Sample Forensics Report

Overview / Case Summary

On April 11, 2011, Paul Ceglia filed an Amended Complaint seeking a share of
Facebook. Mr. Ceglia based his claim on a purported contract between Mr. Ceglia and
Mark Zuckerberg (the “Work for Hire Document”). In addition, the Amended
Complaint included excerpts of purported emails between Mr. Ceglia and Mr.
Zuckerberg (the “Purported Emails”).

Objectives
This report is a summary of Stroz Friedberg’s findings regarding the authenticity of the
Work for Hire Document and the Purported Emails based on its analysis of the media
produced by Mr. Ceglia pursuant to data received as part of expedited discovery. This
report is not intended to detail each and every aspect of Stroz Friedberg’s work in this
engagement.

Evidence Analyzed
Pursuant to the Court Order, Stroz Friedberg collected digital media made available by
Mr. Ceglia. Stroz Friedberg inspected the data on the following media for analysis
according to the terms of the Court-ordered Protocol:

A Compaq Presario SR5413WM desktop computer with a 250 gigabyte hard drive.
An eMachines ET1161-05 desktop computer with a 160 gigabyte hard drive.
A Toshiba Satellite L305-55968 laptop computer with a 320 gigabyte hard drive.
A 200 gigabyte Maxtor Personal Storage 3200 external hard drive.
A 500 gigabyte Western Digital internal hard drive.
174 floppy disks.

https://www.cybersleuthlab.org 1.504.608.5766 [email protected]



Using widely-accepted digital forensic techniques and procedures, digital forensic

personnel from Stroz Friedberg made bit-for-bit, verified forensic copies or images of:
the hard drive within the Compaq Presario desktop computer; the hard drive within the
eMachines desktop computer; the hard drive within the Toshiba Satellite laptop
computer; the Maxtor external hard drive; the Seagate Hard Drive; and 173 of the 174
floppy disks.

The digital forensic copying process captured the entire contents of each piece of
media, including the active user-accessible files, the deleted files, and the unallocated
space, which may contain deleted content. Because the forensic image created by
Plaintiff’s Expert is a forensic image file, Stroz Friedberg used a forensically-sound copy
method to copy the forensic image file on that drive to preservation media.

Investigation Steps
Stroz Friedberg conducted its analysis of the Ceglia media pursuant to the Protocol
issued by the Court. Stroz Friedberg searched and analyzed the Ceglia Media “to
identify only documents, data, fragments, and artifacts that reasonably appear[ed] to
be related to the authenticity of the [Work for Hire Document] attached to the
Amended Complaint and the [P]urported [E]mails described in the Amended
Complaint.”. The documents, data, fragments, and artifacts found by Stroz Friedberg
that reasonably appeared to be related to the authenticity of the Work for Hire
Document or the Purported Emails first were produced to Mr. Ceglia’s attorneys for a
privilege review. The material was turned over to attorneys from Gibson Dunn only if
no privilege objection was raised, an asserted privilege objection was withdrawn by Mr.
Ceglia or his attorneys, or an assertion of privilege was overruled by the Court. Stroz
Friedberg has followed the terms of the Protocol for all data found on the Ceglia
Media and any other data subject to the Protocol during its analysis, including the
procedures for privilege review and production set forth above and the maintenance of
a search log.

1.504.608.5766 info@ cybersleuthlab.org https://www.cybersleuthlab.org



During this analysis, Stroz Friedberg employed a methodology tailored to the particular
facts of this case. Stroz Friedberg’s methodology included: (1) conducting keyword and
other searches of the digital forensic copies of the Ceglia Media and other data,
including webmail accounts, to identify responsive documents or fragments of
documents; (2) manually reviewing the documents containing keyword hits, certain
unsearchable file types, such as image files with no text, and other documents to
determine whether they were relevant to the authenticity of the Work for Hire
Document or the Purported Emails; and (3) reviewing the digital forensic copies of the
Ceglia Media for digital forensic artifacts relevant to the authenticity of the Work for
Hire Document or the Purported Emails.

Findings
No exact copies of the Work for Hire Document were found on the Ceglia Media,
which comprised hundreds of pieces of media - including computers, hard drives and
floppy disks. Stroz Friedberg used a methodology that would have identified any
copies of the Work for Hire Document on the Ceglia Media if they had been present.

