Upload
mercer-island-reporter
View
309
Download
0
Embed Size (px)
Citation preview
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
1
UNITED STATES DISTRICT COURTWESTERN DISTRICT OF WASHINGTON
IN SEATTLE
----------------------------------------------------------
LONDI K. LINDELL,
Plaintiff,
v.
CITY OF MERCER ISLAND, etal,
Defendants.
)))))))))
No. C08-1827JLR
----------------------------------------------------------
HEARING
----------------------------------------------------------
BEFORE THE HONORABLE JAMES L. ROBART
March 21, 2011
APPEARANCES:
For the Plaintiff: Scott BlankenshipRick GoldsworthyNazik YoussefTHE BLANKENSHIP LAW FIRM
For the Defendant: Stephanie AlexanderSuzanne K. MichaelThomas P. HoltMICHAEL & ALEXANDER
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
2
EXAMINATION INDEX
EXAMINATION OF PAGERICHARD CONRAD DIRECT EXAMINATION
By Ms. Michael:6
KATIE KNIGHT DIRECT EXAMINATIONBy Ms. Michael:
9
CROSS-EXAMINATIONBy Mr. Blankenship:
11
REDIRECT EXAMINATIONBy Ms. Michael:
16
MIKE KASER DIRECT EXAMINATIONBy Ms. Michael:
17
CROSS-EXAMINATIONBy Mr. Blankenship:
20
JONATHAN YEH DIRECT EXAMINATIONBy Ms. Michael:
27
CROSS-EXAMINATIONBy Mr. Blankenship:
48
ALAN MUCHMORE DIRECT EXAMINATIONBy Ms. Michael:
53
CROSS-EXAMINATIONBy Mr. Blankenship:
97
EXHIBIT INDEX
EXHIBITS ADMITTED PAGE
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
3
THE COURT: The clerk will call this matter.
THE CLERK: Case C08-1827, Londi Lindell versus
City of Mercer Island. Counsel, please make your
appearance.
MR. BLANKENSHIP: Scott Blankenship for
Ms. Lindell.
THE COURT: Do you want to introduce the other
people at the table?
MR. BLANKENSHIP: Yes. Nazik Youssef, Allison
Goodman, Londi Lindell and Rick Goldsworthy.
MS. MICHAEL: Your Honor, Suzanne Michael for the
defendants, along with Stephanie Alexander and Tom Holt.
THE COURT: Thank you. Counsel, we are here on
the defendant's motion to dismiss for spoliation of
evidence, found in our docket at 319. I can tell you that
I have had an opportunity at this point to read all of the
material that both of you have filed. That would be the
motion filed by the City, and the supporting materials
that go with it. And I have reviewed the plaintiff's
opposition to the motion, and the supporting materials
that accompany it.
As is my usual practice in these matters, I will
accept as evidence all of the declarations which have been
filed. That would be much more Mr. Holt. I am not sure I
will get all of these. Mr. Weibling, Ms. Goodwin,
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
4
Ms. Youssef, Ms. Lindell and Mr. Goldsworthy. I may have
left one back in chambers.
I will ask you, if we call live witnesses, not to
repeat the testimony which is found in the declarations,
but to proceed to cross-examination, or if you have
additional material that is not in the declaration that
you want to present in connection with the motion. So
that will hopefully speed us up some.
The second thing I would like to say is to once
again just ask you to remember your decorum. It is really
not good advocacy, and yet both sides are guilty of it,
because you obviously feel very passionately about this.
Not everything is a misrepresentation, not everything is
incredibly inflammatory, not everything is conclusory, not
everything is pure fiction. You know, lying, thieving,
malfeasance, bad faith, particularly when you are talking
to me, they don't help you. They make me to think less of
all of you. You can do it, but it just causes me think
less of all of you. When you get to a jury, they are
really going to toast you for it because they don't think
adults behave that way.
I thought about ways to control that. The best I
came up with was to start a list of banned words and fine
you $25 every time you use one of those banned words. And
at least my tentative list includes: Incredibly
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
5
inflammatory, conclusory, pure fiction, bad faith. We
will just not do that. And, frankly, at some point, if
need be, in front of the jury I will sanction both of you
for just that kind of behavior. It doesn't have a place
in the courtroom.
Having said that, this is the City's motion.
Ms. Michael, you are taking the lead?
MS. MICHAEL: Yes, your Honor, I am.
THE COURT: Please call your first witness.
MS. MICHAEL: May I ask that witnesses that are
going to be testifying be excluded while others are
testifying?
THE COURT: Yes.
MS. MICHAEL: Anybody that expects to be a
witness, please step outside.
MR. BLANKENSHIP: My only concern with that, your
Honor, is these are technical computer issues, and I would
like to have Ms. Goodman here just so if something comes
up that is new that I don't understand, she would be able
to help me respond to it.
THE COURT: Do you want to respond to that?
MS. MICHAEL: Your Honor, we have had about four
hours to review all of the materials they filed this
morning. So we are already playing on an unlevel playing
field, I guess I would say. To have their expert witness
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
6
get to listen to our expert witness and tailor testimony
as a result I think would be unfair.
THE COURT: I will permit Ms. Goodman to stay. I
will invite your witness to come in, although he may be
called first, which we will get to anyway. That way we
will attempt to have somewhat more of a level playing
field. It seems this would be more expedient, if each
side hears what the other says about it. Your first
witness is?
MS. MICHAEL: Mr. Richard Conrad.
THE COURT: Thank you.
Whereupon,
RICHARD CONRAD
called as a witness, having been first duly sworn, was
examined and testified as follows:
THE CLERK: State your name for the record and
spell your last name.
THE WITNESS: Richard N. Conrad, C-O-N-R-A-D.
MS. MICHAEL: Your Honor, before I start with
Mr. Conrad, I know the court has allowed Ms. Goodman to
stay. May I ask that the other computer tech people --
THE COURT: The other tech people are out.
MS. MICHAEL: Thank you, Judge.
DIRECT EXAMINATION
By Ms. Michael:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
7
Q. Would you state your name and spell your last name for
the court reporter?
A. Richard M. Conrad, C-O-N-R-A-D.
Q. And what is your address, sir?
A. 4418 77nd Avenue Southeast, Mercer Island, Washington.
Q. And what is your job with the City of Mercer Island?
A. I am the city manager of the City of Mercer Island.
Q. Was that your position throughout Ms. Londi Lindell's
tenure?
A. Yes.
Q. I want to discuss the laptop computer that remains in
Ms. Lindell's possession. How did she come to get that
laptop, sir?
A. The specific laptop that we have been talking about
was purchased by the City at Ms. Lindell's initiation to
be a laptop that she would use in the course of doing
business for the City.
Q. As I understand, she had a previous laptop, but it
needed to be replaced; is that right?
A. That's correct. There was another laptop that she had
sought, and actually I required that she have in
connection with some time off that she took in 2005, 2006.
Q. In order --
MR. BLANKENSHIP: Your Honor, my understanding
was that you didn't want us to be addressing the ownership
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
8
of the laptop at the hearing. It seems like that is
exactly what we are doing right now.
THE COURT: I am assuming this is going to be
some foundation, and then we will cut it off. As I have
said from the start, the question of who owns the laptop
isn't in federal court.
MS. MICHAEL: Your Honor, we can short circuit it
if Ms. Lindell will acknowledge she has used the laptop
for both City purposes as well as information with regard
to her lawsuit and her claims.
MR. BLANKENSHIP: She has already declared that.
THE COURT: That is in her declaration.
MS. MICHAEL: Fair enough. Sometimes it has been
denied.
THE COURT: We don't need those rejoinders.
Let's stay on the facts.
MS. MICHAEL: I apologize, your Honor. The next
witness -- Mr. Blankenship might have some cross.
MR. BLANKENSHIP: I don't have anything, if it
was about the ownership of the laptop, which is about all
I heard.
THE COURT: Mr. Conrad, you may step down.
MS. MICHAEL: The City would call Katie Knight.
Your Honor, I have an exhibit to mark.
THE COURT: Why don't we wait until we get the
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
9
witness sworn in.
Whereupon,
KATIE KNIGHT
called as a witness, having been first duly sworn, was
examined and testified as follows:
THE COURT: You have an exhibit you wish to give
the clerk?
MS. MICHAEL: I do.
THE COURT: You may approach.
THE CLERK: Would you state your name for the
record and spell your last name?
THE WITNESS: Katie Knight, K-N-I-G-H-T.
DIRECT EXAMINATION
By Ms. Michael:
Q. Ms. Knight, can you tell us your address?
A. 12950 297th Place Northeast, Duvall, Washington,
98019.
Q. What is your title at the City of Mercer Island?
A. I am the city attorney for Mercer Island.
Q. Was there a period of time in 2008 where you came to
have access to Londi Lindell's desktop computer?
A. Yes.
Q. Can you tell us what period of time that was?
A. Approximately mid-February to about mid-April.
Q. And what was your purpose in accessing her desktop
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
10
computer?
A. There was ongoing concern that Ms. Lindell was
continuing her campaign, so to speak, against the city
manager. The need was felt to observe what she was doing.
Q. And in your ability to access the laptop -- I'm sorry,
the desktop computer, what did you discover?
A. I learned that she was having frequent conversations
and forwarding e-mails to Pete Mayer. She was also
preparing her case essentially against the City on the
desktop computer.
Q. Was there anything else about the desktop that caused
you any concern?
A. In reviewing the documentation, obviously I was
concerned that she was preparing her mediation and her
briefing and structuring what appeared to be a case
against the City. There was also missing documentation on
there.
Q. What do you mean by "missing documentation"?
A. She had some files located on it. I think she had a
mediation folder. And there would be certain -- I don't
know if they were shortcuts. I am not very techie, but
there would be certain shortcuts to a file, where if you
clicked onto it, the information would not be located
there, even though it indicated it should be there.
Q. Did you ever receive any sort of message from the
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
11
desktop when you accessed it, and, if so, what kind of
message?
A. To the best of my recollection, it was something like
"shortcut not found" or some sort of shortcut to another
file. And I believe I determined or learned somehow that
there probably needed to be a CD or a DVD or a flash drive
put in to access additional information that might be
located with the shortcut.
Q. So there was information that had been on the desktop
that you were not able to access; is that right?
A. Correct.
MS. MICHAEL: I have no further questions. Thank
you. I did want to ask the one question about the exhibit
I marked, which is the e-mail policy.
By Ms. Michael:
Q. Showing you Exhibit Number 1. As the City Attorney,
can you tell us what employees are told with regard to
their right to privacy with regard to City-provided
material?
A. That they will not have any expectation of privacy in
the use of the City-provided computers, materials and
software.
MS. MICHAEL: Thank you.
THE COURT: Mr. Blankenship.
CROSS-EXAMINATION
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
12
By Mr. Blankenship:
Q. Good afternoon, Ms. Knight.
A. Hello, Mr. Blankenship.
Q. If I understand your testimony, you were basically
secretly going into Ms. Lindell's computer and removing
information without notifying her; is that right?
A. I was not removing any information.
Q. You were searching it without telling her; isn't that
right?
A. I was reviewing the work that she was doing on her
City computer, correct.
Q. What was your role at this time? Had you become the
City Attorney?
A. I was the acting City Attorney.
Q. Had you received your $40,000 raise yet for replacing
Bob Sterbank?
A. I don't think I ever got a $40,000 raise, counsel.
Q. You got a significant raise, though, didn't you?
MS. MICHAEL: I would object, your Honor. It is
beyond the scope.
MR. BLANKENSHIP: It goes to credibility.
THE COURT: I will permit the question. I think
we need to move on.
By Mr. Blankenship:
Q. You got a significant raise when you went from
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
13
assistant attorney to City Attorney, didn't you?
A. I got a series of steps over a period of three years.
And I was doing two jobs.
Q. Can you give me an approximate about what the change
was in your pay?
A. I think as the acting City Attorney I might have been
bumped up $10,000 or so.
Q. So were you aware of a time when Mike Bolasina
provided Ms. Lindell with documents in order for her to
prepare for her mediation?
A. Yes.
Q. And you have been -- Are you aware that the documents
that were in the mediation file have been produced to
you -- to the City?
MS. MICHAEL: Object, your Honor. That is not
completely accurate.
THE COURT: We will take that up on redirect
examination.
By Mr. Blankenship:
Q. Are you aware that any documents that were saved under
a folder that says "mediation" were actually produced
through discovery?
A. Through discovery? I'm sorry, discovery in the
mediation itself or discovery subsequently after the
lawsuit was filed?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
14
Q. In this case.
A. I believe that -- I'm not sure I understand what
you're asking. The documents that were in the body of
what I was reviewing?
Q. Right. You referenced a mediation folder. I guess my
questions to you is, are you aware that all the documents
that were in the mediation folder were documents that were
produced by Ms. Lindell?
