Day 3 of Bradley Manning’s pre-trial hearing: In-depth notes from the Art. 32 courtroom
December 18, 2011: Bradley Manning Support Network sent a representative into the courtroom to take notes for the public on what happened at Bradley Manning’s hearing. No recording devices (like cell phones or audio recorders) were allowed, so all these notes are hand-written and as accurate as written notes and memory allow. Notes were taken by Rainey Reitman, any omissions or inaccuracies are entirely her fault and not reflective of the Support Network positions. Please send corrections to [email protected]
Note: there are a number of proper nouns – from military terms like FOB Hammer to names like Milliman – that may be hard to spell. Where possible, I am checking my spelling against that of the Associated Press and Kevin Gosztola of Firedoglake. If there are mistakes, please email corrections to [email protected]
Getting to the Courtroom
Figuring the crowds would be minimal on the third day of the proceedings and noting that the last two days of the hearing started late, I came in later this morning. I arrived and shot a picture from my phone of the courthouse, only to be reprimanded by a guard nearby about taking photos. He told me it was a violation of federal law to take a photograph on government property, which surprised me because I had seen dozens of photographers. I decrypted my phone, erased the photo, turned the device off, and put it back in the glove compartment. The officer said he really hoped I wouldn’t do this again as he would hate to have to remove me from the courthouse.
I was searched and denied entrance because court was already in session, which didn’t bother me as the trial had a live real-time feed in the theater building next door for spectators. But as I headed over to watch the beginning of the proceedings from the theater, I was told they were closing the theater down and I would be unable to watch there. They refused me late entrance to the courtroom, closed the theater down even though it prevented me from watching, and refused me entrance to the media center because they said I lacked proper credentials. I found this particularly frustrating because we had two members of the Bradley Manning Support Network apply for media passes (among other things, people with media access are able to have a laptop and make notes on keyboard instead of by hand). One pass was never granted. The other was approved, but then subsequently revoked.
I waited out the morning in a heated trailer. No notes from first witness. I urge people who want to learn about the first witness to visit http://dissenter.firedoglake.com/2011/12/18/bradley-manning-pre-trial-hearing-live-blog-day-3/
The Article 32
11:17 AM. Sergeant First Class Paul Adkins was called by the prosecution. He was a straight-backed individual with wide shoulders and narrow eyes, with thin-rimmed glasses. No sooner was Adkins sworn in than he invoked his Article 31 right to remain silent. The investigating officer Almanza asked whether there were any questions he could be asked which would not cause him to invoke his Article 31, and Adkins said there was no
David Coombs stood and objected. Citing case law, he argued that the Article 31 did not apply in an article 31 hearing. He urged Almanza to force Adkins to testify because he wasn’t under criminal investigation in this matter. As a secondary measure, the defense urged the Almanza to offer Adkins immunity and then compel him to testify. The prosecution would not support an immunity offer for Adkins, and the IO dismissed Adkins from the stand.
11:21 AM Warrant Officer 1 Kyle Balonek was called telephonically. As with the previous witness, no sooner was he sworn in than he invoked his right to remain silent. Once more Almanza asked whether there were any questions that could be asked that would not cause the witness to invoke his Article 31 rights. Again the defense objected, citing their prior objections and noting as well that this individual wasn’t facing criminal or administrative investigation. Nonetheless, the government dismissed Balonek, finding him to be unavailable.
Sergeant Chad Madaras
11:24 AM Sergeant Madaras was sworn in telephonically. He was reminded not to have any notes in front of him, and told to notify the investigating officer if he wanted to make a classified response.
The prosecution began by asking how Madaras knew Manning. They met together during a GCC rotation. Specifically, they met in the smoking area near the barracks during the summer or fall of 2008. Like Manning, Madaras was a 35 Fox Intelligence Analyst.
The prosecution then reviewed Madaras’ training and credentials, asking him to describe what he had learned in AIT (training to become an analyst). He described the basic knowledge obtained, and the prosecution wanted to know if the training included details about accessing information or publishing it on the Internet. Madaras could not recall that there was anything in the AIT training about publishing information on the Internet.
Madaras described taking a DCGS class with Manning in August 2008, as well as a military writing style class in which Adkins was the instructor. He also noted that manning was on a JRCT Iraq rotation with him in 2009. During the rotation, they did not work the same shift. At the time, Manning worked the day shift and Madaras worked nights.
