Case 3:17-cv-05659-WHA Document 435-19 Filed 04/12/19 Page 1 of 36
`Case 3:17-cv-05659-WHA Document 435-19 Filed 04/12/19 Page 1 of 36
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`EXHIBIT 16
`EXHIBIT 16
`
`
`
`
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 435-19 Filed 04/12/19 Page 2 of 36
`Transcript of Khurram Islah, Corporate Designee
`Conducted on February 7, 2019
`
`1 (1 to 4)
`
`1
`
`3
`
` A P P E A R A N C E S
`
`
`
`For the Plaintiff Finjan, Inc.:
`
` KRAMER LEVIN NAFTALIS & FRANKEL LLP
`
` BY: MICHAEL H. LEE, ESQ.
`
` 990 Marsh Road
`
` Menlo Park, California 94025
`
`
`
`For the Defendant Juniper Networks, Inc.
`
`0
`
`and the Witness:
`
`1 2 3 4 5 6 7 8 9 1
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
` IRELL & MANELL LLP
`
` BY: REBECCA CARSON, ESQ.
`
` 840 Newport Center Drive
`
` Suite 400
` Newport Beach, California 92660​6324
`
`
`
` VIDEOGRAPHER: Lucien Newell
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
` IN THE UNITED STATES DISTRICT COURT
`
` NORTHERN DISTRICT OF CALIFORNIA
`
` SAN FRANCISCO DIVISION
`
`--------------------------------X
`
`FINJAN, INC., a Delaware :
`
`Corporation, :
`
` Plaintiff, : Case No.:
`
` vs. : 3:17-CV-05659-WHA
`
`JUNIPER NETWORKS, INC., a :
`
`0
`
`Delaware Corporation, :
`
`1 2 3 4 5 6 7 8 9 1
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
` Defendant. :
`
`--------------------------------X
`
`
`
` VIDEOTAPED 30(b)(6) DEPOSITION OF
`
` JUNIPER NETWORKS, INC.
`
` DESIGNEE: KHURRAM ISLAH
`
` Sunnyvale, California
`
` Thursday, February 7, 2019
`
` 9:42 a.m.
`
`
`
`
`
`
`
`Job No.: 228017
`
`Pages 1 - 139
`
`Reporter: Jenny L. Griffin, RMR, CSR, CRR, CCRR, CRC
`
`25
`
`
`
`2
`
`4
`
` C O N T E N T S
`
`EXAMINATION OF KHURRAM ISLAH
`
` PAGE
`
` PROCEEDINGS 6
`
` BY MR. LEE 7
`
` BY MS. CARSON 136
`
`
`
` E X H I B I T S
`
` (Attached to the Transcript)
`
`0
`
`ISLAH DEPOSITION EXHIBIT PAGE
`
`1 2 3 4 5 6 7 8 9 1
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`Exhibit 1 License Agreement - Joe Security 12
` LLC and Juniper Networks, Inc.
` (JNPR-FNJN_29035_00962471-2499)
`
`Exhibit 2 Joe's Sandbox Installation Guide 30
` (JNPR-FNJN_29040_01462115-2143)
`
`Exhibit 3 License Agreement - Joe Security 37
` LLC and Juniper Networks, Inc.
` (JNPR-FNJN_29035_00962500-2515)
`
`Exhibit 4 Email from Raju Manthena 73
` -11/5/15 - Subject:Improving
` Deception
` (JNPR-FNJN_29040_01180535)
`
`Exhibit 5 Joe Sandbox Desktop 13.0.0 83
` (13.11.2015)
` (JNPR-FNJN_29040_01280968-0978)
`
`Exhibit 6 Joe Sandbox Brief - Jankins Zhan 100
` Feb/07/2017
` (JNPR-FNJN_29033_00665289-5300)
`
`Exhibit 7 Document 111
` (JNPR-FNJN_29040_01194632-4645)
`
`Exhibit 8 Sky ATP Analysis Pipeline 113
` (JNPR-FNJN_29017_00552908-2915)
`
` Videotaped Deposition of KHURRAM ISLAH,
`
`held at the offices of:
`
`
`
`
`
` Juniper Networks, Inc.
