UNCLASSIFIED/MOM

UNCLASSIFIED/MOM 01/26/2024 New York, NY , having been duly sworn by Supervisory Special Agent (SSA) following statement to 01/26/2024, and and and and ., hereby make the on on 08/08/2024, on 10/07/2024, whom I know to be SSAs of the Federal Bureau of Investigation (FBI), assigned to the Inspection Division (INSD) at the time of my statement. My attorney, Richard J. Roberson, Jr., was present during my statement all occasions, via telephone. This statement took place over a three-day period. The statement initiated on 01/26/2024, and again on 08/08/2024, after additional allegations were added: I entered on duty (EOD) on 02/21/2006, as an Intelligence Analyst (IA). I EOD on 10/08/2008, as a Special Agent (SA) and I am currently assigned to the New York Field Office (NYFO) in that capacity. I understand that this is an internal investigation regarding an allegation that Special Agent improperly stored digital evidence at his residence in violation of 1.6- Investigative Deficiency- Improper Handling of Property in the Care, Custody, or Control of the Government. On 10/30/2023 the following expanded allegations were added: Special Agent improperly handled, documented, and stored digital evidence and failed to secure CSAM within policy, resulting in a cyber intrusion in violation of 1.6- Investigative Deficiency- Improper Handling of Property in the Page 1 of 106 UNCLASSIFIED//FOUO EFTA00173373 UNCLASSIFIED//FOLIO (9 4 Care, Custody, or Control of the Government and 5.17- Security Violation- Failure to Secure sensitive Equipment/ Materials. On 02/07/2024 the following expanded allegations were added: Special Agent exceeded the limits of his authority by contracting an outside company to develop computer software on behalf of the FBI in violation of 2.6 Misuse of Position and 5.23 Violation of Miscellaneous Rules/Regulations. I have been further advised of my rights and responsibilities in connection with this inquiry as set forth on a "Warning and Assurance to Employee Required to Provide Information" form FD-645 which I have read and signed. I understand from my review of the FD-645 that should I refuse to answer or fail to reply fully and truthfully during this interview, I can expect to be dismissed from the rolls of the 01/26/2024 New York, NY FBI. I have been advised by INSD not to provide the details of a whistleblower complaint I have filed with the Department of Justice in which I assert that these allegations are some of many retaliatory actions taken against me by the FBI that stem from a 2023 cyber intrusion of the NYFO's child exploitation forensic lab. While I will not go into details, I believe this is important to mention here given the very genesis of these allegations were derived from a directive to make me a scapegoat for the intrusion. I am happy to elaborate if requested, but in sum I was retaliated against for my having made numerous protected disclosures over the years that went unaddressed,l0 Page 2 of 106 UNCLASSIFIED//FOUO EFTA00173374 UNCLASSIFIED//FOUO 01/26/2024 New York, NY 8 which likely would have prevented the intrusion from happening. When the intrusion occurred, these disclosures, which I made again, caused FBI Executive Management (EM) to fear repercussions of their own failure to address the issues I presented before an incident like the intrusion could occur. I have proof upon proof that I was then targeted by FBI management as an attempt to make it appear that I and my squad mates were responsible. I know that INSD is in possession of the first of my submitted whistleblower complaints, but there are several other amendments as well as supporting documents that I can provide upon request. I am currently assigned to CT-25, a Domestic Terrorism squad, but assigned to an Enterprise Investigation that is a hybrid of Domestic Terrorism and Child Exploitation squad. I was assigned to squad CY-3 in May 2010 and officially named on the squad in July 2010. This was when the FBI's child exploitation program was referred to as "Innocent Images" and fell under the Cyber Division, while Squad. C-20 was the Human Trafficking (HT) squad at the time. I believe it was 2015 when Violent Crimes Against Children (VCAC) and HT programs were combined under the FBI's Criminal Division, which led to the merger of the violations in the NYFO under squad C-20. The squad is split and has the HT side and the VCAC side, and I was a VCAC Agent. Agents primarily work their assigned viol tions, but we come Q9 1) together as a squad for operations. Page 3 of 106 UNCLASSIFIED//F0130 EFTA00173375 UNCLASSIFIED//FOOD 01/26/2024 0 New York, NY I have been with the FBI for over 18 years, having spent the last 16 years as an Agent. I have been one of the FBI's leading Agents in Child Exploitation investigations and to this day, I believe that I am one of, if not the only, Court- certified expert witness for the entire FBI for child exploitation. I have personally accounted for over 60 arrests, 150 search warrants, and have been responsible for rescuing several hundreds of children. As is elaborated on in my Curriculum Vitae, which I have provided to INSD and has been introduced to certify me in Court as an expert witness, I also have received numerous awards and accolades, including but not limited to being a two-time recipient of the FBI's Medal of Excellence and the Southern District of New York's (SDNY) prestigious McCabe Award. I have an incredible reputation around the FBI and am seen as one of the hardest working and driven Agents in the FBI. In demonstrating the support I received, after the intrusion when FBI Headquarters (HQ) had begun its efforts to retaliate against me, the NYFO went to great lengths to push-back. Now retired Assistant Director in Charge (ADIC) defied orders from Assistant Directors (AD) and the Deputy Director (DD) to have me punished. This defiance led the DD to order charges against me, and months later I received the first of the referenced charges. The NYFO however still showered me with their support, with singing my Page 4 of 106 UNCLASSIFIED//FOUO EFTA00173376 UNCLASSIFIED//FOOD e:yraises to one " 01/26/2024 New York, NY , stating that he would rather have than 10 other Agents. The NYFO also nominating me for the second of the FBI Medal of Excellence awards I would receive in December 2023. Just months ago, in 2024, I was nominated for, but did not receive, the Director's Award, however at the same time I was nominated for an award from the Federal Law Enforcement Foundation and on 10/22/2024, I was informed I am receiving it. I can expand at length on the accolades and praise I have received from Agents, Analysts, management, HQ, Assistant United States Attorney's (AUSA's), local law enforcement, and more over the years. Even despite my current situation I continue to receive praise and support from all ranks and from AUSAs. Last month, in September 2024, the SDNY Project Safe-Childhood Coordinator (PSC) requested I assist her in providing child exploitation training to SDNY AUSAs. The PSC is aware I am no longer on the child exploitation squad, and finds the actions taken against me to be disgraceful. She also stated that despite it all, she considers me to be the best in the FBI. Regarding the allegations against me, it is my understanding that they stem, in whole or in part, from interviews conducted by the FBI's INSD in March 2023. Specifically, the statements I made during those interviews ..,•) Page 5 of 106 UNCLASSIFIED//FOUO EFTA00173377 UNCLASSIFIED//FOUO 01/26/2024 New York, NY ppear to have been the basis for the observations outlined in the subsequent INSD report, which the FBI has reported to be the foundation of these charges. I have since learned that this report was authored by someone two or three levels removed from me, relying on secondhand interpretations of my statements from the notes of the interviewers. I know what I said during the interviews, and the references in the INSD report do not accurately reflect my actual words. The INSD initially published a draft report around May or June 2023, which included observations closely mirroring the allegations against me. Both I and the NYFO leadership, including my observations inaccuracies former ADIC, as we believed were discussed countered these them to be inaccurate. These in detail during meetings with and FBI EM, and we later submitted a formal written rebuttal. However, the final INSD report, published in July 2023, failed to incorporate our responses. The observations based on my statements were neither revised to align with my rebuttal nor updated to reflect supporting evidence. I have also learned that the interviewers themselves were not provided with either the draft or final versions of the INSD report, nor were the interviewers informed of the responses submitted by me or the NYFO. Instead, the report's author relied Page 6 of 106 UNCLASSITIED//FOUO EFTA00173378 UNCLASSIFIED//FOLIO 01/26/2024 New York, NY solely on the interviewers' notes, which were not a verbatim transcription of the interview, and the interview itself was not recorded. This left critical context about my statements subject to the author's interpretation. Similarly, the rebuttals submitted to challenge the observations were not addressed. As a result, the final report left the original observations largely unchanged. In the interest of transparency, I am including the NYFO's final response to the INSD's draft report. This response was a collaborative effort between myself, my SSA, my Assistant Special Agent in Charge (ASAC), and the NYFO's Information System Security Officer (ISSO). It was formally submitted as a rebuttal to the draft observations. Unfortunately, the final INSD report failed to incorporate these responses, leaving the contested observations intact. This is deeply troubling, as the allegations were contested from the outset with the full support of the NYFO chain of command. After reviewing the draft INSD report, the NYFO was afforded an opportunity to respond in writing to both the INSD "observations" and "findings". The following is the last version of the NYFO's response that had been drafted by III , and Office of the Chief Information Officer (OCIO) . In the "NY's Clarifications to the Page 7 of 106 UNCLASSIFIED//FOUO EFTA00173379 UNCLASSIFIED//FOOD Si 01/26/2024 New York, NY Inspection Report's Observations" section you will see listed the "Observation", which was identified by INSD, then the subsequent "Clarification of Facts", which was the NYFO's rebuttal to the observations. Following this section, you will see the "NY's Responses to the Inspection Report's Findings" section. Similarly, you will see listed the "Instruction", which was identified by INSD, then the subsequent "Response", which was the NYFO's rebuttal to the instruction. NY's Clarifications to the Inspection Report's Observations Observation 1: NY was operating a device providing Internet access through wireless connectivity in FBI secured space. Clarification of Facts: NY received authorization from Security Division in 2018 to utilize Wi-Fi devices within FBI space, as long as the device connected to the Wi-Fi was 10 feet from an Enterprise computer. Regardless, because C20 did not request the particular Wi-Fi modem/router which was in the lab at the time of the intrusion, the wireless features were never utilized and presently there are no wireless devices in FBI space. Page 8 of 106 UNCLASSIFIED//FOOD EFTA00173380 UNCLASSIFIED//FOLIO 01/26/2024 New York, NY Observation 2: NY was connecting overtly and covertly purchased IT on the IS. Clarification of Facts: Axiom, Cellebrite and GrayKey are LE tools purchased by CACHTU and used by DExT examiners in the Field. CACHTU advised the field to utilize UCO funds to make purchases of new equipment to support the tools. Observation 3: NY was storing DE overnight in an unapproved storage facility. Clarification of Facts: The previous practice utilized by was to image the Original Digital Evidence on the Network Attached Storage, place such in Evidence Control, and then copy the Original Imaged Evidence, creating a Master Working Copy. During specific times in 2020, created