just zoom in on So, showing you a portion of the last exhibit, one of SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1044 K2C3SCH1 Leedom - Direct 1 Q. Did you see evidence of this command on the defendant's 2 DevLAN computer? 3 A. Yes, we did. 4 Q. Let's go to the next slide and take a look. 5 this slide shows that same command from Government Exhibit 6 1209-8. 7 A. That's correct. 8 Q. At the bottom there is Government Exhibit 1203-44. 9 that? So the top of Is that correct? You see 10 A. Yes, I do. 11 Q. Where is that exhibit from? 12 A. The bottom exhibit is from the defendant's DevLAN 13 workstation from his Ubuntu virtual machine recovered from 14 unallocated space. 15 Q. 16 command run on the OSB ESXi server? 17 A. 18 root@OSB. 19 Q. What command was run? 20 A. This is a file listing command. 21 we've seen before. 22 to show me all the files in this specific folder, the folder is 23 /var/run/log. 24 Q. 25 top of the page that command line? Just focusing on that exhibit. How do you know this is a If you see the front of that bottom exhibit, it says That's how we know it was the OSB server. It's similar to the ones It is essentially just telling the computer Let's go to the next slide. On slide 90. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 You see at the 1045 K2C3SCH1 Leedom - Direct 1 A. Yes, I do. 2 Q. What's the rest of the exhibit showing here? 3 A. This is showing part of the output from that command. 4 Q. Let's go to the next slide, slide 91. 5 have Government Exhibit 1209-8, that command line. 6 bottom exhibit showing? 7 A. 8 command. 9 Q. At what time approximately was that LS command run? 10 A. The command was run in about 6:37 p.m. 11 Q. How do you know that? 12 A. If you look at the third line up from the bottom, you can 13 see the VPXA.log file in the file listing, and just to the left 14 of it there is a time stamp for the last time that file was 15 modified. 16 inside of the log folder on the ESXi server are updated every 17 second, if not faster than that, which updated this modify 18 time. 19 the LS command was run. 20 Q. 21 testified earlier that that was in UTC time; is that correct? 22 A. That's correct. 23 Q. How do you know that? 24 A. When the time stamp's displayed this way in kind of an 25 extended format, the Z is appended to show that it's in UTC Again at the top we What's the This is the completion, so the last couple rows of that LS And as I testified earlier, some of the log files So it gives us a fairly accurate time stamp as to when So, let's focus on the top exhibit for a moment. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 You 1046 K2C3SCH1 Leedom - Direct 1 time. 2 Q. 3 is the 22:37 three lines from the bottom. 4 A. Yes. 5 Q. There's no Z next to that. 6 A. No, it's not. 7 Q. What time zone is that? 8 A. It's in UTC time. 9 Q. How do you know that? 10 A. So the LS command is meant to display things in a 11 convenient and easily readable way. 12 provided here, it just displays like the simple time and it 13 doesn't give, like, the time zone information. 14 files on the ESXi server were -- the time stamps are going to 15 be displayed in UTC. 16 Q. 17 were run on April 18. 18 Again, is this another command line from that shell file slack? 19 A. Yes, it is. 20 Q. Is this the next command that was run after the command we 21 just saw? 22 A. Yes, it is. 23 Q. If we can just focus on that bottom command. 24 LS-AL//VAR. 25 A. Then just look at the bottom exhibit for a second. There Do you see that? With the flag that's been But all the log Let's look at one more example of some of the commands that We can go to the next slide, please. That's correct. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 It's 1047 K2C3SCH1 Leedom - Direct 1 Q. What are the two back slashes there? 2 A. The two -- they're actually forward slashes, but the two 3 forward slashes, it could just be a typo. 4 the files at slash var, you just have to give one slash. 5 Q. 6 command; is that correct? 7 A. Not to my knowledge, no. 8 Q. Did you see evidence of this command being run on the 9 DevLAN land's computer? You would, to list So you wouldn't need to do two forward slashes to run the 10 A. Yes, I did. 11 Q. Let's take a look at that. 12 What is the bottom exhibit showing? 13 A. 14 that we just reviewed two slides ago, and the command 15 immediately following that. 16 Q. At approximately what time was that second command run? 17 A. I don't believe the time stamp's on this slide, but it 18 would be some time after 6:37 p.m., the output of this list 19 command should list the exact time. 20 Q. 21 slashes? 22 A. Yes, it does. 23 Q. Is that the same command that appears in the file slack? 24 A. Yes, it is. 25 Q. Let's go to the next slide. Go to the next slide, slide 93. So the bottom exhibit is showing the end of the command Do you see the bottom slide also has the two forward This slide is titled "Recap, SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1048 K2C3SCH1 Leedom - Direct 1 April 18, 2016." 2 with the top bullet, some of the things that happened on DevLAN 3 that day. 4 A. 5 and 11:12:18 in the morning, the defendant logged in as root to 6 the ESXi server. 7 8 Sure. If you could just walk us through, starting So, at the beginning of April 18, at about 11:12:08 At 11:43 a.m., the defendant logs out as root to one of those sessions. 9 Around 12:59 p.m. the defendant e-mails Anthony 10 stating that "It seems like overnight all my permissions on the 11 servers themselves revoked." 12 13 At 1:47 p.m., the defendant logs out as root to the other session on the ESXi server. 14 15 At 2:01 p.m., the defendant downloads the old ESXi server page from Confluence. 16 17 At 7:17 p.m., the defendant logs in as root to the ESXi server again. 18 Between 6 and 7:44 p.m., the defendant used his 19 administrative session, that's the SSH session from the shell 20 log that we've been viewing for the last few slides, to view 21 various log files on the server. 22 Q. 23 the activities on April 20, 2016. 24 is titled "Overview." 25 Let's go to the next slide. I'd like to talk about some of Go to slide 96. This slide Generally, what is this slide meant to convey? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1049 K2C3SCH1 Leedom - Direct 1 A. This is just a simple overview of the activities that 2 occurred on April 20. 3 Q. 4 bullet reflect? 5 A. 6 privileges on the ESXi server to revert the Confluence virtual 7 machine to a snapshot that was created on April 16, 2016. 8 Q. 9 have had to Confluence? Let's start with the first bullet. What does the first So, at 5:35 p.m., the defendant used administrative In its reverted state, what accesses would the defendant 10 A. All of the administrative accesses, since this snapshot was 11 taken before the passwords were changed. 12 Q. Why is that? 13 A. All the passwords were still in place on the server, 14 because they hadn't been changed or deleted yet. 15 Q. 16 had access to the mount points for the Altabackups? 17 A. Yes. 18 Q. How would he have gotten to the mount points at that point? 19 A. He could have simply navigated to the /mount/Altabackup 20 folder on the server. 21 Q. 22 reflect? 23 A. 24 state for a little over an hour until approximately 6:51 p.m. 25 Q. In Confluence's reverted state, would the defendant have The second bullet, sorry. What does the second bullet So, the Confluence virtual machine remained in the reverted Would that have been enough time for the defendant to copy SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1050 K2C3SCH1 Leedom - Direct 1 a backup of Confluence? 2 A. Yes, it would have. 3 Q. What about a backup copy of Stash? 4 A. Yes, it would have. 5 Q. Let's go to the third bullet. 6 A. At about 5:43 p.m., the March 3, 2016 Confluence backup 7 file was accessed in the Altabackups folder on the NetApp 8 server. 9 Q. What's that meant to convey? How do you know that that file was accessed around that 10 time? 11 A. The access time for the file was updated on the server. 12 Q. What computer actions would update the accessed folder? 13 A. File reads and copies in this case. 14 Q. Do you have an opinion as to what computer action caused 15 the date accessed to update at that time? 16 A. Yes, I do. 17 Q. What is your opinion? 18 A. It was a file copy. 19 Q. By whom? 20 A. By the defendant. 21 Q. What are some of the reasons for that opinion? 22 A. The defendant was in a location that had access to those 23 backups. 24 see all the log files related to things that would tell us how 25 those accesses happened from that server being deleted, as well And then shortly after, we see the file accessed. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 We 1051 K2C3SCH1 Leedom - Direct 1 as all of the -- well, not "all," but many log files from the 2 ESXi server also being deleted. 3 Q. 4 bullet meant to convey? 5 A. 6 duration of that reversion and shortly after, the defendant 7 deleted logs of his activities. 8 Q. 9 please. So let's talk about that for a second. What is the fourth Between about 5:50 and 6:58, so this encompasses the Let's walk through April 20. Let's go to the next slide, This slide has Government Exhibit 1067 which is an 10 e-mail sent on April 20, 2016, at 12:06 p.m. From Mr. Weber to 11 EDG staff. 12 Can you please read the text of that e-mail. 13 A. Yes, I can. "All, on Monday, April 25, at 6 a.m., ISB will 14 be migrating the Bamboo and Confluence servers to new hardware 15 and will need to power them down for a limited amount of time. 16 To ensure no work is lost, please log out of Confluence and 17 Bamboo when you depart on Friday. 18 will cause any issues for you, feel free to contact me." 19 Signed Jeremy Weber. 20 Q. 21 Government Exhibit 1069, an e-mail sent on April 20, 2016, at 22 3:58 p.m. If this maintenance window Let's go to the next slide, slide 98. 23 This slide has Can you please read the first two sentences of this 24 e-mail. 25 A. Yes, I can. "On Monday, 25 April, from 0600 to 1000 hours, SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1052 K2C3SCH1 Leedom - Direct 1 the Atlassian suite (in particular the Bamboo and Confluence 2 servers) will be unavailable due to maintenance. 3 be transferring the data to new servers/hardware to bring the 4 DevLAN Atlassian suite under SED/ISB configuration management 5 in accordance with EDG best practices." 6 Q. 7 Bamboo off the ESXi server that OSB was running have on 8 somebody's ability to use Confluence and Bamboo on that server? 9 A. SED/ISB will Now, what impact would the transfer of Confluence and Well, they wouldn't be on that server anymore. They were 10 migrated to a different server. 11 Q. 12 server, and Confluence and Bamboo were no longer there, could 13 they do anything to those virtual machines anymore? 14 A. No, they would not be able to. 15 Q. Let's go to the next slide, please. 16 Government Exhibit 1202-13. 17 A. Yes. 18 Q. Where is this exhibit from? 19 A. This is from the defendant's DevLAN workstation from a log 20 file that logged chat logs from a protocol chat application 21 called IRC. 22 Q. What is IRC? 23 A. It stands for Internet Relay Chat. 24 chat application where you can talk to users between different 25 computers. If someone had administrative privileges to OSB's ESXi So this slide contains It's just a text based SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1053 K2C3SCH1 Leedom - Direct 1 Q. Where were these chats found? 2 A. These chats were found on the defendant's workstation in a 3 log file that was logging records of the chat messages sent on 4 various channels. 5 Q. Let's look at the top portion of this slide, please. 6 A. Yes. 7 Q. What does this show? 8 A. This shows some administrative type commands being run for 9 the IRC server. The first command AOP, and AOP is like an 10 administrative operator on IRC, so it's just a user that has 11 permissions to modify the channel, set like message of the day, 12 things like that. 13 the people who have those permissions. 14 output from that, showing those users. 15 The list command shows the list of all of And this is just the After the list command, there's an attempt to remove 16 the user Jeremy Weber from the OSB channel operator's list. 17 And then an error from the server saying that the syntax is 18 wrong. 19 to delete someone from that list. 20 Q. Let's go to the bottom part of this slide, please. 21 A. So at the first part of this bottom slide, and we can see 22 it from the end of the top slide, where it gives the correct 23 version of the command. 24 "remove," you need to use the word "DEL" for delete instead. 25 We have a operator for channel OSB delete Weber, so it will Essentially, the word "remove" is not the correct way Essentially instead of the word SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1054 K2C3SCH1 Leedom - Direct 1 delete this user from OSB as an administrator, and then the 2 server says "permission denied." 3 After that -- "permission denied" just means the user 4 who tried to do the delete didn't have permission to make the 5 deletion. 6 himself, give him all the permissions required to perform this 7 deletion action, and you can see that it's successful. 8 now an IRC operator. Global from operator server Schuljo is 9 now an IRC operator. Then we see the user Jeremy Weber is After that, we see the defendant set permissions to You are 10 deleted from four or five different channels. 11 Q. 12 April 20? 13 A. They were about 4:06 p.m. 14 Q. Let's go to the next slide, please. 15 on the previous slide? 16 A. Yes, it is. 17 Q. Let's go to the next slide. 18 1202-12. 19 A. 20 log from IRC from the defendant's DevLAN workstation. 21 Q. What does this show? 22 A. This is showing another channel that the defendant deleted 23 Jeremy Weber from. 24 listing of the access to that channel and a list of the users 25 who have admin access. At what time approximately did these actions occur on Is this just a zoom in This is Government Exhibit Where is this exhibit from? This is from the same place as the last exhibit, it is a The Bamboo channel, specifically, and then SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1055 K2C3SCH1 Leedom - Direct 1 Q. Okay. 2 "April 20, 2016, Recap Before 5 p.m." 3 Let's go to the next slide, please. This is titled Does this just reflect the e-mails and the chat 4 deletions we just viewed? 5 A. Yes, it does. 6 Q. Let's go to the next slide. 7 we're talking about activities between 5 and 5:30 p.m., is that 8 right? 9 A. That's correct. 10 Q. What does this slide summarize? 11 A. At about 5:18 p.m., Rufus's key was accessed. 12 defendant connected a Sandisk USB device to his Ubuntu virtual 13 machine. 14 titled bkup for the Confluence virtual machine. 15 Q. 16 slide, slide 104. 17 this exhibit from? 18 A. 19 specifically the defendant's home folder. 20 Q. What is this file showing? 21 A. This is a private key file for like an SSH public private 22 key pair for a different user on the DevLAN network called 23 Rufus. 24 Q. You see there is an accessed down near the bottom? 25 A. Yes, I do. Still on April 20, 2016, and At 5:19, And at 5:29 p.m. the defendant created a snapshot So let's walk through each of those. We go to the next This is Government Exhibit 1207-1. Where is This is a file on the NetApp server in the home folder, SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1056 K2C3SCH1 Leedom - Direct 1 Q. What does that reflect? 2 A. This reflects the last time that this file was accessed. 3 Q. What types of computer actions will update the accessed? 4 A. Quite a few. 5 to view the properties, if you used this file with an 6 application, things like that would update the accessed time. 7 If you copied the file to somewhere else. 8 Q. Let's go to the next slide. 9 10 You could, if you right clicked on the file MS. SHROFF: Your Honor, may I just have one minute with Mr. Laroche? 11 THE COURT: 12 MR. LAROCHE: 13 (Counsel conferring) 14 MS. SHROFF: 15 MR. LAROCHE: 16 THE COURT: 17 corrections here on the fly. 18 Yes, if Mr. Laroche wants to talk to you. Sure, your Honor. Thank you, your Honor. We're all set, your Honor. We're trying to make some technical MR. LAROCHE: Sure. Understood. 19 A. Are we on slide 105? 20 Q. Yes, we are thank you. 21 1203-54. 22 A. Yes, I do. 23 Q. Where is this exhibit from? 24 A. This exhibit is from the defendant's DevLAN workstation 25 from a log file that comes from that Ubuntu virtual machine This slide has Government Exhibit Do you see that? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1057 K2C3SCH1 1 Leedom - Direct that we've been discussing on his workstation. 2 MR. LAROCHE: If we can just zoom in on the log file, 3 Ms. Hurst. 4 Q. What is this log file showing? 5 A. So this, the VMware log file will show when external 6 devices are connected to virtual machines. 7 is showing that some USB devices were passed through from the 8 host computer to the virtual machine on that computer. 9 Q. In this case, this I think the title of this slide has a Sandisk USB device; 10 is that correct? 11 A. That's correct. 12 Q. Can you point out that Sandisk USB device in this exhibit? 13 A. Yes. 14 name, Sandisk Extreme. 15 Q. You see next to found device there is a T8R2? 16 A. Yes, right above it. 17 Q. What does that mean? 18 A. That's a separate device. 19 devices in total. 20 Tableau, Tableau is a company that makes forensic hardware 21 devices. 22 It's right in the middle. You see USB found device, Then some serial number information. This log is showing three The first device, T8R2, to my knowledge is a It is a write blocker. So I'll explain a write blocker quickly. You use a 23 write blocker when you want to prevent a computer from making 24 changes to external media. 25 into the write blocker and you try to write changes to the USB So, if you plug like a USB drive SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1058 K2C3SCH1 Leedom - Direct 1 drive, it won't let you do that. 2 pure. 3 It keeps it forensically The third entry here you see virtual Bluetooth 4 adapter. That is just a VMware stock Bluetooth adapter. It's 5 not really of consequence in this log for what we're looking 6 at. 7 Q. 8 being on the USB device? 9 A. What significance, if any, is there to a write blocker If the write blocker is connected to the USB, it means data 10 couldn't be written to the USB device. 11 Q. 12 Exhibit 1202-16. 13 A. 14 This is one of those VI client logs, so this is a log related 15 to activities taken in that vSphere application. 16 Q. Where are VI client logs stored? 17 A. They're stored on the client. 18 DevLAN -- the defendant's DevLAN workstation. 19 Q. Are they also stored on the server? 20 A. VI client logs are not stored on the server. 21 Q. What does this log show? 22 A. This log shows, so the way that the vSphere application 23 works, if you click a button on the UI, it makes a request to 24 the server and the server has to send back a response. 25 this case, we're looking at a list of snapshots, so if you Let's go to the next slide. Only read from it. This is showing Government Where is this exhibit from? This exhibit comes from the defendant's DevLAN workstation. So in this case the SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 So in 1059 K2C3SCH1 Leedom - Direct 1 clicked the button on vSphere to show available snapshots or 2 manage snapshots for the Confluence virtual machine, this is 3 the data that server is sending back. 4 clicked, the server sent back that there were two snapshots 5 available for that virtual machine at 5:29 p.m. on April 20. 6 Q. Who ran these commands? 7 A. The defendant. 8 Q. How do you know that? 9 A. This is a VI client log from the defendant's workstation, So, when that button was 10 from his vSphere. So they wouldn't be from, like, another 11 machine or something like that. 12 Q. How many available snapshots were there at 5:29 p.m.? 13 A. Only two snapshots. 14 Q. You see where it says "virtual machine snapshot: 57"? 15 A. Yes, it's in that bottom third of the image. 16 Q. What does the 57 refer to? 17 A. 57 is the machine identifier for the Confluence virtual 18 machine on the ESXi server. 19 Q. 20 1202-17. 21 A. 22 defendant's DevLAN workstation. 23 Q. 24 this log file showing? 25 A. Let's go to the next slide. This has Government Exhibit Where is this exhibit from? This exhibit comes from a VI client log file on the If we can just zoom in on the text there, please. What is So this is showing when a snapshot is created on the SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1060 K2C3SCH1 Leedom - Direct 1 virtual machine through the vSphere application. 2 Q. At what time was a snapshot created? 3 A. At 5:29 p.m. 4 Q. On what day? 5 A. April 20, 2016. 6 Q. What was the title of that snapshot? 7 A. The name of the snapshot was bkup. 8 fourth line of the log, you can see name, bkup, name just in 9 the element. If you look at the 10 Q. Who names the snapshot? 11 A. The user that makes the snapshot names the snapshot. 12 Q. Let's go to the next slide, please. 13 Exhibit 1203-25. 14 A. 15 the Ubuntu virtual machine recovered from unallocated space. 16 Q. 17 showing? 18 A. 19 screen, when from the defendant's administrative SSH session on 20 the ESXi server, at some point, he viewed the contents of one 21 of the server logs on the server that was eventually deleted, 22 and we're just seeing the contents of that server log file 23 here. 24 "initiated lazy snapshot, bkup:3." 25 server-side confirmation that a snapshot was being created. This is Government Where is this exhibit from? This exhibit is from the defendant's DevLAN workstation in If we could zoom in on the text, please. What is it So since we have the activity that was displayed on the Specifically, if you look at the top line, you can see This is just the SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1061 K2C3SCH1 Leedom - Direct 1 Q. You said it reflects a server-side log. Is that correct? 2 A. That's correct. 3 Q. You also referenced that those logs were deleted? 4 A. Yes. 5 Q. Who deleted those logs? 6 A. The defendant deleted the logs. 7 Q. Let's go to the next slide, please. 8 Exhibit 1209-7. 9 A. This is Government Where is this exhibit from? This is from the ESXi server itself, recovered from 10 unallocated space. 11 Q. What is it showing? 12 A. This is showing another, just another server-side 13 confirmation that a snapshot was requested and created by the 14 root user. 15 see user equals root. 16 the snapshot to be created. 17 transitions that the machine has to go through to create the 18 snapshot. 19 machine. 20 bottom in part two, it shows that the snapshot was completed. 21 Q. 22 snapshot titled bkup? 23 A. Administrative permissions. 24 Q. How do you know that? 25 A. If you see, look at the second line about halfway in, you If you see the second line about halfway in, you That just says the root user requested Then it shows some of the state It also shows that this is the Confluence virtual And then at the bottom, I don't know if -- at the What permissions did the defendant use to create the SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1062 K2C3SCH1 Leedom - Direct 1 can see user equals root, and that's how we know it was the 2 root user who made these actions. 3 Q. 4 space of the ESXi server. 5 A. That's correct. 6 Q. Do those logs come from any particular type of file on the 7 ESXi server? 8 A. 9 line, it says "info hostd." You stated that this exhibit comes from the unallocated Yes. Is that correct? We can see about a third of the way in on the first The log file this would have been 10 in is log file called hostd.log. 11 Q. 12 ESXi server? 13 A. No, it does not. 14 Q. Why not? 15 A. It was deleted by the defendant. 16 Q. Let's go to the next slide, please. 17 recap of 5 p.m. to 5:30 p.m., is that correct? 18 A. 19 Does the hostd log file exist on the current state of the We're almost there. This slide just has a Now I just can't draw. Yes, it does. 20 Q. This is slide 110 that you're on; is that correct? 21 A. That's correct, yes. 22 Q. Let's go to the next slide, which is titled "Overview of 23 5:30 p.m. to 6:55 p.m." 24 25 What are some of the things that happened during that time frame? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1063 K2C3SCH1 Leedom - Direct 1 A. During that time frame, the defendant, at 5:35 p.m., 2 reverted the Confluence VM to that 4-16-2016 snapshot. 3 Between 5:35, after that snapshot was reverted, and 4 about 6:51 p.m., Confluence remained reverted in that reverted 5 state for a little over an hour. 6 7 At 6:51 p.m., the defendant reverted back to this bkup snapshot that we saw he just created. 8 9 At 6:51 p.m., we see the defendant listing all of the available snapshots for the Confluence virtual machine. 10 And then at 6:55 p.m., the defendant deletes that bkup 11 snapshot by erasing all the activity on the server for that 12 last hour. 13 Q. 14 slide 112. 15 log? 16 A. Yes, it is. 17 Q. What does this show? 18 A. This is showing the snapshot reversion to the first 19 snapshot, the BK 4-16-2016 snapshot. 20 So let's walk through each of those steps. It has Exhibit 1202-18. MR. LAROCHE: We can go to Is this another VI client If we can just zoom in, Ms. Hurst, on 21 the top three lines, please. 22 Q. How do you know that from the top three lines? 23 A. At the end here, this is the name of the snapshot. 24 then this "show warn" here, the way the -- this server client 25 interact works with vSphere, this likely popped up some kind of SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 And 1064 K2C3SCH1 Leedom - Direct 1 visual warning and the message for that warning was "Confirm: 2 Current state of the virtual machine will be lost unless it has 3 been saved in a snapshot. 4 Q. 5 revert to the snapshot BK 4-16-2016? 6 A. 5:35 p.m. on April 20. 7 Q. Let's go to the next slide, please. 8 this another closer version of the same slide from before? 9 A. Revert to snapshot BK 4-16-2016." If we can zoom out, please. No. At what time did the defendant This is 1202-19. Is This is the reversion about an hour later to the bkup 10 snapshot. 11 Q. So it is a different reversion? 12 A. Yes, it is. 13 Q. What reversion does this show? 14 A. This is showing the reversion to that bkup snapshot, 15 otherwise known as snapshot 3 at the end of that hour period. 16 Q. 17 machine will be lost unless it has been saved in a snapshot." 18 A. Yes, I do. 19 Q. What's that mean? 20 A. The way running a virtual machine works, if you ever go 21 from one saved state to another saved state, you lose all of 22 the current activity that has been occurring on the server 23 since the last snapshot was taken. 24 25 You see at the top it says "Current state of the virtual So, at a high level what happened was the defendant created a snapshot like as things are right now. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 And then so 1065 K2C3SCH1 Leedom - Direct 1 that saves the state of how things were at that point. 2 the bkup snapshot. 3 on 4/16 when accesses were available, and then stayed on that 4 chain for a while, for a little over an hour. 5 reverted everything back to where they were at the beginning, 6 when the bkup snapshot was made. 7 snapshot to show there was like no evidence of that snapshot 8 being made. 9 Q. And then reverted to an earlier time, back And then And then deleted that So, what impact would the reversion back to bkup have on 10 evidence of things that happened during the reversion? 11 A. 12 during the reversion. 13 That's It would erase all evidence of everything that happened (Continued on next page) 14 15 16 17 18 19 20 21 22 23 24 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1066 K2cWsch2 Leedom - Direct 1 BY MR. LAROCHE: 2 Q. And why is that? 3 A. Since there's no -- and it tells you. 4 has been saved in a snapshot. 5 of what happened there, you would have to take an additional 6 snapshot to save that period of activity. 7 didn't happen, there's -- there's -- all that activity's lost. 8 9 MR. LAROCHE: Q. It says unless it If you wanted to save activity But since that Let's go to the next slide, please. This is showing Government Exhibit 1202-20. Is this 10 another VI client log from the defendant's computer? 11 A. Yes, it is. 12 Q. What does this log show? 13 A. So, similar to before when we saw a listing of snapshots, 14 this is when the defendant clicked the button on vSphere that 15 said, like, manage snapshots, and this is the server response 16 just saying: 17 one do you want to work with? 18 Q. 19 were available? 20 A. There's three snapshots. 21 Q. Which snapshot was the snapshot titled "BKUP"? 22 A. It's snapshot 3, which we can see right here. 23 Hey. I've got three snapshots available. Which At this point, at 6:51 p.m. on April 20, how many snapshots MR. LAROCHE: 24 Q. 25 client log? Let's go to the next slide, please. This has Government Exhibit 1202-21. Is this another VI SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1067 K2cWsch2 1 A. Leedom - Direct That's correct. 2 MR. LAROCHE: Let's zoom in on this, please. 3 Q. What is this log showing? 4 A. This is another warning message from vSphere that says: 5 "Confirm delete. 6 snapshot?" 7 3. 8 9 Are you sure you want to delete this And then this snapshot is in reference to snapshot And then at the bottom end of this, we see that the snapshot deletion was completed at 6:55 p.m. 10 Q. And snapshot 3 was the BKUP snapshot, is that correct? 11 A. That's correct. 12 Q. And does this reflect that it was successfully deleted? 13 A. Yes, it does. 14 MR. LAROCHE: OK. Let's go to the next slide, please. 15 Q. And we looked at this slide yesterday, is that correct? 16 A. Yes, we did. 17 Q. And this is from Confluence, is that right? 18 A. Yes. 19 virtual machine. 20 Q. 21 snapshots. 22 A. Yes, it does. 23 Q. Where is the snapshot 3? 24 A. It is not on this list. 25 Q. Why not? This is a configuration file for the Confluence I think you stated yesterday this shows the available Is that right? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1068 K2cWsch2 Leedom - Direct 1 A. 2 tracked in the available snapshot list. 3 It was deleted as a snapshot on the system so it's not MR. LAROCHE: Let's go to the next slide, please. 4 Q. 5 testified about, about some of the things that happened during 6 that time frame, is that correct? 