A. I don't know if I can answer. There were tens of
thousands of pieces of paper that were produced. I know
there were some from Ms. Lindell. But I think we
received -- Some of them are drafts. I would say, no, I
don't believe that all of those were produced, frankly.
Q. Were you aware that Mike Bolasina told Ms. Lindell to
prepare for the mediation?
A. I believe so. He knew I was going through these.
Q. But he also told Ms. Lindell that she should prepare
for the mediation?
A. I don't know if he told her that or not. You would
have to ask him.
Q. You basically identified this e-mail and internet use
policy document, correct?
A. Correct.
Q. You would agree that an expectation of privacy -- that
somebody would have an expectation of privacy in a
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
15
computer that they used after their employment ended,
wouldn't you?
A. It depended on who owned the computer. If it was a
City-owned computer, no.
Q. So your personal computer, do you think you have a
right to privacy with respect to it, or should I be free
to go through everything on your personal laptop?
MS. MICHAEL: Object, your Honor. This is far
afield.
THE COURT: I will sustain the objection. It is
also argumentative, counsel.
By Mr. Blankenship:
Q. Isn't it true, though, that you have and you had
access to all of the e-mails that Ms. Lindell sent from
her Mercer Island e-mail account, right?
A. From everything she had on the desktop.
Q. It is not only on the desktop. The City of Mercer
Island has a server, don't they?
A. Correct.
Q. And the server would keep track of e-mails, would it
not?
A. As far as I understand it, yes.
Q. So to the extent there were e-mails that were sent
from Ms. Lindell's City e-mail, the City would have access
to it, correct?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
16
A. Correct.
Q. And as you sit there, you have no knowledge or
information that Ms. Lindell had any other e-mail accounts
that she was using, other than the City e-mail account, do
you?
A. I believe she was using Bill Hansen's e-mail account.
There were e-mails she sent from the City server to Bill
Hansen, which was her home account. And I had received
some from her in the past from that account.
Q. Other than Hansen, though, do you agree with
Ms. Lindell's declaration that she wasn't using a personal
e-mail account at all until after she was fired?
A. I didn't have a chance to review her declaration.
MR. BLANKENSHIP: Thank you, Ms. Knight.
REDIRECT EXAMINATION
By Ms. Michael:
Q. Are you familiar with the Llindell at live dot com
account?
A. No.
MS. MICHAEL: I have no further questions. Thank
you.
THE COURT: Anything further, Mr. Blankenship?
MR. BLANKENSHIP: No, your Honor. Thank you.
THE COURT: You may step down.
MS. MICHAEL: The City would call Mike Kaser.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
17
Whereupon,
MIKE KASER
called as a witness, having been first duly sworn, was
examined and testified as follows:
THE CLERK: Please state your name and spell your
last name.
THE WITNESS: Mike Kaser, K-A-S-E-R.
DIRECT EXAMINATION
By Ms. Michael:
Q. Good afternoon, Mr. Kaser. Would you tell us your
address, please?
A. 7030 Carmichael Avenue Southeast, Snoqualmie,
Washington 98065.
Q. And what is your position with the City of Mercer
Island?
A. I am the information services manager.
Q. And how long have you been the information services
manager?
A. Since 2006.
Q. I am going to short circuit a lot of what you and I
discussed, because the court has ruled that the issue of
Ms. Lindell utilizing -- getting the laptop from the City
and utilizing it is not going to be part of this hearing.
So I will move right into another area. The area I want
to move into is, in your work with the City are there
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
18
occasions where users will have a bug or a virus or some
issue with the operation of their computer?
A. Yes.
Q. What do they do if they have an issue with a virus or
a bug or something? What is your role?
A. Typically we will get the help desk to help them, or
our antivirus system will let us know whether they do or
not, if it has detected something. Depending on the issue
specifics, we will either do a simple scan or go grab the
computer and do some more troubleshooting to solve the
problem.
Q. Have you ever in your work operated, because someone
reports a virus or a bug, something like CCleaner, that
selectively destroys or removes data?
A. No.
Q. At the City of Mercer Island, are there ever times
that you do intentionally destroy data on a computer, and,
if so, when?
A. Yes, there is. Through our standard surplus cycle, as
we replace computers, bring computers in, we completely
wipe the hard drives, and/or we send the hard drives off
to a Shred-It type company that will destroy the hard
drive for us before we deliver the computer to recycling.
Q. Why do you do that?
A. So no City data leaves the City and falls into someone
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
19
else's hands. We don't do anything that exciting at the
City of Mercer Island, but kind of standard practice.
Q. Why is it you don't selectively remove data from
computers that have viruses or bugs?
THE COURT: Counsel, we are going to need you to
slow down. You will need to pause periodically to
breathe.
Ms. Michael
Q. Mr. Kaser, why is it that at the City of Mercer
Island, when you are troubleshooting and trying to find
out if there is a virus and whatnot that you do not
selectively remove data from a computer with a program
such as CCleaner?
MR. BLANKENSHIP: Your Honor, I would object to
foundation, that this witness even knows what CCleaner is.
There is a presumption to the question.
THE COURT: I will sustain the objection. Lay
the foundation.
By Ms. Michael:
Q. Can you describe your knowledge with regard to
products such as CCleaner and what they are designed to
do?
A. Sure. We are not specifically -- I am not
specifically familiar with CCleaner itself. I am familiar
with a large variety of computer software and things that
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
20
are used to either wipe a computer or clear a cache or how
to work with the registry and that type of stuff, just out
of general computer knowledge or working in this industry
for ten years now. So not CCleaner specifically, but from
what I have read about CCleaner, it is not the only type
of software out there like that.
Q. And is that the type of software that you have some
general familiarity with? If not the specific CCleaner
product, other types?
A. Yes. We don't use anything like CCleaner in our
troubleshooting or wiping of data at the City.
Q. And why is it that you don't use anything like
CCleaner or any other data destruction type device?
A. Our purpose in getting rid of data is to completely
wipe the hard drive. We write zeros to it, meaning there
is nothing recoverable on it, including the operating
system, because we are delivering it off to be recycled.
MS. MICHAEL: I don't have any other questions.
Thank you.
CROSS-EXAMINATION
By Mr. Blankenship:
Q. Hello, Mr. Kaser.
A. Hello.
Q. How long have you worked for the City of Mercer
Island?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
21
A. About seven years now.
Q. And I want to go back to some of your testimony when
you were talking about wiping hard drives. Do you
remember that testimony?
A. I do.
Q. If I understand your testimony, if you wipe a hard
drive, you cannot recover data from it after that; is that
correct?
A. In theory. The way that we wipe them, yes.
Q. So you would expect if a hard drive was wiped, that
you wouldn't be able to recover data from it the way you
wipe it, right?
A. Yes. In the way that we wipe them, yeah.
Q. And what program do you use to wipe computers at
Mercer Island?
A. We have used -- it is called DOD Wipe. Essentially it
stands for Department of Defense Wipe. But it is a
product that's -- I think it was developed by Symantec,
and it essentially goes in and writes zeros to the hard
drive.
Q. Basically it overwrites all of the data on the hard
drive, right?
A. It writes zeros to the hard drive.
Q. Which would eliminate all of the data in the free
space, correct?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
22
A. Essentially it writes zero to every sector on the hard
drive. Not just the free space, but all space.
Q. So you wouldn't be able to recover documents from
Mercer Island on that laptop, for example, right?
A. We have not gone through the practice of forensically
trying to rebuild any of these hard drives, so I couldn't
conclusively say that. But in theory, yes, you would not
be able to recover any data off of the drive that we wiped
with --
Q. Is that based on your personal knowledge as you sit
there, and based on your understanding of how things work,
once something is wiped, it is not recoverable, correct?
A. Using the software that we use, yes.
Q. And you have never used CCleaner, right?
A. No.
Q. About how much of your work entails repairing
computers for people, employees?
A. Are you looking for a percentage of time?
Q. Sure.
A. Roughly, maybe 30 percent.
Q. So you don't send out the computers at Mercer Island
to a place like PC Doctor; is that correct?
A. No. We do all of our work in-house.
Q. Did you ever work with Londi Lindell?
A. Yes.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
23
Q. Did you ever work with her and the laptop?
A. Yes.
Q. Do you recall transferring data from one laptop to the
other for her?
A. Yes.
Q. And do you recall that data including personal
information, such as family things and stuff with her
kids?
A. I don't really recall all of the contents of that
data. We transfer data from people's old computers to
their new computers in our standard process all the time.
Q. You would agree, sir, that it was more than just work
data? There was personal data on there, too, wasn't
there?
A. I don't recall exactly what was on there.
Q. Does Mercer Island use like a remote desktop program
that allows somebody to log on from home and log into
their desktop at work?
A. We do.
Q. Isn't it true that Ms. Lindell had a desktop at work,
right?
A. It is.
Q. And that she used the laptop computer to remote access
into the desktop, right?
A. I couldn't say that. Normally people who have laptops
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
24
don't remote control their desktops. It is people who
don't have laptops from home that will remote control
their desktops at work.
Q. It is your testimony -- When I use remote desktop, I
am actually on my desktop computer. Is it your testimony
that Mercer Island doesn't log on remotely to their
desktop computer?
A. Most of the time people don't have a laptop and a
desktop; they have one or the other. So for those who
don't have a laptop, they will remote control their work
desktop from whatever home computer they are using. For
the users that have a laptop, typically it is also their
work station, and they have a dock station, which wasn't
in this case. I wouldn't recommend to somebody who has a
laptop, per se, to necessarily connect to their desktop at
work, because their work laptop may also already have the
software that they need or the access to the network that
they need. There might not be a reason to connect to the
work desktop also.
Q. Wouldn't it make more sense to log into the server?
You would agree that in any case Ms. Lindell would be
logging into the server when she was accessing work
through her laptop, correct?
A. To the first part of your question, I wouldn't say it
would make more sense, because her laptop would be part of
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
25
our network anyway, meaning it is joined to our domain and
has access to all of the stuff. All she would need to do
is establish a connection to our network, and then her
laptop would behave just as a desktop might. I'm not
quite sure what you mean by connecting to the server.
Q. I could be mistaken about how it works. I appreciate
your information on that. Did you ever search
Ms. Lindell's laptop? Did you ever remove data from it or
inspect it?
A. No.
Q. Were you doing that with her desktop?
A. There may have been a time where we scanned her
workstation, after she left, for anything. I don't
recall.
Q. Do you know in this case that there are allegations
that Ms. Lindell wiped her hard drive?
A. Yes, I do.
Q. And would you expect that she would be able to recover
data from a hard drive that was wiped?
A. Using a computer software program like CCleaner, my
understanding is that it does not wipe the computer. It
simply wipes selective things, like your registry, keys
that are no longer used, browser cache, that type of
stuff. I was not aware that she wiped the computer in,
say, the same sense that I am describing for the City's
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
26
practice of recycling the computers.
MR. BLANKENSHIP: Thank you, sir.
MS. MICHAEL: No additional questions, your
Honor.
THE COURT: You may step down.
MS. MICHAEL: We would call Jonathan Yeh.
Whereupon,
JONATHAN YEH
called as a witness, having been first duly sworn, was
examined and testified as follows:
THE CLERK: Will you state your name for the
record and spell your last name, please?
THE WITNESS: Jonathan Yeh, spelled Y-E-H.
MS. MICHAEL: Your Honor, I have a series of
documents I would like to have marked as either one
exhibit or each separately, if the court has a preference.
I don't. These are from Mr. Yeh's file with regard to his
communications with the Blankenship Law Firm.
THE COURT: Mr. Blankenship, have you seen these
documents?
MR. BLANKENSHIP: Counsel, are these the
documents that were produced by this witness?
MS. MICHAEL: They are. They are a selection of
them. I have all of them, but I will only be asking about
a selection.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
27
MR. BLANKENSHIP: If those are the documents,
your Honor, then I have seen them. I don't have them with
me.
THE COURT: All right. You may mark them as one
exhibit.
MS. MICHAEL: Thank you, your Honor. I will go
ahead and give Mr. Blankenship -- I ended up with extra
copies, but each one I will be talking about is in there.
So there are three copies of each one I have been talking
about.
DIRECT EXAMINATION
By Ms. Michael:
Q. Mr. Yeh, would you tell us your address, please?
A. Our business address is 157 Yesler Way, Third Floor,
Seattle, Washington 98104.
Q. And what is your profession, sir?
A. I am an attorney.
Q. And do you have a special expertise in computer work?
A. The firm specializes in electronic discovery and
computer forensics work.
Q. Are you the technical person that gets in and does
that kind of work?
A. It depends. Mostly not. We have a computer software
technician and engineers that do most of the actual
hands-on work. Depending on staffing issues, sometimes I
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
28
will perform some of the functions.
Q. And have you had a chance to review the file in this
case that Blank Law & Technology has on this matter?
