  1. #16
    Join Date
    Apr 2011
    Posts
    1,234
    Originally posted by cassius:
    I don't think a jury verdict has any impact to the likelihood or unlikelihood of this case being overturned or otherwise remanded. All of the big issues in this appeal are going to be directed at JG's alleged abuse of discretion in allowing and disallowing certain items of evidence.

    My thoughts exactly - and watching the Masucci proffer, the questions, the direction, it's clear HK was generating a transcript for the Appellate Court, and not attempting to enlighten JG. In fact, JG at the times he appeared in the video seemed not to be listening at all - was preoccupied with something else during the testimony. When HK asked a procedural question JG said "fine do whatever you have to".

    I'll hold off posting more on this until I post the complete transcript here (hopefully tonight).

  2. #17
    Join Date
    Apr 2011
    Posts
    1,234
    4/28/11

    Defense offer of proof

    Defense attorneys question computer forensics expert Giovanni Masucci outside the presence of the jury for the purpose of appeal, if Brad Cooper is found guilty. Masucci has not been allowed to testify in the case.

    PART 1

    Giovanni Masucci (digital forensic examiner - 9 years experience)

    -started own digital forensics company in 2002
    -uses 50+ different digital forensics tools
    -performed over 500+ forensic examinations (machines)
    -also certified in cellphone forensics, GPS forensics, smart phones, went to Federal LE school for cyberterrorism.
    -started National Digital Forensics in 2008.
    -has been an expert for both pros, state, civil cases in NC - Superior and district court, qualified in computer forensics for each instance.
    -serves on Charlotte's secret service task force (cyber)
    -serves on various national and regional cyber forensics organizations (STCIA, Infoguard, Digital Forensics Association).
    -Tendered and accepted as expert in digital forensics

    HK: Mr. Masucci, have you had the opportunity to review the data from Mr. Cooper's IBM thinkpad computer?
    GM: I have

    HK: ...and have you had an opportunity to read through the FBI's report as well as law enforcement reports detailing the means by which the evidence was collected?
    GM: yes

    HK: do you have...in doing so have you formed any opinions in respect to the protocols that were or were not followed during the collection of that evidence?
    GM: I do, and that's one of the reasons why I am here as a computer forensic examiner, and one of my big things is when I do teaching - train law enforcement and government agencies, and corporate personnel, attorneys and judges and so on...is protocol. It's very important that you're dotting your i's and crossing your t's, starting with chain of custody, and that you follow it so you don't have any issues of spoliation - or anything that can come back, but you need to address it. I did see some issues early on.

    HK: When you say 'spoliation' what exactly do you mean in computers?
    GM: If I'm involved in an examination - or any digital forensics or computer forensics exam which is one and the same...if we notice after the fact that it was taken into custody, that if files are altered - to us that's suspicion of spoliation. Anything that you work on, you should have a write-protect. Now there are instances, if when we are doing a server, because that is volatile data - we can't shut down a company, we can go in and document what we're doing...as long as we have documentation, it's acceptable that we will be accessing a live server.

    HK: in this particular case, how was the IBM collected, and how should it have been collected?
    GM: It is my understanding that the computer was left on. I kind of cringed when I heard that, because typically if there's RAM data on there, because a computer is left running, before they collect that they should use a forensic tool to collect RAM data and then shut the computer down, but there's a full process before we even get to that point: documenting exactly and taking digital photographs of the scene, taking digital photographs of the computer itself, logging and documenting serial number, model number, the type of computer it is. You are not going to get access to that hard drive right there and then. You take it back to the lab and do the same thing, follow processes: log it in, document the hard drive, take pictures of the hard drive. In our lab, part of the protocol - and pretty much standard protocol is that you have to document everything - from the time you get it, to the time you log it in and secure it. This computer, the IBM Thinkpad of BC was left on. That's an issue, because my understanding was that it was still connected to a VPN, it was connected to a wireless network as well, so anyone can gain access to that computer. Now you will have things that can be changing, files that will change, there could be updates - I know BC was connected to the Cisco network. There could be updates through the Cisco network. I saw file changes, I mean I saw numerous file changes, just based on the reports I read there were several hundred files that were changed. To me, again that's spoliation to a forensic examiner.

    HK: Now when you talk about the reports that you read, are you in part referring to the FBI's own databases of files that included timestamps?
    GM: Yes

    HK: Do you recall how many files the FBI's own access database reflects as having been changed after it was out of BC custody?
    GM: I don't have that in front of me but I believe it was 674 or 694. Somewhere around there.

    HK: 692 ring a bell?
    GM: that could be it.

    HK: Why is it that file changes like that are problematic with computers?
    GM: Things will be altered. Once its in custody - say I'm getting a computer in, and I'm doing a forensic examination on it, I have to make sure nothing is disturbed on it - so I'm going to take a forensic image of that internal hard drive. From there, I'm going to make two copies. One's going to go in our vault for safekeeping, in case something happens to that first copy we made. The original is going to be stored, unless we need to utilize that, but typically we don't, only in rare circumstances. We work off the forensic image to do the analysis, and we take hashes off both of those images.

    HK: Can you briefly explain what that means: "taking hashes"?
    GM: A hash validates that when I first do a forensic image, and I've used EnCase to get the first hash as when I first received the data to look at to know what I would be talking about, we'll take an initial hash saying okay this is the image, and when we go about acquiring the image we'll take another hash. Those two better match. If they don't - that means I did something wrong, and I've altered some data. If you alter data, you created spoliation. Then we'll take another hash at the end, and we'll correlate that to make sure all the hashes match. Typically we do an MD5, and then we do a SHA.

    HK: And those are just two different types of hash techniques?
    GM: Yes, the MD5 is a typical one, the second one is a 256 bit hash.

    HK: Now I believe the prosecution and the FBI have asserted that many of the files that were altered after Mr. Cooper had left the house were related to a Microsoft update. Were you able to determine if there was any update?
    GM: I saw access through the VPN where Cisco was communicating with that laptop. That in and of itself is an issue, because files were getting changed when they shouldn't have - that laptop should have been off. I did not see an actual update as far as Microsoft to the operating system.

    HK: The files that did download that said update, were they actually appropriate for that system? or were they mismatched?
    GM: It was more like...when you have a VPN tunnel, and files can get updated - updating the system of the VPN network itself. If there were any updates to the program of the VPN tunnel, that was getting updated. That was just part of it, but then there were other files that were accessed and deleted...which was alarming to me. When I see deleted files after the fact - that's another problem.

