Sony Computer Entertainment America LLC v. Hotz et al

Filing 86

Letter from James G. Gilliland and Stewart Kellar [Joint] Re: Impoundment Issues. (Attachments: # 1 Exhibit 1-5)(Kellar, Stewart) (Filed on 2/28/2011)

Doc. 86 Att. 1

EXHIBIT 1

CERTIFICATION OF MICHAEL GRENNIER, CFCE, EnCE

I Michael Grennier, CFCE EnCE, of full age and duly sworn, does hereby state as follows:

1. On February 26th, 2011, I forwarded the certification per both parties' request and according to the conference call of both parties held on February 25th, 2011. (See attached as Exhibit A).

2. Stewart Kellar, Esq., Defense counsel representing Mr. George Hotz, agreed to the process listed in the attached certification, as long as the bit-stream image of the drive was wiped after the searching processes were completed. He would not agree, however, to begin the process on Monday, February 28, 2011, where Mr. Hotz would provide unencrypted access to The Intelligence Group for purposes of creating an unencrypted bit-stream copy of his client's hard drives, believing that a motion would be filed in order for Plaintiff to maintain a preserved copy for discovery purposes. Mr. Hotz clearly stated that his client would never agree to ANY copy being created, which could be retained for purposes other than the impoundment order and the processes mentioned in my first certification.

3. After sending my requested certification to both parties, I was advised that Mr. Hotz will not agree to any bit-stream copies of the hard drives. It was further proposed by Defendant's counsel that we use Mr. Hotz's computer and operating system to conduct the searches and securely delete the data.

4. According to the Cyber Security Institute, Computer Forensics is defined as the preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found.
In basic terms, Computer Forensics is a science in which fact based results of an examiners findings should achieve the same result of any other computer forensic examiner. The use of standards and controls in scientific experiments is a fundamental axiom of the scientific method. No experiment can be considered "scientific" unless they are used to ensure reliable results. An important consideration is the nature of the scientific experiment itself as it may require the use of multiple standards and controls. Likewise, this axiom holds true in forensic science. A scientific experiment is a controlled experiment. Variables are intentionally introduced or changed one at a time and the results monitored. Physical evidence is analyzed using methods and procedures that have previously been verified or validated with the use of appropriate standards and controls. Therefore, all forensic science disciplines must document in their methods and procedures specific standards and controls. They must be used when analyzing physical evidence as a means to demonstrate that scientific principles and quality assurance practices were followed. Their use will also ensure that the methods, procedures, and instrumentation are functioning correctly, and that the results obtained are accurate, reliable, and repeatable.[1] For these reasons, we maintain a computer forensics lab where I test our hardware and software to ensure that they are working properly and use only software and hardware which is known to me and my lab personnel. In order for TIG to isolate, segregate and/or remove the information on those devices related to Defendant's circumvention devices, I recommend these standard principles to be applied.

Second Certification Sony V Hotz 2/27/2011 Page 1

5. Based upon the above explanations, it would be completely improper for The Intelligence Group to use a client's computer for anything other than making a bit-stream image of the hard drive.
[1] John J. Barbara - Author - General Editor for the "Handbook of Digital & Multimedia Evidence" published by Humana Press in 2007 [illegible] (www.forensicmag.com) - Computer Forensic Standards and Controls

TIG's recommended procedures are:

a. Photograph and document the hardware and remove the hard drive.

b. Create a bit-stream image using a hardware device or software created and tested for this purpose in our lab. In this case, where the drives are encrypted we may need to boot the OS and then create the bit-stream image (using our software) using what is termed a "live acquisition". The bit-stream image is placed on a hard drive purchased by TIG, wiped and formatted in our lab prior to starting the image procedure. This way we know that the hard drive is working and blank prior to starting. The Intelligence Group maintains control of the imaging process by entering all commands, passwords during this process.

c. We then create a backup copy of the bit-stream image on a second drive to be used in the event that the original lab drive malfunctions.

d. We then connect the lab drive containing the bit-stream image to one of our lab computers, where we know the operating system and programs that have been installed. All our forensic processes work with the bit-stream image, but do not change that image in any way. All the results and information from the processes are stored in a separate directory on the same drive. To restate, the bit-stream copy we start with is not changed in any manner during any of our forensic processes.

e. We then run some pre-processes, which is a computer automated search for files that have been deleted and expand compressed files into different evidence files. Compressed files such as ZIP, docx, and tar are files which have been compressed to save space on the hard drive. These files need to be
expanded so that we can conduct searches of their contents. We also search for files and folders which are password protected.

