General

Part #2: Battle of Experts –Kiper v. Loveall – on FBI Tampering in Raniere Case: 37 New Files on Camera Card

08/02/2023·

Frank Parlato

The Eastern District of New York (EDNY) requested David Loveall II, an FBI Senior Computer Scientist, counter the claims made by J. Richard Kiper in his report concerning allegedly manipulated digital photographs of Camila.

Kiper Report

Loveall Report

Kiper’s “Summary of Technical Findings,” dated April 25, 2022. was used by Keith Raniere in his Rule 33 Motion for a new trial.

Three digital devices are relevant

A Canon EOS camera

A CompactFlash (CF) camera card

A Western Digital Hard Drive

Eleven months after they seized the hard drive, the FBI found 22 illicit pictures of Camila on it.

y analyzing metadata from the digital photos, the FBI deduced Raniere used the Canon camera to photograph a then-15-year-old Camila in 2005.

Part 1 Battle of Experts: Kiper v Loveall on FBI Tampering in Raniere Case

This is Part 2, which relates to “Finding #2” of Kiper’s, which concerns the FBI’s two examinations of the compact flash (CF) card found in the Canon camera.

Dr. J. Richard Kiper PhD….

The government’s argument at trial relied on linking the CF card to the hard drive that received Camila’s backup photos from the CF card. There were no Camila photos found on the CF card. But there were other similar photos of adult women on the CF card found on the hard drive.

What is not in dispute

About a month before the trial, on April 11, 2019, FBI Forensic Examiner Stephen Flatley made a copy of the CF card for analysis, listed the files on it, and made a report using AccessData Forensic Toolkit (FTK).

The report showed four photos, 180-183, [of a woman named Angel] that are common to both the hard drive and the CF card. No other files on the CF Card report matched the “backed up” files on the hard drive.

On June 10, more than a month into the trial, FBI Special Agent Christopher Mills gave the CF card to FBI Forensic Examiner Brian Booth.

FBI Special Agent Michael Lever asked Booth to conduct a second examination and produce a new report on the CF card, which was dated June 11, 2019.

This new report contained 37 new files that were not in the first report, making the connection between the CF card and the hard drive much stronger.

The 37 photos in the new files however couldn’t be viewed.

The original CF Card files (shown in white) could be viewed in both reports.

Kiper raised questions about the arrangement of the n37 ew files in the June 11 report.

Eight of them come before a group of “common” photos and another eight appear just after a range of the alleged Camila photos. He said the placement seems unlikely to be a coincidence. The Camila photos were not included in either of the two CF Card reports.

There’s also a photo labeled 42 which only appears in the June 11 CF Card report and seems to fill a gap in the file names. The file names on the new report are continuous with no missing names or gaps within each group of new files.

This is unlike the Western Digital hard drive report, where there are missing file names and gaps.

2nd Forensic Report on CD Card

The same software was used for both reports, so, according to Kiper, this difference can’t be because of a new tool or method.

Kiper suggests the 37 new files on the second report might not be from the CF card for several reasons:

The actual photos cannot be viewed in the report.

The unique codes (MD5 hashes) for these files do not match the ones on the hard drive.

The second report doesn’t include the file sizes, so we can’t compare the sizes of these files to the ones on the hard drive.

The software was unable to recover any viewable photos from these new files.

There’s not much connecting these new files to the ones on the hard drive, except their names and the dates and times they were created, which can be easily changed.

There’s not much evidence that these new files are real digital photos. There’s no data about them, no viewable images, and no thumbnails. But the new files match the names, dates, and times of files on the hard drive, which makes it look like the hard drive’s files originally came from the CF card.

Kiper says 20 files, labeled 81-100, looks like someone added these, but didn’t bother to put them in the same folders as the hard drive. To believe these files are legitimate, you would have to believe that the user of the CF Card took photos, saved them on a computer, returned to the CF Card, and deleted certain photos.

Kiper thinks the FBI added the 37 new files to the CF card to make it look like there was a stronger connection to the hard drive with the illegal photos.

He says the tamperers messed up the creation and deletion of the new files, which is why they can’t be seen in the report.

Kiper says the deleted files weren’t deleted in a way that would stop the FBI’s tool from recovering them. This tool could recover deleted files and even photos from the CF card.

Kiper wrote: “[I]n my expert opinion all indications of means, motive, and opportunity point to FBI employees creating the appearance of additional files on the CF Card in order to substantiate a relationship between the CF Card and the WD HDD containing the alleged contraband.

