To some, there are still remaining questions about the destruction of evidence from Nancy Cooper’s Blackberry phone. Was the evidence intentionally destroyed or was it accidental? Detective Young admits that he wiped all of the data from Nancy Cooper’s cell phone and claims it was accidental. The defense offered testimony that indicated the evidence was intentionally destroyed. This post provides accurate details about exactly what happened, including the timeline which is important.
Brad Cooper gave Nancy’s cell phone to police the day she disappeared. The hope was that police would be able to retrieve information from the phone that could potentially help locate her, but according to discovery records they didn’t even bother to look at it while Nancy was still a missing person. There aren’t any notes or even chain of custody records on it until 7/25/08 when it was finally entered into evidence by Detective Dismukes, approximately two weeks after Nancy’s disappearance.
Interestingly, on a recorded interview with Hannah Pritchard, Detective Dismukes asked Hannah if she knew the password to Nancy’s phone. Hannah asked him “Have you still not gotten into the phone?” . Detective Dismukes replied “Oh, we already got what we needed from the phone”. If this is true that they did gain access to the phone there is no record of it.
The defense attorneys sent Cary Police a Preservation letter dated July 30th, 2008. I’m unable to paste the actual letter here, but the content is as follows:
“This is a notice and demand that critical evidence in this matter exists in the form of electronic data contained in your computer systems, cellular phones, and/or Palm, Treo, Blackberry or other PDA device(s) used by Nancy Cooper / Bradley Cooper, included but not limited to any CPU, laptop, flash memory device, floppy disk, compact disc, hard drive, digital video disc, Subscriber Identity Module (SIM) cards or other electronic media be immediately preserved in it’s present state and that there be no spoliation or alteration of their data. This evidence must be immediately preserved and retained until further written notice of the undersigned. This request is essential, as a paper printout of text contained in computer files or SIM cards does not completely reflect all information contained within the electronic files. Additionally, the continued operation of the computer systems identified herein could likely result in the destruction of relevant evidence due to the fact that electronic evidence can be easily deleted, altered or otherwise modified. The failure to preserve and retain the electronic data outlined herein in this notice constitutes spoliation of evidence.”
One would think that after receiving this letter that careful handling of this evidence would be ordered by the detective in charge. There were options that would have ensured that evidence would be carefully preserved but Cary police chose instead to ignore this letter. Ten days after receiving that letter, Detective Young recorded in his notes that he erased ALL data from the phone while trying unsuccessfully to enter a PUK code (pin unlock key). To begin, Detective Young had no forensic training in the handling of digital evidence. Cary police have officers trained in forensics and equipped with forensic tools to retrieve the contents from cell phones. In situations where a phone is password locked, law enforcement or forensic experts use a device known as a Cellebrite to retrieve all data from the phone including text messages, photos, numbers called, contacts, etc. Cary police have that tool, but the phone wasn’t given to the officers trained to use it. Instead of giving the phone to them, and before receiving a search warrant, Detective Daniels tasked Detective Young with performing a “forensic preview” on the Blackberry.
Young claimed that in an attempt to do the preview, he contacted an AT&T representative and submitted a court order to retrieve a PUK code (even though a court order is not necessary since the code can be found on the website). He said he was given instructions on how to use the PUK code (once received) to unlock the phone. But there are no instructions recorded in his notes and no record of the AT&T representative’s name. It was 10 days after the conversation with the AT&T rep that the phone was allegedly wiped of all data using his memorized instructions from the unknown AT&T rep.
It’s important to note that although a PUK code will unlock the phone, Young still would have been unable to perform a “forensic preview”. The blackberry has security features to prevent a non-owner from accessing it. The only way Young would have been able to view the contents would have been through the use of a Cellebrite or other similar forensic tool. Nonetheless, Young claims he was told by the AT&T representative to enter an incorrect password multiple times until prompted to enter a PUK code. He testified that even after seeing the warning “further action will erase all data” he continued to enter an incorrect code believing he would finally be prompted to enter a PUK code.
Young’s account of the instructions is counter to what’s described on the AT&T website, which first describes how to select the screen to enter the PUK code and then provides a warning that entering the incorrect code 10 times will invalidate the SIM card. From the AT&T website:
Get Your Phone’s PUK Code Online
- Go to the Phone/Device page in myAT&T.
- From the My Phone/Device screen, select the Unblock SIM Card link under Manage my phone/device.
- The Unblock SIM screen will display your PUK code and will give you instructions for unblocking your SIM Card.
Once you receive your PUK code, you will need to enter it into your phone to set a new PIN code.
Note: If you enter the wrong PUK code 10 times in a row, your SIM card will be invalidated, and you will need to purchase a new SIM Card. The phone will display the following error: “PUK blocked call operator.”
Erasing the contents of the cell phone AND invalidating the SIM card requires two separate processes, each of which require the password to be incorrectly entered 10 times with warnings along the way that this process will result in the deletion of data. Despite the warnings, he continued. Here is Young’s account of what happened (from his letter to the defense attorney dated June 5, 2009):
“During the course of the investigation regarding the homicide of Nancy Lynn Cooper, I attempted to access the cellular telephone by obtaining a “puck code” from AT&T, which is the service provider for the cellular telephone number assigned to Nancy Cooper, to complete a ‘forensic preview’. In an attempt to execute the “puck code”, which was obtained via a court order from AT&T, which is attached to this document, I completed steps to successfully ‘unlock’ the cellular telephone and in fact ‘wiped out’ any and all information contained on the cellular telephone.