6. In this case, we have been provided with two hard drives and a calculator. The hard drives, according to Mr. Hotz, are encrypted. When an encrypted drive is provided our procedure would be to create a bit-stream copy of the hard drives prior to any other actions and then create a duplicate of each drive to be utilized for the un-encryption step. This imaging ensures that we always have an "original" bit-stream image of the drives.

7. It is important to explain that a bit-stream image of the hard drive represents a snap shot in time of exactly what was on that hard drive at the time the image was created. This bit-stream image is normally created by a Computer Forensic firm or e-discovery firm when looking for deleted data or providing discovery. However The Intelligence Group was not tasked with providing discovery requests or preservation of data with the exception of documenting and maintaining a copy of any circumvention devices related to a Sony PS3 on the hard drives.

8. The Intelligence Group is only tasked with finding specific data, copying that data into an evidence file and then deleting it from the original hard drive and returning that drive to Mr. Hotz. Nothing in the order states that we need to maintain a copy of the entire hard drive for discovery or future processing of evidence. During our conference calls Mr. Hotz's attorney has stated several times that there is no reason to keep the bit-stream image of the hard drive as his client is fully capable of maintaining the computer as required in the discovery order. In addition, The Intelligence Group has offered to either hold in our evidence an encrypted copy of the bit-stream image or allow Mr. Hotz's attorney to secure this copy of the hard drive in his office as long as he would not allow his client access to that drive. Since Mr. Hotz's attorney has clearly stated that his client is capable of keeping the original hard drive in a manner that does not violate the discovery order, it seemed to me to be out of my jurisdiction since I was not tasked with any discovery issues beyond the documentation and storage of circumvention devices related to a Sony PS3.

9. As our role is to be neutral, we had the parties agree to the creating of a bit-stream image after the original drives were placed in the original computer and allowing Mr. Hotz to enter the password so that it would not be known to any party. We would then run the proper processes on our bit-stream image in our lab, create the appropriate copies of the data relating to a circumvention Devices related to a PS3 and finally delete that data off the original hard drive. Once completed we would wipe our bit-stream image of the hard drive. Mr. Hotz's attorney was agreeable to the process but could not allow us to start because a motion was going to be filed requiring The Intelligence Group to preserve the bit-stream image and he knew that Mr. Hotz would not provide his password if any copies were going to be maintained.

10. On February 25th, 2011, we were advised that Mr. Hotz will not agree to allow us to create any bit-stream image and in addition, we must use his computer for searching and processing.

11. For this forensic examination, I need to confirm that the hard drive does not contain any password protected files. In addition, I need to expand compressed files in order to conduct searches for the circumvention devices related to a PS3. Both of these processes will result in the alteration of data on the original hard drive and even overwrite data that has been previously deleted if run on the original hard drive.
My actions would cause changes and destruction of data to the original hard drive.

12. While we have been told that Mr. Hotz used Linux as the Operating system, I do not know how the operating system has been configured, changed or modified. I furthermore do not have any prior knowledge of any traps that may be on the system. While I believe Mr. Hotz to be an honest person and have no reason to suspect that he has made any changes, I will be held accountable if such changes occur. Therefore I am required to assume that all operating systems contain traps and hence must use my lab computers for processing. As an example in one of my forensic classes taught by the White Collar Crime Center, I was able to change the operating system so that when a user typed in the command "copy" it was understood by the system as "format". When any user typed in "Copy C: D:" (which would copy files from drive C to D), the operating system actually ran "Format C:" in such a manner that it would not ask the user if they were sure that they wanted to format the hard drive. Formatting a hard drive overwrites at least the first twenty percent of a 20GB hard drive and removes all files and folders.

13. Therefore, I cannot conduct the searches using the suspect's computer system and operating system. In a perfect world, I would have the complete computer system with the copies of the original hard drives installed along with the password so that I could un-encrypt the drive. However in this case, Mr. Hotz only provided the hard drives, not the computer system and refuses to provide any passwords. Without the original computer system and/or password it is very doubtful that I can un-encrypt the hard drive and proceed as indicated in the court order. I would have been able to proceed with just the hard drives if they were not encrypted.

