Day 4 of Bradley Manning’s pre-trial hearing: In-depth notes from the Art. 32 courtroom
December 19, 2011: Bradley Manning Support Network sent a representative into the courtroom to take notes for the public on what happened at Bradley Manning’s hearing. No recording devices (like cell phones or audio recorders) were allowed, so all these notes are hand-written and as accurate as written notes and memory allow. Notes were taken by Rainey Reitman, any omissions or inaccuracies are entirely her fault and not reflective of the Support Network positions. Please send corrections to [email protected]
Officials at the pre-trial hearing believe it could be months before an official transcript is made available. We believe people around the world have a right to be in the courtroom seeing history unfold, so we’re doing out best to document as much as possible for the historical record and to shine a light on this trial. We urge citizen journalists to join our efforts and help us document the pretrial and any future proceedings as closely as possible.
Getting to the Courtroom
This morning was a bit warmer at Fort Meade, and I passed through the metal detectors without difficulty. I also quizzed the military police about whether they would open the overflow theater today. They said they would not.
The Article 32
9:31 AM Lt. Col. Paul Almanza, serving as the investigating officer for the Article 32 trial, entered and called the hearing to order. As typical, he reminded the spectators about the need to preserve the dignity and decorum of the proceedings by not interrupting or having cellular devices, and warned that individuals violating this policy would be removed. He did not warn individuals about notifying the IO before they discuss classified information; I assume he just forgot.
Special Agent David Shaver
Agent Shaver, the forensic agent who testified yesterday, was called forward to be cross-examined by the defense team. Capt. Blouchard stepped forward. Unlike Coombs and Kemkes, Blouchard has a stilted courtroom style. He occasionally uses the wrong word in his questioning and pauses between questions to refer to his notes.
Upon questioning, Shaver explained that he had done a bit-by-bit analysis of the SIPR computer assigned to Manning. He admitted that he had not done forensic analysis on all of the computers in the SCIF where Manning was station. Shaver thus did not know whether other computers in the SCIF might also have wget installed. [As a refresher for those who haven’t read previous notes, the “SCIF” is where Manning worked and wget is an open-source program that can, with a little script writing from the user, be used to automate downloading files. The prosecution is alleging that Manning used wget to download classified documents.]
Shaver explained that he had found diplomatic cables in a file called “files.zip” on the allocated spaces of Manning’s assigned SIPR computer. Shaver compared these cables to the cables released by Wikileaks and found that they were not a match.
Blouchard asked whether Shaver released that analysts like Manning had been directed to work on these embassy cables as part of their job. Shaver did not realize that.
Shaver explained that he couldn’t date or time stamp information in the unallocated (deleted) spaces. He also was unable to say that files in the unallocated spaces had been associated with a particular user.
Shaver testified that he did find, in the unallocated space, a copy of the video file from the Apache airstrike later released on WikiLeaks. Upon questioning, he admitted that he did not realize that people in Manning’s unit were watching this video back in Dec 2009. Shaver also admitted that there was nothing wrong with having a security-cleared user collect video feed.
Shaver also noted that Wget was used to download detainee assessments. He found 4 complete detainee assessments in the allocated files, and none in the unallocated files.
Blouchard settled back into his seat and the government stood for a quick clarification from Shaver. Upon questioning by the prosecution, Shaver explained that he didn’t believe any of the cables stored in the files.zip files on Manning’s computer were later released by WikiLeaks. He also explained that the files might never have been released because the file was partially corrupt. Shaver was able to access it because he used forensic tools.
Shaver testified that he used information obtained evidence from Index.dat , which is a Microsoft tools that logs all the websites ad files viewed by a user.
Shaver did not find any data related to the Farah case on the unallocated spaces.
At this point, the public and media was asked to leave the courtroom so that the witness could be questioned on classified matters.
Lt. Dan Choi Detained, Removed
Shortly after 10:00 AM, the members of the public watching the hearing filed outside to the courtyard and the heated trailer to await the hearing reopening. When we arrived in the courtyard, we met famed Pentagon whistle-blower Daniel Ellsberg and Lt. Daniel Choi, an outspoken proponent for the abolition of Don’t Ask, Don’t Tell who is currently engaged in a lawsuit with the government to be able to return to the Army after he was removed for being openly gay.