7 A. 8 9 And this slide just has a recap of the things that you That's correct. MR. LAROCHE: Q. Let's go to the next slide. This is titled "April 20, 2016, activities between 5:29 10 p.m. and 7:00 p.m." Now, we just talked about some activities 11 during that time frame, is that correct? 12 A. Yes, we did. 13 Q. Were you able to identify other activities that occurred 14 during that time frame? 15 A. Yes, I was. 16 Q. And how were you able to do that? 17 A. Primarily through the unallocated space from the Ubuntu 18 virt. machine on the defendant's DevLAN workstation that 19 recorded history of his SSH session to the ESXi server on April 20 20. 21 Q. 22 that meant to convey? 23 A. 24 SSH session to run the list command for log files, and the size 25 total of those files was about 28,030. Let's look at the first bullet here, at 5:29 p.m. What is This is saying the defendant's -- the defendant used that SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1069 K2cWsch2 1 Q. 2 Leedom - Direct Let's look at that list command. MR. LAROCHE: Let's go to the next slide, please. 3 Q. 4 this exhibit from? 5 A. 6 machine on the defendant's DevLAN workstation. 7 Q. And what is it showing? 8 A. This is showing a list command with the flags ALTR. 9 Q. And what privileges were used to run this list command? 10 A. This was the root administrative session on the server 11 through the SSH connection. 12 Q. How do you know that? 13 A. We know that from the prompt; we see root@OSB. 14 Q. And where is the defendant listing log files? 15 A. The folder here is quite long. 16 This is showing Government Exhibit 1203-1. And where is This is from the unallocated space in the Ubuntu virtual I'll circle it. This is the main log file location for the ESXi server. 17 This "VMFS/volume/" big number "/log" is the path to that 18 location. 19 Q. And you said main log file location, is that right? 20 A. Correct. 21 Q. What do you mean by that? 22 A. So, by main log files, I just mean the ESXi server logs. 23 The server also keeps log files for individual virtual 24 machines that it operates, but those are going to be stored 25 specific to those virtual machines. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1070 K2cWsch2 1 Leedom - Direct MR. LAROCHE: Let's go to the next slide please. 2 Q. What is this slide showing? 3 A. This is showing a, just a continuation of the output from 4 that LS command. 5 MR. LAROCHE: Let's go to the next slide, please. 6 Q. What is this showing? 7 A. This is showing the end, so at the very bottom, the 8 completion of that LS command. 9 Q. And approximately when was that list command run? 10 A. That list command was run at 5:29 p.m. 11 Q. How do you know that? 12 A. We can see that from the time stamps of the modified times 13 of these files. 14 updated very, very frequently. 15 them are updating -- actually, they're all updating pretty 16 frequently. 17 Q. Do you see at the bottom the bottom row has shell.log? 18 A. Yes, I do. 19 Q. What significance do you take from the 5:29 p.m. attached 20 to the shell.log? 21 A. 22 And we know the shell.log file stores command history 23 information for commands that were entered into the server. 24 this says that, like, the current, most, like, recent entry on 25 that file will be from a command run at 5:29 p.m. And like I said earlier, these files get And you can see that all of That means that the shell.log file was updated at 5:29 p.m. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 So 1071 K2cWsch2 Leedom - Direct 1 Q. 2 command? 3 A. 4 kilobytes or megabytes. 5 512-byte blocks that the files inside it occupy. 6 way that LS kind of gives you a rough file-size estimate of 7 what's in the folder. 8 MR. LAROCHE: 9 And what was the total log files that came from this list It was 28,030. It's the number -- that number's not like It's the count, number of individual It's just a If we can just go back one slide -- or two slides, please. 10 Q. What was the actual command that was run, the LS command? 11 What was it? 12 A. 13 I believe, the first two earlier. Yeah. 14 So, it's LS, and then the flags, which I described, MR. LAROCHE: Sorry. 15 second. 16 Q. LS/ALTR, is that correct? 17 A. That's correct. 18 MR. LAROCHE: LS-ALTR. We'll come back to that in a Let's go to slide 123. 19 Q. Exhibit 1203-2, where is this from? 20 A. This is from unallocated space in the Ubuntu virtual 21 machine on the defendant's DevLAN workstation. 22 Q. What is this showing? 23 A. This is showing an entry for the shell.log file -- well, an 24 entry from the shell.log file from April 20. 25 Q. And do you see the 11130766? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1072 K2cWsch2 Leedom - Direct 1 A. Yes, I do. 2 Q. What is that number? 3 A. This is the identifier that we've been referring to. 4 That's the defendant's SSH session to the ESXi server that was 5 initiated on April 15. 6 Q. At what time does this log file reflect activity being run? 7 A. This time is 5:29 p.m. on April 20. 8 Q. And what command does it reflect being run at 5:29 p.m.? 9 A. The LS-ALTR command. 10 Q. What is the significance of this exhibit to your opinions? 11 A. This shows us that the defendant was on the ESXi server in 12 that same session that he created on 4/15 on April 20. 13 know from the time stamp on the previous slide that this is the 14 command that was entered that updated the modified time of that 15 shell.log file. 16 MR. LAROCHE: And we Let's go to the next slide. 17 Q. And this is the auth.log that you've talked about several 18 times, is that right? 19 A. Yes, it is. 20 Q. And again, can you circle the 766 session that you just 21 referred to? 22 A. Yes, I can. 23 Q. Can you circle the defendant's IP address connected to that 24 session? 25 A. Yes, I can. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1073 K2cWsch2 Leedom - Direct 1 MR. LAROCHE: OK. Let's go to the next slide. 2 And let's go to the next one, 125. 3 Q. 4 p.m." 5 point. 6 A. Yes, I do. 7 Q. What is that meant to convey? 8 A. This is showing the time that that Confluence backup file, 9 both the database file and the home directory, were accessed in 10 This is also titled "activities between 5:29 p.m. and 7:00 And you see at the bottom there there's a bolded bullet Do you see that? Altabackups. 11 MR. LAROCHE: Before we go to that, let's go to the 12 next slide. 13 Q. 14 2016, snapshot." 15 to the system? 16 A. 17 machine to everything it was before they changed the passwords 18 on 4/16. 19 Q. 20 been reset? 21 A. 22 with; the original password to the server. 23 mount point was still there, and it stayed throughout the whole 24 time. 25 as well. This is titled "The defendant's reversion to the April 16, What effect would that have on his accesses It essentially resets the access to the Confluence virtual And so what are some of those privileges that would have All of the SSH keys were still available to be logged in It never got removed. The Altabackup It was still there as of April 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1074 K2cWsch2 Leedom - Direct 1 And, yeah, just essentially the credentials and everything 2 that you would need to access it is what you would have needed 3 on April 16 or before that. 4 Q. 5 machine, could a regular user access the mount point to the 6 backups? 7 A. No, they could not. 8 Q. Why not? 9 A. Because the mount points can only be accessed by an And without administrative access to the Confluence virtual 10 administrative user in a, like, terminal or shell session with 11 the server. 12 view an article wouldn't be able to access those files. 13 Someone browsing to the Confluence web page to MR. LAROCHE: Let's go to the next exhibit, please. 14 Q. Showing you portions of 1207-27 and 1207-30, and I want to 15 focus on the top exhibit. 16 MR. LAROCHE: If we could zoom in on that. 17 Q. Looking at the March 3, 2016, SQL file for Confluence, what 18 is the date-accessed time? 19 A. The date-accessed time is April 20, 2016, at 5:42 p.m. 20 MR. LAROCHE: 21 Q. 22 accessed? 23 A. 24 p.m. 25 Q. If we could go to the bottom exhibit. Same question for the TGZ file; at what time was it The March 3 TGZ file was accessed at 4/20, 2016, at 5:43 And at what time did the defendant revert Confluence to the SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1075 K2cWsch2 Leedom - Direct 1 4/16, 2017, snapshot? 2 A. About seven or so minutes prior, at 5:35 p.m. 3 Q. Now, as part of your review in this case, have you reviewed 4 the Altabackups folder for Confluence? 5 A. Yes, I have. 6 Q. Other than the March 3, 2016, backup file, have you 7 identified any other backup file that had an access time that 8 did not match the date-modified time and date-created time? 9 A. 10 No, I did not. MR. LAROCHE: Let's go to the next slide. 11 Q. I want to talk about some more activities that happened 12 during the reversion. 13 A. Yes, I do. 14 Q. What does that convey? 15 A. This is talking about some more activities that the 16 defendant performed on the ESXi server using that SSH session 17 from the 15th. See the third sub-bullet there? 18 MR. LAROCHE: Let's take a look at that. 19 Let's go to the next slide, please. 20 Q. What is this exhibit from? 21 A. This is from unallocated space from the Ubuntu virtual 22 machine on the defendant's DevLAN workstation. 23 Q. And what command was run by the defendant? 24 A. This is another LS-ALTR command. 25 Q. Is this the same log folder that he listed files before? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1076 K2cWsch2 Leedom - Direct 1 A. Yes, it is. 2 Q. And when he listed files before, what was the total log 3 files, approximately? 4 A. I believe it was 28,000. 5 Q. And what is the total log files from this list command? 6 A. It's 30,000. 7 Q. Were you able to determine at the approximate time this 8 list command was run? 9 A. Yes, I was. 10 MR. LAROCHE: Let's go to the next slide. 11 Q. What is this showing? 12 A. This is showing the end, the bottom of that list command. 13 I'll explain -- 14 THE WITNESS: Can we go back to the previous slide? 15 MR. LAROCHE: Sure. 16 slide. 17 A. 18 those commands. 19 Let's go back to the previous So, the -- I just want to explain the last two flags for We haven't discussed them yet. So, we discussed previously that when you use the list 20 command with the A flag it shows you all the files in the 21 directory. 22 things like time stamps, permissions, things like that. 23 flag sorts those in time order by modified time. 24 flag just reverses that sort. 25 this way, everything at the bottom of that command is going to The L flag shows you details for those files, The T And the R So when you run the command in SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1077 K2cWsch2 Leedom - Direct 1 be the most recently modified files kind of all lumped 2 together. 3 OK. You can go to the next slide. 4 So, this is showing the end of that command with all of the 5 most recently modified files. And we can see from, like, VPXA 6 log specifically, the time stamp that this LS command was run, 7 based on the modified time, is at 5:55 p.m. on April 20. 8 Q. 9 listed on the right, VPXA, syslog, storagerm, RHTTP proxy, host Now, you see that there's a number of log files that are 10 D, hostd-probe, is that correct? 11 A. 12 Yes. MR. LAROCHE: Let's take a look at what happens next 13 on the system, if we can go to the next slide. 14 Q. 15 5:55 p.m., is that correct? 16 A. That's correct. 17 Q. Let's take a look at what happens next. 18 log file from the unallocated space? 19 A. Yes, it is. 20 Q. And is this a continuation of the unallocated space from 21 the previous slide? 22 A. Yes, it is. 23 Q. And how do you know that? 24 A. Well, we can see here, right above -- it's been cropped. 25 So, he had just conducted the list command at approximately Oh, OK. Sorry. Is this another Oh, it's doing it again. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1078 K2cWsch2 Leedom - Direct 1 Q. That's all right. 2 A. Go ahead. 3 Q. Just look at your hard copy. 4 A. Well, what slide is this? 5 Q. It's 132. 6 A. OK. Just a second. 7 OK. Apologies. 8 If you look at the host D probe, what we can see, that that 9 We're fine. file modified time is 5:55 p.m., so the command was run 10 sometime after this. 11 Q. 12 command? 13 A. 14 this RM space vpxa.log. 15 Q. What is the RM command? 16 A. The RM command, in Linux, is essentially the delete 17 command. 18 And what's the next command that was run after the list This command that you can see it on the far right, it's So this just says delete the file named vpxa.log. MR. LAROCHE: Look at the commands immediately after 19 the RM vpxa.log command, if we can go to the next slide. 20 Q. What are the next set of commands run by the defendant? 21 A. These are more file-deletion commands. 22 Q. Can you walk through these? 23 A. Yes, I can. 24 25 Here, we have the first six: RM, RHTTP proxy, host D. RM vmauthd, syslog, storage And then the sixth one is host-probe. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1079 K2cWsch2 1 Leedom - Direct Immediately after host-probe, we get an error from the RM 2 command. 3 not a file in that folder actually called host-probe. 4 likely a typo. 5 If you remember from a slide ago, there's -- there's This is It should be hostd-probe. And then there's three more deletions after for SDRS 6 injector, VMK warning and VM kernel. 7 Q. 8 log files would show? 9 A. Generally speaking, what are some of the things that these So, as we can see, especially from the frequency that these 10 files are updated, these files contain pretty much all the core 11 system logs for the ESXi server. 12 like activities that are happening to virtual machines, whether 13 they're turned on and off; maybe some, like, hardware-level 14 networking information; devices connected to the server. 15 seen a lot of events from the host D log, when we look at 16 log-in events from the vSphere or vCenter services. 17 the bulk of all of the auditing for the ESXi server. 18 Q. 19 reviewing forensic materials? 20 A. Yes, it would be very helpful. 21 Q. Why? 22 A. 'cause it contains a lot of -- well, almost all of the 23 auditing information that we have for what happened on the 24 server. 25 of these log files from places like unallocated space. So this would show you things We've This is Would those types of logs be of assistance to you in And without that, we have to try and recover fragments SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1080 K2cWsch2 Leedom - Direct 1 Q. Do you see on the bottom there's a deletion for 2 vmkernel.log? 3 A. That's correct. 4 MR. LAROCHE: Let's go to the next command that's run. 5 Slide 134. 6 Q. 7 slide? 8 A. Yes, I do. 9 Q. What's the next command that's run? 10 A. Another list command with the same flags we discussed 11 earlier, the ALTR flags. 12 Q. What is the total for this list command? 13 A. The total is 17,413. 14 Q. Is that different from the total from the previous list 15 command? 16 A. Yes. 17 Q. Why? 18 A. Because, as we can see from the previous two commands, a 19 lot of files were deleted from this folder, so when LS is 20 reporting the estimated file size for the folder, it's going to 21 be significantly lower since a lot of files were deleted. 22 Do you see that VM kernel deletion at the top of this It's a little over half as much. MR. LAROCHE: Let's go to the next slide and look at 23 some of the command output for that list. 24 Q. Did this command, list command, complete? 25 A. It did not complete. The portion of unallocated space had, SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1081 K2cWsch2 Leedom - Direct 1 one of the blocks that was contiguous in this piece of space 2 that was recovered had been reassigned to a different part of 3 the operating system or a file. 4 strange characters at the very bottom; it's just showing that 5 part of this command is missing. 6 MR. LAROCHE: So, you can see all the And let's go to the next slide. 7 Q. Is this another portion of the unallocated space? 8 A. Yes. 9 Q. And is this a similar list command to the one we just saw? 10 A. Yeah. 11 that was run shortly after the last command. 12 Q. And does this command complete? 13 A. Yes, it does. 14 It's not the exact same command. MR. LAROCHE: It's a command Let's go to the next slide. 15 Q. And what is this showing? 16 A. This is just showing the end of the output of that list 17 command. 18 Q. 19 created, correct? 20 A. That's correct. 21 Q. Where are the log files that the defendant deleted several 22 slides ago? 23 A. They're not here. 24 Q. Why not? 25 A. They were deleted. So the end of the output shows the most recent logs SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1082 K2cWsch2 Leedom - Direct 1 Q. At what time, approximately, was this list command run? 2 A. About 5:57 p.m. 3 Q. Do you see in the highlighted text the third line from the 4 bottom has hostd-probe? 5 A. Yes. 6 Q. Why is that there? 7 A. That's there because as we saw in the list of deletion 8 commands, the defendant attempted to delete host-probe, where 9 the correct file name was hostd-probe. 10 MR. LAROCHE: Let's go to the next slide, slide 138. 11 Q. 12 reversion? 13 A. Yes, it does. 14 Q. And the bottom bullet, does that reflect the last list 15 command we just saw that you spoke about? 16 A. Yes, it does. 17 Q. Let's look at some additional commands that were run that 18 night. 19 A. Yes, it is. 20 Q. And what is this showing? 21 A. This is showing three more file deletions on the ESXi 22 server. 23 Q. What files were deleted? 24 A. The VPXA.0, VPXA.1 and VPXA.2. 25 Does this slide summarize some of the activities during the Is this another file from unallocated space? MR. LAROCHE: And let's go back to 137 for a moment. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1083 K2cWsch2 Leedom - Direct 1 Q. This is the list command that we just saw that was run at 2 approximately 5:57 p.m. 3 A. That's correct. 4 Q. Are those VPXA logs on this list? 5 A. Yes, they are. 6 MR. LAROCHE: Is that right? Let's go back to slide 139. 7 Q. At approximately what time did the defendant delete these 8 VPXA logs? 9 A. Sometime after 5:57 p.m. 10 Q. How do you know it was after 5:57 p.m.? 11 A. If we look at the top line of this snip here, we can see 12 that the shell.log from that last list command was last edited 13 at 5:57 p.m. 14 MR. LAROCHE: Let's go to the next slide. 15 Q. We talked earlier about VI client logs. Do you remember 16 that? 17 A. Yes, I do. 18 Q. What were some of the things we saw from the VI client logs 19 on April 20? 20 A. 21 deletion, listing of snapshots, log-ins, things like that. 22 Q. And whose VI client logs were they? 23 A. They were the defendant's VI client logs. 24 Q. Now, is this a portion of the VI client logs? 25 A. This here? The VI client logs had snapshot-reversion history, snapshot No, this is not. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1084 K2cWsch2 Leedom - Direct 1 Q. What is this? 2 A. This is from unallocated space from the defendant's virtual 3 machine on his DevLAN workstation, and this specifically is the 4 recovered session from his SSH session from April 15. 5 MR. LAROCHE: Let's take a look at the top of the 6 highlighted text, if we could zoom in on that. 7 Q. 8 on the server, correct? 9 A. That's correct. 10 Q. What does this command reflect? 11 A. So, this is a command that we haven't seen yet, so I'll 12 explain it. 13 You said this was recovered from the administrative session So, this is the find command. It's a command in Linux 14 that's used to search for files. 15 for files by the name of the file. 16 In this case we're searching This little slash here after the find command is just 17 specifying the directory on which you want to search for files, 18 and a single forward slash with nothing after it, in Linux, 19 just says, like, search the root of the file system. 20 like, your Windows machine, you might be familiar with the C 21 drive. 22 drive of a Linux machine. 23 So, on, Slash on a Linux machine is essentially like the C The argument that's given to the name flag is the file name 24 you want to search for, and you're able to use things like 25 wildcards if you may not know the entire name of the file. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 So 1085 K2cWsch2 Leedom - Direct 1 we see VI client dash star, the little asterisk. That star is 2 a wildcard, meaning if you find a file that's called, like, VI 3 client-1 or VI client-2, those would all be captured with that 4 wildcard command. 5 Q. 6 log? 7 A. 8 would be search everywhere on the whole server for things that 9 are called this. And where was the defendant searching for the VI client At the root of the file system. Another way to say that 10 Q. On the server itself, is that correct? 11 A. Yeah, on the ESXi server. 12 Q. What was the output of this command? 13 A. We can see directly below it didn't return any results, so 14 it wasn't able to find any files. 15 Q. Why wouldn't it return any results? 16 A. Well, if it was unable to find any files with that name, it 17 would return no results. 18 Q. And are there VI client logs on the server itself? 19 A. No, there's not client logs on the server. 20 find client logs, especially client logs that are named VI 21 client, on a client machine, like the defendant's workstation. 22 MR. LAROCHE: 23 run. 24 down, please. 25 Q. You'll only Let's look at the next command that's If we could just zoom in on the bottom. What's the next command that's run? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Yup. From there 1086 K2cWsch2 Leedom - Direct 1 A. So, the next command that's run is the same command as 2 before, except instead of searching on the whole file system, 3 we're only going to search in, like, this specific folder for 4 VI client logs. 5 Q. And again, were there any results to this command? 6 A. No, there were not. 7 Q. Why not? 8 A. Because there weren't any VI client logs found in that 9 folder. 10 MR. LAROCHE: 11 I'm sorry. 12 Let's go to the next slide. Let's just go back up one slide for a moment and just zoom in on the bottom few lines there. 13 THE WITNESS: That would slide 140. OK. 14 Q. Just focusing you on the bottom where it has an LS command, 15 do you see that on the bottom on 140? 16 A. Yes, I do. 17 Q. Where is that command being run? 18 A. That command's being run on the ESXi server. 19 Q. And where particularly is the defendant trying to list 20 files? 21 A. Oh, a directory called /var/log/VMware/journal. 22 MR. LAROCHE: 23 Q. 24 exhibit? 25 A. Let's go back to the next slide. Do you see that same list command at the top of this Yes, I do. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1087 K2cWsch2 Leedom - Direct 1 Q. And what's the next command that's run by the defendant? 2 A. This is another find command, searching on slash, which is 3 the root of the server. 4 In this case, if you look at the name flag and then the 5 actual file name that's given, in parentheses, it's exactly the 6 same except for the dash is omitted, so this just says is 7 anything -- look for any files starting with VI client. 8 Q. And what's the next command after that VI client search? 9 A. It's the same command run again. 10 MR. LAROCHE: Let's go to the next slide, please. 11 Q. What is this exhibit showing? 12 A. This is showing another LS ALTR list command. 13 Q. And where was this list command run? 14 A. On the ESXi server. 15 Q. And what is the total from this list command? 16 A. 16,529. 17 Q. And we just looked at a list command several slides ago 18 that had log files in the range of 17,000, is that right? 19 A. That's correct. 20 Q. Why is this list total lower? 21 A. More of those vpxa.0, dot 1, dot 2 files were removed, so 22 this is reflecting that. 23 MR. LAROCHE: Let's go to the next slide. 24 Q. What is this showing? 25 A. This is showing the output from that command, the LS SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1088 K2cWsch2 Leedom - Direct 1 command on the previous slide. 2 Q. 3 this output? 4 A. They're not on the output. 5 Q. Why not? 6 A. Because they were deleted. 7 Q. At what time, approximately, was this list command run? 8 A. About 6:16 p.m. 9 Q. How do you know that? 10 A. If you look at the very bottom, you'll see this dot. 11 discussed it briefly yesterday. 12 Linux, in the folder structure, represents the current 13 directory. 14 is updated when files are added or removed from the directory. 15 So that dot was updated the last time a file was removed, which 16 was when those VPXA 0, 1, 2s were deleted. 17 Q. And what's the next command that's run on this slide? 18 A. So, this is another find command. 19 thing that we're searching for. 20 files of a certain name, this dash-newer flag says look at a 21 specific file and find me all files that are -- that have been 22 modified more recently than that file, so find me newer files 23 than this one. 24 25 And where do those VPXA 0, VPXA 1 and VPXA 2 logs appear on We The dot, like a period, in And the modification time stamp of that directory This is a different Instead of, like, looking for The file that's given to this is this vmksummary.log file, and if you look at the time stamp for the modified time for SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1089 K2cWsch2 Leedom - Direct 1 that log file, you'll see it's UTC 2100 hours, which is 5 p.m. 2 EST. 3 have been modified since 5 p.m. April 20, EST. 4 Q. At what time did the defendant revert the system? 5 A. The system was reverted about 5:35 p.m. So this just says show me all files on the server that 6 MR. LAROCHE: Go to the next slide, please. 7 Q. What is this exhibit showing? 8 A. This is showing another list command and a file deletion 9 after that list command. 10 Q. Let's start with the list command. 11 files from that list command? 12 A. It's 16,529. 13 Q. And at what time was this list command run, approximately? 14 A. About 6:16 p.m. 15 MR. LAROCHE: What is the total log Let's zoom in on the bottom part of this 16 exhibit. 17 Q. 18 defendant did? 19 A. The defendant deleted the hostd-probe log. 20 Q. How do you know that? 21 A. We see an RM, a remove command, for that log file. 22 After the list command was run, what was the next thing the MR. LAROCHE: Let's go to the next slide. 23 Q. Do you see the top highlighted text there? 24 A. Yes, I do. 25 Q. And that shows the removal that you just testified about, SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1090 K2cWsch2 Leedom - Direct 1 is that correct? 2 A. That's correct. 3 Q. What's the next command the defendant runs? 4 A. Another list command, sorted by time. 5 Q. And what's the total now for log files? 6 A. It's a little lower. 7 Q. And why is it lower? 8 A. It's lower because that hostd-probe file was deleted. 9 MR. LAROCHE: 10 It's 15,891. Let's go to the next slide. And the next slide, please, 147. 11 Q. What is this slide meant to convey? 12 A. This is just an overview of what we've been talking about, 13 about the defendant deleting different log files and some of 14 the file-size changes for the directory in which he deleted 15 those logs. 16 Q. 17 been located? 18 A. 19 that main log folder for the server itself, not specific to any 20 of the virtual machines on the server. 21 Q. 22 machines, is that right? 23 A. 24 25 Now, the log files that he's been deleting, where have they So, all of these log files have been on the ESXi server in You talked about different logs being created for virtual That's correct. MR. LAROCHE: Q. Let's go to the next slide. Let's start on the top command here. First, where is this SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1091 K2cWsch2 Leedom - Direct 1 exhibit from? 2 A. 3 virtual machine on the defendant's workstation, the same spot 4 we've been getting all the rest of this activity. 5 Q. 6 vmware.log? 7 A. That's correct. 8 Q. What is that showing? 9 A. This is just showing that a log filed called vmware.log is 10 This exhibit is from the unallocated space from the Ubuntu And at the top there's a root@OSB and at the end an RM being deleted. 11 There's an important thing to note here. If you look just 12 to the left of the RM command, you'll see that our folder has 13 changed, so we're no longer in that main folder for ESXi. 14 We've moved to the folder for his Confluence virtual machine, 15 and inside that folder, that's where logs specific to that VM 16 are stored. 17 Q. What is vmware.log? 18 A. We've seen it previously in the presentation. 19 information related to activities on that virtual machine. 20 think the most recent example was when we looked at that USB 21 device activity from the defendant's virtual machine. 22 the type of thing that's stored in the log file. 23 Q. 24 command he ran? 25 A. It stores I That's After the defendant deleted vmware.log, what's the next A list command that shows the contents of this Confluence SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1092 K2cWsch2 Leedom - Direct 1 folder. 2 Q. 3 defendant? 4 A. 5 down -- well, I take that back. 6 7 We can't date them on this slide specifically. Lower At the last line we can see the date for the time that that deletion happened, which was 6:38 p.m. 8 9 Approximately when were these commands run by the MR. LAROCHE: four lines. So let's focus on that, I guess, last If we could zoom in, please. 10 Q. Is this another list command? 11 A. Yes, it is. 12 Q. And where is he running this list command? 13 A. He's running the list command still inside the Confluence 14 virtual machine folder on the ESXi server. 15 Q. And what's the total? 16 A. So, the total is the estimated, like, approximate file size 17 for all the files in this folder. 18 number's a lot larger than it was in the previous slides for 19 the logs for the ESXi server, and that's because for the 20 Confluence virtual machine, this stores the actual -- the 21 actual machine. 22 memory for the machine. 23 all have to have all of the state for their own snapshot about 24 what happens. 25 log files for the server. You'll notice that the So there's a virtual hard disk here. There's And then there's the snapshots, which Those are quite large. And then, of course, the SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1093 K2cWsch2 1 Leedom - Direct MR. LAROCHE: Let's go to the next slide. 2 Q. Is this showing the output from that LS command? 