Newark, N.J.--The defense's forensics investigator took the stand Wednesday, telling the jury there simply wasn't enough evidence available about the March 2002 attack on UBS PaineWebber's servers to know for sure who was behind the incident.
Kevin Faulkner, a senior consultant with Protiviti, Inc., a risk management consulting company based in Menlo Park, Calif., had the daunting job of being the defense's first witness. He followed the government's forensics expert, Keith Jones, who wrapped up five strong days on the stand last week, explaining the technical details of the case to the jury and standing up to two days of contentious cross-examination. This is the defense's first time at bat in the federal criminal trial of Roger Duronio, a 63-year-old former systems administrator accused of sabotaging the UBS computer network. The trial has entered its fifth week in U.S. District Court.
''I couldn't look at all the data,'' said Faulkner, when defense attorney Chris Adams questioned him about having backup tapes instead of forensic mirror images to analyze in the case. ''They were just the active data, and they weren't all the active data. When I ran it, it asked for Tape 2, but there was no Tape 2. The information for the [central server] wasn't a forensic image. To preserve digital evidence, a forensic image is best practice.''
A backup tape holds copies of the files that were live on a disk when the backup ran, refreshed on a periodic schedule; it does not capture what the file system no longer lists. A forensic mirror image, in contrast, is a bit-by-bit copy of the entire drive taken at a single moment. It is analogous to a photograph: besides the live files, it captures deleted files, unallocated space and file slack, which is why it can contain considerably more evidence than an average backup tape of the same machine.
Faulkner said he had 6.5 gigabytes of data on the backup tapes to work with from the central server, which had a capacity of up to 30 gigabytes. It wasn't clear how much data was on the server immediately before the network was attacked, but the backup tapes didn't cover it all. In his testimony last week, Jones said there was some data missing but he added that he was able to recover a majority of it for the servers he was examining.
''I'd certainly prefer to see more forensics images,'' said Faulkner. ''You want to review the system to make sure what is believed to have happened actually happened. Plus, you want to gather evidence on the who, what, and when of what happened.''
All along, Adams has been pushing the idea that backup tapes of the damaged servers were insufficient for forensics analysis. First he said the data on them couldn't be trusted because they were handled by employees at @Stake, Inc., the first forensics company brought in on the case. @Stake had employed hackers and Adams questioned several witnesses about whether hackers could be trusted with critical evidence.
Adams also repeatedly questioned Jones, director of computer forensics and incident response at Mandiant, an information security company based in Alexandria, Va., about the validity of using backup tapes instead of mirror images. Jones testified that it wouldn't have done much good to take bit-by-bit images of damaged servers--especially when all the files had been deleted off of them.
Jones also testified that having more data from the servers would not have changed what information he gleaned from the backup tapes. Jones said he was able to follow a digital trail from Duronio's home IP address through the company VPN and into specific servers where the code was planted--all during the times the code was created or modified.
Faulkner testified Wednesday that logs of any kind are poor forensics evidence.
The government built its forensics trail at least in part using UBS' VPN logs; wtmp logs, which record the time each user logs in and out; and su (switch user) logs, which record when a user switches from a normal logon name to root. The code, Jones explained, could only have been planted by root, which on a Unix system is the superuser with all-encompassing privileges.
Faulkner said the logs can't be trusted as a form of evidence because too many of them can be edited by a root user. He added that there are, for example, means of access that aren't recorded in any specific log. Faulkner said user history logs can be edited by a root user, as can su logs and command logs, which record what commands were run on the system.
''The logs are more for accounting,'' he told the jury. ''They're not designed for investigative purposes because they don't log everything.''
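The dispute between the two experts comes down to how a VPN record, a wtmp login and an su-to-root entry are chained into a single trail, and what happens to that chain when a root user edits one of the files. The script below is an added illustration, not evidence from the trial or tooling used by either expert. Every log line in it is constructed, the user "jdoe" and the addresses are hypothetical, and the formats are simplified text renderings: a real wtmp is a binary utmp record, and su logging differs by platform (syslog on Linux, /var/adm/sulog on Solaris). It builds the chain from the three sources, attributes a file modification time taken from a disk image to the root session that covers it, and then shows that deleting one su line, as root could, leaves the same file change with no attributed actor.

```python
from datetime import datetime

# Constructed sample logs for illustration only; not the UBS evidence.
VPN_LOG = """\
2002-02-22 17:01:12 vpn01 session-start user=jdoe src=198.51.100.7 assigned=10.9.8.77
2002-02-22 17:44:55 vpn01 session-end user=jdoe src=198.51.100.7
"""
# Text rendering of wtmp records: user tty remote-host date time login|logout
WTMP_TEXT = """\
jdoe pts/3 10.9.8.77 2002-02-22 17:03:40 login
jdoe pts/3 10.9.8.77 2002-02-22 17:40:02 logout
"""
# Solaris-style sulog: SU mm/dd hh:mm +|- tty from-to  ('+' is success)
SU_LOG = """\
SU 02/22 17:05 + pts/3 jdoe-root
SU 02/22 17:20 - pts/3 ops-root
"""

def when(s):
    """Parse 'YYYY-MM-DD HH:MM:SS' into a datetime (helper for callers)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def parse_vpn(text):
    """Pair session-start/session-end lines into sessions with the assigned inner IP."""
    sessions, open_by_user = [], {}
    for line in text.splitlines():
        parts = line.split()
        ts = when(parts[0] + " " + parts[1])
        kv = dict(p.split("=", 1) for p in parts[4:])
        if parts[3] == "session-start":
            s = {"user": kv["user"], "src": kv["src"], "assigned": kv["assigned"],
                 "start": ts, "end": None}
            sessions.append(s)
            open_by_user[kv["user"]] = s
        elif parts[3] == "session-end" and kv["user"] in open_by_user:
            open_by_user.pop(kv["user"])["end"] = ts
    return sessions

def parse_wtmp(text):
    """Pair login/logout records per tty, as wtmp does."""
    logins, open_by_tty = [], {}
    for line in text.splitlines():
        user, tty, host, d, t, action = line.split()
        ts = when(d + " " + t)
        if action == "login":
            rec = {"user": user, "tty": tty, "host": host, "login": ts, "logout": None}
            logins.append(rec)
            open_by_tty[tty] = rec
        elif action == "logout" and tty in open_by_tty:
            open_by_tty.pop(tty)["logout"] = ts
    return logins

def parse_sulog(text, year):
    """sulog carries no year, so the investigator supplies it from context."""
    events = []
    for line in text.splitlines():
        tag, date, time, result, tty, users = line.split()
        if tag != "SU":
            continue
        src, dst = users.split("-", 1)
        events.append({"time": datetime.strptime(f"{year}/{date} {time}", "%Y/%m/%d %H:%M"),
                       "ok": result == "+", "tty": tty, "from": src, "to": dst})
    return events

def correlate(vpn, logins, su_events):
    """For each successful su to root, find the enclosing login and the VPN session
    that handed out the login's source address. A chain is complete only if all three link."""
    chains = []
    for su in su_events:
        if not (su["ok"] and su["to"] == "root"):
            continue
        login = next((l for l in logins if l["user"] == su["from"] and l["tty"] == su["tty"]
                      and l["login"] <= su["time"]
                      and (l["logout"] is None or su["time"] <= l["logout"])), None)
        session = None
        if login:
            session = next((s for s in vpn if s["user"] == login["user"]
                            and s["assigned"] == login["host"]
                            and s["start"] <= login["login"]
                            and (s["end"] is None or login["login"] <= s["end"])), None)
        chains.append({"root_at": su["time"], "user": su["from"], "login": login,
                       "vpn": session, "complete": login is not None and session is not None})
    return chains

def attribute(mtime, chains):
    """Return the complete chain whose root session covers a file's modification time
    (taken from inode data in a disk image), or None if no logged root session covers it.
    Caveat: root can also reset mtimes, so the image is an independent source, not an immune one."""
    for c in chains:
        if c["complete"] and c["root_at"] <= mtime <= (c["login"]["logout"] or datetime.max):
            return c
    return None

def drop_lines(text, needle):
    """Simulate a root user editing a log: remove every line containing needle."""
    return "\n".join(l for l in text.splitlines() if needle not in l)

if __name__ == "__main__":
    vpn, logins = parse_vpn(VPN_LOG), parse_wtmp(WTMP_TEXT)
    chains = correlate(vpn, logins, parse_sulog(SU_LOG, 2002))
    mtime = when("2002-02-22 17:12:30")   # constructed mtime of a planted file
    print("intact logs:", attribute(mtime, chains))
    edited = correlate(vpn, logins, parse_sulog(drop_lines(SU_LOG, "jdoe-root"), 2002))
    print("su line removed:", attribute(mtime, edited))   # None: the change is now unattributed
```

The point of the last two lines is the one both experts circle: the file change recorded in the image is still there after the su line is removed, but it no longer hangs on any logged root session, so an investigator who relies on the logs alone would have a gap. A practitioner therefore corroborates across sources held by different systems (the VPN concentrator's log is not on the host root controls) rather than treating any single host log as authoritative.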