A. I have.
Q. When was Blank Law & Technology retained?
A. I believe in early November 2010.
Q. And by whom were they retained?
A. By the Blankenship Law Firm.
Q. Would you look, please, sir, at your Bates number 1 of
Exhibit A-2. It appears that you might have been retained
on or about November 8th by the Blankenship Law Firm; is
that correct?
A. I believe so, yes.
Q. When was it that you came to understand that you were
actually supposed to be the independent third-party
forensic examiner the court had ordered?
MR. BLANKENSHIP: Object to foundation.
THE COURT: Overruled. I think I will be able to
track what I did.
THE WITNESS: I believe that was made aware to me
somewhere around just prior to Christmas time via a letter
from your firm.
By Ms. Michael:
Q. And we sent a letter November 15th of 2010, indicating
that we believed you were the independent forensic firm.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
29
That is not part of Exhibit A-2 because that is not part
of your communications with the Blankenship Law Firm.
Does that refresh your memory about when you were notified
that in fact you were supposed to be the independent
expert?
A. Sure. I don't have that letter in front of me, but it
is a dated letter.
Q. Fair enough. I understand you entered into an
engagement agreement with the Blankenship Law Firm; is
that correct?
A. Yes.
Q. Would you please look at your Bates number 8? That is
an e-mail from you, dated November 8th of 2010. When you
say, "We will then begin extracting the active files,"
what were you telling Mr. Goldsworthy?
A. Basically, when you have a computer hard drive, there
are files that are sort of, I guess, active versus deleted
and fragmented space. So we were extracting just the sort
of active files for processing into a database.
Q. Do you typically as a forensic examiner get asked to
extract only the active files?
A. It sort of depends on the project. Sometimes yes,
sometimes no.
Q. So as a forensic examiner, sometimes somebody will
actually ask you to clone the hard drive and only pull
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
30
active files?
A. Yes.
Q. How often does that happen?
A. It is hard for me to say percentage wise. It does
vary from case to case.
Q. Active files are something I personally can pull off
without any special expertise; isn't that right?
A. It depends how you mean "pull off." A lot of times
people will copy off active files themselves. But it
changes what we call the metadata on the files a lot of
times. Even just pulling off the active files, people
will engage our firm to make sure these things remain
intact.
Q. But "active files," you don't require any special
software to get the active files, do you?
A. No.
Q. So I could do it at my desktop at work?
A. Yes.
Q. At some point, as I understand it, the Blankenship Law
Firm gave you a list of search terms that they had come up
with; is that right?
A. Yes.
Q. And then later on you were given far more search terms
that we did in collaboration with the Blankenship firm?
Is that your understanding?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
31
A. Yes.
Q. I would like to ask you to look, please, at Exhibit --
Bates Stamp 17 of Exhibit A-2. It is an e-mail dated
November 9th of 2010. Down at the bottom you were telling
Mr. Goldsworthy of the Blankenship Law Firm in the second
paragraph, "I have been told that there is very little
e-mail on the laptop. I don't know if that is relevant or
surprising to you or not, but many of these kinds of
matters focus on e-mail, so I thought I would mention it
in case it was a surprising fact." Do you see that?
A. Yes, I do.
Q. Do you recall talking with Mr. Goldsworthy about that?
A. I recall writing this e-mail. I do not recall that we
had any additional discussion on that subject.
Q. At this point in time had the technician that was
actually searching the Lindell laptop had conversations
with you about what he was or was not finding?
A. Yes.
Q. And are they memorialized in writing anywhere?
A. Not other than the sort of general description here in
this e-mail.
Q. One surprising fact you are finding is there is very
little e-mail; is that right?
A. Sure. Yes.
Q. If you would next look at your Bates number 21,
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
32
please, an e-mail dated November 9th? And it indicates
that "they," which I assume means the Blankenship firm,
and please correct me if I'm wrong, "would like the
following tagging buttons." And they list four, which are
"produce, responsive, nonresponsive, privileged slash work
product." What does this mean, "tagging buttons," with
those four categories?
A. Basically we had been asked to create a database of
the files from Ms. Lindell's laptop. Once that is up
there, the reason you create that database is for the
attorneys to review the various documents that are in
response to search terms.
And once they do, they usually have some sort of
tagging function. The online display has these little
buttons so you can say this document is responsive, this
document should be produced, and that tells us what to do
with the documents later.
Q. And so they were going to tag these as produced,
responsive, nonresponsive or privileged?
A. Yes.
Q. To your knowledge, did that occur?
A. I wasn't there, but I believe so.
Q. Do you have any way of knowing if the City was
provided with all of those documents?
A. All of which documents?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
33
Q. Produce, nonresponsive, responsive or a privilege log
for the privilege?
A. No.
Q. I want to ask you to please look at Bates number 27
from the documents that you provided. My copy has a
slight handwritten note I have covered up. This is an
e-mail down at the bottom, November 10th, to Rick
Goldsworthy from you. It indicates, "I notice your review
team has marked some files for production and just wanted
to give you a heads up on production time lines." Do you
see that?
A. Yes, I do.
Q. My question is, do you recall discussing what files
they didn't want you to produce?
A. No. Our job is just whatever gets marked "produce,"
we produce. I wasn't given any instructions about what
specifically was not to be produced.
Q. Do you still have records that would establish what
you did produce to the Blankenship firm -- in what format
all the documents were produced?
A. I believe the database that we set up for them is
still sitting there.
Q. Would you please look next, sir, at Bates number 29?
It is an e-mail, November 14th, from I guess -- Is
Mr. Tsuji a technician?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
34
A. No, he is another attorney in the firm.
Q. Is he another technical person as well?
A. It is a small firm, so we sort of have mixed roles,
all of us. Mr. Tsuji is sort of the head of the technical
department.
Q. And Mr. Tsuji indicates he wants to give you an update
on this case. "Come find me first thing in the morning."
Do you remember what his update was on November 14th?
A. Not just off the top of my head, no.
Q. Do you recall having any discussions at any time with
the Blankenship firm about things that you were either
puzzled by, other than the lack of e-mails? Anything that
you were puzzled by or found intriguing or wanted to bring
to their attention?
A. No.
Q. If you would look next, please, at Bates number 45?
Down at the bottom is an e-mail from you to Rick
Goldsworthy. You are asking him, "How would you like us
to produce the new data set for review? We can just turn
over a CD with the native files or we can process the
files and upload them to your existing database. We can
upload them as a separate subdatabase." And then
Mr. Goldsworthy responds, "I think having the documents
uploaded to the database would be more expedient and
transparent and efficient, especially considering the
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
35
review process we previously engaged in."
What exactly did you do for the Blankenship Law Firm
on January 5th?
A. I believe the reason I sent this e-mail is at this
point it became a little vague as to who was paying our
bills for what, and therefore who I needed obtain
authorization from for what. So basically I consulted
Mr. Goldsworthy and Mr. Youssef to sort of determine how
they wanted to review this new set of files.
After I sent this e-mail, I believe I recall sending
an e-mail to your firm and you sort of describing the same
process, and whether or not you authorized the payment,
the cost of this. If I remember correctly, you didn't.
So what we ended up doing was just producing a CD with
just the native files, instead of doing the database.
Q. Isn't it accurate to say that the Blankenship firm had
access to your database and the City was not offered that?
A. The database of the original documents that we had
processed, yes.
Q. And if we can look at the next page of that document,
the same date, the same e-mail. It says, "So, for
instance, if you already marked a large number of
documents, responsive, nonresponsive or privileged,
et cetera, and those identical documents are also in the
new set, we can port over the tags to the new subdatabase
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
36
so that you would not have to re-review those documents."
What are you telling Mr. Goldsworthy would occur?
A. Originally when we had the database and pulled off the
active files, they reviewed them and tagged them however
they would have tagged them. So once we had this new set
of native files -- Because the search terms, some of them
overlapped, some of them didn't, probably some of these
search results from the two sets. If we had uploaded them
into another sub-database, we would have been able to
match up which ones they already reviewed and which ones
they already tagged, and just sort of copy over those
designations to the new database, just to save the time of
reviewing those documents again.
Q. Again, this is directed only to the Blankenship Law
Firm, the City was not involved in this?
A. At this point, no.
Q. If you would look next, please, at Bates number 55, an
e-mail from Mr. Goldsworthy to you, dated Monday,
January 24th. That states, "I just wanted to follow up
with you regarding when you think you will be able to send
us a spreadsheet listing all of the withheld files. Will
you be able to send that over today?" Do you see that?
A. Yes.
Q. Did you send them a spreadsheet of all of the withheld
files?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
37
A. Yes, we did.
Q. Does the spreadsheet indicate which ones they had
tagged as responsive, nonresponsive, privileged, or do you
recall?
A. I believe the spreadsheet was just a straight export
of the metadata fields, and FTK, the program we were using
at that point to search the data for those files. At that
point, they weren't in a database. You wouldn't have been
able to tag anything specifically.
Q. So what are the "withheld files" you are referencing
in this e-mail?
A. I believe at this point, when we didn't do the
database for the second time around, we produced all of
the files that had been responsive, the native files, just
on a CD. And so they then came back and identified a list
of files that they just designated as withheld. And we
found those files, pulled them from the set that was from
the CD. And then using FTK, extracted -- produced a
spreadsheet of the metadata of that subset of files.
Q. Do you still have the withheld files or are those in
the Blankenship possession?
A. They were produced to the Blankenship firm, but we
keep an archive copy.
Q. You do have an archive copy?
A. Yes.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
38
Q. If you would look, please, at Bates number 56 of A-2,
an e-mail thread dated January 26th, at the bottom, from
you to Mr. Goldsworthy. It starts, "When you confirm that
you are asking me to produce these three files," and you
list three files, "the LKL chronology, the Egger's short
report," and then something that has some numbers and
letters. And you are told up above, "Those are the
correct documents that we want you to produce." Do you
see that?
A. Yes.
Q. So they had been withheld initially, and then you were
allowed to produce those to us; is that right?
A. I believe so, yes.
Q. Were you told why those particular ones, out of all
the withheld documents, were allowed to be produced?
A. No.
Q. If you would look, please, at Exhibit 58 of Exhibit
A-2, a February 25th e-mail thread, from Alex Harmon to
you. Who is Alex Harmon?
A. He is a computer technician in our firm.
Q. And Mr. Harmon indicates, "Under USB storage
device --" First of all, what is a USB storage device?
A. Basically your computer has what are called USB ports.
It is a little slot on the side you can connect various
devices to it. So it is like a thumb drive or any of
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
39
these portable data storage devices.
Q. So if I wanted to download information from my
computer, I could put in a USB drive, download some
information and maybe take it to another computer?
A. Or vice versa.
Q. Or download information into the computer from the
thumb drive?
A. Yes.
Q. And did it used to be more prevalent to do CD burning
techniques rather than thumb drives or USB drives?
A. I don't know what you mean by "used to be more
prevalent."
Q. Have USB drives or thumb drives become more popular in
the last few years?
A. I don't know. In my own personal usage, yes. But
other than that, I can't say industry-wide. I don't
really have an opinion on that.
Q. Do people sometimes burn information to CDs?
A. Yes.
Q. So you can do the same type process, where you take
information off a computer, burn it to a CD, and then you
take the CD to another computer?
A. Yes.
Q. And so that way you have arguably removed obvious
evidence of documents that were on the computer by
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
40
downloading them to either a thumb drive or a CD? I say
"obvious evidence," to a nonforensic examiner person.
A. Sure. Let me make sure I am getting your question.
Are you saying it is obvious when you do that or --
Q. For example, if I download a file from my computer to
a thumb drive, then there is no obvious evidence that the
file was there because now it has been removed?
A. I wouldn't really say that is true. Usually people --
Not usually. I mean, the process can be, you can copy
things over, you can move things over, you can cut and
paste things over. Depending on what method you use, you
will either leave the original copy on your computer as it
is, or you will move it off, but at that point usually
what the computer does is it just tags that as being
deleted, and it is still there, but it is hidden from
view.
Q. Hidden from view. Right. And so in this e-mail from
Mr. Harmon to you, he is looking at USB storage devices.
He indicates, "I found multiple results, including USB
thumb drives and iPods." Do you see that?
A. Yes, I do.
Q. So he is just reporting to you the findings of his
research?
A. Yes.
Q. And he goes on to say down below, "I identified
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
41
multiple instances that may indicate CD burning activity
from February to November of 2010." Do you see that?
A. Yes.
Q. Did you discuss that with anyone at the Blankenship
firm?
A. I sent sort of a condensed version of this e-mail to
both Blankenship, and then eventually to your firm.
Q. I see that you sent it to Blankenship's firm on
February 28th, where you are identifying essentially what
Mr. Harmon told you. And that is Bates number 62.