a copy of specific files/documents from the Master Working Copy and brought these limited working copy items home via his work laptop to perform work related tasks. The copies he took home to work on were copies of copies and were limited to specific files from the larger forensic images. The files/documents were not Page 9 of 106 UNCLASSIFIED//FOLIO EFTA00173381 UNCLASSIFIED//FOUO 01/26/2024 New York, NY contraband, classified material, CSAM, or sensitive material. Further, in 2020, FBI Management was authorizing and encouraging employees to work from home to limit the spread of COVID 19 in the office. did not store any files at his house. Once he completed his analysis he brought the electronic files/documents back to the office and appropriately disposed of same. Observation 4: NY did not appropriately image DE. Clarification of Facts: This is an issue C-20 has raised for years with HQ and has routinely asked for hard drives in order to comply with the policy, but has been denied and C-20 was advised they would have to pay for the drives. At the same time, HQ would not supply C-20 with the funds in order to purchase those same hard drives. Additionally, C-20 takes issue with the outdated process of creating derivative evidence onto an additional hard drive. As the volume of data that is being collected has increased exponentially over time, the amount and cost of using hard drives is impractical and costly. C-20 suggests the use of Page 10 of 106 UNCLASSIFIED//FOUO EFTA00173382 UNCLASSIFIED//FOUO 13) 01/26/2024 New York, NY servers or cloud storage as a means to store derivative copies of evidence, which can be reused at the conclusion of an investigation and when the evidence (and derivative evidence) is destroyed. Observation 5: NY did not appropriately verify analyzed images of acquired DE. Clarification of Facts: NY in fact did appropriately verify analyzed imaged of acquired DE by generating an FD-302 which documented in the substantive case file as well as at 305A-HQ-1654544- DEXT to account for the work performed. Any issues or discrepancies would be documented in the FD-302. A hash verification log was also generated and stored with the DE on the Network Attached Storage, which could be accessed at any time. Going forward, the hash value verification log will be attached to the FD-302 to ensure compliance with policy. Observation 6: NY was not appropriately documenting and storing ELSUR records in relation to undercover communications. Clarification of Facts: NY appropriately places OCE/UCE communications in Subfile G of the UCO, which Page 11 of 106 UNCLASSIFIED//FOUO EFTA00173383 UNCLASSIFIED//FOUO 01/26/2024 New York, NY is where CACHTU policy mandates these communications be placed. Observation 7: NY did not document meetings between UCE/OCE and SSA every 90 days and the SAC/ASAC every six months. Clarification of Facts: While the SSA and ASAC met with the OCE/UCE's connected to the UCO on a regular basis, primarily in the squad area and via the file review and CUROC process, NY will draft ECs documenting same in accordance with policy going forward. Observation 8: NY did not utilize covert methods to procure covertly purchased goods. Clarification of Facts: The items which were purchased are Law Enforcement only. NY was provided funding from HQ via the UCO to make this purchase with the understanding that it's a restricted purchase. Going forward, NY will ensure if a purchase needs to be made overtly, covert funding will be converted to overt funding by an approved FBI purchaser. Page 12 of 106 UNCLASSIFIED//FOUO EFTA00173384 UNCLASSIFIED//FOOO 01/26/2024 New York, NY Observation 9: NY was not documenting financial records relating to IMO activity to the appropriate CE subfile. Clarification of Facts: NY submits a monthly BlueSlip that contains all of the financial documentation for the prior month's financial activity. The same information that is required to be submitted to the CE subfile is contained in the BlueSlip. NY changed the individual who performs the accounting over time on a field office level and, while the information was recorded, it was not put into the CE subfile. Observation 10: NY did not properly report a security incident within SIRS. Clarification of Facts: The incident occurred during the night of Sunday, February 12, 2023. In the morning of Monday, 2/13/23, noticed his Talino was not operating correctly and began trouble shooting with the company and HQ. Upon determining a potential intrusion may have occurred, notified and CACHTU on 2/13/23. Following notification, notified Page 13 of 106 UNCLASSIFIED//FOUO EFTA00173385 UNCLASSIFIED//F0130 01/26/2024 New York, NY on 2/13/23. During the week of 2/13/23, there were numerous meetings between NY EM, NY Cyber and NY CIO, among others, in coordination with HQ. When there was an understanding of what occurred, III submitted a security incident report within SIRS on 2/17/23. Observation 11: NY did not implement encryption on devices or data on the IS. Clarification of Facts: There are broad contradicting policies as it relates to UCO IS. NY requested assistance in the development and testing the IS over the several years and was met with no response from OTD, CART, OCIO, and other HQ level entities. Going forward, recommendations from OCIO, OTD, etc., are being implemented. Observation 13: Policy regarding the requirements for patching, ATO, use of an ISSO, security monitoring, remote access, account management, maintenance or IT hardware, use of mobile devices, and approval for custom HATA solutions to include operational security, cost efficiency, SOPs, technical architecture, accounts and access, system access Page 14 of 106 UNCLASSIFIED//FOUO EFTA00173386 UNCLASSIFIED//FOUO 01/26/2024 New York, NY records, acquisition planning, user account guidelines, compliance with 0655PG, and training for covert ISs is insufficient. Clarification of Facts: NY has one ISSO, hired in mid-January 2023. NYO's ISSO is responsible for multiples sites. It is not feasible for one ISSO to effectively monitor and maintain IS's within the NYO. Industry standards recommend multiple individuals in different roles with qualifying credentials to ensure the integrity of IS's. Observation 15: NY stored CSAM from multiple investigations in an effort to identify victims across multiple cases. Clarification of Facts: As NCMEC only maintains the "MD5s" or "hash values" of the CSAM, not the actual media itself, NY stored CSAM on the IS for facial recognition and "photo DNA." PG 1157PG requires a CVIP comparison for CSAM which is facilitated through NCMEC and does not prohibit the creation of use of independent ISs to store and compare CSAM across multiple cases and field offices, noted in Page 15 of 106 ONCLASSIFIED//FOU0 EFTA00173387 UNCLASSIFIED//FOUO 01/26/2024 New York, NY draft INSD Report page 7. This should not be prohibited as it is not available through NCMEC/CVIP. Observation 16: NY did not follow minimal and commonly accepted industry wide security practices for the IS. Clarification of Facts: As there are numerous conflicting policies and constantly changing guidance regarding the IS, as it falls under a covert network, NY did not willfully violate policies or accepted industry wide security practices and welcomed any and all assistance from other field offices and HQ sections. Guidance and funding of recommended training, internal and external, should be provided by HQ to provide consistency of enterprise wide IS standards. Properly ensuring IS's are developed, maintained and monitored requires hiring and retaining qualified personnel such as ISSO's and ITS Network Specialist/Architectures. Special Agents and non-ITS Professional Staff are not technically trained and not equipped to act as a System Administrators Page 16 of 106 UNCLASSIFIED//FOUO EFTA00173388 UNCLASSIFIED//FOU0 01/26/2024 New York, NY NYO has one ISSO with responsibilities spanning NYO's Headquarter City and all Resident Agencies. The ISSO was hired and on-boarded in NYO mid-January 2023. NYO Security does not currently have ITS Network Specialist/Architectures. NYO Security would require a minimum of four ISSO's and five ITS Network Specialist/Architectures to ensure all IS's within NYO have a System Administrator and all IS's are securely developed, maintained and monitored. NIST and other industry standard best practices require designated personnel outside of the operating unit to act in these roles. Separation of duties is required to retain the integrity of the IS's. NY's Responses to the Inspection Report's Findings Instruction 1: ADIC NY shall ensure all unauthorized devices allowing Internet access through wireless connectivity are removed from FBI secured space or disabled. Response All non-approved wireless devices in FBI space are disconnected. Devices approved by division(:F1 1:? Page 17 of 106 UNCLASSIFIED//FOLIO EFTA00173389 UNCLASSIFIED//F000 01/26/2024 New York, NY head and the AD of SecD will remain operational only during mission critical needs at this time. Communication regarding the prohibited use of wireless devices within FBI space has and will continue to be disseminated on a regular basis. Signage is in place referencing policies prohibiting the use of wireless devices in FBI space. For example, signs are posted in each elevator bank of 26 Federal Plaza. All owners of overt and covert portable electronic devices (PED's) are required to register devices with NYO's Security unit whereupon the user accepts the terms of use for said devices. The terms of use include but are not limited to the prohibited use of wireless connectivity to include radio frequency connections such as Wi-Fi and cellular based Mi-Fi within FBI space. NYO's Security unit has engaged with NYO's Technically Trained Agents to begin routine sweeps within NYO's space to identify active RF's. If RF devices are identified without a waiver authorizing Page 18 of 106 UNCLASSIFIED//FOU0 EFTA00173390 UNCLASSIFIED//FOUO 01/26/2024 New York, NY use by NYO's Division Head and the AD of SecD, the device will be disabled and/or removed from FBI space. Instruction 2: ADIC NY will ensure overtly and covertly purchased IT is not used on the same IS. Response: While this is a HQ driven process, as CACHTU purchases Axiom, Cellebrite and GrayKey directly from the vendor on behalf of the Field Office and provides these tools to the Field, NY is in contact with CID to ensure IT meets this requirement, or a waiver is granted. Instruction 3: ADIC NY will ensure evidence is stored in a safe, secure, and approved manner. Response: II =Ilk refutes the assertion he took home and stored DE at his house. NY will ensure that appropriate policies related to storage of evidence are followed. Instruction 4: ADIC NY will ensure compliance to applicable policy when creating and maintaining derivative DE. Response: NY has consulted with CART and consistent with CART SOP and PG, the underlining Page 19 of 106 UNCLASSIFIED//FOLIO EFTA00173391 UNCLASSIFIED//Fou0 01/26/2024 New York, NY electronic device, as well as the Master Copy, will be entered into evidence as a 1B. A further additional copy will be made as a working copy on which the actual forensic work will be performed. NY will engage with CACHTU to obtain the appropriate funding required to obtain the required portable electronic storage devices to house the increased numbers of copies. Further, NY is working with NY Evidence and the Laboratory Division's Field Evidence Program to obtain authorization for standalone storage devices to be classified as an appropriate Evidence Control Room to house Derivative Evidence. The standalone storage device would contain the same Derivative Evidence which would otherwise be copied onto hard drives and physically checked into evidence. The storage device would be secured with sufficient user credentials and maintain access logs. The Derivative Evidence would still require an evidence submission to generate 'Bs for the Derivative Evidence. At the conclusion of the case, this Derivative Evidence can be deleted and the space made available for new Derivative Evidence to be stored, rather than continuously purchase new