Entertainment TV Josh Duggar Trial: Defense's Forensics Expert Theorizes 'Hit and Run' Hacker Was Responsible After the prosecution rested on Monday morning, the defense called their own analyst to build an alternate scenario of what happened in 2019 By Adam Carlson Published on December 6, 2021 10:26 PM Share Tweet Pin Email Forensic examiner Michele Bush said that several things — perhaps many things — surprised her about three of Josh Duggar's electronic devices, which are now at the center of his ongoing trial on charges of knowing receipt and possession of child pornography two years ago. The former 19 Kids and Counting star, 33, has pleaded not guilty and on Monday, the fifth day he faced a jury in federal court in Arkansas, his defense team began to present their case. Bush, a Phoenix-based digital forensics expert, was the first witness the defense called on Monday morning. Over approximately four hours of testimony under defense questioning (with a cross-examination still to follow on Tuesday), Bush described a parallel and sometimes contradictory set of facts from the analysis of the prosecution's main expert, the Department of Justice's James Fottrell. As Judge Timothy Brooks instructed the jury in introducing both Bush and Fottrell as experts, it will be up to the jurors to weigh their testimonies and believability to help reach a verdict. Fottrell had testified last week to numerous time-and-place links between Duggar, based on Duggar's iPhone photos and text messages, and the downloading and viewing of the sexual abuse material at the work computer at Duggar's Wholesale Motorcars lot. Fottrell also maintained that someone would have had to be physically present at key points in using the work computer, such as installing and then switching over to a separate Linux system on the computer that had its own password. He said, in preemptive rebuke of the defense, that he did not see a "pattern" of remote access on the work computer that would have left Duggar as an unwitting target rather than the perpetrator. What's more, Fottrell noted, the password for the computer's separate operating system where the illicit material was found matched a password that was "ubiquitously used" by Duggar for his personal accounts. Bush, in her own testimony on Monday, pushed back on some of Fottrell's conclusions. In fact, she testified, she had only not been able to rule out remote access — but "the evidence leads me to believe that's a very viable possibility." (As she spoke on the stand, Fottrell watched from the front row, sometimes visibly reacting to her conclusions.) Josh Duggar Child Porn Trial — Every Close Duggar Family Member Who Has Attended So Far A sketch of Josh Duggar at his federal trial in Fayetteville, Arkansas. John Kushmaul Bush said she was leaning toward the theory of remote access based on these factors: First was the fact that some of the illegal videos were streamed via the computer's video player despite already being downloaded — something she said she hadn't seen in any of her previous cases. Fottrell had testified that streaming, in this instance, was something of a misnomer: It would have been as easy to do as copy-and-pasting a link from the download program into the video player and didn't actually refer to watching something from a website like Netflix. But Bush cast the decision to stream the downloaded files as something more bizarre and said it indicated that the videos could have been accessible to outside users via the router, even though the router essentially then sent the videos back to the work computer. Second, Bush said she noticed the router's ports (or specific reference points for internet activity) were changing as the videos were viewed. She called it port forwarding and it could, in some cases, be used to mask the true user: "That's a pretty sophisticated level to obfuscate your activity." And third was that "universal plug and play" had been enabled by the work router, which Bush said created external weaknesses in the network. She said the setting is often used for home networks to make it easy for devices to find one another. "But there are also vulnerabilities because it assumes all the devices in its close proximity are trusted," she said. Much of her testimony came back to the work router, which was not seized or examined in the investigation. The defense said it was a crucial clue. The prosecution and their witnesses said it contained only minimal, transitory information. Bush said on the stand that she just didn't know. She couldn't rule out remote access and the router "certainly would give me a lot more clarity." Prosecution Gets Heated Questioning Josh Duggar Relative and Colleague — 'You Were Hiding Something' She made further rebuttals of Fottrell's testimony last week. Bush said it was possible to remotely boot a computer and, depending on its settings, access the second operating system installed there. She said that she believed the "dell_one" username for the separate part of Duggar's office computer where the sexual abuse material was found could have been auto-assigned by an outside application. Fottrell disputed that, saying it was a user's choice. They had conflicting experiences trying to recreate it, though Fottrell had the benefit in his work of unlimited access to the original desktop hard drive. And Bush said some of the applications used to obtain the child pornography were likely manually installed via command lines, which are more sophisticated than would be capable by the version of Duggar (homeschooled, with no college degree) described by the defense. But she couldn't know definitively, she said, as she discovered no log of the commands used on the Linux side of the computer. "The lack of that file certainly jumped out at me," she said. Late in her testimony Monday, Bush also started to question the reliability of the timestamps and geolocation data that Fottrell found with Duggar's photos from May 2019, which prosecutors say largely match when his work computer was used to access child pornography. But after prosecutors objected — for unclear reasons — the attorneys and judge gathered for a private sidebar. When testimony resumed, Bush mentioned only one example of a photo where the metadata she extracted conflicted with another record, but she didn't expand. A sketch of Josh Duggar's trial in Fayetteville, Arkansas. John Kushmaul In other parts of Bush's testimony, she referred glancingly to the sexual abuse material and the circumstantial connections between Duggar and his work machine, such as the photos and texts and the similar password. Instead, she focused on entirely different parts of the investigation than those emphasized by the prosecution — as the defense continues to argue this is a "whodunit" bungled by investigators. The lack of the work router was one such issue, Bush said. And after days of the defense making references to it, Bush testified about a thumb drive that was plugged into the work computer shortly before the Linux system was set up. (The thumb drive has never been located.) Under questioning by defense attorney Justin Gelfand, Bush softened or pruned back some of the prosecution's case about the child pornography. One torrented file, "Daisy's Destruction," about an infant, was not viewed, she believed. Another set of lewd images were extracted but not individually opened. And on the last of the three days in 2019 when Duggar is accused of accessing the sexual abuse material, one of the videos was viewed for approximately 30 seconds before being deleted. Jessa Duggar Attends Brother Josh's Child Porn Trial as Judge Denies Defense's Motion to Acquit Overall, Bush said, the activity fit a pattern of a so-called "hit and run" in which a user gained undetected remote access to a computer and then vanished after a window of time. The defense has repeatedly highlighted that neither of Duggar's two personal devices, a laptop or iPhone, had any evidence of sexual abuse material. (On the other hand, says the prosecution, Duggar had used an anonymous browser and various torrent programs on those electronics — similar software as was used on his office desktop.) Defense attorneys have also said perhaps a former employee or another person with physical access to the office was responsible, though prosecutors said records show Duggar was the only employee during the period in question. Josh Duggar. Washington county arkansas Elsewhere Monday, prosecutors called three witnesses before resting their case. The first was Clint Branham, a longtime acquaintance of Duggar's who testified to Duggar being a tech-savvy "power user" of computers who had previously listened to a conversation about installing a second Linux system on a computer to evade filtration. The second was Jim Holt, a Duggar family friend who likewise attested to that conversation about Linux in 2010 ("Joshua said, 'Well how would I set that up?' "); and the third was Bobye Holt, Jim's wife, who repeated her testimony from a pre-trial hearing about how Josh had told her as a teenager that he had molested four Jane Does from the age of 12 to 15. The defense highlighted in cross-examination that Bobye had declined to speak with their investigator and suggested she sought out the government with her account. Under re-direct, prosecutor Carly Marshall asked Bobye whether she wanted to be discussing these topics and how she felt. Bobye's face crumpled. "It's miserable," she said. Duggar's trial continues Tuesday.