case 3:15-cv-02401-hz document 120-13 filed 06/22/17 page ... › ... · case 3:15-cv-02401-hz...

1

1 ROUGH DRAFT TRANSCRIPT NOT CERTIFIED

2

3 This real-time draft is unedited and

4 uncertified and may contain untranslated

5 stenographic symbols, an occasional reporter's

6 note, a misspelled proper name and/or

7 nonsensical word combinations. All such entries

8 will be corrected on the final, certified

9 transcript.

10 Due to the need to correct entries prior to

11 certification, this real-time draft transcript

12 is to be used ONLY for the purpose of augmenting

13 counsel's notes and is not to be used or cited

14 in any court proceeding or distributed to any

15 other parties.

16

17

18

19

20

21

22

23

Exhibit 13 page 1

Case 3:15-cv-02401-HZ Document 120-13 Filed 06/22/17 of 149

24

25

2

1

2

3 ARBITRATOR CROW: Mr. Rote, you are up.

4 MR. ROTE: Very well. We have brought our

5 first expert, Mr. Mark Cox to testify this

6 morning.

7 ARBITRATOR CROW: Mark.

8 MR. ROTE: Cox. We did provide his

9 curriculum vitae the other day. I think you

10 still have it.

11 ** sworn sworn **

12 Q. BY MR. ROTE: Will you please state your full

13 name for the record.

14 A. It's Mark Donald Cox.

15 Q. And what is your profession?

16 A. I'm a computer forensic specialist.

17 Q. What is your computer forensics examiner status

18 entail?

19 A. Basically what I end up doing is using forensics

20 tools that I have been trained in and have been

21 working with for several years, providing

Exhibit 13 page 2


22 computer forensics, including recovery of

23 deleted files, doing histories of activities

24 behind computers and just generally looking at

25 computers and find being out what has happened,

3

1 what's present and things that are odd or don't

2 seem right.

3 Q. What's your current position?

4 A. My current position is a forensics specialist

5 with evolve discovery.

6 Q. And how long have you held that position?

7 A. Evolve discovery recently purchased In2iTive

8 technologies. So I've been with evolve only

9 since June and that's when they acquired

10 In2iTive technologies. I was with In2iTive

11 technologies for two years and then have been

12 with other forensics companies for four, 5 years

13 prior to that.

14 Q. Can you describe your education and experience

15 in the field of forensics?

16 A. My education is I have gone through the guidance

17 soft wares training as far as the in case

18 software, their beginning, intermediate and

19 advanced courses. I've also taken forensics

20 courses through excess data, specifically forExhibit 13 page 3


21 their forensics tool kit, both their basic

22 course and also their windows forensics

23 specialist course.

24 Q. Okay. Were you asked to perform forensic

25 examination of data contained in data storage

4

1 devices related to this matter?

2 A. Yes, I was.

3 Q. And did you perform that analysis?

4 A. Yes, I did.

5 Q. Please describe the processes by which you

6 examined and the processes by which you acquired

7 the data?

8 A. There were two devices. One was a 60 gigabyte

9 hard drive. And when I received that I created

10 a forensic image of that using in case and

11 performed the analysis on that. There was also

12 a second device which was a 120 gigabyte hard

13 drive, and for that one I received a forensic

14 image from Steve Williams. And after I received

15 that I basically went through, verified the

16 authenticity of the image to ensure it had not

17 been changed or altered in any way to ensure

18 that it was a true forensic image of the 120

Exhibit 13 page 4


19 gigabyte hard drive.

20 Q. Did you also receive a forensic scan of the 60

21 gig hard drive?

22 A. Yes, I did, at a later date I did receive a,

23 another forensic image of the 60 gigabyte that

24 had been performed at an earlier time by Steve

25 Williams.

5

1 Q. The process you described in examining that

2 data, that hard drive, is that a customary and

3 accepted practice within your profession?

4 A. Yes. Just that we use that to ensure that the

5 forensic images that have been created have not

6 been altered in any way.

7 Q. Did you consider other information in performing

8 your analysis?

9 A. In relation to.

10 Q. Such as testimony?

11 A. Yes, I did. I was looking, I was given portions

12 of Mr. Zweizig --

13 Q. Mr. Zweizig?

14 A. Zweizig, sorry.

15 Q. Zweizig.

16 A. Given portions of his testimony and reviewed

17 that and developed reports based upon someExhibit 13 page 5


18 oddities that I found there.

19 Q. Please tell Mr. Crow what specific issues you

20 were asked to address.

21 A. Oh, basically I generated three reports based

22 upon the attempting to find the e-mails on the,

23 yes, e-mails up on the 60 gigabyte hard drive

24 and then also there was statements about

25 forensically recovering fox profiles and that

6

1 files could be recovered. And so I evaluated

2 that in relation to what was on the 120 gigabyte

3 hard drive and then also the last was looking at

4 the 120 gigabyte hard drive to try to determine

5 the usage patterns over three different time

6 periods as to how the computers were used or

7 potentially used during those time periods.

8 Q. Based on your training and experience and your

9 examination of the data you have described, are

10 you able to conclude with a reasonable degree of

11 scientific certainty whether the 120 gig hard

12 drive was used during the period between mid

13 May 2003 through or on or about November 12,

14 2003?

15 A. Everything that I saw on the 120 gigabyte hard

Exhibit 13 page 6


16 drive pertaining to that time period is, I would

17 say, conclusively indicates that the hard drive

18 was being used during that time period.

19 Q. Mr. Zweizig testified that the hard drive in

20 question, the 120 gig hard drive in question had

21 been reformatted and placed in fire proof

22 storage at the end of May 2003. So your

23 conclusion is that it was used during that

24 entire period of time?

25 A. Yes. The reformatting that I was able to find

7

1 occurred at a later time and the hard drive

2 prior to that all indications are it was being

3 used as a secondary hard drive.

4 Q. Okay. So if we look at Exhibit 141 on that

5 issue, do you have a copy of your report?

6 A. Yes, I do.

7 Q. Exhibit 141 is the report on the examination of

8 the 120 gig hard drive, and specifically I

9 believe Exhibit 2?

10 ARBITRATOR CROW: Page two, is that --

11 MR. ROTE: Exhibit 2 would be page 12.

12 ARBITRATOR CROW: Exhibit 2?

13 MR. ROTE: Page 12 of Exhibit 141. I'm

14 sorry.Exhibit 13 page 7


15 Q. BY MR. ROTE: There's 21 pages of this exhibit;

16 is that correct?

17 A. Yes, I believe so.

18 Q. And these, this is a representative sample of

19 the information that you found, is that also

20 accurate?

21 A. That is correct.

22 Q. So there's a great deal more data that you

23 wouldn't produce, there would have been

24 thousands of pages?

25 A. Yes.

8

1 Q. So can you tell us, for example, on this

2 exhibit, actually it's identified as Exhibit 3,

3 I believe, page 12. Would you talk to us about

4 last access and file created dates, those items

5 in column B and C.

6 A. Last access is generated by the operating

7 system. And basically it's the last time the

8 file was touched in some manner by the operating

9 system. Now, that may be something that the

10 operating system itself was doing or more

11 generally and more specifically something that

12 the user of the computer was doing that caused

Exhibit 13 page 8


13 the last access date to be recorded to that

14 time. Generally system files are going to be as

15 a result of the windows operating system, doing

16 something, but the user generated files is

17 generally when the user last had access to those

18 files.

19 Now, the file created time and date is when

20 the file is actually created on that hard drive.

21 And that file created time does not change.

22 Last access times will change as the file is

23 accessed, file created time stays the same while

24 it's on that hard drive.

25 Q. So you would have expected that the file

9

1 creation dates would all have been before the

2 middle of May 2003?

3 A. If it was not used during, during May, then yes,

4 I would, file creation dates would have been

5 before.

6 Q. And the same conclusion would be with respect to

7 last access as well, all of those dates would

8 be --

9 A. Yes.

10 Q. Okay. Again, to reaffirm, restate your

11 conclusion, was that it was reformatted onExhibit 13 page 9


12 November 12th, 2003?

13 A. I believe it was November 12th. I'd have to

14 reference that. Pretty sure it was

15 November 12th from memory right now.

16 ARBITRATOR CROW: Is there something on that

17 exhibit that refers to that, well I guess there

18 are a lot of 11 twelves. So I understand. Go

19 ahead. I'm sorry.

20 Q. BY MR. ROTE: Well, so again, to kind of restate

21 your conclusion or reaffirm your conclusion, to

22 a scientific certainty this hard drive was in

23 place, being used, from mid May 2003, continued

24 to be used until it was reformatted on November

25 12, 2003?

10

1 A. From all indications that is a true statement.

2 Q. All right. Let's go to your report with respect

3 to the fox profiles, which is Exhibit 142. The

4 purpose of this analysis is to discuss in some

5 length how easy or difficult it is to recover

6 certain key files once reformatting has taken

7 place. Can you tell us and describe that

8 process and how difficult that is?

9 A. At the beginning of the computer age, as it

Exhibit 13 page 10


10 were, if a file was deleted it was deleted and

11 essentially it was gone. Windows came along and

12 kind of changed the definitions of a deleted

13 file so that now generally when people talk

14 about deleted files, they're talking about files

15 that they have deleted, which goes into the

16 recycle bin.

17 Now, if a file is in the recycle bin, it's

18 not actually deleted. It's just placed into a

19 different folder. So it is very easy to restore

20 that file. All you really essentially need to

21 do is go to the recycle bin and either select

22 that file and tell it to restore or you

23 literally can just drag and drop that file into

24 a different folder and it's back, it's in its

25 entirety, it was never gone.

11

1 If you go into the recycle bin and you

2 delete a file out of the recycle bin or you use

3 the empty recycle bin feature, then that file

4 truly does become deleted. And so a, as a side

5 note, a third way of deleting a file is a, it's

6 called a shift delete. And that's where you use

7 the shift button and hit the delete and that

8 completely bypasses the recycle bin.Exhibit 13 page 11


9 So those are basic definitions of what

10 deletion is.

11 ARBITRATOR CROW: So if you hit the shift

12 delete button you've actually deleted it as you

13 have suggested was at the beginning of the

14 computer age; is that correct?

15 THE WITNESS: Yes.

16 ARBITRATOR CROW: Thank you.

17 THE WITNESS: There's no record that the

18 file was there as it were.

19 Now, on the low level side, the, when a file

20 is deleted in windows, all it's doing is saying

21 to windows marks the spaces that were occupied

22 by that file as available. It doesn't actually

23 go in there and delete or remove the file so

24 that it's unrecoverable. It just says to

25 windows, if you have a file that you need to

12

1 copy to the hard drive, these spaces are

2 available to write to.

3 So that's why forensics can go back and if

4 it hasn't been over written in any way, you can

5 a lot of times collect the entire, restore the

6 entire file. So that's generally, you know,

Exhibit 13 page 12


7 considered, you know, a forensics and recovery.

8 But if windows uses any part of the file

9 that was previously, or any part of the hard

10 drive that was previously occupied by the file

11 that was actually deleted as it were, then that

12 file will not be recoverable because parts of it

13 will have been over written. Now, you may be

14 able to recover parts of the file but you're not

15 going to be able to recover all of it.

16 Q. BY MR. ROTE: This particular hard drive was

17 reformatted, however. What is the implication

18 with respect to reformatting? Does it make that

19 more complicated to recover a file?

20 A. What reformatting does, during the formatting

21 process what ends up happening is the windows

22 operating system, and we're just dealing

23 specifically with windows right here, will build

24 a table of space on the hard drive that's

25 available to be written to. When it's initially

13

1 formatted, as far as the operating system is

2 concerned, there's nothing on that hard drive.

3 So it just builds this table and says this

4 entire hard drive is available to be written to.

5 It does not actually over write the entireExhibit 13 page 13


6 hard drive. It only uses maybe two to 5 percent

7 of the hard drive to create this file table.

8 So, if you reformat a hard drive, then you,

9 forensically you can go back and you can recover

10 files that were present on that hard drive

11 before, but again, the, it's, it has to make

12 some assumptions when it's trying to do that and

13 those assumptions are not always borne out and

14 actually recovering the entire file.

15 Q. So forensically recovering a file is not as

16 simple as it sounds?

17 A. No. It's not. It's, I mean, there's programs

18 out on the internet that says we can recover

19 files and everything like that, but that's a

20 very basic and it doesn't it, just basically it

21 goes out there and it tries to find a, any

22 indications that the file existed in a master

23 file table. And so it makes, they generally

24 fail on the side that we're not going to recover

25 it if we're not 100 percent sure. So it doesn't

14

1 get a lot of the files. Now whereas you go in

2 with a forensics program, you can go in there

3 and it makes a more, a much deeper examination

Exhibit 13 page 14


4 of the hard drive and it looks for things such

5 as file signatures. And what those are, many

6 files at the very beginning of the file will

7 have two or three characters that tell it

8 exactly what type of file it is. So that a

9 forensic recovery will go in there and part of

10 it, it will look to see if it can find parts of

11 the file table and if it can find parts of a

12 file table, it will use that to try to analyze

13 parts of the hard drive to see if it can recover

14 files that way. It will also go in there and it

15 will look for these file signatures, trying to

16 find files that were particular to that type of

17 file and it will attempt to recover it that way.

18 The problem is, it has to make assumptions

19 as to where the entire file is located. And

20 many times those assumptions do not bear out and

21 you cannot get all files in 100 percent

22 recoverable.

23 Q. Can you, you noted that the files were deleted

24 and then of course the hard drive had been --

25 ARBITRATOR CROW: We're now talking about

15

1 the 60 gigabyte.

2 MR. ROTE: The 120 gig.Exhibit 13 page 15


3 ARBITRATOR CROW: So some files on the 120

4 had been deleted.

5 MR. ROTE: Yes. And the entire hard drive

6 had been reformatted. On November 12th.

7 ARBITRATOR CROW: Okay.

8 MR. ROTE: Can you, do you have any idea as

9 to the combination of processes, when a file is

10 deleted and on top of that the entire hard drive

11 is reformatted, that I presume makes it even

12 more complicated?

13 THE WITNESS: Yes it makes it even more

14 complicated. Because if a file is just deleted,

15 there's still the master file table that

16 forensically we may be able to go into and

17 determine where the files were located. But

18 once it gets reformatted, that master file table

19 is essentially gone. There may be segments that

20 are left over, but the, that's only partial, you

21 know, partially recoverable. And so --

22 ARBITRATOR CROW: Take a minute if you

23 would, Mr. Cox, and explain what reformatting

24 means to me.

25 THE WITNESS: What reformatting is, taking a

16

Exhibit 13 page 16


1 brand new hard drive, you can't use it because

2 it's, there's no structure to it. When you

3 reformat or when you format a brand new drive,

4 what it does, it will go in and it will take the

5 hard drive and it will put a structure to it. A

6 structure that the operating system understands.

7 So that essentially it's building a catalog of

8 every location on the hard drive where it can

9 store data.

10 ARBITRATOR CROW: All right. Then when you

11 say there was a reformatting on 1112 oh three,

12 are you able to, by examination of the 120

13 gigabyte hard drive, include what the original

14 formatting was?

15 THE WITNESS: The original formatting, I can

16 look at the original or the information that's

17 on the hard drive and I can interpret it with a

18 N T F S formatting structure, which is the

19 windows formatting structure.

20 ARBITRATOR CROW: So your answer is yes.

21 THE WITNESS: Yes. Yes. I'm sorry.

22 ARBITRATOR CROW: All right. Then when it

23 is reformatted, you can determine what the

24 original format was.


17

Exhibit 13 page 17


1 ARBITRATOR CROW: Tell me how this hard

2 drive was reformatted and how it differed from

3 the original format.

4 THE WITNESS: What ends up happening is when

5 it is reformatted, the original catalog as it

6 were is no longer available. So that when you

7 reformat, you are making a brand new catalog.

8 Now, forensically we can go in there and we

9 can look at the hard drive and by essentially

10 over laying an N T F S structure to it, then we

11 can see the structure that was underneath. Even

12 though we may not have the original catalog from

13 the format because we know what it was formatted

14 with before, then we can make the

15 interpretations necessary to go back and see the

16 files that were located on there before.


18 Q. BY MR. ROTE: Typical activity on reformatting

19 is to erase as much as possible the hard drive;

20 is that true?

21 A. For the average computer user, when you say that

22 you've reformatted a hard drive, their

23 understanding is that everything's gone.

24 Nothing's recoverable.

25 ARBITRATOR CROW: That's the intention.

Exhibit 13 page 18


18

1 THE WITNESS: Yes.

2 ARBITRATOR CROW: All right.

3 THE WITNESS: But for the, for the people

4 that are more knowledgeable about the operating

5 system and how, you know, things work, they

6 understand that reformatting will not erase all

7 data underneath. It just makes it much more

8 difficult to get to.

9 ARBITRATOR CROW: Okay.

10 Q. BY MR. ROTE: Messes it all up?

11 A. Essentially.

12 Q. Meshes it all up. But if I were to look at a

13 hard drive after the reformat, and I wouldn't

14 see anything?

15 A. No. You would not see anything by looking at it

16 through windows. It's a brand new hard drive as

17 far as it is concerned.

