1

1
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
UNITED STATES DISTRICT COURT WESTERN DISTRICT OF WASHINGTON IN SEATTLE ---------------------------------------------------------LONDI K. LINDELL, Plaintiff, v. CITY OF MERCER ISLAND, et al, Defendants. ) ) ) ) ) ) ) ) )
No. C08-1827JLR
---------------------------------------------------------HEARING ---------------------------------------------------------BEFORE THE HONORABLE JAMES L. ROBART
March 21, 2011
APPEARANCES: For the Plaintiff: Scott Blankenship Rick Goldsworthy Nazik Youssef THE BLANKENSHIP LAW FIRM Stephanie Alexander Suzanne K. Michael Thomas P. Holt MICHAEL & ALEXANDER
For the Defendant:
Barry L. Fanning, RMR, CRR - Official Court Reporter Suite 17205 - 700 Stewart St. - Seattle, WA 98101
2
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 EXHIBITS ADMITTED MIKE KASER EXAMINATION OF RICHARD CONRAD KATIE KNIGHT
EXAMINATION INDEX DIRECT EXAMINATION By Ms. Michael: DIRECT EXAMINATION By Ms. Michael: CROSS-EXAMINATION By Mr. Blankenship: REDIRECT EXAMINATION By Ms. Michael: DIRECT EXAMINATION By Ms. Michael: CROSS-EXAMINATION By Mr. Blankenship: DIRECT EXAMINATION By Ms. Michael: CROSS-EXAMINATION By Mr. Blankenship: DIRECT EXAMINATION By Ms. Michael: CROSS-EXAMINATION By Mr. Blankenship: PAGE 6 9 11 16 17 20 27 48 53 97
JONATHAN YEH
ALAN MUCHMORE
EXHIBIT INDEX PAGE
3
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
THE COURT: THE CLERK:
The clerk will call this matter. Case C08-1827, Londi Lindell versus Counsel, please make your
City of Mercer Island. appearance.
MR. BLANKENSHIP: Ms. Lindell. THE COURT: people at the table? MR. BLANKENSHIP:
Scott Blankenship for
Do you want to introduce the other
Yes.
Nazik Youssef, Allison
Goodman, Londi Lindell and Rick Goldsworthy. MS. MICHAEL: Your Honor, Suzanne Michael for the
defendants, along with Stephanie Alexander and Tom Holt. THE COURT: Thank you. Counsel, we are here on
the defendant's motion to dismiss for spoliation of evidence, found in our docket at 319. I can tell you that
I have had an opportunity at this point to read all of the material that both of you have filed. That would be the
motion filed by the City, and the supporting materials that go with it. And I have reviewed the plaintiff's
opposition to the motion, and the supporting materials that accompany it. As is my usual practice in these matters, I will accept as evidence all of the declarations which have been filed. That would be much more Mr. Holt. I am not sure I
will get all of these.
Mr. Weibling, Ms. Goodwin,
4
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Ms. Youssef, Ms. Lindell and Mr. Goldsworthy. left one back in chambers.
I may have
I will ask you, if we call live witnesses, not to repeat the testimony which is found in the declarations, but to proceed to cross-examination, or if you have additional material that is not in the declaration that you want to present in connection with the motion. that will hopefully speed us up some. The second thing I would like to say is to once again just ask you to remember your decorum. It is really So
not good advocacy, and yet both sides are guilty of it, because you obviously feel very passionately about this. Not everything is a misrepresentation, not everything is incredibly inflammatory, not everything is conclusory, not everything is pure fiction. You know, lying, thieving,
malfeasance, bad faith, particularly when you are talking to me, they don't help you. all of you. They make me to think less of
You can do it, but it just causes me think When you get to a jury, they are
less of all of you.
really going to toast you for it because they don't think adults behave that way. I thought about ways to control that. The best I
came up with was to start a list of banned words and fine you $25 every time you use one of those banned words. at least my tentative list includes: Incredibly And
5
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
inflammatory, conclusory, pure fiction, bad faith. will just not do that.
We
And, frankly, at some point, if
need be, in front of the jury I will sanction both of you for just that kind of behavior. in the courtroom. Having said that, this is the City's motion. Ms. Michael, you are taking the lead? MS. MICHAEL: THE COURT: Yes, your Honor, I am. It doesn't have a place
Please call your first witness. May I ask that witnesses that are
MS. MICHAEL:
going to be testifying be excluded while others are testifying? THE COURT: Yes. Anybody that expects to be a
MS. MICHAEL:
witness, please step outside. MR. BLANKENSHIP: My only concern with that, your
Honor, is these are technical computer issues, and I would like to have Ms. Goodman here just so if something comes up that is new that I don't understand, she would be able to help me respond to it. THE COURT: Do you want to respond to that? Your Honor, we have had about four
MS. MICHAEL:
hours to review all of the materials they filed this morning. So we are already playing on an unlevel playing To have their expert witness
field, I guess I would say.
6
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
get to listen to our expert witness and tailor testimony as a result I think would be unfair. THE COURT: I will permit Ms. Goodman to stay. I
will invite your witness to come in, although he may be called first, which we will get to anyway. That way we
will attempt to have somewhat more of a level playing field. It seems this would be more expedient, if each Your first
side hears what the other says about it. witness is? MS. MICHAEL: THE COURT: Whereupon, RICHARD CONRAD
Mr. Richard Conrad.
Thank you.
called as a witness, having been first duly sworn, was examined and testified as follows: THE CLERK: State your name for the record and
spell your last name. THE WITNESS: MS. MICHAEL: Richard N. Conrad, C-O-N-R-A-D. Your Honor, before I start with
Mr. Conrad, I know the court has allowed Ms. Goodman to stay. May I ask that the other computer tech people -THE COURT: The other tech people are out. Thank you, Judge.
MS. MICHAEL:
DIRECT EXAMINATION By Ms. Michael:
7
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Q.
Would you state your name and spell your last name for
the court reporter? A. Q. A. Q. A. Q. Richard M. Conrad, C-O-N-R-A-D. And what is your address, sir? 4418 77nd Avenue Southeast, Mercer Island, Washington. And what is your job with the City of Mercer Island? I am the city manager of the City of Mercer Island. Was that your position throughout Ms. Londi Lindell's
tenure? A. Q. Yes. I want to discuss the laptop computer that remains in How did she come to get that
Ms. Lindell's possession. laptop, sir? A.
The specific laptop that we have been talking about
was purchased by the City at Ms. Lindell's initiation to be a laptop that she would use in the course of doing business for the City. Q. As I understand, she had a previous laptop, but it
needed to be replaced; is that right? A. That's correct. There was another laptop that she had
sought, and actually I required that she have in connection with some time off that she took in 2005, 2006. Q. In order -MR. BLANKENSHIP: Your Honor, my understanding
was that you didn't want us to be addressing the ownership
8
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
of the laptop at the hearing.
It seems like that is
exactly what we are doing right now. THE COURT: I am assuming this is going to be As I have
some foundation, and then we will cut it off.
said from the start, the question of who owns the laptop isn't in federal court. MS. MICHAEL: Your Honor, we can short circuit it
if Ms. Lindell will acknowledge she has used the laptop for both City purposes as well as information with regard to her lawsuit and her claims. MR. BLANKENSHIP: THE COURT: She has already declared that.
That is in her declaration. Fair enough. Sometimes it has been
MS. MICHAEL: denied. THE COURT:
We don't need those rejoinders.
Let's stay on the facts. MS. MICHAEL: witness -I apologize, your Honor. The next
Mr. Blankenship might have some cross. I don't have anything, if it
MR. BLANKENSHIP:
was about the ownership of the laptop, which is about all I heard. THE COURT: Mr. Conrad, you may step down. The City would call Katie Knight.
MS. MICHAEL:
Your Honor, I have an exhibit to mark. THE COURT: Why don't we wait until we get the
9
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
witness sworn in. Whereupon, KATIE KNIGHT called as a witness, having been first duly sworn, was examined and testified as follows: THE COURT: the clerk? MS. MICHAEL: THE COURT: THE CLERK: I do. You have an exhibit you wish to give
You may approach. Would you state your name for the
record and spell your last name? THE WITNESS: Katie Knight, K-N-I-G-H-T.
DIRECT EXAMINATION By Ms. Michael: Q. A. Ms. Knight, can you tell us your address? 12950 297th Place Northeast, Duvall, Washington,
98019. Q. A. Q. What is your title at the City of Mercer Island? I am the city attorney for Mercer Island. Was there a period of time in 2008 where you came to
have access to Londi Lindell's desktop computer? A. Q. A. Q. Yes. Can you tell us what period of time that was? Approximately mid-February to about mid-April. And what was your purpose in accessing her desktop
10
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
computer? A. There was ongoing concern that Ms. Lindell was
continuing her campaign, so to speak, against the city manager. Q. The need was felt to observe what she was doing.
And in your ability to access the laptop -- I'm sorry,
the desktop computer, what did you discover? A. I learned that she was having frequent conversations She was also
and forwarding e-mails to Pete Mayer.
preparing her case essentially against the City on the desktop computer. Q. Was there anything else about the desktop that caused
you any concern? A. In reviewing the documentation, obviously I was
concerned that she was preparing her mediation and her briefing and structuring what appeared to be a case against the City. there. Q. A. What do you mean by "missing documentation"? She had some files located on it. I think she had a I don't There was also missing documentation on
mediation folder.
And there would be certain --
know if they were shortcuts.
I am not very techie, but
there would be certain shortcuts to a file, where if you clicked onto it, the information would not be located there, even though it indicated it should be there. Q. Did you ever receive any sort of message from the
11
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
desktop when you accessed it, and, if so, what kind of message? A. To the best of my recollection, it was something like
"shortcut not found" or some sort of shortcut to another file. And I believe I determined or learned somehow that
there probably needed to be a CD or a DVD or a flash drive put in to access additional information that might be located with the shortcut. Q. So there was information that had been on the desktop
that you were not able to access; is that right? A. Correct. MS. MICHAEL: you. I have no further questions. Thank
I did want to ask the one question about the exhibit
I marked, which is the e-mail policy. By Ms. Michael: Q. Showing you Exhibit Number 1. As the City Attorney,
can you tell us what employees are told with regard to their right to privacy with regard to City-provided material? A. That they will not have any expectation of privacy in
the use of the City-provided computers, materials and software. MS. MICHAEL: THE COURT: Thank you.
Mr. Blankenship. CROSS-EXAMINATION
12
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
By Mr. Blankenship: Q. A. Q. Good afternoon, Ms. Knight. Hello, Mr. Blankenship. If I understand your testimony, you were basically
secretly going into Ms. Lindell's computer and removing information without notifying her; is that right? A. Q. I was not removing any information. You were searching it without telling her; isn't that
right? A. I was reviewing the work that she was doing on her
City computer, correct. Q. What was your role at this time? Had you become the
City Attorney? A. Q. I was the acting City Attorney. Had you received your $40,000 raise yet for replacing
Bob Sterbank? A. Q. I don't think I ever got a $40,000 raise, counsel. You got a significant raise, though, didn't you? MS. MICHAEL: beyond the scope. MR. BLANKENSHIP: THE COURT: we need to move on. By Mr. Blankenship: Q. You got a significant raise when you went from It goes to credibility. I think I would object, your Honor. It is
I will permit the question.
13
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
assistant attorney to City Attorney, didn't you? A. I got a series of steps over a period of three years.
And I was doing two jobs. Q. Can you give me an approximate about what the change
was in your pay? A. I think as the acting City Attorney I might have been
bumped up $10,000 or so. Q. So were you aware of a time when Mike Bolasina
provided Ms. Lindell with documents in order for her to prepare for her mediation? A. Q. Yes. And you have been -Are you aware that the documents
that were in the mediation file have been produced to you -- to the City? MS. MICHAEL: completely accurate. THE COURT: examination. By Mr. Blankenship: Q. Are you aware that any documents that were saved under We will take that up on redirect Object, your Honor. That is not
a folder that says "mediation" were actually produced through discovery? A. Through discovery? I'm sorry, discovery in the
mediation itself or discovery subsequently after the lawsuit was filed?
14
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Q. A.
In this case. I believe that -I'm not sure I understand what
you're asking.
