Paragraph 5: You mention inmrofation about IP address. What IP address(es) are you referring to and how were they attained? Could you please explain how a wireless router or other NAT ( Network Address Translation ) router work? Could you please explain how they hide the address assigned to an individual system and allow multiple systems to all appear to be using the same external route able IP address. Could you please explain how the NAT device takes IP address and port used by the computer and re-writes the IP address so that it matches the IP addresses assigned by the Internet Server Provider and how it takes data destine for the ISP assigned IP address and after consulting it's internal translation table re-writes the IP address and port and passes the data to the computer using the private IP address? Could you please explain how you made a determination that NAT was or was not being used?Paragraph 6: You stated in paragraph 5 that you do not believe a wireless router was used based on IP address and you state in this paragraph that you do not believe that this hard drive was used to share data as accused. You however make no determination or even mention of IP address, is this because there was no evidence of IP address on the harddrive? If there was no inmrofation about IP address assigned to the defendant's computer on the hard drive does that mean that all the evidence concerning IP address was based on data external to the defendant's location and if that is the case how would/did you make a determination that there was not a NAT device (as explained above) between the defendant's system and the monitoring. And if you can not rule out the possibility of a NAT device then how can/could you rule out the possibility that the NAT device allowed wireless access and the computer traffic that actually was observed was NATed by a wireless router and hence used the IP address assigned to the defendant by theft of service? You further speculate that the computer showed little use during the time in question, could this also indicate that it would have been less likely that the defendant would have noticed that their internet connection was being stolen by someone else via a wireless connection?paragraph 7: As a computer security professional, do you teach about the importance of maintaining back ups of data? Would you not recommend that something as important as a resume be kept in multiple locations so that it does not get 'lost'? Additionally you indicate that the resume showed activity during the time in question, would that indicate that it was being maintained? And hence that the computer itself was in fact being used during the time in question, just not for the speculated purpose?General: You mentioned the data MediaSentry provided including screen shots. Could you tell please explain how your verified how you determined that the screen shots had not been altered? If I were to provide you with 5 copies of the screed shots after altering the copies using a graphics editing program, would you be able to determine which was the original and which were altered? If so, how? If you are relying on the source that provided you the data, could you please provide his or her contact inmrofation so that we can question them about the screen shots? (re-peat till you get to the person who actually made the screen shots) Could you please tell us how MediaSentry works? Since it obviously interacts on the Internet could you please tell us what IP address it used during the time that it gathered this supposed data? Was it a passive observer and if so, how did it observe traffic from the defendant's machine? Could you please explain about network address (IP addresses) and the difference between directly connected hosts, local networks, and routed networks? Are the IP address used by MediaSentry and the IP address used by the defendant directly connected or on the same local network? If they are not, could you please explain how data traveled between them? As a security professional are you familiar with IP spoofing attacks and the general concept? Can you make a determination as to approximately how many different networks the data passed though between the defendant's system and MediaSentry? How secure are those networks? Is it true that any network device that handles IP traffic on any of those networks could easily both observe the IP traffic as well as modify it? Is this the same principle that a NAT router uses or a firewall or proxy server? Does MediaSentry work in a similar manner? If MediaSentry does not work as a passive observer, does it in fact make copies of and/or distribute copy righted material? If does make copies or distributes copy righted materials, does it have license to do so? If you are unable to tell us how MediaSentry works, how can you make any determination as to the data that it provides? Are you familiars with the computer expression "Garbage in, Garbage out?" Could you please explain it to us and explain how the data provided to us by MediaSentry is not in fact Garbage?There is also an issue that while I don't know where this inmrofation is...there should be a location on the file system were the dhcp lease inmrofation is kept (at least the current lease), so the disk image should have inmrofation as the current IP address that it used. So, this should be available and may match the IP address from the ISP logs if there wasn't a NAT router... Either way... this inmrofation should be out in the open and that it wasn't referenced should be addressed.