`
` 1133 Innovation Way
`
` Building A
`
` Sunnyvale, California 94089
`
`
`
`
`
`
`
`
`
`
`
`
`
` Pursuant to Notice, before Jenny L. Griffin,
`
`California Certified Shorthand Reporter #3969,
`
`Registered Merit Reporter, Certified Realtime
`
`Reporter, California Certified Realtime Reporter,
`
`Certified Realtime Captioner.
`
`
`
`
`
`
`
`
`
`
`
`
`
`PLANET DEPOS
`888.433.3767 | WWW.PLANETDEPOS.COM
`
`24
`
`25
`
`1 2 3 4 5 6 7 8 9 1
`
`0
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`

`

`Case 3:17-cv-05659-WHA Document 435-19 Filed 04/12/19 Page 3 of 36
`Transcript of Khurram Islah, Corporate Designee
`Conducted on February 7, 2019
`
`2 (5 to 8)
`
`7
`
` KHURRAM ISLAH,
`being first duly sworn and/or affirmed by the
`Certified Shorthand Reporter to tell the truth, the
`whole truth, and nothing but the truth, testified as
`follows:
` EXAMINATION
`BY MR. LEE:
` Q. Please state your name for the record.
` A. Khurram Islah.
` Q. Where do you work?
` A. I work at Juniper Networks.
` Q. What's your position at Juniper Networks?
` A. I am a software developer.
` Q. What are your responsibilities?
` A. I work in improving the efficacy of the
`product, specifically the Sky ATP solution. My
`primary focus is on the dynamic analysis.
` Q. Can you elaborate? What do you mean by
`"improving the efficacy of the product"?
` A. The -- looking into the dynamic analysis
`results and improving the detection rate, the false
`positives, the false negatives, the true positives,
`true negatives. Improving all those areas improves
`the efficacy of the product.
` Q. How do you improve those areas?
`
`1234567891
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`5
`
` E X H I B I T S C O N T I N U E D
`
` (Attached to the Transcript)
`
`ISLAH DEPOSITION EXHIBIT PAGE
`
`Exhibit 9 Reputation Client & Server 119
` Document
` (JNPR-FNJN_29017_00552634-2651)
`
`Exhibit 10 VE Efficacy, Oct. 30 123
` (JNPR-FNJN_29017_00552814-2828)
`
`Exhibit 11 Joe Sandbox Cookbook Guide, Last 135
` Update: 01.06.2016
`
`Exhibit 12 Cookbook Script 136
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`6
`
` P R O C E E D I N G S
` THE VIDEOGRAPHER: Here begins
`Disk Number 1 in the videotaped deposition of
`Khurram Islah in the matter of Finjan, Inc., versus
`Juniper Networks, Inc., et al. in the United States
`District Court, Northern District of California,
`San Francisco Division, Case Number
`3:17-CV-05659-WHA.
` Today's date is February 7th, 2019. The
`time on the video monitor is 9:42. The videographer
`today is Lucien Newell, representing Planet Depos.
` This video deposition is taking place at
`1133 Innovation Way, Building A, Sunnyvale,
`California 94089.
` Would counsel please voice-identify
`themselves and state whom they represent.
` MR. LEE: Michael Lee from Kramer Levin,
`representing Finjan.
` MS. CARSON: Rebecca Carson of Irell &
`Manella, representing Juniper Networks and the
`witness.
` THE VIDEOGRAPHER: The court reporter today
`is Jenny Griffin, representing Planet Depos.
` Would the reporter please swear in the
`witness.
`
` A. One way of improving -- for example, in
`dynamic analysis -- is to ensure that your detection
`is close to what the actual classification should
`be.
` Q. How do you ensure that the detection is
`close to the actual classification?
` A. So specifically in the domain of dynamic
`analysis, where you are dependent on certain
`features, as a developer and looking into the
`details of the features, have to figure out what
`0
`features are good for the solutions and what could
`11
`create a false positive.
