Forensic Protocols Weren’t Followed

Cary police began their official search of the Cooper residence on July 15th, 2008, but they neglected to follow a standard forensic protocol in securing the computers in the home.  Proper protocol in handling a computer would include analyzing the RAM data, disconnecting the computer from the wireless network and powering it down immediately.  Instead, the Cary Police left the computer on and connected to the wireless network for 27 hours.  During those 27 hours, close to 700 files were altered, including email archives and internet history files.  This is classified as spoliation.  Once spoliation occurs, none of the evidence can be trusted and it typically would not be allowed to be offered into evidence in court, but in this case it was.  Brad Cooper was convicted on tainted computer evidence.  Additionally, the computer in question, the IBM Thinkpad wasn’t hashed until weeks later.  There was a large window of time when the Google files could have been planted on the computer.

The defense witnesses (Jay Ward and Giovanni Masucci) weren’t able to testify about their findings on the computer in the jury’s presence.  First, the prosecutors objected to Jay Ward testifying because he wasn’t a forensic expert.  Jay Ward’s expertise is in network vulnerability.  He assists his clients by identifying weaknesses in their network and makes recommendations to help them secure their systems.  He has tested hundreds of computers and is able to identify signs of intrusions, malware and tampering.  The judge would only allow him to testify as a network security expert and this barred him from being able to discuss any of the specifics about what was found on the computer.  He could only testify about general signs of intrusion that can be found on a computer.

Since the defense team was unable to show the jury the evidence of tampering and planted Google files, they brought in another witness, Giovanni Masucci.  Mr. Masucci is a digital forensic examiner with extensive experience training law enforcement,the FBI, and others in digital forensic protocols.  Again, the state objected.  This time it was because they claimed they wouldn’t have enough time to prepare to cross examine the witness.  The judge agreed and would not allow him to testify before the jury,  but allowed him to testify only as an offer of proof for appeal purposes. If the jury had been able to hear this critical testimony, the verdict likely would have been “not guilty”.

Both defense experts found evidence that the computer was accessed during the 27 hours it was left on while in police custody, as well as evidence of tampering and indications that the Google map files were planted on the computer.  The first sign of tampering that will be discussed is timestamp anomalies. Over the lifetime of the computer there were approximately 2% of files that contained invalid timestamps.  Between July 9-12, 83% of the files had invalid timestamps.  The Google map search files had 100% invalid timestamps.   Mr. Masucci testified that invalid timestamps can be an indication that files have been planted on the computer.  The computer doesn’t recognize the files so instead of assigning them a normal timestamp, it assigns an invalid timestamp.  The state witness, FBI Agent Johnson also testified that one method that would result in invalid timestamps is dropping files onto a system.

The images below show the modified files on Brad’s IBM Thinkpad.










Additional articles which describe the signs of tampering:

The Alleged Google Map Search

The Significance of the Absent Google Cookies

Altered Passwords, Time and Date

The Cursor Files

More About the Cursor Files. National Security and the Defense Motion for Mistrial

Obstacles Surrounding the Computer Evidence

Computer Evidence Must be Verified to Stand Up in Court

Computer evidence the jury didn’t hear (Youtube video)







Leave a comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s