Free Response to Motion - District Court of Delaware - Delaware

, Case 1:04-cv—O1394-G|\/IS Document 152-3 Filed O1/31/2006 Page 1 of 4
IN THE UNITED STATES DISTRICT COURT
I IN AND FOR THE DISTRICT OF DELAWARE
CAPTAIN BARBARA L. CONLEY, :
l Pramarr, Z I I h
v. C.A. No. 04-1394-GMS
COLONEL L. AARON CHAFFINCH,
· Individually and in his ofhcial capacity as the :
Superintendent, Delaware State Police; et al. 1
_ _ _ Defendants, _
AFFIDAVIT OF ROBERT C. MOSES I
I. Aftiant is a Lieutenant in the Delaware State Police. He has been a police
officer since 1981, and a Detective since 1986. He is the officer-in-charge of the
Delaware State Police High Technology Crimes Unit.
2. Your Afliant has been invo_lved in numerous computer—related
investigations and has drafted and executed search warrants pursuant to those
investigations. Your Affiant Moses has extensive training in computer related
investigations. Your Afliant is certified by the Intemational Association of Computer
Investigative Specialists to conducted forensic examination on computers used in the
commission of a crime.
3. Afliant has reviewed the Plaintifl"s Fourth Request for Production of
Documents, as it pertains to electronic data recovery. ·
4. The Delaware Department of Teclmology and Information (DTI) is the
email services provider to the Delaware Department of Homeland Security and the
Delaware State Police. In addition DTI provides email services to all other state
agencies, public schools, certain local government agencies and the military. DTI
conducts full backups of all Exchange servers every month. Each day, DTI performs
what is called an incremental backup containing approximately one trillion bytes of data.
The incremental backup stores all tiles that have changed since the last full backup or
incremental backup. Performing a forensic image of all DTI mail servers and backup
files, as requested by the plaintiff, would be impracticable due to the size of the data and

A Case 1:04-cv-O1394—GI\/IS Document 152-3 Filed O1/31/2006 Page 2 of 4
the proprietary software used by DTI. However, data contained within individual mail
folders, servers and backup tapes, could be extracted by DTI in the original standard
Microsoft Outlook format.
U 5. The State of Delaware uses Microsoft Exchange servers for email based
collaboration as well as scheduling, contact, and task management capabilities. The user
comiects to a Microsoft exchange server through a personal computer, workstation, or a
mobile device where he sends or receives email messages. In Microsoft Exchange a
protile is created for each user which provides access to the mailbox and folders. One of
the advantages of Microsoft exchange server is that all email is stored on the server. This
allows the user to access his folders from any computer connected on the state system or n
through the lntemet. Therefore, the better approach would be to extract data contained
within the individual Microsoft Exchange folders of the defendants, which would
comprise a fraction of the huge volume of data imaged.
6. We know that searching and seizing information from computers often
requires the examiner to seize most or all electronic storage devices to be searched later
by a qualified computer expert in a laboratory or other controlled environment. This is
true because of the sheer volume of evidence, technical requirements, and concerns over
preservation of original media.
_ 7. Computer storage devices can store the equivalent of thousands of pages
of information. This may require searching authorities to examine all stored data to
determine which particular files are responsive to the discovery request. This sorting
O O process can take weeks or months, depending on the volume of data stored, and it would
be impractical to attempt this kind of data search on site.
8. Searching computer systems for evidence is a highly technical process
requiring expert skill and a properly controlled environment. The vast array of computer
hardware and software available requires even computer experts to specialize in some
systems and applications, so it is difticult to know before a search which expert is
qualified to analyze the system and its data. In any event, however, data search protocols
are exacting scientific procedures designed to protect the integrity of the evidence and to
recover even "hidden," erased, compressed, password—protected, or encrypted files.
Since computer evidence is extremely vulnerable to inadvertent or intentional

__ Case 1:04-cv-O1394—GI\/IS Document 152-3 Filed O1/31/2006 Page 3 of 4
modification or destruction a controlled enviromnent is essential to its complete and
accurate analysis.
9. The volume of data stored on many computer systems and storage devices
will typically be so large that it will be impractical to examine every file. A single
megabyte of storage space is the equivalent of 500 double-spaced pages of text. A single
gigabyte of storage space, or 1,000 megabytes, is the equivalent of 500,000 double— _
spaced pages of test. Storage devices capable of storing in excess of 15 gigabytes of data
are now commonplace in desktop computers. Consequently, each non-networked,
desktop computer found during a search can easily contain the equivalent of 7.5 million
pages of data, which if printed out would completely {ill a lO’x’l2’xl0’ room to the
ceiling. Therefore, the only way that a forensic examiner can do a detailed examination
is by searching the computer media for key words pertaining to the scope of the
investigation. This method is preferred by the courts because it reduces (but does not
eliminate) encroachment on any private third—party information that may also be held on
the computer system. However, the plaintiff` s Fourth Request for Production fails to set
forth criteria for such a search.
10. Conducting an examination on the original evidence media should be
avoided. Rather, examinations should be conducted on a forensic copy of the original
evidence files. If possible and practical a forensic copy is made from the original
computer systemlmedia. Creating the copy and ensuring that it is true and accurate
involves a subset of the principle. The forensic examiner must make a decision as to how
to implement this principle on a case—by-case basis. The determining factors in that
decision include the size of the data set, the method used to create it, and the media on
which it resides.
ll. Plaintiffs request for data in ASCII format is inappropriate, because all
metadata would be lost in the conversion process, including such things as links and
attachments. Such a request is contrary to proper forensic procedures, in that the data
would be modified from the original or lost.
p I2. Plaintiffs request for hard copies, in addition to electronic copies, would
i ‘ be extremely burdensome due to the sheer volume of material sought, as well the
I inability to properly authenticate such copies or to prevent the risk of alteration.

_ Case 1:04-cv-01394-Gl\/IS Document 152-3 Filed O1/31/2006 Page 4 of 4
Moreover, the plaintiff would be in a position to generate her own copies from the
electronic data provided.
I3. I have secured and imaged all electronic storage devices contained within
the computers assigned to Secretary Mitchell and Colonel MacLeish. By infomation and
belief, the computer formerly assigned to Colonel Chaflinch was cleaned of all data, and
the hard drive erased, upon his departure, according to standard Delaware State Police
practice.
' 14. I have determined that neither Secretary Mitchell, Colonel MacLeish, nor
Colonel Chaflinch were issued computers for home use by the State of Delaware.
15. I have contacted the State of Delaware Department of Technology and
Information and have requested that the electronic mail accounts of Secretary Mitchell,
Colonel MacLeish, and Colonel Chaflinch be preserved and provided to me in a standard
Microsoft Exchange format.
16. The data I have secured will be retained in my possession, but will not be
read, analyzed, searched by myself or other employees of the HTCU, absent court order
or direction of counsel.
BE IT REMEMBERED that on this éé-);_ day of A l]]Qmb% , 2005
personally appeared before me, the Subscriber, a Notary Public for the State and County
aforesaid, ROBERT C. MOSES, who, being by me duly swom according to law did
depose and say that the foregoing statement is correct to the best of his knowledge,
information and belief.
ROBERl C. MOSES
SWORN TO AND SUBSCRIBED before me on thiS·2Q·..day of MGI} . , 2005.
¤» l GM- Lan)