06-08-2011, 02:30 PM #1
John Bradley testimony (Cacheback - internet searches for chloroform, etc.)
John Dennis Bradley - owner business - computer software since 2001, LE officer in Ontario CA, investigator training and professional training most career, in 2000 transferred to ?crime....in 2005 rank sergeant - back in uniform 10 months later left LE and director of crimes ....started software co. Armor(?) data....develop software .....with bank and found it wasn't for him....didn't further his ability to further computer forensic investigation renamed Amor data to fulltime business - increase demand for software 2 yrs ...he does primary training on his software....expert witness in Canada in computer forensic in Ontario Canada...in connection with his Co. criminal defense case in Toronto - 2 years ago... expert witness accepted in computer analysis....casheback focus on computer cashe history or cache (sorry sics) temp folders or series of folders to make it easier to navigate the internet - fill a request faster...extract info with software...present in fashion for investigation of what is taking place..compensates for times changes....lots info stored in cache in time fragments.....conversion time zones from GMT.....take into account time.....
he teaches...while LE 2 years advanced computer forensics ....along lines of time he went to the bank....local college forensic course...train curriculum for his software....also guest speaker @ conferences....met Kevin Stanger....look @ a datafile....he had a file on thumbdrive part of investigation....recovered from harddrive relating to a matter...object overruled
general asked what info given to him....block of data firefox 2 browser, certain characteristics plain text info....keyword info word chloroform....contiguous info....,location on the hard drive recovered from...unallocated clusters portion harddrive not being used - subject to be overwritten - sometimes not for a long time- header and content within the footer...was intact...why important in unallocated space...greater the number less likely attacked? file....file was intact...copied to laptop workstation and copied his thumbdrive to laptop....what they were looking @ when he reviewed file....took time scrol thru entire file...correct and keyword chloroform contained within....replicated and present on the data he copied..
....size of file (missed it)
deleted file from its size conclusion belief @ time based on size of file unallocated space....a level of inactivity for that not be overwritten - varies use/size of hard drive/how much data actually used.....surprised actually recoverable.....tell when internet hx was deleted? can't say ....firefox auto delete once reach size or date....that version didn't come with any auto default to delete history.....must be deleted manually....next step .....ran thru enormous number of tests....issues were why couldn't be parsed or decoded ....over 3 days spent looking @ very small details...spent a long time how this was different from anything else...parse and decoded it able to write to improve functions in software deal with anomaly - corroborate work done with 3rd party to account records should be finding....cacheback generate report... 2 reports given to witness portion of the cacheback report for 3/17/08 and report for 3/21/08 except of one entry for the 20th...publish to jury during testimony (JB being entered into evidence?) HHBP any add'l objections? not at this time....publish
Proud member of the AFKBPOFPOPL
06-08-2011, 02:59 PM #2
LDB w/Bradley - computer expert cacheback explains columns on his report
entry 441 -google.com 2:43 pm on 3/17/08
92 indicative - timeframe within scope or parameters of the data
google search keywords will help make results more accurate....search button request thru the server - request is fulfilled - anything results sent back...results show in this history create another line entry in the actual history...once google is accessed provide with info about what happened or where user went after that...url ? depicts keyword and hlem& - home language and english ...& spell res value # - q = chloroform
info provided by server - google user starts q and chloroform....value sign do you mean this? that item clicked on....
next entry #443 - exact value time stamps are identical....chlorAform doesn't end in & so suggests first request to produce the results above it...
show exact same time....chronological ...sorts first by time stamp then by url....not necessary from web browser - if time stamp is different - ie: 444 and 448 time stamp slightly different.
draw any conclusions #444 - url added in behind scenes tracking @doubleclick.net notorious for tracking ....background....inserted in various points as occur or requested due to fact tracking software ...time difference between calling home, retrieving info and calling back...see item #445 same type - domain has same characteristics of a tracking component...
next page - not time but entry #446 background just like described before...myspace included in there - how would that appear to the user? not appear to user as you see it...cookies driven ...recognizes certain types of info....auto login off to the side of page to respond to users activity...entry #456 - 3/17/08 14:45:30 @ bottom - background running? no this is a typed url - photobucket.com
next page - down report...activity on photobucket website #457, 458, 459 460, 461, & 462....once past photobucket entry 14:..:55 - http://en.wikipedia.......chloroform.... appears to be item search results from google selected......
