More Evidence Discard in South Central Virginia
May 8, 2023 9:09 PM

Questions on Virginia Police Computer Fraud Unanswered. Questions into a Virginia State Police investigation on computer fraud in small-town south central Virginia are left unanswered as Special Prosecutor Michael Newman, an insider with Pittsylvania County, Virginia, is appointed to investigate his own. Small-town good ole boyism is commonly assumed as computer forensic evidence is ignored in favor of local district attorney opinion on computer hacking techniques routinely used by police officers. In this case, there is no warrant for the computer breach and forensic evidence is discarded even with the state police.
posted by screenname00 (13 comments total) 6 users marked this as a favorite
 


Danville prosecutor withdraws himself from federal racketeering and murder trial

Newman explained in the affidavit attached below that he is removing himself from the case amidst a number of questions that have come up about missing transcripts of jury testimony over the last few years that are believed to be tied to this case.
posted by screenname00 at 9:18 PM on May 8, 2023


I would have to read the reports to get a better idea of what might have happened on the systems, but as someone who does (among other things) digital forensics, I would unfortunately probably have to agree as far as criminal charges that there's going to be reasonable doubt as far as what happened and trying to take it to court would be pointless. I'd say that regardless of whether the alleged access was done by a private individual or the police.
posted by Candleman at 10:33 PM on May 8, 2023


Some missing context gleaned from an earlier article. Aaron Byrd is the son of the deceased former mayor of Chatham, Roy Byrd. The files accessed appear to be related to his late father's estate, such as his will and bank account records. I'm not sure if there is any connection to the Byrd political dynasty that dominated Virginia politics until the late 1960s.

I wouldn’t be surprised if the whole thing is a misunderstanding related to how cloud services sync documents to the local disk.
posted by interogative mood at 3:29 AM on May 9, 2023 [1 favorite]


I will try and post the privately done report later (it's posted online), but this part, if it isn't cloud sync:
10. On 2/25/2020, the following file located in the "Truck Theft Video" directory was accessed from a removable drive, "D", with the Volume Serial Number "EC6146CF" at 5:42 PM: "Truck Theft Video\Aaron on scene-2.mp4."
posted by screenname00 at 3:55 AM on May 9, 2023


If you read the article closely, the state police have the laptop in their forensics lab. If there is any misunderstanding from the privately obtained reports of Byrd's, then why wouldn't the lawyer use the state police forensic report instead of Byrd's private reports?
posted by screenname00 at 4:28 AM on May 9, 2023


How does one go about accessing a file "from a removable drive"? "Copied -to- a removable drive", sure. But removable drives are not generally a means of accessing files on their own. (Or do they mean that the file accessed was _on_ the removable drive?) Just the way that snippet is worded casts many questions onto their computer forensics people.
posted by jferg at 5:23 AM on May 9, 2023 [1 favorite]


jferg, the point is that the state police forensics could have cleared this up. The private forensic report was only to get the official forensics done by the police.
posted by screenname00 at 5:49 AM on May 9, 2023




Ah, thank you interogative mood - that is very useful context. I was assuming that the cops were looking to see if there was any good amateur porn images or videos on the device (if it's just a random computer), but if it's linked to that kind of family, there are far more varieties of shenanigans potentially involved.
posted by rmd1023 at 12:29 PM on May 9, 2023 [1 favorite]


How does one go about accessing a file "from a removable drive"?

That is definitely a weird line and if I were advising an opposing council I'd use that to target the believability of the report.

There's also the line that appears several times of "This metadata was confirmed by examining the bytes present in the file" - that's not how NTFS works. The file read/write times (AKA MAC times) are stored in the metadata. And Windows MAC times are complex.

It's strange that I can't find reference to koayj_*.dll (the files that show creation time in July) and were I examining a system that I suspected had been compromised and mysterious device drivers showed up, I'd dig into that.

It's also weird that the report asserts that a number of files looking like they're bog standard insurance forms were created during the time in question. A l33t nation state level threat actor might take someone's existing radiology invoice, add an attack to the PDF, and put it back on the device for persistence but I highly doubt a small time police department would be doing that. Again, NTFS MAC times can be weird and depending on how the file was placed onto the system can affect what the creation time looks like (see above link).

The simplest thing to use to show the validity of the report is that Chrome was used to log into Wells Fargo at a specific time. Wells would have records of whether a login happened at that time and, if so, what IP address was used to access it.

I'm also troubled by the assertion that CCleaner was run without listing the evidence to support it. As well as the claim that an executable was run 4/14 - maybe it was but there's no evidence to prove that.

And the fact that there's no chain of custody statement.

Again, the whole situation feels a bit weird, but there's definitely a lot of ground available to create reasonable doubt here and a qualified expert witness could find a number of faults in the report based on the extracts that were posted.
posted by Candleman at 10:39 AM on May 10, 2023
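Candleman's point above, that NTFS read/write times live in the file-system metadata and that the way a file lands on a volume shapes what its creation time looks like, can be shown concretely. The following is an added example for this thread, not code from the report, the article, or either forensics company. It decodes Windows FILETIME values as NTFS stores them in the MFT's $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) attributes, and runs two reviewer heuristics over constructed records: a creation time later than the modification time is the signature of a file copied onto the volume (the copy gets a fresh creation time but keeps the source's modification time), and a $SI creation time earlier than the $FN creation time, or $SI values with a zeroed sub-second part, is a common indicator of timestamp manipulation. The `assess_record` helper and all record values are assumptions constructed for the example.

```python
"""Reviewer checks on NTFS timestamps quoted in a forensic report.

Added example for this thread, not code from the report or from either
forensics company. A Windows FILETIME is a 64-bit count of 100 ns ticks
since 1601-01-01 UTC; NTFS keeps one set in $STANDARD_INFORMATION ($SI),
which ordinary tools and APIs rewrite, and another in $FILE_NAME ($FN),
which they normally do not. All records below are constructed.
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME resolution is 100 ns


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME tick count to a UTC datetime (microsecond precision)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Convert a tz-aware datetime back to FILETIME ticks."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def ft(iso: str) -> int:
    """Build a FILETIME from an ISO-8601 string, interpreted as UTC (constructed data)."""
    return datetime_to_filetime(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc))


def assess_record(rec: dict) -> list[str]:
    """Return findings for one MFT-style record.

    rec = {"si": {"created", "modified", "accessed"}, "fn": {"created", "modified"}}
    with FILETIME ints. Each finding is "<label>: <explanation>".
    """
    si, fn = rec["si"], rec["fn"]
    findings = []
    # 1. Copy indicator: a copy is "created" on this volume after its content
    #    was last modified on the source, so creation time is not authoring time.
    if si["created"] > si["modified"]:
        findings.append("created-after-modified: consistent with a copy onto this "
                        "volume; the creation time does not date the content")
    # 2. $FN creation is set when the MFT entry is made and is rarely rewritten;
    #    a $SI creation time before it suggests $SI was backdated.
    if si["created"] < fn["created"]:
        findings.append("$SI created earlier than $FN created: possible timestamp "
                        "manipulation, examine $FN and $LogFile/$UsnJrnl")
    # 3. Tools that set timestamps often truncate to whole seconds; genuine NTFS
    #    writes keep 100 ns precision. A flag to investigate, not proof.
    if any(v % TICKS_PER_SECOND == 0 for v in si.values()):
        findings.append("zeroed sub-second $SI field: check for timestomping "
                        "(FAT-sourced copies can also look like this)")
    return findings


# Constructed records: one file authored in place, one copied in, one backdated.
SAMPLE_RECORDS = {
    "native": {
        "si": {"created": ft("2020-02-25T17:00:00.123456"),
               "modified": ft("2020-02-25T17:05:30.654321"),
               "accessed": ft("2020-02-25T17:05:30.654321")},
        "fn": {"created": ft("2020-02-25T17:00:00.123456"),
               "modified": ft("2020-02-25T17:00:00.123456")},
    },
    "copied": {
        "si": {"created": ft("2020-02-25T17:42:00.500000"),
               "modified": ft("2019-06-01T09:15:00.250000"),
               "accessed": ft("2020-02-25T17:42:00.500000")},
        "fn": {"created": ft("2020-02-25T17:42:00.500000"),
               "modified": ft("2020-02-25T17:42:00.500000")},
    },
    "backdated": {
        "si": {"created": ft("2018-01-01T00:00:00.000000"),
               "modified": ft("2018-01-01T00:00:00.000000"),
               "accessed": ft("2018-01-01T00:00:00.000000")},
        "fn": {"created": ft("2020-04-14T10:00:00.300000"),
               "modified": ft("2020-04-14T10:00:00.300000")},
    },
}


def summarize(records: dict) -> dict:
    """Map each record name to the list of finding labels (text before the colon)."""
    return {name: [f.split(":")[0] for f in assess_record(rec)]
            for name, rec in records.items()}


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        created = filetime_to_datetime(rec["si"]["created"])
        print(f"{name}: $SI created {created.isoformat()}")
        for finding in assess_record(rec) or ["no findings"]:
            print("  -", finding)
```

The point of the checks is the one made in the thread: a "created on" value in a report only means something once you know which attribute it came from and how the file arrived on the disk, and a $SI value alone, with no $FN comparison or journal corroboration, leaves room for reasonable doubt.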


counsel*
posted by Candleman at 11:20 AM on May 10, 2023


As a note, the forensics world has quite a few people/companies who can run automated tools but don't really understand what's going on underneath the hood or what certain things mean beyond what the tools tell them. To be clear, I'm not implying that either of the companies involved are one of them, but at the very least, the cited one has given ammunition to be painted as one in court.
posted by Candleman at 11:30 AM on May 10, 2023 [1 favorite]


Candleman, thanks for the insight. The private reports obtained by the citizen were in order to get the state to provide a thorough examination, which wasn't allowed. This is the point.
posted by screenname00 at 3:37 AM on May 11, 2023 [1 favorite]