hard drives only to have them destroyed at the conclusion of an investigation. Page 20 of 106 UNCLASSIFIED//FOLIO Cl EFTA00173392 UNCLASSIFIED//FOUO 01/26/2024 New York, NY Recommendation 5: ADIC NY will ensure compliance to applicable policy when creating and maintaining derivative DE. Response: NY performs post examination reviews and documents them via an FD-302. A hash verification log is also created. Instruction 6: ADIC NY will ensure compliance with requirements to document ELSUR records in accordance with applicable policy. Response: NY ELSUR stated any communications that occur via a covert platform (i.e an OCE/UCE cellular phone) is not ELSUR evidence. Instruction 7: ADIC NY will ensure compliance with requirements to document meetings between undercover personnel and the appropriate SAC/ASAC and SSA. Response: NY will document meetings held with the SSA/OCE and SAC or ASAC/OCE and place in the appropriate subfile of the UCO via an EC. Page 21 of 106 UNCLASSIFIED//FOUO a EFTA00173393 UNCLASSIFIED//FOU0 01/26/2024 New York, NY Instruction 8: ADIC NY will ensure compliance with requirements to employ covert methods to obtain goods when using confidential funding. Response: NY will ensure compliance with requirements for making covert purchases. NY Security has implemented approval processes for the purchase of IT equipment. A review of the equipment and purchase method will be conducted and approved appropriately. NY CSO is now a member of the UCO local review board to ensure all policy is adhered to when purchasing, implementing and utilizing overt/covert electronic devices and IS technology. Instruction 9: ADIC NY will ensure compliance with requirements to maintain and document financial records related to UCO activity. Response: NY will ensure that all financial documentation will be placed in the CE subfile. Instruction 10: ADIC NY shall ensure compliance with security incident reporting requirements to report security incidents within SIRS. Page 22 of 106 UNCLASSIFIED//FOUO EFTA00173394 DNCLASSIFIED//FOU0 01/26/2024 New York, NY Response: NY will work with the NY CSO to ensure all security incidents are reported within the prescribed time frame per policy. Instruction 11: ADIC NY shall ensure compliance with encryption requirement for the IS. Response: While this does not apply to the UCO, NY will ensure compliance with encryption policy as applicable. NY0 Security has engaged with OLIO to develop secure network protocols based on industry standards such as NIST to include encryption at rest and encryption in transit. Recommendation 15a: ADIC NY should no longer maintain a set of CSAM for independent analysis outside of the CV/P approved hash based searching tools. Response: NY fulfills its requirements to submit images of CSAM to NCMEC via the CVIP. After the final INSD report came out, I was advised that eceived a call from IIIIIIIIIIlla 111. 1 who were accusing me of making statements to the effect of having no regard for following policy. This is of course Page 23 of 106 UNCLASSIFIED/MOOD EFTA00173395 UNCLASSIFIED//F000 categorically false and thankfully much, especially when neither AD could or would provide any details regarding the allegations such as who heard it, where it 01/26/2024 New York, NY believed as was documented, or why it was only then being addressed. However, in response, I submitted the following: "Bosses, Regarding the assertion that I made a statement indicating I would violate policy for the sake of an operation is a utter non-sense. Furthermore it is a gross miss- interpretation of the conversation that was had and quite frankly an insult to my character and integrity. Aside from lacking context, the choice of words used is blatantly misleading. I'm happy to provide as much context as needed, but in short I have never, and would never, jeopardize any investigation (or my career) by intentionally violating policy. What I have done, and would do, is anything to save the life of a child. What I said that has been misconstrued, was that I would do anything to save the life of a child, and that if I were to ever violate policy or the law, it would ONLY be because there was an imminent (taj threat to life in which a clear and articulable except would apply. Page 24 of 106 UNCLASSIFIED//FOU0 EFTA00173396 UNCLASSIFIED//FOUO 01/26/2024 New York, NY I stand by that statement and take great pride in my knowledge of both the law and policy as it pertains to our investigations and operations. If requested, I can provide several examples of having to act under the emergency exception clause, which have all been justified. If requested, I can also provide examples of times in which I didn't, even though doing so would have been easier for the "operation". I could write a novel defending myself, my words, and my intentions; and will if requested. For now I'm relying on my 15 years as an Agent with outstanding PARs, numerous awards and accolades, my contributions to policy revisions, and my reputation to satisfy any concern that may exist." I believe Digital Extraction Technician (DExT) training was opened to VCAC Agents in 2012. Int was my instructor for DExT. As of 2023, I knew Ledford was a Unit Chief (UC) and led the Cyber Action Team (CAT). I believe at least three or four of us initially received DExT training in approximately 2012, but I think all of us working Innocent Images/VCAC on the squad were eventually trained. However, once the child exploitation program moved from the Cyber Division to the Criminal Division, that changed. The funding we received through the Criminal Division was significantly less than what we received through Cyber Division, so the DExT program was no Page 25 of 106 UNCLASSIFIED/At/OO EFTA00173397 UNCLASSIFIED//FOUO ( i ) longer able to put on as many classes and certify as many people as it had before. By the time of the intrusion that forms the basis of this internal inquiry, only about half of the "child exploitation" Agents on my squad were DExT certified. This is while we were still with CY-3. We got certified because the Computer Analysis Response Team (CART) was long overburdened, and not familiar with the nuances of the child exploitation violation, such as the types of programs used by offenders, the vernaculars, etc. It was also known, and something I witnessed personally, that due to the reliance on CART and how long it would take for them to prepare a case for review, "hands-on" offenders were not being arrested in a timely manner. This resulted in the continuation of child victimization at the hands of the offenders the FBI was actively investigating. This was around the same time Agents working other violations began to also see an increase in the collection and reliance upon digital evidence in their cases. As DExTs, we were encouraged, and in some cases I believe required, to assist CART with their backlog by conducting DExT extractions for other squads. The other reason was to eliminate the lag time in searching evidence and identifying contact offenders (offenders who physically exploited or physically assaulted children) sooner. VCAC investigations are different than most other FBI investigations since, in VCAC investigations, a search warrant is generally executed in the early stages of an investigation, 01/26/2024 New York, NY Page 26 of 106 UNCLASSIFIED//FOUO EFTA00173398 UNCLASSIFIED//POU0 01/26/2024 New York, NY and the evidence needed to arrest and charge an offender is usually derived from the materials seized during the execution of a search warrant. Whereas other squads, generally speaking, execute search warrants at the culmination of their investigations. was a UC of the Crimes Against Children Human Trafficking Unit (CACHTU) at FBI HQ and eventually an ASAC at NYFO. He was a huge proponent of DExT. Being DExT trained allowed us to conduct our own data extractions faster, but more importantly, it allowed for a faster and more efficient way of identifying "contact", or "hands-on", offenders and, thus, rescue child victims of sexual abuse before they could be further victimized. After becoming DExT certified, we received DExT equipment that allowed us to image, process, and better review the digital files. The DExT training allowed us to better use FBI analytical programs to review digital evidence. Being DExT certified allowed us to assist CART by offering an alternative for other squads to use for data extractions. At the time, CART was not located in NYFO Headquarters City (HQC). CART was located in Moonachie, New Jersey. It could take an hour to get to the CART lab from the NYFO. CART evidence reviews needed to take place there and it could take all day. CART eventually moved to NYFO, HQC. The volume of data extractions we took on lessened the burden on CART. At least in New York, CART only had one or two Page 27 of 106 UNCLASSIFIED//FOUO EFTA00173399 ONCLASSIF/ED//FOU0 01/26/2024 New York, NY examiners who could handle data extractions immediately, and almost certainly none who could respond after hours or on weekends. Since we dealt with child victims, it was, and is, imperative that the digital evidence be processed immediately. In nearly every child exploitation investigation the digital evidence is quite literally the evidence to prove the crime and without a prompt review, there is no probable cause to effect an arrest, putting the lives of child victims in continued danger. It is that very risk, the risk of continued abuse, that has prompted the FBI to enact new policies requiring expeditious investigation into allegations of child exploitation. This includes the expeditious review of evidence. Prior to the DExT training, triaging electronic media on the site of a search warrant was not really a practice. We had to take digital evidence back to the office to view it and we relied more on the post-search interview. After a search, we had to go back and arrest an offender once we found the evidence. This made for a significantly more dangerous arrest because the offenders knew we were coming. There was also the potential for offender suicide. We had three offender suicides that I can recall. There was also concern, based on it having actually happened, that during the time it took the FBI to review seized material, the offenders were continuing to engage in the sexual exploitation of minors. The DExT program sought to remedy thi problem by expediting the time it took to conduct forensic (SC/) Page 28 of 106 UNCIASSIFIED//FOU0 EFTA00173400 UNCLASSIFIED//FOUO CE :) reviews, thereby expediting our ability to rescue affected children. NYF0 SAs / / , and I were DExT trained. SA (aka III) was also DExT trained. was the last to be trained while our squad fell under Cyber Division. At the time, I was the most junior Agent on the squad. Before being DExT trained, all of our digital evidence was submitted to CART for data extractions, imaging, and processing. We did have access to the Case Agent Investigative Review (CAIR) system, a forensic tool for data review, but the program was slow, not capable of handling large evidence reviews, did not work all that well, and did not do what we in the child exploitation program needed it to do. As a result, rather than using CAIR, Agents on the squad opted to travel to Moonachie, New Jersey, where CART was located, to conduct their reviews on site versus over the CAIR network. The ineffectiveness of CAIR was no secret and was widely known, and one of the reasons for the creation of the autonomous DExT labs. After collecting digital evidence, I would enter the digital evidence into the Evidence Control Unit (ECU) and get a 1B evidence number assigned. I would then enter a CART request with a description of what forensic examinations I needed to be performed and information on the device that needed to be extracted. Then I would submit it to CART. It could take a day or two to get the evidence to CART and the amount of time it 01/26/2024 New York, NY Page 29 of 106 UNCLASSIFIED//FOUO EFTA00173401 UNCLASSIPIED//FOU0 (!:/) ould take CART to process the evidence varied. It could take weeks or months. Once it was extracted, CART would process it in the Forensic Tool Kit (FTK). We could review the data on CAIR or go to Moonachie to review it. Everyone on the squad, for the most part, chose to go to Moonachie. CART Digital Forensic Examiners Stephen Flatley and Carlos Koo eventually set up a spot in NYFO, HQC to do data extractions. Even after receiving DExT training, we used CART for things like very large media dumps/extractions and encrypted files. We also used them to help us with understanding what some of the digital evidence was. I believe CART may have provided us digital copies of the data extraction and I think it may have been on DVDs. They would have been accessible on Operational Wide Area Network (OPWAN) as well, but we did not have OPWAN and would have to go to CART to access that anyway. I do not recall what we did with the copies on DVD. CART may have checked them into evidence and provided a working copy. The DExT trained Agents would do data dumps on everything we could like hard drives, loose media, and thumb drives. At this time, telephones that were seized still needed to go to CART for processing. In 2015, generally if it was a device we could image, we would follow this process. We would use write blockers to assure we did not accidentally manipulate the original data. We would create an image of our evidence; sometimes we would use another hard drive. We imaged and processed the data. We had some hard drives, but I am not sure where they came from. I believe HQ 01/26/2024 New York, NY Page 30 of 106 UNCLASSIFIED/MONO EFTA00173402 UNCLASSIFIED//FOOD D ent us a box of hard drives. I also believe CART may have given us some as well. We used a forensic duplicator called a TD3, and later a TX- 1 as well as FTK Imager, to image a device onto a hard drive and make the derivative evidence. We would then make a working copy image off of the derivative evidence. We would then work off of the working copy. I am 'pretty sure the derivative evidence was cataloged and placed in the NYFO ECU if that was the policy, but if that was not the policy we would not have done that. The DExT Program provided us with Redundant Array of Independent Disks (RAIDs). These RAIDs were to be used to house our working copy evidence images. I initially advised the interviewing SSAs, once we ran out of hard drives for derivative evidence, we were instructed to use the RAIDs and that these instructions came from either a squad mate or my supervisor. This is true, as it was the SSA and the case Agent for our squad's Group II whose responsibility it was to request and receive funding and equipment. Any requests that we needed were routed through them, and the Group II case Agent was also one of our DExT Agents who also faced the same issues of not having the hard drives to create derivative evidence. However, I also recall these instructions were provided by HQ, either our Program Manager (PM), the DExT PM, or both. This may have occurred in 2012 when I went through the DExT program and continued over the years. As there has been a revolving door of PMs, I do not recall the names of the people I 01/26/2024 New York, NY Page 31 of 106 UNCLASSIFIED//FOUO EFTA00173403 UNCLASSIFIED//FOLIO g spoke with at the time but can provide as many names of PMs who I can recall had been there over the years. Typically, the person running a Group I or Group II Undercover Operation (UCO) investigation and the squad SSA would be the people who communicated with HQ for resources. As an example, I recall in 2015, I sent an email to SA Tommy Thompson, who was the case agent of our squad's Group II, asking for some large capacity hard drives with our remaining Group II funds. This was one of many requests I made, which were generally verbal, for equipment/resources. At the time we were still merged with Cyber. When we moved to the Criminal Division, our funds were nearly wiped out. Sometime thereafter, III' 'I'll left NYFO and became a DExT PM at FBI HQ. She would often complain about a lack of funding. When we first became DExT trained, it was much easier to comply with the policy since the size of the data was significantly smaller than it is today. For example, telephone dumps then often fit on a DVD, or worst case a Blu-ray DVD. Today, DVDs are nearly obsolete as the size of data collections has become enormous, requiring large capacity hard drives which are more expensive and harder to get. To be 100% compliant with the existing policy each year, it would likely require C-20 alone to purchase over a hundred hard drives, and this is just one squad in one office. To ensure that everyone in the FBI is compliant each year, the FBI would likely 01/26/2024 New York, NY have to purchase thousands of hard drives, then do this year Page 32 of 106 UNCLASSIFIED//FOUO EFTA00173404 UNCLASSIFIED//FOOO after year. But the FBI does not do this and the policy it 9) created to cover search warrants decades ago has not changed, despite the fact the environment the policy applies to has. This is one of the several fundamental flaws that I have and continue to voice. If creating derivative evidence is a requirement, then why does the FBI not automatically provide the hard drives? How can the FBI enforce a policy without providing the field with the ability to comply? If, in nearly every search warrant executed FBI-wide electronic media is seized, resulting in the need for derivative evidence hard drives, why is it then incumbent upon each individual squad, in each office, under each program and division, to figure out a way to obtain the funding to purchase them? If the FBI knows hard drives cannot easily be purchased in bulk, and that there are security requirements on where the drives must be manufactured, why does the FBI not just purchase them for us rather than place that nearly impossible burden on us? In approximately 2017 I took over as case Agent for our squad's Group II. As the case Agent I was able to use Group II funds to make purchases, which were obligated to us through CACHTU. I was running out of hard drive space for derivative evidence and of storage space in general. The PMs told us buying hard drives in bulk was a problem. The stores had a capacity limit, but I was advised to try anyway but was not successful. I would purchase the drives on Amazon, like I was instructed to do Page 33 of 106 UNCLASSIFIED//FOUO 01/26/2024 New York, NY EFTA00173405 UNCLASSIFIED//FOUO (—/li y HQ, until my covert account was shut down by Amazon since the purchasing of large quantities of hard drives was flagged as suspicious. We were also purchasing hard drives from New Egg, like we were instructed to do by HQ, specifically SSA Heath Graves who was the DExT PM, because they could sell bulk (10 or more) hard drives, but I was later told by someone in the Procurement Unit we could not use New Egg. This left us with very few options for buying hard drives and despite voicing these issues, no one at HQ offered a solution. In speaking with other Agents across the FBI, I learned this was a common problem. I went to CART who gave us what hard drives they could spare. I specifically sought assistance from senior CART Technician Steven Flatley on a regular basis and aside from seeking his expertise, I constantly bothered him for hard drives and other needed items. In 2017 I began to gain a voice among many FBI Child Exploitation circles. I took over our squad's Group II UCO, and almost immediately converted it into a Group I. This conversion, which allows for the use of sensitive techniques, was done due to my desire to enhance our undercover capabilities and increase our effectiveness by using some of the most robust undercover techniques available at the time. While every undercover operation must be approved every six months in front of the Criminal Undercover Operations Review Committee (CUORC), because ours was now a Group I, it also had to be presented up through 15 CACHTU and approved by the AD. During the CUORC, I brought up 01/26/2024 New York, NY Page 34 of 106 UNCLASSIFIED//FO4O EFTA00173406 UNCLASSIFIED//FOLIO ( i )the funding issues. In the funding section we discussed what we spent and what we anticipated to spend. During my time as the case Agent for my squad's Group I, my squad's statistical accomplishments increased exponentially. The number of undercover sessions conducted by my squad increased by 198% in the four years after I took over the NYFO child exploitation program compared to the four years prior. This meant an increase of approximately 2000 undercover sessions in the same four-year span. More significantly, however, was how I tasked undercovers and provided direction to ensure the program worked to identify the most vulnerable of the exploited children; and set out to rescue them. The results cannot be overstated in that the lives of hundreds of children were saved. While I am personally responsible for saving the lives of hundreds, many hundreds, if not thousands more were saved because of how I managed and directed the child exploitation program. 01/26/2024 New York, NY In 2018 I did a five-week temporary duty assignment (TDY) at CACHTU. My former SSA, Sean Watson, was the UC there. My job was to call every VCAC Group I and Group II UCO Case Agent and ask questions about the issues they were having and to provide recommendations on how to better the program, how CACHTU could better assist the field, things that needed improvement, etc. I learned a lot about the issues affecting the entire child Page 35 of 106 UNCLASSIFIED//FOUO EFTA00173407 UNCLASSIFIED//FOUO @I) xploitation program and, while there were some differences in the issues facing some offices over others, there were a number of common issues that impacted every office. These issues largely dealt with lack of guidance, direction, training, equipment, DExT support, funding, and personnel. I drafted a summary of the calls I made and created a section for complaints from the field in reference to DExT and provided my assessment to CACHTU leadership. One of the many takeaways was that nearly every office had different understandings of and methods of complying with policy and guidance. The lack of and often conflicting guidance and policy both from CACHTU and from individual field office chains of command had led to each field office having to adapt their ways and creating a complete lack of consistency across the FBI. This summary was also provided to the interviewing Agents, and I can make it available to whomever needs it. This same assessment, as well as additional details were also provided to Bryan Vorndran, who was the Deputy Assistant Director (DAD) who covered child exploitation, as well as to my immediate supervisor and to the supervisors/PMs at CACHTU. This came as DAD Vorndran separately requested a working group of Subject Matter Experts (SMEs) to address the needs of the VCAC program. I explained to him how we had equipment, training, and guidance needs and provided my assessment both orally and in several documents. Page 36 of 106 UNCLASSIPIED//FOUO 01/26/2024 New York, NY EFTA00173408 UNCLASSIFIED//FOU0 01/26/2024 New York, NY Also in 2018, CACHTU PMs SSAs Michael Deizlak and Matthew Chicantek were presenting to EM on the issues facing child exploitation investigations. SSA Deizlak and SSA Chicantek requested information from me that they wanted to present. I emailed SSA Deizlak and SSA Chicantek, along with UC Sean Watson of CACHTU, the write-up I sent after my TDY as well as a separate, even more detailed summary of the issues. In this three-page summary I talked about the need to appropriate money for equipment, as well as details regarding issues affecting the program, including the DExT, guidance, support, and more. Others and I made it very clear to HQ that we did not have hard drives. Every now and then they would send us some and every now and then they would send funds, but nothing was consistent. I also informed my SSA of the need for hard drives. I was aware he knew we needed them and there were no funds. Other Agents were dealing with the same issues. It has been, and continues to be, the practice of VCAC Agents to create derivative copies of original evidence if derivative hard drives are available. However, given the long history of not receiving either the hard drives or the funds to purchase them, VCAC Agents have been left with no alternative but to store their derivative evidence on local storage. I would sometimes create a derivative copy of the evidence on the RAID tower, as well as a working copy. If the evidence was a large collection of different computer media, it was not practical to store two copies (a working copy and derivative copy) on the RAID tower Page 37 of 106 UNCLASSIFIED//FOUO EFTA00173409 UNCLASSIFIED//FOLIO ( illb and I would only create one. However, I very often created 01/26/2024 New York, NY derivative evidence copies onto either internal or external hard drives that were maintained in our lab, either as having been recycled, repurposed, or acquired. Since, as discussed, we did not have a surplus of hard drives nor did we often have the funds to purchase them, I used ones I was able to get or hard drives that had been repurposed. However, it often was the case where I maintained the derivative evidence of several investigations on a single hard drive. This was due to the scarce nature of the hard drives, and the fact that I did not want to waste the extra storage space that was free if a particular case only took up a portion of the hard drive. As resources were hard to come by, I maximized the resources I did have. These derivative evidence hard drives were separate and apart from the evidence copies maintained on our RAIDs or servers. I was not able to do this for every investigation, due to the limitations discussed, but when feasible it was done. This was my way of going out of my way to create derivative evidence as often as I I have located some of maintained in the C-20 could, despite not having the resources. these hard drives that are still lab, and photographs of them have been provided to the interviewing SSAs. When I was unable to create true derivative evidence to be checked into ECU or the derivative evidence considered the working copy of the evidence as the derivative copy. Regardless, all the described above, I on my RAID or server evidence copies had Page 38 of 106 UNCLASSIFIED//FOLIO EFTA00173410 IINCLASSIFIED//FO00 01/26/2024 New York, NY "hash-verification" logs to ensure the copy was a bit-for-bit image of the original. Additionally, the forensic programs we used were designed to prevent changes to the evidence, so there was never a possibility that the evidence copies could be altered. I have various correspondence with HQ advising there was a lack of funding. This not only affected us getting hard drives, but also various other things. Phung provided us with more RAID towers for storage and instructed us to use the storage to meet our needs. I do not recall her exact words, but I understood her directions to mean I could use the RAID towers for the creation of derivative and working copy evidence. I also learned funds were available, but not designated for the purchase of the hard drives. Money was either not there or was allocated to something else. I spoke with Heath Graves who was the DExT PM and then Jim Harrison who is the current DExT PM. In June 2023, I proposed an idea to SSA Seamus Clarke and ASAC Spencer Horn regarding how to address the issue of handling derivative evidence since the long-standing process of using external media to store derivative evidence was no longer practical. and liked my idea and encouraged me to reach out to the ECU to find a way to pitch the idea. I reached out to Supervisory Administrative Specialist (SAS) Arlene McKenna, who oversees the NYFO ECU. SAS McKenna also liked my idea and stated any changes in the evidence Page 39 of 106 IINCLASSIFIED//FOII0 EFTA00173411 UNCLASSIFIED//FOLIO 01/26/2024 New York, NY guidelines or policy would have to come from the Field Evidence Program (FEP) of the FBI's Laboratory Division (LD). SAS McKenna provided the name of the FEP's Supervisory Management and Program Analyst (MAPA), Adeline Joseph, and suggested I reach out to her. On 06/07/2023, I spoke with MAPA Joseph via FBINET Skype call. I discussed with MAPA Joseph the issue with the current process, which was feasible years ago when the size of electronic evidence was significantly smaller. In those days, derivative evidence was stored on DVDs and in extreme cases, a blue-ray DVD or thumb drive. However, in recent years the size of electronic evidence seizures has increased dramatically, requiring hard drives to be able to accommodate the data. I explained that while I personally have never had an issue obtaining DVDs, I could not say the same about hard drives. I explained that while the technical environment the ECU policy/guidance is based on has changed, the FBI's guidance/policy around it has not. This has created the very issue which is part of this inquiry; the frequent inability to abide by the guidance/policy. I stated that it has become increasingly difficult for the field to be in compliance with the existing guidance/policy since the field no longer has the resources to be compliant. I offered to help figure out another process for maintaining derivative evidence, as I believed it was a waste of money and resources to purchase expensive hard drives for 8 Page 40 of 106 UNCLASSIFIED//FOLIO EFTA00173412 UNCLASSIFIED//FOLIO ( R )derivative evidence, which will just be checked into evidence until the conclusion of an investigation, just to then be destroyed. I spoke with MAPA Joseph about creating reusable virtual derivative storage that was stand-alone. I suggested the virtual evidence locker could be a server, which could be controlled by the evidence units and that 1B numbers could still be used and assigned to the folders of the derivative evidence it stored and proposed the use of an electronic chain of custody process to document the access of the electronically stored derivative evidence. I further suggested that since the derivative evidence copies were maintained electronically, there would be no need to waste funds on hard drives that would just end up being destroyed anyway, and that at the conclusion of an investigation when the evidence is to be "destroyed", the media would be deleted, thereby freeing up space for new derivative evidence. MAPA Joseph liked the suggestion and stated she would discuss it with her team, specifically her UC whose name I cannot recall. My SSA and ASAC, and , were both aware of my idea and conversations and encouraged me to follow-up with MAPA Joseph, which I did via email on 06/27/2023. This email, which has since been provided to the interviewing SSAs, stated in part: 01/26/2024 New York, NY "Hey Adeline, A couple weeks ago we had a discussion about authorizing our lab to store DE on our servers, rather than Page 41 of 106 UNCLASSIFIED//FOUO EFTA00173413 UNCLASSIFIED//FOUO (2) the repeated, costly, and wasteful process purchasing tons hard drives to store DE. The server, which would be secure, contain access logs, and still require a 1B for the electronically stored DE, would take the place of the physical hard drives which would save money, time, and eliminate the need to waste tons and tons of hard drives. I was wondering what you thought and if there is anything we can do to get something like this going? Thanks so much! Aaron" MAPA Joseph responded on 06/30/2023 with the following: "Good Morning Aaron, Hope all is well. Apology for the delayed response. We are conducting in- person training this week for evidence tech's. For your awareness, we are working on wrapping up several projects for this fiscal year. I am adding the DE idea to our whiteboard to discuss this amongst the team to include all key stakeholders that would be involved. If you don't mind, I'll send you a calendar invite so that it's on my calendar to circle back with you to discuss what the team decided. Kind regards, Addy" Since receiving this email, I have not heard back again from MAPA Joseph or anyone in her chain of command regard' this issue. 5 ) .7' 01/26/2024 New York, NY Page 42 of 106 UNCLASSIFIED//FOUO EFTA00173414 UNCLASSIFIED//FOUO 01/26/2024 New York, NY have provided a recent example to the interviewing Agents. In this example, which took place in November 2023, after the intrusion and the initiation of this inquiry, C-20 requested funds for derivative evidence hard drives and were denied. After requesting $2,155.62 for derivative evidence hard drives, CACHTU responded to "Please utilize cart for a resource for this. We are under a CR and are very restrictive on what we can approve". C-20 then went to CART, as directed, who in turn stated they did not have any hard drives to spare and recommended C-20 request funds from CACHTU. This example further illustrates that even despite the intrusion and the negative attention we received regarding derivative evidence hard drives, the squad was again put in the position of being unable to comply with policy because the FBI would not provide the requisite hard drives or funding needed to be compliant. Sometime later C-20 would eventually receive some hard drives but were then advised by the NYFO ISSO their hard drives were out of policy and that they could not use them since the hard drives were not manufactured in the United States. This, again, put the squad in an impossible situation with no alternatives being offered. It was also quite ridiculous as it is likely that none of our computer equipment is manufactured in the United States. When interviewed by INSD, I originally stated I was not sure when the standard practice for C-20 members changed to not Page 43 of 106 UNCLASSIFIED//FOUO EFTA00173415 UNCLASSIFIED//FOUO (i!,) adding derivative copies to the ECU. This statement is inaccurate without context. The "change" that occurred was somewhat two-fold and started when the FBI moved VCAC from the Cyber Division to the Criminal Division and the funding we received was dramatically reduced. The other contributing factor was, as discussed earlier, the increase in the size of the electronic media seized during search warrants and the subsequent need for significantly larger and more expensive media to house the derivative evidence. This affected many things, including our ability to purchase hard drives. So, the "change" that led to our inability to regularly comply with the derivative evidence practice was out of our control. Despite that, I personally voiced this concern numerous times over the years, but it was not an issue many were willing to care about. Early on, when VCAC fell under the Cyber Division, we had regular access to these drives, but when the program was moved into the Criminal Division that changed. Despite repeated requests, as well as having alerted everyone within the chain of command, we were told to figure it out. We had been advised that if derivative hard drives were not available, to store the derivative evidence on our local storage, which is what we did. It may have been in 2016 or 2017 and possibly happened because we did not have hard drives. I believe we were initially getting some hard drives from DExT after completing the certification course. DExT slowly went to (2) no longer providing hard drives to new DExT certified Agents at 01/26/2024 New York, NY Page 44 of 106 UNCLASSIFIED//FOUO EFTA00173416 C t all. I do not know what they are teaching about digital evidence storage in DExT or how to get drives, but I know from other Agents who have attended the DExT training more recently that guidance has still been to seek funding from CACHTU, who again has been stating they do not have the funds. As a more recent example of the FBI's funding issues, on 11/06/2024, I had correspondences with the NYFO finance person Earle Long regarding a $25 bill from T-Mobile to pay for subpoena return. This was a subpoena sent a while ago as part of a child exploitation investigation and normally these are paid for automatically by the FBI. In this case, as you can see in the attached, it was not. According to the finance folks, the funds are not available to pay this $25 for a standard investigative subpoena. I as a case Agent now have to request funds be transferred from HQ on a case-by-case basis for this, the most basic of investigative activities, to