14. According to Defense counsel, Mr.
Hotz is only willing to bring his computer to our location if he can enter the password and TIG will NOT make a copy of the hard drive. Mr. Hotz will then point out to us what are circumvention devices related to a PS3 and then copy them off to another drive. Lastly, we must use his computer system and operating system and special tools he has to delete that data off of his hard drive. According to the court order, both parties did agree to have an independent third party conduct the tasks of locating, isolating, segregating and/or removing the information related to Circumvention Devices specific to the Sony PS3 console. In order to accomplish these tasks, TIG will need access to the data, the password and original computer and work in our tested, verified and secure environment.

15. If TIG is not allowed by Mr. Hotz to create a bit-stream image of the hard drive and I am required to use his computer for processing, I will be unable to testify in court that my searches were conducted properly and completely.

16. I am available to testify in person or by phone as requested by either party or the court.

I hereby certify that the foregoing statements made by me are true. I am aware that if any of the foregoing statements made by me are willfully false, I am subject to punishment.

By: Michael Grennier, CFCE, EnCE [signature]

Dated: [illegible]

EXHIBIT A

CERTIFICATION of Michael Grennier

CERTIFICATION OF MICHAEL GRENNIER, CFCE, EnCE

I Michael Grennier, CFCE EnCE, of full age and duly sworn, does hereby state as follows:

1. I am the Director of Forensics and Security at The Intelligence Group (TIG), 1545 Route 206, Bedminster, NJ 07921. I have been employed with TIG since January 2008.

2. Prior to my tenure at TIG, I was employed by a computer forensic firm in Princeton, NJ.
I started in May 2005 as a Senior Forensic Examiner. Prior to that, I retired as a Police Captain with twenty-five (25) years of service at the South Plainfield Police Department in NJ. Prior to my retirement I had the additional responsibility of maintaining the local government's computer network. As a Police Officer, I worked as a computer forensic examiner on cases involving fraud, theft, and internal affairs investigations, as well as murder, rape, and child pornography. I have received training from Guidance Software, The National White Collar Crime Center and the International Association of Computers Investigative Specialists (IACIS) which include Certified Forensic Computer Examiner (CFCE), Electronic Evidence Collection Specialist (CEECS) and EnCase Certified Examiner (EnCE), Access Data, and Dan Mares Inc. I hold both a Certified Forensic Computer Examiner (CFCE) with IACIS and EnCase Certified Examiner (EnCE) certification from Guidance Software. Over the past 12 months I have conducted well over eighty (80) digital forensic examinations.

3. TIG is a digital forensics firm servicing its client's needs in systematically identifying, preserving, extracting, analyzing, and interpreting digital evidence. The firm can uncover e-mail communications, account information, file copying, attempted data destruction, account usage, and other activities performed on computers.

4. TIG has assisted clients in a wide variety of lawsuits, ranging from cases involving fraud, intellectual property theft, wrongful termination, forgery, matrimonial disputes including child custody and other matters that involve electronically stored information. TIG complies with all computer forensics standards as set forth by the U.S. Federal Bureau of Investigation (FBI) and Guidance Software's Incident Response Forensic Analysis and Discovery (IRFAD) program.

Initial Certification Sony V Hotz 2/26/2011 Page 1
The forensic technicians and examiners at TIG employ a number of digital forensic software packages and analysis techniques which include, but are not limited to Guidance Software's EnCase, Access Data's FTK (Forensic Toolkit) and Paraben Software's E-Mail Examiner to complete a comprehensive search of both active and deleted files, as well as to provide an unbiased report of the results. These software products are also utilized by the law enforcement community worldwide. Extensive coursework in the digital forensics field along with hands-on, product-specific training is necessary in order to use these products correctly. Additionally, specialized knowledge and training in chain of custody and evidence handling procedures in the field of digital forensics is necessary in order to perform imaging and analysis up to industry and legal standards.

5. TIG's forensic examinations are never conducted on an original media, device or drive. TIG does not turn on a suspect computer and then search it the way a person sitting in front of the computer might attempt. Our forensic examinations are always undertaken using a "bit-stream" copy. A bit-stream is a copy of the hard drive that captures every bit and byte of data without regard to programs or applications.