Choi, wearing dress blues, explained that he was detained for a long period of time at the Visitor’s Entrance when attempting to come on base. The soldiers at the gate prevented him entrance because they did not believe he was allowed to wear a military uniform when he couldn’t produce a current military ID. Due to this lengthy delay, Ellsberg and Choi were late in arriving at the courtroom. When they arrived, they were denied entrance because the court was in session – even though many had been let in late the prior afternoon and earlier this morning. The decision to allow late entrance seemed arbitrarily and spitefully enforced.
After hearing this story from Choi, I stepped into the heated trailer and so was unable to see what occurred next.
According to witnesses I spoke to afterwards, soldiers who had been speaking with Choi grabbed him and dragged him into the security trailer. One lawyer on hand expressed concern at the rough treatment he received, and another individual said they physically lifted Choi at one point in pushing him into the security trailer. Once inside the security trailer with a number of military police, we could hear sounds of loud thumping. Those of us outside were prevented from seeing what was occurring and the Military Police (MP) blocked access to the trailer. We were unable to speak to Choi and it was unclear why he was being taken away in this manner.
The MPs did not bring Choi out of the security trailer during the rest of the recess. We were then escorted back to the courtroom. Jennifer Robinson, one of Assange’s lawyers, stayed outside to ensure Choi was unharmed when he was removed. She said that Choi was not charged with anything.
While waiting in the antechamber to return to the courtroom, I asked the lead MP if there was a way to request that the overflow theater be made available. Clearly, individuals like Ellsberg and Choi were prevented from seeing the proceedings this morning – a situation easily prevented if there was a secondary feed available from a different room such as there had been on the first two days of the hearing. The MP said that there was no way for this to happen. I reiterated my question, explaining that I wasn’t asking him to reopen the theater but merely asking who I could speak to formally to request the theater be reopened. He told me there was no way to make a request that the theater be reopened to the public.
Special Agent David Shaver
At 10:14 AM the media and public reentered the courtroom. Almanza reviewed the decorum procedures and then the prosecution began questioning Shaver once more. This time the focus of their discussion was on a computer referred to as the “.40” – this was the Del SIPR computer that Manning shared with Madaras. According to testimony provided yesterday, this computer had an IP address of 18.104.22.168 and was known as Manning’s secondary computer since the Manning user profile had less frequent activity on this device.
Shaver began by reviewing what an IP address was, and then explained that the .40 Windows machine had a CD burner and Roxio CD burning software installed, but that the USB ports had been disabled as as standard. He then discussed the naming convention for Roxio CDs which typically followed the protocol of <2 digit year><2 digit month><two digit day>_<2 digit hour><2 digit minute>. [So, for example, a file name might be 101219_0525.]
The prosecution brought up a slide. It showed a file that was found on a virtual machine copy of Manning’s .40 computer, with a Roxio-style naming protocol.
Shaver explained that his investigative plan was to verify the fingerprint of the forensic image that was a copy of the Manning-assigned .40 computer, then look for information related to State Department Cables, detainee assessments, etc.
In unallocated spaces
Under questioning, Shaver began by describing what he had found in the unallocated (deleted) spaces. He stated that he had found a CSV file of over 100,000 State Department cables converted to Base 64 encoding.
The courtroom is set up with computer monitors in front of the prosecution, the defense, and on a larger drop-down screen to the left side of the courtroom across from the jury box. There are also two hanging monitors, one on either side of the court, facing the public. When documents were pulled up for the hearing, each of these screens showed identical content. It’s possible that there was an additional monitor directly in front of the investigating officer, though I couldn’t see it. Having information on these screens was helpful, though unfortunately the text was often too small to be clearly visible to the audience. I did my best to take what notes I could.
The prosecution pulled up on the screens a portion of the CSV file that showed several unclassified pieces of information. The CSV file was arranged into the following 5 columns:
A unique number | data the cable was published to the Department of State server | Message Record Number (a labeling system of the Department of State that included year, embassy, and an ascending number) | classification | Base64 encoding
Shaver explained that he was able to decode the Base64 encoded materials into plain text. However, he could not associate the CSV file with a particular user profile because it was in the unallocated space. Shaver said that one way to decode the data would be to create a script that would allow you to automate the decoding of information quickly. He did not locate such a script on the computer.