happen. This is ridiculous, and underscores the fact that receiving funds for basic things, even those required by policy, does not always happen. I think this example is important to illustrate the issues with funding and paying for things that are required. In this case, it was a subpoena issued pursuant to the identification of a child predator. Until approximately February 2023, the NYFO did not have a designated ISSO. This is a required position, and I think it being left unfilled exacerbated many of the problems that are discussed herein. I have provided INSD with documentation from retired Special Agent UNCLASSIFIED//FOUO 01/26/2024 New York, NY Page 45 of 106 UNCLASSIFIED//FOUO EFTA00173417 ONCLASSIFIED//FOUO Ci;il in Charge (SAC) Nicholas Bouchears who created a timeline and report of his years-long request for an ISSO, which was a requirement that the FBI left unfilled in the NYFO until January or February 2023. The situation was in essence entrapment. We were required by policy to create derivative evidence, but we were not provided with the ability to comply. Despite repeated acknowledgements from FBI HQ about the conundrum, solutions were never provided. We were told to adapt and to figure things out, and we did. The result is that we got punished for it, which is quite insane. We should not be held accountable for a problem we could not fix and were not responsible for fixing, especially when we have brought this problem to the attention of all levels of our leadership time and time again to no avail. When derivative hard drives were not available, we did as we had been instructed by imaging the original evidence onto the RAID Storage or Network Attached Storage (NAS), and as previously discussed, I even went above and beyond given our limitations by creating derivative evidence copies of multiple cases onto larger internal hard drives so I could ensure I was doing everything within my power to comply with the policy. At times I would create a second copy. If I made a second copy, I would use one as the main copy and the other was the working copy. If I did one copy, that one would be used as the working copy. At times I would make multiple working copies. 01/26/2024 New York, NY Page 46 of 106 UNCLASSIFIED//FOOD EFTA00173418 UNCLASSIFIED//FOU0 $5 According to INSD, I advised I had not been making derivative copies of digital evidence and that I now believe I personally made derivative copies and did whenever I was afforded with the requisite hard drives. This is incorrect. From the beginning I have never wavered and have always been adamant that I had been making derivative evidence copies whenever possible. As I have also stated, this was an FBI-wide issue that affected many Agents, including many in supervisory positions. The issue is not that derivative evidence copies were not always created, the issue is why the field was not always provided with the ability to create derivative evidence copies. The issue regarding derivative evidence that I and others faced was well known to our supervisors and specifically to our substantive desk at HQ. The question for us in the field was what do we do? Do we stop investigating our cases because we do not have a sufficient process for creating and storing derivative evidence? Of course not. Just because I, and others, did not always receive the drives did not mean our VCAC investigations ceased. Of course, we had to adapt and overcome and felt that while we may not have been able to create derivative copies for all the evidence, the reasons for that were well documented and out of our control. Had we, or I, decided not to work cases due to the lack of derivative evidence hard drives or funding for them, we would have been punished for that as well. Aside from neglecting work being itself an 1 01/26/2024 New York, NY Page 47 of 106 UNCLASSIFIND//FOU0 EFTA00173419 UNCLASSIFIED//FOLIO 01/26/2024 New York, NY —.) offense, there are other policies governing the child exploitation program that explicitly require child exploitation Agents to expeditiously conduct their investigations. It is like being stuck between a rock and a hard place, and I, and others, were told by FBI leadership over the years to make do, as long as the cases were being properly investigated, and that is what we did. At no point in time have I ever improperly stored digital evidence at my residence. After the intrusion when the FBI's INSD conducted their interviews, I had been asked about "evidence" and reviewing materials from home. I acknowledged that I, like everyone else, had done some work from home. However, the "evidence" being referred to has always been "working copies" and items that are absolutely covered under policy. At no time had I taken original or derivative evidence home. I believed that I had cleared up any misunderstanding or semantics over the word "evidence", because that word used without a descriptor is just a generic term for evidence. The word has types, like a classification to distinguish what the evidence is such as "original", "derivative", and "working copy". Then, there are caveats to the category of evidence such as "digital", "general", "drug", "valuable", etc. For example, when I review subpoena returns, I am reviewing "evidence", but CliP that does not mean the evidence is "original" or "derivative", and unless those subpoena returns are in paper form, they are Page 48 of 106 UNCLASSIFIED//FOUO EFTA00173420 UNCLASSIFIED//FOU0 01/26/2024 New York, NY categorized as "digital evidence". Nevertheless, I am authorized to review those from home. The same applies to chat messages derived from a device or having been included in a lead or Guardian. When discussing this with the Inspectors, I was clear that anything I reviewed outside appropriate facilities was working copies. At no point had I ever discussed with anyone that I have taken original and/or derivative evidence home or in any way in violation of policy. Any assertion to the contrary is categorically false. I have recently found a folder that I created on my FBINET computer called "to Take home for baby leave". This folder contained items I planned to take home to work on while still under the work-from-home guidance we received during the pandemic, which is also during the time my wife gave birth to our twin boys. The items in this folder are generally indicative of other files I had reviewed from home, none of which are original evidence, derivative evidence, or CSAM. Other examples that have also been provided to INSD include an email from CACHTU SSA Jordan Hadfield which was sent to all VCAC OCEs. The email was sent during the pandemic when OCEs were working from home and is requesting to know if OCEs were aware of a website contained in the email. SSA Hadfield instructed the Q.) OCEs to not use their "HOME COMPUTER" to access the link because it contained CSAM, however SSA Hadfield knew OCEs had their own Page 49 of 106 UNCLASSIFIED//FOLIO EFTA00173421 UNCLASSIFIED//FOUO 01/26/2024 6 New York, NY FBI-issued misattributed laptops and phones that they could access the link on from home. Another example is from my supervisor at the time, SSA Sean Watson, who stated in an email dated 03/25/2020: "I will be assigning Guardian lead(s) which can be worked from home or an alternate location. Reminder for 305 leads, do NOT use personal networks to vet out 305 leads. Use covert equipment with an aircard or covert cell phones." Throughout most of its existence the C-20 lab was Internet connected. However, and for clarification, the C-20 lab existed long before the DExT program and the misattributed Internet was connected to our squad's misattributed computers. At the time, Online Covert Employee (OCE) work was primarily conducted on computer-based Internet platforms whereas today, the majority of OCE work is on mobile-based platforms. Back then, we used misattributed FBI-issued desktop computers to conduct OCE sessions from the lab and adjusted our work hours accordingly. As offenders began using mobile-based applications, OCEs were required to do the same. With the use of mobile applications offenders were now online and chatting throughout the day, versus just when they were on their home computers. Thus, the expectation of OCEs changed to emulate that a l) of the offenders. I do not know exactly when we received FBI- issued misattributed cellular telephones, but when we did, we Page 50 of 106 UNCLASSIFIED//FOOD EFTA00173422 UNCLASSIFIED//FOU0 01/26/2024 New York, NY also received the authority to take them with us wherever we went if we were engaging with CSAM offenders. In fact, OCEs have long been encouraged to communicate with offenders at random hours of the days and on weekends, to send offenders benign photographs while on vacation, at events, etc.; all to better legitimize the OCEs and help to dispel any fear offenders may have that the OCEs are law enforcement. When we became DExT certified, our computers were not connected to the Internet except when we needed to update software, or some other Internet required task. As the years went on, the need for our DExT computers to be connected to the Internet grew. As discussed, HQ was aware of this and at times even promoted programs that required this. Additionally, two agents from C-20 and our SSA had all gone down to CACHTU to become SSAs and the UC respectively, and they were aware of this practice and need both from having worked on C-20 as well as from their positions at CACHTU. Lastly, as previously discussed, at the time of the intrusion our squad had been participating in a CACHTU pilot program, which included several other VCAC squads from across the FBI and required the computers to be connected to the Internet. Regardless, our lab has always been "stand-alone", meaning none of our computers were connected to any FBI systems. Additionally, our lab was "misattributed" and able to be used in covert capacities and to access websites that could contain Child Sexual Abuse Material (CSAM). Page 51 of 106 UNCLASSIFIED//FOU0 EFTA00173423 UNCLASSIFIED//FOOD 01/26/2024 New York, NY Initially, in approximately 2012, the C-20 lab was not connected to the Internet, but at the time we had little reason outside of software updates to be connected to the Internet. Several years later that changed as the advancement in our software and capabilities grew, requiring our computers to be Internet-connected. The only guidance or direction we received at the time was that our Internet-connected DExT computers not be connected to a FBI network, but that has changed and we have received mix-messages with some guidance telling us not to connect our machines to the Internet and other guidance telling us we can if we use misattributed Internet. Confusing the matter more has been the implementation of software and programs that require us to be connected to the Internet. When OTD was brought in to bring the C-20 lab back online after the intrusion, they promised FBI EM and the NYFO it had a sensible solution, however nine months later and thousands of dollars spent by OTD in equipment, their solution was abandoned. I have learned that there were differing opinions in OTD about what to do and how to do it, with the OTD executives promising outcomes that the OTD engineers knew to be unattainable. One OTD engineer in particular vented to me personally his frustrations that OTD management is promising things they knew they could not deliver on. Even FBI HQ implemented investigative steps that required DExT labs to be Internet-connected, such as the method that was used to transmit CSAM to the National Center for Missing and Page 52 of 106 UNCLASSIFIED//FOOD EFTA00173424 UNCLASSIFIED//FO17O e ) Exploited Children (NCMEC), whereas previously it had been to do so via a storage media. Later, the FBI created the "SIFTS" program which was an online portal for CSAM transmission. As an example, the FBI's guidance on using SIFTS has been provided to INSD which includes a section that DExT machines must be connected to the Internet to use SIFTS. In approximately 2022, CACHTU advised the field that the licensing method for one of our most used programs, "Axiom", was moving from