18 Q. I'd like to go on to Exhibit 140 and talk about

19 the 60 gig hard drive and the analysis you

20 performed again with respect to that hard drive

21 as well as the analysis you did on the forensic

22 image of that 60 gig hard drive. Can you kind

23 of restate, you've been asked to perform certain

24 specific analysis. Can you restate what your

Exhibit 13 page 19


25 conclusions were with respect to 60 gig hard

19

1 drive?

2 A. Basically this was the 60 gig hard drive, the

3 analysis entailed use of the 60 gig hard drive

4 for a e-mail computer. In other words, sending

5 or receiving e-mail. So what initially was

6 basically go in there and try to find any e-mail

7 container files generally PST's or, you know,

8 Outlook, PST's being Outlook, DBX as being

9 Outlook express. As I understand these were the

10 programs that were being used.

11 Now, the initial analysis found as on be

12 Exhibit 1, it basically only found four

13 different PST files. And as we've discussed

14 before, the last access file created, the file

15 created is when the file was actually created on

16 that hard drive. And based on Exhibit 1, the

17 PST files that was, there's only -- Let me

18 rephrase this. There were no PST files that

19 could be found that hard drive that could have

20 been used by Max during the time period that he

21 said it was in use. And that the first PST that

22 was actually created was after the hard drive

23 had been returned to Tim Rote.Exhibit 13 page 20


24 So not finding a PST, doesn't mean that it

25 wasn't there. It just means that it couldn't be

20

1 found. So then a search was performed of the

2 hard drive to attempt to try to find any

3 residual e-mail fragments that could have been

4 associated with Max. The, that analysis did not

5 find any fragments on unallocated space anywhere

6 that could be tied in with Max.

7 This is the, not finding anything, if it was

8 used as an e-mail computer, is extremely unusual

9 because it's very difficult to get rid of

10 everything. And so, you know, I would expect

11 something to have been sitting around. I have,

12 I have recovered e-mail fragments three to

13 five years old. And not just one or two, but,

14 you know, several. And so finding absolutely

15 nothing, to me, indicates that this hard drive

16 was never used as an e-mail computer by Max and

17 that there was not anything that I could find

18 that associate e-mail with Max during this time

19 period.

20 Q. So let's kind of peel the onion here. If a PST

21 files had, in an archive file had been brought

Exhibit 13 page 21


22 over from the 120 gig hard drive, for example,

23 that archive file of e-mails would still be

24 there. If it had been deleted you would have

25 been able to find that?

21

1 A. If it had been deleted I would have found some

2 indication of it somewhere, whether it was an

3 unallocated, or unallocated is basically the

4 deleted files, or there's also another area that

5 we call slack files. This is areas of the hard

6 drive that files, when they are written to an

7 area, if they do not completely override a file

8 that was there previously is called a slack

9 file. And so it's, or slack area. That's where

10 the even had the drive or the PST been there and

11 it was over written, there would still be

12 something in the slack area if the, if it was

13 not completely filled you mean.

14 ARBITRATOR CROW: Let me ask you this.

15 THE WITNESS: I know it's getting very

16 technical.

17 ARBITRATOR CROW: Did you do a similar

18 search for e-mails on the 120 gigabyte hard

19 drive.

20 THE WITNESS: No, I did not search forExhibit 13 page 22


21 e-mails on the 120.

22 ARBITRATOR CROW: So you don't know whether

23 it was used for e-mail delivery at all.

24 THE WITNESS: No. I do not know. The

25 answer is no.

22

1 ARBITRATOR CROW: All right. Thank you.

2 Q. BY MR. ROTE: The 60 gig hard drive, go to again

3 page three of this exhibit, the very top entry,

4 the recovered folders NWT employee Outlook dot

5 PST, again according to your exhibit, that file

6 was created on November 13, 2003, at 12:27 a.m.

7 in the morning?

8 A. Correct.

9 Q. That's correct. And if there had been a

10 previous Outlook express file with the same

11 name, would that have shown up?

12 A. With the same name, it might have. It might not

13 have. It would depend on how the, how

14 recoverable as it were that it was in the, on

15 the hard drive.

16 Q. If the e-mails on this hard drive had been

17 simply cut and pasted to a different hard drive

18 or medium, you would still find fragments?

Exhibit 13 page 23


19 A. You would still find fragments of the e-mails,

20 yes.

21 Q. So it doesn't matter if they were deleted or if

22 they were cut and moved to a different hard

23 drive, you would still find fragments?

24 A. I would expect to find fragments, yes.

25 Q. And again, your experience on that is you found

23

1 fragments three or 5 years later?

2 A. That's correct.

3 Q. During your examination you looked at the 60 gig

4 hard drive that had been in use for a period of

5 time but you also looked at a forensic scan that

6 had been created just about a year, three months

7 after that hard drive was received. Did you

8 find any differences?

9 A. There were differences, but as far as the

10 e-mail, there was no differences and still did

11 not find anything even though it was, a scan had

12 been taken at an earlier time.

13 Q. Okay. Very good.

14 ARBITRATOR CROW: Let me interject here now

15 if I might and I'd like to have both counsel,

16 Mr. Rote, assuming you're counsel, respond. I

17 do recall from the testimony that Mr. ZweizigExhibit 13 page 24


18 testified that the 120 gigabyte hard drive

19 failed in some respect and was not in use during

20 a period of time we're talking about. And I

21 believe I recall that he then used the 60

22 gigabyte hard drive that is now being discussed

23 and it was the one that would have received or

24 sent e-mail. Am I correct in that.

25 MS. MARSHALL: I believe so.

24

1 MR. ROTE: That is his testimony.

2 ARBITRATOR CROW: All right. Thank you. Go

3 ahead.

4 MR. ROTE: The only other thing that we

5 have, I have a chain of custody form as

6 Exhibit 144. I just wanted to turn over to you,

7 Mr. Crow. The forensic scans that you received

8 were performed by Steve Williams? Steve

9 Williams had those forensic scans and made those

10 available.

11 THE WITNESS: Yes for the 120 and the early

12 60 gigabyte.

13 Q. The early 60 scan. He'll be here to testify

14 pretty quick. All right. Well, then to sum up,

15 I think the important point that we want to

Exhibit 13 page 25


16 emphasize here is that, is that e-mails generate

17 a substantial amount of activity and that in my

18 experience with Outlook it can only become so

19 big before you have to archive files. It's

20 usually when it's set up it takes only so much

21 space on a hard drive. Is that accurate?

22 A. That is, that is true with the stipulation as to

23 the type of, the way you set up Outlook. The, I

24 don't know what version of Outlook was being

25 used. Early versions you could only have a

25

1 maximum of two gigabyte before you would

2 actually corrupt the PST. Later versions, if

3 you set up the, set it up for an expanded

4 version, then there's essentially probably 128

5 gigabyte limit as the size of the file.

6 Q. So when you archive a folder though I just want

7 to make sure we're clear on this. When you

8 archive e-mails just because that Outlook file

9 is continuing to be used and deleted e-mails are

10 being over written, the archived e-mails are not

11 over written?

12 A. No. No.

13 Q. They have to be actually deleted. And then the

14 chances of recovery are very high on those?Exhibit 13 page 26


15 ARBITRATOR CROW: Are very what?

16 MR. ROTE: High.

17 THE WITNESS: If I can talk about an OST,

18 not OST, a PST right now, a PST, when you delete

19 an e-mail in a PST, essentially all that's being

20 done is it is being removed from the viewer.

21 You cannot see that PST. PST is actually a

22 database. The e-mail is still contained inside

23 the PST. And so just deleting an e-mail does

24 not remove it.

25 ARBITRATOR CROW: How about overriding it?

26

1 Do you over write the e-mail.

2 THE WITNESS: You do not over write the

3 e-mail.

4 ARBITRATOR CROW: You just simply delete it.

5 THE WITNESS: You delete it and it's still

6 in the database and it can be recovered from

7 that database.

8 ARBITRATOR CROW: And what you're saying is

9 someone with your skills with recover that

10 deleted e-mail.

11 THE WITNESS: Very easily.

12 ARBITRATOR CROW: Okay. Thank you.

Exhibit 13 page 27


13 MR. ROTE: Okay. That is, that is all we

14 have for Mr. Cox.

15 ARBITRATOR CROW: Cross-examination.

16 Q. BY MS. MARSHALL: Yes. Thank you. Mr. Cox, my

17 name is Linda Marshall. I represent Mr. Zweizig

18 in this case. And I will, I just want to make

19 sure that I understand that Steve Williams is

20 going to be here to testify?

21 MR. ROTE: Yes, he is.

22 MS. MARSHALL: Okay. Otherwise I would ask

23 questions of Mr. Cox that --

24 MR. ROTE: He will be here any time.

25 MS. MARSHALL: Okay. Thank you.

27

1 Q. BY MS. MARSHALL: Well, Mr. Cox, with

2 professional witnesses my practice is to

3 approach your testimony in a slightly different

4 way than other witnesses. You understand that

5 you're here today to help Mr. Crow understand

6 some very technical information; is that

7 correct?

8 A. Yes.

9 Q. Okay. You understand that your purpose here

10 today and your testimony is not to choose up

11 sides but to help us all understand thisExhibit 13 page 28


12 technical information; right?

13 A. Okay.

14 Q. Is that the way you've approached your

15 testimony?

16 A. That, everything I've said in my testimony is

17 things that I found and there's based upon your

18 findings and no other influence as it were has,

19 the findings are there and they haven't been

20 altered to fit any particular scenario.

21 Q. Okay. Well, my practice then is to go through

22 the testimony that you've actually given and

23 then of course when I come here I don't know

24 exactly how your testimony is going to be. So I

25 come prepared with other questions. And just so

28

1 that you know what I'm doing is I want to walk

2 through your testimony first and then I'm going

3 to go to the things that I am interested in as

4 well.

5 A. Okay.

6 Q. So let's go back to your testimony at the

7 beginning of your testimony. Your, I believe

8 your testimony about your own experience and

9 your own, your own profession is that you have

Exhibit 13 page 29


10 been in forensics or forensic examining for how

11 long?

12 A. I've been in forensic examiner I think it was

13 from 2003.

14 Q. To the present?

15 A. Yes. Yes. I'm sorry.

16 Q. All right. And your focus in that time has

17 been, as I recorded it and you can correct me,

18 number one, the recovery of files, number two,

19 creating histories of activities within the

20 computer, and number three, if you see something

21 that's odd or doesn't seem right, to try and

22 figure out what really happened.

23 A. Okay.

24 Q. Is that it?

25 A. That's basically, that's what I testified to.

29

1 But, you know, computer forensics is much more

2 involved than that. I mean, there's entire

3 books written on the process.

4 Q. Sure?

5 A. So it does entail more than that. But yes.

6 Q. Okay. But going back to that first, the first

7 part that you have some expertise in, did

8 northwest direct, which is the company that'sExhibit 13 page 30


9 the party to this litigation, did northwest

10 direct, anyone from northwest direct ever

11 approach you in November of 2003 to help them

12 recover any files, programs or data from any of

13 their computers?

14 A. In November 2003 I wasn't even living in Oregon.

15 Q. Okay. And November of 2003 was the company

16 In2iTive?

17 A. In2iTive.

18 Q. In2iTive, was it in existence?

19 A. No, it was not in existence at that time.

20 Q. Okay. All right. But that would be the type of

21 thing that had you been in Portland, you would

22 be available to do; is that correct?


24 Q. Okay. If a company basically was in dire

25 straits because something had been in the

30

1 computer and now it didn't seem to be, you would

2 be the type of person that they would come to to

3 help them not in litigation, but in operation to

4 recover that material; is that right?

5 A. That would depend upon the circumstances. There

6 are some things that we could attempt to do.

Exhibit 13 page 31


7 Our specialty is not file recovery as it were.

8 We can recover files. Depend being on the

9 situation, we might advise them to send it to a

10 specialty company that can literally open the

11 hard drive up in the class four clean room and

12 change out heeds, things like that. So again,

13 we don't, we cannot make the statement that we

14 can recover all the files. Even if we looked

15 at -- Sorry.

16 Q. No. That's okay. I was just moving my hand?

17 A. I thought you were stopping me.

18 Q. No. I won't stop you.

19 A. But even somebody approaches us, we do not tell

20 them that we can recover all their files.

21 Q. Okay. I didn't want to stop you but I do want

22 to be clear that I'm asking you about your own

23 personal qualifications.

24 A. Okay.

25 Q. Okay. And my question was if, or should have

31

1 been, if this company came to you in November of

2 2003 and indicated to you that they could not

3 find files, programs or data on their computers

4 that they believed should be there, it's your,

5 you're competent to take on that assignment,Exhibit 13 page 32


6 aren't you?

7 A. I would take on that assignment, but one of the

8 things I would tell them is I cannot guarantee

9 that I will be able to get all the files or any

10 of the files.

11 Q. Okay.

12 A. One of the things that we do is we know that any

13 time a hard drive is run, it could cause damage.

14 If the drive is damaged to begin with. So we

15 always use a write blocker. So if it starts

16 up --

17 ARBITRATOR CROW: Before you get into a

18 procedure.

19 THE WITNESS: Okay.

20 Q. I'm just looking at your qualifications?

21 A. Okay. Yeah.

22 Q. I don't want I want to know what kind of

23 questions I can ask you.

24 A. Okay.

25 Q. So is your answer that you are qualified to

32

1 recover files from computers? Understanding

2 that no guarantees that you can in every

3 instance, but that's one of your qualifications?

Exhibit 13 page 33


4 A. I would answer yes.

5 Q. Okay. And then the second area that you talked

6 about was developing histories of activities on

7 computers. And I'd like to understand a little

8 bit more about what your qualifications are to

9 develop histories. What histories?

10 A. You can go in and look at a hard drive, the

11 information's on there, and tell generally

12 develop somewhat of a timeline of what happened

13 when.

14 Q. Okay. So it's one of your, one of your areas of

15 expertise is that you could help us figure out

16 date and time of a particular activity with a

17 computer; is that correct?

18 A. Yes.

19 Q. You seem a little hesitant?

20 A. Well I hesitate because, you know, a yes or no

21 statement is you know 100 percent yes, hundred

22 percent no. There's not, it's not, you know,

23 100 percent cut and dry because every hard drive

24 is different much and there's how many hard

25 drives in the world? So the answer to your

33

1 question is yes I can do that with the

2 understanding that not every hard drive is goingExhibit 13 page 34


3 to be the same and results are going to be...

4 Q. Okay. Now, when you're answering, I appreciate

5 that you're thinking of hard drives but I'm

6 thinking of any kind of storage device, hard

7 drive, floppy, external drive, C D, there are

8 other kinds of storage devices.

9 A. Yes.

10 Q. So are you qualified to help us determine the

11 date and time of a particular file or document

12 on any of those drives or do you have some

13 limitations there?

14 A. If it's an electronic data on standard medium

15 available to the general public and in some

16 medium that' not, yes, we can recover files.

17 Q. Okay. Now I'm not talking about recovering

18 them?

19 A. I know. I'm getting confused here. We're

20 talking at this point timelines.

21 Q. Okay. And I'm not talking about anybody but you

22 when you say we, I want it understood that I'm

23 asking you about you.

24 A. Yes.

25 Q. Okay.

34

Exhibit 13 page 35


1 A. Me.

2 Q. All right. So the third thing that I think you

3 mentioned was that if you're looking at the hard

4 drive through your forensic equipment and you

5 see something that seems to me, seems to you to

6 be odd or it just doesn't seem right, that you

7 have the skill to try to figure that out as

8 well; is that correct?

9 A. Yes.

10 Q. Okay. And has that occurred at times in your

11 practice?

12 A. Yes.

13 Q. Okay. Has it occurred in this case?

14 A. Based upon the testimony that I reviewed, yes,

15 it was odd.

16 Q. Okay. Well, when you were actually looking at

17 the drives that you were looking at, did you see

18 anything odd or something that didn't seem

19 right?

20 A. As far as?

21 Q. Anything. I'm just asking if you remember

22 seeing anything odd that caused you to perhaps

23 go back to Mr. Rote and say, we ought to look at

24 this a little bit more carefully.

25 A. The, looking at the -- There's nothing

35

Exhibit 13 page 36


1 particularly odd about those particular hard

2 drives other than the situation that they're

3 supposed to have come from. If the, the odd

4 thing about the 120 gigabyte hard drive was that

5 it was reformatted and was never used.

6 Generally you think about a drive being

7 reformatted, it's because you want to use T

8 okay. So it was never used, which is a little

9 bit, you know, odd. But then putting that in

10 place with the testimony, then yeah, things

11 weren't, things weren't connecting properly.

12 Q. When -- Did you review the testimony of

13 Mr. Zweizig because you had noticed something

14 odd about the hard drive or did you examine the

15 hard drive because you had noticed something odd

16 about Mr. Zweizig's testimony? I'm trying to

17 figure out which came first.

18 A. The examination of the hard drive was based upon

19 or the reports were generated based upon the

20 testimony of Mr. Zweizig. And so from the oral

21 communications with previous counsel and

22 Mr. Rote, the situations of the hard drive at

23 that point was noted as being odd.

24 Q. Maybe I didn't, I probably didn't ask a very

25 clear question.

Exhibit 13 page 37


36

1 A. Okay.

2 Q. But let me ask it in, first of all, did

3 Mr. Rote, can we assume that it was Mr. Rote

4 that engaged you for this testimony today?

5 A. Let me clarify just a little bit. Sometimes I

6 may seem hesitant on my answers. It's because I

7 don't really know the, in this instance I am a

8 computer forensics specialist. I don't deal

9 well with the public as it were. So who

10 actually has hired us, I believe it was

11 Mr. Rote, but that is something that is taken

12 care of by our business manager.

13 Q. I see?

14 A. And then the job is taken, is given do me, look

15 for these things. That's what I do.

16 Q. Okay. Well, that clears it up. Then what

17 exactly were you asked to look for in the

18 testimony of Mr. Zweizig?

19 A. The testimony in relation to the 60 gigabyte

20 hard drive was that the, it was used as e-mail,

21 as an e-mail computer. The 120 gigabyte was --

22 Q. Okay. Let me stop you there because I may not

23 have asked that specifically. I'm just talking

24 about Mr. Zweizig's testimony. Someone handed

Exhibit 13 page 38


25 you a copy of the transcript of Mr. Zweizig's

37

1 testimony. What did they ask you to do with

2 that transcript?

3 A. They handed me portions of the transcript. I do

4 not have the entire transcript. They handed me

5 the portions and they said, this is his

6 testimony. Would you read it over and see if

7 you see anything. And that's what I did.

8 Q. Okay. So the transcript came first, not the

9 issue with the hard drive; is that correct?

10 A. The issue with the hard drive referring to?

11 Q. Any issue.

12 A. The... The analysis that was being performed

13 was we initially asked to, we being the company.

14 I'm sorry. Me. It was handed off to, to look

15 at these hard drives and see if we found, trying

16 to answer your question. But like for the 120

17 gigabyte hard drive, this hard drive was

18 reported to have failed. Is there any activity

19 on it?

20 Q. Okay. Let me try one more time?

21 ARBITRATOR CROW: Can I, since I'm the one

22 who really needs to understand this.

23 MS. MARSHALL: Sure.Exhibit 13 page 39


24 ARBITRATOR CROW: I'm sorry to interrupt but

25 let's, as I understand it, if you take a look at

38

1 a computer, there would be nothing particularly

2 odd if the computer were out of service for a

3 certain amount of time. You wouldn't just

4 examine a computer itself. Okay. Nobody was

5 using the computer. Is that fair?

6 THE WITNESS: Yes.

7 ARBITRATOR CROW: And then as I understand

8 it, you reviewed Mr. Zweizig's testimony and

9 learned from Mr. Zweizig's testimony that the

10 120 gigabyte hard drive had been out of service

11 from May 2003 to November 2003.


13 Q. And then in looking, let's take a look at

14 Exhibit 141, Exhibit 3. That would be page one

15 of Exhibit 3. And if you'll take a look at line

16 17. Are you there?

17 MR. ROTE: Page 12 of that exhibit,

18 Mr. Crow.

19 ARBITRATOR CROW: Yes. Page 12 of the

20 exhibit. It's page one of 21 and Exhibit 3 to

21 that. Are you there.

Exhibit 13 page 40



23 ARBITRATOR CROW: So if we look at line 17,

24 although you wouldn't find anything particularly

25 unusual about a computer that sat idle for some

39

1 period of time, but when you're told it was idle

2 for a certain period of time and then in

3 examination of the computer you learned, for

4 instance, at line 17 that a file was created on

5 that computer during the period of time you were

6 told or you, I guess you were told it was out of

7 service, you would find that unusual or odd and,

8 in fact, your conclusion would be that it was

9 used because a file was created at that time.


11 ARBITRATOR CROW: Am I getting this at all.

12 THE WITNESS: Yes, that's correct.

13 ARBITRATOR CROW: All right. Thank you. Go

14 ahead.

15 Q. BY MS. MARSHALL: All right. Thank you. With

16 that in mind, let's move on to your examination

17 of the, sorry. I have to go backwards. I'm

18 just going to go sequentially through your

19 testimony so that I don't get completely

20 confused here. Let's go to your examination ofExhibit 13 page 41


21 the 60 gigabyte hard drive then?

22 A. Okay.

23 ARBITRATOR CROW: And that would be exhibit?

24 One 40?

25 MR. ROTE: Yes.

40

1 ARBITRATOR CROW: All right. Thank you.

2 Q. BY MS. MARSHALL: All right. And it's my

3 understanding that you looked at the, you

4 examined the 60 gigabyte hard drive in order to

5 find out whether it contained any evidence of

6 e-mails, e-mail traffic; is that correct?

7 A. Specifically evidence of e-mail to or from Max.

8 Q. Okay. And in this case Mr. Rote delivered an

9 actual computer to you; is that correct?

10 A. Yes.

11 Q. And that was the Sony hard drive that

12 Mr. Zweizig was reported to have used?

13 A. The 60 gigabyte, yes. I believe it was a Sony.

14 Q. And you removed the 60 gigabyte hard drive from

15 that computer and you took an image of it?

16 A. Correct.

17 Q. Correct? And when did that occur? When did you

18 actually take this image?

Exhibit 13 page 42


19 A. I would need to refer to the chain of custody

20 because whether it was the same day or the day

21 after that we received it. I believe it was the

22 same day.

23 Q. Please be my guest. I think it's an exhibit in

24 the case.

25 ARBITRATOR CROW: Exhibit 144.

41

1 THE WITNESS: I included the spreadsheet.

2 This is an internal document on, starting with

3 page two, and so basically on four ten oh nine

4 is when we imaged, when I imaged that particular

5 hard drive.

6 Q. BY MS. MARSHALL: All right. And you were aware

7 that Mr. Williams, Steve Williams, had

8 previously imaged the 60 gigabyte hard drive,

9 were you not?

10 A. At that time, no.

11 Q. Are you now?

12 A. I am now, yes.

13 Q. Okay. So now you're aware that in, on May 5th

14 of 2005, Steve Williams took a forensic image of

15 the --

16 ARBITRATOR CROW: What is the date Linda?

17 I'm sorry.Exhibit 13 page 43


18 MS. MARSHALL: May 5th, 2005.

19 Q. BY MS. MARSHALL: Took a forensic image of the

20 60 gigabyte hard drive? Yes --

21 A. Yes. Yes.

22 Q. As far as you were aware, is Mr. Williams

23 qualified to take an image of a hard drive?

24 A. As far as I'm aware, yes.

25 Q. Okay. Have you since learning that Mr. Williams

42

1 took an image of the hard drive at that time,

2 have you since reviewed his reports about what

3 he found?

4 A. I have reviewed his reports, yes.

5 Q. Okay. And have you compared what he found with

6 what you found in your, on your forensic

7 examination?

8 A. My analysis is based upon what I found. His,

9 any of his findings are not influence my

10 findings as it were.

11 Q. Well, one of the things that you were qualified

12 to do is to identify things that look odd or

13 questionable. Did you see any differences

14 between the, how he reported the 60 gigabyte

15 hard drive and what you found when you took an

Exhibit 13 page 44


16 image three years later?

17 A. Basically what I did was I took and compared the

18 two images. I reviewed his reports. But his

19 findings are, you know, are not relevant to

20 what, relevant may be the wrong word, but

21 they're not --

22 ARBITRATOR CROW: I think you're not

23 answering her question. I think the question

24 was was there a difference between the two

25 findings and if so what was it? Not whether he

43

1 was right or wrong, but was there a difference

2 in what was a difference? Am I right.

3 MS. MARSHALL: That's correct, yeah.

4 THE WITNESS: At this point I can't say

5 because I don't have his statement, I don't have

6 his reports in front of me. So I'm not sure

7 what his findings were in relation to what my

8 findings were.

9 Q. BY MS. MARSHALL: Well, in fact, when

10 Mr. Williams took his image of the 60 gigabyte

11 hard drive in May of 2005, he did find e-mail

12 traffic on the 60 gigabyte hard drive that you

13 could no longer find in 2010 when you took your

14 image, isn't that the truth?Exhibit 13 page 45


15 A. I would need to go back and look at his report.

16 I do believe his report may have stated there

17 was some e-mail traffic but it was not directly

18 tied to Max, that it, please correct me if I'm

19 wrong, but that it was not e-mail that was

20 directed -- Let me rephrase this, that Max was

21 in the chain but it was actually not Max's

22 e-mail. It was found but it was actually

23 somebody else's e-mail that had Max's e-mail

24 address on it.

25 ARBITRATOR CROW: Were you able to find that

44

1 e-mail traffic on your own image that you took

2 later.

3 THE WITNESS: I did not, I did not look for

4 that.


6 Q. BY MS. MARSHALL: Okay. So am I to understand

7 then is that whatever you saw in Mr. Williams'

8 report at that seemed to suggest there were some

9 e-mail traffic, when you examined the image that

10 you took, you did not go to the effort of

11 looking specifically for the files, the e-mail

12 PST files or what's the other extension?

Exhibit 13 page 46


13 A. DBX.

14 Q. DBX files. Okay. You did not go looking for

15 those specific PST files, did you?

16 A. What I did, I went looking for any PST file that

17 was on the drive.

18 Q. And you found none?

19 A. I found the two PST's and the two DBX's that's

20 in the report.

21 Q. Okay. So your answer is that, whether you

22 looked for them or not, whatever the PST and DBX

23 files that Mr. Williams saw, you didn't see

24 three or 4 years later?

25 A. I cannot answer that because for one, I need to

45

1 refer to his report. I do not know, I do

2 remember him, his report mentioning there was

3 some references to Max, but I do, if I remember

4 correctly, it was not actually Max's e-mail on

5 that hard drive.

6 Q. When you did your, performed your search of the

7 60 gigabyte hard drive, how did you go about

8 searching for e-mails that might have been

9 associated with Max Zweizig?

10 A. Basically what I did was I took Max's e-mail

11 address and developed a search on that andExhibit 13 page 47


12 searched both allocated, unallocated, slack

13 space, every area of the hard drive, and then

14 also went and used just his name as it were and

15 searched that and found no instance of those

16 being present in relation to e-mail connected

17 with him.

18 Q. Were you aware that Mr. Zweizig had two e-mail

19 addresses within the company?

20 A. I knew of the northwest direct. I forget

21 exactly what the extension S I knew of that one.

22 And the other one at this time I do not recall

23 that there was a second e-mail address.

24 Q. Okay. Well if there were two e-mail addresses,

25 would it be necessary for you to do a search on

46

1 each of them or would your search for one pull

2 up references to the other?

3 A. It depends what the second one was, if it, if it

4 matched in any way my search, it would have

5 found the other one.

6 Q. Where did you get your information as to what

7 e-mail addresses you were going to search for?

8 A. It was communicated to me over the telephone. I

9 don't really know. I don't know whether it was

Exhibit 13 page 48


10 previous counsel or Tim Rote himself.

11 Q. In any case, if you searched for either one of

12 Mr. Zweizig's e-mail addresses and his name, Max

13 Zweizig --

14 A. I searched for just Max.

15 Q. For just Max. Okay.

16 A. Yes.

17 Q. If you made that search in May of this year,

18 isn't it likely that you would have gotten hits

19 on those same, that same e-mail traffic that

20 Mr. Williams got hits on in May of 2005?

21 A. It is likely. But, I was doing a search in

22 relation to finding e-mails connected with being

23 sent to or from Max on this hard drive. I'm not

24 splitting hairs. It's, it's the way I, it's the

25 way I operate. Okay. So what I'm going

47

1 through, if I have a specific criteria that I'm

2 looking for, I will look for that criteria.

3 It's me.

4 Q. Okay. Let me just ask you this a little bit

5 differently. Can you say, can you say with any

6 degree, reasonable degree of scientific

7 probability as a result of your examination of

8 the 60 gigabyte hard drive that you wereExhibit 13 page 49


9 provided, can you say that there was no e-mail

10 activity on that hard drive where the word Max

11 was used? In other words, whether he was the

12 recipient, the sender or just in an e-mail

13 string, can you say that that, those types of

14 e-mails with Max simply did not exist on the

15 hard drive in 2010?

16 ARBITRATOR CROW: 20009.

17 MS. MARSHALL: I believe it's May of this

18 year.

19 ARBITRATOR CROW: You're correct. I'm

20 sorry.

21 THE WITNESS: I cannot answer your question

22 because that's not the analysis that I did. The

23 analysis that I did was is there indication that

24 Max used the 60 gig hard drive as his e-mail

25 computer? I know that's not exactly your

48

1 question. That's the question I can answer.

2 Okay.

3 ARBITRATOR CROW: Well in examining the 60

4 gigabyte hard drive in looking to determine

5 whether there was any e-mail traffic with Max as

6 he's, I think his e-mail address, you concluded

Exhibit 13 page 50


7 there was none; is that correct?

8 THE WITNESS: I concluded there was no

9 e-mail to or from Max that could tie that e-mail

10 to being used on that computer as Max's e-mail

11 computer.

12 ARBITRATOR CROW: I'm not sure I understand

13 this, Mr. Cox. Was there e-mail traffic to or

14 from Max on that computer or was there not.

15 THE WITNESS: I know I'm frustrating the

16 answers.

17 ARBITRATOR CROW: I'm just trying to

18 understand. You're not frustrating. I want to

19 understand.

20 THE WITNESS: I can't answer that question

21 because I don't know because my, maybe it's my

22 mental or whatever --

23 ARBITRATOR CROW: Isn't that what you were

24 asked to determine?

25 THE WITNESS: I was asked to determine if

49

1 the 60 gigabyte hard drive was used by Max as

2 his e-mail computer. I did not find no

3 communication of that. If there was e-mail

4 communication that had Max in it, I didn't pay

5 attention to it because it was not, let meExhibit 13 page 51


6 rephrase this. It's not the way it sounds. I

7 did not pay attention to it because it did not

8 tie Max, that e-mail account to that computer.

9 ARBITRATOR CROW: Go ahead, Ms. Marshall.

10 THE WITNESS: It was tied to a different PST

11 as it were.

12 Q. BY MS. MARSHALL: In your examination you talked

13 about Exhibit 140. So I'd like to have it in

14 front of you if you will.

15 A. Okay.

16 Q. And specifically I'd like to refer to the third

17 page of Exhibit 140.

18 A. Okay.

19 Q. Which is I think what you testified about. And

20 in performing your examinations, am I

21 understanding you correctly, your testimony I

22 believe was that when you searched for

23 Mr. Zweizig's e-mail address and form the term

24 Max, that these are the only four files you

25 found?

50

1 A. No.

2 Q. Okay. What are these four files?

3 A. These four files are e-mail containers on the

Exhibit 13 page 52


4 hard drive. Okay. For one these were ruled out

5 as being usable by Max because their file

6 creation date is after the time frame that he

7 would have had.

8 Q. I just may not be asking this clearly enough.

9 A. Okay.

10 Q. All I want to know is whether your testimony was

11 that after you performed your examination, that

12 these are the only four receptacles, if you

13 will, in which the term Max --

14 A. No.

15 Q. Appeared?

16 A. No.

17 Q. Okay.

18 A. Okay. These are four e-mail containers that

19 were on the hard drive.

20 Q. There were others?

21 ARBITRATOR CROW: Are there other e-mail

22 containers on the hard drive.

23 THE WITNESS: These are the only four e-mail

24 containers on the hard drive. There were no

25 others.

51

1 ARBITRATOR CROW: There were none during the

2 period of time that Mr. Zweizig would have beenExhibit 13 page 53


3 using the computer, is that what your testimony

4 is?

5 THE WITNESS: Yes. There was none that I

6 was able to find on that hard drive using my

7 forensics tools that could have been used by

8 Mr. Zweizig as his e-mail container from May

9 until November.

10 Q. BY MS. MARSHALL: All right. Now, in respect to

11 each one of these receptacles, I'm sure that's

12 not the technical term, but if we can adopt it

13 it will be easier for me. In terms of each of

14 these four receptacles, did you open them and

15 examine their content?

16 A. Okay. Let me think. I don't, I don't believe I

17 actually did open them, no, because of the file

18 creation date being that they were not something

19 that would have been in use by Max as his e-mail

20 container. Now.

21 Q. I'm sorry?

22 A. My search would have gone through those and

23 would have looked at those.

24 Q. Your software?

25 A. Yes.

52

Exhibit 13 page 54


1 Q. Okay. But in your report that you gave to

2 Mr. Crow you stated that you were, this it was

3 virtually certain, based on these four

4 receptacles, that there was no e-mail traffic

5 associated with Mr. Zweizig.

6 A. No. My report that I gave him was that there

7 was virtual certainty that the hard drive was

8 not used, which would have included those four,

9 but those four were not the only things that

10 were looked at. The entire hard drive was

11 searched to attempt to find any residual

12 fragments of e-mails to or from Max that would

13 have tied this hard drive to Max using it as his

14 e-mail computer.

15 Q. And did you find any?

16 A. I found none on the hard drive that tied Max

17 using this as his e-mail computer.

18 ARBITRATOR CROW: I've got to stop there.

19 I'm not sure what is meant by tied to. Were

20 there e-mails from and to Mr. Zweizig? And I

21 guess the tied to is kind of over my head.

22 THE WITNESS: Okay. What my examination

23 entailed was did Max use this computer hard

24 drive as his e-mail computer?

25 ARBITRATOR CROW: Can you answer me this

53

Exhibit 13 page 55


1 question, were there e-mails on that computer

2 from or to Mr. Zweizig at any time? Can you

3 answer that question.

4 THE WITNESS: I cannot answer that question

5 because that is the --

6 ARBITRATOR CROW: I thought that's why we

7 were here.

