I, Aaron E. Spivack, having been duly sworn by Supervisory
Special Agent (SSA) Dannie W. Price, Jr., hereby make the
following statement to SSA Price and SSA Matthew A. Zavala on
01/26/2024 and SSA Price and SSA Claudia Dubravetz on
08/08/2024, whom I know to be SSAs of the Federal Bureau of
Investigation (FBI), assigned to the Inspection Division (INSD)
at the time of my statement. My attorney, Richard J. Roberson,
Jr., was present during my statement on both occasions, via
telephone. This statement took place over a two-day period. The
statement was initiated on 01/26/2024, and again on 08/08/2024,
after additional allegations were added:
I entered on duty (EOD) on 02/21/2006, as an Intelligence
Analyst (IA). I entered on duty on 10/08/2008, as a Special
Agent (SA), and I am currently assigned to the New York Field
Office (NYFO) in that capacity.
I understand that this is an internal investigation
regarding an allegation that Special Agent Aaron E. Spivack
improperly stored digital evidence at his residence in violation
of 1.6- Investigative Deficiency- Improper Handling of Property
in the Care, Custody, or Control of the Government. On
10/30/2023 the following expanded allegations were added:
Special Agent Aaron E. Spivack improperly handled, documented,
and stored digital evidence and failed to secure CSAM within
policy, resulting in a cyber intrusion in violation of 1.6-
Investigative Deficiency- Improper Handling of Property in the
Care, Custody, or Control of the Government and 5.17- Security
Violation- Failure to Secure Sensitive Equipment/Materials. On
EFTA00173481
02/07/2024 the following expanded allegations were added:
Special Agent Aaron E. Spivack exceeded the limits of his
authority by contracting an outside company to develop computer
software on behalf of the FBI in violation of 2.8 Misuse of
Position and 5.23 Violation of Miscellaneous Rules/Regulations.
I have been further advised of my rights and
responsibilities in connection with this inquiry as set forth on
a "Warning and Assurance to Employee Required to Provide
Information" form FD-645 which I have read and signed. I
understand from my review of the FD-645 that should I refuse to
answer or fail to reply fully and truthfully during this
interview, I can expect to be dismissed from the rolls of the
FBI.
I am currently assigned to CT-25, a Domestic Terrorism
squad, but assigned to an Enterprise Investigation that is a
hybrid of Domestic Terrorism and Child Exploitation violations.
I was assigned to squad CY-3 in May 2010 and officially named on
the squad in July 2010. This was when the FBI's child
exploitation program was referred to as "Innocent Images" and
fell under the Cyber Division, while Squad C-20 was the Human
Trafficking (HT) squad at the time. I believe it was 2015 when
Violent Crimes Against Children (VCAC) and HT programs were
combined under the FBI's Criminal Division, which led to the
merger of the violations in the NYFO under squad C-20. The Squad
is split and has the HT side and the VCAC side, and I was a VCAC
Agent. Agents primarily work their assigned violations, but we
come together as a squad for operations.
I have been with the FBI for over 18 years, having spent
the last 16 years as an Agent. I have been one of the FBI's
leading Agents in Child Exploitation investigations and to this
day, I believe that I am one of, if not the only, Court-certified
expert witness for the entire FBI for child exploitation. I have
personally accounted for approximately over 60 arrests, 150
search warrants, and have been responsible for rescuing several
hundred children.
I believe Digital Extraction Technician (DExT) training was
opened to VCAC Agents in 2012. Scott Ledford was my instructor
for DExT. As of 2023, I knew Ledford was a Unit Chief (UC) and
led the Cyber Action Team (CAT). I believe at least three or
four of us initially received DExT training in approximately
2012, but I think all of us working Innocent Images/VCAC on the
squad were eventually trained. However, once the child
exploitation program moved from the Cyber Division to the
Criminal Division, that changed. The funding we received through
the Criminal Division was significantly less than what we
received through Cyber Division, so the DExT program was no
longer able to put on as many classes and certify as many people
as it had before. By the time of the intrusion that forms the
basis of this internal inquiry, only about half of the "child
exploitation" Agents on my Squad were DExT certified. This is
while we were still with CY-3.
We got certified because the Computer Analysis Response
Team (CART) was long overburdened and not familiar with the
nuances of the child exploitation violation, such as the types
of programs used by offenders, the vernaculars, etc. It was also
known, and something I witnessed personally, that due to the
reliance on CART and how long it would take for them to prepare
a case for review, "hands-on" offenders were not being arrested
in a timely manner. This resulted in the continuation of child
victimization at the hands of the offenders the FBI was actively
investigating. This was around the same time Agents working
other violations began to also see an increase in the collection
and reliance upon digital evidence in their cases. As DExTs, we
were encouraged, and in some cases I believe required, to assist
CART with their backlog by conducting DExT extractions for other
squads. The other reason was to eliminate the lag time in
searching evidence and identifying contact offenders (offenders
who physically exploited or physically assaulted children)
sooner.
VCAC investigations are different than most other FBI
investigations since, in VCAC investigations, a search warrant
is generally executed in the early stages of an investigation,
and the evidence needed to arrest and charge an offender is
usually derived from the materials seized during the execution
of a search warrant. Whereas other squads, generally speaking,
execute search warrants at the culmination of their
investigations.
Mike Osborn was a UC of the Crimes Against Children Human
Trafficking Unit (CACHTU) at FBI Headquarters (HQ) and
eventually an Assistant Special Agent in Charge (ASAC) at NYFO.
He was a huge proponent of DExT. Being DExT trained allowed us
to conduct our own data extractions faster, but more
importantly, it allowed for a faster and more efficient way of
identifying "contact", or "hands-on", offenders and, thus, rescue
child victims of sexual abuse before they could be further
victimized.
After becoming DExT certified, we received DExT equipment
that allowed us to image, process, and better review the digital
files. The DExT training allowed us to better use FBI analytical
programs to review digital evidence. Being DExT certified
allowed us to assist CART by offering an alternative for other
squads to use for data extractions. At the time, CART was not
located in NYFO Headquarters City (HQC). CART was located in
Moonachie, New Jersey. It could take an hour to get to the CART
lab from the NYFO. CART evidence reviews needed to take place
there and it could take all day. CART eventually moved to NYFO,
HQC.
The volume of data extractions we took on lessened the
burden on CART. At least in New York, CART only had one or two
examiners who could handle data extractions immediately, and
almost certainly none who could respond after hours or on
weekends.
Since we dealt with child victims, it was, and is,
imperative that the digital evidence be processed immediately.
In nearly every child exploitation investigation the digital
evidence is quite literally the evidence to prove the crime and
without a prompt review, there is no probable cause to effect an
arrest, putting the lives of child victims in continued danger.
It is that very risk, the risk of continued abuse, that has
prompted the FBI to enact new policies requiring expeditious
investigation into allegations of child exploitation. This
includes the expeditious review of evidence.
Prior to the DExT training, onsite forensics
was not really a practice. We had to take digital evidence back
to the office to view it and we relied more on the post-search
interview. After a search, we had to go back and arrest an
offender once we found the evidence. This made for a
significantly more dangerous arrest because the offenders knew
we were coming. There was also the potential for offender
suicide. We had three offender suicides that I can recall.
NYFO SAs Linh Phung, Thomas "Tommy" Thompson, Mitch
Thompson, and I were DExT trained. SA Cindy Wolff (aka Cindy
Dye) was also DExT trained. Cindy was the last to be trained
while our squad fell under Cyber Division. At the time, I was
the most junior Agent on the squad. Before being DExT trained,
all of our digital evidence was submitted to CART for data
extractions, imaging, and processing. We did have access to the
Case Agent Investigative Review (CAIR) system, a forensic tool
for data review, but the program was slow, not capable of
handling large evidence reviews, did not work all that well, and
did not do what we in the child exploitation program needed it
to do. As a result, rather than using CAIR, Agents on the squad
opted to travel to Moonachie, where CART was
located, to conduct their reviews on site versus over the CAIR
network. The ineffectiveness of CAIR was no secret and was
widely known, and one of the reasons for the creation of the
autonomous DExT labs.
After collecting digital evidence, I would enter the
digital evidence into the Evidence Control Unit (ECU) and get a
1B evidence number assigned. I would then enter a CART request
with a description of what forensic examinations I needed to be
performed and information on the device that needed to be
extracted. Then I would submit it to CART. It could take a day
or two to get the evidence to CART and the amount of time it
would take CART to process the evidence varied. It could take
weeks or months. Once it was extracted, CART would process it in
the Forensic Tool Kit (FTK). We could review the data on CAIR or
go to Moonachie to review it. Everyone on the squad, for the
most part, chose to go to Moonachie. CART Digital Forensic
Examiners Stephen Flatley and Carlos Koo eventually set up a
spot in NYFO, HQC to do data extractions.
Even after receiving DExT training, we used CART for things
like very large media dumps/extractions and encrypted files. We
also used them to help us with understanding what some of the
digital evidence was. I believe CART may have provided us
digital copies of the data extraction and I think it may have
been on DVDs. They would have been accessible on Operational
Wide Area Network (OPWAN) as well. I do not recall
what we did with the copies on DVD. CART may have checked them
into evidence and provided a working copy. The DExT trained
Agents would do data dumps on everything we could like hard
drives, loose media, and thumb drives.
