More about the cursor files, national security and the defense motion for mistrial

For those who didn’t follow this case, Brad Cooper was convicted of 1st degree murder for the death of his wife, Nancy Cooper in May, 2011.  Although the State presented a lot of circumstantial evidence, the defense team was able to address every item and there was no evidence remaining to connect Brad in any way to the murder….except for Google search files found on his computer.  The State alleged that Brad did a Google map search that included an image of the location where Nancy’s body was later found and they allege that he did the search a day before she disappeared.

There is no denying that this was compelling evidence; however, the search simply wasn’t logical since Brad was a computer engineer and would certainly understand that the files would easily be found on his computer, the search in question was only 42 seconds long, and there was no searching around as the cursor made a bee-line directly to the area where the body was later found and then zoomed in several times. None of it seemed believable.

As it turns out, there are several indicators that Brad didn’t do the Google search.  The computer experts working with the defense team found several indications of tampering on the computer and strong evidence that the files were planted on his computer sometime after police took custody of the computer.  It was therefore a huge blow to the case when the judge barred their key expert (Jay Ward) from testifying about his findings – stating that he wasn’t a “forensic” expert.  He was in fact a network security expert, skilled in identifying signs of tampering and intrusion to networks, hired by companies to secure their networks. He knew what to look for and he found the proof that could clear Brad, but the jury didn’t get to hear any testimony from the defense about the specific files found on Brad’s computer.  Mr. Ward was permitted to testify, but only as a network security expert – thus barring him from discussing what the jury really needed to hear.

I previously wrote a brief article about the anomalies associated with the cursor files found on Brad’s computer. Sine then, I’ve had an opportunity to read the section of the transcript pertaining to Special Agent Johnson’s testimony about the Google search and specifically the cursor files. Agent Johnson of the FBI was the State’s computer forensic expert. The testimony was blacked out so most of us didn’t have an opportunity to hear it.  I realize that this type of information is rather technical and difficult for some to follow, but I will try to simplify it as much as possible.  In my opinion, this is the most important part of the trial so it is very important to devote your time and attention to it if you really want to understand why many (including myself) believe the Google Map files were planted on Brad’s computer.

The Defense called Agent Johnson as their first witness.  Please refer to the transcript here.

The cursor file has 4 time stamp columns, known as the MACE values (create, modify, access and entry modified).  This is the exact cursor file found on Brad’s computer corresponding to the Google map search:

1) Notice that the timestamps are identical across all columns for open hand and closed hand files.  In a dynamic search such as a cursor moving across the screen and clicking, the access time should be different than the creation time.  The time should increment to reflect the activity of the cursor, but as you can see, they did not. Please listen to this very brief clip of Jay Ward’s testimony.

2) According to testimony from Jay Ward and Agent Johnson, a possible explanation for the identical timestamps is files being physically placed onto the hard drive from another source, such as a CD ( in other words, if someone dropped the files onto his machine). The Invalid time stamp could also be a result of that.  (100% of the timestamps associated with the search were invalid, compared to less than 2% over the lifetime of the computer).

3) When the defense questioned Johnson about how he would expect the times to update, he said he didn’t know and didn’t look at it.

4) Officer Chappell and SA Johnson duplicated the “search” and there is a screen shot of the cursor files, but only the first column is visible.  Brad’s attorney, Mr. Kurtz requested to see the document but the judge refused to allow it based on a ruling made in 2010 that the defense would be unable to have any of the FBI methods and procedures used to analyze the computer because it could jeopardize national security. Do you believe that?

But this wasn’t a method.  He was simply asking to see the file that was generated by the agents when they duplicated the Google search.  The judge refused to allow Mr. Kurtz to even question Agent Johnson about whether sharing the document would jeopardize national security.

5) Then Brad’s attorney asked Agent Johnson if he would duplicate the search on a Vista computer that was in the courtroom.  (Brad had Vista OS on his computer. )  The judge was considering it, but the prosecutor argued and eventually convinced the judge to disallow it.  Mr. Kurtz was willing to allow him to perform the search on any computer in the courtroom, and remember this is the State’s witness.  If any bias were to exist it would be in favor of the State.  This was so significant because the courtroom test would have revealed to the jurors that the timestamps do indeed update when this search is performed.