`12
` Having a false positive is not good for a
`13
`product, so we try to look into details and figure
`14
`out how we could improve by adding in features or
`15
`removing existing features based on the data that we
`16
`think is good enough to look into.
`17
` Q. Are you solely responsible for the dynamic
`18
`analysis part of Sky ATP?
`19
` A. This is my main area of focus. I'm
`20
`responsible for improving the efficacy of the
`21
`dynamic analysis. There are other engineers that
`22
`help me in this domain.
`23
` It's a big team, but my primary focus is on
`24
`dynamic analysis.
`25
`PLANET DEPOS
`888.433.3767 | WWW.PLANETDEPOS.COM
`
`8
`
`1234567891
`
`1 2 3 4 5 6 7 8 9 1
`
`0
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`1234567891
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`

`

`Case 3:17-cv-05659-WHA Document 435-19 Filed 04/12/19 Page 4 of 36
`Transcript of Khurram Islah, Corporate Designee
`Conducted on February 7, 2019
`9
`
`3 (9 to 12)
`
`11
`
`12
`
`adapter submits it to a third-party solution called
`Joe Security. And we get a report back to the
`adapter, and then the adapter looks into what has
`been received.
` Does that answer what you --
` Q. So the Deception adapter submits the file
`to Joe Security?
` A. The Deception adapter submits the file to
`Joe Security as a third-party solution, yes.
` Q. And Joe Security creates a report?
` A. Joe Security -- the way it works as a
`solution is the input to the solution is -- has to
`be some sort of file or files. And the output
`that -- the result would be in some sort of a JSON
`report.
` (Reporter clarification.)
`BY MR. LEE:
` Q. Which product of the Joe Security does
`Juniper use?
` MS. CARSON: Objection. Form.
` THE WITNESS: I know of the license that we
`have. I'm not sure if it is related to the product.
`BY MR. LEE:
` Q. But would it help if you have the license?
` A. Say that again.
`
`1234567891
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
` Q. What other areas are you focused on other
`than dynamic analysis?
` A. When it comes to the efficacy of the
`product, we have to see that we are synced with the
`other adapters. So we work in conjunction with all
`the team members who are working in different areas
`of the product. But we all have one thing in
`common, which is to improve the efficacy of the
`product. And I represent the dynamic analysis side
`of it.
` Q. Is there a name for this dynamic analysis?
` MS. CARSON: Objection. Form.
` THE WITNESS: We usually use it as dynamic
`analysis. And there is no such name -- if you have
`probably -- I'm not sure -- you want an industry
`standard name for it?
`BY MR. LEE:
` Q. Does your team refer to the dynamic
`analysis as any other name?
` A. Oh, no. So far -- we use it in different
`terms, but I think that "dynamic analysis" is
`usually the term that we use. It's a general term
`that is come across when we have team meetings. But
`we may -- I mean, others may be talking in a
`different way, but I think, in general, that's what
`
`1234567891
`
`10
`
` Q. Would it help if you have the license in
`front of you?
` A. The license is called -- yeah. If it --
`it's . . .
` (Exhibit 1 was marked for
` identification and is attached to the
` transcript.)
`BY MR. LEE:
` Q. You've been handed an exhibit marked as
`Exhibit Number 1. Exhibit Number 1 is basically
`0
`JNPR-FNJN_29035_00962471 to -499.
`11
` Do you recognize Exhibit Number 1?
`12
` A. This is a question to me?
`13
` Q. Yes.
`14
` A. I have never looked into the license
`15
`before. It's been done by the management. When --
`16
`what I mean was the version -- this page, the
`17
`license software, page 14.
`18
` Q. You're referring to what's listed under
`19
`"Licensed Software"?
`20
` A. Yes. So what I'm aware of is the Joe
`21
`Sandbox Ultimate is the software package that we
`22
`use.
`23
` Q. Do you see under "Joe Sandbox Ultimate"
`24
`there are six items?
`25
`PLANET DEPOS
`888.433.3767 | WWW.PLANETDEPOS.COM
`
`it is. It's a dynamic analysis focus.
` Q. What are the components of dynamic
`analysis?
` A. What is the --
` Q. Components?