In 2015, generally if it was a device we could image, we
would follow this process. We would use write blockers to assure
we did not accidentally manipulate the original data. We would
create an image of our evidence; sometimes we would use another
hard drive. We imaged and processed the data. We had some hard
drives, but I am not sure where they came from. I believe
HQ sent us a box of hard drives. I also believe CART may have
given us some as well.
We used a forensic duplicator called a TD3, and later a TX-1,
as well as FTK Imager, to image a device onto a hard drive and
make the derivative evidence. We would then make a working copy
image off of the derivative evidence. We would then work off of
the working copy.
I am pretty sure the derivative evidence was cataloged and
placed in the NYFO ECU if that was the policy, but if that was
not the policy we would not have done that. The DExT Program
provided us with Redundant Array of Independent Disks (RAIDs).
These RAIDs were to be used to house our working copy evidence
images. I initially advised the interviewing SSAs, once we ran
out of hard drives for derivative evidence, we were instructed
to use the RAIDs and that these instructions came from either
a ... or my supervisor. This is true, as it was the SSA and
the case Agent for our squad's ... whose responsibility it
was to request and receive funding and equipment. Any requests
that we needed were routed through them, and the
case
Agent was also one of our DExT Agents who also faced the same
issues of not having the hard drives to create derivative
evidence. However, I also recall these instructions were
provided by HQ, either our Program Manager (PM), the DExT PM, or
both. This may have occurred in 2012 when I went through the
DExT program and continued over the years. As there has been a
revolving door of PMs, I do not recall the names of the people I
spoke with at the ... I can provide as many names of PMs who
I can recall had been there over the years.
Typically, the person running a Group I or Group II
Undercover Operation (UCO) investigation and the squad SSA would
be the people who communicated with HQ for resources. As an
example, I recall in 2015, I sent an email to SA Tommy Thompson,
who was the case agent of our squad's Group II, asking for some
large capacity hard drives with our remaining Group II funds.
This was one of many requests I made, which were generally
verbal, for equipment/resources. At the time we were still
merged with Cyber. When we moved to the Criminal Division, our
funds were nearly wiped out. Sometime thereafter,
Linh Phung left NYFO and became a DExT PM at FBI HQ. She
would often complain about a lack of funding.
When we first became DExT trained, it was much easier to
comply with the policy since the size of the data was
significantly smaller than it is today. For example, telephone
dumps then often fit on a DVD, or worst case a Blu-ray DVD.
Today, DVDs are nearly obsolete as the size of data collections
has become enormous, requiring large capacity hard drives which
are more expensive and harder to get.
To be 100% compliant with the existing policy each year, it
would likely require C-20 alone to purchase over a hundred hard
drives, and this is just one squad in one office. To ensure that
everyone in the FBI is compliant each year, the FBI would likely
have to purchase
thousands of hard drives, then do this year after year. But the
FBI does not do this and the policy it created to cover search
warrants decades ago has not changed, despite the fact the
environment the policy applies to has.
This is one of the several fundamental flaws that I have
and continue to voice. If creating derivative evidence is a
requirement, then why does the FBI not automatically provide the
hard drives? How can the FBI enforce a policy without providing
the field with the ability to comply? If, in nearly every search
warrant executed FBI-wide electronic media is seized, resulting
in the need for derivative evidence hard drives, why is it then
incumbent upon each individual squad, in each office, under each
program and division, to figure out a way to obtain the funding
to purchase them? If the FBI knows hard drives cannot easily be
purchased in bulk, and that there are security requirements on
where the drives must be manufactured, why does the FBI not just
purchase them for us rather than place that nearly impossible
burden on us?
In approximately 2017 I took over as case Agent for our
squad's Group II. As the case Agent I was able to use Group II
funds to make purchases, which were obligated to us through
CACHTU.
I was running out of hard drive space for derivative
evidence and of storage space in general. The PMs told us buying
hard drives in bulk was a problem. The stores had a capacity
limit, but I was advised to try anyway but was not successful. I
would purchase the drives on Amazon, like I was instructed to do
by HQ, until my covert account was shut down by Amazon since the
purchasing of large quantities of hard drives was flagged as
suspicious. We were also purchasing hard drives from New Egg,
like we were instructed to do by HQ, specifically SSA Heath
Graves who was the DExT PM, because they could sell bulk (10 or
more) hard drives, but I was later told by someone in the
Procurement Unit we could not use New Egg. This left us with
very few options for buying hard drives and despite voicing
these issues, no one at HQ offered a solution. In speaking with
other Agents across the FBI, I learned this was a common
problem. I went to CART who gave us what hard drives they could
spare.
In 2017 I began to gain a voice among many FBI Child
Exploitation circles. I took over our squad's Group II UCO, and
almost immediately converted it into a Group I. This conversion,
which allows for the use of sensitive techniques, was done due
to my desire to enhance our undercover capabilities and increase
our effectiveness by using some of the most robust undercover
techniques available at the time. While every undercover
operation must be approved every six months in front of the
Criminal Undercover Operations Review Committee (CUORC), because
ours was now a Group I, it also had to be presented up through
CACHTU and approved by the Assistant Director (AD). During
the CUORC, I brought up the funding issues. In the funding
section we discussed what we spent and what we anticipated to
spend. During my time as the case Agent for my squad's Group I,
my squad's statistical accomplishments increased exponentially.
The number of undercover sessions conducted by my squad
increased by 198% in the four years after I took over the NYFO
child exploitation program compared to the four years prior.
This meant an increase of approximately 2000 undercover sessions
in the same four-year span. More significantly, however, was how
I tasked undercovers and provided direction to ensure the
program worked to identify the most vulnerable of the exploited
children; and set out to rescue them. The results cannot be
overstated in that the lives of hundreds of children were saved.
While I am personally responsible for saving the lives of
hundreds, many hundreds, if not thousands more were saved
because of how I managed and directed the child exploitation
program.
In 2018 I did a five-week temporary duty assignment (TDY)
at CACHTU. My former SSA, Sean Watson, was the UC there. My job
was to call every VCAC Group I and Group II UCO Case Agent and
ask questions about the issues they were having and to provide
recommendations on how to better the program, how CACHTU could
better assist the field, things that needed improvement, etc. I
learned a lot about the issues affecting the entire child
exploitation program and, while there were some differences in
the issues facing some offices over others, there were a number
of common issues that impacted every office. These issues
largely dealt with lack of guidance, direction, training,
equipment, DExT support, funding, and personnel. I drafted a
summary of the calls I made and created a section for complaints
from the field in reference to ..., and provided my assessment
to CACHTU leadership. One of the many takeaways was that nearly
every office had different ... complying with policy and
guidance.
This summary was also provided to
the interviewing Agents and I can make it available to whomever
needs it.
This same assessment, as well as additional details were
also provided to Bryan Vorndran, who was the Deputy Assistant
Director (DAD) who covered child exploitation, as well as to my
immediate supervisor and to the supervisors/PMs at CACHTU. This
came as DAD Vorndran separately requested a working group of
Subject Matter Experts (SMEs) to address the needs of the VCAC
program. I explained to him how we had equipment ... and
provided my assessment both orally and in
several documents.
Also in 2018, CACHTU PMs SSAs Michael Deizlak and Matthew
Chicantek were presenting to Executive Management on the
issues facing child exploitation investigations. SSA Deizlak and
SSA Chicantek requested information from me that they wanted to
present. I emailed SSA Deizlak and SSA Chicantek, along with UC
Sean Watson of CACHTU, the write-up I sent after my TDY as well
as a separate, even more detailed summary of the issues. In this
three-page summary I talked about the need to appropriate money
for equipment, as well as details regarding issues affecting the
program, including the DExT, guidance, support, and more.
Others and I made it very clear to HQ that we did not have
hard drives. Every now and then they would send us some, and
other times they would send funds, but nothing was
consistent. I also informed my SSA of the need for hard drives.
I was aware he knew we needed them and there were no funds.
Other Agents were dealing with the same issues. It has been, and
continues to be, the practice of VCAC Agents to create
derivative copies of original evidence if derivative hard drives
are available. However, given the long history of not receiving
either the hard drives or the funds to purchase them, Agents
were left with no alternative but to store their derivative
evidence on local storage. I would sometimes create a derivative
copy of the evidence on the RAID tower, as well as a working
copy. If the evidence was a large collection of different
computer ..., it was not practical to store two copies (a
working copy and derivative copy) on the RAID ... I would only
create one. However, I very often placed derivative evidence
copies onto either internal or external hard drives that were
maintained in our lab either as having been received or
acquired. Since, as discussed, we did not have a surplus of hard
drives nor did we often have the funds to purchase them, I used
ones I was able to get or hard drives that had been repurposed.
However, it often was the case where I maintained the derivative
evidence of several investigations on a single hard drive. This
was due to the ..., and the fact that I did not want to waste
the extra space that was free if a particular case only took up
a portion of the hard drive. As resources were hard to come by I
maximized the resources I did have. These derivative evidence
hard drives were separate and apart from the evidence copies
maintained on our RAIDs or servers. I was not able to do this
for every investigation, due to the limitations discussed, but
when feasible it was done. This was my way of going out of my
way to create derivative evidence as often as I could, despite
not having the resources. I have located some of these hard
drives that are still maintained in the C-20 lab, and
photographs of them have been provided to the interviewing SSAs.
When I was unable to create true derivative evidence to be
checked into ECU or the derivative evidence described above, I
considered the working copy of the evidence on my RAID or server
as the derivative copy. Regardless, all the evidence copies had
"hash-verification" logs to ensure the copy was a bit-for-bit
copy, and the tools used were designed to prevent changes to the
evidence, so there was never a possibility that the evidence
copies could be altered.
I have various correspondence with HQ advising there was a
lack of funding. This not only affected us getting hard drives,
but also various other things. Phung provided us with more RAID
towers for ... and instructed us to use the storage to meet
our needs. I do not recall her exact words, but I understood her
directions to mean I could use the RAID towers for the creation
of derivative and working copy evidence.
I also learned funds were available, but not designated for
the purchase of the hard drives. Money was either not there or
was allocated to something else. I spoke with Heath Graves who
was the DExT PM and then Jim Harrison who is the current DExT
PM.
In June 2023, I proposed an idea to SSA Seamus Clarke and
ASAC Spencer Horn regarding how to address the issue of handling
derivative evidence since the long-standing process of using
external media to store derivative evidence was no longer
practical. SSA Clarke and ASAC Horn liked my idea and encouraged
me to reach out to the ECU to find a way to pitch the idea.
I reached out to Supervisory Administrative Specialist
(SAS) Arlene McKenna, who ... the NYFO ECU. SAS McKenna
also liked my idea and stated any changes in the evidence
guidelines or policy would have to come from the Field Evidence
Program (FEP) of the FBI's Laboratory Division (LD). SAS McKenna
provided the name of the FEP's Supervisory Management and
Program Analyst (MAPA) Adeline Joseph and suggested I reach
out to her.
On 06/07/2023 I spoke with MAPA Joseph via FBINET Skype
call. I discussed with MAPA Joseph the issue with the current
process, which was feasible years ago when the size of
electronic evidence was significantly smaller. In those days,
derivative evidence was stored on Blu-ray DVD or thumb drive.
However, in recent years the size of electronic evidence
seizures has increased dramatically, requiring hard drives to be
able to accommodate the data. ... While I personally have never
had an issue obtaining DVDs, I could not say the same about hard
drives. I explained that while the technical environment the ECU
policy/guidance is based on has changed, the FBI's
guidance/policy has not. This has created the very issue which
is part of this inquiry, the inability to abide by the
guidance/policy. I stated that it has become increasingly
difficult for the field to be in compliance with the existing
guidance/policy since the field no longer has the resources to
be compliant.
I offered to help figure out another process for
maintaining derivative evidence, as I believed it was a waste of
money and resources to purchase expensive hard drives for
derivative evidence which will just be checked into evidence
until the conclusion of an investigation, just to then be
destroyed. I spoke with MAPA Joseph about creating reusable
virtual derivative storage that was stand-alone. I suggested the
virtual evidence locker could be a server, which could be
controlled by the evidence units and that 1B numbers could still
be used and assigned to the folders of the derivative evidence.
I also proposed the use of an electronic chain of custody
process to document the access of the electronically stored
derivative evidence. I further suggested that since the
derivative evidence copies were maintained electronically, there
would be no need to waste funds on hard drives that would just
end up being destroyed anyway, and that at the conclusion of an
investigation when the evidence is to be "destroyed", the media
would be deleted, thereby freeing up space for new derivative
evidence. MAPA Joseph liked the suggestion and stated she
would discuss it with her team, specifically her UC whose name I
cannot recall. My SSA and ASAC, SSA Clarke and ASAC Horn, were
both aware of my idea and conversations and encouraged me to
follow up with MAPA Joseph, which I did via email on 06/27/2023.
This email, which has since been provided to the interviewing
SSAs, stated in part:
"Hey Adeline,
A couple weeks ago we had a discussion about
authorizing our lab to store DE on our servers, rather than
the repeated, costly, and wasteful process of purchasing tons
of hard drives to store DE. The server, which would be secure,
maintain access logs and ... for the
electronically stored DE, would take the place of the
physical hard drives which would save money, time, and
eliminate the need to waste tons and tons of hard drives.
I was wondering ... and if there is
anything we can do to get something like this going!
Thanks so much!
Aaron"
MAPA Joseph responded on 06/30/2023 with the following:
"Good Morning Aaron,
Hope all is well. Apologies for the delayed response. I
was in in-person training this week for evidence techs. For
your awareness, we are working on wrapping up several projects
for this fiscal year. I am adding the DE idea to our
whiteboard to discuss this amongst the team to include all
key stakeholders that would be involved. If you don't mind,
I'll send you a calendar invite so that it's on my calendar
to circle back with you to discuss what the team decided.
Kind regards,
Since this email, I have not heard back
from MAPA Joseph or anyone in her chain of command regarding
this issue.
I have provided a recent example to the interviewing
Agents. In this example, which took place in November 2023,
after the intrusion and inquiry, C-20
requested funds for derivative evidence hard drives and were
denied. After requesting $2,155.62 for derivative evidence hard
drives, CACHTU responded with "Please utilize cart for a resource
for this. We are under a CR and are very restrictive on what we
can approve". C-20 then went to CART, as directed, who in turn
stated they did not have any hard drives to spare and
recommended C-20 request funds from CACHTU.
This example further illustrates that even despite the
intrusion and the negative attention we received regarding
derivative evidence hard drives, the squad was again put in the
position of being unable to comply with policy because the FBI
would not provide the requisite hard drives or funding needed to
be compliant.
Sometime later C-20 would eventually receive some hard
drives but were then advised by the NYFO Information System
Security Officer (ISSO) their hard drives were out of policy and
that they could not use them since the hard drives were not
manufactured in the United States. This, again, put the squad in
an impossible situation with no alternatives being offered. It
was also quite ridiculous as it is likely that none of our
computer equipment is manufactured in the United States.
almost immediately converted it into a Croup I. This conversion,
to my desire to enhance our undercover capabilities and increase
our effectiveness by using some of the m st robust undercover
operati n must be approved every nix moatha in fr nt of the
Criminal Undercover Operations Review Committee (CUORC), because
^ACWTU and approved by the Assistant Director (AD). During the
During my time as the cacc Agent for my squad's Cr up I, my cqual
•
number of undercover sections conducted by my squad increased by
198% in the f ur years after I took vcr the WYFO chill
compa.ed to the Co.- seas
Thls
meant an increase of approximately 2000 undcrc vcr sc-si no in
the same f ur year span. M rc significantly, h 'fever, was h w I
worked t identify the m ct vulnerable of the cx1
.tsii
that the 11.t.s of 4
Leda of child-ee 4e-e eased.
While I am personally responsible for saving the lives of
EFTA00173504
I
bccaucc of how I mana cd and directed thc child exploitation
2018 I did a
temporary duty assignment (TDY)
at CACHTU. My former SSA, Sean Watson, was the UC there. My job
recommendations on how to better the program, how CACHTU could
the field, things that needed improvement, etc. I
learned a lot about the issues affecting the entire child
exploitation program and, while there were some differences in
of common issues that impacted every office. These issues
largely dealt with lack of guidance, direction, training,
equipment,
I
summary of the calls I made and created a section for complaints
from the field in reference to
CACHTU leadership. This summary was also provided to the
needs it.
also provided to Bryan Vorndran who was the Deputy Assistant
Director (DAD) who covered child exploitation, as well as to
my
immediate supervisor and to the supervisors at CACHTU.
DAD Vorndran separately requested a working group of
Subject Matter Experts (SMEs) to address the needs of the VCAC
provided my assessment both orally and in several
documents.
Also, in 2018, CACHTU PMs, SSAs Michael Deizlak and Matthew
Chicantek were presenting to Executive Management on the issues
Chicantek requested
that they
present. I emailed SSA Deizlak and SSA Chicantek, along with UC
Sean Watson of CACHTU, the write-up I sent after my TDY as well
as a separate, even more detailed summary of the issues. In this
three page summary I talked about the need to appropriate money
program, including the DExT, guidance, support, and more.
When interviewed by INSD, I was asked when the standard
practice for C-20 members changed to not adding derivative
copies to the ECU. According to INSD, I stated I did not know,
but the change did happen. INSD then asserted that I now believe
the practice of creating derivative evidence copies onto
separate hard drives to be checked into evidence was dependent
upon
we were provided funds to purchase the drives or
the drives themselves.
This is not entirely correct and lacks context. The
"change" that occurred was somewhat two-fold and started when
the FBI moved VCAC from the Cyber Division to the Criminal
Division and the funding we received was dramatically reduced.
The other contributing factor was, as discussed earlier, the
increase in the size of the electronic media seized during
search warrants and the subsequent need for significantly larger
and more expensive media to house the "Derivative Evidence".
This affected many things, including our ability to purchase
hard drives. So, the "change" that led to our inability to
regularly comply with the derivative evidence practice was out
of our control. Despite that, I personally voiced this concern
numerous times over the years, but it was not an issue many were
willing to care about. Early on, when VCAC fell under the Cyber
Division, we had regular access to these drives, but when the
program was moved into the Criminal Division that changed.
Despite repeated requests, as well as having alerted everyone
within the chain of command, we were told to figure it out.
We had been advised that if derivative hard drives were not
available, to store the derivative evidence on our local
storage, which is what we did. It may have been in 2016 or 2017
and possibly happened because we did not have hard drives. I
believe we were initially getting some hard drives from DExT
after completing the certification course. DExT slowly went to
no longer providing hard drives to new DExT certified Agents at
all. I do not know what they are teaching about digital evidence
storage in DExT or how to get drives, but I know from other
Agents who have attended the DExT training more recently that
guidance has still been to seek funding from CACHTU, who again
has been stating they do not have the funds.
Until approximately February 2023, the NYFO did not have a
designated ISSO. This is a required position, and I think it
being left unfilled exacerbated many of the problems that are
discussed herein.
retired Special Agent in Charge (SAC) Nicholas Bouchears who
created a timeline and report of his years-long request for an
ISSO, which was a requirement that the FBI left unfilled in the
NYFO until January or February 2023.
The situation was in essence entrapment. We were
by policy to create derivative evidence, but we were not
the ability to comply. Despite repeated
acknowledgements from FBI HQ about the conundrum, solutions were
never provided. We were told to adapt and to figure things out,
and we did. The result is that we got punished for it, which is
quite insane. We should not be held accountable for a problem we
could not fix and were not responsible for fixing.
When derivative hard drives were not available, we did as
we had been instructed by imaging the original evidence onto the
RAID Storage or Network Attached Storage (NAS), and as
previously discussed, I even went above and beyond given our
limitations by creating derivative evidence copies of multiple
cases onto larger internal hard drives so I could ensure I was
doing everything within my power to comply with the
times I would create a second copy. If I made a second copy, I
would use one as the main copy and the other was the working
copy. If I did one copy, that one would be used as the working
copy. At times I would make multiple working copies.
According to INSD, I advised I had not been making
derivative copies of digital evidence and that I now believe I
personally made derivative copies and did whenever I was
afforded with the requisite hard drives.
This is incorrect. From the beginning I have never wavered
and have always been adamant that I had been making derivative
evidence copies whenever possible. As I have also
stated, this was an FBI-wide issue that affected many Agents,
including many in supervisory positions. The issue was not that
derivative evidence copies were not always created, the issue is
why the field was not always provided with the ability to create
derivative evidence copies.
The issue regarding derivative evidence that I and others
faced was well known to our supervisors and specifically to our
substantive desk at HQ. The question for us in the field was
what do we do? Do we stop investigating our cases because we did
not have a sufficient process for creating and storing
derivative evidence? Of course not. Just because I, and others,
did not always receive the drives did not mean our VCAC
still had to adapt and
overcome and felt that while I may not have been able to create
derivative copies for all the evidence, the reasons for that
were well documented and out of our control. Had we, or I,
decided not to work cases due to the lack of derivative evidence
hard drives or funding for them, we would have been punished for
that as well. Aside from neglecting work being itself an
offense, there are other policies governing the child
exploitation program that explicitly require child exploitation
Agents to expeditiously conduct their investigations. It is like
being stuck between a rock and a hard place, and I, and others,
were told by FBI leadership over the years to make do, as long
as the cases were being properly investigated, and that is what
we did.
At no point in time have I ever stored digital
evidence at my residence. After the intrusion when the FBI's INSD
conducted their interviews, I had been asked about "evidence" and
reviewing materials from home. I acknowledged that I, like
everyone else, had done some work from home. However, the "
evidence" being referred to has always been "working copies" and
items that are absolutely covered under policy. At no time had I
taken original or derivative evidence home.
I believed that I had cleared up any misunderstanding or
semantics over the word "evidence", because that word used
without a descriptor is just a generic term for evidence. The
word has types, not exclusive to "original" or "derivative"
evidence, like a classification to distinguish what the evidence
is such as "original", "derivative", and "working copy". Then,
there are caveats to the category of evidence such as "digital",
"general", "drug", "valuable/financial", etc. For example, when I
review subpoena returns, I am reviewing "
evidence", but that does not mean the evidence is "original" or
"derivative", and unless those subpoena returns are in paper
form, they are categorized as "digital evidence". Nevertheless,
I am authorized to review those from home.
The same applies to chat messages derived from a device or
having been included in a lead or Guardian.
When discussing this with the Inspectors, I was clear that
anything I reviewed outside appropriate facilities was working
copies. At no point had I ever discussed with anyone that I have
taken original and/or derivative evidence home or in any way in
violation of policy. Any assertion to the contrary is
categorically false.
I have recently found a folder that I created on my FBINET
computer called "to Take home for baby leave". This folder
contained items I planned to take home to work on while still
under the work-from-home guidance we received during the
pandemic, which is also during the time my wife gave birth to
our twin boys. The items in this folder are generally indicative
of other files I had reviewed from home, none of which are
original evidence, derivative evidence, or CSAM.
Other examples that have also been provided to INSD include
an email from CACHTU SSA Jordan Hadfield which was sent to all
VCAC OCEs. The email was sent during the pandemic when OCEs were
working from home and is requesting to know if OCEs were aware
of a website contained in the email. SSA Hadfield instructed the
OCEs to not use their "HOME COMPUTER" to access the link because
it contained CSAM, however SSA Hadfield knew OCEs had their own
FBI-issued misattributed laptops and phones that they could
access the link on from home.
Another example is from my supervisor at the time, SSA Sean
Watson, who stated in an email dated 03/25/2020:
"I will be assigning Guardian lead(s) which can be worked
from home or an alternate location. Reminder for 305 leads,
do NOT use personal networks to vet out 305 leads. Use
covert equipment with an aircard or covert cell phones."
Throughout most of its existence the C-20 lab was Internet
connected. However, and for clarification, the C-20 lab existed
long before the DExT program and the misattributed Internet was
connected to our
misattributed computers. At the time,
work was primarily conducted on
computer-based Internet platforms whereas today, the majority of
OCE work is on mobile-based platforms.
Back then, we used misattributed FBI-issued desktop
computers to conduct OCE sessions from the lab and adjusted
our work hours accordingly. As offenders began using mobile-
based applications, OCEs were required to do the same. With the
use of mobile applications offenders were now online and
chatting throughout the day, versus just when they were on their
home computers. Thus, the expectation of OCEs changed to emulate
that of the offenders. I do not know exactly when we received
FBI-issued misattributed cellular telephones, but when we did,
we also received the authority to take them with us wherever we
went if we were engaging with CSAM offenders. In fact, OCEs have
long been encouraged to communicate with offenders at random
hours of the days and on weekends, to send offenders benign
photographs while on vacation, at events, etc.; all to better
legitimize the OCEs and help to dispel any fear offenders may
have that the OCEs are law enforcement.
When we became DExT certified, our computers were not
connected to the Internet except when we needed to update
software or some other Internet required task. As the years
went on, the need for our DExT computers to be connected to the
Internet grew. As discussed, HQ was aware of this and at times
even promoted programs that required this. Additionally, two
agents from C-20 and our SSA had all gone down to CACHTU to
become SSAs and the UC respectively, and they were aware of this
practice and need both from having worked on C-20 as well as
from their positions at CACHTU. Lastly, as previously discussed,
at the time of the intrusion our squad had been participating in
a CACHTU pilot program, which included several other VCAC squads
from across the FBI and required the computers to be connected
to the Internet.
Regardless, our lab has always been "stand-alone", meaning
none of our computers
to any FBI systems.
Additionally, our lab was "misattributed" and able to be used in
covert capacities and to access websites that could contain
Child Sexual Abuse Material (CSAM).
Initially, in approximately 2012, the C-20 lab was not
connected to the Internet, but at the time we had little reason
outside of software updates to be connected to the Internet.
Several years later that changed as the advancement in our
software and capabilities grew, requiring our computers to be
Internet-connected. The only guidance or direction we received
at the time was that our Internet-connected DExT computers not
be connected to a FBI network and as far as I have always been
aware that is the only policy on the matter as well. Even FBI HQ
implemented investigative steps that required DExT labs to be
Internet-connected, such as the method that was used to transmit
CSAM to the National Center for Missing and Exploited Children
(NCMEC), whereas previously it had been to do so via a storage
media. Later, the FBI created the "SIFTS" program which was an
online portal for CSAM transmission. As an example, the FBI's
SIFTS has been provided to INSD which includes
must be connected to the Internet.
In approximately 2022, CACHTU advised the field that the
licensing method for one of our most used programs, "Axiom", was
moving from dongle-based to cloud-based. CACHTU wanted to pilot
the cloud-based method and elicited the assistance of five or
six VCAC squads from across the FBI to do so, one of which was
our squad. This pilot program, which began prior to our
intrusion and continued well after, required the DExT computers
to be connected to the Internet. It allowed us to check out a
license when we needed to, but to do so, we needed to stay on
the Internet. There was some level of security
provided by the switch box and some on the NAS itself.
The computers, NAS and RAID tower storage that contained
CSAM were then all connected to the Internet. We received
guidance from CACHTU, specifically from the DExT PMs, to disable
the antivirus to use the Axiom since the antivirus would flag
the program. I believe this came from Tommy, Heath, and CART,
and others. Squad C-20 did not know how to set up the Internet
and the switch box. We reached out to Computer Scientists (CSs)
and CART and received some help, and I have numerous emails that
I can provide to support this if requested. I do not know
anything about networking and how to set up networks.