    HK: You've taken a look at the FTK - or parts of the FTK report that you were provided that originated with the FBI?
    GM: yes

    HK: and in that FTK report did it say how many files were actually on the computer when it was imaged?
    GM: the FBI report had over 800,000 files listed on the FTK report

    HK: now they also provided an access database that had a number of files in it, how many files were in the access database?
    GM: I believe it was under 200,000...which didn't make sense to me.

    HK: Why doesn't that make sense to you?
    GM: Well, if the access database was supposed to do the file listing like you can do with FTK, they should have listed all the files in there.

    HK: you would have expected-
    GM: I would have expected to see the files database showing all the files, or at least an HTML that you can click on to make an HTML listing of every file that's on that computer.

    HK: And how many files were in the Master File Table?
    GM: On the...I don't have that, couldn't tell you right off hand...

    HK: Was it 800,000?
    GM: It would be exactly what was on the computer according to the FBI report.

    HK: When those numbers don't add up, what is your thought process at that point as to what the potential causes are?
    GM: It leads me to a little bit of suspicion. What happens is that anytime we see any kind of deviation or any kind of issue with a computer - we're going to look further and investigate what may have caused that. We're going to look at the whole parameters of what the case is, what we're looking at if there was chain of custody involved, if anything was touched...and we already knew when I looked at it that things were touched, even as I read and was able to do an FTK indexing and do an EnCase image I can now actually see things that were touched.

    HK: And when you say "touched" are you talking about things that had been changed because of an automated process, or things that had been done by somebody actually at a keyboard or somehow accessing the computer?
    GM: Both. It led me to believe that at some point a write-block was not utilized.

    HK: And what do you mean by that?
    GM: A write-block puts the computer you are going to analyze or the image you are going to analyze in a read-only format. If that is not connected correctly, if there is something wrong with that write-block, or if one isn't used: the files will change. The last access...or if a file was created and never touched again, the metadata behind there: created, modified, last accessed will all show the same. Now I saw that where there were deleted files where the metadata: created, modified, last accessed, were all the same but they were deleted at the time they were created - which didn't make any sense to me.

    HK: files are deleted at the same moment they are created?
    GM: as soon as they were created they were deleted.

    HK: how can that happen?
    GM: Somebody - I don't know who did it, or what had happened...all I can tell you is that I went through the file extension, the file date and at the time the law enforcement had it in custody, and all these files came up as showing 'deleted'. I did a data carve, like the FBI did a data carve, I did a data carve...my files show less than what they had on their report, as far as their total files that they data carved...and show that all these different files were deleted. It just doesn't make sense, it doesn't add up right because if somebody deleted something all of the metadata's there and it should have had a creation date a little bit different, but it was all done at the same time it would lead me to believe.

    HK: were you able to determine exactly what those files were?
    GM: Some of them. Again, I haven't really had enough time to dig into it, but some of those files were accessed through the Cisco VPN network, some of them were documents, temporary folders, temporary files, temporary internet files that were accessed...BC's email, archived email, history, PST, .pst files which is your mailbox, and there were some deleted hidden files that were deleted during that time...and archived.

    HK: Now in addition to the files that you can see being changed or deleted after BC was out of the house, did you also notice anomalies with other files on the computer?
    GM: I did

    HK: And were those essentially timestamp anomalies?
    GM: I did, numerous

    HK: Where...in what type of timestamp were the anomalies?
    GM: they were in the Google searches, there were timestamps that were anomalies.

    HK: And when you say they were in the Google searches, the entire map search were there any...am I correct that there were 507 files that were associated with that search?
    GM: I believe so, I don't have the exact figure in front of me.

    HK: Was there a single one of those files that did not show an invalid timestamp?
    GM: I believe no, there wasn't any...based on the Google only.

    HK (to judge): your Honor, I have previously admitted for appellate purposes exhibit 154 which is Mr. Masucci's report. That report actually includes a number of visuals and I would just wish to be able to publish them electronically without numbering them individually since they are all in the report.
    Judge: that's fine, whatever you need to do um, that's fine.

    HK: Mr. Masucci would it help to look at the graphic images to chart out the timeframe of timestamp anomalies?
    GM: please

    HK: (okay, if we can show the overall...? slide up)

  3. #18
    Join Date
    Apr 2011
    Posts
    1,234
    PART 2

    HK: Now taking a look at this particular chart, can you explain what it is that is actually showing?
    GM: We're looking at what I believe is the last accessed times, last modified - the times that the files were last modified.

    HK: and essentially - well, is it somewhat self-explanatory?
    GM: Well, you have actual files, we inspected all the files that were on the machine from June to July 16th, and we looked at which ones were good timestamps and which ones were not good timestamps. And again, suspicion arose when I found multiple - I looked at the two reports, the one by the FBI and the one by the other expert J Ward - I found an additional several hundred files that were unaccounted for, that had invalid timestamps. There was more than what was reported by both witnesses.

    HK: Now were there any differences between Mr. Ward's version of the Master File Table and the FBI's version of the Master File Table with the exception of microseconds being added on?
    GM: no

    HK: now, between July 10th and July 12th, there seems to be some multiple of invalid timestamps compared to files with valid timestamps. Is that something you've encountered before? have you seen that kind of situation where you end up with more invalid than valid?
    GM: That's more indicative of when a file can be dumped on a system. I found some malware. That led me to believe - and some of those malware have backdoors, as I state in my report...when a computer does not understand a file, let's say if a file was dropped on a system - and I'm using that term more in a layman's than a technical aspect, when a file may have been placed on a system the computer operating system says "well I don't recognize these files" because the metadata has been stripped out. We see this in cases where hackers have hacked in, when there's been intrusions, and they go in and they strip the metadata on the files and they go and place the data on the drive in the operating system, and the operating system says "wait I don't recognize them, I can't give you a valid timestamp", so they get an invalid timestamp, and that's what's set in the Master File Table.

    HK: How is it that those files that show an invalid timestamp in the one entry modified category, might have perfectly valid timestamps in created/last accessed and modified?
    GM: first of all...by reviewing this, I had suspicion of something wasn't right, something was tampered. Doing enough cases, similar, not homicide cases but other types of cases where there's been intrusions and so on and we're looking at everything, to me - there are so many programs like metasploit, timestomp - there are so many that can change data to make it look like one thing and not look like another thing. There's too many programs out there that hackers can use to change things.