8 THE WITNESS: Well, the analysis that I did

9 was to see if Max had used this as his computer.

10 Now, if there was like a cc to Max that was tied

11 to a different PST or something of that --

12 ARBITRATOR CROW: What do you mean by tied

13 to?

14 THE WITNESS: Is -- Let's take number, the

15 last one, the Outlook PST file created 1129 '05.

16 ARBITRATOR CROW: All right.

17 THE WITNESS: For that account, if somebody

18 had sent, if the user of that account had sent

19 an e-mail out to maybe say Tim Rote and also to

20 Max Zweizig, that e-mail would be tied back to

21 that particular Outlook PST. It's associated

22 with the user of that PST. So that is not

23 actually Max's PST. It was just used to send an

24 e-mail to Max. That e-mail to Max did not come

25 back to Max's account on this computer. And I'm

Exhibit 13 page 56


54

1 just using that one as an example. Obviously it

2 was '05.

3 ARBITRATOR CROW: Can you tell me from your

4 examination of the 60 gigabyte hard drive,

5 whether there was an e-mail from Mr. Rote to

6 Mr. Zweizig in October 2003.

7 THE WITNESS: From this computer, or from

8 the analysis that I did, no, not on this

9 computer.

10 ARBITRATOR CROW: Okay. Thank you. No

11 there was none or no you didn't, you aren't able

12 to --

13 THE WITNESS: I don't know the answer to

14 that one.

15 ARBITRATOR CROW: Thank you. Go ahead.

16 THE WITNESS: That's not what my analysis

17 was entailing.

18 Q. BY MS. MARSHALL: And is that because you

19 weren't asked to make, do that examination?

20 A. Yes. Basically I, you know, the area of

21 interest was did Max use this as his e-mail

22 computer.

23 Q. Okay. If we wanted to know the answer to that

24 question and I, do you have an understanding

Exhibit 13 page 57


25 that as to what our purpose is today in terms of

55

1 the issues in this case?

2 A. What is your question?

3 Q. That's -- Thank you for asking me to rephrase

4 that.

5 I want you to assume for the purposes of

6 answering my questions that our interest here is

7 to find out, number one, when a particular

8 letter was written, specifically whether it was

9 written on October 2nd, 2003, or whether it was

10 written at some time after October 28th, 2003.

11 Number two, when a particular e-mail was created

12 and sent, and specifically whether it was

13 created and sent on October 2nd, 2003, or

14 whether it was created and sent after

15 October 28th.

16 Now, are your qualifications, would your

17 qualifications permit you to examine the 60

18 gigabyte hard drive and determine whether the

19 e-mail I referred to, that was either created on

20 October 2nd and sent or not, whether it was ever

21 received by this hard drive or on this hard

22 drive?

23 A. I could go back and do that analysis, yes.Exhibit 13 page 58


24 Q. Okay. But you were never asked to do that?

25 A. No. I was asked -- we have already been over

56

1 that.

2 Q. Let me go back to Exhibit 140 for just a minute.

3 And specifically the first, I'm interested in

4 the recovered folder, NWT employee Outlook PST,

5 the very first line.

6 A. Okay.

7 Q. Okay. Do you know who the NWT employee is?

8 A. That is a user account on the computer.

9 Q. Okay. And who is the human being associated

10 with that user account?

11 A. I believe, I think, okay, I'm not positive, I

12 think it was associated with T wrote or R wrote

13 T something like that.

14 Q. So that would be Mr. Rote?

15 A. But I would have to go back and verify that.

16 Q. Did you, did you, do you have somewhere to

17 verify that from?

18 A. I don't have it here, no. I would have to go

19 back and do the analysis.

20 Q. Okay. So you would have to do some analysis in

21 order to answer that? You don't have it on a

Exhibit 13 page 59


22 piece of paper somewhere?

23 A. No, I do not.

24 Q. All right. Now, that particular receptacle

25 indicates the file was created on November 13,

57

1 2003, at 1227 -- 1227 and 18 seconds.

2 A. Okay.

3 Q. A.m..

4 A. Okay.

5 Q. Do you know, you understand that's the middle of

6 the night?

7 A. Yes.

8 Q. Okay. Do you know whether that's Pacific time

9 or eastern time?

10 A. That would be based on, that should be Pacific

11 time.

12 Q. Okay. Because the time reported here, your

13 forensic tools will convert everything into

14 local time?

15 A. Generally, yes.

16 Q. Wherever you're located?

17 A. Yes. Depends how it's set up. But generally.

18 Q. And when exactly were you told that Mr. Zweizig

19 handed over the computer to Mr. Rote?

20 A. I don't know. I'm thinking.Exhibit 13 page 60


21 Q. That's fine.

22 A. I don't know exactly when, when the hand over

23 happened. I couldn't answer that at this point.

24 ARBITRATOR CROW: It's okay. We know.

25 Everybody in the room knows except you.

58

1 THE WITNESS: Okay.

2 Q. BY MS. MARSHALL: You made the assumption that

3 this computer was, well let me ask you, what

4 assumption did you make as to whether the

5 computer was in Mr. Zweizig's hands when this

6 supposed change made or in Mr. Rote's hands?

7 A. I don't know that I made an assumption what is,

8 I'm not sure what your question is. Are you

9 questioning the search that was done?

10 Q. Well, I'm going back to your testimony. And if

11 I'm not mistaken, you testified that, your

12 testimony seemed to me anyway to be that all of

13 the files that you found created were created

14 after the computer was given back to Mr. Rote

15 for the company. So the question of 12:00 a.m.

16 is --

17 A. I'm confused. I made a statement --

18 ARBITRATOR CROW: Were all the e-mail files

Exhibit 13 page 61


19 you found on the computer created on 11-13-03 or

20 after? You found no files created before that

21 time; is that correct?

22 THE WITNESS: I found no files that, that

23 associated Max with this hard drive, him having

24 used it as an e-mail hard drive. I'm not,

25 obviously I'm not explaining something properly

59

1 here.

2 Q. BY MS. MARSHALL: It may be that I'm just not

3 understanding. Let me try it a different way.

4 When you look at the first line on Exhibit 140,

5 page three, that Outlook PST, that's a

6 receptacle for e-mails; right?

7 A. Yes. Yes.

8 Q. Okay. And are you making the assumption that

9 when that file was created, the computer was in

10 Mr. Zweizig's possession and control or within

11 Mr. Rote's possession or control?

12 A. No. I'm not making that assumption.

13 Q. Do you have any idea which way it is?

14 A. I don't know.

15 Q. Okay. Well I want you to assume that Mr. Rote

16 did not pick up the equipment, did not pick you

17 mean the 60 gigabyte hard drive which wasExhibit 13 page 62


18 sitting in the Sony vie oh, until sometime

19 between 9:00 and noon on November 13th.

20 A. Okay.

21 Q. Okay. So this e-mail receptacle that you found

22 would seem to have been created when the 60

23 gigabyte hard drive was still in Mr. Zweizig's

24 possession; correct?

25 A. Based on what you said, yes.

60

1 Q. Okay. So that would seem to suggest that there

2 were some e-mails or at least this receptacle of

3 e-mails on the 60 gigabyte hard drive that when

4 it was returned by Mr. Zweizig, doesn't it?

5 A. That suggests that there was a e-mail container,

6 receptacle that was created at that time. There

7 were no e-mails or fragments on that hard drive

8 associating Max having used that computer as his

9 e-mail computer to send and receive e-mails.

10 Q. Yeah. Well I just want to focus on this one

11 receptacle for a minute.

12 A. Okay.

13 Q. Did you open the, did you open it up, look in?

14 A. That one I would fail to put in my report, I

15 should have. I would, I cannot say with

Exhibit 13 page 63


16 100 percent certainty that I opened it but I

17 think I did. But that is not a, I cannot make

18 the statement definitively yes or no on that.

19 However, I can say that when the search was,

20 when I did my searches, it would have searched

21 inside of that one.

22 Q. All right. I want to talk about what you did

23 though.

24 A. Okay. The other thing is the creation of this

25 on the 13th would not have erased completely the

61

1 e-mail communication that may or supposedly took

2 place between what was it, May and November.

3 The, putting this PST on here or creating this

4 PST at this particular time creates, if there

5 was another Outlook PST by the same name for the

6 same user, it would only have created a small

7 portion. It would have only used a small part.

8 It probably would -- Do you want me to continue?

9 Q. Now you're speculating, aren't you, about what

10 you did or didn't see and what did or didn't

11 happen?

12 A. No I'm not speculate.

13 Q. But you didn't open this receptacle to see if

14 Mr. Zweizig's e-mails were there?Exhibit 13 page 64


15 A. I don't know if I did or not. What I do know is

16 that I performed my search and there was no hits

17 in that.

18 Q. Okay.

19 A. E-mail.

20 Q. All right. So, in any case, you didn't look in

21 a receptacle where there could have been some

22 e-mails, but your tools told you they aren't in

23 there. Am I understanding that correctly?

24 A. Correct.

25 Q. Okay. So you didn't know that the computer was

62

1 still in Mr. Zweizig's possession when this was

2 created?

3 A. Can I make a clarification?

4 Q. Sure.

5 A. You made the statement that I didn't look in

6 there. All right. I do not know if I looked in

7 there or not.

8 Q. Okay.

9 A. Okay.

10 Q. All right. If I'm not mistaken now, you weren't

11 aware that on November 13th when this receptacle

12 was created, that the computer was still in

Exhibit 13 page 65


13 Mr. Zweizig's possession and control and your

14 tools told you that there wasn't anything

15 relevant in there. Okay.

16 A. Correct.

17 Q. What if I told you that if you did look in that

18 PST, what you would find would not be e-mails of

19 Mr. Zweizig but would be e-mails by a gentleman

20 named Joe Jaffe?

21 A. Okay.

22 Q. Have you heard that name before?

23 A. I've heard that name, yes.

24 Q. Have you met Mr. Jaffe?

25 A. No, not that I know of.

63

1 Q. So if you make the assumption for me that, give

2 me the benefit of being correct on that, if you

3 opened, actually opened that receptacle, you

4 would find Mr. Jaffe's e-mails.

5 A. Okay.

6 Q. And if you also make the assumption that when

7 that receptacle was created, according to your

8 forensic tools, shortly after midnight on the

9 13th, that the computer was in the possession of

10 Mr. Zweizig, does that seem like one of those

11 oddities that you're qualified to resolve?Exhibit 13 page 66


12 A. The use of the e-mail after turn over of the

13 computer, while I'm not exactly sure what I'm

14 trying to say here. To answer your question, it

15 was odd that the PST was created at this time.

16 I knew it was in around the time of when it was

17 being turned over. But, my analysis did not

18 find any e-mails tying Max to using this hard

19 drive as his e-mail computer.

20 Q. Let's just go with this, Mr. Jaffe is or was at

21 that time located in Eugene, Oregon; is that

22 correct?

23 A. I have no idea.

24 Q. Okay. I'll ask you to make the assumption that

25 he was located in Eugene, Oregon, around

64

1 midnight of 2003, when his e-mails, again I'll

2 make, we'll make the assumption, when his

3 e-mails were somehow dumped into this receptacle

4 on Mr. Zweizig's computer, which was in New

5 Jersey. Now, do those facts seem like we ought

6 to investigate them? They seem odd, don't they?

7 A. Making the use of the -- I'm not saying it's not

8 odd. Okay. I'm not saying that maybe it

9 shouldn't be checked into. But when you make

Exhibit 13 page 67


10 the statement dumped into --

11 Q. That's a layman's statement.

12 A. That implies to me that at that particular time,

13 just, you know, within minutes after this

14 Outlook was created, somebody grabbed a bunch of

15 e-mails and dropped them in there. Are you

16 saying that's what --

17 Q. I should ask you, how could this happen? How,

18 well first of all, how is an Outlook PST

19 created, looking at this first line, this first

20 folder, NWT employee Outlook PST, how does that

21 PST get created on a computer? Is it done

22 sitting at the computer?

23 A. Effectively, yes.

24 Q. Can it be done remotely?

25 A. If you were to use some type of remote software,

65

1 yes, you could do did remotely.

2 Q. Do you know whether there was any remote

3 software on this computer?

4 A. I do not, I cannot say for a hundred percent

5 sure, no.

6 Q. Are you familiar with PC anywhere?

7 A. Yes, I am.

8 Q. Okay. What is your familiarity as to what oneExhibit 13 page 68


9 can do with PC anywhere?

10 A. PC anywhere basically is used to allow

11 connecting to another computer, logging in as a

12 particular user, and then being as if you were

13 actually sitting at the computer doing the work.

14 Q. Okay. So I'll ask you to assume that this 60

15 gigabyte hard drive was loaded with PC anywhere

16 and was running at 12:27 a.m. Pacific, on

17 November 13th and I will let you to assume that

18 someone was, Mr. Jaffe, maybe someone else, we

19 don't know, do we?

20 A. Okay.

21 Q. Okay. Was somewhere else. Would it be possible

22 for them to log in to Mr. Zweizig's computer and

23 make any kind of changes?

24 A. So we also would have to assume that at midnight

25 the computer was turned on.

66

1 Q. Right.

2 A. And was sitting there.

3 Q. I think that was in my hypothetical?

4 ARBITRATOR CROW: Well apparently it was,

5 wasn't it.

6 MS. MARSHALL: Looks like it.

Exhibit 13 page 69


7 ARBITRATOR CROW: It was turned on at

8 midnight.

9 THE WITNESS: Yeah.

10 ARBITRATOR CROW: All right. Go ahead.

11 Q. BY MS. MARSHALL: Go ahead.

12 A. All right.

13 Q. Would it be possible for someone to log in

14 through PC anywhere onto this computer and make

15 changes?

16 A. Yes, you could.

17 Q. Okay. Now, if that person wanted to create a

18 PST file, would it be possible for them to

19 create a PST file?

20 A. Yes, you should be able to.

21 Q. Okay. And if the person wanted to create that

22 PST file as a new Outlook I hate to use the word

23 receptacle but I don't know a better word?

24 A. That's fine.

25 Q. Would it be possible for them to accomplish that

67

1 remotely?

2 A. To create a new PST file.

3 Q. Yes.

4 A. Yes, they should be able to.

5 Q. At midnight on 2003?Exhibit 13 page 70


6 A. (No audible response.)

7 Q. Have you ever used PC anywhere?

8 A. Yes, I have.

9 Q. So have you been on the remote side or the

10 receiving side?

11 A. Both.

12 Q. Okay. So you know that when you go into, when

13 you log into PC anywhere, in the middle of the

14 night in this case, if nobody else is around,

15 it's, you can do anything that the user can do

16 sitting at his or her desk; is that correct?

17 A. Yes.

18 Q. And even if the user on the other end, which you

19 said you've been on the other end of that, too,

20 even if he's at his desk, in this case at 12:27

21 a.m., which would be 3:27 a.m. in New Jersey;

22 right?

23 A. Okay.

24 Q. Okay. Even if he happened to be at his desk, he

25 might not even know that you were in there;

68

1 correct?

2 A. That I think is an inaccurate statement.

3 Q. Okay.

Exhibit 13 page 71


4 A. Because if you were sitting at your desk and

5 somebody comes in PC anywhere, they virtually

6 have control of your computer. So if you're

7 sitting in front of the computer, presumably

8 you're doing something and somebody else logs

9 in, they're trying to do something --

10 ARBITRATOR CROW: Would you lose control of

11 your computer.

12 THE WITNESS: It depends on the setup of PC

13 anywheres. There are different settings. Some

14 of them you share and then whoever -- The local

15 user has control, has primary control. If the

16 local user is not doing anything, then the

17 remote user can have it. So in other words if

18 the local user is using the mouse, the remote

19 cannot use the mouse. If the remote is using

20 the mouse and the local user moves it, he

21 immediately gets control back.

22 So, but again, it depends on different

23 settings. There is the settings where you can

24 log in and the local user can observe but they

25 don't have control. Or it can just blank the

69

1 screen out completely.

2 Q. BY MS. MARSHALL: Okay. Well, let's same theExhibit 13 page 72


3 user in this case. I'm giving you a

4 hypothetical?

5 A. Okay.

6 Q. It's 3:27 in the morning. So I'm not suggesting

7 that it's likely, but let's say the user on the

8 other end is deep in computer information about

9 dispose and is trying to see if things are

10 correct on paper and that sort of thing, would

11 it be the case if somebody else is working on PC

12 anywhere remotely, that it, that the person

13 locally would literally have to look up and

14 notice that the mouse is moving on his computer?

15 A. If that was the only thing was happening was the

16 mouse moving, you know, you could overlook that

17 very easily, yes. I agree.

18 Q. Sure. But if something else was happening, they

19 would be able to see what was happening? In

20 other words, if somebody were creating an

21 Outlook PST, for example, the local person would

22 see the same thing that the person remotely was

23 seeing. They'd see the screen?

24 A. Yes.

25 Q. They'd see the Outlook, they'd see, oops,

70

Exhibit 13 page 73


1 something is happening to Outlook et cetera?

2 A. Yes, they would see that. It would come up on

3 the screen if the setting was so that you could

4 view the screen.

5 Q. Okay. Now, assume those same facts, that we

6 have a person who has access to this computer

7 through PC anywhere. And by the way there are

8 other programs like PC anywhere, aren't there?

9 A. Yes.

10 Q. Okay. Were you aware whether there were any of

11 those other programs in use by this company?