3 A. Yes, it is. 4 Q. Now, the defendant appeared to run another list command on 5 this slide, is that correct? 6 A. That's correct. 7 Q. Now, what's the total from that list command? 8 A. You'll notice it's -- it starts with 405 instead of the 9 previous total, which was 422, which we can see at the top 10 here. It's been -- it's, you know, significantly reduced in 11 size. 12 Q. What caused the large deletion of files? 13 A. This is when that snapshot 3 was deleted. 14 MR. LAROCHE: Let's take a look at that. Go to the 15 next slide. 16 Q. 17 correct? 18 A. That's correct. 19 Q. Were these the types of VI client logs the defendant was 20 searching for on the server? 21 A. Yes. 22 Q. And remind us. 23 A. This was recovered from the defendant's DevLAN workstation. 24 Q. And what does this log show? 25 A. This is that -- I believe we looked at it earlier. Now, we're back looking at the VI client log, is that Yes, it was. Where was this log recovered from? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 This is 1094 K2cWsch2 Leedom - Direct 1 showing the prompt that the defendant received when he was 2 going to delete that snapshot-3 snapshot, which was the BKUP 3 snapshot, at 6:55 p.m. on April 20. 4 MR. LAROCHE: Let's go to the next slide. 5 Q. Where is this exhibit from? 6 A. This is from the unallocated space from the Ubuntu virtual 7 machine on the defendant's DevLAN workstation showing that 8 administrative session to the ESXi server itself. 9 Q. And what command is run on this screen? 10 A. Another list command. 11 Q. And the total is still at 405, that long number, is that 12 correct? 13 A. Yes. 14 Q. What are some of the things that this list command shows? 15 A. So, this shows all the files in that folder. 16 that the dot file, like we discussed when files are added or 17 removed from the folder gets the time stamps updated -- you'll 18 notice it said 6:55 p.m. 19 snapshot 3. 20 of course, the file size changed, so we know that this is just 21 confirming that that third snapshot was deleted. 22 You'll notice You'll also notice that there's no There's just snapshot 1 and snapshot 2. MR. LAROCHE: 23 Q. 24 bolded bullets there? 25 A. And then, Let's go to the next slide, please. What is this slide meant to convey, just focusing on the Yeah, the first and last bolded bullets are just showing SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1095 K2cWsch2 Leedom - Direct 1 that that snapshot was deleted, and we can just confirm it 2 based on the file size from the list commands that were run. 3 MR. LAROCHE: Let's look at some of the more 4 unallocated space. Can we go to the next slide. 5 Q. What command is run at the top of this slide? 6 A. It's another LS command. 7 the last slide, just showing the full output. 8 Q. At approximately what time was this command run? 9 A. 6:55 p.m. 10 Q. After running this list command, what did the defendant do? 11 A. If you look at the last two lines here -- I'll draw a line; 12 box them off -- he deleted two VMware log files. 13 Q. And where did he delete those from? 14 A. The Confluence virtual machine directory. 15 Q. Now, I think you testified, several slides ago, the 16 defendant had already deleted vmware.log from Confluence, is 17 that right? 18 A. Yes, he did. 19 Q. Why did he do it again? 20 A. Well, if you look at the file output, there's another 21 VMware log file there. 22 Q. Why was there a regenerated vmware.log? 23 A. So, you'll see all these in other cases too -- 24 specifically, we'll look at the VMware logs. 25 they're labeled, like, five, six, seven, eight, nine? I think it's the same one from SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 You see how That's a 1096 K2cWsch2 Leedom - Direct 1 feature of -- most Linux servers have something that's called 2 log rotation. 3 on the service that's performing it, but in this case, for the 4 VMware log specifically, the VMware log is rotated out and 5 archived as one of these numbered versions and then the 6 original, like, non-numbered version is there with the most 7 recent stuff. 8 power state is changed, and when you revert to a snapshot, it 9 affects the power state of the virtual machine and causes this 10 log-rotation event to happen, which regenerates, in this case, 11 the vmware.log file. 12 Q. 13 and vmware.log on this slide. 14 A. 15 Now, what causes log rotation is different based It's rotated out any time a virtual machine If you could just circle the time stamps for the vmware-9 Try again. I think that's the best I can do. 16 Q. And what are those approximate time stamps? 17 A. That's the last time that log file is modified. 18 6:51 and one's at 6:38. 19 Q. And are those the two log files the defendant deleted? 20 A. That's correct. 21 Q. If you go above vmware-9 log. 22 above that? 23 A. Yes. 24 Q. And so that's not even on April 20, is that correct? 25 A. No. One's at And just the next time stamp This is the April 16 time stamp. It's from before. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1097 K2cWsch2 1 Leedom - Direct MR. LAROCHE: Understood. Let's go to the next slide, 2 please. 3 Q. 4 vmware.log? 5 A. That's correct. 6 Q. What's the next command that's run? 7 A. It's another list command. 8 Q. And is that total different than from the previous slide? 9 A. Yes, it is. 10 Q. Is it lower? 11 A. Yeah, it's lower. 12 Q. Why? 13 A. Because the vmware.log and vmware-9 log were deleted. 14 At the top of this slide, you see the deletion for MR. LAROCHE: Let's go to the next slide. 15 Q. And is this just a summary of some of the things that you 16 just testified about? 17 A. Yes, I did. 18 Q. Let's keep going through the unallocated space. 19 of this, there's the removal for the hostd-probe.log. 20 remember testifying to that earlier? 21 A. Yes, I do. 22 Q. Did the defendant run a list command after that? 23 A. Yes, he did. 24 Q. And what was the total there? 25 A. 15,891. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 At the top Do you 1098 K2cWsch2 Leedom - Direct 1 Q. And approximately when did he run that list command? 2 A. At 6:58 p.m. 3 next slide. 4 Q. Let's take a look at the next slide. 5 A. You can see that here. 6 Q. And where was this list command run? 7 A. So, we're back in the log folder for the ESXi server, so 8 not the Confluence virtual machine. 9 Q. And do you see the next log there? 10 A. The vmware.log here? 11 Q. Yes. 12 A. Yes. 13 Q. What's the next command the defendant ran? 14 A. He deletes the vmware.log file for the ESXi server. 15 Q. Is this a different VMware log than what the defendant 16 deleted earlier that night? 17 A. 18 The time stamp for the file's probably on the Yes, it is. Each virtual machine will have their own file called 19 vmware.log. This is essentially, like, the master VMware for 20 the whole server. 21 Q. 22 next command he ran? 23 A. 24 shell.log. 25 Q. After the defendant deleted the vmware.log, what is the He ran another find command to look for files newer than And again, what does shell.log show? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1099 K2cWsch2 Leedom - Direct 1 A. Shell.log shows commands that were entered into the ESXi 2 server. 3 Q. 4 deleted? 5 A. Yes, I did. 6 Q. What did you see? 7 A. The activity from April 20 was deleted and all the activity 8 from the 18th was deleted. Did you see evidence that part of the shell.log were 9 MR. LAROCHE: Let's go to the next slide, please. 10 Q. The title of this slide is "Badge records." What's the 11 first bullet conveying there? 12 A. 13 file that we just looked at was deleted, at 6:58 p.m. 14 Q. 15 that? 16 A. Yes, I do. 17 Q. What's that from? 18 A. This is an entry from the badge records from the CCI 19 office. 20 Q. And what do those badge records reflect? 21 A. They show when employee's badged into the building and left 22 the building through the turnstiles or one of the, like, guard 23 gates. 24 the day. 25 the alarm system, and then similarly, when you would arm the This is just the last time that VMware folder -- I'm sorry, Now, there's an excerpt at the bottom there. Do you see And it also shows when employees unlocked vaults for So, you have to go in and put your PIN in and disarm SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1100 K2cWsch2 Leedom - Direct 1 alarm system and lock the vault at the end of the day. 2 Q. At what point would you lock the vault? 3 A. You'd lock the vault when you're the last employee to leave 4 that vault for the day. 5 MR. LAROCHE: Let's take a look, if we can zoom in on 6 this portion of the badge records. 7 Q. Who is this a badge record for? 8 A. This is a badge record for the defendant. 9 Q. And what does it show? 10 A. This shows that -- this is a close action, meaning the 11 system was armed and that the PIN and, like, password to 12 perform the arming action was accepted. 13 terms, this says that the defendant closed the vault on April 14 20 at 7:07 p.m. 15 MR. LAROCHE: 16 OK. So this, in layman's Let's zoom out again. Let's go to the next slide. 17 Q. 18 like to review some of those with you. 19 things that happened before the defendant reverted Confluence? 20 A. 21 employee, his project key, which was in defendant's home folder 22 on the file server, was accessed. 23 We've talked about a lot of activities on April 20. I'd What are some of the So, before Confluence was reverted, at 5:18, Rufus, another A minute after that the defendant connected a San Disk USB 24 to his Ubuntu VM on his workstation. And at 5:29 p.m., the 25 defendant created a new snapshot for Confluence titled "BKUP." SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1101 K2cWsch2 1 Leedom - Direct MR. LAROCHE: Now let's go to the next slide. 2 Q. 3 7:00 p.m.? 4 A. 5 back to that 4/16 snapshot. 6 7 What are some of the things that happened between 5:30 and At 5:35 p.m., the defendant reverted the Confluence server From 5:35 to 6:51, the Confluence VM remained reverted, so that's a little over an hour. 8 Between 5:42 and '43, that backup was the Confluence SQL 9 file and the TAR.GZ file, were accessed from the Altabackup. 10 And from 5:55 to 6:58, the defendant also deleted various 11 log files from the ESXi server and the Confluence log folder. 12 Q. 13 that happened on April 20? 14 A. 15 reverted back to that BKUP snapshot that he made. 16 deleted that BKUP snapshot, which erases all the activity of 17 what happened on the machine. 18 Lost my screen again. 19 OK. 20 At 6:58, he deleted the vmware.log from the ESXi server log 21 And finally, slide 161. What are some of the other things So, towards the end of that hour period, the defendant He then And then he deleted the -- Just a second. It's back. folder, and then he locked and left the vault. 22 MR. LAROCHE: Let's go to slide 162. 23 Q. Now, you talked about various logs that were deleted by the 24 defendant on April 20, 2016? 25 A. Yes, I did. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1102 K2cWsch2 Leedom - Direct 1 Q. Now, the first bullet says "from the ESXi server folder," 2 is that correct? 3 A. That's correct. 4 Q. Does that list out those various log files that were 5 deleted? 6 A. Yes, it does. 7 Q. And then down at the bottom there's a bullet, "from the 8 Confluence folder," is that right? 9 A. That's correct. 10 Q. Does that list the various files the defendant deleted from 11 the Confluence folder? 12 A. Yes, it does. 13 Q. Let's talk about some of those log files. 14 things would the VMware log show? 15 A. 16 virtual machines on the server, so if there were power-state 17 changes made to the VMs, like turned on or off or things 18 connected to them, that would be in the VMware log. 19 Q. What about VM kernel? 20 A. The kernel log shows, like, low-level information for the 21 server, like device discovery, storage information, networking 22 and driver information. 23 when virtual machines start and stop. 24 Q. What does device discovery mean? 25 A. So, device discovery, if you remember from the log file What types of So, the VMware log shows logs related to the operation of It also shows some information for SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1103 K2cWsch2 Leedom - Direct 1 that we were looking at, that showed the USB plugged in, that's 2 essentially like a device discovery. 3 Q. Are those external devices; is that the type of thing? 4 A. Typically, yes. 5 Q. What about host D? 6 A. Host D is -- it's a service log, showing communication 7 between that vSphere server and the VI client server, so this 8 shows when clients are logging in and out of the vSphere 9 application. 10 Q. And Syslog? 11 A. Syslog has more service logs, so these are, like, changes 12 that are made to the server. 13 MR. LAROCHE: Let's go to the next slide. 14 Q. What about storagerm logs; what would those show? 15 A. The storagerm logs are just data-storage logs, so things 16 happening to the data storer's storage information server, 17 things like that. 18 Q. What about the next bullet? 19 A. The RHTTP proxy shows there's -- sorry. 20 for a second. 21 My screen went out It shows if there's any HTTP, which is essentially, like, 22 web-traffic, connections that are proxied on behalf of other 23 services. 24 just to say -- it's just some logging information about how the 25 web service is running. This is kind of, like, lower-level network jargon SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1104 K2cWsch2 Leedom - Direct 1 Q. And VPXA, what would those logs show? 2 A. VPXA has vCenter-specific logs. 3 MR. LAROCHE: And let's go to the next slide. 4 Q. What about the first bullet; what would those logs show? 5 A. The SDRS injector logs are more data storage-related logs. 6 Q. And hostd-probe? 7 A. That's more most host management logs. 8 like, a heartbeat kind of responsiveness checker, so it just 9 kind of makes sure the service is up. This one's more of, 10 Q. And VMK warning? 11 A. The warning log shows, like, alert messages and warnings 12 for the server. 13 MR. LAROCHE: And let's go to the next slide. 14 Q. 15 deleted. 16 A. Sure. 17 Q. What types of things would that log show? 18 A. So, as we discussed several times previously, pretty much 19 anything that happens to the virtual machine itself gets stored 20 in the VMware log file. 21 snapshots are made; some, like, data-transfer information 22 sometimes, based on how that was done; things connected to the 23 VM. 24 25 Let's talk about VMware for the Confluence folder that was MR. LAROCHE: Q. So, when it gets turned on and off; Let's go to the next slide. Now, earlier you testified that the defendant connected a SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1105 K2cWsch2 Leedom - Direct 1 San Disk USB device on April 20, 2016, at around 5:19 p.m., is 2 that correct? 3 A. Yes. 4 Q. Sure. 5 A. 167? 6 Q. Yes. 7 A. OK. 8 Q. And this is the San Disk device that was connected on April 9 20, is that correct? Give me a second. I've got to -- We're on slide 167. 167? I'm here. 10 A. Yes, it is. 11 Q. And was that before the reversion? 12 A. April 20? 13 Q. Yes. 14 A. It was connected right before, a few -- like, ten minutes 15 before. 16 Q. Right. 17 A. Yes, I have. 18 Q. What, if anything, does that image of that USB device show? 19 A. It shows that it was formatted on April 21. 20 Have you reviewed an image of that USB device? (Continued on next page) 21 22 23 24 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1106 K2C3SCH3 Leedom - Direct 1 Q. 2 think from this image; is that correct? 3 A. That's correct. 4 Q. Can we just zoom in on that. 5 formatted? 6 A. 7 erasing data on the disc to use it with something else. 8 a Windows machine, you plug a flash drive in and you right 9 click on it in Windows Explorer and you can click "format." Let's go to the next slide, please. There is an excerpt I What does to mean to be So, formatted can be simply, you're essentially like So, on It 10 just changes up and updates the file system on the disc. 11 Q. At what time was this formatted? 12 A. So, this device was formatted on April 21, 2016, at about 13 11:46 a.m. 14 15 MR. LAROCHE: Your Honor, this would be a good time to break if we can. 16 THE COURT: 17 (Jury excused) 18 (Continued on next page) We'll take our morning recess. 19 20 21 22 23 24 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1107 K2C3SCH3 1 Leedom - Direct MR. ZAS: Your Honor, can I make a request. Can we 2 get an extra 10 minute on this break. 3 to talk to Mr. Schulte about some of this testimony yesterday, 4 so we'd like to spend a few minutes in pens just before we 5 resume. 6 THE COURT: 7 MR. ZAS: 8 (Recess) 9 (Continued on next page) We didn't get a chance All right. Thank you, sir. 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1108 K2C3SCH3 Leedom - Direct 1 (In open court; jury present) 2 THE COURT: 3 MR. LAROCHE: 4 All right, Mr. Laroche. Thank you, your Honor. Ms. Hurst, if we could briefly go back to slide 26, please. 5 THE COURT: 6 MR. LAROCHE: 7 BY MR. LAROCHE: 8 Q. 9 correct? What slide? 26. We've obviously seen this slide several times; is that 10 A. That's correct. 11 Q. I just want to ask you a question about the tgz files. 12 A. Sure. 13 Q. Is that a type of zip file? 14 A. Yes, it is. 15 Q. Just generally, what does that mean? 16 A. So, tgz stands for a G zip tarball file. 17 of zip compression, and a tarball is way to represent like 18 multiple files as one file. 19 saw it when -- excuse me. 20 backup script. 21 directory into a single file. 22 Q. 23 larger when unzipped? 24 A. Yes, it would. 25 Q. Let's look at the next slide, 27. A G zip is a type It's a command that you run. We We saw it when we went over the It essentially like zips up the whole home So the Confluence tgz file, fair to say Confluence would be Is this reflecting Stash SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1109 K2C3SCH3 Leedom - Direct 1 backups? 2 A. That's correct. 3 Q. We talked about this yesterday a little bit. 4 A. Yes. 5 Q. How big approximately is the tgz or tar file for a Stash 6 backup? 7 A. The zipped backup is over 200 gigabytes. 8 Q. As an unzipped file, approximately how large would that be? 9 A. It's bigger. It's quite large. I don't remember exactly how large. It's 10 been a while since I've unzipped one, but less than 500 gigs. 11 Q. 12 to switch gears a little bit to talk about the tool Brutal 13 Kangaroo. Thank you. 14 Let's go back up to slide 169, please. I want So let's go to the next slide. You remember yesterday we saw some of these audit log 15 files for Brutal Kangaroo? Do you recall that? 16 A. Yes, I do. 17 Q. Are these the same types of audit log files? 18 A. Yes, they are. 19 Q. So let's just walk through these. 20 showing? 21 A. 22 event for project admin. 23 myself. 24 Q. 25 Kangaroo? What is the top file This is showing a permission, project permission granted I'm sorry. I'm drawing all over For the defendant from Dave. So Dave was giving the defendant admin access to Brutal SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1110 K2C3SCH3 Leedom - Direct 1 A. Yes. 2 Q. When approximately did that happen? 3 A. This was at about 1:03 p.m. on May 26. 4 Q. What about the bottom log file, what does that show? 5 A. So, at 1:33 p.m., the defendant modified and removed 6 permissions for the user Christopher from Brutal Kangaroo. 7 Q. 1:33 p.m. on the same day? 8 A. That's correct. 9 Q. Let's go to the next slide, please. Is this another audit 10 log file? 11 A. Yes, it is. 12 Q. What does this reflect? 13 A. So this is showing that the defendant, and this is his IP 14 address, is making an update to the status of different 15 branches of the Brutal Kangaroo project. 16 Brutal Kangaroo project had two branches, a develop branch and 17 a master branch. 18 Specifically, this I'll explain that briefly. So in computer programming, like, software development 19 in a team of people, you'll have -- there's different ways you 20 can go about doing it, different kind of industry standard 21 practices. 22 you'll have two different branches of code. So you'll have two 23 different places where your code will live. You'll have the 24 master branch, where you only push like working solid versions, 25 so that's your version 1.2, your 1.3, version 2.0 software. But in the case we're going to talk about here, SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1111 K2C3SCH3 Leedom - Direct 1 And you'll have another branch where you do development in the 2 meantime. 3 The reason you do that is so that no one pushes code 4 to the master branch that could potentially break what users 5 down the line are using. 6 In previous testimony, we've heard the, like, follow 7 the pull request model. That's how you would push code into 8 these branches, and it gets usually peer reviewed to make sure 9 that those kind of changes wouldn't happen. 10 Q. So what is this log file showing? 11 A. This is showing these two branches are having their status 12 updated to read only from like a read write state. 13 meaning that the project's kind of frozen so no one can 14 contribute to it. 15 Q. 16 relating to Brutal Kangaroo? 17 A. Yes, it is. 18 Q. What does this activity show? 19 A. This is showing the defendant from his IP address removing 20 permissions, specifically write permissions from a specific 21 group, and that group is the sg-OSB group. 22 Q. 23 correct? 24 A. Yeah, the permissions being removed. 25 Q. Did you see any audit logs reflecting the defendant giving Let's go to the next slide, please. Just Is this more log files So this is showing a removal of permissions; is that SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1112 K2C3SCH3 Leedom - Direct 1 anyone else access to Brutal Kangaroo? 2 A. Giving access? 3 Q. Did you see any evidence of him giving access back? 4 A. I don't believe so. 5 Q. Let's go to the next slide. 6 testimony is about the leak itself. 7 A. That's correct. 8 Q. You stated earlier as part of your investigation you 9 reviewed the Vault 7 and Vault 8 disclosures by WikiLeaks; is No, he removed access for these projects. The last part of your 10 that right? 11 A. Yes, I have. 12 Q. I want to focus on March 7, 2017. 13 have an understanding about where that information came from on 14 DevLAN network? 15 A. Yes, I do. 16 Q. How do you know that? 17 A. I've reviewed both the content of the leak and content from 18 backups on the DevLAN network. 19 Q. Where did that content come from? 20 A. It came from Confluence. 21 Q. How much of Confluence, approximately, was disclosed on 22 March 7, 2017? 23 A. All of the page contents and attachments, things like that. 24 Q. Let's go to the next slide, please. 25 investigation in this case, have you identified potential ways That disclosure. Do you Based on your SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1113 K2C3SCH3 Leedom - Direct 1 in which an individual could obtain all of Confluence from 2 DevLAN? 3 A. Yes, I have. 4 Q. What are some of those ways? 5 A. So there's three main ways that you can go about taking 6 data from Confluence if you wanted to walk out with it. 7 The first is what we call a web scrape. The second 8 would be taking the whole Confluence virtual machine from the 9 server. And the third would be to take the backup files from 10 Altabackup. 11 Q. 12 web scrape of Confluence? 13 A. 14 scraping a website can mean anything from like taking the 15 screenshot of it to making a, like, lower-level request, like 16 from the command line to retrieve like the source of the page. 17 Let's walk through each of those. What do you mean by a So, in computer science and computer security terms, And what we mean by this method would be someone would 18 over time, either by manually going to every single page, they 19 would take a screenshot, or Confluence actually has a page 20 export function where you could make like a PDF of the page. 21 Either doing that for every single page on the whole server or 22 writing a script to automate that process. 23 Q. 24 of all of Confluence on DevLAN? 25 A. What privileges would you have needed to take a web scrape So, for all of Confluence, you would have needed some level SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1114 K2C3SCH3 Leedom - Direct 1 of administrative privileges, because you're doing this from, 2 like, your user session through the web browser. 3 pages are restricted to certain users. 4 to view all the pages, unless you had all those permissions. 5 Q. How long approximately would this method have taken? 6 A. It's going to vary wildly, depending on what type of 7 method's used. 8 like one at a time, making PDFs, this would be a significant 9 amount of time, because there's thousands of pages. 10 And certain So you wouldn't be able If you are going through every single page, If you write a script to do the process, it could be 11 completed in any number of days, it just depends on how fast 12 you make requests to the server and how fast it can respond. 13 Q. 14 of Confluence was taken? 15 A. No, it's not. 16 Q. What are some of the reasons for that opinion? 17 A. Primarily, and we'll see towards the end of this 18 presentation, there's content that was posted on WikiLeaks that 19 appears like on the page that would never appear on the pages 20 as it was displayed to a user on DevLAN. 21 Q. 22 machine. 23 A. 24 directly off of the ESXi server, you can make an export of the 25 Confluence virtual machine. Is it your opinion that a web scrape was the way that all Let's talk about the second method, copying a virtual Yes, through vSphere, or conversely by copying files So, you basically, you log into SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1115 K2C3SCH3 Leedom - Direct 1 vSphere and you click on the Confluence VM, you right click on 2 it and there's an option that's called something that's usually 3 like export to OVA or OVH. 4 their appliance export file. 5 Those are just VMware's name for The problem with this is you have to turn the machine 6 off and stop it before you can make this kind of an export. 7 So, for that reason, primarily, and for some other reasons 8 we'll discuss later about page content that was disclosed, I 9 don't think it was taken from the virtual machine like that. 10 Q. And approximately how large is the Confluence virtual 11 machine? 12 A. I believe it's about 200 gigabytes. 13 Q. Is that larger than the backup files? 14 A. Significantly. 15 Q. How large was the Confluence backup file approximately? 16 A. I believe the database was about 400 megs, and I think the 17 home folder was maybe like two and a half gigabyte, something 18 like that. 19 Q. 20 the Confluence backup files. 21 A. Yes. 22 Q. How would someone do that? 23 A. So the Confluence back up files were in two places. 24 were on the Confluence server itself in this dot, hidden dot 25 backup folder, and they were also on the file share on the Let's talk about the third method on the screen. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Copying They 1116 K2C3SCH3 Leedom - Direct 1 NetApp in the Altabackups folder. 2 Q. How would someone copy it from those folders? 3 A. You would need a location that had the Altabackup server 4 mounted, or it would be inside in this case for Confluence, 5 inside the Confluence server itself, to copy off of those 6 backup files. 7 Q. 8 folders, the SQL file and the tarball file? 9 A. That's correct. 10 Q. Would you need both of those files? 11 A. Yes, would you need. 12 Q. Why? 13 A. So, as we'll see later on, there's content -- the SQL 14 database contains a lot of the page content information for the 15 Confluence service. 16 things like all the attachments for the pages, server 17 configuration, information, things like that. 18 Q. 19 files was the way that all of Confluence was stolen from 20 DevLAN? 21 A. Yes, it is. 22 Q. What are some of the reasons for that opinion? 23 A. Namely, they mostly pertain to elements that we can see in 24 the pages on WikiLeaks, and some of the issues that were 25 surrounding the SQL database backup file itself. You mentioned two files that were in the Altabackup But, the home folder zipped file has Is it your opinion that taking these Confluence backup SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1117 K2C3SCH3 Leedom - Direct 1 Q. Let's talk about that for a second. Issues with the SQL 2 backup file? 3 A. Yes. 4 Q. Can we go to the next slide. 5 Scripts." 6 A. 7 list of commands for the computer to run. 8 is a file that's just used to back up data from the Confluence 9 server. This is titled "Backup Remind us what is a backup script. So a script on Linux is essentially plain text file with a So a backup script These scripts were set up in a fashion on the computer 10 that they would run daily. I believe it was at like 6:25 a.m. 11 every day, the script would run, and would back up the files 12 and push them off to Altabackup. 13 Q. 14 the next slide. 15 A. 16 creating that zipped up home folder and doing the export from 17 the database. 18 Q. Where was it located? 19 A. This is on the Confluence server itself. 20 Q. Generally, what did this script do? 21 A. This script takes a few arguments and navigates to the 22 place where Confluence stores its data. 23 backup file with the date and the name of the service, in this 24 case Confluence, and it zips up -- I can circle it here. 25 uses the tar command to create a zip file for the whole home So let's take a look at one of those scripts. We can go to What is this? This is the shell script that does the heavy lifting of And then it names the SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 It 1118 K2C3SCH3 Leedom - Direct 1 folder for the Confluence service. And then it makes a dump of 2 the SQL database, the MySql database that's storing the rest of 3 the information for the service. 4 Q. Was there an error in this script? 5 A. There was. 6 Q. Let's go to the next slide, please. 7 A. So it has to do with the MySql dump command. 8 look at one of the SQL backups from the Confluence folder on 9 Altabackup, you'll notice in the middle of one of the tables -- What was the error? If you take a 10 so databases are organized into tables and rows inside those 11 tables. 12 stops halfway through, and there's nothing else after it. 13 reason that happens is there's what we call a character and 14 coding error. 