    HK: Now the fact that there are so many invalid timestamps in the 10th through the 12th period, does that mean that that's the time that something occurred to the machine?
    GM: not necessarily, because I can alter the data. I can alter the data in the registry, I can alter the data in the Master File Table - if I have the right tools I can do that. To me it means that something suspicious happened - first look at that: there's an issue.

    HK: and is there any limitation as to what time it could have actually occurred, given the way computers work?
    GM: It could happen at an earlier time, things change I can use a program to make it say whatever I want it to say...especially with Vista, Vista - when it came out, I still have my old Vista machine from 08, I purchased mine in April as well and numerous problems.

    HK: can it also happen at a later time?
    GM: it could.

    HK: And the machine was powered off, I guess on July 16th at approximately 8:30 PM. Now, after that point, but before the machine is hashed some six weeks later, is it still vulnerable in some way?
    GM: Absolutely.

    HK: How?
    GM: Protocol. Typically protocol is when you put a computer or device in custody it is logged in, it is secured, no one has access to it. Typically with law enforcement, they usually have an evidence room, and usually there is somebody in charge of the evidence room - they sign it in and they sign it out, it's secure so that nobody has access to it. I have not seen any logs from the FBI or from law enforcement err from Cary PD showing the process and the chain of custody and who had access to what, with that computer. I would still like to see that so I can validate it.

    HK: next if I can show you the graph of the files modified over the lifetime, is this consistent with what you found over the lifetime of the machine in terms of files that bear invalid timestamps in the standard information attribute of the entry modified category?
    GM: yes

    HK: Would you even expect something as little as two percent for something like that?
    GM: yes

  4. #19
    Join Date
    Apr 2011
    Posts
    1,234
    PART 3

    HK: (next slide) now prior to June 23rd had you isolated even a single timestamp that was invalid?
    GM: initially when I did this I did not see

    HK: And when you limited it to, I believe it's the 10th through the 12th? (next slide)
    GM: that was again astronomical in my opinion, because that shouldn't happen, unless something happened to those files, the file was manipulated - something, again it led to suspicion - "why did that occur?"

  5. #20
    Join Date
    Apr 2011
    Posts
    1,234
    PART 4

    HK: And again, does that mean that those files were genuinely created on the 10th through the 12th and something bad happened to them or could it have happened at any time?
    GM: If there is an anomaly in the system you are going to get some files that have an invalid timestamp. It happens, even with updates. But to have that degree? leads me to believe the otherwise something or somebody altered those files or potentially altered those files.

    HK: and during the time of July 11th, during the time of the Google map search (new slide), at that point is that what you encountered?
    GM: yes. Again it was brought to my attention that that was suspicious. That shouldn't have happened...why? I tried to look at...there was no metadata, there was just no metadata with those. I did not find - and I do want to state, I did not find any wiping software on that laptop. Wiping software is what we call anti-forensics software. One of the first things that I look at when I get involved with a case, I have to put myself inside that person so to speak. If it's a certain case I know there are certain places I'm going to look. And the first place I'm going to look is for some kind of program we call wiping software, or malware, or anti-forensics, that prevents me from finding the data.

  6. #21
    Join Date
    Apr 2011
    Posts
    1,234
    PART 5

    HK: Now there was a...in addition to the Master File Table you were provided by the FBI, did they also include their own Vista "fresh install" test in there?
    GM: yes

    HK: If we can move on to that (new slide) with respect to valid vs invalid standard information entry modified timestamps, there has been testimony...the FBI said "well its the same as what it was on the IBM" Is that what you found?
    GM: No. There was a higher percentage on the IBM laptop.

    HK: and on the FBI's version of the Vista install do you recall how many files total there actually were?
    GM: I can't recall right offhand, I apologize.

  7. #22
    Join Date
    Apr 2011
    Posts
    1,234
    PART 6

    HK: That's okay...with respect to the time of the google map search, did you take the time to evaluate the cursor files?
    GM: I did.

    HK: And in evaluating the cursor files did you note the times at which the cursor files were created, accessed, modified for each one of those files?
    GM: Yes. Everything was the same.

    HK: Now, can you explain how it is the cursor file really works? and what you would expect to see with those times?
    GM: Typically when you run the cursor, and even if you are going to different levels, it will register in the computer. It will register, showing that you are going to another level, and another level, and another level...or if you're moving the file around everything gets registered. So when you're clicking down it becomes what's a closed hand, when you're scrolling you still have an open hand. Now in the files here for instance, registered as a bitmap and that's again not uncommon, because it does happen, typically a cursor file is a dot cur.

    HK: If you were to take a pointer, take that open hand or closed hand and actually use it on the map to move from one place to another, would you ever expect to see the same time listed for the last time it was accessed and the time it was created?
    GM: when you first create that file, like as you see up there that's the file that's been created and hasn't gone back to. If you change that file it will show a change on that file. I didn't see any changes. Everything was exactly the same. If I'm moving to the next level, if I want to zoom in, and I'm using the cursor, it should show another timestamp showing another creation date, but everything was the same on all the cursors. It didn't make much sense to me.

    HK: when trying to corroborate what happens over the internet, what someone's doing on the internet, is there a value in looking towards cookies?
    GM: Absolutely.

    HK: can you explain what that is and why that is?
    GM: cookies are like a tracking device. Anytime you're on the internet, a cookie will attach to your browser. That's how - we love that as a forensic examiner because we can go in and see where you've been. If there's no cookies, I can't technically see what time you were there...I may find a trace that you have been to a website, but if there's no cookies, I can't validate that. But the cookie is extremely important.

    HK: Was there any cookie present at all that corresponded to the search on July 11th in Google maps?
    GM: I did not see that

    HK: Did you see a deleted version of a cookie from-
    GM: I did. Here's - as I recall there was also a deleted watermark stamp on a google search, google map.

    HK: And what do deleted watermark stamps mean?
    GM: Okay, that told me that - in fact I think it even had a deleted invalid timestamp associated with it I believe - that means that file isn't a good file. Based on other cases I did with timestamps and watermarks which are proprietary information like Google's information is proprietary - we see an altered watermark that means that file has been tampered with.

    HK: inside the cookie itself, what kind of information is contained in there?
    GM: Where the person has been, metadata, there's metadata in there.

    HK: And there's no real way to forge a cookie, to put it on someone's computer is there?
    GM: I could drop a cookie on someone's computer if I wanted to using the right forensics or quote unquote hacker tool.

