UNCLASSIFIED/MOM

EFTA00173373 Dataset 9 106 pages Download original PDF
UNCLASSIFIED/MOM 01/26/2024 New York, NY , having been duly sworn by Supervisory Special Agent (SSA) following statement to 01/26/2024, and and and and ., hereby make the on on 08/08/2024, on 10/07/2024, whom I know to be SSAs of the Federal Bureau of Investigation (FBI), assigned to the Inspection Division (INSD) at the time of my statement. My attorney, Richard J. Roberson, Jr., was present during my statement all occasions, via telephone. This statement took place over a three-day period. The statement initiated on 01/26/2024, and again on 08/08/2024, after additional allegations were added: I entered on duty (EOD) on 02/21/2006, as an Intelligence Analyst (IA). I EOD on 10/08/2008, as a Special Agent (SA) and I am currently assigned to the New York Field Office (NYFO) in that capacity. I understand that this is an internal investigation regarding an allegation that Special Agent improperly stored digital evidence at his residence in violation of 1.6- Investigative Deficiency- Improper Handling of Property in the Care, Custody, or Control of the Government. On 10/30/2023 the following expanded allegations were added: Special Agent improperly handled, documented, and stored digital evidence and failed to secure CSAM within policy, resulting in a cyber intrusion in violation of 1.6- Investigative Deficiency- Improper Handling of Property in the Page 1 of 106 UNCLASSIFIED//FOUO EFTA00173373 UNCLASSIFIED//FOLIO (94 Care, Custody, or Control of the Government and 5.17- Security Violation- Failure to Secure sensitive Equipment/ Materials. On 02/07/2024 the following expanded allegations were added: Special Agent exceeded the limits of his authority by contracting an outside company to develop computer software on behalf of the FBI in violation of 2.6 Misuse of Position and 5.23 Violation of Miscellaneous Rules/Regulations. I have been further advised of my rights and responsibilities in connection with this inquiry as set forth on a "Warning and Assurance to Employee Required to Provide Information" form FD-645 which I have read and signed. I understand from my review of the FD-645 that should I refuse to answer or fail to reply fully and truthfully during this interview, I can expect to be dismissed from the rolls of the 01/26/2024 New York, NY FBI. I have been advised by INSD not to provide the details of a whistleblower complaint I have filed with the Department of Justice in which I assert that these allegations are some of many retaliatory actions taken against me by the FBI that stem from a 2023 cyber intrusion of the NYFO's child exploitation forensic lab. While I will not go into details, I believe this is important to mention here given the very genesis of these allegations were derived from a directive to make me a scapegoat for the intrusion. I am happy to elaborate if requested, but in sum I was retaliated against for my having made numerous protected disclosures over the years that went unaddressed,l0 Page 2 of 106 UNCLASSIFIED//FOUO EFTA00173374 UNCLASSIFIED//FOUO 01/26/2024 New York, NY 8 which likely would have prevented the intrusion from happening. When the intrusion occurred, these disclosures, which I made again, caused FBI Executive Management (EM) to fear repercussions of their own failure to address the issues I presented before an incident like the intrusion could occur. I have proof upon proof that I was then targeted by FBI management as an attempt to make it appear that I and my squad mates were responsible. I know that INSD is in possession of the first of my submitted whistleblower complaints, but there are several other amendments as well as supporting documents that I can provide upon request. I am currently assigned to CT-25, a Domestic Terrorism squad, but assigned to an Enterprise Investigation that is a hybrid of Domestic Terrorism and Child Exploitation squad. I was assigned to squad CY-3 in May 2010 and officially named on the squad in July 2010. This was when the FBI's child exploitation program was referred to as "Innocent Images" and fell under the Cyber Division, while Squad. C-20 was the Human Trafficking (HT) squad at the time. I believe it was 2015 when Violent Crimes Against Children (VCAC) and HT programs were combined under the FBI's Criminal Division, which led to the merger of the violations in the NYFO under squad C-20. The squad is split and has the HT side and the VCAC side, and I was a VCAC Agent. Agents primarily work their assigned viol tions, but we come Q91)together as a squad for operations. Page 3 of 106 UNCLASSIFIED//F0130 EFTA00173375 UNCLASSIFIED//FOOD 01/26/2024 0 New York, NY I have been with the FBI for over 18 years, having spent the last 16 years as an Agent. I have been one of the FBI's leading Agents in Child Exploitation investigations and to this day, I believe that I am one of, if not the only, Court - certified expert witness for the entire FBI for child exploitation. I have personally accounted for over 60 arrests, 150 search warrants, and have been responsible for rescuing several hundreds of children. As is elaborated on in my Curriculum Vitae, which I have provided to INSD and has been introduced to certify me in Court as an expert witness, I also have received numerous awards and accolades, including but not limited to being a two-time recipient of the FBI's Medal of Excellence and the Southern District of New York's (SDNY) prestigious McCabe Award. I have an incredible reputation around the FBI and am seen as one of the hardest working and driven Agents in the FBI. In demonstrating the support I received, after the intrusion when FBI Headquarters (HQ) had begun its efforts to retaliate against me, the NYFO went to great lengths to push-back. Now retired Assistant Director in Charge (ADIC) defied orders from Assistant Directors (AD) and the Deputy Director (DD) to have me punished. This defiance led the DD to order charges against me, and months later I received the first of the referenced charges. The NYFO however still showered me with their support, with singing my Page 