Jun 30, 2006 (12:06 PM EDT)
UBS Trial: Defense Suggests Witness Altered Evidence

Newark, N.J. -- The prosecution's forensics expert in a computer sabotage trial here continued to push back against the defense's contentious line of questioning. The new accusations Thursday were that the expert, Keith Jones, altered evidence and fudged his analysis to go along with the government's theory.

It was the fifth day on the stand and the second under cross-examination for Keith Jones, director of computer forensics and incident response at Mandiant, an information security company based in Alexandria, Va. Jones continued to be questioned by Chris Adams, the lead defense attorney for Roger Duronio, a former systems analyst for UBS PaineWebber. Duronio is being tried on federal charges for allegedly building and planting malicious code that took down the main host server, along with about 2,000 branch servers, at the company four years ago.

Forensics investigator Keith Jones stood by his earlier testimony despite the defense attorney's accusations that Jones altered evidence.

In his first day of cross-examination on Wednesday, Adams questioned Jones about hackers involved in the initial forensics examination and the quality of the evidence that the investigator had to analyze. But in Thursday's even more heated exchange, the lawyer's questioning took a more direct, and personal, line about Jones himself. Adams asked whether Jones had based his work on faulty assumptions, if he had altered evidence, and if he had made efforts to force his findings to go along with the government's case.

In his approximately two and a half hours on the stand Thursday, Jones remained calm and stood by his findings.

At the start of Thursday's proceedings, Adams grilled Jones about making assumptions regarding the quality and validity of the backup tapes from the damaged servers that Jones used in his investigation. The tapes he had didn't include every bit of data on the servers, but Jones had earlier testified that they held enough to supply evidence that Duronio had created and modified the malicious code on the UBS network.

"So when you talked about putting pieces of the puzzle together, you were missing three-quarters of the pieces for the [central file server] alone?" Adams asked.

"The puzzle pieces I had to put together formed the picture I needed," Jones replied. "If the puzzle was of a boat, then I had enough pieces to form the picture of the boat." Adams countered, "But you might not see all the other boats around it."

Jones replied, "But the second boat won't get rid of the first boat. It's simple mathematics that when you add data, you don't subtract data… There was nothing in that data set that could remove the data I already had."

The defense attorney also repeatedly questioned Jones about whether the forensics investigator had altered critical information on the backup tapes he had examined. Jones explained to the jury that restoring the data had left a new "last accessed" date on a few of the tapes, but that this is normal for certain types of data formats and didn't factor into his analysis.