Earlier I discussed how the Cary Police failed to follow protocols while seizing the computers. Remember that police entered the Cooper home at just after 3PM on July 15th ’08 and from that time on the computers were officially in police custody. And remember that there was a 27 hour window when the computer remained on and connected to the internet. Events occurred on the computer that could not be attributed to normal updates. All of the activity is extremely suspicious when combined with the fact that there is so much evidence that the Google map files aren’t even valid files. It is impossible to overlook these things and blindly accept the “evidence” of the map search.
Note that all discussion is limited to the IBM Thinkpad, where the alleged Google Maps search occurred. The date/time on the computer was last edited July 15, 2008 at 21:00 UTC, which was several hours after it was in police custody. Timestamps were changed and the prosecution’s witness, Officer Chappell testified that they were last set while the computer was in police custody. How can this be explained as “normal” activity? Why was the time/date changed? Since Officer Chappell didn’t address these things, the jury really needed to hear all of the specifics about this from the defense experts, but the prosecutor and judge made sure that didn’t happen.
In addition to the time/date changes, passwords were also changed. Officer Chappell never referenced the passwords in his report and he testified that he never includes the password details but he did in fact include password information in his report on other computers tested. The password WAS changed while in police custody which was evidenced by a resulting update to Brad’s User Profile. Again, Jay Ward was prepared to discuss all of this evidence which was found on the computer logs but he was never given the opportunity.
In addition to the normal password, the administrator password was also changed. The computer didn’t have the current local administrator password issued by Cisco, and according to Cisco Brad would not have known the administrator password, nor would he need it since he already had administrator privileges through his own account. The password also didn’t match up with any of the prior administrator passwords used. There were three consecutive log-in attempts to the administrator account with the final one occurring at 3:10PM on July 15th.
Finally, the internet history files were modified on July 16th, almost 24 hours after Brad left the house and police had custody of the computer. All .dat files were modified, including the history file that allegedly included the Google Maps files.
The state’s computer witnesses were aware of the allegations of tampering. They stated that they found no evidence of tampering, yet they could not address specifically how they ruled it out. The forensic tools used to extract data are not designed to pick up signs of tampering; they simply carve out data. Even though they acknowledged that files on the MFT had been altered, they never investigated the reasons for the altered files or verified the authenticity of the Google search. That could have been accomplished both by obtaining the cookie data from Google and by requesting router information from Cisco to verify that the search originated from the IBM Thinkpad. Neither the police nor the FBI did either of these things.
A summary of computer related facts:
- Cary Police neglected to follow forensic protocols – the computer was left on and connected to the internet for 27 hours while in police custody.
- During that 27 hour time frame, close to 700 files were altered, and they were not all due to normal updates. These included internet history files and email archives.
- The computer wasn’t hashed until August 22nd, ’08 so files could have been planted on the computer anytime up until that point.
- All of the timestamps associated with the “search” were invalid, 100% of them, compared to only 2% over the lifetime of the computer.
- The Cary Police neglected to subpoena Google for the cookie data on the computer, even though it is a common thing for law enforcement to do to verify that files originated from the computer being investigated. Even cookies from after the search could have provided the browsing history.
- Cary Police never requested verification of the search through the Cisco routers.
- No cookie exists for the alleged search. This is suspicious because it is the only type of file that cannot be manufactured.
- No cookie exists but the temporary internet files were there. There is no explanation why anyone would take the time to delete the cookies but leave the temporary internet files.
- Cookies for other searches were found on the computer.
- The alleged search lasted a total of 42 seconds, not long enough to locate a site to place a body.
- Passwords were changed.
- Time/date and timestamps were changed while the computer was in police custody.
- The prosecutors used “national security” concerns as a reason not to share the MFT and file extraction methods with the defense team so that their own experts could duplicate the file extraction.
- Chain of custody documentation is unclear.
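The two procedural gaps the summary keeps returning to, hashing the evidence immediately at seizure and keeping a chain of custody record, are easy to illustrate in code. The following is an added example written for this post, not software from the case or from any agency involved: it hashes a constructed stand-in for a disk image at the moment of seizure, appends each handling step to a custody log, and then shows that a later modification (the kind that happens when a seized machine is left running) is detected only because a baseline hash exists. The file name and the log format are assumptions for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so even large images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody_event(log, path, actor, action):
    """Append one chain-of-custody entry: who did what, when, and the hash at that moment."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "path": path,
        "actor": actor,
        "action": action,
        "sha256": sha256_file(path),
    }
    log.append(entry)
    return entry


def verify_integrity(log, path):
    """Compare the evidence's current hash with the hash recorded at seizure.

    Returns (ok, baseline_hash, current_hash). Without a baseline entry there is
    nothing to compare against, which is the situation the post describes when
    hashing is delayed for weeks.
    """
    if not log:
        raise ValueError("no baseline hash recorded at seizure")
    baseline = log[0]["sha256"]
    current = sha256_file(path)
    return baseline == current, baseline, current


def demo():
    """Walk through seizure, baseline hashing, a post-seizure change, and detection."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for an acquired disk image (hypothetical file name).
        image = os.path.join(d, "thinkpad.img")
        with open(image, "wb") as f:
            f.write(b"constructed sample index.dat contents\n" * 100)

        log = []
        record_custody_event(log, image, "seizing officer", "image acquired at seizure")
        ok_before, _, _ = verify_integrity(log, image)

        # Simulate the machine being left on after seizure: a history file changes.
        with open(image, "ab") as f:
            f.write(b"constructed entry written after seizure\n")
        record_custody_event(log, image, "evidence technician", "image re-hashed before analysis")
        ok_after, baseline, current = verify_integrity(log, image)

        return ok_before, ok_after, baseline != current, len(log)


if __name__ == "__main__":
    print(demo())
```

The point of the example is the ordering: the hash recorded in the first custody entry is what makes the later mismatch meaningful. If the first hash is only taken after the modification, as the post says happened on August 22nd, the comparison succeeds and the intervening changes are invisible to this check.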