Case 1:14-cr-00068-KBF Document 70 Filed 10/01/14 Page 1 of 18

UNITED STATES DISTRICT COURT
SOUTHERN DISTRICT OF NEW YORK

UNITED STATES OF AMERICA

- against -

ROSS ULBRICHT,

Defendant.

14 Cr. 68 (KBF)
(Electronically Filed)

DECLARATION OF JOSHUA J. HOROWITZ

Joshua J. Horowitz, Esq., pursuant to 28 U.S.C. §1746, hereby declares the following under penalty of perjury:

1. I am an attorney licensed to practice law in New York State, and admitted to practice in the United States District Courts for the Southern and Eastern Districts of New York. My practice is concentrated on criminal defense matters that require expertise in technology and computer software.

2. Along with Joshua L. Dratel, P.C., I represent Ross Ulbricht in the above-captioned matter, and make this statement with regard to technical assertions made in the Government’s response to Defendant’s omnibus motion.

3. As detailed below, my review of the discovery has led to the following conclusions: (1) based on the Silk Road Server’s configuration files provided in discovery, former Special Agent Tarbell’s explanation of how the FBI discovered the server’s IP address is implausible; (2) the account by former Special Agent Tarbell in his Declaration differs in important respects from the government’s June 12, 2013, letter to Icelandic authorities.
For example, that letter (which is Exhibit A to the government’s opposition papers) suggests the possibility of an alternative method for the government’s identifying and locating the Silk Road Server; (3) former Special Agent Tarbell’s explanation is vague and lacks supporting documentary and forensic evidence that should exist if former Special Agent Tarbell had adhered to the most rudimentary standards of computer forensic analysis, but which he apparently did not follow, or failed to preserve evidence of his alleged work that could substantiate the government’s account (and which the defense has now requested); (4) several critical files provided in discovery contain modification dates predating the first date Special Agent Tarbell claims Icelandic authorities imaged the Silk Road Server, thereby casting serious doubt on the chronology and methodology of his account; and (5) the Government’s version contains additional inconsistencies, including items referred to and/or indicated by former Special Agent Tarbell’s Declaration, but not produced in discovery.

I. Qualifications

4. For the past ten years, I have used a variety of GNU/Linux operating systems and have become extensively familiar with their configuration and operation. My technical knowledge has been acquired through building a variety of computer systems over the course of a lifetime.

5. I have previously been retained for my expertise as a technology lawyer in matters involving organized crime, public corruption, and violations of HIPAA. I have also been successful in tracing the origins of an anonymous threatening e-mail through the use of pre-action discovery.

6. While in law school, I received training at the Software Freedom Law Center, a non-profit organization providing pro bono counsel to Free and Open Source Software developers (FOSS).

7.
I have lectured to the New York Criminal Bar Association on issues involving technology in criminal defense practice. I have also lectured at several conferences for software developers on legal issues in software development.

8. I am an active member of the New York State Association of Criminal Defense Lawyers and have co-authored an article on forensic laboratory accreditation for the organization’s publication, Atticus.

II. Description of Materials Reviewed

9. In preparing this Affidavit, I have reviewed the materials provided to the defense in discovery and the documents filed in connection with this proceeding. The discovery materials included forensic images of the Silk Road web server.[1] According to the government, the earliest image was captured June 6, 2013, and the latest in November 2013. The server images contained web server configuration files, records of traffic on the Silk Road site, MySQL databases, and a number of other file types.

[1] Each web server forensic image is a snapshot of the entire contents of the server at the exact moment the image was captured.

10. The discovery materials provided to defense counsel include three two-terabyte hard drives and several USB thumb drives. Each hard drive contains numbered folders corresponding to item numbers contained in the Government’s March 21, 2014, letter, a copy of which is attached hereto as Exhibit 1. The total volume of discovery is several terabytes of data comprised of several hundred thousand digital files.

III. Silk Road Server Configuration

11. The server images provided in discovery establish that the Silk Road was run on the Ubuntu Server operating system, version 12.04.2. Ubuntu is a widely distributed and freely available Linux-based open-source operating system. The server utilized Nginx to serve its web content, a popular, high-performance web server capable of handling high volumes of traffic.
The role of the web server is to deliver web content to the client, i.e., the individual visiting the site.[2]

[2] According to the nginx wiki, a number of popular web services such as Netflix, Airbnb, and Zappos utilize Nginx. See wiki.nginx.org.

12. Nginx has the capability to serve more than one website from the same physical hardware server. In order to do so, the server must affirmatively be configured for that purpose. This type of configuration is called virtual hosting. There are two file folders containing virtual host configuration files, “sites-available” and “sites-enabled.”

13. The “sites-available” folder contains the configuration files for any of the virtual hosts available on the server. To be activated, the “sites-enabled” folder must contain a link to a configuration file in the “sites-available” folder. Without the existence of that link, the site configuration in the virtual host file is not active.[3]

[3] For example, if there are ten virtual host configurations in the “sites-available” folder, but no links to any of them in the “sites-enabled” folder, then there are no live virtual host configurations.

14. In July 2013, the Silk Road site was split between two different servers, a front-end and back-end server. The front-end is what the user sees and interacts with, while the back-end is where the “under the hood” operations take place, such as fetching data and entering new data in a database.

15. By default, the Nginx web server maintains two separate logs of activity on the server, an access log and an error log. The access log stores information about requests for information processed by the web server, while the error logs store information about any problems encountered by the web server.

16.
A single logged request in the access log looks as follows:

    62.75.246.20 - - [14/Jul/2013:06:55:33 +0000] "GET /orders/cart HTTP/1.0" 200 49072 "http://silkroadvb5piz3r.onion/silkroad/item/0f81d52be7" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0" [4]

This snippet provides information about the IP address of the web client accessing the server, what files were accessed, how the web server responded to the user request, and the dates and times of access. From this log and the server configuration files, it is apparent that the server assigned IP address 193.107.86.49 (hereinafter the “.49 server”) was configured as the back-end to the Silk Road. The access logs show that the server assigned IP address 65.75.246.20 was constantly requesting data from the .49 server.[5] This is because the server with IP address 65.75.246.20 (hereinafter “the front end server”) acted as the front-end to the Silk Road site.

[4] This excerpt of the Nginx access log is located in the first item of discovery in the directory /orange21/var/log/nginx. According to law enforcement, this server was assigned IP address 193.107.86.49.

[5] The server assigned IP address 65.75.246.20 was provided as Item 15 in discovery and was imaged in October 2013. See Exhibit 1.

IV. Former Special Agent Tarbell’s Explanation Of Receiving Part of the Silk Road Login Page from a Non-Tor Browser is Implausible

A. The Server Configuration Files Refute Tarbell’s Claims

17. Based on the server configuration files provided by the government, access to market data from a non-Tor IP address would have been precluded.[6]

18. The Government’s response to Mr. Ulbricht’s omnibus motion filed September 5, 2014, contains a Declaration from former FBI Special Agent Christopher Tarbell, attached hereto as Exhibit 2 (Dkt #57). The Declaration contains a vague explanation of how the IP address of the Silk Road server was initially discovered.
For instance, former SA Tarbell asserts that, “[w]hen I typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared.” Tarbell Decl. at ¶ 8. As explained below, based upon the Nginx server configuration files provided in discovery, that was not possible.

1. Live-ssl Configuration

19. The “sites-available” directory from Item 1 contains four files: live-ssl, default, phpmyadmin, and test-domain. The “sites-enabled” folder contains two links to the live-ssl and phpmyadmin files. As discussed ante, at ¶ 13, this means that at the time this image was captured only the live-ssl and phpmyadmin virtual host site configuration files were active.

[6] The guide on “Torifying” various applications cited to in ¶ 5 of the Tarbell Declaration is applicable to client-side configurations, not server-side. The client-side vulnerabilities discussed in the guide apply to end-users attempting to configure various applications on their local machines to connect to the Tor network. For discussion on properly configuring Tor hidden services, see https://www.torproject.org/docs/tor-hidden-service.html.en (last accessed September 21, 2014).

20. Based on my experience, I know that Linux-based operating systems (such as Ubuntu, which was used to power the Silk Road Server) record modification times for each file. This is known as a file’s “mtime,” which shows the age of the data contained in the file. When information is added or deleted from a file, its mtime will be updated by the operating system.[7] The mtime for the live-ssl configuration file provided in Item 1 of discovery is June 7, 2013, and the phpmyadmin configuration is July 6, 2013.[8] See mtime for site configuration files from Item 1 of discovery and the contents of the ‘sites-enabled’ directory, attached hereto as Exhibit 2.

21.
In response to defense counsel’s September 17, 2014 letter, demanding additional discovery, attached hereto as Exhibit 3, the government provided additional information and discovery by letter dated September 23, 2014, attached hereto as Exhibit 4. The government’s September 23, 2014, letter included an excerpt of 19 lines from Nginx access logs, attached hereto as Exhibit 5, supposedly showing law enforcement access to the .49 server from a non-Tor IP address June 11, 2013, between 16:58:36 and 17:00:40. According to the Government, this is the only contemporaneous record of the actions described by the Tarbell Declaration at ¶¶ 7-8.[9]

22. Spanning from May 26, 2013 to October 2, 2013, there were a total of 168,361,443 lines of Nginx access logs provided to defense counsel. Of those, roughly 25,988,136 fit within the early June 2013 timeframe provided in the Tarbell Declaration, ¶ 7. Without identification by the Government, it was impossible to pinpoint the 19 lines in the access logs showing the date and time of law enforcement access to the .49 server.

[7] See mtime, ctime, and atime, available at http://www.unix.com/tips-and-tutorials/20526-mtime-ctime-atime.html (accessed September 21, 2014).

[8] Since Item 1 is the oldest image provided in discovery the defense does not have site configuration data prior to June 7, 2013.

[9] See government September 23, 2014, letter (Ex. 4), at 4, which states: “[o]ther than Attachment 1, the Government is not aware of any contemporaneous records of the actions described in paragraphs 7 and 8 of the Tarbell declaration.”

23. The “live-ssl” configuration controls access to the market data contained on the .49 server. This is evident from the configuration line:[10]

    root /var/www/market/public

which tells the Nginx web server that the folder “public” contains the website content to load when visitors access the site.

24.
The critical configuration lines from the live-ssl file are:

    allow 127.0.0.1;
    allow 62.75.246.20;
    deny all;

These lines tell the web server to allow access from IP addresses 127.0.0.1 and 65.75.246.20, and to deny all other IP addresses from connecting to the web server. IP address 127.0.0.1 is commonly referred to in computer networking as “localhost” i.e., the machine itself, which would allow the server to connect to itself. 65.75.246.20, as discussed ante, is the IP address for the front-end server, which must be permitted to access the back-end server. The “deny all” line tells the web server to deny connections from any IP address for which there is no specific exception provided.

25. Based on this configuration, it would have been impossible for Special Agent Tarbell to access the portion of the .49 server containing the Silk Road market data, including a portion of the login page, simply by entering the IP address of the server in his browser. As discussed in ¶ 24, the server was configured to refuse connections from all outside IP addresses with only one exception, the front-end server IP. Certainly, the IP address of the machine that Tarbell attempted to connect with did not have this IP address, and the server would therefore have refused his connection attempt.

[10] The full text of the live-ssl configuration file is attached as Exhibit 6.

2. Phpmyadmin Configuration

26. As discussed ante at ¶ 19, the .49 server contained two live virtual host configuration files, live-ssl and phpmyadmin. Phpmyadmin is an extremely popular open-source tool used to administrate MySQL databases from a web browser such as Google Chrome, Mozilla Firefox, or Internet Explorer. According to Sourceforge.net, phpmyadmin has been downloaded 2,375,431 times just this year and is available in numerous languages.[11] It is implemented on a large number of web servers around the world.

27.
The active phpmyadmin configuration file contained in Item 1 of discovery contains the following lines[12]:

    listen 80;
    root /usr/share/phpmyadmin;
    allow 127.0.0.1;

These lines direct the phpmyadmin virtual host to listen on port 80, which is the standard port for web traffic, and also tells Nginx to serve files from the phpmyadmin folder. The absence of “deny all” means that it would be possible for an IP address outside the Tor network to connect to the .49 server.

28. However, an IP address outside the Tor network would have been able to access only the login page for phpmyadmin[13] and the files contained in the phpmyadmin folder, not any part of the Silk Road market or even the login screen, as claimed in the Tarbell Declaration, at ¶ 8. The 19-line excerpt from the Nginx access logs provided by the government confirms that fact. According to that excerpt, the server files accessed by law enforcement were all contained within the phpmyadmin folder and there was never any direct access to the actual Silk Road market data or even a login page for the market.

[11] See http://sourceforge.net/projects/phpmyadmin/files/stats/timeline?dates=2014-01-01+to+2014-09-27, (last accessed September 27, 2014). Sourceforge.net is a popular site used by open-source software developers to host projects.

[12] The full text of the phpmyadmin configuration file is attached as Exhibit 7.

29. Rather, based on the server configuration files provided, the Silk Road login page referred to in ¶ 8 of the Tarbell Declaration must have been merely the login page for phpmyadmin and its underlying files. As discussed ante, phpmyadmin is an extremely popular tool for database administration, and its mere existence on the .49 server does not in any way demonstrate that illegal activity was conducted on the server.

30.
Of the total 168,361,443 lines of Nginx access logs provided in discovery, only 3,348 show access to the .49 server from an outside IP address. All of these attempts show access to either the phpmyadmin files contained on the server or hacking attempts conducted on port 80. This data demonstrates that an outside IP address was never able to access the Silk Road market login page or files, and the law enforcement IP was no exception.

B. The Tarbell Declaration Raises More Questions Than it Answers

1. Lack of Supporting Evidence

31. Agent Tarbell explains that in early June 2013, he and another FBI Agent, “closely examined the traffic data being sent from the Silk Road website” and that they had, “examin[ed] the individual packets of data being sent back from the website . . . notic[ing] that the headers of some of the packets reflected a certain IP address not associated with any known Tor node.” See Tarbell Decl. ¶¶ 7-8. Based on my experience, I know this to describe an activity commonly referred to as packet sniffing.

[13] A screenshot of the phpmyadmin login page is attached hereto as Exhibit 8. For comparison, a screenshot of the Silk Road market login page is attached hereto as Exhibit 9, available at http://www.businessinsider.com/silk-road-walkthrough-2013-3?op=1 (last accessed September 30, 2014).

32. A packet sniffer is a computer program used to intercept and log traffic passing over a network interface, i.e., a computer’s software and/or hardware components that allow it to connect to the internet. For example, a laptop computer may have both an Ethernet port for a hard-wired internet connection and a wireless LAN card as its network interfaces.

33.
One of the most popular and freely available packet sniffing tools is a computer program called Wireshark.[14] Wireshark can be easily configured to capture and record detailed information about each packet of web traffic as it is transmitted or received over a network interface. Among this information is a very precise timestamp (in seconds, to the 9th decimal place) for when the packet was logged, and information pertaining to the source and destination IP addresses of the packet.[15]

34. Using Wireshark’s default configuration, the user would have had to affirmatively choose not to save any logged information. Indeed, before exiting the program, the user is prompted with the question: “Do you want to save the captured packets before quitting? Your captured packets will be lost if you don’t save them.”[16]

[14] A disc of discovery materials provided to the defense by the FBI on September 18, 2014 contained a copy of Wireshark, strongly suggesting that the FBI is familiar with this tool. The disc of materials contained pen register data stored in .pcap files. Wireshark can be used to view this type of information.

[15] An example of the detailed information that can be captured about a single packet using Wireshark is attached hereto as Exhibit 10.

[16] See Wireshark Exit Screen screenshot, attached hereto as Exhibit 11.

35. Failure to preserve packet logs recorded while investigating the Silk Road servers would defy the most basic principles of forensic investigative techniques. Agent Tarbell is certified by the International Association of Computer Investigative Specialists as a Forensic Computer Examiner. See Tarbell Decl. ¶ 3. Some of the core competencies required for this certification include:

a. Knowledge of search and seizure, legal process, and rules of evidence as applicable to computer forensics, laws, and procedures.

b.
Ability to explain on-scene actions taken for the preservation of digital evidence.

c. Knowledge of proper computer search and seizure methodologies to include photographic and scene sketch procedures and documentation.

d. Ability to establish, maintain and document a forensically sound examination environment.[17]

36. Despite the ease of preserving this information, the Government’s September 23, 2014 letter to defense counsel explicitly provides, “[o]ther than Attachment 1, the Government is not aware of any contemporaneous records of the actions described in paragraphs 7 and 8 of the Tarbell declaration.” The referenced Attachment 1 is the Nginx access log excerpt attached hereto as Exhibit 5.

37. Consequently, the government’s position is that former SA Tarbell conducted his investigation of Silk Road, and penetrated the Silk Road Server, without documenting his work in any way.

[17] See IACIS CFCE Core Competencies, available at http://www.iacis.com/SiteAssets/Documents/CFCE_core_competencies.pdf (last accessed September 20, 2014). See also US DOJ: Forensic Examination of Digital Evidence: A Guide for Law Enforcement, Apr. 2004, available at https://www.ncjrs.gov/pdffiles1/nij/199408.pdf (Chapter 5 on Documenting and Reporting, instructing investigators to keep in-depth records of tasks performed during a forensic investigation).

2. FBI Fuzzing of The Silk Road Server

38. Former Special Agent Tarbell states, “[w]e were simply interacting with the website’s user login interface, which was fully accessible to the public, by typing in miscellaneous entries into the username, password, and CAPTCHA fields contained in the interface.” Tarbell Decl., at ¶ 7 (emphasis added). I know from experience that the activity described by Special Agent Tarbell is commonly referred to as “fuzzing.”

39.
“Fuzzing” is the automated or semi-automated process of feeding semi-random input data into a computer program to test for vulnerabilities or security holes in the software.[18]

40. The government’s September 23, 2014, letter to defense counsel (Ex. 4) makes clear that other than the 19-line excerpt from the Nginx access logs, there are no other records of the activity described in ¶¶ 7-8 of the Tarbell Declaration. In response to questions 6-11 (in defense counsel’s September 17, 2014, letter to the government (Ex. 3)), the government has directed defense counsel to “[s]ee response to request #5[,]” referring to the solitary access log excerpt provided by the government. However, that excerpt explains only a very small portion of ¶ 8 of the Tarbell Declaration: “[w]hen I typed the Subject IP Address into an ordinary (non-Tor) browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared.” None of the steps leading to the discovery of the Silk Road server IP as described in ¶¶ 7-8 are explained by the excerpt.

41. For example, request 9 in defense counsel’s September 17, 2014, letter (Ex. 3) asks for, “[a]ny and all valid login credentials used to enter the Silk Road site.” This request was made in light of ¶ 7 of the Tarbell Declaration, which described the use of valid login credentials for undercover accounts to enter the site. Based on my review of the Nginx access logs provided in discovery, I know that a valid login to the site is recorded as follows:

    GET/silkroad/user/f01861c317

where “f01861c317” corresponds with a user identification number stored in the MySQL database contained in the server image. The 19-line excerpt provided by the Government contains no such requests indicating a valid login to the site.

[18] See Fuzz Testing, available at http://en.wikipedia.org/wiki/Fuzz_testing (last accessed September 20, 2014).

42.
If, as the Government asserts, there are no additional records of the activity described in ¶¶ 7-8 of the Tarbell Declaration, then the “miscellaneous entries” described therein never occurred.

3. Mtime of Server Data Provided in Item 1 of Discovery Predates Initial Imaging of Silk Road Server

43. According to the government’s March 21, 2014, letter (Ex. 1), Item 1 of discovery contains the initial image of the Silk Road Server captured in July 2013, with IP address 193.107.86.49 (the allegedly “leaked” IP). According to the Tarbell Declaration, at ¶ 9, an official request was made to Icelandic authorities June 12, 2013, to “covertly image the contents of the Subject Server.” This is confirmed by a June 12, 2013, letter to the Reykjavik Metropolitan Police from Assistant United States Attorney Serrin Turner.[19] According to Tarbell, “[a]fter obtaining the necessary court order under Icelandic law, the RMP imaged the Subject Server on July 23, 2013.” Tarbell Decl. ¶ 12.

[19] Attached to the Tarbell Declaration as Exhibit A.

44. However, footnote 7 of the Tarbell Declaration states that several months earlier, a lead had been developed on a different server in Iceland with IP address 193.107.84.4 (hereinafter “the .4 server”). By letter of request to Icelandic authorities dated February 28, 2013, U.S. law enforcement requested, inter alia that Icelandic authorities obtain traffic data for the server and covertly image it after consulting with the FBI.[20] By the time the requested information was produced by Icelandic authorities, the Silk Road server was no longer hosted at the server with IP address ending in .4, and “[a]s a result, the FBI did not request that Icelandic authorities proceed with imaging [the .4 server.]”[21]

45. The Tarbell Declaration states, “[t]he RMP provided a copy of the image of the [.49 Server] to the FBI on or about July 29, 2013.” Tarbell Decl. at ¶ 13.
It fails to mention that the .4 server images were nevertheless provided to U.S. law enforcement at that time. The government’s September 23, 2014, letter to defense counsel provides:

    Icelandic authorities had already imaged the contents of [the .4] server by this time, on or about June 6, 2013. Although the Government did not ask Icelandic authorities to share the image of [the .4] server, Icelandic authorities included the image on the same device on which it produced the image of the SR Server to the Government on or about July 29, 2013.

Thus, according to the modification time of the .4 server images and the timeline provided in the Tarbell Declaration, the .4 server was imaged on June 6, 2013, prior to obtaining permission from the Icelandic Courts.

46. As discussed ante in ¶ 20, the “mtime” or modification time of a file indicates how old the data in the file is, i.e. when it was last modified.

47. The “images” provided to US law enforcement by the Republic of Iceland are actually “.tar.gz” compressed archive files. This type of compressed archive file is commonly referred to as a “tarball.” It is convenient to store files in this format because multiple files can be grouped into one for easier portability and storage.

[20] Letter attached to the Tarbell Declaration as Exhibit B.

[21] See Tarbell Declaration, at ¶ 9, n. 7.

48. There are a total of 4 tarballs in the first item of discovery: home, var, all, and orange21 – all contained in .tar.gz files. The mtime for orange21.tar.gz is consistent with the July 23, 2013 image date.
However, the other 3 tarballs have an mtime of June 6, 2013, as shown below[22]:

    root       30720 Jun  6 2013 home.tar.gz
    root   737095680 Jun  6 2013 var.tar.gz
    root  1728276480 Jun  6 2013 all.tar.gz
    root 22360048285 Jul 23 2013 orange21.tar.gz

The modification date of the tarballs is consistent with an imaging date of June 6, 2013, a full six weeks before the July 23, 2013, imaging of the .49 Server, a fact never mentioned in the Tarbell Declaration.

[22] This is a slightly modified version of the output from the Unix command “ls -ltr”. ls is a Unix program that is used to list the contents of a folder. When executed with the “-l” option, the program gives file information in its long listing format. This information includes, among other things, the modification time of the files in the directory.

V. Other Inconsistencies In the Government’s Version

49. Agent Tarbell states, “[t]he subject IP address was independently identified solely by . . . examining the traffic data sent back from the Silk Road website when we interacted with its user login interface.” Tarbell Decl. at footnote 7. Yet, that claim is inconsistent with language in the June 12, 2013, letter to the Reykjavik Metropolitan Police, which indicates that analysis of traffic logs from the server assigned IP address 193.107.84.4 may have aided law enforcement in determining the location of the .49 server.[23]

50. The Government’s March 21, 2014, discovery letter (Ex. 1) indicates that item 9 in discovery contains an image of the Silk Road marketplace server captured in September 2013. By letter dated September 26, 2013,[24] U.S. Law Enforcement officials requested that Icelandic authorities reimage the .49 server and provide the contents to the FBI. However, the discovery materials contain no such image, which according to the government’s September 23, 2014, letter, was in error.

[23] On September 18, 2014 defense counsel was provided with traffic logs for the .49, .4, and .34 servers. At this stage of review, it does not appear that the .4 logs contain any information that could have aided law enforcement in determining the location of the .49 server. Given the short period of time to review this information prior to filing, counsel reserves the right to file supplemental briefing based on the continued review of this material.

[24] Attached to the Tarbell Declaration as Exhibit D.

VI. Conclusion

51. As set forth above, there are a number of factual issues in dispute that need to be resolved: (1) based on the Silk Road Server’s configuration files provided in discovery, former Special Agent Tarbell’s explanation of how the FBI discovered the server’s IP address is implausible; (2) the account by former Special Agent Tarbell in his Declaration differs in important respects from the government’s June 12, 2013, letter to Icelandic authorities. For example, that letter (which is Exhibit A to the government’s opposition papers) suggests the possibility of an alternative method for the government’s identifying and locating the Silk Road Server; (3) former Special Agent Tarbell’s explanation is vague and lacks supporting documentary and forensic evidence that should exist if former Special Agent Tarbell had adhered to the most rudimentary standards of computer forensic analysis, but which he apparently did not follow, or failed to preserve evidence of his alleged work that could substantiate the government’s account (and which the defense has now requested); (4) several critical files provided in discovery contain modification dates predating the first date Agent Tarbell claims Icelandic authorities imaged the Silk Road Server, thereby casting serious doubt on the chronology and methodology of his account; and (5) the Government’s version contains additional inconsistencies, including items referred to and/or indicated by former Special Agent Tarbell’s Declaration, but not produced in discovery.

52. These discrepancies between former Special Agent Tarbell’s claims and the forensic reality of the discovery cannot be resolved without an evidentiary hearing.

I declare under penalty of perjury that the foregoing is true and correct to the best of my knowledge and belief. 28 U.S.C. §1746. Executed September 30, 2014.

__________________________
JOSHUA J. HOROWITZ
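
The access-control reasoning in ¶¶ 24 and 27, as an added example that is not part of the declaration or the discovery materials: Nginx checks `allow`/`deny` rules in order, applies the first that matches, and admits the client when none matches, so a virtual host with `allow` lines but no closing `deny all` is open to every address. The two configurations are constructed from the directive lines quoted in ¶¶ 23-24 and 27 and wrapped in an assumed `server { }` block; `203.0.113.7` is a documentation-range stand-in for an outside client, the function names are hypothetical, and each virtual host's rules are evaluated in isolation as one flat list.

```python
"""Audit nginx virtual hosts for allow/deny rules that admit outside clients."""
import ipaddress
import re

# Constructed from the directive lines quoted in paragraphs 23-24 and 27.
# The full files (Exhibits 6 and 7) are not reproduced on this page, and the
# surrounding "server { }" block is an assumption.
SITES_ENABLED = {
    "live-ssl": """
        server {
            root /var/www/market/public;
            allow 127.0.0.1;
            allow 62.75.246.20;
            deny all;
        }
    """,
    "phpmyadmin": """
        server {
            listen 80;
            root /usr/share/phpmyadmin;
            allow 127.0.0.1;
        }
    """,
}

# Only the four directives discussed in the declaration are extracted.
DIRECTIVE = re.compile(r"^\s*(allow|deny|root|listen)\s+([^;#]+);", re.MULTILINE)


def parse_vhost(text):
    """Return (ordered allow/deny rules, first root/listen values) for one file."""
    rules, info = [], {}
    for name, value in DIRECTIVE.findall(text):
        value = value.strip()
        if name in ("allow", "deny"):
            rules.append((name, value))
        else:
            info.setdefault(name, value)
    return rules, info


def rule_matches(target, client):
    """True if an allow/deny argument (address, CIDR or 'all') covers the client."""
    if target == "all":
        return True
    if target == "unix:":  # UNIX-domain sockets never match an IP client
        return False
    return client in ipaddress.ip_network(target, strict=False)


def decide(rules, client_ip):
    """Apply nginx access-module semantics: first matching rule wins.

    When no rule matches, the request is allowed. That implicit allow is why
    a missing 'deny all' matters.
    """
    client = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if rule_matches(target, client):
            return action, f"{action} {target}"
    return "allow", "no rule matched (implicit allow)"


def audit(sites, outside_ip):
    """Report, per enabled vhost, what an address outside the allowlist gets."""
    findings = {}
    for name, text in sites.items():
        rules, info = parse_vhost(text)
        action, reason = decide(rules, outside_ip)
        findings[name] = {
            "root": info.get("root"),
            "listen": info.get("listen"),
            "outside": action,
            "reason": reason,
            "deny_all": any(a == "deny" and t == "all" for a, t in rules),
        }
    return findings


if __name__ == "__main__":
    for vhost, result in audit(SITES_ENABLED, "203.0.113.7").items():
        flag = "EXPOSED" if result["outside"] == "allow" else "restricted"
        print(f"{vhost:12} root={result['root']:26} {flag}: {result['reason']}")
```
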