Free Declaration - District Court of Delaware - Delaware


File Size: 154.6 kB
Pages: 12
Date: May 23, 2006
File Format: PDF
State: Delaware
Category: District Court of Delaware
Author: unknown
Word Count: 3,331 Words, 21,232 Characters
Page Size: Letter (8 1/2" x 11")
URL

https://www.findforms.com/pdf_files/ded/8308/170.pdf

Case 1:04-cv-00956-GMS

Document 170

Filed 05/23/2006

Page 1 of 12

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF DELAWARE

CORPORAL B. KURT PRICE, et al., Plaintiffs,
v.
COLONEL L. AARON CHAFFINCH, et al., Defendants.

C.A. No. 04-956-GMS

UNSWORN DECLARATION OF STEPHEN M. BUNTING, UNDER 28 U.S.C. § 1746

I, Stephen M. Bunting, CCFT, EnCE, hereby depose and state as follows:

1. I make this declaration on my own personal knowledge and I will testify hereto if called as a witness.

2. I am a Captain in the University of Delaware Police. I am an experienced computer forensics examiner. My qualifications as a computer forensics examiner are attached at Tab A. I have personal knowledge of the facts contained in this declaration and, if called as a witness, I am competent to testify as to those facts.

3. By way of introduction, I was originally appointed by the Court to examine the computer formerly used by retired Colonel Chaffinch of the Delaware State Police. (See Tab B Order dated 4/20/06).

4. As Delaware's PI licensing act has recently been interpreted to require licensing of individuals conducting computer forensics work for hire, the task was subsequently sent to an out-of-state examiner to avoid conflicts with the current interpretation of this law. The work was completed by Warren Kruse of AON Consulting in Eatontown, New Jersey and he submitted a preliminary report to the court with copies to both the plaintiffs and defendants. It is my understanding that this report, as submitted, was confusing and provided no summary or conclusions. Plaintiff's counsel has sent me a copy of the reports and asked me, in essence, what it all means and would I be willing to clarify the report for the benefit of the Court.

5. That being said, I am submitting this as a favor to the Court with the only purpose being that of clarifying the content of the Kruse report. My only caveat is that it is being submitted with the understanding that I have not seen the entire contents of the hard drive and am therefore basing my conclusions only on the content of the report submitted to the court.

6. The report begins with samples of data found in the unused disk area [1) & 2)], unallocated clusters [3)], and volume slack [4)]. The report notes in index three [3)] that there are "random characters found in the Unallocated clusters up to and including last physical sector of machine"; "Random characters may be evidence of a final pass of a DOD wipe of the hard drive"; and "relivant [sic] to the size of the unallocated space on the disk, there is a small amount of data in the Unallocated clusters".

7. The unallocated clusters is an area of the hard drive that is currently not being used to store file data. On a drive that has been subjected to considerable use, as an older Windows 98 computer would have experienced, this area would be loaded with data from files that have been created and subsequently deleted. That this area contains very little "data" relative to its size and is instead filled with randomly generated data strongly suggests that it was subject to wiping, which means that data present was intentionally overwritten to remove it.

8. The Volume slack is an area between the last cluster of the partition and the end of the partition. Generally, the operating system doesn't write user data to this area and finding randomly generated data in this area is significant and suggests wiping. The unused disk area is an area found near the end of the drive that is not partitioned and is therefore not normally written to by the user. Randomly generated data found here is significant and suggests wiping.

9. On page sixty six (66) there is a diagram representing the directory structure of the volume. There are entries that appear to be user names of DSP division personnel, most of whom appear to be from Troop 4. These entries appear to be security certificates (CLR Security Config) for users who have logged on to this system. There are entries for:

· douglas.reed
· sean.moriarity
· Darhl.Snyder
· Darren.Short
· LESLIE.GROW
· danny.wright
· william.groton
· bernard.miller
· jonathan.welch
· ed.justiniano
· john.caskey
· josh.austin

10. There is no entry for Aaron.Chaffinch or anything resembling that user name. Such would again suggest that the data for user Chaffinch was deleted.

11. The most significant finding in the report is found on page 57, which is the listing of the number of search hits found for each of the key words. For the keyword "Chaffinch", there were 12 search hits found. Beginning on page 47, four of those search hits are shown within the context of their associated data. None of those four search hits would suggest they were placed there by user "Chaffinch", but rather subsequent users of the machine.

12. When a computer is used extensively by a particular user for a significant period of time (months / years), their name is stored tens of thousands of times on the hard drive. For example, on Friday May 19, 2006, on a drive of nearly the same size, I did a search for the first and last name of a user, both of which were unique names. In the unallocated clusters alone, the names of the user appeared over 40,000 times. The near absence of the user name "Chaffinch" (appearing only 12 times) stands as strong evidence that the drive in question was wiped after user Chaffinch last used this computer.

If the Court has any questions, I can be available via phone or in chambers if you wish to discuss this matter further.

STEPHEN M. BUNTING

I declare under penalty of perjury that the foregoing is true and correct. Executed on May 21st, 2006.
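The reasoning in paragraphs 7, 8 and 12 (random-looking fill in space that should hold file remnants, together with a near absence of keyword hits) can be expressed as a per-sector entropy profile plus a keyword count. The following is an added example, not part of the declaration or of the Kruse report; the 7.0 bits/byte cut-off, the user name `pat.example` and both sample regions are constructed assumptions.

```python
import math
import random
import re
from collections import Counter

SECTOR = 512        # bytes per sector
RANDOM_BITS = 7.0   # assumed cut-off; 512 truly random bytes measure about 7.5 bits/byte


def sector_entropy(sector: bytes) -> float:
    """Shannon entropy of one sector, in bits per byte (0.0 to 8.0)."""
    n = len(sector)
    return -sum(c / n * math.log2(c / n) for c in Counter(sector).values())


def profile_region(region: bytes) -> dict:
    """Classify each sector as zero-filled, random-like or structured."""
    counts = {"zero": 0, "random_like": 0, "structured": 0}
    for off in range(0, len(region), SECTOR):
        sector = region[off:off + SECTOR]
        if not any(sector):
            counts["zero"] += 1
        elif sector_entropy(sector) >= RANDOM_BITS:
            # Caveat: compressed or encrypted file remnants also land here.
            counts["random_like"] += 1
        else:
            counts["structured"] += 1
    return counts


def keyword_hits(region: bytes, keyword: str) -> int:
    """Case-insensitive hit count for the keyword stored as ASCII or UTF-16LE."""
    return sum(
        len(re.findall(re.escape(keyword.encode(enc)), region, re.IGNORECASE))
        for enc in ("ascii", "utf-16-le")
    )


def assess(region: bytes, keyword: str) -> dict:
    """Combine the sector profile with the keyword count for one region."""
    result = profile_region(region)
    total = max(1, len(region) // SECTOR)
    result["random_fraction"] = round(result["random_like"] / total, 3)
    result["keyword_hits"] = keyword_hits(region, keyword)
    return result


def build_samples(keyword: str = "pat.example", sectors: int = 2048, seed: int = 1):
    """Constructed test data: a heavily used region and a wiped-then-reused one."""
    record = f"owner={keyword};file=report.doc;".encode("ascii").ljust(64, b".")
    used = record * (sectors * SECTOR // len(record))
    size = sectors * SECTOR
    wiped = bytearray(random.Random(seed).getrandbits(8 * size).to_bytes(size, "little"))
    # Twelve records written by later activity, padded to two full sectors.
    wiped[:2 * SECTOR] = (record * 12).ljust(2 * SECTOR, b"\x00")
    return used, bytes(wiped)


if __name__ == "__main__":
    used, wiped = build_samples()
    print("used :", assess(used, "pat.example"))
    print("wiped:", assess(wiped, "pat.example"))
```

On a real image the regions would be the unallocated clusters, volume slack and unpartitioned area exported by the forensic tool, and a high random fraction is only an indicator that needs corroboration such as the keyword count.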


Tab A

http://128.175.24.251/forensics/about_smb.htm

ABOUT OUR STAFF

Brief Abstract of Staff Member Knowledge, Skills, and Abilities Relating to Computer Forensics


Stephen M. Bunting, CCFT, EnCE
Captain - University of Delaware Police

Captain Bunting is an experienced computer forensics examiner, having conducted examinations of computer systems for the University of Delaware Police as well as federal, state, and local law enforcement and prosecutorial agencies. He is also a trained and experienced forensic video analyst using the Ocean Systems dTective® and Avid software systems. He is a frequent lecturer and instructor on computer forensics, cyber-crime, and incident response. Captain Bunting has testified as a computer forensics expert. He was the recipient of the 2002 Guidance Software Certified Examiner Award of Excellence for receiving the highest test score on his certification examinations. He is an EnCase Certified Examiner (Guidance Software) and a Certified Computer Forensics Technician (HTCN). Captain Bunting has been a sworn police officer in the State of Delaware for over thirty years. He created and developed the University of Delaware Police Department's Computer Forensic Lab. He has taught computer forensics for Guidance Software, makers of EnCase, and taught as a Lead Instructor at all course levels, including the Expert Series with particular emphasis on "Internet and Email Examinations" course. He has been a presenter at several seminars and workshops, the author of numerous "white papers", a coauthor of EnCase Computer Forensics - The Official EnCE: EnCase Certified Examiner Study Guide published by Sybex (Wiley), and maintains a website for cyber-crime and computer forensics issues.

Certifications:
Certified Computer Forensic Technician, High Tech Crime Network, original certification 9/27/2001
EnCase Certified Examiner, Guidance Software, original certification 4/4/2002, re-certification 4/4/2004
State of Delaware Council on Police Training Certified Police Officer (1975)

Memberships and Affiliations:
The Law Enforcement & Emergency Services Video Association, member since October 2004
Infragard - secure member of the Wilmington, Delaware Chapter since June 2004.
High Technology Crime Investigation Association - member since August 2002.
High Tech Crime Network - member from September 2001 to date.
National White Collar Crime Center - designated agency contact person for agency membership in the organization - January 2001 to date.

Formal Education and Degrees:
University of Delaware - Computer Applications Certificate - Concentration in Network Environments - August 2004
Wilmington College - Bachelor of Science Applied Professions / Business Management - May 1986


Delaware Technical and Community College - 52 credit hours in the Criminal Justice Program
University of Delaware - Associate in Art - May 1973

Publications and White Papers:
Encase Computer Forensics--The Official EnCE: Encase Certified Examiner Study Guide - Wiley - January 2006
EnCase Internet and Email Examinations - Guidance Software Publication (Version 4 Series - 2004) - contributing author
Creating Paperless EnCase Computer Forensic Reports on CD - August 2003
Disabling the Yahoo Login Script for Viewing in Forensic Reports - May 2003
Examination of Photoshop Text Layer Metadata in Support of Forged Document Examinations - January 2003
"Meeting the Training Needs Imposed by Internet Crime", The Informant, publication by the National White Collar Crime Center, March 2001 Issue.
"Meeting the Training Needs Imposed by Internet Crime", IADLEST Newsletter, January 2001 Issue.

Classes and presentations Captain Bunting has conducted:
Identity Theft and Cyber Safety - DuPont Experimental Station Staff - March 14, 2006 - Wilmington, DE.
Computer Forensics for Prosecutors - Delaware Attorney General Staff - September 22, 2005 - Lewes, DE.
First Response Issues for Crimes Involving Computers - Hosted by the U.S. Attorney's Office - September 16, 2005 - Dover, DE.
Examination of Photoshop Layer Data - Fairfax, VA - RCFG GMU 2005 - August 15 & 18, 2005 - Guest Lecturer
Cyber-sabotage, Espionage, & Other Security Threats, February 23, 2005, Lorman Education Services, Newark, DE
Computer Forensics in the Courtroom, January 7, 2005, Widener University School of Law, Wilmington, DE
Computer Forensics for Prosecutors - Delaware Attorney General Staff - September 30 - October 1, 2004 - Dewey Beach, DE.
Forensic Examination of Peer-to-Peer Client Software Artifacts - NJSP High Tech Crime Unit. September 22, 2004, Trenton, NJ.
Introductory Computer Forensics Guidance Software - Sterling, VA Jun 29 - Jul 2, 2004 (32 hrs) Lead Instructor
Internet / Email Examinations Guidance Software - Sterling, VA Jun 22 - 25, 2004 (32 hrs) Lead Instructor
Email Examinations Lab at CEIC 2004 Myrtle Beach, SC Jun 6 - 9, 2004 (7.5 hrs - five presentations) Lead Instructor
Photoshop Layer Metadata Examinations CEIC 2004 Myrtle Beach, SC Jun 8, 2004 (1.5 hrs) Guest Lecturer
Introductory Computer Forensics Guidance Software - Sterling, VA Apr 27 - 30, 2004 (32 hrs) Lead Instructor
Internet / Email Examinations Guidance Software - Sterling, VA Mar 30 - Apr 2, 2004 (32 hrs) Instructor
Internet / Email Examinations Guidance Software - Sterling, VA Feb 3-6, 2004 (32 hrs) Instructor
Introductory Computer Forensics Guidance Software - Sterling, VA Jan 6-9, 2004 (32 hrs) Lead Instructor
Internet / Email Examinations Guidance Software - Sterling, VA Nov 18-21, 2003 (32 hrs) Instructor
Introductory Computer Forensics Guidance Software - Sterling, VA Oct 21-24, 2003 (32 hrs) Instructor
Intermediate Analysis & Reporting Guidance Software - Sterling, VA Sept 9-12, 2003 (32 hrs) Instructor
Introductory Computer Forensics Guidance Software - Sterling, VA Aug 12-15, 2003 (32 hrs) Instructor
Introductory Computer Forensics Guidance Software - Sterling, VA July 8-11, 2003 (32 hrs) Instructor
Intermediate Analysis & Reporting Guidance Software - Sterling, VA June 17-20, 2003 (32 hrs) Instructor
Internet / Email Guidance Software - Sterling, VA May 6-9, 2003 (32 hrs) Instructor
Intermediate Analysis & Reporting Guidance Software - Sterling, VA Mar 4-7, 2003 (32 hrs) Instructor
Introductory Computer Forensics Guidance Software - Sterling, VA Feb 25-28, 2003 (32 hrs) Instructor
Internet Safety for Children - Winter / Spring 2003 semester offering through the University of Delaware Continuing Education Division
CyberStalking and Related Crimes Involving Computers: October 7, 2002 in Newark, DE.
Computer Crime Issues for Prosecutors: - Presented to the Wicomico County States Attorney's Office (4/20/01) and to the Attorney General's Office for the State of Delaware Sex Crimes Unit (10/4/02).
Computer Forensics: - during the spring semester 2002, supervised and directed an independent course of study in computer forensics for a University of Delaware senior majoring in computer science. Program was under the auspices of Professor Chien-Chung Shen. Student is now employed with Price, Waterhouse, Cooper in the computer forensics division.
The Internet as an Investigative Tool: Presented at the University of Delaware (5 presentations: 12/5/00, 1/8/01, 8/6/01, 8/13/01, & 8/26-27/02), at the Eastern Shore Criminal Justice Academy (3 presentations: 2/16/01, 3/8/01, and 3/20/01), and at Mount St. Mary's College (6/26/02).
Computer Crimes: 1st Responder Issues - course developed and presented to the University of Delaware Police as a 2 hour block during in-service training. Presented May 31, 2001, June 7, 2001, May 30, 2002, and June 5, 2002.

Training Captain Bunting has received includes:
Advanced Windows Intrusion Investigator's Course (40 hrs) | SYTEX - February 27 - March 3, 2006, FBI Academy, Quantico, VA
Adobe Photoshop for Forensic Video Analysts (16 hrs) | Resolution Video - December 14-15, 2005 - Reston, VA
Regional Computer Forensics Group Seminar (40 hrs) | RCFG / HTCIA - August 15-19, 2005 - GMU - Fairfax, VA.
Cell Seizure (16 hrs) | Paraben - May 18 - 19, 2005 - Newark, DE
PDS Seizure (16 hrs) | Paraben - May 16 - 17, 2005 - Newark, DE
Enterprise Security & Vulnerability (36 hrs) | USSS / SEARCH - April 18-22, 2005 in Cherry Hill, NJ
Access Data FTK Advanced Internet Training Course (24 hrs) | Access Data - March 15 - 17, 2005 in Dover, DE.
Ocean Systems: dTective (Advanced Video Forensic Analysis) (16 hrs) | Ocean Systems - Feb. 24 - 25, 2005 in Burtonsville, MD.
Advanced UNIX Intrusion Investigator's Course (40 hrs) | SYTEX - December 6 - 10, 2004, Ellicott City, MD.
EnCase EnScript Programming (32 hrs) | Guidance Software - November 16 - 19, 2004, Sterling, VA.
Networks and Networking for Agents / System Security and Exploitation (80 hrs) | SYTEX - October 18 - 29, 2004, Ellicott City, MD.
Law Enforcement Video Association Annual Training Conference 2004 (16 hrs) | LEVA - October 6 - 7, 2004 Washington, D.C.
NIJ Law Enforcement Technology Institute 2004 (40 hrs) | NIJ - July 11 - 16, 2004, Washington, D.C.
Computer and Enterprise Investigations Conference / TechnoSecurity Conference 2004 (28 hrs) | Guidance Software - June 6 - 9, 2004 in Myrtle Beach, SC.
Ocean Systems: dTective (Advanced Video Forensic Analysis) (16 hrs) | Ocean Systems - May 6 - 7, 2004 in Burtonsville, MD.
Ocean Systems: Introduction to Forensic Video Examinations (24 hrs) | Ocean Systems - May 3 - 5, 2004 in Burtonsville, MD.
Access Data FTK Intermediate Training Course (24 hrs) | Access Data - April 5 - 7, 2004 in Dover, DE.
EnCase Expert Series: Internet & Email Examinations (32 hrs) | Guidance Software - February 4 - 7, 2003 in Sterling, VA.
EnCase Advanced Computer Forensics (32 hrs) | Guidance Software - January 21- 24, 2002 in Sterling, VA.
Introduction to Programming Concepts (Visual Basic 6) (50 hrs) | University of Delaware Course - Wilm, DE - Fall 2002
Computer and Enterprise Investigations Conference 2002 (16 hrs) | Guidance Software - September 16-17, 2002 Chantilly, VA.
Regional Computer Forensics Group Seminar (40 hrs) | RCFG / HTCIA - August 12-16, 2002 - GMU - Fairfax, VA.
ILook Computer Forensics Software (24 hrs) | ACES / FBI / IRS / NCFS - July 23-25, 2002 Orlando, FL.
Firewalls and Virtual Private Networks (16 hrs) | CSI / NIPC / FBI - May 22-23, 2002 MSP - Columbia, MD.
Internet Investigations and Child Exploitation Overview (8 hrs) | SEARCH - April 6, 2002, CCU - Conway, SC.
Techno-Security 2002 Conference (28 hrs) | The Training Company April 7-10, 2002 - Myrtle Beach, SC
Enterprise Networks (50 hrs) | University of Delaware - Wilm, DE - Spring 2002
EnCase Advanced Computer Forensics (32 hrs) | Guidance Software - February 19-22, 2002 - Leesburg, VA.
LAN (Local Area Networks) (50 hrs) | University of Delaware - Newark, DE - Fall 2001
EnCase Intermediate Computer Forensics (32 hrs) | Guidance Software - August 7-10, 2001 - Leesburg, VA.
Techno-Security 2001 Conference (28 hrs) | The Training Company April 22-25, 2001 - Myrtle Beach, SC
WAN (Wide Area Networks) (50 hrs) | University of Delaware - Newark, DE - Spring 2001
Advanced Data Recovery and Analysis Course (40 hrs) | NW3C October 23-27, 2000 - Fairmont, WV.
The Internet as an Investigative Tool (8 hrs) | NW3C / IFCC October 12, 2000 - Fairmont, WV.
Basic Data Recovery and Analysis Course (40 hrs) | NW3C July 24-28, 2000 in Myrtle Beach, SC.

This web site was created to provide assistance to computer forensics examiners engaging in cyber-crime investigations. This field is rapidly evolving and changing as technology marches forward. It is, therefore, intended to be a growing and evolving resource. As you conduct your examinations and investigations, if you encounter information, links, or have suggestions that would help others, please let me know so I can add it to this site. My email address is [email protected] . Thank you. This site created and maintained by: Captain Stephen M. Bunting, CCFT, EnCE University of Delaware Police Phone 302-645-4334 Email: [email protected]


Tab B

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF DELAWARE

CORPORAL B. KURT PRICE, et al., Plaintiffs,
v.
COLONEL L. AARON CHAFFINCH, et al., Defendants.
C.A. No. 04-956 (GMS)

SERGEANT CHRISTOPHER D. FORAKER, Plaintiff,
v.
COLONEL L. AARON CHAFFINCH, et al., Defendants.
C.A. No. 04-1207 (GMS)

ORDER

WHEREAS, on April 12, 2006, the court issued an Order (D.I. 134) directing the defendants to engage and finance an independent expert consultant to determine whether Colonel L. Aaron Chaffinch's ("Chaffinch") computer hard drive can be recovered;

WHEREAS, the Order also directed the parties to submit to the court the names and qualifications of at least two independent expert consultants;

WHEREAS, on April 18, 2006, the court held a pretrial conference in the above-captioned matters, during which the parties discussed possible expert consultants;

WHEREAS, at the pretrial conference, the court directed the parties to reach an agreement on an expert consultant; and

WHEREAS, on April 19, 2006, counsel for the defendants filed a letter (D.I. 139) stating that both parties are amenable to the appointment of Stephen M. Bunting, CCFT, EnCE, Captain of the University of Delaware Police ("Captain Bunting"), as the expert consultant;

IT IS HEREBY ORDERED that:

1. Stephen M. Bunting, CCFT, EnCE shall be appointed to examine Chaffinch's computer hard drive.

2. Captain Bunting shall report his findings directly and exclusively to the court for in camera review. Captain Bunting may report his findings by mail, fax, or email to the following: The Honorable Gregory M. Sleet, 844 N. King St., Lockbox 19, Wilmington, DE 19801; fax: (302)573-6472; or email: [email protected].

Dated: April 20, 2006

/s/ Gregory M. Sleet
UNITED STATES DISTRICT JUDGE


CERTIFICATE OF SERVICE

I, Stephen J. Neuberger, being a member of the bar of this Court do hereby certify that on May 23, 2006, I electronically filed this Declaration with the Clerk of the Court using CM/ECF which will send notification of such filing to the following:

Robert Fitzgerald, Esquire
Montgomery McCracken Walker & Rhoads, LLP
123 South Broad Street
Philadelphia, PA 19109

Richard M. Donaldson, Esquire
Montgomery McCracken Walker & Rhoads, LLP
300 Delaware Avenue, Suite 750
Wilmington, DE 19801

/s/ Stephen J. Neuberger
STEPHEN J. NEUBERGER, ESQ.