Title: Stip of Expected Testimony: Sean Chamberlin

Release Date: 2014-03-20

Text: UNITED STATESOF AMERICA^.Manning, Bradley E.PFCU.S.Army,HHC, U.S. Army Garrison,JointBaseMyerHendersonHallFortMyer, Virginia 22211STIPULATION OFEXPECTEDTESTIMONYMr.SeanChamherlin^June 2013It is hereby agreed hy the Accused, Defense Connsel,andTrial Cottnsel, that ifMr, SeanChamherlin were present to testify dt^ring the merits and pre-sentencing phases ofthis courtsmartial, he would testify st^hstantially as follows:I.lamaSystems Administrator for the S^ shop ofthe 902d Military Intelligence (MI) Grottp onFort Meade, Maryland, The 902d MI Gronp performs counterintelligence functions. My sectionis responsible for providing ITsupport tor all unit servers,In this capacity,Ihttild new serversand maintain old ones. lhave worked in this capacity for ten years. Before thatlwas activedTity military for nine years and wasaStaff Sergeant whenlleft the Army. For the lastfi^eofmy nine years of active duty ser^ice,Ihad the Military Occupational Specialty (MOS) 33^,which is Intercept Electronic^arfare Systems Repair. Inthatcapacity,Iwasasystemsadministrator. Tofulfill my current tnnction,Iha^e received SecLirity Plus training and ha^ecertifications in nnmerons Microsoft server types. lalso holdaBachelor'sdegree in InformationSystems from the University ofPhoenix.2. Ifirst became in^ol^ed in the present case in JTtIyof2011when my supervisor Mr. RobertConner, the Site Lead for InformationTechnology at the 902d MI Gronp, requested thatlpullMicrosoft Internet Inti:^rmation Services (MllS)weh server audit e^ent logs for the contacting IPaddresses 22 225,41.22 and 22 225.41 40 between thedates November 2009 and May 2010.MIIS are application logs that are specific to the web ser-^er. Audit logs arearecord of theactivity that occnrs on the server and enahle system administrators like me to track what ^sers doon the wehsite. Andit logs contain data that is ai.itomatica1Iy written to them onadaily basis.Flere, the at.idit logs record file activity onaweb server from the United States Governmentcomputer assigned to the IP address199.32.48 154,isacompi.iter dedicated to processingclassified information at the SECRET le^el. This is the IP address for theACIC wehsite onSIPRNET3. This data shows what IP addresses accessed onr system within that date range. An IP addressis part oftheTransmission Control ProtocoI^Intemet Protocol (TCP/IP). Aprotocolisthestandard language used to communicate o^eranetwork. TCP/IP is the most common^^langt^age" that compt^tersttse to commnnicate overthe Intemet. An IP address is the method ofidentityingaspecific computeronanetwork.4. An IP address allows t^s to know which computer onagi^en network accessed onrser-^er. Inthis case,Ipnlled eighteen log files for the abo-^e IP address and date range. The files are namedthe following: ex0911191og:ex0912011og:ex0912141og:ex0912171og:ex0912211og:ex0912291og:ex1002071og:ex1002091og:ex100211 1og:ex100214 1og:ex1003011og:/^^PROSECUTION EXHIBIT 1 ( for identificationPAGE OFFERED:^ PAGE ADMITTED:PAGE 1 O F l PAGESex100302 1og:ex100308 Iog:ex100315 Iog:ex10031^ Iog:exI003171og, which istheautomatic naming contention ofMicrosoft based on date. The files display in text format. Thefiles contain 8^ entries fcir the IP addressof22.225.41.22 and 28 entries for the IP address of^^•^22 225 41 40 The firstentryfor 22225 41 22 or 22 225 41 4 0 i s I 9 N o v e m b e r ^ ^ ^ ^ ^ ^ ^ ^ ^5. These logs are on our external wehser^er,which is one ofthe ser^erslamresponsihle formaintaining. The weh server and the logs are located in what is commonly referred to as the^^DM^",which is the area between our intemal system and the SIPRNET. Ipulled the data usingasearch window and searching the IP address for the gi^en date range. Thenlsearchedtorthetwo requested IP addresses. Ithen put the files into an intemal investigation folder and had themhumedtoadisc. Ilooked at the disc to verify that they were the logs thatlpnlled.^. lam familiar with these logs because of my work asasystems administrator. Afterlpnlledthe logs,they were ht^medontoarewritable disc by another individual. Ireviewed the contentsofthe disc to ensure it contained the logs thatlpulled. The disc labeled ^^Log Files 902^^ MI2011^000^" contain the logs thatlpulled. Prosecution E^hihit^^ for Identification isacopyofthis disc. lattested to the authenticity ofthese logs on2I June 2012(BATESni^mher:00449439). Ipulled the logs from the server and did not alter the content ofthe logs in any way.lhave no reason to believe anyone else would ha^e modified the logs in any way while they areon the server as permissions to the ^^DM^" are very limited.^^^^^^^i^^i^^B^^^^^ANGELM O^RGAARDCPT,JAAssistantTrial CounselTHOMAS HURLEYMAJ,JADefense Counsel^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^BRADL^^ MANN^^^PFC, USAAccLtsed


Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh