This transcript of the December 19, 2011, Article 32 Pretrial hearing in U.S. v Pfc. Manning was obtained from a respected journalist in attendance that day at Fort Meade.
The journalist wished to remain anonymous, but wanted the transcript to be made public. The journalist requested that I clean up the transcript and fact check. Any errors are, therefore, my own.
The Investigation Officer is Paul Almanza, an Army Reserve Lieutenant Colonel and Justice Department prosecutor.
Prosecution is Captain Ashden Fein, Captain Joe Morrow, and Captain Angel Overgaard.
9:30 a.m. COURT IN SESSION
Investigating Officer: Good morning, [etc....]
Prosecution: United States recalls Special Agent David Shaver, U.S. Army Computer Crimes Investigative Unit [CCIU].
Defense (Blouchard): Yesterday, you said you did the computer forensics on the [two SIPRnet assigned to Manning]. [You] did not do bit-by-bit forensic analysis on other computers at the S.C.I.F., right? Don't know total number of computers in the S.C.I.F.?
Defense (Blouchard): So you don't know if WGET was on other computers in the SCIF?
Defense (Blouchard): WGET pulls data and is used for data mining?
Defense (Blouchard): And a key job for an intelligence analyst is to do data mining?
Shaver: Yes sir.
Defense (Blouchard): I want to talk about cables.... You indicated WikiLeaks released two thousand [transcriber missed exact number] cables? The cables were found in "files.zip" in an allocated computer space as opposed to unallocated?
Shaver: [Answered, "Yes" to all the questions.]
Defense (Blouchard): You did not compare those cables [in "files.zip" in an allocated computer space] to those found on WikiLeaks website?
Defense (Blouchard): None of those cables matched those found on the WikiLeaks website?
Defense (Blouchard): The computer you found the cables on was SIPRnet, right?
Defense (Blouchard): Did you know analysts were authorized to have classified info? That analysts were told to look at these cables?
Shaver: No, I didn't know.
Defense (Blouchard): Did you know there was no password to look at these cables?
[Shaver testified that he did find, in the unallocated space, a copy of the video file from the Apache airstrike later released on WikiLeaks, according to Rainey Reitman's detailed notes.]
Defense (Blouchard): You found a video that is called "Apache Video."
Shaver: Yes, on the .22 computer.
Defense (Blouchard): Did you know the video was a topic of discussion amongst the analysts as early as December 2009?
Shaver: No sir.
Defense (Blouchard): That they were watching the video on various computers?
Shaver: No, Sir.
Defense (Blouchard): There's nothing wrong with having a video on a SIPRnet computer?
Defense (Blouchard): You mentioned the .zip file. Did you open it?
Shaver: It wasn't present any longer on the computer.
Defense (Blouchard): So you don't know the contents of that file?
Defense (Blouchard): You also mentioned J.T.F. G.T.M.O. [Joint Task Force Guantanamo] documents. WGET was used to download hundreds of files from the database. You found four complete detainee assessments in the allocated space. In the unallocated space, you found zero.
PROSECUTION EXAMINES SPECIAL AGENT DAVID SHAVER
Prosecution: Special Agent Shaver mentioned the cables in the "files.zip" folder weren't released. Why not?
Shaver: Sir, the files were partially corrupted.
DEFENSE OBJECTION: SPECULATION. HOW WOULD HE KNOW WHY FILES WEREN'T RELEASED?
[Transcriber notes that the prosecution's examination "continues anyway."]
Shaver: Sir, appears that file was corrupt.
Prosecution: So you would need special tools in order to open "files.zip"?
Prosecution: Do you believe that is why they weren't released?
Shaver: Think so.
Prosecution: Did you find any files linked to the fraudulent station in the database?
Shaver: Yes, Sir.
Prosecution: You mentioned you found four detainee assessments in the allocated space?
Prosecution: Did you find evidence in the index.dat file? [The index.dat file is a database file. It is a repository of information such as web URLs, search queries and recently opened files. Its purpose is to enable quick access to data used by Internet Explorer.]
Shaver: Yes sir. Detainees had unique naming system: Internment Facility.in [the transcriber says missed rest] ...there were hundreds.
9:42 a.m. BOTH SIDES CONFER
DEFENSE EXAMINES SPECIAL AGENT DAVID SHAVER, CCIU
Defense: You could not tell when the cable file was corrected, correct?
Shaver: Cable file, Sir?
Defense: Let me move on. Were you able to open the Farah file in the unallocated space? Special Agent Shaver, you testified you could not tell when the cables file was corrupted?
Shaver: "files.zip"? I could tell you when it was created...
Defense: No, corrupted.
CLOSED SESSION ON CLASSIFIED MATTERS WITH SPECIAL AGENT DAVID SHAVER - PUBLIC REMOVED FROM THE COURT ROOM, COURT ROOM FEED CUT TO PRESS POOL.
BEGINNING OF TRANSCRIBER'S NOTES FROM PRESS POOL DISCUSSION
[Transcriber who was in the press pool then makes the following notations from discussion within the press pool. This was the transcriber's understanding of that discussion.
Kim Zetter (and others), during recess:
We don't know if the documents Manning had on his computer matched what WikiLeaks released. We only know that the scripts used to download files matched what was published on WikiLeaks.
There is a spreadsheet that was found containing scripts [allegedly] used to download files. When Shaver reran those scripts, he got the same G.T.M.O. documents that had been published on WikiLeaks. Shaver retraced the steps that had previously been taken on Manning's computer.
The documents in the script - they had document ID numbers from March, April, and May. Didn't say, though, that the documents that were on the laptop were the same cables published.
