Sony Computer Entertainment America LLC v. Hotz et al
Filing
86
Letter from James G. Gilliland and Stewart Kellar [Joint] Re: Impoundment Issues. (Attachments: # 1 Exhibit 1-5)(Kellar, Stewart) (Filed on 2/28/2011)
<![CDATA[
Sony Computer Entertainment America LLC v. Hotz et al
Doc. 86 Att. 1
EXHIBIT 1
Dockets.Justia.com
CERTIFICATION OF' MICHAEL GRENNIER, CFCE, EnCE
I Michael Grennier, CFCE EneR, of full age and duly sworn, does hereby state as follows:
i. On February 26th, 2011, 1 fon:varded the certification per both pa11ies request and
ltccording to the conference call of both parties held on February 25th, 2011. (See attached as
Exhibit
A).
2. Steward Kellar, Esq., Defense counsel representing M.r. George Hotz, agreed to
the process listed in the attached certification, as long as the bit-stream image of the drėve was
wiped after the searching processes were completed. He would not agree. however to begin the
process on Monday, February 28, 2011, where Mr. Hotz would provide unencrypted access to
The Intellgence Group for purposes of creating an unencrypted bit-stream copy of his clients
hard drives, believing that a motion would be fied
in order Iōr Plaintiff to maintain a preserved
copy for discove.ry purposes. Mr. Hotz clearly stated that his client would never agree to ANY
copy being created, which could be retained for puroses other than the impoundment order and
the processes mentioned in my first certification.
3. After sending my requested certification to both parties, I was advised that Mr.
Hot? will not agree to any hit-stream copies of the hard dnves. It was further proposed by
Defendants counsel that we use Mr. Hotz's computer and operating system to conduct the
searches and securely delete the data.
4. According to the Cyber Security Institute, Computer Forensics is defined at the
preservation, identification, extraction, interpretation, and documentation of computer evidence,
to include the
rules of evidence, legal processes, integrity of evidence, factual reporting of the
information found, and providing expert opinion in a court of law or other legal and/or
ad111inistrativc proceeding as to what wos found. In bogie termH, Computt:l l()rensics is a science
Second Certification Sony V Hotz 2/27/2011
Page 1
in which fact based results of an examiners findings should achieve the same result of any other
computer forensic examiner. 'rhe use of standards and controls in scientitic experiments is a
fundamental axiom of
the scientific method. No experiment can be considered "scientific" unless
they are used to ensure reliable results. An important consideration is the nature of the scientific
experiment itself ao; it may require the use of multiple standars and contrls. Likewise, this
axiom holds true in forensic science. A scientific experiment is a controlled experiment.
Variables are intentionally introduced or changed one at a time and the results monitored.
Physical evidence is analyzed using methods and procedures that have previously been verified
or validated with
the use of approprėate standards and controls. Therefore, all forensic science
disciplines must document in their methods and procedures specific stadards and controls. They
must be used when analyzing physical evidence as a means to demonstrate that scientific
principles and quality assurace practices were followed. l1ieir use wil also ensure that the
methods, procedures, and instrumentation are functioning correctly, and that the results obtained
are accurte, reliable, and repeatable. i For these reasons, we maintain a computer forensics lab
whcrc I tcst our hardware and software to ensure that they are working property and use only
software and hardware which is known to me and my lab personneL. In order for TIO to isolate,
segregate and/or remove the information on those devices related to Defendant's circumvention
devices, I recommend these standard principles to be applied.
5. BaSed upon the above explanations, it would be completely improper for The
Intellgence Group to usc a client's computer for anything other than
making a bit-stream image
of
the hard drive. TIO's recommended procedures are:
1 .fohn J. Barbara - Author - General Editor fbr the "Handbook of Digital & Multiedia Evėdeni,e'.:p~~!?Fslie(l.hy
I:!.llmii!liYress_. iii JQQZf'i,I!li~hl:iJgr)ElfJYIS í"A.:yga:"!!NJl.ml?.;!hvww, fOl'cĄukma!ė.cöm) - Computer Fore.n...ic...
Sltuidm'd:J and Coiilroh
Second Certifimtion Sony V HulZ 2/27/2011 -.
