For those following this case, it is now obvious from comments by the jury foreman that Brad Cooper was convicted based on computer evidence of an alleged Google search of the location where Nancy Cooper’s body was later found. It is clear there are many uncertainties about this evidence because, while the computer was in police custody, forensic protocols weren’t followed, files were altered, passwords were changed, the computer’s time was changed and the drive was not even hashed until several weeks later. Evidence of tampering was found by defense experts and one of the biggest issues of the trial was the judge not allowing the defense experts to testify about their findings. Hearing from these experts would have made it impossible for a jury to convict. One thing that hasn’t been discussed in much detail is the clear discovery violations (Brady violations) involved in the computer evidence.
The computer “evidence” was found in October ’08 by Agent Johnson, FBI. As of May ’09, the defense still hadn’t received a copy of the computer’s hard drive. This is the description of the request for the evidence by the defense:
On May 22, 2009, Mr. Kurtz contacted Special Agent Johnson by telephone. During that conversation, SA Johnson informed Mr. Kurtz that he had completed the copies of DECE 1A and DECE 4 and agreed that Mr. Kurtz could pick them up at the FBI office that afternoon at 4 PM.
Within 2 hours of that agreement, Det. Daniels called Mr. Kurtz and told him that Mr. Cummings (ADA) had told SA Johnson that he was not to give Kurtz the images. Kurtz called Mr. Cummings and expressed his concern that exculpatory and evanescent evidence was being withheld. He also pointed out that it was evidence that the State had agreed to provide and evidence to which the defense was clearly entitled.
On May 27, 2009, Mr. Cummings told Mr. Kurtz that he could not tell Kurtz when he would be given the drive, that he could not tell Kurtz why he was not providing the drive immediately and that he could not explain why it was that he could not answer the preceding questions.
It is clear that the State is not providing the requested information in a timely fashion and that resorting to the Court is the only viable alternative to seek relief.
The defense filed a motion to compel at that time, and shortly after that I believe they received a copy of the hard drive, but none of the other requested items, such as the procedures used to locate the Google files, bench notes from the investigators, and the master file table. All of this was necessary for the defense expert to adequately assess the findings. He would need to compare the extracted files to verify the data, and it would be important to use the same extraction method as the FBI.
Here are some of the responses from the prosecutors to one of the defense motions to compel discovery of the FBI’s procedures, notes and the MFT of the computer – the document can be found here, pages 112-114.
7. That the FBI has provided the defendant with an image copy of the seized computers.
8. That the defendant can, with an expert, conduct an independent examination of identical copies of the hard drives that the State examined.
9. That reports of examinations from FBI SA Johnson and Durham police task force agent C. Chappell have been provided to the defendant.
10. That if there is an issue of fact between evidence the FBI examiner purports to have recovered and the defense expert’s examination, that the Defendant can cross examine the agent on their report.
15. That, according to the attached affidavit of James R. Durie, the FBI routinely asserts that privilege when the CART (computer analysis response team) Standard Operating Procedures (SOP) and other policies are sought, because such disclosure could lead to the development of countermeasures to FBI investigative techniques. Such countermeasures could defeat law enforcement’s ability to obtain forensic data in criminal cases.
16. That the FBI’s SOPs and policies are the same techniques and tools that are used in counter-terrorism and counter-intelligence investigations, meaning that their disclosure could adversely affect the national security of the United States.
19. That the requested discovery is not Brady material, and is not favorable to the defendant.
And here are sections of James Durie’s affidavit to make the case that turning over the information could jeopardize national security:
6. The FBI has always asserted that the documents and materials requested by the defense from the FBI are exempt from discovery pursuant to the “law enforcement sensitive” qualified evidentiary privilege. See In re U.S. Department of Homeland Security, 459 F.3d 565, 569-71 (finding that “in today’s times the compelled production of government documents could impact highly sensitive matters relating to national security. Therefore, the reasons for recognizing the law enforcement privilege are even more compelling now than when prior cases on the 5th district were decided”) (several other court cases are listed and you can read the rest here, pages 118-122).
7. The FBI routinely asserts this privilege because the CART Standard Operating Procedure and other policies sought by the defendant are a step-by-step list of procedures on how the FBI deploys investigational tools in a computer forensics investigation. The examiner’s bench notes essentially track the SOP’s step-by-step. Given the nature of these materials, a computer savvy defendant, criminal enterprise, or foreign power, should they gain access to the notes, could determine the FBI’s techniques, procedures and capabilities in this area. This knowledge could lead to the development and employment of countermeasures to FBI tools and investigative techniques by subjects of investigations and completely disarm law enforcement’s ability to obtain forensic data in criminal investigations. This, in turn, could completely prevent the successful prosecution of criminal cases involving digital evidence, including pornography, computer intrusion, financial fraud, and a variety of white collar crimes.