What's confusing is that he seems to be saying two different things. First he said he DID compare cables...and then they asked him a second time, and he said he didn't check all of them.
Unallocated space: it's the space that's the "residue" of deleted files. Deleted files stay on your computer but go into unallocated space.
END OF TRANSCRIBER'S NOTES FROM PRESS POOL DISCUSSION]
10:14 a.m. COURT CALL TO ORDER
[Investigating Officer opening remarks. Prosecution responds.]
PROSECUTION EXAMINES SPECIAL AGENT DAVID SHAVER, CCIU
Prosecution: What's an I.P. address?
[Shaver explains what an Internet Protocol address is.]
Prosecution: .40 machine. That was Manning's secondary computer?
[According to Rainey Reitman's detailed notes, the .40 computer was a Dell SIPRnet computer that Manning shared with Madaras.]
Prosecution: Before examining the computer, how did you verify that file was corrupted?
Prosecution: What was certification?
Shaver: Classified computer. Windows OS [Operating System] on U.S. Army domain. It had Roxio installed.
Prosecution: Roxio on .22 computer too?
Prosecution: USB port?
Prosecution: On both?
Prosecution: When you burn a disc on Roxio, what happens?
Shaver: Sir, a C.D. has to be named...was named by date, two-digit year, two-digit month, two-digit day, underscore, two-digit hour, two-digit minutes.
PROSECUTION DISPLAYS PRESENTATION
ARTIFACT - naming of a C.D. that I [Shaver] burned.
Computer BD-RE Drive (D:) 100527_0357
Organize - Burn to disk
Shaver: I wanted to verify, could this computer be used to burn a CD? As you can see, the naming convention (100527_0357) [May 27, 2010 03:57] here. This is the date that the image was taken.
Prosecution: What was your plan for .40?
Shaver: Same thing. Wanted to see if there were cables, assessments, etc. in unallocated space, found over 100,000 cables that had been deleted.
Prosecution: What's a .csv file?
Shaver: CSV file means common separated value. Common format between each field. Comma after each field.
Prosecution: What's Base64?
Shaver: That is just a way of encoding. To an untrained eye, looks like gibberish.
Prosecution: ..and you found over 100,000 full cables? Like all the content?
[The transcriber did not mention the exact content of the presentation. Rainey Reitman described it thus:
The prosecution pulled up on the screens a portion of the .csv file that showed several unclassified pieces of information. The .csv file was arranged into the following five columns:
Unique Number; Date the cable was published to the Department of State server; Message Record Number; Classification; Base64 encoding]
Shaver: Sir, this is a small portion of the recovered .csv file.
[Shaver circles a column of stuff.]
Sir, that would be, I think the numbers in the first field. In the second field, you see the date that the actual cable itself was published. Then there is the MRN, the message record number, that is how State Department labeled their cables. The first one is 07 Robot 2004. That means that in 2007, such-and-such was such number cable they published.
Prosecution: What about stuff in right column?
Shaver: That is the stuff I used Base64 to decode.
Prosecution: Were you able to decode these cables?
Prosecution: You said you found this deleted feed in the unallocated space [meaning it was deleted]. So could you associate this with a user profile?
Prosecution: How would someone...you said you would need Base64...how would you do that with such a large amount of cables?
Shaver: Manually, prone for errors...would take time...or you can script it and automate it.
Prosecution: Did you find a script?
Prosecution: On the other .40 computers?
PROSECUTION CONTINUES EXAMINATION OF SPECIAL AGENT DAVID SHAVER
Prosecution: Agent Shaver, do you recognize this image?
[According to Rainey Reitman's detailed notes, the presentation contains the warning banner that was displayed when individuals logged into the .22 and .40 machines.]
Shaver: Yes. This is the warning banner when you first fire up the computer and log on, it says, "You are accessing a U.S. Government information system that is provided for U.S. Government use only."
Prosecution: So what happens when a user profile first logs on?
Shaver: You are prompted with this screen, and you have to click, "O.K."
Defense (Blouchard): With a user profile, you cannot say that it is my client that accessed this information? You do not know if user passwords were shared between users? The unallocated space file cannot be dated.
[Shaver answers correct to all questions.]
Defense (Blouchard): You found this information on a classified computer. There is nothing wrong with this information being on a classified computer.
Defense (Blouchard): You cannot show that this information was passed along anywhere.
Defense (Blouchard): You only know that this information was found on this computer.
10:26 a.m. SPECIAL AGENT SHAVER IS TEMPORARILY EXCUSED.
UNITED STATES CALLS SPECIALIST ERIC BAKER OF 62nd MILITARY POLICE DETACHMENT (DRUM)
[The 62nd Military Police Detachment (Drum) is part of the U.S. Army Criminal Investigation Command (CID)]
Baker: Yes. I am an investigator on the [Missed]. I am a military police officer. Been in the U.S. Army for three years, 11 months.
[Specialist Eric Baker knew Pfc. Manning, because Manning was Baker's roommate, Headquarters and Headquarters Company, 2nd Brigade Combat Team, 10th Mountain Division (Light Infantry)]
Prosecution: When did you meet?
Baker: October of 2009.
Prosecution: Before deployment?
Baker: Might have been in 2008, sorry.
Prosecution: Both rotations together?
Baker: Think both October...do not know when month of second [rotation] was. First was October 2008 Afghanistan. Second one was Iraq. We both went on both rotations.
Prosecution: When were you deployed?
Baker: October 2009 to May of 2010 when he [Manning] was apprehended.
Prosecution: What was your interaction?
Baker: Not too much at all, because he [Manning] was my roommate.
Prosecution: Roomies the whole time?
Baker: Yes Ma'am.
Prosecution: What did you observe about Manning and his computer usage?