Päge2
a. Photograph and document the hardware and remove the hard drive.
b. ereate a bit-stream image using a hardware devĖCe or software created and
tested for this
purpose in our
lab. In this case, where the drives are encrypted
we may need to boot the OS and then create the bit-stream image (using our
software) using what is termed a "live acquisition". The bit-stream image is
placed on a hard drėve purchased by 1'IG, wiped and formatted in our lab prior
to staring the image procedure. This way we know that the hard drive is
working and blank prior to staing. The Intellgence Group maintains control
of the imaging process by entering ali commands, passwords durng this
process.
c. We then create a backup copy of
the bit-stream image on a second drive to be
used in the event that the original lab dnve malfunctions.
d. We then
connect the lab drivc containing the bit-stream image to one of our
lab computers, where we know the operating system and programs that have
been installed. All our forensic processes work with the bit-stream image, but
do not change that image in any way. All the results and inIármation from the
processes are stored in a separate directory on the same drive. To restate, the
bit-stream copy we start with is not changed in any iuanner durėng any of our
forensic processes.
e. We then ru some pre-processes, which is a computer automated search for
files that have been deleted and expand compressed fies into different
evidence files. Compressed files such as ZIP, dOCK, and ta are files which
have been įVmpl''llilieŲ tv liUW liPUl,\; un the hurd dri w. 'lumJ fiOH noed to he
'''
m.. ,..,....._._t .$
Second Certification Sony V Hoti 2/27/2011
? .....:.
Pugc3
expanded so that we can conduct searches of their contents. We also search
for files and folders which are password protected.
6. In this case, we have been provided with two hard drves and a calculator. The
hard drives, according to Mr. Hotz are encrypted. When an encrypted drive is provided our
procedure would
be to create a bit-streani copy of the hard drives prior to any other actions or
for the un-encryption step. This
imaging and then create a duplicate of each drive to be utilized
enSures that we always have an "original" bit-stream image of
the drves.
7. It is important to explain that a bit -stream image of the hard drive represents a
snap shot in time of exactly what was on that hard drive at the time the image was created. This
bit-stream image is normally created by a Computer Forensic fimi or e-discovery firm when
looking for deleted data or providing discovery. However The Intellgence Group was not
tasked with providing discovery requests or preservation of data with the exception of
documenting and maintaining a copy of any circumvention devices related to a Sony PS3 on the
hard drives.
8. The Intelligence Group is only tasked with finding specific data, copying that data
into an evidence file and then deleting it from the original hard drive and retuniingthat drive the
Mr. Flotz.. Nothing in the order states that we need to maintain a copy of the entire hard drive
for discovery or future processing of evidence. During our conference calls Mr. .Hotz's attoniey
has stated several times that there is no reason to keep the bit-stream image of the hard drive as
his cHent is fully capable of maintaining the computer as reuired in the discovery order. In
addition, The
InteUigence Group has offered to hold either hold in our evidence an encrypted
this copy ofthe hard drive in
copy ofthe bit-stream image or allow Mr. Hotz's attorney to secure
his offce as long i' wfliili; nol iillow his clicnt access to that drh-c. Sim;eMr. lioiZ's attorney~
Second Certification Sony V Botz 2/27/2011
Page
4
has clearly stated that his client is capable of keeping the original hard drive in a manner that
does not violate the discovery order, it seemed to me to out of my jurisdiction since I was not
ta.'5ked with any discovery
issues beyond the documentation and storage of circumvention
devices related to a Sony PS3.
9. As our role is to be neutral, we had the paries agree to the creating of a bit-stream
image after the original drives were placed in the original computer and allowing Mr. Hotz to
entcrthe password so that it would not be known to any
pary. We would then run the proper
processes on our bit-stream ima.ge in our lab, create the appropriate copies of the data relating to
a circumvention Devices related to a PS3 and finaHy delete that data off the original hard drive.
Once completed we would wipe our bėt-strcam image of
the hard drive. Mr. Hotz's attorney was
agreeable to the process but could not aUow us to sta because a motion was going to be filed
requiring The Intelligence Group to preserve the bit-stream image and be knew that Mr. Hotz
would not provide his password if any copies were going to be maintained.
10. On February 25th, 2011, we were advised that Mr. Hotz wil not agree to allow us
to creating any bit-stream image and in addition, we must use his computer for searching and
processmg.
11. For this forensic examination, I need to confirm that the hard drive does not
contain any password protected fies. In addition, 1 need to expand compressed files in order to
conduct searches for the circumvention devices related to a PS3. Both of these processes wil
result in the alteration of data on the original hard drėve and even overwrite data that has been
previously deleted if ran on the original hard drive. My actions would cause changes and
destrction of data to the original hard drve.
Second Certification Sony V Hotz 2/27/2011
mm.!I
Page 5
12. While we have been told that Mr. Hotz used Linux as the Operating system, I do
not how the operating system has been contigured, changed or modified. 1 furthennore do not
have any prior knowledge of any traps that may be on the system. While I believe Mr. Hotz to
be an honest person and have no reason to suspect that he has made any changes, I vvill be held
accountable if such changes occur. Therefore I am required to assume that aU operating systems
contain traps and hence must use my lab computers for processing. As an example in one of my
forensic classes taught by the White Collar Crime Center, I was able to change the operating
system so that when a user typed in the command "copy" it was understood by the system as
"format". When any user typed in "Copy C: D:" (which would copy files from drive C to D), the
operating system actually ran "Format C:" in such a maner that it would not ask the user if
they
were sure that they wanted to format the hard drive. Fonnatting a hard drive overwites at least
the first twenty percent of a 20GB hard drive and removes all files and folders.
l3. Therefore~ I cannot conduct the searches using
the suspect's computer system
and operating system. In a perfect world, I would have the complete computer system with the
copies of the original hard drives installed along with the password so that I could un-encrypted
the drive. However in this case, Mr. Hotz only provided the hard drives, not the coinputer
system and refuses to provide any passwords. Without the origin computer system and/or
password it is very doubtful that 1 can un-encrypt the hard drive and proceed as
indicated in the
court order. 1 would have been able to proceed with just the hard drives if they were not
encrypted.
