Bryan Pringle v. William Adams Jr et al
Filing
193
DECLARATION of David T. Gallant in Opposition to MOTION for Summary Judgment 159 filed by Plaintiff Bryan Pringle. (Attachments: # 1 Exhibit 1, # 2 Exhibit 2)(Holley, Colin)
EXHIBIT 1
Roughrider Professional Building
8209 Roughrider Dr., Suite 200
Windcrest, TX 78239
T (210) 271-2999
F (888) 511-7894
www.WhatsOnTheComputer.com
Tax ID: 26-4329342
August 6, 2011
Ira Gould, Esq.
120 North Lasalle Street, Suite 2750
Chicago, IL 60602
(312) 781-0680
GCIS Case Number: 201012701 - Bryan Pringle
Dear Mr. Gould,
1. Background: I am president of Gallant Computer Investigative Services (GCIS), LLC. GCIS is
licensed as a Private Investigations Company by the Texas Private Security Bureau (A15633). I have
over 23 years investigative experience, including over 15 years dedicated primarily to computer related
crimes and computer forensics. I served as a federal agent in the US Air Force with the Air Force Office of Special Investigations (AFOSI) for almost 15 years, and was the case agent on numerous significant investigations and provided computer forensics support and/or consultation to hundreds of investigations. Following my retirement from the Air Force in 2001, I entered the corporate computer
forensics/computer security industry with a startup company, and helped build it into an internationally
recognized leader in computer forensics, incident response, and incident response training. I am an
AccessData Certified Instructor and AccessData Certified Examiner, as well as a contract instructor for
AccessData Corp., for whom I teach an introductory computer forensics course to both law enforcement and corporate investigators. I have trained hundreds of federal, state and local law enforcement
officials, as well as IT security personnel in the proper methodology for securing and analyzing computer evidence. I am a Certified Information Systems Security Professional (CISSP), an internationally recognized computer security certification. I am a contract instructor for New Horizons Computer
Learning Center, where I teach CISSP preparatory courses to IT security personnel. I have multiple
computer forensics certifications and have published numerous articles on computer forensics, e-discovery, and other computer security-related matters. Specific information regarding my qualifications is contained in my CV, a copy of which is attached to this report.
2. Support Requested: I was retained by the Gould Law Group on May 7, 2010, as a computer forensics expert, to analyze a CD-ROM that contained the creation file of the derivative version of Bryan
Pringle’s song, “Take a Dive,” to determine the date(s) the file(s) were created, as well as the date the
CD-ROM was created (burned).
Confidential: This document is intended for the use of the intended recipient(s) only and may contain information that is
confidential, privileged or legally protected. Any unauthorized use or dissemination of this communication
is strictly prohibited.
3. On December 21, 2010, Mr. Pringle personally delivered to me one CD-ROM for analysis. The disc
was a white Verbatim brand, and the serial number was 9E24F221861. It was hand marked, “PROMO
PHOTOS/ 1999 ENSONIQ.NRG FILES.” (A copy of the disk’s label is appended to this report). Mr.
Pringle informed me he was the person who labeled the disk. I initialed, dated, and initiated chain of
custody on the evidence (Tag 2).
A. Mr. Pringle stated he created the music files contained on Tag 2 in 1999 using an ASR-10 keyboard
and saved the files to an external SCSI 1 hard drive. He then took the SCSI hard drive and connected it
to a Windows computer (he believed a Windows 98 system) and used Ensoniq Disk Manager (EDM)
software to create the .NRG images. (Mr. Pringle stated he no longer possesses the hardware or software he used to create Tag 2 due to a burglary of his storage facility located in Abilene, TX, in October
2000, in which over $12,000 worth of equipment was stolen. Pringle provided a copy of the police
report which is attached to this report). The .NRG image files not only contained the various parts to
the music, but also contained the operating system files needed to boot the ASR-10 keyboard. These
images appear to be Nero Image files (.NRG) (based solely on the file extension “NRG”). Mr. Pringle
explained he used Nero to extract the image files to create a new CD-ROM to boot the ASR-10.
B. I copied the file, “DISK05.NRG” to the desktop of a forensic computer running Windows XP Pro
(64 bit), and burned this file as an image to a new CD-ROM using Nero Burning ROM Ver 6.6.0.3. I
initiated chain of custody on this newly burned CD-ROM (Tag 3). Mr. Pringle then took this CD-ROM, and under my direct observation, booted an Ensoniq ASR-10 keyboard that had an external CD-ROM drive attached. He demonstrated how the keyboard works, and played for me his song, “Take a
Dive” from the ASR-10 keyboard. After the demonstration, I maintained control and custody of this
CD-ROM.
4. On January 3, 2011, I created a forensic copy of both CD-ROMs (Tags 2 and 3) using Forensic
Toolkit Imager, Version 3.0.0.1443, and processed them with FTK Version 3.2.0.32216 (License number: 1-1205090). The CD’s (Tag 2) volume name was “990909_0118.” This appears to be the default
disk name that is used by most CD writing software. It typically corresponds to the date and time the
CD is created. In this case, that would mean Sept 9, 1999 at 1:18.
A. Forensic analysis of Tag 2 determined there were two “sessions” written to the disk. This means
that groups of files were saved to the disk on two different occasions. Session one contained one directory named “promo photos” which contained 134 digital photographs. These files were all dated 9-8-1999. The second session contained four files present as follows: “DISK02.NRG,” “DISK03.NRG,” “DISK04.NRG,” and “DISK05.NRG.” These files were all dated 8-22-1999. There was also a directory named “promo photos.” Cursory analysis of metadata associated with each of the 134 images contained in the “promo photo” directory disclosed the images were all taken 09-08-1999 with an Olympus C900Z/D400Z digital camera. According to the Olympus website (http://www.olympus-global.com/en/corc/history/camera/popup/digital_c900z_movie.cfm), this camera was released in 1998.
1 Small Computer Serial Interface. Computer technology that permits the “daisy chaining” of external computer hardware such as hard drives, CD-ROM drives, etc.
B. The file named “DISK05.NRG,” which, according to Mr. Pringle, is the creation file containing the
derivative version of Pringle’s song “Take a Dive,” has a creation date of 8-22-1999, with a last modified time of 12:54 p.m.
C. I also examined the original CD-ROM (Tag 2) with a utility called NeroInfoTool, which determined that the content of this particular CD-ROM was created on “9 September 1999” (i.e. the CD-ROM was burned September 9, 1999). This corresponds to the CD volume name described above.
NeroInfoTool is a free “non-forensic” application that identifies when a CD-ROM was burned, as well
as other information concerning the computer’s CD-ROM drives.
D. As stated, there were only two sessions written to this disk, with the last session written on September 9, 1999. Due to this fact, no additional data was added to the CD-ROM, and thus none of the
existing files on the CD-ROM, including “DISK05.NRG” were modified after September 9, 1999.
This means that the guitar twang sequence existed in the original “DISK05.NRG” file and could not
possibly have been added to the file contained on the CD-ROM after September 9, 1999 (i.e. Mr.
Pringle could not have gone back and later added the guitar twang sequence to the “DISK05.NRG” file
contained on the CD-ROM, after he heard “I Gotta Feeling”).
5. On January 3, 2011, I contacted Verbatim Americas, LLC, via their customer support web page and
requested they research their records to determine the date the CD-ROM disc (Tag 2) (serial number
9E24F221861) was manufactured and sold in the United States. On March 17, 2011, Verbatim Customer Support advised by telephone, then via email, that this particular CD-ROM was manufactured in
Taiwan on February 24, 1999 and this type of CD-ROM has been out of production since late 1999.
The last shipment to a distributor was December 29, 2003. A copy of their email is appended to this
report.
6. On March 15, 2011, Mr. Pringle forwarded to me an email from Mr. Gary Giebler, Giebler Enterprises, in which Mr. Giebler informed him he (Pringle) purchased EDM on May 18, 1999. The serial
number for his copy of EDM was “3998.” A copy of his receipt is attached to this report.
7. On March 17, 2011, I purchased a copy of EDM from Giebler Enterprises and discussed with Mr.
Giebler how the software created the .NRG files. He advised he wrote the EDM program, as well as
the ASR-10 operating system. The ASR-10 operating system is not compatible with any other operating system, and it had to be booted using an EDM created disk. The EDM files are a “proprietary”
.NRG format that are compatible with Nero for the purposes of creating a bootable CD-ROM or floppy
disk. He advised that since I was able to extract the DISK05.NRG file from Tag 2, burn a new CD-ROM with Nero that was able to boot the ASR-10 keyboard, that .NRG file could ONLY have been
created with EDM. I was able to use EDM to view the contents of the various .NRG files. When
asked if there would be dates associated with the ASR-10 operating system that might help “date” the
.NRG files, he advised there were not and that the best indicator of the original date of the files would
be the dates on the CD-ROM. He also stated there was a possibility that the licensee and license number might be located within the .NRG files. Analysis of the .NRG files to locate this information pertaining to Mr. Pringle’s license information was unsuccessful.
8. Based on the analysis of the data provided to me, August 22, 1999, at 12:54 pm was the last time
the “DISK05.NRG” file, which contains the creation file for the derivative version of “Take a Dive,”
was modified. Additionally, my analysis concludes the CD-ROM that contained this file was created
(burned) on September 9, 1999, and could not have been subsequently burned (i.e. no new material
could have been added) after that date. The totality of the information available to me supports Mr.
Pringle’s claim of creating the DISK05.NRG file and CD-ROM in 1999. The manufacturing date of the
CD-ROM itself (Feb 1999) and the date of his purchase of EDM (May 1999) along with my forensic
findings, support this conclusion. None of the data or information I reviewed supports any other conclusion or otherwise refutes the authenticity of Mr. Pringle's claim.
9. Please contact the undersigned at (210) 271-2999 or David@GallantCIS.com if you have any questions.
Sincerely yours,
David Gallant
President
GCIS, LLC
Licensed Private Investigator (TX Lic: A15633)
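The comparison described in paragraphs 4 and 4.C, matching the disc's default volume name against the creation time recorded on the disc, as an added example that is not part of the original report or the examiner's tooling. It assumes an ISO 9660 disc (the report does not name the file system); the sample image, its seconds value and GMT offset, the two-digit-year pivot and all function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

SECTOR = 2048
PVD_SECTOR = 16  # ISO 9660: volume descriptors start 16 sectors into a session

def parse_dec_datetime(field):
    """Decode a 17-byte ISO 9660 timestamp: 16 ASCII digits
    (YYYYMMDDHHMMSScc) plus a signed offset from GMT in 15-minute units."""
    digits = field[:16].decode("ascii", "replace")
    if not digits.isdigit() or int(digits) == 0:
        return None  # all zeros means "not recorded"
    offset = int.from_bytes(field[16:17], "big", signed=True)
    try:
        stamp = datetime.strptime(digits[:14], "%Y%m%d%H%M%S")
    except ValueError:
        return None  # digits present but not a valid calendar date
    return stamp.replace(microsecond=int(digits[14:]) * 10000,
                         tzinfo=timezone(timedelta(minutes=15 * offset)))

def parse_pvd(image, session_start=0):
    """Read volume identifier and creation time from the Primary Volume
    Descriptor of the session that begins at sector `session_start`."""
    off = (session_start + PVD_SECTOR) * SECTOR
    pvd = image[off:off + SECTOR]
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no primary volume descriptor found")
    return {
        "volume_id": pvd[40:72].decode("ascii", "replace").rstrip(),
        "created": parse_dec_datetime(pvd[813:830]),
    }

LABEL_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})_(\d{2})(\d{2})$")

def label_to_datetime(label):
    """Interpret a default 'YYMMDD_HHMM' volume name as a local date/time."""
    m = LABEL_RE.match(label)
    if not m:
        return None
    yy, mo, dd, hh, mi = map(int, m.groups())
    year = 1900 + yy if yy >= 70 else 2000 + yy  # assumed pivot year
    try:
        return datetime(year, mo, dd, hh, mi)
    except ValueError:
        return None

def label_matches_pvd(info, tolerance_minutes=1):
    """True when the volume name and the recorded creation time agree."""
    from_label = label_to_datetime(info["volume_id"])
    created = info["created"]
    if from_label is None or created is None:
        return False
    local = created.replace(tzinfo=None)  # label carries local time, no zone
    return abs(local - from_label) <= timedelta(minutes=tolerance_minutes)

def build_sample_image(volume_id, stamp, tz_quarters=0):
    """Constructed test input: 16 empty sectors followed by a minimal PVD."""
    pvd = bytearray(SECTOR)
    pvd[0] = 1              # descriptor type 1 = primary
    pvd[1:6] = b"CD001"     # standard identifier
    pvd[6] = 1              # descriptor version
    pvd[40:72] = volume_id.encode("ascii").ljust(32)
    pvd[813:830] = stamp.encode("ascii") + tz_quarters.to_bytes(1, "big", signed=True)
    return bytes(PVD_SECTOR * SECTOR) + bytes(pvd)

# Constructed sample: volume name from the report, seconds and offset invented.
SAMPLE_IMAGE = build_sample_image("990909_0118", "1999090901183700", -20)

if __name__ == "__main__":
    info = parse_pvd(SAMPLE_IMAGE)
    print(info["volume_id"], info["created"], label_matches_pvd(info))
```

Both values are written by the burning software from the host computer's clock, so agreement between them shows internal consistency of the disc rather than an independent time source.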
CURRICULUM VITAE
David T. Gallant (USAF Retired)
President, Gallant Computer Investigative Services, LLC
EDUCATION:
• Bachelor of Science, University of the State of New York, Albany, NY, 1995
• AA, Criminal Justice, Community College of the Air Force, 1993
TRAINING RECEIVED:
• AccessData Mobile Phone Examiner Analysis, December, 2010
• New Horizons Training for CISSP Certification, May 2009
• Acquisition Data First Responder, April 2009
• AccessData Windows Forensics (Advanced), November 2005
• AccessData Boot Camp (Intermediate), June 2005
• Advanced Forensic Toolkit - Graphics Forensics, HTCIA Annual Meeting, September 2004
• Advanced SMART Forensics, HTCIA Annual Meeting, September 2004
• National Security Agency Information Security Assessment Methodology, March 2001
• Windows NT Enterprise Technologies, San Antonio, TX, August 1998
• Windows NT System Administration, San Antonio, TX, July 1998
• AFOSI Computer Intrusion Workshop, RAFB, TX, March 1997
• UNIX System Administrators Course, February 1997
• Seized Computer & Evidence Recovery Specialist Course, Federal Law Enforcement Training Center,
February 1995
• AFOSI Basic Investigation's Academy, HQ AFOSI, December 1987
CERTIFICATIONS/CLEARANCES:
• AccessData Certified Instructor, July 2010
• Certified Information Systems Security Professional (CISSP), August 2009
• AccessData Certified Examiner (ACE), June 2009
• Certified Acquisition Specialist (CAS), Acquisition Data, April 2009
• Civil Process Server, Texas Supreme Court (SCH0000005005), April 2009
• Qualified Manager/Private Investigator, Texas Private Security Bureau, May 2008
• Current Top Secret Security Clearance, (Updated Jan 2006)
• National Security Agency, INFOSEC Assessment Methodology, March 2001
• Air Force Office of Special Investigations Computer Crime Investigator, June 2000
• Digital Evidence Analysis, AFOSI, May 1999
FEDERAL LAW ENFORCEMENT/INVESTIGATIONS EXPERIENCE:
• President, GCIS, San Antonio, TX, February 2009 - Present
• Computer Security and Forensics Specialist, e-fense Inc, San Antonio, TX, January 2001 - February 2009
• Branch Chief, Computer Crime Investigation, AFOSI Detachment 401, August 1998 - January 2001
• Computer Crime Investigator, AFOSI Detachment 401, Randolph AFB, TX, August 1997 – August 1998
• Computer Crime Investigative Liaison to AFIWC/AFCERT, Kelly AFB, TX, April 1997 – August 1997
• Computer Crime Investigator, AFOSI Detachment 401, Randolph AFB, TX, June 1996 – March 1997
• Criminal Investigator, AFOSI Detachment 623, Misawa AB, Japan, August 1993 – June 1996
• Criminal Investigator, AFOSI Detachment 523, Izmir AB, Turkey, July 1991 – July 1993
• Criminal Investigator, AFOSI Detachment 430, Pease AFB, NH, August 1987 – June 1990
EXPERT WITNESS QUALIFICATIONS:
• Qualified as a Computer Forensics Expert, U.S. v. Sean Block, Western District of Texas, May 2009
• Qualified as a Computer Forensics Expert, U.S. v. Mackey, Brooks AFB, TX, December 2000
EXPERT CONSULTATION/TESTIMONY:
Date | Name | Type
October 2010 | State of Texas v. Paul Lamarre | Defense Computer Forensics Consultant
August 2009 | United States v. Greg Maggio | Defense Expert Witness
August 2009 | United States v. Jeremy Parten | Defense Expert Witness
May 2009 | United States v. Sean Block | Defense Expert Witness
March 2009 | United States v. Tami Escher | Appointed Defense Computer Forensic Consultant
March 2009 | State of Texas v. Rick Carden | Defense Expert Witness
March 2008 | Steves & Sons v. Trinity Glass | Expert Witness Deposition
March 2008 | Johnson v. Centerpoint Inc., et. al. | Arkansas Public Utility Commission, Little Rock, AR
October 2006 | United States v. Nieland | Appointed Defense Computer Forensic Consultant
August 2005 | United States v. Miller | Appointed Defense Computer Forensic Consultant
October 2003 | United States v. Bresnahan | Appointed Defense Computer Forensic Consultant
December 2000 | United States v. Mackey | Prosecution Expert Witness
LECTURES/TRAINING I HAVE PROVIDED:
Date:
Organization/Course:
Mar 2011
New Horizons Computer Learning Center CISSP Prep Course
San Angelo, TX
Feb 2011
New Horizons Computer Learning Center CISSP Prep Course
San Angelo, TX
Feb 2011
Texas Bar Association Certified MCLE - Computer Forensics in Criminal Defense Cases
Windcrest, TX
Jan 2011
Texas Bar Association Certified MCLE - Electronic Discovery and Computer Forensics
Windcrest, TX
Nov 2010
A Prioritized Response to Compromised Computer
IEEE Computer Society, San Antonio, TX
Oct 2010
Introduction to Electronic Discovery Data Collection
Hughes, Hubbard, & Reed, LLP
New York, NY
Sept 2010
New Horizons Computer Learning Center CISSP Prep Course
San Antonio, TX
Aug 2010
AccessData Forensic Toolkit BootCamp
Sterling, VA (Live Online Training Format)
July 2010
New Horizons Computer Learning Center CISSP Prep Course
San Antonio, TX
June 2010
The Association of Information Technology Professionals (AITP)
San Antonio, TX
April 2010
AccessData Forensic Toolkit BootCamp
Sterling, VA (Live Online Training Format)
March 2010
AccessData Forensic Toolkit BootCamp
Denver, CO
February 2010
AccessData Forensic Toolkit BootCamp
Belleview, WA
February 2010
A Prioritized Response to Compromised Computer
Leander Independent School District IT Staff
February 2010
Computer Security for Educators; Internet Safety for Children
Leander Independent School District, Continuous Improvement Process
January 2010
New Horizons Computer Learning Center CISSP Prep Course
San Antonio, TX
December 2009
AccessData Forensic Toolkit BootCamp
Lindon, UT (Live Online Training Format)
October 2009
New Horizons Computer Learning Center CISSP Prep Course
San Antonio, TX
September 2009
AccessData Forensic Toolkit BootCamp
Orlando, FL
August 2009
AccessData Forensic Toolkit BootCamp (Assistant Instructor)
Sterling, VA
June 2009
New Horizon’s Computer Learning Center SpecTECHular
Responding to a Computer Incident: Are You Ready?
February 2009
Alamo Chapter of the Armed Forces Communications and Electronics Association
(AFCEA)
A Prioritized Response to Compromised Computer
December 2008
Veteran’s Administration Law Enforcement Training Center, Little Rock, AR
Helix Three-Day Incident Response Course
November 2008
San Antonio North Chamber of Commerce Technology Counsel
Previewing, Securing and Preserving Digital Evidence
August 2008
Central Michigan University, Mt. Pleasant, MI
Helix Three-Day Incident Response Course
June 2008
New Horizon's Computer Learning Center, San Antonio, TX
Securing Volatile Computer Evidence with Helix Seminar
April 2008
New Horizon's Computer Learning Center, San Antonio, TX
Securing Volatile Computer Evidence with Helix Seminar
April 2008
Optimists Club of San Antonio, San Antonio, TX
Computer Forensic Issues in the Workplace
November 2007
S.E.A.R.C.H., Sacramento, CA
Helix Three-Day Incident Response Course
April 2007
San Antonio Criminal Defense Lawyers Association
CLE: Computer Forensics in Defense Cases
November 2006
Maine Licensed Private Investigators Association Annual Meeting
CLE: Electronic Discovery and Computer Forensics
November 2006
Venable, LLP, Washington, DC
CLE: Electronic Discovery and Computer Forensics
October 2006
Langley & Banack, Inc., San Antonio, TX
CLE: Electronic Discovery and Computer Forensics
October 2006
Ball & Weed, LLP, San Antonio, TX
CLE: Electronic Discovery and Computer Forensics
September 2006
McManus, Schor, Asmar, & Darden LLP, Washington, DC
CLE: Electronic Discovery and Computer Forensics
July 2006
Veteran’s Administration Law Enforcement Training Center, Little Rock, AR
Helix Three-Day Incident Response & Forensics Course
March 2006
San Antonio Area Computer Crime Investigators’ Group
Using Helix to perform Incident Response/Forensic Imaging of a Live System
March 2006
University of Texas, San Antonio, IS 4483, Cyber Forensics (Senior Level)
Computer Forensics from a Government/Law Enforcement Perspective
June 2005
Austin Police Department, High Tech Crimes Unit, Austin, TX
Two-Day Computer Incident Response Training
June 2004
Veteran’s Administration Law Enforcement Training Center, Little Rock, AR
Introduction to Computer Search and Seizure
April 2004
Veteran’s Administration Law Enforcement Training Center, Little Rock, AR
Introduction to Computer Search and Seizure
August 2003
University of Texas, San Antonio, TX
Computer Crime Investigations
June 2002
Library of Congress, Washington, DC
Two-Day Computer Incident Response Training
August 2002
Sector 5 Global Summit, Washington, DC
Panel Discussion – Critical Infrastructure Disaster Recovery Planning
April 2002
Information Technology Executive Committee (ITEC), San Antonio, TX
Panel Discussion – Protecting Critical Infrastructure
March 2002
American Water Works Association (AWWA), Buffalo, NY
Protecting Critical Infrastructure from Computer Hackers
August 1998
AFOSI Computer Crime Investigators' Annual Training, Dam Neck, VA
Investigating Computer Crimes
October 1997
San Antonio Area Forensics Seminar, Randolph AFB, TX
Computer and Internet Crimes
PUBLISHED WORKS:
February 2010
Protecting Yourself on Facebook, North San Antonio Chamber of Commerce
Technology News You Can Use
February 2009
Are You Prepared to Respond to a Serious Computer Compromise?, North San Antonio
Chamber of Commerce Technology News You Can Use
January 2009
Follow-up to Experts on Computer Forensics, A Defense Counsel’s Ally, SA Lawyer
November 2008
Experts on Computer Forensics, A Defense Counsel’s Ally, San Antonio Lawyer
October 2008
Password Security, North San Antonio Chamber of Commerce Technology News You
Can Use
COMPUTER FORENSICS/COMPUTER SECURITY EXPERIENCE:
• Qualified as a computer forensic expert in federal court
• 22+ years total investigative experience
• 14+ years as a Federal Agent with the Air Force Office of Special Investigations (AFOSI)
• 15+ years of computer forensic examinations using numerous industry standard tools and techniques. Cases
investigated range from child pornography, use of the Internet to solicit sex from minors, crimes against persons,
homicides, fraud, threats, corporate espionage, family law issues, theft of proprietary data, malicious attacks and
system abuse
• Investigation of large-scale network attacks that led to successful prosecutions
• Computer and physical penetration tests for several Fortune-500 companies
• Design and implementation of security policies for several companies
• Planned and executed electronic discovery efforts for significant civil litigations
• Reviewer, Journal of Digital Forensic Practice, February 2008 - Present
PROFESSIONAL ASSOCIATION MEMBERSHIPS:
• Association of Former AFOSI Special Agents (AFOSISA)
• North San Antonio Chamber of Commerce Technology Committee
• Texas Association of Licensed Investigators
Tag 2 Label