Baker: He used it quite often - between chow times, and when I would wake up in the middle of the night, he would be on his computer.
Prosecution: During chow time, you mean on-shift? And at night, off-shift?
Prosecution: See his screen ever?
Prosecution: [Missed question.]
Baker: In January, he [Manning] left two weeks before that.
Prosecution: Know when he [Manning] returned?
Baker: No. I did not return until the beginning of March.
Prosecution: You returned at the beginning of March?
Prosecution: He [Manning] left in mid-January?
Prosecution: So he [Manning] was alone for much of February?
Prosecution: What kind of computer equipment did he [Manning] have?
Baker: MacBook Pro. Microphone, some little attachment, a hard drive, an iPod Touch.
Prosecution: What did you have?
Baker: Laptop, external hard drive.
Prosecution: Did Manning have an external hard drive?
Baker: Believe he did.
Prosecution: Did you ever use his MacBook?
Prosecution: What additional media did he [Manning] keep in the C.H.U. [Compartmentalized Housing Unit]?
Baker: iPod Touch, C.D.'s somewhere...with the plastic wrap.
Prosecution: What kind of C.D.'s?
Baker: Don't know...the kind you would get from supply.
Prosecution: Writable ones?
Prosecution: Did you have any rewritable C.D.'s?
Prosecution: Ever bring C.D.'s marked SECRET into your C.H.U.? Never marked anything SECRET? Ever have anything you believed to be SECRET in your C.H.U.?
Baker: [Answers, "No" to all questions.]
Prosecution: Ever discuss the Accused's feelings about the military with him?
Baker: I didn't know too much about his feelings about being in the military, but I knew he probably planned on getting out. We talked in the beginning about the military, and he said it just wasn't for him.
DEFENSE EXAMINES SPECIALIST ERIC BAKER OF 62nd MILITARY POLICE DETACHMENT (DRUM)
Defense (Coombs): How long were you assigned as Manning's roommate?
Baker: I was the last, lower enlisted to get to file [Missed].
Defense (Coombs): Even though you were roomies, would it be fair to say you were not friends?
Defense (Coombs): You did not talk?
Defense (Coombs): Conversations were limited to small things like, "Turn off the lights," or "Turn on the lights."
Defense (Coombs): He [Manning] said some stuff that made you think he was gay?
Defense (Coombs): And you told him it was best if you didn't speak?
Defense (Coombs): Isn't that exactly what you told him?
Defense (Coombs): "I think it's best we don't talk"?
Defense (Coombs): When Manning wasn't at work, he was in his room?
Defense (Coombs): Because he didn't have any friends?
Baker: I wouldn't say that....
Defense (Coombs): You saw him hanging out with people?
[Baker says he only saw Manning hanging with people during meal times - never otherwise.]
Defense (Coombs): Did you have C.D.'s?
Defense (Coombs): Did anyone tell you, "You cannot have C.D.'s in your C.H.U.?"
Baker: No one told me that.
Defense (Coombs): So if you wanted to have a C.D. with music or photos of your family and friends you could have?
Defense (Coombs): When did you go on leave?
Baker: January 30th or 31st.
Defense (Coombs): When back?
Baker: Beginning of March 2010.
Defense (Coombs): When did Manning come back from R&R leave?
Baker: The first week of February.
Defense (Coombs): How do you know?
Baker: I don't know exactly when he [Manning] came back.
Defense (Coombs): You indicated that he [Manning] said maybe the U.S. Army wasn't for him?
Defense (Coombs): Did you believe that had to do with the fact that he [Manning] was gay?
Baker: I had no idea.
Defense (Coombs): Because the two of you really weren't friends?
Baker: Yes, Sir.
SPECIALIST ERIC BAKER OF 62nd MILITARY POLICE DETACHMENT (DRUM) PERMANENTLY EXCUSED
MR. MARK JOHNSON, MANTECH INTERNATIONAL CONTRACTOR WORKING FOR US ARMY CCIU.
[Mr. Mark Johnson, ManTech International Contractor, reports to Special Agent David Shaver, CCIU]
Johnson: I am not a Special Agent. I am a contractor for ManTech International. Worked for ManTech for the whole time. I am a computer forensic examiner. Special Agent David Shaver is my supervisor. Previously I worked for a different defense contractor.
Johnson: Been through Defense [Missed. Probably Department of Defense Cyber Crime (DC3)] Center's courses for computer crime investigator and computer examiner.
Prosecution: Other certifications?
Johnson: Certified Information Systems Security Professional - C.I.S.S.P.
Prosecution: At any time were you assigned to examine digital media?
Johnson: I examined [Missed] from Manning's private computer, Apple MacBook Pro.
Prosecution: What did you do when you received?
Johnson: MD5 hash...verified it was not changed, that it was a correct image.
Johnson: Ran antivirus scan. We were looking for two things: Adrian Lamo chats and for classified Government information.
Prosecution: What did you do?
Johnson: I looked for presence of chat programs. Found Adium. It is multi-protocol - works with different instant messenger applications.
Prosecution: So you found Adium. What did you find?
Johnson: Looked in his [Manning] profile.
Prosecution: Did you find chats?
Prosecution: Who were the chats between?
Johnson: Between Mr. Adrian Lamo...
[The person who transcribed this did not record what the presentation was. Rainey Reitman notes, "The prosecution then showed an image of the chat logs on the screen. The chat logs on the screen displayed the names "Bradley Manning" and "Adrian Lamo" and the timeframe was indicated as 12:49:17 a.m. to 12:56:07 a.m. One of the first lines said something about an 'Apache Weapons Team'." Reitman says the presentation was removed before she could note anything more.]
Prosecution: What is this?
