About the Post

Author Information

Day 33: Crash Course in Computer Forensics and English


Day 33: Crash Course in Computer Forensics and English

Defense Witness Mark Spencer
The defense put Mr. Mark Spencer on the stand today – a computer forensics expert with a BA in criminal justice and has taught numerous courses on civil cases and corporate litigation. He is the president of Arsenal Consulting, a computer forensics firm used by the defense team in this case. In January 2010, the firm was tasked with reviewing a myriad of forensic images obtained from Tarek’s hard drives, as well as those from the UK, floppy disks, CDs and other sources. Any data in Arabic was passed on to a translator. He examined information obtained from laptop hard drives “Dell ‘06”, “Dell ‘07”, and “Dell ‘08”, as well as the desktop, on which there were 5 user accounts – Ahmed Mehanna, Tariq, Mehanna, Second Account, and Administrator. When asked whether he could tell who was at the keyboard when an item was downloaded on the computer, Mr. Spencer responded that this was not possible, and could only be determined based on contextual information (i.e. signing into another user account) or witness accounts in this case. He agreed that there was no video footage of anyone sitting in front of the computer to determine exactly who the user was at any point.
Mr. Spencer emphasized the tremendous volume of electronic material he was given to comb through, including documents, images, music, program files, videos, etc. He distinguished between active and inactive space on the computer. Active space, he said, is live, allocated space, as opposed to inactive space, which refers to deleted material, files in the trash bin, etc., explaining that files in inactive space are often times damaged. He also defined the “web folder cache” for the jury, describing it as a folder where the web browser “quietly stores elements of a webpage”. Users may or may not have actually accessed or seen images located in the cache, as the computer automatically downloads these images without the user’s knowledge. The hard drives each held 20 gigabytes of information – 60 GB total only for the Dell laptop. Spencer equated this amount of data to approximately 60 pickup trucks of books, and would take about 250 years to review all of the forensic information available. When asked whether it was impossible to review all of that data, he responded that it was “theoretically possible, but practically impossible”, and that 700 GB (total forensic images, CDs, etc.) amounted to 70,000,000 pages of information. Defense attorney Sejal Patel then showed a table displaying image statistics from Dell ’06, ’08, and ’09. It showed the number of government exhibits used that were among the thumbnail images in the cache folder – images not overtly or intentionally stored.

 

2006

2008

2009

Number of Government Exhibits (images/pics)

158

8

3

How many inactive space

151

7

1

Thumbnail dimensions

95

1

3

The table clearly showed that the vast majority of the images shown by the government were found in inactive space – i.e. that hidden folder that secretly downloads and stores random stuff on your computer. Mr. Spencer clarified that images recovered from inactive space need to be put in context – there is no way to know who took it, what it depicts, who threw it away, etc. For instance, his forensic analysis revealed that the “Sawt-al-Jihad” magazine – a document Evan Kohlmann said was found on Dell ’06 – was actually contained within a compressed file, and that there was no evidence that the document had ever been opened at all. The analogy was made of accusing someone of reading a magazine that was sent to them, when it fact it had been left in an unopened box in the driveway.

Ms. Patel then asked Spencer about various encryption programs, including TOR – “an onion routing system” to increase security and privacy; Privoxy – “a non-caching web proxy between the internet and a web browser”, used for scrubbing out all ads, and often installed with TOR; Window Washer – a commercial product used to “clean up” windows computers; and Trillion – a chat client that combines instant messaging accounts. He testified that all of these are freely available and not illegal. Window Washer and Trillion were installed on Tarek’s laptop, but there are no reports that TOR or Privoxy were ever used. FBI Agents Daily and Williams analyzed and processed the electronic data.
Patel: “Do you need forensics training to analyze electronic data?”
Prosecution Objects.
Spencer: “It’s not that simple. Electronic evidence has a context, and computer forensics expertise is important to develop that context.”
The defense then showed a serious of random thumbnail images recovered from the inactive space on Tarek’s laptop, including pictures of football players, babies, athletes, the CVS logo, Michael Jackson, Chuck Norris, Superman, Garfield, Bush, and Shakira, among others.