Instead of the purported Work for Hire Document, Stroz Friedberg found on the Ceglia
Media seven unsigned versions of the Work for Hire Document that are very similar but
not identical to the purported Work for Hire Document. All seven of those electronic
documents contain metadata anomalies indicative of backdating and document
manipulation.

Mr. Ceglia’s Amended Complaint purports to quote from or otherwise reference 22

Purported Emails between Mr. Ceglia and Mr. Zuckerberg. During the litigation, Mr.
Ceglia acknowledged that he did not keep the Purported Emails referenced in the
Amended Complaint in their original native form, that is to say, as individual files in
message format. Rather, he claimed to have copied-and-pasted the text of the
Purported Emails into Microsoft Word documents saved to floppy disks in order to
maintain copies of these messages.

1.504.608.5766 info@ cybersleuthlab.org https://www.cybersleuthlab.org



Stroz Friedberg found substantial evidence that all three of the Word documents
containing the purported emails are backdated. The effect of backdating is to obscure
the true date and time at which computer activity, such as the creation or modification
of documents, occurred. Backdating can be accomplished by setting the system clock
on a computer hard drive to an earlier date, such that activity that occurs on the hard
drive while the computer is in a backdated state will appear to have occurred at that
earlier time.

Moreover, the last printed date of the document is February 15, 2011, while the
document’s last modified date is April 25, 2003. As discussed above, absent
backdating or manipulation of the system clock, it is not possible for a file’s last printed
date to post-date its last modification date. Therefore, this document was fabricated on
or after February 15, 2011. This date is years after the Work for Hire Document was
allegedly signed and months after Mr. Ceglia filed this lawsuit.

Conclusion
Stroz Friedberg found direct and compelling digital forensic evidence that the
documents relied upon by Mr. Ceglia to support his claim are forged. Stroz Friedberg
also found what it believes to be the authentic contract between Mr. Ceglia and Mr.
Zuckerberg. That contract contains no references to Facebook. As described more fully
in this report, Stroz Friedberg made the following findings bearing on the authenticity
of the Work for Hire Document and the Purported Emails:

Stroz Friedberg did not find any exact copies of the Work for Hire Document on the
hundreds of pieces of media produced by Mr. Ceglia, including three computers, three
hard drives, 174 floppy disks, and 1,087 CDs (hereinafter, the “Ceglia Media”).

Stroz Friedberg did find a signed copy of an April 28, 2003 contract between Mr.
Ceglia and Mr. Zuckerberg, though it concerns only Mr. Zuckerberg’s work on the
StreetFax project and includes no references to Facebook.

1.504.608.5766 info@ cybersleuthlab.org https://www.cybersleuthlab.org



Stroz Friedberg identified seven unsigned electronic documents on the Ceglia Media
that are variants of the Work for Hire Document. All of these electronic documents
were backdated to appear as if they were created at earlier dates. They appear to be
part of an effort to create a fraudulent contract.

Stroz Friedberg did identify the Microsoft Word documents into which Mr. Ceglia
claims to have copied-and-pasted the text of the Purported Emails. All of these Word
documents were backdated to appear as if they were created at earlier dates.

The Purported Emails themselves, which Mr. Ceglia has proffered as authentic
communications with Mr. Zuckerberg, are fabricated. Many of the Purported Emails
reflect the wrong time zone. For example, all of the Purported Emails purportedly sent
from October 26, 2003 to April 4, 2004 contain the “-0400” time zone stamp that
reflects Eastern Daylight Time. However, Eastern Daylight Time was not in effect during
this time. There is no place in the Continental United States from which Mr. Ceglia
could have sent these Purported Emails with an accurate “-0400” time zone stamp.

The Purported Emails have formatting differences in the email headers that are
inconsistent with Mr. Ceglia’s explanation that he copied-and-pasted the emails into
Word documents. These formatting differences indicate that the Purported Emails were
typed or edited manually and were not solely the result of a copy-and-paste operation.

There is no digital forensic evidence on the Ceglia Media supporting a conclusion that
the Work for Hire Document or the Purported Emails are authentic documents dating
from 2003 and 2004. To the contrary, the digital forensic evidence strongly indicates
that these documents were fabricated by Mr. Ceglia at a later date.

1.504.608.5766 info@ cybersleuthlab.org https://www.cybersleuthlab.org



Exhibits:

1.504.608.5766 info@ cybersleuthlab.org https://www.cybersleuthlab.org