14. According to Defense counsel, Mr. Hotz is only willng to bring his coinputer to
our location if he can enter the password and TIG will NOT mae a copy of
the hard drive. Mr.
llot?:, will then point out to U~ thut un: ciïcumvcntion devices related to i. PS3 tUld tlii:!l cupy
Second Certifcation Sony V Hotz 2/27/2011
Page
6
them off to another drive. Lastly, we must use his computer system and operating system and
special tools he has to delete that data off of his hard drive. According to the court order, both
paries did agree to have an independent third party conducts the tasks of locating, isolating,
segregating and/or removing the information related to Circumvention Devices specific to the
Sony PS3 console. In order to accomplish these tasks, TIG wiU need access to the data, the
password and original computer and work in our tested, verified and secure environment.
15. If TIG is not allowed by Mr. Hotz to create a bit-stream image of the hard drive
and i am required to use his computer for processing, I will be unable to testify in court that my
searches were conducted properly and completely.
16. I am available to testify in person or by phone as requested by either pary or the
cour.
I hereby cerlifythat the foregoing statemenls made by me are true. I am aware the if any
of the íoregoing statements made by
me are willfully íalse, i am subject to punishment.
By:
Michael Grennier, CFeE, EnCE
,//'7. /?lífl 11 /;pz. ./' /"/,/' ..
./ ~.../
/? r;'1 ./
Dated: ;Z I.; 1 / :2 if
Second Certification Sony V Hotz 2/27/2011
Page
7
EXHIBIT A
CERTIFICAITON of
Michael Grennier
Second Certėfication Sony VHotz 2/27/2011
Page
8
CERTIFICATION OF MICHAEL GRENNIER, CFCE, EnCE
I Michael Grennier, CFCE EnCE, ofliill age and duly sworn, does hereby state as JoUows:
1. I am the Director of
Forensics and Security at The Intellgence Group (TIG), 1545
Route 206, Bedminster, NJ 07921. I have been employed with TIG since January 2008.
2. Prior to my tenure at TIG, I was employed by a computer forensic firm in
Princeton, NJ. i started in May 2005 as a Senior Forensic Examiner. Prior to that, I retired as a
Police Captain with twenty-five (25) year of service at the South Plainfield Police Departent
in NJ. Prior to my retirement I had the additional responsibilty of maintaining the local
government's computer network. As a Police Officer, I worked as a computer forensic examiner
on cases involving fraud, theft, and internal aflāirs investigations, as well as murder, rape, and
child pornography. I have received training from Guidance Software, The National White Coėlaf
erime Center and the International Association of Computers Investigative Specialists (lACIS)
which include Certified Forensic Computer Examiner (CFCE), Electronic Evidence Collection
Specialist (CEECS) and EnCase Certified .Examiner (EneE), Access Data, and Dan Mares Inc. I
hold both a Certified Forensic Computer Examiner (CFCE) with lACIS and Encase Certified
Examiner (EnCE) certification from Guidance Software. Over the past 12 months i have
conducted well over eighty (80) digital
forensic examinations.
3. TIG is a digital forensics firm servicing its client's needs in systematically
identifYing, preserving, extracting, analyzing, and interpreting digita evidence. The finn can
uncover e-mail communications, account information, file copying, attempted data destruction,
account usage, and other activities performed on computers.
4. TIG has assisted clients in a wide variety of lawsuits, ranging from cases
involving fraud, intellectual property theft, wrongful tennInation, forgery, matrimonial disputes
Initial Certification Sony
V Hotz 2/26/2011
Page 1
including child custody and other matters that involve electronically stored information. TIG
complies with all computer forensics standards as set fort by the U.S. Federal Bureau of
Investigation (FBI) and Guidance Software's Incident Response Forensic Analysis and
Discovery (IRF AD) program. The forensic technicians and examiners at TIG employ a number
of digital forensic software packages and analysis techniques which include, but are not limited
to Guidance Software's EnCase, Access Data's FTK (Forensic Toolkit) and Paraben Software's
E-Mail Examiner to complete a comprehensive search of both active and deleted
fies, as well as
to provide an unbiased report of the results. These software products are also utilzed by the law
enforCemel'lt communty worldwide. Extensive coursework in the digital forensics field along
with hands-on, product-specific training is necessar in order to use these products correctly.
