Exhibit 1
Statement of H. William Nelson
09-01127-rb Doc 35-1 FILED 07/16/09 ENTERED 07/16/09 14:32:40 Page 1 of 9
IN THE UNITED STATES BANKRUPTCY COURT
NORTHERN DISTRICT OF OHIO
EASTERN DIVISION
In Re:
Level Propane, Gases, Inc., et. al.
Debtors.
* * * * * * * * * * * * * * * * * * *
William H. Maloof
Plaintiff
vs.
Mark Uhrich, Plan Administrator of the
Consolidated Estate of Level Propane Gases,
Inc.
Defendant
Case No. 02-16172
Ch. 11
Adv. Pro. Case No. 09-1127
Hon. Randolph Baxter
DECLARATION UNDER PENALTY OF PERJURY OF H. WILLIAM NELSON
I make the following declaration under penalty of perjury under the laws of the State of Washington.
I am over the age of eighteen years and competent to testify.
I am a computer forensic examiner; my qualifications are stated in my curriculum vitae, a copy of which is attached as exhibit 1 to this affidavit.
LAW OFFICE of CHRISTOPHER K. STEUART
11206 Des Moines Memorial Drives S., Suite 104
Seattle, Washington 98168
Telephone: [206] 767-5758 Fax: [206] 767-5446
On April 12, 2009 I received a telephone call from attorney David Eisler directing me to set up an appointment with John Caldwell for Monday, April 13, 2009 at 9:45 a.m. PT at the Law Office of Christopher K. Steuart. Mr. Eisler's direction was for me to have Mr. Caldwell demonstrate his e-mail recovery tool and to make a mirror copy of Caldwell's e-mail, which is on a DVD in his possession.
On April 13, 2009 I picked up Mr. Caldwell at the West Wind Motel, downtown Renton, Washington. We returned to the Law Office of Christopher K. Steuart where Mr. Caldwell presented to me a DVD and I examined it. Mr. Caldwell explained to me that there were two Microsoft e-mail files, known as PST files, located on the DVD with the names of JV.pst and JV2.pst.
We (Mr. Caldwell and I) made a file copy from Mr. Caldwell's notebook computer to my external USB DVD reader/writer external drive. After completing this data transfer I tested the DVD and all files were readable on the copied DVD on my lab computers. After the data copy I loaded the files JV.pst and JV2.pst on to my lab computer. Mr. Caldwell informed me that the messages of interest were located in the PST subfolder \Personal Folders\Inbox\zzz-JV Personal of both PST files. Using X-Ways Forensics I attempted to read the PST file but could only read some of the messages in JV2.pst and JV.pst. Several of the messages appeared to be scrambled with unprintable character values. By scrambled in this context, I mean, the files were unreadable, and I make no assertion that this is the result of encryption, corruption of the files or other process.
Further examination of files JV.pst and JV2.pst using AccessData FTK produced the same unreadable results as was found with X-Ways Forensics, i.e. the files appeared to be scrambled. On April 14, 2009 I loaded the two PST files, JV.pst and JV2.pst into Microsoft Outlook to see if any additional messages could be read. This examination revealed the same results as those found using X-Ways Forensics and AccessData FTK. However, Microsoft Outlook revealed a little more information in the message header for the scrambled messages than did the two computer forensics tools, but not enough that could provide information about their contents.
On April 29, 2009 at the Law Office of Christopher K. Steuart Mr. Caldwell demonstrated a tool that he described as a decryption tool. Mr. Caldwell stated that a friend of his, Chad Thompson, created this decryption tool. Mr. Caldwell ran the decryption program from my notebook computer using three messages that he had previously selected. These messages appeared to decrypt correctly. Mr. Caldwell then deleted the program from my notebook computer. I later conducted a forensic recovery against the ‘decryption’ program, and successfully recovered it. I then selected one other scrambled file from the DVD JV.PST and executed the decryption program against it. The result that returned was the three files that Mr. Caldwell had ‘decrypted’ earlier.
On May 1, 2009 Mr. Caldwell arrived at Law Office of Christopher K. Steuart at 11:45 a.m. to perform additional validation testing for me. At this time Mr. Caldwell stated he was waiting for a telephone call from Chad Thompson to provide him with specific information on how to perform additional decrypting of the two PST files. At 2:10 p.m. Mr.
Caldwell stated that Thompson was on travel somewhere on the East coast of the U.S. Mr. Caldwell then left without performing a demonstration on how to decrypt these two PST files. On May 4, 2009 I received a telephone call from David Eisler at 1:05 p.m. He informed me that Mr. Caldwell had told him that he (Caldwell) has in his possession the original backup tapes from his previous employer that contain the original JV PST files. He also related that Mr. Caldwell needed an e-mail server to reload the files on to so he can recover scrambled messages.
On May 28, 2009 I received a telephone call from David Eisler asking if I could make a duplicate of the backup tape in Mr. Caldwell's possession. I advised him that it would require us to acquire additional computing (server) hardware and software for us to perform this task. On June 2, 2009 I received a telephone call from David Eisler advising that he would like us to pick up the e-mail server built by John Caldwell and maintain it at the Law Office of Christopher K. Steuart.
At Mr. Eisler's instructions I picked up the e-mail server from Mr. Caldwell at a hotel in Kent, Washington. On June 10, 2009 at 8:30 a.m. I met with Mr. Caldwell and received a computer, keyboard, mouse and monitor. I then transported the computer and peripheral components to the Law Office of Christopher K. Steuart. On June 15, 2009 I received a telephone call from David Eisler directing me to prepare a proposal on how much time and work it will take to examine the PST files stored on the e-mail server that I collected from John Caldwell on June 10, 2009. I completed the proposal and forwarded it to Mr. Eisler. At this time I received instructions by telephone from Mr. Eisler to copy the file JV.pst from the e-mail server and attempt to examine its contents.