12 A. No, I'm not aware what the company uses.

13 Q. Okay. But in any case, let's say the person is

14 working in 12:27 a.m. Pacific time and the

15 computer was on, okay, and the user,

16 Mr. Zweizig, was not at his desk or was not

17 working on the computer or just didn't know what

18 was going on with the computer, would it be

19 possible for that person to remotely remove

20 Mr. Zweizig's e-mail files?

21 A. Yes, it should be possible.

22 Q. Okay. Why don't you tell us how it would be

23 possible.

24 A. My hesitation was basically trying to figure out

25 if there were limitations on the security

71

Exhibit 13 page 74


1 clearances, but there shouldn't have been. So

2 what you would end up doing is you would have to

3 first, if there were more than one PST

4 associated with the particular user and you

5 wanted to delete one, you would have to make

6 sure that was not the primary PST. Then you

7 could remove the account inside of Outlook. You

8 could remove the account from Outlook and then

9 delete the files, delete the PST.

10 If Outlook is not open, then you know where

11 the PST file is located, you should be able to

12 delete it with no restriction.

13 Q. Okay. So if I'm understanding you correctly, a

14 person at 12:27 a.m. Pacific, 3:27 a.m. eastern,

15 could go into this computer and delete all of

16 Mr. Zweizig's e-mail files; is that correct?

17 A. Yes.

18 Q. Okay. Now, when I say delete, I know that

19 you're thinking that that doesn't mean they're

20 absolutely gone. I should be able to find them

21 somewhere.

22 A. Correct.

23 Q. You should be able to find some at least

24 fragments of them somewhere; correct?

25 A. Correct.

Exhibit 13 page 75


72

1 Q. But aren't there ways where a person can wipe

2 out a file in such a way that you and none of

3 the rest of the experts that we're going to have

4 testify could find fragments of those e-mails?

5 A. There are ways to forensically wipe files,

6 correct.

7 Q. Okay. In fact, there's software to do that

8 correct?

9 A. Yes.

10 Q. And, in fact, there was software in this system

11 that could do just that, wasn't there?

12 A. I would have to take your word on that. I don't

13 know.

14 Q. Are you familiar with a program called PG? PGP?

15 A. PGP.

16 Q. PGP. What is that?

17 A. That's pretty, that's more of a, as I

18 understand, I have not used it but it's more of

19 a, actually I'm thinking of something else. PGP

20 is --

21 Q. What does it stand for?

22 A. I'm not sure. I was thinking of a different

23 program. And so I can't make any kind of a

24 statement on PGP. I have not used it and I'm

Exhibit 13 page 76


25 not cognizant of all the programs.

73

1 Q. All right. If I said the first two words pretty

2 good and I just can't think of the third one, I

3 apologize for that. Pretty good? Okay. We'll

4 come back to that.

5 A. Okay.

6 Q. But in any case there is software that a

7 knowledgeable person could even remotely go into

8 the Outlook, go into Mr. Zweizig's e-mail files

9 and simply wipe them off of the desk?

10 A. Yes.

11 Q. And they could do that remotely?

12 A. Yes.

13 Q. Let's go back to Exhibit 140. I'm interested in

14 the column called last accessed, August 30,

15 2008.

16 A. I must have the wrong -- Oh, last accessed

17 August 30, 2008. Yes.

18 Q. That is associated with that very first PST

19 file.

20 A. Yes.

21 Q. Last accessed, 2008, would that be the last time

22 before you accessed them that this NWT employee

23 did something with that PST?Exhibit 13 page 77


24 A. Yes.

25 Q. Okay. And the things that the NWT employee

74

1 could have done at that time would include

2 creating, modifying, moving, printing, saving,

3 those kinds of functions?

4 A. Yeah. At that point it was presumably it was

5 opened up and whatever you can do inside you can

6 do at that time.

7 Q. Okay. Is there any way that you can tell what

8 that person was doing, opening up that

9 particular receptacle in August of 2008?

10 A. No.

11 Q. Did you do any examination to try and find out?

12 A. No. That was not my examination did not entail

13 that.

14 Q. All right. I'm still sort of walking through

15 your testimony. So now I want to go to your

16 testimony about the fox profiles.

17 A. Okay.

18 Q. I think that's Exhibit 142. When you were asked

19 to look for the fox profiles on the 120 gigabyte

20 hard drive, did you have any conversation with

21 anyone at the company, Mr. Rote or otherwise,

Exhibit 13 page 78


22 about exactly what you were looking for on the

23 120 gigabyte?

24 A. There was conversation and basically it was,

25 there was fox profiles on the hard drive and

75

1 what is, you know, could they be recovered.

2 Q. Okay. Were you told that someone wanted to

3 recover them for some reason?

4 A. That, I think there was a conversation at one

5 time saying that there was allegations, I'm

6 sorry. Allegations is the wrong word. There

7 was communications that fox profiles could be

8 fully recovered and that there wouldn't be any

9 problem with them. And so that, and then that

10 was the basis of what I was looking at.

11 Q. All right. Did anyone ask you to perform any

12 kind of a forensic examination on the 60

13 gigabyte hard drive, the one that was installed

14 in the work station that Mr. Zweizig used up

15 until the end of his employment?

16 A. The e-mail. But we've covered that. What is

17 your question?

18 Q. Well I'm talking about fox profiles now.

19 A. Oh, fox pro.

20 Q. Yes. Did anyone ask you to try to recover anyExhibit 13 page 79


21 fox profiles from the 60 gigabyte?

22 A. No.

23 Q. Assuming that, again I'll ask you to assume,

24 that until sometime between nine and noon on

25 November 13, 2003, that Mr. Zweizig used the 60

76

1 gigabyte hard drive in his computer in order to

2 do his work in fox proceed. If you had been

3 asked to examine that hard drive in order to

4 find out whether there was still fox profiles on

5 that hard drive, could you have done it?

6 A. Yes, I could have done an analysis for those.

7 Q. In the same way that you did the analysis to try

8 and find out whether there was any e-mail

9 traffic; correct?

10 A. Yes. I could have done it that way. And

11 easier, there are several different ways I could

12 have done it.

13 Q. But you didn't do that?

14 A. As far as procedure we don't, you're not

15 interested in. As far as analyzing the 64 fox

16 profiles, no.

17 Q. I want to ask you a few questions about the

18 passage of time. If you had examined the 60

Exhibit 13 page 80


19 gigabyte hard drive in, say, 2004 or 2005,

20 within a year or two of when it was given back

21 to the company, and if you were asked to

22 determine whether any fox proceed applications

23 were deleted prior to the time it was given back

24 to you, is that an assignment that you could

25 have performed?

77

1 A. Yes, I could have performed that.

2 Q. Okay. And what would you have done?

3 A. Basically, I'm going to ask for some

4 clarification. You're saying the fox proceed

5 program. Are you meaning the actual fox pro

6 program that was used to write fox profiles or

7 are you talking about fox profiles that are user

8 generated.

9 Q. Thank you for clarifying that. I'm talking

10 about programs that Mr. Zweizig would have

11 written in fox pro?

12 A. Okay.

13 Q. And applications he may have, forms that he may

14 have set up or applications he may have created

15 and files or data that he may have created, if

16 you were given that assignment and the computer,

17 within a year or so after it was turned back,Exhibit 13 page 81


18 could you have done a forensic examination and

19 determined whether prior to turning it back he

20 had, I shouldn't say wiped, but he had deleted

21 any of those programs or files?

22 A. Yes, I could have done that analysis.

23 Q. And what would you do?

24 A. The one thing that I would do is basically,

25 there's, bring the image in and look for

78

1 extensions that pertain to fox pro. Okay. The

2 other, so that would have been just an

3 immediate, are there any, you know, viewable

4 files. The other would be to run a process

5 called recover files. And when that process

6 does is it will actually look for known

7 signature headers within the files and

8 identifies them anywhere on the hard drive. And

9 then the final analysis that I would have

10 undertaken would be to try to determine what the

11 fox pro signature files are and then put those

12 into my own process and run the process again

13 for any that may have been missed by the

14 automated method.

15 Q. Okay. And if you did that analysis, would you

Exhibit 13 page 82


16 be able to tell whether those files had been

17 deleted before or after Mr. Zweizig turned the

18 computer back, to the company?

19 A. Some probably yes, others absolutely not.

20 Q. All right. Let's take the ones that you say

21 absolutely not. Why not?

22 A. Because that would be looking into, that would

23 be part of the finding the file signature. I

24 would be able to find that this file was there,

25 but because it had been partially, completely

79

1 over written, it's record in the master file

2 table had been over written, there's no way that

3 I can associate dates with it. Dates even in

4 the unallocated that are close to where those

5 fragments are are very unreliable because you

6 don't really know what, at what time that

7 particular fox profile was actually accessed.

8 Q. Okay. And do you have any sense of how many

9 files that would affect?

10 A. On the 60 gigabyte hard drive?

11 Q. Yes.

12 A. No. Really it all depends on different factors

13 such as when it was deleted, how it was deleted

14 and then usage of the computer.Exhibit 13 page 83


15 Q. Okay. Let's stay with this, the files that you

16 will said you absolutely could not recover or

17 could not decide when they had been deleted, I

18 guess was my term. If you had access to the

19 computer the day it was turned over, you could

20 figure out how many files you could recover;

21 right?

22 A. Yes.

23 Q. Okay. But if the computer was put back into

24 service is I think what you're saying, the

25 longer it was in service, the more usage it had,

80

1 the less you could see; is that right?

2 A. Yes.

3 Q. All right. So if I'm not mistaken, by 2004 and

4 2005, if the computer had been put back into

5 service on November 14th or 15th or 16th,

6 whatever, you know, close to the time that was

7 returned to the company and had been used

8 continuously until 2005, let's say, would there

9 be a certain number of program, when I say

10 programs, I'm talking about the user generated

11 programs, that you simply couldn't see, you

12 couldn't decide whether they had been deleted or

Exhibit 13 page 84


13 not?

14 A. That is all going to be based on usage. Light

15 usage, you know, it's, the lighter the usage,

16 the more you're going to be able to see.

17 Q. Was this, as far as you could tell, was the 60

18 gigabyte heavily used or not?

19 A. Can't answer that question. I don't know.

20 Q. Okay.

21 A. I'm sorry.

22 Q. All right. Well, if I'm not mistaken, I think

23 what you're saying is that as the computer

24 continues to be used, if a file has been

25 deleted, then the computer's going to start

81

1 overwriting it and eventually even a skilled

2 person in your shoes, a skilled person with your

3 tools and your experience and your knowledge, is

4 not going to be able to tell what really

5 happened when Mr. Zweizig had the computer; is

6 that correct?

7 A. It's going to become harder and harder to find

8 the files, yes.

9 Q. All right. If you have the computer to examine

10 as a forensic examiner in 2005, in May of 2005,

11 you can see certain things. But if you don'tExhibit 13 page 85


12 have it until 2009 and the computer's in use the

13 whole time, you would expect that a lot more had

14 been over written in that period of time,

15 wouldn't you?

16 A. I would expect that parts had been, how do I say

17 it, I don't want to use the word lot because I

18 don't know how the computer was used, I would

19 expect there would be more that would be

20 unrecoverable, yes.

21 Q. Okay. So the person that's looking at that

22 computer in 2009 versus the person looking at

23 the computer in 2005, the person that doesn't

24 get the computer until 2009 is at a distinct

25 disadvantage isn't he as a forensic examiner?

82

1 A. Yes.

2 Q. You'd much prefer to be the person looking at

3 the computer in 2005?

4 A. That is true.

5 Q. I wanted to talk just a little bit about your

6 testimony about reformatting. If I'm not

7 mistaken, you said that reformatting does not

8 over write the entire hard drive, that it simply

9 reorganizes it. Am I understanding that

Exhibit 13 page 86


10 correctly?

11 A. The reorganizing is the, it does not reorganize

12 what was on there before. It just prepares it

13 to accept new files as if no files existed

14 before.

15 Q. Is there something in the forensic information

16 in the computer, the forensic evidence that

17 tells you when the computer is reformatted?

18 A. Yes.

19 Q. Okay. And that you said was when?

20 A. Was at that in my report here? Yes, somewhere.

21 October 12, 120 gig. Yes. I'm sorry.

22 November 12, 2003.

23 Q. And so you assumed that the computer had been

24 reformatted on November 12th of 2003; is that

25 correct?

83

1 A. No, I did not assume that. That's what, that's

2 what the analysis indicates.

3 Q. All right. Tell me what analysis you did to --

4 A. When you go in there and when you reformat a

5 hard drive, it has to put in the infrastructure

6 as it were to record or to build the catalog for

7 all the files that presumably will be added

8 later. There are specific files that areExhibit 13 page 87


9 created at the time the computer is reformatted.

10 And so when you reformat, those specific files

11 are created, they have a creation date and time.

12 That is what I'm looking at is when those files

13 that are created when formatting the hard drive.

14 Q. Did you look for the possibility that

15 Mr. Zweizig had reformatted the file as he said

16 in May or June of 2003?

17 A. I saw no indication of any other reformatting

18 because the formatting --

19 Q. No. My question was did you look for it?

20 A. Did I look for reformatting at an earlier time?

21 When I am -- I did not -- To answer your

22 question, I did not look for a particular

23 reformatting, no, time, other than what I was

24 able to see.

25 Q. But you read Mr. Zweizig's testimony where he

84

1 said that the computer crashed in May of 2003

2 and he recovered as much as he needed to do his

3 job and he did that over a period of several

4 weeks. And once he completed that and assumed

5 he was going to get, he had gotten all he was

6 going to get, he reformatted the drive so that

Exhibit 13 page 88


7 it could be used. Didn't you read that

8 testimony?

9 A. Yes, I read the testimony.

10 Q. Okay. So he testified he reformatted the drive

11 in either May or June of 2003. But you didn't

12 look to see if that was true?

13 A. I did not see any indication of formatting at

14 that time. Also I believe his testimony was I

15 reformatted it at some time.

16 Q. Okay. Well, let me ask you to assume that,

17 assume the facts that Mr. Zweizig reformatted

18 the 120 gigabyte hard drive sometime in late May

19 or June. I guess that's really all you need to

20 assume.

21 A. Okay.

22 Q. Assume that that happened.

23 A. Okay.

24 Q. Okay. Number one, could you have determined

25 from the 120 gigabyte in your examination if

85

1 that was true or not?

2 A. Possibly.

3 Q. Okay. Number two, you didn't look because you

4 weren't asked to; right?

5 A. Correct.Exhibit 13 page 89


6 Q. Okay. Am I correct in understanding your

7 reports that you were asked to figure out

8 whether or not user created programs in fox pro

9 had been, had been, could be recovered from the

10 120 gigabyte hard drive?

11 A. Yes.

12 Q. Okay. As a practical matter, if a client came

13 to you and said we can't get our programs up, we

14 can't get our fox pro to work, okay, wouldn't

15 you look to the simplest, quickest and most

16 effective way to find those programs and get

17 them back into use?

18 A. Let me rephrase your question as I understand

19 it. If somebody wants to recover their files,

20 they're going to go and find the cheapest way

21 and quickest way to get them back.

22 Q. Well, the most expedient way, whether it's cheap

23 or not, but to get them back; is that correct?

24 And that's what you'd advise them to do isn't

25 it?

86

1 A. No.

2 Q. Okay.

3 A. My advice is basically how important are those

Exhibit 13 page 90


4 files?

5 Q. Okay.

6 A. All right. If they're family pictures, do you

7 want to pay $800,000 to get your family pictures

8 back? Maybe you do.

9 Q. Let's say they are files that are absolutely

10 unequivocally essential for the running of the

11 business. The business has to stop if you can't

12 get those files back.

13 A. Then I have been in that situation and I have

14 recommended that they go to companies that

15 specialize in that and they specialize in that

16 only. And --

17 Q. You'd send them somewhere else?

18 A. I sent them, yes, I've sent them out.

19 Q. Let me just ask you if it would be reasonable

20 then. Wouldn't it be reasonable for them, the

21 lay people, to maybe look for other places that

22 those fox pro applications were stored. Perhaps

23 they were backed up. Isn't that a possibility?

24 A. That's a possibility but I can't make a judgment

25 or statement on that at all.

87

1 Q. Isn't that something you would recommend to a

2 company, that they have, if, for reallyExhibit 13 page 91


3 important computer stuff, that they have it

4 backed up?

5 A. You're asking me to go into the position of a

6 network administrator or something along that

7 line. I can make, I can make assumptions and I

8 can say that, but I only know how, you know, we

9 operate.

10 Q. Okay. You don't know whether there were

11 external back ups for the fox profiles that you

12 were looking for on the 120 gigabyte; is that

13 correct?


15 Q. You don't know whether that, the programming and

16 information resided on other hard drives in the

17 company, do you?


19 Q. You don't know whether that same information,

20 the true and correct information resided on

21 backup tapes on location in the company, do you?

22 A. Completely out of my scope. I don't know.

23 Q. Okay. And you don't know whether that same

24 information resided on backup tapes that were

25 off site, do you?

88

Exhibit 13 page 92



2 Q. Okay. The only thing that you can tell us from

3 your analysis of the 120 gigabyte with respect

4 to fox profiles is that you couldn't recover

5 them from the 120 gigabyte?

