Despite being accused of altering evidence, forensics specialist Keith Jones stood firmly by his earlier testimony that whoever brought down the UBS PaineWebber network had to do so from inside Roger Duronio's home. Duronio is the systems admin on trial for the attack.
Newark, N.J. -- The prosecution's forensics expert in a computer sabotage trial here continued to buffet the defense's contentious line of questioning. New accusations Thursday were that Jones altered evidence and fudged his analysis to go along with the government's theory.
It was the fifth day on the stand and the second under cross-examination for Keith Jones, director of computer forensics and incident response at Mandiant, an information security company based in Alexandria, Va. Jones continued to be questioned by Chris Adams, the lead defense attorney for Roger Duronio, a former systems analyst for UBS PaineWebber. Duronio is being tried on federal charges for allegedly building and planting malicious code that took down the main host server, along with about 2,000 branch servers, at the company four years ago.
Forensics investigator Keith Jones stood by his earlier testimony despite the defense attorney's accusations that Jones altered evidence.
In his first day of cross-examination on Wednesday, Adams questioned Jones about hackers involved in the initial forensics examination and the quality of the evidence that the investigator had to analyze. But in Thursday's even more heated exchange, the lawyer's questioning took a more direct, and personal, line about Jones himself. Adams asked whether Jones had based his work on faulty assumptions, if he had altered evidence, and if he had made efforts to force his findings to go along with the government's case.
In his approximately two and a half hours on the stand Thursday, Jones remained calm and stood by his findings.
At the start of Thursday's proceedings, Adams grilled Jones about making assumptions regarding the quality and validity of the backup tapes from the damaged servers that Jones used in his investigation. The tapes he had didn't include every bit of data on the servers, but Jones had earlier testified that it was enough to supply evidence that Duronio had created and modified the malicious code on the UBS network.
"So when you talked about putting pieces of the puzzle together, you were missing three-quarters of the pieces for the [central file server] alone?" Adams asked.
"The puzzle pieces I had to put together formed the picture I needed," Jones replied. "If the puzzle was of a boat, then I had enough pieces to form the picture of the boat."
Adams countered, "But you might not see all the other boats around it."
Jones replied, "But the second boat won't get rid of the first boat. It's simple mathematics that when you add data, you don't subtract data… There was nothing in that data set that could remove the data I already had."
The defense attorney also repeatedly questioned Jones about whether the forensics investigator had altered critical information on the backup tapes he had examined. Jones explained to the jury that restoring the data had left a new "last accessed" date on a few of the tapes, but that this is normal for certain types of data formats and it didn't factor into his analysis.