6) This is included in the above link to the transcript, but I want to highlight this because I know many don’t have time to read all of it. Mr. Kurtz asked Agent Johnson if he still had the data from the duplication of the Google search.

Voir Dire (Jury was not present)

Q. Do you still have the test data?

A. I’m sure we do.  I — I believe that was a large part of Officer Chappell’s testimony.

Q. Is there any way — is — the test data that resulted from Officer Chappell and your testing, is that particular data in any way a jeopardy to national security if it was disclosed to us?

Mr. Zellinger (prosecutor): Your Honor, I’m going to object.  This is far outside the scope of determining whether that computer is proper for an examination.  And — and we’re also delving into a — an issue of law here for the Court and not for Agent Johnson.

Mr. Kurtz: Well, Judge, there is  potentially a piece of information that exists on Mr. Cooper’s computer that could say definitely that this material was planted, absolutely definitive. I may be wrong.  Special Agent Johnson’s testing may indeed be that it all has the exact same millisecond all the way across.  I don’t think I’m wrong.

Now, one way or the other, whether it’s having a — a test done on a Vista machine now and seeing what it — what it actually shows or giving us access to the original test data, which I don’t believe has any national security ramifications since it deals with a Google map test.  One way or the other, we should be entitled to this information as it could be tremendously exculpatory.

The Court: Upon reconsidering this issue about this in-court test, pursuant to Rule 403, I’m going to sustain the objection and exclude any testing in Court because of the differences in the equipment and the statements made by this witness that this is not the appropriate place to do it. We need to bring the jury back in.  And regarding the national security issue, that is a matter that we have already ruled on.  It is something I have already dealt with.

Mr. Kurtz: But, Your Honor, there is a witness on the stand that can answer specifically whether this is an issue of national security.  And I’m not even going to be allowed to ask that question?

The Court: I believe I’ve already determined, because of the rules of the — and the discovery process that you are not entitled to get those things.

Mr. Kurtz: So my understanding is, the — the rules and the discovery process, we’re hiding behind national security on an issue where we could get a clear answer from a witness that this is not in fact a national security issue.  And we’re talking about a piece of information that could be exculpatory to Mr. Cooper.

Mr. Zellinger: Your Honor, first of all, the exculpatory information is already in the Defendant’s possession.  He has all the files.  The fact that his expert is – his expert can’t speak to that is what the issue is before the Court.  But as to any exculpatory information, all that has been given to the defendant.  All those computer files have been given to the Defendant.  So I — I want to just take issue with that and I — I just wanted to put that on the record, as to the rest regarding —

Mr. Kurtz: Your Honor, that — that is an inaccurate statement because we’re not talking about data from this computer.  We’re —

The Court: You’re —

Mr. Kurtz: — talking —

The Court: — talking about the pink computer?

Mr. Kurtz: We’re talking about data that Special Agent Johnson and Officer Chappell generated when they attempted to replicate the search.  When they did — when — replicated this search, they will have generated — and in fact, we’ve got a screen shot that shows the first of the timestamps.  There are additional timestamps that are off screen.  Those additional timestamps would answer this question definitely.  And there can be no national security issue here, given we’re talking about Mr. Cooper’s computer alone and the data that was generated during their testing.

The Court: It’s the methodology that they used, I think, that falls under the security issue but —

Mr. Kurtz: But if I could ask Special Agent Johnson if he has any national security concerns related to that methodology, we might be able to determine that this one particular test is a legitimate one to be disclosed, that it will not actually disclose the missile codes.

Mr. Zellinger: Your Honor, I’m looking at the — the affidavit of the FBI agent who provided an affidavit to the Court on June 10th of 2010.  And — and that set out the FBI current policies and procedures for the viewing, extraction, and or examination of digital data, the FBI’s policies on the analysis, or — or how it was –how it was examined, numerous other documents from FBI Special Agent Johnson pertaining to his examination of the computers in this case, including but not limited to, communication logs, examiner bench notes, and all other documents completed or compiled by Special Agent Johnson beyond the report of the examination.

That’s what we’re seeking to protect here, because we don’t want, pursuant to state case law, we — the standard operating procedures of the FBI are protected throughout our nation.  And we’re not hiding behind anything.  All that information’s been given to the Defendant.  Agent Johnson’s given out more information in this case than he’s ever given out in any other case.  And as to the — specific material that the Defendant wants, he has these files.  If — if they’re exculpatory, take them to an expert and find out how they’re exculpatory.