    HK: But if somebody were to subpoena the records from Google to ask who did this search and when was it done, would the information they got back trace to the person's machine you put it on? or would it trace back to you?
    GM: It would give you the information on that cookie for that user.

    HK: and when you say for that user, are you saying the person-
    GM: the browser that's identifiable with that laptop

    HK: The person who actually did the search, not the person whose machine it gets put on?
    GM: Absolutely, yes from the someone who did the search.

    HK: of the deleted cookies that you found, there were none from July 11th is that correct?
    GM: correct, which again led to suspicion.

    HK: In your experience, does law enforcement rely upon cookies to seek out more information from internet providers?
    GM: Yes, they - what happens is that, because we write search warrants for law enforcement, and we put everything and anything that's applicable to that user account, we want all the information, and we try not to leave anything out. You want to get the Google cookie because that gives us browser information, so everything's there. I did look and I didn't see anything by law enforcement that was written in the search warrant, there was no mention of "cookie". It is my experience that Google will only give you what you ask for and that's it...same thing with Yahoo and some of the other providers.

    HK: did you look at the single sheet of data from the FBI's test search where they attempted to replicate the Google maps search?
    GM: yes.

    HK: And in their test search, did they actually show a cookie had been downloaded onto their system?
    GM: It was an...I can't recall I might be getting confused there was a bitmap, do you have a - do you mind if I refer to my notes?

    HK: go right ahead although I should be able to-
    GM: do you have it on the-
    HK: yeah (new slide)

  8. #23
    Join Date
    Apr 2011
    Posts
    1,234
    PART 7

    HK: now the second line down from the bottom?
    GM: yes
    HK: Is that essentially what we're talking about when we're talking about cookies?
    GM: yes, I did review one of the reports with the net analysis utilized you can bring up the cookies.

    HK: and several lines above that is there a cursor file?
    GM: yes

    HK: and what's the extension that exists for that particular cursor file?
    GM: dot cur

    HK: did you read the report on tampering, or the rebuttal report on tampering that was initially anonymous, that was written by officer Chappell?
    GM: I did but I can't recall everything on it

    HK: do you recall whether or not he had said he ever found a cookie on the system?
    GM: I believe he did say there was a cookie, but I think I heard he said it was redacted(?) I haven't seen any evidence of a cookie, nothing has been shown to me - let's put it that way.

    HK: were there other issues that you found with the IBM thinkpad that concerned you in terms of how it had been handled by law enforcement subsequent to collection?
    GM: yes, first of all again - the computer was left on, which again is not typical forensic protocol. The RAM should have been extracted using a forensic tool, and the computer should have been powered down. It's my understanding it was left on for 27 hours in which I can see evidence of files being changed, deleted - deleted was very surprising to see that files were deleted on there, don't understand why the files would be deleted when there should have been no access to that computer. I did find evidence of malware, and as I stated in my report those malware are command and control and though they are low threat, they still have the potential of having backdoors.

    HK: and when you say backdoor, what are you referring to?
    GM: What happens is that when a hacker hacks in and puts a trojan on a computer, they leave an opening. It's kind of like leaving the backdoor open on your house, or making a duplicate key, so you could have your door locked, but they can still have access through that backdoor - or front door is locked, but backdoor is open...they leave an opening, a crack.

    HK: And are you aware of how the computer was stored at the Cary police department after it was collected?
    GM: I know part of it, the part that I understand is that the computer was locked in a room. I do not know if there was security all I know is that 3 officers had keys, and it was left on a desk.

    HK: was that room an evidence room?
    GM: to my knowledge it wasn't..which again I was very surprised.

    HK: Having looked through the data on the machine, do you have an opinion satisfactory to yourself as a computer forensics expert as to whether or not that machine was tampered with?
    GM: It is my opinion that with all the suspicious activity I found on it, the files that were altered, that there's definite spoliation on that computer - which would lead me to believe it was tampered with. I can't tell you who exactly did it, but I can tell you it's been tampered.

    HK: And when you say you can't really tell who did it is that because of the wireless network?
    GM: well you can see that - true, I don't know who's on the other end...I know for a fact the Cisco net was on - the VPN, so the computer was being accessed by the VPN tunnel; the program that was there.

    HK: And once in this condition, is there any way to verify that the data is accurate - or remove this taint?
    GM: I've worked all sorts of cases, I do a lot of work with law enforcement and government agencies besides corporations and one of the first things I do is ask "who touched it?" who touched the computer, I need to know because I'm going to see that there was access, and I see those things, and I tell them: you need to document everything you do. Because you can look in the registry and you can find that things have been altered, because it's going to show up in the registry as well. Whether somebody used a USB device or not, or whether someone didn't use a write-protect - files were altered. I get those cases, and more often than not. I'm sorry I lost my train of thought - I apologize.

    HK: that's okay, are you familiar with the title "Network Security Expert"? are you familiar with people who perform that function?
    GM: Yes.

    HK: And is a Network Security Expert capable of - well...are they capable of extracting information from workstations in an effective and competent manner?
    GM: Yes, that's part of their job. I've got colleagues in the industry and I deal with these corporate folks.

    HK: And, are they capable of evaluating Master File Tables?
    GM: Yes.

    HK: Are they capable of evaluating login trees?
    GM: Yes, they have to. When there's an intrusion on the network, or if somebody came in through the network, and it affects other computers on the sys- on the network, they have to look at those logs. A lot of times we're relying on those IT security folks or network Administrators because they know their system better than we do and...we rely on them, we get called in we're looking at those logs, we have them preserve those logs. Any data that's accessible whether it's event logs on the computer, whether it's on the router, whether it's on the network server, we need those...so we can evaluate them and analyze them.

    HK: Having reviewed Mr. Ward's report, do you agree with the conclusions that he drew?
    GM: Mr. Ward is a - I know he was deemed as an expert in network IT security, that's all he's done, I mean that's his job. I'm not a network IT security person. That is not who I am, I am a digital forensic examiner. I examine data that is given to me from those folks. So, I would conclude what he had said, as far as I looked over his data, and I believe it to be true.

    HK: A better way to put it - excluding those things in Mr. Ward's report that he understands as a Network Security Expert...excluding the things that are just network security related-
    GM: strictly, I know he's not a computer forensics examiner
    HK: those things he opined upon that do fall within your expertise, do you believe he was competent to form those opinions?
    GM: Yes, on the network stuff - yes.