The documents that were in the body of
what I was reviewing? Q. Right. You referenced a mediation folder. I guess my
questions to you is, are you aware that all the documents that were in the mediation folder were documents that were produced by Ms. Lindell? A. I don't know if I can answer. There were tens of I know
thousands of pieces of paper that were produced. there were some from Ms. Lindell. received -But I think we
Some of them are drafts.
I would say, no, I
don't believe that all of those were produced, frankly. Q. Were you aware that Mike Bolasina told Ms. Lindell to
prepare for the mediation? A. Q. I believe so. He knew I was going through these.
But he also told Ms. Lindell that she should prepare
for the mediation? A. I don't know if he told her that or not. You would
have to ask him. Q. You basically identified this e-mail and internet use
policy document, correct? A. Q. Correct. You would agree that an expectation of privacy -- that
somebody would have an expectation of privacy in a
15
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
computer that they used after their employment ended, wouldn't you? A. It depended on who owned the computer. If it was a
City-owned computer, no. Q. So your personal computer, do you think you have a
right to privacy with respect to it, or should I be free to go through everything on your personal laptop? MS. MICHAEL: afield. THE COURT: I will sustain the objection. It is Object, your Honor. This is far
also argumentative, counsel. By Mr. Blankenship: Q. Isn't it true, though, that you have and you had
access to all of the e-mails that Ms. Lindell sent from her Mercer Island e-mail account, right? A. Q. From everything she had on the desktop. It is not only on the desktop. The City of Mercer
Island has a server, don't they? A. Q. not? A. Q. As far as I understand it, yes. So to the extent there were e-mails that were sent Correct. And the server would keep track of e-mails, would it
from Ms. Lindell's City e-mail, the City would have access to it, correct?
16
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
A. Q.
Correct. And as you sit there, you have no knowledge or
information that Ms. Lindell had any other e-mail accounts that she was using, other than the City e-mail account, do you? A. I believe she was using Bill Hansen's e-mail account.
There were e-mails she sent from the City server to Bill Hansen, which was her home account. And I had received
some from her in the past from that account. Q. Other than Hansen, though, do you agree with
Ms. Lindell's declaration that she wasn't using a personal e-mail account at all until after she was fired? A. I didn't have a chance to review her declaration. MR. BLANKENSHIP: Thank you, Ms. Knight.
REDIRECT EXAMINATION By Ms. Michael: Q. Are you familiar with the Llindell at live dot com
account? A. No. MS. MICHAEL: you. THE COURT: Anything further, Mr. Blankenship? No, your Honor. Thank you. I have no further questions. Thank
MR. BLANKENSHIP: THE COURT:
You may step down. The City would call Mike Kaser.
MS. MICHAEL:
17
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Whereupon, MIKE KASER called as a witness, having been first duly sworn, was examined and testified as follows: THE CLERK: last name. THE WITNESS: Mike Kaser, K-A-S-E-R. Please state your name and spell your
DIRECT EXAMINATION By Ms. Michael: Q. Good afternoon, Mr. Kaser. Would you tell us your
address, please? A. 7030 Carmichael Avenue Southeast, Snoqualmie,
Washington 98065. Q. And what is your position with the City of Mercer
Island? A. Q. I am the information services manager. And how long have you been the information services
manager? A. Q. Since 2006. I am going to short circuit a lot of what you and I
discussed, because the court has ruled that the issue of Ms. Lindell utilizing -- getting the laptop from the City and utilizing it is not going to be part of this hearing. So I will move right into another area. The area I want
to move into is, in your work with the City are there
18
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
occasions where users will have a bug or a virus or some issue with the operation of their computer? A. Q. Yes. What do they do if they have an issue with a virus or What is your role?
a bug or something? A.
Typically we will get the help desk to help them, or
our antivirus system will let us know whether they do or not, if it has detected something. Depending on the issue
specifics, we will either do a simple scan or go grab the computer and do some more troubleshooting to solve the problem. Q. Have you ever in your work operated, because someone
reports a virus or a bug, something like CCleaner, that selectively destroys or removes data? A. Q. No. At the City of Mercer Island, are there ever times
that you do intentionally destroy data on a computer, and, if so, when? A. Yes, there is. Through our standard surplus cycle, as
we replace computers, bring computers in, we completely wipe the hard drives, and/or we send the hard drives off to a Shred-It type company that will destroy the hard drive for us before we deliver the computer to recycling. Q. A. Why do you do that? So no City data leaves the City and falls into someone
19
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
else's hands.
We don't do anything that exciting at the
City of Mercer Island, but kind of standard practice. Q. Why is it you don't selectively remove data from
computers that have viruses or bugs? THE COURT: slow down. breathe. Ms. Michael Q. Mr. Kaser, why is it that at the City of Mercer Counsel, we are going to need you to
You will need to pause periodically to
Island, when you are troubleshooting and trying to find out if there is a virus and whatnot that you do not selectively remove data from a computer with a program such as CCleaner? MR. BLANKENSHIP: Your Honor, I would object to
foundation, that this witness even knows what CCleaner is. There is a presumption to the question. THE COURT: the foundation. By Ms. Michael: Q. Can you describe your knowledge with regard to I will sustain the objection. Lay
products such as CCleaner and what they are designed to do? A. Sure. We are not specifically -- I am not I am familiar
specifically familiar with CCleaner itself.
with a large variety of computer software and things that
20
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
are used to either wipe a computer or clear a cache or how to work with the registry and that type of stuff, just out of general computer knowledge or working in this industry for ten years now. So not CCleaner specifically, but from
what I have read about CCleaner, it is not the only type of software out there like that. Q. And is that the type of software that you have some If not the specific CCleaner
general familiarity with? product, other types? A. Yes.
We don't use anything like CCleaner in our
troubleshooting or wiping of data at the City. Q. And why is it that you don't use anything like
CCleaner or any other data destruction type device? A. Our purpose in getting rid of data is to completely We write zeros to it, meaning there
wipe the hard drive.
is nothing recoverable on it, including the operating system, because we are delivering it off to be recycled. MS. MICHAEL: Thank you. CROSS-EXAMINATION By Mr. Blankenship: Q. A. Q. Hello, Mr. Kaser. Hello. How long have you worked for the City of Mercer I don't have any other questions.
Island?
21
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
A. Q.
About seven years now. And I want to go back to some of your testimony when Do you
you were talking about wiping hard drives. remember that testimony? A. Q. I do.
If I understand your testimony, if you wipe a hard
drive, you cannot recover data from it after that; is that correct? A. Q. In theory. The way that we wipe them, yes.
So you would expect if a hard drive was wiped, that
you wouldn't be able to recover data from it the way you wipe it, right? A. Q. Yes. In the way that we wipe them, yeah.
And what program do you use to wipe computers at
Mercer Island? A. We have used -- it is called DOD Wipe. Essentially it
stands for Department of Defense Wipe.
But it is a
product that's -- I think it was developed by Symantec, and it essentially goes in and writes zeros to the hard drive. Q. Basically it overwrites all of the data on the hard
drive, right? A. Q. It writes zeros to the hard drive. Which would eliminate all of the data in the free
space, correct?
22
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
A.
Essentially it writes zero to every sector on the hard Not just the free space, but all space.
drive. Q.
So you wouldn't be able to recover documents from
Mercer Island on that laptop, for example, right? A. We have not gone through the practice of forensically
trying to rebuild any of these hard drives, so I couldn't conclusively say that. But in theory, yes, you would not
be able to recover any data off of the drive that we wiped with -Q. Is that based on your personal knowledge as you sit
there, and based on your understanding of how things work, once something is wiped, it is not recoverable, correct? A. Q. A. Q. Using the software that we use, yes. And you have never used CCleaner, right? No. About how much of your work entails repairing
computers for people, employees? A. Q. A. Q. Are you looking for a percentage of time? Sure. Roughly, maybe 30 percent. So you don't send out the computers at Mercer Island
to a place like PC Doctor; is that correct? A. Q. A. No. We do all of our work in-house.
Did you ever work with Londi Lindell? Yes.
23
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Q. A. Q.
Did you ever work with her and the laptop? Yes. Do you recall transferring data from one laptop to the
other for her? A. Q. Yes. And do you recall that data including personal
information, such as family things and stuff with her kids? A. I don't really recall all of the contents of that We transfer data from people's old computers to
data.
their new computers in our standard process all the time. Q. You would agree, sir, that it was more than just work There was personal data on there, too, wasn't
data? there? A. Q.
I don't recall exactly what was on there. Does Mercer Island use like a remote desktop program
that allows somebody to log on from home and log into their desktop at work? A. Q. We do. Isn't it true that Ms. Lindell had a desktop at work,
right? A. Q. It is. And that she used the laptop computer to remote access
into the desktop, right? A. I couldn't say that. Normally people who have laptops
24
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
don't remote control their desktops.
It is people who
don't have laptops from home that will remote control their desktops at work. Q. It is your testimony -When I use remote desktop, I Is it your testimony
am actually on my desktop computer.
that Mercer Island doesn't log on remotely to their desktop computer? A. Most of the time people don't have a laptop and a So for those who
desktop; they have one or the other.
don't have a laptop, they will remote control their work desktop from whatever home computer they are using. For
the users that have a laptop, typically it is also their work station, and they have a dock station, which wasn't in this case. I wouldn't recommend to somebody who has a
laptop, per se, to necessarily connect to their desktop at work, because their work laptop may also already have the software that they need or the access to the network that they need. There might not be a reason to connect to the
work desktop also. Q. Wouldn't it make more sense to log into the server?
You would agree that in any case Ms. Lindell would be logging into the server when she was accessing work through her laptop, correct? A. To the first part of your question, I wouldn't say it
would make more sense, because her laptop would be part of
25
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
our network anyway, meaning it is joined to our domain and has access to all of the stuff. All she would need to do
is establish a connection to our network, and then her laptop would behave just as a desktop might. I'm not
quite sure what you mean by connecting to the server. Q. I could be mistaken about how it works. I appreciate
your information on that. Ms. Lindell's laptop? inspect it? A. Q. A. No.
Did you ever search
Did you ever remove data from it or
Were you doing that with her desktop? There may have been a time where we scanned her I don't
workstation, after she left, for anything. recall. Q.
Do you know in this case that there are allegations
that Ms. Lindell wiped her hard drive? A. Q. Yes, I do. And would you expect that she would be able to recover
data from a hard drive that was wiped? A. Using a computer software program like CCleaner, my It
understanding is that it does not wipe the computer.
simply wipes selective things, like your registry, keys that are no longer used, browser cache, that type of stuff. I was not aware that she wiped the computer in,
say, the same sense that I am describing for the City's
26
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
practice of recycling the computers. MR. BLANKENSHIP: MS. MICHAEL: Honor. THE COURT: You may step down. We would call Jonathan Yeh. Thank you, sir.
No additional questions, your
MS. MICHAEL: Whereupon,
JONATHAN YEH called as a witness, having been first duly sworn, was examined and testified as follows: THE CLERK: Will you state your name for the
record and spell your last name, please? THE WITNESS: MS. MICHAEL: Jonathan Yeh, spelled Y-E-H. Your Honor, I have a series of
documents I would like to have marked as either one exhibit or each separately, if the court has a preference. I don't. These are from Mr. Yeh's file with regard to his
communications with the Blankenship Law Firm. THE COURT: documents? MR. BLANKENSHIP: Counsel, are these the Mr. Blankenship, have you seen these
documents that were produced by this witness? MS. MICHAEL: them. They are. They are a selection of
I have all of them, but I will only be asking about
a selection.
27
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
MR. BLANKENSHIP:
If those are the documents, I don't have them with
your Honor, then I have seen them. me. THE COURT: exhibit. MS. MICHAEL: All right.
You may mark them as one
Thank you, your Honor.
