Newark, N.J. - The defense rested its case this week in the trial of a former systems administrator charged with four federal criminal offenses in association with a March 2002 attack on UBS PaineWebber's network.
Closing arguments are set to begin Monday morning.
Roger Duronio, 63, is charged with launching a logic bomb that took down nearly 2,000 of the company's servers, along with its ability to do business for up to three weeks in some branch offices.
In court on Thursday, the defense continued its argument that there simply wasn't enough evidence in hand to say who caused the incident. And the defense's forensics expert testified that he couldn't even say for sure that it was a logic bomb that caused the wreckage.
This was Duronio's fifth week on trial in U.S. District Court here. He faces four counts, including computer sabotage and securities fraud, in connection with a logic bomb that was detonated at UBS. Duronio worked at the financial company for three years, but quit his job a few weeks before the attack because he was angry that his annual bonus came up short.
The defense and the prosecution sparred for most of the day, with both firing questions to the second forensics expert to take the stand.
Kevin Faulkner, a senior consultant with Protiviti, a risk management consulting company, was the first defense witness to testify. He took the stand Wednesday and wrapped up his approximately six hours on direct and cross-examination Thursday. Faulkner told the jury there wasn't enough evidence--between log histories, incomplete backup tapes, and few forensics images--to say who was responsible for the UBS incident. He said he could only say that a root user was responsible for the malicious code, and then he said he couldn't verify the prosecutors' claims that the logic bomb they found on the servers was the cause of the network crash. "When dealing with evidence that is incomplete or you don't know who's touched it and when, then how can you know for certain what happened?" asked Faulkner. "There are always multiple explanations in every case."
A root user on a Unix system is a superuser with all-encompassing privileges. Whoever ran the code on the UBS system would need root user rights, according to Keith Jones, the government's forensics expert, who testified for five days. Jones is director of computer forensics and incident response at Mandiant, a computer security consulting company.
When the government's expert testified, he said there was a clear digital trail leading, in every case but one, directly from Duronio's home computer into the UBS network and onto the servers where the code was planted, exactly on the date and times when the code was planted. In the one exception, Duronio logged in to work on the malicious code from his workstation within the UBS facility, Jones said.
Faulkner disagreed with Jones' assessment, noting that Jones' analysis used VPN logs, as well as logs from WTMP files, which note the time of logins and logouts, and switch user logs, which record when users switch over to become a root user. Faulkner called that information unreliable because it can be edited by root, and it was designed for accounting purposes and not for forensics examinations.
Faulkner said he couldn't say who was responsible for the logic bomb because he didn't have a complete set of backup tapes to review for the damaged servers. While about 2,000 servers were damaged, the forensics experts were given the backup tapes from a smaller sampling of servers, representative of various time zones where the damage was done. Faulkner said he would want to see the complete set.
Faulkner also said the backup tapes he received didn't cover all the information that could have been stored on the damaged servers. It wasn't clear how much data was on each server immediately before the network was attacked, but the backup tapes didn't cover it all.