4 of 106 UNCLASSIFIED//FOUO EFTA00173376 UNCLASSIFIED//FOOD e:yraises to one " 01/26/2024 New York, NY , stating that he would rather have than 10 other Agents. The NYFO also nominating me for the second of the FBI Medal of Excellence awards I would receive in December 2023. Just months ago, in 2024, I was nominated for, but did not receive, the Director's Award, however at the same time I was nominated for an award from the Federal Law Enforcement Foundation and on 10/22/2024, I was informed I am receiving it. I can expand at length on the accolades and praise I have received from Agents, Analysts, management, HQ, Assistant United States Attorney's (AUSA's), local law enforcement, and more over the years. Even despite my current situation I continue to receive praise and support from all ranks and from AUSAs. Last month, in September 2024, the SDNY Project Safe-Childhood Coordinator (PSC) requested I assist her in providing child exploitation training to SDNY AUSAs. The PSC is aware I am no longer on the child exploitation squad, and finds the actions taken against me to be disgraceful. She also stated that despite it all, she considers me to be the best in the FBI. Regarding the allegations against me, it is my understanding that they stem, in whole or in part, from interviews conducted by the FBI's INSD in March 2023. Specifically, the statements I made during those interviews ..,•) Page 5 of 106 UNCLASSIFIED//FOUO EFTA00173377 UNCLASSIFIED//FOUO 01/26/2024 New York, NY ppear to have been the basis for the observations outlined in the subsequent INSD report, which the FBI has reported to be the foundation of these charges. I have since learned that this report was authored by someone two or three levels removed from me, relying on secondhand interpretations of my statements from the notes of the interviewers. I know what I said during the interviews, and the references in the INSD report do not accurately reflect my actual words. The INSD initially published a draft report around May or June 2023, which included observations closely mirroring the allegations against me. Both I and the NYFO leadership, including my observations inaccuracies former ADIC, as we believed were discussed countered these them to be inaccurate. These in detail during meetings with and FBI EM, and we later submitted a formal written rebuttal. However, the final INSD report, published in July 2023, failed to incorporate our responses. The observations based on my statements were neither revised to align with my rebuttal nor updated to reflect supporting evidence. I have also learned that the interviewers themselves were not provided with either the draft or final versions of the INSD report, nor were the interviewers informed of the responses submitted by me or the NYFO. Instead, the report's author relied Page 6 of 106 UNCLASSITIED//FOUO EFTA00173378 UNCLASSIFIED//FOLIO 01/26/2024 New York, NY solely on the interviewers' notes, which were not a verbatim transcription of the interview, and the interview itself was not recorded. This left critical context about my statements subject to the author's interpretation. Similarly, the rebuttals submitted to challenge the observations were not addressed. As a result, the final report left the original observations largely unchanged. In the interest of transparency, I am including the NYFO's final response to the INSD's draft report. This response was a collaborative effort between myself, my SSA, my Assistant Special Agent in Charge (ASAC), and the NYFO's Information System Security Officer (ISSO) . It was formally submitted as a rebuttal to the draft observations. Unfortunately, the final INSD report failed to incorporate these responses, leaving the contested observations intact. This is deeply troubling, as the allegations were contested from the outset with the full support of the NYFO chain of command. After reviewing the draft INSD report, the NYFO was afforded an opportunity to respond in writing to both the INSD "observations" and "findings". The following is the last version of the NYFO's response that had been drafted by III , and Office of the Chief Information Officer (OCIO) . In the "NY's Clarifications to the Page 7 of 106 UNCLASSIFIED//FOUO EFTA00173379 UNCLASSIFIED//FOOD Si 01/26/2024 New York, NY Inspection Report's Observations" section you will see listed the "Observation", which was identified by INSD, then the subsequent "Clarification of Facts", which was the NYFO's rebuttal to the observations. Following this section, you will see the "NY's Responses to the Inspection Report's Findings" section. Similarly, you will see listed the "Instruction", which was identified by INSD, then the subsequent "Response", which was the NYFO's rebuttal to the instruction. NY's Clarifications to the Inspection Report's Observations Observation 1: NY was operating a device providing Internet access through wireless connectivity in FBI secured space. Clarification of Facts: NY received authorization from Security Division in 2018 to utilize Wi-Fi devices within FBI space, as long as the device connected to the Wi-Fi was 10 feet from an Enterprise computer. Regardless, because C20 did not request the particular Wi-Fi modem/router which was in the lab at the time of the intrusion, the wireless features were never utilized and presently there are no wireless devices in FBI space. Page 8 of 106 UNCLASSIFIED//FOOD EFTA00173380 UNCLASSIFIED//FOLIO 01/26/2024 New York, NY Observation 2: NY was connecting overtly and covertly purchased IT on the IS. Clarification of Facts: Axiom, Cellebrite and GrayKey are LE tools purchased by CACHTU and used by DExT examiners in the Field. CACHTU advised the field to utilize UCO funds to make purchases of new equipment to support the tools. Observation 3: NY was storing DE overnight in an unapproved storage facility. Clarification of Facts: The previous practice utilized by was to image the Original Digital Evidence on the Network Attached Storage, place such in Evidence Control, and then copy the Original Imaged Evidence, creating a Master Working Copy. During specific