6. The Defendant has agreed to bring the same computer which contained and worked with the hard drives that he provided to TIG so that they could be held in evidence as specified in the court order. The importance of this deals with the encrypted hard drives and the operating system drivers which must match the computer hardware for the booting process to successfully occur.

7. In this case, the defendant has represented the hard drives contain a Linux based File and Operating System which he has encrypted by the username and password.
In order for the computer to boot and provide TIG access, the defendant will need to either provide TIG the encryption password or enter the password during the boot process. Once the proper password is entered, the data from the hard drive passes to the operating system as unencrypted data. As previously mentioned, the standard procedure would be to create a "bit-stream" image of the hard drive at this time in order for TIG to cost effectively isolate, segregate and/or remove the information on those devices related to Defendant's circumvention devices. For this process to continue, TIG requires a bit-stream image that is verified. For this case, the verification process checks the MD5 hash value of the bit-stream image file to ensure that the data is intact. While it is extremely unlikely that the verification process fails, it does occur in a small percentage of image creations (less than 5%) and requires the process to be restarted. If the Defendant chooses to enter the password rather than provide that password to TIG, he will be required to stay on-site until the process has been completed and verified because that password may be needed again in the event his computer crashes during this process.

8. Based upon the requested effort, TIG will need to search for and "retrieve" any Circumvention Devices or related information which may include the following areas of the hard drives such as:

a. Active files

b. Deleted files (unallocated space)

c. Slack space (the area between the end of the file and the start of the next cluster or sector)

d. Compressed files including but not limited to TAR, ZIP, TZ etc

e. Password protected files or areas of the hard drive

9. In order to properly conduct the searches and as the rules of evidence provide for, a forensic examiner must be in control of the environment in which the examination is to occur.
They must use familiar hardware and software which has been tested and validated. Failure to use properly tested equipment may allow changes to occur to the data and therefore may alter the results. For this reason, the Defendant's hard drives can be used to create the bit-stream image only and it should not be used for keyword searches and processing of data.

10. The above explanations were reviewed on a conference call with attorneys and the following protocols were agreed to as stipulated:

a. The Defendant shall bring his computer to TIG offices for the purposes of unencrypting the hard drives.

b. Once the hard drives are installed, the Defendant will enter his password which unencrypts the hard drives.

c. TIG will be allowed to create a bit-stream image of the hard drive for purposes of locating, isolating, segregating and/or removing the information related to Circumvention Devices specific to the Sony PS3 console.

d. After completion of the bit-stream image, the Defendant prior to leaving the offices of TIG, will show TIG the Circumvention Devices and related files specific to the Sony PS3 console so that a file listing can be created.

e. In addition, the Defendant will identify any and all of the following items:

i. Any files, folders or data areas that are encrypted or require a password. Examples would include but not be limited to truecrypt, zip, or rar

ii. Identify if he used or accessed or modified any of the following drive areas:

1. Volume slack
2. Master Boot Record / Superblock
3. Partition table
4. Hosted Protected Area
5. Drive Configuration Overlay
6. Partition slack
7. Sectors or blocks marked as Bad but used to store data
8. Disk slack
9. Unused space in the block group
10. Directory entries

f. The original hard drive will remain in evidence until the Circumvention Devices and related data has been removed.

g.
TIG will use portions of data from the Circumvention Devices relating to a Sony PS3 console to search for these devices and/or additional references of circumvention devices across the entire hard drive space.

h. Any Circumvention Devices relating to a Sony PS3 will be documented and stored in a separate evidence file on a hard drive that TIG provides for this purpose.

i. Any code which is questionable as being a Circumvention Device relating to a Sony PS3 console will be reviewed by a TIG sub-contractor that has no conflicts to Sony Corporation. If after this review the code appears to be a Circumvention Device relating to a Sony PS3 Console, the code will be sent to Mr. Hotz's attorney. Mr. Hotz's attorney will always maintain possession of the code and not allow it to be copied or transferred in any manner. Mr. Hotz is being provided the code so that he can show the code to his client and determine if they want to object to the code being designated as a Circumvention Device. Any objections after a second review by TIG will be brought before the Judge in-camera for the purpose of making a final determination.

j. Once the process of locating the Circumvention Devices relating to a Sony PS3 console has been completed, TIG shall remove the identified data from the original hard drives of Mr. Hotz.

k. Once the identified data has been properly removed from the original hard drives, they shall be returned to Mr. Hotz. Once the process of removing the data from Mr. Hotz's hard drives has been completed the bit-stream image of the hard drive shall be wiped. This process will remove all data from that hard drive.