    HK: And do you believe his conclusions on those things were accurate?
    GM: I believe so.

    HK: Is it required to be certified in EnCase or FTK to actually competently use those tools?
    GM: Not necessarily, I've been using EnCase since I started in FTK I go for training every year. I've even signed up for the exams, I haven't actually had time to sit down and take the exams. Just with the caseloads I haven't had time to go and get those certifications. It's half dozen of one and one half dozen the other.

    HK: That's all I have, thank you.

    ----------------------END OF DIRECT--------------------------------------

  9. #24
    Join Date
    Aug 2003
    Location
    San Diego
    Posts
    32,579
    Thank you for your hard work.

    IMHO, I don't see anything appealable there.

    We'll see.

    fran

  10. #25
    Madeleine74
    Of course it's my opinion; who else's would it be?
    Join Date
    Apr 2011
    Location
    USA
    Posts
    10,232
    Wow, jbr, you spent a lot of time on that. You may have a future in court reporting!

    The issue, as I see it, is not the content of what G.M. spoke about, but the disqualification of J.W. as a forensic expert. JW himself posted on this board that he agreed with the judge's decision to not classify him as an expert. Further, he said he told the defense that from the beginning. This does not bode well for the defense.

    Instead of finding a qualified and recognized forensic expert in plenty of time for trial (and it sounds like there were some months to do this), the defense put JW on the stand anyway, and tried to get him qualified by the judge as an expert (forensic/network, the whole shebang). The defense lost that gamble, and it was their gamble. You can't blame the judge for a ruling that even JW himself agrees with!

    So now the defense rushes out to find another expert at the last minute, yelling how unfair this all is, when it was they who knew ahead of time that this very thing could occur. They march into court with their new expert and try to get the judge to accept this new expert witness.

    < buzzer >

    The only way to accept this guy is to stop the trial for a long enough period of time so the state has enough time to prepare. But there's a jury waiting, you can't just stop the trial, there are rules to how this all proceeds. This witness cannot testify. Seems unfair, yes. But is it legally wrong?

    That's the real question. Not the MFT, not the .cur versus .bmp, not the files on the computer. No, at the appellate level it's did the judge make a proper legal ruling to exclude this new witness?

    I believe the appellate judges will find the judge's ruling to be valid.


  11. #26
    Join Date
    Apr 2011
    Posts
    1,234
    PART 8

    (begin cross)

    BZ: I just have a couple of questions for you this won't take long, in formulating your - your opinion is this computer was tampered with? is that correct?
    GM: Yes, there was spoliation.

    BZ: Spoliation...so is there a difference between tampered with and spoliation?
    GM: Anytime I deem a computer's been touched - tactically it's the same thing.

    BZ: So if there's...there's a computer and it's not received properly or not acquired properly - like if you don't do the thing to take the RAM out and...and then you go back and look at it and there's evidence that seems suspicious to you is that spoliation? is that a fair way to characterize it?
    GM: No, I understand what you're trying to say...if the RAM - and there are times when you can't get the RAM, and you do the best that you can, you lose that live volatile data - you document it. If, once it's in our custody, if anything has happened to that computer, whether the drive crashed, whether it's the write-block is off and now we have file changes - I have to document that.

    BZ: I think you moved away from the microphone a bit (GM adjusts position)...with a spoliation or tampering, that conclusion, what did you rely on - I think you said the fact that it was left on factored in there?
    GM: Yes, I looked at the FBI report, I kind of looked at what's..I mean I work with the FBI, they do a phenomenal job, and I relied on their report, and then looked at how many files were altered...how many files were deleted. When I looked at the computer and did the imaging and so on - I could see that after the time it was in custody things were changed. That's an issue when you're doing forensics. Was it notated? I haven't seen any documentation - to me that's spoliation, and it's a problem-

    BZ: And then, so you have that evidence...what else helps you form that conclusion? I guess-
    GM: Protocol, if there's no protocol in place - there should be policies and guidelines on how you do a forensic examination. There's standards out there - there's NIST, there's USDoJ...there's all the different associations out there that have standards: ethics, integrity, making sure at any given time that you're documenting everything you do - there's forms (looks over at defense) I don't know if you have any of those forms with you? if you - I brought a couple

    BZ: Okay, okay...so to form this conclusion you looked at the altered and deleted stuff, the fact that you haven't seen any protocols...what else leads you to that conclusion? I just wanna - I just
    GM: okay, I can run you through. What happens is that - let's say I'm going onsite to grab, let's say in this instance I'm working with Law Enforcement, one of the first things I'm going to do is take digital photographs of the scene-

    BZ: And I don't need a list of protocols and how you think are appropriately done
    GM: okay based on what I saw-
    BZ: Yah what did you see?
    GM: and based on what I heard, and what I saw: the files were altered. There was access to that computer after it was supposedly - should have been, shut down...that didn't happen.

    BZ: okay
    GM: That was the biggest reason that I saw why files were altered. When we have metadata that's altered after the fact that's spoliation, and it can be considered tampering.

    BZ: So is the altered data plus the lack of protocol and some of these facts that you heard around the case that equals tampering? or spoliation?
    GM: spoliation-
    BZ: spoliation is the word you want to use-
    GM: yes
    BZ: correct?
    GM: (nods affirmative)

    BZ: And when did you first get involved in this case?
    GM: Thursday. I believe it was Thursday.
    BZ: Welcome (laughing)
    GM: pardon?
    BZ: welcome
    GM: Yah well I was sitting on the sidelines and every once in a while kind of looking at it, when I heard Jay testify and I was - you know, anyways - when I saw the data wasn't being done right and things weren't being handled right, as a forensic examiner...and I teach both law enforcement and non-law enforcement on following protocol - it bothered me.
    BZ: okay
    GM: and I felt like I needed to get involved.
    BZ: okay

    BZ: And um, Thursday - or whenever you got involved in this case, what ... did you look at an image copy of the defendant's hard drive from that laptop?
    GM: not on Thursday

    BZ: have you ever?
    GM: I did.

    BZ: okay and when did you do that?
    GM: first time was Saturday. I had received a copy from the defense and more recently got a copy that was actually from the FBI through another forensic examiner.