Additionally, specialized knowledge and training in chain of custody and evidence handling
procedures in the field of digital forensics is necessar in order to perform imagėg and analysis
up to industry and legal stadards TIG's
5. Forensic examinations are never conducted on an original media, device or dnve.
TIG does not turn on a suspect computer and then search it the way a person sitting in front of
the computer might attempt. Our forensic examinations are always undertaken using a "bitstream" copy. A bit-stream is a copy of the hard drive that captures every bit and byte of data
without regard to programs or applications.
6. The Defendat has agreed to bring the same computer which contaned and
worked with the hard drives that he provided to TIG so that they could be held in evidence as
specified in the court order. The importce of this deals with the encrypted hard drives and the
operation system drivers which must match the computer hardware for the booting process to
successfully occur.
Initial Certification Sony V Hotz 2/26/2011
Page
2
7. In this case, the defendant has represented the hard drives contain a Linux based
File and Operating System which he has encrypted by the usemame and password. ln order for
the computer to hoot and provide 1'10 access, the defendant wil need to either provide TIO the
encryption password or enter the password during the boot process. Once the proper password is
entered, the data from the hard drive passes to the operating system as unencrypted data. As
previously mentioned, the stadard procedure would be to create a "bit-stream" image of the
hard drive at this time in order for 1'10 to cost effectively
isolate, segregate and/or remove the
information on those devices related to Defendant's circumvention devices. for this process to
continue, TIO requires a bit-stream image that is verified. For this case, the verėfication process
checks the MD5 hash value of the hit-stream image tile to ensure that the data is intact. While it
is extremely unlikely that the verification process fails, it does occur in a small percentage of
image creations (less than 5%) and requires the process has to be restaed.
11'tlle Defendant chooses to enter the password rather than provide that password to TIO, he wil
be required to stay on-site until the process has been completed and verified because that
password may be needed again in the event his computer crashes during this process. 8. Based upon the requested effort, 1'10 will need to search for and "retrieve" any
Circumvention Devicesorrelated information which may include the following areas ofthe hard
drives such as;
a. Active fies
b. Deleted fies (unallocated space)
c. Slack space (the area between
the end of the file and the start of the next
cluster or sector)
d. Compressed files including hut not limited to TAR, ZIP, TZ etc
Initial Certifcation Sony V Hotz 2/26/2011
Page
3
e. Password protected files or areas of the hard drive
9. In order to properly conduct the searches and as the rules of evidence provide
for, a torensic examiner must be in control of the environment in which the examination is to
occur. They must use familiar hardware and softare which has been tested and validated.
Failure to usc properly tested equipment may allow changes to occur to the data and therefore
may alter the results. For this reason, the Defendants had drives can be used to create
the bit-
stream image only and it should not be used for keyword searches and processing of data.
10, The above explanations were reviewed on a conference cail with attorneys and
the following protocols were agreed to as stipulated:
a. The Defendant shall bring his computer to TIG offces for the purposes of unencrypting the hard drives.
b. Once the hard drives are installed, the Defendant wil enter his password
which unencrypts the hard drives.
c. 'rIG wil be allowed to create a bit-stream image of the hard drive for
purposes of locating, isolating, segregating and/or removing the information
related to eircumvention Devices specific to the Sony PS3 console..
d. After completion of the bit-stream image, the Defendant prior to leaving the
offices of TIG, wil show TIG the Circumvention Devices and related
files
specific to the Sony PS3 console so that ā file listing can be created.
e. In addition, the Defendant will identify any
and all of the following items:
1. Any fies, folders or data areas that are encrypted or require a
password. Examples would include
but not be limited to truecryt, zip,
orrar
Initial Certification Sony V Hotz 2/26/2011
Page
4
n. Identify if he used or accessed or modified any of the following drive
areas ;
1. volume slack
2. Master Boot Record I Superblock
3. Parition table
4. Hosted Protected Area
5. Drive eonfėguration Overlay
6. Partition slack
7. Sectors or blucks marked as Bad but used to store data
8. Disk slack
9. Unused space in the block group
10. Directory entres
t The original hard drive wm remain in evidence until the Circumvention
Devices and related data bas been removed.
g. TIO will use portons of data from the Circumvention Devices relating to a
Sony PS3 cunsole to search Iōr these devices and/or additional references of
circumvention devices across the entire hard drive space.
h. Any eircumvention Devices relating to a Sony PS3 wil be documented and stored in a separate evidence fie on a hard drive that TIO provides for this
purpose.