The CSs also did not know. I believe someone
from the Operational Technology Division (OTD) told me to Google
it.
use OPWAN
Since
did
not have an OPWAN connection, plus the size on
have been too m
OPWAN to handle
Networking is not a DExT function and is not in my skill
set, so I did not even know what questions to ask.
stated
squad,
Systems Administrator. Despite the INSD having labeled us this
in their post-intrusion report, we are not. We have never
received any training or instruction on systems administration,
and labeling us
knowledge we did not possess.
The off-the-shelf security that was in place was what we
were using. I and the squad asked everyone we could think of for
help - CART, the CSs, OTD, the office of the Chief Information
Officer (OCIO), Management Information Systems (MIS), etc.
however, all were of no help.
CS Jim Walsh and ITS Steven Flatley helped us set up some
of the equipment. Christian Idsola from CART also helped, as did
another CART employee whose name I cannot recall.
I asked
FO CART squad,
Broderick,
the
These
communications, along with many others, occurred in writing via
email and
can provide them to
investigators.
In our desperation to find someone with a networking/system
administrator background to help us, we put out a Confidential
Human Source (CHS) canvass for assistance with our network
through our CHS Coordinator.
We also
reached out to OTD, Counterterrorism Division (CTD), and Cyber
Division (CyD) for help, but none were able to. An Agent on a CT
squad suggested that they had a Counterterrorism (CT) CHS who
could come over and look at the network, however the CHS advised
networking was not his/her specialty.
The CHS was a former
contractor for the FBI and had a Top Secret (TS) clearance and
was not able to assist.
Our request was simple - to network the few standalone
computers in our lab. However, no responsible entity within the
FBI would assist, so we had to reach out to friends and
colleagues to help on their own. While their help was valuable,
none of our volunteered help came from anyone who was a network
or systems administrator, and the FBI's network or system
administrators would not assist. The various networking and
system administrative units in the FBI handle FBI networks, and
the few that handle covert/misattributed networks do not handle
CSAM networks. Despite the irrelevance of the latter from a
technical perspective, CSAM is off-putting and no one wanted to
assist and CACHTU did not know what to do. In fact, CACHTU was
aware that networking VCAC computers was an issue affecting so
many other FBI Offices that PMs Stacie Kane, Brendan Roth and
James Harrison encouraged us to find the solution so that it
could be emulated across the other VCAC DExT labs.
fact, our
and
the improvements we had been making on behalf of the
VCAC program, contributed to several end-of-year "gold" ratings
by CACHTU.
As an example, in September 2022, SSA Brendan Roth, who was
the PM for the Northeast region for CACHTU, requested
the
VCAC squad who needed to enhance
their
. FBI Albany was trying to figure out how to
receive funds for their upgrades, and SSA Roth knew that I in
the NYFO had been
this process and asked that I assist.
After SSA Roth and I spoke over the phone, he sent an email to
myself and SA Brian Seymore from the Albany
stating
in part the following:
"Aaron
Per our convo about Group I UCO funds for CSAM review
stations - CC'ing Brian from Albany.
Maybe you guys can talk and answer questions he had about
the process and questions you were asked about it from
legal/procurement.
SSA Brendan Roth | Criminal Investigative Division | Violent Crime
Section Crimes Against Children and Human Trafficking Unit
(CACHTU)"
This was when the lab was on the 9th floor prior to it getting flooded.
In 2017, our lab flooded after the temperature in the lab
got so hot they triggered the sprinkler system. This devastated
our lab and ruined thousands of
DExT equipment. Some of
the equipment was replaced by CACHTU and CART was able to
salvage some of the equipment. We moved the C-20 lab to the 10th
floor in December 2020. I received approval on 12/22/2020 to
purchase switches, NASs, cables and hard drives. This equipment
was purchased with $34,000 in CACHTU funding, which also
supplied the Long Island Resident Agency (RA) with similar
equipment.
for the lost
upgrades.
CACHTU PM Leslie Adamczyk was a former NYFO Agent and
member of C-20 and knew about these issues. SSA Adamczyk
similarly had her DExT computer connected to the Internet and
similarly did not always create derivative evidence.
During the COVID pandemic there were three of us from my
squad who came to the office on a regular basis; myself, SA Matt
Deragon, and SA Brian Gander. The guidance, however, was to work
from home. The C-20 SSA at the time was Sean Watson. SSA Watson
provided guidance to work from home, in addition to the guidance
pushed by the FBI Director, our AD, and others in FBI
management. This guidance included conducting limited forensics
from home, and CACHTU pushed out to the field temporary AXIOM
licenses for the sole purpose of conducting limited forensic
reviews from home. This meant that literally the FBI was
encouraging Agents to conduct forensic reviews, of evidence,
from home.
However, the bulk of my forensic reviews meant reviewing
CSAM. Due to this reason, I came into the office daily to
do CSAM reviews. This is a fact and can be corroborated by SAs
Deragon and Gander, as well as by checking the building access
logs which will show I used my access badge to enter the
building and the frequency I accessed the building. Other work
was done from home. I looked at subpoena returns and reviewed
working copy material that did not include CSAM. Anything I took
home was covered under the guidance
being disseminated. I have a Bureau-issued laptop computer that
I utilized for these purposes. It is categorically false that I
violated policy by taking home CSAM, original, or derivative
evidence.
At the time, I was working on three cases primarily: Robert
Hadden, Darnel Feagins, and Jacob Daskal. Only one of these
cases, Feagins, was a CSAM investigation. The Feagins
investigation was the reason for my having to come to the office
during the pandemic, which eventually changed when, after
indicting him, Feagins fled, turning the investigation into a
fugitive matter. The Daskal and Hadden investigations were
contact offense, or "hands-on" offense, cases that did not
involve CSAM.
To conduct the investigation for Hadden I was doing web-
based interviews from home and writing FD-302s and subpoena
returns which were all non-CSAM-related. For the Daskal case I
completed a 68-page DExT review FD-302. I took metadata-related
information. Some of it was exported from Daskal's computer, but
none of it was CSAM; rather it was data to prove he and the
victim of the investigation were together in various locations
and certain dates and times. For the Darnel Feagins case I was
splitting the work. I did not do CSAM-related work from home. I
did not take any storage devices home that were original or
derivative evidence. Any copies or data I took home would have
been working copies. It would have been impossible for me to
take derivative copies home in general.
I was coming into the office every day to do my CSAM
reviews. I do not believe I was doing any OCE work at the time
since we were instructed not to. We were trying NOT to create a
need for Agents to have to run out on warrants or to conduct
Knock and Talks (KTs) due to COVID unless it was an emergency -
and other OCEs would do OCE work from everywhere,
including home, but all of that was covered under our Group I
authority.
According to INSD, during my original interview I advised
that Agents believed they were authorized to conduct OCE work
outside FBI space and that we now have
authority to conduct OCE work outside FBI space. This is a
slight
of my statement as to this day it is
our belief that we always had authorization to conduct OCE work
outside FBI space. The reference to now having an EC was in
response to additional questioning by INSD and did not change
the fact we had appropriate authorization prior to the EC. For
one, how we functioned as OCEs, to include when and where we
conducted OCE sessions, had been directed to us through FBI
trainings, FBI HQ, and our supervisors. Second, the authority
was written in our bi-annual
renewals, which
are reviewed and approved by the entire chain of command and
include the
and
Regarding anything I took home to work on, I have always
been certain
what I knew I was authorized to take home and
what I was not. As
, I would take home removable
storage devices like a hard drive or thumb drive that contained
working-copy data and/or other material that would allow me to
work from home. Some of my devices, including my FBI-issued OCE
telephone and my FBI-issued and encrypted laptop, may have had
CSAM on them, but as an OCE who was authorized to conduct OCE
sessions from outside FBI space, which included my home and
elsewhere, taking these devices home was covered by policy as
these devices were used in authorized and capacities. The OCE
and UCE policies allow for these things since communicating as an
OCE with VCAC offenders can require around-the-clock
communication. There is absolutely zero truth to any notion that
I violated any of these policies. I was quite literally doing my
job, which as a VCAC OCE, meant taking my OCE laptop and
telephone with me outside FBI space to communicate with CSAM
offenders. The communications with these offenders and any CSAM
I collected as a result, were maintained
in accordance with
policy and that is just a fact.
As for any evidence review I did from home, all was done in
accordance with policy and guidance. Despite a semantical
difference of opinion with INSD, I know that any evidence I did
take home was authorized under policy - it was not original or
derivative and was only working copies. Even as a matter of
logistics I would not have been able to take home original or
derivative evidence as I did not have the technical equipment at
home to review them on my laptop. I would have required write
blockers and/or other equipment to access original or derivative
evidence so despite the notion being outrageous anyway, it would
have been a near logistical impossibility.
Anything I took home to review was a sub-set of working-copy
data all authorized to review from home. All original and
derivative evidence were either checked into the NYFO ECU or on
the C-20 lab server.