Aloke Chakravarty Cross-Examination of Mark Spencer
Chakravarty established that, in addition to the images found in inactive space, there were also hundreds, if not thousands, of images in active space, and that data never stored in active space is automatically transferred to inactive.
Chakravarty: “The bottom line is that this is data that was on the computer. The only issue is how it got on the computer that you’re unsure about.”
He also asked the witness about the folders found on Tarek’s computer, including folders entitled “Iraq” and “Afghanistan”, “My Work”, and “Translations”. He said that the chart of image statistics exhibited by the defense only included thumbnail images, not videos, mp3s, translations and IM chats, which were in active space. Chakravarty mentioned the thumbnail images that included images of the WTC on 9/11, several of OBL, Zarqawi and other mujahideen. Thumbnails are passively downloaded while searching the web, but Chakravarty asserted that “one would have to navigate to that website for that to happen”. Spencer responded that this was true, “generally speaking”, but said there was “a caveat related to malware”. In an attempt to prove that much of the electronic data was also purposely downloaded, the prosecutor showed the “downloads.rdf” file – a 39-page long list of dates, times, and file names of downloaded files. He also said that Tariq was the only active user in 2006, that the “Ahmed Mehanna” account was inactive, and that “the hard drive was substantially different in 2008-2009 than in 2006; all jihad videos were gone, the Trillion software was gone”. The prosecution asked Spencer if he knew of the IM chats in which Tarek explained how to use the “onion router” TOR (“TOR and privoxy allow users anonymity on the internet, correct?), to which Spencer replied that he didn’t read the chats; he only identified them and passed them along. Chakravarty then asked Spencer about his background and that of his company, Arsenal Consulting. Spencer testified that he had not worked in law enforcement except for his time at the DA’s office, that his company has 2 full-time employees, as well as other part-time employees.  There were up to four people working on Tarek’s case at one time, and five in total who reviewed electronic data for the case.
Chakravarty: “So you are testifying on behalf of what your company did, not just what you did?”
Spencer: “A mixture.”
Chakravarty then asked about what methods his company used to verify the results of their forensics work. The witness responded that they follow a “methodology of industry best practice”, and used a variety of tools to verify results, listing the Access Data Forensics tool kit among many others (approx. half a dozen other programs). Chakravarty pointed out that the federal agents had also used to Access Data program in their analysis of the electronic material.
Chakravarty: “Why use all of these tools?”
Spencer: “This case was one of our most important, and we the need to analyze the material aggressively.”
Chakravarty then, perhaps taking pointers from the defense team, asked the witness how much he was being paid for his work in the case. The witness responded that he had billed over 1,000 hours, which came to a total of $325,000.

Sejal Patel Re-Direct of Mark Spencer
Patel: “Why did you bill 1,000 hours, Mr. Spencer?”
Spencer: “Because of the vast volume of electronic data – 19 forensic images of hard drives, 35 types of other forensic images, other outside data, reports from other experts, 700 GB of forensic images ALONE. The scope was very, very broad in this case. Initially, I had to review everything. Sometimes we were asked to take something off the table, and then later told to put it back on the table.”
In response to the prosecution’s attempt to poke holes in the credibility and qualifications of Spencer’s company and employees, she asked about the background and credentials of the other full-time employee at the company – a woman with a degree in computer science and various certifications and experience indicating significant work in computer forensics.
Patel: “No offense to me, but would you hire me at your firm?”
Spencer: “No.”
Patel: “Why not?”
The prosecution objects. Judge sustains. No further questions.