1. Any code which is questionable as being a Circumvention Device relating to a
Sony PS3 console wil be reviewed by a TIO sub-contractor that has no
conflcts to Sony Corporation. If after this review the code appears to be a
Initial Certification Sony V Hatz 2/26/2011
PageS
eircumvcntion Device relating to a Sony PS3 Console, the code wil be sent
to Mr. Hotz's attorney. Mr. Hotz's attorney "\Jill always maintain possession
of the code and not allow it to be copied or transferred in any manner. Mr.
Hotz is being provided the code so that he can show the code to his client and
detenTline if they want to object to the code being designated as a
Circumvention Device. Any objections after a second review by TIG wil be
brought before the Judge in~camera for the purose of making a final
detennination.
J. Once the process of locating the Circumvention Devices relating to a Sony
PS3 console have been completed, 1'IG shall remove the identified data from the original hard drives ofMr. Hotz.
k. Once the identified data has been properly removed from the original hard
drives, they shall be returned to Mr. Hotz.once the process of removing the
data from Mr. Hotz's hard drives has been completed the bit-stream image of
the hard drive shall be wiped. This process will remove all data from that hard
drive.
I hereby certify that the foregoing statements made by me are true. I am aware the if any
of the foregoing statements made by me are wilfully fālse, I am subject to punishment.
Dated: cJl,2ę( /.;;1.öl(
(
/' /
By: Michael Grennier, eFeE, EnCE
Initial Certification Sony
V Hotz 2/26/2011
Page
6
EXHIBIT 2
Page 1 of9
Gaudreau, Holly
From: Boroumand Smith, Mehrnaz (mboroumand~kilpatricktownsend.comJ
Sent: Friday, February 25, 2011 10:59 AM
To: Stewart Kellar; Robert Kleeger; Michael Grennier
Cc: Gaudreau, Holly
Subject: RE: SCEA v. Hotz - Engagement letter - Final
Attachments: 2011-02-18 (84) Order re Prelim and Hearing on Motion to Dismiss.pdf
Stewart, Robert and Michael,
The purpose of the impoundment is to get the circumvention devices and information related to those devices away from Mr. Hotz. It is not to alter evidence. By having the Intelligence Group retain images of the drives as they originally existed, we can accomplish both the impoundment order and preserve evidence. Moreover, as we discussed on our call, we are amenable to Mr. Kellar, as an officer of the court, maintaining the images once the
impoundment is completed while the Court is resolving any discovery disputes.
For your reference, the specific preservation requirement of the preliminary injunction (which was also included in the TRO) is found on page 3 of the attached pdf.
Lastly, the modified order attached by Mr. Kellar regarding the impoundment states that "If there are any disputes between the parties regarding the scope of the information to be segregated and removed from defendants' devices, or any other disputes related to the temporary impoundment of the defendant's devices, those matters shall be presented to Magistrate Judge Spero in the first instance." (Emphasis added). Clearly the issue of whether the image of the hard drives is to be deleted is one that needs to be presented to the Magistrate in order to avoid spoliation of evidence. As we discussed on our call, we will raise this issue with Magistrate Judge Spero in a letter copied to each of you early next week.
Thanks,
Mehrnaz
Mehrnaz Boroumand Smith
Ą-(ĄĄpatricK Townsend & Stockton LLP
Eighth Floor I Two Embarcadero Center! San Francísco, CA 94111
office 415 273 7559 I fax 415 723 7205 mboroumand~kilpatricktownsend.com I My Profile I VCard
From: Stewart Kellar (mailto:stewarttQetrny.com)
Sent: Friday, February 25, 2011 10: 12 AM
To: Boroumand Smith, Mehrnaz
Cc: Robert Kleeger; Michael Grennier; Gaudreau, Holly Subject: Re: SCEA v. Hotz - Engagement letter - Final
Mehmaz, Rob and Mike,
2/27/2011
Page 2 of9
As a follow up to our call of a few minutes ago, I wanted to make sure that one point was completely
clear regarding why the Intelligence Group's wiping of the images made of Mr. Hotz's storage
devices (as they exist prior to removal of the circumvention information) is important. The preliminary injunction order clearly carves "isolating, segregating and/or removing (impounded information)" from Mr. Hotz's general requirement to preserve and not destroy evidence. In fact,
preservation of the circumvention devices is what is contemplated by the impoundment order. The
preliminary injunction reduced the TRO's initial impoundment requirement from impounding the entire drives to merely impounding information related to PS3 circumvention devices and explicitly requires the drives to be promptly retured to Mr. Hotz. No evidence wil be destroyed, merely segregated into
two parts: the impounded ite1,s, and the remaining data on Mr. Hotz's storage devices. Preserving
additional images of the devices would violate Judge IUston's Order modifying impoundment for this limited purpose. I have attached the Order for clarity.
Stewart Kellar
E-ttomey at LawTM
148 Townsend St. Ste. 2 San Francisco, CA 94107 (415) 742-2303 Stewiirt(fetmy.com .\Y,.ettQrreyat1aw.ĮQll
The information contained in this email message may be privileged, confidential and protected from disclosure. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this email message in error, please notify the sender by reply email and delete the message and any attachments.