The lab server had to be connected to the Internet to send
CSAM to NCMEC. As mentioned previously, the official way to send
CSAM to NCMEC is to use the SIFTS online portal. They will
accept hard drives, but it is not what they want, and NCMEC has
been moving to eliminate the use of hard drives altogether.
There are conflicting policies, and I brought this up while
assisting in revising the policy. I am one of, if not the only,
Court-certified expert witness for the entire FBI for child
exploitation.
During COVID, the concept of remote working was becoming a
thing. The idea came up during COVID to be able to do remote
work since that is what the FBI was beginning to promote. The
idea was continued by hearing from other members of law
enforcement, including some within the FBI, that they were
of remote computing to access their forensic labs while
away, such as on TDY or at a conference. The intention was not
to work from home, per se, but rather to increase the efficiency
of the forensic review process. The steps of imaging and
processing evidence before it is ready for review can sometimes
take days. During this time there is little for the DExT Agent
to do while the computer is doing its processing work. What
little there is for the DExT Agent to do is often what separates
one stage of this process from the next. So, if a stage is
completed on a Saturday, it will not move to the next stage
until the DExT Agent does the very few things needed to proceed,
which may not happen until the following Monday. This may then
kick the process off to the next stage, but now the Agent may
have to wait several hours or longer for the next step. In order
to be more efficient and to allow this process to begin on a
Friday, for example, and be ready for review on a Monday, I
believed the idea of remote computing was a reasonable solution.
Remote computing would have allowed the DExT Agent to
remote in over a weekend to initiate the next stage of a process
so that the process took advantage of the weekend to conduct the
lengthy steps so that by Monday it was ready for review. The
downloading process could take a while, but the steps between
the process were three or four clicks. If I knew a hard drive
was going to take a day or so to process, and the next process
would also take a day or so, to go into the office just to
click a button, especially in a densely populated area like New
York City during
COVID. The idea was to be able to remote in to the server and
tell the computer to move on to the next step of the process.
The idea of using remote computing was reinforced a few
years ago when I attended training provided by the International
Association of Computer Investigative Specialists (IACIS) during
which we went through basic computer forensics. I heard about
law enforcement use of Microsoft Remote Desktop Protocol (RDP)
there. I believe RDP was being used in the Bureau, but I am not
sure for what purpose or on what devices. I spoke with several
others in the FBI about RDP, including the DExT PM at the time,
SSA Heath Graves, who mentioned he had either been using it or
toyed around with the idea. SSA Graves mentioned to me that
setting it up and using it was fairly easy, and that all I
needed to do was follow Microsoft's directions as they were
pretty easy to follow. SSA Graves knew what my intentions were
and thought it was a great idea to be able to remote in to cut
the lag time of our processing.
I thought the C-20 system was secure. I attempted to access
the C-20 computer lab through RDP. I believed the lab's security
prevented me from remoting in. I had no idea that in so doing I
had opened the lab's RDP port and that it had worked. I could
access the port from in the lab, but once outside the lab, I was
unable to gain access to the network. I thought the security was
doing what it was supposed to. I was later advised that the RDP
configuration was mostly correct and that I was a step or two
away from having set it up successfully and securely. I was not
trying to be lazy or silly, I wanted to be more efficient in the
download process. Sometimes I would start a process on a Friday
only to come in on Monday and see it crashed and needed to be
restarted. RDP access would have allowed me to see the crash and
restart the process remotely.
I believe enabling remote access to the C-20 computer lab
was a good initiative, but it was not executed properly. It was
all about improving our abilities to protect children. I had
asked for help but did not get it, though I did get
encouragement. I was going off the guidance I received from the
DExT PM and CACHTU supervisor, SSA Heath Graves, who advised me
to follow the instructions off the Microsoft website. While I
cannot recall verbatim what he said, I am positive it was in the
realm of the Microsoft instructions regarding RDP to be "very
good" and "easy to follow" or something to that effect. My heart
and mind were in the right place, but I lacked the knowledge for
networking and was not a system administrator. Yet I was tasked
with setting up a network I did not know how to set up, and
despite repeated requests for help, I was denied. I should not
be held accountable for the FBI's systemic failure, especially
when the FBI encouraged me and approved me to enhance our lab. I
thought my attempt to remote into the C-20 lab did not work
because the security settings were effective. I asked for help,
even help with RDP, from nearly every unit in the FBI that had
anything to do with networking, DExT, etc., including CACHTU and
the DExT PMs. All I got in response was encouragement in what I
was doing, but no form of technical assistance. I attempted to
set the RDP up in either the Fall/Winter of
2022 or early 2023. The intrusion happened on Super Bowl Sunday
of 2023, and I discovered it the very next day, on Monday.
I provided the interviewing SSAs with an outline I drafted
on 02/13/2024 of the intrusion situation which I read out loud.
I signed the copy of the outline and provided it to the
interviewing SSAs to add to my statement. The following is from
my outline. This portion of my statement is written as it
appears in the physical outline:
Seamus, below is a timeline of what transpired today,
noting that we had no idea this was a potential hack until late
this afternoon. Given the potential that someone accessed our
lab to do this, and that the issue may have been with the way we
set up our network, below is also a little insight to the many
attempts we've made to get the FBI to assist in both physical
security to the lab and to help with networking:
Today's events (approx times)
-7:30am - I arrived at the office and noticed my Talino computer
had restarted.
-7:40am - I logged in to my Talino and a txt file popped up that
said in part my network has been compromised and provided an
email address to contact. This file was in the "startup" folder
so when logging in it opened automatically. I ran my computer's
anti-virus software, which was up to date and active, and it
identified one potential threat which I attempted to remove.
While this is not common, it is also not unusual given the data
we recover from 305 subject devices.
-I attempted to remove the potential threat, but my
administrative privileges had been removed, and despite many
attempts to gain access, I could not.
-8:30am - I reached out to Christian Idsola at CART for help,
but he was going to be tied up for a couple of hours.
-9:00am - I reached out to Talino for help and they walked me
through some steps, but nothing worked. They then advised me of
a process to take to run antivirus software against my Talino's
Operating System hard drive, which took some time but identified
the likely source of the threat, which was attributed to a
forensic program we use called Axiom. The threat was determined
to possibly be a "booby-trap" left by a subject (who is a
hacker) that was tripped when the Axiom forensic program ran
across it. After this discussion it was believed that was the
reason for the issues and we then began working on a solution,
which seemed likely to fix my issue.
-Around this time I also noticed our main server was down, but I
didn't think too much of it since we just added a new switch and
tried to configure some ports to run at different settings to
increase our bandwidth. I assumed at the time the lack of access
was a result of incorrectly applying the settings to
the "LAG" and "BOND" configurations of the switch. I was able to
see that according to the switch, the server seemed to be
connected just fine, so I spent some time troubleshooting it.
-Around 11:00am or so I was finally on instant message chat with
the makers of the server, Synology, who had us conduct some
tests and they ultimately concluded that a possible issue was a
defective hard drive in the server. This was a problem since the
server is "raided" and finding the defective hard drive was a
time-consuming and difficult task, but several of us began our
attempts.
-3:00pm - Is when Christian Idsola and Lewis LNU from CART came
over to help. After a bunch of triage and testing we could not
figure out why we could not connect to the server, since by all
accounts it was working.
-we then noticed that our other servers (NAS1 and NAS2) were
also not working properly, although we were able to access their
control windows, unlike with the Synology server. After some
digging around we noticed the folders that contain our data were
missing. Initially we thought this was due to a firmware
issue since Christian and I had dealt with that in the past and
resembled the same issue.
-Around 3:30pm or so we located the log files and began combing
through, which is when we noticed strange IP activity that took
place yesterday from two IP addresses. The activity included
combing through certain files pertaining to the Epstein
investigation. I reached out to one of the case agents to see if
they were in the office yesterday, thinking that maybe they
inadvertently changed a setting on the NAS or if they noticed
anything strange about them.
-Around 4/4:30pm we dove into the IPs and checked all of our
computers to see which had the IPs in question. One computer,
our discovery computer, matched one of them and is located in a
room next to the lab. The other IP is one we don't recognize,
but is the same address as the IPs on our network, leading us to
believe it was a computer that accessed our network somehow. We
were not able to identify the computer, but it had to have
accessed our network either by being plugged into the network,
or possibly by telnetting in virtually.
-5:00pm - we realized we were hacked and discussed what we
needed to do to ensure it's contained.
-5:15pm, we immediately saved our logs and shut everything down.
We disconnected the Internet and ensured anything containing a
log file was preserved.
-5:30pm - I began calling my SSA, Bob Whelp in Security, Jessica
Cardenas at CART, Amit Patel in Cyber.
Physical Security
-Dec, 2021 - Moved into the 10th floor lab
-Dec, 2021 - made numerous requests for an electronic keypad
lock on the door only to be told by the locksmith there is no
funding for a lock. These requests have been made numerous times
from Dec, 2021 until a couple months ago, when the response was
to make numerous copies of the key we have to the lab
Networking/Network Security
-Since approx 2017 we have elicited help from CART and Cyber in
networking our lab, all to no avail. Some CART and Cyber folks
have come over on their good graces, but they were not network
savvy and just tried to do what they could. Some months ago (I
can look up the exact date) we again requested help from CART,
but were told their networking person was too busy to help. This
meant no one with networking experience or ability was willing
to help, so we had to figure it out on our own.