` A. Components.
` MS. CARSON: Objection. Form.
` THE WITNESS: Components of dynamic
`analysis would be quite many, like I just explained.
`It's -- how do I start?
` See, dynamic analysis is based on features,
`and so I probably need to understand what do you
`mean by "components."
`BY MR. LEE:
` Q. For example, you mentioned adapters.
` A. Yes.
` Q. Is there an adapter for dynamic analysis?
` A. Yes. We have an adapter. We call it
`Deception.
` Q. Is there any other components to dynamic
`analysis other than Deception?
` A. So when we analyze a sample under dynamic
`analysis -- I'll tell you a whole flow, and probably
`you may find what you're looking for.
` It comes through the adapter, and the
`
`1234567891
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`1234567891
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`

`

`Case 3:17-cv-05659-WHA Document 435-19 Filed 04/12/19 Page 5 of 36
`Transcript of Khurram Islah, Corporate Designee
`Conducted on February 7, 2019
`13
`
`1234567891
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
` Do you know where those six items are?
` MS. CARSON: Objection. Form.
` THE WITNESS: We -- I don't know all of
`them because we don't use all of them.
`BY MR. LEE:
` Q. Which ones are not used?
` A. This is a license. It is giving us the
`luxury to use all these features. But when it comes
`to feature, it may be divided between two licenses,
`if you understand what I'm trying to say.
` Q. Can you explain?
` A. A feature which is in mobile could be a
`feature in desktop also. So it's hard to say that a
`feature that I picked for one is not there in the
`other.
` I could tell from respect of the features,
`if you have questions, what features we use. But
`there is no fine line among the licenses that I
`could draw and say we don't use a certain one and we
`do use the others based on the licenses.
` We get an Ultimate. From there we get a
`bunch of features in there, we pick some, and we
`leave a lot out.
` Q. Do you know if Juniper uses Joe Sandbox
`Desktop?
`
`4 (13 to 16)
`
`be the definition that Joe Sandbox team uses. But
`when it comes to us, it's one package of Ultimate
`which has the capabilities of all these listed here.
` Q. How would you characterize these six items?
` A. I would characterize them as capabilities
`of Joe Sandbox to us. They have given us the
`capability to run all the features, to run Light
`features, to run Mobile features, to run some
`filtering, to run classes, to run some X features.
` But for me, as a developer, these are just
`bunch of features that are intermingled between
`licenses.
` Q. To be clear for the record, in Exhibit 1 at
`page 14, there are six capabilities listed: Joe
`Sandbox Desktop, Joe Sandbox Light, Joe Sandbox
`Mobile, Joe Sandbox X, Joe Sandbox Class, and Joe
`Sandbox Filter; correct?
` A. That's right.
` Q. And you don't know which of these does
`Juniper use; correct?
` MS. CARSON: Objection. Form.
` THE WITNESS: The problem with -- to answer
`this question is these are all executables for us.
`I cannot look into the source code. It's a
`third-party solution, so they have the fine line
`
`15
`
`16
`
`14
`
` A. We just use the Ultimate license, but we
`defined to us. And we can only interact using
`never use one specific piece of it. There is -- if
`certain interfaces provided. So looking into
`you look into the package where it -- how it's given
`details of it, I wouldn't have insight to give you
`to us, it's not divided among these sets. It's one
`details.
`package, one source code, which gives you the luxury
`BY MR. LEE:
`to use all of these features.
` Q. Do you know what Joe Sandbox Mobile is?
` And we handpick features, but when I'm
` MS. CARSON: Objection. Form.
`picking a feature, I don't get to know which part it
` THE WITNESS: Specifically, again, saying
`belongs to. I just know it belongs to the Sandbox
`what Joe Sandbox Mobile is, I cannot define the
`Ultimate package. And if I pick some other package,
`whole thing. But with this, there are some mobile
`0
`it may not be there.
`features associated, and the document would have
`11
`more details about it. But I cannot explain the
` Q. Do you know what Joe Sandbox Desktop does?
`12
` A. By looking at these, a general way of
`whole mobile, like I said. I -- it's a black box to
`13
`analyzing this is Joe Sandbox Desktop is heavier on
`me, but I do know what features we could -- we could
`14
`features, will take more time to analyze than Joe
`get from mobile.
`15
`Sandbox Light. That's how they differentiate. What
`BY MR. LEE:
`16
`features they are adding, what not they are adding,
` Q. What do you mean by "mobile features"?
`17
` A. The "mobile" definition for us is content
`I still don't know. That's one way of
`18
`or -- I would say files that could run on Android is
`differentiating between Desktop and Light, is
`19
`one example of mobile for us.
`Desktop will have more features.
`20
` Q. Do you know what Joe Sandbox X is?
` Q. So just to be clear, the six features --
`21
` A. What Joe Sandbox Axis?
`sorry.
`22
` Q. Yes. It's the next one on the list.
` There are six products listed under Joe
`23
` A. Oh, X. Yes.
`Sandbox Ultimate; is that correct?
`24
` I don't think I have read about X
` A. I wouldn't say these are products. It may
`25
`PLANET DEPOS
`888.433.3767 | WWW.PLANETDEPOS.COM
`
`1234567891
`
`1234567891
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`1234567891
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`

`

`Case 3:17-cv-05659-WHA Document 435-19 Filed 04/12/19 Page 6 of 36
`Transcript of Khurram Islah, Corporate Designee
`Conducted on February 7, 2019
`17
`
`interface.
`BY MR. LEE:
` Q. This is the WEBAPI that's given as part of
`the Joe Sandbox Ultimate, Version 12.5?
` MS. CARSON: Objection. Form.
` THE WITNESS: If I could look.
` I submitted something in documents.
` Are we referring to that, or --
`BY MR. LEE:
` Q. I'm referring to Exhibit Number 1. It says
`"Joe Sandbox Ultimate (Version 12.5)" on page 14.
` A. Uh-huh. Could you repeat the question?
` Q. Is the WEBAPI given by Joe Sandbox part of
`this Joe Sandbox Ultimate, Version 12.5?
` A. So the package involves -- when we receive
`a package after the licensing is done and all, we
`receive a package from Joe Security. For every
`package, there is a WEBAPI guidelines in it.
` Q. What's the name of these guidelines?
` A. WEBAPI? What do you mean by "name"?
` Q. For the WEBAPI guidelines, is there a name
`for them?
` A. Oh, it's a PDF document.
` Q. Is it also referred to as a cookbook?
` A. No. It's a WEBAPI -- it should say
`
`1234567891
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`separately somewhere, but I might be using its
`features, but I don't know.
` We don't use Joe Sandbox solution by
`following these categories. Like I said, it's an
`executable for us. They might have combined these
`together in executable, and it would be hard for me
`to tell what Joe Sandbox X is. And in the end, when
`you see the source code, you may find out that X is
`using something else from Light or Desktop.
` So the source code is the true source,
`which we don't have access to. So it's hard to
`answer these questions without looking into the
`source code.
` Q. You said that Juniper accesses Joe Sandbox
`using -- it's a black box for you.
` MS. CARSON: Objection.
`BY MR. LEE:
` Q. Let me rephrase. Sorry.
` You mentioned that when Juniper accesses
`Joe Sandbox, Joe Sandbox is a black box.
` MS. CARSON: Objection. Form.
` THE WITNESS: So what I'm -- sorry.
` MS. CARSON: Sorry. I didn't know if that
`was a question or not.
`///
`
`5 (17 to 20)
`
`19
`
`20
`
`18
`
`BY MR. LEE:
` Q. Did you understand the question?
` Do you recall that you said that Juniper
`accesses Joe Sandbox and, when it does that, Joe
`Sandbox is a black box?
` A. The part of the question that I'm not
`understanding is, when you say "Juniper," it's not
`Juniper that's accessing. So that's where I'm
`getting a little confused. I'm trying to
`understand.
` Q. It's -- what is it that's accessing Joe
`Sandbox?
` A. So in the previous question when we talked
`about how Deception is sending samples, so that is a
`source which sends a sample to the Joe Security
`Solution.
` So I think access part belongs to the
`Deception adapter. That could access the Joe
`Security Solution.
` Q. Does the Deception adapter use some sort of
`API?
` A. Deception adapter uses the WEBAPI,
`W-E-B-A-P-I.
` (Reporter clarification.)
` THE WITNESS: It's one word. WEBAPI
`
`something like "WEBAPI Guide" or "Book" or
`something.
` Q. And Juniper uses that to create its own
`WEBAPI to access Joe Security?
` A. So the interface is the WEBAPI. That was
`the only way we could interact with the Joe
`Security. If the Deception adapter has to submit a
`sample, that is the only interface for us.
` Q. What data is submitted in the WEBAPI from
`the Deception adapter to Joe Security?
`0
` A. What data is submitted from Deception
`11
`adapter to?
`12
` Q. Joe Security.
`13
` A. To Joe Security.
`14
` So to analyze a sample, the Deception
`15
`adapter will have the sample and attach a cookbook
`16
`and send it to the Joe Security.
`17
` Q. What do you mean by "attach a cookbook"?
`18
` A. So two files are sent. One file would have
`19
`the sample for analysis, and one file is called a
`20
`cookbook. The cookbook is a name defined by
`21
`Joe Security. That file has to be there along with
`22
`the sample.
`23
` Q. What information is in the cookbook file?
`24
` MS. CARSON: Objection. Form.
`25
`PLANET DEPOS
`888.433.3767 | WWW.PLANETDEPOS.COM
`
`1234567891
`
`1234567891
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`1234567891
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`

`

`Case 3:17-cv-05659-WHA Document 435-19 Filed 04/12/19 Page 7 of 36
`Transcript of Khurram Islah, Corporate Designee
`Conducted on February 7, 2019
`21
`
`6 (21 to 24)
`
`23
`
`to.
`BY MR. LEE:
` Q. So does the cookbook have information as to
`which operating system the file should be sandboxed
`in?
` A. The cookbook -- the reason -- one of the
`reason of the cookbook is sandbox has many flavors
`of operating systems. So the user has this option
`to run it on any of them.
` So in the cookbook we, in Juniper, define
`that let's run it on Windows. And cookbook, when
`received by the sandbox, it knows that the whole
`analysis which is in there for the Windows machine
`should be launched and not the others.
` That's where it's important, because
`sandbox as a whole has a lot of ways of analyzing.
`So we don't want all of it. And the only interface
`is the WEBAPI, so we let them know.
` Q. So one of the instructions in a cookbook is
`the operating system that the sample should be
`sandboxed in; correct?
` MS. CARSON: Objection. Form.
` THE WITNESS: Can you say it again? I'm
`sorry.
`///
`
`1234567891
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
` THE WITNESS: Cookbook has a --
`instructions by -- it -- it's a language,
`basically -- or I would say these are the steps that
`are statically defined by Joe Security. And they
`want us to send that file to them so they could know
`that they can start the analysis on the sample.
`BY MR. LEE:
` Q. Are these cookbook instructions, are they
`for helping with the sandboxing of the sample?
` MS. CARSON: Objection. Form.
` THE WITNESS: It's not helping on the
`sandboxing of the solution or -- it's -- it's --
`generally the way this works is they look into --
`when the sandbox receives the cookbook, it goes
`through the information in there and will do its
`analysis and monitoring and everything around the
`sample.
` But that logic, all of it is not in the
`cookbook. It's with the sandbox itself. So there
`is a difference between -- between that -- I was
`just trying to express that.
`BY MR. LEE:
` Q. You said when the sandbox receives the
`cookbook, it will go through the information and it
`will do its analysis and monitoring of the sample.
`
`1234567891
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`1234567891
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`1234567891
`
`22
`
`BY MR. LEE:
` How does the cookbook information -- how is
` Q. You mentioned that -- specifying the
`that used for the monitoring of the sample?
`operating system. So is one of the instructions
` MS. CARSON: Objection. Form.
`within the cookbook specifying which operating
` THE WITNESS: Cookbook information has
`system the sample should be sandboxed in?
`nothing to do with analysis and information. It is
` A. We have it all statically typed, but it's
`more on the sandbox side. Cookbook is giving
`one of the requirements coming from Joe Security to
`certain instructions as, let's start now and let's
`mention the name in the cookbook.
`stop later.
` Q. What other type of instructions are in the
` It's like that kind of -- it's -- it's not
`cookbook other than the operating system?
`monitoring the sandbox. Its monitoring is done all
`0
` A. Mostly all our Joe Security APIs.
`by the sandbox itself because it comes with the
`11
` Q. Can you name any of them?
`packages that it has.
`12
` A. JSB -- no. JB, I think. I think I need to
` When the cookbook has arrived, it knows it
`13
`look into the -- to one of the cookbooks to tell you
`can start, basically. If you send a sample alone,
`14
`exactly what -- the top of my head, I may say
`it will not start.
`15
`something wrong. But it starts with underscore JB
`BY MR. LEE:
`16
`something.
` Q. You said the cookbook is for giving
`17
` Q. What is this JB?
`instructions, like let's start now and let's stop
`18
` A. Joe Sandbox.
`later.
`19
` These are APIs that belong to them which --
` You're referring to starting the sandbox or
`20
`well, not -- these are functions, basically, which
`stopping the sandbox?
`21
`belong to them which we don't have insight into.
` MS. CARSON: Objection. Form.
`22
`Those are executables for us. We can only -- we
` THE WITNESS: It's more like, without the
`23
`only see them in the cookbook.
`cookbook, the sandbox will not start because it
`24
` And we could -- so the way they -- they
`doesn't know which operating system to send the file
`25
`PLANET DEPOS
`888.433.3767 | WWW.PLANETDEPOS.COM
`
`24
`
`

`

`Case 3:17-cv-05659-WHA Document 435-19 Filed 04/12/19 Page 8 of 36
`Transcript of Khurram Islah, Corporate Designee
`Conducted on February 7, 2019
`25
`provide us a sample of a cookbook, and they mention
`that this is the order that these functions run.
`But within the functions, we have no idea what those
`functions are doing.
` Q. You said you need to look in the cookbook.
` Are you referring to the Joe Sandbox
`Cookbook Guide?
` MS. CARSON: Objection. Form.
` THE WITNESS: Cookbook Guide is -- if you
`are referring to the document -- is information on
`the cookbook that Joe Security has provided.
`BY MR. LEE:
` Q. Is that where you're referring to when you
`said you need to look into the cookbook to provide
`more information as to what's in a cookbook?
` A. The guide will have the function names and
`its description and the term that is used by Joe
`Security to -- so the cookbook is also the name of
`the file. That's what I'm trying to say. And here
`they are using it as cookbook guide.
` So the file name is also cookbook, and how
`it's defined is also named as cookbook guide. So I
`think it's ambiguous right now.
` Q. Can you name any other type of instructions
`that's in a cookbook other than the operating
`
`27
`because we are using different terms, I think, where
`I'm not able to -- Joe Security -- when you say
`"sandbox," you mean Joe Security or sandbox?
`Because sandbox for me is different.
` Q. What's the difference?
` A. Joe Security is a solution, a controller
`that receives commands.
` Sandbox is an analysis machine which it
`sends it to and gets information. So there's a
`difference between sandbox and Joe Security
`controller solution.
` Q. Doesn't the Joe Security solution have a
`sandbox?
` A. So let's take a step back to understand the
`terminologies so we both are in sync with it.
` For me, when I say "Joe Security," it
`combines a controller which has a sandbox connected
`to it.
` But the question that you are saying, a
`sandbox receiving a cookbook from Deception adapter
`through WEBAPI, never happens.
` Q. I see what you're saying. So you're saying
`that the Joe Security Solution receives the cookbook
`using the WEBAPI?
` A. Yeah. So in our terminologies, we could
`
`1234567891
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`7 (25 to 28)
`
`28
`
`1234567891
`
`26
`
`say -- huh?
` So . . .
` Q. Let me back up.
` A. Yeah.