Direct Examination of Dr. Thomas Connolly by Defense Attorney Janice Bassil
The defense next called Dr. Thomas Connolly to the stand, professor of English at Suffolk University since 1986 and at the Tufts graduate school program in drama. Dr. Connolly holds a PhD in drama from Tufts and an English degree from Boston Univeristy, has studied extensively US and UK literature, and has written three books that were published by “academic publishers”. Ms. Bassil asked about the process of publishing, and the issue of “peer review” that had been inaccurately described by prosecution witness Evan Kohlmann. Using as an example one of his published books, Dr. Connolly explained that he was required to submit a transcript to be peer reviewed. After waiting almost a year after submission, he received two anonymous reviews (peer review does not consist of the feedback/opinions of your friends (“peers”)? Who would’ve thought.), both favorable, and was able to move forward with the publishing process. He has also submitted dozens of papers to academic journals, and testified that peer reviews take several months and are always anonymous.
Dr. Connolly’s role in this case was to make comparisons between transcripts and translations of the video, “Expedition of Umar Hadid”, and to examine the translation of the “Wa Yakoon” document. The defense then showed an exhibit of the translation, as well as Dr. Connolly’s marked-up copy, indicating the discrepancies he found between the video subtitles and the transcript. Many of the differences seemed to indicate stronger, more graphic or extreme language use in the video’s subtitles, such as “heavy slaughter” as opposed to the word “damage” in the transcript. He also indicated multiple words that were spelled the British way, rather than the American way – “realise”, “honour”, words that would be “normal in British English, but unusual for an American to use”. He also noted the use of the British word “queues” instead of “lines” (as in, standing in line), and the use of the phrase “All praise is for Allah” in the video subtitles, versus “Praise be to Allah” in the transcript.
Bassil: “In your expert opinion, what is the educational background of the person who did this translation?
Objection by Auerhahn. Judge sustains.
Bassil: “In your experience studying British and American literature, what is your opinion on where the person who did this translation was educated?”
Objection by Auerhahn. Judge sustains.
Bassil: “Did an American do this translation?”
Objection by Auerhahn. Judge sustains.
After four objections by the prosecution are all sustained, Bassil persistently presses on with her questioning, causing Auerhahn to desperately call for a sidebar. Back from sidebar, Bassil rewords her question again.
Connolly: “Yes. The person who translated this was either trained in the UK or taught by a teacher trained in British English.”
Bassil: “And what is your understanding of Mr. Mehanna’s education?”
Objection by prosecution. Sustained.

Attention was then turned to another document that has been shown multiple times by the prosecution as an example of the work translated by Tarek, entitled “Wa Yakoon Ad-Deen” (“And the Religion Will Be”). Connolly pointed out countless instances of the word “organisation”, spelled consistently the British way (with an ‘s’) rather than the American way (with a ‘z’), in addition to the words “recognised”, “honour”, “honourable”, “labourers”, “publicise”, and “savour”, all with British spelling. He also indicated the grammatical error in consistent usage of the word “there” instead of “their”, the spelling of “cow boys” as two words rather than one (incorrect in both American and British English), and the phrase “Allah is my reckon!” – a phrase which “makes no sense in either British or American English”.
Bassil: “Based on your expertise in English, are you able to provide an opinion on whether the author was educated in British or American language?”
Connolly: “Yes. This person was not educated in American English.”
Bassil: “Or even whether English was this person’s native language?”
Prosecution Objects. Judge sustains. But Connolly manages to get his answer in right before/during the objection.
Connolly: “I strongly doubt it”.

Jeffrey Auerhahn Cross-Examination of Thomas Connolly
Prosecutor Jeffrey Auerhahn was visibly irritated as he began a confusing, disjointed, incoherent attempt at cross-examination. He established that the “Wa Yakoon” translation was found on Tarek’s computer, and that there was no way of knowing whether it was a first, second or third draft. Connolly agreed that he did not know if there was one draft or multiple, that he was only given this document to examine. “So you can’t tell if this is the result of multiple drafts, but if it were, you believe that at some point someone British had a role in drafting this document?” Connolly said that the language used indicated that someone British had written the document.
Auerhahn: “Are you familiar with the word ‘lorry’ in British English?
Connolly: “Yes.”
Auerhahn: “What does it mean?”
Connolly: “Truck.”
Auerhahn: “So presumably somebody British would use the word ‘lorry’ instead of ‘truck’?”
Connolly: “Yes.”
Auerhahn then skips to a passage in the document in which the phrase “truck drivers” is used, claiming that this indicates that someone American had written it (never mind the hundreds of examples of British words prevalent throughout the document).
Connolly: “It’s not that simple. It’s an informal word…”
Auerhahn, cutting off the witness; visibly angry, rude, and condescending: “I haven’t finished my question. Let me finish my question, sir. This is how this works. I ask the question. And you answer either yes, no, or ‘I can’t answer that’.”
Connolly: “I can’t answer that.”
An increasingly frustrated Auerhahn then pulled up a chat between Tarek and Abu Mundhir in which Abu Mundhir sent the “Wa Yakoon” document to be further edited. Auerhahn noted that of the British and American spellings of words, neither is more right or wrong than the other, they are just different styles.
Auerhahn: “So if the author was collaborating with someone in the UK, he could leave the British spelling as it is, since it isn’t incorrect. Isn’t that true?”
Connolly: “I can’t answer that.”
Auerhahn: “He could choose to leave those in the final document?”
Connolly: “I can’t answer that.”
Auerhahn belabored the point of American and British collaborators in an astonishingly inarticulate and rambling tirade that left the witness exasperated and confused, needing to ask for clarification on multiple occasions, shaking his head in disbelief at this sophomoric affront to the English language. Sticking to his instructions from Auerhahn, Dr. Connolly kept his responses brief.
Auerhahn: “Do you know Tibyan Publications?”
Connolly: “No.”
Auerhahn: “Do you know if there were multiple drafts or collaborators on this document?”
Connolly: “No.”
Auerhahn: “Do you know if the author started from scratch or received a draft from someone else?”
Connolly: “I can’t answer that.”
Auerhahn: “Would it affect your analysis to know whether someone from the UK worked on this translation? Don’t you want to know if Abu Mundhir is British? Don’t you want to know if more than one person collaborated on this project?”
Connolly, clearly annoyed at this point: “No. I looked at a document and was asked to evaluate it AS A DOCUMENT. And to determine whether it was written in American or British English. I determined that it was British English.”
Auerhahn, showing the chat: “Do you know who Abu Sabaaya is?
Connolly: “No. I was not given this information.”
Auerhahn: “EXACTLY. IS there any reason you wouldn’t want the facts to interfere with your analysis?”
Defense objects. No further questions.