Johnson: This is an excerpt of chats.
Prosecution: Who are they between?
Johnson: Between Adrian Lamo...
Prosecution: What are they talking about?
Johnson: In this, they are discussing...
[The transcriber writes that they could not understand what Coombs was saying. There was confusion in the Courtroom. Recess was called.]
COURT IN RECESS
1:38 p.m. COURT IN SESSION
PROSECUTION CONTINUES TO EXAMINE MR. MARK JOHNSON, MANTECH INTERNATIONAL CONTRACTOR WORKING FOR US ARMY CCIU.
Prosecution: Mr. Johnson, you are still under oath. We were discussing chat logs found in Adium. What were the usernames?
Johnson: My recollection is "bradass87" and "Adrian". Content was various topics including Government information.
Prosecution: Did you find a buddy list?
Johnson: Yes. Adrian was a buddy. Also there was "[email protected]
[Rainey Reitman notes, "Here Johnson found contacts that included Adrian, [email protected][email protected]
[Missed. Prosecution clarifies.]
Prosecution: Whose alias was associated with that?
Johnson: At that time it was Julian Assange.
[Rainey Reitman describes the presentation as:
The prosecution again showed how this alias was displayed on the screens like this:
< name >[email protected]Julian Assange< /alias >
Johnson also found a former entry for this buddy in the unallocated space. It was displayed on the screen as:
< name >[email protected]
Johnson: We also found something in the unallocated space. Same user account but a different alias - Nathaniel Frank.
Prosecution: So you found two different aliases. Do you find it odd?
Johnson: Looked for other connections to Nathaniel Frank.
Prosecution: What stood out in the chats?
Johnson: Discussions of Government information and receding or rescinding of that information.
Prosecution: What was the time frame?
Johnson: Don't recall.
[Rainey Reitman describes the presentation thus:
The prosecution then showed a portion of the chat log with pressassociation dated 2010-03-05. I copied down what I could before they removed the slide:
pressassociation: 5-6 hours for total upload?
dawgnetwork: no, it was like 5 minutes
dawgnetwork: anyway, should be good to go with that
pressassociation: i like debates.
pressassociation: just finished one on the IMMI, and crushed some wretch from the journalists union
pressassociation: of this?
Reitman says there were a couple lines at the bottom she didn't have time to transcribe before the slide was taken down, but she got most of it.]
Johnson: This information is a cleaned up version of the logs that were in unallocated space.
Prosecution: So you found the chats in XML format? Were they readable?
Johnson: Yes. But difficult to read. You can export them out. What you see here is the spreadsheet version of chat logs. Headings bolded by me for readability.
Prosecution: This all of it?
Johnson: Only a small snippet. 14 to 16 pages total.
Prosecution: Did you read the chats? Were the people familiar?
Johnson: Yes, I did. Yes, it was clear they had known each other in the past.
Prosecution: Did they discuss Iceland?
Johnson: Don't recall. Believe so.
Johnson: Yes, Sir.
Prosecution: Did they discuss Department of State?
Johnson: Don't recall.
Prosecution: J.T.F. G.T.M.O. [Joint Task Force Guantanamo]?
Johnson: Yes, Sir, they did.
Prosecution: Let's talk about other findings. Evidence of connection between computers?
Johnson: Yes. In both chats with Nathaniel Frank and the previous one, we noticed SFTP - Secure File Transfer Protocol, which is part of SSH, or Secure Shell protocol.
Prosecution: You noticed SSH file?
Johnson: We found in Bradley Manning's home folder the known host file.
[No specific information about what this presentation was from the transcriber. Reitman says, Johnson specifically mentions the I.P. address 18.104.22.168, which Johnson associated with PRQ I.S.P. based in Sweden; Johnson states that the logs also noted I.P. address 22.214.171.124, that he associated with Manning's aunt's computer. Reitman also says there was mention of the U.R.L. lain.knack.net]
Prosecution: That looks like an I.P. address. Where does it resolve to?
Johnson: Goes back to PRQ, an I.S.P. based in Sweden known to be affiliated with WikiLeaks.
Johnson: Verizon Communications. Connected to the account of Bradley Manning's aunt.
Johnson: Both resolve to the same PRQ noted earlier.
Prosecution: So you found this. What did you do next?
Johnson: Looked for other references to those addresses. In unallocated space found an address connected to Collateral Murder. It was a URL.
Prosecution: What about the other I.P.?
Johnson: 72 addresses we found reference to the Thunderbird email cache - keeps a copy of your email on online accounts.
Prosecution: What did you do to the email?
Johnson: We knew he was using Thunderbird. Found PGP [Pretty Good Privacy] emails.
[Rainey Reitman describes the presentation as:
In the effort to transcribe as quickly as possible, I didn't include the full email addresses and other address information down:
I was the source of the 12 Jul 07 video of the Apache Weapons team which killed the two journalists and injured two kids.
>>From: Eric Schmiedl
>>Yes I am
>>>>From: Bradley Manning
>>>>Are you familiar with the WikiLeaks?
Manning, Bradley E.
Reitman says she would like to verify the dates, because she was writing very quickly.]
Johnson: PGP message from his Thunderbird email account. Email from Bradley Manning to Eric Schmiedl. Message is encrypted.
Prosecution: Find any unencrypted?
Johnson: Did find one between Manning and Eric Schmiedl.
Prosecution: So there were emails back and forth?
Johnson: Yes. There were emails back and forth, which we found through carrots.
Prosecution: How does one decrypt email as an examiner?
Johnson: Need access to private key associated with the sender. I need Manning's private key and the password to unlock.
Prosecution: Did you get it?
Johnson: Yes. It is on his computer.
Prosecution: How did you get password?