The next screen showed a warning that was displayed when individuals used the .22 and .40 machines. It displayed every time an individual logged onto the computer and explained that the computer was U.S. government property. [NB: I couldn’t get the full warning written down before they changed screens. I’d love to include the words from the image here. Please email it to [email protected] and note whether you are providing a copy of the version shown in today’s hearing or just a generic warning message from a government computer.]
At this point, the prosecution finished this line of questioning and Capt. Blouchard of the defense stepped in. Upon questioning by Capt. Blouchard, Shaver noted that he could not associate a particular person with a profile (he doesn’t know who is behind the keyboard). Furthermore, he had no way to know if passwords were shared. He also noted that there were not times or dates associated with unallocated spaces.
In addition, Shaver noted that the computer in question was a classified computer and there was nothing wrong with having this information on there. He stated that there was no forensic evidence on this computer that any of this information was sent to anyone.
At 10:26 AM, Shaver was temporarily excused.
Specialist Eric Baker
10:26 AM The prosecution next called Specialist Eric Baker, who served with the 62nd MP detachment. “MP” stands for military police. Baker had been in the army for 3 years 11 months, serving as an MP the entire time. He was Manning’s roommate in Iraq.
Baker stated that Manning and he had done two rotations together – one for Afghanistan when they expected to be deployed there and one for Iraq. Baker explained that they were deployed together in Iraq from October 2009 till Manning’s arrest in May 2010. He admitted that there was “not too much interaction at all” between himself and Manning. He noted that Manning “used the computer quite often” and that he would wake up in the middle of the night and see Manning using his computer. Baker never saw what was on the screen.
Manning took a mid-tour leave in mid-January, about two weeks before Baker’s own leave. Baker didn’t know exactly when Manning returned but believe it was in early February. Baker noted Manning had a few computer devices in the CHU – a microphone, a Mac Book Pro, an ipod touch, external harddrive, CDs. [NB: He may have mentioned other items that I did not write down, but I think I got them all.] Baker stated he never used Manning’s Mac Book.
Manning had music on and iPod Touch and on rewritable CDs. Baker didn’t have any rewritable CDs. Baker testified that he didn’t have anything marked secret and never brought anything secret into the CHU.
The prosecution then asked if Baker he knew Manning’s thoughts on the military. The defense objected, asking for the relevance. The prosecution explained that this would speak to Manning’s state of mind. The investigating officer overruled the objection.
Baker said he thought Manning felt the military wasn’t for him, and that he was probably going to get out.
With that, the prosecution rested and David Coombs stepped up to question the witness.
Coombs began by asking how Manning had been assigned to be his roommate. Baker explained he was the last person to get to FOB Hammer, and so that was the only room left. Upon questioning by Coombs, Baker admitted that he and Manning were not friends. They didn’t talk, and in fact conversation was limited to small things like asking to have a light switch turned on or off.
On questioning, Baker admitted that early on Manning had said things that made Baker think Manning was gay. And, after that, Baker had more or less told Manning that it would be better if they didn’t converse much except as necessary.
When he wasn’t working, Manning spent a lot of time in the room. Baker couldn’t recall any time he saw Manning hanging out with other soldiers except when they were eating chow.
Coombs asked Baker if anyone had ever told him that he couldn’t have CDs in the CHU. Baker said no. Coombs asked if it would have been OK for Baker to have CDs of music or a CD full of photos of family and friends in the CHU, and Baker said that would have been OK.
Baker than confirmed he was on R&R from Jan 30th through the beginning of March. He believed Manning had returned around the first week of February, but didn’t know for sure.
Coombs reminded Baker of his earlier statement that Manning felt the military wasn’t for him, and asked if Baker thought this might be because he was gay. Baker wasn’t sure. At which point Coombs asked if maybe he didn’t know because he and Manning weren’t friends. Baker agreed that was true.
Baker was then permanently dismissed from the pretrial.
Mr. Mark Johnson
10:38 AM The prosecution then called Mark Johnson of the Army Computer Crimes Investigation Unit. Johnson is a contractor for a company called
AmManTech [NB: I am not sure I caught the name of “AmTech.” If you have the company name, please email me at [email protected] Corrected. HT Nadim Kobeissi] Johnson is a computer forensic examiner who reports to Shaver. The prosecution reviewed his background and training in cybercrime and forensics.
