News for Northern Colorado and the world

Tuesday, December 23, 2014

Who done it, Part II

Deceptive Documents

By Gary Wamsley

In Part 1 of this “Who Done It,” The case of the missing files on the Berthoud Main Street web site, I started with a re-creation of the incident (using my own business and files) as told by Trustee John Bauer when he discovered that the Berthoud Main Street website had been taken down.

I also had obtained copies of all the documents Bauer had filed with the police, including a CD with a copy of the log file Bauer submitted to the police.

For those who are not familiar with computer terms:

Internet Protocol (IP) address is a number that identifies the site of a computer and allows it to communicate with the Internet. It is much like a telephone number except that for most users it occasionally changes. The address is assigned to an individual account from a pool of addresses assigned to the Internet service provider.

File Transfer Protocol (FTP) provides a means to transfer files from one computer to another over the Internet. It requires a username and password to complete the link between computers. The username and password are created by the account administrator. FTP provides a way for the account administrator to give limited access to a website developer for the purpose of creating and managing content. The FTP user only has access to the files and does not have the keys to create accounts or change passwords.

Log file: A file that lists actions that have occurred. For example, Web servers maintain log files listing every request made to the server.

The reader also needs to understand that John Bauer is a professional computer consultant, a Berthoud Trustee and a member of the Berthoud Main Street Board. (See his LinkedIn page here) Bauer is also the Account Administrator of the Berthoud Main Street website hosting account at Go Daddy.com (a company that registers Internet domain names and provides website hosting and associated services). He, and apparently only he, has the keys (username and password) to access the Go Daddy account for the Berthoud Main Street program.

By re-creating Bauer’s actions as stated in his witness report, I was able to see firsthand what support at GoDaddy would say and what questions they could answer. After obtaining copies of all the documents and looking at them closely this is what I found.

Bauer is the sole source of the accusations in this case. He “discovered” the missing files, filed the criminal complaint and supplied all the evidence to police. Although Eric Boyd, the Main Street Director, is listed as a witness, Bauer’s is the only witness statement for Berthoud Main Street, the accusers.

Bauer also was the sole custodian of all the information relating to the charges. What the Recorder’s investigation shows is that there is substantial evidence that the material has been altered and there are many misrepresented material facts.

The timeline for the events surrounding this issue is as follows. On Aug. 11 the Berthoud Main Street website allegedly ceases. Bauer claims he discovered this on Aug. 25, requested technical support from Go Daddy and received a log file from them on Aug. 26. The date of the complaint filed with the Berthoud Police is Oct. 8, but Bauer did not provide the log file to the police until October 21. The Recorder Online was not provided with information as to when the Main Street Board was notified or when or how they decided to proceed with sending the matter to the police.

According to Bauer’s witness statement (watch for Part III of this series), when he discovered the Berthoud Main Street website was not working he called Go Daddy technical support. They helped him determine that the files that make up the website were missing and allegedly told him that the account had been accessed by FTP user “berthoudmain.” He then requested a file that logged the access to the site by FTP users.

That file, made available to Bauer on Aug. 26, is the subject of this article. We will find that the file Bauer submitted as evidence on October 21 is not the same file that Go Daddy created for him on August 26.

According to the document, which Bauer provided to Officer Yachik, (click here to view document) Bauer received an email informing him that the FTP log he requested was available on his (Berthoud Main Street) hosting account. The file name in that document does not follow the file naming convention used by Go Daddy in their emails to the Recorder Online. In all those cases, the file name was the domain name followed by “.txt,” indicating a text file. The file prepared for Bauer should have been named “berthoudmainstreet.org.txt.” In the document received by Officer Yachik, the file name is “berthoudmain_ftp_logs.txt.” Why the difference? A closer look at the document reveals that it has been altered.

The font in the message portion of the email is obviously not the same as in the rest of the document. Compare the Bauer email to the Recorder Online email (click here). In the Recorder email the font is consistent throughout, a simple sans-serif font while the font in the message portion of the Bauer email is more ornate. Another indication of the alterations is the change in the standard sentence and terms used by Go Daddy. The entire sentence has been changed. Note that Bauer mistakenly uses the term “uploaded” whereas hosting support “placed” the file. This complete alteration of the message was apparently done in order to change the file name.

Even before looking at the file itself, we find that the very first document in the file’s evidence trail has been falsified. That alteration, plus the fact that fifty-six days have elapsed between Bauer’s obtaining the file and his submitting it to the police, violates the chain of custody for this evidence. This is important because the idea behind recording a chain of custody is to establish that the alleged evidence is in fact related to the alleged crime, rather than, for example, having been fraudulently planted to make someone appear guilty. Ideally, Berthoud police would have been able to request their own copy of the file from Go Daddy; however, by the time Bauer filed his complaint, a file for August 11 was no longer available.

As we look at the file submitted to police, it is evident that it too has been altered. The log file created by Go Daddy hosting support is a text file, the simplest type of file format, and is readable by all computers. In its native format it would look like this:
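A chain-of-custody record becomes tamper-evident when the evidence is hashed at the moment it is first obtained and every later hand-off is bound to that hash. The Python sketch below is an added example, not part of the original article or the case file; the log lines, addresses, user name, custodian labels and time labels are all constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first custody entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def add_entry(chain, evidence: bytes, custodian: str, action: str, when: str):
    """Append a custody entry bound to the evidence bytes and the prior entry."""
    entry = {
        "custodian": custodian, "action": action, "when": when,
        "evidence_sha256": sha256_hex(evidence),
        "prev": chain[-1]["entry_hash"] if chain else GENESIS,
    }
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    chain.append(entry)
    return entry

def verify_chain(chain):
    """Return (ok, reason): entries must link up and the evidence hash never change."""
    prev = GENESIS
    for i, e in enumerate(chain):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        recomputed = sha256_hex(json.dumps(body, sort_keys=True).encode())
        if e["prev"] != prev or recomputed != e["entry_hash"]:
            return False, f"entry {i}: custody record altered"
        if e["evidence_sha256"] != chain[0]["evidence_sha256"]:
            return False, f"entry {i}: evidence differs from acquired copy"
        prev = e["entry_hash"]
    return True, "intact"

# Constructed FTP-style log lines (documentation-range addresses, made-up user).
ORIGINAL = (b"2010-01-01 10:00:01 192.0.2.10 exampleuser DELE /index.html\n"
            b"2010-01-01 10:00:02 192.0.2.10 exampleuser DELE /about.html\n")
# The same log with one address replaced throughout before hand-off.
ALTERED = ORIGINAL.replace(b"192.0.2.10", b"198.51.100.7")

def demo(submitted: bytes):
    """Acquire ORIGINAL, hand over `submitted`, then verify the whole chain."""
    chain = []
    add_entry(chain, ORIGINAL, "account holder", "received from host", "day 0")
    add_entry(chain, submitted, "investigator", "received from holder", "day 56")
    return verify_chain(chain)

if __name__ == "__main__":
    print(demo(ORIGINAL))
    print(demo(ALTERED))
```

The check only proves anything if the first hash is recorded by, or lodged with, a party other than the one who later hands the file over.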

[Image: berthoudrecordercom new 1]

The file that Bauer emailed to the police looks like this:

[Image: BerthoudMainFTPLogs 20100811 top]

The most obvious difference in the two files is the different typeface in the Berthoud Main file. The typeface and the hanging indents for each line show that this file was opened in a word processor. In this case, the typeface is Courier New, a little-used font included in the Microsoft Windows operating system. Courier New is also the default font for Microsoft WordPad, a rudimentary word processor included in the Windows operating system. This font also matches the font in the altered Go Daddy email and is the font used in Bauer’s witness statement.

Since there was no reason to open this file in a word processor before forwarding it to law enforcement, why might this have been done?

Word processors, even WordPad, have features not available in text editors. WordPad has a search and replace function that would enable the user to replace every occurrence of a selected text with a different value. In the following example, the Recorder Online text file has been opened and formatted with WordPad. Using WordPad’s search and replace function the IP address and usernames have been replaced with false information. Note the similarities in font and formatting between this file and the Berthoud Main file.

[Image: berthoudrecordercom WP top fake]

There are other indications that this file has been altered. We can see the directory and file information in the header of the evidence file. Bauer has saved the file on his computer with the file name of “~vs2c1.txt.” Bauer is a computer professional and would choose a file name that has meaning to him. In this case, the most likely translation is “~” equals shorthand for the long filename and vs2c1 very likely stands for version 2, change 1. The obvious implication is that he has altered the file multiple times.

Even this is not the last of the changes. The file submitted to police has a new name entirely; “BerthoudMainFTPLogs_20100811.pdf.” The extension .pdf indicates that this was an Adobe Portable Document File. By converting the file to .pdf, Bauer has made it impossible to determine the file creation and modification dates of the underlying file. Once again, it was not necessary, or even legal, to change the file format for submission. Rather, it appears to be an attempt to hide the fact that the file was altered.

The log file obtained by Bauer allegedly showed the files being deleted and identified the account name and IP address of the ftp user. Using the information in the file, Bauer convinced the Berthoud Main Street board members that they needed to file a police report so that law enforcement would get a court order to find out to whom this address was assigned. This was deemed necessary even though, according to his statement, Bauer claimed to already know this information.

Bauer has gone to a great deal of effort to alter and falsify evidence in this case. Such actions would not have been necessary had the file contained the information he claims. The evidence indicates that it is likely that Bauer changed the IP address, and perhaps the date and/or user name, to implicate another person for doing something he was actually responsible for, either personally or through an unwitting third party. If this is the case, then he has also filed a false police report. We look forward to publishing an explanation from Mr. Bauer.

Changing the evidence in any way is evidence tampering. Evidence tampering is defined as an illegal action in which evidence is either falsified, edited, or amended in order to support or undermine a legal claim. There is no doubt that Bauer has tampered with the evidence; the files speak for themselves.

The next article in the series will look at Bauer’s witness statement. We hope to hear from Mr. Bauer before publication.

To Part I of the series

To Part III of the series