I will go
ahead and give Mr. Blankenship --
I ended up with extra
copies, but each one I will be talking about is in there. So there are three copies of each one I have been talking about. DIRECT EXAMINATION By Ms. Michael: Q. A. Mr. Yeh, would you tell us your address, please? Our business address is 157 Yesler Way, Third Floor,
Seattle, Washington 98104. Q. A. Q. A. And what is your profession, sir? I am an attorney. And do you have a special expertise in computer work? The firm specializes in electronic discovery and
computer forensics work. Q. Are you the technical person that gets in and does
that kind of work? A. It depends. Mostly not. We have a computer software
technician and engineers that do most of the actual hands-on work. Depending on staffing issues, sometimes I
28
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
will perform some of the functions. Q. And have you had a chance to review the file in this
case that Blank Law & Technology has on this matter? A. Q. A. Q. A. Q. I have. When was Blank Law & Technology retained? I believe in early November 2010. And by whom were they retained? By the Blankenship Law Firm. Would you look, please, sir, at your Bates number 1 of It appears that you might have been retained
Exhibit A-2.
on or about November 8th by the Blankenship Law Firm; is that correct? A. Q. I believe so, yes. When was it that you came to understand that you were
actually supposed to be the independent third-party forensic examiner the court had ordered? MR. BLANKENSHIP: THE COURT: track what I did. THE WITNESS: I believe that was made aware to me Object to foundation. I think I will be able to
Overruled.
somewhere around just prior to Christmas time via a letter from your firm. By Ms. Michael: Q. And we sent a letter November 15th of 2010, indicating
that we believed you were the independent forensic firm.
29
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
That is not part of Exhibit A-2 because that is not part of your communications with the Blankenship Law Firm. Does that refresh your memory about when you were notified that in fact you were supposed to be the independent expert? A. Sure. I don't have that letter in front of me, but it
is a dated letter. Q. Fair enough. I understand you entered into an
engagement agreement with the Blankenship Law Firm; is that correct? A. Q. Yes. Would you please look at your Bates number 8? That is
an e-mail from you, dated November 8th of 2010.
When you
say, "We will then begin extracting the active files," what were you telling Mr. Goldsworthy? A. Basically, when you have a computer hard drive, there
are files that are sort of, I guess, active versus deleted and fragmented space. So we were extracting just the sort
of active files for processing into a database. Q. Do you typically as a forensic examiner get asked to
extract only the active files? A. It sort of depends on the project. Sometimes yes,
sometimes no. Q. So as a forensic examiner, sometimes somebody will
actually ask you to clone the hard drive and only pull
30
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
active files? A. Q. A. Yes. How often does that happen? It is hard for me to say percentage wise. It does
vary from case to case. Q. Active files are something I personally can pull off
without any special expertise; isn't that right? A. It depends how you mean "pull off." A lot of times But it
people will copy off active files themselves.
changes what we call the metadata on the files a lot of times. Even just pulling off the active files, people
will engage our firm to make sure these things remain intact. Q. But "active files," you don't require any special
software to get the active files, do you? A. Q. A. Q. No. So I could do it at my desktop at work? Yes. At some point, as I understand it, the Blankenship Law
Firm gave you a list of search terms that they had come up with; is that right? A. Q. Yes. And then later on you were given far more search terms
that we did in collaboration with the Blankenship firm? Is that your understanding?
31
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
A. Q.
Yes. I would like to ask you to look, please, at Exhibit -It is an e-mail dated
Bates Stamp 17 of Exhibit A-2. November 9th of 2010.
Down at the bottom you were telling
Mr. Goldsworthy of the Blankenship Law Firm in the second paragraph, "I have been told that there is very little e-mail on the laptop. I don't know if that is relevant or
surprising to you or not, but many of these kinds of matters focus on e-mail, so I thought I would mention it in case it was a surprising fact." A. Q. A. Yes, I do. Do you recall talking with Mr. Goldsworthy about that? I recall writing this e-mail. I do not recall that we Do you see that?
had any additional discussion on that subject. Q. At this point in time had the technician that was
actually searching the Lindell laptop had conversations with you about what he was or was not finding? A. Q. A. Yes. And are they memorialized in writing anywhere? Not other than the sort of general description here in
this e-mail. Q. One surprising fact you are finding is there is very
little e-mail; is that right? A. Q. Sure. Yes.
If you would next look at your Bates number 21,
32
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
please, an e-mail dated November 9th?
And it indicates
that "they," which I assume means the Blankenship firm, and please correct me if I'm wrong, "would like the following tagging buttons." And they list four, which are
"produce, responsive, nonresponsive, privileged slash work product." What does this mean, "tagging buttons," with
those four categories? A. Basically we had been asked to create a database of Once that is up
the files from Ms. Lindell's laptop.
there, the reason you create that database is for the attorneys to review the various documents that are in response to search terms. And once they do, they usually have some sort of tagging function. The online display has these little
buttons so you can say this document is responsive, this document should be produced, and that tells us what to do with the documents later. Q. And so they were going to tag these as produced,
responsive, nonresponsive or privileged? A. Q. A. Q. Yes. To your knowledge, did that occur? I wasn't there, but I believe so. Do you have any way of knowing if the City was
provided with all of those documents? A. All of which documents?
33
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Q.
Produce, nonresponsive, responsive or a privilege log
for the privilege? A. Q. No. I want to ask you to please look at Bates number 27 My copy has a This is an
from the documents that you provided.
slight handwritten note I have covered up.
e-mail down at the bottom, November 10th, to Rick Goldsworthy from you. It indicates, "I notice your review
team has marked some files for production and just wanted to give you a heads up on production time lines." see that? A. Q. Yes, I do. My question is, do you recall discussing what files Do you
they didn't want you to produce? A. No. Our job is just whatever gets marked "produce," I wasn't given any instructions about what
we produce.
specifically was not to be produced. Q. Do you still have records that would establish what
you did produce to the Blankenship firm -- in what format all the documents were produced? A. I believe the database that we set up for them is
still sitting there. Q. Would you please look next, sir, at Bates number 29? Is
It is an e-mail, November 14th, from I guess -Mr. Tsuji a technician?
34
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
A. Q. A.
No, he is another attorney in the firm. Is he another technical person as well? It is a small firm, so we sort of have mixed roles, Mr. Tsuji is sort of the head of the technical
all of us. department. Q.
And Mr. Tsuji indicates he wants to give you an update "Come find me first thing in the morning."
on this case.
Do you remember what his update was on November 14th? A. Q. Not just off the top of my head, no. Do you recall having any discussions at any time with
the Blankenship firm about things that you were either puzzled by, other than the lack of e-mails? Anything that
you were puzzled by or found intriguing or wanted to bring to their attention? A. Q. No. If you would look next, please, at Bates number 45?
Down at the bottom is an e-mail from you to Rick Goldsworthy. You are asking him, "How would you like us We can just turn
to produce the new data set for review?
over a CD with the native files or we can process the files and upload them to your existing database. upload them as a separate subdatabase." And then We can
Mr. Goldsworthy responds, "I think having the documents uploaded to the database would be more expedient and transparent and efficient, especially considering the
35
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
review process we previously engaged in." What exactly did you do for the Blankenship Law Firm on January 5th? A. I believe the reason I sent this e-mail is at this
point it became a little vague as to who was paying our bills for what, and therefore who I needed obtain authorization from for what. So basically I consulted
Mr. Goldsworthy and Mr. Youssef to sort of determine how they wanted to review this new set of files. After I sent this e-mail, I believe I recall sending an e-mail to your firm and you sort of describing the same process, and whether or not you authorized the payment, the cost of this. If I remember correctly, you didn't.
So what we ended up doing was just producing a CD with just the native files, instead of doing the database. Q. Isn't it accurate to say that the Blankenship firm had
access to your database and the City was not offered that? A. The database of the original documents that we had
processed, yes. Q. And if we can look at the next page of that document, It says, "So, for
the same date, the same e-mail.
instance, if you already marked a large number of documents, responsive, nonresponsive or privileged, et cetera, and those identical documents are also in the new set, we can port over the tags to the new subdatabase
36
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
so that you would not have to re-review those documents." What are you telling Mr. Goldsworthy would occur? A. Originally when we had the database and pulled off the
active files, they reviewed them and tagged them however they would have tagged them. of native files -So once we had this new set
Because the search terms, some of them
overlapped, some of them didn't, probably some of these search results from the two sets. If we had uploaded them
into another sub-database, we would have been able to match up which ones they already reviewed and which ones they already tagged, and just sort of copy over those designations to the new database, just to save the time of reviewing those documents again. Q. Again, this is directed only to the Blankenship Law
Firm, the City was not involved in this? A. Q. At this point, no. If you would look next, please, at Bates number 55, an
e-mail from Mr. Goldsworthy to you, dated Monday, January 24th. That states, "I just wanted to follow up
with you regarding when you think you will be able to send us a spreadsheet listing all of the withheld files. you be able to send that over today?" A. Q. Yes. Did you send them a spreadsheet of all of the withheld Will
Do you see that?
files?
37
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
A. Q.
Yes, we did. Does the spreadsheet indicate which ones they had
tagged as responsive, nonresponsive, privileged, or do you recall? A. I believe the spreadsheet was just a straight export
of the metadata fields, and FTK, the program we were using at that point to search the data for those files. point, they weren't in a database. able to tag anything specifically. Q. So what are the "withheld files" you are referencing At that
You wouldn't have been
in this e-mail? A. I believe at this point, when we didn't do the
database for the second time around, we produced all of the files that had been responsive, the native files, just on a CD. And so they then came back and identified a list And we
of files that they just designated as withheld.
found those files, pulled them from the set that was from the CD. And then using FTK, extracted -- produced a
spreadsheet of the metadata of that subset of files. Q. Do you still have the withheld files or are those in
the Blankenship possession? A. They were produced to the Blankenship firm, but we
keep an archive copy. Q. A. You do have an archive copy? Yes.
38
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Q.
If you would look, please, at Bates number 56 of A-2,
an e-mail thread dated January 26th, at the bottom, from you to Mr. Goldsworthy. It starts, "When you confirm that
you are asking me to produce these three files," and you list three files, "the LKL chronology, the Egger's short report," and then something that has some numbers and letters. And you are told up above, "Those are the Do you
correct documents that we want you to produce." see that? A. Q. Yes.
So they had been withheld initially, and then you were
allowed to produce those to us; is that right? A. Q. I believe so, yes. Were you told why those particular ones, out of all
the withheld documents, were allowed to be produced? A. Q. No. If you would look, please, at Exhibit 58 of Exhibit
A-2, a February 25th e-mail thread, from Alex Harmon to you. A. Q. Who is Alex Harmon? He is a computer technician in our firm. And Mr. Harmon indicates, "Under USB storage First of all, what is a USB storage device?
device --" A.
Basically your computer has what are called USB ports.
It is a little slot on the side you can connect various devices to it. So it is like a thumb drive or any of
39
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
these portable data storage devices. Q. So if I wanted to download information from my
computer, I could put in a USB drive, download some information and maybe take it to another computer? A. Q. Or vice versa. Or download information into the computer from the
thumb drive? A. Q. Yes. And did it used to be more prevalent to do CD burning
techniques rather than thumb drives or USB drives? A. I don't know what you mean by "used to be more
prevalent." Q. Have USB drives or thumb drives become more popular in
the last few years? A. I don't know. In my own personal usage, yes. But
other than that, I can't say industry-wide. really have an opinion on that. Q. A. Q.
I don't
Do people sometimes burn information to CDs? Yes. So you can do the same type process, where you take
information off a computer, burn it to a CD, and then you take the CD to another computer? A. Q. Yes. And so that way you have arguably removed obvious
evidence of documents that were on the computer by
40
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
downloading them to either a thumb drive or a CD?
I say
"obvious evidence," to a nonforensic examiner person. A. Sure. Let me make sure I am getting your question.
Are you saying it is obvious when you do that or -Q. For example, if I download a file from my computer to
a thumb drive, then there is no obvious evidence that the file was there because now it has been removed? A. I wouldn't really say that is true. Usually people --
Not usually.
I mean, the process can be, you can copy
things over, you can move things over, you can cut and paste things over. Depending on what method you use, you
will either leave the original copy on your computer as it is, or you will move it off, but at that point usually what the computer does is it just tags that as being deleted, and it is still there, but it is hidden from view. Q. Hidden from view. Right. And so in this e-mail from
Mr. Harmon to you, he is looking at USB storage devices. He indicates, "I found multiple results, including USB thumb drives and iPods." A. Q. Yes, I do. So he is just reporting to you the findings of his Do you see that?
research? A. Q. Yes. And he goes on to say down below, "I identified
41
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
multiple instances that may indicate CD burning activity from February to November of 2010." A. Q. Yes. Did you discuss that with anyone at the Blankenship Do you see that?
firm? A. I sent sort of a condensed version of this e-mail to
both Blankenship, and then eventually to your firm. Q. I see that you sent it to Blankenship's firm on
February 28th, where you are identifying essentially what Mr. Harmon told you. A. Q. A. Yes. I don't see that we are on that e-mail. No. At this point the process that we agreed on is we And that is Bates number 62.
would provide that information first to the Blankenship firm, in the case it revealed anything that was privileged or otherwise -- basically privileged, so that they would have a chance to review it first before we produced it to you. Q. Under "CD burning," you are indicating that you
examined the Windows system event log for evidence of IMAP CD burning events, and identified multiple instances that could indicate burning activity from February to November 2010. A. Q. Yes. Do you have any reason to believe the fellow that told Do you see that?