times in 2020, created a copy of specific files/documents from the Master Working Copy and brought these limited working copy items home via his work laptop to perform work related tasks. The copies he took home to work on were copies of copies and were limited to specific files from the larger forensic images. The files/documents were not Page 9 of 106 UNCLASSIFIED//FOLIO EFTA00173381 UNCLASSIFIED//FOUO 01/26/2024 New York, NY contraband, classified material, CSAM, or sensitive material. Further, in 2020, FBI Management was authorizing and encouraging employees to work from home to limit the spread of COVID 19 in the office. did not store any files at his house. Once he completed his analysis he brought the electronic files/documents back to the office and appropriately disposed of same. Observation 4: NY did not appropriately image DE. Clarification of Facts: This is an issue C-20 has raised for years with HQ and has routinely asked for hard drives in order to comply with the policy, but has been denied and C-20 was advised they would have to pay for the drives. At the same time, HQ would not supply C-20 with the funds in order to purchase those same hard drives. Additionally, C-20 takes issue with the outdated process of creating derivative evidence onto an additional hard drive. As the volume of data that is being collected has increased exponentially over time, the amount and cost of using hard drives is impractical and costly. C-20 suggests the use of Page 10 of 106 UNCLASSIFIED//FOUO EFTA00173382 UNCLASSIFIED//FOUO 13) 01/26/2024 New York, NY servers or cloud storage as a means to store derivative copies of evidence, which can be reused at the conclusion of an investigation and when the evidence (and derivative evidence) is destroyed. Observation 5: NY did not appropriately verify analyzed images of acquired DE. Clarification of Facts: NY in fact did appropriately verify analyzed imaged of acquired DE by generating an FD-302 which documented in the substantive case file as well as at 305A-HQ-1654544- DEXT to account for the work performed. Any issues or discrepancies would be documented in the FD-302. A hash verification log was also generated and stored with the DE on the Network Attached Storage, which could be accessed at any time. Going forward, the hash value verification log will be attached to the FD-302 to ensure compliance with policy. Observation 6: NY was not appropriately documenting and storing ELSUR records in relation to undercover communications. Clarification of Facts: NY appropriately places OCE/UCE communications in Subfile G of the UCO, which Page 11 of 106 UNCLASSIFIED//FOUO EFTA00173383 UNCLASSIFIED//FOUO 01/26/2024 New York, NY is where CACHTU policy mandates these communications be placed. Observation 7: NY did not document meetings between UCE/OCE and SSA every 90 days and the SAC/ASAC every six months. Clarification of Facts: While the SSA and ASAC met with the OCE/UCE's connected to the UCO on a regular basis, primarily in the squad area and via the file review and CUROC process, NY will draft ECs documenting same in accordance with policy going forward. Observation 8: NY did not utilize covert methods to procure covertly purchased goods. Clarification of Facts: The items which were purchased are Law Enforcement only. NY was provided funding from HQ via the UCO to make this purchase with the understanding that it's a restricted purchase. Going forward, NY will ensure if a purchase needs to be made overtly, covert funding will be converted to overt funding by an approved FBI purchaser. Page 12 of 106 UNCLASSIFIED//FOUO EFTA00173384 UNCLASSIFIED//FOOO 01/26/2024 New York, NY Observation 9: NY was not documenting financial records relating to IMO activity to the appropriate CE subfile. Clarification of Facts: NY submits a monthly BlueSlip that contains all of the financial documentation for the prior month's financial activity. The same information that is required to be submitted to the CE subfile is contained in the BlueSlip. NY changed the individual who performs the accounting over time on a field office level and, while the information was recorded, it was not put into the CE subfile. Observation 10: NY did not properly report a security incident within SIRS. Clarification of Facts: The incident occurred during the night of Sunday, February 12, 2023. In the morning of Monday, 2/13/23, noticed his Talino was not operating correctly and began trouble shooting with the company and HQ. Upon determining a potential intrusion may have occurred, notified and CACHTU on 2/13/23. Following notification, notified Page 13 of 106 UNCLASSIFIED//FOUO EFTA00173385 UNCLASSIFIED//F0130 01/26/2024 New York, NY on 2/13/23. During the week of 2/13/23, there were numerous meetings between NY EM, NY Cyber and NY CIO, among others, in coordination with HQ. When there was an understanding of what occurred, III submitted a security incident report within SIRS on 2/17/23. Observation 11: NY did not implement encryption on devices or data on the IS. Clarification of Facts: There are broad contradicting policies as it relates to UCO IS. NY requested assistance in the development and testing the IS over the several years and was met with no response from OTD, CART, OCIO, and other HQ level entities. Going forward, recommendations from OCIO, OTD, etc., are being implemented. Observation 13: Policy regarding the requirements for patching, ATO, use of an ISSO, security monitoring, remote access, account management, maintenance or IT hardware, use of mobile devices, and approval for custom HATA solutions to include operational security, cost efficiency, SOPs, technical architecture, accounts and access, system access Page 14 of 106 UNCLASSIFIED//FOUO EFTA00173386 UNCLASSIFIED//FOUO 01/26/2024 New York, NY records, acquisition planning, user account guidelines, compliance with 0655PG, and training for covert ISs is insufficient. Clarification of Facts: NY has one ISSO, hired in mid-January 2023. NYO's ISSO is responsible for multiples sites. It is not feasible for one ISSO to effectively monitor and maintain IS's within the NYO. Industry standards recommend multiple individuals in different roles with qualifying credentials to ensure the integrity of IS's. Observation 15: NY stored CSAM from multiple investigations in an effort to identify victims across multiple cases. Clarification of Facts: As NCMEC only maintains the "MD5s" or "hash values" of the CSAM, not the actual media itself, NY stored CSAM on the IS for facial recognition and "photo DNA." PG 1157PG requires a CVIP comparison for CSAM which is facilitated through NCMEC and does not prohibit the creation of use of independent ISs to store and compare CSAM across multiple cases and field offices, noted in Page 15 of 106 ONCLASSIFIED//FOU0 EFTA00173387 UNCLASSIFIED//FOUO 01/26/2024 New York, NY draft INSD Report page 7. This should not be prohibited as it is not available through NCMEC/CVIP. Observation 16: NY did not follow minimal and commonly accepted industry wide security practices for the IS. Clarification of Facts: As there are numerous conflicting policies and constantly changing guidance regarding the IS, as it falls under a covert network, NY did not willfully violate policies or accepted industry wide security practices and welcomed any and all assistance from other field offices and HQ sections. Guidance and funding of recommended training, internal and external, should be provided by HQ to provide consistency of enterprise wide IS standards. Properly ensuring IS's are developed, maintained and monitored requires hiring and retaining qualified personnel such as ISSO's and ITS Network Specialist/Architectures. Special Agents and non-ITS Professional Staff are not technically trained and not equipped to act as a System Administrators Page 16 of 106 UNCLASSIFIED//FOUO EFTA00173388 UNCLASSIFIED//FOU0 01/26/2024 New York, NY NYO has one ISSO with responsibilities spanning NYO's Headquarter City and all Resident Agencies. The ISSO was hired and on-boarded in NYO mid-January 2023. NYO Security does not currently have ITS Network Specialist/Architectures. NYO Security would require a minimum of four ISSO's and five ITS Network Specialist/Architectures to ensure all IS's within NYO have a System Administrator and all IS's are securely developed, maintained and monitored. NIST and other industry standard best practices require designated personnel outside of the operating unit to act in these roles. Separation of duties is required to retain the integrity of the IS's. NY's Responses to the Inspection Report's Findings Instruction 1: ADIC NY shall ensure all unauthorized devices allowing Internet access through wireless connectivity are removed from FBI secured space or disabled. Response All non-approved wireless devices in FBI space are disconnected. Devices approved by division(:F1 1:? Page 17 of 106 UNCLASSIFIED//FOLIO EFTA00173389 UNCLASSIFIED//F000 01/26/2024 New York, NY head and the AD of SecD will remain operational only during mission critical needs at this time. Communication regarding the prohibited use of wireless devices within FBI space has and will continue to be disseminated on a regular basis. Signage is in place referencing policies prohibiting the use of wireless devices in FBI space. For example, signs are posted in each elevator bank of 26 Federal Plaza. All owners of overt and covert portable electronic devices (PED's) are required to register devices with NYO's Security unit whereupon the user accepts the terms of use for said devices. The terms of use include but are not limited to the prohibited use of wireless connectivity to include radio frequency connections such as Wi-Fi and cellular based Mi-Fi within FBI space. NYO's Security unit has engaged with NYO's Technically Trained Agents to begin routine sweeps within NYO's space to identify active RF's. If RF devices are identified without a waiver authorizing Page 18 of 106 UNCLASSIFIED//FOU0 EFTA00173390 UNCLASSIFIED//FOUO 01/26/2024 New York, NY use by NYO's Division Head and the AD of SecD, the device will be disabled and/or removed from FBI space. Instruction 2: ADIC NY will ensure overtly and covertly purchased IT is not used on the same IS. Response: While this is a HQ driven process, as CACHTU purchases Axiom, Cellebrite and GrayKey directly from the vendor on behalf of the Field Office and provides these tools to the Field, NY is in contact with CID to ensure IT meets this requirement, or a waiver is granted. Instruction 3: ADIC NY will ensure evidence is stored in a safe, secure, and approved manner. Response: II =Ilk refutes the assertion he took home and stored DE at his house. NY will ensure that appropriate policies related to storage of evidence are followed. Instruction 4: ADIC NY will ensure compliance to applicable policy when creating and maintaining derivative DE. Response: NY has consulted with CART and consistent with CART SOP and PG, the underlining Page 19 of 106 UNCLASSIFIED//FOLIO EFTA00173391 UNCLASSIFIED//Fou0 01/26/2024 New York, NY electronic device, as well as the Master Copy, will be entered into evidence as a 1B. A further additional copy will be made as a working copy on which the actual forensic work will be performed. NY will engage with CACHTU to obtain the appropriate funding required to obtain the required portable electronic storage devices to house the increased numbers of copies. Further, NY is working with NY Evidence and the Laboratory Division's Field Evidence Program to obtain authorization for standalone storage devices to be classified as an appropriate Evidence Control Room to house Derivative Evidence. The standalone storage device would contain the same Derivative Evidence which would otherwise be copied onto hard drives and physically checked into evidence. The storage device would be secured with sufficient user credentials and maintain access logs. The Derivative Evidence would still require an evidence submission to generate 'Bs for the Derivative Evidence. At the conclusion of the case, this Derivative Evidence can be deleted and the space made available for new Derivative Evidence to be stored, rather than continuously purchase new hard drives