Loveall Replies

Lovell rebuts in his report:

Kiper claims that “additional files appeared on the FBI’s forensic report of the CF Card between 4/11/19 and 6/11/19, in an apparent attempt to create a stronger relationship” between the camera card and the hard drive.

This finding is misleading… because the settings used to process and generate the two forensic reports generated on those dates were different.

Although both reports used the same processing tool—AccessData Forensic Toolkit 6.3.1.26—there are numerous configurations and setting options for this tool, which can result in the generation of different reports. The fact that additional files appeared in one report is a result of the use of different settings.

I have examined the disk images created of 1B15 and 1B15a and determined that they are identical.

Process Findings

Loveall does not address Kiper’s process findings on FBI handling of evidence.

Kiper’s report states neither the camera nor the CF Card were sealed when they were given to forensic examiner Booth on June 10th – two days before he testified in court.

The Chain of Custody of who had the CF card shows that at least three FBI employees had control of this evidence from the time a new examination was asked for (June 7th, 2019) to the time it was given to Booth in a package not sealed (June 10th, 2019).

Booth’s notes about his examination don’t mention this Chain of Custody or the fact that he received the evidence in a package that wasn’t sealed, even though he admitted in court that it was unsealed when he got it.

However, the FBI’s policy requires evidence to be secure and sealed, and employees could get in trouble if they don’t follow this policy. Kiper said in his 20 years as an FBI agent, he never got evidence that wasn’t sealed, except in emergency situations.

Comments (21)

Add Your Comment

Erasend08/02/2023

Forensic software would likely be highly customizable due to level of recover want to achieve. Examining every 0 and 1 isn't necessarily the goal, instead its to get the state of the hard drive as it was being used or go deeper and see what the user had deleted or attempted to delete since as I mentioned in the previous, deleting doesn't actually exist. Loveall is kind of saying with the software is along the lines of sometimes you want one layer, sometimes need to go down more. First report was say one layer, second report was more. There is a significant chain of custody issue. There is a good legal argument to be made that the card itself and therefore the photos directly taken from it should never had been made admissible. Since the claimed order of events was card taken into custody > card given to FBI techs who didn't get around to a forensic copy > an investigating agent took card back from techs > agent extracted pics from card (huge no-no for digital evidence) > card eventually returned to FBI techs > FBI techs did forensic copy > first report made > probably other stuff here > second copy made > second report made. It follows that for both reports, the copies would be identical as they occurred after the breakdown of custody. What is supposed to happen is the agent gets the pictures from the copy of the card, not the card itself. The process is to make that forensic copy. The copy is what gets handed around be it to the investigators, the lawyers, whoever supposed to get it and evidence is pulled from the copies. The minute that card went into the evidence bag, no one but the techs should have handled it. The original gets put away and preserved as if in amber only to be touched as necessary to prove that the copy matches the original. Which cannot really be done here. The agent would know this, the overview of the process regarding digital information is decades old now so Kiper is right about that being a massive f-up. However, this is really a failure of the defense as attacking chain of custody is lawyering 101. Suspect the compressed time table that the prosecution intentionally created but then the defense willing accepted (waves to Keith for that act of genius) is what caused the failure to take advantage of the f-up. The evidence was turned over to the defense, the information was there to be found and failing to find it back then but finding it now isn't new. New is usually defined as not part of the case before and that new evidence would have had a credible impact on the outcome of the case which is questionable here since pedo pics were on the WD hard drive, not the card. “New” by itself isn't enough for a successful appeal, just an FYI since that aspect hasn't really been discussed. So in battle of the experts, I will give the technical aspect a tie, but process win to Kiper. Odds of appeal success remain very low.

Anonymous08/02/2023

An obvious cheat by gov't But why?

Anonymous08/02/2023

So you think the Judge will change his mind after giving Raniere a one hundred and twenty year prison sentence?

my2cents08/03/2023

Ya but Erasend? What about something like stuxnet? Come on? The worst suspicion is that Camilla was a plant but do you really believe that? I don't.

What’s the best way to deal with what’s most important?08/03/2023

“The evidence was turned over to the defense, the information was there to be found and failing to find it back then but finding it now isn’t new.” One main issue in question (finding fraud upon the court post judgement) shouldn’t have the potential to obliterate the two MOST IMPORTANT issues which shouldn’t be in question and yet, are somehow held over everyone’s heads right now: 1. The Vanguard’s many crimes committed against a 15-year-old girl. 2. The entire case against Mr. Raniere.