Johnson: Turned out he used same PGP password as his OS X login.
Prosecution: So you got in?
Johnson: Yes. Private Manning automatically logged himself on.
Prosecution: What was his password?
Johnson: TWINK1492!! I could take encrypted messages, run through PGP, and export out in clear text.
Prosecution: You said it was a MacBook Pro? Did it have a way to insert C.D.'s?
Prosecution: What did you find?
Johnson: A number of C.D.'s had been burned and erased over time.
Prosecution: What is this?
[Reitman describes this presentation slide as the disc utility log. The entries in the log began on February 27, 2010 and ended March 9, 2010.]
Johnson: This shows C.D. Re-writable media being erased. This one is from February 27, 2010.
Prosecution: Can you tell what kind of files were on the C.D.'s?
Prosecution: Find anything else?
Johnson: During investigation, C.D. was found in Manning's unit that had TWINK zone on it. [Reitman notes this as Jul 07 C2 ENGAGEMENT ZONE 30 FC Anyone.wmv]
Prosecution: C.D. found in C.H.U. C.D. marked SECRET?
Prosecution: So you took that file name and looked for it on his computer?
Johnson: We found it nearby the string "volumes".
Prosecution: What does that mean for a Mac?
Johnson: In order to attach a disk to a volume, it uses a mounting point.
Prosecution: So you found a file name associated with "volumes" that asserted a CD had been found?
Prosecution: What next?
Johnson: Wanted to find out if a C.D. had been attached to his computer.
Prosecution: Find anything?
[Reitman describes this presentation as:
The prosecution put up a slide showing what was found, but it was unfortunately difficult to read. In general, it appeared that files discovered in /volumes followed the format of:
/volumes/CD or disc name/date and time/file name.
Johnson said that this was similar to how Roxio saved file names. The last disc burned and visible in the disc utility log was May 4, 2010 - it was files.zip.]
Johnson: An excerpt found in the unallocated space mentioning "volumes".
Prosecution: I see "volumes" and a date. Can you explain?
Johnson: The last part there is the file name.
Prosecution: Ok, I'm sorry. Any other evidence?
Johnson: Yes, Sir. When we found the list of discs, we found a list of files attached.
[The transcriber did not note any specific information about presentation.]
Johnson: Output of some of the volumes. I will do one. [Transcriber notes that Johnson makes an example.] [In the first column], we have the name. Then [in the second column] the volume.
Prosecution: You familiar with Roxio?
Prosecution: That the way Roxio burns a disc?
Johnson: I believe it would be.
Prosecution: What is the date of first disc on the bottom?
Johnson: February 15, 2010. It's the date-time. Following disc name, you have path or whatever is on that optical media.
Prosecution: Find these file names anywhere else?
Johnson: Disc names found to be a match to the discs burned on the SIPRnet computers.
Prosecution: What is the last volume record?
Johnson: "files.zip" burned May 4, 2010.
Prosecution: So this was found in the unallocated space?
Prosecution: So it was deleted?
Prosecution: So we talked about this before - you can still search an unallocated space?
Prosecution: What else did you find?
Johnson: We found a number of HTML formatted files.
Prosecution: What were these HTML files?
Johnson: They were of Web pages of Department of State cables.
Prosecution: Recognize this?
[Reitman describes this as an unclassified cable entitled, "Cambodia Remains Non Committal on Kosovo, pulled from Net Centric Diplomacy" version August 2, 2010.]
Johnson: This is an unclassified file. Embassy name. Part of the MRN [Message Record Number] number [used by Department of State to correctly identify cables].
Prosecution: Did you search?
Johnson: Yes. We identified approximately 16,000 cables in the unallocated space.
Prosecution: Find .csv files?
Johnson: We found .csv files too.
Prosecution: Find basic .C4 files?
Prosecution: Find a script?
Johnson: Yes. Miniature program to process input files to output files. Appeared to be PHP.
Prosecution: Recognize this?
[The transcriber did not provide information about presentation.]
Johnson: This is a script used to take an input file and output .csv.
Prosecution: Found in allocated?
Prosecution: Takes an input and converts to output?
Johnson: Yes. .html to .csv file. We then booted his hard drive using our investigative Mac - an alternate boot if you will. We imported the script and exported .csv files with the embassy cables.
Johnson: Yes. Screenshot. Every time it processes a cable, you get another line of data.
Prosecution: What about this?
Johnson: Final output of .csv file. It has been imported into a spreadsheet for easier reading.
Prosecution: Did you find any other Web pages?
Johnson: Yes. References to the WikiLeaks upload page.
[Johnson also found references to the WikiLeaks upload page in the unallocated spaces, and pulled up an archived copy for audience viewing.]
Johnson: This references the WikiLeaks page. This has a link that goes to the WikiLeaks upload page.
Prosecution: Find any other evidence of uploads to WikiLeaks?
Johnson: Yes. Status or progress script updates with an "upload identifier".
Prosecution: What is this?
[Johnson also found a number of historical status or progress reports.]
Johnson: Progress screen I was making reference to. Found on unallocated space. Down here [bottom] you can see dates and times. More importantly, we have "Upload Complete" indicating that file upload had probably been completed.
[Johnson then described ".rar" as being an archive file format not unlike .zip. He said that files ending in .nc were associated with the encryption program Mcrypt. He found references to Mcrypt in a file format:
no-openpgp -d -farah.key -a rijnduel-256 farah.part*.rar.nc]
Johnson: Yes. Files we were able to find, parts one to four. Cleaned up copy.
Prosecution: Describe the information on left?
Johnson: Yes. Information; year and dates; and upload U.R.L.
Prosecution: So there are four parts. What is a .rar file?