only to have them destroyed at the conclusion of an investigation. Page 20 of 106 UNCLASSIFIED//FOLIO Cl EFTA00173392 UNCLASSIFIED//FOUO 01/26/2024 New York, NY Recommendation 5: ADIC NY will ensure compliance to applicable policy when creating and maintaining derivative DE. Response: NY performs post examination reviews and documents them via an FD-302. A hash verification log is also created. Instruction 6: ADIC NY will ensure compliance with requirements to document ELSUR records in accordance with applicable policy. Response: NY ELSUR stated any communications that occur via a covert platform (i.e an OCE/UCE cellular phone) is not ELSUR evidence. Instruction 7: ADIC NY will ensure compliance with requirements to document meetings between undercover personnel and the appropriate SAC/ASAC and SSA. Response: NY will document meetings held with the SSA/OCE and SAC or ASAC/OCE and place in the appropriate subfile of the UCO via an EC. Page 21 of 106 UNCLASSIFIED//FOUO a EFTA00173393 UNCLASSIFIED//FOU0 01/26/2024 New York, NY Instruction 8: ADIC NY will ensure compliance with requirements to employ covert methods to obtain goods when using confidential funding. Response: NY will ensure compliance with requirements for making covert purchases. NY Security has implemented approval processes for the purchase of IT equipment. A review of the equipment and purchase method will be conducted and approved appropriately. NY CSO is now a member of the UCO local review board to ensure all policy is adhered to when purchasing, implementing and utilizing overt/covert electronic devices and IS technology. Instruction 9: ADIC NY will ensure compliance with requirements to maintain and document financial records related to UCO activity. Response: NY will ensure that all financial documentation will be placed in the CE subfile. Instruction 10: ADIC NY shall ensure compliance with security incident reporting requirements to report security incidents within SIRS. Page 22 of 106 UNCLASSIFIED//FOUO EFTA00173394 DNCLASSIFIED//FOU0 01/26/2024 New York, NY Response: NY will work with the NY CSO to ensure all security incidents are reported within the prescribed time frame per policy. Instruction 11: ADIC NY shall ensure compliance with encryption requirement for the IS. Response: While this does not apply to the UCO, NY will ensure compliance with encryption policy as applicable. NY0 Security has engaged with OLIO to develop secure network protocols based on industry standards such as NIST to include encryption at rest and encryption in transit. Recommendation 15a: ADIC NY should no longer maintain a set of CSAM for independent analysis outside of the CV/P approved hash based searching tools. Response: NY fulfills its requirements to submit images of CSAM to NCMEC via the CVIP. After the final INSD report came out, I was advised that eceived a call from IIIIIIIIIIlla 111.1who were accusing me of making statements to the effect of having no regard for following policy. This is of course Page 23 of 106 UNCLASSIFIED/MOOD EFTA00173395 UNCLASSIFIED//F000 categorically false and thankfully much, especially when neither AD could or would provide any details regarding the allegations such as who heard it, where it 01/26/2024 New York, NY believed as was documented, or why it was only then being addressed. However, in response, I submitted the following: "Bosses, Regarding the assertion that I made a statement indicating I would violate policy for the sake of an operation is a utter non-sense. Furthermore it is a gross miss- interpretation of the conversation that was had and quite frankly an insult to my character and integrity. Aside from lacking context, the choice of words used is blatantly misleading. I'm happy to provide as much context as needed, but in short I have never, and would never, jeopardize any investigation (or my career) by intentionally violating policy. What I have done, and would do, is anything to save the life of a child. What I said that has been misconstrued, was that I would do anything to save the life of a child, and that if I were to ever violate policy or the law, it would ONLY be because there was an imminent (taj threat to life in which a clear and articulable except would apply. Page 24 of 106 UNCLASSIFIED//FOU0 EFTA00173396 UNCLASSIFIED//FOUO 01/26/2024 New York, NY I stand by that statement and take great pride in my knowledge of both the law and policy as it pertains to our investigations and operations. If requested, I can provide several examples of having to act under the emergency exception clause, which have all been justified. If requested, I can also provide examples of times in which I didn't, even though doing so would have been easier for the "operation". I could write a novel defending myself, my words, and my intentions; and will if requested. For now I'm relying on my 15 years as an Agent with outstanding PARs, numerous awards and accolades, my contributions to policy revisions, and my reputation to satisfy any concern that may exist." I believe Digital Extraction Technician (DExT) training was opened to VCAC Agents in 2012. Int was my instructor for DExT. As of 2023, I knew Ledford was a Unit Chief (UC) and led the Cyber Action Team (CAT) . I believe at least three or four of us initially received DExT training in approximately 2012, but I think all of us working Innocent Images/VCAC on the squad were eventually trained. However, once the child exploitation program moved from the Cyber Division to the Criminal Division, that changed. The funding we received through the Criminal Division was significantly less than what we received through Cyber Division, so the DExT program was no Page 25 of 106 UNCLASSIFIED/At/OO EFTA00173397 UNCLASSIFIED//FOUO (i) longer able to put on as many classes and certify as many people as it had before. By the time of the intrusion that forms the basis of this internal inquiry, only about half of the "child exploitation" Agents on my squad were DExT certified. This is while we were still with CY-3. We got certified because the Computer Analysis Response Team (CART) was long