6 A. I couldn't recover all of them.

7 Q. You could recover some but not all?

8 A. Yes.

9 Q. And it would be a little bit more difficult to

10 recover it from the 120; right?

11 A. It -- More difficult in relation to what? The

12 ones that I easily recovered? The ones that I

13 can't recover?

14 Q. Well, wouldn't it be fair to say that it would

15 be more difficult to recover programming from

16 the 120 gigabyte than it would be to simply go

17 to some other computer within the company on

18 which those files reside?

19 A. Yes, it would be more difficult, but... I'm

20 trying to think of what I'm trying to say at

21 this point. Never mind. It completely went out

22 of my head.

23 MR. ROTE: Are we almost to a breaking

24 point? I realize we're on a tight schedule.

25 Can we take at least five minutes.

89

Exhibit 13 page 93


1 ARBITRATOR CROW: Yes, we can. Go off the

2 record.

3 (Break taken from * to *.)

4 ARBITRATOR CROW: You ready to go?

5 MS. MARSHALL: I am.

6 ARBITRATOR CROW: Go ahead.

7 Q. BY MS. MARSHALL: I want to explore with Mr. Cox

8 Exhibit 144, which I believe is something called

9 a chain of custody form.

10 A. Okay.

11 Q. Is this something that your company routinely

12 uses to control the hard drive, the drives, the

13 software, et cetera, that comes into your

14 company so that everything can go back out to

15 the client? Is that what this is for?

16 A. Yes. Basically we, when something is delivered

17 to us, then we as a company assume control of it

18 and then when we give it back, the control is

19 given back to the recipient.

20 Q. Okay. So are we, just taking this first page,

21 the description desk top computer, Sony and then

22 you have a model number and a serial number, you

23 received this personally; is that correct?

24 A. If my, can I, I don't have a copy.

25 Q. I would like to have the exhibit in front of

Exhibit 13 page 94


90

1 you, if you will?

2 A. Yes. I received it.

3 Q. Okay. And that was on April 10th of 2009; is

4 that correct?

5 A. Yes.

6 Q. And you received it from Mr. Rote?

7 A. Yes.

8 Q. If I'm reading this correctly, then on May 6th

9 of 2009 you gave it back to Mr. Rote; is that

10 correct?

11 A. Correct.

12 Q. And is this, is this a practice that you

13 continued to follow at your new company?

14 A. Yes.

15 Q. The chain of custody of a particular computer

16 is, in addition to just the value of the

17 computer that's sitting in front of you, it has

18 forensic implications as well, doesn't it?

19 A. I don't quite understand your question. I'm

20 sorry.

21 Q. Well, when you examined this desk top computer,

22 you want to make sure that you are examining the

23 actual computer that was used by Mr. Zweizig;

24 correct?

Exhibit 13 page 95


25 A. I want to examine the computer that was given to

91

1 me.

2 Q. Well that's all you have to examine.

3 A. Okay.

4 Q. But when the standpoint of a forensic examiner

5 it's very important that you know that at least

6 the hard drive that you have in your hands is

7 the actual hard drive that was used by the user

8 in issue, in this case Mr. Zweizig; is that

9 correct?

10 A. I will answer with a clarified yes at this point

11 if I can.

12 Q. Clarified in what way?

13 A. Again, it is, when I am given a device, I may

14 not know who it belongs to. Okay. I receive a

15 device. And I am told basically we need that,

16 you know, analyzed for this or this or this.

17 Q. Okay.

18 A. Okay.

19 Q. But for our purposes here where we're trying to

20 really get at the truth as opposed to just what

21 a procedure took place, it's important to know

22 where that computer has been, what's happened to

23 that computer before it was placed into yourExhibit 13 page 96


24 hands, who's touched it, who's not touched it

25 and when, all of those things are important to

92

1 know aren't they?

2 A. They are important in relation to how the

3 analysis might be conducted. They're not

4 important in relation to the chain of custody.

5 Q. Okay.

6 A. Whip get the chain of custody, I receive it.

7 That chain of custody obviously does not say who

8 had it when or anything like that.

9 Q. Sure. And so the only thing you can testify

10 about today is what happened to this laptop when

11 it was in your custody?

12 A. Yes.

13 Q. Right? You can't tell us what happened to it

14 the day before or the day after it was returned

15 to northwest direct by Mr. Zweizig; right?

16 A. I can't say exactly what happens because I one'

17 there, yes, that is correct.

18 Q. And it was returned, I'm going to ask you to

19 assume that it was returned on November 13th of

20 2003. So it's been almost six years, 7 years

21 ago. There are a lot of things that can happen

Exhibit 13 page 97


22 to that computer in that time, aren't there?

23 A. Yes.

24 Q. A lot of changes at that could be made on the

25 computer; right?

93

1 A. Yes.

2 Q. On the hard drive. Then is there a chain of

3 custody here for the 120 hard drive?

4 A. I don't have that chain of custody. That's...

5 Q. Well, why don't you go to page four.

6 A. Okay.

7 Q. All right. This is for a, an 80 gigabyte hard

8 disk, which is different --

9 A. Yes.

10 Q. Than a hard drive; right?

11 A. No. Same thing.

12 Q. Okay. Hard drive. And it does not appear to

13 have been received by you?

14 A. No. That was received by Steven Wallace, who

15 was an employee of In2iTive technologies.

16 Q. Okay.

17 ARBITRATOR CROW: I am apparently looking at

18 the wrong page.

19 MS. MARSHALL: On page four.

20 ARBITRATOR CROW: Exhibit 144.Exhibit 13 page 98


21 MS. MARSHALL: One 44, page four, I think.

22 ARBITRATOR CROW: That's my page four.

23 MR. ROTE: Is it six.

24 MS. MARSHALL: Maybe it's page six. Maybe

25 I'm just reading it wrong.

94

1 ARBITRATOR CROW: Yes. I've got it.

2 Q. BY MS. MARSHALL: In any case it's an 80

3 gigabyte hard disk. Is it possible that this

4 particular piece of hardware has nothing to do

5 with this case?

6 A. I don't think so.

7 Q. Okay. Well of what significance is an 80

8 gigabyte hard disk?

9 A. This 80 gigabyte hard disk contained an image of

10 that Steve Williams had created and was

11 delivered to our office in May to use or to

12 basically evaluate.

13 Q. Okay. So am I correct in assuming that this 80

14 gigabyte hard drive contained what you have

15 described, contained an image of what you have

16 described as the 120 gigabyte hard drive?

17 A. Yes.

18 Q. All right. And when I'm looking at your chain

Exhibit 13 page 99


19 of custody, it was received from a Steve, do you

20 know who that is? Steve Wyman maybe?

21 A. Williams.

22 Q. I'm sorry. I'm really having a hard time

23 reading this document I guess. Okay. So you

24 received it directly from Steve Williams on

25 May 20th of 2010.

95

1 A. Yes.

2 Q. Okay. Do you know why you did not simply

3 receive the 120 gigabyte hard drive on May 20th

4 of 2010?

5 A. No, I do not know why I did not receive the 120.

6 Q. As a forensic examiner, wouldn't you prefer to

7 be examining the hard drive that's at issue?

8 A. As a forensic examiner, having the original 120

9 would have been nice. But, having a verifiable

10 forensic image is sometimes what we end up

11 doing.

12 Q. Okay. Nice or preferable, do you prefer to have

13 the original hardware?

14 A. This is my personal preference. Okay. I would,

15 would agree, I would prefer to have it but then

16 I'm slightly paranoid also. So I would prefer

17 to have it, but if I can get a forensic image, IExhibit 13 page 100


18 understand the value and the integrity of a

19 image that is created by in case.

20 Q. But doesn't it, isn't this one of those issues

21 that when you said one of the things you were

22 particularly skilled at was spotting audit tees?

23 Isn't it sort of odd that northwest direct would

24 not deliver the hardware to you?

25 A. No.

96

1 Q. They gave you the Sony Vaio.

2 A. I right now in my office have forensic images

3 that were delivered to us instead of the

4 hardware.

5 Q. Is it possible that the hardware in this case,

6 the 120 gigabyte hardware no longer exists?


8 Q. Is it possible that it was somehow damaged or

9 corrupted in some way at some time in the time

10 that has passed between 2003 and 2010?

11 A. Be complete speculation on my part. I have no

12 idea.

13 Q. Did you ask anybody why you don't have the 120

14 gigabyte hard drive in your hands?

15 A. No, I did not.

Exhibit 13 page 101


16 Q. Now, you said that if you could get a verifiable

17 image of the hard drive, that would be

18 satisfactory to you; is that correct?

19 A. Yes.

20 Q. What did you mean by verifiable?

21 A. Basically I'd do the same thing, got this hard

22 drive in there, it contained a forensic image.

23 So I basically took that forensic image,

24 extracted it out of the hard drive, and then ran

25 it through in case. And in case has a

97

1 verification process that it runs and it checks

2 both the MD-5 of the entire hard drive and it

3 does a CRC 32 of segments of every segment of

4 that image. And if there's been any changes at

5 all, it comes up with an error saying this is

6 not a correct, correct image. Something has

7 become corrupted or something, somebody has

8 tried to change something. And so when I ran

9 that verification process on this image, it came

10 up with no alerts, no alarms, no errors.

11 Q. Okay. Am I understanding you correctly that

12 when you run, when you, let's just use this as

13 an example, when you received the 80 gigabyte

14 hard drive, that, that you created an image ofExhibit 13 page 102


15 that hard, that information that was on that

16 hard drive?

17 A. Yes.

18 Q. Okay. So basically Mr. Williams at some point

19 took an image and it's on this hard drive. He

20 gives you the hard drive. And now you're

21 creating an image from the image; is that

22 correct?

23 A. Yes.

24 Q. And the verification that you're talking about,

25 if I'm understanding you correctly, is whether

98

1 there's anything that has happened in the

2 process of you taking that image?

3 A. No.

4 Q. In other words, the minute you started to the

5 minute you ended it hasn't changed?

6 A. No. The verification I'm talking about is the

7 forensic image that is on the 80 gigabyte hard

8 drive. I ran a verification on that 120

9 gigabyte hard drive image.

10 Q. What does it verify?

11 A. It verifies exactly what I said. It verifies

12 the MD-5 which is a file signature as it were,

Exhibit 13 page 103


13 that nothing has changed. An MD-5 is generated

14 when the image is initially created. And if

15 even anybody goes in there and tries to change

16 even one single byte, the MD-5 will be

17 different. So verification of the 120 gigabyte

18 image, MD-5 matched. There was no problems

19 there. And that's an overall. And then the

20 verification also entails a CRC 32, which is a

21 verification that the, it looks at small

22 segments of the, of the hard drive instead,

23 excuse me, the image, other than looking at the

24 overall, you know, we got the overall MD-5 and

25 then the CRC 32 looks at smaller segments to

99

1 verify that none of this smaller segments,

2 basically it's a double verification. So I

3 verified that the 120 gigabyte image was a good

4 image.

5 Q. Okay. Now, until you said good image, I think I

6 followed you. But now I have to ask you a good

7 image of what? A good image of the original or

8 a good image of another image of an original or

9 some remote, an image, four or five images ago?

10 A. This would have been an image of the original

11 hard drive. This is not an image of an image ofExhibit 13 page 104


12 an image.

13 Q. Your verification is that the image of the

14 original hard drive can be, excuse me. Let me

15 back that up. You can verify that the original

16 image of the hard drive can be verified in your

17 process so that you can say with reasonable

18 scientific probability that nothing has happened

19 to, nothing, nothing has happened with that bit

20 stream, if you will, from the time it left the

21 original hard drive until it resides on your

22 machine?

23 A. I can verify that this is a good forensic image,

24 that the image that was created, the state of

25 the hard drive when this image was created is

100

1 the state that I see in this forensic image.

2 The image itself has not changed. Nobody has

3 modified the image, nobody has done anything to

4 the image.

5 Q. Maybe I am, I don't mean to misinterpret you,

6 but let me give you a hypothetical. Let's say

7 the hard drive, the original hard drive was

8 returned to the company on 1113, 2003, and then

9 Mr. Williams took his image of the original hard

Exhibit 13 page 105


10 drive in December of 2004. Can you say with a

11 reasonable degree of scientific probability that

12 there were no changes to the 120 gigabyte hard

13 drive between its presentation to Mr. Rote on

14 November, in November of 2003 and the time that

15 Mr. Williams took his image in December of 2004?

16 Can you say that with a reasonable degree of

17 scientific probability?

18 A. I don't think I have even insinuated that. What

19 I have said is that the image of the hard drive

20 when it was taken, and if that was in 2004, the

21 image, this image from when that drive was

22 imaged, this image is good.

23 Q. Well, let's extend that hypothetical then.

24 Let's say that Mr. Williams took an image of the

25 120 gigabyte hard drive in December of 2004 and

101

1 you don't have the image that he took in

2 December of 2004. You have a subsequent image

3 of that image. Can you tell whether you have

4 the actual image of the image he took?

5 A. What do you mean by a subsequent image?

6 ARBITRATOR CROW: Do you have the image of

7 the hard drive that Mr. Williams took in 2004?

8 THE WITNESS: Yes.Exhibit 13 page 106


9 ARBITRATOR CROW: Is that the image you

10 have.


12 ARBITRATOR CROW: And you can verify that.


14 ARBITRATOR CROW: What you cannot say is

15 whether from the time he picked it up in 2003

16 and the image that he took in 2004, something

17 happened to the computer.


19 ARBITRATOR CROW: You have no knowledge.

20 THE WITNESS: I have no idea what happened

21 to that. But the image he took, I have and it

22 is verifiable that that is the image.

23 Q. BY MS. MARSHALL: Okay. And do you know whether

24 what you have is the original image that he

25 took?

102

1 A. You can take an in case image, because it's

2 completely encapsulated within itself, you can

3 take and you can copy that a thousand times and

4 it's going to be the exact same thing.

5 Q. Okay.

6 A. So in that respect it's the original that he

Exhibit 13 page 107


7 took. It doesn't matter how many times it was

8 copied.

9 Q. Okay. All right. Now I told you I would walk

10 through the testimony you gave this morning and

11 ask you some questions but then I came prepared

12 with some questions. And one of the questions

13 that I would like is whether you brought your

14 file with you?

15 A. Which file?

16 Q. How many files do you have related to this case?

17 A. You mean reports?

18 Q. No. I mean your file, your expert file, your

19 notes, your studies.

20 A. I have my reports.

21 Q. Do you have anything other than your reports?

22 A. I believe that's probably work product. Does

23 that need to be turned over?

24 Q. Well, I'd defer of course to the arbitrator, but

25 you have now testified --

103

1 ARBITRATOR CROW: Yes. She has a right to

2 see your file.

3 THE WITNESS: I only brought my reports.

4 MR. ROTE: Mr. Cox's testimony is rebuttal

5 testimony. Does it extend to even rebuttalExhibit 13 page 108


6 testimony.

7 ARBITRATOR CROW: Once the expert testifies,

8 his file is, should be available for examination

9 by opposing counsel, yes.

10 Q. BY MS. MARSHALL: Okay. Well, I would like to

11 have your file even arch the fact. And that

12 would include any notes that you took or any

13 analysis that you performed?

14 ARBITRATOR CROW: Everything you have that

15 relates to this examination or to your

16 discussions with Mr. Rote or counsel needs to be

17 turned over.

18 THE WITNESS: Okay. Then is it permissible

19 to turn it over to Mr. Rote?

20 ARBITRATOR CROW: Yes.

21 THE WITNESS: Okay. Then I will do that.

22 Q. BY MS. MARSHALL: Okay. You've already

23 testified with respect to the computer evidence

24 degrading over time and with use, I believe. I

25 want to ask you some additional questions as far

104

1 as what are the limits of forensic examination,

2 limits of your examination. In this case date

3 and time is an issue. We want to know when a

Exhibit 13 page 109


4 particular e-mail was created and sent actually.

5 And so date and time is very important. You

6 understand, don't you, that when the computer is

7 loaded with the operating system, in this case

8 windows, that the date and time is set in there.

9 But from -- And that' the date and time that the

10 computer will operate on until some human being

11 tells it otherwise. Is that correct?

12 A. Yes and no.

13 Q. Explain.

14 A. A human can change it or it can be set up to

15 automatically maintain the proper time based on

16 connections to the internet time.

17 Q. Okay. But when the computer is performing a

18 particular function, if a human being tells it

19 it's Thursday, 2001, if my computer is operating

20 and I tell it properly that it's 2001, it's

21 going to operate as if it's 2001; correct?

22 A. Yes, provided it's not set to automatically

23 correct the time.

24 Q. Okay. So provided the computer is not set to

25 over write me, I can tell it any date or time I

105

1 want to; is that correct?

2 A. Yes.Exhibit 13 page 110


3 Q. And in windows, windows has made that

4 particularly easy, hasn't it?

5 A. Yes.

6 Q. You're familiar with the windows operating

7 system?

8 A. Yes.

9 Q. Are you familiar with Microsoft office products?

10 A. Yes.

11 Q. So you're familiar with Microsoft word ask

12 Microsoft Outlook?

13 A. Yes.

14 Q. And are you aware that those are the products

15 that were in use by this company and Mr. Zweizig

16 in particular?

17 A. Yes.

18 Q. Okay. So if I, let's give, let's just set up a

19 hypothetical. I have a computer sitting here.