Anonymous08/02/2023

Two separate matters: 1. the tampering 2. the crimes against Camilla The crimes against Camilla seemed to have occurred. The tampering seems to have occurred. Is the prosecution’s entire case in jeopardy because of tampering that seems to have been done to destroy the case? If it was tampering and if that tampering destroys the entire case, all proven tampering from now on in any case could destroy all prosecutions after that kind of precedent. That would lead to yet more chaos in the courts. Is that the whole point of what looks like one big charade?

Anonymous08/03/2023

There was zero tampering. Your fat, pudgy, grifting conman is where he belongs for stealing, lying, cheating, statutory raping, and screwing up people's lives. For his sins, insincerity, abuse, and misdeeds “Fate” gave him plenty of opportunities to rectify himself and turn back, he didn't, and then the door was closed behind him and sealed shut like a seal was put on his heart. He's going to die in prison where he belongs for the sum total of his life.

Stephanie A Jones, Esq. LLM, MPH08/03/2023

Yes, this chaos we call the Appellate Division in the courts, and it has an important job here with some pretty solid evidence of forensic malfeasance. If this guy is a BAD guy, let his bad acts hang him. Don’t manipulate data so it hangs him higher.

Peaches08/02/2023

Blindspotting Features video from inside prison. Stay tuned

Anonymous08/02/2023

Then where did the naked photos come from then? Someone had to have taken them. If there was tampering, how did they get the photos?

Long time, first time08/03/2023

Exactly. The basis for the alleged tampering appeal puts me in mind of the Russia hacked the DMC emails BS: Fretting about how the emails were obtained and ignoring what was in the emails.

Aristotle’s Sausage08/02/2023

“Loveall does not address Kiper’s process findings on FBI handling of evidence” No, that is addressed by Tanya Hajjar in her response to the Motion. The chain of custody issue was brought up in Raniere’s original trial. It was brought up by FBI Agent Booth as a matter of fact. It was brought up and it was a non-issue to the jury. Because it was addressed during the original trial, it is not new evidence and therefore is not a matter for appeal. It’s irrelevant. And if it’s a matter of “but still, tampering!” the fact that the CF card wasn’t in the proper kind of plastic bag does not prove anything beyond it was not in the right kind of bag. It certainly doesn’t mean evidence was faked or planted or tampered with. This whole appeal reeks of desperation. There isn’t one iota of proof that evidence was tampered with. The whole thing is a big waste of everyone’s time. Loveall disproves every one of Kiper’s phony technical claims. Every single one.

Anonymous08/03/2023

Kipper grew a goatee so when gives a blow job it feels like a pussy.

StevenJ08/03/2023

“Kiper claims that “additional files appeared on the FBI’s forensic report of the CF Card between 4/11/19 and 6/11/19, in an apparent attempt to create a stronger relationship” between the camera card and the hard drive.” Even a single photo establishes the connection between The CF card and the WD HDD drive. So there is no point or motive to ad files to the CF card. Kipers argument (it was done to make a stronger relationship between CF card and harddrive) is therefore nonsensical. Even without a connection between the camera and the HDD drive, there would have been sufficient evidence to link the Camilla pictures on the harddrive to Keith: -harddrive found in his private library: – Camilla posed in identical way as pictures of other women he had a sexual relationship with.

Pilgrim08/03/2023

Can we just get to the bottom line? Did Kieth produce kiddie-porn or not!?!? Someone please tell me!!!!!!!

StevenJ08/03/2023

Yes he did.

Anonymous08/03/2023

I think the FBI got the photos planted and got them from Cami

Cami wins.08/04/2023

DO NOT MESS WITH A WOMAN SCORNED

Anonymous08/04/2023

I think Raniere is a liar and was just caught red handed.

NiceGuy08/03/2023

No comment.

Raniere is guilty08/04/2023

What about all the messages between Raniere & Cami where Raniere mentions the pictures he has of her that were read at trial? These messages date back to when she was 15. It doesn't take a 240 IQ to pit 2 & 2 together that Raniere took pictures of this GIRL. Raniere is a known lair. Raniere is well know for taking pictures of women he is having sex with. He is also know for having sex with with underage GIRLS. The evidence is stacked against him in more ways than one. Guilty as charged