Madaras described being deployed to Iraq in October 2009, with Manning coming a few weeks later. They both worked in the same place, and on the same team – The Shia Threat Team. At first, Madaras worked the day shift and Manning worked the evening. At some point later, that switched. During this time, Madaras and Manning shared a work station and two computers – one referred to as a Dell and one an Alienware. At first, they both used the Dell, but then Manning increasingly used the Alienware computer.
As an analyst, Madaras was charged with reading reports and trying to link together any targets that might be working together. The day shift did a bulk of the work, and then tasks that weren’t completed were passed on to the night shift. The prosecution asked if Manning had completed his assigned tasks, and Madaras replied that “Majority of the time, ma’am, no they were not completed.”
The prosecution asked Madaras about whether he can conducted searches using the keywords WikiLeaks, Iceland, Central Command SJA, Julian Assange, retentions, Birgitta Jonsdottir, or Reykjavik. Madaras responded no to each. The prosecution asked is Madaras had used Intellipedia (he had), and whether he had used Intellipedia to search information on the Gitmo database, Net Centric diplomacy, CEDNY, or WGet. He replied no to each.
Madaras testified that he never used Manning’s user profile and didn’t know Manning’s passwords. When asked if his computer ever acted out of the ordinary, Madaras replied affirmatively, stating it happened all the time. He said the computer crashed a lot and had consistent problems. When that happened, they’d get help from someone else [Note: missed the name here, though subsequent testimony makes this pretty clear it is Milliman] would try to get it working again.
At this point the prosecution had no more questions and Coombs took over. He stepped up the speaker phone of the telephone, noting that he was sorry that the witness was not there in person. Coombs began by reviewing the historical facts – that Manning and Madaras met in 2008 in the smoking area by the barracks. Asked in Manning was interested in politics, Madaras said yes and related that Manning often would talk about a previous job in which he had opportunity to meet politicians in passing.
Upon questioning, Madaras admitted that he wasn’t really a computer guy. He didn’t remember any training about not placing executable files on the desktop.
Madaras stated that he arrived at FOB Hammer on October 15th. At that time, Sergeant Pagent was serving as the supervisor (there was no commissioned officer available). The way the workload was set up, the day shift was tasked to complete work in a day, and anything they didn’t finish was given to the night shift. According to Madaras, sometimes Manning did the work left to him and sometimes he did not. But some of the time, the work Manning did was great. Madaras said he didn’t really know if work was being given to Manning on the sign.
Coombs asked Madaras if he knew Manning was suffering from any issues. Madaras said no, though he was aware of the emotional outbursts Manning had experienced. For example, Madaras knew about an event in December 09 or January 2010 in which Adkins had asked Manning to move a projector. Manning had gotten upset, slammed a chair, and charged in to the area. Adkins intervened and tried to calm him down and took him outside. Coombs asked whether this was acceptable behavior, and Madaras said it was not. Coombs asked if there had been disciplinary action or if Manning had been removed from his station, and Madaras was not aware of any such disciplinary action.
Madaras also admitted that he’d seen Manning slam various items onto his work station, and noted that this was also not acceptable but also had not resulted in disciplinary action.
Coombs asked if Madaras had ever seen Manning act in a nonresponsive way. Madaras then described how Manning would sometimes sit and stare at his computer screen, even when Adkins and Balonik would call his name and try to get his attention.
Coombs then asked Madaras if he was ever afraid that Manning would hurt himself or others. Madaras said he was not, but that others in the unit had expressed that concern. When asked if Manning had friends, Madaras said that he’s seen one person (Sadler?) speak to Manning a few times, but that he didn’t really have friends. When asked if soldiers picked on Manning, Madaras said that they didn’t really but that sometimes they’d make fun of him a bit. Especially at night, when Manning would be running around and people would make comments on it.
At this point, the prosecution objected. David Coombs strongly urged Almanza not to sustain the objection, stating that in the pretrial hearing the defense had broad latitude to cross examine witnesses and were allowed to engage in discovery.
In a soft, almost inaudible response, Almanza overruled the objection.
Coombs continued on, asking Madaras whether Manning was an outcast. Madaras said yes. As to whether he was picked on, Madaras wasn’t sure.
