Ceglia v. Zuckerberg et al
Filing
51
DECLARATION signed by Michael F. McGowan re 44 MOTION to Expedite - Notice of Motion for Expedited Discovery filed by Mark Elliot Zuckerberg, Facebook, Inc. filed by Mark Elliot Zuckerberg, Facebook, Inc.. (Attachments: # 1 Exhibit A, # 2 Exhibit B)(Snyder, Orin)
UNITED STATES DISTRICT COURT
WESTERN DISTRICT OF NEW YORK
X
PAUL D. CEGLIA,
Civil Action No. 1: 10-cv-00569RJA
Plaintiff,
DECLARATION OF MICHAEL
F. MCGOWAN IN SUPPORT
OF DEFENDANTS' MOTION
FOR EXPEDITED
DISCOVERY
V.
MARK ELLIOT ZUCKERBERG and
F ACEBOOK, INC.,
Defendants.
X
I, Michael F. McGowan, declare and state as follows:
Introduction
1.
Stroz Friedberg, LLC ("Stroz Friedberg") has been retained by~ Gibson, Dttnn &
Crutcher, LLP ("Gibson Dunn"), on behalf of its clients Mark Zuckerberg and Facebook, Inc.
("Facebook"), in the above-styled case to provide consulting and electronic discovery services
and to conduct digital forensic examinations of various media. This declaration is executed by
Michael F. McGowan, a Director of Digital Forensics at Stroz Friedberg. I have helped lead the
development of Stroz Friedberg's expertise in detecting backdating and forgeries of electronic
documents.
2.
I have been informed by Gibson Dunn that Paul Ceglia claims to possess a
contract between himself and Mr. Zuckerberg regarding "The Face Book" that Mr. Ceglia
prepared and
on his computer (the "Purported Contract"), as well as email messages
between Mr.
and Mr. Zuckerberg
''Purported
I also have
Book" (the
the
that Mr. Zuckerberg and Facebook
Purported
on
li1
3.
As set forth below, Stroz Friedberg has extensive experience and is a leading
expert in assessments as to whether electronic documents have been backdated, forged, or
altered. As explained below, to best make such assessments, Stroz Friedberg needs to inspect: (a)
all native electronic versions of the Purported Contract and the Purported Emails; and (b) every
available computer or piece of external media on which the electronic documents in question
were created, viewed, saved, or modified. As explained below, there can be substantial
information in the native electronic versions of the files in question that bear on their
authenticity. Producing printouts, Adobe Acrobat .pdf files, or other similar non-native copies of
the documents do not give a digital forensic examiner comparable access to the critical existing
evidence bearing on authenticity.
4.
In addition, as explained below, evidence relating to authenticity can be extracted
from many locations on any computers on which the documents in question were created, saved,
viewed, or modified. These locations include the computer system, application, and security
logs; the unallocated space of the computers from which deleted files or file fragments may be
recovered; the portion of the hard drives that stores the dates and times that files were created,
last accessed, and modified; and the files that show what documents recently were accessed.
5.
Accordingly, this declaration is in support of Gibson Dunn's motion for expedited
discovery requiring Mr. Ceglia to produce for forensic preservation and unfettered digital
forensic analysis: (a) all native electronic versions of the Purpmted Contract and the Purported
Emails; and (b) all computers and electronic media within Mr. Ceglia' s possession, custody, or
control, including the
found the
of
found at
Purported Emails on
parents'
on which Mr. Ceglia claims to
As
this
Purported
lS
or
Qualifications in E-Forgery Matters
6.
I have gained expertise through experience, research, and training in detecting e-
forgeries. I have conducted digital forensic examinations of multiple computers, external hard
drives, and other digital media in both routine cases and cases in which many millions of dollars
or people's freedom have hinged on the authenticity of proffered electronic documents. In many
cases, I have been able to find critical evidence that bore on the authenticity of the electronic
documents and, in a majority of the cases, that evidence has resolved the matter.
7.
I am a Director of Digital Forensics at Stroz Friedberg. I co-manage Stroz
Friedberg's technical operations in the areas of digital forensics and cyber-crime response. I have
conducted hundreds of digital forensic examinations and data acquisitions from various media
types, including laptop and desktop computers, servers, and mobile devices. I also have been the
lead digital forensic examiner on most of the firm's significant e-forgery investigations. I have
provided trial and hearing testimony on a number of occasions and have been admitted as an
expert in digital forensics in federal and state court, including on behalf of the United States
Department of Justice in connection \Vith one of the Enron Task Force prosecutions. i\. copy of
my C. V. is attached to this declaration as Exhibit A.
On this matter. I worked under the direction and supervision of Eric M. Friedberg.
8.
Mr. Friedberg is Co-President of Stroz Friedberg. He has participated in and supervised hundreds
of
forensics examinations over his past eleven years with Stroz Friedberg, both in the
context
and responses to cyber-crime. He has participated in and
on
contracts.
He
published an
I was
on
e-forgery. Prior to joining Stroz Friedberg, Mr. Friedberg was an Assistant United States
Attorney with the United States Attorney's Office for the Eastern District of New York from
1989 to 2000. Mr. Friedberg acted at various times as the Office's Chief of Narcotics and the
district's lead cyber-crime prosecutor. A copy of Mr. Friedberg's C.V. is attached to this
declaration as Exhibit B.
Conducting the Authenticity Analysis
A.
Information Available from the Native Electronic Files
9.
