Cary police destroy evidence in the Nancy Cooper murder investigation

To some, there are still remaining questions about the destruction of evidence from Nancy Cooper’s Blackberry  phone. Was the evidence intentionally destroyed or was it accidental?  Detective Young admits that he wiped all of the data from Nancy Cooper’s cell phone and claims it was accidental. The defense offered testimony that indicated the evidence was intentionally destroyed.  This post provides accurate details about exactly what happened, including the timeline which is important.

Brad Cooper gave Nancy’s cell phone to police the day she disappeared.  The hope was that police would be able to retrieve information from the phone that could potentially help locate her, but according to discovery records they didn’t even bother to look at it while Nancy was still a missing person. There aren’t any notes or even chain of custody records on it until 7/25/08 when it was finally entered into evidence by Detective Dismukes, approximately two weeks after Nancy’s disappearance.

Interestingly, on a recorded interview with Hannah Pritchard, Detective Dismukes asked Hannah if she knew the password to Nancy’s phone. Hannah asked him “Have you still not gotten into the phone?” . Detective Dismukes replied “Oh, we already got what we needed from the phone”.  If this is true that they did gain access to the phone there is no record of it.

The defense attorneys sent Cary Police a Preservation letter dated July 30th, 2008.  I’m unable to paste the actual letter here, but the content is as follows:

“This is a notice and demand that critical evidence in this matter exists in the form of electronic data contained in your computer systems, cellular phones, and/or Palm, Treo, Blackberry or other PDA device(s) used by Nancy Cooper / Bradley Cooper, included but not limited to any CPU, laptop, flash memory device, floppy disk, compact disc, hard drive, digital video disc, Subscriber Identity Module (SIM) cards or other electronic media be immediately preserved in it’s present state and that there be no spoliation or alteration of their data.  This evidence must be immediately preserved and retained until further written notice of the undersigned.  This request is essential, as a paper printout of text contained in computer files or SIM cards does not completely reflect all information contained within the electronic files.  Additionally, the continued operation of the computer systems identified herein could likely result in the destruction of relevant evidence due to the fact that electronic evidence can be easily deleted, altered or otherwise modified.  The failure to preserve and retain the electronic data outlined herein in this notice constitutes spoliation of evidence.”

One would think that after receiving this letter that careful handling of this evidence would be ordered by the detective in charge. There were options that would have ensured that evidence would be carefully preserved but Cary police chose instead to ignore this letter. Ten days after receiving that letter, Detective Young recorded in his notes that he erased ALL data from the phone while trying unsuccessfully to enter a PUK code (pin unlock key).  To begin, Detective Young had no forensic training in the handling of digital evidence. Cary police have officers trained in forensics and equipped with forensic tools to retrieve the contents from cell phones.  In situations where a phone is password locked, law enforcement or forensic experts use a device known as a Cellebrite to retrieve all data from the phone including text messages, photos, numbers called, contacts, etc. Cary police have that tool, but the phone wasn’t given to the officers trained to use it. Instead of giving the phone to them, and before receiving a search warrant, Detective Daniels tasked Detective Young with performing a “forensic preview” on the Blackberry.

Young claimed that in an attempt to do the preview, he contacted an AT&T representative and submitted a court order to retrieve a PUK code (even though a court order is not necessary since the code can be found on the website). He said he was given instructions on how to use the PUK code (once received) to unlock the phone.  But there are no instructions recorded in his notes and no record of the AT&T representative’s name. It was 10 days after the conversation with the AT&T rep that the phone was allegedly wiped of all data using his memorized instructions from the unknown AT&T rep.

It’s important to note that although a PUK code will unlock the phone, Young still would have been unable to perform a “forensic preview”. The blackberry has security features to prevent a non-owner from accessing it. The only way Young would have been able to view the contents would have been through the use of a Cellebrite or other similar forensic tool.  Nonetheless, Young claims he was told by the AT&T representative to enter an incorrect password multiple times until prompted to enter a PUK code. He testified that even after seeing the warning “further action will erase all data” he continued to enter an incorrect code believing he would finally be prompted to enter a PUK code.