Kareem Abu-Zahra’s Employment Woes
At this point (around 11:45), Judge O’Toole dismissed the jury in order to settle with the counsels issues regarding government witness Kareem Abu-Zahra and concerns regarding his employment at UMass- Lowell being in jeopardy as a result of his testimony. The defense team wanted to ascertain whether Abu-Zahra was promised something (i.e. that his job would be protected) in return for his testimony, and whether this impacted his testimony in any way. In the absence of the jury, Defense attorney Jay Carney called Fbi case agents Thomas Daly and Heidi Williams, the two primary agents in the investigation, to the stand. Daly, a sergeant with the Lowell Police Department who is currently on assignment with the Boston FBI JTTF, took the stand first. He testified that he first interviewed Kareem Abu-Zahra in 2006, and that he had gotten to know him well “in a work-related setting”. When asked how many times he had contact with Abu-Zahra between 2006 and November 2011, the prosecution objected. Abu-Zahra testified in court a total of four days, the first of which was Monday, November 28th. Agent Daly picked Abu-Zahra up every day he testified in court and gave him a ride to the courthouse.
On Tuesday morning, the day after his first day testifying, he expressed concern to Daly in the car about “what people at work thought of him”, and was worried that he had been contacted by “his boss’s boss”, who told him to call her before returning to work. Daly testified that Abu-Zahra had never before expressed concern about his job, but that morning he was concerned. The “boss’s boss” was Patricia McCafferty, the vice-chancellor of the university. Daly had also been contacted by Ms. McCafferty, but Abu-Zahra “brought it up first”. He reiterated multiple times that Abu-Zahra was not so much concerned about his continued employment, but rather what his co-workers thought of him as a result of this case, because a co-worker had talked to him at some point about people’s concerns. Daly’s testimony was confusing and disjointed, as he switched from talking about Vice-chancellor Patti McCafferty, to Lieutenant Melissa Mullen of the Lowell Police Department, without making the distinction. Apparently he also had a conversation with Ms. Mullen regarding these same concerns – that people were “concerned about Kareem coming back to work and concerned about a threat to the university”. Daly told Mullen that he “did not know of a threat” and that he would inform them if he did, but that he also could not say for sure that there wasn’t a threat; that Abu-Zahra had been cooperative in the investigation; and that he had severed his ties with the people he was involved with in 2004. Carney asked why Daly felt it necessary to offer all this information, and whether he was trying to console the lieutenant or assuage her fears. Daly either did not understand it or intentionally avoided it; either way, eloquence and clarity are clearly not his strong suit.
Carney asked if Daly expected Ms. Mullen to relay this information to Vice Chancellor McCafferty. He responded that she did mention Ms. McCafferty by name, and that he did expect that the information would reach her, but that is not why he said it.
Carney: “Did you expect that she would be satisfied by this information?”
Daly: “She probably wouldn’t be satisfied because I didn’t say he’s not a threat.”
Carney: “Why did you say he stopped associating with the people he was involved with? Did you think it would calm her?”
Daly: “I don’t know if it would calm her or not.”
Carney: “By giving this information, did you think you were helping Abu-Zahra to keep his job?”
Daly: “I don’t know. I don’t know if it was helpful or not. I don’t know their rules on hiring or firing people.”
Carney: “Who was the first person you spoke to regarding Abu-Zahra’s employment?”
Daly: “I don’t know.”