15 a way that the computer translates -- like, if you see, like, 16 if you type the letter A on the screen, the way it translates 17 that letter into binary that the computer can read, there's 18 various different ways it can do that. 19 the data in the database synced up to be storing that data in 20 the same way as, for example, like how you're viewing the 21 system when you're using it, when you do exports such as this 22 and you don't set it to a specific encoding, you can run into 23 certain errors. 24 25 So, one of the tables, you'll notice it kind of just The Character and coding in computer systems is just And if you don't have And that's just a long way of saying that these backup files all had this error, which meant that about, you know, SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1119 K2C3SCH3 Leedom - Direct 1 three-quarters of the way through the process of backing up the 2 database, it hit this error and then stopped. 3 after that point were not included in the backup. 4 saved the backup up to that point. 5 Q. What types of tables were missing? 6 A. The tables that were missing were actually very important 7 tables. 8 names for different users that were in Confluence to internal 9 database values, which are essentially these long strings of And any tables But it still They have to do with the user mapping info for user 10 user identifier numbers. So, any, like, it's the main way you 11 would attribute certain users to certain pages and comments, 12 things like that. 13 Q. 14 Confluence Pages from the Altabackup Files." 15 talk about that process for a moment. Let's go to the next slide. 16 This is titled "Building So I'd like to What types of things would you have to do to 17 reconstruct the Confluence Altabackup files? 18 A. 19 they like landed on your desk, the first thing you'd do is 20 you'd look and see what the file name is. 21 were named, they had the word "Confluence" in the name. 22 quick Google search of that, you could see it was an Atlassian 23 product. 24 instructions on how to restore from backups. 25 would see that these appear to be like the backup files you Sure. So if you got, if you got these two backup files and So, the backup files They actually offer like a free trial. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 So a And they have Reading that, you 1120 K2C3SCH3 Leedom - Direct 1 would need to restore it. And if you put them in and go 2 through the restore process, through like the recommended 3 method from Atlassian, it would fail. 4 database is incomplete. 5 everything. 6 Q. What do you mean by fail? 7 A. It would -- you would try to restore from the backup, and 8 it would -- it just wouldn't work. 9 Q. And that's because that So it's unable to completely restore Like, how would it not complete? So, if that method did not work, how would you reconstruct 10 the database? 11 A. 12 the associated home folder, and start reconstructing the data 13 manually. 14 Q. 15 How you go about doing it manually. 16 things you would need to know to reconstruct the database 17 manually? 18 A. 19 backup files. 20 another's, you know, essentially just a zip file of some files 21 and folders. 22 You would manually have to go into that database file, and Let's go to the next slide and talk through that process. What's one of the first First thing you have to know is how data is stored in these We have two backup files, one is a database and So, the first thing we'll do is take a look at that 23 database file. The database file has all of the page content 24 that you'd find on a Confluence page. 25 those pages were in, user names, comments on pages, locations You'd have the order SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1121 K2C3SCH3 1 Leedom - Direct on disc to where attachments for pages were. 2 So if you put a picture on a page, you'd have, like, 3 the path to where that picture is stored. Confluence pages 4 have a concept of page revision history. 5 you have a page that a lot of people are editing over the 6 course of a couple years, it could have like 20 different page 7 revisions. 8 an earlier version or restore if someone deleted something 9 accidently. 10 own pages. 11 is essentially like a, you think of maybe a project or 12 something like that. 13 to look through the database and figure out how all these 14 relationships work. 15 Q. 16 analysis to figure out how the database stores information? 17 A. I did. 18 Q. How long did just that process take for you? 19 A. Just the process of reviewing the database and figuring out 20 how it worked, I probably spent about a week on it, and I had 21 the benefit of kind of knowing what to look for. 22 had some other analysts who had looked into this in the past. 23 Q. 24 be the next step in actually constructing the database? 25 A. So you could have, if So this is just to go back, if you wanted to view There's ownership of pages, so certain users might There is a concept of a space in Confluence which Those can own different pages. You have Some are easy and some are not. As part of your work in this case, did you conduct that Because we After you determined how Confluence stored data, what would Once you know how everything works, and what you want to SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1122 K2C3SCH3 Leedom - Direct 1 use out of it, you'd have had to figure out a way to get that 2 into some kind of web page for people to view. 3 normally, on a Confluence server, it is going to do all that 4 for you. 5 that information out and display it in a useful way. 6 Q. 7 fact that the user related tables were not included? 8 A. Significantly more difficult. 9 Q. Why? 10 A. The way that Confluence stores page reference information, 11 it changes some of the values between some of the different 12 tables. 13 user identifier numbers back to their space IDs, the page IDs 14 for pages that they created, it can be very difficult to figure 15 out who might have owned a certain page, or, you know, 16 something as simple as what a user's name might have been. 17 Q. 18 those relationships? 19 A. 20 script to parse that database file and create some kind of -- a 21 bunch of HTML pages off that. 22 Q. 23 appeared on DevLAN? 24 A. No. 25 Q. What would be different? Because So you're going to have to figure out how to pull Would this process have been made more difficult by the And without knowing -- being able to directly map the How would you actually reconstruct it after determining all The most expedient way and way to do it would be to write a Would this process have restored Confluence to the way it SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1123 K2C3SCH3 Leedom - Direct 1 A. There would be significant differences in formatting. 2 There's a lot of dynamic content that Confluence provides. 3 There are a lot of what I'm calling, like, template macro 4 objects in the database on the page. 5 little bits of computer code that the Confluence server sees, 6 and says, oh, okay, this says I need to make a pretty table 7 graphic here and then fill it with this information. 8 you're unable to ascertain how that works, then that's going to 9 be missing. 10 Q. 11 slide. These are like kind of So, if Things like that. So let's look at some of those differences on the next 12 Now, the first bullet says "User names are not 13 available." What is that meant to convey? 14 A. 15 the database. 16 users aren't there, the only way you can glean what a user's 17 name would have really been is from the title of a page. 18 a user named their page like "Pat's Home Page," then you could 19 probably assume that Pat was the one who wrote the page. So, this is for talking about things that are missing from 20 Since the user mapping tables with the names of So if I think there have been maybe one or two other tables 21 that had a couple of bits and pieces of user information. 22 the main table where that were stored were not included in the 23 backup. 24 Q. 25 individuals' names from the agency? Did some of the posts by WikiLeaks on March 7 include SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 But 1124 K2C3SCH3 Leedom - Direct 1 A. Some posts in the body content had names. Most of the 2 names were redacted though. 3 Q. What do you mean by included it in the content? 4 A. There were a few pages in the actual, like, main body of 5 the page that had names in it that missed the redaction pass 6 that WikiLeaks ran over it. 7 Q. 8 there was an error in that script? 9 A. Why would those names be available in a SQL database if So that would have been something someone would have just 10 manually typed in. And didn't use one of the features to, 11 like, embed a link to that user's page when they referenced the 12 user name. 13 Q. 14 SQL database? 15 A. Yes, it was. 16 Q. So that was not a table that was missing? 17 A. No, it was not. 18 Q. So, the third bullet says "No Confluence images, pictures, 19 or other features." 20 A. 21 you know the pretty, like, Confluence web page with the title 22 bars and all their pictures, none of that would be available 23 from the database because that's all built by the server. 24 Q. What about dynamic elements, what is that referring to? 25 A. So dynamic elements can mean anything from, like, the code When you say the content, was the content included in the What does that refer to? So, we'll see some pictures in some following slides, but, SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1125 K2C3SCH3 Leedom - Direct 1 that I mentioned that's stored on the page, it has to get 2 executed by the server, to things like, you know, clicking the 3 drop down and changing permissions for pages, or, you know, 4 adding new pages. 5 Q. And page formatting? 6 A. So, the page formatting itself is going to be drastically 7 different. 8 used to design web pages, that's actually stored in the 9 database. Things like that. To some extent, the HTML, like the program language So you can pull that content out, and kind of put it 10 in as is, and it will keep the basic structure of how the body 11 content of the page was stored. 12 We have an example of this. Anything beyond that, 13 like, what color the text should be, how big it should be, what 14 font it should be, how wide should the margins be, things like 15 that, that's not going to be stored there. 16 Q. 17 internet. 18 A. Yeah, that's correct. 19 Q. What's this showing? 20 A. This is what Confluence looks like when it's running. 21 kind of shows all of the different buttons you can click, how 22 it -- how like body content for pages looks. 23 those little code elements, so, little boxes like this and 24 this. 25 have to manually account for when you were reconstructing the Let's take a look at a regular Confluence page from the To be clear, this is not from DevLAN, correct? Tables like this. This is a picture off of Google. This When I mentioned Those are types of things that you'd SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1126 K2C3SCH3 1 Leedom - Direct database, and it might be very difficult to do. 2 When I say like dynamic elements, I mean things like 3 what I just showed you as well as obviously, like, buttons to 4 operate on the page, and things like that are not going to be 5 available in your reconstructed version. 6 Q. 7 look at the next slide. 8 A. 9 DevLAN. Let's take a look at an example from DevLAN itself. Let's What is this showing? This is a screenshot from one of the Confluence pages on And you can see it's very similar in form factor and 10 layout to the page we were just looking at. 11 Q. 12 WikiLeaks. 13 A. 14 some -- it's a basic page. 15 information on it. 16 have been to pull the basic body content out of the database 17 and make a page of it. 18 Q. 19 file? 20 A. 21 numbers, this little kind of quote block, even some of the 22 spacing some of the, like, title information, things like that. 23 That's stored in the page formatting in the database. 24 you really have to do is copy it out and put it in an HTML file 25 and open it in a web browser, and it will do the rest for you. Let's look at some examples of what actually posted to What is this exhibit showing? This is showing a page from WikiLeaks that just contains There is not a whole lot of I just wanted to show how easy it would Why would that have been easy with the Confluence backup All these things, like the indentation here and the SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 So, all 1127 K2C3SCH3 Leedom - Direct 1 Q. Is this an example of where WikiLeaks formatted the body 2 content correctly? 3 A. 4 It essentially is what determines, like, what a web page makes 5 certain colors of text on the page, what font it is. 6 the WikiLeaks style sheet applied. 7 color green as this and this. 8 Things like that. 9 make it look a little nicer. To some extent, yes. 10 There -- we call it a style sheet. This has That's why this is the same The text is the same font. So they applied their style sheet to it to But I'll show you as far as formatting perspective 11 that it's pretty much exactly as it was in the database. 12 Q. Let's look at the next slide. 13 A. This is just a very simple example. 14 row out of the database that has the body content data for this 15 page and just pasted it into a text file and opened it with a 16 web browser. 17 in the exact same manner that it's formatted on WikiLeaks. 18 Q. Sorry. 19 A. Out of the Confluence database backup file. 20 Q. So the actual backup file that was on DevLAN? 21 A. Yes. 22 Q. Let's look at the next slide. 23 What is this showing? 24 A. 25 it's, it's identical except for the one I made, I didn't apply What is this showing? I literally copied the And it, you can see it formats everything almost You copied this out of where? Let's compare these two. This is just a side-by-side comparison. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 You can see that 1128 K2C3SCH3 Leedom - Direct 1 any kind of style sheet to it. 2 the WikiLeaks style sheet. 3 Q. 4 WikiLeaks omit information that would have been contained in a 5 full Confluence virtual machine? 6 A. Yes, they did. 7 Q. I'm showing you a slide with Government Exhibit 10. 8 see that? 9 A. Yes. 10 Q. The title of the slide is "User ID in WikiLeaks Page 11 Contents." 12 A. Yes, I do. 13 Q. In what ways is this slide different than how it would have 14 been displayed on DevLAN? 15 A. 16 would ever like display to a user or even an administrator in 17 the web view, to be honest. 18 internally in the database to reference other parts of the 19 database and different values. 20 And the one on WikiLeaks has So... Let's go to the next slide. Did other pages posted by Do you Do you see that? This big ff808 number is not something that Confluence This is a number that's used When WikiLeaks, just having the database was parsing 21 through it, since they couldn't map these numbers back to 22 actual user names, there are pages for certain users who they 23 can only reference by this value. 24 the Confluence, like, the Confluence web server on DevLAN, you 25 would never see this ff808 number. If you searched for this in SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1129 K2C3SCH3 Leedom - Direct 1 Q. Are there different ff808 numbers for different users on 2 Confluence? 3 A. Yeah, each user has its own unique user identifier number. 4 Q. Does this page also omit anything else that would have 5 appeared on DevLAN? 6 A. 7 formatted, I don't think this is a page that existed at all. 8 You see how they kind of have a placeholder for assigned 9 spaces? I think this page specifically, especially the way it's There's, like, no data in it, and assigned pages. This 10 is more like a list of all things that have to do with this 11 user name and less of a construction for that user 12 specifically. 13 Q. 14 posted on WikiLeaks? 15 A. 16 from that Confluence database, SQL database backup file. 17 Q. 18 "Incorrect Page Number Association." 19 Exhibit 7-1. 20 A. Yes. 21 Q. Is this another page from WikiLeaks? 22 A. Yes, it is. 23 Q. Is this also from the March 7, 2017, posting? 24 A. It is. 25 Q. In what ways is this page different from how it would have What conclusions, if any, have you drawn from this page as I've drawn that they rebuilt this page and the other pages Let's go to the next slide, please. This is titled And it has Government SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1130 K2C3SCH3 Leedom - Direct 1 been displayed on DevLAN? 2 A. 3 That page doesn't exist. 4 what I think happened was, when WikiLeaks was going through the 5 database, since they don't have user information, it can be 6 pretty difficult to pin exactly, you know, what page belonged 7 to a specific user. 8 lot of Mac related tools. 9 has a bunch of pages that have to do with MacOS tools. So, on DevLAN, there's actually no page called MacOS X. What happened, at least my opinion, There was a user who happened to work on a So, naturally, their user space page These 10 tools didn't ever belong to like a top-level page called MacOS 11 X. 12 these pages. The page they belonged to was the name of the user who made 13 So, when WikiLeaks was going through and looking at 14 what was here, they just assumed incorrectly that this was a 15 page that was made for MacOS X notes, not a user's page on 16 notes. 17 Q. 18 "Missing/Deleted Pages." 19 There is a red box around Ghidra; do you see that? 20 A. Yes. 21 Q. Why is there a red box around Ghidra? 22 A. This page is a deleted page. 23 Confluence page for this user on DevLAN, you wouldn't see this 24 Ghidra page. 25 page, go into the trash can, and, you know, manually restore Let's go to the next slide. This is titled The top exhibit is still Exhibit 7-1. If you browse to the You'd actually have to go as that user into the SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1131 K2C3SCH3 1 Leedom - Direct that page for it to show up. 2 So, this shows that either on purpose or by accident, 3 WikiLeaks restored deleted pages that were found in the 4 database when they made the dump. 5 This page was created on, like, September 16, 2015. 6 It was created on the 15th and deleted on the 16th, shortly 7 afterwards. 8 Q. 9 that you've been circling. Or made the post, excuse me. I'm sorry. At the bottom there, there is a Government Exhibit 1207-94 10 A. Yes. 11 Q. Where is that from? 12 A. So, this is an actual entry from the Confluence, like -- 13 excuse me, that March 3 Confluence SQL database backup file. 14 This is one of the tables. 15 "content." 16 the way. 17 content table for names that were something like Ghidra 6.0.10, 18 and this is the results of that. 19 Q. Why were you looking at the March 3, 2016 backup file? 20 A. Because that's the backup file that I believe was posted on 21 WikiLeaks. 22 Q. 23 "Missing Template and Design Elements." 24 Government Exhibit 8-1. 25 A. This is specifically a table called This is the SQL query I ran to generate this, by And I was basically searching all pages in the Let's go to the next slide, please. This is titled And it's showing What is this showing? So, I believe this is the last example. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Remember when I 1132 K2C3SCH3 Leedom - Direct 1 circled some of those pretty looking tables and, like, colorful 2 entries inside the tables on the site from Google. 3 script that they wrote to rebuild this didn't really account 4 for all of that. 5 So, the Some were accounted for, but others were not. If we circle this top part here, you see we have the 6 title of this page, and then this detail is missing. The first 7 time I saw, like, a note like that in the page, that's usually 8 kind of indicative of a script having had kind of parsed 9 through this and it was either unable to figure out what was 10 there, or what seems like here, hey, the details for this 11 object aren't there. 12 But, after taking a look at the SQL database itself, 13 it was clear that the script was just unable to parse this -- 14 "parse" meaning process -- this template macro code thing. 15 Q. 16 Now there is an overlay of Government Exhibit 1207-93. 17 A. Yes. 18 Q. What's that showing? 19 A. So, this is from the body content of this page. 20 said before, it is essentially all HTML web page code. 21 this is what's missing from this details missing section. 22 Let's look at that. Let's go to the next slide, please. Why is it called details? Like I And Well the name of this 23 template is called "details," so that's why that's there. 24 then for whatever reason they couldn't process everything 25 inside here, which is just a small little table. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 And So this would 1133 K2C3SCH3 Leedom - Direct 1 have been a table, kind of similar to this table below, except 2 it just has a date column, and like a participants column. 3 a date, time and some user names. 4 And This is another good example of this is how a user 5 name is stored in the database. So, even if this were to be 6 reconstructed, they'd have to go and figure out what this ff808 7 number belonged to, and then either replace it with a user name 8 if they were able to find one, or just leave it as is. 9 is, this link, when you see this link, that's when Confluence This 10 sees that, it says, oh, okay, I need to go resolve this to 11 something that a human can understand. 12 Q. 13 Altabackup files; is that correct? 14 A. Yes, it is. 15 Q. What impact, if any, did these exhibits have on your 16 opinion that the data provided to WikiLeaks was from backups? 17 A. 18 5:42 p.m. and 5:43 p.m. for the two files specifically. 19 know that that falls into the activity that we have from the 20 defendant, that was, you know, purposefully reverting to the 21 Confluence virtual machine to a time when he had access to it, 22 doing something for over an hour. 23 during that time. 24 files on the ESXi server itself were deleted, the log files for 25 the Confluence server were deleted, and all the activity of Let's go to the next slide, please. This is the Confluence So, we know that the date accessed was from 4/20 at And we These files are accessed And then shortly after that, all the log SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1134 K2C3SCH3 1 Leedom - Cross that session are gone. 2 MR. LAROCHE: 3 THE COURT: 4 MS. SHROFF: 5 THE COURT: 6 CROSS-EXAMINATION 7 BY MS. SHROFF: 8 Q. No further questions. Thank you. Ms. Shroff. Thank you, your Honor. You're welcome. Could we pull up, please, Government Exhibit 1203-54. 9 So you see that line, sir, that starts 10 2016-04-20T17:19:23. You see that line? 11 A. Yes. 12 Q. Okay. 13 A. The first line here, right? 14 Q. I don't know if it is the first line. 15 I'm starting. 16 A. Okay. 17 Q. So, that line, sir, says, if you keep following, right, it 18 says "USB: 19 A. Yes. 20 Q. And then it has a little bracket. 21 A. I believe so, yes. 22 Q. Okay. 23 A. Yes. 24 Q. Okay. 25 of numbers, super family storage. Found device." Good. Name: It is the line where Correct? You with me? And then it says Sandisk. Then there is a backslash. Correct? Extreme vid colon, bunch SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1135 K2C3SCH3 1 Leedom - Cross You with me there? 2 A. Yes, ma'am. 3 Q. And then there is a whole continued line of numbers, right? 4 A. That's correct. 5 Q. And then it says "found device." 6 A. Correct. 7 Q. "Found device" means that that's when the USB is found, 8 right? 9 A. Correct. 10 Q. Okay. 11 it -- and I think John or Achal will get it for you -- 206-04, 12 you see that? 13 A. Yes, ma'am. 14 Q. It keeps going, correct? 15 A. Hmm-hmm. 16 Q. You see that line, it still says "USB found device." 17 with me? 18 A. Yes. 19 Q. Okay. 20 okay. 21 A. Yes, ma'am. 22 Q. Then it has this number. 23 A. Yes. 24 Q. You with me? 25 A. Yes. Right? So, then, you see that line that says right above You I don't do this very often, so just be patient, Then there is a bracket. It says "name," correct? T8R2, right? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1136 K2C3SCH3 Leedom - Cross 1 Q. Okay. Then it continues, right? 2 A. Correct. 3 Q. Okay. 4 numbers. 5 A. Yes. 6 Q. And you agree with me both say 04. 7 A. Yes. 8 Q. April? 9 A. Yes. 10 Q. Okay. 11 right? 12 A. Yes. 13 Q. And then there is a number 20T17:19 on both sides, right? 14 A. Yes. 15 Q. And then both sides also say colon 23, correct? 16 A. Yes. 17 Q. And then there is a dot. 18 A. Yes. 19 Q. And then there is 441, correct? 20 A. Yes. 21 Q. And there is another dot. 22 A. Yes. 23 Q. No, no, there is a dash. 24 A. Yes, it's a dash. 25 Q. Dash 04, right? So, could you just do me a favor and look at the two The date, you agree with me, both say 2016? Then it says dash, both of them say the same thing, Correct? Don't say yes. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 That's a dash. 1137 K2C3SCH3 Leedom - Cross 1 A. Yes. 2 Q. And then colon? 3 A. Yes. 4 Q. 00? 5 A. Correct. 6 Q. Same time to the nanosecond. 7 A. Yes. 8 Q. I keep getting this wrong. 9 A. Correct. 10 Q. I keep calling it San. 11 exactly at the same time to the nanosecond. 12 A. Yes. 13 Q. Okay. 14 A. Hmm-hmm. 15 Q. They are going to pull this up for you. 16 You with me? 17 A. Yes, ma'am. 18 Q. 20907-4? 19 A. Yes. 20 Q. What time is that, by the way? 21 A. 5:22 EST. 22 it's EST. 23 Q. Keep going. 24 A. Yes. 25 Q. You keep following that line it ends with "speed super"? It's Sandisk, right? Sandisk, and the right block Let's just see if we can go down. Correct? You with me? 2016-04-20T1722. It has the minus four at the end so you know You see that says "USB:found device"? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1138 K2C3SCH3 Leedom - Cross 1 A. Yes. 2 Q. Go down, keep continuing. 3 right-hand bottom -- you with me? 4 A. Yes. 5 Q. What does it say there? 6 A. "Disconnected." 7 Q. "Disconnected:1"? 8 A. Correct. 9 Q. Okay. 10 A. That's correct. 11 Q. This is my exhibit, 1203-54, in its bigger form. 12 A. Correct. 13 Q. You showed the jury on your slide deck the same thing, and 14 then you cut off the "disconnected" part. 15 A. Correct. 16 Q. What time is that USB disconnected? 17 A. It was disconnected at 5:22, about three minutes after it 18 was connected. 19 Q. 20 your reversion. 21 A. Sure. 22 Q. And then tell me if that USB disc, Sandisk, disconnected 23 before the reversion or not. 24 A. Oh. 25 Q. Before the reversion, right? And then it says on the And then gives you a bunch of keys below? Let's show them again then, why don't we, the timings of Before. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1139 K2C3SCH3 Leedom - Cross 1 A. Yes, ma'am. 2 Q. So it's out? 3 A. Correct. 4 Q. Not inserted? 5 A. Correct. 6 Q. Taken out? 7 A. Yes. 8 Q. You didn't show it to them. 9 A. It was not -- 10 Q. No, no, no. 11 A. Correct. 12 Q. You showed it to them? 13 A. Correct. 14 Q. No. 15 A. Not the removal, no. 16 Right here on the left? I'm sorry, could you repeat? 17 Q. You cut it off, did you not, sir, on the left side? 18 A. Yes. 19 disconnect. 20 Q. It's not intentional? 21 A. No. 22 Q. Okay. 23 Right. 24 25 But not intentionally cut off to remove the Well, let's talk about that. It's slide 105. Let's put the whole slide in. Who made the slide? A. I made the slide. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1140 K2C3SCH3 Leedom - Cross 1 Q. How many hours did you spend making the slide deck? 2 not talking just about 105. 3 it. 4 A. A lot. 5 Q. Well, you are going have to quantify a lot. 6 nothing to me. 7 A. Maybe, let's say, 40 hours over the course of a few months. 8 Q. 40 hours? 9 A. Maybe more. 10 Q. Come on. 11 A. Probably more? 12 Q. Let's try it this way. 13 A. I don't remember specifically. 14 Q. It's okay, it's okay, we have all day. 15 it. 16 Remind us, would you? 17 A. Around March or April 2017. 18 Q. March or April 2017, right? 19 A. Correct. 20 Q. And when you first started, sir, you used the word 21 "deployed." 22 your case? 23 A. Correct. 24 Q. Right. 25 A. No. Okay, take your time. I'm Think about All of these slide decks. A lot means Quantify it. Really? Don't worry about Let's start with when you started work on this case. To me that just meant you go somewhere, right? It's not like you are going to the Army, right? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 In 1141 K2C3SCH3 Leedom - Cross 1 Q. Okay. So, you start off and you go to work and you are 2 sent to help the CIA out, correct? 3 A. That's correct. 4 Q. You are a contractor for a company? 5 A. Yes. 6 Q. I'm sorry. 7 employee of the company and contracted to the FBI, or are you 8 an employee of the FBI and contracted to the company? 9 A. The first one. 10 Q. So you work for a company? 11 A. Correct. 12 Q. The company has a contract with the FBI, correct? 13 A. Yes, we do. 14 Q. And then you were sent out to work on this case, and then 15 you presented this unintentionally cut off slide 105? 16 A. Correct. 17 Q. Okay. 18 were just sent there not in an expert capacity, right? 19 A. I disagree. 20 Q. You were sent there knowing you were going to be hired as 21 an expert to testify in this case? 22 A. No. 23 Q. Oh. 24 case, correct? 25 A. I'm a little confused about that. Are you an And when you first went there to help them out, you Okay. So, you were just sent there to work on the Correct. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1142 K2C3SCH3 Leedom - Cross 1 Q. And when you got there in March of 2017, did you realize 2 that the CIA had been unaware of this data given to WikiLeaks 3 for almost a year or did you learn that a year later? 4 A. I learned it during the investigation. 5 Q. Okay. 6 were you sent to help the FBI or were you sent to help the CIA 7 or are they the same? 8 A. 9 the CIA just to determine what happened. And when you were sent off to help these people, I support the FBI. But we were there to help the -- assist 10 Q. You support the FBI, but you were -- okay. So, you were 11 sent -- did you actually physically go to the CIA? 12 A. Yes. 13 Q. And you met with the people at the CIA, correct? 14 A. Correct. 15 Q. And when you went there, were you sent along with the FBI 16 agents in this case? 17 A. No, not the -- well, some of them. 18 Q. Some of them. 19 on the left-hand corner? 20 A. Not at the beginning. 21 Q. Not at the beginning? 22 A. No, ma'am. 23 Q. How about Special Agent Schlesinger; was he there? 24 A. Not at the beginning, no. 25 Q. And how about Special Agent Evanchec; was he there? How about Special Agent Donaldson over there SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1143 K2C3SCH3 Leedom - Cross 1 A. Yeah, I believe Rick was the first one I'd seen. One of 2 the agents prosecuting the case. 3 Q. How about somebody named Mr. Berger; was he there? 