As many of you are aware, the State computer experts’ testimony wasn’t videotaped, so we were unable to hear it live. This was disappointing because it’s some of the most important testimony of the trial. Now that I’ve had an opportunity to read that portion of the transcript, I would like to share some of the key points from it.
To begin, the State alleged that Brad did a Google map search of the area where his wife, Nancy, was later found dead. They allege that he performed the search at approximately 1:15 PM at his Cisco office the day before Nancy disappeared. Special Agent Chappell described how he found the temporary internet files related to the search and how he believed the screen would have been zoomed in at the time of the search.
I went on to read the rest of his direct testimony and then the defense questioning. There is a lengthy discussion about the specifics of the search itself as well as considerable questioning about how he and Agent Johnson addressed the tampering allegations made by the Defense. For now, I would like to focus on how the agents proceeded to investigate the allegation of tampering because I don’t think many people understand how poorly they handled it. This was the only evidence used to convict Brad Cooper and the experts did next to nothing to either verify or rule out tampering on the computer.
Agent Chappell wrote an anonymous, undated report titled “Refuting the Claim of Evidence Tampering” that was filled with inaccuracies about what occurred on Brad’s computer. Note that during the trial the Defense was finally told the identity of the author. Although there are many inconsistencies with both his testimony and the report, I will highlight some of the key items that stood out to me.
For each item, I will reference the related page of the transcript testimony:
- In an effort to describe the minimal odds that the computer may have been tampered with, Agent Chappell discussed the possibility in his report that MAC filtering may have been enabled. It wasn’t enabled, and there is no explanation given for why he didn’t actually check this before writing the report. (pg. 2)
- In the report he claims that one would be able to discern if files had been modified by looking at the MFT (master file table) – that files would appear out of order if they had been modified. This is incorrect because Windows files do not appear in sequential order; therefore it would be impossible to determine this by simply looking at the order of the files. (pg. 4)
- The timestamps – the 4th timestamp value (entry modified category) showed multiple timestamps as invalid. It is significant that Agent Chappell neglected to mention this in his report, especially since Agent Johnson included in his report (pg. 70) that one possible explanation for invalid timestamps to appear would be the placement of a CD or something from an external source on the machine – a possible indication of tampering. (pg. 6) Also, it’s important to understand that ALL files associated with the search had invalid timestamps, 100% of them. But this didn’t raise red flags to these investigators!
- Agent Chappell stated that he believed the invalid time stamps could have been caused by a forensic tool interpreting the data incorrectly, but Jay Ward’s report indicated the same invalid time stamps and he used a different tool, so clearly the type of tool was not a factor. (pg. 9)
- Agent Johnson’s report on Brad’s laptop made no mention of cookies at all, even though cookies were described in the reports on the other computers. (pg. 40)
- ***** This is the most important finding that can NOT be explained away. ***** There was NO cookie anywhere on the computer corresponding to the search. In fact, there were NO cookies at all for July 11th. There were plenty of cookies the preceding and following days though. The MFT not only lists visible cookies; it also lists deleted cookies. It was checked and there wasn’t even a deleted cookie for the search. (pg. 44)
Why is this so significant? Typically when investigators find incriminating evidence on a computer, such as a Google search like this, it is an important component in the handling of the evidence to verify when and by whom the search was performed. One simple and common way to do this is to subpoena the company where the search originated – in this case – Google. Using the cookie, Google would be able to easily supply law enforcement with the time of the search, the date of the search and the IP address it originated from. But conveniently, there is NO cookie from that search to track!
There is NO reasonable explanation for the non-existent cookie. Some have suggested that maybe private browsing was used for the search and that removes cookies and temporary files after one logs off, but Agent Johnson testified that there was no evidence of private browsing on that computer. Plus, if private browsing had been used, it wouldn’t have just removed the cookie, it would have also removed the temporary internet files. As well, investigators have tools that can easily locate files that appear to have been erased through private browsing. Logically it makes no sense that Brad would go to great lengths to ensure that no cookie would ever be found BUT leave the temporary internet files on the machine! No way would anyone do that. It doesn’t make any sense at all. (pg. 53)
Hypothetically, if one were to plant evidence on a computer to frame someone, they would be certain not to leave behind a cookie, because it would certainly be traced back to the person who planted it, NOT to the victim of the framing! Is this perhaps the reason that law enforcement never subpoenaed Google for the cookies? Even though no cookies were associated with the search, they could have tried to use later cookies to trace the Google activity from earlier.
- Despite the fact that there was NO cookie corresponding to that search, Agent Chappell wrote in his report that a cookie corroborated this specific visit to Google. In testimony he had to admit that this was incorrect and that no cookie exists for the search. (pg. 49)
THEN on re-direct, prosecutor Zellinger suggested that one wouldn’t expect to find a cookie if the person had visited the site recently – that a new cookie wouldn’t be created. Agent Chappell agreed, knowing that additional Google cookies were created the following day! It is absolutely untrue that there shouldn’t have been Google cookies for July 11th. So let’s think about this – Google searches on 7/10 – cookies found. Google searches on 7/12 – cookies found. Google searches on 7/11 – NO cookies and that didn’t raise any red flags to them? Of course it did. It had to! But they went right along and presented this so-called “evidence” as if it could be trusted!
- Agent Chappell also included information in the report about the significance of failed login attempts as a sign of possible tampering and went on to describe how there were NO failed login attempts after police took custody of the computer. That was incorrect too. In fact, there were 3 invalid login attempts visible on the registry logs. (pg. 83)
- There is also record of administrator account access on the computer – at a time when Brad was already logged in! (pg. 82)
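The cross-check argued above (temporary internet files present for a day, but no live or deleted cookie in the MFT for that day) can be expressed as a small script. This is an added example, not part of the original post or any examiner's tooling; the `Artifact` fields, the `review` function and the sample records are constructed assumptions, and a flagged day is a lead for follow-up rather than a conclusion.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Artifact:
    kind: str              # "cookie" or "cache" (temporary internet file)
    site: str              # site the artifact belongs to
    day: date              # day of the recorded activity
    deleted: bool          # True if only a deleted MFT record remains
    entry_mod_valid: bool  # False if the MFT "entry modified" timestamp is invalid

# Constructed sample records for illustration only; not data from the case.
SAMPLE = [
    Artifact("cookie", "maps.example", date(2000, 1, 10), False, True),
    Artifact("cache", "maps.example", date(2000, 1, 10), False, True),
    Artifact("cache", "maps.example", date(2000, 1, 11), False, False),
    Artifact("cache", "maps.example", date(2000, 1, 11), False, False),
    Artifact("cache", "maps.example", date(2000, 1, 11), False, False),
    Artifact("cookie", "maps.example", date(2000, 1, 12), True, True),
    Artifact("cache", "maps.example", date(2000, 1, 12), False, True),
]

def review(artifacts):
    """Return one finding per (site, day) that has cache files but no cookie."""
    cookies = set()
    cache = defaultdict(list)
    for a in artifacts:
        key = (a.site, a.day)
        if a.kind == "cookie":
            cookies.add(key)  # deleted cookies count: the MFT still lists them
        elif a.kind == "cache":
            cache[key].append(a)
    findings = []
    for key in sorted(cache):
        if key in cookies:
            continue
        files = cache[key]
        invalid = sum(1 for f in files if not f.entry_mod_valid)
        findings.append({
            "site": key[0],
            "day": key[1],
            "cache_files": len(files),
            "invalid_entry_modified": invalid,
            "all_invalid": invalid == len(files),
        })
    return findings
```

On the constructed sample, only the middle day is reported, because the third day's cookie survives as a deleted MFT record.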
I’m planning to write a separate article to cover some of Agent Johnson’s testimony about the computer evidence, but I want to mention a few important facts that were revealed in both agents’ testimony:
- They didn’t look at the Cisco CSA (security) logs.
- They didn’t look at any router logs (pg. 59) or make any attempt to retrieve them from Cisco to try to verify the search.
- The registry keys were last set at a time when Brad was already out of the house on 7/16.
- Agent Johnson admitted that it is easy to change the time on a computer to make it appear that certain activity occurred at a certain time.
- The index.dat files were modified on 7/16 but there was no mention of this in the report.
- Among the 600+ files that were modified after police took custody of the computer, some of them were security files. Agent Johnson could not explain why they would have been modified, and it wasn’t due to some type of update because the changes occurred at varying times.
- Even though the State knew the Defense made allegations of tampering well before the trial, Agent Chappell didn’t even write up an (inaccurate) report until a month before he testified, although it wasn’t dated so who even knows when it was written. It’s clear this was an afterthought to throw something together to make it appear as if they took the tampering allegation seriously.
One can only conclude that there was no genuine attempt made by these experts to rule out tampering. The reports are completely inaccurate and what’s most upsetting about it is the fact that they were written by so-called “forensic experts”.
Agent Chappell was permitted to testify about the alleged tampering but Jay Ward wasn’t, even though he has many years of experience investigating networks for signs of intrusion. We didn’t get to hear much about most of his findings. Why? Because he didn’t have a “forensic” certificate, which by the way can be purchased now for $500 online. Anyone can get one. Jay knew exactly what to look for to identify signs of intrusion and tampering and he spent a great deal of time investigating the computer and log files because that is his area of expertise. The FBI agents in this case are likely skilled at using forensic tools to extract and investigate data from computers. After reading about their forensic experience, it is clear that they are not experienced in investigating for signs of intrusion and tampering. The defense expert IS, but the judge refused to see that.
If the prosecutors were ethical people, I believe they would have hired someone like Jay Ward to thoroughly go over the computer. This was something to be taken very seriously but they chose to downplay it and do all that they could to prevent the jury from hearing about it even though this would determine a man’s fate. They had to “win” so they didn’t play fairly. They didn’t do everything possible to seek the truth about the tampering and to seek the truth about the Google search. It is the responsibility of the prosecutors to seek the truth, not to “win at all costs”.
After reviewing all of this, I’m even more puzzled about the guilty verdict. Even though the jurors weren’t able to hear from Jay Ward or Giovanni Masucci, I believe there was enough evidence of tampering revealed during cross examination of the State witnesses. We can only hope that Brad will soon get another chance to prove what is already obvious – the computer was tampered with, the files were planted, and Brad was framed.