Madaras then commented on the state of information security. He stated that soldiers listened to music on in the SCIF. He said that music was on the shared drive that had been passed down to them, and that it was accessible on computers. He said that there were also video games on the computers, and movies that could be played by DVD player.
Madaras testified that the DCIGs machines would crash when there was too much stuff saved on the desktop, and he mentioned that when the DCIGs were slow Manning would sometimes try to fix them.
Madaras also mentioned that Manning had put
MercmIRC-Chat on their computer. MercmIRC Chat was a program that Madaras needed for his job. Manning helped other to put it on their computers. Madaras said that he did not know how to add mission-critical programs to the desktop himself.
At this point Coombs sat down. The prosecution stepped up to ask whether Manning had signed a non-disclosure agreement, which Madaras said he had.
Madaras was then permanently excused from the pretrial hearing, and the hearing was recessed for lunch. It was 11:54 AM.
At 1:35 PM the defense called Allen Milliman, who appeared telephonically. He was sworn in, warned against referring to notes, and warned against disclosing classified information without first informing the IP.
The prosecution began by reviewing Milliman’s history, including training and military background. Milliman is a network engineer for Task, Inc. He served in the military for 21 years as a 33 Tango (Electronic repairs) and a 72 echo (Combat telecom). He retired on 8/31/05 and has since been a contractor for a series of companies. Milliman was deployed as a civilian in Iraq from 11/28/09-12/19/10. He was in FOB Hammer from July 2009 till the following year. His primary responsibility was as a Field Software Engineer (FSE). He helped maintain the DCGS (Distributed Common Ground Systems).
Milliman had to maintain the laptops and the servers, but mostly focused on the laptops. FSEs and Mentors handled the software on the computers, but FSEs handled the hardware, reloading of software, and firmware. He described his role as a technical assistant- intervening when computers had problems, swapping out hard drives that couldn’t be repaired. He remembered Manning as someone he saw daily but interacted with little, perhaps in passing one or two times per week. Sgt. Madaras he saw a similar amount, interacting with 3-5 times per week.
When asked whether he spent a lot of time repairing Manning and Madaras’ computer, he said yes — theirs seemed to be the one that had the most issues. Their computer issued occurred with greater frequency that others’.
Milliman didn’t remember the first time he met Manning, and he recalled that Manning had stated he had a computer repair business of his own at one point. He also said that Manning had once told him that if people really knew what he [Manning] could do with a computer, they’d be amazed.
Asked about WGET, Milliman said he was familiar with the name but had never used it and didn’t think it was authorized but wasn’t sure. When asked about how to ascertain whether a program was authorized, Milliman stated “there was a list that was supposedly available online but I could never find it.”
MercmIRC-Chat, Milliman stated that it wasn’t standard but that it could be authorized and allowed. It could be installed by people on their desktops, though they weren’t supposed to do that.
At this point, the prosecution had no more questions. Coombs stepped up to speak to the speaker phone. As he had with previous telephonic witnesses, Coombs noted how much he wished Milliman were in the court in person.
Coombs reviewed Milliman’s historical data. He retired in 2005 as an E7 and worked on DCIGs. Milliman noted that heat was a major problem with DCIGs, as was dust. He described field solutions to combating dust and heat, and noted that the computers were particularly prone to crashing prior to these solutions being implemented. He also agreed that a computer could crash due to problems on the hard drive or graphics card.
Milliman explained that there were often many profiles on a DCIG machine, sometimes as many as 12. He noted that if you had a lot saved on your desktop, the profile would have issues. There would also be problems if you had a lot of emails on your hard drive, or if you were storing redundant files, or potentially if the hard drive became fragmented.
When it crashed, the data was sometimes recoverable, but sometimes not.
Milliman purchased with a Universal Drive Adapter with his own funds to assist with data recovery.
If someone wanted to add something to their computer, they were supposed to get approved. There was a chain of command from which he was supposed to request permission. He didn’t know who was in the chain of command above him, but he didn’t speak to any military personnel. It would take a couple days to get approval.
MercmIRC-chat as being instant messaging software. He said there was one version of MercmIRC-Chat that didn’t play well with the antivirus software on the computers.