dongle-based to cloud-based. CACHTU wanted to pilot the cloud-based method and elicited the assistance of five or six VCAC squads from across the FBI to do so, one of which was our squad. This pilot program, which began prior to our intrusion and continued well after, required the DExT computers to be connected to the Internet. It allowed us to check out a license when we needed to, but to do so, we needed to stay on the Internet to use it. There was some level of security provided by the switch box and some on the NAS itself. The computers, NAS and RAID tower storage that contained CSAM were then all connected to the Internet. We received guidance from CACHTU, specifically from the DExT PMs, to disable the antivirus to use the Axiom since the antivirus would flag the program. I believe this came from Tommy, Heath, and CART, and others. Squad C-20 did not know how to set up the Internet and the switch box. We reached out to Computer Scientists (CSs) and CART and received some help, and I have numerous emails that I can provide to support this if requested. I do not know Page 53 of 106 UNCLASSIFIED//FOOO 01/26/2024 New York, NY EFTA00173425 UNCLASSIFIED//FOLIO @ anything about networking and how to set up networks, nor did anyone on my squad. The CSs also did not know. I believe someone from the Operational Technology Division (OTD) told me to Google it and stated that since we were not using OTD's OPWAN, they would not help us. Ironically, we were also told we could not use OPWAN since the building our squad was in did not have an OPWAN connection, plus the size of our dataset would have been too much for OPWAN to handle. Networking is not a DExT function and is not in my skill set, so I did not even know what questions to ask. As I have stated numerous times, I am not, nor was anyone on my squad, a Systems Administrator. Despite the INSD having labeled us this in their post-intrusion report, we are not. We have never received any training or instruction on systems administration, and labeling us as such implies knowledge we did not possess. The off-the-shelf security that was in place was what we were using. I and the squad asked everyone we could think of for - CART, the CSs, OTD, the Office of the OCIO, Management help 01/26/2024 New York, NY Information Systems (MIS), etc. - however, all were of no help. CS Jim Walsh helped us set up some of the equipment. Christian Idsola from CART also helped, as did another CART employee whose name I cannot recall. I also asked SSA Francisco Atrusa, the supervisor of the NYFO CART squad, for assistance. SSA Artusa responded back, asking Anthony Broderick, the CART networking and actual systems administrator, for help. Broderick responded that I should read the user manuals and that he did Page 54 of 106 UNCLASSIFIED//FOU0 EFTA00173426 UNCLASSIFIED//FOUO Cgnot have the "bandwidth" to support us. These communications, along with many others, occurred in writing via email and I have provided them to investigators. In our desperation to find someone with a networking/system administrator background to help us, we put out a Confidential Human Source (CHS) canvass for assistance with our network through our CHS Coordinator. This fact alone should highlight the lengths we went to in order to get our lab networked securely and correctly. The desperate act of issuing a CHS canvas for assistance should also convey the utter lack of assistance we received from within the FBI. We also reached out to OTD, Counterterrorism Division (CTD), and Cyber Division (CyD) for help, but none were able to. An Agent on a CT squad suggested that they had a Counterterrorism (CT) CHS who could come over and look at the network, however the CHS advised networking was not his/her specialty. The CHS was a former contractor for the FBI and had a Top Secret (TS) clearance and was not able to assist. Our request was simple - to network the few standalone computers in our lab. However, no responsible entity within the FBI would assist, so we had to reach out to friends and colleagues to help on their own. While their help was valuable, none of our volunteered help came from anyone who was a network or systems administrator, and the FBI's network or system administrators would not assist. The various networking and system administrative units in the FBI handle FBI networks, and 01/26/2024 New York, NY Page 55 of 106 UNCLASSIFIED//FOU0 EFTA00173427 UNCLASSIFIED//FOUO ®the few that handle covert/misattributed networks do not handle CSAM networks. Despite the irrelevance of the latter from a technical perspective, CSAM is off putting and no one wanted to assist and CACHTU did not know what to do. In fact, CACHTU was aware that networking CAC computers was an issue affecting so many other FBI Offices that PMs Stacie Kane, Brenden Roth and James Harrison encouraged us to find the solution so that it could be emulated across the other VCAC DExT labs. In fact, our lab, and the improvements we had been making on behalf of the VCAC program, contributed to several end-of-year "gold" ratings by CACHTU. As an example, in September 2022, SSA Brendan Roth, who was the PM for the Northeast region for CACHTU, requested that I assist the Albany Field Office VCAC squad who needed to enhance their program. FBI Albany was trying to figure out how to receive funds for their upgrades, and SSA Roth knew that I in the NYFO had been through this process and asked that I assist. After SSA Roth and I spoke over the phone, he sent an email to myself and SA Brian Seymore from the Albany Field Office stating in part the following: "Aaron Per our convo about Group I UCO funds for CSAM review stations - CC'ing Brian from Albany. 01/26/2024 New York, NY Maybe you guys can talk and answer questions he had about the process and questions you were asked about it from <44II> legal/procurement. Page 56 of 106 UNCLASSIFIED//FOUO EFTA00173428 UNCLASSIFIED//FOUO 01/26/2024 New York, NY N SSA Brendan Roth Criminal Investigative Division I Violent Crime Section Crimes Against Children and Human Trafficking Unit (CACHTU)" In 2017, our lab flooded after the temperatures in the lab got so hot they triggered the sprinkler system. This devastated our lab and ruined thousands of dollars' worth of DExT equipment. After this flood, some of the equipment was replaced by CACHTU and CART was able to salvage some of the equipment. We moved the C-20 lab to the 10th floor in December 2020. I received approval on 12/22/2020 to purchase switches, NASs, cables and hard drives. This equipment was purchased with $34,000 in CACHTU funding, which also supplied the Long Island Resident Agency (RA) with similar equipment. This was less of an upgrade and more of a replacement for the lost equipment, but it set into motion our upgrades. CACHTU PM Leslie Adamczyk was a former NYFO Agent and member of C-20 and knew about these issues. SSA Adamczyk similarly had her DExT computer connected to the Internet and similarly did not always create derivative evidence. During the COVID pandemic there were three of us from my squad who came to the office on a regular basis; myself, SA Matt Deragon, and SA Brian Gander. The guidance, however, was to work from home. The C-20 SSA at the time was Sean Watson. SSA Watson provided guidance to work from home, in addition to the guidance pushed by the FBI Director, our AD, and others in FBI management. This guidance included conducting limited forensics Page 57 of 106 UNCLASSIFIED//POUO EFTA00173429 UNCLASSIFIED//FOU0 Q. om home, and CACHTU pushed out to the field temporary AXIOM licenses for the sole purpose of conducting limited forensic reviews from home. This meant that literally the FBI was encouraging Agents to conduct forensic reviews, of evidence, from home. Ironically, however, I did not take advantage of this since the bulk of my forensic reviews meant reviewing CSAM. Due to this reason I came into the office almost daily to do CSAM reviews. This is a fact and can be corroborated by SAs Deragon and Gander, as well as by checking the building access logs which will show I used my access badge to enter the building and the frequency I accessed the building. Other work was done from home. I looked at subpoena returns and reviewed working copy material that did not include CSAM. Anything I took home was covered under policy and was covered under the guidance being disseminated. I have a Bureau-issued laptop computer that I utilized for these purposes. It is categorically false that I violated policy by taking home CSAM, original, or derivative evidence. I have numerous examples of guidance put out by the FBI, including from the Director, CACHTU, the NYFO ADIC, and my SSA about working from home. I have supplied some of these examples to INSD and can provide additional examples if requested. At the time, I was working on three cases primarily: Robert Hadden, Darnel Feagins, and Jacob Daskal. Only one of these cases, Feagins, was a CSAM investigation. The Feagins investigation was the reason for my having to come to the office 01/26/2024 New York, NY Page 58 of 106 UNCLASSIFIED//7000 EFTA00173430 UNCLASSIFIED//FOU0 during the pandemic, which eventually changed when, after indicting him, Feagins fled, turning the investigation into a fugitive matter. The Daskal and Hadden investigations were contact offense, or "hands-on" offense, cases that did not involve CSAM. To conduct the investigation for Hadden I was doing web- based interviews from home and writing FD-302s and subpoena returns which were all non-CSAM-related. For the Daskal case I completed a 68-page DExT review FD-302. I took metadata-related information. Some of it was exported from Daskal's computer, but none of it was CSAM; rather it was data to prove he and the victim of the investigation were together in various locations and certain dates and times. For the Darnel Feagins case I was splitting the work. I did not do CSAM-related work from home. I did not take any storage devices home that were original or derivative evidence. Any copies or data I took home would have been working copies. It would have been impossible for me to take derivative copies home in general. I was coming into the office every day to do my CSAM reviews. I do not believe I was doing any OCE work at the time since we were instructed not to. We were trying NOT to create a need for Agents to have to run out on warrants or to conduct Knock and Talks (KTs) due to COVID unless it was an emergency - BUT I and other OCEs would do OCE work from everywhere, including home, but all of that was covered under our Group I authority. 