8. Adding to the sensitive nature of the FBI’s SOP’s and policies in ordinary criminal cases, the same techniques and tools are often used in counter-terrorism and counter-intelligence investigations. Thus, the compromise of the FBI’s investigational tools and methods in a criminal case could have a significant detrimental impact on the national security of the United States.
9. Here the FBI provided to the defense an image copy of the seized computers, and the defendant can hire his own computer forensic defense expert to perform his own independent investigation. If there is an issue of fact between evidence the FBI examiner purports to have recovered and the defense expert’s examination, that can be fully explored at trial by the defense under cross-examination of the FBI agent, or through direct examination of his expert. Access to the SOPs and bench notes will not aid in this avenue of approach, as it will be the defense expert’s own examination that provides the basis for the defense’s questions and evidence.
The police didn’t have to use the FBI to analyze the computers. They could have used the state SBI or other forensic specialists. Using the FBI allowed them to in essence hide the computer evidence from the defense. This sets a dangerous precedent! This means that anytime the State wants to convict someone on digital evidence, all they have to do is have the FBI do the analysis and they won’t have to provide full discovery. I believe the State should be forbidden from contracting the FBI to analyze evidence if it’s going to be used in a way to limit the defense’s abilities to fully address the evidence.
With so many red flags surrounding the computer evidence to begin with, isn’t it suspicious that it went even one step further with the use of “national security” to hide the details of the analysis? I think it is incredibly suspicious. Still, the judge could have ruled against it and ordered that the information be provided to the defense, but he didn’t. Here is a news article referencing his ruling: http://www.wral.com/news/local/story/8199733/nd
This was not a terrorism case. These are alleged Google searches on a computer. Further, the tools used to extract the data are fairly common. Forensic Toolkit is one of them. Likely the FBI used this or something similar and should have provided their methods, bench notes and SOPs to the defense. It is quite difficult to cross-examine a witness with files extracted by a different technique, but that is what the defense was forced to do.
The defense was expected to accept the FBI’s report as proof and not expected to ask to see how they obtained it. They did the best they could with the limited information given, and they had a network security expert fully capable and qualified to testify about exactly what he found on the computer, but the judge wouldn’t allow him to testify about anything forensics-related because the State felt he didn’t have enough forensic training. Therefore, he was unable to testify about the signs of tampering and evidence that the Google files were planted on Brad Cooper’s computer. One important point that must be considered is that it’s a challenge for a defendant to find someone with forensic expertise in computers who isn’t strongly aligned with law enforcement. This becomes an issue because many firms are very hesitant to even take a case that could implicate law enforcement in wrongdoing.
Most who followed the case know that the defense did try to get a second expert to testify. A forensic examiner was prepared to testify after verifying the first expert’s reports and findings. The State again objected – this time they felt they didn’t have enough time to prepare to cross-examine him and they said he wasn’t on the original witness list. So that essentially removed all hope of Brad getting acquitted. However, he did testify as an offer of proof for appeal purposes only. The jury didn’t get to hear this testimony, but the rest of us did and it was compelling.
One more point about this: it turned out that exculpatory evidence was revealed by the FBI agent during questioning. He testified that he searched for evidence of an automated phone call (another unproven allegation) and was unable to find any evidence of this on the computer. Please watch the trial testimony videos to see the discussion of the Brady violations and the exculpatory evidence that was never disclosed to the defense.
Edited to add: The Supreme Court just overturned a conviction because prosecutors failed to turn over exculpatory evidence. The Cooper case had at least 3 instances of this – 1) Bella Cooper saw Nancy Cooper that morning, yet police never provided discovery on that and the judge refused to demand that they do. 2) The FBI found that the computer did not have any evidence of an automated call. 3) The FBI procedures, bench notes and the master file table were not provided to the defense.
“Using brevity as a blunt instrument, the Supreme Court spent very little effort Tuesday in ordering the New Orleans district attorney’s office to provide a new trial in a murder case because prosecutors — using a tactic several times challenged before the Justices — had failed to hand over evidence that could have helped in defending a murder suspect. In a spare four-page opinion, less than two pages of which were legal reasoning, the Court nullified the conviction of Juan Smith of New Orleans for an alleged role in the murder of five people in 1995.”