    BZ: I'm sorry...explain that?
    GM: I received one copy from defense, I believe late Friday night
    BZ: uh huh...
    GM: kind of did a little bit of a preview, but then one...think it was Tuesday, I went to another forensic examiner who was holding all the data from the FBI.
    BZ: and who is that?
    GM: RMA
    BZ: sorry, R M A?
    GM: RMA, yes - it's the name of the company

    BZ: and who is the examiner there that was-
    GM: Rusty Gilmore
    BZ: okay

    BZ: And um, did you ever have occasion - what did you look at to determine spoliation in the files and that sort of stuff, what...
    GM: I looked at last-accessed
    BZ: okay and
    GM: and the dates
    BZ: okay but more generally at that image hard drive
    GM: yes, I did

    BZ: did you ever look at any routers?
    GM: I don't have access to any routers

    BZ: did you ever look at any router logs?
    GM: in the past? yes
    BZ: for this case - sorry about
    GM: oh - yes, briefly
    BZ: you looked at router logs from this case?
    GM: yes, briefly, recently
    BZ: okay, and when did that happen?
    GM: I believe...late Tuesday night? I believe it was Tuesday...there was a lot of data there.
    BZ: okay

    BZ: and nothing about that helped you form your conclusion of spoliation or tampering correct?
    GM: I didn't have time to analyze that - I have other cases going on at the same time.

    BZ: so your conclusion about tampering or spoliation is independent of those because you didn't have time to-
    GM: correct, it's all based on that Thinkpad and what I've seen.

    BZ: And that defendant's exhibit 80...your honor could I approach?
    JG: you may
    BZ: (approaches witness and hands document) did you ever look at this?
    GM: I believe no (reading)...no I looked at something different
    BZ: and do you have some notes up there? I -
    GM: (hands his report to BZ) oh, here

    BZ: And going to your report, your report's-
    GM: It's not even all there I believe
    BZ: okay, the part of the report you wrote is 3 pages? is that correct?
    GM: No there's a total of maybe 16 pages or more...I can't remember, I had 48 hours to write this report, and ah...it was intense.
    BZ: (with defense report open) so you're saying that this doesn't include your entire report.
    GM: This right here (indicates what BZ is holding open) I don't think it's an exact copy it's just bits and pieces - I grabbed it off my desk...the report's actually 33 pages, but I just grabbed this one, may not be an exact copy - sure looks to be, it is.
    BZ: okay the first 3 pages are something you wrote
    GM: yes,
    BZ: the next pages are Jay Ward's report and you put things in the margins?
    GM: yeah
    BZ: and that comprises everything that you've done in this case?
    GM: no, I'm still working on the hard drive, reviewing it.

    BZ: okay, with those items written in the margin did you write all of those? or did Mr. Kurtz write some of those?
    GM: which? the boxes? myself
    BZ: the boxes are all yours?
    GM: that's my - that's all mine

    BZ: and when you first received these hard drives, what were you told?
    GM: That I need to pay particular attention to the IBM thinkpad, and they gave me the times to look at, dates, kind of an overview of the case...there was just a LOT of data. In the amount of time I had originally when I wrote this, I had very limited because they needed to get a report to you.

    BZ: Yes sir, and when you looked at that image copy of the hard drive - that Saturday I guess which was 5 days ago, did you um - in terms of dates and times what dates and times were you told to look at?
    GM: The um I believe the - July 11th-
    BZ: okay, okay and were you told something like "we see some evidence of tampering can you confirm or deny that?"
    GM: yes, I believe so
    BZ: okay
    GM: they wanted me to give my opinion on what I saw.
    BZ: and you were pointed to the specific times?
    GM: pardon?
    BZ: I mean you were pointed to the specific times they didn't
    GM: yes I was pointed to the specific time, I need to know the parameters of my searches - what am I looking at,
    BZ: sure because you're not going to look at
    GM: I'm not going to look at-
    BZ: like stuff from 2007-
    GM: April I mean...
    BZ: okay
    GM: there's data on there from long ago

    BZ: you talked a little bit about malware, um that doesn't appear anywhere in your report does it?
    GM: I think I mentioned, um, where ... (skimming through report) I did mention a finding ... 3 files - actually there were 4 files. On a forensic workstation we have Symantec one point and I have a business license for those and so many licenses, and we have them at our workstations because, in the past you know, it seems like a good majority of hard drives we get on cases have malware. They're infected with viruses and so on. So we have that on there so we can detect it and document it, and in this case there was actually 4 that popped up.

    BZ: okay, and do you recall what those were?
    GM: the one was...let me see (reading) I apologize - beagle? I think a beagle dot 32, which is a trojan - there is an email trojan on there as well, I'd have to look at the ah - let me see here if I can find it...I think when I wrote that (to defense) when did I send that in there? I apologize - I put that in one of my reports...(flipping pages) don't see it in this report...I told the defense-
    BZ: okay, are there any other documents that you've made in this case?
    GM: I've made an EnCase eo1 file image, and indexed the hard drive and FTK. And I can tell you actually what versions I used.
    BZ: okay, I guess have you made other reports I mean
    GM: not yet, I'm documenting what I'm doing.
    BZ: okay, but you haven't completed it yet
    GM: No, I haven't, there's just so much data to go through and I like to make sure I'm researching everything I'm doing - so this way I can testify to the truthfulness of what I'm finding.

    BZ: and um, I think you said "we" a couple times...
    GM: it's a habit, because I'm a company - I apologize to that, I know I put that in my notes, and it's just a habit...
    BZ: it wasn't - was somebody else helping you with the analysis?
    GM: no, nobody else was helping me on the analysis just myself - believe me...
    BZ: you mentioned Rusty Gilmore earlier, was he doing anything for your-
    GM: not for me, I don't know what he did exactly previous to me

    GM: I've been pretty much consumed by this case...
    (long pause)
    BZ: I apologize...Mr. Masucci, and just to be clear, on the - you haven't had a chance to go through those routers correct?
    GM: I don't have any actual routers- I wish I did.
    BZ: okay
    GM: and that was one of my other questions..I don't have...I would love to see the router logs because the only logs I am seeing are the event logs that are from the IBM Thinkpad, I can't validate or verify anything if I don't have those logs. That event log can say anything it wants, but if I can't validate it against a router - I'm not doing my job.

    BZ: well, then, so you've had a chance to look at those event logs.
    GM: just briefly...
    BZ: just briefly?
    GM: I mean there's a lot of data there to sift through, it would take me at least a week to do that and correlate that to see if I can find any correlation.