I hereby certify that the foregoing statements made by me are true. I am aware that if any of the foregoing statements made by me are willfully false, I am subject to punishment.
Dated: [illegible]

By: Michael Grennier, CFCE, EnCE

EXHIBIT 2

Page 1 of 9

Gaudreau, Holly

From: Boroumand Smith, Mehrnaz [mboroumand@kilpatricktownsend.com]
Sent: Friday, February 25, 2011 10:59 AM
To: Stewart Kellar; Robert Kleeger; Michael Grennier
Cc: Gaudreau, Holly
Subject: RE: SCEA v. Hotz - Engagement letter - Final
Attachments: 2011-02-18 (84) Order re Prelim and Hearing on Motion to Dismiss.pdf

Stewart, Robert and Michael,

The purpose of the impoundment is to get the circumvention devices and information related to those devices away from Mr. Hotz. It is not to alter evidence. By having the Intelligence Group retain images of the drives as they originally existed, we can accomplish both the impoundment order and preserve evidence. Moreover, as we discussed on our call, we are amenable to Mr. Kellar, as an officer of the court, maintaining the images once the impoundment is completed while the Court is resolving any discovery disputes.

For your reference, the specific preservation requirement of the preliminary injunction (which was also included in the TRO) is found on page 3 of the attached pdf.

Lastly, the modified order attached by Mr. Kellar regarding the impoundment states that "If there are any disputes between the parties regarding the scope of the information to be segregated and removed from defendants' devices, or any other disputes related to the temporary impoundment of the defendant's devices, those matters shall be presented to Magistrate Judge Spero in the first instance." (Emphasis added). Clearly the issue of whether the image of the hard drives is to be deleted is one that needs to be presented to the Magistrate in order to avoid spoliation of evidence. As we discussed on our call, we will raise this issue with Magistrate Judge Spero in a letter copied to each of you early next week.
Thanks,
Mehrnaz

Mehrnaz Boroumand Smith
Kilpatrick Townsend & Stockton LLP
Eighth Floor | Two Embarcadero Center | San Francisco, CA 94111
office 415 273 7559 | fax 415 723 7205
mboroumand@kilpatricktownsend.com

From: Stewart Kellar [mailto:stewart@etrny.com]
Sent: Friday, February 25, 2011 10:12 AM
To: Boroumand Smith, Mehrnaz
Cc: Robert Kleeger; Michael Grennier; Gaudreau, Holly
Subject: Re: SCEA v. Hotz - Engagement letter - Final

Mehrnaz, Rob and Mike,

As a follow up to our call of a few minutes ago, I wanted to make sure that one point was completely clear regarding why the Intelligence Group's wiping of the images made of Mr. Hotz's storage devices (as they exist prior to removal of the circumvention information) is important.

The preliminary injunction order clearly carves "isolating, segregating and/or removing (impounded information)" from Mr. Hotz's general requirement to preserve and not destroy evidence. In fact, preservation of the circumvention devices is what is contemplated by the impoundment order. The preliminary injunction reduced the TRO's initial impoundment requirement from impounding the entire drives to merely impounding information related to PS3 circumvention devices and explicitly requires the drives to be promptly returned to Mr. Hotz. No evidence will be destroyed, merely segregated into two parts: the impounded items, and the remaining data on Mr. Hotz's storage devices. Preserving additional images of the devices would violate Judge Illston's Order modifying impoundment for this limited purpose. I have attached the Order for clarity.

Stewart Kellar
E-ttorney at Law™
148 Townsend St. Ste. 2
San Francisco, CA 94107
(415) 742-2303
stewart@etrny.com

The information contained in this email message may be privileged, confidential and protected from disclosure. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited.
If you think that you have received this email message in error, please notify the sender by reply email and delete the message and any attachments.

On Fri, Feb 25, 2011 at 9:56 AM, Boroumand Smith, Mehrnaz <mboroumand@kilpatricktownsend.com> wrote:

Stewart, Rob and Mike,

As a follow up to our call of a few minutes ago, I wanted to make sure that one point was completely clear regarding why the Intelligence Group's preservation of the images made of Mr. Hotz's storage devices (as they exist prior to removal of the circumvention information) is important.