20 I do have a computer sitting here. It is loaded

21 with the windows product and with the Microsoft

22 product. What would I do in order to create a

23 document that would appear to be created in

24 October of 2003?

25 A. All you would need to do is reset the date and

106

Exhibit 13 page 111


1 time and create your file. And it's going to

2 record the date and time that it thinks it is.

3 Q. That I tell it to.

4 A. Yes.

5 Q. Okay. And it's not hard to do, is it?

6 A. No.

7 Q. I could do it. Anyone sitting in this room

8 without regard to qualifications could make that

9 change. You don't have to be a forensic

10 examiner to do it?

11 A. No.

12 Q. But you, and if you did that, if, for example, I

13 sent e-mails or an e-mail after I had told the

14 computer that the date is now October 2nd, 2003,

15 what will the e-mail coming out of Outlook say

16 as far as what date it is?

17 A. How are you sending the e-mail? Is it Outlook

18 through an exchange server?

19 Q. I am sending it out of Microsoft Outlook.

20 A. Okay.

21 Q. And I am sending it through an ISP?

22 A. Okay. Generally what happens is the date sent,

23 I haven't looked at this for a while. There's a

24 date sent. There's three dates that are

25 transmitted. There's a date sent, date received

107

Exhibit 13 page 112


1 and there's a third date I cannot remember.

2 Q. Okay. Before you get too complicated, I'm just

3 asking about what the actual e-mail will look

4 like to me as a layman. Okay. I am the sender

5 of the e-mail. Is the e-mail that I see on my

6 computer screen going to say October 2nd, 2003?

7 A. I do not, I really do not remember if the date

8 is shown on Outlook when you're sending it. Do

9 you understand what I'm saying is this.

10 Q. Fair enough?

11 A. I'm not sure if the date is actually displayed.

12 Q. But you know when you receive an e-mail in

13 Outlook --

14 A. Yes.

15 Q. -- And you open it and it does tell you the date

16 and time there; correct?

17 A. Yes.

18 Q. If you received my e-mail after I had recent my

19 computer, the e-mail you received will say

20 October 2nd, 2003; correct?

21 A. That's the third date I'm not sure about.

22 Because I would have to, I know I've looked at

23 it before. I do not, I apologize, have the

24 exact thing. But when an e-mail is sent, there

25 is a date that is associated with the date that

Exhibit 13 page 113


108

1 it's sent. When it gets to the e-mail server,

2 there is another date that is set, which is the

3 date that the e-mail server is set to. And then

4 there's a receive date and I am not sure where

5 that date is being pulled from. But there

6 actually, there are three dates in there. And

7 so I cannot say what date is going to show on

8 the receiving end until I go back and reverify

9 my --

10 Q. Okay. Well that's why I asked you whether, you

11 know, when you said that you could be of

12 assistance in creating a timeline of what

13 events, what activities were taking place in

14 that computer, that's what I'm asking you is

15 whether you could help us at least in terms of

16 what you would do if you were asked to do it, to

17 figure out what the true and actual date of a

18 document created on, in Microsoft, in Microsoft

19 word or the true and actual date created for an

20 e-mail in a Microsoft environment. Let me ask

21 you a few more questions to see if we can get

22 anywhere in that regard. If you wanted to know

23 when a particular document was actually created

24 and when a particular document was, or when a

Exhibit 13 page 114


25 particular e-mail was actually created, okay,

109

1 aside from looking at the document, you know

2 that there is data created in the computer or in

3 the software that me as an average person never

4 sees, that relates to the date and time;

5 correct?

6 A. Yes.

7 Q. Okay. If, if, going back to my hypothetical I

8 change the date on my computer, let's say the

9 date is actually November 2nd, 2003, but I want

10 it to say October 2nd, 2003. Let's say I change

11 the date and then sent the e-mail. The data

12 that's in the computer that the software creates

13 I never see will say that it was created and

14 sent on October 2nd, 2003, won't it?

15 A. I cannot answer that positively until I go back

16 and check what I was speaking about with the

17 date on the e-mail server. Because I know there

18 is a date, a third date on that e-mail server

19 and I was not aware I was going to be asked

20 this.

21 Q. I'm sorry.

22 A. So I need to go back or I would need to go back

23 and research that to find out if that e-mailExhibit 13 page 115


24 server brings back a date and assigns it to the

25 e-mail on the local computer from the sending

110

1 computer. I can't answer that.

2 Q. Okay. Maybe you could help us just with the

3 questions that one should ask if you really want

4 to get to the truth. Okay. The first question

5 you want to ask is whether the e-mail travels

6 through an ISP or server; correct?

7 A. That would be good to know.

8 Q. Okay. Because if the e-mail was actually sent

9 and did travel through a server, you'd go to

10 that server and find out the real date that the

11 e-mail passed through the server, wouldn't you?

12 A. Without going back and doing complete research,

13 I don't think so. Generally e-mail servers do

14 not keep e-mails.

15 Q. Well we're just looking for the date and I'm

16 just asking you for the questions how we might

17 go about getting to the truth.

18 ARBITRATOR CROW: Well I think he answered

19 that he wouldn't go to the server because the

20 server doesn't retain the e-mail; is that

21 correct?

Exhibit 13 page 116


22 THE WITNESS: Correct.

23 ARBITRATOR CROW: So that's one question he

24 would not ask.

25 THE WITNESS: There's more than 100

111

1 different configurations.

2 Q. BY MS. MARSHALL: Would you go to the ISP and

3 find out what information they had about the

4 date that the e-mail was sent?

5 A. Again, depending on the configuration the ISP

6 may not keep the e-mail at all.

7 Q. But is that what you suggest we might do?

8 A. If you're going to go to an ISP, then up need to

9 do it in a expedited manner because they do not

10 keep their e-mails around.

11 Q. What's expedited in your view?

12 A. I can't answer for all of them, but I know for,

13 for, let me rephrase that. For several that we

14 have looked into, they don't retain more than

15 30 days.

16 Q. Do you have experience actually determining

17 whether the date on an e-mail is correct,

18 whether the date it was created or sent is

19 correct?

20 A. The examinations of e-mails, I mean, you look atExhibit 13 page 117


21 the e-mail and, again, you look for oddities,

22 something that doesn't zinc upright. Now, if

23 it's, I have had e-mails that have been sent but

24 weren't delivered until two hours later. Well

25 going back and looking at things, it's, yeah, it

112

1 got delayed. The server was down or something

2 type of thing. So I'm not exactly sure how to

3 answer your question.

4 Q. Okay. Well, let's say we wanted to find out

5 when the e-mail was created. One of the things

6 that you would suggest that we do is look at the

7 metadata in the e-mail; is that correct?

8 A. Yes.

9 Q. But given my hypothetical, if I changed the date

10 on my computer before I created the e-mail, the

11 metadata would tell us that the date was

12 October 2nd, 2003, wouldn't it?

13 A. Maybe. I need to do the research. I can't

14 answer that definitively.

15 Q. Okay. Well, would you look anywhere else?

16 A. I will say one date, one of those three dates

17 will show the date on the local computer.

18 Q. Okay. Is there anyplace else that we can look

Exhibit 13 page 118


19 in the computer to try and figure out when that

20 e-mail was actually created or a particular

21 document was actually created so that we can get

22 past this idea that I changed the date in my

23 computer? Anyway to get past that?

24 A. All files that are created at the time, if the

25 date is manually set to a different date, all

113

1 files that may be related, temp files or

2 whatever, are going to be reflecting that date.

3 If the file, if the date is setback to a normal

4 date, it's still going to reflect the time

5 created that it thought it was, that the

6 computer was told that it was by the user. So

7 the created date is still going to show that

8 incorrect date. So, no. I mean, for the

9 initial creation, there's no other way that

10 you're going to find it.

11 Q. Well, let me suggest that we look at the logs in

12 the computer. Isn't there, aren't there logs

13 that keep track of virtually every activity that

14 the operating system performs sequentially?

15 Have you ever looked at any of those logs?

16 A. Yes, I have. Not necessarily. Windows does not

17 keep logs of everything that's going on becauseExhibit 13 page 119


18 if it did that, it would soon fill up the hard

19 drive and there would be no room for files. So

20 a lot of the logs aren't going to be kept.

21 Q. If I change the date and time in my computer,

22 does it, does that reflect in a log somewhere?

23 A. You can look at the, there's different areas

24 inside the registry that you can look at. It

25 won't tell you what, if it's even recording,

114

1 because, even if it's recording, it will not

2 tell you what date you set it to. It will only

3 tell you what date you set it from.

4 Q. Okay. But it will tell you that I fiddled with

5 the date and time in my computer, won't it? If

6 you get to it quickly enough?

7 A. It will tell you that the time was accessed. It

8 may not necessarily, it doesn't tell you that it

9 was actually changed. It will tell you the last

10 time that that feature was accessed.

11 Q. Okay. So if we really wanted to know when my

12 e-mail was created, whether it was October 2nd

13 or November 2nd or some other date, okay, we

14 could go to the date that we suspect or

15 somewhere around that in the registry or in one

Exhibit 13 page 120


16 of these logs and we could see if the computer

17 recorded that the date and time feature had been

18 accessed, couldn't we?

19 A. Using one of your words, hypothetically, yes.

20 Q. Okay. We'd have to do it before that

21 information got over written though, wouldn't

22 we?

23 A. Yes. If it was a file that was getting over

24 written. Now, if it's a log, logs generally

25 only, a lot of times only go to a certain size.

115

1 So the log files not being over written. The

2 log file is still there but the contents of the

3 log file may change.

4 Q. You're telling us that the log itself might

5 rollover like a tape?

6 A. Yes.

7 Q. So that it --

8 A. Yes. So in that aspect, yes, there is a time

9 limit on what could be done.

10 Q. Yeah. So if you wait too long, you could not

11 verify whether or not the computer, I'd access

12 the computer, accessed the date and time, is

13 that what you're saying?

14 A. What I'm saying is that the log file may overExhibit 13 page 121


15 write it self. Okay. If it's a log file or if

16 it's a file that we have found that doesn't have

17 a lot of entries in it, it will be around for

18 years.

19 Q. If the log file had over written itself or had

20 looped or whatever is the proper term.

21 A. Okay.

22 Q. -- as a forensic examiner, is there anyway that

23 you can recreate it or recover it from some

24 hidden space somewhere? Is there any corner of

25 the computer?

116

1 A. Generally not.

2 Q. Okay. Does your firm get involved or I should

3 say do you get involved in advising clients in

4 terms of preservation of evidence?

5 A. I generally do not.

6 Q. Okay. Now, you do have some knowledge with

7 respect to the documents that we're talking

8 about in this case, don't you, the October 2nd,

9 what was called maxterm.doc letter?

10 A. I have seen them.

11 Q. And also the October 2nd exit time e-mail?

12 You've seen that too, haven't you?

Exhibit 13 page 122


13 A. I think I've seen that, yes.

14 Q. Okay. I'd like for you to take a look at what

15 we've marked as Exhibit 182. Exhibit 182, I

16 believe, is a declaration that you prepared in

17 this case.

18 A. Okay.

19 Q. This is titled second declaration of mark D Cox

20 and it was, the date of it is July 14, 2009. So

21 that's just last July; right?

22 A. Oh. You're asking me.

23 Q. Yes.

24 A. The date is, I'm sorry. Where did you find the

25 date?

117

1 Q. Right next to your signature.

2 ARBITRATOR CROW: At the end of it.

3 THE WITNESS: Okay. Yes. 14 July.

4 Q. BY MS. MARSHALL: And then the letter that we're

5 talking about is attached to the declaration,

6 the very next, the next document.

7 A. Okay.

8 Q. All right. So you became familiar with this

9 October 2nd, 2003, letter, at least in 2009. Is

10 that correct?

11 A. Yes.Exhibit 13 page 123


12 Q. Okay. And you, did you perform a forensic

13 examination of any kind to analyze this letter?

14 A. I don't recall that I did.

15 Q. Well, if you had performed a forensic

16 examination, would you have prepared a report?

17 A. If I had performed a forensic examination and

18 report had been requested, I would have done a

19 report.

20 Q. But you don't remember performing any

21 examination?

22 A. I do not remember performing a forensic

23 examination of it.

24 Q. It would appear that the main part of your, the

25 thrust I guess of your declaration is to respond

118

1 to a particular exhibit that had been presented

2 by Justin McAnn in the summer judgment motion?

3 A. Okay.

4 Q. Does that bring back a recollection?

5 A. I remember looking at the -- Yes.

6 Q. Okay. So you remember looking at his report and

7 you remember writing this declaration?

8 A. Yes.

9 Q. But in connection with that, do you have any

Exhibit 13 page 124


10 recollection of either taking an image yourself

11 or looking at the image that someone else had

12 taken of any computer device?

13 A. I do not believe -- I'm trying to remember. I

14 do not remember ever actually getting an

15 electronic version of this letter.

16 Q. Okay. So in this affidavit or in this

17 declaration basically you had an exhibit, a

18 paper exhibit from Mr. McAnn that showed that

19 there were differences between the metadata or

20 the internal data of the document and the

21 document that was actually printed on paper?

22 A. Okay.

23 Q. And that's what you were giving an upon. And

24 here it would appear that your opinion was that,

25 that the explanation that was given by Mr. Rote,

119

1 that he created the letter on October 1st and

2 saved it to a floppy disk and then took it home

3 and made some edits to the letter, didn't save

4 them but made the edits, printed it and then

5 exited the document in the floppy that you were

6 saying that that's, that is consistent with,

7 that his version of the facts were consistent

8 with what you were seeing in that forensicExhibit 13 page 125


9 image; correct?

10 A. Yes.

11 Q. All right.

12 A. It was not a forensic image.

13 Q. You were not looking at a forensic image?


15 Q. You were looking at a picture of one?

16 A. I was looking at, yes.

17 Q. First of all, when one creates a document, even

18 if you're creating a document on a floppy disk,

19 does the computer that the floppy disk is

20 inserted into, does that computer record any

21 information about your document?

22 A. Generally you go to create a document and it

23 will be a temporary file created, yes.

24 Q. Okay. So the computer that creates the

25 document, other than the floppy in the hard

120

1 drive of the computer, it will make a record

2 which is called a temporary file; correct?

3 A. Yes.

4 Q. Of that document. And if you go to that

5 computer, the original created computer, you can

6 discover that temporary file; right?

Exhibit 13 page 126


7 A. With a qualified yes because temporary files are

8 exactly that, temporary.

9 Q. Sure.

10 A. They are subject to being over written rather

11 quickly, over written.

12 Q. All right. But if you get to it quickly enough,

13 that temporary file will independently of the

14 floppy disk, tell you when the document was

15 created unless that computer's date and time had

16 been changed; is that right?

17 A. Okay. Yes.

18 Q. But we've already covered the fact that you

19 could, if you get to it in time, you can find

20 out whether the date and time had been changed

21 by looking at the logs. So if you really wanted

22 to know the date that my October 2nd letter, the

23 October second letter was written, you would

24 need to go back to the original computer on

25 write it was written; correct?

121

1 A. That would be the best way. But, I would not

2 give a, I would not give a lot of expectation

3 that you would be able to recover it. If you

4 did it immediately, probably a high expectation.

5 The more that you wait, I mean, it could be, theExhibit 13 page 127


6 more that you wait, the more difficult --

7 Q. If you wait a year, makes it difficult. If you

8 wait --

9 A. Probably.

10 Q. -- six years be and it's in use, it's almost

11 impossible, isn't it?

12 A. Correct.

13 Q. Now, in addition to the temporary files that are

14 created in the creating computer, I'm not talk

15 being about the floppy, but the computer itself,

16 the hard drive, in addition to the temporary

17 files, there are what are called auto save

18 files?

19 A. Yes.

20 Q. Okay. And what does that mean?

21 A. Basically there is a feature in windows that if

22 you're writing a document, that it will save a

23 copy of it. So in case the computer was to

24 crash or not even the computer, but the program

25 you're using were to crash, when you start it

122

1 back up you may be able to save or you may be

2 able to recover up to the last auto save.

3 Q. And it does that automatically without you doing

Exhibit 13 page 128


4 anything; right?

5 A. It does it automatically if it's set. It

6 usually it is set, but it's something that,

7 yeah, you're probably not going to be aware of

8 that's going on.

9 Q. Sure. And in order to determine whether it was

10 set, you'd have to look at the particular

11 computer, wouldn't you?

12 A. Yes.

13 Q. Yeah. How frequently does the computer

14 automatically save your work for you, to save

15 you from yourself?

16 A. I can't answer that in a 100 percent positive

17 certainty. I think it's ten minutes. But, I

18 don't know that 100 percent.

19 Q. Is it possible that it might be every three

20 minutes?

21 A. I --

22 Q. As a default?

23 A. I would have to go back. I don't know. Can't

24 answer it.

25 Q. Do you know whether you can change the default I

123

1 guess, whether you can change it from --

2 A. I believe you can.Exhibit 13 page 129


3 Q. Okay. So, now we have two things in the

4 original computer that might help us decide when

5 that document was really created. There's a

6 third and that's called metadata, isn't it?

7 A. The metadata you're referring to the data that's

8 inside the document itself.

9 Q. Inside the document, inside the original

10 computer?

11 A. There is metadata and it will be part of the

12 document that gets saved. Is that what you are

13 proposing there?

14 Q. Uh-huh.

15 A. Okay.

16 Q. If I create the document on a computer, not on a

17 floppy but on a computer?