42
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
you that was the case was inaccurate? A. Q. No. If you would look, please, at number 59. This is
dated March 1st, the date that we got the third and final CD from your office. A. Q. I do. And on this one, again, from Mr. Goldsworthy to It indicates they have removed the information Do you remember that?
Mr. Yeh.
that you sent to them, and they would like you to now produce the following documents and files from Ms. Lindell's laptop computer that were previously withheld by Ms. Lindell. several files numbers. A. Q. Yes. Did they tell you why they were authorizing you to And then there is a listing of
Do you see that?
release that group of files from the withheld files? A. Q. No. Again, it is not your concern what they are
withholding and why; is that right? A. Q. Yes. At this point in time, on March 1st, did you perceive
that you were the independent forensic examiner retained by the court, or did you perceive that you were an expert hired by the plaintiff? A. At this point we believed we were sort of a neutral
43
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
party that was basically subject to instruction from both sides. Q. Although you would check with the other side if we
made a request, correct? A. Q. Yes. And in the past, if the Blankenship firm had made a
request, you didn't check with us, did you? A. Q. That would be before your letter. Is this the first time that you have been in a
situation where you were first retained by a party, and then put in the spot where you perceive yourself as neutral, or do you do that on other occasions? A. It has happened before. It is not that common, but
yes, it has happened before. Q. And do you see any issues with ethical -Never mind. Strike
that.
I have just a couple more of these documents to ask you about, and then a few follow up questions and I will be finished, Mr. Yeh. These seem to be a bit out of order, but this is the Bates number order I got. This is Bates number 78, an
e-mail from Mr. Goldsworthy to you, dated January 21st. It states, "Attached are two lists containing the files we are withholding from defendants. The only two files that
are not on the attached lists that we also want to exclude
44
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
are the two I reviewed yesterday and I asked you to pull." And there are two files listed. files as well. "Please withhold those
Also, please generate an Excel spreadsheet
of the withheld files, including the file names and paths, and produce the rest of the files to the City." see that? A. Q. A. Q. Yes. And did you do as they instructed? Yes. And if you would look at number 79, an e-mail thread It Do you
from Mr. Goldsworthy to you, Tuesday, January 18th.
says, "I am attaching five separate documents containing separate lists of files we have reviewed from plaintiff's laptop computer that should not," underscore not, "be produced to defendant City at this time. The attached
lists contain approximately 339 files we wish to exclude from production. Once you have excluded these files,
please produce the balance of the 'produced' files to the defendant." A. Q. Yes. Do you know why they were withholding some of the, Do you see that?
quote, "produced files" from the defendant? A. Q. No, nothing was explained to me. I would like to ask you about one of these
spreadsheets that was provided that Mr. Muchmore will talk
45
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
a bit more about.
I have copies. Your Honor, may I have a document
MS. MICHAEL: marked? THE COURT: THE CLERK: By Ms. Michael: Q. A. Q.
Yes. A-3.
You may approach.
Do you have A-3 in front of you, sir? Yes, I do. I would like you to look at the section I am about to
highlight from the screen, "French art presentation 66923." A. Q. Yes. That number is 66926 in the log that we were given. Do you see that?
Do you know why that would be -- why the numbers would be out of sequence like that? A. Q. Which set of documents is this? This is from the Lindell laptop native production.
And Mr. Muchmore will have testimony about this as well. I am wondering if you know why there is a gap in the numbering. A. Q. I'm sorry. You bet. Can you tell me again what you are asking?
The one that I have highlighted that says
"French art presentation," and then it has the number 669226 -- I'm sorry, the number is 669223 on your document. On the spreadsheet that we have got, the number
46
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
is 66926 (sic). A. I don't.
Do you know why that would be?
The number itself is something that is added They should
by FTK.
It is not in the original file.
match up between the spreadsheet that goes with this list of files and the file name here. Q. And if they don't, what are the explanations for why
they don't match up? A. It could be a lot of different things, particularly Prior to the production, I don't know if you
with this particular production.
we had a software crash internally. recall my mentioning that to you. having to reindex the drive.
And so we did end up
And so when we pulled some
of the things out, the original numbers might have been changed. I don't know if that applies to this situation.
Other explanations for why sometimes the numbers differ, sometimes there are different fragments of the same document that might have the same file name but have different numbers. Again, as to this particular file,
whether either of those explanations apply or not, I can't tell you just right off the top of my head. Q. Can you confirm that 669223 represents the forensic
toolkit ID number; is that right? A. Q. Yes. We found, and Mr. Muchmore will talk about this, the
numbers after approximately 520,000 do not match the
47
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
produced slash privilege log and the file listing.
Other
than the fact that you had an issue with your hard drive or something, why would that be? A. I really can't speculate without looking at what is
going on. Q. There are documents in the production and privilege
log that Mr. Muchmore will address that do not appear on the file listing. A. Q. Why would that be?
There are documents here in the production -In the production that we have received and the Why
privilege log that do not appear on the file listing. would that be? A.
Again, without being able to compare the two, I can't
explain that right now. Q. What do shortcut files tell a forensic examiner such
as yourself? A. It depends. For instance -It depends on where they
are located, it depends on what they are a shortcut to. Q. What kinds of information can you obtain as a forensic
examiner from shortcut files? A. Well, basically that the document at some point was Whatever the destination of that
linked to that shortcut.
shortcut link is, was at some point accessed using this computer. Q. And let me know if I get over your head in any way
48
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
here. A. Q. A.
Can you not tell when a document was created?
I don't believe so. Can you tell when it was accessed? Again, I think you are a little beyond what I would be
qualified to testify on. Q. A. So this is beyond your scope of expertise? Yes. MS. MICHAEL: Your Honor, I don't think I have Thank you.
anything else for Mr. Yeh at this time. CROSS-EXAMINATION By Mr. Blankenship: Q. Good afternoon.
I want to just ask you about this
database and see if I can clear up what the database is for. Why in the first instance -What would be the
reason for creating a database for online access? A. It just simplifies the review process. There are all
sorts of reasons you would create a database. Q. Is it fair to say it would make the search more
efficient and the ability to go through the documents easier? A. Q. The documents that you have, yes, in the database. And did you understand that part of what you were
charged to do by the court was to work with my office to make certain that we didn't produce privileged documents and privileged files?
49
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
A. Q.
At what point are you talking about? I am talking about once you became an independent
forensic examiner. A. Yes. Part of our role is to help you identify what is
privileged and what should and should not be produced for that reason. Q. At any point, did anyone from my office ask you to
improperly withhold something or express concerns to you about anything relating to your job or what you did? MS. MICHAEL: THE COURT: Object to the form, your Honor.
Overruled. To whether or not anything was I was just told to
THE WITNESS:
withheld improperly, I can't tell you.
withhold a certain set of documents based on ID numbers, and based on file names, and we did. Mr. Blankenship: Q. Is it fair to say you weren't involved in the
decision-making as to whether something was privileged or not privileged? A. Q. No, we weren't involved. I want to go to the issue of e-mail. And there was Do you
some testimony about not seeing a lot of e-mail.
remember that testimony or the e-mail that reflected that? A. Q. Yes, I do. Isn't it true that, unless you have Outlook or Outlook
50
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Express, web-based e-mail wouldn't be captured or downloaded on the computer? A. Q. That is true. If, for example, Ms. Lindell had used Hotmail, and she
just used it on the web, would you expect or not expect to find her e-mails on the computer? A. Normally you would not expect to find that much Sometimes you will find little bits and pieces As a whole -I guess in my previous
e-mail.
here and there.
e-mail when I said it was surprising, I mean, it is just that there wasn't e-mail on there. the fact whether she used Outlook. sort of behavior she engaged in. Q. At any point did someone say, hey, here is what this It didn't account for I wasn't aware of any
case is about, here is what the issues are, here is what we expect to be on the e-mail, or did we basically ask you to mine information from the computer? A. Basically we were asked to pull off certain kinds of
files, and then search them. Q. And if I understand your testimony, there was only one
database, right? A. Q. Yes. But whatever you would have put in a database the
second time, which would have made things more efficient, you produced in the CD-ROM, correct?
51
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
A.
I may have misspoke just now.
There were in fact two
databases. platform.
There is only one via Relativity, the online The other is an FTK database that is in a There are
separate, more forensically-geared software. two databases.
The first one we did for your firm was in And this had the online
a product called Relativity. functionality. Q. So if there weren't --
If I understand what you are
saying, you had your own internal database, and then when we hired you to make sure that we had located all the active files on the computer, you made a database so we could quickly and efficiently find things that were responsive and privileged, and not have to open and close each one of them with special software? say? A. Q. Yes. Since there wasn't a third database, you know, with Is that fair to
respect to the documents that you were doing the broader search that involved the City, there were no tags because there was no third database, correct? A. I guess the second database I was talking about, the
one in the FTK software, that is the one we used to do the searches for the City's requests after the 15th or whatever. So in that database -That software does not Well, it does, but it
have that kind of functionality.
52
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
wasn't utilized. Q. I know that earlier you testified that anybody could I kind of want
get on a computer and find active files. to understand.
When you said that, do you mean without Is that what you mean?
any type of forensic software? A. I believe so.
You have files on your computer on your
desktop that you can click to them and copy them to anything you want to. You obviously don't need any I mean, Windows has a
special forensic software for that.
search tool that you can click on and ask for it to find files under certain terms. but it is possible to find. Q. You have to know, though, that it is there and how to It is slow and it is clunky,
use it, correct? A. Q. Yes. And just to let you know, you found stuff that we I mean, we did our best. I don't have any further
hadn't found.
MR. BLANKENSHIP: questions. Thank you.
MS. MICHAEL: Honor. THE COURT:
I have no further questions, your
You may step down. We would call Alan Muchmore as our
MS. MICHAEL: next witness. Whereupon,
53
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
ALAN MUCHMORE called as a witness, having been first duly sworn, was examined and testified as follows: MS. MICHAEL: set up his laptop? THE COURT: May Mr. Muchmore have a moment to
He has a PowerPoint presentation. Yes. Is there a place for me to plug
THE WITNESS: this in?
Would it be possible for me to testify from
another location? THE COURT: manipulate it. MS. MICHAEL: paralegal, your Honor? THE COURT: Counsel, we are running long. I If I can just take a moment with my You will have to be able to manually
expect this witness is going to be here for a while. While you sort through this, we will take a break. will be in recess. (At this time a short break was taken.) THE COURT: You may proceed. Thank you, your Honor. We
MS. MICHAEL:
DIRECT EXAMINATION By Ms. Michael: Q. Mr. Muchmore, would you state your address for the
record? A. 5518 17th Avenue Northeast, Seattle, Washington 98105.
54
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Q.
Would you please tell us about your background and
credentials? A. I have been working in the field of computers and IT At the time, it would
since about 1986, professionally.
be summer jobs or jobs while I was in school, until I got out. And then I worked in the IT department in Houston.
And in 1991, I moved to Austria to write antivirus software in the emerging field of antivirus. When I came
back and went to law school, I again worked in IT during the summers and during the school year for extra money. When I came to Seattle, I started working for law firms. So starting in about the year 2000, I formed Muchmore Consulting, where I began working for a number of different law firms, that for my business included providing IT support, networks, but also at that time helping them with their cases when they touched upon computer issues, performing forensic evaluations. And
then starting about six years ago, I started working as an expert witness. Q. And in the materials we received today, the
plaintiff's expert, I believe her last name is Goodman, indicated that you have referred work to her. Do you
recall referring work to her, and, if so, can you tell us the circumstances? A. There have been circumstances where we have referred
55
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
work to each other.