If the images are wiped by the Intelligence Group after the impoundment procedure is completed (and the impounded information is removed), no one, including Mr. Hotz, will have a forensically intact copy of his hard drives as they existed originally. Consequently, evidence of the hard drives in their original form -- clearly relevant to the merits of this case -- will be destroyed in violation of the Court's TRO and preliminary injunction orders.

Thanks,
Mehrnaz

Mehrnaz Boroumand Smith

EXHIBIT 3

Page 1 of 2

Boroumand Smith, Mehrnaz

From: Michael Grennier [MGrennier@intell-group.com]
Sent: Saturday, February 26, 2011 6:33 PM
To: Boroumand Smith, Mehrnaz; Gaudreau, Holly; Robert Kleeger; Stewart Kellar
Cc: Robert Kleeger
Subject: RE: Certification for review

Mehrnaz,

See below:

From: Boroumand Smith, Mehrnaz [mboroumand@kilpatricktownsend.com]
Sent: Saturday, February 26, 2011 8:04 PM
To: Michael Grennier; Gaudreau, Holly; Robert Kleeger; Stewart Kellar
Subject: RE: Certification for review

Dear Michael,

Thanks for sending the draft protocols. Late yesterday, Mr. Kellar informed us that Mr. Hotz would not allow any imaging of his hard drives to occur. Based on our call, we understood that he would be updating you on Mr. Hotz's position (including an alternative proposal that was not acceptable to SCEA).
Consequently, we are in the process of putting together a joint dispute letter that the parties will file with the Court on Monday morning. For our part, we would like to present the court with your proposed protocol subject to the following clarifications and comments:

1. We believe you may have inadvertently left out the initial step of creating forensic bit-stream images of the devices provided by Mr. Hotz. As you stated in paragraph 5 of the protocols and we understand from our forensics consultants, original media, devices or drives are never used to conduct examinations because of concerns, including among others, that the original hard drives may fail. Consequently, we believe that two such images should also be made here - one to be maintained in a secure vault by the Intelligence Group and the second to be used for decryption (rather than using the original hard drive). Please confirm that under your suggested protocol, the Intelligence Group would create such images and if not, let us know why not.

Section 10.C clearly states that we will be creating a bit-stream image of the hard drive. As for two images, that was not agreed to during our conversations. In addition, we would still have to wipe both copies at the end. I would agree that two images would be the "norm" and provide a back-up in the event the primary drive fails, but it was not agreed to by the parties and based on the last email they are now not agreeing to what we discussed and agreed to during the phone call.

Similarly, please confirm that two bit-stream forensic images of the decrypted hard drive will be created - one for preservation purposes (to be maintained in a secure vault at the Intelligence Group until such time as the Court resolves the protocol and discovery disputes between the parties) and the second to conduct your review with Mr. Hotz as well as your independent searches and analysis.
IF there was an agreement to maintain a preserved copy, then the proper procedure would be to create a bit-stream (forensic) image of the drives while encrypted and prior to starting these processes. Then create a second bit-stream (forensic) image after the drive was unencrypted with the password. This would provide us with a before and after data for court purposes that I could present if requested by either party. However there is no agreement to maintaining a copy for preservation of the hard drive and even a requirement that we wipe our data copies upon completion. In addition Mr. Hotz's Attorney has clearly stated that it is his intention and belief that there is no need for him to have a copy or maintain a copy of the hard drive and he is of the belief that his client is capable of keeping the data intact as required under the discovery order.

Also please confirm that the working bit-stream image of the decrypted hard drive (and not the original device provided by Mr. Hotz) will be used for analysis. We do not want Mr. Hotz to contend that the Intelligence Group has in any way altered the original hard drive except at the very end of the analysis when you remove the information and devices related to circumvention that you have located (through your analysis on the working copy) from the original devices provided by Mr. Hotz.

The Intelligence Group has stated in the certification that we will be creating a bit-stream image of the unencrypted drive. We will use our copy of the bit-stream image to locate and document the devices related to circumvention. Then we will remove the data from those areas of the original hard drive as the last step. THE INTELLIGENCE GROUP IS UNABLE AND UNWILLING TO USE HIS COMPUTER FOR ANYTHING OTHER THAN OBTAINING A BIT-STREAM COPY OF THE UNENCRYPTED DRIVE.

