Defense Witness In UBS Trial Says Not Enough Evidence To Make Case

Newark, N.J.--The defense's forensics investigator took the stand Wednesday, telling the jury there simply wasn't enough evidence available about the March 2002 attack on UBS PaineWebber's servers to know for sure who was behind the incident.

Kevin Faulkner, a senior consultant with Protiviti, Inc., a risk management consulting company based in Menlo Park, Calif., had the daunting job of being the defense's first witness. He followed the government's forensics expert, Keith Jones, who wrapped up five strong days on the stand last week, explaining the technical details of the case to the jury and standing up to two days of contentious cross-examination. This is the defense's first time at bat in the federal criminal trial of Roger Duronio, a 63-year-old former systems administrator accused of sabotaging the UBS computer network. The trial has entered its fifth week in U.S. District Court.

''I couldn't look at all the data,'' said Faulkner, when defense attorney Chris Adams questioned him about having backup tapes instead of forensic mirror images to analyze in the case. ''They were just the active data and they weren't all the active data. When I ran it, it asked for Tape 2 but there was no Tape 2 The information for the [central server] wasn't a forensic image. To preserve digital evidence, a forensic image is best practice.''

A backup tape is a duplicate copy of all the files on a hard disk. With a backup, files are updated to a tape on a periodic basis. In contrast, a forensic mirror image is a bit-by-bit copy of everything on the machine. It's analogous to taking a photograph and can contain more information than is captured on an average backup tape.

Faulkner said he had 6.5 gigabytes of data on the backup tapes to work with from the central server, which had a capacity of up to 30 gigabytes. It wasn't clear how much data was on the server immediately before the network was attacked, but the backup tapes didn't cover it all. In his testimony last week, Jones said there was some data missing but he added that he was able to recover a majority of it for the servers he was examining.

''I'd certainly prefer to see more forensics images,'' said Faulkner. ''You want to review the system to make sure what is believed to have happened actually happened. Plus, you want to gather evidence on the who, what, and when of what happened.''

All along, Adams has been pushing the idea that backup tapes of the damaged servers were insufficient for forensics analysis. First he said the data on them couldn't be trusted because they were handled by employees at @Stake, Inc., the first forensics company brought in on the case. @Stake had employed hackers and Adams questioned several witnesses about whether hackers could be trusted with critical evidence.

Adams also repeatedly questioned Jones, director of computer forensics and incident response at Mandiant, an information security company based in Alexandria, Va., about the validity of using backup tapes instead of mirror images. Jones testified that it wouldn't have done much good to take bit-by-bit images of damaged servers--especially when all the files had been deleted off of them.

Jones also testified that having more data from the servers would not have changed what information he gleaned from the backup tapes. Jones said he was able to follow a digital trail from Duronio's home IP address through the company VPN and into specific servers where the code was planted--all during the times the code was created or modified.

Faulkner testified Wednesday that logs of any kind are poor forensics evidence.

The government built its forensics trail at least in part using UBS' VPN logs, WTMP logs, which show what time users log in and out, and SU (Switch User) logs, which show when users switch from their normal logon names to root user. The code, Jones explained, could only be planted by a root user, which, on a Unix system, is a super user with all-encompassing privileges.

Faulkner said the logs can't be trusted as a form of evidence because too many of them can be edited by a root user. And he added that there are different means of access, for example, that aren't recorded in a specific log. Faulkner said user history logs can be edited by a root user, as can SU logs and command logs, which record what commands were made on the system.

''The logs are more for accounting,'' he told the jury. ''They're not designed for investigative purposes because they don't log everything.'' One thing that wouldn't have been logged in, according to Faulkner, was entry into the system by someone using a backdoor that was installed on a server in the UBS data center. Earlier testimony in the trial showed that Duronio had main responsibility for that particular server. Faulkner testified that two people accessed the UBS network using the backdoor. He did not identify the two users--just their logons--and he did not say when they used the backdoor, or if the backdoor entry was used during the same time the malicious code was being built or distributed on the network.

''It could have been used by users who had access to root but didn't want to leave evidence of being there,'' Faulkner said, adding that they could gain root access through the backdoor. ''It's a little surprising. It allows access to root for anyone who knows the backdoor is there It's quite a security concern.''

The defense attorney also went back to something he hits upon frequently. Adams has repeatedly called into question Charles Richards, another UBS systems administrator at the time of the attack. Both Richards and Rob Robertson were questioned by UBS and U.S. Secret Service agents because of their close ties to Duronio. Unlike Duronio who had quit his job a matter of weeks before the malicious code was triggered, both Richards and Robertson were at UBS and part of the long recovery operation. Both men were later put on leave and let go, however.

The government's forensics expert testified last week that @Stake investigators analyzed the machines used by both Richards and Robertson. The @Stake report showed that nothing suspicious was found on Robertson's computer but a few strings of code associated with the logic bomb were found in the swap space of Richards' computer. Swap space is where data is stored for programs running in memory.

But despite finding the two strings, @Stake investigators reported that they found no criminal evidence. "The surrounding information did not lead us to believe it existed in the system," according to the report. "It was clear they were not direct entries. Based on the evidence collected, @Stake believes it is unlikely CR and RR were directly involved in any malicious activity against UBS PaineWebber." The report also said investigators believed the strings could have gotten onto the computer's swap space if Richards had done a 'list file' command in the directory where the code was planted.

The copies made of Robertson's and Richards' computers were destroyed when @Stake was bought by Symantec Corp. in 2004 and the @Stake labs were closed down. Neither Jones nor Faulkner were able to analyze the data off those machines.

''I'd like to look for anything that connects them to designing and building the logic bomb,'' said Faulkner. ''Since @Stake already investigated him, that makes it of more interest.''

Faulkner also said he doesn't believe the strings of malicious code got into the swap space because of a list file command because that kind of command is answered immediately. Information generally is moved into swap space when it's waiting to be accessed and the computer basically cleans out any inactive programs to make more room for the applications that are running.

''I can't say what was the correct answer,'' said Faulkner, adding that saying what did happen would be making an assumption.

The trial continues Thursday morning when Faulkner is scheduled to again take the stand.