I can think of two circumstances in
which there were drives or computers that needed to be analyzed in a very timely fashion that just fell right when I was on vacation, and I asked her to help with those. I can think of a couple of other instances,
including one very recently, in which the attorney asking for an expert was very close to me and decided that I would not work well as an independent expert. referred that to her. So I
There have also been instances
recently in which there were items, say, extracting e-mails from a server, that Alice has referred to me. Q. Do you think she is more or less qualified than you in
the field of forensic examination of computers? A. The work together -We worked together in one And
particular case in which she analyzed drives.
everything -- my work with her has indicated she is completely competent and knowledgeable enough to be a forensic examiner. But I wouldn't have any knowledge that
would say she is more or less so than I. Q. Thank you. Your resume is already in front of the I
court, so I don't want to go into any more detail. would like to ask you -presentation. does? A. Certainly.
And I know you have a PowerPoint
Can we talk about CCleaner and what it
When I first noticed the CCleaner software
56
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
on this machine it caught my eye because I had heard of, but I was not particularly familiar with it. So, of
course, one of the first items that I did is go to their website and read about how they describe the software. The company that creates it is called Piriform. Q. Before we go any further -I don't mean to interrupt
you, but let me ask you this: your attention --
How did it come to
I think I left out a little Would you describe the three
foundational information.
disks that you got and how you ultimately came to realize that CCleaner had been used? A. Of course. So the initial two CDs that were received
from the Blank Law Firm contained individual documents that had been -- or other files that had been exported from their forensic toolkit software. initial two. So those were the
But then the third CD, that I believe was
March 1st, included what I understood to be a complete file listing of all the different objects in their forensic toolkit database, which represents what it found. Now, that listing did not include the contents of the files or the contents of anything, just the metadata about the files. We were also provided with the registry information from that computer. The registry is the database that It lists the color
Windows maintains that lists settings.
57
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
of your background, it lists the positions of your icons, but also individual software programs that run on it, not by Microsoft, but Adobe Acrobat, or in this case, CCleaner, can actually store their settings in that registry. Q. So it wasn't until March 1st that you were provided
any information that gave you the knowledge that CCleaner had been utilized; is that right? A. Q. No. Yes. Excuse me. That is right, I had not.
Let's talk first, and use your PowerPoint as you need
to to discuss CCleaner, what it does and why it was of concern to you? A. What I determined about CCleaner was first by looking
at their website and how the software company described the software. I also read some third-party reviews. And
then I conducted a number of tests where I actually ran CCleaner on a test computer to see how it behaved. As the
company describes it, it is a free program designed to -they mention to protect your privacy by removing information from the computer. information is what it does. MR. BLANKENSHIP: And basically removing
It is all that it does.
Your Honor, are we going to go This is all in his
over old ground with the witness?
declaration about what CCleaner is, how it works. THE COURT: I think on both of these witnesses I
58
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
would like to hear the whole story. MR. BLANKENSHIP: THE WITNESS: Okay. Sounds good.
So three of the items that caught
my attention are the ones that are discussed in this case, and we will discuss more, are the first items where it removes the shortcut files. By Ms. Michael: Q. A. Q. it. A. Shortcut files -I will discuss that more in just a And why is that important? The shortcut files -I am going out of order. Just tell me how you get to
moment.
But basically those can include information about
when documents were accessed and where they were accessed from, and also information about documents no longer on the computer. It also, "it" being CCleaner, removes the
internet cache files that has information about websites that someone on the computer has visited, and usually the contents of those websites. Q. For example, if I wanted to research how to -- what a
forensic examination of a computer means, and then used CCleaner, would there be evidence that I had in fact done that research? A. Before running CCleaner, there is a great likelihood
that the evidence of which sites you visited you could
59
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
read about and the contents on there.
After CCleaner --
As I said, the purpose of CCleaner is to remove information of that type. So web mail, such as use of
Hotmail or Yahoo Messages, where a person reads the e-mail through a web browser as opposed downloading in a program like Outlook or Outlook Express, the temporary internet files are usually the primary source of information about usage of that e-mail or what e-mails were accessed. Q. So all of the Llindell at live dot com e-mails, if
CCleaner was used, what happens to those? A. I'll have a more detailed description of that in just The third option that we have discussed is that
a moment.
it has the option to wipe information about files that have already been deleted from the free space of a computer. that also. So the first item is the shortcut files. So basically And I will show some more information about
what a shortcut file is, as Mr. Yeh testified, it is just a file in the background that has a dot LNK. never see that. You usually
It just refers to another file on the
computer or a file that was accessed from that computer. It shows -- I think I just mentioned this, it can show to a forensic examiner documents that had been on the computer, but no longer are on the computer. It can show
oftentimes documents that were accessed from a USB drive
60
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
or a CD drive, and instances, including times and dates, about when a document that is still on the computer might have been actually accessed that would otherwise be lost. Each case is different, each examination is different, but there have been examinations in which the shortcut files that I am referring to were the primary piece of evidence that was useful in conducting time lines about documents and what was added when. Just to show what these shortcut files are, why they are there: They are not in Windows, as far as I know, to That is just a side benefit.
assist a forensic examiner.
So on this particular test computer, I just created a Word document. At the very top you can see that I actually This is another Word document, and So if you would advance? In the folder,
called the document -wrote that in the body.
I am logged on in this case as User1.
"My Documents," which is just a predefined folder that Windows sets up as a convenient place to put documents, I have saved the Word document. document. And this is another Word
And you can see it has information about when So
these files were created and when they were modified.
the first document was both created and modified at 7:36. This is another document created at 7:37, and last saved -- modified at 7:38. Now, if you click the start button, which is missing
61
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
off of this screen, by default Windows XP has a little section here that says "My Recent Documents." And if you
click on that, then you can see these two documents. In this case it is a pristine test computer that I had just loaded Windows on. here. So there were no other documents
But you can see these two particular documents that And this is the reason that the Again, it is not to assist me as
I had opened up in Word. shortcut files are here.
an examiner, as far as I know, but to allow the user to see what documents. So, say, you had -- say, both
documents weren't just in the "My Documents" folder, say they were in different locations or different areas, it can kind of nicely put all in one location where those documents are so that someone can go back and pull them up again. In this case, I held down the shift button and pressed delete to delete the document. And the significance of
the shift button is it bypasses the recycle bin, so it actually deletes it. At that point the document has been,
in the parlance I would use, deleted from the computer. There are no normal means that just a normal user without using specialized software could use to get that document back. But when I click the start button you can see that that reference to "this is another Word document" is still
62
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
there.
The shortcut file that provided that documentation
about the recently used documents did not go away when I deleted the document. Now, this folder is a little different. folder that is normally hidden from the user. It is a But you can
see that it is referring to User1, which is the person that -- the user name that I was logged in as. went to the hidden folder of "recent." it shows the shortcut file. document. It also shows the date -- not the date the document was created or the date that the document was modified, but the shortcut file itself. So, unfortunately, in this But And then I
And in this case,
This is another Word
example they mirror what was there for the document.
say I created the document yesterday, and then I opened the document today, the shortcut file might have information about it. Now, you can see here that the little icon has this little arrow. It is showing Windows as hiding the dot LNK
extension, but you can see from this little arrow that this is not a Word document, it is one of these LNK files. Go ahead. When I clicked "file" in the properties
option, we can see some of the data that is contained inside this recent document file. target. And that data is this
It is cut off at the end here, but you can see
63
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
that the "My Documents" folder is where that file originally was located. So even though we are looking at
a shortcut file that is in this "Recent" folder, the original Word document was located in my documents. that is a piece of information we can tell. If that document of the same name had been located on a USB drive or a CD drive, there likely would be other shortcut files there that would indicate that that same document of the same name was located in those other places. So when we are doing a forensic examination, I don't click on these one by one, but we have software that can basically find all of these files, and in some cases it is going to be hundreds or thousands, and just very automatically create a spreadsheet that tells all these documents -- dates that they were created, modified, accessed and also the locations. Again, as I was saying, So
in some cases I have been able to create a time line based almost exclusively on these shortcut files. As I just alluded to, generally what I will find is -on a computer that has been continually in service for four or five years, I will generally find hundreds of these files. There will be more of these for the recent
weeks or months, but they will usually go back to the beginning of the computer usage.
64
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
I actually just tested this over the weekend.
I
logged on to a number of my clients' computers, found some that were several years old, and confirmed my recollection that there were cases where I found 800, 900 different shortcut files. In this case, I started up the CCleaner software on this test computer. And you can see on the left the
CCleaner software actually shows the different options that by default are checked. little bit more. documents. And I will go over this a
One of the items is the recent
That is checked by default. So the actual When I It shows
So I clicked on the button here.
starting of the program did not clean anything. start the program, it just shows these settings.
what the options are, but it is actually when you click this "run cleaner" button that it actually starts removing information off and it pops up this little warning box warning you this process will permanently delete files from your system. So in this case, there wasn't very much information on this machine, but the circled area I have shows under "Recent Documents" there were two files, and that those were removed. Q. A. The two files you had created that day? Excuse me. The recent documents referring to those
65
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
two files.
So one of those documents was deleted, one of
those documents was still on the hard drive, but those shortcut links to refer to them were gone. And this is
the same folder we were looking at before, and those two shortcut files were gone. So this is a spreadsheet that includes information from the file listing that was provided from the Lindell laptop. What I had done is asked for -I think, as was
alluded to, there were over 700,000 different lines on this spreadsheet. So to find information I would need to
run queries that would allow me to draw up the pertinent information. So what I asked for in this case was link files that were in a folder called "Recent" in the Lindell profile. What I found were about 254 different shortcut files. What I noticed was the earliest of these shortcut files was created on August 23rd, which I had previously found, and stated in my declaration, that I had found evidence that CCleaner program had been run on August 21st. When I say "the program had been run," at that point in my analysis I could tell from the registry, and I will get into this more, that someone had brought up the CCleaner program. Initially I couldn't tell that anyone But to me, the fact that
had pressed the button to clean.
66
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
abruptly these link files that are 250 and roughly two and a half months of use, and they abruptly end just within two days of running that software, suggests that CCleaner or another program of the same functionality had been run at that time. Q. And so there were no link files that predate 8/21 of
2010 or 8/23 of 2010 on the laptop; is that right? A. Well, link files, as we said, are used for other They are used to show the programs in your But there were not any located in the
purposes.
start menus.
Lindell profile under these recent folders, which indicated to me that they had been cleaned. So this is just the bottom part of the spreadsheet showing many of the lines were skipped. goes down to 253. But it actually It just
The two is cut off there.
shows in that short period of time there was a great deal of information generated about documents that were accessed on the computer. But, again, all of that
information prior to that date -Q. A. August 23rd? August 23rd, exactly. So moving on to the next point that I mentioned about CCleaner, which is the temporary internet net files. as you are using your web browser -So
By default most web
browsers, including Internet Explorer, which is built into
67
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Windows, actually store a copy of most of the information that is downloaded over the internet. Again, the purpose of this is not to assist the forensic examiner; the purpose is to speed up your access to a web page. In most cases accessing information over
the internet can be hundreds of times slower than off the hard drive. So when you go to Hotmail and it shows you
graphics and information, it downloads those once, and then saves that information in this cache file. So this information for use of the forensic examiner does show information about what websites you visited. And there is other information that helps with that. It
shows information about the contents of the web pages that you visited. So, again, in some cases -Whereas, in some cases
the shortcut files were the primary piece of evidence, there have been cases I have been involved in in which these temporary internet cache contains a picture of what websites were visited or what e-mails were visited that was the primary piece of information. So in this case, as you discussed with Mr. Yeh, there did not seem to be many e-mails stored on the computer in a program such as Outlook or Outlook Express. After talking with you, our understanding was that the web mail was the primary source for the plaintiff to
68
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
access e-mail.
So in that case, we did turn our attention
to what might be showed by these temporary internet files. And, again, we found that they were discontinued. will discuss that more. Q. So the Llindell at live dot com, that would be a But I
web-based e-mail? A. Q. A. That is my understanding. And it would be in the temporary internet files? Well, information -Think of the temporary internet
files as just a snapshot of what you are seeing on the screen. So live mail dot com or Hotmail dot com might
have thousands of messages there, but each time you look at either a directory listing of e-mails or an individual e-mail, then it is just taking -- think of it as a snapshot or a picture in time of what you saw on the screen. So if there is a thousand e-mails there, and you
have browsed through 30 of them recently, those 30 e-mails would be, most likely, snapshots of those on the computer. So it can store the messages, the contents. It very often also includes the attachments to files, because if you double click on the attachment to a file to open it up, say, in Word, it has to download it first, store it on your hard drive, and then open it up. will usually keep that information. So I created just for illustration purposes a Hotmail So it
69
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
account. dot com.