2.
Please confirm that under your protocols for chain of custody purposes you will photograph both original hard drives as well as document the drives' model and serial numbers and record BIOS or other system clock information. The Original drives were photographed and a Chain of Custory was completed and signed by Goerge Holtz's dad who dropped them off at our offices. A copy can be forwarded on Monday if requested. We also have the drives make and model on file. When the comptuer is presented we will record the BIOS information, along with the time/date on the bios Clock. As we have to provide our response to the Joint Discovery letter to Mr. Kellar by 4 pm PT tomorrow, we ask that you respond to our questions by no later than noon your time tomorrow. We greatly appreciate your assistance over the weekend on this matter. Mehrnaz Mehrnaz Boroumand Smith Kilpatrick Townsend & Stockton lLP Eighth Floor I Two Embarcadero Center I San Francisco, CA 94111 office 415 273 7559 I fax 415 723 7205 mboroumand(ikilpatricktownsend.com I My Profie I VCard From: Michael Grennier (mailto:MGrennier(§intell-group.comJ Sent: Saturday, February 26, 2011 7:37 AM To: Gaudreau, Holly; Robert Kleeger; Stewart Kellar; Boroumand Smith, Mehrnaz Subject: Certification for review Attached is my certification in draft form for reivew. Please comment and advise. I will forward the final copy with signatures by Sunday evening. Regards, Mike Confidentiality Notice: This communication constitutes an electronic communication within the meaning of the Electronic Communications Privacy Act, 18 U.S.C. Section 2510, and its disclosure is strictly limited to the recipient intended by the sender of this message. This transmission, and any attachments, may contain confidential attorney-client privileged information and attorney work product. 
If you are not the intended recipient, any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is STRICTLY PROHIBITED. Please contact us immediately by return email or at 4048156500, and destroy the original transmission and its attachments without reading or saving in any manner.

EXHIBIT 4

From: Michael Grennier [MGrennier@intell-group.com]
Sent: Saturday, February 26, 2011 7:02 PM
To: Stewart Kellar
Cc: Gaudreau, Holly; Robert Kleeger; Boroumand Smith, Mehrnaz
Subject: RE: Certification for review

Mr. Kellar,

I am saddened to hear that you will no longer agree with the process agreed to by you on Friday. While the court would need to decide the issue of the preservation, I felt that the Intelligence Group was working as neutral in getting the process on paper and you were working with all parties by agreeing to allow the drive to be imaged and having it wiped at the end of the process. I need to state and will now include in a second certification that you did agree to the steps listed in the first certification, but after consulting with your client they are no longer acceptable.

In addition, I can only use Mr. Hotz's computer to create the unencrypted bit-stream image file. I cannot use his software or his computer to search for data to be wiped. His computer is unknown and untested in my environment. I can't even use standard Unix commands without knowing or having a way to confirm that they are working properly under test conditions. While it is not plausible, it is possible that the OS could have been changed so that a copy command is now a format command or that the standard command line entries work differently due to changes made in the OS.

I also completely disagree with your statement that this is not a forensic examination. I am being tasked to search for, and locate data on a hard drive even data that may have been deleted using standard forensic techniques. My review of the Court Order does not indicate that your client has sole responsibility to search for and "point out" the Circumvention devices and supervise the deletion. Rather it is my reading that I as the independent third party am responsible for making that determination and then removing the data from the original hard drive.

I also want to state that The Intelligence Group fully expects both parties to pay for the professional services provided by such as the accepting of the hard drives, conference calls and writing of certifications as agreed to. I am sure and please confirm that your statement that Mr. Hotz will provide The Intelligence Group with our initial retainer being listed in the agreement to an alternate proposal paragraph was just information included in that paragraph rather than a threat to withhold payment during this process if the other side did not agree with your proposal.

I understand that everyone is under deadlines, and I will try to have my second certification to you by tomorrow noon. The First certification will be signed as is and forwarded by Sunday Evening.

Regards,
Mike

From: Stewart Kellar (stewart(getrny.com)
Sent: Saturday, February 26, 2011 8:35 PM
To: Michael Grennier
Cc: Gaudreau, Holly; Robert Kleeger; Boroumand Smith, Mehrnaz
Subject: Re: Certification for review

Mr. Grennier,

We will not agree to allow any image or copy to be made of Mr. Hotz's drives or allow searches to be run on Mr. Hotz's drives using systems and programs not native to Mr. Hotz's computer system. The Impoundment order calls for impoundment only. It is not a forensic examination and does not require that imaged copies of Mr. Hotz's storage devices be made. Thus, any imaging or additional copies of Mr. Hotz's drives goes beyond the scope of the impoundment order and beyond the scope of how Mr. Hotz's drives may be accessed and/or manipulated.

