Defense Witness In UBS Trial Says Not Enough Evidence To Make Case - InformationWeek


Kevin Faulkner, forensics investigator, says the lack of mirror image data from the attacked UBS server calls into question exactly what was done and by whom.

Newark, N.J.--The defense's forensics investigator took the stand Wednesday, telling the jury there simply wasn't enough evidence available about the March 2002 attack on UBS PaineWebber's servers to know for sure who was behind the incident.

Kevin Faulkner, a senior consultant with Protiviti, Inc., a risk management consulting company based in Menlo Park, Calif., had the daunting job of being the defense's first witness. He followed the government's forensics expert, Keith Jones, who wrapped up five strong days on the stand last week, explaining the technical details of the case to the jury and standing up to two days of contentious cross-examination. This is the defense's first time at bat in the federal criminal trial of Roger Duronio, a 63-year-old former systems administrator accused of sabotaging the UBS computer network. The trial has entered its fifth week in U.S. District Court.

''I couldn't look at all the data,'' said Faulkner, when defense attorney Chris Adams questioned him about having backup tapes instead of forensic mirror images to analyze in the case. ''They were just the active data and they weren't all the active data. When I ran it, it asked for Tape 2 but there was no Tape 2. The information for the [central server] wasn't a forensic image. To preserve digital evidence, a forensic image is best practice.''

A backup tape is a copy of the files on a hard disk, written to tape on a periodic basis; it captures only the active files present when the backup runs. In contrast, a forensic mirror image is a bit-by-bit copy of everything on the machine, including unallocated space. It's analogous to taking a photograph and can contain more information than is captured on an average backup tape.

Faulkner said he had 6.5 gigabytes of data on the backup tapes to work with from the central server, which had a capacity of up to 30 gigabytes. It wasn't clear how much data was on the server immediately before the network was attacked, but the backup tapes didn't cover it all. In his testimony last week, Jones said there was some data missing but he added that he was able to recover a majority of it for the servers he was examining.

''I'd certainly prefer to see more forensics images,'' said Faulkner. ''You want to review the system to make sure what is believed to have happened actually happened. Plus, you want to gather evidence on the who, what, and when of what happened.''

All along, Adams has been pushing the idea that backup tapes of the damaged servers were insufficient for forensics analysis. First he said the data on them couldn't be trusted because they were handled by employees at @Stake, Inc., the first forensics company brought in on the case. @Stake had employed hackers and Adams questioned several witnesses about whether hackers could be trusted with critical evidence.

Adams also repeatedly questioned Jones, director of computer forensics and incident response at Mandiant, an information security company based in Alexandria, Va., about the validity of using backup tapes instead of mirror images. Jones testified that it wouldn't have done much good to take bit-by-bit images of damaged servers--especially when all the files had been deleted off of them.

Jones also testified that having more data from the servers would not have changed what information he gleaned from the backup tapes. Jones said he was able to follow a digital trail from Duronio's home IP address through the company VPN and into specific servers where the code was planted--all during the times the code was created or modified.

Faulkner testified Wednesday that logs of any kind are poor forensics evidence.

The government built its forensics trail at least in part using UBS' VPN logs, WTMP logs, which show what time users log in and out, and SU (Switch User) logs, which show when users switch from their normal logon names to root user. The code, Jones explained, could only be planted by a root user, which, on a Unix system, is a super user with all-encompassing privileges.
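As an added illustration of the kind of login-time evidence a WTMP log holds (example code written for this article, not anything used by either side's experts), the script below parses wtmp records and pairs each login with its logout. It assumes the glibc x86_64 record layout (384 bytes per entry) and uses constructed sample records rather than a real log.

```python
import struct
from datetime import datetime, timezone

# Layout of one glibc 'struct utmp' record on x86_64 Linux (384 bytes).
# Assumed here for the example; other platforms use different layouts.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8      # ut_type values for login / logout

def _cstr(b):
    return b.split(b"\x00", 1)[0].decode("ascii", "replace")

def parse_wtmp(data):
    """Yield one dict per fixed-size record in a wtmp byte string."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp data is not a whole number of records")
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]),
               "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]}

def sessions(data):
    """Pair login (USER_PROCESS) and logout (DEAD_PROCESS) records by tty line."""
    open_by_line, result = {}, []
    for r in parse_wtmp(data):
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            login = open_by_line.pop(r["line"])
            result.append((login["user"], login["host"], login["time"], r["time"]))
    # A login with no logout record is still open, or its logout was never written.
    for login in open_by_line.values():
        result.append((login["user"], login["host"], login["time"], None))
    return result

def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one record; used only to construct sample data for this example."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

# Constructed sample: one user logs in on pts/1 and out an hour later; a second
# login on pts/2 has no matching logout record.
SAMPLE = b"".join([
    make_record(USER_PROCESS, 4242, "pts/1", "jdoe", "10.0.0.5", 1015000000),
    make_record(DEAD_PROCESS, 4242, "pts/1", "", "", 1015003600),
    make_record(USER_PROCESS, 4300, "pts/2", "asmith", "10.0.0.9", 1015004000),
])

if __name__ == "__main__":
    for user, host, start, end in sessions(SAMPLE):
        stamp = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat() if t else "open"
        print(f"{user:8} from {host:10} {stamp(start)} -> {stamp(end)}")
```

Because wtmp is an ordinary file, the times it yields are only as trustworthy as the copy they were read from, which is why investigators prefer to parse it out of a preserved forensic image and corroborate it against independent sources such as VPN logs.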

Faulkner said the logs can't be trusted as a form of evidence because too many of them can be edited by a root user. He added that there are other means of access that aren't recorded in any specific log. Faulkner said user history logs can be edited by a root user, as can SU logs and command logs, which record what commands were run on the system.

''The logs are more for accounting,'' he told the jury. ''They're not designed for investigative purposes because they don't log everything.''
