
Case 3:06-cv-00056-PMP-VPC Document 199 Filed 06/22/07 Page 1 of 9

J. Stephen Peek, Esq. (NV Bar #1758)
Jerry M. Snyder, Esq. (NV Bar #6830)
Hale Lane Peek Dennison and Howard
5441 Kietzke Lane, Second Floor
Reno, NV 89511
Tel: (775) 327-3000
Fax: (775) 786-6179

Reid H. Weingarten (D.C. Bar #365893) (Admitted Pro Hac Vice June 15, 2007)
Brian M. Heberlig (D.C. Bar #455381) (Admitted Pro Hac Vice June 15, 2007)
Robert A. Ayers (D.C. Bar #488284) (Admitted Pro Hac Vice June 15, 2007)
Steptoe & Johnson LLP
1330 Connecticut Avenue, N.W.
Washington, D.C. 20036-1795
(202) 429-3000

Attorneys for Plaintiff and Cross-Defendant eTreppid Technologies, L.L.C. and Cross-Defendant Warren Trepp

UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF NEVADA

DENNIS MONTGOMERY; MONTGOMERY FAMILY TRUST,
Plaintiffs,
vs.
ETREPPID TECHNOLOGIES, L.L.C.; a Nevada Limited Liability Company, WARREN TREPP; DEPARTMENT OF DEFENSE of the UNITED STATES OF AMERICA; and DOES 1-10,
Defendants
AND ALL RELATED MATTERS.

Case No. 3:06-CV-0056-PMP-VPC
Case No. 3:06-CV-00145-PMP-VPC

DECLARATION OF JONATHAN KARCHMER IN SUPPORT OF DEFENDANTS ETREPPID TECHNOLOGIES, L.L.C. AND WARREN TREPP'S NOTICE OF OBJECTION TO THE PUBLIC FILING OF A FABRICATED DOCUMENT BY DENNIS MONTGOMERY

Pursuant to 28 U.S.C. § 1746, I, JONATHAN KARCHMER, hereby declare:
::ODMA\PCDOCS\HLRNODOCS\641863\1

1. I am over the age of eighteen. I make this declaration based upon my personal knowledge to which I could and would competently testify if called as a witness in this matter.

2. I am employed by LECG, LLC, an expert services provider. I am a Managing Consultant in the Electronic Discovery practice based in Century City, Los Angeles, CA. I have offered sworn testimony as an expert witness.

3. I am an EnCase Certified Examiner (EnCE - #15-0203-1114), a Certified Computer Examiner (CCE - #427), a GIAC Certified Forensic Analyst (GCFA - #1676), and a GIAC Certified Incident Handler (GCIH - #2981). These security and computer forensic designations acknowledge that computer examiners have successfully shown how to employ proper computer investigation methodology as well as how to properly use forensic software during computer examinations. They are recognized by both law enforcement and corporate investigation communities as a symbol of in-depth computer forensics knowledge.

4. Computer forensics and electronic discovery has been the focus of my career for more than 6 years. Historically, I have served as a computer forensics examiner and ediscovery litigation consultant in over 75 matters, and I have offered testimony as an expert in the area of evidence preservation, spoliation issues, documentation, and computer forensic methodologies.

5. LECG was engaged by eTreppid counsel to collect and analyze data including email from the offices of eTreppid in Reno, NV.

6. On February 16, 2007, I visited the offices of eTreppid and met with the eTreppid information technology manager, Sloan Venables. Mr. Venables explained the eTreppid network and email configuration to me. During the time period at issue in this case, when eTreppid employees accessed their email, the email was transferred from the eTreppid server to the users' computers. Thereafter, a copy of the email was not maintained on the server. eTreppid email was not centrally managed or backed up to tape.

7. I collected various instances of email belonging to Warren Trepp including his current PST files, backups of his PST files created at different times, and a loose email (msg) file. A PST file is basically an email mailbox; it is a single file containing email used with the Microsoft Outlook email application. LECG subsequently visited eTreppid on February 23, March 6, and March 23, 2007 to collect other email backups and stores as they were discovered by eTreppid staff, including four hard drives located in a locked cabinet that I am advised was used principally by a former eTreppid employee, Mr. Montgomery.

8. I used WinRAR and/or EnCase software to perform file collection onsite at eTreppid. Both tools preserve file system metadata (information associated with an electronic file regarding dates and times of creation, delivery, receipt, modification, etc.) associated with files collected for analysis. I used EnCase and dtSearch software to analyze the email I collected.

9. LECG performed testing of the Outlook email program and confirmed that email messages sent in the past could be altered and edited at the will of anyone with access to an individual's email account (or PST). A user could open an existing message, add or remove content, and then print a hard copy of the altered email. However, if the email message is altered and saved, those changes are subsequently saved in the email itself as it resides in the PST mailbox file. Therefore, if an email message dated September 25, 2003 was later altered and saved in January 2006, for example, analysis of the PST file containing that email would show discrepancies between the "Sent" (identified by EnCase as "Last Written") and "Modified" times associated with that email message. Specifically, the email's "Last Written" date would be September 25, 2003, but its "Modified" date would be January 2006. I note that it is not necessary for one to save an edited email message in order to print copies of the edited email.

10. Counsel asked LECG to analyze all collected email files and locate a September 25, 2003 email message between Len Glogauer and Warren Trepp regarding Congressman Gibbons that purportedly included the sentence "We need to take care of him like we discussed." I located four instances of an email between Mr. Glogauer and Mr. Trepp on September 25, 2003 regarding Mr. Gibbons in various locations, including PST files belonging to Mr. Trepp, and on one of the external hard drives located in the locked cabinet used by Mr. Montgomery. Attached to this declaration as Exhibit A is a printed copy of the email as I found it. (All four instances of the email message are the same.)

11. The content of all four instances of the September 25, 2003 Len Glogauer email I located at the eTreppid facility were identical, and included an email chain consisting of three messages preceding the message Len Glogauer forwarded to Warren Trepp at 9:35 a.m.

12. Analysis of the email I collected showed that all instances of the September 25, 2003 Len Glogauer email did not include the sentence "We need to take care of him like we discussed." In addition, I analyzed all instances of the email to determine whether that sentence was added or removed.

13. The EnCase forensic software is able to analyze metadata in Outlook email messages, known as "property tags." The EnCase forensic software identifies metadata in Outlook email messages and displays them as follows: (a) "File Created" identifies the date/time an email was first received and saved into a PST mailbox file by the recipient; (b) "Last Written" identifies the date/time an email was sent by the author; and (c) "Entry Modified" identifies the date/time an email was last modified or changed by the recipient. Generally, the "File Created" date/time will match the "Entry Modified" date/time for all email messages, unless a user edits or modifies an existing email after receiving it, in which case the "Entry Modified" date/time will reflect the subsequent date/time when the modification occurred. See Exhibit B.

14. For example, if an email message was sent and received in 2003, but subsequently altered (and saved) in 2006, embedded metadata within the PST file would indicate an "Entry Modified" date/time in 2006, while the "File Created" and "Last Written" dates/times would remain in 2003. (See Exhibit B for an example of a modified Outlook email message and the resulting change to the email metadata).

15. When I examined the eTreppid PST files using EnCase forensic software, the "Last Written" and "Entry Modified" dates/times associated with the September 25, 2003 Glogauer email were consistent with the email having been sent by the author on September 25, 2003 at 9:35 AM ("Last Written" date/time), and received by the recipient on September 25, 2003 at 9:42 AM ("File Created" / "Entry Modified" dates/times). None of the four instances of the September 25, 2003 email message that I examined contained any discrepancy between the "File Created" date/time and the "Entry Modified" date/time. This indicates conclusively that the September 25, 2003 email message was not modified by the recipient after it was received.

16. At the eTreppid offices, during the relevant time period, the email server was configured to act as temporary mail storage. In other words, when email was sent to employees, the messages physically resided on the email server until the recipient opened their Outlook application, and synchronized with the server and/or initiated the "Send/Receive" process. At this time, new email messages transferred from the server down to the user's desktop/laptop where the PST was physically stored. (Send/Receive can be configured to run periodically while Outlook is open, or users can initiate this manually at any time.) The PST then stamped the incoming email message with certain dates/time as appropriate.

17. Exhibit C to this affidavit explains in detail the process by which email messages have certain embedded dates/times assigned to them, and describes why all four instances of the September 25, 2003 email found onsite at eTreppid show: (a) the emails did not include the "We need to take care of him . . ." sentence, and (b) the emails were never altered or modified after they were received, indicating that it is not possible that anyone deleted the sentence "We need to take care of him . . ." from the original email. Specifically, when an email message is saved into a PST, Microsoft Outlook will assign various "property tags" to the email, including a "PR_CREATION_TIME" tag which, for an email recipient, is the date/time the email is first received and saved to the PST, as well as a "PR_LAST_MODIFICATION_TIME" tag, which records the last time the email message was altered/modified in any way. When this metadata is viewed using the EnCase forensic software, the "PR_CREATION_TIME" tag is reflected as "File Created" and the "PR_LAST_MODIFICATION_TIME" tag is reflected as "Entry Modified." For all four of the eTreppid PST files containing the September 25, 2003 email message, the "File Created" and "Entry Modified" dates/times are identical, and all read as September 25, 2003 at 09:42:52 AM. Were the message to have been altered by someone, the email's "Entry Modified" date/time would differ from (i.e. be later than) its "File Created" date/time (See Exhibits B, C). Instead, all four instances of the September 25, 2003 email at eTreppid have identical "File Created" and "Entry Modified" dates/times (down to the second).

18. Based on the foregoing analysis, it is my expert opinion that the original email, as sent from Mr. Glogauer to Mr. Trepp on September 25, 2003, did not contain the sentence "We need to take care of him like we discussed."

19. I am informed and believe that a txt file was submitted to the Court by Mr. Dennis Montgomery on June 12, 2006 as a true and accurate copy of the September 25, 2003 Len Glogauer email. This txt document is not a verifiable or accurate copy of the original email as I found it in several locations in the eTreppid facility.

20. The document submitted by Mr. Montgomery is a text or TXT file (a basic word processing document), which can be easily manipulated or altered. A TXT file is not the original format of an email message sent/received using Outlook. The file submitted to the court was created with a Windows program called Notepad (a basic text editor program included with all versions of Windows). When they are printed, text files created with Notepad will include the file title at the top of the printed page, and also include "Page X" at the bottom, where X corresponds to the page number. These marks are consistent with the file submitted by Mr. Montgomery.

21. Further, the absence of the preceding email chain found in the original versions of the email and the inclusion of the sentence "We need to take care of him like we discussed" indicates that the document submitted to the Court by Mr. Montgomery is an altered version of the email as it existed when Len Glogauer sent to Mr. Trepp on September 25, 2003.

22. To illustrate the ease with which an "email" like the example Mr. Montgomery provided to the Court can be created, on June 14, 2007, I used Notepad to create a nearly identical TXT file that appears to be an email message. I created a text file with the same filename as Mr. Montgomery's document. I added "This sentence was added by LECG on 6/14/2007" to the email body. This example is included with this affidavit as Exhibit D. Note: LECG does not have access to the electronic TXT file Mr. Montgomery created/provided; Exhibit D to this affidavit was created entirely by me with the use of Notepad.

23. As illustrated in Exhibits B and D to this affidavit, it is not possible to verify authenticity of email through examination of hard copy printouts. Forensic examination of the original email store (PST) is required.

24. It is my belief that a forensic analysis of a PST file in Mr. Montgomery's possession, if it exists, with the email Mr. Montgomery provided to the Court, would reveal that the email therein either (a) does not contain the sentence "We need to take care of him like we discussed," or (b) is in fact a subsequently altered version of the original September 25, 2003 Len Glogauer email.

Pursuant to the provisions of 28 U.S.C. § 1746, I declare under penalty of perjury that the foregoing is true and correct.

Executed this ____ day of June, 2007 at Irvine, California.

/s/
JONATHAN KARCHMER

PROOF OF SERVICE

I, Gaylene Silva, declare:

I am employed in the City of Reno, County of Washoe, State of Nevada, by the law offices of Hale Lane Peek Dennison and Howard. My business address is: 5441 Kietzke Lane, Second Floor, Reno, Nevada 89511. I am over the age of 18 years and not a party to this action.

I am readily familiar with Hale Lane Peek Dennison and Howard's practice for collection of mail, delivery of its hand-deliveries and their process of faxes.

On June 22, 2007, I caused the foregoing DECLARATION OF JONATHAN KARCHMER IN SUPPORT OF DEFENDANTS ETREPPID TECHNOLOGIES, L.L.C. AND WARREN TREPP'S NOTICE OF OBJECTION TO THE PUBLIC FILING OF A FABRICATED DOCUMENT BY DENNIS MONTGOMERY to be:

_X___ filed the document electronically with the U.S. District Court and therefore the court's computer system has electronically delivered a copy of the foregoing document to the following person(s) at the following e-mail addresses:

Fax No. 786-5044
Email Lezlie@renofamilylaw.com
Ronald J. Logar, Esq.
Eric A. Pulver, Esq.
The Law Offices of Logar & Pulver
225 S. Arlington Avenue, Suite A
Reno, NV 89501

Fax No. 858-759-0711
Email mjfbb@msn.com
And cdimare@worldnet.att.net
Michael J. Flynn, Esq.
P.O. Box 690
6125 El Tordo
Rancho Santa Fe, CA 90267

Fax No. 202/616-8470
Carlotta.wells@usdoj.gov
Carlotta P. Wells, Esq.
Senior Trial Counsel
Federal Programs Branch
Civil Division Room 7150
U.S. Department of Justice
20 Massachusetts Ave., NW
P.O. Box 883
Washington, DC 20044

Fax No. 784-5181
Greg.addington@usdoj.gov
Greg Addington
Assistant U.S. Attorney
100 W. Liberty Street, Suite 600
Reno, NV 89501

I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct, and that this declaration was executed on June 22, 2007.

____/s/__________________
Gaylene Silva

Case 3:06-cv-00056-PMP-VPC Document 199-2 Filed 06/22/07 Page 1 of 3

Ex. A

Message

User

From: LEN [LEN@eTreppid.com]
Sent: Thursday, September 25, 2003 9:35 AM
To: WARREN
Subject: FW: Congressman gibbons discussion with AF

For your information.... It looks like Jim has "hit the ground running" on this one!

Len

-----Original Message-----
From: Madura, Kenneth [mailto:Kenneth.Madura@mail.house.gov]
Sent: Thursday, September 25, 2003 9:32 AM
To: LEN
Subject: Congressman gibbons discussion with AF

Mr. Glogauer

This morning, the Congressman had breakfast with the Vice Chief of Staff of the Air Force, Gen Moseley, and he brought up the eTreppid technology. Mr. Gibbons believes that this would be another good opportunity to demonstrate the technology to the AF at even a higher level. Along with the data compression, the database matching was extremely enticing for the AF. I will give the information the Congressman gave us to the Air Force, and I hope that you can make a demonstration to General Moseley soon.

Please let me know if you have any questions.

Ken Madura
Legislative Assistant
Office of Congressman Jim Gibbons (NV-02)
Voice: (202) 225-6155 Fax: (202) 225-5679
Kenneth.Madura@mail.house.gov

-----Original Message-----
From: LEN [mailto:LEN@eTreppid.com]
Sent: Wednesday, September 24, 2003 1:07 PM
To: Gibbons, Jim
Subject: Thanks!

Jim,

Thanks for the e-mail. Thanks for giving us the time Sunday to provide you with an overview of this critical technology. And, it was great being able to catch up with you and Dawn on a personal basis. I know that Nanci is enjoying working with Dawn on her current efforts. I think we can help and we want to be a part of your continued success.

You can tell Dan that I will be his contact here at eTreppid. And anytime you can schedule a visit to our site we can put on a real demo for you that is nothing short of amazing!

We are looking forward to showing what can be done with this advanced technology to the right people. Dr. Rice would present a great opportunity to get things moving quickly. The sooner we can get this technology deployed, the sooner we can achieve the goal General Lambert put so eloquently: "I want to win the War!" It is a good plan and eTreppid's capabilities can help achieve that goal.

On the military side of things, I am compiling some key, very telling, information on the Army's Bandwidth Bottleneck. A 66 page report was just released that shows the costs required to eliminate or at least decrease the bottleneck by the year 2010. Costs somewhere in the neighborhood of $10 Billion. With eTreppid Compression, we can significantly reduce that cost, lower the budget and potentially cut the projected time-line in half. Not a bad formula ... Spend less money and get it done sooner! What a concept... I will send our findings and recommendations directly to you first.

Thanks again for your time.

Best Regards,
Len

Lennard D. Glogauer
VP Industry Applications & Business Development
eTreppid Technologies, LLC
755 Trademark Drive
Reno, NV 89521
Len@eTreppid.com
Tel: (775) 337-6771
Fax: (775) 3371877

-----Original Message-----
From: Gibbons, Jim [mailto:Jim.Gibbons@mail.house.gov]
Sent: Wednesday, September 24, 2003 5:25 AM
To: LEN
Subject: e-mail address

Len,

Indeed, both Dawn and I enjoyed ourselves at Primm's last Sunday, and seeing you and Nanci there was especially nice.

I have asked Maj. Dan Waters, a Fellow assigned to my staff, to contact the National Security Agency office (Dr. Rice) in an effort to set up a meeting for you and the agency. From a personal point, let me add that I was greatly impressed by the demonstration you presented to me. No doubt, the Agency will be just as impressed!

Dawn has given you the correct e-mail address for me here in DC. That e-mail address is a direct link to my desk and does not go through anyone else.

Thanks again for your help and support, but most importantly, thanks for your friendship.

Jim Gibbons

6/19/2007

Case 3:06-cv-00056-PMP-VPC Document 199-3 Filed 06/22/07 Page 1 of 3

EXHIBIT B: Outlook Modification Example

These screen captures are taken from EnCase forensic software. EnCase software was used to examine a sample Outlook PST file to illustrate normal dates/times associated with email messages and compare it to an instance where an existing Outlook email is edited/modified to include/exclude text that did not exist in the original message.

Outlook emails contain embedded "property tags" or descriptive information items. Some of these tags include date/time information, such as when a particular email message was sent or received (see Exhibit C for detailed explanation of these tags).

EnCase forensic software identifies major Outlook property tags and displays them as follows:

EnCase "File Created" column identifies the date/time the email was first created and saved into the PST mailbox file.

EnCase "Last Written" column displays the date/time the email was sent.

EnCase "Entry Modified" column displays the date/time the email was last modified/changed.

Generally, the "Entry Modified" date/time will match the "File Created" date/time for all email messages. If, however, a user changes an existing email (adds/removes word(s), etc.), and then saves the edited email message, the "Entry Modified" date/time will reflect when the modification occurred. If this were to occur, the "Entry Modified" date/time would post-date the "File Created" date/time.

Standard Email

In the screenshot below, EnCase software is being used to examine a sample PST file. An email message from the PST can be seen with subject "Thank you from the CEO of Network Solutions." The email was sent on January 4, 2005 at 7:47:28 AM (Last Written). It was received (physically saved into the PST file) at 9:27:53 AM on the same day (File Created/Entry Modified). Note that the "Entry Modified" date/time is identical to the "File Created" date/time. These property tags / dates exhibit standard behavior normally seen in PST files.

Below is the email message as it normally appears to the recipient. (Recipient name has been redacted in this example.)

To illustrate what an examiner would find if an email message was edited/modified, the above email message was edited by LECG on June 20, 2007 at 10:29 AM. The results of this modification are in the "Modified Email" section below, and can be compared to the "Standard Email" section.

Modified Email

In the screenshot below, EnCase software is being used to examine the same sample PST file used in the previous section "Standard Email." The email message with subject "Thank you from the CEO of Network Solutions" was modified by LECG to include text it did not originally contain. Note how the "Entry Modified" date/time no longer matches the "File Created" date/time. Instead, it reflects the date/time that the email was modified (June 20, 2007 10:29:32 AM).

Below is the edited email message as it would appear with changes. (Recipient name has been redacted in this example.) Note the sentence that was inserted, circled in red.

Case 3:06-cv-00056-PMP-VPC Document 199-4 Filed 06/22/07 Page 1 of 7

EXHIBIT C - Tests of Microsoft Exchange/Outlook - Results from Trepp PST files:

Part 1 - Introduction to Microsoft Messaging Properties

According to the Microsoft Developer Network (http://msdn2.microsoft.com), a MAPI[1] (Messaging Application Program Interface) Property is a component of the overall Microsoft email messaging construct. The Microsoft Outlook PST File consists of many properties[2] which are defined as tags, identifiers, and types associated with email message objects:

    Property Tags are used to identify MAPI properties and every (MAPI) property must have one. There are two parts to every property tag: a PR_ prefix and one or more character strings that describe the contents of the property. Multiple character strings are separated by underscores. For example, the property tag for the address type of a message recipient is PR_ADDRTYPE and the entry identifier for the folder designated to receive a copy of every outbound message is PR_IPM_SENTMAIL_ENTRYID[3].

Some of these MAPI Property Tags are identified by EnCase forensic software and are displayed in columns corresponding to date/time values. For example:

PR_SUBJECT:
    subject line of email, displayed in EnCase as "File Name"
PR_CREATION_TIME:
    For SENDER: when the email is first drafted
    For RECIPIENT: when email is received into PST file
    Displayed in EnCase as "File Created"
PR_MESSAGE_DELIVERY_TIME:
    when email is sent / delivered, displayed in EnCase as "Last Written" date/time
PR_LAST_MODIFICATION_TIME:
    Date/Time that email was last changed
    Will mirror PR_CREATION_TIME unless email is altered after being sent
    Displayed in EnCase as "Entry Modified"

These Property (PR) date/time values are 64-bit / 8-byte Windows encoded dates represented in hexadecimal, i.e.: 30 38 17 74 13 B2 C7 01. This value for example, decodes to June 18, 2007, 6:45:02 PM:

[1] MAPI is a messaging architecture that enables multiple applications to interact with multiple messaging systems seamlessly across a variety of hardware platforms. (Source: http://msdn2.microsoft.com/en-us/library/ms527628.aspx - Section: MAPI Concepts and Architecture)
[2] A property is an attribute of a MAPI object. Properties describe something about the object, such as the subject line of a message or the address type of a messaging user. MAPI defines many properties, some to describe many objects and some that are appropriate only for an object of a particular type. Clients and service providers can extend MAPI's set of predefined properties by creating new, custom properties. Clients can define properties to describe new message classes, and service providers can define properties to expose the unique features of their messaging system. (Source: http://msdn2.microsoft.com/en-us/library/ms528634.aspx - Section: MAPI Properties)
[3] (Source: http://msdn2.microsoft.com/en-us/library/ms531530.aspx - Section: About Property Tags)

For validation, the decoder above can be downloaded for free at: http://www.digital-detective.co.uk/freetools/decode.asp.

Times in this report are GMT -8 (Pacific).

Outlook Testing

To confirm EnCase software's interpretation of Outlook MAPI properties, I used a testing environment similar to the eTreppid email environment which included Microsoft Windows Server 2000, Microsoft Exchange 2000, and Microsoft Outlook 2003.

I created a virtual Windows network environment with Exchange as the email server application. I created 2 user accounts, called USER1 and USER2. In this example, USER1 is the email sender, and USER2 is the email recipient.

On June 18, 2007 at 6:44 PM, I acted as USER1 and opened that user's Outlook profile. At 6:45 PM, I drafted a new email message to USER2. The subject line of the email was "new msg opened 6:45 PM". The email message was submitted for delivery (Sent) at 6:46 PM.

Later on June 18 at 7:50 PM, I acted as USER2 and opened that user's Outlook profile. I prompted Outlook to Send/Receive new email messages that may be waiting. The email message from USER1 was delivered into USER2's PST file at 7:50 PM.

Below are the results of this test. PST mailbox files from USER1 and USER2 as displayed in EnCase forensic software are shown.

Outlook Testing - USER1 (Sender) PST

EnCase screen shot - The USER1 PST file shows the email message first drafted at 6:45:02. File Created matches Entry Modified[4].

PR_CREATION_TIME: 30 38 17 74 13 B2 C7 01.
This is decoded as June 18, 2007, 6:45:02 PM.

PR_MESSAGE_DELIVERY_TIME: 00 BC 5A 96 13 B2 C7 01.
This is decoded as June 18, 2007, 6:46:00 PM.

PR_LAST_MODIFICATION_TIME: 30 38 17 74 13 B2 C7 01.
This is decoded as June 18, 6:45:02 PM.

[4] Note: some of the EnCase screenshots appear to include two line items for a single email message. This is due to EnCase identifying the email class object and the email body as two separate items.

Outlook Testing - USER2 (Recipient) PST

EnCase screen shot. File Created / PR_CREATION_TIME and Entry Modified / PR_LAST_MODIFICATION_TIME are identical. This shows the message was not altered after being received at 7:50 PM on June 18, 2007.

PR_MESSAGE_DELIVERY_TIME: 80 7F 24 98 13 B2 C7 01.
This is decoded as June 18, 2007, 6:46:03 PM.
The email was received by Exchange Server at 6:46:03 PM (three seconds after USER1 sent the email), but USER2 did not physically receive the message in their PST file until they logged in and opened Outlook at 7:50 PM.

PR_CREATION_TIME: 00 E4 A4 98 1C B2 C7 01.
This is decoded as June 18, 2007, 7:50:29 PM.

PR_LAST_MODIFICATION_TIME: 00 E4 A4 98 1C B2 C7 01.
This is decoded as June 18, 7:50:29 PM.

TESTING SUMMARY

These results show that when an email recipient's PST file is examined with EnCase, an email message he or she received will show a "File Created" and an "Entry Modified" date consistent with when the message was first received and stored in the PST (6/18/07 7:50:29PM). The "Last Written" date is when the email was submitted for delivery by the author of the email (about an hour earlier at 6:46 PM).

If an email message was altered and saved after having been received, EnCase would show an "Entry Modified" (PR_LAST_MODIFICATION_TIME) date that post-dates the "File Created" (PR_CREATION_TIME) date associated with the email (see Exhibit B for example of a purposely modified email).

Result Summary / W. Trepp PST Comparison

As Mr. Trepp was the Recipient of the September 25, 2003 email, his PST files should exhibit the same date/time characteristics as USER2 above. Per the screenshots below for each of the PST files containing the September 25, 2003 email, one can see that the email message was NOT altered subsequent to it being received because the "File Created" date/time matches exactly the "Entry Modified" date/time:

PST A0001 TreppPST_010606

PST A0003 WarrenEmail_020806

PST A0004_Trepp_PSTs_021606

PST A0010_WarrenEmail_010606

All of the above PR tags associated with the September 25, 2003 email message's receipt are: E0 EF 39 10 84 83 C3 01.
This decodes to 9/25/03 9:42:52.
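The decoding and comparison that Exhibit C describes can be reproduced in a few lines. The following is an added example, not part of the declaration or its exhibits: the function names are hypothetical, the fixed UTC-7 offset is an assumption explained in the comments, and the "edited" record is constructed for illustration. All other byte values are the ones listed in Exhibit C.

```python
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
# and is stored as a little-endian 64-bit integer.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumption: the exhibit reports Pacific local time. Every sample value it
# lists (June 2007, September 2003) falls within daylight saving time, so a
# fixed UTC-7 offset reproduces the printed times without a tz database.
REPORT_TZ = timezone(timedelta(hours=-7), "PDT")


def decode_filetime(hex_bytes: str) -> datetime:
    """Decode 8 space-separated hex bytes, as stored in the PST, to UTC."""
    raw = bytes.fromhex(hex_bytes)
    if len(raw) != 8:
        raise ValueError(f"FILETIME must be 8 bytes, got {len(raw)}")
    ticks = int.from_bytes(raw, "little")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def encode_filetime(moment: datetime) -> str:
    """Inverse of decode_filetime; used below to build a constructed sample."""
    delta = moment - FILETIME_EPOCH
    ticks = (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return " ".join(f"{b:02X}" for b in ticks.to_bytes(8, "little"))


def report_time(hex_bytes: str) -> str:
    """Render a raw value as the exhibit prints it: local time, whole seconds."""
    local = decode_filetime(hex_bytes).astimezone(REPORT_TZ)
    return local.strftime("%Y-%m-%d %H:%M:%S")


def examine(props: dict) -> dict:
    """Compare PR_CREATION_TIME with PR_LAST_MODIFICATION_TIME for one message."""
    created = decode_filetime(props["PR_CREATION_TIME"])
    modified = decode_filetime(props["PR_LAST_MODIFICATION_TIME"])
    if modified == created:
        verdict = "unmodified"
    elif modified > created:
        verdict = "modified after save"
    else:
        # A modification stamp earlier than creation is not an edit; it points
        # to clock changes or tampered tags and needs separate review.
        verdict = "inconsistent"
    return {
        "created": report_time(props["PR_CREATION_TIME"]),
        "modified": report_time(props["PR_LAST_MODIFICATION_TIME"]),
        "gap": modified - created,
        "verdict": verdict,
    }


# Values as listed in Exhibit C.
USER1_SENDER = {
    "PR_CREATION_TIME": "30 38 17 74 13 B2 C7 01",
    "PR_MESSAGE_DELIVERY_TIME": "00 BC 5A 96 13 B2 C7 01",
    "PR_LAST_MODIFICATION_TIME": "30 38 17 74 13 B2 C7 01",
}
USER2_RECIPIENT = {
    "PR_CREATION_TIME": "00 E4 A4 98 1C B2 C7 01",
    "PR_MESSAGE_DELIVERY_TIME": "80 7F 24 98 13 B2 C7 01",
    "PR_LAST_MODIFICATION_TIME": "00 E4 A4 98 1C B2 C7 01",
}
TREPP_RECEIPT = {
    "PR_CREATION_TIME": "E0 EF 39 10 84 83 C3 01",
    "PR_LAST_MODIFICATION_TIME": "E0 EF 39 10 84 83 C3 01",
}


def constructed_edited_copy(props: dict, days_later: int = 2) -> dict:
    """Constructed sample: same message with a later modification stamp."""
    edited = dict(props)
    later = decode_filetime(props["PR_CREATION_TIME"]) + timedelta(days=days_later)
    edited["PR_LAST_MODIFICATION_TIME"] = encode_filetime(later)
    return edited


if __name__ == "__main__":
    samples = {
        "USER1 (sender)": USER1_SENDER,
        "USER2 (recipient)": USER2_RECIPIENT,
        "Trepp PSTs": TREPP_RECEIPT,
        "constructed edit": constructed_edited_copy(USER2_RECIPIENT),
    }
    for name, props in samples.items():
        print(name, examine(props))
```

The comparison only detects edits that were saved back into the PST, which is the limitation the declaration notes in paragraph 9: a message can be edited and printed without saving.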

Case 3:06-cv-00056-PMP-VPC Document 199-5 Filed 06/22/07 Page 1 of 2

Ex. D


2003.09.25.GibbonsFavors.txt
Message
From: LEN [LEN@eTreppid.com]
sent: Thursday, September 25, 2003 9:35 AM
To: WARREN
subject: FW: congressman giibons discussion with AF
For your information .... It looks like Jim has ''hit the ground running'' on this
one!
This sentence was added by LECG on 6/14/2007.
Len

Page 1