Mark Johnson was tasked with examining the forensic image of the Mac Book Pro belonging to Manning. He began by checking the hash of the image to ensure the image was correct, then ran anti-virus software. After that, he began by looking for the Internet chat logs with Adrian Lamo and anything related to classified information.
He did find chats that looked like they were with Adrian Lamo. Johnson looked at the configuration of the chats.
The prosecution then showed an image of the chat lots on the screen. The chat logs on the screen displayed the named “Bradley Manning” and “Adrian Lamo” and the timeframe was indicated as 12:49:17 AM to 12:56:07 AM. One of the first lines said something about an “Apache Weapons Team.” The screen was removed before I could get more detailed notes.
There was a brief recess at this point. At 10:45 AM, Daniel Ellsberg stepped forward and placed his hand on Manning’s shoulder and leaned in. He began to introduce himself when two MPs from the back of the room came forward and intervened. He was taken from the room. After extensive discussion in the courtyard outside the courthouse, and after a journalist intervened on Ellsberg’s behalf, he was allowed to return.
Shortly after, a lunch recess was announced.
At 1:18 PM the media, public, and others were in the room. We waited in the court room until the attorneys and investigating officer returned at 1:41 PM. Presumably, the defense, prosecution and attorneys were meeting together before that.
Almanza called the room to order. He reminded everyone of their obligations to maintain the dignity and decorum of the proceedings by not interrupting and cautioned against cell phones.
Johnson was called back by the prosecution and reminded he was still under oath. Per questions, Johnsons explained that Adium was an internet chat service that worked with multiple clients. He stated that he had found chat logs stored on Manning’s MacBook between individuals with user name “BradAss87” and “Adrian.”
In the allocated space of the computer, Johnson also found a buddy list associated with the Adium account on Manning’s computer. Here he found contacts that included Adrian, [email protected], and [email protected] The third email was associated with Julian Assange.
The prosecution pulled up a screen to show the alias associated in the computer. It looked like this:
<name>[email protected]</name><alias>Julian Assange</alias>
Johnson testified that in the unallocated space they had found a prior alias for the pressassociation buddy profile – “Nathanial Frank.” The prosecution again showed how this alias was displayed on the screens like this:
<name>[email protected]</name><alias>Julian Assange</alias>
Johnson also found a former entry for this buddy in the unallocated space. It was displayed on the screen as:
<name>[email protected]</name><alias>Nathanial Frank</alias>
In other words, the account ‘pressassociation’ had been associated with the alias Nathanial Frank, but at some point had been updated to Julian Assange.
Johnson found a large number of chats between Manning’s profile and the pressassociation profile in the unallocated space. They were stored in xml format and many of the chats had to deal with sending and receiving government information. Johnson did not remember the time frame specifically.
The prosecution then showed a portion of the chat log with pressassociation dated 2010-03-05. I copied down what I could before they removed the slide:
Pressassociation: 5-6 hours for total upload?
Dawgnetwork: no, it was like 5 minutes
Dawgnetwork: anyway, should be good to go with that
pressassociation: i like debates.
pressassociation: just finished one on the IMMI, and crushed some wretch from the journalists union
pressassociation: of this?
[Note: there were a couple lines at the bottom I didn’t have time to transcript before the slide was taken down, but I got most of it.]
[Note: I missed a few spoken sentences here because I was transcribing from the slide, so I am not sure which logs are being referred to in the following paragraph]
Johnson also spoke about logs showing traffic between computers. He specifically mentioned IP address 22.214.171.1241 He noted that this IP address was associated with PRQ based in Sweden, which was known to be associated with WikiLeaks. [I believe PRQ here refers to https://en.wikipedia.org/wiki/PRQ] Johnson state the logs also noted IP address 126.96.36.199 – associated with Manning’s aunt’s computer. There was also mention of the URL lain.knack.net
Johnson then testified that he had looked for referenced to the IP address 188.8.131.521 in the unallocated spaces of the Macbook, and he had found references to it.
Additionally, Johnson discovered a number of PGP encrypted emails on Manning’s Thunderbird email. He found an email exchange with Eric Schmiedl <[email protected]> in which a portion was not encrypted. He displayed it on the screen. Here’s basically what the slide looked like; in the effort to transcribe as quickly as possible, I didn’t include the full email addresses and other address information down:
I was the source of the 12 Jul 07 video of the Apache Weapons team which killed the two journalists and injured two kids.