4 A. Mr. who? 5 Q. Mr. Berger? 6 A. Yes, he was. 7 Q. He was there, right? 8 A. Correct. 9 Q. You started in March of 2017 working with all of these 10 folks from the FBI and the CIA, correct? 11 A. Not all. 12 Q. I mean, you know, as the judge said before, it's a phrase. 13 Folks from the FBI? 14 A. Correct. 15 Q. Folks from the CIA? 16 A. Correct. 17 Q. Okay. 18 of 2017, until now, you've never consulted with the defense, 19 correct? 20 A. That's incorrect. 21 Q. You've consulted with us or you've given us discovery? 22 Those are two different things. 23 with us. 24 A. Oh, I'm sorry. 25 Q. Okay. Is it fair to say, sir, that from the time of March "Consulted" meaning you work SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1144 K2C3SCH3 Leedom - Cross 1 A. I meant from like a discovery perspective. 2 Q. No, you never consulted with me, right? 3 A. No. 4 Q. I've never sat down, helped you make these slide decks that 5 were inadvertently cut off? 6 A. No, ma'am. 7 Q. So, you worked exclusively with the FBI, right, and the 8 CIA? 9 A. Yes. 10 Q. You met with them almost weekly for a while, correct? 11 A. Correct. 12 Q. You generated weekly reports for them, correct? 13 A. I did not generate a weekly report for them specifically. 14 But we did as a team gave weekly reports. 15 Q. Let's talk about this team. 16 A. FBI employees and the CIA analysts. 17 Q. Okay. 18 nine, 10? 19 A. E-mail chain? 20 Q. Hmm-hmm. 21 A. I'm sorry? 22 Q. The e-mail chains where you talk about when to meet, how to 23 meet, what we should do next, how we should get ready for the 24 case? 25 A. Who's on this team? So all told they're like how many of you, eight, How many were on that e-mail chain; do you remember? We had maybe, I think maybe at its high point 30 different SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1145 K2C3SCH3 Leedom - Cross 1 people working in the lab. 2 Q. 3 you generated what is called a monthly report? 4 A. That's correct. 5 Q. So every month you would tell them, hey, I'm still working 6 on the CIA case, and this is what I'm doing, right? 7 A. That's correct. 8 Q. And there came a point, did there not in this -- it's been 9 two years, right? Okay. And is it fair to say, sir, that for your company, More? 10 A. Almost three. 11 Q. Almost three. 12 monthly reports telling them you are doing all of this stuff 13 for the CIA on this case? 14 A. I'm sorry. 15 Q. Sure. 16 So for three years, you've been sending Could you repeat the question? Maybe I'll try and go slower. You wrote monthly reports each month, yes? And you 17 sent these monthly reports to your company, correct? 18 A. Hmm-hmm. 19 Q. Detailing the work you were doing for the CIA. 20 A. Correct. 21 Q. Okay. 22 A. Yes. 23 Q. And the CIA paid you -- not you directly, but your company, 24 correct? 25 A. Correct? And you got paid, right? No. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1146 K2C3SCH3 Leedom - Cross 1 Q. Oh. Then who did the CIA pay? 2 A. The CIA didn't pay me. 3 Q. No, no, I know you don't work for the CIA. 4 you don't work for the CIA. 5 company -- what is your company's name, MITRE? 6 A. MITRE. 7 Q. How did MITRE get paid? 8 A. Well, we're paid from the contract. 9 instance, our contract with the FBI. Okay. I don't work for the CIA. You testified My question is how did your Specifically in this 10 Q. So MITRE is a private company, you provide services 11 to the FBI, and the FBI's working with the CIA. 12 A. That's correct. 13 Q. Do you know by any chance for three years how much MITRE 14 got paid for all of this work? 15 A. I don't know. 16 Q. 500,000? 17 A. I don't work in contracts. 18 our budget. 19 Q. 20 how much you got paid. 21 money's coming in. Correct? I really don't know much about Oh, I'm not talking about your budget. I'm talking about That's not a budget, that's what I'm not asking about money you spent. 22 THE COURT: You want to know how much MITRE got paid? 23 MS. SHROFF: 24 THE COURT: 25 THE WITNESS: Yes. Do you know? I don't know. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1147 K2C3SCH3 1 Leedom - Cross THE COURT: He doesn't know. 2 Q. MITRE didn't have a contract with the FBI or the United 3 States attorney's office that you know of? 4 A. 5 value attached to it. 6 Q. 7 from the FBI, right? 8 A. That's fair. 9 Q. In fact, would you say that more than 60 percent of the We had a contract with the FBI. Okay. I don't know the dollar And it's fair to say MITRE gets a lot of business 10 work for that company comes from the FBI? 11 A. I don't believe that's accurate. 12 Q. Okay. 13 with people from the FBI and the CIA on a very regular basis, 14 correct? 15 A. Correct. 16 Q. And when you met with them, you had team meetings; is that 17 correct? 18 A. That's correct. 19 Q. And you had team meetings in person, team meetings over 20 Skype, and team meetings by phone, correct? 21 A. That's accurate. 22 Q. They gave you an office at the CIA, or a room to work in? 23 A. I worked in a lab. 24 Q. You worked in their lab, right? 25 A. Yes. Now, in addition to the monthly reports, you met SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1148 K2C3SCH3 Leedom - Cross 1 Q. 2 access to what is a full image of the FSO1 server? 3 A. Yes. 4 Q. And they gave you, did they not, access to the full image 5 of the Atlassian server, correct? 6 A. That's correct. 7 Q. They gave you full access, did they not, to Mr. Schulte's 8 workstation, correct? 9 A. Correct. 10 Q. You reviewed all of these -- I don't know, devices let's 11 just call it. 12 devices and wrote up your reports on each one of them, correct? 13 A. 14 did review all of the devices, yes. 15 Q. 16 were your sync-up efforts, correct? 17 A. To some extent, yes. 18 Q. You sent a lot of e-mails saying re sync-up effort. 19 And when you worked in their lab, did they give you full It's not precise, but you reviewed all of these I didn't specifically write a report for each one, but I Okay. And you e-mailed each other about what you called What is that; what is a sync-up effort? 20 A. I don't recall writing an e-mail with that title. 21 Q. Okay. 22 write it in your e-mail? 23 A. 24 tell you that we had sync meetings together. 25 Q. Do you know what a sync-up effort is when you would I don't know specifically what a sync-up effort is. Okay. Tell us about these sync meetings. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 I can 1149 K2C3SCH3 Leedom - Cross 1 A. Sure. 2 Q. How many times did you have them in a month? 3 A. It was more frequent toward the beginning of the case. 4 think they started daily, may have moved to weekly, and then 5 eventually just scheduled individually. 6 (Continued on next page) 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 I 1150 K2cWsch4 Leedom - Cross 1 BY MS. SHROFF: 2 Q. Right. 3 A. I believe so. 4 Q. Right. 5 picked up and peaked again, right? 6 A. Oh, more recently, yes. 7 Q. Now, in preparation for your testimony, the CIA set you up 8 with the Atlassian Confluence server, correct? 9 A. Correct. 10 Q. And then you and FBI personnel together reviewed it, 11 correct? 12 A. That's correct. 13 Q. And each time you reviewed it, you had a theory of 14 prosecution in mind, correct? 15 A. Uh, I was aware, yes. 16 Q. What do you mean you were aware? 17 A. Uh -- 18 Q. What does that mean? 19 A. I'm just saying that I was aware that the case was being 20 criminally prosecuted. 21 Q. Well, you were aware of more than that, sir, right? 22 A. Yes. 23 Q. I mean, they had a theory of prosecution that they shared 24 with you; you weren't kept in the dark. 25 right? And then they peaked again, correct? When you were preparing all these slides there, it You're their expert, SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1151 K2cWsch4 Leedom - Cross 1 A. 2 while in this case. 3 Q. 4 don't worry. 5 Yes, but I didn't meet the attorneys here, I think, for a Oh, yeah, yeah. There were many of them. All of them -- My question is whoever it is that told you, they told you 6 what their theory of prosecution was, correct? 7 A. I believe so. 8 Q. Right. 9 it. They didn't say to you: Hey, we don't know who did They came to you and said, We think Josh Schulte did it 10 and this is how we're going to prove it, and you're going to 11 work with us. 12 A. That's an unfair characterization of what happened. 13 Q. OK. 14 A. I disagree. 15 Q. OK. 16 open-endedly tell you go find out who did it? 17 A. Yes, actually. 18 Q. Really? 19 A. Yes. 20 Q. OK. 21 A. So, like I mentioned earlier, when I initially showed up, 22 it was from an incident-response perspective, so -- 23 Q. Could you answer my question? 24 A. Yes, ma'am. 25 Correct? Unfair or not, that's basically what happened, right? Well, tell me how you disagree. Did they randomly, No, right? So tell us who else you looked at. MR. LAROCHE: He is answering the question. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1152 K2cWsch4 1 2 THE COURT: Q. Yes. Could you tell me -- 3 4 Leedom - Cross THE COURT: Could we have the last question read back, please. 5 (Record read) 6 MS. SHROFF: 7 MR. LAROCHE: 8 THE COURT: 9 THE WITNESS: No. Who else you looked at. And he's answering it. Tell us who else you looked at. I remember the question. It's fine. 10 So, when I initially showed up, it was from an 11 incident-response perspective, so we were looking at the every, 12 the entire network in its entirety -- 13 BY MS. SHROFF: 14 Q. 15 other than Mr. Schulte. 16 A. 17 administrators; other -- all the other user workstations on 18 DevLAN. 19 Q. 20 every workstation. 21 Sir, I asked you which person you looked at as a suspect That's my question. I think suspect's a -- we looked at all of the other We looked -- That's not what I asked you, sir. I'm sure you looked at My question is did the government not tell you that they 22 were prosecuting one person, and that was Mr. Schulte? 23 that what they told you? 24 A. 25 process worked. Isn't I think that's an unfair characterization of how the SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1153 K2cWsch4 Leedom - Cross 1 Q. Sir, whether it's fair or unfair, could you answer my 2 question? 3 A. Yes. 4 Q. OK. 5 A. I learned at a point he was being prosecuted, yes. 6 Q. Right. 7 A. Correct. 8 Q. And the CIA identified him as the suspect, correct? 9 A. Correct. 10 Q. They did not tell you: 11 take a wild guess or go investigate, correct? 12 A. Not in those specific terms. 13 Q. In fact, in no terms did they ever tell you that, correct? 14 A. I disagree. 15 Q. You disagree? 16 investigated as a possible suspect. 17 workstation, an individual that they told you to look at other 18 than Josh Schulte. 19 A. Any of the other admins, for example. 20 Q. So they gave you a list of admins and they said all of 21 these people are possible suspects and we might prosecute any 22 one of them? 23 A. No, not in those specific words, but -- 24 Q. In fact, in no words did they ever tell you that, correct? 25 A. I disagree. Did they tell you they were prosecuting Mr. Schulte? And they identified him as the suspect, correct? We don't know who the suspect is, Tell me one other person's name that you Not a network, not a Is that what they told you? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1154 K2cWsch4 Leedom - Cross 1 Q. OK. So tell me one other name they told you. 2 A. I don't know the, like, the list of all the admin names 3 offhand, but there's -- 4 Q. 5 unfair, correct? 6 easy for you. You're the one who is telling me my characterization is So tell me, which other -- let me make it 7 Did they ever tell you an employee who took a screenshot of 8 what happened on April 20 and said, Hey, he's possible suspect; 9 take a look? 10 A. That's a fair characterization. 11 Q. They didn't tell you that, right? 12 A. That's a -- I would say that's a fair, like, 13 characterization of the investigation. 14 Q. Put aside fair or not. 15 A. Yes. 16 Q. Other than Mr. Schulte -- I'll try it another way. 17 Just answer my question, sir. Are you aware that the government had a theory that this 18 information was stolen in March rather than April of 2017 -- I 19 mean '16? 20 A. Yes. 21 Q. You're aware of that, right? 22 A. Yes. 23 Q. First, they had this whole theory that the information had 24 to have been stolen in March of 2016, correct? 25 A. I don't remember the specific details. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1155 K2cWsch4 Leedom - Cross 1 Q. You don't remember the details? 2 A. No. 3 Q. Do you remember if they filled out any search warrants with 4 that date? 5 A. I don't remember. 6 Q. Did they tell you that they filled out search warrants with 7 that date? 8 A. 9 believe I've reviewed the contents of the search warrants, I don't remember to that specific date, no. 10 like, in their entirety. 11 Q. 12 search warrants. 13 sir. I don't I'm not asking you if you reviewed the contents of any I'm asking you very simple questions here, 14 Did the FBI ever tell you that they were sure -- they were 15 so sure that they signed an affidavit and gave it to a sitting 16 federal judge -- that this information had been stolen not 17 during a reversion on April 20 but in March of 2016? 18 tell you that? 19 A. I don't remember. 20 Q. You don't remember? 21 A. No. 22 Q. Your testimony here is that from the moment you started on 23 this case, the only date you focused on as the date the 24 information was taken is April 20; is that your testimony? 25 A. No. That's incorrect. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Did they 1156 K2cWsch4 Leedom - Cross 1 Q. OK. So you didn't know about the March 2016 date, correct? 2 A. Correct. 3 Q. You didn't know about the search warrants, correct? 4 A. No. 5 Q. You didn't know how many search warrants the FBI filed with 6 that date telling a judge that's the date it was stolen, 7 correct? 8 A. No. 9 Q. So as the forensic investigator, you never, ever 10 investigated that date, correct? 11 A. I don't believe so. 12 Q. They never told you: 13 You're the forensic analyst working independently. 14 A. I don't remember. 15 Q. You'd remember that now, wouldn't you? 16 expert. 17 A. Yes. 18 Q. OK. 19 never told you that they had the wrong date? 20 A. Yes. 21 Q. OK. 22 who did your direct? 23 A. Maybe the last six months or so. 24 Q. Six months? 25 A. Maybe not quite that long. Hey, eliminate this date for us. Correct? I mean, you're an So is it possible that you don't remember because they How many months have you worked with Mr. Laroche here Maybe -- Like, directly, yeah. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 It's 1157 K2cWsch4 Leedom - Cross 1 been kind of on and off. 2 Q. For six months you've been talking to Mr. Laroche, right? 3 A. I believe that's accurate. 4 Q. Right. 5 now. 6 many hours did you spend with him? 7 A. In January? 8 Q. Right. 9 A. Uh, maybe 80. 10 Q. 80 hours? 11 A. Maybe less than that. 12 Q. OK. 13 A. Significantly less. 14 Q. And how about Mr. Kamaraju? 15 A. Same as Mr. Denton. 16 Q. And it's fair to say that your primary contact was with 17 Mr. Laroche and the other two stepped in and stepped out? 18 Correct? 19 A. That's accurate. 20 Q. And your testimony is, sitting here today, Mr. Laroche 21 never told you about any possible March 2016 date as the date 22 that table had identified as a date of theft, correct? 23 A. No. 24 Q. That is correct, right? 25 A. It's incorrect. And let's just stay focused -- we're in February Let's just stick with January of 2020. All told, how 80 hours, maybe. How about the man next to him; Mr. Denton? No. I mostly interacted with Mr. Laroche. That's incorrect. So, I do remember now the date, but just SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1158 K2cWsch4 Leedom - Cross 1 not from the beginning of the investigation when you were 2 referring to earlier. 3 recently, as we were preparing for trial. 4 Q. 5 investigation, but then you only heard about it when you were 6 preparing for trial; that's your testimony? 7 A. That's what I remember. 8 Q. That's what you remember? 9 A. Yes, ma'am. 10 Q. Hey, did you tell them -- 11 A. Did I tell them? 12 Q. -- should I go back and check the March 16 date? 13 tell them that? 14 A. No. 15 Q. OK. 16 stick to your investigation -- right, you looked at various 17 networks? 18 A. Yes, ma'am. 19 Q. You looked at various workstations, correct? 20 A. Correct. 21 Q. You looked at various software programs, correct? 22 A. Correct. 23 Q. And you looked at various databases, correct? 24 A. Correct. 25 Q. Could you tell me, what is a TOU-DNS database? I've heard about it, especially So you didn't hear about it through all of your Did you Now, in terms of your investigation -- let's just Correct? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1159 K2cWsch4 Leedom - Cross 1 A. OK. 2 Q. Sure. 3 A. I'm not, like, familiar with the T-O-U, but a DNS database 4 would mean to me, like, domain name service, so essentially a 5 database of host names, mapping to IP addresses. 6 Q. 7 prosecution team here that said that your search did not return 8 any useful results, what would be a useful result for you? 9 A. It would really depend on the situation. 10 Q. OK. 11 told about what the CIA's system was, but you were kind of 12 familiar with it because you're an expert in this field? 13 Correct? 14 A. In networks, yes. 15 Q. Yes. 16 Could you say that again a little slower, please? Do you know what a TOU-DNS database is? And if you looked at it and you sent an email back to the Now, you also testified, did you not, that you were And when you were given access to DevLAN, were you given a 17 mirror image to work with at the CIA? 18 A. Could you be more specific? 19 Q. No. 20 A. So, by mirror image, what does that encompass? 21 Q. Let me make it easy for you. 22 given. 23 A. 24 machines -- computers, servers -- that were available at the 25 time that we showed up to analyze. Sure. You tell me what you were We were given images of all of the DevLAN SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1160 K2cWsch4 Leedom - Cross 1 Q. All of them, correct? 2 A. Yes. 3 Q. Now, you testified that you were also given access to the 4 Atlassian server, right? 5 A. Uh, yes. 6 Q. OK. 7 named Berger to restore the Atlassian server? 8 that? 9 A. Yes. And do you recall that you worked with an FBI agent Do you remember I don't remember which server specifically you're 10 referring to. 11 Q. OK. 12 A. But we did restore a server together. 13 Q. And is it fair to say that the CIA gave you access all 14 throughout the three years you worked with them on this case? 15 Correct? 16 A. Yes. 17 Q. And working on this case itself, is it fair to say, because 18 I know you like that phrase, is a good professional opportunity 19 for you? 20 A. Yes. 21 Q. Right. 22 A. Yes, it does. 23 Q. It allows you to get more work from the FBI, correct? 24 A. Uh, I disagree with that. 25 Q. You do? Furthers your career, correct? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1161 K2cWsch4 Yeah. Leedom - Cross 1 A. I don't do our contracting, so I don't choose what 2 work we get or don't get. 3 Q. 4 asking you if it was a step toward getting more work from the 5 FBI for your company? 6 A. Uh, yes. 7 Q. And is it fair to say, sir, that you have attended as a 8 spectator, sitting in that block over there, the entire trial 9 up until this point? No, no. I'm not asking you what work you choose. I'm just Correct? 10 A. That's correct. 11 Q. You've sat through all of the testimony, is that correct? 12 A. That's correct. 13 Q. You've heard every single piece of testimony that came into 14 this trial through the people who work or worked at the CIA, 15 correct? 16 A. That's correct. 17 Q. And these are the people you come to court with every day, 18 yes? 19 A. Some of them, yes. 20 Q. You sit with them in that block, correct? 21 A. Correct. 22 Q. You have lunch with them, correct? 23 A. Correct. 24 Q. You talk with them on the break, correct? 25 A. Yes. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1162 K2cWsch4 Leedom - Cross 1 Q. In fact, on the break, Special Agent Evanchec gave you a 2 nice pat on the back after had left, correct? 3 A. Yes. 4 Q. And with them, you know exactly what testimony has come in 5 about Mr. Schulte, correct? 6 A. Correct. 7 Q. About the Atlassian servers, correct? 8 A. Correct. 9 Q. About DevLAN, correct? 10 A. Correct. 11 Q. About April 16 snapshot, correct? 12 A. Correct. 13 Q. April 20 snapshot, correct? 14 A. I don't believe there's a 20th snapshot. 15 defendant's snapshot, yes. 16 Q. 17 snapshot that you think is the defendant's snapshot, correct? 18 A. Correct. 19 Q. You weren't there on April 20, correct? 20 A. Correct. 21 Q. Right. 22 A. Yes. 23 Q. Right. 24 that's 105, correct? 25 A. It's not the defendant's snapshot. Aside from the It's an April 20 You know all of those facts, correct? And knowing all of those facts, you made this slide Correct. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1163 K2cWsch4 Leedom - Cross 1 Q. Right. And the slide that is cut off to not show the jury 2 that the San Disk was disconnected at 5:22 p.m., your testimony 3 was that that slide presentation was inadvertent? 4 A. My -- 5 Q. I just want a yes or no. 6 A. Yes. 7 Q. OK. Let me move on to a different topic, if I may. 8 Sitting here today, you are in agreement with me, are you 9 not, sir, that it is the government's theory that Mr. Schulte 10 created a snapshot of Confluence on April 20 at 5:29 p.m.? 11 Correct? 12 A. I believe that's accurate. 13 Q. Well, you tell me. 14 A. Well, I'd want to see a time stamp to confirm that that's 15 accurate. 16 Q. Take your time. 17 A. I don't have the snapshot. 18 that it's accurate. 19 Q. 20 mine? 21 A. 22 You're the expert. Go ahead. Check the time stamp. It was reverted 5:35, so before Do you have your slide deck there, or should I give you No. It's up. That's correct, 5:29 p.m. 23 Q. 24 April 20 snapshot and called it backup, correct? 25 And according to them, and you, Mr. Schulte created that MS. SHROFF: If you could pull up slide 107. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1164 K2cWsch4 1 Leedom - Cross Oh, there it is. Sorry about that. He's ahead of me. 2 Q. Slide 107 shows you that, correct? 3 A. Incorrect. 4 Q. Oh. 5 A. Well, it's not backup. 6 Q. My bad. 7 called B-K-U up. 8 should I call it BKUP; which one? 9 A. BKUP's fine. 10 Q. OK. 11 April 20 snapshot and called it B-K-U up, correct? 12 A. Correct. 13 Q. And according to all of you, Mr. Schulte then reverted, did 14 he not, to an earlier state, and that earlier state is 15 BK-4-16-16? 16 A. That's correct. 17 Q. I just want to get the timings down here. 18 OK. It doesn't show you the name there, backup? It's BKUP. It shows you a slide that is the backup. It's Is that how you want me to refer to it, or So on April 20, according to you, Mr. Schulte took an Correct? And according to you and the government, this is around 19 5:35 p.m. on April 20? 20 A. That's correct. 21 Q. OK. 22 Mr. Schulte's workstation was used to revert back to the April 23 20 snapshot of Confluence, correct? 24 A. That's correct. 25 Q. And that is the snapshot called BKUP, correct? And then, according to all of you, at about 6:51 p.m., SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1165 K2cWsch4 Leedom - Cross 1 A. Correct. 2 Q. OK. 3 time period on April 20 between 5:35 p.m. and 6:51 p.m. 4 A. OK. 5 Q. And just to make it easy on you, me and everyone else, 6 let's just call that the reversion period. 7 A. OK. 8 Q. And just to be sure you and I understand reversion the same 9 way, that is roughly the time when Mr. Schulte, according to 10 you, went to the April 16 snapshot and then returned back to 11 the 4/20 snapshot? 12 A. That's correct. 13 Q. OK? 14 A. That is the time, yes. 15 Q. Now, you and I agree, right, that Mr. Schulte did not 16 create the April 16 snapshot? 17 A. That's correct. 18 Q. The April 16 snapshot was created by a team of CIA 19 employees who came in to the CIA on that Saturday, April 16, 20 and created the snapshot, correct? 21 A. Correct. 22 Q. That was Jeremy Weber, is that right? 23 A. Yes. 24 Q. Mr. Tim, right? 25 A. Uh-huh. Now, let's see if we can focus your testimony to the OK? OK? Right? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1166 K2cWsch4 Leedom - Cross 1 Q. And David? 2 A. Correct. 3 Q. By the way, have you met Mr. Weber? 4 A. I have, yes. 5 Q. And have you met Mr. Tim? 6 A. I don't believe I've met Tim. 7 Q. And how about Mr. Dave? 8 A. I have met Dave. 9 Q. And to stay focused, and back to this issue, this reversion 10 is the time that the government claims that Mr. Schulte 11 accessed the Confluence backup file, correct? 12 A. That's correct. 13 Q. And this Confluence backup file was on the Altabackup, 14 correct? 15 A. Correct. 16 Q. And according to you and the government, shortly afterward, 17 during this reversion period, the theory is that he also 18 accessed the Stash backup file, correct? 19 A. That would be correct. 20 Q. And both of you -- or all of you claim that he did this, 21 right, also by accessing the Altabackup? 22 A. Correct. 23 Q. So in essence, all of you agree that this period of time is 24 basically your crime-scene time, correct; this is the time of 25 the crime? Right? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1167 K2cWsch4 Leedom - Cross 1 A. Correct. 2 Q. This is when, according to all of you, he's stealing the 3 data; this is the heist period -- you go to a bank, you heist 4 it, heist period -- he's heisting it, correct? 5 A. Correct. 6 Q. And I'm assuming that you don't disagree with their theory. 7 Correct? 8 A. Correct. 9 Q. Let me see if I can pull up for you Government Exhibit 10 1207-27 and Government Exhibit 1207-30. 11 going slower than normal, but this is not my bailiwick. 12 So just bear with me. 13 A. No. 14 Q. There are many columns here, and the government has shown 15 you these two exhibits several times, is that correct? 16 A. That's correct. 17 Q. And you see that column that's titled "name"? 18 A. Yes. 19 Q. OK. 20 A. So, this is the name of the backup file. 21 looked at the script, this name is generated based on that. 22 there's the time the file was made. 23 service and then whether it's the database or the home folder. 24 Q. 25 files these names, correct? OK. I apologize if I'm OK? You're fine. Just tell me, what exactly do these names mean to you? If -- when we So There's the name of the So it's fair to say that you don't know who gave these They're just names to you; right? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1168 K2cWsch4 Leedom - Cross 1 A. No. 2 Q. Right. 3 correct? 4 A. Oh, correct. 5 Q. OK. 6 They were named by the backup script. There's not a human being who gave them the names, That's what I meant. Now, next to this column is a column that reads "date 7 modified," right? 8 A. That's correct. 9 Q. And there's a date modified on 1207-27 and there's a date 10 modified on 1207-30, correct? 11 A. Yes. 12 Q. And then next to that is a file type for each one of these 13 things, right? 14 A. Correct. 15 Q. There's a SQL file and a win -- I know you're particular, 16 so is it R-A-R or RAR? 17 A. WinRAR archive. 18 Q. SO those are the TWO types of files on Government Exhibits 19 1207-27 and 1207-30, correct? 20 A. That's correct. 21 Q. And then the column after that tells you the date these 22 files were accessed, right? 23 A. That's incorrect. 24 Q. Oh, I skipped size. 25 correct? How do you say that? It tells you the size of the files, SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1169 K2cWsch4 Leedom - Cross 1 A. Yes. 2 Q. My bad. 3 A. That's all right. 4 Q. And then after that it tells you the date on which these 5 files were accessed, right? 6 A. Correct. 7 Q. And the last column tells you that these are the dates 8 these files were created, right? 9 A. That's correct. 10 Q. OK. 11 understand it a little better. 12 documents are simple Word documents, like a list that I made at 13 home. 14 A. Uh-huh. 15 Q. I don't know, a list of food items I wanted to buy or shoes 16 I wanted to buy, or whatever it is, books, whatever. 17 A. Uh-huh. 18 Q. I make a list. 19 I save it to documents on my computer. 20 A. Correct. 21 Q. And the date created is the date that I first made that 22 list, right? 23 A. For the, like, date-created column? 24 Q. Yeah. 25 A. Uh, yes. Sorry. Now, I'm just going to see if I can simplify this to Just imagine these two OK? OK. I put the Word document and I save it. Correct? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1170 K2cWsch4 Leedom - Cross 1 Q. Right. That's the date I first decided to make my shopping 2 list, correct? 3 A. Correct. 4 Q. Right. 5 that I either read my list or make a change to my list, 6 correct? 7 A. That's correct. 8 Q. That's the date modified, correct? 9 A. Uh -- reading it may not update the modified time, but OK. And then the date modified is a day or date 10 changing the content of it will. 11 Q. 12 the time, but if I change it it will change the time; that's 13 your testimony? 14 A. For the modified column? 15 Q. Yes. 16 A. It depends. 17 Q. OK. So you don't know? 18 A. No. It depends. 19 Q. OK. And then the date accessed would be the very last time 20 I read or saved that document, correct? 21 A. That's accurate. 22 Q. OK. 23 check what items are on my list, that's the date accessed that 24 will save, correct? 25 A. OK. So you don't think that if I read it it will change So the very last time that I go into the list and To some extent, yes. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1171 K2cWsch4 Leedom - Cross 1 Q. What do you mean some extent? 2 A. Well, so, the access time could be, like, the time it was 3 created if you were, like, putting the file on the server. 4 Q. 5 I have. 6 it saves with a new date as being accessed, correct? 7 A. Correct. 8 Q. And neither in your chart or my hypothetical is there a 9 column that says date copied, correct? I don't have a server. This is a simple Word document that The date I access it, if I open it and I re-save it, 10 A. Correct. 11 Q. There is no column that says date copied on 1207-27, 12 correct? 13 A. Correct. 14 Q. And there is no date copied on 1207-30, correct? 15 A. Correct. 