More evidence of tampering – altered passwords and time/date

Earlier I discussed how the Cary Police failed to follow protocols while seizing the computers.  Remember that police entered the Cooper home at just after 3PM on July 15th ’08 and from that time on the computers were officially in police custody.  And remember that there was a 27 hour window when the computer remained on and connected to the internet.  Events occurred on the computer that could not be attributed to normal updates.  All of the activity is extremely suspicious when combined with the fact that there is so much evidence that the Google map files aren’t even valid files.  It is impossible to overlook these things and blindly accept the “evidence” of the map search.

Note that all discussion is limited to the IBM Thinkpad, where the alleged Google Maps search occurred.  The date/time on the computer was last edited July 15, 2008 at 21:00 UTC, which was several hours after it was in police custody.  Timestamps were changed and the prosecution’s witness, Officer Chappell testified that they were last set while the computer was in police custody. How can this be explained as “normal” activity?  Why was the time/date changed?  Since Officer Chappell didn’t address these things, the jury really needed to hear all of the specifics about this from the defense experts, but the prosecutor and judge made sure that didn’t happen.

In addition to the time/date changes, passwords were also changed.  Officer Chappell never referenced the passwords in his report and he testified that he never includes the password details but he did in fact include password information in his report on other computers tested.  The password WAS changed while in police custody which was evidenced by a resulting update to Brad’s User Profile. Again, Jay Ward was prepared to discuss all of this evidence which was found on the computer logs but he was never given the opportunity.

In addition to the normal password, the administrator password was also changed.  The computer didn’t have the current local administrator password issued by Cisco, and according to Cisco Brad would not have known the administrator password, nor would he need it since he already had administrator privileges through his own account.  The password also didn’t match up with any of the prior administrator passwords used.  There were three consecutive log-in attempts to the administrator account with the final one occurring at 3:10PM on July 15th.

Finally, the internet history files were modified on July 16th, almost 24 hours after Brad left the house and police had custody of the computer.  All .dat files were modified, including the history file that allegedly included the Google Maps files.

The state’s computer witnesses were aware of the allegations of tampering.  They stated that they found no evidence of tampering, yet they could not address specifically how they ruled it out. The forensic tools used to extract data are not designed to pick up signs of tampering. They simply carve out data.  Even though they acknowledged that files on the MFT had been altered, they never investigated the reasons for the altered files or verified the authenticity of the Google search.  That could have been accomplished by both obtaining the cookie data from Google and also by requesting router information from Cisco to verify that the search originated from the IBM Thinkpad. Neither the police or the FBI did either of these things.

A summary of computer related facts:

  1. Cary Police neglected to follow forensic protocols – the computer was left on and connected to the internet for 27 hours while in police custody.
  2. During that 27 hour time frame, close to 700 files were altered and they were not all due to normal updates.  Included was internet history files and email archives.
  3. The computer wasn’t hashed until August 22nd, ’08 so files could have been planted on the computer anytime up until that point.
  4. All of the timestamps associated with the “search” were invalid, 100% of them, compared to only 2% over the lifetime of the computer.
  5. The Cary Police neglected to subpoena Google for the cookie data on the computer, even though it is a common thing for law enforcement to do to verify that files originated from the computer being investigated.  Even cookies from after the search could have provided the browsing history.
  6. Cary Police never requested verification of the search through the Cisco routers.
  7. No cookie exists for the alleged search.  This is suspicious because it is the only type of file that can not be manufactured.
  8. Cary police waited until after the Google Privacy policy expired to give the defense access to the computer and files – making it too late for the defense to contact Google to obtain the metadata on the cookies.
  9. No cookie exists but the temporary internet files were there.  There is no explanation why anyone would take the time to delete the cookies but leave the temporary internet files.
  10. Cookies for other searches were found on the computer.
  11. The alleged search lasted a total of 42 seconds, not long enough to locate a site to place a body.
  12. Passwords were changed.
  13. Time/date and timestamps were changed while the computer was in police custody.
  14. The prosecutors used “national Security” concerns as a reason not to share the MFT and file extraction methods with the defense team so that their own experts could duplicate the file extraction.
  15. Chain of custody documentation is unclear.

19 thoughts on “More evidence of tampering – altered passwords and time/date

  1. So the Cary police browsed through Brad’s computer right after after seizing it, instead of protecting the integrity of digital evidence in the standard way.

    Something like this, maybe…

    Officer 1: “OK guys, I got the computer. Let’s see what’s on it.”

    Officer 2: “Hey, we can change passwords!”

    Later, as they’re leaving…

    Officer 1: “Should I turn it off?”

    Officer 2: “Nah, nobody can get into it except us. Besides, Officer 3 wants to take a crack at it.”

    This is beyond bizarre.


    • It really is bizarre. The thing is we don’t know WHO did all of these things with the computer. Although it was in police custody and they had access to it, it could have also been accessed by someone external since it was on an open access WEP internet connection. Remember during the trial when Jay Ward showed all the ways the computer could be (easily) accessed?


  2. I watched the entire trial and it’s very disturbing that the only evidence they had was a google map search of the area where his wife’s body was found. The defense had evidence the files were planted while the computer was in police custody. Judge would not allow defense to present their evidence of it. He was convicted of Murder 1. Completely railroaded by police, prosecutors and judge. The time is here now that there are no longer fair trials and they can lock anyone up for anything, anywhere and there is nothing we can do about it. North Carolina almost succeeded in putting the Duke Lacrosse players away but luckily failed (after their parents spent millions defending them). But they did succeed in putting Brad Cooper away for life.