>>From: Eric Schmiedl
>>Yes I am
>>>>From: Bradley Manning
>>>>Are you familiar with the WikiLeaks?
Manning, Bradley E.
[Note: I would like to verify the dates on these; my handwriting here was quick. If you copied down the dates, leave a comment below or email [email protected]]
In recovering Manning’s laptop, Johnson was also able to gain access to Manning’s private key for decrypting his PGP emails. However, Johnson did not have the password. In an effort to come up with the password, Johnson tried using the password that they had forensically scraped that allowed a user to log onto the OS 10. The password for logging onto the computer turned out to be the same as the one for decrypting emails.
The password was TWink1492!!
By examining the disc utility log, Johnson was able to see a log of the number of CDs burned and erased.
The prosecution put a slide up on the screen that showed the disc utility log. The entries in the log began on Feb 27 2010 and ended Mar 9 2010.
Johnson also examined the CD discovered in the CHU that was marked ‘secret.’ He took the file name from this CD and found a similarly-named one in the unallocated space on the Mac. In particular, Johnson discussed /volumes being a valuable source. He described /volumes as being a “mounting point” – a starting point for a directory. He searched the /volumes path to see what he could find.
Among the things he discovered was a file named Jul 07 C2 ENGAGEMENT ZONE 30 FC Anyone.wmv
Johnson found other/volumes in the unallocated space. The prosecution put up a slide showing what was found, but it was unfortunately difficult to red. In general, it appeared that files discovered in /volumes followed the format of:
/volumes/CD or disc name/Date and time/file name.
Johnson said that this was similar to how Roxio saved file names.
The last disc burned and visible in the disc utility log was May 4, 2010 – it was files.zip.
In the unallocated space Johnson also discovered html formatted files. On the screen, the prosecution showed an example of these html formatted files. The one displayed was (a nonclassified cable) Cambodia Remains Non Committal on Kosovo, pulled from Net Centric Diplomacy version 8.2.10.
In the unallocated space, Johnson also found other classified cables. He found about 16,000 unique MRNs in the unallocated space.
On the allocated space, Johnson found CSV files and a PHP script , but did not find Base64 encoded cables. However, Johnson was able to export the PHP script through an alternate boot (running Manning’s hard drive on someone else’s computer). The script, when run, created a CSV file of Embassy cables including MSN data and other data points. The final output of the script would be: Date, time and embassy, a number, the MRN, another number, and additional information.
Johnson also found references to the WikiLeaks upload page in the unallocated spaces, and pulled up an archived copy for audience viewing. Johnson also found a number of historical status or progress reports. In particular the upload appeared to have been successful. He particularly referenced the farah cases as being uploaded. There were four parts to these, and each was
Johnson then described “rar” as being an archive file format not unlike zip. He said that files ending in .nc were associated with the encryption program mcrypt. He found references to mcrypt in a file format:
no-openpgp -d -farah.key -a rijnduel-256 farah.part*.rar.nc
He noted that this was very strong encryption.
He also found references in the unallocated space to a folder o Manning’s desktop that had contained 7 parts to the Farah files. Johnson used a tool [missed the name of the tool – sounded like “stay harbor”] in order to search for files within files. He found remnants (now corrupt) of a rar archive. He also found a powerpoint presentation and embedded photographs. The pictures in the powerpoint were also found on the SIPR computers.
He found references to the theft of the Global Address List in the unallocated space. Specifically, Johnson found thousands of exchange formatted email addresses in the unallocated space.
Johnson also found a Rich Text Format (RTF) that contained names of Gitmo detainees (also in unallocated space).
He found evidence that the computer had been wiped or reinstalled in January 2010, and that the hard drive had been successfully erased. The disc utility log was also erased. There was evidence that on January 31, 2010, there was an attempt to erase the unallocated space. However, the option chosen was a “35 pass erase free space — a very slow process. The erasure process was discontinued. However, because of the erasure that was successful, there were no files available before January.
The prosecution then handed Johnson a series of papers and asked him to identify them for the record. They included screen shots from Manning’s computer, encrypted emails from Manning’s computer, decrypted emails from Manning’s computer, and the keychain from Manning computer.