16 Q. And all that this tells you is that someone -- you've 17 identified for yourself who, but someone opened or read or 18 accessed that column, correct? 19 A. Yes. 20 Q. OK. 21 anyone ever copied that file, correct? 22 A. Uh, that's not entirely accurate. 23 Q. Well, OK. 24 it. 25 A. So the accessed time alone does not tell you at all if Tell me how it tells you that somebody copied Well, the access -SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1172 K2cWsch4 Leedom - Cross 1 Q. Just listen to my question, please. OK? 2 A. Uh-huh. 3 Q. My question is, looking at the two exhibits -- 4 A. Uh-huh. 5 Q. -- putting aside the theory you all have floated for 6 yourselves -- 7 A. Uh-huh. 8 Q. -- just looking at the column, looking at the log -- 9 A. Uh-huh. 10 Q. -- does it tell you whether or not it was copied? 11 A. It could. 12 Q. Does it, sir? 13 subway and I say Mr. Expert, can you tell me if any of these 14 files were copied, you couldn't tell me, right? 15 A. That's inaccurate. 16 Q. Looking at these logs you can tell me if it's copied? 17 me how. 18 A. 19 difference between can't say that it was copied at all or could 20 have been copied. 21 copying. 22 Q. Really? 23 A. Yes. 24 Q. You think there's a difference in telling me it could have 25 been done, maybe it was done, perhaps it was done, and it was If I showed this to you, ran into you on a I can tell you that it could have been copied. Tell There's a The access time can be updated from file SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1173 K2cWsch4 Leedom - Cross 1 done, right? 2 A. Or it was not done. 3 Q. Those are very different things, right? 4 A. Correct. 5 Q. Or not done, correct? 6 A. Correct. 7 Q. So you can't tell me it was done, correct? 8 A. Correct. 9 Q. You can't tell me it wasn't done, correct? 10 A. That's correct. 11 Q. Right. 12 document showed you. 13 one -- Confluence blah, blah, blah-625 TGZ. 14 me is the date accessed that shows on the document, right? 15 A. That is correct. 16 Q. And if I could go back to the first two, 1203-54, if you 17 look at the timings here and you look at the timing of the 18 disconnected San Disk, the disconnected San Disk is at 5:22? 19 A. You can't tell. All you can tell is what that It showed you -- let's just randomly pick All you can tell Yes, that is correct. 20 MS. SHROFF: OK. Let's go back to the other one, to 21 the access log. 22 Q. Do you see anything there before the disconnect on 5:22? 23 A. Before? 24 Q. No, right? 25 A. No. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1174 K2cWsch4 Leedom - Cross 1 Q. OK. So the San Disk's already out? 2 A. That is correct. 3 Q. OK. So now your theory about it being copied -- 4 MS. SHROFF: 5 OK. You know what? I'll withdraw that. You can take that one down. 6 Q. Now, let me ask you something. You testified about the 7 ways that a computer can copy a file, right? 8 A. Uh, I believe so. 9 Q. OK. And as an expert, you would be able to agree with me 10 that one way to copy a file is to use what is called a copy 11 command, correct? 12 A. That is -- that is correct. 13 Q. Right. 14 computer savvy, a command is just telling the computer what you 15 want it to do, right? 16 A. Yes, that's correct. 17 Q. And the command is called an SCP command? 18 A. That's a different type of command. 19 Q. OK. 20 correct? 21 A. Yes, it is. 22 Q. And we've already established for all of us that Linux is 23 just like Word, just some people use Linux, right? 24 A. Yes. 25 Q. OK. And just for those of us who are not all that An SCP command is a command that's run on Linux, So the SCP command is a command that allows you to SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1175 K2cWsch4 Leedom - Cross 1 copy a file on Linux, right? 2 A. It's a little more complicated than that, but yes. 3 Q. Isn't it a command that lets you copy a file from Linux? 4 A. Yes. 5 Q. OK. 6 analysis -- for the last three years, right? 7 if there was any copy command, right? 8 A. On the server, yes. 9 Q. Everywhere. 10 A. Yes. 11 Q. You looked, right? 12 A. Yes. 13 Q. OK. 14 A. Yes. 15 Q. OK. 16 A. Uh, I'm sure there were copy commands used all over the 17 network. 18 Q. 19 that would allow you to sit here and testify that you have any 20 forensic indication of a file actually being sent a command to 21 copy. 22 it's clear now. 23 A. 24 referring -- 25 Q. And you looked when you were doing your forensic You looked to see I mean, you really looked, right? Did you find a copy command? Come on. Sir, I'm asking you if you found any copy command You know that's my question, and if it wasn't clear, Did you find such a command? No, not in respect to the Altabackup, which I think you're We're only talking about the Altabackups, right? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1176 K2cWsch4 Leedom - Cross 1 A. Well -- 2 Q. Did you find -- 3 A. I'm sorry. 4 Q. Did you find any -- 5 (Counsel conferred) 6 Q. Mr. Zas is kind enough to ask me to remind you that we're 7 still talking of that time period where I told you that we were 8 talking about that reversion period. 9 A. Yes. 10 Q. OK. 11 A. The answer to your question's no. 12 Q. You found no copy command, right? 13 A. I believe so, yes. 14 Q. No, no. 15 A. I'm sorry. 16 Q. Yes or no. 17 A. Yes. 18 Q. Yes, you found none? 19 A. Correct. 20 Q. They asked you to look to see if there was a copy command 21 during the reversion period, correct? 22 A. Correct. 23 Q. You wanted to find a copy command during the reversion 24 period, correct? 25 A. Right? That's correct. "I believe so" is a hard answer for me. You found none, right? Yes. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1177 K2cWsch4 Leedom - Cross 1 Q. And you did not find one, correct? 2 A. That's correct. 3 Q. How long, according to you, was the reversion period? 4 A. Uh, it was over an hour. 5 minutes, I think. 6 Q. 7 time after, there's no forensic indication of any copy command, 8 correct? 9 A. Do you mean during? 10 Q. Just the reversion period. 11 A. OK. 12 13 And for that hour and 20 minutes, the time before and the No. MS. SHROFF: THE COURT: 15 MS. SHROFF: 16 THE COURT: 18 Your Honor, would this be a good time for our lunch break? 14 17 Maybe like an hour and 20 Yes. Thank you. We'll take our luncheon break now and resume at 1:30. (Continued on next page) 19 20 21 22 23 24 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1178 K2cWsch4 1 (Jury not present) 2 THE COURT: 3 You're on cross-examination now, so don't be talking to anybody on the government's trial team. 4 THE WITNESS: 5 THE COURT: 6 (Luncheon recess) Yes, sir. See you at 1:30. 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1179 K2C3SCH5 Leedom - Cross 1 AFTERNOON SESSION 2 1:30 p.m. 3 (In open court; jury not present) 4 MR. ZAS: Your Honor, just one quick matter. You 5 remember yesterday we talked about a possible instruction on 6 experts? 7 THE COURT: 8 MR. ZAS: 9 Yes. At this point in the case rather than at the end? 10 THE COURT: 11 MR. ZAS: Yes. I conferred with the government. I think 12 we're in agreement that a good time might be at the completion 13 of this witness's entire testimony. 14 THE COURT: I'm reconsidering whether I've got to 15 issue an instruction at all, and save it for when I give the 16 instructions at the end of the case. 17 Bring in the jury. 18 MR. ZAS: 19 THE COURT: 20 (Continued on next page) We prefer it now just because -Bring in the jury. 21 22 23 24 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1180 K2C3SCH5 Leedom - Cross 1 (Jury present) 2 THE COURT: 3 MS. SHROFF: All right, Ms. Shroff. Thank you, your Honor. 4 BY MS. SHROFF: 5 Q. 6 not, that you found no evidence of a copy command on 7 Mr. Schulte's desk top for the reversion period. 8 A. That's correct. 9 Q. Is it also true, and forensically accurate, that during the Now, sir, before we broke for lunch, you testified, did you Correct? 10 reversion period you found no forensic evidence of any storage 11 device connected or being connected to Mr. Schulte's 12 workstation, correct? 13 A. That's correct. 14 Q. And when we're talking about a storage device, we mean 15 something that would allow a person to exfiltrate data from one 16 place to another; is that correct? 17 A. Correct. 18 Q. To exfiltrate data, just so we're all clear, is to take 19 data or information out of a network or a computer, correct? 20 A. That's correct. 21 Q. So to exfiltrate data, you would actually need removable 22 media, correct? 23 A. Not necessarily. 24 Q. If it was an air gapped network, you would need removable 25 media, right? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1181 K2C3SCH5 Leedom - Cross 1 A. Yes. 2 Q. Okay. 3 period of 5:35 p.m. and 6:51 p.m., sir, you did not see any 4 evidence whatsoever of any removable media connected to 5 Mr. Schulte's workstation, correct? 6 A. Correct; yes. 7 Q. Let me ask you a quick question. 8 the April 20 dates and the logs, correct? 9 A. Correct. 10 Q. You looked and you focused on times and dates created and 11 times and dates accessed, correct? 12 A. I believe so. 13 Q. Right. 14 correct? 15 A. Yes. 16 Q. And by the way, do you know what a touch command is? 17 A. Yes, I do. 18 Q. What's a touch command? 19 A. The touch command is a command in Linux that you can use to 20 create new files. 21 files as well. 22 Q. 23 stamps, correct? 24 A. 25 times, but not the see time. Just want to be crystal clear. Between the time When you were looking at And then you looked at all the timings on a file, You can also use it to edit time stamps for When you say "edit time stamps," you mean change time Yeah, I believe you can change them, modify and access SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1182 K2C3SCH5 Leedom - Cross 1 Q. But when you say modify, change -- what was the other word 2 you used? 3 A. I think that was it. 4 Q. Okay. 5 the time that a file shows at the time it was accessed, right? 6 A. It can be used for that, yes. 7 Q. Right. 8 that the CIA has, at least in the EDG group, at least 200 9 developer, correct? So that means you can use a touch command, change By the way, you would agree with me, would you not, 10 A. That's accurate. 11 Q. Right? 12 A. Yes. 13 Q. Talented people, correct? 14 A. Yes. 15 Q. Smart people, correct? 16 A. Yes. 17 Q. All 200 know what a touch command is, right? 18 A. I don't know about that. 19 Q. Really? 20 what a touch command is? 21 You have doubts that somebody at the CIA knows Okay. Now, sir, you did not know Mr. Schulte on April 20, 22 correct? 23 A. No, I did not. 24 Q. And you were not at the CIA on April 20, correct? 25 A. No. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1183 K2C3SCH5 Leedom - Cross 1 Q. 2016, 2017, at all, correct? 2 A. No. 3 Q. Never saw him walk out with a removable device, correct? 4 A. No, I did not. 5 Q. Never saw him with a thumb drive walking out of the CIA, 6 correct? 7 A. No. 8 Q. You have no idea what the physical security was at the CIA 9 on April 20, 2016, until November 10, 2016, correct? 10 A. That's incorrect. 11 Q. 2016? 12 A. I was not, no. 13 Q. So you have no personal knowledge of what it was like, 14 correct? 15 A. From firsthand experience, no. 16 Q. Right. 17 A. Oh. 18 Q. Do you have personal knowledge, sir? 19 A. No. 20 Q. All you know is what somebody told you, correct? 21 A. That's correct. 22 Q. Everything somebody told you either came from the FBI, 23 correct? 24 A. Correct. 25 Q. Or the CIA, correct? You were there in April of 2016? That's personal knowledge. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1184 K2C3SCH5 Leedom - Cross 1 A. That's correct. 2 Q. Okay. 3 at the CIA, correct? 4 A. Correct. 5 Q. And there are many removable media that people at the CIA 6 use, correct? 7 A. Yes, that's correct. 8 Q. They use thumb drives? 9 A. Correct. 10 Q. Over and over again, right? 11 A. Yes. 12 Q. Right. 13 A. In some cases, yes. 14 Q. Right. 15 A. Correct. 16 Q. And then if there is a problem, you start over, correct? 17 A. Yes. 18 Q. Okay. 19 the thumb drive, right, if it doesn't work? 20 A. I don't know. 21 Q. You assume not? 22 A. Well, I didn't develop the tools myself. 23 Q. Oh, God no, but you spent hours and hours talking to these 24 people about developing tools, correct? 25 A. Now, you've talked a lot about all the work you did You use the thumb drive to create malware, correct? You test it out, correct? Every time you create malware, you don't throw out I would assume not. Yes. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1185 K2C3SCH5 Leedom - Cross 1 Q. Is it fair to say, sir, that one of the ways to erase a 2 thumb drive is what we call or you called zeroing a thumb 3 drive, correct? 4 A. I didn't use that term specifically, but yes. 5 Q. Zeroing a thumb drive means you delete every single file 6 from the thumb drive, right? 7 A. It's more in depth than that, but yes. 8 Q. It's not really more in depth than that. 9 there is zero file strokes on a disc. It just means That's it, right? 10 A. Yes. 11 Q. I think all the tech people -- never mind. 12 that. 13 I'll withdraw It is a fancy way of saying that you want to make sure 14 that when you use that thumb drive again, there's nothing on 15 it, right? 16 A. Correct. 17 Q. Okay. 18 would a developer zero a thumb drive? 19 A. I have no idea. 20 Q. Okay. 21 A. Not on that network, no. 22 Q. But -- on any network. 23 A. I do software development. 24 Q. Right, and you would zero a thumb drive before you reuse 25 it, right? And let me ask you this. How many times in a day That's because you're not a developer? It's just common practice, correct? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1186 K2C3SCH5 Leedom - Cross 1 A. It depends. 2 Q. Okay. 3 new project without zeroing it? 4 A. Yes. 5 Q. Why? 6 A. Like I said, I don't develop USB tools. 7 Q. Okay. 8 A. It really depends. 9 Q. Say it again? 10 A. It depends. 11 Q. Okay. 12 physically examine any thumb drives that Mr. Schulte used? 13 A. 14 them, but I had forensic images of them. 15 Q. You had a full forensic image, correct? 16 A. That's correct. 17 Q. How many thumb drives did you have a full forensic image 18 of? 19 A. A lot. 20 Q. A lot. 21 A. Over the network, there were -- dozens. 22 Q. Right, and you had physical -- I mean, you had access to 23 every one of those mirror images, correct? 24 A. Yes. 25 Q. In fact, you had access to the mirror images of almost You would reuse a thumb drive in starting a brand If you were developing a USB tool, you'd zero it? When you examined -- did you by any chance actually I had images of those thumb drives. I've seen pictures for How many is a lot? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1187 K2C3SCH5 Leedom - Cross 1 every network and every computer that you needed from the CIA, 2 correct? 3 A. Yes. 4 Q. And that very much informed your expert opinion here, 5 correct? 6 A. Correct. 7 Q. By the time you examined the -- let me call them the 8 Schulte thumb drives, okay? 9 A. Hmm-hmm. 10 Q. How many months had he been gone from the CIA? 11 A. Who? 12 Q. He had left the CIA by the time you examined them, correct? 13 A. Oh, the defendant? 14 Q. Yes. 15 A. Yes. 16 Q. I'm only talking about Mr. Schulte here. 17 A. Hmm-hmm. 18 Q. Okay. 19 in his desk drawer? 20 A. 21 physically see them myself. 22 Q. You didn't see them yourself? 23 A. No. 24 Q. For all you know, he just left them in his desk and left, 25 right? And by the way, where did you find the thumb drives I don't remember where they were found. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 I didn't 1188 K2C3SCH5 Leedom - Cross 1 A. Yes. 2 Q. You just don't know? 3 A. Yeah, I don't know. 4 Q. Let's see if we can move on to Government Exhibit 1203-18. 5 Let me know when you're ready. 6 A. I'm ready. 7 Q. Okay. 8 squiggly thingy closed brackets DF-H? 9 A. Yes. 10 Q. Okay. 11 that highlighted portion, correct, on direct? 12 A. 13 sorry. 14 Q. You didn't cover it? 15 A. The black highlighted portion. 16 Q. You covered the portion that I'm not covering. 17 A. That's correct. 18 Q. I'm covering the portion you didn't cover. 19 A. Sure. 20 Q. Okay. 21 me that it is a simple command used to see how much disc space 22 is free? 23 A. That's correct. 24 Q. Okay. 25 correct? So you see that thing that says root@OSB colon And when you were testifying, you testified about I don't believe we covered the DF command. But, oh, I'm And this, this command, right, would you agree with And this is a very typical run-of-the-mill command, SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1189 K2C3SCH5 Leedom - Cross 1 A. Correct. 2 Q. It is just a normal, regular run-of-the-mill command that 3 any system administrator would take, right? 4 A. That's correct. 5 Q. And this is just to see if there is free disc space, right? 6 A. Correct. 7 Q. And it has absolutely zero to do with copying of any data, 8 correct? 9 A. That's correct. 10 Q. Okay. 11 look, if we may, to Government Exhibit 1063. 12 wrong number. 13 You can take that down. Slide 70. Let's see if we can take a This is it? I must have the Sorry. You read that before, right? 14 A. Yes, I did. 15 Q. And you would agree, would you not, that a simple way to 16 test out if your keys are or are not working is to just try to 17 login somewhere, correct? 18 A. Yes, that's correct. 19 Q. Okay. 20 were revoked is to see if your keys are working again, correct? 21 A. Yes, that's correct. 22 Q. Okay. 23 adequate test for seeing whether or not your keys have been 24 removed? 25 A. One of the ways to make sure that your keys are or Would it be proper to try to use your keys as an Yes, it would. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1190 K2C3SCH5 1 Q. Leedom - Cross Right. 2 And that is in fact -- you can take that one down. That is in fact what your friend Mr. Weber did on 3 April 16, correct? 4 A. Yes. 5 Q. Okay. 6 keep records of whatever removable device is inserted or 7 removed into them? 8 A. Yes, that's true. 9 Q. And you, not you, only you, but a computer would keep track Is it fair to say that computers or workstations 10 of when a foreign disc is inserted in, correct? 11 A. Correct. 12 Q. And when it's pulled out, correct? 13 A. Correct. 14 Q. Now, I am just going to go back for a minute -- I'm sorry 15 to jump around -- to that Sandisk that you testified to. 16 A. Sure. 17 Q. Okay. 18 jury, do you know the size of that Sandisk? 19 A. Yes, I do. 20 Q. What is it? 21 A. I believe it's 64 gigabytes. 22 Q. You believe? 23 A. Yes. 24 Q. Okay. 25 A. Yes. Sitting here today, could you tell me, tell the Was there a 64 gigabyte in 2016? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1191 K2C3SCH5 Leedom - Cross 1 Q. How much data do you think you could load on to that, if in 2 fact it was not disconnected, which it was, and didn't have a 3 write block? 4 A. A little bit less than 64 gigabytes. 5 Q. And 64 gigabytes is, what, a quarter of what the government 6 is alleging was stolen, correct? 7 A. That's correct. 8 Q. It's not even a quarter, it's less than a quarter, right? 9 A. That's accurate. 10 Q. Okay. 11 right? 12 A. No. 13 Q. By the way, do you have any knowledge of how a tool gets 14 compromised? 15 A. By a tool, do you mean like a tool from EDG? 16 Q. Yeah. 17 A. Like, academically, but not like first hand. 18 Q. You don't know, right? 19 A. No. 20 Q. You don't know how many tools in the WikiLeaks disclosure 21 were or were not compromised, correct? 22 A. That's correct. 23 Q. Right. 24 which of the CIA's tools were compromised, correct? 25 certainly don't know, right? No way it would have fit on that little thumb drive, And in fact, you don't know if anyone else knew SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 You 1192 K2C3SCH5 Leedom - Cross 1 A. That's accurate, yes. 2 Q. Now, you testified and I think Mr. Laroche covered this 3 with you, this concept of unallocated space, right? 4 A. Yes. 5 Q. Unallocated space is just basically space that someone's 6 not using, correct? 7 A. That's a fair statement, yes. 8 Q. Right? 9 A. Hmm-hmm. 10 Q. Right. 11 space, right? 12 A. Yes. 13 Q. Any given workstation, there is unallocated space, correct? 14 A. Correct. 15 Q. In fact, if one of us went home tomorrow and decided to 16 find out if we had unallocated space on our computers, we would 17 be able to find that too, correct? 18 A. Correct. 19 Q. It is a person's job, if they are maintaining a system, to 20 make sure that there is ample unallocated space, correct? 21 A. If you wanted free space to store your files, yes. 22 Q. Well, don't you need free space to develop work? 23 A. Yes. 24 Q. You need free space to do work, correct? 25 A. Correct. That's all it is? So on any given network, there is unallocated SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1193 K2C3SCH5 Leedom - Redirect 1 Q. And we're all in the business of doing work, right? 2 A. Yes. 3 Q. You need unallocated space, right? 4 A. Yes. 5 6 MS. SHROFF: I have nothing further, your Honor. Thank you. 7 THE COURT: 8 MR. LAROCHE: 9 Mr. Laroche. Thank you, your Honor. REDIRECT EXAMINATION 10 BY MR. LAROCHE: 11 Q. 12 Ms. Shroff related to how this investigation was conducted. 13 A. Yeah, that's correct. 14 Q. Let me just ask you, was it a foregone conclusion that 15 Mr. Schulte was going to be charged in this case? 16 A. No. 17 Q. Why don't we talk through what happened at the beginning of 18 this investigation. 19 A. Sure. 20 Q. Now, you said that you were deployed to CCI; is that 21 correct? 22 A. That's correct. 23 Q. Can you tell us, when you first got there, what were some 24 of the things you did at CCI? 25 A. Mr. Leedom, you were asked a number of questions by No, it wasn't. So, we first arrived on site and we were just kind of SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1194 K2C3SCH5 Leedom - Redirect 1 trying to figure out how to -- we had a lot of people, so we 2 had to find a way to get them to work together and start 3 looking at the data. 4 the physical, like, imaging of computers. 5 started that process before I got there. 6 like, taking the physical hard drives and turning it into an 7 image that analysts can look at. 8 up that process, and we were trying to figure out a way to 9 tackle the large volume of data. 10 The FBI has a group that actually does So they came and had So, essentially, So, they were still finishing And myself, specifically, I was looking at it from an 11 incident response perspective. So, I didn't know at the time, 12 like, who may or may not have done it or even honestly what had 13 happened. 14 were given, and just see if there were any kinds of like 15 evidence of intrusion activity, or any kinds of like root kits 16 on the system, things like that. 17 first few weeks went for me. 18 Q. What type of intrusion activity were you looking for? 19 A. Specifically knowing it is the CIA, and like, obviously, 20 like, a nation state type activity. 21 Q. Is Mr. Schulte a nation state? 22 A. No, he's not. 23 Q. Why were you looking for nation state activity? 24 A. Because we, like I said, we didn't really know, at least I 25 wasn't like told initially, who or what they thought had So, my main concern was to look at the machines we That was kind of how the SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1195 K2C3SCH5 Leedom - Redirect 1 happened. So I was just looking at it kind from an outsider's 2 perspective what could have happened to the network. 3 Q. 4 administrators and you were cut off? 5 A. That's correct. 6 Q. Can you say what you were trying to say about the review of 7 the administrators' computers? 8 A. 9 to realize, like, what had been taken, and that it related to 10 some of what could have been the backup files or the stuff on 11 the ESXi server, we knew that those were kind of, like, since 12 they were servers, they were run by the administrators. 13 the, you know, first people on the list of people to see who 14 had access to it, of course, were these administrators. I think a few times you started to say reviewing the Shortly after going into the investigation, when we started 15 So we tracked these people down. So Several of them have 16 testified already. And those were the first machines that got 17 pulled to get looked at to start looking to see what happened. 18 Q. Why were you looking at the administrators' computers? 19 A. A normal user on the network wouldn't have the access 20 required to, you know, get in some of these different services. 21 Q. 22 the regular users' computers as part of this investigation? 23 A. Yes. 24 Q. Was that beyond Mr. Schulte? 25 A. Oh, yes. Let's talk about the regular users. Did the FBI look at SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1196 K2C3SCH5 Leedom - Redirect 1 Q. How far beyond Mr. Schulte? 2 A. A lot. 3 it was a very technically challenging problem to analyze and 4 review all of those machines thoroughly. 5 Q. Why? 6 A. When you have -- I don't remember the exact numbers, but it 7 was certainly -- like, we had over thousands and thousands of 8 terabytes worth of data from this network. 9 you know, you have hundreds of workstations, some users had There were, there were a lot of machines, it was -- I mean, imagine, 10 more than one workstation, and you have to look at all to try 11 and figure out, you know, what's useful, what's not. 12 Q. 13 administrators. 14 log files as part of their work at CCI? 15 A. None. 16 Q. You were asked a number of questions about this USB device. 17 A. Yes. 18 Q. If I recall your presentation, that was activities that 19 happened before 5:30 p.m., is that correct? 20 A. That's correct. 21 Q. Which slide of your presentation says that the data was 22 stolen on that USB device? 23 A. There's no slide that says that. 24 Q. Why not? 25 A. Because I don't believe that's what happened. On those other machines, let's just focus on the How many of the other administrators deleted SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1197 K2C3SCH5 Leedom - Redirect 1 Q. Why is that? 2 A. I did a lot of USB forensics on the machine, and also 3 reviewed the logs that we showed, and you know, and as 4 Ms. Shroff pointed out, the drive itself is only 64 gigabytes. 5 It would not have held all the data. 6 Q. 7 withdrew, and I think I knew the question she was going to ask, 8 and I am going to ask it to you. I think Ms. Shroff started to ask you a question that she 9 MS. SHROFF: 10 THE COURT: 11 MS. SHROFF: 12 Objection. How would he know? He is a good guesser. I think you should sustain that objection. 13 MR. LAROCHE: I'll ask the question. 14 Q. Does the fact that that USB device was removed before the 15 reversion change your opinion that the defendant copied those 16 backup files on April 20, 2016? 17 A. No, it does not. 18 Q. Why not? 19 A. Because of all of the other surrounding evidence. 20 the logged deletions, we have the access on the server, and 21 things like that. 22 other ways you can steal files from the network. 23 Q. 24 with the defense; do you remember that? 25 A. That's much more telling. We have There's many Now, you were asked a question about whether you consulted Yes. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1198 K2C3SCH5 Leedom - Redirect 1 Q. You initially said yes? 2 A. Yes. 3 Q. Did there come a time when you agreed to meet with the 4 defendant's expert? 5 A. Yes. 6 Q. Do you see that individual in the courtroom today? 7 A. Yes, I do. 8 Q. Has he been here throughout the case? 9 A. Yes, he has. 10 Q. Who is that? 11 A. Mr. Bellovin. 12 Q. Why did you agree to meet with the defendant's expert in 13 this case? 14 A. 15 So, I went to speak with him just to kind of come to common 16 ground and figure out what we had that defense had wanted, and 17 what we could provide and what was available. 18 Q. 19 right? The discovery process was obviously difficult in the case. Fair to say to try to assist him in this case; is that 20 MS. SHROFF: 21 THE COURT: Objection. Overruled. 22 Q. Fair to say you were trying to assist him in this case; 23 isn't that correct? 24 A. That's correct. 25 Q. You were asked a number of questions about a copy command. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1199 K2C3SCH5 Leedom - Redirect 1 Isn't that right? 2 A. Yes. 3 Q. And whether you found a copy command on the system during 4 the reversion; is that correct? 5 A. That's correct. 6 Q. You were also asked a number of questions about logs 7 relating to storage devices. 8 A. Yes. 9 Q. And whether you found logs related to storage devices Correct? 10 during the reversion? 11 A. Correct. 12 Q. Can you just summarize for us the different types of logs 13 that the defendant deleted on April 20, 2016? 14 A. 15 pretty much all the core system logs for the server. 16 would have shown all the things Mr. Laroche mentioned, and, of 17 course all, you know, basic system activities at the time. 18 It's hard to say what is there because it's all gone. 19 that's the type of basic activity. 20 Yes. So, the defendant deleted from the server itself So it But, And then from the virtual machine itself, the same 21 types of logs, specifically, connections to the virtual 22 machine, things like that. 23 Q. 24 a copy command. 25 A. Would those types of logs have assisted you in identifying Yes, they would have. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1200 K2C3SCH5 Leedom - Redirect 1 Q. Would those types of logs have assisted you in identifying 2 a storage device? 3 A. Correct, they would have, yes. 4 Q. The other thing that the defendant did on the 20th was, 5 after the reversion was over, he reverted back to the bkup 6 snapshot; is that correct? 7 A. That's correct. 8 Q. Did that have any effect on your ability to review his 9 activities during that time? 10 A. It had a significant effect. 11 Q. What effect did it have? 12 A. All the activity during the one-hour reversion period was 13 erased. 14 Q. 15 command. 16 A. I do. 17 Q. You were asked whether that was a regular command to be run 18 by a system administrator? 19 A. Yes. 20 Q. What about all the log deletions on April 20, 2016. 21 that a regular command to run by an administrator? 22 A. No. 23 Q. Why? 24 A. The only time as an administrator that you would delete 25 logs is if they're too big to fit on the machine you're storing You were also asked about an administrative command, DF-H Do you recall that? Is In fact, it's highly irregular. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1201 K2C3SCH5 Leedom - Recross 1 them on. And from the, I mean, the DF command we saw, even 2 there, just there was plenty of space on the ESXi server, and 3 those logs aren't very big. 4 file size of the files in the Confluence virtual machine 5 folder. 6 weren't deleted because of a size issue. 7 you would delete log files is to hide activity. We saw even in comparison to the That log folder is very tiny. So clearly, they The only other reason 8 MR. LAROCHE: No further questions. 9 MS. SHROFF: 10 THE COURT: 11 RECROSS EXAMINATION 12 BY MS. SHROFF: 13 Q. 14 file deleted from Mr. Schulte's workstation? 15 A. From his actual -- the host, the Windows workstation? 16 Q. Right. 17 deleted, correct? 18 A. Your Honor, may I just ask one question? Just this once. Am I correct, Mr. Leedom, that there was not a single log The workstation that he used, not a single file was I believe that's accurate. 19 MS. SHROFF: 20 THE COURT: 21 (Witness excused) 22 THE COURT: 23 MR. KAMARAJU: 24 25 Thank you. You are excused, Mr. Leedom. Call your next witness. The government calls Michael, your Honor. THE COURT: Okay. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1202 K2C3SCH5 Michael - Direct 1 MS. SHROFF: 2 THE COURT: 3 THE DEPUTY CLERK: 4 THE WITNESS: 5 (Witness sworn) 6 THE COURT: 7 MR. KAMARAJU: 8 Thank you for the question, your Honor. You're welcome. State your name for the record. Michael. Please sit down. Okay, Mr. Kamaraju. Thank you, your Honor. MICHAEL, 9 called as a witness by the Government, 10 having been duly sworn, testified as follows: 11 DIRECT EXAMINATION 12 BY MR. KAMARAJU: 13 Q. Good afternoon. 14 A. Hello. 15 Q. Sir, are you currently employed? 16 A. Yes. 17 Q. Where do you work? 18 A. The Central Intelligence Agency. 19 Q. What's the current status of your employment with the CIA? 20 A. I'm on paid administrative leave. 21 Q. Do you know why you're on paid administrative leave? 22 A. No. 23 Q. In 2016, were you also employed by the CIA? 24 A. Yes. 25 Q. Were you on administrative leave at that time? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1203 K2C3SCH5 Michael - Direct 1 A. I'm sorry, what was the question? 2 Q. Were you on administrative leave at that time? 3 A. No. 4 Q. At that time, in 2016, were you employed in any particular 5 part of the CIA? 6 A. Yes. 7 Q. What part were you working in? 8 A. I was working inside of IOC's Engineering Development 9 Group. 10 Q. Looking around the courtroom, do you see anyone who worked 11 with you at EDG in 2016? 12 A. Yes. 13 Q. Can you describe where he's sitting? 14 A. He's in the back table, over there behind the computer 15 monitor. 16 Q. Can you see an article of clothing he's wearing? 17 A. Black jacket. 18 It is difficult, but yes. MR. KAMARAJU: Your Honor, the government would ask 19 that the record reflect that the witness has identified the 20 defendant. 21 THE COURT: Yes. 22 MR. KAMARAJU: Thank you. 23 Q. Sir, you mentioned you were in EDG at the time, right? 24 A. Yes. 25 Q. When did you first meet the defendant? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1204 K2C3SCH5 Michael - Direct 1 A. In 2013. 2 Q. How did you come to meet him? 3 A. We worked together. 4 Q. Within EDG, were you in a particular branch at that time? 5 A. Yes. 6 Q. What branch was that? 7 A. The Operations Support Branch. 8 Q. How would you describe your relationship with the 9 defendant? 10 A. We were friends. We were similar in age. Probably the 11 only ones at that time that were similar to that age. 12 Q. Did you guys socialize? 13 A. Yeah, we would go to the gym after work, we would play 14 video games together. 15 Q. Did you ever go to his house? 16 A. Yes. 17 Q. I think you testified you hung out outside of work; is that 18 right? 19 A. Yes. 20 Q. Did you ever have arguments with him while at work? 21 A. Yes. 22 Q. Did those arguments ever result in any confrontations? 23 A. Yes. 24 Q. Did they ever turn physical? 25 A. Yes. We would hang out outside of work. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1205 K2C3SCH5 Michael - Direct 1 Q. Could you just describe generally what happened. 2 A. Sure. 3 him back with a rubber band. 4 late at night. 5 before he could hit me back. 6 his desk. 7 Josh was looking at me, kind of coming towards me. 8 something came over me and I just hit him. 9 Q. On that day, Josh hit me with a rubber band, I hit This went back and forth until I hit him with a rubber band and then ran away He trashed my desk. I trashed And then I was backed up against Jeremy's desk and And That kind of atmosphere, playing pranks on each other, was 10 that common in OSB at the time? 11 A. Yes. 12 Q. Did there come a time when the defendant stopped working 13 with you in OSB? 14 A. Yes. 15 Q. Was he still working within EDG? 16 A. Yes. 17 Q. Where in EDG was he working? 18 A. RDB. 19 Q. Did you still see the defendant after he moved to RDB? 20 A. Less so, but yes. 21 Q. What was the defendant's reaction to his move to RDB? 22 A. He was unhappy about it. 23 Q. Do you know why he was unhappy? 24 A. Because he felt like it was a punishment for reporting the 25 issue with Amol. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1206 K2C3SCH5 Michael - Direct 1 Q. How do you know he felt unhappy about it? 2 A. He told me. 3 Q. Do you know a person named Jeremy Weber? 4 A. Yes. 5 Q. How did the defendant feel about Jeremy Weber after he 6 moved to RDB? 7 A. He was unhappy with him. 8 Q. Generally speaking, what was the reason for that 9 unhappiness? 10 A. He -- there was an argument over a project. 11 bring this project with him to the new branch, and Jeremy did 12 not want him to bring that project. 13 Q. How did you know that the defendant was angry at Mr. Weber? 14 15 MS. SHROFF: A. Josh wanted to Objection. He told me. 16 THE COURT: Overruled. 17 A. He told me. 18 Q. Did you ever speak with Mr. Weber about the defendant's 19 anger? 20 A. Yes. 21 Q. What did you talk about? 22 A. We didn't talk about his anger per se. 23 that he should remove all of Josh's admin accesses. 24 Q. Why did you ask Mr. Weber to do that? 25 A. I felt like Jeremy was kind of, like, setting him up. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 But, I told Jeremy I 1207 K2C3SCH5 Michael - Direct 1 knew that Josh was mad at Jeremy, and that he was putting him 2 in a position where Josh had the ability or the access to 3 change permissions on the project in question. 4 would do that because he didn't respect Jeremy's authority. 5 Q. 6 authority? 7 A. 8 although he didn't have, like, an official title, he was just a 9 developer like any of us. And that he What do you mean when you say he didn't respect Jeremy's Jeremy was kind of looked at like a senior developer, But he was -- he had been there 10 longer than us, and he led some of our development teams. 11 Q. Did that bother the defendant? 12 A. Yeah, he didn't think it was fair that this person without 13 an official title was getting to make calls about, you know, 14 who should take a project and those types of things. 15 Q. 16 you working in OSB at that time? 17 A. Yes. 18 Q. And by that time, had the defendant been moved to RDB? 19 A. Yes. 20 Q. Generally speaking, how did you communicate with the 21 defendant at work? 22 A. After the move? 23 Q. Sure. 24 A. Via instant messaging systems. 25 Q. Have you heard of something called Same Time? I'd like to direct your attention to April 20, 2016. After the move. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Were 1208 K2C3SCH5 Michael - Direct 1 A. Yes. 2 Q. What's Same Time? 3 A. Same Time is the instant messaging system we use on our 4 high side system. 5 Q. 6 the classified system? 7 A. Yes. 8 Q. Did you ever Same Time with the defendant? 9 A. Yes. When you say high side, just for all of us, does that mean 10 MR. KAMARAJU: Ms. Hurst, can we publish Government 11 Exhibit 719 which is already in evidence. 12 Q. It should show up on your screen, sir. 13 A. I see it. 14 Q. All right. 15 A. This is a Same Time log between Josh and myself. 16 Q. What's the date of this exchange? 17 A. It is April 20, 2016. 18 Q. You see the first message there? 19 A. Yes. 20 Q. What time was that message sent? 21 A. 17:46:52. 22 Q. Who sent it? 23 A. Josh. 24 Q. What did he say? 25 A. "When's gym." What are we looking at here? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1209 K2C3SCH5 Michael - Direct 1 Q. Was that unusual for the defendant to ask you to go to the 2 gym? 3 A. No. 4 Q. How often did you go to the gym together? 5 A. Four days a week. 6 Q. How did you respond? 7 A. I responded later with a -- oh, I said, "When do you want 8 to go." 9 Q. You mentioned later. 10 A. 17:47. 11 Q. Did he respond to your question at that time? 12 A. No. 13 MR. KAMARAJU: What time did you send your response? Ms. Hurst, can we pull up just for the 14 witness and the parties and the Court Government Exhibit 1255. 15 Q. I think it's on your screen now, sir. 16 A. I can see it. 17 Q. It is a little difficult, so let's blow up the left side of 18 the screen. 19 A. Yes. 20 Q. How do you recognize it? 21 A. It is a screenshot I took. 22 Q. What is it a screenshot of? 23 A. It a screenshot of, in the bottom you can see a VM being 24 reverted and then a snapshot removed. 25 Q. Do you recognize what we're looking at? It is a screenshot of a computer screen? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1210 K2C3SCH5 Michael - Direct 1 A. Yes, of my computer screen. 2 Q. What date and time did you take this screenshot? 3 A. The date was April 20, and time was 6:56 p.m. 4 Q. What year was that? 5 A. 2016. 6 7 MR. KAMARAJU: Your Honor, the government would offer Government Exhibit 1255. 8 MS. SHROFF: 9 THE COURT: We have no objection. 1255 is received in evidence. 10 (Government's Exhibit 1255 received in evidence) 11 MR. KAMARAJU: If we can publish that, Ms. Hurst, and 12 let's just focus on that part of the screen. 13 Q. 14 "recent tasks"? 15 A. Yes. 16 Q. Maybe if we can, can we blow that section up. 17 starting at the left. 18 "name"? 19 A. Remove snapshot. 20 Q. What's next? 21 A. Revert snapshot. 22 Q. What does it list the status as? 23 A. Completed. 24 Q. And who is it initiated by? 25 A. Root. Let's look at the bottom there. Do you see under the title Just What's the first entry there under SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1211 K2C3SCH5 Michael - Direct 1 Q. If we could scroll over a little bit. What's the start 2 time listed there? 3 A. Of which one? 4 Q. The top one. 5 A. The top one is 6:55 p.m. 6 Q. Can we scroll back. 7 A. Revert snapshot. 8 Q. What's listed as the target? 9 A. The INF Confluence. 10 Q. What's the status? 11 A. Completed. 12 Q. And who initiated it? 13 A. Root. 14 Q. What's the requested start time? 15 A. 6:51 p.m. 16 Q. Did the revert snapshot task happen before the remove 17 snapshot task? 18 A. Yes. 19 Q. Why did you take this screenshot? 20 A. I was concerned that Josh was using his permissions to do 21 something wrong. 22 Q. Did you try to figure out what was going on? 23 A. Yes. 24 Q. Did you try to look at any log files? 25 A. Yes. What's the second entry? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1212 K2C3SCH5 1 Michael - Direct MR. KAMARAJU: If we could zoom back out a little bit. 2 Q. Were you able to look at any log files? 3 A. No. 4 Q. On this screenshot, where would the log files appear? 5 A. Right in the middle where there is an entry at the top that 6 says "log entry." 7 if there were any. 8 Q. 9 entry." This is where I believe the logs would be, On the top-left corner, if we can blow up the phrase "log Is that what you were referring to? 10 A. Yes. 11 Q. If you would be able to see log files, they would have 12 appeared here? 13 A. I believe so. 14 Q. Did that seem strange to you that there were no log files 15 there? 16 A. Yes. 17 Q. Why did you think it was strange at first? 18 A. Just because, a system managing this many VMs should have 19 lots of logs. 20 Q. 21 there? 22 A. I did some more digging, yes. 23 Q. What did you think as a result of your digging? 24 A. I remembered that this account that I was using was a 25 regular user account, and I couldn't remember if the regular At first this was strange to me. Did you try to find out why there weren't any log files SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1213 K2C3SCH5 Michael - Direct 1 user accounts had administrative permissions to view logs. 2 Q. 3 it? 4 A. No. 5 Q. Why not? 6 A. I think there were a few reasons. 7 with Jeremy, I had had that conversation with Jeremy about 8 removing Josh's accesses, and Jeremy at that point told me stay 9 out of it. Did you talk to anyone about this screenshot when you took One being I had talked In addition, also, I didn't know for sure what 10 this, what this screenshot was 100 percent. 11 100 percent certain. 12 up that was just nothing and then add to the drama. 13 I wasn't So I didn't want to -- to bring something MR. KAMARAJU: Ms. Hurst, can we go back to Government 14 Exhibit 719. 15 Q. You remember we were looking at this exhibit before? 16 A. Yes. 17 Q. The time of the message where you said "when do you want to 18 go." 19 A. Yes. 20 Q. You told us it was 17:47; is that right? 21 A. Correct. 22 Q. Does that translate to 5:47? 23 A. Yes. 24 Q. You testified before that you didn't get a response. 25 What's the next message in this exchange? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1214 K2C3SCH5 Michael - Direct 1 A. I messaged Josh. 2 Q. And what time did you message him? 3 A. At 18:32, 6:32. 4 Q. Why did you send him this message? 5 A. To ask if he was ready to go to the gym. 6 Q. Did he respond to this message on this system? 7 A. No. 8 9 MR. KAMARAJU: Exhibit 726, please. Ms. Hurst, can we publish Government This is in evidence. 10 Q. Do you recognize this? 11 A. Yes. 12 Q. Generally speaking, what is this? 13 A. It is a chat log between myself and Josh on our DevLAN 14 system. 15 MR. KAMARAJU: Can we go to page 10 of the exhibit, 16 please. 17 Q. 18 17:34:18 or 5:34:18 on April 19, 2016? 19 A. Yes. 20 Q. Who is Schuljo? 21 A. Josh. 22 Q. Do you see it says "I wait for you on Same Time"? 23 A. Yes. 24 Q. Is this system the same as Same Time? 25 A. No. Do you see a message sent by the user account Schuljo at SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1215 K2C3SCH5 Michael - Direct 1 Q. What's difference between the two? 2 A. This is our chat system that's on DevLAN, which is a 3 completely different environment where we did all of our 4 coding. 5 Q. 6 into your DevLAN system to use this chat system? 7 A. Yes. 8 Q. Can we turn to page 11. 9 April 20, at 18:35:39 or 6:35 p.m.? So, let me try to make that clear. 10 A. Yes. 11 Q. Who sent that message? 12 A. I did. 13 MR. KAMARAJU: You have to be logged Do you see a message sent on Maybe if we can blow it up, Ms. Hurst. 14 Q. What did you say? 15 A. "Gym?" 16 Q. I think on Government Exhibit 719 you ask the same 17 question; is that right? 18 A. Yes. 19 Q. Why did you send this message? 20 A. Because, like I said before, we do all of our work on the 21 DevLAN system. 22 somebody on the DevLAN system because everyone at their desk 23 can take it differently, but usually your classified system was 24 somewhat out of view. 25 Q. So it's more likely you can get in contact with Did he respond to this message? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1216 K2C3SCH5 Michael - Direct 1 A. Yes. 2 Q. When did he respond to this message? 3 A. 18:37, 6:37. 4 Q. So, about how long after your first message? 5 A. A minute-ish. 6 Q. What did he say? 7 A. He said, "Yo. 8 Q. And what did you understand him to mean by that? 9 A. Do you want to go to the gym in 15 minutes. 10 Q. Did he explain why he didn't respond to your Same Time 11 message? 12 A. He did. 13 Q. Did you end up going to the gym with the defendant that 14 night? 15 A. Yes. 16 Q. Did you talk to him about what you had seen on DevLAN? 17 A. No. 18 Q. Why not? 19 A. Because I was not 100 percent sure, so I didn't want to say 20 something and then Josh get upset that I was accusing him of 21 something wrong, and that create a whole bunch of drama. 22 Q. Did the defendant ever stop working at the CIA? 23 A. Yes. 24 Q. When did that happen? 25 A. Months after moving to RDB. 15?" SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1217 K2C3SCH5 Michael - Direct 1 Q. Did you talk to him after he left? 2 A. Yes. 3 Q. Did you ever visit him in New York? 4 A. Yes. 5 Q. After the defendant left the CIA, did you learn of -- did 6 there come a time when you learned that EDG projects had been 7 compromised publicly? 8 A. Yes. 9 Q. When was that? 10 A. On the date of the leak. 11 Q. How did you find that out? 12 A. I was just at work and a news article came out, and then it 13 just got spread about really quickly. 14 Q. What was your reaction when you heard about it? 15 A. Kind of shock. 16 How -- concerned how much got leaked, how did this happen. 17 Q. Did you ever talk to the defendant about it? 18 A. Yes. 19 Q. Can you tell us what happened. 20 A. That night, when I got off work, I either had some text 21 messages or he sent me some text messages shortly after I got 22 off work, and he asked me, hey, man, you know, can't believe 23 that, what are you hearing about these leaks. 24 Q. Other than text messages, did you ever speak with him? 25 A. Yes. You just, like, can't believe this is real. I didn't reply to the text messages. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 And so then he 1218 K2C3SCH5 Michael - Direct 1 called me. 2 Q. What did you talk about? 3 A. There was some light pleasantries in the beginning, how's 4 New York, whatever. 5 about this leak. 6 like. 7 Q. What did you understand him to mean? 8 A. That he had heard something about these leaks, and from 9 someone, and he didn't like what he had heard about it. 10 Then it was back to what are you hearing You know, I'm hearing some thing I don't MR. KAMARAJU: Ms. Hurst, can we publish Government 11 Exhibit 809, please. Can we go to page 10 of the exhibit. If 12 we can blow up the top part. 13 Q. 14 tool described in vendor report is in fact Bartender, a CIA 15 tool set for operators to configure for deployment"? 16 A. Yes. 17 Q. Is it true that Bartender is a CIA tool? 18 A. Yes. 19 Q. How do you know that? 20 A. I worked on it. 21 Q. How long did you work on it for? 22 A. Many years. 23 or said that he advocated for me to join the team because he 24 wanted me to work on this project. 25 Q. Sir, do you see where this document says, "Additionally, I was brought on in 2013. Jeremy described -- Prior to your testimony today, have you ever confirmed SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1219 K2C3SCH5 Michael - Cross 1 publicly that Bartender is a CIA cyber tool? 2 A. No. 3 Q. Why not? 4 A. Confirming any CIA tool brings danger to our operators, and 5 it makes it difficult for us to collect foreign intelligence. 6 When I first saw this, I just can't believe whoever wrote this 7 would write that. 8 types of things down in paper, especially if this letter was 9 not a classified document. 10 11 It's not something we do. MR. KAMARAJU: Putting these I have no further questions at this time, your Honor. 12 MS. SHROFF: 13 THE COURT: May I, your Honor? Yes, you may. 14 CROSS-EXAMINATION 15 BY MS. SHROFF: 16 Q. Good afternoon, sir. 17 A. Hello. 18 Q. So you testified when you took the stand that you are on 19 administrative leave. 20 A. Yes. 21 Q. And you were put on administrative leave from the CIA; is 22 that right? 23 A. Yes. 24 Q. And how many years had you been working there when they put 25 you on administrative leave? Correct? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1220 K2C3SCH5 Michael - Cross 1 A. Nine. 2 Q. You had been an employee for them for nine years? 3 A. Yes. 4 Q. And is it your testimony today, sir, that after nine years 5 of working at the CIA, the CIA put you on administrative leave, 6 and did not tell you why? 7 A. Yes. 8 Q. They didn't give you a reason? 9 A. No. 10 Q. They didn't tell you orally why they were putting you on 11 administrative leave? 12 A. No. 13 Q. They didn't tell you in writing why they were putting you 14 on administrative leave? 15 A. No. 16 Q. They just gave you no explanation as to why you were being 17 put on administrative leave? 18 A. Correct. 19 Q. Did they just come up to you one day and say, You're out, 20 you're on administrative leave, bye? 21 A. 22 Monday we'd like to meet you at a different entrance than you 23 normally come in. 24 division chief was there followed by two other people. 25 they told me your status has changed to paid administrative No. They called -- my division chief called me, and said And then on Monday when I went there, my SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 And 1221 K2C3SCH5 Michael - Cross 1 leave. 2 Q. And how long did this meeting last? 3 A. An hour, maybe two. 4 Q. So, for two hours, they sat down and talked to you, and in 5 those two hours, you walked out of that meeting still not 6 knowing why you were put on administrative leave? 7 A. They did not tell me. 8 Q. Did you ask? 9 A. Yes. 10 Q. Was there any formal procedure at the CIA by which you 11 could ask in writing or orally as to why you were being treated 12 that way? 13 A. I am not aware. 14 Q. Did you hire a lawyer to ask? 15 A. No. 16 Q. It is your testimony, am I correct, that at no time did the 17 CIA tell you that it was because of your conduct during this 18 investigation that they put you on administrative leave? 19 A. Correct. 20 Q. You did not know that? 21 A. They did not tell me that. 22 Q. Now, how many people were at this meeting that you 23 attended, sir? 24 A. Probably four or five. 25 Q. And you said your division chief was there? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1222 K2C3SCH5 Michael - Cross 1 A. Yes. 2 Q. Which division were you in at that time? 3 A. I was in the cyber operations group. 4 that. 5 Q. 6 You can just give me his first name if you want. 7 A. And could you just tell me who was your division chief? That's -- we're good with that? 8 9 MR. KAMARAJU: Your Honor, can I have one quick moment with Ms. Shroff. 10 THE COURT: 11 (Counsel conferring) 12 MS. SHROFF: 13 A division inside of Yes. Your Honor, may we just have a quick sidebar? 14 THE COURT: 15 (Continued on next page) Yes. 16 17 18 19 20 21 22 23 24 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1223 K2cWsch6 Michael - Cross 1 (At sidebar) 2 MS. SHROFF: 3 Mr. Kamaraju doesn't know if the person is covert or overt, so I can just move on from that. It's OK. 4 THE COURT: Mr. Kamaraju. 5 MR. KAMARAJU: 6 MS. SHROFF: It's OK. 7 THE COURT: All right. 8 MS. SHROFF: 9 Late last night, Mr. Kamaraju was kind enough to send I believe that's the witness's concern. I can handle that. I do have another issue, your Honor. 10 us a letter, telling us that this gentleman had been put on 11 administrative leave and that they were paying his airfare. 12 reached out immediately to the CISO, because we had subpoenaed 13 this witness and we had asked to speak to him. 14 time that we asked to speak to him, apparently he was not with 15 the CIA anymore; he was on administrative leave. 16 the walled attorney, and nobody told us that he was on 17 administrative leave. 18 THE COURT: 19 MS. SHROFF: I And during the We contacted It's news to me. I know, but I think that's inappropriate. 20 I think we're entitled to find out from the walled CIA person 21 why they were not called, why it was not made clear to us. 22 attribute no bad faith to Mr. Kamaraju, but to tell us the 23 night before, especially when I hadn't known ahead of time, 24 it's prejudicial to Mr. Schulte. 25 THE COURT: I Let's take this up -- you have a half an SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1224 K2cWsch6 1 hour. Michael - Cross Can you fill up a half an hour? 2 MS. SHROFF: 3 THE COURT: 4 MS. SHROFF: 5 (Continued on next page) OK. I'll fill it up. We can take this up at 3:00. Thank you. 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1225 K2cWsch6 Michael - Cross 1 (In open court) 2 THE COURT: 3 MS. SHROFF: Ms. Shroff. Sorry about that. 4 Q. You said that the meeting lasted about two hours? 5 A. Yeah. 6 between an hour and two hours. 7 Q. 8 you out after nine years of service? 9 A. Yes. 10 Q. OK. 11 A. Well, no. 12 did not have on me, so I had to go home, grab those items and 13 then bring it back. 14 Q. 15 working somewhere else now? 16 A. No. 17 Q. OK. 18 A. Yes. 19 Q. OK. 20 administrative-leave issue, we may come back to it later on, 21 but for now I'd like you to just focus on the first time that 22 you spoke to the FBI. 23 A. OK. 24 Q. And is it fair to say, sir, that the FBI contacted you 25 while you were an employee of the CIA? I don't know the exact amount of time, but somewhere And at the end of that meeting, did they just simply escort OK. They asked for my badge, some other items that I And you're working now, though, right? Are you But is the CIA paying you? Let me just take you back, setting aside this OK? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1226 K2cWsch6 Michael - Cross 1 A. Yes. 2 Q. And they asked to speak with you, correct? 3 A. Yes. 4 Q. And when they asked to speak with you, did they inform you 5 that talking to them was voluntary, or did they not tell you 6 that? 7 A. They told me. 8 Q. They told you it was voluntary, right? 9 A. Yes. 10 Q. And they told you your obligation was to tell them the 11 truth, correct? 12 A. Yes. 13 Q. And they also told you not to tell anyone that you were 14 talking to them, correct? 15 A. Yes. 16 Q. And in fact, they went a step beyond that; they told you 17 that they so didn't want you to tell anyone about you talking 18 to them that they made you sign what is called a nondisclosure 19 agreement, correct? 20 A. Yes. 21 Q. It's a typed-up form, correct? 22 A. Yes. 23 Q. And it tells you that you are voluntarily talking to the 24 FBI, right, but that you should tell no one? 25 A. Yeah. I don't remember what the form said, but yes. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1227 K2cWsch6 Michael - Cross 1 Q. And even though you don't remember what the form said, you 2 generally agree that you were not allowed to tell anyone that 3 the FBI was asking you questions, correct? 4 A. Yes. 5 Q. And you signed that form, right? 6 A. Yes. 7 the meeting. 8 Q. 9 meeting or that you'd met with the FBI; which one? I believe it was we could not discuss the contents of It was just so that you didn't discuss the contents of the 10 A. I believe it was just the contents of the meeting. 11 Q. Did you sign that form? 12 A. Yes. 13 Q. And when you signed that form, who was in the room with 14 you; do you remember? 15 A. An FBI agent. 16 Q. Who? 17 A. I don't remember which one. 18 Q. OK. 19 A. I think so. 20 Q. Did they set up that meeting with you, or no? 21 A. Did the FBI set up the meeting? 22 Q. Right. 23 A. No. 24 Q. They just sprung it on you and said, Hey, come on down? 25 A. Yes. Was there more than one FBI agent; do you remember? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1228 K2cWsch6 1 Q. 2 that particular day, right? 3 A. I believe so. 4 Q. OK. 5 FBI when you went down? 6 A. Uh -- 7 Q. I'll withdraw that. 8 9 OK. Michael - Cross And you were not anticipating meeting with the FBI on And did you think you had a choice in talking to the Let me ask you a preliminary question. Were you surprised that the FBI was there asking to speak to you? 10 A. No. 11 Q. Huh? 12 A. No. 13 Q. You were not surprised? 14 A. No. 15 Q. And at that time, when the FBI first approached you, you 16 were not on administrative leave, correct? 17 A. Correct. 18 Q. You were a full-time CIA employee, correct? 19 A. Correct. 20 Q. And you were not surprised, but you were not expecting the 21 meeting, right? 22 A. Correct. 23 Q. So you went downstairs and you met with the FBI? 24 A. Correct. 25 Q. OK. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1229 K2cWsch6 Michael - Cross 1 A. Went upstairs. 2 Q. Say it again. 3 A. Upstairs. 4 Q. Upstairs. 5 sorry about that. 6 OK. I don't know. I've never been there, but This was in March of 2017, right? 7 A. I do not remember the date. 8 Q. It's OK. 9 3550-02. 10 And you're right. Let me show you what is OK? Is this the nondisclosure agreement that you signed? 11 A. This is my signature. 12 Q. It is, right? 13 A. Yes. 14 Q. OK. May I just have it back. 15 Thank you. 16 Now, was it your understanding of signing this agreement 17 that you could tell people that the FBI had contacted you at 18 the CIA but that you couldn't talk about the contents of what 19 they asked you? 20 A. Yes. 21 Q. OK. 22 interviewing you at the CIA? 23 A. Yes. 24 Q. Are you sure? 25 A. I wouldn't, but yes. So you were free to tell people that the FBI was SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1230 K2cWsch6 Michael - Cross 1 Q. You wouldn't tell anybody that the FBI had come to 2 interview you? 3 A. Yeah. 4 Q. OK. 5 A. Uh, yes. 6 Q. Did you agree with what it said, or did you just sign it 7 because it was easier to sign? 8 A. 9 of the meeting. I wouldn't have a reason to tell anybody that. And did you read this before you signed it? I agreed with the principle of not discussing the contents 10 Q. OK. And after you signed this document, you sat down and 11 were interviewed by the FBI, right? 12 A. Yes. 13 Q. And when they started to talk to you about the -- when they 14 started the interview, did they tell you that there was a 15 distinction between the FBI asking you questions and anything 16 that the CIA did to you as a result of the interview? 17 A. Sorry. 18 Q. Sure. Can you restate the question? 19 THE COURT: 20 MS. SHROFF: It's a little bit confusing. It is confusing. 21 Q. The FBI was there in an investigatory, criminal capacity, 22 correct? 23 A. Correct. 24 Q. And the FBI had literally the ability to arrest not just 25 you but anyone, correct? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1231 K2cWsch6 Michael - Cross 1 A. Yes, with -- 2 Q. Right. 3 A. -- some -- 4 Q. And you know that, right? 5 A. Right. 6 Q. From even just watching a movie, you know that the FBI can 7 arrest people, correct? 8 A. Yes. 9 Q. And there's a distinction, then, between that kind of 10 questioning and questioning that could come from within the 11 CIA, correct? 