Johnson: It is very similar to .zip files.
Prosecution: What is [Missed]?
Johnson: That is Mcrypt.
Prosecution: Find evidence of Mcrypt?
Johnson: This is used to start up the Mcrypt program. Farah file.
Johnson: Encryption program.
Prosecution: Did you find any other references to Farah archive on the computer?
Johnson: Yes. Found references in a path on unallocated space pointing to Manning's desktop.
Prosecution: What are these?
Johnson: Pathways indicating Manning's desktop, letting us know the files were in a folder named "Farah".
Prosecution: You said you used tool to extract? What was tool?
Johnson: We extracted [Missed].
Prosecution: So the [Missed] tool does what?
Johnson: It is designed to find remnants. Files within files.
Johnson: We found evidence of a Farah archive. We were able to recover enough to open the content. We found a PowerPoint presentation and some photos.
Prosecution: What was it?
Johnson: Classified operation information?
Prosecution: Any details? What was it?
Johnson: Couldn't say.
Prosecution: One of the charges relates to the theft of a local address. What did you find?
Johnson: Text-based files in the unallocated space that appeared to be a tasker.
Johnson: This is the tasker found in the unallocated space.
Prosecution: Find any other evidence of global addresses?
Johnson: Yes. Number of exchange formatted email addresses.
Prosecution: How many?
Prosecution: Another charge relates to J.T.F. reports from G.T.M.O. What did you find?
Johnson: One reformatted file. A text file that contained discussion of Guantanamo Bay and a listed detainee names.
Prosecution: Where was it found?
Johnson: Unallocated space.
Prosecution: Seems lots were found in the unallocated space. Evidence of computer being wiped or erased?
Johnson: Two specific references. Was first reinstalled in early January 2010.
Prosecution: What do you mean reinstalled? OS was reinstalled?
Johnson: This is an install log. Found in the Install Officer.
Prosecution: So they [the plural word "they" instead of "he" was written by the transcriber] reinstalled the operating system and did a secure erase of what?
Johnson: The Operating System.
Prosecution: What else?
Johnson: Unallocated space had been erased in January.
Johnson: Disk utility log. It indicates that the option to erase free space had been executed.
Prosecution: Was it completed?
Johnson: Was not. It takes some time. It was probably cancelled.
Prosecution: So we have got the erase of the hard drive on 25 January and erase of free space on 31 January.
Johnson: Means everything on computer was erased.
Prosecution: Mr. Johnson, I just want to show a few documents to the Investigating Officer while you are up here.
[Prosecution passes documents around the room.]
Prosecution: Mr. Johnson, recognize?
Johnson: First document, I do. Partial screen shot of Manning's desktop. Manningb_00409680. Second document: Encrypted mail message. Manningb_[Missed]. Manningb_00409682. Keychain use on Manning's laptop: Manningb_00409683.
Prosecution: What is a keychain?
Johnson: Mac OS keeps passwords encrypted in a keychain.
DEFENSE EXAMINES MR. MARK JOHNSON, MANTECH INTERNATIONAL CONTRACTOR WORKING FOR US ARMY CCIU.
Defense (Blouchard): Mr. Johnson, you are certified in computer forensics?
Defense (Blouchard): Prior to this case, you had never done forensics on an Apple?
Defense (Blouchard): In one report you wrote Red Buicks?
Defense (Blouchard): Isn't it true that you wrote that Red Buicks had no connection to Manning?
Johnson: Don't recall.
Defense (Blouchard): Where do you do the work?
Johnson: Fort Belleville, West Virginia.
Defense (Blouchard): Who assigned?
Defense (Blouchard): Do you have an opinion on S.C.I.F. security measures based on the work you did on this case?
QUESTION IS OVERRULED [Not clear if by Investigating Officer or by an objection by the prosecution.]
Defense (Blouchard): During the forensic work, was there any evidence that Manning suffered from gender identity disorder or had identity problems?
Johnson: I don't think I could answer that, Sir. I may have come across references to Web pages, but we were not looking for that.
Defense (Blouchard): Mr. Johnson, does the name Breanna Manning mean anything to you?
Defense (Blouchard): What is it?
Johnson: I understand that it is an alter ego of Private Manning.
TRANSCRIBER MISSED SECTIONS OF THIS DEFENSE CROSS. SEE REITMAN'S ACCOUNT.
MR. MARK JOHNSON, MANTECH INTERNATIONAL CONTRACTOR WORKING FOR US ARMY CCIU IS TEMPORARILY EXCUSED.
UNITED STATES CALLS SPECIAL AGENT DAVID SHAVER, CCIU
Prosecution: I would like to discuss an S.D. card found. Familiar?
Shaver: Yes. I investigated the media.
Shaver: Same as before [allegedly collected on the second search of Bradley Manning's aunt's after having allegedly been shipped from Iraq in October 2010], but I worked off the image file. Did same as I did for .22 and .40 [Shaver imaged and examined the SD card himself. He verified the hash of the image.]
Shaver: Over 100,000 C.I.D.N.E. documented findings and reports.
Shaver: A number of photos of PFC Manning.
[Reitman describes this as, "It was a self-portrait Manning took with a camera held in one hand, standing in front of a mirror in the basement of his aunt's house."]
Prosecution: What is this?
Shaver: Photo of Pfc. Manning.
Prosecution: When taken?
Shaver: 26 January.
Prosecution: While on leave?
Prosecution: Was in allocated?
Shaver: One file, believe it was yadda.tar.bz.2.nc. [Transcriber notes they may have written that down incorrectly.]
[Reitman describes the presentation as:
In the allocated space of the SD card, there was a file called yada.tar.bz2.nc made on January 30, 2010 at 10:22 p.m. There were two other files on this disc, both of which were unrecoverable and both of which referenced the word "nathan" in the title, i.e. "nathan2_events_tar_bz2"]
Shaver: This is a screenshot of three files. First and third were deleted and overwritten.
Prosecution: So unrecoverable?
Prosecution: What is the one in the middle?
Shaver: File created January 30, 2010 at 10:22 p.m. An encrypted, compressed file. The tar.bz2 means it is encrypted.
Prosecution: Did you open?
Shaver: Yes. Contained four files: Two .csv files, one containing 91,000 individual C.I.D.N.E. reports for Afghanistan.
Prosecution: How did you decrypt?
Shaver: Using password Mark Johnson discovered - TWINK1492!! I took encrypt program and told it to decrypt password.
[Reitman describes as:
Shaver: Screenshot of four files. These are C.I.D.N.E. reports for Afghanistan document. Last written January 8, 2010. Also 400,000 individual reports that are C.I.D.N.E. reports from Iraq. Last one: temporary file created by Macintosh OS. January 9, 2010. Third line down is README.txt, also created January 9, 2010.
Shaver: Sir, this is contents of README.txt. [He reads. Reitman notes that it says, "This is possibly one of the more significant document of our time, removing the fog of war, revealing the true nature of 21st century asymmetric warfare. Have a good day."]
Prosecution: Sir, what did you find on WikiLeaks?
Shaver: Sir, I did a line-by-line comparison. It appeared that these were the source files.
[Prosecution presents documents to Shaver.]
Document 1: Screen shot of [Missed] Manningb_006587 [Missed].
Document 2: Email from Manning's Thunderbird account.
Document 3: April 8, 2010 email from Manning's Thunderbird account. Manningb_00409686
Document 4: Email from Manning's Thunderbird account.
[Reitman notes that the prosecution then asked Shaver to authenticate several documents, including screenshots from Thunderbird email on April 10, 2010 and an email on April 8, 2010.]
Defense (Blouchard): What date did you get S.D. card?
Shaver: [Gives date.]
Defense (Blouchard): It was shipped from Iraq?
Shaver: I don't know how it got there.
Defense (Blouchard): You don't know who handled it between its being shipped and arrival?
SPECIAL AGENT DAVID SHAVER, CCIU TEMPORARILY EXCUSED.
UNITED STATES CALLS MR. MARK JOHNSON, MANTECH INTERNATIONAL CONTRACTOR WORKING FOR US ARMY CCIU.
Prosecution: Did you examine any other pieces of digital media?
Johnson: Forensic image of the external drive taken from Private Manning.
Prosecution: Found in his C.H.U.?
Johnson: I believe so.
Prosecution: Found something of a PowerPoint presentation and a text file.
[Operations Security (OPSEC)
PV2 Manning, Bradley
D Company, 305th Military Intelligence Battalion
Friday, 13 Jun 08]
Prosecution: What was on the text file?
Johnson: Appeared to be contact info.
[Transcriber describes as wl-press.txt. Created November 30, 2009.]
Prosecution: What was in the text file?
Johnson: Contact information for Julian Assange. "You can currently contact our investigations editor directly in Iceland. 354 862 3481 24 hour service; ask for Julian Assange."
[Reitman notes the prosecution had no more questions on this issue, and the defense declined to cross examine.]
MR. MARK JOHNSON, MANTECH INTERNATIONAL CONTRACTOR WORKING FOR US ARMY CCIU IS TEMPORARILY EXCUSED. [BOTH REITMAN AND THE TRANSCRIBER NOTE THAT JOHNSON WAS TEMPORARILY EXCUSED, BUT HE NEVER APPEARS AGAIN IN OPEN COURT.]
COURT IS IN RECESS.
3:09 p.m. PROSECUTION CALLS SPECIAL AGENT DAVID SHAVER, CCIU
Prosecution: Agent Shaver, you're still under oath. Transition back to logs. Want to talk about other log files. What's CENTAUR?
Shaver: It is a part of the intrusion defense system. Captures I.P. addresses. Times, dates.
Prosecution: Captures connections between 2 comps?
Shaver: There is a sensor on the network to capture traffic.
Prosecution: File? Info?
Shaver: Just data. Package information. It will say how much data transferred between the sensor.
Prosecution: What information was collected by C.C.I.U.?
Shaver: ...for .22 and .40 [respective I.P. addresses of Manning's SIPRnet computers] during Pfc. Manning's deployment.
Prosecution: What was your investigative plan?
Shaver: NetFlow data, which computers, how many times, how much was transferred between those two: .22 and .40 and other computers.
[This is an Excel spreadsheet displaying amounts transferred.
Dates that the .22 or .40 connected to Department of State NetCentric database.
Dates that the .22 and .40 connected to G.T.M.O. server.
Dates that .22 and .40 NetFlow to C.I.D.N.E. in Tampa, FL...
It showed a 3 month time span in which 11.2 GB of data were passed and there was significant activity on 30 March 2010 and 28 March 2010, then again on 8 April 2010 and 9 April 2010. There were around 800,000 total connections from the .22 machine to the State Department servers from 7 March 2010 till the end of May 2010.]
Prosecution: Why are dates out of order?
Shaver: Sorted by highest transfer data on down.
Prosecution: How many logs?
Shaver: Two sets. Firewall logs and Web server logs. Firewall is a device that allows or disallows network traffic.
Prosecution: The log files, were they collected based on an I.P. address? Which one?
Shaver: Yes. .22. Sir, it was only connections; not data transfers. Communication between .22 and the NetCentric server.
Prosecution: What is the communication? Any way to tell?
Shaver: No. All I can show is that there was a connection between the two.