Young’s account of the instructions is counter to what’s described on the AT&T website, which first describes how to select the screen to enter the PUK code and then provides a warning that entering the incorrect code 10 times will invalidate the SIM card. From the AT&T website:

           Get Your Phone’s PUK Code Online

  1. Go to the Phone/Device page in myAT&T.
  2. From the My Phone/Device screen, select the Unblock SIM Card link under Manage my phone/device.
  3. The Unblock SIM screen will display your PUK code and will give you instructions for unblocking your SIM Card.

Once you receive your PUK code, you will need to enter it into your phone to set a new PIN code.

Note: If you enter the wrong PUK code 10 times in a row, your SIM card will be invalidated, and you will need to purchase a new SIM Card. The phone will display the following error: “PUK blocked call operator.”

Erasing the contents of the cell phone AND invalidating the SIM card requires two separate processes, each of which require the password to be incorrectly entered 10 times with warnings along the way that this process will result in the deletion of data.  Despite the warnings, he continued. Here is Young’s account of what happened (from his letter to the defense attorney dated June 5, 2009):

“During the course of the investigation regarding the homicide of Nancy Lynn Cooper, I attempted to access the cellular telephone by obtaining a “puck code” from AT&T, which is the service provider for the cellular telephone number assigned to Nancy Cooper, to complete a ‘forensic preview’.  In an attempt to execute the “puck code”, which was obtained via a court order from AT&T, which is attached to this document, I completed steps to successfully ‘unlock’ the cellular telephone and in fact ‘wiped out’ any and all information contained on the cellular telephone.

A search warrant was issued to access the cellular telephone (a copy of this search warrant is attached to this document) on September 22, 2008 and executed on September 24, 2008.  An examination of the cellular telephone by Cary Police Detective T. Thomas confirmed that there was no data contained on the cellular telephone.”  The letter can be found here, page 101.

It’s obvious that Young’s actions were inconsistent with the instructions listed on the website.  It’s clear that entering an incorrect code 10 times will erase all data but that is exactly what he did.  But that wasn’t the end of it. Despite receiving the preservation letter, opting to completely disregard it AND destroying what could have been exculpatory evidence, they also neglected to notify the defense attorneys that the phone was completely wiped of all data until 11 months later, on June 5th, 2009.  This is important because AT&T only keeps detailed records for 9 months. Detailed records can contain photos, text messages, Facebook, calendars and more.

After receiving notification that the phone had been erased, the defense arranged for Ben Levitan, an expert in digital evidence to examine the letter, the explanation of what happened and the phone itself.  Mr. Levitan was surprised to find that not only was the phone wiped but the SIM card was also destroyed.  His comments on the mishandling of this evidence can be found here. Mr. Levitan’s complete report can be found here: Blackberry_Report

Back to the search warrant for a moment.  The search warrant for the phone was received on 9/22/08.  Interestingly Young made no mention in the search warrant that the phone had already been erased.  On 9/24 Young finally gave the phone to Detective Thomas to examine it with the Cellebrite.  No data was found on the phone. According to Mr. Levitan, 9/29 was the date when the SIM card had to have been destroyed since it was no longer updating the time and date.

To summarize:

  1. Brad gave Cary police the phone on 7/12/08 (the day Nancy disappeared)
  2. While Nancy was a missing person, Cary police did not attempt to get into the phone to determine Nancy’s recent contacts. (at least according to their records)
  3. Detective Dismukes told H. Pritchard  “we got what we needed from the phone”
  4. No chain of custody recorded for the phone until it was signed into evidence on 7/25/08.
  5. Preservation letter from the defense sent to CPD on 7/30/08
  6. 8/9/08 – Young claimed he erased all data
  7. 9/22/08 – Young receives search warrant for the phone (yet never mentions in the search warrant that he had already erased it)
  8. 9/24/08 – Young gives the phone to Thomas to do the forensic exam.  No data was found.
  9. 6/5/09 – CPD finally informs the defense that they erased the phone
  10. No investigation was ever conducted.