- End of the Outline -
Once I realized there had been an intrusion, I called SSA
Clarke, and Bob Welp with Security. I also called CART and
Cyber. This all occurred the same day I found out about the
intrusion.
The switch box was for the internal network. We had a
server rack and a server. We had a switch box, and we just added
a second switch box. We also had a misattributed Internet that
was connected to the OCE computers. The switch boxes were never
connected together. The Internet entered through a router that
was connected to the DExT computer and connected to the switch
box. I believed all were secure.
Since we had a revolving door of CSs and CART
members, and since CACHTU was aware and having other offices
emulate the C-20 computer lab, I thought we were good.
We were in the middle of piloting Axiom. I tried different
things to think outside the box. We have a large set of hash
files that we sent to NCMEC. A hash is a random string of text
used to verify the integrity of files. Hashes are also useful in
that they are unique and can be cataloged. Regarding CSAM, all
files are "hashed", and those hash values are distributed. Using
these hashes, CSAM can be detected. With the hack, 500 terabytes
of data were gone.
Comment: I think we should delete this. It doesn't really make
sense and is a bit redundant...what do you think?
DW
2024.10.20 07:11:00
Comment: Agreed. Take it out. We can articulate that to INSD if
they ask, and can always put it back in if necessary.
Jim Roberson
2024.10.22 13:38:00
Regarding the data, however, I was told to Google how to recover
the data. No one else tried to help us.
The OCIO Section Chief (SC), Matt Smith, was pissed because
he found an email I had sent prior to the intrusion requesting
assistance that no one had responded to. I spoke with SC Smith
who believed this was part of systemic failures. We asked for
help, and our requests fell on deaf ears. We were always
referred to someone else. I understand I opened the C-20 lab's
RDP ports, but the FBI knew. The FBI had told me to follow the
instructions on the Microsoft website on how to open the ports.
I was trying to make things
better, and moreover CACHTU and other HQ and management entities
knew what I was doing and supported me. The policies are not
easy to find, are simply not available on the FBI's site, and
often
. In fact, I have examples I can
share of attempts to access policy just to find it isn't there.
FBI HQ Criminal Investigative Division (CID) DAD Jose Perez
has since acknowledged the policy for the lab was vague or non-
existent, which is something he advised of in an email that I
provided to the interviewing Agents.
Additionally, a few weeks after the intrusion, DAD Perez,
with others from FBI HQ, were visiting the NYFO on un-related
matters, however there was a meeting to discuss the status of
the intrusion which I was present for. Prior to the meeting, DAD
Perez, whom I have known for years, approached me and informed
me that he knew I was not responsible for the intrusion. DAD
Perez further advised me that our lab was one of many across the
FBI that had similar configurations. DAD Perez assured me that
he knew the FBI had systemic failures, that we in the NYFO were
not alone, that I should not worry, and that FBI HQ would help
get our lab back up and running. DAD Perez also acknowledged me
for my work and stated he knew I was the kind of hard-working
Agent that the FBI needs.
I was not part of the conversations to conduct a Security
Incident Reporting System (SIRS) report.
, that if I
did not have the initiative, we would not have had our
successes, which resulted in numerous children being rescued
and their offenders being brought to justice. I
continued to receive praise for my work, and CACHTU has
continued to ask me to review policy before it is sent out to
the field. I took over the Group I UCO and doubled its
statistical accomplishments. I have rescued more exploited
children than anyone in the NYFO and in most of the Bureau. All
I wanted to do was to better the Bureau. I did not know how to
do everything right, but I always did the right thing and
everything I did was with good intentions. I love this job. I
was not reckless. There was no self-interest involved. I was
always trying to do the right thing. I also want to point out
that I was twice awarded the Medal of Excellence for my work,
among other accolades.
Prior to the intrusion the squad was seen as the gold
standard for child exploitation programs. Our end-of-year
ratings were consistently "gold", and we were often touted as
being amongst the highest performing squads in the Bureau. Our
squad was responsible for hundreds of child victims being
rescued and dozens of offenders being brought to justice. These
impacts are directly correlated to our DExT lab and the work we
did to enhance it.
intrusion,
Quesada
overturned
After the intrusion we were directed to completely stand
our lab down. We were directed to submit all our electronic
evidence to CART for imaging and processing. A few months into
this process, I and others on my squad compiled statistics
comparing our effectiveness before and after the intrusion.
By comparison, after the
intrusion our squad suffered a 95.52% reduction in productivity.
During this time frame, my squad had 281 electronic evidence
items that needed to be imaged and processed, and all but 12 of
these devices had been taken to CART. Prior to the intrusion
Agents on the squad could begin imaging evidence they seized the
same day and were generally done imaging all their evidence
within a few days. However, the average completion time for CART
to image devices was approximately 30.5 days. This is a
staggering number and is a prime example of why the DExT program
is so important and how much of an impact the DExT lab had on my
squad's ability to swiftly and effectively conduct child
exploitation investigations.
Additionally, this summary highlighted one very unfortunate
instance in which, because of the lag time at CART and the
amount of time it took CART to image and process devices, an
offender who was a citizen of another country managed to flee
the United States before the CART review could be completed. It
is almost certain this would not have happened if the DExT
review could have taken place in the squad's lab. However, it did
happen, and again illustrates the significance of the lab and
why the enhancements I made over the years, and the numerous
pleas I made for help, were so important.
This summary has been turned over to the interviewing
Agents, and I can make it available again if requested.
Completely separate and apart from the intrusion, but
occurring simultaneously, ApostleX is both the name of a
software company and their product. I had no previous
relationship with the company prior to a representative from
ApostleX visiting the FBI, NYFO to provide a presentation on
their software. They were touring the United States, and
approaching law enforcement and
agencies promoting
their product. They are a startup company. ApostleX reached out
to several entities within the FBI, not just the NYFO. One of
the ApostleX employees is a retired agent from NYFO named Chris
Braga. I knew Braga from NYFO as a polygrapher. In October 2021
Braga reached out to me and several other individuals in the
NYFO about ApostleX. I initially did not care much about the
product. They were pitching a preservation tool that was geared
towards CHSs. It initially did not sound relevant to what we in
C-20 were working. Braga worked it out with others in the NYFO
and set up a few information sessions for different NYFO
Divisions. Our Gang squad, C-30 had an information session. On
10/20/2021, the C-30 SSA sent out an email to my SSA who sent
the invite for the presentation to our squad. Another Agent from
my squad and I decided to attend. I attended what I believed was
a Bureau-sanctioned information session.
I want to be very clear that I had no previous relationship
whatsoever with ApostleX. They approached the FBI, and I
initially declined to even attend an information session. It
wasn't until my supervisor sent an email to our squad advising
of the information session that I decided to attend. All of this
is very provable from the many emails and correspondences that I
have provided as well as others I can provide.
I showed up late to the NYFO ApostleX information session
and left early. The portion I did sit in on talked about how
ApostleX helped with CHSs' use of 3rd party apps. The lack of
technology available to preserve encrypted apps, or self-destruct
communications, was a widely known issue. Self-destruct
apps cannot be recovered, which makes them very popular with
VCAC offenders. There were no good methods to capture the
information. We voiced concerns about this for years, most
notably during the CACHTU policy review, but there
was no fix. There is a VCAC email
in which
CACHTU supervisors are participants, and there have been
hundreds of emails over the years of Agents voicing concerns,
asking questions, identifying issues, etc., which include
concerns about this very issue. We did not have the ability to
go after VCAC offenders who used self-destruct apps like Wickr.
There were, and remain, no ways for us to preserve those types
of communications. When conducting chat operations, depending on
the application being used, the OCEs are unable to preserve the
chats with the offenders. Some applications allow for as short
as a one second self-destruct period, meaning that after one
second of viewing the chat, it is deleted and gone forever.
There is no forensic program in existence within the FBI to
preserve that chat. Furthermore, these self-destruct apps are
designed in such a way that if an OCE attempts to screen record
or use a screen shot to preserve a chat they either alert the
person on the other end or do not allow the screenshot to be
taken. The Bureau's answer to this problem was not really an
answer. Some responses to this problem were to use another
device to photograph the chats, which is problematic for a
variety of reasons, while other responses were for our issue to
be passed around.
It was suggested to me that a solution would be to use my "Bu-phone" to
take photographs of these chats. I asked what to do with the
CSAM that I would inevitably be taking photographs of, and the
INSD interviewer had no answer.
Once ApostleX came along and I heard what their product did
for CHSs, I asked if it would work for encrypted chats and self-
destruct chats. They said it would. I left the meeting and met
with ApostleX after the presentation was over. When we met, we
discussed if their technology would do what I described. They
advised they would check and get back with me. They got back to
us in early November 2021 and advised they believed they had the
ability to incorporate what I was asking for. I led the effort
with ApostleX, but my squad was involved. I spoke with SSA
Seamus Clark and ASAC John Penza (retired). We saw the benefit
of it for VCAC purposes. My bosses wanted me to explore it. It
was early on and we needed to do everything right.
I believe there were a ton of Agents, throughout the
Bureau, simultaneously engaged in similar conversations with the
ApostleX company, discussing how to purchase the tool. The
ApostleX company has been to multiple FBI offices and may have
had conversations with Safe Streets, Cyber Division squads, etc.
