Title: Stip of Expected Testimony: Alex Withers

Release Date: 2014-03-20

Text: UNITED STATES OF AMERICA

Manning, Bradley E.
PFC, U.S. Army,
HHC, U.S. Army Garrison,
Joint Base Myer-Henderson Hall
Fort Myer, Virginia 22211

STIPULATION OF EXPECTED TESTIMONY
Mr. Alex Withers
DATED: ^ June 2013

It is hereby agreed by the Accused, Defense Counsel, and Trial Counsel, that if Mr. Alex Withers were present to testify during the merits and pre-sentencing phases of this court-martial, he would testify substantially as follows:

1. I currently work as an Investigator in the IT Division of Brookhaven National Laboratory (BNL) in Upton, NY. Specifically, I am part of a Cyber Security Incident Response Team (CSIRT). I have held this position for five years (since September of 2008). Prior to that, I worked as an Advanced Technology Engineer, responsible for helping to maintain the computers that process data for our Relativistic Heavy Ion Collider (RHIC) as well as the ATLAS Computing facility (RACF). BNL has the capacity to process large amounts of data through our super computer systems. Accordingly, in my previous position, I was further responsible for helping to manage the queue of jobs submitted from institutions throughout the world, who seek BNL's assistance in processing large amounts of data. I held that position for four years.

2. I hold a Bachelor's and a Master's degree in Computer Science. I also hold three certifications from the computer security professional association Global Information Assurance Certification (GIAC): one in Forensic Analysis, one in Incident Handling, and one in Intrusion Analysis.

3. I first became involved in this case after I discovered suspicious activity on the desktop workstation computer assigned to a BNL employee identified as Mr. Jason Katz. Based on BNL's report to federal law enforcement officials, investigators in the present case against PFC Manning became interested in the contents of the BNL desktop computer assigned to Mr. Katz, which I collected and forensically examined.

4. In my CSIRT position, I monitor information system security for BNL. In early March of 2009, I discovered the BNL desktop machine assigned to Jason Katz had a Firefox extension. An extension is a program that runs within the Firefox internet browser and that enhances the user's abilities. For example, an extension could allow a user to project his/her Internet Protocol (IP) to a different location, and route through a different IP address, so that his/her actions on the web would appear to have originated in that location instead of the user's actual location. In this instance, the extension on Mr. Katz's machine implied that Mr. Katz had bypassed BNL proxy servers designed to monitor BNL computers' internet traffic. I further investigated this activity by reviewing logs created by BNL reporting software. This review revealed that Mr. Katz's BNL desktop machine had a large amount of Secure Shell (SSH) traffic. SSH is a computer protocol, or computer communication language, that facilitates secure or encrypted communications. This information, when taken in conjunction with my review of BNL firewall logs, suggested that Mr. Katz was transferring files between his BNL machine and another computer outside his home using an SSH, or encrypted, connection. I know the network to which he connected was not his home computer, as the IP address to which this connection was made did not match his home IP address. While I could not tell which types of files were transferred, having previously occupied a duty position responsible for many of the same activities as Mr. Katz was then responsible, I know it is possible for a user in Mr. Katz's position to have hidden files in the BNL system and to have used the BNL computing power to run personal tasks. For example, the BNL super computer power could significantly reduce the amount of time it would take to decrypt an encrypted file without a password. I also know that the BNL desktop CDR^ and USB drives would have been enabled on his work computer. These could have been used to transfer data onto removable media.

5. This, and other suspicious activity, resulted in further investigation. Ultimately, our system detected that Mr. Katz's computer had accessed a website known to contain pirated files. We were able to find this because Mr. Katz upgraded to a web browser that had a bug that allowed me to see what websites Mr. Katz was visiting. Pirated files are illegally obtained files. I cannot recall all of the websites visited by Mr. Katz. The only one that I remember specifically is Pirate Bay, a website that allows for the improper downloading of movies and other entertainment media. As this was against user agreement policy, the BNL system automatically blocked Mr. Katz's desktop computer, essentially removing it from the BNL system. The ensuing investigation included the collection of Mr. Katz's BNL desktop computer for forensic imaging and further investigation. I know this because I was part of the team to report the initial suspicious activity to my supervisor Mr. James Fung. I then met with and accompanied responding law enforcement personnel to Mr. Katz's workstation for the collection of his computer. Mr. Katz was present at the time we obtained the BNL computer. It was a Dell Optiplex 9^0 computer with a Linux operating system, bar code number 138^94. At the time of collection, we checked to make sure the computer did not contain any removable media devices such as a thumb drive. Then, my CSIRT colleagues and I accompanied that computer to the forensic laboratory for forensic imaging by Mr. James McManus. Mr. McManus is an IT Architect at BNL.

6. Following this imaging process, our Cyber Security Team further examined this forensic image. I know our team examined it because I participated in that examination. Our investigation revealed that Mr. Katz had password cracking software on his BNL desktop computer. Additionally, the computer housed at least part of an encrypted .zip file, which, it appeared, Mr. Katz had attempted to break into or decrypt using the brute force attack method. The brute force attack method means using a computer-generated or pre-generated list of possible passwords to crack an unknown password by running different passwords against the file one at a time at a very fast rate. We did not have the password to this file and so could not open it. Our search also revealed movies that had been downloaded and saved to Mr. Katz's work computer. I do not recall whether WikiLeaks was mentioned in any way on Mr. Katz's computer. This was prior to my having heard of WikiLeaks, so I may not have noted its significance at the time.

7. At no time, prior to, during, or after the collection of Mr. Katz's BNL computer did I alter its hard drive, its other components, or its contents in any way. Furthermore, I never altered any forensic image made from this computer in any way. At no point did I observe anyone alter the computer, its hard drive, its other components, or its contents in any way. Likewise, I have no reason to believe the evidence was damaged or contaminated in any way.

ASHDEN FEIN
MAJ, JA
Trial Counsel

THOMAS F. HURLEY
MAJ, JA
Defense Counsel

BRADLEY E. MANNING
PFC, USA
Accused