There was no justification for Young to touch that phone.  He had the preservation letter, he had access to officers trained in performing forensic exams, RIM Blackberry has a local office and could have been contacted for assistance in accessing the data on the phone, and unlocking the phone with a PUK code wouldn’t have gained him access to the contents. I can’t think of an innocent reason for the destruction of this evidence.

The Cary police chief (Patricia Bazemore) refers to this as a “mistake”.  She never ordered an investigation into the circumstances surrounding the chain of custody of the phone, the deletion of all data without a search warrant and willfully ignoring the Preservation letter from the defense.  What’s to prevent such a “mistake” from happening again?  Nothing.  Yet the town manager and mayor stand behind this police department and continue to praise them.  They are unconcerned with the public mistrust that has resulted from this trial.

From this point forward, Cary police can eliminate any evidence that doesn’t “fit” with their theory and no one will question them on it.  They were able to get away with it, even though the trial was viewed by thousands of people.

The prosecutors made a big deal of the importance of forensic expertise in examining the computer.  In fact, they argued against Jay Ward testifying about his findings of tampering because he didn’t have enough forensic training.  The judge went along with that.  It’s interesting that forensic expertise was key to them, yet their own witnesses, the Cary police detectives completely disregarded all forensic protocols in the handling of the computer that ultimately convicted Brad Cooper.  And they disregarded all forensic protocols in the handling of the cell phones.  We will never know if there may have been important evidence on that phone, yet there were no repercussions to the destruction of this evidence.  This is unacceptable.

Prosecutors claim that the destruction of this evidence was insignificant since they already had the phone records, but that isn’t the point.  The point is that they intentionally ignored a preservation letter and with no reasonable explanation they wiped all data permanently from the phone. And it’s been discussed before that there could have been information on the phone that doesn’t appear on records.  If the situation were reversed and a defendant had been accused of erasing evidence, a criminal investigation would be ordered.  Since it was the police, nothing was or will be done about this.

One final note: Some suggest that maybe Brad somehow “rigged” the phone so that investigators would easily erase the data…that he somehow “set it up to erase”. This doesn’t make sense because Brad would have never been able to imagine that police would attempt to enter codes multiple times.  If Brad suspected there was evidence on the phone that was somehow damaging to him, he could have easily disposed of the phone, rather than turning it over to police. If the phone had been properly handled, a copy would have been made and then the data would have been viewed with the Cellebrite and all evidence would have been properly preserved.

The mishandling of this evidence was one of many things that contributed to the unfairness of the trial.  This had a big impact on my impression of the police at the conclusion of the trial, as well as the prosecutors who were perfectly willing to make excuses for this and many other items that pointed toward misconduct and unethical behavior.

More testimony about the destruction of the cell phone can be found here.

Advertisements

10 thoughts on “Cary police destroy evidence in the Nancy Cooper murder investigation

  1. Common sense on this topic would have gone a very long way….it is interesting that no notes were taken on how to do what needed to be done…Since Young did not have any training in dealing with information such as this….when why on earth did he mess with it to begin with…(RED FLAG)….Did someone give him instructions to do this? Young contacted AT&T and DID NOT make any notes on what he was being told to do (RED FLAG AGAIN)….Did the *warnings* not mean anything to him? (Common sense again)….This indicates that it was indeed CORRUPTION and COVER UP….and NO ONE made it a BIG DEAL….someone should have been help responsible and accountable for what they did….and yet NO ONE has even mention that what the Cary Police Department and Detectives did mattered…..(BIG RED FLAG)….HEADS should have ROLLED….and then what was strange was they EVEN ADMITTED in court what they did….OMG…I guess they knew that they could NOT get by with just saying…they did NOT KNOW WHAT HAPPENED….YEP….CORRUPTION AND COVER UP…and they GOT BY WITH DOING IT…..

    Like

  2. This is an excellent summation of what happened. Now, the question is, what will authorities in the state of North Carolina do about this? How can you have Police Departments operating in a willy nilly fashion, allowing unauthorized people to destroy valuable evidence in a murder trial? Detective Young lacked the training and expertise to forensically examine that cell phone, yet there were no protocols in place preventing him from doing so. How can the Cary Police Dept. hope to accurately and successfully solve crimes, when there is a total lack of internal controls and procedures within their Dept.? How can the people of Cary feel safe with their level of Police protection, when the Police are not following laws? Brad Cooper has been wrongly convicted. Based on the facts in this case, he needs to be set free.