I logged in.
It was AH Muchmore at Hotmail There
And then I sent myself 2 e-mail messages.
was a third e-mail message that was already there that was a nice little welcome. So I opened those -I didn't get screenshots, but I And
opened those e-mails and viewed them on the screen.
in doing so, when I went to look at the temporary internet files, I found that just that activity had created 138 different files. Now, most of these files didn't contain
any words or text from it, but some of them did. The place these were located, again, you can see these are stored in the user profile for User1. So all of this
activity that is being stored is being stored in my User1 profile and in folders underneath. You can see the
folders are local settings, temporary internet files, the content IE5, IE standing for Internet Explorer, and then there is a folder that has sort of an eight-character pseudo random number. So this is a snippet of these
files; not a complete listing, but just shows what they look like. This is a little harder to read. But this is a
snippet of the temporary internet files from the Lindell laptop. Again, what I -- the method I used to extract
these was to look for files that were in a folder under Llindell, and also under a folder that had temporary
70
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
internet files. Q. If I could interrupt you now. I wanted to ask you
about Exhibits 2 and 3 to Ms. Goodman's declaration. Would this be an appropriate time? A. Let me finish the one note. It shows here creation
dates and modify dates.
It shows that this folder,
temporary internet files, was created in 2006, which was probably around the time the laptop was put in service. But it also shows that some of these were recreated on August 21st, which to me, in the tests I ran, was consistent with the operation of CCleaner. When I ran it on my test computer I found that some of these same files were dated at the time. Not that
CCleaner actually popped up on the screen to look at the options that I showed you, but when the actual button to run the CCleaner program and remove files was run. And then I noticed that it was down on -- basically a little bit on the 28th, but on August 31st and later we started seeing a rather complete listing of these temporary internet files. That suggested to me that web
browsing was taken up in earnest on this computer again starting at that date, August 31st, and appeared to continue until the computer was turned over to Blank. Q. Is this a good time for the Goodman declaration? THE WITNESS: Yes.
71
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
MS. MICHAEL: marked? THE COURT: By Ms. Michael: Q.
Your Honor, may I have exhibits
Yes.
Which page would you like to start with, Mr. Muchmore,
of Exhibit 2? A. I think the page marked 3 of 4. MS. MICHAEL: the court. I think I need to hand a copy up to
May I approach? What is it? This is Exhibits 2 and 3 to
THE COURT:
MS. MICHAEL:
Ms. Goodman's declaration, filed this morning. THE COURT: By Ms. Michael: Q. A. All right. Mr. Muchmore. I have it. Thank you.
The page that I have shows 19 of 22 and Page 3 of 4.
Basically it shows a folder listing from a Hotmail account. As I said, this isn't most likely a folder
listing of the account as it exists now, but a snapshot in time of the moment it was viewed. It shows the dates of August 2009, and then August 25th, and yesterday, and then another day, which suggests to me that it was probably viewed in August of 2009. So you can see here, if you go down about ten items, I
72
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
just picked a random item, there is one that says it was from TicketMaster, and your ticket order, and gives a ticket order. And then there are several orders before
and after that, other messages. Now, two pages later, maybe three pages later, there is a snapshot of this same Hotmail account, which I understand was just taken a few days ago. those messages is highlighted. And one of
But what I noticed is
several of these other messages that were on the previous page I showed you are also on this page. And that
basically means that they were not deleted. What I was able to -- at least it appeared, it is not a very rigorous analysis, but this seems to show that there was an e-mail from TicketMaster that existed in that e-mail box in August of 2009, that does not now. Q. And this is in the B. Hansen e-mail account; is that
right? A. Correct. So there is no reason -I am not
suggesting that deletion is relevant to this case, but I just think that is a good illustration of the way that we can use this, that is, can be a way to find out if there was an e-mail that someone forgot about or who knows what that had been deleted from that account, is no longer there. But it is important evidence that can be found
that indicates that file -- that message was there once.
73
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
So what happened is, since these temporary internet files had been cleaned off of this machine, we lost potentially a tremendous amount of information about which items had been in that e-mail address and were no longer there. So the third point goes to kind of a description. You
have heard of descriptions of deleted files, wiped files, free space and such. What I am trying to do here is just
give a little bit of information about what this all means. Basically what you are looking at is a simplified version of a hard drive. or 45 record. It is just a platter, like an LP
And the information is actually on that A hard drive could
disk, and it has a hole in the middle.
hold billions, dozens of billions, and modern drives trillions of pieces of information. That is too much even So the
for a modern computer to deal with individually. information is gathered together into sectors and
clusters, which are units of data, in which a file might be stored. So in this case, I think I have 32 different
sectors of data, and that is each of these items, each of these little blocks. So in this case, a Word document might be in this block. The Word document itself might only occupy half of Windows will still
it, and the rest of it is extra.
74
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
allocate this whole block to the Word document so it doesn't have to keep track of too much information. So here the dark blocks indicate areas that have files on it, the light blocks are empty or free space. This black box, and I am simplifying a little bit, but basically this one box is containing the information about all the files stored on the computer. table. So this is our file
I am mimicking the "My Documents" folder that I There was a hidden file This is
showed you a few slides ago.
called "desktop" and then "Word document." another Word document.
Basically what is contained here is the titles of the documents that are on the machine. And that is where the
information about the create date and modified date is stored. It also is pointing to the location on the drive
where the contents are stored. This black box that I told you about that has this listing, it doesn't have the contents of any Word documents. It doesn't have the contents of any web caches All it does is tell that
or the target or link files.
information about where the computer can find it. Just as I illustrate here, the contents of the Word document are in that little yellow box. So what happens when I deleted an item, it didn't remove any of this information that we are looking at
75
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
right now.
It just drew a little virtual line through
that listing, which told Windows that, first, that document is now designated deleted, and, second, that yellow spot which was dark and actually used is now a light spot that is available for wiping. So if I deleted my file, and then at the moment I deleted it I yanked the power cord out and didn't do anything else, that is probably fully recoverable. The
information about when it is created, when it is modified and the title is probably recoverable, and the free space, just because it hadn't had the opportunity to override it. But then what starts to happen is, as you use your computer, even if you don't create a document or save it, Windows will start to create files in the background, temporary internet files, shortcuts, log files, other information. It is just going to pick a place to store And the next one that is created Or it
the file information. might overwrite.
This is another Word document.
might overwrite a different one.
Likewise, it might
overwrite this area of the hard drive or it might overwrite this area. There are no certainties about which There is just -We know that
ones will be overwritten.
they will be overwritten, and the more you use the computer, the more activity there is, the more this information is going to be overwritten.
76
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
So what we were discussing in wiping free space is not the same type of free space wiping or the same type of wiping operation that was discussed by Mr. Kaser for wiping those hard drives. So that is, if you want a hard
drive, and have absolutely nothing else, you need a relatively unsophisticated program to just write zeros over the whole hard drive. As far as I can tell, what is a little more -- what is a little more tricky for software is to have a program that just overwrites the free space without overwriting the other information. When the free space option is checked, what the CCleaner purports to do -I have not tested -I have
tested the operation of some cleaning software, but I did not do this one. What it purports to do is actually go in So,
and just take the contents of all these files.
whereas, if the wipe free space had not been run, I would definitely expect, after a bit of time, much of it, most of it, some amount of it would have been overwritten. The
wipe free space just takes it a step further and says all of it is going to be overwritten. is designed to work. Q. We will talk about the two purposes of CCleaner, the At least that is how it
regular options, and then the wipe free space very shortly. What is next?
77
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
A.
This section just goes more to what I found, both in
the way the CCleaner operates and what I found on the computer. So basically it is software that can be easily
downloaded, displays these options and we will see how it is used. What I did was actually -onto this computer. I actually downloaded it
I didn't download the newest version,
I downloaded what appeared to be the version that was on the laptop at the time that it was turned over to Blank. I actually ran some of the other versions just to test it out, but this is version 2.33.1184. And when you first
run it, what it shows you is, as I mentioned before, the information that it is proposing to clean. the Windows options. And these are
Some of these are checked.
And I believe the next slide shows some other applications. It can remove information regarding
Microsoft Office, such as Word or Excel, and other information from Yahoo, Adobe, etcetera. Now, what has happened when we have installed this software is -I am showing you something that people
would normally never see when using their computer; and that is the registry. And this is using the registry
editor, which is just a program that is built into Windows. And as I was saying, the registry is a database of
78
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
information just about the computer, the setup, the way programs run and operate. Typically it doesn't store
content or data, but just information about the program. And what happened on my computer is it created this CCleaner section in software, which is generally -- that section is reserved for -- not Windows to write to, but a program to write to about itself. Q. And that's how you could tell that CCleaner was used
on Ms. Lindell's computer; is that right? A. That's how I could tell it was installed. That was in the machine section, which is common to all users. And then in this section there is an area called H key current user. The way that is designed, starting with
Windows XP, for different people to log onto a computer using a different account. admin. In this case I had User1 or
But you can see different wallpaper, you can have
different Outlook e-mail, you can have different settings. And that is -You can also -If you go to the "My That
Documents" folder, you can see different documents.
is accomplished by having these different user profiles. The heart of this is having this section of the registry that shows current user. Any settings here apply
to that user, but not the other users on the computer. Q. Are you talking about the use of CCleaner only
79
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
applying to the user profile? A. Well, I am mentioning that this folder for Piriform,
and the one under it for CCleaner, this is generated under this user profile. The other user on this computer did What we can use this for is
not contain any information.
to tell some information about what user -- the person that was logged into the computer, when they were running the CCleaner software. So in this case, before I had even run -- when I first run it, before I had done anything with it, it shows me the language I selected, the installation, which is 1033, which is the Windows code for English. update key information. It shows this
In my testing I wasn't able to
see what that update key referred to, but when I installed or used it under a profile for the first time, it did list that update key with the date and time. was on March 19th at 2:46 p.m. It also created -This is where -That was the It also So in this case I
database of information about the software. created a folder. was created.
It shows the date and time that folder
It shows when the CCleaner folder and
program files were copied onto that machine. MR. BLANKENSHIP: a little bit. Your Honor, I can shortcut this
We are not disputing that CCleaner was run All of this is stuff we have
in the most basic form.
80
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
stipulated to.
What we are disputing is whether or not None of this is disputed, what
the free space was wiped. is being said so far. THE COURT: was wiped. files.
I think it goes beyond the free space
We have got shortcuts, temporary internet
I am going to hear this, because it goes to the
very heart of the dispute. MS. MICHAEL: Thank you, your Honor. It does.
Go ahead, Mr. Muchmore. THE WITNESS: I will try to speed it up here. I
went back to CCleaner and clicked on the option for old prefetched data. What happened is, at that time, under
the user profile for User1, it created that entry for old prefetched data. In several tests I ran what appeared to happen is, under a particular user profile, when someone changed one of those default options, either by turning one off or turning one on, it created a registry key of that name, and showed true if it was checked or false if it was not checked. By Ms. Michael: Q. A. What is prefetch data? Prefetch data is information about what programs have It contains
been run on the computer and when.
information about how often I run Paint versus Adobe
81
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Acrobat versus Angry Birds or some other program.
The
reason it is there, again, is not to help a forensic examiner, but it can tell information about what and how a computer was used. So I went through and clicked on all of these advanced options. And then what happened is it showed all of these
advanced options, and it showed that I checked them all as true. So in my test case I clicked on the run cleaner button, and it popped up a warning to let me know this will permanently delete files from your system. Again,
removing data from the system, as far as I can tell, is what CCleaner does. That's all it does. I clicked okay. It is just It started to
giving you that warning. give me a progress bar.
And since in this case I had
selected wipe free space, it took a few minutes to wipe the free space. So when it was done, you can see that on this test computer, it removed 451 temporary internet files, some temporary files. I am not sure if there are any shortcut And that process, including wiping
files at this time.
this computer, took six minutes and 45 seconds. So the time taken to wipe a computer, six minutes is on the fast time. It can take hours to do. But there
have certainly been instances, say, for a case I remember
82
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
a couple of years ago, I was requested to wipe the free space on eight different computers because people had copied information they shouldn't have. And the time it
took to wipe these actual drives for these people ranged from a few hours to, in a couple of the cases, less than ten minutes, to actually wipe the free space. depends on how much empty space -It just
It is not how big the
hard drive is, but how much empty space is on that computer. So I unchecked the option to wipe free space. I have it slightly out of order here. I think
But basically at I can
that point it changed the wipe free space to false. tell at some point I clicked on that wipe free space option because it appeared.