But the fact is that these files the Defendant has in his possession.  Asking Agent Johnson on voir dire about national security just seems wildly inappropriate to me, and then he wants to know exactly how every part of every test that Agent Johnson does can affect national security and that people could be put in danger or child pornography could — could easily be deleted after this information comes out.  And we’re re-litigating this issue again.

Mr. Kurtz: Your Honor, what Mr. Zellinger is saying is — is flat out dishonest and is ascertainable by asking Special Agent Johnson if this is information that we ever got.  He’s saying we have these files; we don’t have these files.  These are not the files from Mr. Cooper’s computer.  These are files from Special Agent Johnson and Chappell’s tests.

The Court: The objection is sustained.  I’m not going to allow further questioning in this line or any in-court testing of that computer.  We need to bring in the jury.

Mr. Kurtz: Your Honor, at this time I am moving for a mistrial and asking your Honor to recuse.  I believe that your bias throughout this trial has become apparent.  I am making this motion pursuant to the Fifth and Sixth Amendments to the U.S. Constitution, the Fourteenth Amendment of the U.S. Constitution, North Carolina State Constitution, Sections 19 and 23.  I believe that your rulings have consistently been outside the bounds of prudent jurisprudence.

The Court: Your objection and motion is noted for the record.  Your motion is denied.

Mr. Kurtz: And as to this particular issue, my inability to get exculpatory information from Special Agent Johnson’s testing, I am also Constitutionalizing that objection pursuant to the Fifth and Sixth Amendments to the United States Constitution, along with the Fourteenth and Sections 19 and 23, Article One of the North Carolina State Constitution.

The Court: They are noted for the record and overruled.  If you’ll bring in the jury.

After this the direct questioning continued, but just imagine being accused of a crime that would put you in prison for the rest of your life and trusting the system because you know you are innocent.  Then sitting in court listening to this – that evidence exists to prove that you didn’t do the alleged computer search (the only evidence against you) , but the judge refuses to allow you to have that evidence and states that it’s to protect “national security”. One may wonder “well why not have the defense expert duplicate that test and present that?”  Well, he did duplicate the test but the judge refused to allow him to testify about his results because he didn’t have a “forensic” expert title. Could you have ever imagined that this type of thing would happen in this country?

One final point – the Cary police didn’t have to contract the FBI to analyze the computer.  They have internal forensic experts, they have access to SBI (state) experts or they could have hired an independent firm to analyze the computer.  But they chose the FBI and then prosecutors hid behind national security.  How can anyone possibly still believe that Brad Cooper did this Google search?  If you’re confident about your evidence, you would willingly allow the accused to scrutinize the evidence, right?  You would want the jury to see everything about it, right?  In this case they needed to hide everything.  They knew it was the only way to “win” a conviction. Sadly, it worked.

Edited to add:  I want to be certain this is clear.  After reading this article again, one may wonder why the defense didn’t hire a forensic expert to duplicate the search and then present that in court.  We know that Mr. Ward was barred from testifying about his results because of the “forensic” thing.  The defense then tried to bring in a forensic examiner to testify, but the State argued that they didn’t have enough time to prepare to question him and of course the judge went along with it. What you also need to understand is that because of the “national security” stipulation, it wouldn’t have mattered who the defense hired to duplicate the search and analyze the files, because the State FBI witnesses would continue to come back and state that the defense experts’ results are different because the FBI used different extraction tools. If asked what those tools are, the answer would be “we can’t tell you because it could jeopardize national security”.  What this means quite simply is that anytime the State wants to accuse a person of something, they can hire the FBI to do the testing and they don’t have to share their results with the accused.  They can simply say “The FBI test shows you are guilty.  Period.  Due to national security, we do not have to share our findings with you.” This prevents any possible defense to be presented against the evidence.  And there will be nothing you can do about it. Scary.

14 thoughts on “More about the cursor files, national security and the defense motion for mistrial

  1. THIS! This is so amazing, Lynne. Everyone who assumes Brad is guilty cites this google search and thinks it is “untouchable” because of how Judge Gessner and ADA Zellinger worked together to cover up any question of it’s validity. It’s unbelievable that such blatant lies could be told in court and supported by a judge! North Carolina, indeed the USA should be ASHAMED by this miscarriage of justice, hiding behind “national security” to disallow a defendant to confront the evidence against him. Boz even speaks about child porn of all the nerve.
    Reading this, I’m struck by the unwillingness of the judge to hear any of the defence issues, he seems much more bent on getting the jury back into the courtroom than considering what’s being said. Also, why was Boz so insistent that the defence had been given the files from the testing?