When asked whether the chain of command had ever rejected a request for a program, he said it happened once but he couldn’t remember the details. He also noted that it was possible for individuals to add programs directly to the desktop without administration rights. They could in fact save executable files to the desktop. He stated that people felt the DCIGs were their machines to do with as they pleased. Milliman stated that people could have added programs to their desktops but he was pretty sure he would have noticed it.
When asked if he’s seen WGET on a desktop, Milliman could not recall. When asked whether the computers could have been configured in a way that prevented them from being able to save executable files on the desktop, Milliman said they could. He also noted that he was there as a contractor to assist the solders, and thus it was implied that he was not a reprimander.
Coombs ended his questions and the prosecution stepped up with a few follow-up issues. They asked if programs could be run from a disc, which Milliman said they could. They asked if Milliman had installed WGet onto Manning’s computer, which he had not. He also clarified the role of a Mentor, someone who was a subject matter expert in ARC- GIS.
Milliman was then permanently excused.
Cpt. Thomas Cherepko
At 2:25 PM, the prosecution called Captain Thomas Cherepko. He also testified by phone. After being sworn in and confirming he was in a place with privacy, they reminded him not to refer to notes or disclose classified information with first telling the IO.
He was currently a Deputy CIS officer for NATO, serving in the Information Systems Manager branch. Cherepko has been in the army for 16 years. He had served as an automation officer since summer 2009, and before that as an engineer officer. The prosecution then reviewed his training.
He was deployed to Iraq three times – 2005, 2006-08, 2009-10. In his last stint, Cherepko served at the FOB Hammer in Baghdad with the brigade headquarters. He arrived in FOB Hammer in mid November 2009. After arrival, he served as Brigade Automations Officer overseeing NIPRnet and SIPRnet. The NIPRnet was an unclassified network that allowed you to access the worldwide web. The SIPRnet was a global intranet for the Department of Defense that included materials classified up to Secret. To get a SIPRnet account, you needed the approval of your first line supervisor, you had to complete paperwork, you had to complete an online training, and you needed appropriate security clearance.
There was also an Acceptable Use Policy (ACP) that everyone who got on SIPRnet had to read, review and sign explaining what one could and couldn’t do on SIPRnet. The online training was a Department of Defense created Information Assurance Training. It explained security best practices and stated that you weren’t authorized to share password, though Cherepko did not recall if it said anything about classified information specifically.
The administrators were Cherepko and several of his soldiers. They were charged with monitoring, maintaining and upkeep of networking security practices. He stated that soldiers are not allowed to install programs on 210 Mountain SIPRNet Systems. WGet was not authorized to be installed by a systems administrator. Cherepko stated that, to his knowledge, WGet was not approved by the DOD.
MercmIRC-Chat was operationally necessary. Cherepko believed it was authorized to be on the network, and noted it was there when he arrived and was part of the base system.
About the Acceptable Use Policy (AUP), Cherepko wasn’t sure whether individuals signed it before they were deployed. But he did believe that he had an obligation to maintain signed AVPs. However, he admitted that he did not maintain Manning’s AVP because they could not find it when he was asked to produce it. And, in fact, he could not find his own either. He explained that there were over 2,000 users and that the AUPs were paper copies kept in file folders, and “it [Manning’s AUP] was just misplaced.”
Cherepko explained that they had a shared drive known as the T drive that was about 11 terabytes of data. It was classified as Secret and accessible to anyone on the SIPRnet who had been given access. It was inherited from several prior brigades.
Cherepko admitted there was music and movies on the shared drive. He also noted that there was nothing technical preventing a user from removing things from the shared drive and putting it on his SIPR computer. “You could move it back and forth at will,” he stated. There were also no technical restrictions from burning a CD with classified information.
The prosecution had no further questions at the time, so the defense stepped in.
At 2:48 PM David Coombs stepped up to the speaker phone and verified that the witness could hear him. The witness said that he could, and asked if Coombs could hear him. Coombs joked that “You sound like a Sprint commercial” – another light admonishment at the failure of the courts to provide the witnesses in person.
Coombs reviewed the historical facts covered by the prosecution about Cherepko’s job and timeline. Cherepko’s position was to establish, manage and maintain the digital communications. His daily routine included checking the backups, checking his email, checking in with the soldiers at the help desk, and then moving on to trouble shooting the network.