In an authenticity case, it is critically important for a digital forensic expert to
have available for examination more than the paper printouts or images (.pdf or .tiff files) of the
documents. A digital forensic examiner should have full access to every available version of the
"native" electronic files at issue, meaning the format in which the file was originally created. For
example, email stored by a user using Microsoft Outlook should be produced in Outlook format,
normally in a file called a ".pst file". As another example, Microsoft Word documents should be
produced as Word documents (.doc or .docx files). If a Word document has been rendered as a
.pdf file, then the \"lord version a11d the .pdf version should be produced.
10.
Native electronic documents contain certain data about the creation and use of the
documents. This data is called "embedded metadata" and can include information about the date
the document was created, last accessed, modified, and printed; the author of the document; the
name of the user who last opened
document;
information. This data can be
can
date an email was sent or modified; and
in authenticating a document, as
this
or
are
lL
that
on
an email, such as the sender of the email, the recipients of the email, the date and time the email
was sent or received, and the subject of the email. However, a digital forensic examination of an
email produced in native format can reveal other useful embedded metadata, such as the Internet
headers. When an email is transmitted across the Internet from the sender to the recipient, each
server that is used in the transmission affixes the date and time at which the email was received
by the server to the email's Internet headers metadata. Anomalies in the Internet headers can
readily reveal backdating and fraud. An analysis of email Internet headers, including the date and
time stamping, is critical in a case such as this where Mr. Ceglia is claiming that key emails were
exchanged over the Internet between him and Mr. Zuckerberg in or around 2003 and 2004.
12.
Native files also can include other non-visible data that can bear on authenticity,
such as Track Changes information that reveal a document's editing history or recent deletions
from the document that can be forensically reconstructed. Such information is necessary to fully
understand the provenance and modification of documents and is among the typical artifacts
considered inane-forgery investigation. Such relevant embedded metadata often is stripped out
of a native docttment vvhen it is rendered into a ~tiff image or .pdf file., making production of the
native version critical.
B.
Information Available from Computers and Electronic Media Generally
13.
While some information relevant to authenticity can be extracted from individual
files, much more such information is available from an inspection of all
media on
the
the computers or
stored. or modified.
from a
event
on
a
unallocated space of digital media, including a computer's hard drive, to name just a few
locations.
14.
Even where documents were created on another computer, an inspection of
computers or digital media on which a person simply opened, viewed, or saved the documents
can provide significant information about the authenticity of those documents. This is because
the mere act of opening a document on a computer can create a cached version of that document
on the computer's hard drive. In e-forgery matters, I have sometimes found cached versions of a
document that are inconsistent with the proponent's view of the authenticity.
15.
Full inspection of each computer is accomplished first by performing a digital
forensic copying (or imaging) of the computer's hard drive or hard drives and other digital media
used with that computer. This is an entirely passive process and does not change any of the data
on the drive or media. Digital forensic examiners perform their analyses from these digital
forensic images, not the originals. A typical imaging of a laptop or desktop computer, or an
external hard drive, takes between one and several hours. Once the digital forensic imaging
process is complete, the comptlters can be returned to the
16.
ov~;ners
for rest!med usage.
For the reasons set forth above, it is critical to Stroz Friedberg's analysis of the
authenticity of the Purported Contract and the Purported Emails that Stroz Friedberg create: (a)
forensically-sound copies of all native electronic versions of the Pmported Contract and the
Purported Emails; and (b) forensically-sound copies of all computers and electronic media
Mr. Ceglia's
on
custody, or
to
\..AJIHH.Jl
including
computers
at his parents'
on
he now
A Possible Protocol for Digital Forensic Analysis
17.
Typically, when the proponent of the authenticity of a document, such as Mr.
Ceglia, is producing his computers and electronic media for inspection, Stroz Friedberg utilizes a
protocol to protect private or privileged information. That protocol allows the digital forensic
examiner to look at and rely on any information on the computers in conducting his or her
authenticity examination. However, to protect private or privileged materials, the descriptions of
such files or text should be redacted or masked in Stroz Friedberg's report. To accomplish this,
in advance of writing the report or communicating with its client, Stroz Friedberg tenders to
counsel for the owner of the computers ("Opposing Counsel") all file names, strings, fragments,
and text that it intends to rely on in its report on authenticity. Opposing Counsel then can
interpose an objection if any such file names, strings, fragments, or text from the computers are
private or privileged. For any material objected to by Opposing Counsel, Stroz Friedberg uses a
protocol to redact the content while still relying on the important metadata or other attributes.
18.
In addition, Stroz Friedberg's protocols incorporate a strict non-disclosure
agreement to prevent it from disclosing, outside of its report, information from the computers. In
sensitive cases, Stroz Friedberg even has conducted our examination at Opposing Counsel's
offices, and under the supervision of Opposing Counsel's digital forensic expert, so that Stroz
Friedberg does not ever have possession of the opposing party's digital forensic images and so
that the opposing expert can verify that there is no inappropriate copying of data by Stroz
Friedberg. Indeed, Stroz Friedberg's protocols normally require that the computers used for the
inspection have no access to
secured
Internet.
protection,
forensic
can be
a media safe in a separately keyed room in
both
Conclusion
create:
all
and
or
including the computers found at his parents' house on which Mr. Ceglia claims to have found
the copies of the Purported Emails on which he now relies. In addition, Stroz Friedberg should
be allowed to fully analyze these forensically-sound copies.
I declare under penalty of perjury that the foregoing is true and correct. Executed on this
, 2011 at Chic go, Illinois.
'
Michael F. McGowan
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?