I believe the
ApostleX company pitched OTD and other ADs. At one point I even
had an Executive Assistant Director (EAD) reach out to me
personally about ApostleX.
On 11/08/2021, ApostleX requested I sign a nondisclosure
agreement. I reached out to NYFO's Tara Semos and we may have
also spoken with an Associate Division Counsel (ADC). The
decision was that we would not sign anything. We did not have
the position or authority. I told this to ApostleX, but I also
told them that we were not going to steal their intellectual
property.
People liked the ApostleX program. The consensus was that
it was not a fully developed program, but that it could be
developed.
I know there are currently programs that are used in the FBI
that were made through Agent input.
Axiom is a CART-approved tool that the Bureau uses. I was
asked to work with Axiom on how it was useful for us and what
changes could be made to make it better for the case Agent. With
respect to ApostleX, my understanding was that we were talking
to a company that was brought in to us to fix a problem Agents
throughout the Bureau were routinely encountering when dealing
with a CHS or an OCE, namely the undetected real time
preservation of their text chats.
We communicated with CACHTU, who liked ApostleX, but said
they would not commit funding.
In November 2021 ApostleX was still conceptual. It was in
the right direction but needed to be refined. They knew from a
big picture standpoint what the problems were. From a technical
standpoint the product was a home run.
Just as was the case with the lack of funding for hard
drives we discussed previously, nothing I or my squad did with
respect to ApostleX was done in a vacuum. We briefed all the way
up to the ASAC (Penza) level. He did not want us to go to the
Special Agent in Charge (SAC) or the Assistant Director
in Charge (ADIC) with a problem. He wanted us to also have a
solution before we briefed the ADIC. He wanted the product to be
more developed. He did not want an on-paper solution.
At no point did anyone on my squad or I sign a contract
with ApostleX, or with anyone else for that matter. We followed
the guidance of the CDC, OGC, FFD, and others. Mark Gerber
(retired), with whom I had several calls, was very supportive of
ApostleX and my involvement with it. We spent months going
through the Privacy Threshold Analysis (PTA) steps to get the
Bureau to sign a contract and the other processes we were
directed to. We also never orally or verbally agreed to a
contract. It was our goal to have the FBI take on
pursuing a contract, not us.
At this point ApostleX was a concept and not a product. My
chain of command had no issue with me working with ApostleX to
develop the concept into a product. We were briefing our chain
of command regularly and we even brought in our Intel
supervisors. We wanted to make the product useful, not only to
us, but to other people throughout the Bureau as well. We
brought in CHS Coordinators, people from Intel, and people from
the VC program. We did not want to think singularly about our
violation.
It is required by FBI policy that we preserve OCE sessions,
but even to this day a means
does not exist to do that. I saw
it, and still see it, almost as an entrapment for OCEs, in that
we are required by FBI policy to preserve chats, yet the FBI has
not provided us with a means to do so. I realized just how bad
the disconnect with FBI HQ was when someone in
Executive Management told me he thought OCE chats were
automatically preserved. This blew me away as this could not
have been further from reality and shows how bad the
disconnect is between what FBI HQ perceives and the reality in
the field.
We saw ApostleX as an opportunity to address this and other
concerns, follow policy, and follow the law. Current methods
include all or nothing solutions, which result in "over-
collection" and create potential First Amendment issues, in that
they may record the communications of people who are not
involved in child exploitation crimes or violating the law.
ApostleX addressed this. The support we got from the onset of
that vision was incredible.
FBI HQ knew what we were doing because I discussed with
them the problems we were having with apps like Wickr. ApostleX
was already successful with some apps and was
working on Signal and a few others. ApostleX engineers figured
out how to make their program work with Signal while we were
working with them. They were going in the right direction, we
just needed to guide them towards a total solution to our actual
needs. They were already working on trying to fix the problem
OCEs were having in 2021. We just needed to work on how to
preserve apps that created secret and self-destructing chats.
The Apostlex company was never given access to FBI
information. They did not come into FBI space. We would FaceTime
them. We never gave them anything that belonged to the FBI. The
ApostleX program was installed on a completely standalone
computer that was connected to a misattributed Internet line. It
was never attached to any FBI networks, storage containers, or
covert networks, very specifically including the compromised
covert C-20 computer lab network that was previously discussed.
The computer with the ApostleX program was in FBI space. It
was an old computer that was going to be thrown away. It was a
covert computer. I cannot recall if we had a CS wipe the drive
of the computer or if it was provided to us with no drives and
we installed wiped drives. Either way, we had to install
operating systems. The CS was Jim Walsh. The computers were
given to us to use at our discretion. I do not remember if I told
him what the computers were going to be used for. I am not sure
if we got the computers before or after we heard the ApostleX
sales pitch. One event did not trigger the other, and it did not
matter as the computers were for covert use anyway.
ApostleX ran on a main computer. In our case it was the one
we set up. The ApostleX database resided on the computer and
the computer's sole function was to run the ApostleX server.
ApostleX allowed undercover phones to connect to it. ApostleX is
a server that sits on a computer and runs in the background.
There is a web-based computer interface. It only worked from
this one particular computer which sits behind a Virtual Private
Network (VPN). If I am an OCE using the Telegram app I would
connect my Telegram account to ApostleX. There is an
authentication process. We had the company add an icon that let
the OCE know ApostleX was working in the background preserving
the chats. The ApostleX company added a small icon that showed
ApostleX was active. ApostleX's integration was chat application
specific, so we were only preserving what needed to be
preserved. It started with Telegram. Around the time we were
told to shut down, it worked with Signal. We were getting close
with WhatsApp.
Any Telegram account we wanted to preserve would be added
to the ApostleX account. We had the ability to select what was
relevant and what was not. With appropriate authorization, we
could do an account takeover of a Subject's account. With
ApostleX there is an ability to avoid overcollection.
ApostleX was initially grabbing everything, and we would
need to check what to preserve. We wanted to make a parameter
for how long to keep information that was not checked, which
would then be purged. The accounts would be taken over through
consent or with a warrant. We were testing the capability of
ApostleX to preserve self-destructing chats. Initially, in the
testing environment, the disappearing chats were preserved on
both the sender and the receiver's telephones, which obviously
would not work for us. We worked with the company to address
that.
The ApostleX company did not have the ability to access the
data we collected from chat applications. The only data ApostleX
had access to was the telemetry. I believe OCIO looked at that
and was happy with it. SC Matt Smith from OCIO was also involved
and sent Requests for Information (RFIs) to our local ISSO, Jim
Eckel, who reviewed ApostleX, the code, and had at least one
call with them that I was a part of. I believe he also had
additional communications with them that I was not a part of. In
the end, I know that OCIO's questions were sufficiently answered.
We never went live with the ApostleX program and only
operated it in a testing environment. We did not use active
cases. We used dummy phones and OCEs chatting on the Telegram
application. We added a bunch of older OCE Telegram accounts to
test it out. The accounts we used were real covert accounts.
Some of the accounts were historical. When we synced ApostleX to
chat application accounts, the entire history of the chat
application account would be pulled. The information was
exclusively stored on the local hard drive of the computer
that ran ApostleX. One of the Telegram accounts I used
for testing was about 12 years old. The test accounts I used
were not involved in any chat groups that were pertinent. I am
not sure about the other folks who were testing ApostleX. I do
not believe anyone cared about the accounts we used. I believe
the historical data attached to the accounts had already been
adjudicated but it is possible some of the information may not
have been. I cannot say there was no evidentiary data put on the
standalone ApostleX computer, which is routine. Many undercover
Agents use multiple devices to access their accounts, including
both computer and cellular devices. Since the account originates
on their FBI-issued undercover phones, any ancillary devices
have no impact. I am positive having information
on the ApostleX computer was no different than having it on
any other computer. I did use a historic case to demonstrate how
we could export from ApostleX for discovery purposes. The case
was not fully adjudicated at that point. I am certain the
accounts we were using had no impact on any ongoing
investigation. There was likely CSAM from the historical
accounts that was extracted and uploaded onto the ApostleX
computer when the historic accounts were synced with the
ApostleX program. The ApostleX company or anyone else could not
see it, however.
It took a while to set the standalone ApostleX computer up.
We may have hooked the computer up in December 2021 or January
2022. We tested it intermittently for a couple of months. It
would be a long process to reconfigure things. We would
give feedback to the ApostleX engineers who monitored the
telemetry data and could see the issues with the ApostleX
program from their end as we tested it. Sometimes the fixes took
a few hours or a day or two. Once they had a fix, ApostleX
engineers would send me a document with instructions on how to
fix the issues. Any message that was sent from the company was
done through Bureau email. The instructions would be written in
the email itself or provided verbally. Though it is possible I
may have used my personal telephone to communicate with ApostleX
engineers using the video teleconferencing application, Zoom, I
do not recall for sure. I do believe I may have used my FBI
laptop and possibly my OCE telephone for the Zoom calls with
ApostleX engineers, however.
Sometimes the ApostleX engineer could see me during our
Zoom calls and sometimes not, however we also sanitized the FBI
space. We would input the instructions sent by the ApostleX
company into the computer with the ApostleX program on it. There
were a couple of times I ha