18 A. Okay.

19 Q. And I save the document to the computer.

20 A. Yep.

21 Q. The computer will contain metadata about that

22 document; correct?

23 A. The document will contain metadata about the

24 document. The computer itself doesn't hold it.

25 Q. The Microsoft windows and Microsoft office will

124

Exhibit 13 page 130


1 contain the metadata; is that correct? Am I

2 missing this here?

3 A. Yeah. And I don't want to confuse anymore.

4 Obviously the metadata is on the computer

5 because the document is on the computer but the

6 metadata is part of the document itself. So

7 you're looking for the metadata, you will look

8 inside the area where that document is located.

9 Q. All right. Now, would that be true if we really

10 wanted to find this and we went back and got

11 that computer that it was created on, would it

12 have metadata if I saved it and I hadn't even

13 given it a name yet?

14 A. You have to give it a name to save it.

15 Q. Well, let's say I just hit the save button, what

16 will Microsoft office call the document?

17 A. That I am not sure. It might, I would have to

18 look.

19 Q. Have you ever seen doc dot doc I guess --

20 A. Doc dot doc.

21 Q. Does that seem to refresh?

22 A. Yes.

23 Q. If you figure out a name?

24 A. But I don't know if that is the default. What

25 I'm saying is I can't answer that question

125

Exhibit 13 page 131


1 positive or negative because I would need to

2 look.

3 Q. Okay. But in any case, if we had the computer

4 and we went into, you, as a forensic examiner

5 because I couldn't do it, but if you went into

6 that computer, you could actually see that

7 document that had been saved and more

8 importantly you could see the metadata

9 associated with that document; right?

10 A. Yes.

11 Q. And that metadata might also help us in

12 determining the date the document was created?

13 A. Correct.

14 Q. All right. With metadata as with what you've

15 talked about before, the longer you wait and the

16 more the computer is used, the less likely

17 you're going to be able to find the metadata

18 that you need?

19 A. For a particular document?

20 Q. Yes.

21 A. If the document is deleted, yes. If the

22 document is not deleted, the metadata does not

23 disappear.

24 Q. Okay. So if we had the computer that this Max

25 dot doc document was created on, if we had it

Exhibit 13 page 132


126

1 here today, is it why you can testimony that you

2 could hookup your forensic tools, you could find

3 the document and you could tell us the date and

4 time that that document was first saved?

5 A. If the document was on that computer and it had

6 not been deleted, there would be a creation date

7 inside the metadata.

8 Q. Okay. And if it had been deleted?

9 A. If it had been deleted, then it comes back to

10 can it be found. If it can be found, then the

11 metadata will still be inside there if you

12 recover the whole thing. If you can't recover

13 the whole thing, you still may be able to find

14 some dates but you got to be suspect of anything

15 that's there.

16 Q. But you have got to have that first computer

17 don't you or the hard drive from it?

18 A. Yes.

19 Q. Okay. Now, let's assume for the purpose of your

20 testimony that the October 2nd letter was

21 created on a computer which I can't describe and

22 we don't have and it was saved to a floppy.

23 A. Okay.

24 Q. If you wanted to find the date and time that it

Exhibit 13 page 133


25 was created, is there information on the floppy

127

1 that you would look for?

2 A. On the floppy, again, you would look for the

3 file. It will record when that file was

4 created, last accessed, and it will also contain

5 the metadata inside the document that's on the

6 floppy.

7 Q. Okay. Like what metadata?

8 A. Generally the default metadata is the user that

9 created or the user account that created the

10 document and I believe there's also a creation

11 date and --

12 Q. Will it tell us the computer on which the

13 document was created?

14 A. I do not know. I would have to go look and see

15 what automatic the metadata is.

16 ARBITRATOR CROW: Was there a floppy created

17 in this instance?

18 MS. MARSHALL: There was a floppy or a copy

19 of a floppy that was presented as the evidence

20 of the creation of the October 2nd letter.

21 ARBITRATOR CROW: Where is it? Do I have it

22 as an exhibit?

23 MS. MARSHALL: You have parts of it as anExhibit 13 page 134


24 exhibit. We don't know whether the floppy still

25 exists. We don't believe our expert ever

128

1 actually saw the real floppy.

2 ARBITRATOR CROW: When was the floppy

3 created.

4 MS. MARSHALL: I don't mean to be evasive

5 but we don't know. What we have is evidence

6 that the floppy that was produced to our expert

7 simply contained a copy of a document with a

8 limited amount of metadata and that there be

9 would have been an original floppy that was

10 never produced that was the document that the

11 October 2nd letter was actually saved to.

12 ARBITRATOR CROW: Did you examine such a

13 floppy.

14 THE WITNESS: No.

15 ARBITRATOR CROW: I'm not quite sure where

16 you are going with this witness.

17 MS. MARSHALL: Okay. I understand. I just

18 thought maybe he could help us with what to look

19 for. So I'll move on.

20 I apologize but you've covered a number of

21 things that I was going to ask already so I

Exhibit 13 page 135


22 don't want to repeat them.

23 Let me go back to what you can help us with

24 in terms of the e-mail. And we've already

25 talked about the ISP. If the e-mail is actually

129

1 sent, it will go to the ISP and perhaps the ISP

2 provider will have some data; is that correct?

3 THE WITNESS: Possibly.

4 Q. If the address that you're sending the e-mail to

5 is still active, in other words --

6 A. Okay.

7 Q. -- today [email protected] was still active

8 and we sent him an e-mail, it would go through

9 and it wouldn't come back so we would assume it

10 went through; is that correct?

11 A. Yes.

12 Q. Let's say it's not active and we sent him an

13 e-mail at that address, what would happen?

14 A. Different e-mail servers are going to operate

15 differently. Some of them are just going to

16 drop the e-mail. I mean, this is from personal

17 experience. All right. If you wanted a in

18 depth analysis, I can't give that to you.

19 Personal experience, some E males mail servers,

20 ISP, whatever you want to call them, will dropExhibit 13 page 136


21 the e-mail. Some will send an e-mail back

22 saying it could not be delivered. Some will

23 continue to try for a certain amount of period.

24 Just depends on how the particular E males mail

25 servers providers set their up.

130

1 Q. All right. If the address no longer exists and

2 the ISP bounces it back or sends you a bounce

3 back e-mail, is that like any other e-mail, if

4 that happened, would you be able to forensically

5 discover it?

6 A. Maybe, maybe not. If the e-mail gets bounced

7 back, you should be able to. But it's not

8 necessarily that you're going to get the e-mail

9 back.

10 ARBITRATOR CROW: I think what she's asking

11 is if there's a bounce back e-mail, unable to

12 serve, would you be able to find that? Is that

13 your question.

14 MS. MARSHALL: Yes. Please.


16 Q. BY MS. MARSHALL: Just like any other e-mail; is

17 that correct?

18 A. Yes. If it's a normal e-mail, it's essentially,

Exhibit 13 page 137


19 I mean we look at it as an e-mail that basically

20 got sent to you by the internet or the e-mail

21 provider saying this e-mail did not get

22 delivered.

23 Q. Okay. You did perform a forensic analysis to

24 look into whether, when the exit time e-mail was

25 created and sent, didn't you?

131

1 A. Yes.

2 Q. And you prepared a declaration, I believe, to

3 that effect and submitted it for summary

4 judgment in this case?

5 A. Yes.

6 Q. And that is Exhibit 184, dated May 27, 2009.

7 A. Okay.

8 Q. Oh, is that marked up? I'm sorry. We may have

9 submitted some exhibits that have some

10 marginality on them that shouldn't be there

11 that's not a part of the exhibit.

12 ARBITRATOR CROW: I can't find Exhibit 184

13 if that's what we're talking about.

14 MS. MARSHALL: One 84. Does your exhibit

15 have --

16 MR. MARSHALL: They all do.

17 MS. MARSHALL: Well then let's not use them.Exhibit 13 page 138


18 That was inadvertent.

19 Q. BY MS. MARSHALL: Why don't you give that back

20 to me then.

21 ARBITRATOR CROW: If I had it I would give

22 it back to you. I have one 82 but I can't find

23 one 84.

24 MS. MARSHALL: Well, we'll --

25 ARBITRATOR CROW: No, I don't find one 84.

132

1 MS. MARSHALL: Okay. Well, if you locate it

2 maybe you will give it back to us.

3 ARBITRATOR CROW: I'll return it.

4 MR. ROTE: Would you like me copy as well.

5 MS. MARSHALL: Yes, please. And we'll clean

6 that up for later.

7 ARBITRATOR CROW: No. No one 84.

8 MS. MARSHALL: Okay. No problem.

9 Q. BY MS. MARSHALL: Let me ask you if you recall

10 when you performed your forensic examination of

11 the exit time e-mail, you took an image of

12 Mr. Rote's laptop; is that correct?

13 A. Yes.

14 Q. Okay. And you performed your examination, or

15 your forensic analysis on that image; is that

Exhibit 13 page 139


16 correct?

17 A. Yes. I performed a forensic analysis.

18 Q. You make me nervous when you say that.

19 A. I make me nervous.

20 Q. Did you or did you not perform a forensic

21 analysis on the bit stream image that you took

22 off of the laptop?

23 A. Yes. I performed a forensic analysis. Okay.

24 There's thousands of analysis you can do is what

25 I was trying to say.

133

1 Q. I see?

2 A. I performed a specific analysis.

3 Q. And what specific analysis did you perform?

4 A. Basically it was looking at the, to find a

5 particular e-mail and having found it, to draw a

6 conclusion as to what I thought the, I believe

7 it was the time that it was sent.

8 Q. Okay. And you concluded from your analysis that

9 it was sent on October 2nd, 2003? You recall

10 that?

11 A. I do not recall the exact date.

12 Q. In performing your analysis, do you recall

13 examining the logs in the laptop to determine

14 whether the time on those, on that computer hadExhibit 13 page 140


15 ever been tampered with or more specifically had

16 been tampered with in October, November of 2003?

17 A. In relation to that e-mail, I remember being

18 asked to analyze the e-mail for when, I believe

19 it was the, basically when it was sent. And so

20 based upon that e-mail is when I drew my

21 conclusions.

22 Q. Based upon the metadata in the e-mail?

23 A. Yes.

24 Q. Okay. But not based upon an analysis of the log

25 to see if the computer's time, date had been

134

1 changed?

2 A. No. I did not perform that analysis.

3 Q. Okay. And you did not check to determine

4 whether the e-mail went through a server or an

5 ISP; right?

6 A. No.

7 Q. And you did not check the recipient computer,

8 which would have been the 60 gigabyte hard drive

9 that you have now seen. You did not check to

10 determine whether the e-mail was received on

11 that computer, did you?

12 A. At that time for that, when that analysis was

Exhibit 13 page 141


13 done, no, I don't believe I did.

14 Q. Okay. So this was a limited analysis, a limited

15 examination?

16 A. Yes.

17 Q. Right?

18 Your I A S I C, is that the proper letters

19 for your certification?

20 A. No. Mine is E N C E.

21 Q. I'm sorry. Okay. All right. So your

22 examination was limited to determining just the

23 metadata in the e-mail itself?

24 A. That's what I was asked to examine.

25 Q. Did you suggest that you be allowed to look

135

1 further than that, broaden your examination?

2 A. I don't recall.

3 Q. Did you think about it, that maybe we should

4 look further than just the metadata in this

5 e-mail?

6 A. I do not recall.

7 Q. All right. The reports that you've presented

8 here today, the report regarding the examination

9 of the 60 gigabyte hard drive and the 120, you

10 prepared those last week, didn't you?

11 A. They were finalized last week, yes.Exhibit 13 page 142


12 Q. Last weekend, in fact, last Saturday?


14 Q. Three of them and on Sunday the third; right?

15 A. I believe so, yes.

16 Q. Is there a reason that you were performing these

17 analysis this late in the game?

18 A. The testimony, parts of the testimony of Max

19 that were given to me was in, to answer

20 questions that was raised to me.

21 Q. When were those questions raised to you?

22 A. Approximately a week or more before.

23 Q. Okay.

24 A. I finalized the reports.

25 Q. All right. So you were asked to do these

136

1 analyses approximately two weeks ago. You

2 finished your analysis, provided your reports to

3 Mr. Rote on Saturday and Sunday of last week?

4 A. Yes.

5 Q. In your report on your analysis of the 60

6 gigabyte hard drive, I believe at some point you

7 say that it's almost certain that this drive was

8 not used by Max Zweizig for e-mail.

9 A. Yes.

Exhibit 13 page 143


10 Q. Do you remember writing that?

11 A. Yes, I do.

12 Q. Well, in fact, that's not, that's a little bit

13 of an overstatement, isn't it? Because any

14 e-mails that existed on that file could readily

15 have been wiped out during the night on

16 November 13th, 2003; right?

17 A. I did not see any indications on that hard drive

18 of forensic wiping of the hard drive. Generally

19 you're looking at an image and things will stand

20 out like how come this same character comprises

21 massive amounts of the hard drive. I did not

22 see any of that at all.

23 Q. Did you specifically look for it?

24 A. I specifically look for that every time I do an

25 analysis.

137

1 Q. And you did not find it?

2 A. I did not find any indication that events like

3 that had occurred.

4 Q. But you did find some indication that someone

5 had been into that account during the night on

6 November 13, 2003, so that Mr. Jaffe's --

7 A. Someone had created that account.

8 Q. -- e-mails residing on that computer from thatExhibit 13 page 144


9 point on, even though Mr. Jaffe never had access

10 until after 2003? Or excuse me. After

11 November 13, 2003?

12 A. I cannot agree with that statement because I

13 need to go, I would need to look at that PST. I

14 do believe I opened it but I cannot say that as

15 we have covered before. I can't say for sure

16 that we did.

17 Now, so to that extent, if Jaffe's e-mails

18 are in there, then basically it would be, if

19 there was a question of when they got in there,

20 there would be analysis need to be done to

21 attempt to determine when those e-mails were put

22 into there.

23 Q. And that's possible to do, isn't it?

24 A. That is possible, yes.

25 Q. You testified a bit about the reformatting of

138

1 the 120 gig and I forgot to ask you whether,

2 what effect change being the date in the

3 computer for any other, for any reason would

4 have on reformatting? In other words, if I

5 changed the date in my computer and then I

6 reformatted?

Exhibit 13 page 145


7 A. The reformat would reflect the date that the

8 computer is set to.

9 Q. Okay. So if I set the computer to November 12th

10 or November 13th or whatever, that's date the

11 reformatting is going to reflect in the data

12 that you'd look at?

13 A. Yes.

14 Q. I think I'm almost finished. I just want to

15 make sure I haven't missed something. When you

16 look at a file in a computer and you are

17 attempting to determine the activity that's

18 taken place, isn't it true that there's nothing

19 there that's going to tell you with any

20 scientific certainty who was at the keyboard

21 when that activity occurred.

22 THE WITNESS: That is true. You can only

23 generally know what account was signed into.

24 Q. Okay. And in this case the account NWT employee

25 is pretty generic, isn't it?

139

1 A. Yes, it is.

2 Q. Is that pretty common to find in companies that

3 just a generic account name like that?

4 A. Yes and no. Depends on the company. Companies

5 I have seen that are very strict in theirExhibit 13 page 146


6 security, I have seen as it were public accounts

7 that people could log into, just maybe to allow

8 access to the internet. I'm not saying in this

9 case, but that is, that is, I have seen that.

10 Q. Have you seen other, other places where

11 Mr. Jaffe's name has been associated with NWT

12 employee as the account owner?

13 A. I can't answer that in that I am not sure. I

14 have seen his name. I do not remember if it was

15 associated with a particular account.

16 Q.

17 MS. MARSHALL: That's all I have.

18 ARBITRATOR CROW: Mr. Rote, I'm sympathetic

19 to the cost of bringing an expert back and

20 forth. And I'm not going to require you to

21 redirect your expert at this time because of the

22 length of the cross-examination and my limited

23 time to be here this morning.

24 MR. ROTE: I understand.

25 ARBITRATOR CROW: So if you would like to

140

1 delay your redirect until you have some time to

2 reflect on it and bring Mr. Cox back, that's

3 fine.

Exhibit 13 page 147


4 MR. ROTE: I would like to do that.

5 ARBITRATOR CROW: Then what I'm going to ask

6 the parties to do, again counsel to give me a

7 schedule of your calendars for the month of

8 October and it would appear that we're going to

9 need at least two days from what has happened

10 today. So I will need that from both of you.

11 If you can get that to me early next week, we

12 will schedule another two days for some time in

13 October.

14 MR. ROTE: Okay.

15 MS. MARSHALL: Are you suggesting that you

16 have no time left in September?

17 ARBITRATOR CROW: I will be gone out of the

18 office on Tuesday, Wednesday Thursday of next

19 week and that doesn't leave much of September,

20 I'm afraid.

21 MR. ROTE: I'm off to Virginia as well.

22 MS. MARSHALL: I see. Okay.

23 ARBITRATOR CROW: So I apologize for the

24 fact that we have to abort today and I am

25 sensitive to the expense, Mr. Rote, of bringing

141

1 an expert witnesses back and forth and I

2 apologize for that. So we are in recess.Exhibit 13 page 148


3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

Exhibit 13 page 149


case 3:15-cv-02401-hz document 120-13 filed 06/22/17 page ... › ... · case 3:15-cv-02401-hz...

Documents