At this point the prosecution was finished. Cpt. Blouchard of the defense team came forward.
Blouchard began by reviewing Johnson’s certifications. He noted, and Johnson agreed, that prior to the Manning case Johnson had never done forensics on an Apple computer.
On questioning, Johnson noted that Manning’s computer was set to automatically login. This meant that potentially anyone gain access to it.
Additionally, on questioning Johnson noted that the GAL was not found on Manning’s personal computer.
Johnson also agreed that there was no evidence found of a connection a particular known WikiLeaks associate. [NB: hard to hear the name of this person – sounded like “Red Buick”?]
Additionally, Johnson could not say who had originally assigned him to work on this project.
When asked to comment on the SCIF security, there was an objection from the prosecution that was sustained.
Blouchard then asked if there was any indication in the materials Johnson reviewed that indicated Gender Identity Disorder. Johnson said he wasn’t able to make those judgements. Similarly, he couldn’t state whether he saw evidence of odd behavior. He was aware of the alter ego Breanna Manning.
Johnson agreed that user profiles to not equate to a person sitting at a computer.
Johnson was then temporarily dismissed.
2:26 PM Shaver returned to the stand to discuss the SD card that was taken from Manning’s aunt’s home on the second search of the residence. Shaver was brought in by the prosecution and reminded he was still under oath.
Shaver imaged and examined the SD card himself. He verified the hash of the image.
He found in the unallocated space of the SD card over 10,000 CYDNY reports. He also found a deleted photo of Manning. This was displayed on the screen by the prosecution. It was a self-portrait Manning took with a camera held in one hand, standing in front of a mirror in the basement of his aunt’s house.
In the allocated space of the SD card, there was a file called yada.tar.bz2.nc made on January 30, 2010 at 10:22 PM.
There were two other files on this disc, both of which were unrecoverable and both of which referenced the word “nathan” in the title, i.e. “nathan2_events_tar_bz2”
Within the yada.tar file were 4 files that Shaver was able to successfully decrypt using the password from before. The first was 91,000 CYDNY logs from Afghanistan and the second was about 100,000 CYDNY logs from Iraq. It was displayed on the screen like this:
The README file was a text file that described the other files as being from two wars of historical significance. The note specifically stated that steps had been taken to sanitize certain sensitive data, and that there should be a 90-100 day wait before releasing data to best assess how to distribute the information and protect the source. It ended with:
“This is possibly one of the more significant document of our time, removing the fog of war, revealing the true nature of 21st century asymmetric warfare. Have a good day.”
The prosecution then asked Shaver to authenticate several documents, including screenshots from Thunderbird email on 4/10//10 and an email on 4/8/10.
The prosecution finished up and Blouchard came forward to cross examine Shaver. The cross examination was perfunctory. In response to questions, Shaver stated that he’d received a search warrant for the SD card in December 2010, he didn’t know who had handled the SD Card before he received it, and he did not know if it had been shipped from Iraq.
Shaver was then temporarily excused.
2:39 PM Mark Johnson was recalled to the stand by the prosecution and reminded he was still under oath. He testified that he had examined an image of Manning’s external hard drive.
On the external hard drive, Johnson found a text file and a powerpoint presentation. The powerpoint presentation showed was on the topic of “Operational Security Briefing” and the listed author was Manning. The date on the first slide was Friday 13 Jun 08.
The text file was a file named “wl_press.txt” It was created on 30 Nov 09 at 20:23:29. It listed the contact information for Mr. Julian Assange, including a phone number (354 862 3481) . It stated there was “24 hour service” and suggested asking for Julian Assange.
The prosecution had no more questions on this issue, and the defense declined to cross examine. Johnson was temporarily dismissed.
3:06 PM David Shaver was recalled to the room, reminded he was still under oath, and reminded not to reveal classified information without informing the judge.
Under questions from the prosecution, Shaver described the Centaur Logs — a new flow log that captures source IP, destination IP, time, date, and packet data like how much data was transferred.
Shaver reviewed Centaur logs associated with the .22 and .40 computers connecting to the CYDNEY data base and the State Department database.
The prosecution showed a slide detailing the Centaur logs that showed traffic communication from the CYDNEY database and State Department database to the computers assigned to Manning. It showed a 3 month time span in which 11.2 GB of data were passed.