On Fri, Feb 25, 2011 at 9:56 AM, Boroumand Smith, Mehmaz
.:mbQroumand~kilpatriįktQWl1send.com? wrote:
Stewart, Rob and Mike,
As a follow up to our call of a few minutes ago, I wanted to make sure that one point was completely clear regarding why the Intelligence Group's preservation of the images made of Mr. Hotz's storage devices (as they exist prior to removal of the circumvention information) is
important. If the images are wiped by the Intelligence Group after the impoundment
procedure is completed (and the impounded information is removed), no one, including Mr. Hotz, will have a forensically intact copy of his hard drives as they existed originally. Consequently, evidence of the hard drives in their original form -- clearly relevant to the merits of this case -- will be destroyed in violation of the Court's TRO and preliminary
injunction orders.
Thanks,
Mehrnaz
Mehrnaz Boroumand Smith
2/27/2011
EXHIBIT 3
Page 1 of2
Boroumand Smith, Mehrnaz
From: Michael Grennier (MGrennier(gintell-group.com)
Sent: Saturday, February 26, 2011 6:33 PM
To: Boroumand Smith, Mehrnaz; Gaudreau, Holly; Robert Kleeger; Stewart Kellar
Cc: Robert Kleeger
Subject: RE: Certification for review
Mehrnaz,
See below:
From: Boroumand Smith, Mehrnaz (mboroumand(Qkilpatricktownsend.com)
Sent: Saturday, February 26, 2011 8:04 PM
To: Michael Grennier; Gaudreau, Holly; Robert Kleeger; Stewart Kellar Subject: RE: Certification for review
Dear Michael,
Thanks for sending the draft protocols. Late yesterday, Mr. Kellar informed us that Mr. Hotz would not allow any imaging of his hard drives to occur. Based on our call, we understood that he would be updating you on Mr. Hotz's position (including an alternative proposal that was not acceptable to SCEA). Consequently, we are in the process of putting together a joint dispute letter that the parties will file with the Court on Monday morning. For our part, we would like to present the court with your proposed protocol subject to the following clarifications and comments:
1. We believe you may have inadvertently left out the initial step of creating forensic bit-stream images of the
devices provided by Mr. Hotz. As you stated in paragraph 5 of the protocols and we understand from our
forensics consultants, original media, devices or drives are never used to conduct examinations because of concerns, including among others, that the original hard drives may faiL. Consequently, we believe that two such images should also be made here - one to be maintained in a secure vault by the Intelligence Group and the second to be used for decryption (rather than using the original hard drive). Please confirm that under your suggested protocol, the Intelligence Group would create such images and if not, let us know why not. Section 10.C clearly states that we will be creating a bit-stream image of the hard drive. As for two images, that was not agreed to during our conversations. In additon, we would still have to wipe both copies at the end. I would agree that two images would be the "norm" and provide a back-up in the event the primary drive fails, but it was not agreed to by the parties and based on the last email they are now not agreeing to the what we discussed and agreed to during the phone call..
Similarly, please confirm that two bit-stream forensic images of the decrypted hard drive will be created - one for preservation purposes (to be maintained in a secure vault at the Intelligence Group until such time as the Court resolves the protocol and discovery disputes between the parties) and the second to conduct your review with Mr. Hotz as well as your independent searches and analysis. IF there was an agreement to maintain a preserved copy, then the proper proceedure would be to create a bitstream (forensic) image of the drives while encrypted and prior to starting these processes. Then create a second bit-stream (forensic) image after the drive was unencrypted with the password. This would provide us with a before and after data for court purposes that I could present if requested by either party. However there is no agreement to maintaining a copy for preservation of the hard drive and even a requirement that we wipe our data copies upon completion. In addition Mr. Holtz Attorney has clearly stated that it is his intention and belief that there is no need for him to have a copy or maintin a copy of the hard drive and he is of the belief that his client is capable of keeping the data intact as required under the discovery order.
2/27/2011
Page 2 of2
Also please confirm that the working bit-stream image of the decrypted hard drive (and not the original device provided by Mr. Hotz) will be used for analysis. We do not want Mr. Hotz to contend that the Intelligence Group has in any way altered the original hard drive except at the very end of the analysis when you remove the information and devices related to circumvention that you have located (through your analysis on the working copy) from the original devices provided by Mr. Hotz. The Intelligence Group has stated in the certification that we will be createing a bit-stream image of the unencrypted drive. We will use our copy of the bit-stream image to locate and document the devices related to
circumvention. Then we will remove the data from those areas of the original hard drive as the last step. THE
INTELLIGENCE GROUP IS UNABLE AND UNWllLiG TO USE HIS COMPUTER FOR ANYTHING OTHER THAN OBTAINING A BIT-STREAM COpy OF THE UNENCRYPTED DRIVE.