As an alternate proposal, Mr. Hotz agrees that on Monday February 28, 2011, he will go to your office and provide you with the initial retainer and fully signed agreement. Mr. Hotz then agrees to demonstrate that the circumvention devices at issue are indeed on the impounded devices. Mr. Hotz agrees to bring his computer system which will be used to access the drives and identify the circumvention devices therein. After the devices are shown to have the circumvention devices, they will be left impounded in your office's custody until such time the court either lifts the impoundment order or makes an order otherwise affecting the impounded drives.

I contacted SCEA's counsel at 3:02pm PST yesterday to discuss our proposal, and left a message. The call was returned by SCEA's counsel at 5:00pm PST who ultimately stated their opposition to our alternate proposal. Both parties have agreed to a schedule for drafting a joint letter to Magistrate Judge Spero on the matter, which will be filed and submitted to the Judge by Monday, February 28th.

The statements made in your draft letter do not reflect our position and are not agreed to. I look forward to receiving a revised draft that reflects our position in this matter. Thank you.

Sincerely,
Stewart Kellar
E-ttorney at Law™
148 Townsend St. Ste. 2
San Francisco, CA 94107
(415) 742-2303

The information contained in this email message may be privileged, confidential and protected from disclosure. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this email message in error, please notify the sender by reply email and delete the message and any attachments.

On Sat, Feb 26, 2011 at 7:37 AM, Michael Grennier <MGrennier@intell-group.com> wrote:

Attached is my certification in draft form for review. Please comment and advise.
I will forward the final copy with signatures by Sunday evening.

Regards,
Mike

"DISCLAIMER" Per Treasury Department Circular 230: Any U.S. federal tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.

EXHIBIT 5

Volume 1
Pages 1 - 36

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
BEFORE THE HONORABLE SUSAN ILLSTON, JUDGE

SONY COMPUTER ENTERTAINMENT AMERICA, LLC, Plaintiff,
VS.
GEORGE HOTZ, ET AL., Defendants.

NO. C 11-00167 SI

San Francisco, California
Thursday, February 10, 2011
10:29 a.m.

TRANSCRIPT OF PROCEEDINGS

APPEARANCES:

For Plaintiff:
KILPATRICK TOWNSEND
Two Embarcadero Center, Eighth Floor
San Francisco, California 94111
BY: JAMES G. GILLILAND, JR., ESQ.
HOLLY GAUDREAU, ESQ.
RYAN BRICKER, ESQ.

For Defendant George Hotz:
LAW OFFICES OF STEWART KELLAR
148 Townsend Street, Suite 2
San Francisco, California 94107
BY: STEWART KELLAR, ESQ.

Also Present: MICHAL EDELM

Reported by: BELLE BALL, CSR #8785, RMR, CRR
Official Reporter, U.S. District Court

Belle Ball, CSR #8785, RMR, CRR
Official Reporter - U.S. District Court
(415) 373-2529

Page 25

stand at the podium at the same time, if you want.

MR. KELLAR: Thank you. With regard to allowing Sony access to my client's computer to inspect all files to find out which ones are and are not the circumvention devices again raises the same issue of impounding Mr. Hotz's privileged, confidential, and otherwise private information on his computers.

THE COURT: And, you know why that issue comes up? Because that's where he did what he did. And for present purposes, anyway, what he did was not all right. So,

MR. KELLAR: That's correct, Your Honor.

THE COURT: -- that's the breaks,

MR. KELLAR: However, the TRO already states that Mr. Hotz is to preserve and not destroy any records or documents in whatever format relating to the circumvention devices, and Mr. Gilliland has -- or Sony's counsel has demonstrated no risk of spoliation, of covering tracks, of any illicit activity involving tampering with evidence after receiving notice of this suit.

THE COURT: Oh, I don't think that's right. I got something just yesterday or the day before that he's posted -- posted things on the Internet that is in direct violation of the order.

MR. KELLAR: It is not correct that he posted things in direct violation of the order. He posted a link to