To prepare for his position, Cherepko tool a course called Functional Area 53. This focused on the technical aspect of running a network. Cherepko admitted he wished that he had a course that was more focused on the army-specific way of doing things. Coombs asked if Cherepko remembered saying about the training he received in a sworn statement on January 6, 2011 that “we were given just enough knowledge to screw things up.”Cherepko balked slightly at confirming it, though I believe he ultimately did say he could have said that. Coombs responded that “If you were here in person I would show you your sworn statement.”
Cherepko arrived in FOB Hammer around November 14th, and he immediately served as Information Assurance Manager (IAM). He didn’t remember when exactly he was made IAM, but stated that for all intents and purposes it was from day one of arriving at FOB Hammer. He was tasked with ensuring training was conducted and procedures were followed, but admitted that he had called for no additional training outside of his own solders.
Coombs asked Cherepko if he was tasked with ensuring that all computers were properly certified and accredited. Cherepko responded that he wasn’t sure is that was his responsibly.
Asked whether the computers at FOB Hammer with properly certified and accredited, Cherepko paused and stated that it was a “tricky question.” He personally believed they were fine. But he had been told that this was not the case.
Upon questioning, Cherepko stated he had never heard of a DIACAP package. He had never conducted one or submitted one.
Cherepko also admitted that he had received a letter of admonishment in March 2011 for failing to ensure the network was properly accreted and certified.
Cherepko stated that he did go to the SCIF. He stated that he had never asked for a Deputy of the Army Inspector General (DAIG) Inspection. Speaking slowly, he stated under questioning that such inspections were part of his job. However he wasn’t able to say with 100% assurance that the Theater SCIF was ever inspected. He testified that no SCIF information security officer was assigned, and he did not know what a T-SCIF special security representative was.
Cherepko knew that people had music and that they kept it in their files. It was on the T-Drive even though it was not authorized. Cherepko state that when he saw music, he would delete it, but that it would come back. He could not recall anyone being punished for this. He also had never recommended anyone for punishment over this, though he had informed his supervisors. In addition to music, he saw games and movies.
Cherepko knew that having music, movies and games violated the Authorized Use Policy. He had seen programs being added to the T-Drive, including games, and he had notified his supervisors. He was unaware of any action being taken based on these concerns, and the practices continued until they were redeployed.
In regards to whether he would characterize the situation as undisciplined, Cherepko stated he had no basis of experience by which to judge whether it was undisciplined or disciplined. He noted that no one had ever been disciplined for violating the policies.
He stated that if someone wanted to add a program to DCIGs, they were supposed to take it to the help desk or they could run it from their desktop, the shared drive, or a removable disc. During the deployment, there was no written guidance provided about running executable files on a computer. And in fact, the training was being violated on a daily basis.
When asked what he would do if he found an executable file on a computer, Cherepko struggled to answer. His breathing was audible over the phone and there was a prolonged pause. Asked what to do if someone wanted authorization to run a mission-essential program, how that program would be approved, Cherepko was not sure. He stated that he didn’t think he’d ever done it, but that it wasn’t a quick process. He also noted that authorization would only be for a single version of a program, and that as the versions changed it would require new authorization.
Cherepko was then asked whether he had received an executable file from CID. He confirmed that he had. He confirmed he had used it. But when asked whether the program was approved, he admitted he didn’t know.
On questioning, Cherepko stated he had not seen unauthorized executable files on the shared drive. He admitted that it would not be hard to find them if he was looking.
If a Derog (Derogatory Report) was filed on someone and the S6 was asked to remove that individuals access to SIPRNet, Cherepko stated it could be accomplished in under one minute.
Cherepko had pushed the unit toward using username and passwords for accounts, instead of role-based log ins. When asked why the machines had so many user accounts on them, he explained that every time a user logged into a machine it created a cached account for that user.
Cherepko was notified of Manning’s arrest the day it occurred. He spoke to several CID agents. Upon request, he provided them with server logs from the network and shared drive as well as email logs. Cherepko was able to get some of the requested logs but not all of them. Some of them they did not maintain. He explained that they only maintained generic server logs for troubleshooting purposes.
Cherepko stated that the CID agents had asked him to create images of a computer and, after some concern, he tasked one of his solders with doing the imaging (either Sgt Joseph Benthal or Private Dodley; he didn’t remember which.). He believed a supply sergeant’s computer was imaged but couldn’t remember if additional devices were imaged as well.