2. Please confirm that under your protocols for chain of custody purposes you will photograph both original hard drives as well as document the drives' model and serial numbers and record BIOS or other system clock information. The Original drives were photographed and a Chain of Custory was completed and signed by Goerge Holtz's dad who dropped them off at our offices. A copy can be forwarded on Monday if requested. We also have the drives make and model on file. When the comptuer is presented we will record the BIOS information, along with the time/date on the bios Clock.
As we have to provide our response to the Joint Discovery letter to Mr. Kellar by 4 pm PT tomorrow, we ask that you respond to our questions by no later than noon your time tomorrow.
We greatly appreciate your assistance over the weekend on this matter.
Mehrnaz
Mehrnaz Boroumand Smith Kilpatrick Townsend & Stockton lLP
Eighth Floor I Two Embarcadero Center I San Francisco, CA 94111 office 415 273 7559 I fax 415 723 7205 mboroumand(ikilpatricktownsend.com I My Profie I VCard
From: Michael Grennier (mailto:MGrennier(§intell-group.comJ
Sent: Saturday, February 26, 2011 7:37 AM
To: Gaudreau, Holly; Robert Kleeger; Stewart Kellar; Boroumand Smith, Mehrnaz Subject: Certification for review
Attached is my certification in draft form for reivew. Please comment and advise. I will forward the final copy with signatures by Sunday evening.
Regards,
Mike
Confidentiality Notice:
This communication constitutes an electronic communication within the meaning of the Electronic Communications Privacy Act, 18 U.S.C. Section 2510, and its disclosure is strictly limited to the recipient intended by the sender of this message. This transmission, and any attachments, may contain confidential attorney-client privileged information and attorney work product. If you are not the intended recipient, any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is STRICTLY PROHIBITED. Please contact us immediately by return email or at 4048156500, and destroy the original transmission and its attachments without reading or saving in any manner.
2/27/2011
EXHIBIT
4
Page 1 of2
Boroumand Smith, Mehrnaz
From: Michael Grennier (MGrennier~intell-group.comJ
Sent: Saturday, February 26, 2011 7:02 PM
To: Stewart Kellar
Cc: Gaudreau, Holly; Robert Kleeger; Boroumand Smith, Mehrnaz
Subject: RE: Certification for review
Mr. Keller,
I am sadden to hear that you will no longer agree with the process agreed to by you on Friday. While the court would need to decide the issue of the preservation. I felt that the Intelligence Group was working as neutral in getting the process on paper and you were working with all parties by agreeing to allow the drive to be imaged and
having it wiped at the end of the process.
I need to state and will now include in a second certification that you did agree to the steps listed in the first certification, but after consulting with your client they are no longer acceptable. In additon I can only use Mr.
Holtz's computer to create the unencrypted bit-stream image file. I can not use his softare or his computer to
search for data to be wiped. His computer is unknown and untested in my environment. I can't even use standard
Unix commands without knowing or having a way to confirm that they are working properly under test conditions.
While it is not plausible, it is possible that the as could have been changed so that a copy command is now a format command or that the standard command line entries work different due to changes made in the as. I also completely disagree with your statement that this is not a forensic examination. I am being task to search for, and locate data on a hard drive even data that my have been deleted using standard forensic techniques. My review of
the Court Order does not indicate that your client has sole responsibility to search for and "point out" the Circumvention devices and supervise the deletion. Rather it is my reading that I as the independent third party am
responsible for making that determination and then removing the data from the original hard drive.
I also want to state that The Intellignece Group fully expects both parties to pay for the professional services
provided by such as the accepting of the hard drives, conference calls and writting of certifications as agreed to. I am sure and please confirm that your statement that Mr. Hotz will provide The Intelligence Group with our intiial retainer being listed in the agreement to an alternate proposal pargraph was just information included in that paragraph rather than a threat to withhold payment during this process if the other side did not agree with your proposaL.
I understand that everyone is under deadlines, and I will try to have my second certification to you by tomorrow
noon. The First certification will be signed as is and forwarded by Sunday Evening.
Regards,
Mike
From: Stewart Kellar (stewart(getrny.com)
Sent: Saturday, February 26, 2011 8:35 PM To: Michael Grennier
Cc: Gaudreau, Holly; Robert Kleeger; Boroumand Smith, Mehrnaz Subject: Re: Certification for review
Mr. Grennier,
We will not agree to allow any image or copy to be made of Mr. Hotz/s drives or allow searches to be run on Mr. Hotz/s drives using systems and programs not native to Mr. HotYs computer system. The Impoundment order calls
2/27/2011
Page 2 of2
for impoundment only. It is not a forensic examination and does not require that imaged copies of Mr. Hotz/s
storage devices be made. Thus, any imaging or additional copies of Mr. Hotz's drives goes beyond the scope of the impoundment order and beyond the scope of the how Mr. Hotz's drives may be access and/or manipulated.
