RIAA expert Jacobson: full text
p2pnet.net news:- Below is a break-out of the deposition given by RIAA expert witness Dr Doug Jacobson to Ray Beckerman, acting for Marie Lindor in UMG v. Lindor.
Lindor, a Brooklyn, New York, home health aide, is a self-confessed computer fool who doesn’t know one end of a PC from another.
But according to Warner Music, EMI, Vivendi Universal and Sony BMG, the members of the Big 4 music cartel, she’s an illegal online distributor of their copyrighted music.
Go here for the original numbered ASCII text, and here fror a .pdf
“Now I ask the tech community to review this all-important transcript, and bear witness to the shoddy ‘investigation’ and ‘junk science’ upon which the RIAA has based its litigation war against the people,” Lindor’s lawyer, Ray Beckerman, told p2pnet.
“The computer scientists among you will be astounded that the RIAA has been permitted to burden our court system with cases based upon such arrant and careless nonsense.”
This is probably the first example of a case in which members of Net communities, notably people who post on slashdot and Groklaw, actively helped a lawyer frame the questions he needed to ask and, “Were deeply grateful to the community for reviewing our request, for giving us thoughts and ideas, and for reviewing other readers’ responses,” Beckerman says.
This document was created by hand, so any mistakes are probably ours.
If you’re a techie and you have any thoughts on this, Beckerman would like to hear from you. Contact him at rbeckerman[at]anfeliu.com.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>
UNITED STATES DISTRICT COURT EASTERN DISTRICT OF NEW YORK
UMG RECORDINGS, INC., et al,
DEPOSITION of Expert Witness, DR. DOUGLAS W. JACOBSON, held at the offices of Vanderberg & Feliu, LLP, 110 East 42nd Street, New York, New York, pursuant to
Notice, before ELIZABETH SANTAMARIA, a Notary Public of the State of New York.
Reported by: ELIZABETH SANTAMARIA JOB NO. 54123
A p p e a r a n c e s :
HOLME ROBERTS & OWEN LLP
Attorneys for Plaintiffs
1700 Lincoln Street
Denver, Colorado 80203-4541
BY: RICHARD L. GABRIEL, ESQ.
VANDENBERG & FELIU, LLP
Attorneys for Defendant
110 East 42nd Street
New York, New York 10017
BY: RAY BECKERMAN, ESQ.
ALSO PRESENT: ZI MEI
IT IS HEREBY STIPULATED AND AGREED that the filing and sealing of the within deposition be, and the same are hereby waived;
IT IS FURTHER STIPULATED AND AGREED that all objections, except as to the form of the question, be and the same are hereby reserved to the time of the trial;
IT IS FURTHER STIPULATED AND AGREED that the within deposition may be sworn to before Notary Public with the same force and effect as if sworn to before a Judge of this Court;
IT IS FURTHER STIPULATED that the transcript is to be certified by the reporter.
DOUG LAS W. JACOBSON, called as a witness, having been duly sworn by the Notary Public, was examined and testified as follows:
EXAMINATION BY MR. BECKERMAN:
Q. Please state your name for the record.
A. Dr. Douglas W. Jacobson.
Q. What is your business address?
A. 2215 Coover Hall, Iowa State University, Ames, Iowa 50011.
Q. Dr. Jacobson, are you yourself an engineer?
A. Yes.
Q. By what body are you certified as an engineer?
A. By no professional society.
Q. No professional society? Is there any organization that has certified you as an engineer?
A. No.
Q. Are you part of any peer regulatory body?
A. I don’t quite understand what you mean by –
Q. Are you part of any body the members of which are peer-regulated?
A. Can you give me an example of what you are –
Q. A lawyer, an architect, an accountant. I thought an engineer had to be certified by a peer-regulated body.
A. To be called a professional engineer they do.
Q. So are you not a professional engineer?
A. I do not have a PE license.
Q. You are the founder of the Palisade Systems?
A. That’s correct.
Q. What other titles do you hold within that organization?
A. Chief technology officer.
Q. And are you a member of the board of directors?
A. Yes.
Q. Are you a shareholder?
A. Yes.
Q. What percentage of the shares of that company do you own?
A. I believe it’s about 3 percent.
Q. Palisade Systems sells software products to universities, businesses and other institutions that maintain networks; is that correct?
A. Yes.
Q. Do these products include products which are intended to combat file sharing through — we are going to be using that term a lot. Withdrawn. These products include products that are intended to combat peer-to-peer file sharing of copyrighted works; is that correct?
MR. GABRIEL: Objection to form. You can answer the question.
A. Yes.
Q. Is one of the reasons that these organizations buy these products the avoidance of lawsuits?
MR. GABRIEL: Objection to form. Lack of foundation.
A. I don’t — since I’m not on the marketing side, I really can’t testify to why a particular client buys the product.
Q. Have you been quoted in press releases issued by the company as to reasons to buy the product?
A. Yes.
Q. And in those press releases have you stated that one of the reasons to buy the product is to avoid lawsuits?
A. I very well could have. I do not — without seeing one of the press releases.
Q. Is one of the reasons to buy these products to avoid copyright infringement lawsuits?
MR. GABRIEL: Objection to form.
A. That would be a reason to buy one of the products.
Q. And have you specifically referred to lawsuits by the RIAA as one of the types of lawsuits that they could avoid by buying these products?
A. To my recollection, I have not.
Q. Is it true that the RIAA backs the software that was co-licensed between your company and Audible Magic?
MR. GABRIEL: Objection to form. Lack of foundation.
A. I do not know what arrangement Audible Magic and the RIAA have entered into.
Q. Are you aware that an officer of Audible Magic was introduced to government officials in Washington by representatives of the RIAA?
A. No.
MR. BECKERMAN: I would like to mark as Defendant’s 1 a press release from Palisade Systems, Inc. bearing the headline “Peer-to-Peer File Sharing Struggles Intensify in Universities.”
(Defendant’s Exhibit 1, press release from Palisade Systems, Inc. bearing the headline “Peer-to-Peer File Sharing Struggles Intensify in Universities,” marked for identification, as of this date.)
Q. Is this press release genuine?
A. It was released by the company.
MR. BECKERMAN: I would like to mark as Exhibit 2 a one-page press release of Palisade Systems, Inc. dated April 21, 2004. The headline is “Instantly Stop
Illegal P2P With PacketSure 3.”
(Defendant’s Exhibit 2, one-page press release of Palisade Systems, Inc. dated April 21, 2004, marked for identification, as of this date.)
Q. Is this press release genuine?
A. Yes. It was released by the company.
Q. Going down to the third paragraph, which purports to have a quotation from you, would you tell us if that quotation is accurate?
A. Yes.
MR. BECKERMAN: I would like to mark as Exhibit 3 a two-page article dated April 19, 2004 by David Chappelle entitled “Newest PacketHound release eliminates
illegal trading of copyrighted files.”
(Defendant’s Exhibit 3, two-page article by David Chappelle dated April 19, 2004, marked for identification, as of this date.)
Q. Who is Steven Brown?
A. Steven Brown, what was his title? He was our marketing individual at Palisade. I don’t remember his exact title.
Q. Was he authorized to speak for Palisade Systems to the press?
A. Yes.
Q. I direct you to the fifth paragraph and ask you whether that is an accurate statement of something that was said by Steven Brown.
MR. GABRIEL: Objection. Lack of foundation.
A. I have no way of knowing firsthand that Steven Brown said that.
Q. Do you agree with the statement “Some P2P applications can evade certain security tools”?
A. Yes.
Q. Do you agree with the statement of Mr. Chappelle contained in the third paragraph that “Detecting and stopping copyrighted materials from being shared illegally eliminates the liability faced by organizations associated with file sharing”?
MR. GABRIEL: Objection to form. Lack of foundation.
A. Can you repeat the question?
Record read.)
A. Since I’m not a lawyer, I’m not sure I can comment on being a liability and the absolute elimination of it.
Q. I call your attention to the ninth paragraph, starting with the word “instead.”
A. Okay.
Q. Do you agree with that paragraph?
MR. GABRIEL: Objection to form. Lack of foundation.
A. Yes, I would agree with that.
MR. BECKERMAN: I would like to mark as Exhibit 4 an article dated April 21, 2004, of C/net News.Com., entitled “New Tool Designed to Block Song Swaps.”
(Defendant’s Exhibit 4, C/net News.com article dated April 21, 2004, marked for identification, as of this date.)
Q. Do you agree with the statement in the second paragraph, the first paragraph that’s not in bold, which says that the song filtering software is backed strongly by the Recording Industry Association of America, RIAA?
MR. GABRIEL: Objection to form. Lack of foundation.
A. I have no firsthand knowledge of whether or not the RIAA has strongly backed Audible Magic software.
Q. Do you have any reason to believe that they have?
MR. GABRIEL: Object to the form.
A. Could you rephrase the question?
Q. What is the problem with the question?
A. Restate the question and then I will tell you.
Q. You said you had no firsthand knowledge. Now I am asking you whether you have any reason to believe that the RIAA did, in fact, back the software strongly.
A. I have no firsthand knowledge that they have.
Q. Did you ever see this article?
A. I don’t recall seeing the article on the web.
Q. Did you see any articles or press releases saying that the RIAA backed the software strongly?
A. I don’t recall seeing any.
Q. So this is the first you’ve heard of it? Is that your testimony?
MR. GABRIEL: I object to the form. He said what he said.
A. I have no firsthand knowledge that they have strongly backed — I don’t have any firsthand knowledge that they strongly backed the software, Audible Magic software.
Q. Do you have any other knowledge that they backed it?
A. Not to my recollection.
Q. Going down to the second paragraph that’s not in bold and the sentences which purport to quote you, would you tell me whether those are accurate quotes.
A. Yeah.
Q. Now, going down to the fourth paragraph starting with the word “during,” is it your testimony that you have no knowledge of RIAA executives helping to guide Audible Magic CEO Vance Ikezoye around federal government offices advocating the song blocking technology as a tool for stopping copyright infringement on file swapping networks?
MR. GABRIEL: Object to the form of the question.
A. Could you please read the question back again.
(Record read.)
A. I have no knowledge that that took place.
Q. What is the relationship, if any, between the RIAA and Palisade Systems, Inc.?
A. There is no relationship.
Q. Has Palisade Systems, Inc. had any dealings with any agents of the Recording Industry Association of America?
A. I believe that our chief operating officer had discussions with the RIAA back in the early 2000s.
MR. BECKERMAN: I would like to mark as Exhibit 5 a press release from ZDNet entitled “File-Swap Killer Grabs Attention.”
(Defendant’s Exhibit 5, press release from ZDNet entitled “File-Swap Killer Grabs Attention,” marked for identification, as of this date.)
Q. Do you know what ZDNet is?
A. Yeah.
Q. What is ZDNet?
A. It is an online publication, is my understanding.
Q. Have you ever used ZDNet for anything other than reading?
A. Personally, not to my knowledge I haven’t.
Q. You’ve never downloaded any software from ZDNet?
A. Not that I can recall.
Q. Have you never heard of ZDNet as a source of software?
A. Not that I recall.
Q. And what is ZDNet News?
A. My understanding is it’s an online publication that I believe they send out to e-mails to the subscribers.
Q. Have you ever had any dealings with the University of Rochester?
A. Define the university.
Q. Excuse me?
A. I don’t quite understand when you say the university.
Q. Have you ever had any dealings with officials of the University of Rochester?
A. Personally I have not, no.
Q. Has Palisade Systems?
A. Personally I have no knowledge of that.
Q. What do you mean personally you have no knowledge of that? Do you have some other kind of secondhand knowledge of it?
A. Not that I recall, but I do not keep close tabs of what the marketing or the sales force does.
Q. Has Palisade Systems had any dealings with the University of Rochester?
A. Not that I recall.
Q. Did the provost of the University of Rochester attend a demonstration of the Audible agic software at RIAA headquarters in January of 2004?
A. Not that I know of, but …
Q. Do you agree or disagree with the statement that the RIAA has helped the company, meaning Audible Magic, gain entree to official Washington circles?
MR. GABRIEL: Object to form. Lack of foundation.
A. I have no knowledge of what the RIAA has done to help Audible Magic.
Q. Is it a fact that Audible Magic entered into a cross-licensing agreement with Palisade Systems, Inc.?
A. That’s correct.
Q. What was the software designed to do?
A. What software?
Q. Song filtering software created by Audible Magic, software that was mentioned in the press releases I just showed you.
A. Audible Magic’s software is designed to examine audio data and determine if it matches a database of copyrighted materials.
MR. BECKERMAN: Would you read back the question.
(Record read.)
Q. Do you feel you have answered that question?
A. I answered the question of what Audible Magic software was designed to do.
Q. Is it song filtering software?
MR. GABRIEL: Object to the form.
A. Define what you mean by filtering.
Q. What is filtering? Withdrawn. Is it your testimony here under oath you do not know what the word “filtering” means?
MR. GABRIEL: Object to the form. Argumentative.
A. The term has many different uses. I’m trying to –
Q. Is the audio designed by Audible Magic designed for song filtering?
MR. GABRIEL: Object to the form. Lack of foundation.
A. Will you repeat the question.
(Record read.)
A. I can’t testify to what their design team chose to design their software to do.
Q. So is it your testimony that you do not know if this software has any application to blocking song trades on peer-to-peer file sharing networks?
MR. GABRIEL: Object to the form. That’s a different question. You can answer the question.
A. Which application?
Q. The same one we’ve just been talking about. The application designed by Audible Magic, which was cross-licensed to Palisade Systems.
A. The Audible Magic code that was licensed by Palisade does not block traffic.
Q. What does it do?
A. It identifies traffic content.
Q. Is it able to identify song files?
A. It is able to identify — it is able to identify — It is able to analyze files and determine if those files match the signatures that are stored in their database.
Q. And was it marketed by Palisade Systems as something that could identify and stop illegal file trades in real time without any requirement for individual users to be identified?
A. Yes, their code coupled with our code.
Q. And was it marketed by Palisade Systems as something that could block specific illegal file trades?
A. Yes.
Q. Now, you are the chief technology officer of Palisade?
A. That’s correct.
Q. So you would be knowledgeable about technology work between your company and Audible Magic, is that not true?
MR. GABRIEL: Object to the form.
A. Define what you mean by technology work.
Q. Development of computer programs.
Q. Did your company work jointly with Audible Magic to develop the first network appliances that identified copyrighted works on the fly combined with the ability to block individual trades?
A. Our company worked with Audible Magic to develop a product to stop peer-to-peer traffic as identified by Audible Magic’s proprietary code.
Q. And you are testifying here today that you have no idea how the RIAA reacted to this work that you are doing?
A. That’s correct.
Q. Have the press releases issued by Palisade Systems referred to the RIAA?
MR. GABRIEL: I object to the form. Lack of foundation.
A. I’m sure that some of our press releases have probably mentioned the RIAA.
Q. In what capacity?
MR. GABRIEL: Same objections.
A. I don’t recall any direct quotes out of any of the press releases.
Q. Did you ever meet with the CEO of udible Magic?
A. I recall meeting him in just a short meeting when he visited Palisade, but I was not part of the negotiations.
Q. Did you discuss the software?
MR. GABRIEL: The question is whether Dr. Jacobson talked to the CEO about the software? I’m just clarifying the question.
Q. Did you discuss the software?
MR. GABRIEL: I object to the form.
A. I can’t recall whether I did or didn’t.
Q. Have you formed an opinion as to whether Marie Lindor personally uploaded any copyrighted files to anyone?
A. The computer whose IP address has been identified as being registered to Ms. Lindor has been shown to have made songs available, copyrighted material available to the internet community through peer-to-peer software.
MR. BECKERMAN: I move to strike the answer as nonresponsive. Would you read back the question.
(Record read.)
MR. GABRIEL: Is there a question pending?
MR. BECKERMAN: Yes. I’m waiting for an answer to the question. It calls for a “yes” or “no” answer.
MR. GABRIEL: I object. It does not. He answered the question.
MR. BECKERMAN: Are you directing him not to answer the question?
MR. GABRIEL: No, no.
THE WITNESS: Would you repeat the question.
(Record read.)
MR. GABRIEL: My objection was he just answered. You can answer it again.
A. Again, the computer registered to Marie Lindor had made available songs through peer-to-peer software, therefore making them available.
MR. BECKERMAN: I am going to say this once and I am not going to repeat it. We are here, we have a limited time. I am on page 1 of about 40 pages of notes. If this kind of gamesmanship is going to be continued, we will never get through even a fraction of this deposition and we will just have to continue it. But I have no intention of accepting that type of answer. If that’s the way you are going to play this, then we will be here all day. It calls for a “yes” or “no” answer and there is no reason to be playing games in answering a question that was not asked. He will be asked questions that may relate to what his answer was, but he has not answered the question that was asked of him and it calls for a “yes” or “no” and I expect an answer to it.
MR. GABRIEL: It is a nice speech, Ray. The witness answered the question. I object to the characterization of gamesmanship. Because you don’t like the answer doesn’t mean it is gamesmanship. The witness has answered, he has his opinions. And if you want to argue with me or the witness, we will be here all day or we will leave.
MR. BECKERMAN: I am going to ask the question one more time and if I do not get an answer to it, we will eventually seek a ruling on that and we are going to seek a ruling on all questions that we do not receive answers to, all questions to which we do not receive answers to, and then we will have a continued deposition.
MR. GABRIEL: You reserve whatever you want, Ray, and seek whatever rulings you want. The witness answered the question and I submit this is browbeating the witness into trying to get the witness by arguing with me. This is not serving any purpose.
BY MR. BECKERMAN:
Q. Have you formed an opinion as to whether Marie Lindor personally uploaded any copyrighted files, “yes” or “no”?
MR. GABRIEL: Objection. Form. Asked and answered twice.
Q. Dr. Jacobson, would you please answer the question.
A. I have twice already answered the question.
Q. Are you refusing to answer the question?
MR. GABRIEL: Objection. Argumentative. He answered the question.
MR. BECKERMAN: We will seek a ruling on that.
Q. Have you personally formed an opinion as to whether Marie Lindor personally downloaded any copyrighted files?
A. The computer whose IP address who has been identified as belonging to Marie Lindor made copyrighted material available through peer-to-peer software — made the material available through peer-to-peer software.
MR. BECKERMAN: We also will seek a ruling on that and we will seek a ruling on all follow-up questions which would have resulted from a “yes” or “no” answer. I move to strike the nonresponsive answer that was given.
Q. Based upon your examination of the hard drive which you examined, what evidence did you find that inculpated Marie Lindor personally?
MR. GABRIEL: Object to the form. Lack of foundation.
A. Would you please define the second-to-last word.
Q. “Her”?
A. No, “inculpated.” Would you please define that for me.
Q. Do you not know what the word “inculpated” means?
A. That’s correct.
Q. Are you familiar with the word “exculpate”?
A. No.
Q. What is your educational background?
A. Computer engineering.
Q. Well, which school did you attend? Did you get a Bachelor’s degree?
A. Yes.
Q. What school?
A. Iowa State University, science and technology.
When did you graduate?
A. With which degree?
Q. When did you get your Bachelor’s degree?
A. 1980.
Q. Do you have any other degrees?
A. I hold a Master of Science in electrical engineering.
Q. When did you get that?
A. 1982.
Q. Any other degrees?
A. A Doctor of Philosophy, Ph.D., in computer engineering.
Q. When was that?
A. 1985.
Q. And you are associate professor at Iowa State University?
A. That is correct.
Q. And you do not know what the word “exculpate” means?
A. That’s correct.
Q. Based upon your examination of the hard drive which you examined in this case, what evidence did you find that supported or would support a conclusion that Marie Lindor had personally uploaded any files?
A. The hard drive that I examined showed no evidence of any peer-to-peer software or MP3 music files.
Q. So is it correct to say that there was nothing on the hard drive that tended to prove that she had uploaded or downloaded anything?
A. There was nothing on the hard drive that indicated there was any peer-to-peer software.
Q. Hypothetically, had you discovere KaZaA software and song files or remnants of KaZaA software or song files resembling those that had appeared in a screen shot, would that have tended to support a finding that she had downloaded or uploaded copyrighted files?
A. That would have supported a claim that that computer was used to make files available.
Q. So it would have supported a finding that the computer whose hard drive you examined had been used for that purpose?
A. Correct.
Q. It would not have supported a finding, would it, as to whether Marie Lindor herself had used those programs or files?
MR. GABRIEL: Object to the form. Lack of foundation.
THE WITNESS: Please read it back.
(Record read.)
A. That’s correct.
Q. Hypothetically, had you discovered substantial deletions, would that have supported a finding that there had been the use of KaZaA file sharing to download or upload copyrighted files?
MR. GABRIEL: Object to the form. Lack of foundation.
A. Had I found substantial deletions of the KaZaA software and music files, that would have supported it.
Q. Had you discovered that the hard drive had been entirely reformatted would that, in your view, have supported a finding that the computer had been used for uploading or downloading copyrighted works?
MR. GABRIEL: Same objections.
A. Had the computer been reformatted, there would have been no conclusion that I could have drawn as to what was on the computer prior to formatting.
Q. Hypothetically, had you discovered substantial defragmentation of the hard drive, would that have supported a finding that the computer had been used to upload or download copyrighted works?
MR. GABRIEL: Same objection.
A. If that’s all I had found, no, that would not have supported.
Q. So you have concluded that the hard drive that you examined was not used for KaZaA file sharing; is that correct?
A. That’s correct, as I testified or as I — in one of my documents, yes.
Q. Are you aware of any evidence of anything that would point to Marie Lindor personally having done something as opposed to any other person?
MR. GABRIEL: Objection to the form. Lack of foundation.
A. I have examined evidence that shows that the computer registered to the IP address belonging to Marie Lindor was used to share copyrighted material.
Q. But other than that, other than the fact that the computer was used, as you say, is there any evidence to show what natural person, what individual was the one who actually did it?
A. No.
Q. Do you know what processes and procedures MediaSentry employed?
A. I do not know the inner works of MediaSentry processes and procedures.
Q. Do you know what software they used?
A. No.
Q. Do you know if it was well known off-the-shelf software or if it was proprietary software?
A. Again, I do not know the inner workings of MediaSentry’s operations.
Q. Do you know if their software had been peer-reviewed or published or anything like that?
A. Not that I’m aware of.
Q. Have you ever testified as an expert in a deposition?
A. No.
Q. Have you ever testified as an expert in a trial?
A. No.
Q. Have you ever testified as an expert in any other type of proceeding?
A. I testified in front of a school board.
Q. As an expert?
A. Yes.
Q. On what subject?
A. A teacher was accused of viewing pornography at school.
Q. There was no judge?
A. No.
Q. There was no arbitrator or judicial type of person conducting it? It was just a school board?
A. Yes.
Q. Has any judge or jury ever found your methodology to be unreliable?
A. I’ve never been in front of a judge, so no.
Q. Has any judge or jury ever found your methodology to be reliable?
A. Again, I’ve never been in front of a judge.
Q. Has anyone other than the RIAA ever hired you to do a forensic examination of a hard drive?
A. Yes.
Q. Who?
A. That school board. I’m currently working on a –
MR. GABRIEL: Why don’t you wait until the ambulance passes.
MR. BECKERMAN: I don’t think we –
MR. GABRIEL: It may take a while.
MR. BECKERMAN: This is New York, Richard. This isn’t Denver. We could be here all day.
MR. GABRIEL: Just try to keep your voice up.
A. I am currently working on two forensic cases that are ongoing. I’ve done quite a bit of forensic work for law enforcement which I do pro bono.
Q. When were you first hired to do forensic work on a hard drive?
MR. GABRIEL: Just for clarification, when you say hired, does that include the pro bono work he’s talking about?
MR. BECKERMAN: Yes.
A. On a hard drive, probably in the late ’80s.
Q. And who was that?
A. The Iowa State University. I’ve done quite a bit of forensic work helping out various individuals at the university.
Q. What law enforcement agency hired you to do a forensic examination of a hard drive?
A. Again, I did it with no compensation. I do all my forensic exams for law enforcement through the Iowa State University police department. However, they take in cases from other jurisdictions. I don’t always know the jurisdiction that brought the case in.
Q. And they have never used you as a witness?
A. No. We never — they’ve always settled.
Q. Apart for doing things for people at Iowa State University how many times have you been — and apart from the RIAA, how many hard drives have you done forensic examinations of?
A. By outside the university, do you also mean outside the Iowa State Police Department?
Q. No.
A. I maybe misunderstood the question. Can you restate the question or repeat the question?
Q. I will restate the question. Apart from your work for the RIAA and your work for people at Iowa State University, how many hard drives have you been hired to do a forensic examination of?
A. Probably half a dozen. It’s been over such a long period of time.
Q. What software did you use?
A. In the latest ones I’ve been using EnCase.
Q. Which edition of EnCase?
A. I’m using 5.
Q. What did you use before?
A. I would use various Hex editors and then — before it was — before we had sophisticated software. Sometimes I would write software to recover.
Q. When did you start using EnCase 5?
A. I don’t remember the date that it came out. Prior to that I was using version 4.
Q. When did you start using that?
A. Probably about three years ago.
Q. Has anyone other than the RIAA ever hired you to opine on whether a particular computer had been used for uploading or downloading copyrighted works?
A. Copyrighted works?
Q. Yes.
A. No.
Q. How long have you been using your present method of determining whether a particular computer has been used for uploading or downloading copyrighted works?
A. About a year and a half.
Q. When did you learn your present method of determining whether a particular computer has been used for uploading or downloading copyrighted works? Or did you develop it yourself?
A. Clarification. Are you talking about exams on the hard drives or just the process, the entire process?
Q. Well, you have a method, do you not?
A. I have a method for examining hard drives and I have a method for reviewing the MediaSentry material.
Q. So these are two different things? One isn’t tied into the other?
A. They are two different processes.
Q. Okay. So let’s break it down. Your method of — The MediaSentry materials are gathered through the internet?
A. Yeah. MediaSentry gathers the material through the internet.
Q. How did you learn your method of interpreting — withdrawn. Are you able — I am having a little difficulty with this conceptually. You are breaking it down into two separate processes. Is it your testimony that there is a way to detect whether a computer has been used for uploading or downloading copyrighted works without both looking at the MediaSentry material and the hard drive?
A. Yes.
Q. Let’s break it down, then, into two separate things. How did you learn your method of determining from the MediaSentry materials whether a particular computer has been used for uploading or downloading copyrighted works?
A. It was a process that I developed.
Q. You developed it on your own?
A. Yes.
Q. How did you learn your method of determining from a hard drive whether a particular computer has been used for uploading or downloading copyrighted works?
A. Well, the forensic examination process I learned through self-study and through the forensic examiner’s exam.
Q. Now, am I correct that you were doing this for law enforcement before you were a certified forensic examiner?
A. That’s correct.
Q. And when did you become a certified forensic examiner?
A. September ‘04.
Q. And why did you become a certified forensic examiner?
A. Two reasons. One is to be able to better work with the law enforcement and the other is to help support our university’s educational mission, since we teach computer forensics.
Q. Wouldn’t a third reason be that it might give you standing to testify in a court of law as to your forensic examinations of hard drives?
A. That I would tie in with the first reason, to work better with law enforcement.
Q. What about your private work for the recording industry of America?
A. I was a certified examiner before I was engaged by the recording industry.
Q. Isn’t it a fact that you were engaged by the RIAA in 2002?
A. It was in September ‘05.
Q. You were not doing any work for them in 2002?
A. No. My first work for them was in the fall of 2005. I can’t remember my first trip to Kansas City.
Q. And you weren’t doing any work for them in 2003?
A. No.
Q. And you weren’t doing any work for them in 2004?
A. I started working with the law firm in the fall of 2005.
MR. BECKERMAN: Off the record.
(Discussion off the record.)
Q. Has your method of determining from the MediaSentry materials whether a particular computer has been used for uploading or downloading copyrighted works been tested by any testing body?
A. Not that I have submitted.
Q. Do you know anyone else that is using your method, other than you?
A. Not that I’m aware of.
Q. Has your method of determining through the MediaSentry materials whether a particular computer has been used for uploading or downloading copyrighted works been subjected to any form of peer review?
A. Not that I’m aware of.
Q. Has your method of determining from the MediaSentry materials whether a computer has been used for uploading or downloading copyrighted works been published?
A. No.
Q. Is there a known rate of error for your method?
A. No.
Q. Is there a potential rate of error?
MR. GABRIEL: Object to the form.
A. I guess there is always a potential of an error.
Q. Do you know of a rate of error?
A. To my process, no.
Q. Are there any standards and controls over what you have done?
A. No.
Q. Have your methods been generally accepted in the scientific community?
A. The process has not been vetted through the scientific community.
Q. Have you had communications with MediaSentry?
A. Not that I recall.
Q. Have MediaSentry’s methods been tested by any testing body?
A. I don’t know.
Q. Have MediaSentry’s methods been subjected to any form of peer review?
A. I don’t know.
Q. Have MediaSentry’s methods been published?
A. I don’t know.
Q. It’s a fact, is it not, that MediaSentry’s methods are secret?
MR. GABRIEL: Objection of lack of foundation.
A. I don’t know.
Q. Is there a known rate of error for MediaSentry’s methods?
A. Not that I’m aware of.
Q. So when you evaluate the MediaSentry materials you are assuming them to be accurate?
A. Yes.
Q. Is there a potential rate of error for MediaSentry’s methods?
R. GABRIEL: Object to the form.
A. There is always a potential for an error.
Q. Are there any standards and controls over MediaSentry’s methods?
A. I don’t know.
Q. Have MediaSentry’s methods been generally accepted in the scientific community?
MR. GABRIEL: Object to the form. Lack of foundation.
A. Not that I know of.
Is MediaSentry peer-regulated?
A. Not that I know of.
Q. Apart from your work on RIAA litigations against owners of internet access accounts, have you engaged in research on determining whether specific individual computer users engaged in copyright infringement through peer-to-peer file sharing?
MR. GABRIEL: I’m sorry. I lost the question. Could you repeat it, please?
Q. Apart from your work on the RIAA cases, have you engaged in any research on methods of determining whether specific individual computer users engaged in copyright infringement through the use of P2P file sharing?
A. Yes.
Q. And what kind of research was that?
A. Obviously there was some research done through Palisade as part of its product rollout dealing with how to identify the individuals within an organization. One of my grad students also worked on the project to identify users of peer-to-peer software, although that was focused more on child pornography than it was copyright material.
Q. I would like to leave aside research that may have been done by others. I mean to ask whether you personally have engaged in research.
A. Through Palisade as part of product development.
Q. Is that something that is research which is private and proprietary?
A. No. The piece I did is no longer used as the technology, so it’s not.
Q. Was it ever published?
A. No. At the time it was proprietary to Palisade.
Q. And now it’s been replaced by other methods?
A. Yes.
Q. Apart from your work on the RIAA cases, have you engaged in any research on methods of determining whether specific computer hard drives contained evidence of copyright infringement through peer-to-peer file sharing?
A. No.
Q. Do any of your three reports — by “three reports” I’m referring to the April 7th initial report, the December 19th declaration that you signed and the October report which you did not sign. Do any of those three reports discuss the possibility of any alternate explanations other than copyright infringement?
MR. GABRIEL: Object to form to the extent that they speak for themselves. You can answer the question.
A. Please read the question. I didn’t understand.
(Record read.)
A. Alternate explanations to?
Q. Your conclusions.
A. No. I’m sorry. I said, “No.”
Q. Did any of the three reports discuss any alternate explanations other than KaZaA appearing on a file owned by Marie Lindor?
MR. GABRIEL: Object to the form. They speak for themselves.
A. What do you mean by KaZaA appearing on a file?
Q. I’m sorry, I misspoke. Do any of your three reports discuss the possibility of any alternate explanations other than KaZaA appearing on a computer owned by Marie Lindor?
A. No.
Q. Are you, as we sit here, capable of thinking of some alternate explanations?
A. Yes.
Q. Can you think of any possible infirmities in MediaSentry’s methods as we sit here?
MR. GABRIEL: Object to form and foundation. I’m sorry.
A. I don’t have an inner knowledge of their methods so I…
Q. Can you think of any possible security vulnerabilities in the computer that was in Marie Lindor’s apartment?
MR. GABRIEL: Object to form and foundation.
A. Repeat the question. Read it back.
(Record read.)
A. I didn’t examine the hard drive that was given to me for security vulnerabilities, so I can’t attest to what vulnerabilities may have been present in that hard drive.
Q. As we sit here, can you think of any possible security vulnerabilities in the computer that was in Marie Lindor’s apartment?
MR. GABRIEL: Objection to form. Lack of foundation.
A. Read that back.
Record read.)
A. Can you read it one more time.
(Record read.)
A. I’m sure the possibility exists there were security vulnerabilities. Again, I don’t know which ones would apply to that particular computer.
Q. And did your report discuss any of those possible security vulnerabilities?
A. No.
Q. Did you testify at an United States Senate committee in September of 2003?
A. Yes.
Q. Did you make this statement? “In summer of 2000 we introduced PacketHound which is designed to detect, monitor and block unauthorized peer-to-peer applications.”
A. That sounds like — that sounds like a statement I made.
Q. Did you make this statement? “There are no effective controls regarding content provided on a peer-to-peer network.”
A. Again, that sounds like a statement I made.
Q. And did you make this statement? “Both the provider and the requester of the file are not easily detected.”
A. Again, that sounds like a statement that was in that testimony. I don’t have the testimony in front of me, so I …
Q. Did you make this statement? “These technologies are not designed for the home users.”
A. Again, that sounds like a statement that was in the testimony.
Q. Did you make this statement? “This leaves individuals on their own to solve the problems of peer-to-peer networking.”
A. Again, that sounds like a statement that was in the testimony.
Q. Did you make this statement? “Which naturally leaves us to the question, what is the homeowner to do?”
A. Again, that sounds like something that was in that testimony.
Q. Did you make this statement? “Unlike web filtering, where certain sites can be blocked and web access can be monitored, peer-to-peer traffic cannot be filtered based on its content. This leaves a home user no choice but to either allow peer-to-peer activity and all of its associated risks or not allow any peer-to-peer applications on their machines.”
A. Again, that sounds like what was in that testimony.
Q. Are you familiar with Steven Gottlieb of the RIAA?
A. I’ve heard the name but that’s it.
Q. Do you agree with this statement which I will represent to you he made on November 15, 2004 in comments he provided to the Federal Trade Commission?
“P2P services often configure their software to share content by default. What users often do not know is that they may be sharing their tax records, financial records, health records, business records, e-mail and other personal and private material.” Do you agree with that statement?
A. Oh, I’m sorry. Yes.
Q. Do you agree with this statement, which I represent to you was made by Mr. Gottlieb? “As an additional matter P2P software may, upon installation, automatically search a user’s entire hard drive for content, files that users have no intention of sharing may end up being offered to the entire P2P network.”
A. Yes.
Q. Do you agree with this statement which I represent to you was made by Mr. Gottlieb? “Continued sharing of personal information is hard to avoid and is facilitated by confusing and complicated instructions for designating shared items.”
A. Yes.
Q. Do you agree with this statement also made by Mr. Gottlieb? “A study by Nathaniel S. Good and Aaron Krekelberg at HP Laboratories showed that the majority of the users were unable to tell what files they were sharing and sometimes incorrectly assumed they were not sharing any files when in fact they were sharing all files on their hard drive.
MR. GABRIEL: Object to the form. Lack of foundation.
A. I guess I can’t quantify some, most, all. I’m sorry.
Q. Are you familiar with the report by Nathaniel Good and Aaron Krekelberg at HP Laboratories?
A. No.
MR. GABRIEL: When we get to a good stopping point, can we take five? It’s been an hour and a half.
MR. BECKERMAN: Sure.
(Recess taken.)
Q. Your reports state your conclusions; is that correct?
A. Yes.
Q. And they state that your conclusions were based upon — Withdrawn. I shouldn’t lump the three together. The April report states that conclusions were based upon the materials that had been provided to you by MediaSentry plus a few other documents; is that correct?
A. Yes.
Q. Does that report explain how you formed your conclusions from those documents?
A. Not in any detail.
Q. How many reports have you issued for the RIAA?
A. Maybe 200. I don’t know, don’t recall the exact count.
MR. BECKERMAN: I would like to leave a space in the record for that number. TO BE FURNISHED: ____________________________________________________
Q. How many of those reports concluded that there was in fact downloading or uploading of plaintiff’s copyright files?
A. All of the — yes, all of the reports.
Q. How much time did you spend on each report?
A. A typical report takes me about 45 minutes.
Q. And how much time did you spend on the April 2006 report in this case?
A. Without seeing the billing records, I can only guess but I think it was 45 minutes.
Q. How much time did you spend preparing the unsigned October report?
A. That was — not that one. I’m sorry. I was pointing to something on your desk. I probably shouldn’t do that.
MR. GABRIEL: After you looked at the hard drive he is asking about.
THE WITNESS: Okay. Thank you.
Q. Would you like me to show you a copy?
A. No. I just wanted to clarify between the two reports that — Again, without looking at the billing records, I would say probably two to four hours.
Q. And how much time did you spend on the December 19th declaration?
A. Maybe 15 minutes.
Q. If a hard drive had been used for peer-to-peer file sharing with KaZaA, would your forensic inspection have allowed you to see whether a file sharing program had been downloaded or installed?
A. If the program was present on the hard drive, a forensic examination would have shown that.
Q. Similarly, if the hard drive had been used for peer-to-peer file sharing with KaZaA, would your forensic inspection have allowed you to see whether there was a shared files folder on the computer?
A. Yes.
Q. And, again, if the hard drive had been used for peer-to-peer file sharing with KaZaA, would your forensic inspection have shown you whether there were audio files or remnants, or evidence thereof, of the files that MediaSentry had observed?
A. Yes.
Q. Under those same circumstances, would your forensic inspection have allowed you to see whether a party had attempted to delete file sharing programs or other files?
A. Yes.
Q. Now, a dynamic IP address is allocated very often for a short period of time; is that not correct?
A. It depends how you define “short.”
Q. Well, you yourself used that technology, did you not?
A. Yes.
Q. So what is the shortest it could be? There is no shortest, is there? It could be for a split second?
A. A computer can request and release.
Q. It could be for hours or it could be for seconds or –
A. It could be for days, yes.
Q. Would it be possible to have the same dynamic IP address assigned to three people during one minutes?
MR. GABRIEL: Object to the form.
A. It’s possible.
Q. Now, the users of a peer-to-peer network often think they are anonymous when they distribute files. Isn’t that true?
A. In my opinion, a lot of users feel that they are anonymous.
Q. In your April 7th report you say that in reality they can be identified using the IP address. Is that not what you said in your report?
A. Yes, sir.
Q. That’s not exactly true, is it?
A. I guess I’m not clear what you mean by that.
Q. Well, it’s true, is it not, that there can be more than one computer operating under a single IP address?
MR. GABRIEL: Object to the form.
A. As I talked about it in the report with public IP addresses, in order for the internet to function there can only be — every public IP address has to be globally unique within that window of time.
Q. But there can be more than one computer operating behind that IP address?
MR. GABRIEL: Same objection.
A. Every — I don’t understand what you are asking. Every device connecting to the public internet has to have a global unique address.
Q. And a device doesn’t have to be a computer, does it?
A. That’s correct.
Q. It could be a router, correct?
A. Yes.
Q. It could be a wired router?
A. Yes.
Q. It could be a wireless router?
A. Yes.
Q. And if there is a firewall, under most circumstances no one would know the various computers or devices behind the router, would they?
MR. GABRIEL: Object to form.
A. It depends on the type of router.
Q. Is it possible for more than one device to be operating behind a single IP address?
A. Yes.
Q. Now, when we get to the devices, some of the devices are computers. Is that not correct?
A. Yes.
Q. And is it possible for a computer to have more than one user?
A. Yes.
Q. So, in other words, when a person is engaged in peer-to-peer file sharing, it’s not the person that could be identified by an IP address, is it?
MR. GABRIEL: Object to the form. Lack of foundation.
Q. Isn’t it the MAC address that is identified?
MR. GABRIEL: Object to form.
A. I don’t understand the follow-on statement.
Q. Do you know what a MAC address is?
A. Yes.
Q. Can a router have a MAC address?
A. Yes.
Q. If I had ten different companies operating behind a router and I had a properly functioning firewall or firewalls, would anybody in the wide network actually know what was behind the router with the properly functioning firewall?
MR. GABRIEL: Object to the form. Lack of foundation.
A. It’s possible to determine who is behind that, so to say that there is no way to know is not true.
Q. How could you find out?
A. Potentially based on the activity coming out. There is lots of ways that attackers could use to determine what is behind a firewall.
Q. But one method to identify that person would not be the IP address. The IP address alone would not tell you that, would it?
A. Would not tell you what?
Q. What individual was sharing files.
A. By “individual” do you mean flesh-and-blood person?
Q. Yes.
A. The IP address tells you the identity of the computer.
Q. It actually doesn’t tell you the identity of the computer. It tells you the identity of the device.
A. That’s correct.
Q. And it doesn’t actually tell you the identity of the device. It tells you a MAC address?
MR. GABRIEL: Objection to form.
A. IP address does not tell you a MAC address.
Q. How could it tell you the identity of the device? How would you identify a device other than by a MAC address?
A. Every device in the public internet is configured with an IP address.
Q. Which would link to what?
A. Which links to the device.
Q. And how do you identify the device on the internet?
A. Again, every device is identified through its IP address. The MAC address is only valid from one local connection to another.
Q. What is the one thing unique about each device?
MR. GABRIEL: Object to the form.
A. Unique to it or that uniquely tells them apart?
Q. That tells them apart.
A. On the internet the only requirement for uniqueness is the IP address.
Q. So when you say that in reality they can be identified using the IP address, your testimony is that it’s not the user that can be identified, it’s a computer that can be identified? Is that your testimony? Or is your testimony that it is the computer on the network device that is interfacing with the wide network?
A. The IP address identifies the computer or device that is connected to the wide — to the internet.
Q. And the device might be a network card?
A. Generally network card doesn’t have an IP address. The computer is what has the IP address.
Q. The device might be a router?
A. That’s correct.
Q. In that report you said that the IP address of the computer can be captured by a user during a search or file transfer. Now, you don’t exactly mean of the computer; you mean of the computer or network device, right?
A. In the peer-to-peer file transfer the device running — the computer running the peer-to-peer software reports its IP address along with — in addition to that, the IP address of the — if it is behind a router that separates public and private addresses, then the IP address of the public internet will also be shown.
Q. But when you said that the IP address of the computer offering the files for distribution can be captured by a user during a search or file transfer, you didn’t really mean the computer. You meant the computer or network device?
A. In order for the peer-to-peer software to work, you have to have the identity of the machine holding the music or holding the data.
Q. Even if it’s going through a router? You’re saying there is more than one IP address going through a router?
A. The peer-to-peer software will present an IP address within the data payload of the IP packet.
Q. Well, what I’m trying to understand is why in your report, referring to your April report, it seems to me that when you were making general descriptions of the technology involved, you kept saying computer or network device but then when you were coming to your conclusions about the defendant, then you all of a sudden started talking about computers and you left out network devices. I was wondering why. Do you agree with that, what I am saying?
A. Yes.
Q. Why did you do that? Why did you stop mentioning network devices?
A. Because in an examination of MediaSentry data, I concluded that it was a computer at that IP address.
Q. And how did you come to that conclusion?
A. Through the MediaSentry traffic captures which shows the IP address of the actual computer and the IP address of the packet in transit across the internet, and those two IP addresses were both public and both matched.
Q. What is the document you are referring to for MediaSentry?
A. I think it was the download.text file or download log maybe they call it.
Q. The log for the user?
A. No.
MR. GABRIEL: Do you want to go off the record for a minute and find it?
MR. BECKERMAN: No. We are on the record.
Q. The Marie system log? Lindor, Marie system log?
A. No. That’s not the system log. It could be the download record.
Q. This one (indicating)?
A. Yes.
MR. BECKERMAN: I would like to mark as Exhibit 6 a printout of numbered pages 36 to 45.
(Defendant’s Exhibit 6, printout of numbered pages 36 to 45, marked for identification, as of this date.)
Q. So this tells you that there was no router?
A. This tells me that there was — yes. There was no router.
Q. How does it tell you that there was no router?
A. Through the two — If you look at the second chunk down, you will see the source address at the top and you will see the KaZaA IP address midway through that, and they match and they are both public IP addresses.
Q. You said they match?
A. Uh-huh. The 141.155.57.198.
Q. That’s the source?
A. And then down below you see the KaZaA IP?
Q. Yes.
A. It’s those two IP addresses.
Q. What does the first number indicate?
A. The first number of the IP address?
Q. Yes. No. The second line of that chunk that says “source.” What does that indicate?
A. That is the source address. That is where the packet came from.
Q. Now we go down to the next line you referred to, it says “KaZaA IP.” What does that refer to?
A. That is the IP address that the KaZaA software is running on, the IP address of the computer that the KaZaA software is running on.
Q. What is the next line?
A. A supernode. That’s the supernode that KaZaA is connected to.
Q. So, in other words, this went in directly through the supernode? So you are saying this transmission went through the supernode?
MR. GABRIEL: Objection to form.
A. No. This packet just indicates that — where the supernode is that KaZaA is talking to. The packet as shown by the second line is the actual source address of the internet packet.
Q. What is the next line, the KaZaA IP?
A. Oh.
Q. The line down below where you say the two numbers match, what is the meaning of that number?
A. Which one? The KaZaA IP?
Q. You said it is the same number.
A. Right.
Q. Where it says “KaZaA IP” and there is the same number.
A. As line 2, yes. That is the — that is the –
Q. What is the significance of that line?
MR. GABRIEL: Let him ask the question and then you answer. He asked what is the significance of that line.
A. Of the line “KaZaA IP”?
Q. Yes.
A. That is the IP address that the KaZaA software is using.
Q. And how is that determined?
A. It’s determined by the KaZaA software itself.
Q. Why wouldn’t those two numbers always be the same?
A. In the case of a router as you described earlier that has private addresses on the inside, you will see those numbers be different.
Q. So you are saying there can be different IP addresses for different devices behind the router?
A. Yes.
Q. What does the presence of the supernode line indicate?
A. It indicates the supernode, that the KaZaA software is used to perform the searches.
Q. So does this indicate that the computer that’s referred to on — whose IP address is referred to on the source line and the KaZaA IP line is not a supernode?
A. It indicates that that computer is communicating with that supernode in order to do the searches.
Q. And how did MediaSentry determine these numbers?
A. Line 2 of that section is the address that is carried within the data packet as it traverses across the internet. The line that starts “X-KaZaA-IP” is part of the data payload within that packet.
Q. And how do you know that? Didn’t you say you have never communicated with MediaSentry?
A. That’s correct.
Q. So how do you know that?
A. Because I understand how KaZaA operates.
Q. And how did you come to understand how KaZaA operates?
A. Through researching protocol.
Q. Starting when?
A. I can’t remember the exact date I started researching KaZaA. It was all part of the work Palisade did in the production of PacketHound.
Q. Are you familiar with the Ross studies of KaZaA?
A. Not offhand.
Q. You never read them?
A. I don’t recall without seeing one.
MR. BECKERMAN: I would like to mark as Exhibit 7 a study entitled “The KaZaA Overlay: A Measurement Study.”
(Defendant’s Exhibit 7, study entitled “The KaZaA Overlay: A Measurement Study,” marked for identification, as of this date.)
Q. So have you reviewed this report at any time?
A. Yes, I have.
Q. I direct your attention to Page 17 and I call your attention to in the middle of the page a sentence that starts with the words “later versions.” The statement says, “Later versions (KMDV 2.0+ and KaZaA-Lite) employ dynamic port numbers to evade firewalls.”
Do you agree with that statement?
MR. GABRIEL: Objection. Lack of foundation.
A. Yes.
Q. Going down to the end of that paragraph, I will read you the last sentence and ask if you agree with that sentence. “Since the KaZaA port numbers are
dynamic, it is very difficult to block KaZaA connections unless a very rigid filtering policy is employed at the firewall.” Do you agree with that statement?
MR. GABRIEL: Object to form. Lack of foundation.
A. Yes.
Q. Now I refer you to the first sentence of the next paragraph. “The reality of today’s internet is that a large fraction of peers reside behind NATs.” Do you agree with that statement?
MR. GABRIEL: Object to form. Lack of foundation.
A. I don’t have any way to know what fraction.
Q. Do you agree that NATs exist?
A. Yes.
Q. What is a NAT?
A. The term stands for network address translator. It is a router that on one side has a public IP address and on the other side maintains or has a set of what I want to refer to as private or sometimes inside IP addresses, which are addresses that are not allowed on the public internet.
Q. And do you agree that the existence of a network address translator makes it difficult to detect the IP address of specific computers behind the router?
MR. GABRIEL: Objection to form. Lack of foundation.
A. By router do you mean network address translator?
Q. Yes.
A. Yes.
Q. And do you agree that KaZaA has used a connection reversal in order to try to overcome that?
MR. GABRIEL: Objection to form. Lack of foundation.
A. I agree with the definition that they specify in the article. I’ve never heard that specific term.
MR. BECKERMAN: I would like to mark as Exhibit 8 a one-page chart.
(Defendant’s Exhibit 8, one-page chart, marked for identification, as of this date.)
Q. Can you identify what that displays?
MR. GABRIEL: Object to foundation. He didn’t draft it. You can answer the question.
A. I don’t know the intent of it but it shows, as it’s labeled, a cable modem connected to the internet. And it shows a set of IP addresses, all of which are the private — designated as parts of the private IP address range.
Q. Going back to the study, Exhibit 7, I call your attention to Page 21, a paragraph bearing number 7, and I’m going to the last two sentences and I am going to ask if you agree with this statement. “KaZaA uses dynamic port numbers along with” –
A. I’m sorry. I am not finding it.
Q. Page 21, there is a paragraph number
A. Okay. I’m sorry.
Q. I am asking if you agree with this statement. “KaZaA uses dynamic port numbers along with its hierarchical design to avoid firewall blocking.” Do you agree with that?
MR. GABRIEL: Objection to form. Lack of foundation.
A. I know KaZaA uses dynamic port numbers. Whether that was the original design intent to avoid firewalls would be a fair assumption.
Q. The next sentence, do you agree with that statement ? “Furthermore, it uses connection reversal to allow NATed peers to share files.”
MR. GABRIEL: Objection to form. Lack of foundation.
A. Yes.
Q. When you studied KaZaA, did you familiarize yourself with the concept of pollution on KaZaA?
A. No.
Q. Do you know what pollution is on KaZaA?
A. My understanding is it is putting things out into the network KaZaA that either misrepresents the content or for some reason is not what it says to be.
MR. BECKERMAN: I will mark this as Exhibit 9. It is a paper entitled “Pollution in P2P File Sharing Systems.”
(Defendant’s Exhibit 9, paper entitled “Pollution in P2P File Sharing Systems,” marked for identification, as of this date.)
Q. Going to the first page, the right-hand column, the first full paragraph, the first sentence starts with “One sabotage technique.” I will ask if you agree with this statement.
MR. GABRIEL: I’m sorry. Where are you? I got it.
Q. “One sabotage technique that is particularly prevalent today is that of pollution.” Do you agree with that statement?
MR. GABRIEL: Objection to form. Lack of foundation.
A. I don’t have any knowledge that as they define pollution it is prevalent on the peer-to-peer systems.
Q. Are you aware that one of MediaSentry’s areas of business is pollution?
A. No.
Q. Are you aware that MediaSentry is in the business of sending out decoy files?
MR. GABRIEL: Objection to form.
A. No.
MR. GABRIEL: Sorry. Belated objection to the form.
Q. Excuse me?
A. No.
Q. I turn you to the second page, the first full paragraph. About two-thirds of the way down in the paragraph there is a sentence that starts “We will see that.” I call your attention to that sentence and ask if you agree with this statement. “We will see that pollution is indeed pervasive with more than 50 percent of the copies of many popular recent songs being polluted in KaZaA today.” Do you agree with that?
MR. GABRIEL: Objection to form. Lack of foundation.
A. I have no way of knowing if that’strue or false.
Q. So is it your testimony that you are not knowledgeable about pollution?
MR. GABRIEL: Objection to form.
Q. Are you knowledgeable about pollution?
A. Only to the extent that I know what it is.
Q. And that’s the sole extent of your knowledge?
A. Yes.
Q. And are you familiar with the distinction between content pollution and metadata pollution?
A. I just now read their classification.
Q. Is it the first time you ever learned of the distinction between those two terms?
A. Yes.
Q. So it would be fair to say that your expertise does not extend to the nature and extent and methods of pollution on KaZaA?
A. Yes.
Q. When you in your report refer to analogizing an IP address to a return address and a send address on a letter, would you say that analogy is somewhat incorrect?
A. There is probably no perfect analogy but it’s a reasonable analogy to use for a lay explanation.
Q. Is it fair to say that your postal address is to your home whereas an IP address would be more like an address to a timeshare that you might occupy for a split second or for a minute?
MR. GABRIEL: Objection to form.
A. The IP address delivers to a device or location.
Q. But not a person?
A. That’s correct.
Q. And not for any given amount of time, just as long as the internet connection stays on line?
R. GABRIEL: Objection to form.
A. Define what you mean by internet connection.
Q. You don’t know what I mean by an internet connection?
A. There are multiple definitions.
Q. Why don’t you give me the most common meaning.
A. There is an application layer connection which is used by individual applications to communicate.
Q. With a dynamic IP address is the person using it still using it after he’s disconnected from the internet?
MR. GABRIEL: Objection to form.
A. Depending on how they are connected, the dynamic address may be dropped.
Q. You’re saying they could end their connection to the internet and still — and the dynamic IP address stays in effect and then if they turn it back on, they could pick up the same exact dynamic IP address? Is that your testimony?
MR. GABRIEL: Objection to form. Lack of foundation.
A. If the device that issues the dynamic address can detect the other device being turned off, then the dynamic IP address can be released. Otherwise, the dynamic address could still be assigned to that device.
Q. Now, with a decentralized peer-to-peer network, it’s your statement in your report that a request is sent to each neighbor and each neighbor sends the request to the next neighbor and so on. Did you mean that literally?
A. You said decentralized?
Q. Yes.
A. Yes.
Q. To neighbors? What do you mean by neighbors?
A. The decentralized peer-to-peer software referred to the peer-to-peer entities that they talked directly to as neighbors.
Q. So you are using it figuratively to describe other computers?
A. Yes.
Q. You say the semi-decentralized peer-to-peer network uses a central index server. Is that correct?
A. Yes.
Q. And that if one server node quits, the other nodes can still function?
A. Yes.
Q. Now, when you access a screen shot, are you accessing a file or are you accessing an index of files?
A. When you query the server, what you get is an index of the files.
Q. Now, is it your testimony that every time you see a screen shot in KaZaA, you’re seeing files that are on a single ordinary node?
R. GABRIEL: Objection to form.
A. There are many ways you can query KaZaA, one of which is to ask all the files that are contained on a particular machine.
Q. How would you frame such a query?
A. You frame the query with the address of the machine that contains the information.
Q. And do you know how MediaSentry queried?
A. I don’t know the exact techniques that they used.
Q. Now you said in your report that you will demonstrate how defendant’s internet account and computer were used. Would you now demonstrate for me how you can — show me how you can demonstrate that the defendant’s computer was used?
A. Which line of the report are you?
Q. What?
A. Which line of the report are you referring to?
Q. Paragraph 15.
A. Would you restate the question.
(Record read.)
A. Identifications through the IP address to demonstrate which computer it is.
Q. No, I’m asking you to demonstrate it now for me. You said, “I will testify to the procedures and results obtained by MediaSentry coupled with the information complied by defendant’s ISP to demonstrate the defendant’s internet account and computer were used to download and upload copyrighted music from the internet using the KaZaA peer-to-peer network.” Please demonstrate for me that defendant’s computer was used to download and upload copyrighted music.
A. I can demonstrate through the MediaSentry material.
Q. Okay.
A. I don’t have the MediaSentry material.
MR. BECKERMAN: We will mark as Exhibit 10 a two-page printout, page numbers 46 to 47.
(Defendant’s Exhibit 10, two-page printout of page numbers 46 to 47, marked for identification, as of this date.)
MR. BECKERMAN: We will mark as Exhibit 11 a printout, page numbers 49 to 87.
(Defendant’s Exhibit 11, printout of page numbers 49 to 187, marked for identification, as of this date.)
MR. BECKERMAN: And you already have Exhibit 6 and we have Exhibit 12, which is a screen shot, pages 199 to 224.
(Defendant’s Exhibit 12, printout of pages 199 to 224, marked for identification, as of this date.)
MR. BECKERMAN: And we will mark as Exhibit 13 a one-page printout marked as page number 48.
(Defendant’s Exhibit 13, one-page printout of page numbered 48, marked for identification, as of this date.)
MR. BECKERMAN: And we will mark as Exhibit 14 a printout of pages numbers 188 through 198.
(Defendant’s Exhibit 14, printout of pages numbers 188 through 198, marked for identification, as of this date.)
Q. Now would you please demonstrate how you can show that it’s the defendant’s computer that was used.
MR. BECKERMAN: Off the record.
(Recess taken.)
Q. Please demonstrate that the defendant’s computer was used.
MR. GABRIEL: If I can ask you, if you refer to an exhibit, please say what the exhibit is.
THE WITNESS: Yes.
Q. Before we go into that, let me just ask you something. When you say “defendant’s computer” in your report, you’re referring to the computer that was accessed by MediaSentry; is that correct?
A. I’m referring to the — yeah, the computer with the IP address shown in Exhibit 6 that we discussed earlier.
Q. And it’s your contention that the computer as to which you examined the hard drive is a different computer than the one that was accessed by MediaSentry; is that correct?
A. Yes.
Q. Now, going to the first computer, how do you know that it was defendant’s computer?
A. We don’t have the Verizon information in front of me. By using the subpoenaed records from Verizon they show –
Q. They were asked — I’m sorry. I cut you off. They were asked to identify the owner of an account that had used an IP address; is that correct?
A. Yes.
Q. How would that tell you who owned the computer?
A. It tells me the individual who has the account that was associated with that IP address; therefore, that computer at the time.
Q. Let’s say — not me, that would be too improbable. Let’s say you had a visitor at your home and that visitor plugged into your internet connection with his laptop. Would that make his computer your computer?
A. Without knowing the configuration of your home network, I couldn’t.
Q. Let’s say you had a wired internet connection at your home, you had a cable modem and someone was visiting who had a laptop, a friend of yours or relative, and that person asked if they could plug in their laptop and check their e-mail. Okay? Now, the IP address would show up as your address, would it not? The dynamic IP address?
A. It depends.
Q. If I sent a query like the record industry sent to Verizon, I would get you, right? If you are the person who pays for the internet access at your home.
A. If the ISP allows multiple devices directly connected to their internet service.
Q. And it wouldn’t have been your computer, it would have been your friend’s or relative’s computer. Correct?
MR. GABRIEL: Object to the form. Lack of foundation.
A. The scenario you laid out. If the ISP allowed multiple IP addresses, then it would have associated an IP address with that particular device.
Q. So when you say it was defendant’s computer, you don’t actually have any knowledge as to whether it was defendant’s computer. All you know is that the defendant’s name is associated with the internet access account; is that correct?
MR. GABRIEL: Objection to form.
A. I know that the — yeah, the computer associated with that user account, an IP address was used.
Q. But you don’t know whose computer it actually was, do you?
A. No.
Q. But your report said it was defendant’s computer, so I think you will agree that that’s an imprecision in your report.
MR. GABRIEL: Objection to form. Lack of foundation. Misstates the report.
A. The report states that I have identified through the internet service provider the account holder of the IP address.
Q. The report says that you will demonstrate that it was defendant’s computer that was used. How can you demonstrate that the computer belonged to the defendant? You don’t know who it belonged to.
MR. GABRIEL: Objection to form. Lack of foundation.
Q. You are under oath.
A. It’s my opinion that given the information from MediaSentry and from Verizon, that that IP address was associated with the defendant and computers or at least in presence of the defendant.
Q. There are two parts to your statement. You say the defendant’s internet account and computer. Right now I’m not asking you about the internet account. I’m asking about the computer. You will agree, then, will you not, that when you said computer that you don’t actually know if it was defendant’s computer or not?
A. It is the computer associated with the account of the defendant.
Q. But you don’t know if it was defendant’s computer?
A. I know that the computer was associated with the defendant’s internet account.
Q. But you don’t know if the defendant owned it?
A. Nowhere is purchase information.
Q. And you do not know if the defendant ever used it?
A. I know that the computer associated with that address was used.
Q. Now, demonstrate how you know that that computer was used to upload and download copyrighted music from the internet.
A. Well, I know which computer through Exhibit 6. That is the primary piece of evidence. I know that material was downloaded through Exhibit 10. I know music was made available through Exhibits 10, 11, 12 and 14, and I know that the music was downloaded through Exhibit 11.
MR. BECKERMAN: I would like to mark as Exhibit 15 the undated October report.
(Defendant’s Exhibit 15, undated October report, marked for identification, as of this date.)
Q. When did you provide this report to Mr. Gabriel?
A. October 25th.
Q. Why did you not sign it?
A. It’s a draft.
Q. Why is it not dated?
A. It was a draft report.
Q. Have you ever submitted an unsigned or undated draft to Mr. Gabriel before?
A. I could have. I don’t recall.
Q. Have you ever submitted unsigned drafts or undated drafts to anyone in Mr. Gabriel’s firm before?
A. Again, I could have. I don’t recall.
Q. Is it your practice to submit unsigned, undated drafts before submitting your final reports to them?
A. The standard report goes in without their review.
MR. GABRIEL: I would like the record to reflect that there is a copying issue in Exhibit 15. Page DJ0069 was stamped “Draft.” I note in the copying the draft was too light to copy apparently.
Q. Did Mr. Gabriel tell you not to issue a final report, but to issue a draft instead?
A. Yes.
Q. Now, turning to Page DJ0071, Paragraph 17, the second sentence, which says, “I will testify based on the forensic examination of the hard drive that was copied from the computer owned by the defendant.” Now, are you saying there that the second computer which you claim is different than the first one was owned by the defendant also?
A. I’m lost in the second, first and –
Q. It’s your words. It’s your testimony. It’s your declaration, your unsigned draft which Mr. Gabriel asked you to submit to him so he could have input into the final. But this was your wording I assume. Right?
A. Yes.
Q. This was wording that was not fed to you by Mr. Gabriel?
A. Correct.
Q. So you say the computer owned by the defendant. Now you are saying that the second computer was owned by the defendant.
A. I’m saying the hard drive that I was given to examine was reported to have been owned by the defendant and I examined that hard drive and came up with that conclusion.
Q. So is it your testimony that she owned both computers?
MR. GABRIEL: Objection to form.
A. It’s my testimony that the hard drive contained no evidence of KaZaA and that hard drive was reported to have belonged to the computer owned by the defendant.
Q. What basis do you have for saying that the computer was owned by the defendant?
A. Based on the chain of evidence that — the chain of custody that followed the forensic disk.
Q. So it is your testimony that Marie Lindor, who is a home health aide who has never even used a computer, it is your testimony that she owns two computers?
MR. GABRIEL: Objection to form. Lack of foundation. Misstates testimony.
Q. Is that your testimony? She has never even used a computer in her life, that she owns not one, but two computers?
MR. GABRIEL: Same objection.
A. What I am stating is that the hard drive I examined, which was reported to have come — been owned by the defendant did not contain KaZaA or any of the copyrighted or any music files.
MR. BECKERMAN: Let’s mark as Exhibit 16 your April report.
(Defendant’s Exhibit 16, Dr. Douglas W. Jacobson’s April report, marked for identification, as of this date.)
Q. Now, on Page DJ0006, Paragraph 19, in the last line you use the words “being distributed.”
A. Yes.
Q. Were you using “distributed” in the legal sense of the word or in the generic sense of the word?
MR. GABRIEL: Objection to form.
A. I’m not a lawyer so I don’t know the legal — I guess I am not clear as to what difference you are trying to make between the two words.
Q. Where did you get the word “distributed”?
A. In that paragraph I’m referring to the fact that the files were on the peer-to-peer network and by the nature of the peer-to-peer network they are being distributed.
Q. Do you know of any instances in which they were distributed to anyone other than MediaSentry?
A. Given the nature of the peer-to-peer system, there is a high probability that they were — well, strike that. Distributed, they are being offered for distribution by the fact that they were on the peer-to-peer network.
Q. The question was whether they had actually been distributed, not whether they had been offered for distribution.
MR. GABRIEL: Objection to form.
A. The KaZaA program made those files available through the supernode. Anybody — Let me strike that and start over. The KaZaA program made the files available on her computer for distribution and given the nature of the peer-to-peer network and the number of users, there is a high probability that songs were actually uploaded from that computer.
Q. Do you have any knowledge of any specific instances of any uploads other than to MediaSentry?
A. No.
Q. In Paragraph 21 you use the words that the computer was registered to the defendant. How does a computer get registered to a person?
A. Through the IP address it is registered. Verizon indicated the subscriber.
Q. So you don’t mean that the computer was registered to the defendant. You mean the IP address was identified by Verizon as having been on the internet access account that was in the name of the defendant. Is that correct?
A. The IP address of, was registered to the defendant on said computer. So it says that the IP address.
Q. Not the computer. The IP address was registered?
A. That’s what 21 states.
Q. 21 states that the computer that had the IP address was registered to the defendant. “I will testify based on all of the
information” –
A. Right, right.
Q. So you don’t mean the computer was registered, you mean the IP address was registered?
A. Yes.
Q. Now, in Paragraph 22 you state that you could prove from the MediaSentry user log that the music found on the defendant’s computer was downloaded from other users on the internet. How would you have done that?
A. By using the metadata tags, in particular the description tag. For example, Page 0106.
MR. GABRIEL: What exhibit?
THE WITNESS: I’m sorry. Exhibit 11.
A. Page 10106 indicates in the description “ripped by” and had several — several cases “ripped by X7″ and so on, and that’s throughout the document.
Q. A metadata is text, is it not?
A. Yes.
Q. Metadata can be changed, can it not?
A. Metadata can be changed and is not present on original CD recordings.
Q. And it can be changed easily through commonly available software, can it not?
A. Yes.
Q. And could it be changed through KaZaA software?
A. Yeah. I believe KaZaA lets you edit the metadata.
MR. BECKERMAN: I would like to mark as Exhibit 17 a page of handwritten notes.
(Defendant’s Exhibit 17, page of handwritten notes, marked for identification, as of this date.)
Q. When were these notes prepared?
A. These notes were prepared prior to the submission of the October — let’s see which exhibit. Exhibit 15.
Q. Are there any other notes which you jotted down which you did not preserve from the date the hard drive was furnished to you?
A. No.
Q. What are the letters at the top right?
A. DHCP name server.
Q. What are the three IP addresses below that?
MR. GABRIEL: Objection to form.
A. Those are the IP addresses of the name server that were on her computer.
Q. What does that mean?
A. The name server, my best analogy is a giant phone book that converts names and IP addresses. So when you type in www.google.com, you get the IP address of Google.
Q. What is the entry at the bottom, “7704 repaired”? What is that a reference to?
A. In examining the hard drive, it appeared that there was some type of repair of the Windows operating system on that date.
MR. BECKERMAN: I would like to mark as Exhibit 18 a single-page document which says “wireless router” at the top.
(Defendant’s Exhibit 18, single-page document bearing “wireless router” at the top, marked for identification, as of this date.)
Q. When was this prepared?
A. 3/14.
Q. Now, You say “wireless router?” and then say, “No.” How did you know there was no wireless router?
A. Again, by looking at the information on Exhibit 6.
Q. How does that show you that there is no wireless router?
A. Again, as I testified earlier, here at the source address and that the KaZaA IP address matched.
Q. And that tells you that there was no wireless router?
A. Again, those are all public IP addresses on both the computer and the device that put the IP packet onto the internet, both at the same IP address.
Q. And that’s your sole basis for your conclusion?
A. Yes.
MR. BECKERMAN: I would like to mark as Exhibit 19 a two-page letter from Verizon.
(Defendant’s Exhibit 19, two-page letter from Verizon, marked for identification, as of this date.)
Q. Is that the source for your information as to whose access account it was?
A. Yes.
MR. BECKERMAN: I would like to mark as Exhibit 20 a resume, a one-page resume, page number DJ0076.
(Defendant’s Exhibit 20, one-page resume, page number DJ0076, marked for identification, as of this date.)
A. It is a printout of a file that I found on the hard drive that I examined. It was described in Exhibit 15.
Q. Did you know who prepared this?
A. I know it was on the hard drive and it in the directory of user Kathleen on the system.
Q. Do you know who typed it?
A. No.
Q. Now, what does it say next to the word “e-mail” in this resume?
A. J-C-Q-L-L-I-N-E.
Q. What tools did you use to determine that the hard drive had not been used for a KaZaA account?
A. I used EnCase to examine the captured hard drive.
Q. When you used EnCase, did you know that this matter was in litigation and that you were an expert witness in this case?
A. Yes.
Q. Did you not have screens? When you used EnCase, didn’t you look at a computer screen?
A. Yes.
Q. Did you save what was on that screen?
A. No.
Q. Did you generate reports?
A. No.
Q. Now I’m not asking you if you printed out reports or saved reports. I’m asking you if you generated reports.
A. No.
Q. So you did not document your findings in EnCase at all, did you?
A. No.
Q. Did Mr. Gabriel tell you to do that?
A. No.
Q. So did you feel that you could just review it on EnCase and then come and testify from memory at a trial? Is that what you intended to do?
A. I examined the hard drive, found no evidence of file sharing software or audio files, and so there was nothing to document.
Q. So you didn’t feel was any need to create documentation of what your study had shown?
A. There was no files to document.
Q. Is that because it did not corroborate Plaintiff’s case in any way?
MR. GABRIEL: Objection to form. Argumentative.
A. The testimony says I found no KaZaA or MP3 files and, therefore, there was nothing to — there were no screen shots to capture.
Q. Do you have any idea why the case hasn’t been dropped by now?
MR. GABRIEL: Objection to form. Lack of foundation.
A. I don’t get involved with — so no.
MR. BECKERMAN: I would like to mark as Exhibit 21 a one-page document with a flowchart.
(Defendant’s Exhibit 21, one-page document with a flowchart, marked for identification, as of this date.)
Q. Do you see item number 4?
A. You mean bullet number 4?
Q. Yes.
A. Yes.
Q. What does that say?
A. “Document findings.”
Q. Did you know that you were going to be giving sworn testimony in this case, including our December declaration and possible deposition and trial testimony?
A. Would you reread the question back.
(Record read.)
A. At the time I examined the hard drive there were no scheduled depositions.
Q. So you thought it was okay not to document your findings?
MR. GABRIEL: Objection to form.
A. I did document my findings, as shown in Exhibit 17.
Q. When you say there were three user names of interest, what did you mean by that?
A. In a Windows machine there are default users that are created, like Administrator and so on, that come with the installation of Windows. So these were users that were added above and beyond the default installation.
Q. So it doesn’t actually tell you who used the computer, does it? It just tells you the user names?
A. Yes, these are user names for that computer.
Q. And if someone was logged on under a particular computer name and the computer was kept on and another individual sat down and started using the computer, you wouldn’t know who that was, would you, from the user name?
A. That’s correct.
Q. Are you familiar with the declaration that was given by the expert witnesses in the Netherlands in the foundation case, the witness statement of Henk Sips and Johan Pouwelse?
A. I would have to see the document.
MR. BECKERMAN: I would like to mark this as Exhibit 22. It is a three-page document entitled “Witness statement of Henk Sips and Johan
Pouwelse.”
(Defendant’s Exhibit 22, three-page document entitled “Witness Statement of Henk Sips and Johan Pouwelse,” marked for identification, as of this date.)
MR. GABRIEL: I would like to interpose a belated objection to the characterization of the document as a declaration.
MR. BECKERMAN: I agree. The correct characterization should be as a witness statement. So stipulated.
MR. GABRIEL: Thank you.
Q. Have you ever seen this document before?
A. I’ve seen it.
Q. You have seen it?
A. I have seen it.
Q. In what context?
A. I believe my wife might have e-mailed it and made a copy of it.
Q. Did anyone from the Plaintiff’s law firm send you a copy of it?
A. No.
Q. Did you ever access it yourself on the internet?
A. Either she sent it to me directly or a link to it, so I don’t know if I got it as a document or as a link to a document.
Q. Do you agree with the statement at the bottom of Page 2 that detailed checks are, therefore, required?
MR. GABRIEL: Objection to form. Lack of foundation.
A. Would you read the question.
(Record read.)
A. I don’t really know. They didn’t describe what they meant by detailed checks so I can’t — I can’t comment on that.
Q. We will turn to the next page. It says, “We believe that the following procedure takes the necessary precautions when trying to establish if a user is making copyrighted works available for download,” and then they list certain procedures. Do you agree that those procedures take the necessary precautions?
MR. GABRIEL: Objection to form. Lack of foundation.
A. The steps seem like reasonable precautions.
Q. Going down a few paragraphs, there are some terms. Do you agree that superpeer hopping is a technical problem in trying to determine which user might have violated copyright law?
MR. GABRIEL: Objection to form. Lack of foundation.
A. They don’t define what they mean by superpeer hopping, so …
Q. Don’t you think they are referring to the hopping from one supernode to another supernode, shutting one down and starting another?
MR. GABRIEL: Objection to form. Lack of foundation. Calls for speculation.
Q. You are the expert. You have indicated that you have studied KaZaA in depth. Isn’t it a fact that a single search on KaZaA can hop from one supernode to another?
A. A search on KaZaA can prop you will gate from one supernode to another.
Q. So don’t you think that’s what they are referring to when they say superpeer hopping?
MR. GABRIEL: Objection to form. Lack of foundation. Calls for speculation.
A. I have not heard that term used, so I don’t know …
Q. Would you agree that the fact that a single search can switch from one supernode to another to another to another would constitute a technical problem in conducting such an investigation?
MR. GABRIEL: Objection to form.
A. I would characterize it more as a technical inconvenience than a problem.
Q. So you would agree that it is a technical inconvenience that needs to be overcome?
A. I’m not saying that it hasn’t been overcome, if that’s what your question is.
Q. My question is exactly what it said, that it is a technical problem that needs to be overcome.?
MR. GABRIEL: Technical inconvenience. Let’s be clear which question you are asking, please.
Q. Is it a technical inconvenience that needs to be overcome?
A. Yes.
Q. And you would agree that it requires the taking of certain precautions?
MR. GABRIEL: Objection to form.
A. If by precautions you mean procedures to understand that that can happen, yes.
Q. Would you agree that NAT translation is a technical problem in conducting such an investigation?
MR. GABRIEL: Objection to form. Lack of foundation.
A. I would agree that that process — procedures and processes need to be put in place to handle NAT translation.
Q. And you agree that firewall relaying is a technical problem that needs to be considered during the process and procedure?
MR. GABRIEL: Objection to form.
A. I would agree that firewall relaying is something that needs to be considered during the process and procedure.
Q. In the next paragraph they refer to pollution. Would you agree that pollution is a problem that needs to be taken into account in conducting such an investigation?
MR. GABRIEL: Objection to form. Lack of foundation.
A. I think processes and procedures need to be put in place to deal with the issue of pollution.
Q. Does KaZaA have limitations in file searching?
A. If by limitations you mean is one user limited to the scope of where they can search across the entire KaZaA network, yes.
Q. What is meant by the term “computer hygiene precautions”?
MR. GABRIEL: Objection to form. Lack of foundation.
A. It is my opinion what they are talking about is it’s possible to get data from multiple locations for one file and if you don’t take care watching where those — where the data comes from and how much data is produced, that you could end up marking IP addresses that have transferred no data.
Q. What is multi-peer downloading contamination?
MR. GABRIEL: Objection to form. Lack of foundation.
A. That goes to what I was saying, multiple peer nodes contributing to a single file.
Q. Does the fact that MediaSentry observed the computer solely through the internet and did not have physical access to the computer itself limit its observational power?
R. GABRIEL: Objection to form.
A. Obviously weren’t able to physically view the individual typing on the keyboard.
Q. Is the internet secure and safe and reliable?
MR. GABRIEL: Objection to form.
A. I guess it depends on how you define those terms. Secure? No. The end nodes on the internet often are not secure. Safe? I guess I’m not sure what you are talking about as far as safety.
Q. Can people hack into other people’s systems?
A. Yes. I would wrap that under the security umbrella.
Q. Isn’t it a fact that you teach a course on how to do that?
A. Yes.
Q. Isn’t it a fact that you teach students how to crack passwords?
A. Yes.
Q. And you teach them about spoofing?
A. Yes.
Q. What is spoofing?
A. Spoofing is pretending to be somebody else.
Q. What is redirection?
A. Depends on where we are talking about it, but redirection is typically forcing the traffic to go somewhere else or forcing the user to go somewhere else.
Q. Does the existence of a firewall guarantee security?
A. No.
Q. Isn’t it a fact that when you teach a course in information warfare, most of the people will find some vulnerabilities in the network that is being attacked?
MR. GABRIEL: Objection to form.
A. In the course I teach, I set up a corporate environment that has vulnerabilities associated with it as part of the exercise.
Q. And the vulnerabilities that you build in are not unheard of in the real world; is that correct?
A. That’s correct.
Q. So an IP address can be spoofed, right?
A. Yes.
Q. And a MAC address?
A. Yes.
Q. Did you ever recover the registry entries from either of the two computers that you have been testifying about?
A. I recovered the register entries from the hard drive that I examined.
Q. Well, if you recovered them, where are they? How come you never turned them over to me?
A. In EnCase you open them up as a file viewer and you can examine them by just looking at them.
Q. So you viewed them but didn’t preserve a record of it?
A. The hard drive image is still in my possession.
Q. But when you viewed it in EnCase, you didn’t make any documentation of what you saw in the registry entries?
A. I was looking for evidence of the KaZaA program and found none.
Q. But you actually had the register entries in front of you on the screen and you didn’t make any record of that?
A. There wasn’t anything to make a record of.
Q. There were no register entries?
A. There were register entries, but none associated with KaZaA.
Q. You were told by Mr. Gabriel just to look for things that incriminated the defendant?
MR. GABRIEL: Objection to form. Lack of foundation. Argumentative.
Q. Is that your testimony? Were you directed only to find things that helped the plaintiffs win their case?
MR. GABRIEL: Same objections.
A. I was told to examine the hard drive for evidence of file-sharing software and evidence of MP3.
Q. That’s all you were told to examine it for? So you weren’t told to examine it for evidence as to whether it had been — the hard drive had been changed or anything like that?
A. I wasn’t directed to do anything more than that, although as part of the examination I did — as noted in Exhibit 17, I noted, for example, that the operating system was repaired on July 7th of ‘04.
RQ MR. BECKERMAN: I call for the production of those register entries.
MR. GABRIEL: They don’t exist. The witness doesn’t have a duty to create them and you have your image of his hard drive. You can produce them yourself.
Q. So EnCase has no way of backtracking your project?
A. The only record it keeps is when you specifically write something to a report file; when you see something, you explicitly say, “Put this in a report.”
Q. So you were just looking in the registry for evidence of KaZaA? That’s it?
A. I was looking for the IP address and as shown in Exhibit 17, I was looking for evidence of dates about the system, so the date the system was repaired.
Q. Do some users of KaZaA fool people with fake content?
MR. GABRIEL: Objection to form.
A. I don’t have any firsthand experience with that.
Q. What is a MAC address?
A. A MAC address is referred to as the physical address, which is the address used to transfer data packets across local area network.
Q. Does the cable modem have a MAC address?
A. Yes.
Q. Does a wired router have a MAC address?
A. Yes.
Q. Does a wireless router have a MAC address?
A. Yes.
Q. Does an ethernet card have a MAC address?
A. Yes.
Q. Is a network card a synonym for ethernet card or is it something else?
A. An ethernet card would probably be considered a subset of a network card.
Q. Do other network cards also have MAC addresses?
A. There would be networks that do not use the concept of a MAC address.
Q. Does a DSL modem have a MAC address?
A. It has it on its — on the subscriber side.
Q. Is there a limit to the number of devices behind a single router?
A. Theoretical or practical? The answer is “yes” to both, I guess.
Q. And what factors would limit it?
A. The IP address space would be one limiting factor and then the performance would be more of a practical limiting factor.
Q. Can you have a router behind another router?
A. Yes.
Q. What is the MAC address of the computer that was accessed by MediaSentry?
A. There is no documentation to indicate what the MAC address of that computer was.
Q. What is the MAC address of the computer whose hard drive you examined?
A. Since I did not have the ethernet card, I don’t know.
Q. What type of internet service was used by the computer that MediaSentry was interacting with?
A. There wasn’t enough information from Verizon to indicate whether it was a cable modem or a DSL.
Q. So you don’t know?
A. No.
Q. Did that connect to the internet directly or through another device’s MAC address?
A. Did what connect?
Q. When that computer was on line with or supposedly on line with MediaSentry, was it directly or was it through another device’s MACaddress?
MR. GABRIEL: Objection to form.
A. Every time a packet goes through a cable modem, a router, a NAT, the MAC address is not preserved; it is destroyed and recreated on the other side.
Q. So the answer is?
A. Could you reread the original question.
Record read.)
A. Are you talking about which address it presented to the ISP?
Q. You can’t answer the question the way it’s asked?
A. I don’t know where — Again, as the packet moves through the internet, every device that picks up the packet, it retransmits and creates a new MAC address.
Q. Do you know whether it connected to the internet directly or through another device’s MAC address? If you don’t know you can say you don’t know.
MR. GABRIEL: Objection to form. You can answer the question.
A. Stated the way it’s stated, no, I don’t know.
Q. How many devices accessed the internet through Marie Lindor’s internet access account?
A. I have evidence of one device with the IP address that we have talked about in Exhibit 6, that one device being connected to the internet during the times as described in Exhibit 16.
Q. How many MAC addresses have accessed the internet through Marie Lindor’s account?
A. I have no way of knowing.
Q. When is a MAC address assigned to a computer?
A. MAC addresses are actually assigned to the network cards by the network card vendor.
Q. And is that also true for any other network device?
A. In the ethernet world, yes. MAC addresses are assigned. Blocks are assigned to the vendors and the vendors allocate individual addresses.
Q. Did the computer which you examined have a wireless card? The computer whose hard drive you examined, did that have a wireless card?
A. All I received was the hard drive. I did not receive the –
Q. So you don’t know?
A. Correct.
Q. Can an ethernet card be removed from one PC and put into another?
A. If it is an actual card as opposed to — connected to — actually on the motherboard.
Q. If you were an internet pirate or cracker who wanted to spoof a MAC address, could you easily find the MAC address by, let’s say, finding a box that a cable modem had come in and just writing down the MAC address from that?
MR. GABRIEL: Objection to form. Lack of foundation.
A. I don’t know if they write the MAC addresses on the outside of cable modem shipping boxes.
Q. You can manually reassign a new MAC address, can you not?
A. In a lot of systems, yes.
Q. What is reprogramming a MAC address?
MR. GABRIEL: Objection to form.
A. I’ve never heard it quite put that way, but my understanding would be that that would be changing the MAC address of the device.
Q. Did you or MediaSentry ever actually know the MAC address of either of the computers?
MR. GABRIEL: Objection to form. Lack of foundation as to MediaSentry.
A. I did not know the MAC address. I cannot testify to what MediaSentry knew in that case.
Q. How would one spoof an IP address?
A. Can we go off the record for a second? Am I allowed to say that?
MR. GABRIEL: You need to answer his question first. If there is an issue with the question, you can tell him.
A. Long version or short version?
Q. Short version.
A. Okay. Boy, there is no short version.
Q. There are many ways to do it, is that not correct?
A. Well, there is many ways and it depends for what purpose as to whether those ways
would work.
Q. Okay. It’s not necessary to really go into detail.
A. Okay.
Q. There are many ways to spoof an IP address?
A. Not all of which work. Correct.
Q. Did you personally verify the IP number?
A. The IP address on the hard drive, since it’s DHCP, the IP address is not committed to the hard drive.
Q. So the answer is no, you did not verify the IP address?
A. Not on the hard drive.
Q. And how did MediaSentry get the IP address?
MR. GABRIEL: Objection to the extent it was asked and answered. Go ahead.
A. I don’t know the exact process and procedures that MediaSentry used.
Q. So you couldn’t test or verify the procedures? You didn’t know what they were?
A. Given the procedures, I could test them. The method that I would use is, again, since every packet –
Q. No. The question was — I was asking whether you verified the way that — the method that MediaSentry used.
A. No.
Q. Do you know what the IP address was of the screen shot?
MR. GABRIEL: Objection to form.
A. The screen shot was a screen shot of the files associated with the user.
Q. Well, they would have had to have been a dynamic IP address assigned it that, would it not have, to that connection?
MR. GABRIEL: Objection to form.
A. You have an IP — you have an IP connection to the supernode and then to transfer the files, you make an IP connection to the machine that has the — that has the files.
Q. When you did the forensic examination of the hard drive, other than telling you that they wanted you to look for evidence of KaZaA, were there any other instructions given to you?
A. Look for the — any MP3 files and then just a general look for anything that may be associated with — you know, with MediaSentry and my testimony or my expert report. So things like IP addresses, et cetera.
Q. You say it’s not difficult to determine whether a computer was connected with a wireless router based on how IP’s are assigned? How could you possibly tell from the way IP’s are assigned whether or not it was connected to a wireless router?
A. Again, back to Exhibit 6 where the machine itself reports its IP address and so does the device with the global internet address. A wireless router is going to have an internal address and then a public address, and so you will see a discrepancy in those two IP addresses.
Q. How did you make that determination in this case? I’m not sure I follow that. You put in your declaration on December 19th “Based on how IP’s are assigned, it is not difficult to determine whether a computer was connected to the internet via a wireless router. This computer was not.” How did you determine that that computer was not connected to the internet via a wireless router?
MR. GABRIEL: Objection. Asked and answered.
A. This computer had a public IP address that matched the IP address that was in the packet that was transmitted onto the internet from an entry point into the internet. And so, therefore, since the computer said it had the same address as the packet …
Q. I don’t understand your testimony. What do you mean by a public IP address?
A. The public IP space is divided into address ranges. A majority of the addresses are to be handed out for devices that are directly connected to the public — to the internet. Some of the addresses have been reserved for private addresses, addresses that cannot show up on the internet. They will not internet. These are the addresses used by NATs and wireless routers and so on as you have shown in your –
Q. Don’t look for the documents.
A. The image with the picture where you had the 192168 addresses. Those, for example, are private IP address space.
Q. So you are going to rely on what you just said. That’s the way you know it wasn’t a wireless router. Everything you have just said now establishes that it was not a wireless router?
A. In my opinion, yes.
Q. Was KaZaA fully installed on the first computer?
MR. GABRIEL: Objection to form.
A. If by the first computer you mean the computer that MediaSentry reported on, that was running a KaZaA client.
MR. BECKERMAN: Read back that answer.
(Record read.)
Q. I asked you if it was fully installed on the computer.
MR. GABRIEL: If that’s a question, I object.
A. The KaZaA application was installed and running on that computer.
MR. GABRIEL: The record should reflect that the document Dr. Jacobson was looking for was Exhibit 8 with the 192IP address. That’s what he said, just for
clarity.
Q. Other than this two-page document from Verizon which was sent to Jenner & Block law firm, did you see anything else from Verizon?
A. No.
Q. Do you know what procedures Verizon employed to link Ms. Lindor’s name and address to the alleged IP address?
A. No.
Q. Do you know who conducted the research?
A. No.
Q. Do you know if the procedures were accurately and competently followed?
A. I have no way of knowing that.
Q. Do you know if the search was free from human and mechanical error?
A. I have no way of knowing.
Q. Have the ISP’s ever misidentified a subscriber?
MR. GABRIEL: Objection to form. Lack of foundation.
A. I have no way of knowing.
Q. Have the ISP’s ever identified a customer who is not even a subscriber at the time of the infringement?
MR. GABRIEL: Objection to form. Lack of foundation.
A. I have no way of knowing.
Q. Did you see their logs?
A. All I saw from Verizon is what is shown in Exhibit 19.
Q. Were MediaSentry’s clocks synchronized with Verizon’s?
MR. GABRIEL: Objection to form. Lack of foundation.
A. I have no way of knowing.
Q. How many people were assigned this IP address during the 24 hours of August 7, 2004, 141.155.57.198?
A. The date you said was August 7th?
Q. August 7, 2004.
A. I have no way of knowing that.
Q. Is it true that the ISP keeps a log of all IP address assignments?
MR. GABRIEL: Objection. Lack of foundation.
A. I don’t know how Verizon operates internally.
Q. Does the log contain the name and address of a subscriber or does it contain a MAC address?
MR. GABRIEL: Same objection.
A. I have no idea what is in their internal logs.
Q. How did Verizon link Ms. Lindor’s name to that IP address?
MR. GABRIEL: Same objection.
A. I have no knowledge about Verizon.
Q. So is it fair to say that all of your reports are based on the assumption that the information which you obtained from Verizon was accurate?
A. Yes.
Q. And you have no idea how they obtained that information; is that correct?
A. I have no firsthand knowledge of how they obtained that information.
Q. Do you have some secondhand knowledge of how they operated?
A. I could speculate as to how they might do it.
Q. But you don’t know? You just would be speculating?
A. Yes.
Q. I am sure Mr. Gabriel wouldn’t want you to speculate. Did you make any attempt to verify the information?
A. The Verizon information?
Q. Yes.
A. The only verification that I do is I compare the Verizon subpoena response date, time, IP to the subpoena itself to verify that they — that Verizon is reporting back on the same data that was requested.
Q. Do you know if Ms. Lindor’s apartment has a wired router?
A. I don’t know anything about Ms. Lindor’s apartment.
Q. So would you know if her apartment had a wireless router?
A. Again, I don’t know anything about Ms. Lindor’s residence.
Q. Would it have been possible to have more than one router?
MR. GABRIEL: Objection to form.
A. It’s possible to have any number of routers. But given the IP address correlation, given the IP address in the packet in the computer are both republic.
Q. What is a wireless access point?
A. A wireless access point is the wireless device that actually — it is a device that actually interfaces with the wireless devices, the machines with wireless cards, so that actually is the base station transmitter.
Q. How does that relate to a wireless router?
A. That’s part of a — that’s part of the router. The access point we typically talk is the wireless side.
Q. Didn’t you say in your declaration under penalty of perjury that your conclusion that it was not connected to the internet via a wireless router was based in part on the registry entries recovered from the computer?
A. Yes.
Q. And you didn’t feel it was important to identify those registry entries?
A. Again, since I didn’t find anything there was nothing to document and since I can — The hard drive is still in my possession.
Q. Well, do you think you can now go generate more reports after having gone through this deposition and then come up with them at the trial and surprise me with them?
MR. GABRIEL: Objection. Argumentative. We are aware of what our obligations are.
Q. You said in your declaration that there was no internal IP address here. What did you mean by that?
A. Which declaration are you reading?
Q. Your December 19th declaration. You said there was no internal IP address here.
MR. GABRIEL: I don’t believe you marked it as an exhibit.
Q. Do you doubt that you put that in your declaration?
MR. GABRIEL: Wait. He is talking about your December declaration. He has not marked it as an exhibit, if that is
what you are looking for.
Q. Well, do you doubt that that’s what you said? Let me quote. “I base this on the data mentioned above as well as on the registry entries recovered from the computer and the fact that there was no internal IP address here.” Do you not know what that statement means?
A. I know what that statement means. I assume if you are reading it, it is indeed what I — I don’t remember verbatim what I said without seeing the report.
MR. BECKERMAN: Please mark this as Exhibit 23. It is a declaration dated December 19, 2006.
(Defendant’s Exhibit 23, declaration dated December 19, 2006, marked for identification, as of this date.)
Q. I refer you to Page 4, Paragraph 5, second sentence, and ask you what you were talking about. Actually, let me go to this first. When you say the registry entries were recovered, they weren’t recovered; you are just saying you saw them and then kept them to yourself. Is that correct? You didn’t recover them?
MR. GABRIEL: Objection to form. Argumentative.
Q. You read them and made no notation or record or report of them; is that correct? So when you say recovered –
A. In a Windows PC the registries actually exist in several places and so to get a view of all of them, you end up through EnCase running their internal program which puts the registries in a human, readable format. So that’s what I meant by the word “recovered.”
Q. What did you mean when you said there was no internal IP address here?
A. There was no evidence of an internal — of the internal addresses like the 1192.168 addresses that you find when you have a wireless router.
Q. So in preparing your analysis, you go directly from the MediaSentry documents to the report that you write for the RIAA lawyers and there is no intermediate work papers or analysis sheets?
A. Yes. That’s Exhibit 18.
Q. That’s it? That’s the only thing that you prepare before preparing your report?
A. Yes.
(Recess taken.)
Q. If I was on the internet right now and my IP address was 195.175.1.2, how would you determine whether I was connected through a wireless router or not?
A. We look at the — if all I saw was a single packet from you with no other data, I couldn’t make that determination. But if I saw a payload that also reported your IP address, then I could make that determination.
Q. So let’s say I sent you an e-mail. Would you be able to tell?
A. Not with every e-mail. There may be configurations in which an e-mail would disclose that information.
Q. Now, going back to what you said about the packet, would you see the private IP?
A. If the application reported the private IP as part of the payload, but not as part of the IPV4 header.
Q. And how does it distinguish between wireless and not wireless?
MR. GABRIEL: Objection to form.
A. You wouldn’t be able to tell the difference between a router with private addresses, whether it was wireless or not wireless.
Q. Does the packet identify whether the user is wireless or not?
A. It depends on which packet you see?
Q. How would a packet tell you that it’s wireless?
A. If I actually captured the wireless packet, its MAC address is larger than the MAC address of a — on the wired side, along with the frame format is different.
Q. The MAC address of a wireless is a different type of MAC address?
A. Its layout is different.
Q. Is a MAC address visible outside of the local network?
A. Not of the internal machines.
Q. So how would a packet on the public internet have a MAC address header?
A. Every packet has some type of MAC address header.
Q. Does NAT hide the private IP?
A. If by “hide” you mean that the private IP does not show up in the IPV6 header, that is correct.
Q. What is the name and model of the PC whose hard drive image you examined?
A. I don’t know.
Q. What is the MD5 hash of the hard drive you examined?
A. I don’t recall what that is.
Q. What is the SHA1 hash of the hard drive image you examined?
A. I don’t even recall looking at that.
Q. What kind of hashing does KaZaA use?
A. I don’t remember the exact algorithm that it uses.
Q. Would it refresh your recollection for me to tell you that it uses UU Hash?
A. I have no reason to doubt that.
Q. Do you know why MediaSentry compiled the list with the SH1 values instead of the UU Hash values?
A. Which list?
Q. You are the person who is testifying about the MediaSentry printouts.
MR. GABRIEL: I will object. He
didn’t testify about hash values at all.
Q. Isn’t it a fact that they have a list of SHA1 hash values?
MR. BECKERMAN: Withdrawn. I withdraw the question.
Q. Can multiple users of KaZaA have the same user name?
A. Yes.
Q. Can users change their nickname in KaZaA?
A. Yes.
Q. Do KaZaA nicknames uniquely identify a person?
A. No.
Q. Could I create a user name “Dr. Jacobson” at KaZaA?
A. Yes.
Q. Does KaZaA operate as a background
MR. GABRIEL: Objection to form.
A. You can minimize KaZaA and have it run out of the system tray.
Q. Is it possible that someone who has the computer on and has KaZaA running might not even know it’s running?
A. It’s possible.
Q. Is there a way through the internet to remotely control someone else’s computer?
MR. GABRIEL: Objection to form. Lack of foundation.
A. It’s possible.
Q. What is a zombie?
A. In reference to computer security, a zombie is a program that is under control of some other master program which is under control of some individual.
Q. What is a cracker?
A. When I use the term, it is in reference to either a person or process to break passwords.
Q. What is a drone?
A. Again, in computer security terminology that, again, would be a piece of software that’s under control by another individual.
Q. When you provide your investigations, do you do anything to verify or to determine whether or not the computer in question was under control by an outside remote user?
A. No.
Q. Do you know who conducted the MediaSentry investigation?
A. No.
Q. Do you know the qualifications and training of anyone who conducted the investigation?
A. No.
Q. Are screen shots reliable evidence, in your opinion?
MR. GABRIEL: Objection to form. Lack of foundation. Calls for a legal conclusion on its face.
A. I don’t know what represents legal evidence in a court of law.
Q. Do you consider screen shots reliable?
MR. GABRIEL: Objection.
A. A screen shot is an image of the application and the application data that is shown on the screen at that time.
Q. Can it be subject to manipulation or forgery?
MR. GABRIEL: Objection to form. Calls for speculation.
A. Any image can be subject to manipulation.
Q. Could it be altered in the graphics editing program?
MR. GABRIEL: Same objections.
A. Any image can be altered in the graphics editing program.
Q. Did you take any steps to verify the authenticity of the screen shot?
A. No.
Q. Did you take any steps to verify that the song files were genuine?
A. Other than what was reported through MediaSentry and through the certificates of — I can’t recall what they are called exactly, but through the documents provided by the recording industry.
Q. You yourself did nothing to verify that they were genuine?
A. Other than through the documentation I was provided.
Q. What did MediaSentry do to verify that they were genuine?
MR. GABRIEL: Objection to form. Lack of foundation.
A. I don’t know what MediaSentry did.
Q. Did you verify that the IP address had not been highjacked?
MR. GABRIEL: Objection to form.
A. I relied on the Verizon documentation and so, no, I did not.
Q. Did you verify that the IP address had not been faked?
MR. GABRIEL: Same objection.
A. I relied on the Verizon documentation.
Q. Did you verify that the IP address had not been spoofed?
MR. GABRIEL: I will object to the form. Lack of foundation. You can answer.
A. Only that I can say that it was an IP address that was within Verizon’s domain.
Q. Is a log file a text file?
A. It can be.
Q. Were these log files text files?
A. The originals I believe came that way. When I receive them, they are .PDF documents.
Q. Can text files be easily altered?
MR. GABRIEL: Objection to form.
A. Yes.
Q. In your report you said the lack of user-created files and e-mail leads you to believe that this computer wasn’t used very much. What did ou mean by user-created files?
A. When I looked through the hard drive there were very few files that were created by user-run applications, like documents.
Q. Is it possible to use a computer for extended periods without creating any user files?
MR. GABRIEL: Objection to form.
A. It’s possible.
Q. If you were, let’s say, surfing the internet and clearing the cache, would there be any user-created files from that?
A. As long as you didn’t download anything.
Q. If you were listening to any CD’s, would there be any user-created files?
A. No.
Q. If you were playing Minesweeper or Solitaire, would there be any user-created files?
A. I believe Solitaire you can save a game.
Q. If you were just playing Minesweeper or Solitaire, would there be any user-generated files?
A. No.
Q. If a user used web-based e-mail such as Hotmail, Yahoo or Gmail, would any of those e-mails be stored on the hard drive?
A. They don’t have to be.
Q. Can you tell how many people used the computer from which the hard drive came that you examined?
A. I can tell how many accounts were on the hard drive, how many user accounts.
Q. But you can’t say how many people used it?
A. Living, breathing people? No.
Q. During your hard drive inspection, what files did you find in the deleted sectors of the disk?
A. Very few, and none that matched the profile of KaZaA or MP3 files.
MR. BECKERMAN: Let’s take a short break.|
(Recess taken.)
Q. Did you examine the system registry for the computer that had the hard drive?
A. I examined the registry from the hard drive.
Q. Did it show that any other hard drive had ever existed in that computer?
A. I didn’t specifically look for that. I don’t recall that there was an indication of that.
Q. So you have no reason to think that the hard drive was replaced?
A. Not — no.
Q. And it is a fact, is it not, that the ystem registry would have disclosed that if it had taken place?
A. If you would have rebuilt the system from scratch and copied the data files over to new hard drive, the system registry would have only shown the creation date or installation date of the operating system.
Q. Isn’t it a fact that the system registry contains information about each hard drive that’s ever been connected to the computer, including the manufacturer, the size of the hard drive and in some instances the serial number?
A. Of all hard drives connected while that system registry was on that hard drive, if you pull out the hard drive that had that system registry and plugged a brand new one into the machine and rebuilt the operating system, there would be no evidence of that original hard drive you pulled out.
Q. Was there any evidence that that had taken place here on or after August 7, 2004?
A. No.
Q. Does every internet packet contain a MAC address?
A. No.
Q. Does a MAC address tell you if a device is wired or wireless?
A. If you can see the MAC address of the transmitting device you could see whether that device was wired or wireless.
Q. Now, if it was a computer going through a wireless router, would you see the MAC address of the computer?
A. Where am I looking for the MAC address?
Q. Where you say it exists.
A. MAC address exists between any two nodes — some type of physical address exists between every pair of communicating nodes on the internet.
Q. How would you see the MAC address of a transmitting device?
A. I’d have to have a monitoring device on the media — median that the transmitting device was using.
Q. And did you have such a monitoring device?
A. No.
Q. Does an IP address tell you if the device is wired or wireless?
A. No.
MR. BECKERMAN: I have no further questions.
MR. GABRIEL: I think I just have three clarification questions.
MR. BECKERMAN: Then I might have some clarifying questions of my own then.
MR. GABRIEL: I understand.
EXAMINATION BY MR. GABRIEL:
Q. Dr. Jacobson, Mr. Beckerman asked you some questions about the processes that you used both when you did your first report and also when you reviewed the hard drive, and you gave testimony bout that. Do you recall?
A. Yes.
Q. With respect to the processes that you used, is it your view that reasonable experts in your fields use the same processes?
A. Yes.
Q. Is there any other way to do what you did, to your knowledge?
A. The hard drive examination could have been done with any one of a number of tools, but all of those tools behave in roughly the same way.
Q. Mr. Jacobson, with respect to the reports in the declaration that you did and Mr. Beckerman asked you about, he asked you whether you had discussed any alternative explanations for the conclusions you reached. Do you recall him asking you that?
A. Yes.
Q. You did talk about the absence of a router.
MR. BECKERMAN: Objection. Leading.
Q. Yes?
A. Yes.
Q. Mr. Beckerman had asked you questions about the instructions that I or my firm gave you in terms of what you were supposed to look for on the hard drive, correct?
A. Yes.
Q. And your testimony will speak for itself. I think you said look for KaZaA, look for MP3 files, anything associated with your expert report. Do you recall giving that general testimony?
A. Yes.
Q. Did we also ask you to look if anything was deleted?
A. I believe you did.
Q. And did you do that?
A. Yes.
Q. Mr. Beckerman asked you a lot of questions today about what you relied on and he asked you whether you had verified different things. For example, the Verizon information was one of the things he asked you if you verified. Do you remember just being asked those questions?
A. Yes.
Q. With respect to the various data you relied on from MediaSentry or Verizon, do you have any information sitting here today, Dr. Jacobson, to suggest that any of that is not correct?
A. No.
Q. Do you have an opinion as to whether a reasonable expert in your field would rely on information like that?
MR. BECKERMAN: Objection. He hasn’t shown himself qualified to give an opinion on something like that.
Q. You can answer.
A. I believe that a person in my field would use the same information.
Q. Last question. Would you look at Exhibit 8, please.
A. Yes. I found it. trying to get us in the same place — an internal IP address and 192. Does the number 192 here somehow correlate with an internal IP address?
A. Yes. The internet registration authority, which is basically the governing body of IP addresses, has allocated three address ranges that are to be used internally only, they are not to show up on the internet, and the 192.168 is one of those blocks of addresses.
Q. And with respect to the IP — the public IP address that you talked about a lot today relating to this case, was that within one of the ranges for internal addresses?
A. No.
MR. GABRIEL: That’s all I have.
MR. BECKERMAN: I have no further questions.
MR. GABRIEL: Thank you for your courtesy. We are going to run out and make a plane.
–o0o–
If your Net access is blocked by government restrictions, try Psiphon from the Citizen Lab at thIs the end (of the Net) nigh?zze University of Toronto’s Munk Centre for International Studies. Go here for the official download, here for the p2pnet download, and here for details. And if you’re Chinese and you’re looking for a way to access independent Internet news sources, try Freegate, the DIT program written to help Chinese citizens circumvent web site blocking outside of China. Download it here.
rss feed: http://p2pnet.net/p2p.rss | | Mobile – http://p2pnet.net/index-wml.php | | And use free p2pnet newsfeeds for your site
Tired of being treated like a criminal? They depend on you, not the other way around. Don’t buy their ‘product’. Do bug your local politicians. Use emails, snail-mail, phone calls, faxes, IM, stop them in the street, blog. And if you’re into organizing, organize petitions, organize demonstrations and then turn up on your local political rep’s doorstep, making sure you’ve contacted your local tv/radio station/newspaper in advance. Don’t just complain. Do something!
March 1st, 2007 at 9:02 pm
This case is going downhill for the RIAA. They can’t even prove who was sitting behind the computer. The lawyer for the defendant is good.
March 1st, 2007 at 10:17 pm
Remind me never to attend Iowa State University. My 15 year old niece can give a better description of how the internet works than this guy. If they are using methodology then I am safe war driving wireless access points, not that I wasn’t in the first place
March 2nd, 2007 at 10:15 am
‘Yes. The internet registration authority, which is basically the governing body of IP addresses, has allocated three address ranges that are to be used internally only, they are not to show up on the internet, and the 192.168 is one of those blocks of addresses.’
if this was suppose to infer that any address’s outside of the reserved internal ranges cannot be used on an internal machine that is incorrect. An external address can be allocated internally it just might conflict with an external address, and a DHCP server would not hand it out, it would have to be set internally. It’s not safe, and it’s not smart. but who’s to say some virus/trojan wouln’t do such a thing?
March 2nd, 2007 at 1:20 pm
This Dr. Jacobson, if you can even call him a doctor, used so much double-speak, and convenient assumptions, it makes you sick:
“the we tied the IP to the defendant.” Well, no you didn’t. Based on the IP you provided Verizon for the time specified, Verizon provided you who owned the account that had the IP in question. Mr Jacobson assumed it was the account holder who did the file sharing. That may be all well and good in society, but in a court of law, we need more than assumptions.
March 3rd, 2007 at 6:36 am
According to RIAA members who sue kids and their computer neophyte grandmothers, if someones’s car is stolen and the car is used to rob a bank, the car’s owner is guilty of bank robbery and the bank may sue to recover the money.
Ditto if the car was never stolen but the car used in the bank robbery has a fake license plate number that led the police to an innocent party. Then, the innocent party is guilty of bank robbery.
Rafael Venegas
http://www.gvenegas.com
March 18th, 2007 at 11:08 am
It would appear to me that Dr. Jacobson tried very hard to be clear and precise, as an engineer should be. My analysis of the evidence as stated in the answers is that he states that a) any one could have plugged into that ip address (specifically a lap-top), except b) on the computer that he examined the hard drive of, kazaa and mp3 files did not appear to be in existence nor any evidence in the registry of being deleted.
Obviously, somebody borrowed the defendant’s internet connection to check their e-mail, and their p2p application chucked out a few packets in the mix. The RIAA is just using up their *goodwill* on bad pr, which is going to make it much more difficult to get their new regulations passed- criminalising internet connection sharing. I suppose they’ll have to frame it as a HOMELAND SECURITY issue.
April 28th, 2007 at 10:09 am
Oh gfod this is rich. There are so many ‘flaws’ in the RIAA’s argument. If they win this case then the law is messed up beyond repair.
Seriously. They need to prove that 1. the ISP provided the correct information. 2. that the information provided by MediaSentry is correct 3. that the information provided by MediaSentry could not have been tampered with and that the data was not ’spoofed’. Oh god I am sure there is a long list of things that are so wrong with this I can’t even go into it further without writing an essay.
We need class action NOW!
November 21st, 2007 at 8:15 pm
I just recently stumbled upon this page, and found it fascinating. But what was really interesting were the comments and implications that the Jacobson’s analysis is totally unsound (”the law is messed up beyond repair”). Yes, it is possible somebody tampered with the Verizon logs, or altered the screenshot images. But that sort of thing is unlikely. All his assumptions (the Verizon logs were correct; nobody altered the screenshot image; the fact that the IP address in the IP packet header matches the IP address in the payload implies there isn’t a wireless router or gateway, etc.) seem entirely reasonable. Maybe somebody did something nefarious; maybe it’s part of a vast conspiracy by the government, or the mafia, or SPECTRE. But I doubt it. The *only* thing that casts doubt on the claim that this computer was used for file sharing is the fact that no evidence of the application was found on it. Granted, that’s a pretty powerful argument, but it’s the only one. Other things like potential tampering with Verizon logs is just silly.
In terms of Jacobson’s ability or quality of his answers (”my 15 year old niece can give a better description of how the internet works”), what’s he supposed to do when faced with such nonsensical questions such as “Did that connect to the internet directly or through another deviceâs MAC address?”. Faced with a lawyer who was both hostile and obviously clueless about networking, I think he did pretty well.