01/26/2024 New York, NY Page 59 of 106 UNCLASSIFIED//FOU0 EFTA00173431 UNCLASSIFIED//FOUO 01/26/2024 New York, NY According to INSD, during my original interview I advised that Agents believed they were authorized to conduct OCE work outside FBI space and that we now have Electronic Communication (EC) authority to conduct OCE work outside FBI space. This is a slight mischaracterization of my statement as to this day it is our belief that we always had authorization to conduct OCE work outside FBI space. The reference to now having an EC was in response to additional questioning by INSD and did not change the fact we had appropriate authorization prior to the EC. For one, how we functioned as OCEs, to include when and where we conducted OCE sessions, had been directed to us through FBI trainings, FBI HQ, and our supervisors. Second, the authority was written in our bi-annual Group I/Group II renewals, which are reviewed and approved by the entire chain of command and include the NYFO Chief Division Counsel (CDC) and the Office of General Counsel (OGC). Regarding anything I took home to work on, I have always been certain about what I knew I was authorized to take home and what I was not. As was authorized, I would take home removable storage devices like a hard drive or thumb drive that contained working-copy data and/or other material that would allow me to work from home. Some of my devices, including my FBI-issued OCE telephone and my FBI-issued and encrypted laptop, may have had CSAM on them, but as an OCE who was authorized to conduct OCE sessions from outside FBI space, which included my home and elsewhere, taking these devices home was covered by policy as Page 60 of 106 UNCLASSIFIED//POUO EFTA00173432 UNCLASSIFIED//FOUO these devices were used in authorized and capacities. The OCE (Q3 and UCE polices allow for these things since communicating as an OCE with VCAC offenders can require around-the-clock communication. There is absolutely zero truth to any notion that I violated any of these policies. I was quite literally doing my job, which as a VCAC OCE, meant taking my OCE laptop and telephone with me outside FBI space to communicate with CSAM offenders. The communications with these offenders and any CSAM I collected as a result, were maintained in accordance with policy and that is just a fact. As for any evidence review I did from home, all was done in accordance with policy and guidance. Any evidence I did take home was all authorized under policy - it was not original or derivative and was only working copies. As a matter of logistics, I would not have been able to take home original or derivative evidence as I do not have the technical equipment at home to review them on my laptop. Rather, in what I believe was in accordance with policy and guidance, I had copied select datasets from evidence sources onto a thumb drive or external hard drive as working copies, which I would review at home. The original device would have been checked into the NYFO ECU and a copy would have been on the C-20 lab server. The lab server had to be connected to the Internet to send CSAM to NCMEC. As mentioned previously, the official way to send CSAM to NCMEC is to use the SIFTS online portal. They will Page 61 of 106 UNCLASSIFIED//FOUO 01/26/2024 New York, NY EFTA00173433 UNCLASSIFIED//FOU0 i:),,X ccept hard drives, but it is not what they want, and NCMEC has been moving to eliminate the use of hard drives altogether. There are conflicting policies, and I brought this up while assisting in revising the policy. I am one of, if not the only, 01/26/2024 New York, NY Court-certified expert witness for the entire FBI for child exploitation.During COVID, the concept of remote working was becoming a thing. The idea came up during COVID to be able to do remote work since that is what the FBI The idea was continued by hearing from enforcement, including some within the versions of remote computing to access was beginning to promote. other members of law FBI, that they were their forensic labs away, such as on TDY or at a conference. The intention was using while not to work from home, per se, but rather to increase the efficiency of the forensic review process, as well as to assist the RAs and other FBI offices with their reviews, rather than having to use "Bu-mail" to send working-copy evidence back and forth or to require travel to another office to provide assistance. The steps of imaging and processing evidence before it is ready for review can sometimes take days. During this time there is little for the DExT Agent to do while the computer is doing its processing work. What little there is for the DExT Agent to do is often what separates one stage of this process from the next. So, if a stage is completed on a Saturday, it will not move to the next stage until the DExT Agent does the very needed to proceed, which may not happen until the Monday. This may then kick the process off to the few things following next stage, Page 62 of 106 UNCLASSIBIED//FOU0 EFTA00173434 UNCLASSIFIED//FOU0 tbut now the Agent may have to wait several hours or longer for the next step. In order to be more efficient and to allow this process to begin on a Friday, for example, and be ready for review on a Monday, I believed the idea of remote computing was a reasonable solution. Remote computing would have allowed for a the DExT Agent to remote in over a weekend to initiate the next stage of a process so that the process took advantage of the weekend to conduct the lengthy steps so that by Monday it was ready for review. The downloading process could take a while, but the steps between the process were three or four clicks. If I knew a hard drive was going to take a day or so to process, and the next process would also take a day or so, and it would not have been practical to go into the office just to click a button. Especially in a densely populated area like New York City during COVID. The idea was to be able to remote in to the server and tell the computer to move on to the next step of the process. The idea of using remote computing was reinforced a few years ago when I attended training provided by the International Association of Computer Investigative Specialists (IACIS) during which we went through basic computer forensics. I heard about law enforcement use of Microsoft Remote Desktop Protocol (RDP) there. I believe RDP was being used in the Bureau, but I am not sure for what purpose or on what devices. I spoke with several others in the FBI about RDP, including the DExT PM at the time, SSA Heath Graves, who mentioned he had either been using it or 01/26/2024 New York, NY Page 63 of 106 UNCLASSIPIED//POU0 EFTA00173435 UNCLASSIFIED//FOU0 01/26/2024 New York, NY oyed around with the idea. SSA Graves mentioned to me that setting it up and using it was fairly easy, and that all I needed to do was follow Microsoft's directions as they were pretty easy to follow. SSA Graves knew what my intentions were and thought it was a great idea to be able to remote in to cut the lag time of our processing. The first use of remote accessing software by the FBI that I recall was over ten years ago. Before then, OCEs using desktop computers to conduct their sessions had to be in the office; often having to work night shifts to chat with their offenders. I know that many OCEs used an application called Team Viewer that predates RDP to access their OCE desktop computers remotely from home. I recall Team Viewer was something that was pushed by HQ, however I never used it as an OCE. I also recall that when we were toying with using RDP I asked SSA Graves about Team Viewer and I remember him saying RDP was better and more secure. I do not remember if he said he had used it or not, but I do recall specifically that he suggested RDP over Team Viewer. I think this is important because remote access applications such as Team Viewer and RDP have been used by the FBI for years, have been known by, and even recommended by HQ. i thought the C-20 system was secure. I attempted to access the C-20 computer lab through RDP. I believed the lab's security prevented me from remoting in. I had no idea that in so doing I had opened the lab's RDP port and that it had worked. I could access the port from in the lab, but once outside the lab, I was Page 64 of 106 UNCLASSIFIED//FOUO EFTA00173436 UNCLASSIFIED//FOUO 8 .)1 nable to gain access to the network. I thought the security was 01/26/2024 New York, NY doing what it was supposed to. I was later advised that the RDP configuration was mostly correct and that I was a step or two away from having set it up successfully and securely. I was not trying to be lazy or silly, I wanted to be more efficient in the download process. Sometimes I would start a process on a Friday only to come in on Monday and see it crashed and needed to be restarted. RDP access would have allowed me to see the crash and restart the process remotely. I believe enabling remote access to the C-20 computer lab was a good initiative, but it was not executed properly. It was all about improving our abilities to protect children. I had asked for help, but I did not get it, but I did get encouragement. I was going off the guidance I received from the DExT PM and CACHTU supervisor, SSA Heath Graves, who advised me to follow the instructions off the Microsoft website. While I cannot recall verbatim what he said, I am positive it was in the realm of the Microsoft instructions regarding RDP to be "very good" and "easy to follow" or something to that affect. My heart and mind were in the right place, but I lacked the knowledge for networking and was not a system administrator. Yet I was tasked with setting up a network I did not know how to set up, and despite repeated requests for help, I was denied. I should not be held accountable for the FBI's systemic failure, especially when the FBI encouraged me and approved me to enhance our lab. I thought my attempt to remote into the C-20 lab did not work Page 65 of 106 UNCLASSIFIED//FOUO EFTA00173437 UNCLASSIFIED//FOUO ( 1 because the security settings were effective. I asked for help, even help with RDP, from nearly every unit in the FBI that had anything to do with networking, DExT, etc., including CACHTU and the DExT PMs. All I got in response was encouragement in what I was doing, but no form of technical assistance. The FBI cannot say it did not know what I was trying to do, because the FBI did know, and the FBI was suppurative of my efforts. I attempted to set the RDP up in either the Fall/Winter of 2022 or early 2023. The intrusion happened on Super Bowl Sunday of 2023, and I discovered it the very next day, on Monday. I provided the interviewing SSAs with an outline I drafted on 02/13/2024 of the intrusion situation which I read out loud. I signed the copy of the outline and provided it to the interviewing SSAs to add to my statement. The following is from my outline. This portion of my statement is written as it appears in the physical outline: 01/26/2024 New York, NY Seamus, below is a timeline of what transpired today, noting that we had no idea this was a potential hack until late this afternoon. Given the potential that someone accessed our lab to do this, and that the issue may have been with the way we setup our network, below is also a little insight to the many attempts we've made to get the FBIto assist in both physical security to the lab and to help with networking: Today's events (approx times) Page 66 of 106 UNCLASSIFIED//FOOO EFTA00173438 UNCLASSIFIED//F0170 (;) -7:30am - I arrived at the office and noticed my Talino computer 01/26/2024 New York, NY had restarted. -7:40am - I logged in to my Talino and a txt file popped up that said in part my network has been compromised and provided an email address to contact. This file was in the "startup" folder so when logging in it opened automatically. I ran my computer's anti-virus software, which was up to date and active, and it identified one potential threat which I attempted to remove. While this is not common, it is also not unusual given the data we recover from 305 subject devices. -I attempted to remove the potential threat, but my administrative privileges had been removed, and despite many attempts to gain access, I could not -8:30am - I reached out to Christian Idsola at CART for help, but he was going to be tied up for a couple of hours -9:00am, I reached out to Talino for help and they walked me through some steps, but nothing worked. They then advised me of a process to take to run antivirus software against my Talinos Operating System hard drive, which took some time but identified the likely source of the threat, which was attributed to a forensic program we use called Axiom. The threat was determinedq ) to possibly be a "booby-trap" left by a subject (who is a Page 67 of 106 UNCLASSIFIED//FOLIO EFTA00173439 UNCLASSIFIED//FOUO tiShacker) that was tripped when the Axiom forensic program ran across it. After this discussion it was believed that was the reason for the issues and we then began working on a solution, which seemed likely to fix my issue. 01/26/2024 New York, NY -Around this time I also noticed our main server was down, but I didn't think too much of it since we just added a new switch and tried to configure some ports to run at different settings to increase our bandwidth. I assumed at the time the lack of access was a result of incorrectly applying the settings to the "LAG" and "BOND" configurations of the switch. I was able to see that according to the switch, the server seemed to be connected just fine, so I spent some time troubleshooting it. -Around 11:00am or so I was finally on instant message chat with the makers of the server, Synology, who had us conduct some tests and they ultimately concluded