I have sat in a court and watched federal agents lie about how the Internet works multiple times. Right here Agent Tarball is claiming that he sent a GET request to a Tor hidden service and the Tor hidden service sent back a packet containing its true source address in the TCP header. This is flat out impossible, given how Tor and TCP work. It is very easy for a federal agent to claim something. It is several orders of magnitude more difficult to fake packetlogs of network traffic which include a protocol as complex as Tor. I think the FBI needs to release these in a timely fashion to corroborate their claims here.
"Upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets. This IP address (the “Subject IP Address”) was the only non-Tor source IP address reflected in the traffic we examined. The Subject IP Address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal.
In fact, I would challenge them to even provide configuration files from the daemons involved that lead to this happening. They would have those in the hard drive images. They won't be there, because this is not a possible failure scenario at all.
The right to review evidence is pretty central to the Federal Rules of Criminal Procedure. The defense needs to look over these logs very carefully. If the federal government fails to produce them, it is absolutely a matter of evidence destruction. It is the digital equivalent of the FBI destroying potential DNA evidence after running cursory lab tests upon it that are helpful to its claims, but refusing to allow a defense team to perform DNA analysis.