The appearance of that entry
showed me it had once been clicked and then it had been unclicked. I am now looking at some of the same registry information, not through the Windows program but through a forensic software, the access data software. And the two
things that it does that the Windows software doesn't do is allow me to view registry information from another computer, but it also tells me this last written time. This last written time for this CCleaner key in the machine section seems to correspond with when CCleaner was first installed. In this case, it was 21:45 Universal
83
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Time. One thing that bears keeping track of is, a lot of these stamps are created with Universal Time, which is seven hours ahead of Seattle in Daylight Savings Time, and eight hours otherwise. ahead. Now, this portion of the computer registry is the registry -- it shows it at a different name, but it is the registry for the user in which I was logged in. It shows that this key for the Piriform software -- it again shows that essentially in my test, but usually within a second or two of the other one, the other key for the entire machine. So now we are going back to looking at the final version of my registry after doing the operations of which I showed the screen save. Again, it shows this wipe free So So in this case it was seven hours
space had been clicked on, and then I unclicked it.
basically from all the tests I ran, it appears -- and this is not inconsistent with other software I had seen, that if no one ever clicked that option, that option just doesn't appear. If someone clicked on it and then
unclicked it, it shows it as false. Go back one. Lastly, is this -This time, for the
CCleaner, seems to like -- I don't know that it pins it down exactly, but it doesn't seem to correspond with the
84
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
installation of CCleaner, but seems to correspond with its actual usage. So this is the Lindell laptop. Again, this is showing
on the machine portion of the computer the CCleaner was created. And this is showing at March 11th. And it is
showing 8:40 Universal Time, which would correspond to 12:40 Seattle time. I put a little footnote in my
declaration that these times -- saying this indicated to me that this was done at 12:40 was resting on assumptions that oftentimes I can verify, but I could not at this time, that the forensic toolkit software that Blank used was set certain ways, that the computer was set with the correct time zone, et cetera. be showing me. So this is the administrator profile of the Lindell laptop. And, again, the creation of this registry But that's what it seems to
information was -- on the administrator profile seems to match up to the time that the CCleaner was first installed. So from this information, it appeared to me
that the person who was installing the CCleaner software was logged in as -- when they went to log into the computer, were logged in as administrator. And this is what I based my -- based the portion of my declaration -- where I mentioned at that time on March 11th, someone had selected all of these advanced options,
85
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
and then unselected the wipe option. Now, what I thought was interesting is that -- I don't have a screenshot here, but there was information in the program files that showed that the CCleaner was later updated. But in the Llindell profile in August, this time
someone logging in -- these keys were first created on August 21st by someone logging in as Llindell. Q. So in March, somebody logged in as administrator and
ran CCleaner, and in August, somebody logged in as Llindell and ran CCleaner? A. That is what it appears to me. Go ahead. Do one
more. The one item that I thought was very interesting is, in all of my tests, the settings -- if you set up CCleaner while logged in as one user, and then run it as another, none of those settings as to which boxes were checked or unchecked seemed to carry over from one user to another. So the fact that these show the same options suggested to me that, independently, when someone logged in as the other account in August, they went through the same routine of checking all the advanced options, and at some point after that was checked, unchecking it again. basically twice the election was made to check that option, and then to uncheck it again the next time. Q. And so if there were more than one user on this So
86
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
laptop, what is your understanding of what would happen if logged in as Llindell when the boxes are checked? happens to the other user's information? A. I will show you that in a moment. I think it is the I went to What
next slide.
That was a question that came up.
their website and looked at the CCleaner "frequently asked questions." It showed -- it had the question, "Does it,"
being CCleaner, "clean all the user accounts on the computer?" So the question being: If you are logged in
as administrator or M. Kaser, does it clean the information from those subfolders for the other users? says, "At the moment CCleaner supports cleaning the current user's account only." Basically what that is It
telling me is that CCleaner doesn't clean the information from the other account. But I didn't trust it, so I ran a test. I logged into
my test computer as administrator, ran CCleaner, and see that it cleaned 146 temporary internet files. So I went
to the temporary internet files for administrator, and I found that the files that were there were in fact gone, and what I had found before, that some of these files that track information were created. But then I found under
that User1, the temporary internet files were still there. So basically my takeaway from that is that in March, when it was -- when the CCleaner was run under the
87
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
administrator profile, it would not have likely removed the temporary internet files or the shortcuts for the Lindell log-on or the Llindell log-on, but when that was run in August, it most likely did. Q. So if Ms. Lindell on March 11th or March 12th had
advised the court that CCleaner had been run on part of the computer, and then thereafter not used the computer any further, what is your expectation of what kind of information we would have today? A. My expectation is, just from what I have seen, is that
those temporary internet files, those shortcut files, that information would have been, just under the normal usage of the computer, as if the CCleaner essentially had not been run, at least according to that log-on. Let me just say, it appears that most of the activity over the last two or three years had taken place under that log-on of Llindell. Q. A. Q. A. Q. Go ahead. That was it. That's your last slide? Yes. Do you have any information that indicates to you --
Whether or not the free space was wiped or not really isn't the total battle here. Do you have information that
tells you whether it was or was not wiped?
88
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
A.
From the information we have, it has been hard to see In this case, unlike most of the
whether it was wiped.
forensic examinations, we did not have access to the actual computer itself. We received these file listings.
From the file listings that were received, there were not a large number of data card files or there were not a large number of deleted files, which would be atypical. Now, it is unclear to me at this point whether we just did not receive a complete listing from the Blank Law Firm, or whether there weren't very many files. So
basically I tried not to use that information on making this judgment. I put forth the information about the
options that were selected, what we were able to tell just from the use of CCleaner, and made inferences from there as to whether someone actually clicked on that wipe option or not. Q. Regardless of whether they wiped it, and we will talk
about what information you would need at this point to determine if they actually did wipe the computer, what information was deleted simply by the running of CCleaner in both March and August? A. Particularly after the August, but in the March,
again, the way -- from the slide that I showed you that had the picture of the hard drive, as soon as a computer -- as soon as a file is deleted, then that puts
89
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
it available for overwriting. Basically, as I mentioned on the temporary internet files, for example, what I will normally see when I look at a machine are many files from the last few months, and I will see some from older periods of time. that little subfolder that contains files. I showed you Sometimes
Windows or Internet Explorer just seems to forget about one of those and leaves it there. So two or three years
later I will look at the computer and there might be a very complete record of the web browsing/surfing from two or three years earlier, and it might be spotty from other times. So basically as soon as these files are deleted, whether wiped or not, they put them available for free space where the information about the timing of it can start to be overwritten, the information about the contents of it in free space is much more difficult to access at best, but will start to be overwritten at worst. If you delete a thousand files, and use the computer, and come back three months later, some percentage of those files are going to be irretrievably lost. It just varies
under the circumstance how many, but there would be some. Q. A. And the use of CCleaner did what to that ability? It would greatly accelerate, at the very least, the Again, had
rate at which this information would be lost.
90
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
CCleaner not been run, I would have expected to find shortcut files going back for four or five years. I would
have expected to find these temporary internet files. From what we found, there is very little information there. My expectation is that was due to the effect of
CCleaner. Q. I asked Mr. Yeh about the numbers after approximately
520,000 in the forensic toolkit ID that we were provided. If they don't match the produced or the privilege log for file listings, do you have any idea why that would be? A. The only explanation I can think of -- the only one
from my experience is that once those numbers are created in a case, they don't change. So all I could think of is
that case was rescanned, and that somehow the options or the files that it found were different the second time it was scanned from the first time it was scanned, so that there might have been files on one listing that were not on the other listing. Q. There are documents in the production and privilege Do you know
log that do not appear on the file listings. why that would be? A. No.
The only two explanations that I have been able
to think of are, one, the rerunning of the file listing occurred after those files were given to the Blankenship firm for review and did not appear, or that, second, we
91
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
did not get a complete file listing from the forensic toolkit software. Q. If we wanted to determine whether or not the computer
actually had the wiping feature activated and utilized, what would you need to do that work? A. It can be hard to determine. Sometimes by giving the Sometimes you can
full image of the computer to analyze.
just see absolute evidence that this must have been wiped. But in most cases -there. It is hard to prove what is not
Since the wiping removes information -- again, it
is not always impossible, but most times it is very difficult to look at that -- to even look at the free space, particularly if it has been used for several weeks afterward, and make that determination. So if you asked me, this computer, was this wiped yesterday before it had been used much, then the answer is probably yes. Whether you could determine whether it was
wiped after several more weeks of usage, maybe you could, maybe you couldn't. Q. And if somebody had activated the wipe button, and
then a few minutes later decided not to do that and hit the don't activate the wipe button, what would happen? Can you interrupt the wiping process, I guess? A. I tested that out, and did. If I checked the wipe
free space, and hit the button to start cleaning the
92
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
computer, it gave that progress bar. only six minutes.
In my case, it was
But I wasn't able to hit cancel on that
option, and then at that point about half of the information in the free space presumably would have been wiped. I was able to uncheck the wipe free space button,
run the CCleaner again, and it just removed the information and left that computer half wiped. Q. I've got this document with the small print. Can you
tell us, in general, what is this document, and is it useful to you? A. That was a spreadsheet that I created from the file
listing that included what seemed to be actual document files, Word document spreadsheets, PDFs and the like, from the user-created areas on the computer. Most of those listings are documents that, if a person turned on the computer and logged in as Llindell, they would see. Q. So these are still available on the computer, but
information CCleaner removed is no longer available for review? A. Right. MS. MICHAEL: May I mark this, your Honor, and
pass it up to the court? MR. BLANKENSHIP: I object to her passing
something up to the court that I can't --
93
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
MS. MICHAEL: THE COURT: about it? MS. MICHAEL: THE COURT:
I will make a copy.
Do you intend to question the witness
I was not going to ask --
Why don't we mark it as an exhibit? I have a copy. Sorry.
MS. MICHAEL: By Ms. Michael: Q.
In browsing through that, did you find evidence that
there was a fair amount of work on the computer involving the Lindell lawsuit? A. From my basic understanding of the lawsuit, there did
seem to be some folders, such as a folder called "mediation," and several folders underneath it that -again, my understanding of the lawsuit is somewhat basic, but did seem to be related to the legal work or related to the underlying items that the case is about. MS. MICHAEL: I will leave it for the court to Did I forget
peruse to see how much of that does relate. anything, Mr. Muchmore? THE WITNESS: MS. MICHAEL: THE COURT: moment here.
Not that I can think of. Thank you. No more questions.
Before you get started, let's take a
May I safely assume you are not going to
finish your cross-examination of this witness and put on your expert by 4:30?
94
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
MR. BLANKENSHIP:
That is probably safe.
I am
feeling bad about Blake Weibling, who is sitting outside. I wish we could get him on today before the day ends and he has to miss work again. THE COURT: compensating him. MR. BLANKENSHIP: "handsomely." THE COURT: for a moment? Why don't you go ahead and step down I don't know about I am sure you will be handsomely
Mr. Blankenship, why don't you have a seat. You can talk by sitting down. I think
We will do this informally.
We are not going to get through today. that is obvious at this point.
The next opportunity that
I have to see you is next Monday at 10:00, which is your pretrial conference. I think you are slotted for an hour
for the pretrial conference. Mr. Blankenship, do you know how many witnesses you are going to call? MR. BLANKENSHIP: witnesses. THE COURT: parties. When in doubt, always ask the I had planned on calling three
Mr. Blankenship, how would you like to proceed?
Do you think we can get Mr. Weibling through your direct examination? MR. BLANKENSHIP: Yes.
95
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
THE COURT:
How long will that take? I don't think it will take --
MR. BLANKENSHIP:
With the court's guidance with respect to the declaration, I can get him on and off pretty quickly. THE COURT: full opportunity. I want to make sure everybody gets a
I have looked at the case law again,
and none of the options are attractive to the plaintiff's case, and therefore I want to give you every opportunity that you deserve in order to present your case fully. In
fairness to the City, I want to make sure they have their opportunity to put on their case. Ms. Michael, how many more witnesses do you have? MS. MICHAEL: Honor. THE COURT: I suspect you would like to examine No more in our case-in-chief, your
Mr. Weibling, and you would like to examine Ms. Goodman? MS. MICHAEL: THE COURT: Ms. Lindell and their expert, yes.