` Q. The Joe Security Solution receives the
`cookbook from the Deception adapter using the
`WEBAPI; is that correct?
` A. Yeah, but it's not the sandbox.
` Q. Just listen to my question.
` A. That's what I'm clarifying.
`0
` Your previous question was does the sandbox
`11
`receives a cookbook? I'm trying to say that, no,
`12
`the Sandbox doesn't, in my definition. It's the
`13
`controller of the solution that receives it. And my
`14
`definition there is a different meaning of Sandbox
`15
`and Joe Security Solution.
`16
` Joe Security has a different layer for
`17
`sandboxing and for controlling.
`18
` For controlling they call it a controller,
`19
`Joe Sandbox controller.
`20
` And for sandboxing, they call it a sandbox
`21
`analysis.
`22
` Q. We'll get to that. I just want to clarify
`23
`this point first.
`24
` Is it correct that the Joe Security
`25
`PLANET DEPOS
`888.433.3767 | WWW.PLANETDEPOS.COM
`
`system, without looking at the cookbook?
` MS. CARSON: Objection. Form.
` THE WITNESS: Top of my head, it's pretty
`hard to say that because those are just -- those are
`not, like, regular day-to-day sentences that we use.
`BY MR. LEE:
` Q. Sitting here today, you can't name any
`other types of instructions in the cookbook other
`than the operating system?
` MS. CARSON: Objection. Form.
` THE WITNESS: There is no operating system.
` What do you mean by "operating system"?
`BY MR. LEE:
` Q. You previously mentioned specifying the
`operating system like Windows. Do you recall that?
`That's what I mean by operating system.
` Do you understand?
` A. No, actually. I'm lost a little bit.
` Q. Do you recall previously that the WEBAPI,
`there's a cookbook, and within the cookbook it
`specifies the operating system, like Windows, so
`that the sandbox knows what operating system the
`file should be sandboxed in?
` Do you recall that?
` A. I believe what I mentioned is the --
`
`1234567891
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`1234567891
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`

`

`Case 3:17-cv-05659-WHA Document 435-19 Filed 04/12/19 Page 9 of 36
`Transcript of Khurram Islah, Corporate Designee
`Conducted on February 7, 2019
`29
`
`8 (29 to 32)
`
`31
`
` The first one is the file named Joe Sandbox
`Cookbook Guide.pdf?
` A. Yes.
` Q. The second one is Joe Sandbox User
`Guide.pdf?
` A. Yes.
` Q. The third one is Joe Sandbox Interface
`Guide.pdf?
` A. Yes.
` Q. Are these three files that you received
`from Joe Security for integrating Joe Sandbox into
`the Sky ATP?
` A. These are the files from this package.
`Now, there should be a package name here.
` Well, it's based on the 28/07/2015 package.
`These three guides would help to configure, I guess.
` Q. And Juniper received these guides; correct?
` A. Yes, Juniper received these guides with the
`package.
` Q. Would the Joe Sandbox Cookbook Guide.pdf
`describe what information is in the cookbook?
` MS. CARSON: Objection. Form.
` THE WITNESS: It describes the
`configuration of Joe Sandbox Cookbook file.
`///
`
`1234567891
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`Solution receives the cookbook from the Deception
`adapter using the WEBAPI?
` MS. CARSON: Objection. Form.
` THE WITNESS: Joe Controller receives the
`sample along with a cookbook.
`BY MR. LEE:
` Q. Joe Controller from the Joe Security
`Solution receives the cookbook from the Deception
`adapter using the WEBAPI?
` MS. CARSON: Objection. Form.
` THE WITNESS: Joe Controller from Joe
`Security Solution? Why do you keep using Joe
`Security Solution?
`BY MR. LEE:
` Q. That's the term that you used before.
` A. So Joe Controller from Joe Security
`Solution receives a sample along with a cookbook.
` Q. So the Joe Controller from the Joe Security
`Solution receives a sample along with the cookbook
`that's from the Deception adapter?
` A. Yes.
` Q. The cookbook that is received, you
`mentioned that it will specify the operating system.
` Is there any other information in the
`cookbook that you can identify