EFTA00173569.pdf

DataSet-9 64 pages 14,020 words document
I, Aaron E. Spivack, having been duly sworn by Supervisory Special Agent (SSA) Dannie W. Price, Jr., hereby make the following statement to SSA Price and SSA Matthew A. Zavala on 01/26/2024 and SSA Price and SSA Claudia Dubravetz on 08/08/2024, whom I know to be SSAs of the Federal Bureau of Investigation (FBI), assigned to the Inspection Division (INSD) at the time of my statement. My attorney, Richard J. Roberson, Jr., was present during my statement on both occasions, via telephone. This statement took place over a two-day period. The statement initiated on 01/26/2024, and again on 08/08/2024, after additional allegations were added: I entered on duty (EOD) on 02/21/2006, as an Intelligence Analyst (IA). I EOD on 10/08/2008, as a Special Agent (SA) and I am currently assigned to the New York Field Office (NYFO) in that capacity.

I understand that this is an internal investigation regarding an allegation that Special Agent Aaron E. Spivack improperly stored digital evidence at his residence in violation of 1.6- Investigative Deficiency- Improper Handling of Property in the Care, Custody, or Control of the Government. On 10/30/2023 the following expanded allegations were added: Special Agent Aaron E. Spivack improperly handled, documented, and stored digital evidence and failed to secure CSAM within policy, resulting in a cyber intrusion in violation of 1.6- Investigative Deficiency- Improper Handling of Property in the Care, Custody, or Control of the Government and 5.17- Security Violation- Failure to Secure Sensitive Equipment/Materials. On 02/07/2024 the following expanded allegations were added: Special Agent Aaron E. Spivack exceeded the limits of his authority by contracting an outside company to develop computer software on behalf of the FBI in violation of 2.8 Misuse of Position and 5.23 Violation of Miscellaneous Rules/Regulations.
I have been further advised of my rights and responsibilities in connection with this inquiry as set forth on a "Warning and Assurance to Employee Required to Provide Information" form FD-645 which I have read and signed. I understand from my review of the FD-645 that should I refuse to answer or fail to reply fully and truthfully during this interview, I can expect to be dismissed from the rolls of the FBI.

I am currently assigned to CT-25, which is a hybrid Domestic Terrorism and Child Exploitation squad. I was assigned to CY-3 in May 2010 and officially named on the squad in July 2010. This was when Innocent Images was combined with Cyber. C-20 was the Human Trafficking (HT) squad at the time. I believe it was 2015 when Violent Crimes Against Children (VCAC) and HT were combined under C-20. The squad is split and has the HT side and the VCAC side. Agents primarily work their assigned violations, but we come together as a squad for operations. I believe Digital Extraction Technician (DExT) training was opened to VCAC Agents in 2012. Scott Ledford was my instructor for DExT and led the Cyber Action Team (CAT). I believe at least three or four of us initially received DExT training, but I think all of us eventually were trained. However, once the child exploitation program moved from the Cyber Division to the Criminal Division, that changed. The funding we received through the Criminal Division was significantly less than what we received through Cyber Division, so the DExT program was no longer able to put on as many classes and certify as many people as it had before. By the time of the intrusion that forms the basis of this internal inquiry, only about half of the "child exploitation" Agents on my squad were DExT certified. This is while we were still with CY-3.
We got certified because the Computer Analysis Response Team (CART) was long overburdened, and not familiar with the nuances of the child exploitation violation, such as the types of programs used by offenders, the vernaculars, etc. This was around the same time Agents working other violations began to see an increase in the collection and reliance of digital evidence. As DExTs, we were encouraged, and in some cases I believe required, to assist CART with their backlog by conducting DExT extractions for other squads. The other reason was to eliminate the lag time in searching evidence and identifying contact offenders (offenders who physically exploited or physically assaulted children) sooner. VCAC investigations are different than other FBI investigations since VCAC usually does a search warrant at the beginning of our investigations, where other squads do them last to complete their investigations. Mike Osborn was a Unit Chief (UC) of the Crimes Against Children Human Trafficking Unit (CACHTU) at FBI Headquarters (HQ) and eventually an Assistant Special Agent in Charge (ASAC) at NYFO. He was a huge proponent of DExT. Being DExT trained allowed us to conduct our own data extractions faster, but more importantly, it allowed for a faster and more efficient way of identifying contact, or "hands-on", offenders and, thus, rescue child victims of sexual abuse before they could be further victimized. After becoming DExT certified, we received DExT equipment that allowed us to image, process, and better review the digital files. The DExT training allowed us to better use FBI analytical programs to review digital evidence. Being DExT certified allowed us to assist CART by offering an alternative for other squads to use for data extractions. At the time, CART was not located in the NYFO Headquarters City (HQC).
CART was located in Moonachie, New Jersey. It could take an hour to get to the CART lab. CART evidence reviews needed to take place there. It could take all day. CART eventually moved to NYFO, HQC. The volume of data extractions we took on lessened the burden on CART. At least in New York, CART only had one or two examiners who could handle data extractions immediately, and almost certainly none who could respond after hours or on weekends. Since we dealt with child victims, it was, and is, imperative that the digital evidence be processed immediately. In nearly every child exploitation investigation the digital evidence is quite literally the evidence to prove the crime and without a prompt review, there is no probable cause to effect an arrest, putting the lives of child victims in continued danger. It is that very risk, the risk of continued abuse, that has prompted the FBI to enact new policies requiring expeditious investigation into allegations of child exploitation. This includes the expeditious review of evidence. Prior to the DExT training, on-site forensics was not really a practice. We had to take digital evidence back to the office to view it and we relied more on the post-search interview. After a search, we had to go back and arrest an offender once we found the evidence. This made for a significantly more dangerous arrest because the offenders knew we were coming. There was also the potential for offender suicide. We had three offender suicides that I can recall. There was also concern there could be a delay in reviewing evidence that, if seen sooner, would allow us to remove a child from harm's way. NYFO SAs Linh Phung, Tommy Thompson, Mitch Thompson, and I were DExT trained. SA Cindy Wolff (aka Cindy Dye) was also DExT trained.
Cindy was the last to be trained. At the time, I was the most junior Agent on the squad. Before being DExT trained, all of our digital evidence was submitted to CART for data extractions, imaging, and processing. We did have access to CAIR, a forensic tool for data review, but the program was slow, not capable of handling large evidence reviews, did not work all that well, and did not do what we in the child exploitation program needed it to do. This was no secret and was widely known, and one of the reasons for the creation of the autonomous DExT labs. After collecting digital evidence, I would enter the digital evidence into the Evidence Control Unit (ECU) and get a 1B evidence number assigned. I would then enter a CART request with a description of what forensic examinations I needed to be performed and information on the device that needed to be extracted. Then I would submit it to CART. It could take a day or two to get the evidence to CART and the amount of time it would take CART to process the evidence varied. It could take weeks or months. Once it was extracted, CART would process it in the Forensic Tool Kit (FTK). We could review the data on CAIR or go to Moonachie to review it. Everyone on the squad, for the most part, chose to go to Moonachie. CART Digital Forensic Examiners Stephen Flatley and Carlos Koo eventually set up a spot in NYFO, HQC to do data extractions. Even after receiving DExT training, we used CART for things like very large media dumps/extractions and encrypted files. We also used them to help us with understanding what some of the digital evidence was. I believe CART may have provided us a digital copy of the data extraction and I think it may have been on DVD. It would have been accessible on the Operational Wide Area Network (OPWAN) as well. I do not recall what we did with the copies on DVD.
CART may have checked them into evidence and provided a working copy. The DExT trained Agents would do data dumps on everything we could like hard drives, loose media, and thumb drives. All telephones we seized initially still needed to go to CART for processing. In 2015, generally if it was a device we could image, we would follow this process. We would use write blockers to assure we did not accidentally manipulate the original data. We would create an image of our evidence; sometimes we would use another hard drive. We imaged and processed the data. We had some hard drives but I am not sure where they came from. I believe HQ sent us a box of hard drives. I also believe CART may have given us some as well. We used a forensic duplicator called a TD3, and later a TX-1 as well as FTK Imager, to image the device onto a hard drive and make the derivative evidence. We would then make a working copy image off of the derivative evidence. We would work off the working copy. I am pretty sure the derivative evidence was cataloged and placed in the Evidence Control Room (ECR) if that was the policy, but if that was not the policy we would not have done that. The DExT Program provided us with Redundant Array of Independent Disks (RAIDs). These RAIDs were to be used to house our working copy evidence images. Once we ran out of hard drives for derivative evidence, we were instructed to use the RAIDs. I believe these instructions were provided by HQ, either our Program Manager (PM), the DExT PM, or both. Typically, the person running a Group I or Group II Undercover Operation (UCO) and the squad SSA would be the people who communicated with HQ for resources. I recall in 2015, I sent an email to [illegible], asking for hard drives with our remaining Group II funds.
At the time we were still merged with Cyber. When we moved to the Criminal Division, our funds were wiped out. Linh Phung left NYFO and became a DExT PM. She would complain about a lack of funding. I was running out of hard drive space for derivative evidence and of storage space in general. The PMs told us buying hard drives in bulk was a problem. The stores had a capacity limit. I would purchase the drives on Amazon, like I was instructed to do by HQ, until my covert account was shut down by Amazon since the purchasing of large quantities of hard drives was flagged as suspicious. We were purchasing from New Egg, like I was instructed to do by HQ, specifically SSA Heath Graves who was the DExT PM, who could sell bulk (10 or more hard drives), but I was later told by someone in the procurement unit we could not use New Egg for purchases. I went to CART who gave us what hard drives they could spare. I have various correspondence with HQ advising there was a lack of funding. This not only affected us getting hard drives, but also various other things. Phung provided us with more RAID towers for storage, and instructed us to use the storage to meet our needs, which included the creation of derivative and working copy evidence. I also learned funds were available, but not designated for the purchase of the hard drives. Money either was not there or was allocated to something else. I spoke with Heath Graves who was the DExT PM and then Jim Harrison who is the current DExT PM. After the Inspection that was related to the C-20 computer lab cyber intrusion, the squad received some hard drives, and then was denied funds for hard drives from CACHTU who told us to go to CART. CART then referred us back to CACHTU. I worked with someone from the Laboratory Division to help figure out another process. I believed it was a waste of money and resources to purchase expensive hard drives just to get destroyed.
I spoke with a UC about creating reusable virtual derivative storage that was stand-alone. The UC liked the suggestion. In 2018 I did a five-week TDY at CACHTU. My former SSA, Sean Watson, was the UC there. My job was to call every VCAC Group I and Group II UCO Case Agent and ask questions about the issues they were having and to provide recommendations on how to better the program, how CACHTU could better assist the field, things that needed improvement, etc. Generally, there was a lack of training, guidance, direction, and [illegible] within the program. I drafted a summary on the calls I made and created a section for complaints from the field in reference to DExT, and provided my assessment to CACHTU leadership. This same assessment, as well as additional details, were also provided to Bryan Vorndran, who was the Deputy Assistant Director (DAD) who covered child exploitation. This came as DAD Vorndran separately requested a working group of Subject Matter Experts (SMEs) to address the needs of the VCAC program. I explained to him how we had equipment and training needs, and provided my assessment both orally and in several documents. In 2018 I sent an email [illegible]. I talked about the need to appropriate money for equipment. Others and I made it very clear to HQ that we did not have hard drives. Every now and then they would send us some and every now and then they would send funds, but nothing was consistent. I also informed my SSA of the need for hard drives. I was aware he knew we needed them and there were no funds. Other Agents were dealing with the same issues. It has been, and continues to be, the practice of VCAC Agents to create derivative copies of original evidence if derivative hard drives are available.
However, given the long history of not receiving either the hard drives or the funds to purchase them, VCAC Agents have been left with no alternative but to store their derivative evidence on local storage. If we had hard drives, [illegible]; if we didn't, we wouldn't. In 2017 I began to gain a voice among many FBI Child Exploitation circles. I took over our squad's Group II [illegible]. Every six months we would [illegible] in front of the [illegible]; for a Group I, it [illegible] also [illegible] Assistant Director. During the [illegible] I brought up the funding issues. In the funding section we discussed what we spent and what we anticipated to spend. [illegible] program compared to the four years prior. This meant an increase of approximately 2000 undercover sessions in the same four-year span. More significantly, however, was how I tasked undercovers and provided direction to ensure the program worked to identify the most vulnerable of the exploited children; and set out to rescue them. The results cannot be overstated in that the lives of hundreds of children were saved. While I am personally responsible for saving the lives of hundreds, many hundreds, if not thousands, more were saved because of how I managed the child exploitation program. The practice of creating derivative evidence copies on separate hard drives to be checked into evidence was dependent upon whether or not we were provided funds to purchase the drives or the drives themselves. Early on, when VCAC fell under the Cyber Division, we had regular access to these drives, but when the program was moved into the Criminal Division that changed. Despite repeated requests, as well as having alerted everyone within the chain of command, we were told to figure it out.
We had been advised that if derivative hard drives were not available, to store the derivative evidence on our local storage, which is what we did. [illegible] evidence, but it happened. It may have been in 2016 or 2017 and possibly happened because we did not have hard drives. I believe we were initially getting some hard drives from DExT after completing the certification course. DExT slowly went to no longer providing hard drives to new DExT certified agents at all. I do not know what they are teaching about digital evidence storage in DExT or how to get drives, but I know from other Agents who have attended the DExT training more recently that guidance has still been to seek funding from CACHTU, who again has been stating they do not have the funds. Until approximately February 2023, the NYFO did not have a designated Information System Security Officer (ISSO). This is a required position, and I think it being left unfilled exacerbated many of the problems that are discussed herein. As recently as December 2023, my squad has attempted to get funds for derivative hard drives. On a couple of occasions the funds were obligated, however in other requests the funds were not. In those requests CACHTU stated, via email, that there were no longer funds for the drives and that the squad should inquire with CART to obtain them. Subsequently, CART denied the request as they too needed their hard drives. Even after the intrusion and the negative attention we received regarding derivative evidence hard drives, the squad was again put in a position where they were unable to comply with policy because the FBI would not provide the requisite hard drives or funding needed to be compliant.
When the squad had been able in some instances to use case funds to make a hard drive purchase, the newly-appointed ISSO found the drives to be in violation of policy since the hard drives themselves were not manufactured in the United States. This, again, put the squad in an impossible situation with no alternatives being offered. It was also quite ridiculous as it is likely that none of our computer equipment is manufactured in the United States. After the process changed, we would image the original evidence onto the RAID Storage or Network Attached Storage (NAS). At times I would create a second copy. If I made a second copy, I would use one as the Main copy and the other was the Working copy. If I did one copy, that one would be used as the Working copy. At times I would make multiple Working copies. I personally made derivative copies whenever I was afforded with the requisite hard drives. However, just because I did not always receive the drives did not mean my VCAC investigations ceased. Of course, I as well as others, still had to adapt and overcome and felt that while I may not have been able to create derivative copies for all of the evidence, the reasons for that were well documented and out of my control. Throughout most of its existence the C-20 lab was Internet connected. One or two of the DExT machines were connected to the Internet, but we were "stand-alone" and not connected to any FBI systems. Additionally, our lab was "misattributed" and able to be used in covert capacities and to access websites that could contain Child Sexual Abuse Material (CSAM). I recalled being instructed that the DExT workstation was stand-alone.
Initially, in approximately 2012, the C-20 lab was not connected to the Internet, but at the time we had little reason outside of software updates to be connected to the Internet. Several years later that changed as the advancement in our software and capabilities grew, requiring our computers to be Internet-connected. The only guidance or direction we received at the time was that our Internet-connected DExT computers not be connected to a FBI network, and as far as I have always been aware that is the only policy on the matter as well. Even FBI HQ implemented investigative steps that required DExT labs to be Internet-connected, such as the method that was used to transmit CSAM to the National Center for Missing and Exploited Children, whereas previously it had been to do so via a storage media. Later, the FBI created the "SIFTS" program which was an online portal for CSAM transmission. In approximately 2022, CACHTU advised the field that the licensing method for one of our most used programs, "Axiom", was moving from dongle-based to cloud-based. CACHTU wanted to pilot the cloud-based method and elicited the assistance of five or six VCAC squads from across the FBI to do so, one of which was our squad. This pilot program, which began prior to our intrusion and continued well after, required the DExT computers to be connected to the Internet. The C-20 lab was piloting cloud-based Axiom licensing. It allowed us to check out a license when we needed to. In order to do so, we needed to stay on the Internet to use it. There was some level of security provided by the switch box and some on the NAS itself. The computers, NAS, and RAID tower storage that contained CSAM were then all connected to the internet. We received guidance from CACHTU, specifically from the DExT PMs, to disable the antivirus to use the Axiom since the antivirus would flag the program.
I believe this came from Tommy, Heath, CART, and others. Squad C-20 did not know how to set up the Internet and the switch box. We reached out to computer scientists and CART and received some help. I do not know anything about networking and how to set up networks. The Computer Scientists also did not know. I believe someone from the Operational Technology Division (OTD) told me to Google it. Networking is not a DExT function and is not in my skill set, so I did not even know what questions to ask. The off-the-shelf security that was in place was what we were using. I and the squad asked everyone we could think of for help - CART, the Computer Scientists, OTD, the Office of the Chief Information Officer (OCIO), Management Information Systems (MIS), etc. - however, all were of no help. Computer Scientist Jim Walsh helped us set up some of the equipment. Christian Idsola from CART also helped, as did another CART employee whose name I cannot recall. Anthony Broderick who is the NYFO CART networking guy was asked for help. He told me to read the manuals and said he did not have the bandwidth to support us. These communications, along with many others, occurred in writing via email and I can provide them to investigators. Our request was simple - to network the few standalone computers in our lab. However, no responsible entity within the FBI would assist, so we had to reach out to friends and colleagues to help on their own. While their help was valuable, none of our volunteered help came from anyone who was a network or systems administrator, and the FBI's network or system administrators would not assist.

Commented [DW1]: [illegible] cannot be viewed from the same lens as someone who is a sysadmin. DW 2024-09-16 21:33:00

Commented [JR2R1]: Yes! I'm glad you remembered that. Please add. Jim Roberson 2024-09-17 10:41:00
The various networking and system administrative units in the FBI handle FBI networks, and the few that handle covert/misattributed networks do not handle CSAM networks. Despite the irrelevance of the latter from a technical perspective, CSAM is off-putting and no one wanted to assist and CACHTU did not know what to do. In fact, CACHTU was aware that this was an issue affecting so many other FBI Offices that it encouraged us to find the solution so that it could be emulated across the other VCAC DExT labs. In our desperation to find someone with a networking/system administrator background to help us, we put out a Confidential Human Source (CHS) canvass for assistance with our network through our CHS Coordinator. I also reached out to OTD, and Counterterrorism Division (CTD) Cyber looked at our network and could not figure it out. We had a Counterterrorism (CT) CHS come over and look at the network and he/she advised networking was not his/her specialty. The CHS was a former contractor for the FBI and had a TS clearance. This occurred when the lab was on the 9th floor prior to it getting flooded. After the 9th floor lab flooded, some of the equipment was replaced by CACHTU and CART was able to salvage some of the equipment. We moved the C-20 lab to the 10th floor in December 2020. I received approval on 12/22/2020 to purchase switches, NASs, cables, and hard drives. This equipment was purchased with $34,000 in CACHTU funding, which also supplied the Long Island Resident Agency (RA) with similar equipment. CACHTU PM Leslie was a former NYFO Agent and knew about these issues. During the COVID pandemic there were three of us from my squad who came to the office on a regular basis: myself, SA Matt Deragon, and SA Brian Gander. The guidance, however, was to work from home. The C-20 SSA at the time was Sean Watson. SSA Watson provided guidance to work from home, in addition to the guidance pushed by the FBI Director, our [illegible], and others in FBI management.
This guidance included conducting limited forensics from home, and CACHTU pushed out to the field temporary AXIOM licenses for the sole purpose of conducting limited forensic reviews from home. AXIOM gave everyone limited access to work from home. However, since the bulk of my forensic reviews meant reviewing CSAM, I came into the office almost daily to do CSAM reviews. This is a fact and can be corroborated by SAs Deragon and Gander, as well as by checking the building access logs which will show I used my access badge to enter the building and the frequency I accessed the building. Other work was done from home. I looked at email subpoena returns and reviewed working copy material that did not include CSAM. Anything I took home was covered under policy, and was covered under the guidance being disseminated. I have a Bureau-issued laptop computer that I utilized for these purposes. At the time, I was working on three cases primarily: Robert Hadden, Darnel Feagins, and Jacob Daskal. To conduct the investigation for Hadden I was doing web-based interviews from home and writing FD-302s and subpoena returns which were all non-CSAM related. For the Daskal case I completed a 69-page review. I took metadata-related information. Some of it was exported from Daskal's computer, but none of it was CSAM. For the Darnel Feagins case I was splitting the work. I did not do CSAM-related work from home. I did not take any storage devices home that were original or derivative evidence. Any copies or data I took home would have been all working copies. If I did take data home, it would have been a working copy. It would have been impossible for me to take derivative copies home in general. I was coming in every day to do my CSAM reviews. I [illegible] Telegram with my misattributed laptop. I was taking my Online Covert Employee (OCE) devices home to conduct work and my SSA and ASAC [illegible] it.
[illegible]. We now have EC authority. These devices may have contained CSAM. I do not believe I was doing any OCE work at the time since we were instructed not to. We were trying NOT to create a need for Agents to have to run out on warrants or conduct Knock and Talks (KTs) due to [illegible] unless an emergency - BUT, I and other OCEs would do OCE work from everywhere, including home, but all of that was covered under [illegible]. As I was authorized to do, I would take home removable storage devices like a hard drive or thumb drive that contained working-copy data and/or other material that would allow me to work from home. Some of my devices, including my FBI-issued OCE phone and my FBI-issued and encrypted laptop, may have had CSAM on them. As an OCE, I was authorized to do this since communicating as an OCE with VCAC offenders requires around-the-clock communication. This is all also covered under our Group authority. As for any evidence review I did from home, all was done in accordance with policy and guidance. Any evidence I did take home was all authorized under policy - it was not original or derivative and was only working copies. As a matter of logistics, I would not have been able to take home original or derivative evidence as I do not have the technical equipment at home to review them on my laptop. Rather, in accordance with policy and guidance, I had copied select datasets from evidence sources onto a thumb drive or external hard drive as working copies, which I would review at home. The original device would have been checked into the ECU and a copy would have been on the C-20 lab server. The lab server had to be connected to the Internet in order to send CSAM to NCMEC. As mentioned previously, the official way to send CSAM to NCMEC is to use the SIFTS online portal. They will accept hard drives but it is not what they want, and NCMEC has been moving to eliminate the use of hard drives altogether.
There are conflicting policies, and I brought this up while assisting in revising the policy. I am one of, if not the only, Court-certified expert witness for the entire FBI for child exploitation. During COVID, the concept of remote working was becoming a thing. The idea came up during COVID to be able to do remote work since that is what the FBI was beginning to promote. The idea was continued by hearing from other members of law enforcement, including some within the FBI, that they were using versions of remote computing to access their forensic labs while away, such as while on TDY or at a conference. The intention was not to work from home, per se, but rather to increase the efficiency of the forensic review process. The steps of imaging and processing evidence before it is ready for review can sometimes take days. During this time there is little for the DExT Agent to do while the computer is doing its processing work. What little there is for the DExT Agent to do is often what separates one stage of this process from the next. So if a stage is completed on a Saturday, it will not move to the next stage until the DExT Agent does the very few things needed to proceed, which may not happen until the following Monday. This may then kick the process off to the next stage, but now the Agent may have to wait several hours or longer for the next step. In order to be more efficient and to allow this process to begin on a Friday, for example, and be ready for review on a Monday, the idea of remote computing was a reasonable solution. Remote computing would have allowed the DExT Agent to remote in over a weekend to initiate the next stage of a process so that the process took advantage of the weekend to conduct the lengthy steps so that by Monday it was ready for review. The downloading process could take a while, but the steps between the process were three or four clicks.
If I knew a hard drive was going to take a day or so, and the next process would also take a day or so, I did not want to go into the office just to click a button. Especially in a densely populated area like New York City during COVID. The idea was to be able to remote into the server and tell the computer to move to the next step of the process. Our use of remote computing was reinforced by this idea a few years ago when I attended training provided by the International Association of Computer Investigative Specialists (IACIS) during which we went through basic computer forensics. I heard about law enforcement use of Remote Desktop Protocol (RDP). I believe RDP was being used in the Bureau but I am not sure for what purposes or on what devices. I spoke with several others in the FBI about RDP, including the DExT PM at the time, SSA Heath Graves, who mentioned he had either been using it or toyed around with the idea. SSA Graves mentioned to me that setting it up and using it was fairly easy and that all I needed to do was follow Microsoft's directions as they were pretty easy to follow. SSA Graves knew what my intentions were and thought it was a great idea to be able to remote in to cut the lag time of our processing. I thought the C-20 system was secure. I attempted to access the C-20 computer lab through RDP. I believed the lab's security prevented me from remoting in. I had no idea that in so doing I had opened the lab's RDP port and that it had worked. I could access the port from in the lab, but once outside the lab, I was unable to gain access to the network. I thought the security was doing what it was supposed to. I was later advised that the RDP configuration was mostly correct and that I was a step or two away from having set it up successfully and securely. I later found out I was a step or two from making it super secure but did not know what I was doing. 
I was not trying to be lazy or silly, I wanted to be more efficient in the download process. Sometimes I would start a process on a Friday only to come in on Monday and see it crashed and needed to be restarted. The RDP would have allowed me to see the crash and restart the process remotely. I had the idea of teleworking in COVID. I believe enabling remote access to the C-20 computer lab was a good initiative. [illegible] My heart and mind were in the right place. [illegible] I thought my attempt to remote into the C-20 lab did not work because the security settings were effective. I asked for help, even help with RDP, from nearly every unit in the FBI that had anything to do with networking, DExT, etc., including CACHTU and the DExT PMs. All I got in response was encouragement in what I was doing, but no form of technical assistance. I attempted to set the RDP up in either the Fall/Winter of 2022 or early 2023. The intrusion happened on Super Bowl Sunday of 2023 and I discovered it the very next day, on Monday. I provided the interviewing SSAs with an outline I drafted on 02/13/2024 of the intrusion situation which I read out loud. I signed the copy of the outline and provided it to the interviewing SSAs to add to my statement. The following is from my outline. This portion of my statement is written as it appears in the physical outline: Seamus, below is a timeline of what transpired today, noting that we had no idea this was a potential hack until late this afternoon. 
Given the potential that someone accessed our lab to do this, and that the issue may have been with the way we set up our network, below is also a little insight to the many attempts we've made to get the FBI to assist in both physical security to the lab and to help with networking:
Today's events (approx times)
-7:30am - I arrived at the office and noticed my Talino computer had restarted.
-7:40am - I logged in to my Talino and a txt file popped up that said in part my network has been compromised and provided an email address to contact. This file was in the "startup" folder so when logging in it opened automatically. I ran my computer's anti-virus software, which was up to date and active, and it identified one potential threat which I attempted to remove. While this is not common, it is also not unusual given the data we recover from 305 subject devices.
-I attempted to remove the potential threat, but my administrative privileges had been removed, and despite many attempts to gain access, I could not.
-8:30am - I reached out to Christian Idsola at CART for help, but he was going to be tied up for a couple of hours.
-9:00am - I reached out to Talino for help and they walked me through some steps, but nothing worked. They then advised me of a process to take to run antivirus software against my Talino's Operating System hard drive, which took some time but identified the likely source of the threat, which was attributed to a forensic program we use called Axiom. The threat was determined to possibly be a "booby-trap" left by a subject (who is a hacker) that was tripped when the Axiom forensic program ran across it. After this discussion it was believed that was the reason for the issues and we then began working on a solution, which seemed likely to fix my issue.
-Around this time I also noticed our main server was down, but I didn't think too much of it since we just added a new switch and tried to configure some ports to run at different settings to increase our bandwidth. I assumed at the time the lack of access was a result of incorrectly applying the settings to the "LAG" and "BOND" configurations of the switch. I was able to see that according to the switch, the server seemed to be connected just fine, so I spent some time troubleshooting it.
-Around 11:00am or so I was finally on instant message chat with the makers of the server, Synology, who had us conduct some tests and they ultimately concluded that a possible issue was a defective hard drive in the server. This was a problem since the server is "raided" and finding the defective hard drive was a time-consuming and difficult task, but several of us began our attempts.
-3:00pm - is when Christian Idsola and Lewis LNU from CART came over to help. After a bunch of triage and testing we could not figure out why we could not connect to the server, since by all accounts it was working.
-We then noticed that our other servers (NAS1 and NAS2) were also not working properly, although we were able to access their control windows, unlike with the Synology server. After some digging around we noticed the folders that contain our data were missing. Initially we thought this was due to a firmware issue since Christian and I had dealt with that in the past and it resembled the same issue.
-Around 3:30pm or so we located the log files and began combing through, which is when we noticed strange IP activity that took place yesterday from two IP addresses. The activity included combing through certain files pertaining to the Epstein investigation. I reached out to one of the case agents to see if they were in the office yesterday, thinking that maybe they inadvertently changed a setting on the NAS or if they noticed anything strange about them.
-Around 4/4:30pm we dove into the IPs and checked all of our computers to see which had the IPs in question. One computer, our discovery computer, matched one of them and is located in a room next to the lab. The other IP is one we don't recognize, but is the same address as the IPs on our network, leading us to believe it was a computer that accessed our network somehow. We were not able to identify the computer, but it had to have accessed our network either by being plugged into the network, or possibly by telnetting in virtually.
-5:00pm - we realized we were hacked and discussed what we needed to do to ensure it's contained.
-5:15pm - we immediately saved our logs and shut everything down. We disconnected the Internet and ensured anything containing a log file was preserved.
-5:30pm - I began calling my SSA, Bob Whelp in Security, Jessica Cardenas at CART, Amit Patel in Cyber.
Physical Security
-Dec, 2021 - Moved into the 10th floor lab
-Dec, 2021 - made numerous requests for an electronic keypad lock on the door only to be told by the locksmith there is no funding for a lock. These requests have been made numerous times from Dec, 2021 until a couple months ago, when the response was to make numerous copies of the key we have to the lab.
Networking/Network Security
-Since approx 2017 we have elicited help from CART and Cyber in networking our lab, all to no avail. Some CART and Cyber folks have come over on their good graces, but they were not network savvy and just tried to do what they could. Some months ago (I can look up the exact date) we again requested help from CART, but were told their networking person was too busy to help. This meant no one with networking experience or ability was willing to help, so we had to figure it out on our own.
- End of the Outline -
Once I realized it was an intrusion, I called SSA Seamus Clarke, and Bob Whelp with Security. I also called CART and Cyber. 
This all occurred the same day I found out about the intrusion. The switch box was for the internal network. We had a server rack and a server. We had a switch box and we just added a second switch box. We also had a misattributed Internet that was connected to the OCE computers. The switch boxes were never connected together. The Internet entered through a router that was connected to the DExT computer and connected to the switch box. I believed all were secure. I believed, since we had a revolving door of Computer Scientists and CART members, and since CACHTU was aware and having other offices emulate the C-20 computer lab, I thought we were good. When the intrusion happened, we were in the middle of piloting Axiom. I tried to figure out Python and GitHub and I talked to people [illegible]. I thought of a lot of different things to allow remote access. We were trying to be on the cutting edge and think outside the box. We have a large set of hash files that we sent to NCMEC. A hash is a random string of text used to verify the integrity of a file. [illegible] is unique and can be cataloged. Regarding CSAM, all files are "hashed" and the hashed values are distributed throughout law enforcement and private sector entities. Using these hashes, CSAM can be detected: if a file's hash matches that of a CSAM hash, the file is identified as CSAM without even having to see it. It can also be used to ensure that a downloaded file is legitimate. We wanted to share what we had with the RAs. 500 terabytes of data was gone as a result of the intrusion. I was able to recover about 400 terabytes of that data, however. I was told to Google how to recover the data. No one else tried to help us. The OCIO Section Chief (SC), Matt Smith, was pissed because
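The hash-matching workflow the statement describes (hash every file, compare each digest against a distributed list of known hashes, and flag matches without ever opening the file for viewing), as an added example that is not part of the statement and not the lab's own tooling. The hash list, the file names and the file contents below are constructed in-line for the demo; no real hash-list values are used, and SHA-256 is assumed as the digest since the statement does not name one.

```python
"""Hash-set matching of working-copy files against a distributed known-hash list.

Added example, not from the statement or the lab it describes. The hash list
and the scanned files are constructed in-line so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large evidence files are never held in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def load_hash_set(lines) -> dict:
    """Parse a hash list of the form '<sha256-hex> <label>', one entry per line.

    '#' starts a comment, hex is normalised to lower case so matching is
    case-insensitive, and lines that do not carry a 64-character hex digest are
    skipped rather than allowed to poison the set.
    """
    known = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        digest = parts[0].lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            continue
        known[digest] = parts[1].strip() if len(parts) > 1 else ""
    return known


def scan_tree(root: Path, known: dict) -> list:
    """Walk a directory and report every file whose digest is in the known set.

    Returns (path relative to root, digest, label) tuples. Only bytes are read;
    nothing is rendered, which is the point of hash-based identification.
    """
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = sha256_file(path)
        if digest in known:
            hits.append((str(path.relative_to(root)), digest, known[digest]))
    return hits


def demo() -> list:
    """Build a constructed working-copy tree and a constructed hash list, then scan it.

    The byte strings are arbitrary stand-ins for files; the 'flagged' one is
    simply whichever file we chose to list in the demo hash set.
    """
    flagged_bytes = b"constructed sample: stands in for a file already catalogued"
    benign_bytes = b"constructed sample: ordinary document"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pictures").mkdir()
        (root / "pictures" / "img_0001.bin").write_bytes(flagged_bytes)
        (root / "notes.txt").write_bytes(benign_bytes)
        hash_list = [
            "# constructed hash list for the demo",
            hashlib.sha256(flagged_bytes).hexdigest().upper() + "  catalogued-sample",
            "not-a-digest  junk line that must be ignored",
        ]
        return scan_tree(root, load_hash_set(hash_list))


if __name__ == "__main__":
    for rel_path, digest, label in demo():
        print(f"{rel_path}: {digest[:12]}... matches list entry {label!r}")
```

Two design points worth noting: the scanner streams each file in chunks, so a multi-terabyte working copy does not need to fit in memory, and the list loader validates every digest before trusting it, so a mangled or truncated line in a distributed list cannot silently create a false match or a false miss.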
Document Details
SHA-256: 13c0a38482cd086ec0e8a9c345d0f9baba94d075104f1f55a9b7ddd813fea2cc
Bates Number: EFTA00173569
Dataset: DataSet-9
Document Type: document
Pages: 64