Witness | US v Pfc. Manning, Special Agent David Shaver, CCIU

UPDATE POST COURT-MARTIAL

United States v. Pfc. Manning was conducted in de facto secrecy. The public was not granted contemporaneous access to court filings or rulings during her trial. In addition to reporting on her trial, I transcribed the proceedings, reconstructed the censored appellate list, and un-redacted any publicly available documentation, in order to foster public comprehension of her unprecedented trial.

As a result of a lawsuit against the military judge and the Military District of Washington brought by the Center for Constitutional Rights, as well as my own FOIA requests and research, an official court record for US v. Pfc. Manning was released seven months after her trial. That record is not complete.

The official trial docket is published HERE and the entire collection of documents is text searchable at usvmanning.org.

*During the pretrial proceedings, court-martial and sentencing of Pfc. Manning, Chelsea requested to be identified as Bradley and addressed using the male pronoun. In a letter embargoed for August 22, 2013 Chelsea proclaimed that she is female and wished to be addressed from that moment forward as Chelsea E. Manning.

General Description

Special Agent David Shaver, Army Computer Crimes Investigating Unit (CCIU), appeared multiple times at the Article 32 pretrial hearing: on December 18, 2011; December 19, 2011; and December 20, 2011.

Shaver also testified in CLOSED SESSIONS with “relevant government agencies”: Shaver may have appeared in the late afternoon on December 18, 2011; and in three (3) CLOSED SESSIONS on December 19, 2011.

Shaver testified that he specializes in computer intrusion. Shaver said he became involved when the Army Computer Crimes Investigating Unit (CCIU) was assigned to the case. Shaver had to have been on the case as early as 27 May 2010 – the day after Bradley Manning was detained at FOB Hammer, Iraq – since Shaver asserts that he made a disk image that was used to testify about the naming convention for CDs burned with Roxio on both of Bradley Manning’s T-SCIF workstation SIPRNet computers, a Dell with an IP address ending in .40 and an Alienware with an IP address ending in .22.

Shaver examined two SIPRNet computers said to be Bradley Manning’s primary computer (22.225.41.22) and a secondary computer (22.225.41.40). The 22.225.41.22 (.22) IP address signifies an Alienware computer that Bradley Manning shared at his T-SCIF workstation with Sergeant Chad Madaras; the 22.225.41.40 (.40) IP address signifies a Dell computer that Bradley Manning also shared at his T-SCIF workstation with Madaras. Shaver testified that both computers had profiles on them for Bradley Manning, but Reitman notes that Shaver stated that the Alienware (.22) computer was used more often. Both the Alienware .22 and the Dell .40 computer had the US Army’s Windows OS and Roxio installed, and both computers’ USB ports were disabled. On the Alienware .22 computer both Internet Explorer and Firefox were installed. Internet Explorer was configured to prevent the user from deleting their history, and created a log of all files opened. Firefox was installed to operate in private browsing mode with Intelink as the homepage.

Shaver testified that Roxio disk images burned on both of Manning’s T-SCIF SIPRNet workstation computers followed the naming convention: two-digit year, two-digit month, two-digit day, underscore, two-digit hour, two-digit minutes. On 27 May 2010, Shaver created a disk image on one of Manning’s alleged workstation computers – not clear which one – “Computer BD-RE Drive (D:) 100527_0357”.

Shaver testified that he examined the Intelink logs from October 2009 to May 2010, looking for keyword searches and hits, as well as files allegedly downloaded and accessed. Shaver says his investigative plan was to look at keyword searches. Shaver did this by searching for unique strings within the log files. Shaver states he verified his investigative plan of keyword searches “by conducting searches on his own computer, then comparing the unique log file he created to the one he was searching for in the [Intelink] logs.”

Shaver testified that he found searches on Intelink for the keywords: WikiLeaks, Julian Assange, and Iceland. One of the search terms that Reitman noted in the testimony of Shaver was “ilr+WikiLeaks”. Shaver testified that there were over 100 searches conducted for the term WikiLeaks between 1 December 2009 and 8 March 2010 associated with IP address 22.225.41.40 (.40). There were eight search queries related to “retention of interrogation video” also associated with IP address 22.225.41.40 (.40), beginning on 28 November 2009 and ending on 17 January 2010.

According to Reitman’s account of Shaver’s testimony there were search queries for the term Iceland with the IP address 22.225.41.22 (.22) beginning on 9 January 2010 and ending on 21 April 2010.
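The keyword-search analysis described above can be sketched as follows. This is an added example, not the investigators' tooling: the Intelink log format is not given on this page, so the web-server-style layout, the `q` parameter, the function names and every sample line are constructed assumptions. It decodes each query string before matching, because a term such as “ilr+WikiLeaks” or “Julian%20Assange” appears URL-encoded in a raw log.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in an ASSUMED "combined"-style layout.
# Only the two IP addresses and the search terms appear in the testimony
# summary; timestamps, paths and sizes are invented for the example.
SAMPLE_LOG = """\
22.225.41.40 - - [01/Dec/2009:10:15:02 +0000] "GET /search?q=wikileaks HTTP/1.1" 200 5120
22.225.41.40 - - [15/Dec/2009:11:02:33 +0000] "GET /search?q=Julian%20Assange HTTP/1.1" 200 3072
22.225.41.40 - - [17/Jan/2010:03:12:45 +0000] "GET /search?q=retention+of+interrogation+video HTTP/1.1" 200 2048
22.225.41.40 - - [08/Mar/2010:22:41:10 +0000] "GET /search?q=ilr+WikiLeaks HTTP/1.1" 200 4096
22.225.41.22 - - [09/Jan/2010:14:00:00 +0000] "GET /search?q=Iceland HTTP/1.1" 200 1024
22.225.41.22 - - [21/Apr/2010:09:30:00 +0000] "GET /search?q=iceland HTTP/1.1" 200 1024
22.225.41.22 - - [21/Apr/2010:09:31:00 +0000] "GET /static/logo.png HTTP/1.1" 200 300
22.225.41.22 - - [21/Apr/2010:09:3
"""

LINE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_searches(log_text, param="q"):
    """Return (hits, unparsed).

    hits is a list of (source_ip, timestamp, decoded_search_term);
    unparsed lists the line numbers that could not be read, so damaged
    lines are reported instead of silently dropped.
    """
    hits, unparsed = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match is None:
            unparsed.append(lineno)
            continue
        try:
            when = datetime.strptime(match["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            unparsed.append(lineno)
            continue
        # parse_qs turns '+' and '%20' back into spaces, so the term is
        # compared in the form the user typed, not the form it was logged in.
        query = parse_qs(urlsplit(match["target"]).query)
        for term in query.get(param, []):
            hits.append((match["ip"], when, term))
    return hits, unparsed


def summarize(hits, keywords):
    """Map (source_ip, keyword) -> (count, first_seen, last_seen).

    Matching is case-insensitive and by substring, so 'ilr WikiLeaks'
    counts as a hit for 'wikileaks'.
    """
    summary = {}
    for ip, when, term in hits:
        folded = term.casefold()
        for keyword in keywords:
            if keyword.casefold() in folded:
                count, first, last = summary.get((ip, keyword), (0, when, when))
                summary[(ip, keyword)] = (count + 1, min(first, when), max(last, when))
    return summary


if __name__ == "__main__":
    found, damaged = parse_searches(SAMPLE_LOG)
    terms = ["wikileaks", "julian assange", "iceland"]
    for (ip, kw), (n, first, last) in sorted(summarize(found, terms).items()):
        print(f"{ip} {kw!r}: {n} hit(s), {first:%d %b %Y} to {last:%d %b %Y}")
    print("unparsed lines:", damaged)
```

A plain string search of the raw text for “Julian Assange” finds nothing in this sample, which is why the decoded term is what gets compared.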

Shaver said he relied on EnCase for forensic analysis. Shaver testified that he used EnCase to search allocated and unallocated spaces on the devices that he examined. Shaver testified that his investigative plan was to look for items mentioned in the alleged chat logs between Adrian Lamo and Pfc. Manning.

Shaver discussed Wget. The first use of Wget, according to Shaver’s testimony, was in early March 2010. Reitman notes that the date for the first use of Wget on display in the Courtroom appears to have been 07 March 2010. Shaver testified that the first instance of Wget seemed to access Guantanamo (GTMO) detainee assessments. The process the forensic examiner used was to recreate the Wget script, download the Guantanamo (GTMO) detainee assessment files, and then compare those downloaded files with the files published on WikiLeaks. According to Shaver’s testimony, in the allocated spaces on the Alienware .22 computer, under Pfc. Manning’s profile, Shaver found four complete Guantanamo (GTMO) detainee assessments. On cross examination by defense, Shaver admitted that while four detainee assessments were found in the allocated space on the Alienware .22 computer, zero files were found in the unallocated space – despite an earlier assertion that Manning appeared to have downloaded hundreds of Guantanamo detainee assessments.

According to Shaver’s testimony, on the Alienware .22 computer, he found “files.zip” in “my Documents”, which had around 10,000 Department of State (State Department) (DoS) cables in HTML. Shaver admitted, however, that he did not check those Department of State (State Department) (DoS) cables against the Department of State (State Department) (DoS) cables published on the WikiLeaks.org site. Shaver also did not know that intelligence analysts in the T-SCIF were authorized to view the Net Centric Diplomacy database, and had been given a link with no password required by Captain Steven Lim in January 2010 on the instructions of Headquarters. Shaver also said that a certain number of Department of State (State Department) (DoS) cables published by WikiLeaks did not match the cables found in the Alienware .22 computer “files.zip” in “my Documents”. When the prosecution re-examined Shaver concerning “files.zip”, Shaver said that he hypothesized that the documents weren’t published, because the file was corrupted. When defense cross-examined Shaver again, Shaver said that he could not tell when “files.zip” was corrupted, only when it was created. In the press pool there was confusion over Shaver’s contradicting statements: first he said he DID compare cables and they did not match with those published by WikiLeaks.org, and then he said he didn’t check all of them.

In Shaver’s testimony concerning the Alienware .22 computer, Shaver states that he found a three-tabbed Excel spreadsheet entitled “backup.xls”. The first tab was labeled “Wget” and consisted of two columns. The first column had 10,000 Message Record Numbers (MRN) for Department of State (State Department) (DoS) cables. The second column, according to Reitman’s account of Shaver’s testimony, was “the command line to download each of the cables in column one.” The second tab of the “backup.xls” was entitled “0310-0410” and consisted of a list of Message Record Numbers (MRN) for Department of State (State Department) (DoS) cables that were published between March 2010 and April 2010. According to Reitman’s account of Shaver’s testimony, in the top left of the second tab was the sequence “251,288”. Shaver testified that this was only “one number off from the total number of cables released by WikiLeaks: 251,287”. The third tab of the Excel spreadsheet entitled “backup.xls” was entitled “0510” and contained Message Record Numbers (MRN), embassy information, and classification type for all the Department of State (State Department) (DoS) cables. Shaver testified that the Excel spreadsheet entitled “backup.xls” was partially corrupted, but able to be opened.

While Shaver testified that he did a bit-by-bit forensic image of Manning’s computers, Shaver admitted on cross examination by defense that he did not do a bit-by-bit forensic analysis of other computers in the T-SCIF; he did not even know how many computers were in the T-SCIF. Shaver could not say if Wget was installed on the other T-SCIF computers.

On the Alienware .22 computer, Reitman notes of Shaver’s testimony that Wget was found in several places in the PreFetch folder. Reitman notes that Shaver said “Wget was added on 4 May 2010 but that he had found an earlier version in Windows PreFetch.”

Shaver also testified that he found two (2) .csv files with 100 cables in “Windows Temp.”

In the unallocated space of the Alienware .22 computer, Shaver testified that he found thousands of complete Department of State (State Department) (DoS) cables and many cables that were incomplete. The Department of State (State Department) (DoS) cables ranged in classification.

On the Alienware .22 computer, Shaver testified that he found hundreds of Internment Serial Numbers (ISN) in the “Index.dat” file. The index.dat file is a database file. It is a repository of information such as web URLs, search queries and recently opened files. Its purpose is to enable quick access to data used by Internet Explorer.

Shaver testified, according to Rainey Reitman, that he found a copy of “Collateral Murder” as published by WikiLeaks.org; and what appeared to be the source file for that video. The video was found, Shaver testified, using EnCase restore points. Shaver said the first instance of the video source file was in March 2010. Shaver also noted that the computer was re-imaged in March 2010. Shaver did not know, as was revealed in cross examination by defense, that analysts were authorized to view the video on a SIPRNet computer, and that the video had been a topic of discussion and viewing among and by analysts in the T-SCIF as per Captain Casey Martin’s (married name Fulton) testimony.

Shaver testified that on Manning’s workstation Dell .40 computer, he found over 100,000 Department of State (State Department) (DoS) cables in a .csv file in unallocated space. This .csv file was arranged into the following five columns: Unique Number; Date the cable was published to the Department of State server; Message Record Number (MRN); Classification; Base64 encoding. Shaver testified that he was able to decode the Base64. Shaver clarified that he found this in the Dell .40 computer unallocated space but it was not associated with a user profile, and that one would likely not download manually but use a script to automate the process. Shaver testified that he did not find a script. On cross examination by defense, Shaver admitted that he cannot say that Manning accessed Department of State (State Department) (DoS) cables. Shaver also admitted that he did not know if user passwords were shared, and that the unallocated space .csv file cannot be dated. Shaver also admitted that the information was authorized on a classified computer, where it was found. Shaver also admitted that he cannot show that the information was passed to any unauthorized person.
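How a five-column record of this kind can be decoded and triaged is sketched below, as an added example that is not the examiner's tooling or data. The rows are constructed placeholders, the column order follows the list above, and the key names, date format and function names are assumptions. Fragments carved from unallocated space are often cut off, so each record is checked and rejected records are kept with a reason.

```python
import base64
import binascii
import csv
import io

# Column order as listed in the testimony summary; key names are assumptions.
COLUMNS = ("unique_number", "published", "mrn", "classification", "body_b64")


def _enc(text):
    """Base64-encode a constructed placeholder body for the sample below."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed fragment: placeholder values only, no real cable data.
SAMPLE_FRAGMENT = "\n".join([
    "1,2010-03-01,PLACEHOLDER-MRN-0001,UNCLASSIFIED," + _enc("constructed body one"),
    # Cut mid-value: 23 Base64 characters, not a multiple of four.
    "2,2010-03-02,PLACEHOLDER-MRN-0002,UNCLASSIFIED," + _enc("constructed body two")[:-5],
    # Cut mid-record: only three of the five fields survive.
    "3,2010-03-03,PLACEHOLDER-MRN-0003",
    # Intact record whose decoded body spans two lines.
    "4,2010-03-04,PLACEHOLDER-MRN-0004,UNCLASSIFIED," + _enc("line one\nline two"),
    # Cut exactly on a four-character boundary: valid Base64, incomplete body.
    "5,2010-03-05,PLACEHOLDER-MRN-0005,UNCLASSIFIED," + _enc("constructed body five")[:-8],
])


def decode_records(text):
    """Return (decoded, rejected) for a carved five-column CSV fragment.

    decoded  : list of dicts with the five columns plus a 'body' key
    rejected : list of (record_number, reason) for records that fail checks
    """
    decoded, rejected = [], []
    for number, row in enumerate(csv.reader(io.StringIO(text)), 1):
        if not row:
            continue  # blank line between fragments
        if len(row) != len(COLUMNS):
            rejected.append((number, f"expected {len(COLUMNS)} fields, got {len(row)}"))
            continue
        record = dict(zip(COLUMNS, (field.strip() for field in row)))
        try:
            # validate=True refuses characters outside the Base64 alphabet
            # instead of skipping them, so carving debris is not decoded.
            raw = base64.b64decode(record["body_b64"], validate=True)
        except (binascii.Error, ValueError) as exc:
            rejected.append((number, f"bad Base64: {exc}"))
            continue
        record["body"] = raw.decode("utf-8", errors="replace")
        decoded.append(record)
    return decoded, rejected


if __name__ == "__main__":
    ok, bad = decode_records(SAMPLE_FRAGMENT)
    for rec in ok:
        print(rec["unique_number"], rec["mrn"], repr(rec["body"]))
    for number, reason in bad:
        print(f"record {number} rejected: {reason}")
```

Record 5 decodes without error even though its body is cut short: Base64 validity shows a value is well formed, not that it is complete, so completeness has to be established from another source.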

Shaver testified that he examined an SD card said to be found during the second search of Manning’s aunt’s, Debra Van Alstyne’s, home after having allegedly been shipped from Iraq in October 2010. Shaver testified that he followed the same process for the SD card as he did for the Alienware .22 and the Dell .40 SIPRNet machines. Shaver received the search warrant for the SD card in December 2010. Shaver could not testify to the chain of custody for the SD card.

On the SD card, Shaver testified that he found 100,000 CIDNE documented findings and reports [Reitman says that there were 10,000], and a “number” of photos of Pfc. Manning, both in the unallocated space. One of the photos displayed in Court was a self-portrait that Manning allegedly took with a camera held in one hand, standing in front of a mirror in the basement of his aunt’s, Debra Van Alstyne’s, house taken on 29 January 2010, while he was on leave. The portrait in the mirror was found in the unallocated space of the SD card. Shaver testified that he found an encrypted compressed file “yadda.tar.bz.2.nc” on the allocated space of the SD card. Shaver testified that he used a password Mark Johnson had discovered “TWINK1492!!” and decrypted “yadda.tar.bz.2.nc”. Inside “yadda.tar.bz.2.nc” were four files: “afg_events.csv”, dated 8 January 2010 that contained 91,000 individual SigAct reports from CIDNE Afghanistan database; “irq_events.csv”, dated 5 January 2010 that contained 400,000 individual SigAct reports from CIDNE Iraq database; README, dated 9 January 2010 that was a temporary file created by the Macintosh OS; and ._README.TXT, dated 9 January 2010 that Shaver testified was written, “This is possibly one of the more significant documents of our time, removing the fog of war, revealing the true nature of 21st century asymmetric warfare. Have a good day.” Reitman writes that the note “specifically stated that steps had been taken to sanitize certain sensitive data, and that there should be a 90-100 day wait before releasing data to best assess how to distribute the information and protect the source.” Shaver testified that he did a “line-by-line” comparison on WikiLeaks.org and the files “appeared” to be the source files.

The Government asked Shaver to authenticate several documents including: Document 1: Screen shot of [Missed] Manningb_006587 [Missed]; Document 2: Screenshot of email from Manning’s Thunderbird account; Document 3: Screenshot of April 8, 2010 email from Manning’s Thunderbird account. Manningb_00409686; Document 4: Screenshot of a 10 April 2010 email from Manning’s Thunderbird account.

Shaver testified about the CENTAUR logs, collected from the Office of the Director of National Intelligence, which Shaver described as part of the intrusion defense system and known elsewhere as NetFlow logs. CENTAUR logs capture IP addresses, times, and dates. CENTAUR logs also track packet information, the amount of data transferred between the CENTAUR sensor. Shaver testified that Army Computer Crimes Investigative Unit (CCIU) collected CENTAUR logs for the IP addresses 22.225.41.22 and 22.225.41.40, associated with the Alienware .22 and Dell .40 SIPRNet machines respectively. Shaver testified presenting a spreadsheet of dates and amount transferred between the Dell .40 and Alienware .22 machines and the Net Centric Diplomacy database, GTMO server, and CENTCOM CIDNE database in Tampa, FL. Reitman notes in a “3 month time span there was 11.2 GB of data passed and there was significant activity on 30 March 2010 and 28 March 2010, then again on 8 April 2010 and 9 April 2010. There were around 800,000 total connections from the Alienware .22 machine to the State Department Net Centric Diplomacy servers from 7 March 2010 till the end of May 2010.” On cross examination, Shaver said that the time period for the CENTAUR NetFlow logs was between 1 October 2009 and the end of May 2010 and only for the IP addresses 22.225.41.22 and 22.225.41.40, associated with the Alienware .22 and Dell .40 machines respectively. Shaver admitted that he did not look at historical information or the packet information for any other computer in the T-SCIF. Incidentally, those other T-SCIF machines were destroyed. More importantly, Shaver also admitted that the information accessed and activity illustrated in the CENTAUR NetFlow logs was authorized for both SIPRNet computers with the IP addresses 22.225.41.22 and 22.225.41.40, associated with the Alienware .22 and Dell .40 machines respectively.

Shaver testified that Army Computer Crimes Investigative Unit (CCIU) collected Department of State (State Department) (DoS) Firewall Logs and Net Centric Diplomacy Web Server Logs for the IP addresses 22.225.41.22 and 22.225.41.40, associated with the Alienware .22 and Dell .40 machines respectively. Shaver testified that Department of State (State Department) (DoS) logs showed there were 800,000 connections between Dell .40 and the Department of State (State Department) (DoS) NetCentric Diplomacy server over the entire period from March to May 2010. According to Shaver’s testimony, Department of State (State Department) (DoS) Web Server Logs for the IP addresses 22.225.41.22 and 22.225.41.40, associated with the Alienware .22 and Dell .40 machines respectively, showed that a large number of files had been downloaded by the .22 machine using Wget. Shaver testified that Department of State (State Department) (DoS) NetCentric Diplomacy logs before May were unavailable due to a problem with the server. On cross examination, Shaver also admitted that the information accessed and activity illustrated in the Department of State (State Department) (DoS) Firewall Logs and Net Centric Diplomacy Web Server logs was authorized for both SIPRNet computers with the IP addresses 22.225.41.22 and 22.225.41.40, associated with the Alienware .22 and Dell .40 machines respectively.

Shaver said that other, unspecified log files showed hundreds of thousands of other files being downloaded at the same time. This is all that Shaver said.

On cross examination Shaver admitted that CENTCOM’s CIDNE Iraq database was within CENTCOM’s area of operations for the Alienware .22 and Dell .40 SIPRNet computers.

Shaver testified that the Army Computer Crimes Investigative Unit (CCIU) was authorized to take images of the raw structure of files in the Farah investigation folder on the CENTCOM servers related to a specific path to that folder that was found in the Alienware .22 index.dat. Shaver said the file structure of the Farah investigation folder on the CENTCOM server matched the structure found in the Alienware .22 index.dat. Shaver testified that CENTCOM logs evidence that only one PowerPoint file, “Farah.brief.final.version1”, was downloaded by the Alienware .22 computer on 10 April 2010 at 13:12:24 hours. CENTCOM server logs do not record external IP addresses. They track date, time, and file(s) requested. On cross examination, Shaver also admitted that the information accessed and activity illustrated in the CENTCOM server logs was authorized for both SIPRNet computers with the IP addresses 22.225.41.22 and 22.225.41.40, associated with the Alienware .22 and Dell .40 machines respectively.

Something the defense describes as a Farah file in the unallocated space. Shaver admitted that the first evidence of the Farah file on the Alienware .22 was in April of 2010. Shaver admitted that he did not know that WikiLeaks claimed to have the Farah information in January 2010.

On the Alienware .22 computer, Shaver testified that he found hundreds of files related to the Granai airstrike, including deleted .pdf’s and .jpg’s. Shaver testified that on 20 May 2009 [NOTE: COMPARE WITH “BE22PAX.wmv”, referred to as a Garani video, which consisted of video of a flight over the battle space “not an air strike” and was created in May 2009] a large number of files were downloaded and compressed into a .zip file. These included .jpg images of presentations and documents from hospital burn victims. During cross examination by the defense, Shaver admitted that he did not examine the .zip file because it was no longer present on the Alienware .22 computer.

Special Agent David Shaver, CCIU, testified that he searched the work computer of Jason Katz, which was seized from Brookhaven National Labs at the Department of Energy. According to the testimony of Special Agent Mark Mander, CCIU, the investigation into Jason Katz is being directed by the FBI.

Special Agent David Shaver, CCIU, testified that he found one user profile on Jason Katz’s work computer that was seized from Brookhaven National Labs at the Department of Energy, “kupo” [it is not clear to me if “kupo” refers to the user profile].

Special Agent David Shaver, CCIU, testified that the file “b.zip” was found on the work computer of Jason Katz, seized from Brookhaven National Labs at the Department of Energy. Shaver testified that the file “b.zip” was password protected. Shaver testified that after he opened the file “b.zip” with a password that he obtained from CENTCOM, he viewed the contents. Shaver testified that inside the file “b.zip” was the file “BE22PAX.wmv”, a video taken from an aircraft over the battlefield [Garani Video]. Shaver testified that he had seen the video before in a file “BE22PAX.zip” located in a folder called “videos” in the Farah investigation folder on the CENTCOM server. Shaver testified that the file “b.zip” was placed on the work computer of Jason Katz, seized from Brookhaven National Labs at the Department of Energy, on 15 December 2009, and that the user of the work computer seized from Brookhaven National Labs at the Department of Energy was attempting to decrypt the file “b.zip”. Shaver testified that a cracking program had been downloaded and installed on the work computer of Jason Katz, which had been seized from Brookhaven National Labs at the Department of Energy. Shaver testified that according to the bash history a cracking program was running on the work computer of Jason Katz trying to crack the password of the file “b.zip”. Shaver testified that he could not say if the user was able to decrypt the file “b.zip”. On cross examination, Shaver testified that the video “BE22PAX.wmv” was referred to as a Garani video and consisted of video of a flight over the battle space “not an air strike” and that the file was created in May 2009. On cross examination, Shaver testified that the video found on the work computer of Jason Katz seized from Brookhaven National Labs at the Department of Energy was the same movie file as the one that came from the CENTCOM server. Shaver testified that he was aware that WikiLeaks had a similar video around the same time frame.

On cross examination, Shaver testified that the movie on the work computer of Jason Katz that was seized from Brookhaven National Labs at the Department of Energy was the same movie located in the Farah folder created in May 2010 on the CENTCOM server, but Shaver could not say when this movie was put on the CENTCOM server. Shaver testified that the movie file on the work computer of Jason Katz had the same hash value as the movie on the CENTCOM server.

On cross examination Shaver testified that he found three videos in the Farah folder that he has not yet spoken about in his testimony. Defense asked if the videos were from the Farah.zip, and Shaver responded, “Look at the log files. You would work your way back to it, Sir.” On cross examination, Shaver admitted that the movie file on Jason Katz’ work computer seized from Brookhaven National Labs at the Department of Energy was not the same video allegedly found on the Alienware .22 workstation computer of Manning: “Different video, Sir.” [NB Agent Mark Mander Army Computer Crime Investigative Unit (CCIU) testified that the Jason Katz investigation was directed by the Federal Bureau of Investigation (FBI) and not Army Computer Crimes Investigation Command (CCIU).]

Shaver testified that he reviewed both CIA WIRe (World Intelligence Review) logs and Open Source Center logs, and that Manning had an Open Source Center account with the username, “bradass87”. Shaver testified that he could view the information requested under that account, as well as the files viewed. The Open Source Center account, as Reitman notes, searched for the terms “WikiLeaks” and “Iceland” about 30 times each. On cross examination, Shaver admitted that the CIA WIRe and Open Source Center were open source and that an analyst working on either the Alienware .22 or Dell .40 SIPRNet computers was authorized to do so.

Shaver testified that he examined a NIPRNet computer that had a profile for Manning. Shaver testified that no classified material was found. Shaver testified that there was a record of the Manning user profile searching Google for WikiLeaks, Base64 and Wget. Shaver testified there was a record that the user profile searched Google for Wget on 3 May 2010. Shaver testified there was evidence that Wget was downloaded. Shaver said that he found a cached version of the Wget 1.11.4 download Web page on the NIPRNet computer. Shaver testified that this instance of Wget that was downloaded on the NIPRNet computer on 3 May 10 matched the hash of the instance of Wget installed on the Alienware .22 machine on 4 May 2010. Shaver testified that both machines were on the Bradley.Manning user profile. Shaver testified that Wget existed on the Alienware .22 computer prior to 4 May 2010. On cross examination Shaver admitted that Wget was a data mining tool.

Reitman notes that Shaver testified that he examined both of the computers collected as evidence from Adrian Lamo with his consent. Lamo is a confidential informant for the Government. The two (2) computers were a removable 500 GB hard drive from Adrian Lamo’s Linux machine mobile laptop, and an HP Windows Net-book or mini laptop hard drive. Reitman notes that Shaver testified that the two computers were imaged and that those images were verified. Shaver testified that Adrian Lamo’s consent “[o]nly authorized [investigators] to search for any communication between Adrian Lamo and Bradley Manning.” Reitman notes that Shaver testified that he found four (4) chat logs between Lamo and bradass87 on the Windows machines, and “several copies of the chat logs slightly modified to be akin to the versions given to the media” on the Linux machine. Shaver testified that “at some point, chat log had been enabled, and they basically matched. Except for some connectivity issues.” Shaver testified the content in both alleged chat logs found on Adrian Lamo’s and Bradley Manning’s respective machines was the same. Defense did not cross examine Shaver.

Individuals named in the testimony of Special Agent David Shaver Army Computer Crimes Investigating Unit (CCIU)

  • Adrian Lamo
  • Unnamed Forensic Examiner
  • Unnamed individuals in the Forensic Unit of Army Computer Crimes Investigative Unit (CCIU)
  • Debra Van Alstyne, Bradley Manning’s aunt
  • Jason Katz

Evidence named in the testimony of Special Agent David Shaver Army Computer Crimes Investigating Unit (CCIU)

This is a running list of evidence presented by the Government in open Court. The items should not be taken as statements of fact, since this list does not contain the Government’s methods or modes for conducting the analysis, and in some cases the evidence is inconclusive, circumstantial, or disputed as not criminal per elements or items as charged. I have compiled this list to investigate the Government’s case. The public is also not privy to the classified portions of this agent’s testimony, so one cannot say with certainty if any of the Government’s methods or assertions have come under countering scrutiny by the defense during closed sessions.

  • Alleged chat logs that Special Agent Shaver used for his investigative plan early in the investigation. It is not clear in what chain of custody or format these chat logs were obtained very early in the investigation.
  • Intelink logs from October 2009 to May 2010.
    • Intelink search queries associated with the IP address 22.225.41.40 between 1 December 2009 and 08 March 2010. Special Agent Shaver asserts these contain search queries for WikiLeaks, Julian Assange, and Iceland [transcriber also noted the search term ilr+wikileaks]. Special Agent Shaver asserts there were 100 searches conducted for the term WikiLeaks.
    • Intelink search queries: eight (8) searches for information related to “retention of interrogation video”. These were associated with the IP address 22.225.41.40 between 28 November 09 and 17 January 2010.
    • Intelink search queries associated with the IP address 22.225.41.22 between 9 January 2010 and 21 April 2010
  • ARTIFACT – naming of a C.D. that Shaver burned. Computer BD-RE Drive (D:) 100527_0357
    Organize – Burn to disk. It is unclear on which computer Shaver made this disk image to use in his testimony.
  • Acceptable Use Policy (AUP) for the Alienware .22 and Dell .40 machines.
  • Files linked to the fraudulent station in the database [Unclear from Reitman or the transcriber’s notes what this refers to or where it was found.]
  • First instance of WGet in March 2010 that Shaver asserts seemed to be to access the Gitmo detainee assessments. [Transcriber notes the date may have been 7 March 2010 but it is not clear which computer and where this was found.] Shaver said an unnamed forensic examiner was able to recreate the script and download Gitmo detainee logs on his own computer. The forensic unit then downloaded the Gitmo logs published by WikiLeaks and compared them to what they pulled via the WGet script. According to Shaver, they matched.
  • 22.225.41.22 (.22) Alienware SIPRNet computer Bradley Manning shared at the T-SCIF workstation with Sergeant Chad Madaras
    • “files.zip” in “my Documents” in the allocated spaces on the Alienware .22 computer. Shaver asserts this file had around 10,000 Department of State (State Department) (DoS) cables in HTML. Shaver did not compare with those published by WikiLeaks AND they did not match Department of State (State Department) (DoS) cables published by WikiLeaks.org. “files.zip” was partially corrupted. Shaver could not tell when the file was corrupted, only when it was created.
    • “backup.xls”, a three-tabbed Excel file in the allocated spaces on the Alienware .22 computer. “backup.xls” had been partially corrupted but was able to be opened. First tab: labeled “WGet”. This was a two-column spreadsheet. The first column had a list of 10,000 Message Record Numbers (MRN) for Department of State (State Department) (DoS) cables. The second column was the command line to download each of the cables in column one. Second tab: labeled “0310-0410”, a list of Message Record Numbers (MRN) for Department of State (State Department) (DoS) cables published between March 2010 and April 2010. Notably, in the top left was the sequence “251,288”. Third tab: labeled “0510”, with Message Record Numbers (MRN), embassy information, and classification type for all the cables.
    • In the allocated space on the Alienware .22 computer WGet was found to be added on 4 May 2010 but Shaver testified that he found an earlier version in the Windows PreFetch folder.
    • Two (2) .csv files, each with 100 cables, in Windows Temp in the allocated space on the Alienware .22.
    • In the unallocated spaces of the Alienware .22 “thousands” of complete cables ranging in classification and “many” incomplete ones.
    • “Hundreds” of Internment Serial Numbers (ISN) in the Index.dat file in the unallocated spaces on the Alienware .22 computer.
    • A copy of Collateral Murder as it was released on the WikiLeaks.org website and also what appeared to be the source file in the unallocated spaces of the Alienware .22 computer. The first instance of this was March and was found through restore points using EnCase.
    • “Hundreds” of files related to the Granai airstrike, including deleted .pdf’s and .jpg’s.
      • On 20 May 2009 [NOTE: COMPARE WITH “BE22PAX.wmv”, referred to as a Garani video, which consisted of video of a flight over the battle space, “not an air strike”, and was created in May 2009] a large number of files were downloaded and compressed into a .zip file. These included .jpg images of presentations and documents from hospital burn victims. Shaver did not examine this .zip file because it was no longer present on the Alienware .22 computer.
    • In the allocated spaces on the Alienware .22 computer under Bradley Manning’s user profile, Shaver found 4 complete Gitmo detainee assessments; zero files were found in the unallocated space, despite his assertion that Manning appeared to have downloaded hundreds of Guantanamo detainee assessments.
  • 22.225.41.40 (.40) Dell SIPRNet computer Bradley Manning shared at the T-SCIF workstation with Sergeant Chad Madaras
    • .csv file in unallocated space of the Dell .40 that could not be tied to a user profile or dated, and that contained 5 columns: Unique Number; Date the cable was published to the Department of State server; Message Record Number (MRN); Classification; Base64 encoding. Shaver testified that he was able to decode the Base64. No evidence the information was passed to an unauthorized person.
  • SD card allegedly obtained during the second search of Bradley Manning’s aunt’s, Debra Van Alstyne’s, home after having allegedly been shipped from Iraq in October 2010.
    • 10,000 CIDNE [Reitman says 10,000; transcriber says 100,000] documented findings and reports in the unallocated space of the SD card allegedly obtained at the second search of Bradley Manning’s aunt’s, Debra Van Alstyne’s, home after having allegedly been shipped from Iraq in October 2010.
    • “Number” of photos of Pfc. Manning in the unallocated space of the SD card allegedly obtained at the second search of Bradley Manning’s aunt’s, Debra Van Alstyne’s, home after having allegedly been shipped from Iraq in October 2010.
    • yada.tar.bz2.nc made on January 30, 2010 at 10:22 p.m. in the allocated space of an SD card allegedly obtained at the second search of Bradley Manning’s aunt’s, Debra Van Alstyne’s, home after having allegedly been shipped from Iraq in October 2010.
      • Four (4) files contained in yada.tar.bz2.nc. They were:
        • Screenshot of afg_events.csv, dated 8 January 10. Government said contained 91,000 individual CIDNE reports for Afghanistan.
        • Screenshot of irq_events.csv, dated 5 January 2010. Government said contained 400,000 individual reports that are CIDNE reports from Iraq.
        • Screenshot of README, dated 9 January 2010. Government said was a temporary file created by Macintosh OS.
        • Screenshot of ._README.TXT, dated 9 January 2010
          • Government said the text of this document said, “This is possibly one of the more significant document of our time, removing the fog of war, revealing the true nature of 21st century asymmetric warfare. Have a good day.” The note also specifically stated that steps had been taken to sanitize certain sensitive data, and that there should be a 90 to 100 day wait before releasing data to best assess how to distribute the information and protect the source.
        • Two encrypted files [not clear if allocated or unallocated] both of which were unrecoverable and both of which allegedly referenced the word “nathan” in the title i.e. “nathan2_events_tar_bz2”
    • Document 1: Screen shot of [Missed] Manningb_006587 [Missed] that Government asked Shaver to authenticate.
    • Document 2: Email from Manning’s Thunderbird account that Government asked Shaver to authenticate.
    • Document 3: 8 April 2010 email from Manning’s Thunderbird account that Government asked Shaver to authenticate. Manningb_00409686
    • Document 4: 10 April 2010 Email from Manning’s Thunderbird account that Government asked Shaver to authenticate.
  • CENTAUR logs, also known as NetFlow logs, for the period 1 October 2009 to end of May 2010, collected from the Office of the Director of National Intelligence, for the IP addresses 22.225.41.22 and 22.225.41.40, associated with the Alienware .22 and Dell .40 machines respectively. These track date, time, and packet information.
    • Portion of the Excel spreadsheet displayed in Court of the CENTAUR log data for the Alienware .22 or Dell .40 machines’ connections to the Department of State (State Department) (DoS) NetCentric database.
      • 30 March 2010, 2677 MB
      • 29 March 2010, 2236 MB
      • 31 March 2010, 2217 MB
      • 01 April 2010, 1399 MB
      • 29 March 2010, 1299 MB
      • etc.
    • Portion of the Excel spreadsheet display of the CENTAUR log data for the Alienware .22 or Dell .40 machines’ connections to the SOUTHCOM GTMO server.
      • 07 March 2010, 533 MB
      • 05 March 2010, 287 MB
      • etc.
    • Portion of the Excel spreadsheet display of the CENTAUR log data for the Alienware .22 or Dell .40 machines’ connections to the CENTCOM CIDNE database in Tampa, FL.
      • 01 January 2010, 201 MB
      • etc.
  • Department of State (State Department) (DoS) Firewall Logs for the IP addresses 22.225.41.22 and 22.225.41.40, associated with the Alienware .22 and Dell .40 machines respectively. They show the number of connections.
    • Excel spreadsheet in three columns of data from the Department of State (State Department) (DoS) Firewall logs for the IP addresses 22.225.41.22 and 22.225.41.40, associated with the Alienware .22 and Dell .40 machines respectively: Source IP, date, and number of connections to the Net Centric Diplomacy database. Shaver said there were 800,000 connections between Dell .40 and the Department of State (State Department) (DoS) NetCentric Diplomacy server over the entire period from March to May 2010.
      • 52,135 on 28 March 2010
      • 77,573 on 31 Mar 2010
      • 57,274 on 01 April 2010
      • 78,738 on 05 April 2010
      • 73,091 on 08 April 2010
      • 95,057 on 09 April 2010
      • 53,440 on 05 May 2010
  • Department of State (State Department) (DoS) Web Server Logs for the IP addresses 22.225.41.22 and 22.225.41.40, associated with the Alienware .22 and Dell .40 machines respectively. They show the number of connections.
    • Department of State (State Department) (DoS) Web Server Logs for the IP addresses 22.225.41.22 and 22.225.41.40, associated with the Alienware .22 and Dell .40 machines respectively, showing that a large number of files had been downloaded by the .22 machine using Wget. Server logs before May 2010 were unavailable due to a problem with the server.
  • Images of the raw structure of files in the Farah investigation folder on the CENTCOM servers, located from a specific path to that folder found in the index.dat on the Alienware .22. Shaver said the file structure found in the index.dat matched the CENTCOM server.
  • CENTCOM server logs. CENTCOM server logs do not record external IP address. They track date, time, and file(s) requested. CENTCOM logs evidence only one PowerPoint file, “Farah.brief.final.version1”, was downloaded by the Alienware .22 computer on 10 April 2010 at 13:12:24 hours. Since CENTCOM logs do not track IP addresses, this statement pertaining to the Alienware computer associated with the .22 IP address by Shaver needs further elucidation.
  • *Farah.zip [Defense mentions this on cross-examination in relation to three videos, but it is unclear.]
  • Other unspecified log files that Shaver said showed hundreds of thousands of other files being downloaded at the same time.
  • CIA WIRe (World Intelligence Review) logs
  • Open Source Center Logs
  • A NIPRNet computer that included a profile for Bradley Manning.
    • Cached version of the WGET version 1.11.4 download Web page on the NIPRNet computer that included a profile for Bradley Manning
  • Google search records for a Bradley Manning user profile
  • Linux work computer seized from Jason Katz at Brookhaven National Labs at the Department of Energy
    • b.zip placed on Linux work computer of Jason Katz on 15 December 2009
      • BE22PAX.wmv
    • evidence of a cracking program being downloaded and installed on Linux work computer of Jason Katz
    • bash history evidencing cracking program was trying to decrypt b.zip
  • CENTCOM SERVER
    • Farah Investigation Folder created in May 2010
      • “video” folder
        • BE22PAX.zip created in May 2009
        • *Three (3) videos that Shaver said he found in the CENTCOM Farah investigation folder. [Defense mentions this on cross-examination.]
  • A removable 500 GB hard drive from Adrian Lamo’s Linux machine mobile laptop.
    • “several copies of the chat logs slightly modified to be akin to the versions given to the media on the Linux machine”
  • HP Windows mini laptop or Net book that had a hard drive in it that belonged to Adrian Lamo.
    • four (4) AIM chat logs between Lamo and bradass87 on the Windows machines.
  • alleged Adium chat logs on Manning’s Apple MacBook Pro in XML format between “bradass87” and Adrian Lamo [Not directly mentioned by Special Agent David Shaver, CCIU, but he had to use them to compare with four (4) AIM chat logs between Lamo and bradass87 on the Windows machines]
  • log files from the Army Counterintelligence Center (ACIC)
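
Added example (not part of the testimony and not any tool Shaver used): a Python sketch of how an examiner could script the decoding of the Base64 column in a five-column .csv fragment like the one recovered from unallocated space on the Dell .40, flagging rows that were cut off or damaged. The field names, sample rows, and MRN-style values are constructed for illustration.

```python
import base64
import binascii
import csv
import io
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Column order as described for the recovered file; the Python names are assumptions.
FIELDS = ("unique_number", "published", "mrn", "classification", "body_b64")


@dataclass
class Record:
    unique_number: str
    published: str
    mrn: str
    classification: str
    body: Optional[str]  # decoded text, or None when nothing could be decoded
    status: str          # "ok", "truncated", "invalid" or "incomplete"


def decode_body(b64_text: str) -> Tuple[Optional[str], str]:
    """Decode one Base64 field recovered from a carved file.

    Data carved from unallocated space is often cut mid-field, so a strict
    decode is tried first and, if it fails, the longest prefix made of whole
    4-character groups is decoded instead and reported as "truncated".
    A field cut exactly on a group boundary cannot be told apart from a
    complete one and is reported as "ok".
    """
    cleaned = "".join(b64_text.split())
    if not cleaned:
        return None, "invalid"
    try:
        raw = base64.b64decode(cleaned, validate=True)
        return raw.decode("utf-8", errors="replace"), "ok"
    except (binascii.Error, ValueError):
        pass
    usable = cleaned[: len(cleaned) - len(cleaned) % 4]
    if not usable:
        return None, "invalid"
    try:
        raw = base64.b64decode(usable, validate=True)
    except (binascii.Error, ValueError):
        return None, "invalid"  # characters outside the Base64 alphabet
    return raw.decode("utf-8", errors="replace"), "truncated"


def parse_fragment(text: str) -> List[Record]:
    """Parse a recovered CSV fragment and decode the fifth column of each row."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) < len(FIELDS):
            # The fragment ended (or was overwritten) before the row was complete.
            padded = row + [""] * (len(FIELDS) - len(row))
            records.append(Record(*padded[:4], body=None, status="incomplete"))
            continue
        body, status = decode_body(row[4])
        records.append(Record(*row[:4], body=body, status=status))
    return records


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample: one intact row, one with a cut-off Base64 field,
# one with a damaged field, and one row that stops after three columns.
SAMPLE = "\n".join([
    f"1,2010-03-01,10EXAMPLE0001,UNCLASSIFIED,{_b64('BODY ONE CONSTRUCTED')}",
    f"2,2010-03-02,10EXAMPLE0002,UNCLASSIFIED,{_b64('BODY TWO CONSTRUCTED')[:-6]}",
    "3,2010-03-03,10EXAMPLE0003,UNCLASSIFIED,@@not-base64@@",
    "4,2010-03-04,10EXAMPLE0004",
])

if __name__ == "__main__":
    for rec in parse_fragment(SAMPLE):
        print(rec.unique_number, rec.mrn, rec.status, repr(rec.body))
```

Keeping a per-row status lets an examiner report exactly how many recovered records were complete, partial, or unreadable instead of silently dropping the damaged ones.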

No. 4 on the December 2, 2011 Defense Request for Article 32 Witnesses

4.) XXXXXXXXXX [SPECIAL AGENT DAVID SHAVER, CCIU] is a forensic examiner who conducted an examination of the computers used by PFC Manning within the T-SCIF, 44 loose hard drives seized from 2nd BCT, digital media collected from PFC Manning’s XXXXXXXXXX [WHAT IS THIS?] various log files from CIDNE Iraq and CIDNE Afghanistan, log files from the Army Counterintelligence Center (ACIC), and his personal computer equipment [MARK JOHNSON A MANTECH INTERNATIONAL CONTRACTOR REPORTED TO SPECIAL AGENT DAVID SHAVER CCIU, CCIU, AND CONDUCTED FORENSIC WORK ON MANNING’S PERSONAL COMPUTER A MACBOOK PRO] XXXXXXXXXX [SPECIAL AGENT DAVID SHAVER] completed 19 classified CCIU reports and will testify about the nature of his forensic examination and the results of his examination.

First open Court appearance of Special Agent David Shaver Army Computer Crimes Investigative Unit (CCIU), Additional Article 32 Pretrial, 12/18/11 (by an anonymous journalist, ed. by Alexa O’Brien)

See Transcript of US v Pfc. Bradley Manning, Article 32 Pretrial Hearing, 12/18/11 (Additional)

MISSED CLOSED SESSION WHICH INCLUDED “RELEVANT GOVERNMENT AGENCIES”

MISSED TESTIMONY AND FIRST APPEARANCE OF SPECIAL AGENT DAVID SHAVER

This is the end of the transcriber’s transcript of December 18, 2011 Article 32 Pretrial hearing of US v. Pfc. Bradley Manning, but it was not the end of the day. There was a closed session which allowed also “relevant Government agencies” and the first appearance of Special Agent David Shaver, Computer Crimes Investigative Unit [CCIU]. For those and all the other witnesses see Rainey Reitman’s Detailed Notes and Kevin Gosztola’s Live Blog.

Second open court appearance with Special Agent David Shaver Army Computer Crimes Investigative Unit (CCIU), Article 32 Pretrial, 12/19/11 (by an anonymous journalist, ed. by Alexa O’Brien)

See Transcript of US v Pfc. Bradley Manning, Article 32 Pretrial Hearing, 12/19/11

9:30 a.m. COURT IN SESSION

Investigating Officer: Good morning, [etc….]

Prosecution: United States recalls Special Agent David Shaver, U.S. Army Computer Crimes investigative Unit [CCIU].

Defense (Blouchard): Yesterday, you said you did the computer forensics on the [two SIPRnet assigned to Manning]. [You] did not do bit-by-bit forensic analysis on other computers at the S.C.I.F., right? Don’t know total number of computers in the S.C.I.F.?

Shaver: No.

Defense (Blouchard): So you don’t know if WGET was on other computers in the SCIF?

Shaver: Correct.

Defense (Blouchard): WGET pulls data and is used for data mining?

Shaver: Yes.

Defense (Blouchard): And a key job for an intelligence analyst is to do data mining?

Shaver: Yes sir.

Defense (Blouchard): I want to talk about cables…. You indicated WikiLeaks released two thousand [transcriber missed exact number] cables? The cables were found in “files.zip” in an allocated computer space as opposed to unallocated?

Shaver: [Answered, “Yes” to all the questions.]

Defense (Blouchard): You did not compare those cables [in “files.zip” in an allocated computer space] to those found on WikiLeaks website?

Shaver: Correct.

Defense (Blouchard): None of those cables matched those found on the WikiLeaks website?

Shaver: Correct.

Defense (Blouchard): The computer you found the cables on was SIPRnet, right?

Shaver: Yes.

Defense (Blouchard): Did you know analysts were authorized to have classified info? That analysts were told to look at these cables?

Shaver: No, I didn’t know.

Defense (Blouchard): Did you know there was no password to look at these cables?

Shaver: No.

[Shaver testified that he did find, in the unallocated space, a copy of the video file from the Apache airstrike later released on WikiLeaks, according to Rainey Reitman’s detailed notes.]

Defense (Blouchard): You found a video that is called “Apache Video.”

Shaver: Yes, on the .22 computer.

Defense (Blouchard): Did you know the video was a topic of discussion amongst the analysts as early as December 2009?

Shaver: No sir.

Defense (Blouchard): That they were watching the video on various computers?

Shaver: No, Sir.

Defense (Blouchard): There’s nothing wrong with having a video on a SIPRnet computer?

Shaver: Correct.

Defense (Blouchard): You mentioned the .zip file. Did you open it?

Shaver: It wasn’t present any longer on the computer.

Defense (Blouchard): So you don’t know the contents of that file?

Shaver: No sir.

Defense (Blouchard): You also mentioned J.T.F. G.T.M.O. [Joint Task Force Guantanamo] documents. WGET was used to download hundreds of files from the database. You found four complete detainee assessments in the allocated space. In the unallocated space, you found zero.

Shaver: Correct.

PROSECUTION EXAMINES SPECIAL AGENT DAVID SHAVER

Prosecution: Special Agent Shaver mentioned the cables in the “files.zip” folder weren’t released. Why not?

Shaver: Sir, the files were partially corrupted.

DEFENSE OBJECTION: SPECULATION. HOW WOULD HE KNOW WHY FILES WEREN’T RELEASED?

[Transcriber notes that the prosecution’s examination “continues anyway.”]

Shaver: Sir, appears that file was corrupt.

Prosecution: So you would need special tools in order to open “files.zip”?

Shaver: Yes.

Prosecution: Do you believe that is why they weren’t released?

Shaver: Think so.

Prosecution: Did you find any files linked to the fraudulent station in the database?

Shaver: Yes, Sir.

Prosecution: You mentioned you found four detainee assessments in the allocated space?

Shaver: Yes.

Prosecution: Did you find evidence in the index.dat file? [The index.dat file is a database file. It is a repository of information such as web URLs, search queries and recently opened files. Its purpose is to enable quick access to data used by Internet Explorer.]

Shaver: Yes sir. Detainees had unique naming system: Internment Facility.in [the transcriber says missed rest] …there were hundreds.

9:42 a.m. BOTH SIDES CONFER

DEFENSE EXAMINES SPECIAL AGENT DAVID SHAVER, CCIU

Defense: You could not tell when the cable file was corrected, correct?

Shaver: Cable file, Sir?

Defense: Let me move on. Were you able to open the Farah file in the unallocated space? Special Agent Shaver, you testified you could not tell when the cables file was corrupted?

Shaver: “files.zip” ? I could tell you when it was created…

Defense: No, corrupted.

CLOSED SESSION ON CLASSIFIED MATTERS WITH SPECIAL AGENT DAVID SHAVER- PUBLIC REMOVED FROM THE COURT ROOM, COURT ROOM FEED CUT TO PRESS POOL.

BEGINNING OF TRANSCRIBER’S NOTES FROM PRESS POOL DISCUSSION

[Transcriber who was in the press pool then makes the following notations from discussion within the press pool. This was the transcriber’s understanding of that discussion.

Kim Zetter (and others), during recess:

We don’t know if the documents Manning had on his computer matched what WikiLeaks released. We only know that the scripts used to download files matched what was published on WikiLeaks.

There is a spreadsheet that was found containing scripts [allegedly] used to download files. When Shaver reran those scripts, he got the same G.T.M.O. documents that had been published on WikiLeaks. Shaver retraced the steps that had previously been taken on Manning’s computer.

The documents in the script – they had document ID numbers from March, April, and May. Didn’t say, though, that the documents that were on the laptop were the same cables published.

What’s confusing is that he seems to be saying two different things. First he said he DID compare cables…and then they asked him a second time, and he said he didn’t check all of them.

Unallocated space: it’s the space that’s the “residue” of deleted files. Deleted files stay on your computer but go into unallocated space.

END OF TRANSCRIBER’S NOTES FROM PRESS POOL DISCUSSION]

10:14 a.m. COURT CALL TO ORDER

[Investigating Officer opening remarks. Prosecution responds.]

PROSECUTION EXAMINES SPECIAL AGENT DAVID SHAVER, CCIU

Prosecution: What’s an I.P. address?

[Shaver explains what an Internet Protocol address is.]

Prosecution: .40 machine. That was Manning’s secondary computer?

Shaver: Yes.

[According to Rainey Reitman’s detailed notes, the .40 computer was a Dell SIPRnet computer that Manning shared with Madaras.]

Prosecution: Before examining the computer, how did you verify that file was corrupted?

[Shaver explains.]

Prosecution: What was certification?

Shaver: Classified computer. Windows OS [Operating System] on U.S. Army domain. It had Roxio installed.

Prosecution: Roxio on .22 computer too?

Shaver: Yes.

Prosecution: USB port?

Shaver: Disabled.

Prosecution: On both?

Shaver: Yes.

Prosecution: When you burn a disc on Roxio, what happens?

Shaver: Sir, a C.D. has to be named…was named by date, two-digit year, two-digit month, two-digit day, underscore, two-digit hour, two-digit minutes.

PROSECUTION DISPLAYS PRESENTATION

PRESENTATION

ARTIFACT – naming of a C.D. that I [Shaver] burned.
Computer BD-RE Drive (D:) 100527_0357
Organize – Burn to disk

Shaver: I wanted to verify, could this computer be used to burn a CD? As you can see, the naming convention (100527_0357) [May 27, 2010 03:57] here. This is the date that the image was taken.

Prosecution: What was your plan for .40?

Shaver: Same thing. Wanted to see if there were cables, assessments, etc. in unallocated space, found over 100,000 cables that had been deleted.

Prosecution: What’s a .csv file?

Shaver: CVS file means common separated value. Common format between each field. Comma after each field.

Prosecution: What’s Base64?

Shaver: That is just a way of encoding. To an untrained eye, looks like gibberish.

Prosecution: ..and you found over 100,000 full cables? Like all the content?

PRESENTATION

[The transcriber did not mention the exact content of the presentation. Rainey Reitman described it thus:

The prosecution pulled up on the screens a portion of the .csv file that showed several unclassified pieces of information. The .csv file was arranged into the following five columns:

Unique Number; Date the cable was published to the Department of State server; Message Record Number; Classification; Base64 encoding]

Shaver: Sir, this is a small portion of the recovered .csv file.

[Shaver circles a column of stuff.]

Sir, that would be, I think the numbers in the first field. In the second field, you see the date that the actual cable itself was published. Then there is the MRN, the message record number, that is how State Department labeled their cables. The first one is 07 Robot 2004. That means that in 2007, such-and-such was such number cable they published.

Prosecution: What about stuff in right column?

Shaver: That is the stuff I used Base64 to decode.

Prosecution: Were you able to decode these cables?

Shaver: Yes, Sir.

Prosecution: You said you found this deleted feed in the unallocated space [meaning it was deleted]. So could you associate this with a user profile?

Shaver: No, Sir.

Prosecution: How would someone…you said you would need Base64…how would you do that with such a large amount of cables?

Shaver: Manually, prone for errors…would take time…or you can script it and automate it.

Prosecution: Did you find a script?

Shaver: No.

Prosecution: On the other .40 computers?

Shaver: No, Sir.

PROSECUTION CONTINUES EXAMINATION OF SPECIAL AGENT DAVID SHAVER

Prosecution: Agent Shaver, do you recognize this image?

PRESENTATION

[According to Rainey Reitman’s detailed notes the presentation contains the warning banner that was displayed when individuals logged into the .22 and .40 machines.]

Shaver: Yes. This is the warning banner when you first fire up the computer and log on, it says, “You are accessing a U.S. Government information system that is provided for U.S. Government use only.”

Prosecution: So what happens when a user profile first logs on?

Shaver: You are prompted with this screen, and you have to click, “O.K.”

DEFENSE EXAMINES SPECIAL AGENT DAVID SHAVER, CCIU

Defense (Blouchard): With a user profile, you cannot say that it is my client that accessed this information? You do not know if user passwords were shared between users? The unallocated space file cannot be dated.

[Shaver answers correct to all questions.]

Defense (Blouchard): You found this information on a classified computer. There is nothing wrong with this information being on a classified computer.

Shaver: Correct.

Defense (Blouchard): You cannot show that this information was passed along anywhere.

Shaver: Correct.

Defense (Blouchard): You only know that this information was found on this computer.

Shaver: Correct.

10:26 a.m. SPECIAL AGENT SHAVER IS TEMPORARILY EXCUSED.

Third open Court appearance of Special Agent David Shaver Army Computer Crimes Investigative Unit (CCIU), Article 32 Pretrial, 12/19/11 (by an anonymous journalist, ed. by Alexa O’Brien)

See Transcript | US v Pfc. Manning, Article 32 Pretrial, 12/19/11 (by an anonymous journalist, ed. by Alexa O’Brien)

UNITED STATES CALLS SPECIAL AGENT DAVID SHAVER, CCIU

Prosecution: I would like to discuss an S.D. card found. Familiar?

Shaver: Yes. I investigated the media.

Prosecution: What did you find?

Shaver: Same as before [allegedly collected on the second search of Bradley Manning’s aunt’s, Debra Van Alstyne’s, home after having allegedly been shipped from Iraq in October 2010], but I worked off the image file. Did same as I did for .22 and .40. [Shaver imaged and examined the SD card himself. He verified the hash of the image.]

Prosecution: What did you find?

Shaver: Over 100,000 C.I.D.N.E. documented findings and reports.

Prosecution: What else?

Shaver: A number of photos of PFC Manning.

PRESENTATION

[Reitman describes this as, “It was a self-portrait Manning took with a camera held in one hand, standing in front of a mirror in the basement of his aunt’s house.”]

Prosecution: What is this?

Shaver: Photo of Pfc. Manning.

Prosecution: When taken?

Shaver: 26 January [2010].

Prosecution: While on leave?

Shaver: Yes sir.

Prosecution: Was in allocated?

Shaver: One file, believe it was yadda.tar.bz.2.nc. [Transcriber notes they may have written that down incorrectly.]

PRESENTATION

[Reitman describes the presentation as:

In the allocated space of the SD card, there was a file called yada.tar.bz2.nc made on January 30, 2010 at 10:22 p.m. There were two other files on this disc, both of which were unrecoverable and both of which referenced the word “nathan” in the title, i.e. “nathan2_events_tar_bz2”]

Shaver: This is a screenshot of three files. First and third were deleted and overwritten.

Prosecution: So unrecoverable?

Shaver: Yes sir.

Prosecution: What is the one in the middle?

Shaver: File created January 30, 2010 at 10:22 p.m. An encrypted, compressed file. The tar.bz2 means it is encrypted.

Prosecution: Did you open?

Shaver: Yes. Contained four files: Two .csv files, one containing 91,000 individual C.I.D.N.E. reports for Afghanistan.

Prosecution: How did you decrypt?

Shaver: Using password Mark Johnson discovered – TWINK1492!! I took encrypt program and told it to decrypt password.

PRESENTATION

[Reitman describes as:

afg_events.csv 1/8/10
irq_events.csv 1/5/10
README 1/9/10
._README.TXT 1/9/10

]

Prosecution: What is this?

Shaver: Screenshot of four files. These are C.I.D.N.E. reports for Afghanistan document. Last written January 8, 2010. Also 400,000 individual reports that are C.I.D.N.E. reports from Iraq. Last one: temporary file created by Macintosh OS. January 9, 2010. Third line down is README.txt, also created January 9, 2010.

Prosecution: What is this?

PRESENTATION

[The transcriber did not provide information about presentation.]

Shaver: Sir, this is contents of README.txt. [He reads. Reitman notes that it says, “This is possibly one of the more significant document of our time, removing the fog of war, revealing the true nature of 21st century asymmetric warfare. Have a good day.”]

Prosecution: Sir, what did you find on WikiLeaks?

Shaver: Sir, I did a line-by-line comparison. It appeared that these were the source files.

[Prosecution presents documents to Shaver.]

Document 1: Screen shot of [Missed] Manningb_006587 [Missed].

Document 2: Email from Manning’s Thunderbird account.

Document 3: April 8, 2010 email from Manning’s Thunderbird account. Manningb_00409686

Document 4: Email from Manning’s Thunderbird account.

[Reitman notes that the prosecution then asked Shaver to authenticate several documents, including screenshots from Thunderbird email on April 10, 2010 and an email on April 8, 2010.]

DEFENSE EXAMINES SPECIAL AGENT DAVID SHAVER, CCIU

Defense (Blouchard): What date did you get S.D. card?

Shaver: [Gives date.]

Defense (Blouchard): It was shipped from Iraq?

Shaver: I don’t know how it got there.

Defense (Blouchard): You don’t know who handled it between its being shipped and arrival?

Shaver: No, Sir.

SPECIAL AGENT DAVID SHAVER, CCIU TEMPORARILY EXCUSED.

Fourth open Court appearance of Special Agent David Shaver Army Computer Crimes Investigative Unit (CCIU), Article 32 Pretrial, 12/19/11 (by an anonymous journalist, ed. by Alexa O’Brien)

See Transcript | US v Pfc. Manning, Article 32 Pretrial, 12/19/11 (by an anonymous journalist, ed. by Alexa O’Brien)

4:04 p.m. PROSECUTION EXAMINES SPECIAL AGENT DAVID SHAVER, CCIU

[Reitman notes, “He stated that he had examined the NIPRnet computer, which included a profile for Manning.”]

Prosecution: I want to talk about 3 May 2010 in particular.

Shaver: Yes sir? Went to Google, typed WGET, received several hits, and downloaded the file to his profile.

PRESENTATION

[Reitman notes, the prosecution provided a slide showing a cached version of the WGET version 1.11.4 download Web page]

Prosecution: So you actually found this on the computer?

Shaver: Yes, within the email cache.

PRESENTATION

Shaver: I am comparing two WGET files.

Prosecution: One from the NIPRnet computer?

Shaver: Yes.

[There is a discussion about what files are being looked at.]

Prosecution: Both machines were on the Bradley.Manning user profile?

[Transcriber notes that the courtroom feed keeps going in and out.]

Prosecution: What is the significance of hash values being the same?

Shaver: It is the same exact file.

DEFENSE EXAMINES SPECIAL AGENT DAVID SHAVER, CCIU

Defense (Bouchard): This is a data mining tool?

Shaver: Yes sir.

Defense (Bouchard): And intelligence analysts mine data as part of their jobs? The activity .22 computer was April of 2010, correct? There was no evidence that activity took place prior to 2010? Were you aware that WikiLeaks had the video prior to January 2010?

SPECIAL AGENT DAVID SHAVER, CCIU TEMPORARILY EXCUSED.

Fifth open Court appearance of Special Agent David Shaver Army Computer Crimes Investigative Unit (CCIU), Article 32 Pretrial, 12/20/11 (by an anonymous journalist, ed. by Alexa O’Brien)

See Transcript of US v Pfc. Bradley Manning, Article 32 Pretrial Hearing, 12/20/11

UNITED STATES CALLS SPECIAL AGENT DAVID SHAVER, CCIU

Prosecution: I would like to discuss a computer seized from Jason Katz. Who is he?

Shaver: Former employee of Brookhaven National Labs, Department of Energy. I was asked to examine a Linux work computer to determine whether the file b.zip was present.

Prosecution: How did you conduct the search?

Shaver: I verified that the hash values matched. Looked for b.zip on comp. There was one user profile, kupo, and b.zip was present there.

[Not sure if “kupo” refers to Jason Katz’s alleged user profile.]

Prosecution: Password protected?

Shaver: Yes.

Prosecution: See contents?

Shaver: Opened with password.

Prosecution: Where did you get the password?

Shaver: From CENTCOM.

Prosecution: So you collected the password?

Shaver: BE22PAX.wmv was the file name. Video taken from an aircraft over the battlefield.

Prosecution: Had you seen video?

Shaver: Yes, Sir. File was in BE22PAX.zip on the CENTCOM server.

Prosecution: Folder?

Shaver: Called “videos.” Part of the Farah investigation folder.

Prosecution: When was it placed on the computer?

Shaver: 15 December 2009.

Prosecution: Other activity?

Shaver: Yes. User of the computer was attempting to decrypt file b.zip. Cracking program downloaded and installed. From bash history it was running to try to crack the password, Sir.

Prosecution: So presumably the user was unable to open file?

Shaver: Sir, I cannot determine whether he was able to get the password or not.

DEFENSE EXAMINES SPECIAL AGENT DAVID SHAVER, CCIU

Defense: You have seen the video? It is the Garani air strike video? Created in May of 2009?

Shaver: But this video was of a flight over a battle-space, not an air strike. It arrived on the computer on 15 December 2009.

Defense: Came from the CENTCOM server?

Shaver: Same movie file. Yes, Sir.

Defense: Are you aware WikiLeaks had similar video around the same timeframe?

Shaver: Yes, Sir.

Defense: You said there was a match earlier with the Farah folder?

Shaver: Movie was the same.

Defense: Farah folder’s date was May 2010?

Shaver: I do not know the date that it was put on the CENTCOM server.

Defense: Agent Shaver, was this the same video or a similar video to that seen on the .22 computer?

Shaver: No, Sir.

Defense: Different video?

Shaver: Different video, Sir.

PROSECUTION EXAMINES SPECIAL AGENT DAVID SHAVER, CCIU

Prosecution: Just briefly, Sir. Agent Shaver, you said the movie file was the same as the one on the CENTCOM folder?

Shaver: Sir, I watched both videos, and they were both the same hash files.

[Reitman notes:

Blouchard asked whether this video on Katz’s computer matched the one on the .22 computer. Shaver said that it did not.

Blouchard had no further questions, but the prosecution had one follow-up clarification. Upon questioning, Shaver explained that he knew the video in the b.zip file on Katz’s machine was identical to the one in the Farah investigation folder because the hash values matched.]

SPECIAL AGENT DAVID SHAVER, CCIU TEMPORARILY EXCUSED

Sixth open Court appearance of Special Agent David Shaver Army Computer Crimes Investigative Unit (CCIU), Article 32 Pretrial, 12/20/11 (by an anonymous journalist, ed. by Alexa O’Brien)

See Transcript of US v Pfc. Bradley Manning, Article 32 Pretrial Hearing, 12/20/11

3:30 p.m. COURT IS CALLED TO ORDER

UNITED STATES CALLS SPECIAL AGENT DAVID SHAVER, CCIU

Prosecution: Did you look at the computers from Lamo?

Shaver: Yes, Sir I did.

Prosecution: What did you find?

Shaver: Only authorized to search for any communication between Adrian Lamo and Bradley Manning. I found chat logs between Adrian Lamo and Bradley Manning.

Prosecution: Get an opportunity to compare the chat logs on Adrian Lamo’s and Bradley Manning’s computers?

Shaver: Yes, at some point, chat log had been enabled, and they basically matched. Except for some connectivity issues.

Prosecution: So like error messages?

Shaver: Yes.

Prosecution: But content was the same?

DEFENSE: NO CROSS-EXAMINATION

SPECIAL AGENT DAVID SHAVER, CCIU PERMANENTLY EXCUSED.

Other Resources