I don't think we can have I would rather hear him as a
Mr. Weibling finished today. block.
Why don't we have you start with Mr. Muchmore, and On
we will go until about 4:15 and adjourn for the day? Monday we will resume with your examination of Mr. Muchmore, and then go into your case.
I am not inclined to try to express any views, because, as I tell all juries, you need to keep an open
96
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
mind until you have heard all of the evidence. important to me that we get this right. vacating your trial date --
It is very
If that means
I am not going to rush this I have an extended I have two
in order to try and shoehorn you in.
cocaine importation case starting mid-April. trailing cases that were set for that. around.
Things move
It is my intention to take you as quickly as we
can, as opposed to dropping you to the bottom of the calendar. I am hopeful that we are not looking at a lot of out-of-town witnesses who are going to have availability problems, since these are all local folks. fairly accurate assumption? MR. BLANKENSHIP: Your Honor, it is. There are Is that a
people, though, that are having difficulties with April 4th. Like Marcella Reed, for example, I would have
to take her very quickly, because she was heading out on the 6th. Bob Sterbank is in Hawaii. He is not available
until the 13th.
It is spring break, so a lot of people That is the extent of
are taking off with their families.
the out of state, but that is the kind of issue we have been struggling with with witnesses. THE COURT: case? MS. MICHAEL: We can have our witnesses Ms. Michael, what is it like in your
97
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
available, your Honor. THE COURT: in real peril. Right now I think your trial date is
I won't commit to that, but tell
Mr. Sterbank to buy another swimsuit. We have your motions for summary judgment, we have your motions in limine. I am not going to have you
start the trial until you have answers to those, because you can't. to this. over. The criminal matter started off at five days, it expanded to ten days, it expanded to twelve days, it expanded to 15 days, and then it shrank to twelve days. The last time they were in here, which was this morning at 11:00, it sounded more like eight days. That will put you I can't rule on those until I know the answer
This string of dominoes is getting ready to fall
in early May, which will, I guess, get us out of spring break. I am sure someone is going to say, I have a trial
in King County Superior Court, as another reason why we can't go then. No, we are not going to finish today. going to start again on Monday at 10:00. Mr. Muchmore, you can retake the stand. We are We are
going to get in 15 minutes of questioning, and I am going to take a hard break at 4:20. CROSS-EXAMINATION
98
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
By Mr. Blankenship: Q. A. Q. Mr. Muchmore, hi. Hello. Have you ever been in a situation like Blank Law,
where you basically were doing a forensic exam of a computer, and the computer was the computer of someone like Ms. Lindell, and you were dealing with their lawyers to figure out which documents were privileged and work product? A. I believe so. I have been in a situation where I ran
searches, turned it over to one party for privilege review, and then turned it over to another party, yes. Q. It is pretty standard that that happens, even when you
are being hired and paid for by the other side, right? A. These circumstances have not been standard in my Usually it has not been a neutral
personal experience. third party.
Usually I have been able to have access to
the computer, even if I am forwarding it to counsel for privilege review. Q. But it isn't uncommon, in fact it is quite typical,
that the person whose laptop is being examined, counsel gets to assist with culling out privileged work product, isn't it? A. Q. To conduct a privilege review? Yes.
99
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
A.
In some cases, yes.
That has not been in every case I
have been in, or even most. Q. About how many times have you done like a forensic
examination of a computer, where you went in and carved out drive free space? A. Q. I would say I have done dozens of computers. Ms. Goodman found in the drive free space a document You saw that, right?
that was created in 2009. A. Q. I did.
And if there had been a wipe of the free space, you
wouldn't be able to recover documents from 2009 from the free space, would you? If they were in March, as they
alleged occurred, and August of 2010 (sic), you wouldn't be able to go into the free space in 2009 and find documents like the exhibit that she attached to her declaration, would you? A. Q. A. Q. A. Q. A. Q. A. Do you mean you go into the free space in 2011? Yes. And find documents that had been created in 2009? Right. Yes, I would expect that you could. Even if it is wiped? Absolutely. What is your basis for that? It is only wiping the free space. The time the
100
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
document is created is irrelevant to whether it would have been wiped in free space. The time it was deleted is the
most important information in that case. Q. The time that it was deleted. In this case, though,
did you find that document in your review? A. I found the document in the files that were produced
by Blank, yes. Q. And those files -- those documents -- those free space
documents were produced January 20th, weren't they, the first batch? A. Correct. No. I think we got those February 20th. But, yeah.
Maybe they were January. Q.
If you need to check, that's what I have noticed, that
they were -A. The first CD batch, yes. THE COURT: Mr. Blankenship you have used the I want to make sure everyone
term "free space documents."
has a common definition, including me. By Mr. Blankenship: Q. The drive free space is where all data goes, even if
it is deleted, correct? A. From my little diagram -- free space is items that
includes parts of the drive where no data has ever been stored or parts of the drive that a file was stored and then that file had been deleted. That's the free space,
101
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
yes. Q. If CCleaner was ran in March and in August, wouldn't
the document that was the exhibit have been -- if it had been a temporary internet file, wouldn't it have been deleted when CCleaner was ran, even without checking the box for the drive free space? A. Not necessarily in both cases. That's the point that
I was making about the temporary internet files only in the profile in which the CCleaner was run. So if most of
this surfing, to use it colloquially, web browsing took place under the Lindell profile, for example, and the CCleaner was run under administrator, then at that time it would not have deleted the temporary internet files from the Lindell profile. So, say, in March it was run and wiped the free space at that time -This would be one scenario. I can think
of several others in which that document would not have been deleted in March. wiped in March. But the free space could have been
But since that document had not yet been
deleted until August, the wipe of free space would not have removed that document. Q. That's one scenario.
Do you know whether or not there were separate
profiles on the computer that were set up by the Lindells? A. Yes. That was my testimony in my PowerPoint slides. There were profiles
There were several profiles set up.
102
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
for administrator, M. Kaser, others that were used before. It appeared to me Ms. Lindell had been using the computer. So it appeared to me that the Llindell profile had been the one that had been used for most activity since she received the computer, but in March, the CCleaner was run against the administrator profile. So, say, at that time the option to remove temporary internet files and wiped free space was selected, in that case it would have only removed temporary internet files from the administrator account, thus leaving the one that you found, wiped anything else that had been deleted at that time. And then, say, in August, when it was run
under the Llindell account, then only at that time, in my hypothetical, after the free space had been wiped, that that particular file was deleted. Again, in that scenario
the file would not have been deleted, and thus that would not have been free space when the computer was wiped in March. Q. But it was wiped twice according to you. I will not concede that. Objection, your Honor. Misstates Not wiped.
Let me back up.
MS. MICHAEL: his testimony. By Mr. Blankenship: Q.
Isn't it true, according to your review, you believe Right?
that CCleaner was ran on two different occasions?
103
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
A. Q.
CCleaner was run on two different occasions, yes. Wouldn't that have been wiped -Considering that was
the free space, and it was created in 2009, wouldn't the wipe in August have wiped a document that was created in 2009? A. Again, that is not what determines what is wiped. It
is not when the document is created that is important, it is when it has been deleted that is important. Q. But if I understand -I mean, I will have to talk to You are a You
my expert about that.
But my understanding --
little bit over my head here.
But with respect --
are saying that even though something was in free space, that was created in 2009, and even though you are testifying it may have been wiped twice, that wouldn't be dispositive of -- a preexisting document wouldn't be dispositive of there being no wipe, as Ms. Goodman declared under oath? A. No. I think she overlooked a number of different
scenarios. Q. A. Like what? The first scenario is the one that I mentioned, say,
the free space was wiped the first time CCleaner was run, but say the second time the removal of the shortcut files and temporary internet files took place but it was not wiped. A second scenario that seems possible is that the
104
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
wipe might have been started, but then interrupted at some point during its operation. Looking at the information from the declaration of the person at PC Doctor, that sort of seems to reinforce that scenario in my mind. He mentioned that he typically does It wasn't clear to me exactly
not wipe the information.
why he would not once, but twice, click on the option and then unclick on the option. But say he went through and
clicked on all those options, including wipe free space, clicked on the run cleaner button, and then turned and looked at something else and expected after one minute all the CCleaner would have been completed. Say at that point
he realized that he had selected the option, and then failed to unselect the option, and then hit the cancel button, that is one scenario in which, even after a few minutes, thousands of documents would have been wiped, but not necessarily every document on the machine. the second scenario that occurred to me. THE COURT: All right. We are going to take a That is
break at this time, because I have a couple of questions. When we resume, you are going to resume your examination having had the opportunity to talk to your expert, which probably makes better sense than us lawyers. Is it going to be easier to determine the impact of the CCleaner program if you are looking at the mirrored
105
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
hard drive that exists in this case or looking at the three CDs? THE WITNESS: easier. I think it would definitely be I
Whether that makes it easy is hard to say.
think, again, in most instances in which I suspect a computer had been wiped, and then it had been continued to be used for several weeks or months, you can't necessarily tell anything for sure. But I think it is certainly
possible, by looking at the complete image of it, I could make a determination. It would definitely give both
myself or Ms. Goodman more information to work from. There would be fewer hypotheticals, fewer possibilities. THE COURT: If I asked you and Ms. Goodman the
question of are there people in Seattle who are technically competent to do that, how would you answer that? THE WITNESS: Technically competent to make a
determination about wiping? THE COURT: Yes. I think the wiping question can I think the wiping By looking at the free
THE WITNESS: be --
I think the answer is yes.
question can be much more of a -space itself --
It can be hard to have an objective It would be based
question that has an objective answer.
to a certain extent on hunches or what the person had seen
106
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
before. THE COURT: Let me ask you in a different way.
Who is your competition? THE WITNESS: THE COURT: In the -Are there other people
In Seattle.
that do this besides the two of you? THE WITNESS: THE COURT: Yes.
How long would it take? I would think that several days Probably less than that.
THE WITNESS: would be enough time. THE COURT:
Counsel, we will be in recess in this At
particular matter until 10:00 a.m. on Monday the 28th. that time Mr. Blankenship will resume his cross-examination, having had ample time to get ready, which hopefully means that we will be going faster.
Counsel, anything further the court can do today to be of assistance? MR. BLANKENSHIP: be helpful to know -I guess, your Honor, it would
Are you saying you don't think it Should I be
is likely we will go forward on April 4th? preparing witnesses all next week?
Since we go first, it
is important to know the answer to that question. THE COURT: Sitting here today, I will tell you
that if I am where I am right now, you are not going to have a trial because I think there is a prima facie case
107
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
put forward that something happened to the computer. don't think you are denying the fact that something happened to the computer. understand what it is.
I
I am not comfortable that I
I can't rule on the motions and I
can't have the trial until I am comfortable with what happened. The last two questions I asked the witness may suggest one alternative that I am considering, which is to find someone who can have access to the mirrored hard drive and conduct an independent examination on behalf of the court. As Mr. Muchmore just said, that may just give But that
me one more opinion as opposed to an answer. would be helpful. going. MR. BLANKENSHIP: of Wednesday.
The answer is, I don't think you are
We have a pretrial lodging date
We all spoke about moving that until
Friday, just because -THE COURT: Why don't you not do anything on it.
I am going to relieve you of that obligation at this time. You can't do a pretrial order until I rule on these motions. And you can't -We are back to the same loop,
I can't rule on these motions until I have an answer to this question. Counsel, out of fairness, I am not blaming anyone for putting us in this situation. I understand, not
108
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
withstanding protestations in the briefing, this stuff got delivered late. It appears that everyone was diligent in
both attacking the problem and responding to the attack since that time. It is just that we have a limited number
of hours between when this all started and the very important upcoming dates, including the pretrial conference. We will be in recess. (Adjourned) Thank you, counsel.
109
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
CERTIFICATE
I, Barry L. Fanning, Official Court Reporter, do hereby certify that the foregoing transcript is true and correct.
S/Barry L. Fanning ____________________________ Barry L. Fanning

1

Recommended Documents

Documents Similar To 03.21.11 Hearing Transcript

Documents About Usb Flash Drive

More From Mercer Island Reporter