    • “Also, why was Boz so insistent that the defence had been given the files from the testing?”

      I know! He did this all throughout the trial. He should be disbarred for scamming the judge with this. To state that “the defendant HAS the hard drive, so therefore HAS all of the files” was an outright lie. The files in question were extracted by the FBI with their super secret tools that couldn’t be shared. It is so unbelievable what went on in that courtroom.


    • TW,
      The miscarriage of justice in this case was not only with the judge and the DA, but with the whole Cary police department. I remember reading somewhere when I was following this case that the judge, at one time was a police officer at one time. Once brothers, always brothers. What do you think? Brad’s life has been ruined by such incompetence, it is a shame!


      • Yes, TW is well aware of the role the police played in the railroading of Brad Cooper. The judge is a former cop and a former prosecutor. He should not be a judge if he’s unable to be objective.


  2. A point of clarification here. Since the prosecution insisted that the defense “had all of the files” but wouldn’t allow discovery on the methods, processes and procedures used, the defense used the files extracted by the FBI (in essence, their OWN data) as the basis for their defense.

    THAT is how certain they were that the files were tampered with. The .bmp files (they SHOULD be .cur files) are inconsistent with Google searches from before the crime occured and even up to present day.


    • Thank you. That is correct.

      I suppose I should have also mentioned the bmp extension. Readers – the evidence against Mr. Cooper, the cursor file had a bmp extension. Google map files actually have a cur extension.

      You can see the bmp extension in the photo above. This was another sign that the files were planted.


  3. Further, if it can be shown that the Last Access Time and Last Modified Time change each time the cursor is moved (and it can be), then the following must ALSO, logically, be true.

    1. Mr. Cooper zoomed to the exact location, and had the maps all (mostly) render in < 19 seconds, total. Compare the times on the cursor files, in the narrative above.

    2. The cursor didn't move at ALL after that time, even with the most miniscule of movements. Otherwise, the timestamps would be different.

    If either of these can be shown not to be true, then the theory that Brad did the search is blown apart. Consider then, how did Brad supposedly close his browser? There's basically only three ways to do this.

    – Hit Alt-F4 to close the browser.
    – Move the cursor and close it via the "X" in the top right corner.
    – Alt-Tab out of the browser window and move to another program and close the browser via another method.

    While any of these are possible, the MOST logical is that he had to have moved the cursor to either close the browser or type in a new URL. In either one of those cases, the timestamp on the openhand[1].bmp would be changed.

    It then becomes an issue for the prosecution to make the jury believe that Brad did the illogical thing to close his browser.


  4. Based on the graphic you included, the FN Info Entry Date for openhand[1].bmp, was 17:14:53.891 and for closedhand[1].bmp it was 17:15:13.601. This results in a bit less than 19 seconds. Actually, all of the timestamps are identical in all fields, but the Info Entry Date is the *real* important one.

    PLUS, this must logically presume that Mr. Cooper clicked, zoomed, and moved the map to the exact spot and kept the mouse button pushed. For if he did not, the openhand[1].bmp cursor would have updated and therefore had to have an access timestamp LATER than the closedhand.bmp[1] file.

    You could look at it thusly:

    1. If he let the mouse button go, the openhand[1].bmp would have an updated timestamp


    2. If he didn’t let the mouse button go, anytime he moved his cursor, the maps would re-draw, BUT we heard testimony that he went right to the exact spot, didn’t we?

    The prosecution cannot have it both ways, but in THIS case, they cannot have it EITHER way. It’s not logical, period.

    Sorry if this seemed a bit confusing. If further explanation is needed, please advise.


    • Thank you so much. That is helpful. You are right that it’s not logical that one would keep the mouse button pushed. There are just SO many things wrong with all of it – from the 600 + computer files being updated after police took custody of it, admin password accessed, invalid login attempts, bmp extension, invalid timestamps, identical timestamps. It is astounding that something like this could even be presented in a court room.


  5. Pingback: Forensic Protocols Weren’t Followed | Justice For Brad Cooper

Leave a comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s