overburdened, and not familiar with the nuances of the child exploitation violation, such as the types of programs used by offenders, the vernaculars, etc. It was also known, and something I witnessed personally, that due to the reliance on CART and how long it would take for them to prepare a case for review, "hands-on" offenders were not being arrested in a timely manner. This resulted in the continuation of child victimization at the hands of the offenders the FBI was actively investigating. This was around the same time Agents working other violations began to also see an increase in the collection and reliance upon digital evidence in their cases. As DExTs, we were encouraged, and in some cases I believe required, to assist CART with their backlog by conducting DExT extractions for other squads. The other reason was to eliminate the lag time in searching evidence and identifying contact offenders (offenders who physically exploited or physically assaulted children) sooner. VCAC investigations are different than most other FBI investigations since, in VCAC investigations, a search warrant is generally executed in the early stages of an investigation, 01/26/2024 New York, NY Page 26 of 106 UNCLASSIFIED//FOUO EFTA00173398 UNCLASSIFIED//POU0 01/26/2024 New York, NY and the evidence needed to arrest and charge an offender is usually derived from the materials seized during the execution of a search warrant. Whereas other squads, generally speaking, execute search warrants at the culmination of their investigations. was a UC of the Crimes Against Children Human Trafficking Unit (CACHTU) at FBI HQ and eventually an ASAC at NYFO. He was a huge proponent of DExT. Being DExT trained allowed us to conduct our own data extractions faster, but more importantly, it allowed for a faster and more efficient way of identifying "contact", or "hands-on", offenders and, thus, rescue child victims of sexual abuse before they could be further victimized. After becoming DExT certified, we received DExT equipment that allowed us to image, process, and better review the digital files. The DExT training allowed us to better use FBI analytical programs to review digital evidence. Being DExT certified allowed us to assist CART by offering an alternative for other squads to use for data extractions. At the time, CART was not located in NYFO Headquarters City (HQC) . CART was located in Moonachie, New Jersey. It could take an hour to get to the CART lab from the NYFO. CART evidence reviews needed to take place there and it could take all day. CART eventually moved to NYFO, HQC. The volume of data extractions we took on lessened the burden on CART. At least in New York, CART only had one or two Page 27 of 106 UNCLASSIFIED//FOUO EFTA00173399 ONCLASSIF/ED//FOU0 01/26/2024 New York, NY examiners who could handle data extractions immediately, and almost certainly none who could respond after hours or on weekends. Since we dealt with child victims, it was, and is, imperative that the digital evidence be processed immediately. In nearly every child exploitation investigation the digital evidence is quite literally the evidence to prove the crime and without a prompt review, there is no probable cause to effect an arrest, putting the lives of child victims in continued danger. It is that very risk, the risk of continued abuse, that has prompted the FBI to enact new policies requiring expeditious investigation into allegations of child exploitation. This includes the expeditious review of evidence. Prior to the DExT training, triaging electronic media on the site of a search warrant was not really a practice. We had to take digital evidence back to the office to view it and we relied more on the post-search interview. After a search, we had to go back and arrest an offender once we found the evidence. This made for a significantly more dangerous arrest because the offenders knew we were coming. There was also the potential for offender suicide. We had three offender suicides that I can recall. There was also concern, based on it having actually happened, that during the time it took the FBI to review seized material, the offenders were continuing to engage in the sexual exploitation of minors. The DExT program sought to remedy thi problem by expediting the time it took to conduct forensic (SC/) Page 28 of 106 UNCIASSIFIED//FOU0 EFTA00173400 UNCLASSIFIED//FOUO CE:) reviews, thereby expediting our ability to rescue affected children. NYF0 SAs / / , and I were DExT trained. SA (aka III) was also DExT trained. was the last to be trained while our squad fell under Cyber Division. At the time, I was the most junior Agent on the squad. Before being DExT trained, all of our digital evidence was submitted to CART for data extractions, imaging, and processing. We did have access to the Case Agent Investigative Review (CAIR) system, a forensic tool for data review, but the program was slow, not capable of handling large evidence reviews, did not work all that well, and did not do what we in the child exploitation program needed it to do. As a result, rather than using CAIR, Agents on the squad opted to travel to Moonachie, New Jersey, where CART was located, to conduct their reviews on site versus over the CAIR network. The ineffectiveness of CAIR was no secret and was widely known, and one of the reasons for the creation of the autonomous DExT labs. After collecting digital evidence, I would enter the digital evidence into the Evidence Control Unit (ECU) and get a 1B evidence number assigned. I would then enter a CART request with a description of what forensic examinations I needed to be performed and information on the device that needed to be extracted. Then I would submit it to CART. It could take a day or two to get the evidence to CART and the amount of time it 01/26/2024 New York, NY Page 29 of 106 UNCLASSIFIED//FOUO EFTA00173401 UNCLASSIPIED//FOU0 (!:/) ould take CART to process the evidence varied. It could take weeks or months. Once it was extracted, CART would process it in the Forensic Tool Kit (FTK). We could review the data on CAIR or go to Moonachie