A. Yes.
Q. I don't see that we are on that e-mail.
A. No. At this point the process that we agreed on is we
would provide that information first to the Blankenship
firm, in the case it revealed anything that was privileged
or otherwise -- basically privileged, so that they would
have a chance to review it first before we produced it to
you.
Q. Under "CD burning," you are indicating that you
examined the Windows system event log for evidence of IMAP
CD burning events, and identified multiple instances that
could indicate burning activity from February to
November 2010. Do you see that?
A. Yes.
Q. Do you have any reason to believe the fellow that told
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
42
you that was the case was inaccurate?
A. No.
Q. If you would look, please, at number 59. This is
dated March 1st, the date that we got the third and final
CD from your office. Do you remember that?
A. I do.
Q. And on this one, again, from Mr. Goldsworthy to
Mr. Yeh. It indicates they have removed the information
that you sent to them, and they would like you to now
produce the following documents and files from
Ms. Lindell's laptop computer that were previously
withheld by Ms. Lindell. And then there is a listing of
several files numbers. Do you see that?
A. Yes.
Q. Did they tell you why they were authorizing you to
release that group of files from the withheld files?
A. No.
Q. Again, it is not your concern what they are
withholding and why; is that right?
A. Yes.
Q. At this point in time, on March 1st, did you perceive
that you were the independent forensic examiner retained
by the court, or did you perceive that you were an expert
hired by the plaintiff?
A. At this point we believed we were sort of a neutral
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
43
party that was basically subject to instruction from both
sides.
Q. Although you would check with the other side if we
made a request, correct?
A. Yes.
Q. And in the past, if the Blankenship firm had made a
request, you didn't check with us, did you?
A. That would be before your letter.
Q. Is this the first time that you have been in a
situation where you were first retained by a party, and
then put in the spot where you perceive yourself as
neutral, or do you do that on other occasions?
A. It has happened before. It is not that common, but
yes, it has happened before.
Q. And do you see any issues with ethical -- Strike
that. Never mind.
I have just a couple more of these documents to ask
you about, and then a few follow up questions and I will
be finished, Mr. Yeh.
These seem to be a bit out of order, but this is the
Bates number order I got. This is Bates number 78, an
e-mail from Mr. Goldsworthy to you, dated January 21st.
It states, "Attached are two lists containing the files we
are withholding from defendants. The only two files that
are not on the attached lists that we also want to exclude
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
44
are the two I reviewed yesterday and I asked you to pull."
And there are two files listed. "Please withhold those
files as well. Also, please generate an Excel spreadsheet
of the withheld files, including the file names and paths,
and produce the rest of the files to the City." Do you
see that?
A. Yes.
Q. And did you do as they instructed?
A. Yes.
Q. And if you would look at number 79, an e-mail thread
from Mr. Goldsworthy to you, Tuesday, January 18th. It
says, "I am attaching five separate documents containing
separate lists of files we have reviewed from plaintiff's
laptop computer that should not," underscore not, "be
produced to defendant City at this time. The attached
lists contain approximately 339 files we wish to exclude
from production. Once you have excluded these files,
please produce the balance of the 'produced' files to the
defendant." Do you see that?
A. Yes.
Q. Do you know why they were withholding some of the,
quote, "produced files" from the defendant?
A. No, nothing was explained to me.
Q. I would like to ask you about one of these
spreadsheets that was provided that Mr. Muchmore will talk
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
45
a bit more about. I have copies.
MS. MICHAEL: Your Honor, may I have a document
marked?
THE COURT: Yes. You may approach.
THE CLERK: A-3.
By Ms. Michael:
Q. Do you have A-3 in front of you, sir?
A. Yes, I do.
Q. I would like you to look at the section I am about to
highlight from the screen, "French art presentation
66923." Do you see that?
A. Yes.
Q. That number is 66926 in the log that we were given.
Do you know why that would be -- why the numbers would be
out of sequence like that?
A. Which set of documents is this?
Q. This is from the Lindell laptop native production.
And Mr. Muchmore will have testimony about this as well.
I am wondering if you know why there is a gap in the
numbering.
A. I'm sorry. Can you tell me again what you are asking?
Q. You bet. The one that I have highlighted that says
"French art presentation," and then it has the number
669226 -- I'm sorry, the number is 669223 on your
document. On the spreadsheet that we have got, the number
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
46
is 66926 (sic). Do you know why that would be?
A. I don't. The number itself is something that is added
by FTK. It is not in the original file. They should
match up between the spreadsheet that goes with this list
of files and the file name here.
Q. And if they don't, what are the explanations for why
they don't match up?
A. It could be a lot of different things, particularly
with this particular production. Prior to the production,
we had a software crash internally. I don't know if you
recall my mentioning that to you. And so we did end up
having to reindex the drive. And so when we pulled some
of the things out, the original numbers might have been
changed. I don't know if that applies to this situation.
Other explanations for why sometimes the numbers
differ, sometimes there are different fragments of the
same document that might have the same file name but have
different numbers. Again, as to this particular file,
whether either of those explanations apply or not, I can't
tell you just right off the top of my head.
Q. Can you confirm that 669223 represents the forensic
toolkit ID number; is that right?
A. Yes.
Q. We found, and Mr. Muchmore will talk about this, the
numbers after approximately 520,000 do not match the
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
47
produced slash privilege log and the file listing. Other
than the fact that you had an issue with your hard drive
or something, why would that be?
A. I really can't speculate without looking at what is
going on.
Q. There are documents in the production and privilege
log that Mr. Muchmore will address that do not appear on
the file listing. Why would that be?
A. There are documents here in the production --
Q. In the production that we have received and the
privilege log that do not appear on the file listing. Why
would that be?
A. Again, without being able to compare the two, I can't
explain that right now.
Q. What do shortcut files tell a forensic examiner such
as yourself?
A. It depends. For instance -- It depends on where they
are located, it depends on what they are a shortcut to.
Q. What kinds of information can you obtain as a forensic
examiner from shortcut files?
A. Well, basically that the document at some point was
linked to that shortcut. Whatever the destination of that
shortcut link is, was at some point accessed using this
computer.
Q. And let me know if I get over your head in any way
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
48
here. Can you not tell when a document was created?
A. I don't believe so.
Q. Can you tell when it was accessed?
A. Again, I think you are a little beyond what I would be
qualified to testify on.
Q. So this is beyond your scope of expertise?
A. Yes.
MS. MICHAEL: Your Honor, I don't think I have
anything else for Mr. Yeh at this time. Thank you.
CROSS-EXAMINATION
By Mr. Blankenship:
Q. Good afternoon. I want to just ask you about this
database and see if I can clear up what the database is
for. Why in the first instance -- What would be the
reason for creating a database for online access?
A. It just simplifies the review process. There are all
sorts of reasons you would create a database.
Q. Is it fair to say it would make the search more
efficient and the ability to go through the documents
easier?
A. The documents that you have, yes, in the database.
Q. And did you understand that part of what you were
charged to do by the court was to work with my office to
make certain that we didn't produce privileged documents
and privileged files?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
49
A. At what point are you talking about?
Q. I am talking about once you became an independent
forensic examiner.
A. Yes. Part of our role is to help you identify what is
privileged and what should and should not be produced for
that reason.
Q. At any point, did anyone from my office ask you to
improperly withhold something or express concerns to you
about anything relating to your job or what you did?
MS. MICHAEL: Object to the form, your Honor.
THE COURT: Overruled.
THE WITNESS: To whether or not anything was
withheld improperly, I can't tell you. I was just told to
withhold a certain set of documents based on ID numbers,
and based on file names, and we did.
Mr. Blankenship:
Q. Is it fair to say you weren't involved in the
decision-making as to whether something was privileged or
not privileged?
A. No, we weren't involved.
Q. I want to go to the issue of e-mail. And there was
some testimony about not seeing a lot of e-mail. Do you
remember that testimony or the e-mail that reflected that?
A. Yes, I do.
Q. Isn't it true that, unless you have Outlook or Outlook
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
50
Express, web-based e-mail wouldn't be captured or
downloaded on the computer?
A. That is true.
Q. If, for example, Ms. Lindell had used Hotmail, and she
just used it on the web, would you expect or not expect to
find her e-mails on the computer?
A. Normally you would not expect to find that much
e-mail. Sometimes you will find little bits and pieces
here and there. As a whole -- I guess in my previous
e-mail when I said it was surprising, I mean, it is just
that there wasn't e-mail on there. It didn't account for
the fact whether she used Outlook. I wasn't aware of any
sort of behavior she engaged in.
Q. At any point did someone say, hey, here is what this
case is about, here is what the issues are, here is what
we expect to be on the e-mail, or did we basically ask you
to mine information from the computer?
A. Basically we were asked to pull off certain kinds of
files, and then search them.
Q. And if I understand your testimony, there was only one
database, right?
A. Yes.
Q. But whatever you would have put in a database the
second time, which would have made things more efficient,
you produced in the CD-ROM, correct?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
51
A. I may have misspoke just now. There were in fact two
databases. There is only one via Relativity, the online
platform. The other is an FTK database that is in a
separate, more forensically-geared software. There are
two databases. The first one we did for your firm was in
a product called Relativity. And this had the online
functionality.
Q. So if there weren't -- If I understand what you are
saying, you had your own internal database, and then when
we hired you to make sure that we had located all the
active files on the computer, you made a database so we
could quickly and efficiently find things that were
responsive and privileged, and not have to open and close
each one of them with special software? Is that fair to
say?
A. Yes.
Q. Since there wasn't a third database, you know, with
respect to the documents that you were doing the broader
search that involved the City, there were no tags because
there was no third database, correct?
A. I guess the second database I was talking about, the
one in the FTK software, that is the one we used to do the
searches for the City's requests after the 15th or
whatever. So in that database -- That software does not
have that kind of functionality. Well, it does, but it
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
52
wasn't utilized.
Q. I know that earlier you testified that anybody could
get on a computer and find active files. I kind of want
to understand. When you said that, do you mean without
any type of forensic software? Is that what you mean?
A. I believe so. You have files on your computer on your
desktop that you can click to them and copy them to
anything you want to. You obviously don't need any
special forensic software for that. I mean, Windows has a
search tool that you can click on and ask for it to find
files under certain terms. It is slow and it is clunky,
but it is possible to find.
Q. You have to know, though, that it is there and how to
use it, correct?
A. Yes.
Q. And just to let you know, you found stuff that we
hadn't found. I mean, we did our best.
MR. BLANKENSHIP: I don't have any further
questions. Thank you.
MS. MICHAEL: I have no further questions, your
Honor.
THE COURT: You may step down.
MS. MICHAEL: We would call Alan Muchmore as our
next witness.
Whereupon,
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
53
ALAN MUCHMORE
called as a witness, having been first duly sworn, was
examined and testified as follows:
MS. MICHAEL: May Mr. Muchmore have a moment to
set up his laptop? He has a PowerPoint presentation.
THE COURT: Yes.
THE WITNESS: Is there a place for me to plug
this in? Would it be possible for me to testify from
another location?
THE COURT: You will have to be able to manually
manipulate it.
MS. MICHAEL: If I can just take a moment with my
paralegal, your Honor?
THE COURT: Counsel, we are running long. I
expect this witness is going to be here for a while.
While you sort through this, we will take a break. We
will be in recess.
(At this time a short break was taken.)
THE COURT: You may proceed.
MS. MICHAEL: Thank you, your Honor.
DIRECT EXAMINATION
By Ms. Michael:
Q. Mr. Muchmore, would you state your address for the
record?
A. 5518 17th Avenue Northeast, Seattle, Washington 98105.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
54
Q. Would you please tell us about your background and
credentials?
A. I have been working in the field of computers and IT
since about 1986, professionally. At the time, it would
be summer jobs or jobs while I was in school, until I got
out. And then I worked in the IT department in Houston.
And in 1991, I moved to Austria to write antivirus
software in the emerging field of antivirus. When I came
back and went to law school, I again worked in IT during
the summers and during the school year for extra money.
When I came to Seattle, I started working for law firms.
So starting in about the year 2000, I formed Muchmore
Consulting, where I began working for a number of
different law firms, that for my business included
providing IT support, networks, but also at that time
helping them with their cases when they touched upon
computer issues, performing forensic evaluations. And
then starting about six years ago, I started working as an
expert witness.
Q. And in the materials we received today, the
plaintiff's expert, I believe her last name is Goodman,
indicated that you have referred work to her. Do you
recall referring work to her, and, if so, can you tell us
the circumstances?
A. There have been circumstances where we have referred
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
55
work to each other. I can think of two circumstances in
which there were drives or computers that needed to be
analyzed in a very timely fashion that just fell right
when I was on vacation, and I asked her to help with
those. I can think of a couple of other instances,
including one very recently, in which the attorney asking
for an expert was very close to me and decided that I
would not work well as an independent expert. So I
referred that to her. There have also been instances
recently in which there were items, say, extracting
e-mails from a server, that Alice has referred to me.
Q. Do you think she is more or less qualified than you in
the field of forensic examination of computers?
A. The work together -- We worked together in one
particular case in which she analyzed drives. And
everything -- my work with her has indicated she is
completely competent and knowledgeable enough to be a
forensic examiner. But I wouldn't have any knowledge that
would say she is more or less so than I.
Q. Thank you. Your resume is already in front of the
court, so I don't want to go into any more detail. I
would like to ask you -- And I know you have a PowerPoint
presentation. Can we talk about CCleaner and what it
does?
A. Certainly. When I first noticed the CCleaner software
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
56
on this machine it caught my eye because I had heard of,
but I was not particularly familiar with it. So, of
course, one of the first items that I did is go to their
website and read about how they describe the software.
The company that creates it is called Piriform.
Q. Before we go any further -- I don't mean to interrupt
you, but let me ask you this: How did it come to
your attention -- I think I left out a little
foundational information. Would you describe the three
disks that you got and how you ultimately came to realize
that CCleaner had been used?
A. Of course. So the initial two CDs that were received
from the Blank Law Firm contained individual documents
that had been -- or other files that had been exported
from their forensic toolkit software. So those were the
initial two. But then the third CD, that I believe was
March 1st, included what I understood to be a complete
file listing of all the different objects in their
forensic toolkit database, which represents what it found.
Now, that listing did not include the contents of the
files or the contents of anything, just the metadata about
the files.
We were also provided with the registry information
from that computer. The registry is the database that
Windows maintains that lists settings. It lists the color
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
57
of your background, it lists the positions of your icons,
but also individual software programs that run on it, not
by Microsoft, but Adobe Acrobat, or in this case,
CCleaner, can actually store their settings in that
registry.
Q. So it wasn't until March 1st that you were provided
any information that gave you the knowledge that CCleaner
had been utilized; is that right?
A. No. Yes. Excuse me. That is right, I had not.
Q. Let's talk first, and use your PowerPoint as you need
to to discuss CCleaner, what it does and why it was of
concern to you?
A. What I determined about CCleaner was first by looking
at their website and how the software company described
the software. I also read some third-party reviews. And
then I conducted a number of tests where I actually ran
CCleaner on a test computer to see how it behaved. As the
company describes it, it is a free program designed to --
they mention to protect your privacy by removing
information from the computer. And basically removing
information is what it does. It is all that it does.
MR. BLANKENSHIP: Your Honor, are we going to go
over old ground with the witness? This is all in his
declaration about what CCleaner is, how it works.
THE COURT: I think on both of these witnesses I
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
58
would like to hear the whole story.
MR. BLANKENSHIP: Okay. Sounds good.
THE WITNESS: So three of the items that caught
my attention are the ones that are discussed in this case,
and we will discuss more, are the first items where it
removes the shortcut files.
By Ms. Michael:
Q. And why is that important?
A. The shortcut files --
Q. I am going out of order. Just tell me how you get to
it.
A. Shortcut files -- I will discuss that more in just a
moment. But basically those can include information about
when documents were accessed and where they were accessed
from, and also information about documents no longer on
the computer. It also, "it" being CCleaner, removes the
internet cache files that has information about websites
that someone on the computer has visited, and usually the
contents of those websites.
Q. For example, if I wanted to research how to -- what a
forensic examination of a computer means, and then used
CCleaner, would there be evidence that I had in fact done
that research?
A. Before running CCleaner, there is a great likelihood
that the evidence of which sites you visited you could
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
59
read about and the contents on there. After CCleaner --
As I said, the purpose of CCleaner is to remove
information of that type. So web mail, such as use of
Hotmail or Yahoo Messages, where a person reads the e-mail
through a web browser as opposed downloading in a program
like Outlook or Outlook Express, the temporary internet
files are usually the primary source of information about
usage of that e-mail or what e-mails were accessed.
Q. So all of the Llindell at live dot com e-mails, if
CCleaner was used, what happens to those?
A. I'll have a more detailed description of that in just
a moment. The third option that we have discussed is that
it has the option to wipe information about files that
have already been deleted from the free space of a
computer. And I will show some more information about
that also.
So the first item is the shortcut files. So basically
what a shortcut file is, as Mr. Yeh testified, it is just
a file in the background that has a dot LNK. You usually
never see that. It just refers to another file on the
computer or a file that was accessed from that computer.
It shows -- I think I just mentioned this, it can show
to a forensic examiner documents that had been on the
computer, but no longer are on the computer. It can show
oftentimes documents that were accessed from a USB drive
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
60
or a CD drive, and instances, including times and dates,
about when a document that is still on the computer might
have been actually accessed that would otherwise be lost.
Each case is different, each examination is different,
but there have been examinations in which the shortcut
files that I am referring to were the primary piece of
evidence that was useful in conducting time lines about
documents and what was added when.
Just to show what these shortcut files are, why they
are there: They are not in Windows, as far as I know, to
assist a forensic examiner. That is just a side benefit.
So on this particular test computer, I just created a Word
document. At the very top you can see that I actually
called the document -- This is another Word document, and
wrote that in the body. So if you would advance?
I am logged on in this case as User1. In the folder,
"My Documents," which is just a predefined folder that
Windows sets up as a convenient place to put documents, I
have saved the Word document. And this is another Word
document. And you can see it has information about when
these files were created and when they were modified. So
the first document was both created and modified at 7:36.
This is another document created at 7:37, and last
saved -- modified at 7:38.
Now, if you click the start button, which is missing
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
61
off of this screen, by default Windows XP has a little
section here that says "My Recent Documents." And if you
click on that, then you can see these two documents.
In this case it is a pristine test computer that I had
just loaded Windows on. So there were no other documents
here. But you can see these two particular documents that
I had opened up in Word. And this is the reason that the
shortcut files are here. Again, it is not to assist me as
an examiner, as far as I know, but to allow the user to
see what documents. So, say, you had -- say, both
documents weren't just in the "My Documents" folder, say
they were in different locations or different areas, it
can kind of nicely put all in one location where those
documents are so that someone can go back and pull them up
again.
In this case, I held down the shift button and pressed
delete to delete the document. And the significance of
the shift button is it bypasses the recycle bin, so it
actually deletes it. At that point the document has been,
in the parlance I would use, deleted from the computer.
There are no normal means that just a normal user without
using specialized software could use to get that document
back.
But when I click the start button you can see that
that reference to "this is another Word document" is still
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
62
there. The shortcut file that provided that documentation
about the recently used documents did not go away when I
deleted the document.
Now, this folder is a little different. It is a
folder that is normally hidden from the user. But you can
see that it is referring to User1, which is the person
that -- the user name that I was logged in as. And then I
went to the hidden folder of "recent." And in this case,
it shows the shortcut file. This is another Word
document.
It also shows the date -- not the date the document
was created or the date that the document was modified,
but the shortcut file itself. So, unfortunately, in this
example they mirror what was there for the document. But
say I created the document yesterday, and then I opened
the document today, the shortcut file might have
information about it.
Now, you can see here that the little icon has this
little arrow. It is showing Windows as hiding the dot LNK
extension, but you can see from this little arrow that
this is not a Word document, it is one of these LNK files.
Go ahead. When I clicked "file" in the properties
option, we can see some of the data that is contained
inside this recent document file. And that data is this
target. It is cut off at the end here, but you can see
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
63
that the "My Documents" folder is where that file
originally was located. So even though we are looking at
a shortcut file that is in this "Recent" folder, the
original Word document was located in my documents. So
that is a piece of information we can tell.
If that document of the same name had been located on
a USB drive or a CD drive, there likely would be other
shortcut files there that would indicate that that same
document of the same name was located in those other
places.
So when we are doing a forensic examination, I don't
click on these one by one, but we have software that can
basically find all of these files, and in some cases it is
going to be hundreds or thousands, and just very
automatically create a spreadsheet that tells all these
documents -- dates that they were created, modified,
accessed and also the locations. Again, as I was saying,
in some cases I have been able to create a time line based
almost exclusively on these shortcut files.
As I just alluded to, generally what I will find is --
on a computer that has been continually in service for
four or five years, I will generally find hundreds of
these files. There will be more of these for the recent
weeks or months, but they will usually go back to the
beginning of the computer usage.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
64
I actually just tested this over the weekend. I
logged on to a number of my clients' computers, found some
that were several years old, and confirmed my recollection
that there were cases where I found 800, 900 different
shortcut files.
In this case, I started up the CCleaner software on
this test computer. And you can see on the left the
CCleaner software actually shows the different options
that by default are checked. And I will go over this a
little bit more. One of the items is the recent
documents. That is checked by default.
So I clicked on the button here. So the actual
starting of the program did not clean anything. When I
start the program, it just shows these settings. It shows
what the options are, but it is actually when you click
this "run cleaner" button that it actually starts removing
information off and it pops up this little warning box
warning you this process will permanently delete files
from your system.
So in this case, there wasn't very much information on
this machine, but the circled area I have shows under
"Recent Documents" there were two files, and that those
were removed.
Q. The two files you had created that day?
A. Excuse me. The recent documents referring to those
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
65
two files. So one of those documents was deleted, one of
those documents was still on the hard drive, but those
shortcut links to refer to them were gone. And this is
the same folder we were looking at before, and those two
shortcut files were gone.
So this is a spreadsheet that includes information
from the file listing that was provided from the Lindell
laptop. What I had done is asked for -- I think, as was
alluded to, there were over 700,000 different lines on
this spreadsheet. So to find information I would need to
run queries that would allow me to draw up the pertinent
information.
So what I asked for in this case was link files that
were in a folder called "Recent" in the Lindell profile.
What I found were about 254 different shortcut files.
What I noticed was the earliest of these shortcut
files was created on August 23rd, which I had previously
found, and stated in my declaration, that I had found
evidence that CCleaner program had been run on August
21st.
When I say "the program had been run," at that point
in my analysis I could tell from the registry, and I will
get into this more, that someone had brought up the
CCleaner program. Initially I couldn't tell that anyone
had pressed the button to clean. But to me, the fact that
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
66
abruptly these link files that are 250 and roughly two and
a half months of use, and they abruptly end just within
two days of running that software, suggests that CCleaner
or another program of the same functionality had been run
at that time.
Q. And so there were no link files that predate 8/21 of
2010 or 8/23 of 2010 on the laptop; is that right?
A. Well, link files, as we said, are used for other
purposes. They are used to show the programs in your
start menus. But there were not any located in the
Lindell profile under these recent folders, which
indicated to me that they had been cleaned.
So this is just the bottom part of the spreadsheet
showing many of the lines were skipped. But it actually
goes down to 253. The two is cut off there. It just
shows in that short period of time there was a great deal
of information generated about documents that were
accessed on the computer. But, again, all of that
information prior to that date --
Q. August 23rd?
A. August 23rd, exactly.
So moving on to the next point that I mentioned about
CCleaner, which is the temporary internet net files. So
as you are using your web browser -- By default most web
browsers, including Internet Explorer, which is built into
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
67
Windows, actually store a copy of most of the information
that is downloaded over the internet.
Again, the purpose of this is not to assist the
forensic examiner; the purpose is to speed up your access
to a web page. In most cases accessing information over
the internet can be hundreds of times slower than off the
hard drive. So when you go to Hotmail and it shows you
graphics and information, it downloads those once, and
then saves that information in this cache file.
So this information for use of the forensic examiner
does show information about what websites you visited.
And there is other information that helps with that. It
shows information about the contents of the web pages that
you visited.
So, again, in some cases -- Whereas, in some cases
the shortcut files were the primary piece of evidence,
there have been cases I have been involved in in which
these temporary internet cache contains a picture of what
websites were visited or what e-mails were visited that
was the primary piece of information.
So in this case, as you discussed with Mr. Yeh, there
did not seem to be many e-mails stored on the computer in
a program such as Outlook or Outlook Express.
After talking with you, our understanding was that the
web mail was the primary source for the plaintiff to
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
68
access e-mail. So in that case, we did turn our attention
to what might be showed by these temporary internet files.
And, again, we found that they were discontinued. But I
will discuss that more.
Q. So the Llindell at live dot com, that would be a
web-based e-mail?
A. That is my understanding.
Q. And it would be in the temporary internet files?
A. Well, information -- Think of the temporary internet
files as just a snapshot of what you are seeing on the
screen. So live mail dot com or Hotmail dot com might
have thousands of messages there, but each time you look
at either a directory listing of e-mails or an individual
e-mail, then it is just taking -- think of it as a
snapshot or a picture in time of what you saw on the
screen. So if there is a thousand e-mails there, and you
have browsed through 30 of them recently, those 30 e-mails
would be, most likely, snapshots of those on the computer.
So it can store the messages, the contents.
It very often also includes the attachments to files,
because if you double click on the attachment to a file to
open it up, say, in Word, it has to download it first,
store it on your hard drive, and then open it up. So it
will usually keep that information.
So I created just for illustration purposes a Hotmail
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
69
account. I logged in. It was AH Muchmore at Hotmail
dot com. And then I sent myself 2 e-mail messages. There
was a third e-mail message that was already there that was
a nice little welcome.
So I opened those -- I didn't get screenshots, but I
opened those e-mails and viewed them on the screen. And
in doing so, when I went to look at the temporary internet
files, I found that just that activity had created 138
different files. Now, most of these files didn't contain
any words or text from it, but some of them did.
The place these were located, again, you can see these
are stored in the user profile for User1. So all of this
activity that is being stored is being stored in my User1
profile and in folders underneath. You can see the
folders are local settings, temporary internet files, the
content IE5, IE standing for Internet Explorer, and then
there is a folder that has sort of an eight-character
pseudo random number. So this is a snippet of these
files; not a complete listing, but just shows what they
look like.
This is a little harder to read. But this is a
snippet of the temporary internet files from the Lindell
laptop. Again, what I -- the method I used to extract
these was to look for files that were in a folder under
Llindell, and also under a folder that had temporary
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
70
internet files.
Q. If I could interrupt you now. I wanted to ask you
about Exhibits 2 and 3 to Ms. Goodman's declaration.
Would this be an appropriate time?
A. Let me finish the one note. It shows here creation
dates and modify dates. It shows that this folder,
temporary internet files, was created in 2006, which was
probably around the time the laptop was put in service.
But it also shows that some of these were recreated on
August 21st, which to me, in the tests I ran, was
consistent with the operation of CCleaner.
When I ran it on my test computer I found that some of
these same files were dated at the time. Not that
CCleaner actually popped up on the screen to look at the
options that I showed you, but when the actual button to
run the CCleaner program and remove files was run.
And then I noticed that it was down on -- basically a
little bit on the 28th, but on August 31st and later we
started seeing a rather complete listing of these
temporary internet files. That suggested to me that web
browsing was taken up in earnest on this computer again
starting at that date, August 31st, and appeared to
continue until the computer was turned over to Blank.
Q. Is this a good time for the Goodman declaration?
THE WITNESS: Yes.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
71
MS. MICHAEL: Your Honor, may I have exhibits
marked?
THE COURT: Yes.
By Ms. Michael:
Q. Which page would you like to start with, Mr. Muchmore,
of Exhibit 2?
A. I think the page marked 3 of 4.
MS. MICHAEL: I think I need to hand a copy up to
the court. May I approach?
THE COURT: What is it?
MS. MICHAEL: This is Exhibits 2 and 3 to
Ms. Goodman's declaration, filed this morning.
THE COURT: I have it. Thank you.
By Ms. Michael:
Q. All right. Mr. Muchmore.
A. The page that I have shows 19 of 22 and Page 3 of 4.
Basically it shows a folder listing from a Hotmail
account. As I said, this isn't most likely a folder
listing of the account as it exists now, but a snapshot in
time of the moment it was viewed.
It shows the dates of August 2009, and then
August 25th, and yesterday, and then another day, which
suggests to me that it was probably viewed in August
of 2009.
So you can see here, if you go down about ten items, I
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
72
just picked a random item, there is one that says it was
from TicketMaster, and your ticket order, and gives a
ticket order. And then there are several orders before
and after that, other messages.
Now, two pages later, maybe three pages later, there
is a snapshot of this same Hotmail account, which I
understand was just taken a few days ago. And one of
those messages is highlighted. But what I noticed is
several of these other messages that were on the previous
page I showed you are also on this page. And that
basically means that they were not deleted.
What I was able to -- at least it appeared, it is not
a very rigorous analysis, but this seems to show that
there was an e-mail from TicketMaster that existed in that
e-mail box in August of 2009, that does not now.
Q. And this is in the B. Hansen e-mail account; is that
right?
A. Correct. So there is no reason -- I am not
suggesting that deletion is relevant to this case, but I
just think that is a good illustration of the way that we
can use this, that is, can be a way to find out if there
was an e-mail that someone forgot about or who knows what
that had been deleted from that account, is no longer
there. But it is important evidence that can be found
that indicates that file -- that message was there once.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
73
So what happened is, since these temporary internet
files had been cleaned off of this machine, we lost
potentially a tremendous amount of information about which
items had been in that e-mail address and were no longer
there.
So the third point goes to kind of a description. You
have heard of descriptions of deleted files, wiped files,
free space and such. What I am trying to do here is just
give a little bit of information about what this all
means.
Basically what you are looking at is a simplified
version of a hard drive. It is just a platter, like an LP
or 45 record. And the information is actually on that
disk, and it has a hole in the middle. A hard drive could
hold billions, dozens of billions, and modern drives
trillions of pieces of information. That is too much even
for a modern computer to deal with individually. So the
information is gathered together into sectors and
clusters, which are units of data, in which a file might
be stored. So in this case, I think I have 32 different
sectors of data, and that is each of these items, each of
these little blocks.
So in this case, a Word document might be in this
block. The Word document itself might only occupy half of
it, and the rest of it is extra. Windows will still
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
74
allocate this whole block to the Word document so it
doesn't have to keep track of too much information.
So here the dark blocks indicate areas that have files
on it, the light blocks are empty or free space.
This black box, and I am simplifying a little bit, but
basically this one box is containing the information about
all the files stored on the computer. So this is our file
table. I am mimicking the "My Documents" folder that I
showed you a few slides ago. There was a hidden file
called "desktop" and then "Word document." This is
another Word document.
Basically what is contained here is the titles of the
documents that are on the machine. And that is where the
information about the create date and modified date is
stored. It also is pointing to the location on the drive
where the contents are stored.
This black box that I told you about that has this
listing, it doesn't have the contents of any Word
documents. It doesn't have the contents of any web caches
or the target or link files. All it does is tell that
information about where the computer can find it.
Just as I illustrate here, the contents of the Word
document are in that little yellow box.
So what happens when I deleted an item, it didn't
remove any of this information that we are looking at
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
75
right now. It just drew a little virtual line through
that listing, which told Windows that, first, that
document is now designated deleted, and, second, that
yellow spot which was dark and actually used is now a
light spot that is available for wiping.
So if I deleted my file, and then at the moment I
deleted it I yanked the power cord out and didn't do
anything else, that is probably fully recoverable. The
information about when it is created, when it is modified
and the title is probably recoverable, and the free space,
just because it hadn't had the opportunity to override it.
But then what starts to happen is, as you use your
computer, even if you don't create a document or save it,
Windows will start to create files in the background,
temporary internet files, shortcuts, log files, other
information. It is just going to pick a place to store
the file information. And the next one that is created
might overwrite. This is another Word document. Or it
might overwrite a different one. Likewise, it might
overwrite this area of the hard drive or it might
overwrite this area. There are no certainties about which
ones will be overwritten. There is just -- We know that
they will be overwritten, and the more you use the
computer, the more activity there is, the more this
information is going to be overwritten.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
76
So what we were discussing in wiping free space is not
the same type of free space wiping or the same type of
wiping operation that was discussed by Mr. Kaser for
wiping those hard drives. So that is, if you want a hard
drive, and have absolutely nothing else, you need a
relatively unsophisticated program to just write zeros
over the whole hard drive.
As far as I can tell, what is a little more -- what is
a little more tricky for software is to have a program
that just overwrites the free space without overwriting
the other information.
When the free space option is checked, what the
CCleaner purports to do -- I have not tested -- I have
tested the operation of some cleaning software, but I did
not do this one. What it purports to do is actually go in
and just take the contents of all these files. So,
whereas, if the wipe free space had not been run, I would
definitely expect, after a bit of time, much of it, most
of it, some amount of it would have been overwritten. The
wipe free space just takes it a step further and says all
of it is going to be overwritten. At least that is how it
is designed to work.
Q. We will talk about the two purposes of CCleaner, the
regular options, and then the wipe free space very
shortly. What is next?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
77
A. This section just goes more to what I found, both in
the way the CCleaner operates and what I found on the
computer. So basically it is software that can be easily
downloaded, displays these options and we will see how it
is used.
What I did was actually -- I actually downloaded it
onto this computer. I didn't download the newest version,
I downloaded what appeared to be the version that was on
the laptop at the time that it was turned over to Blank.
I actually ran some of the other versions just to test
it out, but this is version 2.33.1184. And when you first
run it, what it shows you is, as I mentioned before, the
information that it is proposing to clean. And these are
the Windows options. Some of these are checked.
And I believe the next slide shows some other
applications. It can remove information regarding
Microsoft Office, such as Word or Excel, and other
information from Yahoo, Adobe, etcetera.
Now, what has happened when we have installed this
software is -- I am showing you something that people
would normally never see when using their computer; and
that is the registry. And this is using the registry
editor, which is just a program that is built into
Windows.
And as I was saying, the registry is a database of
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
78
information just about the computer, the setup, the way
programs run and operate. Typically it doesn't store
content or data, but just information about the program.
And what happened on my computer is it created this
CCleaner section in software, which is generally -- that
section is reserved for -- not Windows to write to, but a
program to write to about itself.
Q. And that's how you could tell that CCleaner was used
on Ms. Lindell's computer; is that right?
A. That's how I could tell it was installed.
That was in the machine section, which is common to
all users.
And then in this section there is an area called H key
current user. The way that is designed, starting with
Windows XP, for different people to log onto a computer
using a different account. In this case I had User1 or
admin. But you can see different wallpaper, you can have
different Outlook e-mail, you can have different settings.
And that is -- You can also -- If you go to the "My
Documents" folder, you can see different documents. That
is accomplished by having these different user profiles.
The heart of this is having this section of the
registry that shows current user. Any settings here apply
to that user, but not the other users on the computer.
Q. Are you talking about the use of CCleaner only
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
79
applying to the user profile?
A. Well, I am mentioning that this folder for Piriform,
and the one under it for CCleaner, this is generated under
this user profile. The other user on this computer did
not contain any information. What we can use this for is
to tell some information about what user -- the person
that was logged into the computer, when they were running
the CCleaner software.
So in this case, before I had even run -- when I first
run it, before I had done anything with it, it shows me
the language I selected, the installation, which is 1033,
which is the Windows code for English. It shows this
update key information. In my testing I wasn't able to
see what that update key referred to, but when I installed
or used it under a profile for the first time, it did list
that update key with the date and time. So in this case I
was on March 19th at 2:46 p.m.
It also created -- This is where -- That was the
database of information about the software. It also
created a folder. It shows the date and time that folder
was created. It shows when the CCleaner folder and
program files were copied onto that machine.
MR. BLANKENSHIP: Your Honor, I can shortcut this
a little bit. We are not disputing that CCleaner was run
in the most basic form. All of this is stuff we have
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
80
stipulated to. What we are disputing is whether or not
the free space was wiped. None of this is disputed, what
is being said so far.
THE COURT: I think it goes beyond the free space
was wiped. We have got shortcuts, temporary internet
files. I am going to hear this, because it goes to the
very heart of the dispute.
MS. MICHAEL: Thank you, your Honor. It does.
Go ahead, Mr. Muchmore.
THE WITNESS: I will try to speed it up here. I
went back to CCleaner and clicked on the option for old
prefetched data. What happened is, at that time, under
the user profile for User1, it created that entry for old
prefetched data.
In several tests I ran what appeared to happen
is, under a particular user profile, when someone changed
one of those default options, either by turning one off or
turning one on, it created a registry key of that name,
and showed true if it was checked or false if it was not
checked.
By Ms. Michael:
Q. What is prefetch data?
A. Prefetch data is information about what programs have
been run on the computer and when. It contains
information about how often I run Paint versus Adobe
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
81
Acrobat versus Angry Birds or some other program. The
reason it is there, again, is not to help a forensic
examiner, but it can tell information about what and how a
computer was used.
So I went through and clicked on all of these advanced
options. And then what happened is it showed all of these
advanced options, and it showed that I checked them all as
true.
So in my test case I clicked on the run cleaner
button, and it popped up a warning to let me know this
will permanently delete files from your system. Again,
removing data from the system, as far as I can tell, is
what CCleaner does. That's all it does. It is just
giving you that warning. I clicked okay. It started to
give me a progress bar. And since in this case I had
selected wipe free space, it took a few minutes to wipe
the free space.
So when it was done, you can see that on this test
computer, it removed 451 temporary internet files, some
temporary files. I am not sure if there are any shortcut
files at this time. And that process, including wiping
this computer, took six minutes and 45 seconds.
So the time taken to wipe a computer, six minutes is
on the fast time. It can take hours to do. But there
have certainly been instances, say, for a case I remember
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
82
a couple of years ago, I was requested to wipe the free
space on eight different computers because people had
copied information they shouldn't have. And the time it
took to wipe these actual drives for these people ranged
from a few hours to, in a couple of the cases, less than
ten minutes, to actually wipe the free space. It just
depends on how much empty space -- It is not how big the
hard drive is, but how much empty space is on that
computer.
So I unchecked the option to wipe free space. I think
I have it slightly out of order here. But basically at
that point it changed the wipe free space to false. I can
tell at some point I clicked on that wipe free space
option because it appeared. The appearance of that entry
showed me it had once been clicked and then it had been
unclicked.
I am now looking at some of the same registry
information, not through the Windows program but through a
forensic software, the access data software. And the two
things that it does that the Windows software doesn't do
is allow me to view registry information from another
computer, but it also tells me this last written time.
This last written time for this CCleaner key in the
machine section seems to correspond with when CCleaner was
first installed. In this case, it was 21:45 Universal
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
83
Time.
One thing that bears keeping track of is, a lot of
these stamps are created with Universal Time, which is
seven hours ahead of Seattle in Daylight Savings Time, and
eight hours otherwise. So in this case it was seven hours
ahead.
Now, this portion of the computer registry is the
registry -- it shows it at a different name, but it is the
registry for the user in which I was logged in.
It shows that this key for the Piriform software -- it
again shows that essentially in my test, but usually
within a second or two of the other one, the other key for
the entire machine.
So now we are going back to looking at the final
version of my registry after doing the operations of which
I showed the screen save. Again, it shows this wipe free
space had been clicked on, and then I unclicked it. So
basically from all the tests I ran, it appears -- and this
is not inconsistent with other software I had seen, that
if no one ever clicked that option, that option just
doesn't appear. If someone clicked on it and then
unclicked it, it shows it as false.
Go back one. Lastly, is this -- This time, for the
CCleaner, seems to like -- I don't know that it pins it
down exactly, but it doesn't seem to correspond with the
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
84
installation of CCleaner, but seems to correspond with its
actual usage.
So this is the Lindell laptop. Again, this is showing
on the machine portion of the computer the CCleaner was
created. And this is showing at March 11th. And it is
showing 8:40 Universal Time, which would correspond to
12:40 Seattle time. I put a little footnote in my
declaration that these times -- saying this indicated to
me that this was done at 12:40 was resting on assumptions
that oftentimes I can verify, but I could not at this
time, that the forensic toolkit software that Blank used
was set certain ways, that the computer was set with the
correct time zone, et cetera. But that's what it seems to
be showing me.
So this is the administrator profile of the Lindell
laptop. And, again, the creation of this registry
information was -- on the administrator profile seems to
match up to the time that the CCleaner was first
installed. So from this information, it appeared to me
that the person who was installing the CCleaner software
was logged in as -- when they went to log into the
computer, were logged in as administrator.
And this is what I based my -- based the portion of my
declaration -- where I mentioned at that time on March
11th, someone had selected all of these advanced options,
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
85
and then unselected the wipe option.
Now, what I thought was interesting is that -- I don't
have a screenshot here, but there was information in the
program files that showed that the CCleaner was later
updated. But in the Llindell profile in August, this time
someone logging in -- these keys were first created on
August 21st by someone logging in as Llindell.
Q. So in March, somebody logged in as administrator and
ran CCleaner, and in August, somebody logged in as
Llindell and ran CCleaner?
A. That is what it appears to me. Go ahead. Do one
more.
The one item that I thought was very interesting is,
in all of my tests, the settings -- if you set up CCleaner
while logged in as one user, and then run it as another,
none of those settings as to which boxes were checked or
unchecked seemed to carry over from one user to another.
So the fact that these show the same options suggested
to me that, independently, when someone logged in as the
other account in August, they went through the same
routine of checking all the advanced options, and at some
point after that was checked, unchecking it again. So
basically twice the election was made to check that
option, and then to uncheck it again the next time.
Q. And so if there were more than one user on this
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
86
laptop, what is your understanding of what would happen if
logged in as Llindell when the boxes are checked? What
happens to the other user's information?
A. I will show you that in a moment. I think it is the
next slide. That was a question that came up. I went to
their website and looked at the CCleaner "frequently asked
questions." It showed -- it had the question, "Does it,"
being CCleaner, "clean all the user accounts on the
computer?" So the question being: If you are logged in
as administrator or M. Kaser, does it clean the
information from those subfolders for the other users? It
says, "At the moment CCleaner supports cleaning the
current user's account only." Basically what that is
telling me is that CCleaner doesn't clean the information
from the other account.
But I didn't trust it, so I ran a test. I logged into
my test computer as administrator, ran CCleaner, and see
that it cleaned 146 temporary internet files. So I went
to the temporary internet files for administrator, and I
found that the files that were there were in fact gone,
and what I had found before, that some of these files that
track information were created. But then I found under
that User1, the temporary internet files were still there.
So basically my takeaway from that is that in March,
when it was -- when the CCleaner was run under the
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
87
administrator profile, it would not have likely removed
the temporary internet files or the shortcuts for the
Lindell log-on or the Llindell log-on, but when that was
run in August, it most likely did.
Q. So if Ms. Lindell on March 11th or March 12th had
advised the court that CCleaner had been run on part of
the computer, and then thereafter not used the computer
any further, what is your expectation of what kind of
information we would have today?
A. My expectation is, just from what I have seen, is that
those temporary internet files, those shortcut files, that
information would have been, just under the normal usage
of the computer, as if the CCleaner essentially had not
been run, at least according to that log-on.
Let me just say, it appears that most of the activity
over the last two or three years had taken place under
that log-on of Llindell.
Q. Go ahead.
A. That was it.
Q. That's your last slide?
A. Yes.
Q. Do you have any information that indicates to you --
Whether or not the free space was wiped or not really
isn't the total battle here. Do you have information that
tells you whether it was or was not wiped?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
88
A. From the information we have, it has been hard to see
whether it was wiped. In this case, unlike most of the
forensic examinations, we did not have access to the
actual computer itself. We received these file listings.
From the file listings that were received, there were not
a large number of data card files or there were not a
large number of deleted files, which would be atypical.
Now, it is unclear to me at this point whether we just
did not receive a complete listing from the Blank Law
Firm, or whether there weren't very many files. So
basically I tried not to use that information on making
this judgment. I put forth the information about the
options that were selected, what we were able to tell just
from the use of CCleaner, and made inferences from there
as to whether someone actually clicked on that wipe option
or not.
Q. Regardless of whether they wiped it, and we will talk
about what information you would need at this point to
determine if they actually did wipe the computer, what
information was deleted simply by the running of CCleaner
in both March and August?
A. Particularly after the August, but in the March,
again, the way -- from the slide that I showed you that
had the picture of the hard drive, as soon as a
computer -- as soon as a file is deleted, then that puts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
89
it available for overwriting.
Basically, as I mentioned on the temporary internet
files, for example, what I will normally see when I look
at a machine are many files from the last few months, and
I will see some from older periods of time. I showed you
that little subfolder that contains files. Sometimes
Windows or Internet Explorer just seems to forget about
one of those and leaves it there. So two or three years
later I will look at the computer and there might be a
very complete record of the web browsing/surfing from two
or three years earlier, and it might be spotty from other
times.
So basically as soon as these files are deleted,
whether wiped or not, they put them available for free
space where the information about the timing of it can
start to be overwritten, the information about the
contents of it in free space is much more difficult to
access at best, but will start to be overwritten at worst.
If you delete a thousand files, and use the computer, and
come back three months later, some percentage of those
files are going to be irretrievably lost. It just varies
under the circumstance how many, but there would be some.
Q. And the use of CCleaner did what to that ability?
A. It would greatly accelerate, at the very least, the
rate at which this information would be lost. Again, had
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
90
CCleaner not been run, I would have expected to find
shortcut files going back for four or five years. I would
have expected to find these temporary internet files.
From what we found, there is very little information
there. My expectation is that was due to the effect of
CCleaner.
Q. I asked Mr. Yeh about the numbers after approximately
520,000 in the forensic toolkit ID that we were provided.
If they don't match the produced or the privilege log for
file listings, do you have any idea why that would be?
A. The only explanation I can think of -- the only one
from my experience is that once those numbers are created
in a case, they don't change. So all I could think of is
that case was rescanned, and that somehow the options or
the files that it found were different the second time it
was scanned from the first time it was scanned, so that
there might have been files on one listing that were not
on the other listing.
Q. There are documents in the production and privilege
log that do not appear on the file listings. Do you know
why that would be?
A. No. The only two explanations that I have been able
to think of are, one, the rerunning of the file listing
occurred after those files were given to the Blankenship
firm for review and did not appear, or that, second, we
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
91
did not get a complete file listing from the forensic
toolkit software.
Q. If we wanted to determine whether or not the computer
actually had the wiping feature activated and utilized,
what would you need to do that work?
A. It can be hard to determine. Sometimes by giving the
full image of the computer to analyze. Sometimes you can
just see absolute evidence that this must have been wiped.
But in most cases -- It is hard to prove what is not
there. Since the wiping removes information -- again, it
is not always impossible, but most times it is very
difficult to look at that -- to even look at the free
space, particularly if it has been used for several weeks
afterward, and make that determination.
So if you asked me, this computer, was this wiped
yesterday before it had been used much, then the answer is
probably yes. Whether you could determine whether it was
wiped after several more weeks of usage, maybe you could,
maybe you couldn't.
Q. And if somebody had activated the wipe button, and
then a few minutes later decided not to do that and hit
the don't activate the wipe button, what would happen?
Can you interrupt the wiping process, I guess?
A. I tested that out, and did. If I checked the wipe
free space, and hit the button to start cleaning the
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
92
computer, it gave that progress bar. In my case, it was
only six minutes. But I wasn't able to hit cancel on that
option, and then at that point about half of the
information in the free space presumably would have been
wiped. I was able to uncheck the wipe free space button,
run the CCleaner again, and it just removed the
information and left that computer half wiped.
Q. I've got this document with the small print. Can you
tell us, in general, what is this document, and is it
useful to you?
A. That was a spreadsheet that I created from the file
listing that included what seemed to be actual document
files, Word document spreadsheets, PDFs and the like, from
the user-created areas on the computer.
Most of those listings are documents that, if a person
turned on the computer and logged in as Llindell, they
would see.
Q. So these are still available on the computer, but
information CCleaner removed is no longer available for
review?
A. Right.
MS. MICHAEL: May I mark this, your Honor, and
pass it up to the court?
MR. BLANKENSHIP: I object to her passing
something up to the court that I can't --
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
93
MS. MICHAEL: I will make a copy.
THE COURT: Do you intend to question the witness
about it?
MS. MICHAEL: I was not going to ask --
THE COURT: Why don't we mark it as an exhibit?
MS. MICHAEL: I have a copy. Sorry.
By Ms. Michael:
Q. In browsing through that, did you find evidence that
there was a fair amount of work on the computer involving
the Lindell lawsuit?
A. From my basic understanding of the lawsuit, there did
seem to be some folders, such as a folder called
"mediation," and several folders underneath it that --
again, my understanding of the lawsuit is somewhat basic,
but did seem to be related to the legal work or related to
the underlying items that the case is about.
MS. MICHAEL: I will leave it for the court to
peruse to see how much of that does relate. Did I forget
anything, Mr. Muchmore?
THE WITNESS: Not that I can think of.
MS. MICHAEL: Thank you. No more questions.
THE COURT: Before you get started, let's take a
moment here. May I safely assume you are not going to
finish your cross-examination of this witness and put on
your expert by 4:30?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
94
MR. BLANKENSHIP: That is probably safe. I am
feeling bad about Blake Weibling, who is sitting outside.
I wish we could get him on today before the day ends and
he has to miss work again.
THE COURT: I am sure you will be handsomely
compensating him.
MR. BLANKENSHIP: I don't know about
"handsomely."
THE COURT: Why don't you go ahead and step down
for a moment? Mr. Blankenship, why don't you have a seat.
We will do this informally. You can talk by sitting down.
We are not going to get through today. I think
that is obvious at this point. The next opportunity that
I have to see you is next Monday at 10:00, which is your
pretrial conference. I think you are slotted for an hour
for the pretrial conference.
Mr. Blankenship, do you know how many witnesses
you are going to call?
MR. BLANKENSHIP: I had planned on calling three
witnesses.
THE COURT: When in doubt, always ask the
parties. Mr. Blankenship, how would you like to proceed?
Do you think we can get Mr. Weibling through your direct
examination?
MR. BLANKENSHIP: Yes.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
95
THE COURT: How long will that take?
MR. BLANKENSHIP: I don't think it will take --
With the court's guidance with respect to the declaration,
I can get him on and off pretty quickly.
THE COURT: I want to make sure everybody gets a
full opportunity. I have looked at the case law again,
and none of the options are attractive to the plaintiff's
case, and therefore I want to give you every opportunity
that you deserve in order to present your case fully. In
fairness to the City, I want to make sure they have their
opportunity to put on their case.