    BZ: but you have the, I guess my question is with those logs they're all contained on that image hard drive correct?
    GM: they should be on there, um - they pulled them out, I haven't looked at those I've got-

    HK: Objection your honor - I'd just like some clarification here since Mr. Masucci doesn't even know about the newest provided logs that I -
    BZ: I didn't object during his voir dire
    HK: I'm saying there's a disk we just got that Mr. Masucci doesn't even know about yet, that contains event logs

    BZ: (to GM) regardless of whether there's any disk floating out there, event logs exist on these image hard drives, correct?
    GM: I haven't looked for them yet, potentially yes
    BZ: but, I mean...
    GM: potentially, yes - I mean they could be gone
    BZ: okay
    GM: I actually have to see and validate that

    BZ: And this is all part of an investigation you're doing that started last Thursday correct?
    GM: I hate the term investigation because the ah, certain department of justice and the state doesn't like us to term it as an investigation unless you're a private investigator.
    BZ: okay
    GM: so it's part of the "forensic exam". Depending on what is the perimeters of the search, what I'm asked to do - that's what I'll do. I will not go outside the perimeters of the search unless I'm told to.

    BZ: And you said "what they provided" right before Mr. Kurtz objected who is "they" that you're referr-
    GM: the defense.
    BZ: do you know where "they" got those logs from?
    GM: I believe the FBI? I can't recall exactly.
    BZ: okay
    GM: actually the prosecution - it would be you I believe?
    BZ: okay - thank you sir I don't have anything else.

    -----------------------------------------------------END CROSS-----------------------------------------------------

  12. #27
    Join Date
    Apr 2011
    Posts
    1,234
    PART 9

    HK: excuse me, one more clarification, Mr. Masucci you mention router logs at one point, and you mention it a second time and to be clear: you've not looked at any router logs in this case
    GM: correct, there were event logs off of the IBM Thinkpad - that's all I've seen
    HK: okay...
    GM: and barely...
    HK: Thank you.

    JG: anything else from the State?

    BZ: can I have one moment?....no your honor, thank you.

    (witness excused)

    JG: any other matters that we need to resolve outside the presence of the jury?
    HK: your honor at this time I would move the court to reconsider Mr. Masucci as an expert witness in our case in chief, um at this point I think it's clear that the State is going to be introducing additional technical information. I believe Mr. Masucci was candid, he was quite direct responding to any concerns or questions, I think that the data set that he has operated from is one that essentially originates with the FBI, and as such is inherently reliable for these purposes - the FBI has provided - and it clearly cuts to the heart of this particular case in that the inculpatory material that exists, exists exclusively in digital form. If there is - I am aware of other case law, and I think Mr. Zellinger cited some, where the defense had clearly, intentionally: withheld expert information, kept experts off their witness list, not turned over reports, and under those circumstances - the court sanctioned the defense, and kept the expert from testifying. And in that situation it was certainly upheld and it was noted that given the extent of the defense's complicity - to the deception in such a dramatic, drastic sanction was really appropriate. In this case...we're in our ninth week, we have done everything within our power to provide the information that we've received, as soon as we have received it. We've done - frankly the only reason we were able to get Mr. Masucci is that he immediately contacted us and said this is ah - this is a case that deals with digital forensics, and it's going to set important precedent...I don't want to see it happen without an even playing field. And judge, I'm asking the court to please reconsider its ruling on this particular matter. I think that without the ability to effectively address digital forensics evidence that has been presented against Mr. Cooper, that he is unable to present an effective defense.

    JG (to BZ) you wanna be heard?
    BZ: I do your honor, we're in the same position except today you heard that Mr. Masucci hasn't even finished his, not an investigation - his research into this case. The State again is prejudiced and additionally I'm not in a position where I can offer...there's a time when I might have been, where I could have offered - I could have intelligently cross examined him, but at this point I have a 3 page report - and I can't cross examine him on his report because he's not even done with it yet. So there's definitely prejudice that has befallen the State. Additionally your honor the only other thing I'd point out in relitigating this issue again is that the defendant's witness list contains Mr. Gilmore's name and also contains Jim Yule's name who I believe is some sort of computer science professor at NC State: I don't know why those folks aren't being called, but the fact still remains that it's inherent upon the defense to give us notice of these experts so that - and the State, for both parties - to give notice of expert before they are called so that they have an idea of who the person is, so they have their resumes so that where they - the, the ability of them to testify to their expertise, and something meaningful so that we know what they're going to testify to - and we don't have that from Mr. Masucci in this instance and uh, to go back on the court's ruling previously would prejudice the State further because we no longer have the ability to cross examine Mr. Masucci based on the report that we haven't even received. The only other thing I point out is, um - well I'll just leave it at that - I think it's clear it's a huge prejudice that's befallen the State at this point, and without having notice which is required by these general statutes and the rules of evidence, we are prejudiced, and because the defendant failed to do that we're the one that gets the prejudice. Based on that Mr. Masucci should not be able to testify.

    HK: I would just like to add judge that the State has recently received information that they intend to introduce in their rebuttal case. It is information where we don't have a formal report yet...we're just getting dribs and drabs in as they get it, but truly just getting it in in little pieces where we'll have the exact type of prejudice that Mr. Zellinger is worried about with Mr. Masucci. And so, I think that we're on a much more level footing in this argument in that we're all going to have to adapt to new information quickly and probably we're all not going to be as artful with it as we like. But the bottom line is this investigation has been underway for over the last 2.5 years, and they are still getting information - that is not their fault...but it's something we are going to have to deal with. I don't think that prejudice that will befall us is any worse than whatever prejudice might befall them essentially having to deal with the same report they've had for some time.

    BZ: the only thing I'd say your honor is that Mr. Kurtz is asking you to speculate on what the State is going to do, and what the defendant has received is discovery from the State as we receive it pursuant to the requirements of 15A905 and the open file discovery rules. Those are totally different situations and if we get to that point we can cross that bridge but just because I've provided discovery to the defendant on things that I've received I don't think puts us in any different situation from where we were before Mr. Masucci.

    HK: We actually did get notice from the State they intended to introduce a new witness - Chris Frye as an expert witness-
    JG: He's already on the witness list

    BZ: he testified and they already had his resume, they had his resume before the trial started...additionally I'm not sure he needs to testify as an expert witness, but if I'm going to be punished for going out of my way to put myself in my best position weeks later...then this is completely different issue, but it's Chris Frye, Paul Girault might be testifying as well who is an expert witness, who testified as an expert witness, and Greg Maclucci um, is another person involved in this email string because I've already - all these folks have testified and their information is out there already. It's a completely different situation, I mean the defendant doesn't - this research and investigation started last Thursday and it's not even done yet, so to allow him to - it just seems like there's incomplete data at this point. And that...I don't mean to belabor the point but - he's not even done yet.