12 A. Correct. 13 Q. I mean, your boss could interview you, question you and not 14 like the answers, but he couldn't arrest you, correct? 15 A. Correct. 16 Q. So they're two separate inquiries, correct? 17 A. Correct. 18 Q. And when the FBI started to talk to you, did they make a 19 distinction between the two separate inquiries for you? 20 A. I don't remember such a distinction. 21 Q. OK. 22 you remember. 23 A. 24 25 Let me show you a document, and maybe that will help Is that OK? Yeah. THE COURT: Do you have a question? BY MS. SHROFF: SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1232 K2cWsch6 Michael - Cross 1 Q. If you're ready, I can ask the question. 2 A. Sorry. 3 I'm just reading all the bullet points. OK. 4 Q. OK. Does this refresh your recollection that at least at 5 some point you learned that there was a distinction between the 6 FBI questioning you and the CIA questioning you? 7 A. Yes. 8 Q. OK. 9 A. This was not the first meeting, though. 10 Q. I understand. 11 A. OK. 12 Q. So somewhere down the line, when you met with the FBI again 13 is when they explained to you that there is a distinction 14 between a CIA questioning and an FBI questioning, right? 15 A. Yes. 16 Q. Let's just stay with the first time that you met with them, 17 right, the FBI. 18 A. OK. 19 Q. And when you first met with the FBI, they asked you 20 questions about your relationship with Mr. Schulte, correct? 21 A. Yes. 22 Q. They asked you a whole series of questions, correct? 23 A. Yes. 24 Q. And you did your very best to answer them, correct? 25 A. Yes. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Correct? 1233 K2cWsch6 Michael - Cross 1 Q. And how long did that interview last; do you remember? 2 A. I do not remember. 3 Q. It was a long interview, correct? 4 A. Yes. 5 Q. They asked you a series of questions, almost all of which 6 were about Mr. Schulte, correct? 7 A. Yes. 8 Q. They asked you how you knew him, correct? 9 A. I don't remember their questions. 10 Q. You don't remember the questions at all? 11 A. No. 12 Q. OK. 13 A. Yes. 14 Q. OK. 15 A. I don't remember the specific questions. 16 Q. Did they ask you about your relationship with him prior to 17 you and him working at the CIA? 18 A. 19 Before we came, before both of us started at the CIA? 20 Q. Right. 21 A. If we had known each other? 22 Q. Right. 23 A. Sorry. 24 Q. I don't want to talk over you. 25 A. Are you asking if they asked me if I had a relationship A long time. Do you remember they asked you about Josh Schulte? And did they ask you how you had known him? Prior to us working? I don't remember that question. Did the FBI -- You go. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1234 K2cWsch6 Michael - Cross 1 with Josh before we worked together at the CIA? 2 Q. Right. 3 A. I don't remember that question. 4 Q. And do you remember if they asked you about your work at 5 the CIA and how you came to them as an intern? 6 that? 7 A. No. 8 Q. All right. 9 A. Do you want me to read this whole thing? 10 Q. Well, just take a look at the second paragraph, and I think 11 the word "intern" might just pop out at you, if we're lucky. 12 A. I don't see the word "intern --" 13 Q. OK. 14 A. -- in the second paragraph. 15 Q. It's all right. 16 Do you remember The very first meeting is much of a blur. Let me give you 3550-01. You know what? OK? I'll move forward. Do you recall the FBI asking you just general questions 17 about where you were working, and which -- where Mr. Schulte 18 was working while you two were friends at the CIA? 19 A. Yeah. 20 Q. And you gave them background information on yourself, 21 correct? 22 A. Yes. 23 Q. And you gave them background information on Mr. Schulte, 24 correct? 25 A. Yes. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1235 K2cWsch6 Michael - Cross 1 Q. And you were asked what your opinion was as to how the 2 information was leaked to WikiLeaks, correct? 3 A. I don't remember the specific question. 4 Q. OK. 5 document. 6 A. The last paragraph? 7 Q. Yes, please. 8 9 Well, why don't you take a look at the end of that MR. KAMARAJU: Your Honor, I would to object to Ms. Shroff eliciting an opinion of the witness. 10 THE COURT: Overruled. 11 A. I've read the last paragraph. 12 Q. They asked you, and you just basically told them what your 13 opinion was, right; it wasn't complicated? 14 A. 15 the release. 16 Q. 17 page 1? 18 A. The first page? 19 Q. Yes. 20 A. 3550-01. 21 Uh, the last paragraph states that I had nothing to do with No. Is that what -- I'm talking about the first page. Are you still on 3550-01. Right here? 22 Q. Yes. 23 A. OK. I've read the paragraph. 24 Q. OK. So they asked you an open-ended question, and you 25 tried your best to answer them, correct? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1236 K2cWsch6 Michael - Cross 1 A. Yes. 2 Q. And when you met with them, you had no idea, correct, how 3 this got to WikiLeaks? 4 A. Correct. 5 Q. And in fact, it is your position today that you really 6 don't know how the information got to WikiLeaks, correct? 7 A. Correct. 8 Q. And you told them it could be a technical penetration by a 9 foreign entity, correct? 10 A. Correct. 11 Q. And you told them it could be an inside job, correct? 12 A. Correct. 13 Q. It could be any person within the CIA, correct? 14 A. I didn't say that. 15 Q. How about by -- saying by a person or people? 16 A. Yes, I said that it was not -- I don't think I meant 17 anyone. I probably meant more someone closer to that data. 18 Q. So you thought it could be a person or people. 19 is plural, correct? 20 A. Correct. 21 Q. So it could be one person or it could be many people, 22 correct? 23 A. Correct. 24 Q. And then you said, did you not, to the FBI that you thought 25 it could be a human exploit, correct? OK. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 People 1237 K2cWsch6 Michael - Cross 1 A. Correct. 2 Q. And that you thought, and then they asked you about the 3 information itself that was leaked, right? 4 A. I -- it does say that here. 5 Q. Right. 6 remember. 7 A. Right. 8 Q. And then they asked you many, many questions, did they not, 9 about the physical security at the CIA, and then they also I understand, it's been a long time; you may not 10 asked you about the security on DevLAN, correct? 11 A. 12 don't remember questions about physical security. 13 Q. 14 meeting that anyone could check out a hard drive, bring 15 backpacks or bags in and out of the CIA building without being 16 searched? 17 A. 18 that here in this document, in the next page. 19 Q. OK. 20 A. It is true, yes. 21 Q. So even though there are all these armed guards standing 22 out with big guns, nobody really checks anybody coming in or 23 going out, correct? 24 A. Provided you have the proper identification. 25 Q. Right. I don't remember questions about security on DevLAN. OK. I Well, do you recall telling the FBI during that That is true. I don't know if I said that. It does say But it is true, correct? And the proper identification's just an ID, right? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1238 K2cWsch6 Michael - Cross 1 A. Yes. 2 Q. OK. 3 building; do you know? 4 A. No. 5 Q. Hundreds? 6 A. Yes. 7 Q. Thousands? 8 A. I'm really guessing here. 9 Q. OK. And how many people do you think have egress to that Yes? Now, you told them, did you not, that when you thought 10 of the system itself, the DevLAN system -- right -- that you 11 thought that the DevLAN system was the wild, Wild West, 12 correct? 13 A. 14 opinion like that, yes. 15 Q. 16 of people use the same phrase when describing DevLAN, correct? 17 A. 18 of DevLAN. 19 Q. And everybody called it the wild, Wild West, correct? 20 A. I don't know, but, yes, they would -- 21 Q. Well, you know what, you're not even there, so how do you 22 know everybody said? 23 A. Right. 24 Q. When people talked about DevLAN, that's the phrase they 25 used, correct? I don't remember specifically saying that, but I do have an OK. And it wasn't just your opinion, right? I mean, a lot Yes, all these coworkers, if we talked about the security SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1239 K2cWsch6 Michael - Cross 1 A. I don't know if they called it the wild, wild -- but yes, 2 the sentiment about it being the wild, Wild West, yes, people, 3 everyone, coworkers have that sentiment. 4 Q. 5 system wasn't locked down, correct? 6 A. Correct. 7 Q. And it's fair to say, is it not, that the system not being 8 locked down was partially a deliberate decision by the 9 management at the CIA? And the reason coworkers have that sentiment is because the Correct? 10 A. I don't know. 11 Q. You don't know? 12 A. No. 13 Q. OK. 14 some conversation about how people would want an open system so 15 that they could develop tools? 16 A. Yes. 17 Q. Right? 18 Is it fair to say that there was some discussion or And then that some people thought the system was too open 19 and left you at risk, correct? 20 A. Yes. 21 Q. I don't mean you personally. 22 A. Yeah. 23 always weigh those, the benefits versus the cons of that. 24 Q. 25 correct? I mean the CIA. Correct? In talks with other coworkers, people, we would Right. And management knew about these discussions, SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1240 K2cWsch6 Michael - Cross 1 A. I don't know. 2 Q. Well -- 3 A. Are we -- what level of management are we talking about? 4 Q. Just your boss, your immediate boss. 5 A. My immediate manager, yes. 6 Q. And at that time, in 2016, who was your immediate boss? 7 Just give me a first name, or whatever name that -- 8 A. Sean. 9 Q. Sean. And is it fair to say that there was, like, an easy 10 kind of -- it was an easy relationship with your boss, correct? 11 A. Yes. 12 Q. I mean, you could tell him I think that the system is too 13 wide open, correct? 14 something like that, right? 15 A. Yes, it was easy to talk to Sean. 16 Q. Right. 17 would be shy about sharing, correct? 18 A. Correct. 19 Q. And in fact, he wasn't shy about sharing anything; is that 20 fair to say? 21 A. Yes. 22 Q. And these are people that felt the system was not locked 23 down, correct? 24 A. Correct. 25 Q. In fact, as his close friend, or at least as a friend, he It wasn't like you were scared to tell him And it certainly wasn't something that Mr. Schulte SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1241 K2cWsch6 Michael - Cross 1 complained to you nonstop about many things at the CIA, 2 correct? 3 A. 4 about things that irked us at the CIA. 5 Q. 6 about the CIA, correct? 7 A. Yes. 8 Q. And you told him things that irritated you about the CIA, 9 right? Nonstop is a bit strong, but yes, we did have discussions Right. I mean, he told you about things that irritated him 10 A. Yes. 11 Q. It's a normal job thing, correct? 12 A. Yeah. 13 Q. And one of the things that he pointed out that he thought 14 was so silly or irritating is that it took forever to fill a 15 requisition form, correct? 16 A. Yes. 17 Q. And he also complained about the fact that he couldn't get 18 the system working as fast as he wanted it to work, correct? 19 A. Yes. 20 Q. And then he also complained to you about how he did not 21 think that the system was secure enough, correct? 22 A. 23 just talking about in general? 24 Q. I'm talking about DevLAN. 25 A. DevLAN? We -- are we talking about the specific system, or are we Yes. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1242 K2cWsch6 OK. Michael - Cross 1 Q. And you had basically what is called a DevLAN box, 2 correct? 3 A. Yes. 4 Q. And he also had a DevLAN box, correct? 5 A. Yes. 6 Q. Everybody had a DevLAN box that worked in your group at 7 that time, correct? 8 A. No. 9 Q. No? 10 A. No. 11 Q. Oh, I'm sorry. 12 box? 13 A. Yes. 14 Q. Did all developers have a box? 15 A. Yes. 16 Q. And by box, you just mean -- that means something that 17 hooked you on to DevLAN, conversation? 18 A. Yes. 19 Q. And do you remember there being a conversation about how 20 developers were given free rein to use thumb drives at work? 21 A. A conversation about it? 22 Q. Yes. 23 A. I don't remember a specific conversation. 24 Q. But it's true, right? 25 A. We were -- we were supposed to go out and go to another Can you help me out? Most developers had a SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1243 K2cWsch6 Michael - Cross 1 team, ISB, and check out our thumb drives. 2 Q. Yes, but that's what you were supposed to do? 3 A. Yes. 4 Q. Nobody did that, right? 5 A. Most people did that. 6 Q. Most people did that; they checked out a thumb drive? 7 A. Yes. 8 Q. And what did they do after they used it? 9 A. You'd keep it. 10 Q. Did they check it back in? 11 A. No. 12 Q. OK. 13 A. Once you checked it out, it was yours to keep until you no 14 longer wanted it one. 15 Q. 16 another one? 17 A. Yes. 18 Q. If you misplaced it, you could go get another one? 19 A. Yes. 20 Q. There was no limit on how many thumb drives you could get? 21 A. Not that I was aware of. 22 Q. OK. 23 asked you specifically about thumb drives, that thumb drives 24 were in and out all the time? 25 A. OK. And if you lost that thumb drive, did you go get And is it fair to say that you told the FBI, when they Do you remember that? I don't specifically remember saying that. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 Could you point 1244 K2cWsch6 Michael - Cross 1 me to where you're at? 2 Q. Take a look at page 3, maybe. 3 A. I'm still not seeing it. 4 Q. OK. 5 A. Sorry. 6 Q. Well, you do agree with me, though, that people could -- 7 thumb drives were in and out of systems all the time? 8 A. Yes. 9 Q. OK. We -- we used thumb drives on a daily basis. And I'm correct, am I not, that the only training that 10 anybody at the CIA, or specifically within your group, received 11 on working or using thumb drives was a one-time training when 12 you started work there, correct? 13 A. When I first started -- 14 Q. Yes. 15 A. Yes. 16 Q. Right. 17 one-time training that when a person, you included, started 18 work at the CIA, you got a class on how to classify something? 19 Correct? 20 A. Yes. 21 Q. And they told you this is how you do it, they gave you a 22 guide and then they send you on your way, correct? 23 A. Yes. 24 Q. And that's how you decided you would mark something 25 classified or unclassified in an email, correct? And is it fair to say that it was also just a SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1245 K2cWsch6 Michael - Cross 1 A. Yes. 2 Q. OK. 3 you about Mr. Schulte, and you told them, did you not, that 4 Mr. Schulte was reliable? 5 A. Yes. 6 Q. You told them he was hardworking, correct? 7 A. Yes. 8 Q. And you told them that he had good security practices, 9 correct? Now, when you were meeting with the FBI, they asked Correct? 10 A. I don't remember specifically saying that, but -- 11 Q. All right. 12 paragraph. 13 A. OK. 14 Q. And in that paragraph, right, you say that he had good 15 security practices? 16 A. Yes. 17 Q. OK. 18 to talk to you, did they ask you about anybody other than 19 Mr. Schulte? 20 A. I don't remember. 21 Q. OK. 22 things, Mr. Schulte had filed several complaints to management 23 about a person named Amol, correct? 24 A. Yes. 25 Q. And that Amol and Mr. Schulte did not get along, correct? Well, take a look at page 3. It's the first Yes. Right? Now, let me just ask you something. When the FBI came And you told them that despite all of these positive SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1246 K2cWsch6 Michael - Cross 1 A. Correct. 2 Q. And then there were several FBI interviews asking you just 3 about Mr. Amol and Mr. Schulte, correct? 4 A. 5 Josh and Amol. 6 Q. OK. 7 A. In general, I remember, after I brought it up, they wanted 8 to know more about the situation. 9 Q. Uh, I don't remember a whole interview dedicated to just OK. Do you remember them asking you about it? Before I forget, let me just ask you something, 10 because I'd forgotten this question when I was talking to you 11 about thumb drives. 12 A. 13 the next day, just plug it back in? 14 Q. 15 to project 2, did you reuse the thumb drive, or did you just -- 16 A. We reused it. 17 Q. And before you would reuse it, would you reformat the thumb 18 drive? 19 A. Not all the time. 20 Q. Sometimes? 21 A. Sometimes. 22 Q. Would you clean out the project you were working on before 23 you get started? 24 A. Clean out the thumb drive is what you're saying? 25 Q. Right. OK? Did you reuse thumb drives? Like after you, like, reuse when you plug it out and then Right. Or if you finished project 1 and you're moving on SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1247 K2cWsch6 Michael - Cross 1 A. No, that wasn't standard procedure. 2 Q. So what did you do if the thumb drive had one project on it 3 and you wanted to start a second project on it? 4 A. If I was done with the first project -- 5 Q. Right. 6 A. -- depending on what that project did -- 7 Q. Right. 8 A. -- I would either wipe it securely or just delete the files 9 logically. 10 Q. Right. 11 A. Or -- 12 Q. Let's talk about that. 13 it? 14 A. Wipe it securely? 15 Q. Right. 16 A. That means to overwrite the data on the drive with new data 17 such that, so that now that old data can no longer be read. 18 Q. OK. 19 A. Correct. 20 Q. And what was the second thing you said? 21 A. Or if -- if I didn't care that the drive needed to be 22 secure, I would just logically delete the files. 23 Q. OK. And is that called zeroing a thumb drive? 24 A. No. That was the first thing. 25 Q. The first thing is called zeroing a thumb drive, and then What does it mean when you say wipe So you get rid of the old data, correct? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1248 K2cWsch6 1 the second thing is called just wiping? 2 A. 3 The second thing is just a normal, just how you would plug it 4 in and delete files. Just deleting. 5 6 Wipe means -- wipe implies a secure delete. THE COURT: Ms. Shroff, is this a convenient place to break? 7 MS. SHROFF: 8 THE COURT: 9 Please be seated. 10 Sure. Remember my instructions. Remember my instructions. 11 Don't do any research. 12 radio or the TV, ignore it. 13 14 15 Please be seated. Don't talk about the case. If you hear anything about it on the Keep an open mind, and I'll see you tomorrow morning at 9:00. (Continued on next page) 16 17 18 19 20 21 22 23 24 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1249 K2cWsch6 1 (Jury not present) 2 THE COURT: 3 MS. SHROFF: 4 THE COURT: 5 You're excused. 6 THE WITNESS: 7 THE COURT: 8 government now. 9 Your Honor, may we excuse the witness? Oh, yes. Leave all these documents here? Yes, leave all of it. Don't talk to the You're on cross-examination. (Witness not present) 10 11 Please be seated. THE COURT: OK. Ms. Shroff, do you want to take up what -- 12 MS. SHROFF: 13 THE COURT: 14 MS. SHROFF: Your Honor, I -OK. He's out of the courtroom. I don't mean to belabor this point, and 15 I, again, want to be clear I was informed last evening that 16 this gentleman, this witness, had been put on administrative 17 leave at some point by the CIA. 18 August of 2019. 19 I think it was June of -- Right? And the only, first reason I was given was that 20 somebody at the CIA told Mr. Kamaraju that that was because of 21 his conduct during the investigation. 22 One, I do not know why we were not told, because we 23 had subpoenaed this gentleman and asked if he would speak to 24 us, that he was in fact put on administrative leave. 25 the CISO, and I don't have an answer on that point. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 I asked 1250 K2cWsch6 1 Second, even if the CIA doesn't want to tell him why 2 they put him on administrative leave, I do think we are 3 entitled to know why because of the flag, so to speak, that 4 they've set out by saying that it was his conduct during this 5 investigation. 6 Now, unlike many of the 302s that I've read in this 7 case, where everybody said, Oh, it had to be Mr. Schulte, this 8 gentleman actually at one point, early on in the process, said 9 that it wasn't Mr. Schulte; he didn't think it was Mr. Schulte; 10 that Mr. Schulte was hotheaded but not a traitor, and then 11 slowly, slowly, slowly, his story started to morph a little, 12 but he never quite got to saying it was Mr. Schulte. 13 Now, I don't know -- I honestly don't know -- what the 14 thinking of the CIA is, but I do think it's fair for us to know 15 what their thinking was as to why they put him on 16 administrative leave. 17 CIA or the government to produce to us those files, or at least 18 produce them to you for in camera reading so that you can 19 determine whether or not we should be entitled to them. 20 THE COURT: 21 MR. KAMARAJU: 22 THE COURT: 23 I'd ask the Court, please, to order the Mr. Kamaraju. Yes, your Honor. When was he placed on administrative leave? 24 MR. KAMARAJU: 25 THE COURT: August 19, 2019. OK. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1251 K2cWsch6 1 2 MR. KAMARAJU: Which was three days after the meeting that Ms. Shroff discussed. 3 I think one point we should make clear, he is still a 4 CIA employee. 5 not change that fact. 6 administrative leave come off administrative leave. 7 paid by the CIA, so he's a CIA employee. 8 on leave. 9 The fact that he's an administrative leave does There are situations where people on He's being Yes, currently he's The reasons for that leave -- actually, we produced 10 all of the underlying information to Ms. Shroff. 11 302s. 12 as I said to Ms. Shroff, as reflected in the 302s, there was a 13 concern about candor. 14 about candor have been produced. 15 It's videos of security. It is these It's the interview notes. And The materials underlying that concern Everything Ms. Shroff just said that she'd like to do 16 on cross-examination she can do. She's already spent a portion 17 of her time on cross-examination eliciting the fact that he 18 said positive things about Mr. Schulte during the first 19 interview. 20 he exonerated Mr. Schulte in any way, but still, to the extent 21 she wants to elicit the time line of events, she's able to do 22 that. 23 that he was telling a positive story about Mr. Schulte until 24 events went a certain way and the CIA took action, she's able 25 to do that. I don't quite agree with her characterization that To the extent she wants to try and make the argument SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1252 K2cWsch6 1 THE COURT: Why was he put on administrative leave? 2 MR. KAMARAJU: It's because exactly that, your Honor. 3 It's because, as I understand it, there were concerns about his 4 candor, which we disclosed in the letter that we sent. 5 actions were the result -- 6 THE COURT: 7 MR. KAMARAJU: 8 THE COURT: 9 What letter did you send? I'm sorry, your Honor? What letter did you send? I don't recall getting a letter. 10 11 The MR. KAMARAJU: No, no, your Honor. It's the letter informing Ms. Shroff. 12 THE COURT: Oh, Ms. Shroff. 13 MS. SHROFF: 14 MR. KAMARAJU: OK. I got it last night, your Honor. Yes, but all of the materials that 15 underlie those concerns -- for example, there's a video of an 16 interview he did with the CIA investigator about the fight that 17 he testified about; he refused to talk about that fight. 18 That's an example of something that generated the security 19 video. 20 our files with respect to anybody that had access to the DevLAN 21 system, any kind of security concerns that related to 22 mishandling of classified information with respect to that 23 system. 24 25 And she has those materials. We produced everything in He doesn't have any of those. THE COURT: From your standpoint, Mr. Kamaraju, Ms. Shroff can go into all this on her cross-examination? SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1253 K2cWsch6 1 MR. KAMARAJU: She's certainly entitled to question 2 his credibility on cross-examination, and she's certainly 3 entitled to question whether he has a bias or feels pressured 4 to tell a story, so to speak, which is what I understand her to 5 want to say. 6 decision-making of the CIA. 7 But I don't think she's entitled to the internal MS. SHROFF: I'm not looking for the internal 8 decision-making of the CIA. I'm just trying to tell this jury 9 that if you don't roll the way the CIA wants you to roll, 10 they're going to throw you out, and of course, that's relevant. 11 And I don't think anybody who has had a job would consider 12 being on administrative leave -- 13 THE COURT: As I understand it, Ms. Shroff, the 14 government doesn't object to you going into the 15 cross-examination. 16 MS. SHROFF: No, I don't want to question about it on 17 cross-examination. I want to be able to show the jury not that 18 he lacked candor; I want to show the jury that because of what 19 he said, that the CIA didn't like it and the CIA retaliated 20 against him. That's my point, which is what they did. 21 MR. KAMARAJU: 22 MS. SHROFF: 23 MR. KAMARAJU: 24 MS. SHROFF: 25 be wrong. Well -- They -I'm sorry. I don't know. I apologize. I could be right. I could But the only way I'm going to know is if either you SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1254 K2cWsch6 1 let me read it or you read it. 2 read anything hardly in this case, I'll rely on you reading it. 3 I don't mind, but somebody's got to read it because the issue 4 here is the way the CIA reacts when they don't like something 5 somebody else does and that person is working for them. 6 different point, right? 7 candor. 8 telling a story that they don't like. 9 And since they never let me It's a It isn't about whether or not he had This is about what the CIA does to a person who is MR. KAMARAJU: Everything that Ms. Shroff said she 10 wants to be able to do she can do standing here right now. 11 can cross-examine the witness about: 12 this day X; you said to the FBI on this day X. 13 day, you said something different, isn't that right? 14 on this day the CIA put you on administrative leave. 15 THE COURT: You said to the FBI on Then on this And then Except what Ms. Shroff is saying is what 16 if there are documents where the CIA said: 17 enough of this guy; let's fire his ass out of here. 18 She MR. KAMARAJU: Sure. Hey, we've had I understand, your Honor, and we 19 double-check, but I do not believe there are any documents that 20 say that. 21 he's telling the wrong story. 22 your Honor. 23 24 25 The documents do not say, It's time to get this guy; MS. SHROFF: that. And we're happy to give them to Well, of course it's not going to say They're not that silly. MR. KAMARAJU: Well, then I don't know what Ms. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1255 K2cWsch6 1 Shroff's going to get from the documents. 2 MS. SHROFF: I don't know what it is. All I'm saying 3 is if he can read it, why can't I? 4 And if I can't read it, I'd just ask you to read it. 5 THE COURT: I'll read it. 6 MS. SHROFF: Thank you. 7 MR. KAMARAJU: 8 THE COURT: 9 MR. KAMARAJU: 10 THE COURT: I don't understand this. OK. Submit it for in camera review. We will, your Honor. Now, with regard to the experts and giving 11 an instruction, I've decided not to do that. 12 appropriate time for the instruction is when we hear 13 instructions. 14 I think the If you want a caution about the experts and how to 15 assess the testimony, you should have made a request to put it 16 in the preliminary instruction to give to the jury, but I think 17 any instructions now would put the thumb on the scale of 18 justice, so I'm not going to do it. 19 in the final charge to the jury. 20 MR. KAMARAJU: 21 We understand, your Honor. That's fine with us. 22 THE COURT: 23 MR. KAMARAJU: 24 MR. ZAS: 25 I will charge on experts ruling. Anything else? No. Just for the record, we object to that Our concern is we didn't want, sometimes juries take SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1256 K2cWsch6 1 experts as gospel, which is really the point of the 2 instruction. 3 the very end, which could be another several weeks. 4 object to the ruling. We just wanted them to know sooner rather than at 5 THE COURT: 6 MR. ZAS: 7 Several weeks? Well, when the trial's over. Whenever we get there. 8 THE COURT: 9 MR. ZAS: 10 So we When are we getting there? I think you're going to have to ask them, your Honor. 11 THE COURT: I will. 12 MR. ZAS: 13 MR. KAMARAJU: Thank you. We're going as fast as possible, your 14 Honor, but we do not anticipate it being several weeks. 15 Obviously, Mr. Leedom's testimony, he was a significant 16 witness. 17 who approaches his length, so I think we're hoping that -- 18 we'll have a better idea by the start of next week, but I think 19 we're hoping to be able to rest soon. 20 21 We've got a couple more, but I don't think anybody THE COURT: Are we working on Monday? 22 MS. SHROFF: 23 THE COURT: 24 MS. SHROFF: 25 Let's talk about the start of next week. No. It's a holiday, your Honor. We can work on holidays, Ms. Shroff. Oh, no, your Honor. Look, I was so good. I only crossed him for 30 minutes. SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1257 K2cWsch6 1 MR. KAMARAJU: We'll be working on Monday, your Honor, 2 so we don't have an objection. 3 plans are. I don't know what the jury's 4 THE COURT: 5 We know from our conversations that there's a number 6 Do we know? of jurors who have got plans for taking a long weekend. 7 MS. SHROFF: 8 MR. KAMARAJU: 9 Oh, thank God. I can imagine they want to get away from us. 10 THE COURT: 11 legitimate vacation schedule. 12 OK. 13 MS. SHROFF: 14 THE COURT: 15 16 17 Yes, they want to revert back to a I'll see you tomorrow morning at 9:00. Thank you, your Honor. When can I expect the package, Mr. Kamaraju? MR. KAMARAJU: We'll consult, and we'll walk it over this afternoon. 18 THE COURT: Thank you. 19 (Adjourned to February 13, 2020, at 9:00 a.m.) 20 21 22 23 24 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300 1258 1 INDEX OF EXAMINATION 2 Examination of: 3 PATRICK LEEDOM Page 4 Direct By Mr. Laroche 5 Cross By Ms. Shroff 6 Redirect By Mr. Laroche 7 Recross By Ms. Shroff 8 9 10 13 . . . . . . . . . . . . .1134 . . . . . . . . . . .1193 . . . . . . . . . . . .1201 MICHAEL Direct By Mr. Kamaraju . . . . . . . . . . . .1202 Cross By Ms. Shroff 11 12 . . . . . . . . . . . .1029 . . . . . . . . . . . . .1219 GOVERNMENT EXHIBITS Exhibit No. 1255 Received . . . . . . . . . . . . . . . . . . .1210 14 15 16 17 18 19 20 21 22 23 24 25 SOUTHERN DISTRICT REPORTERS, P.C. (212) 805-0300