UBS Trial: Defense Suggests Witness Altered Evidence

Despite being accused of altering evidence, forensics specialist Keith Jones stood firmly by his earlier testimony that whoever brought down the UBS PaineWebber network had to do so from inside Roger Duronio's home. Duronio is the systems admin on trial for the attack.

Adams asked whether Jones' backup process changed the data.

"It changed the last access date," said Jones. "It could have changed other data, as well," Adams suggested.

"No, it was just the last access that changed and that didn't factor into the investigation," Jones responded.

But later on in his questioning, when Adams was talking about the different versions of the malicious code that Jones analyzed, Adams went back to the last access date issue.

"Isn't it possible that the difference between the versions is caused by the data being altered… accidentally or intentionally?" he asked. Jones again explained that nothing but the last access date was changed and it did not affect the investigation.

Then Adams asked the forensics examiner why he compared the logic flows of different pieces of code during his analysis when he was also using MD5 hashes, which is akin to looking for a program's digital fingerprint.

"Isn't it a fact, sir, that the reason you used the logic flow analysis was to fill in the gaps when you didn't get the analysis you wanted?" asked Adams.

"That's not correct," Jones said. "I use logic flow so I can compare two things that are not equal. Source code and binary code are not equal."

Later in the morning, Adams tried to get Jones to say that whoever built and planted the code on the UBS network could have done it from outside of Duronio's home. Jones had testified earlier that IP address records and VPN gateway records led a direct trail from Duronio's home to the servers where the logic bomb was created or modified.

"Access to Mr. Duronio's home would not be required to put this on UBS?" Adams asked. Access to Duronio's home would be required, Jones responded.

"If I had the VPN software, if I knew the network architecture, the security architecture, and I was knowledgeable in Unix and I had access to UBS, I could do this?" Adams asked.

"Not in this case," Jones said.

"If I had these points but no access to his home, I could do this," Adams tried again.

"Unless Mr. Duronio invited you into his house on Christmas night, you could not," Jones countered. Even when Adams told Jones to "put aside the evidence" and decide if it could be done, the forensics investigator said it could not be done without "leaving a trace."