TechWeb

UBS Trial: Defense Suggests Witness Altered Evidence

Jun 30, 2006 (12:06 PM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=189900017


Newark, N.J. -- The prosecution's forensics expert in a computer sabotage trial here continued to parry the defense's contentious line of questioning. On Thursday the defense added new accusations: that Jones had altered evidence and skewed his analysis to fit the government's theory.

It was the fifth day on the stand and the second under cross-examination for Keith Jones, director of computer forensics and incident response at Mandiant, an information security company based in Alexandria, Va. Jones continued to be questioned by Chris Adams, the lead defense attorney for Roger Duronio, a former systems analyst for UBS PaineWebber. Duronio is being tried on federal charges for allegedly building and planting malicious code that took down the main host server, along with about 2,000 branch servers, at the company four years ago.

Forensics investigator Keith Jones stood by his earlier testimony despite the defense attorney's accusations that Jones altered evidence.

In his first day of cross-examination on Wednesday, Adams questioned Jones about hackers involved in the initial forensics examination and the quality of the evidence that the investigator had to analyze. But in Thursday's even more heated exchange, the lawyer's questioning took a more direct, and personal, line about Jones himself. Adams asked whether Jones had based his work on faulty assumptions, if he had altered evidence, and if he had made efforts to force his findings to go along with the government's case.

In his approximately two and a half hours on the stand Thursday, Jones remained calm and stood by his findings.

At the start of Thursday's proceedings, Adams grilled Jones about the assumptions he had made regarding the quality and validity of the backup tapes from the damaged servers that Jones used in his investigation. The tapes did not include every bit of data on the servers, but Jones had earlier testified that they contained enough to supply evidence that Duronio had created and modified the malicious code on the UBS network.

''So when you talked about putting pieces of the puzzle together, you were missing three-quarters of the pieces for the [central file server] alone?'' Adams asked.

''The puzzle pieces I had to put together formed the picture I needed,'' Jones replied. ''If the puzzle was of a boat, then I had enough pieces to form the picture of the boat.'' Adams countered, ''But you might not see all the other boats around it.''

Jones replied, ''But the second boat won't get rid of the first boat. It's simple mathematics that when you add data, you don't subtract data… There was nothing in that data set that could remove the data I already had.''

The defense attorney also repeatedly questioned Jones about whether the forensics investigator had altered critical information on the backup tapes he had examined. Jones explained to the jury that restoring the data had left a new 'last accessed' date on a few of the tapes, but that this is normal for certain file formats and it did not factor into his analysis.

Adams asked whether Jones' backup process changed the data.

''It changed the last access date,'' said Jones.

''It could have changed other data, as well,'' Adams suggested.

''No, it was just the last access that changed and that didn't factor into the investigation,'' Jones responded.

But later on in his questioning, when Adams was talking about the different versions of the malicious code that Jones analyzed, Adams went back to the last access date issue.

''Isn't it possible that the difference between the versions is caused by the data being altered… accidentally or intentionally?'' he asked. Jones again explained that nothing but the last access date was changed and it did not affect the investigation.

Then Adams asked the forensics examiner why he compared the logic flows of different pieces of code during his analysis, when he was also using MD5 hashes, which serve as a file's digital fingerprint.

''Isn't it a fact, sir, that the reason you used the logic flow analysis was to fill in the gaps when you didn't get the analysis you wanted?'' asked Adams.

''That's not correct,'' Jones said. ''I use logic flow so I can compare two things that are not equal. Source code and binary code are not equal.''

Later in the morning, Adams tried to get Jones to say that whoever built and planted the code on the UBS network could have done it from outside of Duronio's home. Jones had testified earlier that IP address records and VPN gateway records led a direct trail from Duronio's home to the servers where the logic bomb was created or modified.

''Access to Mr. Duronio's home would not be required to put this on UBS?'' Adams asked. Access to Duronio's home would be required, Jones responded.

''If I had the VPN software, if I knew the network architecture, the security architecture, and I was knowledgeable in Unix and I had access to UBS, I could do this?'' Adams asked.

''Not in this case,'' Jones said.

''If I had these points but no access to his home, I could do this,'' Adams tried again.

''Unless Mr. Duronio invited you into his house on Christmas night, you could not,'' Jones countered. Even when Adams told Jones to ''put aside the evidence'' and decide if it could be done, the forensics investigator said it could not be done without ''leaving a trace.''