Cherepko stated he was concerned about his ability to create forensically sound images. He had expressed this concern to the CID agent, and the agent had responded (basically) that it was OK because the devices hadn’t been seized yet and it’s already been so long that they are already tainted.
Cherepko was also asked to make a copy of Manning’s log file and folder. He didn’t remember who asked, but he received tutoring in doing it. (Specifically, how to maintain the metadata.) Then the CID agent sent him an executable program. Cherepko noted that the copy he made was from the day he copied it, not on a prior version.
Coombs then returned to his seat and the government stepped up to resume questioning Cherepko. The phone line was disconnected and there were brief technical issues reestablishing connection. When Cherepko was back, the government asked for more information about what the log data contained. Cherepko was not sure. The government also asked what happened to his automation system after Manning’s arrest. Cherepko said there was no immediate effect on the network but in the coming weeks they had a session on how to prevent such a thin from happening again.
No sooner had the prosecution resumed its seat than Coombs stood. Upon questioning, Cherepko stated that after Manning’s arrest he had met with his Executive Officer and others to create a corrective training regarding Derogs for soldiers.
Cherepko was then permanently excused and there was a brief recess.
Public Pushed Out, “Relevant Government Agencies” May Stay
3:48 PM We reconvened briefly for and Almanza reviewed the decorum procedures for the courtroom. Then the prosecutor requested to have a closed hearing. The public and media were excused, but the defense, prosecution, and “relevant government agencies” were allowed to stay. I suspect this may refer to the individuals who are sitting on the right side of the court room, in the second row behind the prosecution. None of them have identified themselves. I do not know what agency those individuals are with, but they were allowed to stay while the public was forced out.
It is worth noting that even individuals with a secret security clearance were not allowed to remain in the room.
We headed out to the heated trailer to wait on folding chairs and chat. Those who smoked lit their cigarettes from one another, as lighters were not allowed and people were guarded with their matches.
Closed Hearing Over Defense Objections
The court was called back into order. The video link to the media room was restored. Almanza seemed to be deteriorating a bit, he had a coughing fit while explaining his decision.
Almanza stated that, after discussing it in the closed session, he had decided to allow a closed hearing for a portion of the next day. He found that the information had been properly classified and that the need to maintain that classification outweighed the value of a public and open trial. He said that there was no lesser means appropriate to ensure the confidentiality of the classified documents than to close the trial.
Coombs stood and stated his objection to a closed trial for the record. It was noted.
Special Agent David Shaver
The government then called Special Agent David Shaver of the Computer Crimes Investigative Unit. He was sworn in and reminded of the classification rules. Agent Shaver had been with the army since 1999 and specialized in investigating intrusions into any computer worldwide.
Shaver stated he relied heavily on EnCase for forensic analysis and said he was competent with Windows, UNIX, Linux, and Mac. They reviewed his experience, including his publications and awards.
Shaver became involved in the Manning hearing in either late May or early June 2010 when CCIU was assigned to the case. He examined two SIPR computers – Manning’s primary computer (which he referred to as the .22 – likely referencing the IP address) and secondary computer. Both has Manning profiles on them but the primary one – the Windows Alienware – was used more often.
Shaver began by explaining IP addresses as being like telephone numbers, and explained that IntelLink was similar to Google. He spoke in rapid-fire statement, punctuated every few words with “sir”. Shaver examined the Intel Link logs from October 2009-May 2010. He focused on keyword searched, the hits they received, files downloaded and accessed. His investigative plan was to look for keywords, which he did by searching for unique strings within the log file. He was able to verify what he did by conducting searches on his own computer, then comparing the unique log file he created to the one he was searching for in the IntelLink logs.
He moved the data he collected into Excel spreadsheets.
In the course of his forensic analysis, he found numerous things out of place. He found searches in IntelLink work the keywords WikiLeaks, Julian Assange, and Iceland. WikiLeaks searches associated with IP address 22.214.171.124 were shown on a screen to the investigating officer, the search queries ranging from 1 Dec 2009 to 08 Mar 2010. There were over 100 searches conducted for the search term WikiLeaks. I noted that one of the searched was for ilr+Wikileaks
Shaver also showed search queries or the term Iceland on the screen, beginning 9 January 2010 and ending 21 April 2010. These were associated with the IP address 126.96.36.199.