    HK: and neither is Cisco, with what they're doing and neither is their oranthologist that we got notice of just recently so there are new experts "flying around" so to speak.

    JG: but until they get ready to land, it's really not an issue for me to deal with. So your objections I think are a bit premature...because at this stage of the dance, they may not even offer rebuttal evidence. They may, um, be telling you that to see what's gonna happen.

    HK: judge I wasn't saying "objection", I didn't object to what they were saying - I'm simply saying-

    JG: I know but, what I'm saying is that, um ... we may not even GET to rebuttal evidence. I mean so - to project what they're gonna admit through whatever witness or whatnot I think is a bit dangerous and I have to look at each individual witness at each stage independent and apply the law. At this point at my discretion the motion to renew the motion to allow the testimony of Mr. Masachi is denied...just for the record I'm going to indicate that um...(reading) the failure to comply with 15A905 and the defense has not established a good faith basis upon which, or showing that the witness should be called...and also under rule 403 as I stated the other day. These are all - I'm sure, fish that we're gonna have to fry at a later stage - if we get to that point. But...you know, I don't even know if there's been evidence admitted um, that can be rebutted so that's an argument you may need to make as to any rebuttal witness. So that's I mean, I mean for me to project out whether I'm going to let anybody testify in rebuttal testimony at this point, I think it's a bit premature. So at any rate, let's take it at the stage we are now from that.

    HK: understood your honor I would like to offer Mr. Ward's report as defendant's exhibit 84 for appellate purposes - I realized I had not put that in the record yet.

    JG: alright, ahh

    ---------------------------END COURT SESSION------------------------------------

  13. #28
    Join Date
    Apr 2011
    Posts
    1,234
    Quote Originally Posted by fran View Post
    Thank you for your hard work.

    IMHO, I don't see anything appealable there.

    We'll see.

    fran
    Thanks, I think it's helpful to everyone with interest in the case regardless of where you stand.

    As for the appeal angle for this proffer, IMO we'll have to wait for a few things to happen - mainly Kurtz's characterization of the value to bear out the way it is expected to by many.

    I had not posted the entire session at the time of your reply, it's up now including the motion at the end.

    note: some interesting chat about Frye, and perhaps some insight into why he was not called at the end? remember - JG allowed him...which could play into the appeal as well.

  14. #29
    Join Date
    Apr 2011
    Posts
    1,234
    Quote Originally Posted by Madeleine74 View Post
    Wow, jbr, you spent a lot of time on that. You may have a future in court reporting!

    .
    .
    .
    .

    No, at the appellate level it's did the judge make a proper legal ruling to exclude this new witness?

    I believe the appellate judges will find the judge's ruling to be valid.
    LOL, no thanks I couldn't wear that mask.

    IMO, what the Appellate court will have to decide re: the testimony itself (ultimately) in this case is the weight of exculpatory value (for the defense) & judge discretion. Yes, he cited to support his ruling but that may or may not be enough.

    There are other issues intertwined with this episode as well which may also make their way into an appeal.

    I've written/typed too much to get into it now though

  15. #30
    Join Date
    Jul 2008
    Posts
    3,436
    Quote Originally Posted by Madeleine74 View Post
    Wow, jbr, you spent a lot of time on that. You may have a future in court reporting!

    The issue, as I see it, is not the content of what G.M. spoke about, but the disqualification of J.W. as a forensic expert. JW himself posted on this board that he agreed with the judge's decision to not classify him as an expert. Further, he said he told the defense that from the beginning. This does not bode well for the defense.

    Instead of finding a qualified and recognized forensic expert in plenty of time for trial (and it sounds like there were some months to do this), the defense put JW on the stand anyway, and tried to get him qualified by the judge as an expert (forensic/network, the whole shebang). The defense lost that gamble, and it was their gamble. You can't blame the judge for a ruling that even JW himself agrees with!

    So now the defense rushes out to find another expert at the last minute, yelling how unfair this all is, when it was they who knew ahead of time that this very thing could occur. They march into court with their new expert and try to get the judge to accept this new expert witness.

    < buzzer >

    The only way to accept this guy is to stop the trial for a long enough period of time so the state has enough time to prepare. But there's a jury waiting, you can't just stop the trial, there are rules to how this all proceeds. This witness cannot testify. Seems unfair, yes. But is it legally wrong?

    That's the real question. Not the MFT, not the .cur versus .bmp, not the files on the computer. No, at the appellate level it's did the judge make a proper legal ruling to exclude this new witness?

    I believe the appellate judges will find the judge's ruling to be valid.
    That is not at all what he said. He said that he agreed he shouldn't be classified as a "forensics expert". There is a huge difference. I believe what the appeals court is going to have to do is to decide what a "network security expert" versus a "forensics expert" is allowed to testify about. And here is what I found relevant from the testimony of GM:


    HK: that's okay, are you familiar with the title "Network Security Expert"? are you familiar with people who perform that function?
    GM: Yes.

    HK: And is a Network Security Expert capable of - well...are they capable of extracting information from workstations in an effective and competent manner?
    GM: Yes, that's part of their job. I've got colleagues in the industry and I deal with these corporate folks.

    HK: And, are they capable of evaluating Master File Tables?
    GM: Yes.

    HK: Are they capable of evaluating login trees?
    GM: Yes, they have to. When there's an intrusion on the network, or if somebody came in through the network, and it affects other computers on the sys- on the network, they have to look at those logs. A lot of times we're relying on those IT security folks or network Administrators because they know their system better than we do and...we rely on them, we get called in we're looking at those logs, we have them preserve those logs. Any data that's accessible whether it's event logs on the computer, whether it's on the router, whether it's on the network server, we need those...so we can evaluate them and analyze them.





    I look at it this way. CF wasn't being offered as a forensics expert, but he was allowed to testify about the systems event logs (even though he ultimately didn't testify). So why wouldn't he have to be a forensics expert to testify about system event logs? It's the same thing for JW. He was to testify about things he looks at all the time with regards to his job. I agree that he shouldn't have been allowed to present his own mft...but he should have been allowed to testify about what he saw in the prosecution's version of the mft.