to review it. Everyone on the squad, for the most part, chose to go to Moonachie. CART Digital Forensic Examiners Stephen Flatley and Carlos Koo eventually set up a spot in NYFO, HQC to do data extractions. Even after receiving DExT training, we used CART for things like very large media dumps/extractions and encrypted files. We also used them to help us with understanding what some of the digital evidence was. I believe CART may have provided us digital copies of the data extraction and I think it may have been on DVDs. They would have been accessible on Operational Wide Area Network (OPWAN) as well, but we did not have OPWAN and would have to go to CART to access that anyway. I do not recall what we did with the copies on DVD. CART may have checked them into evidence and provided a working copy. The DExT trained Agents would do data dumps on everything we could like hard drives, loose media, and thumb drives. At this time, telephones that were seized still needed to go to CART for processing. In 2015, generally if it was a device we could image, we would follow this process. We would use write blockers to assure we did not accidentally manipulate the original data. We would create an image of our evidence; sometimes we would use another hard drive. We imaged and processed the data. We had some hard drives, but I am not sure where they came from. I believe HQ 01/26/2024 New York, NY Page 30 of 106 UNCLASSIFIED/MONO EFTA00173402 UNCLASSIFIED//FOOD Dent us a box of hard drives. I also believe CART may have given us some as well. We used a forensic duplicator called a TD3, and later a TX-1 as well as FTK Imager, to image a device onto a hard drive and make the derivative evidence. We would then make a working copy image off of the derivative evidence. We would then work off of the working copy. I am 'pretty sure the derivative evidence was cataloged and placed in the NYFO ECU if that was the policy, but if that was not the policy we would not have done that. The DExT Program provided us with Redundant Array of Independent Disks (RAIDs) . These RAIDs were to be used to house our working copy evidence images. I initially advised the interviewing SSAs, once we ran out of hard drives for derivative evidence, we were instructed to use the RAIDs and that these instructions came from either a squad mate or my supervisor. This is true, as it was the SSA and the case Agent for our squad's Group II whose responsibility it was to request and receive funding and equipment. Any requests that we needed were routed through them, and the Group II case Agent was also one of our DExT Agents who also faced the same issues of not having the hard drives to create derivative evidence. However, I also recall these instructions were provided by HQ, either our Program Manager (PM), the DExT PM, or both. This may have occurred in 2012 when I went through the DExT program and continued over the years. As there has been a revolving door of PMs, I do not recall the names of the people I 01/26/2024 New York, NY Page 31 of 106 UNCLASSIFIED//FOUO EFTA00173403 UNCLASSIFIED//FOLIO gspoke with at the time but can provide as many names of PMs who I can recall had been there over the years. Typically, the person running a Group I or Group II Undercover Operation (UCO) investigation and the squad SSA would be the people who communicated with HQ for resources. As an example, I recall in 2015, I sent an email to SA Tommy Thompson, who was the case agent of our squad's Group II, asking for some large capacity hard drives with our remaining Group II funds. This was one of many requests I made, which were generally verbal, for equipment/resources. At the time we were still merged with Cyber. When we moved to the Criminal Division, our funds were nearly wiped out. Sometime thereafter, III' 'I'll left NYFO and became a DExT PM at FBI HQ. She would often complain about a lack of funding. When we first became DExT trained, it was much easier to comply with the policy since the size of the data was significantly smaller than it is today. For example, telephone dumps then often fit on a DVD, or worst case a Blu-ray DVD. Today, DVDs are nearly obsolete as the size of data collections has become enormous, requiring large capacity hard drives which are more expensive and harder to get. To be 100% compliant with the existing policy each year, it would likely require C-20 alone to purchase over a hundred hard drives, and this is just one squad in one office. To ensure that everyone in the FBI is compliant each year, the FBI would likely 01/26/2024 New York, NY have to purchase thousands of hard drives, then do this year Page 32 of 106 UNCLASSIFIED//FOUO EFTA00173404 UNCLASSIFIED//FOOO after year. But the FBI does not do this and the policy it 9) created to cover search warrants decades ago has not changed, despite the fact the environment the policy applies to has. This is one of the several fundamental flaws that I have and continue to voice. If creating derivative evidence is a requirement, then why does the FBI not automatically provide the hard drives? How can the FBI enforce a policy without providing the field with the ability to comply? If, in nearly every search warrant executed FBI-wide electronic media is seized, resulting in the need for derivative evidence hard drives, why is it then incumbent upon each individual squad, in each office, under each program and division, to figure out a way to obtain the funding to purchase them? If the FBI knows hard drives cannot easily be purchased in bulk, and that there are security requirements on where the drives must be manufactured, why does the FBI not just purchase them for us rather than place that nearly impossible burden on us? In approximately 2017 I took over as case Agent for our squad's Group II. As the case Agent I was able to use Group II funds to make purchases, which were obligated to us through CACHTU. I was running out of hard drive space for derivative evidence and of storage space in general. The PMs told us buying hard drives in bulk was a problem. The stores had a capacity limit, but I was advised to