Ms. Michael, how many more witnesses do you have?
MS. MICHAEL: No more in our case-in-chief, your
Honor.
THE COURT: I suspect you would like to examine
Mr. Weibling, and you would like to examine Ms. Goodman?
MS. MICHAEL: Ms. Lindell and their expert, yes.
THE COURT: I don't think we can have
Mr. Weibling finished today. I would rather hear him as a
block. Why don't we have you start with Mr. Muchmore, and
we will go until about 4:15 and adjourn for the day? On
Monday we will resume with your examination of
Mr. Muchmore, and then go into your case.
I am not inclined to try to express any views,
because, as I tell all juries, you need to keep an open
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
96
mind until you have heard all of the evidence. It is very
important to me that we get this right. If that means
vacating your trial date -- I am not going to rush this
in order to try and shoehorn you in. I have an extended
cocaine importation case starting mid-April. I have two
trailing cases that were set for that. Things move
around. It is my intention to take you as quickly as we
can, as opposed to dropping you to the bottom of the
calendar.
I am hopeful that we are not looking at a lot of
out-of-town witnesses who are going to have availability
problems, since these are all local folks. Is that a
fairly accurate assumption?
MR. BLANKENSHIP: Your Honor, it is. There are
people, though, that are having difficulties with
April 4th. Like Marcella Reed, for example, I would have
to take her very quickly, because she was heading out on
the 6th. Bob Sterbank is in Hawaii. He is not available
until the 13th. It is spring break, so a lot of people
are taking off with their families. That is the extent of
the out of state, but that is the kind of issue we have
been struggling with with witnesses.
THE COURT: Ms. Michael, what is it like in your
case?
MS. MICHAEL: We can have our witnesses
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
97
available, your Honor.
THE COURT: Right now I think your trial date is
in real peril. I won't commit to that, but tell
Mr. Sterbank to buy another swimsuit.
We have your motions for summary judgment, we
have your motions in limine. I am not going to have you
start the trial until you have answers to those, because
you can't. I can't rule on those until I know the answer
to this. This string of dominoes is getting ready to fall
over.
The criminal matter started off at five days, it
expanded to ten days, it expanded to twelve days, it
expanded to 15 days, and then it shrank to twelve days.
The last time they were in here, which was this morning at
11:00, it sounded more like eight days. That will put you
in early May, which will, I guess, get us out of spring
break. I am sure someone is going to say, I have a trial
in King County Superior Court, as another reason why we
can't go then.
No, we are not going to finish today. We are
going to start again on Monday at 10:00.
Mr. Muchmore, you can retake the stand. We are
going to get in 15 minutes of questioning, and I am going
to take a hard break at 4:20.
CROSS-EXAMINATION
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
98
By Mr. Blankenship:
Q. Mr. Muchmore, hi.
A. Hello.
Q. Have you ever been in a situation like Blank Law,
where you basically were doing a forensic exam of a
computer, and the computer was the computer of someone
like Ms. Lindell, and you were dealing with their lawyers
to figure out which documents were privileged and work
product?
A. I believe so. I have been in a situation where I ran
searches, turned it over to one party for privilege
review, and then turned it over to another party, yes.
Q. It is pretty standard that that happens, even when you
are being hired and paid for by the other side, right?
A. These circumstances have not been standard in my
personal experience. Usually it has not been a neutral
third party. Usually I have been able to have access to
the computer, even if I am forwarding it to counsel for
privilege review.
Q. But it isn't uncommon, in fact it is quite typical,
that the person whose laptop is being examined, counsel
gets to assist with culling out privileged work product,
isn't it?
A. To conduct a privilege review?
Q. Yes.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
99
A. In some cases, yes. That has not been in every case I
have been in, or even most.
Q. About how many times have you done like a forensic
examination of a computer, where you went in and carved
out drive free space?
A. I would say I have done dozens of computers.
Q. Ms. Goodman found in the drive free space a document
that was created in 2009. You saw that, right?
A. I did.
Q. And if there had been a wipe of the free space, you
wouldn't be able to recover documents from 2009 from the
free space, would you? If they were in March, as they
alleged occurred, and August of 2010 (sic), you wouldn't
be able to go into the free space in 2009 and find
documents like the exhibit that she attached to her
declaration, would you?
A. Do you mean you go into the free space in 2011?
Q. Yes.
A. And find documents that had been created in 2009?
Q. Right.
A. Yes, I would expect that you could.
Q. Even if it is wiped?
A. Absolutely.
Q. What is your basis for that?
A. It is only wiping the free space. The time the
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
100
document is created is irrelevant to whether it would have
been wiped in free space. The time it was deleted is the
most important information in that case.
Q. The time that it was deleted. In this case, though,
did you find that document in your review?
A. I found the document in the files that were produced
by Blank, yes.
Q. And those files -- those documents -- those free space
documents were produced January 20th, weren't they, the
first batch?
A. Correct. No. I think we got those February 20th.
Maybe they were January. But, yeah.
Q. If you need to check, that's what I have noticed, that
they were --
A. The first CD batch, yes.
THE COURT: Mr. Blankenship you have used the
term "free space documents." I want to make sure everyone
has a common definition, including me.
By Mr. Blankenship:
Q. The drive free space is where all data goes, even if
it is deleted, correct?
A. From my little diagram -- free space is items that
includes parts of the drive where no data has ever been
stored or parts of the drive that a file was stored and
then that file had been deleted. That's the free space,
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
101
yes.
Q. If CCleaner was ran in March and in August, wouldn't
the document that was the exhibit have been -- if it had
been a temporary internet file, wouldn't it have been
deleted when CCleaner was ran, even without checking the
box for the drive free space?
A. Not necessarily in both cases. That's the point that
I was making about the temporary internet files only in
the profile in which the CCleaner was run. So if most of
this surfing, to use it colloquially, web browsing took
place under the Lindell profile, for example, and the
CCleaner was run under administrator, then at that time it
would not have deleted the temporary internet files from
the Lindell profile.
So, say, in March it was run and wiped the free space
at that time -- This would be one scenario. I can think
of several others in which that document would not have
been deleted in March. But the free space could have been
wiped in March. But since that document had not yet been
deleted until August, the wipe of free space would not
have removed that document. That's one scenario.
Q. Do you know whether or not there were separate
profiles on the computer that were set up by the Lindells?
A. Yes. That was my testimony in my PowerPoint slides.
There were several profiles set up. There were profiles
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
102
for administrator, M. Kaser, others that were used before.
It appeared to me Ms. Lindell had been using the computer.
So it appeared to me that the Llindell profile had been
the one that had been used for most activity since she
received the computer, but in March, the CCleaner was run
against the administrator profile.
So, say, at that time the option to remove temporary
internet files and wiped free space was selected, in that
case it would have only removed temporary internet files
from the administrator account, thus leaving the one that
you found, wiped anything else that had been deleted at
that time. And then, say, in August, when it was run
under the Llindell account, then only at that time, in my
hypothetical, after the free space had been wiped, that
that particular file was deleted. Again, in that scenario
the file would not have been deleted, and thus that would
not have been free space when the computer was wiped in
March.
Q. But it was wiped twice according to you. Not wiped.
Let me back up. I will not concede that.
MS. MICHAEL: Objection, your Honor. Misstates
his testimony.
By Mr. Blankenship:
Q. Isn't it true, according to your review, you believe
that CCleaner was ran on two different occasions? Right?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
103
A. CCleaner was run on two different occasions, yes.
Q. Wouldn't that have been wiped -- Considering that was
the free space, and it was created in 2009, wouldn't the
wipe in August have wiped a document that was created in
2009?
A. Again, that is not what determines what is wiped. It
is not when the document is created that is important, it
is when it has been deleted that is important.
Q. But if I understand -- I mean, I will have to talk to
my expert about that. But my understanding -- You are a
little bit over my head here. But with respect -- You
are saying that even though something was in free space,
that was created in 2009, and even though you are
testifying it may have been wiped twice, that wouldn't be
dispositive of -- a preexisting document wouldn't be
dispositive of there being no wipe, as Ms. Goodman
declared under oath?
A. No. I think she overlooked a number of different
scenarios.
Q. Like what?
A. The first scenario is the one that I mentioned, say,
the free space was wiped the first time CCleaner was run,
but say the second time the removal of the shortcut files
and temporary internet files took place but it was not
wiped. A second scenario that seems possible is that the
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
104
wipe might have been started, but then interrupted at some
point during its operation.
Looking at the information from the declaration of the
person at PC Doctor, that sort of seems to reinforce that
scenario in my mind. He mentioned that he typically does
not wipe the information. It wasn't clear to me exactly
why he would not once, but twice, click on the option and
then unclick on the option. But say he went through and
clicked on all those options, including wipe free space,
clicked on the run cleaner button, and then turned and
looked at something else and expected after one minute all
the CCleaner would have been completed. Say at that point
he realized that he had selected the option, and then
failed to unselect the option, and then hit the cancel
button, that is one scenario in which, even after a few
minutes, thousands of documents would have been wiped, but
not necessarily every document on the machine. That is
the second scenario that occurred to me.
THE COURT: All right. We are going to take a
break at this time, because I have a couple of questions.
When we resume, you are going to resume your examination
having had the opportunity to talk to your expert, which
probably makes better sense than us lawyers.
Is it going to be easier to determine the impact
of the CCleaner program if you are looking at the mirrored
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
105
hard drive that exists in this case or looking at the
three CDs?
THE WITNESS: I think it would definitely be
easier. Whether that makes it easy is hard to say. I
think, again, in most instances in which I suspect a
computer had been wiped, and then it had been continued to
be used for several weeks or months, you can't necessarily
tell anything for sure. But I think it is certainly
possible, by looking at the complete image of it, I could
make a determination. It would definitely give both
myself or Ms. Goodman more information to work from.
There would be fewer hypotheticals, fewer possibilities.
THE COURT: If I asked you and Ms. Goodman the
question of are there people in Seattle who are
technically competent to do that, how would you answer
that?
THE WITNESS: Technically competent to make a
determination about wiping?
THE COURT: Yes.
THE WITNESS: I think the wiping question can
be -- I think the answer is yes. I think the wiping
question can be much more of a -- By looking at the free
space itself -- It can be hard to have an objective
question that has an objective answer. It would be based
to a certain extent on hunches or what the person had seen
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
106
before.
THE COURT: Let me ask you in a different way.
Who is your competition?
THE WITNESS: In the --
THE COURT: In Seattle. Are there other people
that do this besides the two of you?
THE WITNESS: Yes.
THE COURT: How long would it take?
THE WITNESS: I would think that several days
would be enough time. Probably less than that.
THE COURT: Counsel, we will be in recess in this
particular matter until 10:00 a.m. on Monday the 28th. At
that time Mr. Blankenship will resume his
cross-examination, having had ample time to get ready,
which hopefully means that we will be going faster.
Counsel, anything further the court can do today
to be of assistance?
MR. BLANKENSHIP: I guess, your Honor, it would
be helpful to know -- Are you saying you don't think it
is likely we will go forward on April 4th? Should I be
preparing witnesses all next week? Since we go first, it
is important to know the answer to that question.
THE COURT: Sitting here today, I will tell you
that if I am where I am right now, you are not going to
have a trial because I think there is a prima facie case
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
107
put forward that something happened to the computer. I
don't think you are denying the fact that something
happened to the computer. I am not comfortable that I
understand what it is. I can't rule on the motions and I
can't have the trial until I am comfortable with what
happened.
The last two questions I asked the witness may
suggest one alternative that I am considering, which is to
find someone who can have access to the mirrored hard
drive and conduct an independent examination on behalf of
the court. As Mr. Muchmore just said, that may just give
me one more opinion as opposed to an answer. But that
would be helpful. The answer is, I don't think you are
going.
MR. BLANKENSHIP: We have a pretrial lodging date
of Wednesday. We all spoke about moving that until
Friday, just because --
THE COURT: Why don't you not do anything on it.
I am going to relieve you of that obligation at this time.
You can't do a pretrial order until I rule on these
motions. And you can't -- We are back to the same loop,
I can't rule on these motions until I have an answer to
this question.
Counsel, out of fairness, I am not blaming anyone
for putting us in this situation. I understand, not
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Barry L. Fanning, RMR, CRR - Official Court Reporter
Suite 17205 - 700 Stewart St. - Seattle, WA 98101
108
withstanding protestations in the briefing, this stuff got
delivered late. It appears that everyone was diligent in
both attacking the problem and responding to the attack
since that time. It is just that we have a limited number
of hours between when this all started and the very
important upcoming dates, including the pretrial
conference. We will be in recess. Thank you, counsel.
(Adjourned)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
109
CERTIFICATE
I, Barry L. Fanning, Official Court Reporter, do herebycertify that the foregoing transcript is true and correct.
S/Barry L. Fanning
____________________________Barry L. Fanning