It’s interesting to note that the government’s agents had so much trouble recalling conversations from two weeks ago, while their witnesses could remarkably remember, in impressive detail, the events from 8 years ago. Daly apologized that he could not recall the conversations in detail, as they had taken place two weeks ago. Carney expressed surprise at the lack of attention paid to a presumably important event – “You’re having a conversation with a witness currently on the stand, possibly the key witness in this case, about his concern about his job. You’d been contacted. You did not think that was important enough to take notes?”
Daly said that his conversation with the Vice Chancellor was similar to the one he had with the lieutenant. McCafferty had said that some people at the university had expressed concerns after reading tweets by the Free Tarek campaign (Hell yeah! We got a shout-out!) regarding Abu-Zahra’s testimony. Daly told her the same thing he told Mullen – that if there was a known threat he would tell her, that Abu-Zahra had stopped associating with his group of friends and that he had been cooperative. He couldn’t tell her anything else and couldn’t discuss the testimony. He did, however, report these conversations to his supervisor, James Marinelli, and prosecutors (Auerhahn, Chakravarty, and Groharing) came to the Lowell office that night (Nov. 28). Carney tried to ask about the conversation that took place with the prosecutors that night. The prosecution objected three times, all sustained.
Carney: “This is important, your honor. Because I didn’t receive word of this until last week. And If the prosecutors knew that night, I want to know why I didn’t also get a call that night.”
Judge O’Toole urged Carney to “get to the crux” of the issue – what, if anything, was promised to the witness that may have affected his testimony. Daly testified that he did not say anything to Abu-Zahra to calm him about his job, and that he did not write a report about it because he “didn’t think he was required to”. Daly spoke to Mullen again on Wednesday, at which point she said that his job was now in jeopardy, and wanted to know if he had done anything related to the case. Daly couldn’t comment. Carney asked if there were any conversations about job concerns during the ride to the courthouse on the fourth day of Abu-Zahra’s testimony. Daly responded “not that I can remember”, but that Abu-Zahra mentioned receiving an email of support from a female colleague.
Heidi Williams took the stand next. She has been a special agent with the FBI for 7.5 years. She was not involved in giving Abu-Zahra a ride to court – that was solely Agent Daly’s responsibility. She said that she was aware of his job concerns, but that he mostly expressed concern of what people at work thought of him because he had received numerous phone calls from people expressing surprise at his testimony. She also mentioned (perhaps in the hope of eliciting sympathy?) that ever since Tarek’s arrest, Abu Zahra, as well as his wife and parents, had been ostracized by people in the Muslim community who called him a “traitor”. She was aware that Lieutenant Mullen and Vice Chancellor McCafferty had spoken with Daly, but Abu Zahra had not expressed a concern about losing his job to her. Abu Zahra started to take it more seriously on Wednesday morning, when he was called for an administrative meeting prior to going back to work. However she, like Daly, emphasized that his “primary concern was how to socialize with people at work”, rather than the prospect of losing his job. Williams said that she did not indicate that they would call the university and didn’t think there was anything they could do on his behalf. She eventually said that if the US Attorney’s Office could call, it would have to be after the trial.
Carney: “What could be done on his behalf?”
Williams: “I still have no idea what could be done.”
She said that Abu-Zahra’s testimony had already concluded at this point. She talked to the US Attorney’s office, but not regarding what they would do. (There are so many holes in this story.)
The day concluded with counsels debating the credentials and the testimony of Dr. Marc Sageman, MD PhD – a process that Evan Kohlmann (sans MD or PhD) did not have to go through. The judge struck an entire three pages from the Dr. Sageman’s testimony, citing “irrelevance” as a justification. Attorney Bassil made the point that the government “has done the best they could to frighten the jury with pictures and videos out of context; our experts are putting it in context”. The judge did not seem to be swayed by her arguments, and acquiesced to many of the government’s demands. Dr. Sageman will take the stand tomorrow, although his testimony will be restricted.

Advertisements

No comments yet.

Readers are encouraged to respectfully share their perspectives. Please comment!

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: