montgomery v etreppid # 199 | declaration of jonathan karchmer
8/20/2019 Montgomery v eTreppid # 199 | Declaration of Jonathan Karchmer
J. Stephen Peek, Esq. (NV Bar #1758)
Jerry M. Snyder, Esq. (NV Bar #6830)
Hale Lane Peek Dennison and Howard
5441 Kietzke Lane, Second Floor
Reno, NV 89511
Tel: (775) 327-3000
Fax: (775) 786-6179
Reid H. Weingarten (D.C. Bar #365893) (Admitted Pro Hac Vice June 15, 2007)
Brian M. Heberlig (D.C. Bar #455381) (Admitted Pro Hac Vice June 15, 2007)
Robert A. Ayers (D.C. Bar #488284) (Admitted Pro Hac Vice June 15, 2007)
Steptoe & Johnson LLP
1330 Connecticut Avenue, N.W.
Washington, D.C. 20036-1795
(202) 429-3000
Attorneys for Plaintiff and Cross-Defendant eTreppid Technologies, L.L.C. and Cross-Defendant Warren Trepp
UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF NEVADA
DENNIS MONTGOMERY; MONTGOMERY FAMILY TRUST,
Plaintiffs,
vs.
ETREPPID TECHNOLOGIES, L.L.C.; a Nevada Limited Liability Company, WARREN TREPP; DEPARTMENT OF DEFENSE of the UNITED STATES OF AMERICA; and DOES 1-10,
Defendants
Case No. 3:06-CV-0056-PMP-VPC
Case No. 3:06-CV-00145-PMP-VPC
DECLARATION OF JONATHAN KARCHMER IN SUPPORT OF DEFENDANTS ETREPPID TECHNOLOGIES, L.L.C. AND WARREN TREPP’S NOTICE OF OBJECTION TO THE PUBLIC FILING OF A FABRICATED DOCUMENT BY DENNIS MONTGOMERY
AND ALL RELATED MATTERS.
Pursuant to 28 U.S.C. § 1746, I, JONATHAN KARCHMER, hereby declare:
Case 3:06-cv-00056-PMP-VPC Document 199 Filed 06/22/07 Page 1 of 9
1. I am over the age of eighteen. I make this declaration based upon my personal
knowledge to which I could and would competently testify if called as a witness in this
matter.
2. I am employed by LECG, LLC, an expert services provider. I am a Managing
Consultant in the Electronic Discovery practice based in Century City, Los Angeles,
CA. I have offered sworn testimony as an expert witness.
3. I am an EnCase Certified Examiner (EnCE - #15-0203-1114), a Certified Computer
Examiner (CCE - #427), a GIAC Certified Forensic Analyst (GCFA - #1676), and a
GIAC Certified Incident Handler (GCIH - #2981). These security and computer
forensic designations acknowledge that computer examiners have successfully shown
how to employ proper computer investigation methodology as well as how to properly
use forensic software during computer examinations. They are recognized by both law
enforcement and corporate investigation communities as a symbol of in-depth computer
forensics knowledge.
4. Computer forensics and electronic discovery has been the focus of my career for more
than 6 years. Historically, I have served as a computer forensics examiner and
ediscovery litigation consultant in over 75 matters, and I have offered testimony as an
expert in the area of evidence preservation, spoliation issues, documentation, and
computer forensic methodologies.
5. LECG was engaged by eTreppid counsel to collect and analyze data including email
from the offices of eTreppid in Reno, NV.
6. On February 16, 2007, I visited the offices of eTreppid and met with the eTreppid
information technology manager, Sloan Venables. Mr. Venables explained the
eTreppid network and email configuration to me. During the time period at issue in this
case, when eTreppid employees accessed their email, the email was transferred from the
eTreppid server to the users’ computers. Thereafter, a copy of the email was not
maintained on the server. eTreppid email was not centrally managed or backed up to
tape.
7. I collected various instances of email belonging to Warren Trepp including his current
PST files, backups of his PST files created at different times, and a loose email (msg)
file. A PST file is basically an email mailbox; it is a single file containing email used
with the Microsoft Outlook email application. LECG subsequently visited eTreppid on
February 23, March 6, and March 23, 2007 to collect other email backups and stores as
they were discovered by eTreppid staff, including four hard drives located in a locked
cabinet that I am advised was used principally by a former eTreppid employee,
Mr. Montgomery.
8. I used WinRAR and or EnCase software to perform file collection onsite at eTreppid.
Both tools preserve file system metadata (information associated with an electronic file
regarding dates and times of creation, delivery, receipt, modification, etc.) associated
with files collected for analysis. I used EnCase and dtSearch software to analyze the
email I collected.
9. LECG performed testing of the Outlook email program and confirmed that email
messages sent in the past could be altered and edited at the will of anyone with access to
an individual’s email account (or PST). A user could open an existing message, add or
remove content, and then print a hard copy of the altered email. However, if the email
message is altered and saved, those changes are subsequently saved in the email itself as
it resides in the PST mailbox file. Therefore, if an email message dated September 25,
2003 was later altered and saved in January 2006, for example, analysis of the PST file
containing that email would show discrepancies between the “Sent” (identified by
EnCase as “Last Written”) and “Modified” times associated with that email message.
Specifically, the email’s “Last Written” date would be September 25, 2003, but its
“Modified” date would be January 2006. I note that it is not necessary for one to “save”
an edited email message in order to print copies of the edited email.
10. Counsel asked LECG to analyze all collected email files and locate a September 25,
2003 email message between Len Glogauer and Warren Trepp regarding Congressman
Gibbons that purportedly included the sentence “We need to take care of him like we
discussed.” I located four instances of an email between Mr. Glogauer and Mr. Trepp
on September 25, 2003 regarding Mr. Gibbons in various locations, including PST files
belonging to Mr. Trepp, and on one of the external hard drives located in the locked
cabinet used by Mr. Montgomery. Attached to this declaration as Exhibit A is a printed
copy of the email as I found it. (All four instances of the email message are the same.)
11. The content of all four instances of the September 25, 2003 Len Glogauer email
located at the eTreppid facility were identical, and included an email chain consisting of
three messages preceding the message Len Glogauer forwarded to Warren Trepp at 9:35
a.m.
12. Analysis of the email I collected showed that all instances of the September 25, 2003
Len Glogauer email did not include the sentence “We need to take care of him like we
discussed.” In addition, I analyzed all instances of the email to determine whether that
sentence was added or removed.
13. The EnCase forensic software is able to analyze metadata in Outlook email messages
known as “property tags.” The EnCase forensic software identifies metadata in Outlook
email messages and displays them as follows: (a) “File Created” identifies the
date/time an email was first received and saved into a PST mailbox file by the recipient;
(b) “Last Written” identifies the date/time an email was sent by the author; and
(c) “Entry Modified” identifies the date/time an email was last modified or changed by
the recipient. Generally, the “File Created” date/time will match the “Entry Modified”
date/time for all email messages, unless a user edits or modifies an existing email after
receiving it, in which case the “Entry Modified” date/time will reflect the subsequent
date/time when the modification occurred. See Exhibit B.
14. For example, if an email message was sent and received in 2003, but subsequently
altered (and saved) in 2006, embedded metadata within the PST file would indicate an
“Entry Modified” date/time in 2006, while the “File Created” and “Last Written”
dates/times would remain in 2003. (See Exhibit B for an example of a modified
Outlook email message and the resulting change to the email metadata).
15. When I examined the eTreppid PST files using EnCase forensic software, the “Last
Written” and “Entry Modified” dates/times associated with the September 25, 2003
Glogauer email were consistent with the email having been sent by the author on
September 25, 2003 at 9:35 AM (“Last Written” date/time), and received by the
recipient on September 25, 2003 at 9:42 AM (“File Created” / “Entry Modified”
dates/times). None of the four instances of the September 25, 2003 email message that
I examined contained any discrepancy between the “File Created” date/time and the
“Entry Modified” date/time. This indicates conclusively that the September 25, 2003
email message was not modified by the recipient after it was received.
16. At the eTreppid offices, during the relevant time period, the email server was
configured to act as temporary mail storage. In other words, when email was sent to
employees, the messages physically resided on the email server until the recipient
opened their Outlook application, and synchronized with the server and/or initiated the
“Send/Receive” process. At this time, new email messages transferred from the server
down to the user’s desktop/laptop where the PST was physically stored. (Send/Receive
can be configured to run periodically while Outlook is open, or users can initiate this
manually at any time.) The PST then stamped the incoming email message with certain
dates/time as appropriate.
17. Exhibit C to this affidavit explains in detail the process by which email messages have
certain embedded dates/times assigned to them, and describes why all four instances of
the September 25, 2003 email found onsite at eTreppid show: (a) the emails did not
include the “We need to take care of him . . .” sentence, and (b) the emails were never
altered or modified after they were received, indicating that it is not possible that
anyone deleted the sentence “We need to take care of him . . .” from the original email.
Specifically, when an email message is saved into a PST, Microsoft Outlook will assign
various “property tags” to the email, including a “PR_CREATION_TIME” tag which,
for an email recipient, is the date/time the email is first received and saved to the PST,
as well as a “PR_LAST_MODIFICATION_TIME” tag, which records the last time the
email message was altered/modified in any way. When this metadata is viewed using
the EnCase forensic software, the “PR_CREATION_TIME” tag is reflected as “File
Created” and the “PR_LAST_MODIFICATION_TIME” tag is reflected as “Entry
Modified.” For all four of the eTreppid PST files containing the September 25, 2003
email message, the “File Created” and “Entry Modified” dates/times are identical, and
all read as September 25, 2003 at 09:42:52 AM. Were the message to have been altered
by someone, the email’s “Entry Modified” date/time would differ from (i.e. be later
than) its “File Created” date/time (See Exhibits B, C). Instead, all four instances of the
September 25, 2003 email at eTreppid have identical “File Created” and “Entry
Modified” dates/times (down to the second).
18. Based on the foregoing analysis, it is my expert opinion that the original email, as sent
from Mr. Glogauer to Mr. Trepp on September 25, 2003, did not contain the sentence
“We need to take care of him like we discussed.”
19. I am informed and believe that a “txt” file was submitted to the Court by Mr. Dennis
Montgomery on June 12, 2006 as a “true and accurate” copy of the September 25, 2003
Len Glogauer email. This “txt” document is not a verifiable or accurate copy of the
original email as I found it in several locations in the eTreppid facility.
20. The document submitted by Mr. Montgomery is a text or “TXT” file (a basic word
processing document), which can be easily manipulated or altered. A TXT file is not
the original format of an email message sent/received using Outlook. The file
submitted to the court was created with a Windows program called Notepad (a basic
text editor program included with all versions of Windows). When they are printed,
text files created with Notepad will include the file title at the top of the printed page,
and also include “Page X” at the bottom, where “X” corresponds to the page number.
These marks are consistent with the file submitted by Mr. Montgomery.
21. Further, the absence of the preceding email chain found in the original versions of the
email and the inclusion of the sentence “We need to take care of him like we discussed”
indicates that the document submitted to the Court by Mr. Montgomery is an altered
version of the email as it existed when Len Glogauer sent to Mr. Trepp on September
25, 2003.
22. To illustrate the ease with which an “email” like the example Mr. Montgomery
provided to the Court can be created, on June 14, 2007, I used Notepad to create a
nearly identical TXT file that appears to be an email message. I created a text file with
the same filename as Mr. Montgomery’s document. I added “This sentence was added
by LECG on 6/14/2007” to the email body. This example is included with this affidavit
as Exhibit D. Note: LECG does not have access to the electronic TXT file
Mr. Montgomery created/provided; Exhibit D to this affidavit was created entirely by
me with the use of Notepad.
23. As illustrated in Exhibits B and D to this affidavit, it is not possible to verify
authenticity of email through examination of hard copy printouts. Forensic examination
of the original email store (PST) is required.
24. It is my belief that a forensic analysis of a PST file in Mr. Montgomery’s possession, if
it exists, with the email Mr. Montgomery provided to the Court, would reveal that the
email therein either (a) does not contain the sentence “We need to take care of him like
we discussed,” or (b) is in fact a subsequently altered version of the original September
25, 2003 Len Glogauer email.
Pursuant to the provisions of 28 U.S.C. § 1746, I declare under penalty of perjury that the
foregoing is true and correct.
Executed this ____ day of June, 2007 at Irvine, California.
/s/JONATHAN KARCHMER
PROOF OF SERVICE
I, Gaylene Silva, declare:
I am employed in the City of Reno, County of Washoe, State of Nevada, by the law office of Hale Lane Peek Dennison and Howard. My business address is: 5441 Kietzke Lane, Second Floor, Reno, Nevada 89511. I am over the age of 18 years and not a party to this action.
I am readily familiar with Hale Lane Peek Dennison and Howard’s practice for collection of mail, delivery of its hand-deliveries and their process of faxes.
On June 22, 2007, I caused the foregoing DECLARATION OF JONATHAN KARCHMER IN SUPPORT OF DEFENDANTS ETREPPID TECHNOLOGIES, L.L.C. AND WARREN TREPP’S NOTICE OF OBJECTION TO THE PUBLIC FILING OF A FABRICATED DOCUMENT BY DENNIS MONTGOMERY to be:
_X___ filed the document electronically with the U.S. District Court and therefore the court’s computer system has electronically delivered a copy of the foregoing document to the following person(s) at the following e-mail addresses:
Fax No. 786-5044
Email [email protected] Ronald J. Logar, Esq.
Eric A. Pulver, Esq.
The Law Offices of Logar & Pulver
225 S. Arlington Avenue, Suite A
Reno, NV 89501
Fax No. 858-759-0711
Email mailto:[email protected] mailto:[email protected] J. Flynn, Esq.
P.O. Box 6906125 El Tordo
Rancho Santa Fe, CA 90267
Fax No. 202/616-8470
[email protected] P. Wells, Esq.
Senior Trial Counsel
Federal Programs Branch
Civil Division – Room 7150
U.S. Department of Justice
20 Massachusetts Ave., NW
P.O. Box 883
Washington, DC 20044
Fax No. 784-5181
[email protected] Addington
Assistant U.S. Attorney
100 W. Liberty Street, Suite 600
Reno, NV 89501
I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct, and that this declaration was executed on June 22, 2007.
____/s/__________________
Gaylene Silva
Case 3:06-cv-00056-PMP-VPC Document 199-2 Filed 06/22/07 Page 1 of 3
Ex A
Message
Page of
User
From: LEN [[email protected]]
Sent: Thursday, September 25, 2003 9:35 AM
To: WARREN
Subject: FW: Congressman gibbons discussion with AF
For your information.... It looks like Jim has "hit the ground running" on this one
Len
----Original Message----
From: Madura, Kenneth [mailto:[email protected]]
Sent: Thursday, September 25, 2003 9:32 AM
To: LEN
Subject: Congressman gibbons discussion with AF
Mr. Glogauer
This morning, the Congressman had breakfast with the Vice Chief of Staff of the Air Force, Gen Moseley, and he
brought up the eTreppid technology. Mr. Gibbons believes that this would be another good opportunity to
demonstrate the technology to the AF at even a higher level. Along with the data compression, the database
matching was extremely enticing for the AF.
I will give the information the Congressman gave us to the Air Force,
and I hope that you can make a demonstration to General Moseley soon.
Please let me know if you have any questions.
Ken Madura
Legislative Assistant
Office of Congressman Jim Gibbons (NV-02)
Voice: (202) 225-6155 Fax: (202) 225-5679
Kenneth,madurn@maiLhPu_se,gol
----Original Message-----
From: LEN [mailto:[email protected]]
Sent: Wednesday, September 24, 2003 1:07 PM
To: Gibbons, Jim
Subject: Thanks
Jim,
Thanks for the e-mail. Thanks for giving us the time Sunday to provide you with an overview of this critical
technology. And, it was great being able to catch up with you and Dawn on a personal basis. I know that Nanci is
enjoying working with Dawn on her current efforts. I think we can help and we want to be a part of your continued
success.
You can tell Dan that I will be his contact here at eTreppid. And anytime you can schedule a visit to our site we
can put on a real demo for you that is nothing short of amazing
We are looking forward to showing what can be done with this advanced technology to the right people. Dr. Rice
would present a great opportunity to get things moving quickly. The sooner we can get this technology deployed,
the sooner we can achieve the goal General Lambert put so eloquently: "I want to win the War " It is a good plan
and eTreppid's capabilities can help achieve that goal.
6/19/2007
Message
Page 2 of
On the military side of things, I am compiling some key, very telling, information on the Army's Bandwidth Bottleneck. A 66 page report was just released that shows the costs required to eliminate or at least decrease the bottleneck by the year 2010. Costs somewhere in the neighborhood of 10 Billion. With eTreppid Compression, we can significantly reduce that cost, lower the budget and potentially cut the projected time-line in half. Not a bad formula ... Spend less money and get it done sooner What a concept... I will send our findings and recommendations directly to you first.
Thanks again for your time.
Best Regards,
Len
Lennard D. Glogauer
VP • Industry Applications & Business Development
eTreppid Technologies, LLC
755 Trademark Drive
Reno, NV 89521
Tel: (775) 337-6771
Fax: (775) 337-1877
-----Original Message----
From: Gibbons, Jim [mailto:[email protected]]
Sent: Wednesday, September 24 2003 5:25 AM
To: LEN
Subject: e-mail address
6/19/2007
Len,
Indeed, both Dawn and I enjoyed ourselves at Primm's last Sunday, and seeing you and Nanci there was especially nice. I have asked Maj. Dan Waters, a Fellow assigned to my staff, to contact the National Security Agency office (Dr. Rice) in an effort to set up a meeting for you and the agency. From a personal point, let me add that I was greatly impressed by the demonstration you presented to me. No doubt, the Agency will be just as impressed
Dawn has given you the correct e-mail address for me here in DC. That e-mail address is a direct link to my desk and does not go through anyone else.
Thanks again for your help and support, but most importantly, thanks for your friendship.
Jim Gibbons
Exhibit B - Page 1 of 3
EXHIBIT B: Outlook Modification Example
These screen captures are taken from EnCase forensic software. EnCase software was used to
examine a sample Outlook PST file to illustrate normal dates/times associated with email
messages and compare it to an instance where an existing Outlook email is edited/modified to
include/exclude text that did not exist in the original message.
Outlook emails contain embedded “property tags” or descriptive information items. Some of
these tags include date/time information, such as when a particular email message was sent or
received (see Exhibit C for detailed explanation of these tags).
EnCase forensic software identifies major Outlook property tags and displays them as follows:
• EnCase “File Created” column identifies the date/time the email was first created and saved into the PST mailbox file.
• EnCase “Last Written” column displays the date/time the email was sent.
• EnCase “Entry Modified” column displays the date/time the email was last modified/changed.
Generally, the “Entry Modified” date/time will match the “File Created” date/time for all email
messages. If, however, a user changes an existing email (adds/removes word(s), etc.), and then
saves the edited email message, the “Entry Modified” date/time will reflect when the
modification occurred. If this were to occur, the “Entry Modified” date/time would post-date the
“File Created” date/time.
Case 3:06-cv-00056-PMP-VPC Document 199-3 Filed 06/22/07 Page 1 of 3
Standard Email
In the screenshot below, EnCase software is being used to examine a sample PST file. An email
message from the PST can be seen with subject “Thank you from the CEO of Network
Solutions”. The email was sent on January 4, 2005 at 7:47:28 AM (Last Written). It was
received (physically saved into the PST file) at 9:27:53 AM on the same day (File Created/Entry
Modified). Note that the “Entry Modified” date/time is identical to the “File Created” date/time.
These property tags / dates exhibit standard behavior normally seen in PST files.
Below is the email message as it normally appears to the recipient. (Recipient name has been
redacted in this example.)
To illustrate what an examiner would find if an email message was edited/modified, the above
email message was edited by LECG on June 20, 2007 at 10:29 AM. The results of this
modification are in the “Modified Email” section below, and can be compared to the “Standard
Email” section.
Modified Email
In the screenshot below, EnCase software is being used to examine the same sample PST file
used in the previous section “Standard Email”. The email message with subject “Thank you
from the CEO of Network Solutions” was modified by LECG to include text it did not originally
contain. Note how the “Entry Modified” date/time no longer matches the “File Created”
date/time. Instead, it reflects the date/time that the email was modified (June 20, 2007 10:29:32
AM).
Below is the edited email message as it would appear with changes. (Recipient name has been
redacted in this example.) Note the sentence that was inserted, circled in red.
Exhibit C – Page 1 of 7
EXHIBIT C – Tests of Microsoft Exchange/Outlook - Results from Trepp PST files:
Part 1 – Introduction to Microsoft Messaging Properties
According to the Microsoft Developer Network (http://msdn2.microsoft.com), a MAPI [1]
(Messaging Application Program Interface) Property is a component of the overall
Microsoft email messaging construct. The Microsoft Outlook PST File consists of many
properties [2] which are defined as “tags”, “identifiers”, and “types” associated with email
message objects:
Property Tags are used to identify MAPI properties and every (MAPI) property
must have one. There are two parts to every property tag: a PR_ prefix and one
or more character strings that describe the contents of the property. Multiple
character strings are separated by underscores. For example, the property tag for
the address type of a message recipient is PR_ADDRTYPE and the entry
identifier for the folder designated to receive a copy of every outbound message
is PR_IPM_SENTMAIL_ENTRYID [3].
Some of these MAPI Property Tags are identified by EnCase forensic software and are
displayed in columns corresponding to date/time values. For example:
PR_SUBJECT:
• subject line of email, displayed in EnCase as “File Name”
PR_CREATION_TIME:
• For SENDER: when the email is first drafted
• For RECIPIENT: when email is received into PST file
• Displayed in EnCase as “File Created”
PR_MESSAGE_DELIVERY_TIME:
• when email is sent / delivered, displayed in EnCase as “Last Written” date/time
PR_LAST_MODIFICATION_TIME:
• Date/Time that email was last changed
• Will mirror PR_CREATION_TIME unless email is altered after being sent
• Displayed in EnCase as “Entry Modified”
These Property (“PR”) date/time values are 64-bit / 8-byte Windows encoded dates
represented in hexadecimal, i.e.: “30 38 17 74 13 B2 C7 01”. This value for example,
decodes to “June 18, 2007, 6:45:02 PM”:
[1] MAPI is a messaging architecture that enables multiple applications to interact with multiple messaging systems seamlessly across a variety of hardware platforms. (Source: http://msdn2.microsoft.com/en-us/library/ms527628.aspx - Section: “MAPI Concepts and Architecture”)
[2] “A property is an attribute of a MAPI object. Properties describe something about the object, such as the subject line of a message or the address type of a messaging user. MAPI defines many properties, some to describe many objects and some that are appropriate only for an object of a particular type. Clients and service providers can extend MAPI's set of predefined properties by creating new, custom properties. Clients can define properties to describe new message classes, and service providers can define properties to expose the unique features of their messaging system.” (Source: http://msdn2.microsoft.com/en-us/library/ms528634.aspx - Section: MAPI Properties)
[3] (Source: http://msdn2.microsoft.com/en-us/library/ms531530.aspx - Section: “About Property Tags”)
Case 3:06-cv-00056-PMP-VPC Document 199-4 Filed 06/22/07 Page 1 of 7
For validation, the decoder above can be downloaded for free at:
http://www.digital-detective.co.uk/freetools/decode.asp.
Times in this report are GMT -8 (Pacific).
Outlook Testing
To confirm EnCase software’s interpretation of Outlook MAPI properties, I used a
testing environment similar to the eTreppid email environment which included Microsoft
Windows Server 2000, Microsoft Exchange 2000, and Microsoft Outlook 2003.
I created a virtual Windows network environment with Exchange as the email server
application. I created 2 user accounts, called USER1 and USER2. In this example,
USER1 is the email sender, and USER2 is the email recipient.
On June 18, 2007 at 6:44 PM, I acted as USER1 and opened that user’s Outlook profile.
At 6:45 PM, I drafted a new email message to USER2. The subject line of the email was
“new msg opened 6:45 PM”. The email message was submitted for delivery (Sent) at
6:46 PM.
Later on June 18 at 7:50 PM, I acted as USER2 and opened that user’s Outlook profile. I
prompted Outlook to “Send/Receive” new email messages that may be waiting. The
email message from USER1 was delivered into USER2’s PST file at 7:50 PM.
Below are the results of this test. PST mailbox files from USER1 and USER2 as
displayed in EnCase forensic software are shown.
Outlook Testing – USER1 (Sender) PST
EnCase screen shot – The USER1 PST file shows the email message first drafted at
6:45:02. “File Created” matches “Entry Modified” [4].
PR_CREATION_TIME: 30 38 17 74 13 B2 C7 01.
This is decoded as June 18, 2007, 6:45:02 PM.
PR_MESSAGE_DELIVERY_TIME: 00 BC 5A 96 13 B2 C7 01.
This is decoded as June 18, 2007, 6:46:00 PM.
PR_LAST_MODIFICATION_TIME: 30 38 17 74 13 B2 C7 01.
This is decoded as June 18, 6:45:02 PM.
[4] Note: some of the EnCase screenshots appear to include two line items for a single email message. This is due to EnCase
identifying the email “class” object and the email body as two separate items.
Outlook Testing – USER2 (Recipient) PST
EnCase screen shot. “File Created / PR_CREATION_TIME” and “Entry Modified /
PR_LAST_MODIFICATION_TIME” are identical. This shows the message was not
altered after being received at 7:50 PM on June 18, 2007.
PR_MESSAGE_DELIVERY_TIME: 80 7F 24 98 13 B2 C7 01.
This is decoded as June 18, 2007, 6:46:03 PM.
The email was received by Exchange Server at 6:46:03 PM (three seconds after USER1
sent the email), but USER2 did not physically receive the message in their PST file until
they logged in and opened Outlook at 7:50 PM.
PR_CREATION_TIME: 00 E4 A4 98 1C B2 C7 01.
This is decoded as June 18, 2007, 7:50:29 PM.
PR_LAST_MODIFICATION_TIME: 00 E4 A4 98 1C B2 C7 01.
This is decoded as June 18, 7:50:29 PM.
TESTING SUMMARY
These results show that when an email recipient’s PST file is examined with EnCase, an
email message he or she received will show a “File Created” and an “Entry Modified”
date consistent with when the message was first received and stored in the PST (6/18/07
7:50:29 PM). The “Last Written” date is when the email was submitted for delivery by
the author of the email (about an hour earlier at 6:46 PM).
If an email message was altered and saved after having been received, EnCase would
show an “Entry Modified (PR_LAST_MODIFICATION_TIME)” date that post-dates the
“File Created (PR_CREATION_TIME)” date associated with the email (see Exhibit B
for example of a purposely modified email).
Result Summary / W. Trepp PST Comparison
As Mr. Trepp was the Recipient of the September 25, 2003 email, his PST files should
exhibit the same date/time characteristics as USER2 above. Per the screenshots below
for each of the PST files containing the September 25, 2003 email, one can see that the
email message was NOT altered subsequent to it being received because the “File
Created” date/time matches exactly the “Entry Modified” date/time:
PST A0001 – TreppPST_010606
PST A0003 – WarrenEmail_020806
PST A0004_Trepp_PSTs_021606
PST A0010_WarrenEmail_010606
All of the above “PR” tags associated with the September 25, 2003 email messages’
receipt are: E0 EF 39 10 84 83 C3 01.
This decodes to 9/25/03 9:42:52.
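Added example, not part of the filing and not LECG or EnCase code: a Python decoder for the 8-byte property values quoted in Exhibit C, together with the “File Created” versus “Entry Modified” comparison the declaration relies on. The function names, the fixed UTC-7 display offset (Pacific daylight time, at which the decoded values reproduce the exhibit's wall-clock times) and the record labelled as constructed are assumptions made for illustration.

```python
"""Decode the 8-byte MAPI date/time values quoted in Exhibit C and compare them."""
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
# It is stored little-endian, so a hex dump lists the least significant byte first.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumption: a fixed UTC-7 offset (Pacific daylight time) for display. The June 2007
# and September 2003 values below decode to the exhibit's clock times at this offset.
DISPLAY_TZ = timezone(timedelta(hours=-7))


def decode_filetime(hex_dump):
    """Turn a dump such as '30 38 17 74 13 B2 C7 01' into an aware UTC datetime."""
    raw = bytes.fromhex(hex_dump)  # fromhex() skips the spaces between byte pairs
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes, got {len(raw)}")
    ticks = int.from_bytes(raw, "little")
    try:
        # Ten ticks per microsecond; the sub-microsecond remainder is dropped.
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        raise ValueError("value is outside the representable date range") from None


def wall_clock(moment):
    """Format a decoded value at the assumed display offset, to the second."""
    return moment.astimezone(DISPLAY_TZ).strftime("%Y-%m-%d %H:%M:%S")


def compare_created_modified(created_hex, modified_hex):
    """Compare PR_CREATION_TIME with PR_LAST_MODIFICATION_TIME for one message."""
    created = decode_filetime(created_hex)
    modified = decode_filetime(modified_hex)
    if modified == created:
        verdict = "unmodified since saved"
    elif modified > created:
        verdict = "modified after saved"
    else:
        # Not a case the exhibits describe; flagged so an examiner looks closer.
        verdict = "inconsistent: modified precedes created"
    return {
        "created": created,
        "modified": modified,
        "gap": modified - created,
        "verdict": verdict,
    }


# (label, PR_CREATION_TIME, PR_LAST_MODIFICATION_TIME). The first three rows use
# values quoted in Exhibit C. The last row is constructed for this example by
# pairing two of those values; it does not describe any message in the case.
RECORDS = [
    ("USER1 sender", "30 38 17 74 13 B2 C7 01", "30 38 17 74 13 B2 C7 01"),
    ("USER2 recipient", "00 E4 A4 98 1C B2 C7 01", "00 E4 A4 98 1C B2 C7 01"),
    ("Sept 25, 2003 email", "E0 EF 39 10 84 83 C3 01", "E0 EF 39 10 84 83 C3 01"),
    ("constructed altered record", "E0 EF 39 10 84 83 C3 01", "00 E4 A4 98 1C B2 C7 01"),
]


def report(records=RECORDS):
    """Return (label, created, modified, verdict) rows for a list of records."""
    rows = []
    for label, created_hex, modified_hex in records:
        result = compare_created_modified(created_hex, modified_hex)
        rows.append((
            label,
            wall_clock(result["created"]),
            wall_clock(result["modified"]),
            result["verdict"],
        ))
    return rows


if __name__ == "__main__":
    for label, created, modified, verdict in report():
        print(f"{label:28} created={created}  modified={modified}  {verdict}")
```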
Case 3:06-cv-00056-PMP-VPC Document 199-5 Filed 06/22/07 Page 1 of 2
Ex D
2003.09.25.GibbonsFavors.txt
Message
From: LEN
sent: Thursday, September 25, 2003 9:35 AM
To: WARREN
subject: FW congressman giibons discussion with AF
For your information It looks like Jim has "hit the ground running" on this one
This sentence was added by LECG on 6/14/2007.
Len
Page 1