    Like

  3. I came across this case after seeing a segment on it from Dateline. After seeing the program, and knowing how slanted these programs are, I decided to do some research on my own. That’s when I got a big smile on my face. I saw Jay Ward’s name associated with the case. I scrambled to try and find his testimony online and when I found video of it, it brought back many a good memory. Frankly, I’m surprised that he didn’t explode at the prosecutor during cross-examination. I could tell by his mannerisms that he was none too pleased at having to answer such silly questions and to have his integrity questioned. He’s a unique individual, and I know I am not likely to meet someone like him again.

    I’m not certain exactly what Jay’s role was in this whole case, but in my heart of hearts, I can tell you that if he says something, you can take it to the bank. I have known and worked with him before in a past life and I can honestly say that he’s one of the most competent and well rounded security technologists that I have ever had the pleasure to work with.

    In my experience, it has been dangerous to underestimate him and his abilities despite his generally easy going nature. If you’ve ever met him, it may have been obvious that there’s a fire in his eyes and a quickness of speech when he gets to talking about things he’s passionate about.

    I found it quite laughable that any judge would not allow him to testify about any nature of computing. If I am not mistaken, he doesn’t get certified for the sake of getting certified as he understands that certifications mean very little, if anything, and that those that are most competent don’t necessarily require them.

    I’ll try and find him online to send him an email and reconnect, but if for some reason you talk to him, tell him “Puckhead” says hello. He’ll understand. 🙂

    Like

    • Thank you for sharing that. I believe of all the mistakes of the trial, not allowing Jay to testify about his findings was the biggest. Had the jury been allowed to hear from him, the outcome likely would have been different.

      Mr. Masucci testified about the computer and he confirmed Jay’s findings. The jury didn’t get to hear that either (it was only for appeal purposes).

      Like

  4. This trial made me sick. I have never seen such a nightmare carried out in a public legal setting personally before.

    To answer the question “What will the authorities in NC do about” any of the above is:

    Nothing.

    Hoping he gets a new trial and hoping that someone finally connects the five or six “random” murders that have happened in this area since 2006 and gets past the need to trump up numbers for Federal Domestic Violence monies.

    Like

  5. Something which needs to be clarified in this story is the ambiguity of the term “unlock” with respect to mobile phones. In some contexts, it means to get past the screen lock which prevents access to using the phone and its data (screen lock.) In other contexts, it means to remove a limitation on the phone that it can only be used with a specific mobile phone service (carrier lock.) Less often, the term “unlock” is confused with rooting or jail breaking which is removal of the limitation that the phone can only install apps from a given app store. This can be thought of as app store locking.

    It sounds like detective Young was trying to remove a carrier lock when caused the data to be deleted. If so, this is not just a lack of knowledge of forensics but a total lack of understanding of how mobile devices work. The carrier lock has nothing to do with access to data so an AT&T representative might well have misunderstood the situation as being like the common situation where someone has purchased a used phone and needs to move it to another carrier. In that case, you don’t care about the data and just go ahead and wipe it so you can use the phone. If this is what happened it’s an idiotic misunderstanding.

    Like

      • Right, actually the more important point is that the PUK applies to data stored on the SIM card and not data in the phone’s internal flash memory. The same situation would apply as for the carrier lock with respect to a person buying a used phone. The SIM card would have data belonging to the buyer (though it has very limited capacity, typically only used for contact information) and it’s perfectly reasonable to wipe the internal memory of the new phone, which may or may not have data from the previous user, in order to get access to the SIM.

        Like

        • That’s interesting. I didn’t realize the PUK code accessed data from the SIM card and not the phone itself. Why would this cop be asking for a PUK code instead of a code to unlock the actual phone due to password protection? The whole thing is crazy because he should have just asked the SBI or a forensic expert to retrieve the data from the phone. Instead he opted to fiddle around with it on a Saturday afternoon 10 days after receiving a preservation letter from the defense to handle electronic evidence with care.

          Like

Leave a comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s