As an alternate proposal, Mr. Hotz agrees that on Monday February 28, 2011, he will go to your offce and provide you with the initial retainer and fully signed agreement. Mr. Hotz then agrees to demonstrate that the circumvention devices at issue are indeed on the impounded devices. Mr. Hotz agrees to bring his computer system which will be used to access the drives and identify the circumvention devices therein. After the devices are shown to have the circumvention devices, they will be left impounded in your office/s custody until such time the court either lifts the impoundment order or makes an order otherwise affecting the impounded drives.
I contacted SCEA's counsel at 3:02pm PST yesterday to discuss our proposal, and left a message. The call was
returned by SCEA's counsel at 5:00pm PST who ultimately stated their opposition to our alternate proposal. Both
parties have agreed to a schedule for drafting a joint letter to Magistrate Judge Spero on the matter, which will be filed and submitted to the Judge by Monday, February 28th.
The statements made in your draft letter do not reflect our position and are not agreed to. I look forward to
receiving a revised draft that reflects our position in this matter. Thank you.
Sincerely,
Stewart Kellar E-ttorney at LawTM 148 Townsend St. Ste. 2 San Francisco, CA 94107
(415) 742-2303
~te)N9r:(9_etmy',įQ.n:
YLvy)N,.e1t..rneyqtLįlW.,~Qm
The information contained in this email message may be privileged, confidential and protected from disclosure. If you are not the intended recipient, any dissemination, distribution or copying is strictly
prohibited. If you think that you have received this email message in error,
please notify the sender by reply email and delete the message and any
attachments.
On Sat, Feb 26, 2011 at 7:37 AM, Michael Grennier o(M.Gr.enQj~LcminteJJ.:9rQlR_,ĮQm)o wrote:
Attached is my certification in draft form for reivew. Please comment and advise. I will forward the final copy with signatures by Sunday evening.
Regards,
Mike
"'DISCLAIMER'" Per Treasury Department Circular 230: Any U.S. federal tax advice contained in this communication (including any attachments) is
not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.
2/27/2011
EXHIBIT 5
Volume 1 Pages 1 - 36
UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CAIFORNIA
BEFORE THE HONORALE SUSAN ILLSTON, JUGE
SONY COMPUTER ENTERTAINMNT
AMRICA, LLC,
)
)
Plaintiff,
VS.
) )
)
ro cony
.~.~..
) NO. C 11-00167 SI
)
GEORGE HOTZ, ET AL. ,
Defendants.
) )
San Francisco, California
)
)
)
Thursday
February 10, 2011 10:29 a.m.
'. ~ .
TRASCRIPT OF PROCEEDINGS
APPEACES:
For Plaintiff:
BY: JAMS G. GILLILA, JR., ESQ.
HOLLY GAUDREU, ESQ.
RYAN BRICKER, ESQ.
KILPATRICK TOWNSEND Two Emarcadero Center Eighth Floor San Francisco, California 94111
For Defendant George Hotz:
LAW OFFICES OF STEWT KELLA
148 Townsend Street Suite 2
San Francisco, California 94107
BY: STEWT KELLA, ESQ.
Also Present:
Reported by:
!:..'
MICHAL EDELM
BELLE BAL, CSR #8785, RM, CRR
Official Reporter, U. S. District Court
Belle Ball, eSR #8785, RMR, eRR Official Reporter"- U ~S. District Court (415) 373-2529
25
1 stand at the podium at the same time, if you want.
2
MR. KELLA: Thank you.
3 Wi th regard to allowing Sony access to my client's
4 computer to inspect all files to find out which ones are and
5 are not the circumvention devices again raises the same issue
6 of impounding Mr. Hotz is privileged, confidential, and
7 otherwise private information on his computers.
8
THE COURT: And, you know why that issue comes up?
9 Because that's where he did what he did. And for present
10 purposes, anyway, what he did was not all right. So,
11 12
MR. KELLA: That's correct, Your Honor.
THE COURT: -- that i s the breaks,
13
MR. KELLA: However, the TRO already states that
14 Mr. Hotz is to preserve and not destroy any records or
15 documents in whatever format relating to the circumvention
16 devices, and Mr. Gilliland has -- or Sony's counsel has
17 demonstrated no risk of spoliation, of covering tracks, of any
18 illicit acti vi ty involving tampering with evidence after
19 receiving notice of this suit.
20
THE COURT: Oh, I don't think that i s right. I got
21 something just yesterday or the day before that he's posted --
22 posted things on the Internet that is in direct violation of
23 the order.
24
MR. KELLA: It is not correct that he posted things
25 in direct violation of the order. He posted a link to
Belle Ball, CSR #8785, RMR, CRR Official Reporter - U. S. District Court (415) 373-2529'
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
