Montgomery v eTreppid # 199 | Declaration of Jonathan Karchmer


  • 8/20/2019 Montgomery v eTreppid # 199 | Declaration of Jonathan Karchmer


    J. Stephen Peek, Esq. (NV Bar #1758)

    Jerry M. Snyder, Esq. (NV Bar #6830)

    Hale Lane Peek Dennison and Howard

    5441 Kietzke Lane, Second Floor

    Reno, NV 89511

    Tel: (775) 327-3000

    Fax: (775) 786-6179

    Reid H. Weingarten (D.C. Bar #365893) (Admitted Pro Hac Vice June 15, 2007)

    Brian M. Heberlig (D.C. Bar #455381) (Admitted Pro Hac Vice June 15, 2007)

    Robert A. Ayers (D.C. Bar #488284) (Admitted Pro Hac Vice June 15, 2007)

    Steptoe & Johnson LLP

    1330 Connecticut Avenue, N.W.

    Washington, D.C. 20036-1795

    (202) 429-3000

    Attorneys for Plaintiff and Cross-Defendant eTreppid Technologies, L.L.C. and Cross-Defendant Warren Trepp

    UNITED STATES DISTRICT COURT

    FOR THE DISTRICT OF NEVADA

    DENNIS MONTGOMERY; MONTGOMERY FAMILY TRUST,

    Plaintiffs,

    vs.

    ETREPPID TECHNOLOGIES, L.L.C.; a Nevada Limited Liability Company, WARREN TREPP; DEPARTMENT OF DEFENSE of the UNITED STATES OF AMERICA; and DOES 1-10,

    Defendants

    Case No. 3:06-CV-0056-PMP-VPC

    Case No. 3:06-CV-00145-PMP-VPC

    DECLARATION OF JONATHAN KARCHMER IN SUPPORT OF DEFENDANTS ETREPPID TECHNOLOGIES, L.L.C. AND WARREN TREPP’S NOTICE OF OBJECTION TO THE PUBLIC FILING OF A FABRICATED DOCUMENT BY DENNIS MONTGOMERY

    AND ALL RELATED MATTERS.

    Pursuant to 28 U.S.C. § 1746, I, JONATHAN KARCHMER, hereby declare:

    Case 3:06-cv-00056-PMP-VPC Document 199 Filed 06/22/07 Page 1 of 9


    1.  I am over the age of eighteen. I make this declaration based upon my personal knowledge to which I could and would competently testify if called as a witness in this matter.

    2.  I am employed by LECG, LLC, an expert services provider. I am a Managing Consultant in the Electronic Discovery practice based in Century City, Los Angeles, CA. I have offered sworn testimony as an expert witness.

    3.  I am an EnCase Certified Examiner (EnCE - #15-0203-1114), a Certified Computer Examiner (CCE - #427), a GIAC Certified Forensic Analyst (GCFA - #1676), and a GIAC Certified Incident Handler (GCIH - #2981). These security and computer forensic designations acknowledge that computer examiners have successfully shown how to employ proper computer investigation methodology as well as how to properly use forensic software during computer examinations. They are recognized by both law enforcement and corporate investigation communities as a symbol of in-depth computer forensics knowledge.

    4.  Computer forensics and electronic discovery has been the focus of my career for more than 6 years. Historically, I have served as a computer forensics examiner and ediscovery litigation consultant in over 75 matters, and I have offered testimony as an expert in the area of evidence preservation, spoliation issues, documentation, and computer forensic methodologies.

    5.  LECG was engaged by eTreppid counsel to collect and analyze data including email from the offices of eTreppid in Reno, NV.

    6.  On February 16, 2007, I visited the offices of eTreppid and met with the eTreppid information technology manager, Sloan Venables. Mr. Venables explained the eTreppid network and email configuration to me. During the time period at issue in this case, when eTreppid employees accessed their email, the email was transferred from the eTreppid server to the users’ computers. Thereafter, a copy of the email was not maintained on the server. eTreppid email was not centrally managed or backed up to tape.

    7.  I collected various instances of email belonging to Warren Trepp including his current PST files, backups of his PST files created at different times, and a loose email (msg) file. A PST file is basically an email mailbox; it is a single file containing email used with the Microsoft Outlook email application. LECG subsequently visited eTreppid on February 23, March 6, and March 23, 2007 to collect other email backups and stores as they were discovered by eTreppid staff, including four hard drives located in a locked cabinet that I am advised was used principally by a former eTreppid employee, Mr. Montgomery.

    8.  I used WinRAR and/or EnCase software to perform file collection onsite at eTreppid. Both tools preserve file system metadata (information associated with an electronic file regarding dates and times of creation, delivery, receipt, modification, etc.) associated with files collected for analysis. I used EnCase and dtSearch software to analyze the email I collected.

    9.  LECG performed testing of the Outlook email program and confirmed that email messages sent in the past could be altered and edited at the will of anyone with access to an individual’s email account (or PST). A user could open an existing message, add or remove content, and then print a hard copy of the altered email. However, if the email message is altered and saved, those changes are subsequently saved in the email itself as it resides in the PST mailbox file. Therefore, if an email message dated September 25, 2003 was later altered and saved in January 2006, for example, analysis of the PST file containing that email would show discrepancies between the “Sent” (identified by EnCase as “Last Written”) and “Modified” times associated with that email message. Specifically, the email’s “Last Written” date would be September 25, 2003, but its “Modified” date would be January 2006. I note that it is not necessary for one to “save” an edited email message in order to print copies of the edited email.

    10.  Counsel asked LECG to analyze all collected email files and locate a September 25, 2003 email message between Len Glogauer and Warren Trepp regarding Congressman Gibbons that purportedly included the sentence “We need to take care of him like we discussed.” I located four instances of an email between Mr. Glogauer and Mr. Trepp on September 25, 2003 regarding Mr. Gibbons in various locations, including PST files belonging to Mr. Trepp, and on one of the external hard drives located in the locked cabinet used by Mr. Montgomery. Attached to this declaration as Exhibit A is a printed copy of the email as I found it. (All four instances of the email message are the same.)

    11.  The content of all four instances of the September 25, 2003 Len Glogauer email located at the eTreppid facility were identical, and included an email chain consisting of three messages preceding the message Len Glogauer forwarded to Warren Trepp at 9:35 a.m.

    12.  Analysis of the email I collected showed that all instances of the September 25, 2003 Len Glogauer email did not include the sentence “We need to take care of him like we discussed.” In addition, I analyzed all instances of the email to determine whether that sentence was added or removed.

    13.  The EnCase forensic software is able to analyze metadata in Outlook email messages, known as “property tags.” The EnCase forensic software identifies metadata in Outlook email messages and displays them as follows: (a) “File Created” identifies the date/time an email was first received and saved into a PST mailbox file by the recipient; (b) “Last Written” identifies the date/time an email was sent by the author; and (c) “Entry Modified” identifies the date/time an email was last modified or changed by the recipient. Generally, the “File Created” date/time will match the “Entry Modified” date/time for all email messages, unless a user edits or modifies an existing email after receiving it, in which case the “Entry Modified” date/time will reflect the subsequent date/time when the modification occurred. See Exhibit B.

    14.  For example, if an email message was sent and received in 2003, but subsequently altered (and saved) in 2006, embedded metadata within the PST file would indicate an “Entry Modified” date/time in 2006, while the “File Created” and “Last Written” dates/times would remain in 2003. (See Exhibit B for an example of a modified Outlook email message and the resulting change to the email metadata).

    15.  When I examined the eTreppid PST files using EnCase forensic software, the “Last Written” and “Entry Modified” dates/times associated with the September 25, 2003 Glogauer email were consistent with the email having been sent by the author on September 25, 2003 at 9:35 AM (“Last Written” date/time), and received by the recipient on September 25, 2003 at 9:42 AM (“File Created” / “Entry Modified” dates/times). None of the four instances of the September 25, 2003 email message that I examined contained any discrepancy between the “File Created” date/time and the “Entry Modified” date/time. This indicates conclusively that the September 25, 2003 email message was not modified by the recipient after it was received.

    16.  At the eTreppid offices, during the relevant time period, the email server was configured to act as temporary mail storage. In other words, when email was sent to employees, the messages physically resided on the email server until the recipient opened their Outlook application, and synchronized with the server and/or initiated the “Send/Receive” process. At this time, new email messages transferred from the server down to the user’s desktop/laptop where the PST was physically stored. (Send/Receive can be configured to run periodically while Outlook is open, or users can initiate this manually at any time.) The PST then stamped the incoming email message with certain dates/time as appropriate.

    17.  Exhibit C to this affidavit explains in detail the process by which email messages have certain embedded dates/times assigned to them, and describes why all four instances of the September 25, 2003 email found onsite at eTreppid show: (a) the emails did not include the “We need to take care of him . . .” sentence, and (b) the emails were never altered or modified after they were received, indicating that it is not possible that anyone deleted the sentence “We need to take care of him . . .” from the original email. Specifically, when an email message is saved into a PST, Microsoft Outlook will assign various “property tags” to the email, including a “PR_CREATION_TIME” tag which, for an email recipient, is the date/time the email is first received and saved to the PST, as well as a “PR_LAST_MODIFICATION_TIME” tag, which records the last time the email message was altered/modified in any way. When this metadata is viewed using the EnCase forensic software, the “PR_CREATION_TIME” tag is reflected as “File Created” and the “PR_LAST_MODIFICATION_TIME” tag is reflected as “Entry Modified.” For all four of the eTreppid PST files containing the September 25, 2003 email message, the “File Created” and “Entry Modified” dates/times are identical, and all read as September 25, 2003 at 09:42:52 AM. Were the message to have been altered by someone, the email’s “Entry Modified” date/time would differ from (i.e. be later than) its “File Created” date/time (See Exhibits B, C). Instead, all four instances of the September 25, 2003 email at eTreppid have identical “File Created” and “Entry Modified” dates/times (down to the second).

    18.  Based on the foregoing analysis, it is my expert opinion that the original email, as sent from Mr. Glogauer to Mr. Trepp on September 25, 2003, did not contain the sentence “We need to take care of him like we discussed.”

    19.  I am informed and believe that a “txt” file was submitted to the Court by Mr. Dennis Montgomery on June 12, 2006 as a “true and accurate” copy of the September 25, 2003 Len Glogauer email. This “txt” document is not a verifiable or accurate copy of the original email as I found it in several locations in the eTreppid facility.

    20.  The document submitted by Mr. Montgomery is a text or “TXT” file (a basic word processing document), which can be easily manipulated or altered. A TXT file is not the original format of an email message sent/received using Outlook. The file submitted to the court was created with a Windows program called Notepad (a basic text editor program included with all versions of Windows). When they are printed, text files created with Notepad will include the file title at the top of the printed page, and also include “Page X” at the bottom, where “X” corresponds to the page number. These marks are consistent with the file submitted by Mr. Montgomery.

    21.  Further, the absence of the preceding email chain found in the original versions of the email and the inclusion of the sentence “We need to take care of him like we discussed” indicates that the document submitted to the Court by Mr. Montgomery is an altered version of the email as it existed when Len Glogauer sent to Mr. Trepp on September 25, 2003.

    22.  To illustrate the ease with which an “email” like the example Mr. Montgomery provided to the Court can be created, on June 14, 2007, I used Notepad to create a nearly identical TXT file that appears to be an email message. I created a text file with the same filename as Mr. Montgomery’s document. I added “This sentence was added by LECG on 6/14/2007” to the email body. This example is included with this affidavit as Exhibit D. Note: LECG does not have access to the electronic TXT file Mr. Montgomery created/provided; Exhibit D to this affidavit was created entirely by me with the use of Notepad.

    23.  As illustrated in Exhibits B and D to this affidavit, it is not possible to verify authenticity of email through examination of hard copy printouts. Forensic examination of the original email store (PST) is required.

    24.  It is my belief that a forensic analysis of a PST file in Mr. Montgomery’s possession, if it exists, with the email Mr. Montgomery provided to the Court, would reveal that the email therein either (a) does not contain the sentence “We need to take care of him like we discussed,” or (b) is in fact a subsequently altered version of the original September 25, 2003 Len Glogauer email.

    Pursuant to the provisions of 28 U.S.C. § 1746, I declare under penalty of perjury that the

    foregoing is true and correct.

    Executed this ____ day of June, 2007 at Irvine, California.

    /s/JONATHAN KARCHMER


    PROOF OF SERVICE

    I, Gaylene Silva, declare:

    I am employed in the City of Reno, County of Washoe, State of Nevada, by the law office of Hale Lane Peek Dennison and Howard. My business address is: 5441 Kietzke Lane, Second Floor, Reno, Nevada 89511. I am over the age of 18 years and not a party to this action.

    I am readily familiar with Hale Lane Peek Dennison and Howard’s practice for collection of mail, delivery of its hand-deliveries and their process of faxes.

    On June 22, 2007, I caused the foregoing DECLARATION OF JONATHAN KARCHMER IN SUPPORT OF DEFENDANTS ETREPPID TECHNOLOGIES, L.L.C. AND WARREN TREPP’S NOTICE OF OBJECTION TO THE PUBLIC FILING OF A FABRICATED DOCUMENT BY DENNIS MONTGOMERY to be:

    _X___ filed the document electronically with the U.S. District Court and therefore the court’s computer system has electronically delivered a copy of the foregoing document to the following person(s) at the following e-mail addresses:

    Fax No. 786-5044

    Email [email protected]

    Ronald J. Logar, Esq.

    Eric A. Pulver, Esq.

    The Law Offices of Logar & Pulver

    225 S. Arlington Avenue, Suite A

    Reno, NV 89501

    Fax No. 858-759-0711

    Email mailto:[email protected] mailto:[email protected] J. Flynn, Esq.

    P.O. Box 6906125 El Tordo

    Rancho Santa Fe, CA 90267

    Fax No. 202/616-8470

    [email protected] P. Wells, Esq.

    Senior Trial Counsel

    Federal Programs Branch

    Civil Division – Room 7150

    U.S. Department of Justice

    20 Massachusetts Ave., NW

    P.O. Box 883

    Washington, DC 20044

    Fax No. 784-5181

    [email protected] Addington

    Assistant U.S. Attorney

    100 W. Liberty Street, Suite 600

    Reno, NV 89501

    I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct, and that this declaration was executed on June 22, 2007.

    ____/s/__________________

    Gaylene Silva


    Case 3:06-cv-00056-PMP-VPC Document 199-2 Filed 06/22/07 Page 1 of 3

    Ex A

    User

    From: LEN [[email protected]]

    Sent: Thursday, September 25, 2003 9:35 AM

    To: WARREN

    Subject: FW: Congressman gibbons discussion with AF

    For your information.... It looks like Jim has "hit the ground running" on this one

    Len

    ----Original Message----

    From: Madura, Kenneth [mailto:[email protected]]

    Sent: Thursday, September 25, 2003 9:32 AM

    To: LEN

    Subject: Congressman gibbons discussion with AF

    Mr. Glogauer

    This morning, the Congressman had breakfast with the Vice Chief of Staff of the Air Force, Gen Moseley, and he brought up the eTreppid technology. Mr. Gibbons believes that this would be another good opportunity to demonstrate the technology to the AF at even a higher level. Along with the data compression, the database matching was extremely enticing for the AF.

    I will give the information the Congressman gave us to the Air Force, and I hope that you can make a demonstration to General Moseley soon.

    Please let me know if you have any questions.

    Ken Madura

    Legislative Assistant

    Office of Congressman Jim Gibbons (NV-02)

    Voice: (202) 225-6155 Fax: (202) 225-5679

    Kenneth,madurn@maiLhPu_se,gol

    ----Original Message-----

    From: LEN [mailto:[email protected]]

    Sent: Wednesday, September 24, 2003 1:07 PM

    To: Gibbons, Jim

    Subject: Thanks

    Jim,

    Thanks for the e-mail. Thanks for giving us the time Sunday to provide you with an overview of this critical technology. And, it was great being able to catch up with you and Dawn on a personal basis. I know that Nanci is enjoying working with Dawn on her current efforts. I think we can help and we want to be a part of your continued success.

    You can tell Dan that I will be his contact here at eTreppid. And anytime you can schedule a visit to our site we can put on a real demo for you that is nothing short of amazing

    We are looking forward to showing what can be done with this advanced technology to the right people. Dr. Rice would present a great opportunity to get things moving quickly. The sooner we can get this technology deployed, the sooner we can achieve the goal General Lambert put so eloquently: "I want to win the War." It is a good plan and eTreppid's capabilities can help achieve that goal.

    6/19/2007

    On the military side of things, I am compiling some key, very telling, information on the Army's Bandwidth Bottleneck. A 66 page report was just released that shows the costs required to eliminate or at least decrease the bottleneck by the year 2010. Costs somewhere in the neighborhood of 10 Billion. With eTreppid Compression, we can significantly reduce that cost, lower the budget and potentially cut the projected time-line in half. Not a bad formula ... Spend less money and get it done sooner What a concept... I will send our findings and recommendations directly to you first.

    Thanks again for your time.

    Best Regards,

    Len

    Lennard D. Glogauer

    VP • Industry Applications & Business Development

    eTreppid Technologies, LLC

    755 Trademark Drive

    Reno, NV 89521

    [email protected]

    Tel: (775) 337-6771

    Fax: (775) 337-1877

    -----Original Message----

    From: Gibbons, Jim [mailto:[email protected]]

    Sent: Wednesday, September 24, 2003 5:25 AM

    To: LEN

    Subject: e-mail address

    Len,

    Indeed, both Dawn and I enjoyed ourselves at Primm's last Sunday, and seeing you and Nanci there was especially nice. I have asked Maj. Dan Waters, a Fellow assigned to my staff, to contact the National Security Agency office (Dr. Rice) in an effort to set up a meeting for you and the agency. From a personal point, let me add that I was greatly impressed by the demonstration you presented to me. No doubt, the Agency will be just as impressed.

    Dawn has given you the correct e-mail address for me here in DC. That e-mail address is a direct link to my desk and does not go through anyone else.

    Thanks again for your help and support, but most importantly, thanks for your friendship.

    Jim Gibbons


    EXHIBIT B: Outlook Modification Example

    These screen captures are taken from EnCase forensic software. EnCase software was used to examine a sample Outlook PST file to illustrate normal dates/times associated with email messages and compare it to an instance where an existing Outlook email is edited/modified to include/exclude text that did not exist in the original message.

    Outlook emails contain embedded “property tags” or descriptive information items. Some of these tags include date/time information, such as when a particular email message was sent or received (see Exhibit C for detailed explanation of these tags).

    EnCase forensic software identifies major Outlook property tags and displays them as follows:

    • EnCase “File Created” column identifies the date/time the email was first created and saved into the PST mailbox file.

    • EnCase “Last Written” column displays the date/time the email was sent.

    • EnCase “Entry Modified” column displays the date/time the email was last modified/changed.

    Generally, the “Entry Modified” date/time will match the “File Created” date/time for all email messages. If, however, a user changes an existing email (adds/removes word(s), etc.), and then saves the edited email message, the “Entry Modified” date/time will reflect when the modification occurred. If this were to occur, the “Entry Modified” date/time would post-date the “File Created” date/time.

    Case 3:06-cv-00056-PMP-VPC Document 199-3 Filed 06/22/07 Page 1 of 3


    Standard Email

    In the screenshot below, EnCase software is being used to examine a sample PST file. An email message from the PST can be seen with subject “Thank you from the CEO of Network Solutions”. The email was sent on January 4, 2005 at 7:47:28 AM (Last Written). It was received (physically saved into the PST file) at 9:27:53 AM on the same day (File Created/Entry Modified). Note that the “Entry Modified” date/time is identical to the “File Created” date/time. These property tags / dates exhibit standard behavior normally seen in PST files.

    Below is the email message as it normally appears to the recipient. (Recipient name has been redacted in this example.)

    To illustrate what an examiner would find if an email message was edited/modified, the above email message was edited by LECG on June 20, 2007 at 10:29 AM. The results of this modification are in the “Modified Email” section below, and can be compared to the “Standard Email” section.


    Modified Email

    In the screenshot below, EnCase software is being used to examine the same sample PST file used in the previous section “Standard Email”. The email message with subject “Thank you from the CEO of Network Solutions” was modified by LECG to include text it did not originally contain. Note how the “Entry Modified” date/time no longer matches the “File Created” date/time. Instead, it reflects the date/time that the email was modified (June 20, 2007 10:29:32 AM).

    Below is the edited email message as it would appear with changes. (Recipient name has been redacted in this example.) Note the sentence that was inserted, circled in red.


    EXHIBIT C – Tests of Microsoft Exchange/Outlook - Results from Trepp PST files:

    Part 1 – Introduction to Microsoft Messaging Properties

    According to the Microsoft Developer Network (http://msdn2.microsoft.com), a MAPI [1] (Messaging Application Program Interface) Property is a component of the overall Microsoft email messaging construct. The Microsoft Outlook PST File consists of many properties [2] which are defined as “tags”, “identifiers”, and “types” associated with email message objects:

    Property Tags are used to identify MAPI properties and every (MAPI) property must have one. There are two parts to every property tag: a PR_ prefix and one or more character strings that describe the contents of the property. Multiple character strings are separated by underscores. For example, the property tag for the address type of a message recipient is PR_ADDRTYPE and the entry identifier for the folder designated to receive a copy of every outbound message is PR_IPM_SENTMAIL_ENTRYID. [3]

    Some of these MAPI Property Tags are identified by EnCase forensic software and are displayed in columns corresponding to date/time values. For example:

    PR_SUBJECT:

    • subject line of email, displayed in EnCase as “File Name”

    PR_CREATION_TIME:

    • For SENDER: when the email is first drafted

    • For RECIPIENT: when email is received into PST file

    • Displayed in EnCase as “File Created”

    PR_MESSAGE_DELIVERY_TIME:

    • when email is sent / delivered, displayed in EnCase as “Last Written” date/time

    PR_LAST_MODIFICATION_TIME:

    • Date/Time that email was last changed

    • Will mirror PR_CREATION_TIME unless email is altered after being sent

    • Displayed in EnCase as “Entry Modified”

    These Property (“PR”) date/time values are 64-bit / 8-byte Windows encoded dates represented in hexadecimal, i.e.: “30 38 17 74 13 B2 C7 01”. This value, for example, decodes to “June 18, 2007, 6:45:02 PM”.

    [1] MAPI is a messaging architecture that enables multiple applications to interact with multiple messaging systems seamlessly across a variety of hardware platforms. (Source: http://msdn2.microsoft.com/en-us/library/ms527628.aspx - Section: “MAPI Concepts and Architecture”)

    [2] “A property is an attribute of a MAPI object. Properties describe something about the object, such as the subject line of a message or the address type of a messaging user. MAPI defines many properties, some to describe many objects and some that are appropriate only for an object of a particular type. Clients and service providers can extend MAPI's set of predefined properties by creating new, custom properties. Clients can define properties to describe new message classes, and service providers can define properties to expose the unique features of their messaging system.” (Source: http://msdn2.microsoft.com/en-us/library/ms528634.aspx - Section: “MAPI Properties”)

    [3] (Source: http://msdn2.microsoft.com/en-us/library/ms531530.aspx - Section: “About Property Tags”)

    Case 3:06-cv-00056-PMP-VPC Document 199-4 Filed 06/22/07 Page 1 of 7


    For validation, the decoder above can be downloaded for free at:

    http://www.digital-detective.co.uk/freetools/decode.asp.

    Times in this report are GMT -8 (Pacific).

    Outlook Testing

    To confirm EnCase software’s interpretation of Outlook MAPI properties, I used a testing environment similar to the eTreppid email environment which included Microsoft Windows Server 2000, Microsoft Exchange 2000, and Microsoft Outlook 2003.

    I created a virtual Windows network environment with Exchange as the email server application. I created 2 user accounts, called USER1 and USER2. In this example, USER1 is the email sender, and USER2 is the email recipient.

    On June 18, 2007 at 6:44 PM, I acted as USER1 and opened that user’s Outlook profile. At 6:45 PM, I drafted a new email message to USER2. The subject line of the email was “new msg opened 6:45 PM”. The email message was submitted for delivery (Sent) at 6:46 PM.

    Later on June 18 at 7:50 PM, I acted as USER2 and opened that user’s Outlook profile. I prompted Outlook to “Send/Receive” new email messages that may be waiting. The email message from USER1 was delivered into USER2’s PST file at 7:50 PM.

    Below are the results of this test. PST mailbox files from USER1 and USER2 as displayed in EnCase forensic software are shown.


    Outlook Testing – USER1 (Sender) PST

    EnCase screen shot – The USER1 PST file shows the email message first drafted at

    6:45:02. “File Created” matches “Entry Modified”⁴.

    PR_CREATION_TIME: 30 38 17 74 13 B2 C7 01.

    This is decoded as June 18, 2007, 6:45:02 PM.

    PR_MESSAGE_DELIVERY_TIME: 00 BC 5A 96 13 B2 C7 01.

    This is decoded as June 18, 2007, 6:46:00 PM.

    PR_LAST_MODIFICATION_TIME: 30 38 17 74 13 B2 C7 01.

    This is decoded as June 18, 6:45:02 PM.

    4  Note: some of the EnCase screenshots appear to include two line items for a single email message. This is due to EnCase

    identifying the email “class” object and the email body as two separate items.


    Outlook Testing – USER2 (Recipient) PST

    EnCase screen shot. “File Created / PR_CREATION_TIME” and “Entry Modified / PR_LAST_MODIFICATION_TIME” are identical. This shows the message was not altered after being received at 7:50 PM on June 18, 2007.

    PR_MESSAGE_DELIVERY_TIME: 80 7F 24 98 13 B2 C7 01.

    This is decoded as June 18, 2007, 6:46:03 PM.

    The email was received by Exchange Server at 6:46:03 PM (three seconds after USER1

    sent the email), but USER2 did not physically receive the message in their PST file until

    they logged in and opened Outlook at 7:50 PM.

    PR_CREATION_TIME: 00 E4 A4 98 1C B2 C7 01.

    This is decoded as June 18, 2007, 7:50:29 PM.


    PR_LAST_MODIFICATION_TIME: 00 E4 A4 98 1C B2 C7 01.

    This is decoded as June 18, 7:50:29 PM.

    TESTING SUMMARY

    These results show that when an email recipient’s PST file is examined with EnCase, an email message he or she received will show a “File Created” and an “Entry Modified” date consistent with when the message was first received and stored in the PST (6/18/07 7:50:29 PM). The “Last Written” date is when the email was submitted for delivery by the author of the email (about an hour earlier at 6:46 PM).

    If an email message was altered and saved after having been received, EnCase would

    show an “Entry Modified (PR_LAST_MODIFICATION_TIME)” date that post-dates the

    “File Created (PR_CREATION_TIME)” date associated with the email (see Exhibit B

    for example of a purposely modified email).
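The decoding and the “Entry Modified” versus “File Created” comparison described above can be reproduced independently of EnCase. The following is an added example, not part of the original exhibit: it decodes the 8-byte values quoted in the test results and applies the comparison. The function names are hypothetical, the last record is a constructed sample, and the display offset assumes Pacific Daylight Time (UTC-7), which was in effect on June 18, 2007.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumption: Pacific Daylight Time (UTC-7) was in effect for the June 18, 2007 test.
PDT = timezone(timedelta(hours=-7), "PDT")


def decode_filetime(hex_bytes, tz=timezone.utc):
    """Decode 8 little-endian bytes (as shown in a hex viewer) to a datetime."""
    raw = bytes.fromhex(hex_bytes)
    if len(raw) != 8:
        raise ValueError("a FILETIME value is exactly 8 bytes")
    ticks = int.from_bytes(raw, "little")  # 100 ns intervals since 1601-01-01 UTC
    return (FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).astimezone(tz)


def modified_after_creation(props):
    """True when PR_LAST_MODIFICATION_TIME post-dates PR_CREATION_TIME."""
    created = decode_filetime(props["PR_CREATION_TIME"])
    modified = decode_filetime(props["PR_LAST_MODIFICATION_TIME"])
    return modified > created


def summarize(props, tz=PDT):
    """Return {tag: 'YYYY-MM-DD HH:MM:SS'} in the given zone, for side-by-side review."""
    return {tag: decode_filetime(value, tz).strftime("%Y-%m-%d %H:%M:%S")
            for tag, value in props.items()}


# Values copied from the USER1 (sender) and USER2 (recipient) test results above.
USER1_SENDER = {
    "PR_CREATION_TIME": "30 38 17 74 13 B2 C7 01",
    "PR_MESSAGE_DELIVERY_TIME": "00 BC 5A 96 13 B2 C7 01",
    "PR_LAST_MODIFICATION_TIME": "30 38 17 74 13 B2 C7 01",
}
USER2_RECIPIENT = {
    "PR_CREATION_TIME": "00 E4 A4 98 1C B2 C7 01",
    "PR_MESSAGE_DELIVERY_TIME": "80 7F 24 98 13 B2 C7 01",
    "PR_LAST_MODIFICATION_TIME": "00 E4 A4 98 1C B2 C7 01",
}
# Constructed sample (not from the report): USER2's record with a later modification time.
CONSTRUCTED_ALTERED = dict(USER2_RECIPIENT,
                           PR_LAST_MODIFICATION_TIME="00 E4 A4 98 1D B2 C7 01")

if __name__ == "__main__":
    for name, props in [("USER1", USER1_SENDER), ("USER2", USER2_RECIPIENT),
                        ("constructed", CONSTRUCTED_ALTERED)]:
        print(name, summarize(props), "modified after creation:",
              modified_after_creation(props))
```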


    Result Summary / W. Trepp PST Comparison

    As Mr. Trepp was the Recipient of the September 25, 2003 email, his PST files should exhibit the same date/time characteristics as USER2 above. Per the screenshots below for each of the PST files containing the September 25, 2003 email, one can see that the email message was NOT altered subsequent to it being received because the “File Created” date/time matches exactly the “Entry Modified” date/time:

    PST A0001 – TreppPST_010606

    PST A0003 – WarrenEmail_020806

    PST A0004_Trepp_PSTs_021606

    PST A0010_WarrenEmail_010606


    All of the above “PR” tags associated with the September 25, 2003 email messages’ receipt are: E0 EF 39 10 84 83 C3 01.

    This decodes to 9/25/03 9:42:52.


    Case 3:06-cv-00056-PMP-VPC Document 199-5 Filed 06/22/07 Page 1 of 2

    Ex D


    2003.09.25.GibbonsFavors.txt

    Message

    From: LEN [[email protected]]

    sent: Thursday, September 25, 2003 9:35 AM

    To: WARREN

    subject: FW congressman giibons discussion with AF

    For your information one

    It looks like Jim has hit the ground running'' on this

    This sentence was added by LECG on 6/14/2007.

    Len