The next slide displayed 8 search logs around for information related to “retention of interrogation video.” These were associated with the IP address 188.8.131.52 and began on 28 November 09 and ended 17 January 2010.
Shaver explained that WGet was a command line utility to download files from the Internet. [NB Shaver mentioned the version number of WGet more than once. If you got it, please let me know by emailing [email protected] I think it was 1.11.4 but I wasn’t sure] He explained what a command line utility was, and the investigating officer asked if it was sort of like DOS? He said yes.
Shaver explained that you could create a script around WGet in order to automate a process to download a large amount of files.
Shaver stated the first use of WGet was in early March 2010. From the displayed screen, it appeared that the date was 07 March 2010. This instance of WGet seemed to be to access the Gitmo detainee assessments. The forensic examiner was able to recreate the script and download Gitmo detainee logs. The forensic unit then downloaded the Gitmo logs published by WikiLeaks and compared them to what they pulled via WGet. According to Shaver, they matched.
Shaver then explained forensic analysis and how one can verify a hash of data. He explained that the hash values of the imaged data matched that of the .22 device.
He then mentioned again how he relied on EnCase as a primary tool for forensic analysis. He used it to search allocated and unallocated spaces (such as deleted files).
Shaver began his analysis by looking for things mentioned in the chat logs, as he had been provided those.
In the allocated spaces
In the allocated spaces on the .22 computer under Manning’s user profile, Shaver found 4 complete Gitmo detainee assessments. He noted that there were two installed browsers:
- Internet Explorer, which was configured in a way that prevented a user from deleting history and created a log of all files that were opened
- Firefox, which was configured to start in private browsing mode, maintain no Internet history and had IntelLink as its homepage
He also found in My Documents a “files.zip” that had approximately 10,000 state department cables in html format.
At this point, there was supposed to be a slide presentation to show the investigating officer. However, apparently the unclassified materials that the prosecution wanted to show were mistakenly marked as classified and the prosecution thus did not want to show them in an open courtroom. The prosecution offered to show them to the IO, Manning and Manning’s attorney is Manning and his attorney would sit in the jury box and review them. Coombs objected so the presentation proceeded without visual aid.
Shaver also found an excel spreadsheet with three tabs called backup.xls. The contents were as follows:
- First tab: labeled “WGet” This was a two-column spreadsheet. The first column had a list of 10,000 Message Record Numbers for State Department cables. The second column was the command line to download each of the cables in column one.
- Second tab: labeled “0310-0410” a list of Message Record Numbers for State Department Cables published between March 2010 and April 2010. Notable, in the top left was the sequence “251,288.” Shaver noted that this was only one number off from the total number of cables released by Wikileaks – 251,287.
- Third tab: labeled “0510” MRN numbers, embassy information, classification type for all the cables.
Shaver noted that the file had been partially corrupted but that it was able to be opened.
Shaver also found WGet in several spots in the PreFetch Folder. He postulated that one might want to run WGet from various locations within a profile, and multiple versions at the same time, in order to download more quickly. He noted that WGet was added on 4 May 2010 but that he had found an earlier version in Windows PreFetch.
He also found two CSV files, each with 100 cables in them, in Windows Temp.
In the unallocated spaces
In the unallocated spaces, Shaver found thousands of complete cables ranging in classification and many incomplete ones.
He also founds hundreds of Internment Serial Numbers (ISN) in the Index.dat file.
He found a copy of Collateral Murder as it was released on the WikiLeaks website and also what appeared to be the source file. The first instance of this was March (found through restore points using EnCase).
He noted that the computer was reimaged in March.
He also found hundreds of files related to the Granai airstrike, including deleted PDFs and Jpegs
He found on 20 May 2009 a large number of files were downloaded and then compiled into a .zip. These included Jpeg images, such as presentations and documents from hospital burn victims.
At 6:30 PM, per the recommendation of the defense, we adjourned. We’re starting back up again tomorrow at 9AM, beginning with Coombs’ cross-examination of Shaver.
DIACAP audit http://www.infosecinc.com/dod-diacap-assessment.html
Manning Sent ‘Collateral Murder’ Video Links to Commanding Officer
Key witness excused from testifying in U.S. leaks case
Files on Manning’s computer linked to WikiLeaks site