Prosecution: Firewall, any pattern?
Shaver: Some days large amount of connections; some days very few.
[The transcriber did not provide specific information about presentation.]
Shaver: Excel spreadsheet in three columns: source I.P., date, and amount of data transferred.
Prosecution: When does it get really active?
Shaver: 28 March, 52,135 connections on that day. 149,406 in early April. Yes, Sir, that is a lot of connections.
[77,573 on 31 Mar
57,274 on 01 Apr
78,738 on 05 Apr
73,091 on 08 Apr
95,057 on 09 Apr
53,440 on 05 May]
Shaver: There were 800,000 connections between .40 and the State Department NetCentric Diplomacy server between March and May, the entire time period.
Prosecution: What was significant?
Shaver: A large number of files were downloaded to .22 using the WGET program.
[Another spreadsheet. Requesting a file. File size. Spreadsheet from May 3, 2010.]
Prosecution: You say a large number of files were transferred?
Prosecution: Why are there no files recorded before May 3?
Shaver: There was a problem with the server, and there were no logs. Because the examiners showed that the index.dat on .22 had a very specific path to the server, we were authorized to image just those files. Collected an image of just the files in question - the Farah investigation folder.
Prosecution: So you collected an image of the raw folder? What was significant?
Shaver: It contained files of the raw structure that had the same file structure as the index.dat. Examinational log files found an Excel file on .22 that was downloaded only one time.
[Reitman notes about Shaver's testimony that according to CENTCOM logs there was one PowerPoint presentation that was only ever downloaded one time. It was downloaded April 10, 2010.]
Shaver: Sir, left to right, this is a source file. I'm looking at the index.dat file belonging to Bradley Manning. In the middle is a conversion to the same date/time US to Baghdad. Date/time is: April 10, 13:12:24 hours. Means user profile Bradley Manning viewed file Farah.brief.final.version1. It was only downloaded one time.
Prosecution: What did you see on other logs?
Shaver: Sir, hundreds of thousands of other files being downloaded at the same time.
Prosecution: Other log files...did you examine? What were Web sites?
Shaver: Sir, there were two. C.I.A. WIRe and Open Source File. C.I.A. WIRe is C.I.A.'s [World] Intelligence Review.
Prosecution: Did Pfc. Manning have an Open Source Center account? What was username?
Shaver: bradass87. I could view user name requesting info, files viewed and searched for, were all on there. Linked to his SIPRnet account. He searched for keywords "Iceland" and "WikiLeaks." Both about 30 times.
Defense (Blouchard): Regarding Centaur data logs, what time period did you look for logs?
Shaver: 1 October 2009 through end of May 2010.
Defense (Blouchard): How far back did you get information for Centaur logs?
Shaver: I would have to request it.
Defense (Blouchard): Did you look at all SIPRnet computers?
Shaver: No, we just filtered on the .22 and .40 computers.
Defense (Blouchard): So those workstations were accessing Centaur data logs, right? And the activity was authorized?
Defense (Blouchard): The work station was a classified computer? Activity was authorized?
Defense (Blouchard): Same with the Department of State logs, correct?
Defense (Blouchard): Classified work station could look at the server?
Defense (Blouchard): You mentioned the Farah folder. Did you find videos? How many?
Shaver: Yes. Three.
Defense (Blouchard): In general, what were the videos? Have you spoken about them?
Shaver: I have not.
Defense (Blouchard): Was it from the Farah.zip files?
Shaver: Look at the log files. You would work your way back to it, Sir.
Defense (Blouchard): You have served previously? Iraq is within the CENTCOM area of operations? .22 and .40 are SIPRnet comps?
Shaver: [Answers, "Yes" to all.]
Defense (Blouchard): Same with C.I.A. - there is an open source? For all of these, an analyst working on a .22 or .40 computer did not have to hack into these logs, right? [He means server.] Do you need a password?
Shaver: On C.I.A. and O.S.C. [Open Source Center], yes.
Defense (Blouchard): The person had authorization to look at this data?
Shaver: I believe so, yes.
Prosecution: On .40 Manning had a user account, correct?
Prosecution: On .40, you had to use a password, correct?
Prosecution: So it is incorrect to say that anyone had access.
Defense (Blouchard): Agent Shaver, other users had access to those computers, correct?
[Reitman notes that even "individuals who had top secret security clearance were made to leave."]
4:04 p.m. PROSECUTION EXAMINES SPECIAL AGENT DAVID SHAVER, CCIU
[Reitman notes, "He stated that he had examined the NIPRnet computer, which included a profile for Manning."]
Prosecution: I want to talk about 3 May 2010 in particular.
Shaver: Yes sir? Went to Google, typed WGET, received several hits, and downloaded the file to his profile.
[Reitman notes the prosecution provided a slide showing a cached version of the WGET version 1.11.4 download Web page.]
Prosecution: So you actually found this on the computer?
Shaver: Yes, within the email cache.
Shaver: I am comparing two WGET files.
Prosecution: One from the NIPRnet computer?
[There is a discussion about what files are being looked at.]
Prosecution: Both machines were on the Bradley.Manning user profile?
[Transcriber notes that the courtroom feed keeps going in and out.]
Prosecution: What is the significance of hash values being the same?
Shaver: It is the same exact file.
Defense (Bouchard): This is a data mining tool?
Defense (Bouchard): And intelligence analysts mine data as part of their jobs? The activity .22 computer was April of 2010, correct? There was no evidence that activity took place prior to 2010? Were you aware that WikiLeaks had the video prior to January 2010?
This work by Alexa O'Brien is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. Based on a work at alexaobrien.com. Permissions beyond the scope of this license may be available at [email protected].