A search warrant was issued to access the cellular telephone (a copy of this search warrant is attached to this document) on September 22, 2008 and executed on September 24, 2008. An examination of the cellular telephone by Cary Police Detective T. Thomas confirmed that there was no data contained on the cellular telephone.” The letter can be found here, page 101.
It’s obvious that Young’s actions were inconsistent with the instructions listed on the website. It’s clear that entering an incorrect code 10 times will erase all data but that is exactly what he did. But that wasn’t the end of it. Despite receiving the preservation letter, opting to completely disregard it AND destroying what could have been exculpatory evidence, they also neglected to notify the defense attorneys that the phone was completely wiped of all data until 11 months later, on June 5th, 2009. This is important because AT&T only keeps detailed records for 9 months. Detailed records can contain photos, text messages, Facebook, calendars and more.
After receiving notification that the phone had been erased, the defense arranged for Ben Levitan, an expert in digital evidence to examine the letter, the explanation of what happened and the phone itself. Mr. Levitan was surprised to find that not only was the phone wiped but the SIM card was also destroyed. His comments on the mishandling of this evidence can be found here. Mr. Levitan’s complete report can be found here: Blackberry_Report
Back to the search warrant for a moment. The search warrant for the phone was received on 9/22/08. Interestingly Young made no mention in the search warrant that the phone had already been erased. On 9/24 Young finally gave the phone to Detective Thomas to examine it with the Cellebrite. No data was found on the phone. According to Mr. Levitan, 9/29 was the date when the SIM card had to have been destroyed since it was no longer updating the time and date.
- Brad gave Cary police the phone on 7/12/08 (the day Nancy disappeared)
- While Nancy was a missing person, Cary police did not attempt to get into the phone to determine Nancy’s recent contacts. (at least according to their records)
- Detective Dismukes told H. Pritchard “we got what we needed from the phone”
- No chain of custody recorded for the phone until it was signed into evidence on 7/25/08.
- Preservation letter from the defense sent to CPD on 7/30/08
- 8/9/08 – Young claimed he erased all data
- 9/22/08 – Young receives search warrant for the phone (yet never mentions in the search warrant that he had already erased it)
- 9/24/08 – Young gives the phone to Thomas to do the forensic exam. No data was found.
- 6/5/09 – CPD finally informs the defense that they erased the phone
- No investigation was ever conducted.
There was no justification for Young to touch that phone. He had the preservation letter, he had access to officers trained in performing forensic exams, RIM Blackberry has a local office and could have been contacted for assistance in accessing the data on the phone, and unlocking the phone with a PUK code wouldn’t have gained him access to the contents. I can’t think of an innocent reason for the destruction of this evidence.
The Cary police chief (Patricia Bazemore) refers to this as a “mistake”. She never ordered an investigation into the circumstances surrounding the chain of custody of the phone, the deletion of all data without a search warrant and willfully ignoring the Preservation letter from the defense. What’s to prevent such a “mistake” from happening again? Nothing. Yet the town manager and mayor stand behind this police department and continue to praise them. They are unconcerned with the public mistrust that has resulted from this trial.
From this point forward, Cary police can eliminate any evidence that doesn’t “fit” with their theory and no one will question them on it. They were able to get away with it, even though the trial was viewed by thousands of people.
The prosecutors made a big deal of the importance of forensic expertise in examining the computer. In fact, they argued against Jay Ward testifying about his findings of tampering because he didn’t have enough forensic training. The judge went along with that. It’s interesting that forensic expertise was key to them, yet their own witnesses, the Cary police detectives completely disregarded all forensic protocols in the handling of the computer that ultimately convicted Brad Cooper. And they disregarded all forensic protocols in the handling of the cell phones. We will never know if there may have been important evidence on that phone, yet there were no repercussions to the destruction of this evidence. This is unacceptable.
Prosecutors claim that the destruction of this evidence was insignificant since they already had the phone records, but that isn’t the point. The point is that they intentionally ignored a preservation letter and with no reasonable explanation they wiped all data permanently from the phone. And it’s been discussed before that there could have been information on the phone that doesn’t appear on records. If the situation were reversed and a defendant had been accused of erasing evidence, a criminal investigation would be ordered. Since it was the police, nothing was or will be done about this.
One final note: Some suggest that maybe Brad somehow “rigged” the phone so that investigators would easily erase the data…that he somehow “set it up to erase”. This doesn’t make sense because Brad would have never been able to imagine that police would attempt to enter codes multiple times. If Brad suspected there was evidence on the phone that was somehow damaging to him, he could have easily disposed of the phone, rather than turning it over to police. If the phone had been properly handled, a copy would have been made and then the data would have been viewed with the Cellebrite and all evidence would have been properly preserved.
The mishandling of this evidence was one of many things that contributed to the unfairness of the trial. This had a big impact on my impression of the police at the conclusion of the trial, as well as the prosecutors who were perfectly willing to make excuses for this and many other items that pointed toward misconduct and unethical behavior.
More testimony about the destruction of the cell phone can be found here.