    I haven’t been around here much because this trial has consumed all of my time and attention and now my focus to bring this story some national attention.


  3. There is no doubt he was railroaded. The police destroyed evidence and the computer was tampered with while in police custody, so the only incriminating evidence was tainted. Yet the judge suppressed the defense witnesses from testifying that the computer was tampered with so the jury didn’t get to hear the most important information in the trial. The public did get to hear it though, in Proof testimony for appeal purposes. That is why so much outrage remains.

    Someone needs to investigate the Cary Police Department immediately. If the town manager and council members are so certain the police officers’ mistakes were “accidental” they should have nothing to hide by initiating an investigation. Their failure to do so speaks volumes of their role in hiding this corruption.


  4. The computer was attached to open access on the WEP network. The VPN would be a separate interface so it most certainly could have been hacked into.

    “No matter how the evidence was collected, the evidence is the same”. How can you say that when hundreds of files were changed during those 27 hours? They supposedly had police trained in forensics, so why didn’t they follow the proper protocol?

    With allegations of tampering, police should have proven the authenticity of the search by sending Google a subpoena for the cookies and by verifying it on the Cisco router. Why didn’t they?


  5. If my spouse was murdered, and evidence against the killer was thrown out because a computer received an automated update while the police waited for a search warrant, I would not be fine with that.


    • The problem is the police never looked for Nancy’s killer. They ignored 16 people who saw her jogging, ignored tire tracks and footprints, ignored conflicting stories given by the “friends” and erased two cell phones and destroyed a SIM card. They should be under investigation for corruption. I believe the truth will all come out some day.


    • If your son was accused of murder and the Judge would not allow experts to defend the State’s evidence against him, YOU would not be FINE with that either.


  6. @Nicky F Lup-No one is going to investigate the CPD—the entire town government thinks they did an outstanding job–they don’t want to sully their fine reputation. A number of us went and spoke to the town council, and we contacted town officials–only to be told the same thing–CPD did an outstanding job. No one polices the CPD outside of Cary–no one! Some of us contacted the State Attorney General–same thing–‘you have to contact your local officials–we do not oversee local police departments’. It is so outragious!


  7. The police should have captured the RAM data and taken it off the network at the very least, even before securing the search warrant.

    You are wrong about the evidence not being tainted. Maybe you should watch Mr. Masucci’s testimony.


  8. It’s obvious that CPD destroyed evidence( Nancy’s cell phone)..corrupted the files on the IBM laptop,just to name a few,BUT…A Judge that allows hear-say gossip and doesn’t allow EXPERT testimony for the defense…There folks is where the problem lies, It was very obvious from the begining that the Judge was gonna make SURE the DA’s got a conviction.


  9. Corruption…is what this is…and it is going on in a lot of towns, cities and counties…it seems like people who have guns and a badge…think that they can do just about anything and get by with it…and the sad thing is these are the people who are SUPPOSE to uphold the LAW…and PROTECT the people…I guess it just depends on if you have friends in high places…or relatives who will protect you, no matter what…these good ole boys and girls are like attorneys….”they protect each other…no matter what…and it doesn’t matter if what is going on it “legal and lawful” either…

    Something needs to be done about such as this going on…when innocent people are railroaded for something that they DID NOT DO…and then when they get to court…it continues…to save “face” for those who know better…


  10. Perhaps Nancy received a call or made a call before she left to go running….but I guess no one will really ever know what may or may not have been on the phone…since whatever was there was destroyed….I can not understand how anyone doing an investigation could get by with the things that the Cary Police Department did…and if the telephone had been erased….then the Cary Police Department would have certainly made sure that everyone knew this much about the cell phone….you think?


  11. IIRC, Brad called one of the clique members to ask for the password, he was trying to find the runner NC was training with for the Rock N Roll Marathon in Va Beach. No one knew the runners number or NCs password. Brad would have no reason to erase her phone. Det Young testified he erased the phone. My thoughts are CPD intentionally erased NCs phones, they didn’t want any exculpatory evidence exposed. Det Young is educated enough to know NOT to destroy evidence.


  12. Well if the police thought there was anything incriminating Brad on NCs Blackberry, they would have preserved the evidence, secondly, they would have ordered complete forensic cell phone records to incriminate him — they did not. CPD was responsible for erasing both of NCs phones, failing to order the complete forensic phone records and ignoring the Preservation letter from his Defense attys. These actions SCREAMS cover-up, negligence, and police misconduct.


  13. Brad called Jessica Adam to ask if she had Carey Clark’s phone number. Jessica said to Brad that Carey’s number would be on Nancy’s phone and he told her that Nancy’s phone was locked and he didn’t know the password to unlock it.
    Detective Young certainly did testify that he erased the phone, because he did. I agree that if Brad was guilty, he would have thrown the phone in a lake, and he didn’t – he handed it over to the CPD who tossed it in a drawer and ignored it for nearly 2 weeks!! What kind of police investigation allows detectives to obtain evidence with no chain of custody and then leave it in a drawer in someone’s office while the owner of the evidence is a missing person?
    These actions are those of dishonest and lazy law enforcement officers. They couldn’t be bothered to follow the evidence, they just followed the “gut instincts” of Jessica Adam, who seemed to protest just a little too much.


  14. Pingback: Forensic Protocols Weren’t Followed | Justice For Brad Cooper

Leave a comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s