Examination of this JV.pst file was performed using X-Ways Forensics and AccessData FTK. Many of the messages from this PST file were scrambled in the same manner as the two files from the DVD. At this time I acquired a repair tool, Advanced Outlook Recovery from DataNumen, Inc. and attempted to see if it could repair the scrambled messages. Advanced Outlook Recovery failed to improve the content of the messages for this PST file. On June 17, 2009 I received a telephone call from David Eisler requesting a scope of work statement on validating data from Tape Drive PST tape in the possession of John Caldwell. I then prepared and sent a scope of work statement to Mr. Eisler for validating data from Tape Drive.
On June 18, 2009 I received a telephone call from David Eisler advising us that he will send specific information to me to look for specific messages in Tape Drive PST data. The information was of several e-mail messages that he had previously obtained. I was unable to locate the messages from this information.
On June 21, 2009 I met with John Caldwell at the Law Office of Christopher K. Steuart. Mr. Caldwell reviewed selected e-mail messages sent from Mr. Maloof. On June 25, 2009 I received a telephone call from David Eisler informing me that John Caldwell can locate unique messages in the Outlook PST file from the tape JV.pst file. John Caldwell arrived at the Law Office of Christopher K. Steuart at 3:40 pm PT. At this time Mr. Caldwell displayed for me on the e-mail server one of the messages that Mr. Eisler had previously sent. The message Mr. Caldwell located in the tape JV.pst file was a message from John Verbos listing percentage breakouts after he takes over a business.
On June 26, 2009 Mr. Eisler called and directed me to obtain the original backup tape from John Caldwell and make a backup copy of it. Upon contacting Mr. Caldwell he informed me that he is out sick this day. On July 1, 2009 Mr. Caldwell arrived at the Law Office of Christopher K. Steuart. After two hours of troubleshooting problems with the tape drive connection to the e-mail server he successfully installed the tape drive. He initiated the tape restore at about 5:00 p.m. The tape restore was very slow and we let it run overnight. Mr. Caldwell and I left for the evening and left the process running.
On July 2, 2009 Mr. Caldwell returned to the Law Office of Christopher K. Steuart to pick up the email server and the tape. The data from the tape had been recovered to the C:\ drive and I required it to be recovered to a separate target drive. Mr. Caldwell took the email server and the original of the tape to work overnight on setting it up in his hotel room. Mr. Caldwell said that he could do it, but that he wanted to do the work in his hotel room. Mr. Caldwell said he wanted to test the backup utility to see if it would backup to a target drive. On July 3, 2009 I received a telephone call from David Eisler advising that John Caldwell was in the hospital.
On July 6, 2009, Mr. Caldwell arrived at 12:15 p.m. at the Law Office of Christopher K. Steuart. At this time Mr. Caldwell configured the e-mail server and launched the data copy from the tape drive to a target disk drive. Upon the tape copy completion I removed the target disk drive from the e-mail server and from my forensic computer initiated an MD5 hash of each tape backed up file on the target drive. This drive was connected through a write-blocker device. At this time I also made a
backup of the target drive using X-Ways Forensics forensic disk copy utility. This created an Expert Witness formatted copy of the disk. On July 8, 2009 Mr. Caldwell arrived at 2:23 p.m. at the Law Office of Christopher K. Steuart to set up the e-mail server to initiate a copy of a duplicate tape copy of the original tape to target (second) disk drive. The purpose of this was to validate that all the data from the original tape was copied correctly to the duplicate tape. Upon completing, Mr. Caldwell handed over the duplicate tape and disk drive. Mr. Caldwell retained the original tape. After the data copy from tape to target disk completion I performed a forensic backup of the hard disk. On July 9, 2009 I initiated an analysis of original and duplicate disk data that were copied from the backup tapes. An MD5 hash for all tape backup files was made from the two target drives. An Expert Witness copy of the duplicate drive was also made using a write-blocker.
After the MD5 hashing completed a comparison was performed of all hashes between the original and copied disk drives using Microsoft Access. Microsoft Access revealed that there are 10,238 matching files, including two copies of JV.pst on each magnetic tape. All files' MD5 hashes matched each other from the original tape and the duplicate tape. On July 10, 2009 Mr. Caldwell arrived at the Law Office of Christopher K. Steuart. At this time I provided him with three test e-mail messages. Mr. Caldwell loaded messages into the e-mail server and launched a new encryption program. Mr. Caldwell stated that it is a new program from his friend Chad Thompson. This program ran overnight on the e-mail server. On July 11, 2009 Mr. Caldwell returned and displayed to me three scrambled messages. At this time I submitted to Mr. Caldwell three encrypted files I extracted from the first DVD
JV.pst file plus one of the test messages I submitted the previous day. Mr. Caldwell launched the program on the e-mail server. Again we let it run overnight to complete the decryption. On July 12, 2009 Mr. Caldwell returned to the Law Office of Christopher K. Steuart. At this time he displayed to me the decrypted messages.
In view of the foregoing facts, the Declarant is satisfied to a reasonable forensic certainty that the content of the emails on the media described herein were neither fabricated nor contrived. The facts stated in the foregoing statement are true and correct to the best of my knowledge and based on my professional education, study, training and experience. Signed at Seattle, Washington, on /& day of July 2009.
H. William Nelson
Declarant