Shaver also examined the Firewall log from the Department of State. He found a connection between the .22 machine and Net Centric Diplomacy server. This pattern mimicked patterns found in the previous logs — that certain days had significantly more traffic than others. There was significant activist on 30 March and 28 March, then again on 8 April and 9 April. There were around 800,000 total connections from the .22 machine to the State Department servers from March 7 till the end of May.
Server logs from the State Department also showed that a large number of files had been downloaded by the .22 machine using wget.
The prosecution pulled up a slide that showed these logs. Logs showed the IP address, the date/time, the version of wget (wget 1.11.4) and the action taken. Server logs before May were unavailable due to a problem with the server.
The CentCom Server hosted information about the Farah investigation. According to Shaver, the investigators were able to get images of the portions of the CentCom servers related to the Farah investigation. Shaver noted that the folders and files were named in CentCom in the same way as they were named on Manning’s computer.
Notably, CentCom logs do not record external IP address. They do, however, get date, time, and files requested.
According to Cent Com logs, there was one powerpoint presentation that was only ever downloaded one time. It was downloaded 4/10/10. This file was the same as the one on Manning’s computer. Hundreds of other files were also downloaded at the same time.
Shaver also examined CIA log files. He examined the Open Source Center for the CIA, where Manning has established an account under the user name BradAss87. The BradAss87 account had conducted searches for the term Iceland about 30 times and the term WikiLeaks about 30 times as well.
Shaver also examined the CIA World Intelligence Review. (CIAWire)
At this point the prosecution was done questioning. Blouchard rose and asked a few questions of Shaver. He struggled a bit with the technical aspects.
Under questioning, Shaver stated that he had reviewed Centaur logs from 1 Oct 09 to the end of May 10. He did not examine all of the SCIP computers. Shaver noted that there was nothing unauthorized about accessing classified data from a workstation computer. this was true of the State Department files and the Cent Comm files. Shaver admitted that there were no password needed to access these servers. Passwords also didn’t need passwords for CIAWire or Centaur. the persons who operated the .22 and .40 machines had authorization to look at this data.
Blouchard returned to his seat, and one of the prosecuting attorneys stepped up with a follow up question. Under the questioning, Shaver confirmed that one did need a user account and password to access a SIPR computer.
The prosecuting attorney returned to his seat and Blouchard stood with a follow up question. Per the question, Shaver confirmed that more than one analyst was assigned to the SIPR computers.
At 3:35 PM the court was closed to the press and public, supposedly so the government could prevent classified documents. Even individuals who had top secret security clearance were made to leave.
4:02 PM Shaver was still on the witness stand when the public was allowed back into the court room. He stated that he had examined the NIPRnet computer, which included a profile for Manning. He found a number of searches on Google conducted by the Manning profile. Including: wikileaks, base64 and wget. No classified material was found
On 3 May 10, there was a record of a search for wget in Google, then evidence that wget was downloaded. The prosecution provided a slide showing a cached version of the wget version 1.11.4 download page. Shaver testified that this instance of wget – created on the NIPR computer on 3 May 10 – had a hash identical to the hash of the wget instance installed on the .22 machine on 4 May 10. In other words, these were the same exact file.
Shaver noted that wget was available on the .22 computer prior to May 4th.
The prosecution was finished with questioning. Cpt. Blouchard of the defense team rose. He began by questioning about whether wget was a mission-essential program. The prosecution objected to this line of questioning and Almanza sustained their objections.
Blouchard then asked when there was first evidence of a Farah file on the computer. Shaver stated it was in April 2010.
Blouchard asked if Shaver was aware that WikiLeaks claimed to have that information in January. Shaver was unaware of that.
At 4:10 PM Shaver was dismissed and the court was closed for the day. Then next witness is a soldier in Italy, so we are reconvening tomorrow at 9AM to make an early call.
Base64 Encoding https://en.wikipedia.org/wiki/Base64
Forensic Examiner Found No Match of Cables on Manning’s Laptop to WikiLeaks’
Prosecutors claim Bradley Manning wanted to remove ‘the fog of war’
Army Lt. Dan Choi Pinned to Ground, Thrown Off Base Before Manning Trial
Bradley Manning case: Investigators show evidence of WikiLeaks link, Assange chats
Bradley Manning pre-trial hearing – Monday 19 December 2011 as it happened