try anyway but was not successful. I would purchase the drives on Amazon, like I was instructed to do Page 33 of 106 UNCLASSIFIED//FOUO 01/26/2024 New York, NY EFTA00173405 UNCLASSIFIED//FOUO (—/li y HQ, until my covert account was shut down by Amazon since the purchasing of large quantities of hard drives was flagged as suspicious. We were also purchasing hard drives from New Egg, like we were instructed to do by HQ, specifically SSA Heath Graves who was the DExT PM, because they could sell bulk (10 or more) hard drives, but I was later told by someone in the Procurement Unit we could not use New Egg. This left us with very few options for buying hard drives and despite voicing these issues, no one at HQ offered a solution. In speaking with other Agents across the FBI, I learned this was a common problem. I went to CART who gave us what hard drives they could spare. I specifically sought assistance from senior CART Technician Steven Flatley on a regular basis and aside from seeking his expertise, I constantly bothered him for hard drives and other needed items. In 2017 I began to gain a voice among many FBI Child Exploitation circles. I took over our squad's Group II UCO, and almost immediately converted it into a Group I. This conversion, which allows for the use of sensitive techniques, was done due to my desire to enhance our undercover capabilities and increase our effectiveness by using some of the most robust undercover techniques available at the time. While every undercover operation must be approved every six months in front of the Criminal Undercover Operations Review Committee (CUORC), because ours was now a Group I, it also had to be presented up through 15 CACHTU and approved by the AD. During the CUORC, I brought up 01/26/2024 New York, NY Page 34 of 106 UNCLASSIFIED//FO4O EFTA00173406 UNCLASSIFIED//FOLIO (i)the funding issues. In the funding section we discussed what we spent and what we anticipated to spend. During my time as the case Agent for my squad's Group I, my squad's statistical accomplishments increased exponentially. The number of undercover sessions conducted by my squad increased by 198% in the four years after I took over the NYFO child exploitation program compared to the four years prior. This meant an increase of approximately 2000 undercover sessions in the same four-year span. More significantly, however, was how I tasked undercovers and provided direction to ensure the program worked to identify the most vulnerable of the exploited children; and set out to rescue them. The results cannot be overstated in that the lives of hundreds of children were saved. While I am personally responsible for saving the lives of hundreds, many hundreds, if not thousands more were saved because of how I managed and directed the child exploitation program. 01/26/2024 New York, NY In 2018 I did a five-week temporary duty assignment (TDY) at CACHTU. My former SSA, Sean Watson, was the UC there. My job was to call every VCAC Group I and Group II UCO Case Agent and ask questions about the issues they were having and to provide recommendations on how to better the program, how CACHTU could better assist the field, things that needed improvement, etc. I learned a lot about the issues affecting the entire child Page 35 of 106 UNCLASSIFIED//FOUO EFTA00173407 UNCLASSIFIED//FOUO @I) xploitation program and, while there were some differences in the issues facing some offices over others, there were a number of common issues that impacted every office. These issues largely dealt with lack of guidance, direction, training, equipment, DExT support, funding, and personnel. I drafted a summary of the calls I made and created a section for complaints from the field in reference to DExT and provided my assessment to CACHTU leadership. One of the many takeaways was that nearly every office had different understandings of and methods of complying with policy and guidance. The lack of and often conflicting guidance and policy both from CACHTU and from individual field office chains of command had led to each field office having to adapt their ways and creating a complete lack of consistency across the FBI. This summary was also provided to the interviewing Agents, and I can make it available to whomever needs it. This same assessment, as well as additional details were also provided to Bryan Vorndran, who was the Deputy Assistant Director (DAD) who covered child exploitation, as well as to my immediate supervisor and to the supervisors/PMs at CACHTU. This came as DAD Vorndran separately requested a working group of Subject Matter Experts (SMEs) to address the needs of the VCAC program. I explained to him how we had equipment, training, and guidance needs and provided my assessment both orally and in several documents. Page 36 of 106 UNCLASSIPIED//FOUO 01/26/2024 New York, NY EFTA00173408 UNCLASSIFIED//FOU0 01/26/2024 New York, NY Also in 2018, CACHTU PMs SSAs Michael Deizlak and Matthew Chicantek were presenting to EM on the issues facing child exploitation investigations. SSA Deizlak and SSA Chicantek requested information from me that they wanted to present. I emailed SSA Deizlak and SSA Chicantek, along with UC Sean Watson of CACHTU, the write-up I sent after my TDY as well as a separate, even more detailed summary of the issues. In this three -page summary I talked about the need to appropriate money for equipment, as well as details regarding issues affecting the program, including the DExT, guidance, support, and more. Others and I made it very clear to HQ that we did not have hard drives. Every now and then they would send us some and every now and then they would send funds, but nothing was consistent. I also informed my SSA of the need for hard drives. I was aware he knew we needed them and there were no funds. Other Agents were dealing with the same issues. It has been, and continues to be, the practice of VCAC Agents to create derivative copies of original evidence if derivative hard drives are available. However, given the long history of not receiving either the hard drives or the funds to purchase them, VCAC Age