continue down #464-471 - what is happening on computer? time stamps review....@ line item 2 #464 - another search results ending in alcohol @ wikipedia 2:54pm process....next item #465 item selected first url - supports search results - return was under #464 url ending in alcohol....#465 google search - believe what this is....commit search brought back same syntax or format you created....recreate as if you type yourself..search results hover over item picture of the item....
look @ history sequentially user was doing
#465 query alcohol returned #464 - telestrated stating this result caused that result....on and on.....not listed on the camera....user clicking through items on the screen.....
line item 472 -
473 is separate result wikipedia - ending in inhalation
created file called death
wikipedia 2:58:35 ending in self defense
#476 result ending in creating page self defense url
search then have terms like + signs between them....plus sign encoding done auto and it replaces a space....allowing those result to fetch info and come back....takes on similar as if created manually....self defense ....users created keyword or similar words or related articles or keywords
#477 2:58:58pm url from search results wikipedia rbsd.....
#478 2:59 pm hand to hand combat wikipedia search results
(askin rest of page display including #479)
continue ....#479 3:04pm search
generated #480 wikipedia head injury.....gone ahead of self wants erase...
this item caused 481 caused 480 to be entered....482 3:00:26.....
middle _ meningeal artery
internal bleeding ...wikipedia caused 487 same time stamp
(kc appears to be holding back a smile to this poster - IMO)
google ads - adworks - advertise......
490 - not pop ups just stuff found way in automatically...
other activity #490 3:05:17 - articleworld.org ....internal bleeding
492 3:05:17 wikipedia url hypo?
display from 495 and 501 auto created ad items advertisement, also item #498 myspace.com don't know refers to but appears to be cookies.....DT standing....
15 min recess
Proud member of the AFKBPOFPOPL
06-08-2011, 03:49 PM #3
8-12 is system generated.....#9 is result of search for chloroform....result generated by selecting one of the results....
#28 in record appears to be selected or bookmarked ...chronology unless there was a search not part of the report or typed in as well this was user selected....
#29-30....can't explain exactly this item here returned ...only because not familiar w/cbot . ws .....2 indicate secondary server fills request....next item with different time stamp....possibly something selected again to 2 proceeding urls....best I can explain that.....
entry 45 (kc is whispering intently to JB)
45- end.....15:26:24 google search for neck breaking with space in between hl keyword en english & for query and final item button = g search ....no spelling suggestion ....genuine search...
wikipedia relate to this search? #47 ends up in history record could be a saved bookmark or manually typed in.....activity by user
#49 myspace activity by user - token recognized by system believe so....
entry facebook. com website - path subport read message request...based on the syntax t follows question mark....length consistent with profile...or transaction...user generated but possible selected by a box on the web page by a pic or a cookie....
approach with remainder of the report
facebook activity appear to be? yes.....for all these page 13 yes ...at least 2 items auto generated ad tracking.....what time facebook activity end? 3/21/08 3:47:14 pm
asked to perform any other exam for Ocso for this case? not that I can recall......
Proud member of the AFKBPOFPOPL
06-08-2011, 04:17 PM #4
06-08-2011, 04:34 PM #5
firefox history was extraordinary version of the history.....he approached you that he couldn't get your software to work correctly....software function correct ....firefox...
he could get it to work so far and then not complete .....here on a conference stayed up all night trying to fix it....yes....get a little info on the case.....worked all night to put something together....took a few nights....instructing a course ....worked on breaks, lunches, til 2 am and 3 am before left on Friday....subsequent to that hired....didn't complete searches completed decoding....clarify hiring? ask expert witness in case.....contract ask to come as a witness .....here today with a concern could be addressed afterwards...on your website any ads on you testifying on this case....specific article referenced put on recently....in support or explain work reference word concern...firefox ....@ time in process to version 3....venders 2 obsolete version.....#1 choice internet forensic investigations...article posted about this case...advertising? yes and it's subtle....not sent any promotional info put ....only reason I put that up Sgt. Stanger sent it....something to support validity of the software....not overwhelmed with phone calls...not purpose to make money but purpose support this is a valid tool...
3/17/08 how long user on that website before user went to another website? disadvantage don't have the report.....pg 65.....JB gives him binder....how long person visiting that site ......57 page document where start looking?
1:43:41 on 3/17/08....@ 2:43 pm? yes....how long til user goes to the next item.....
2:43:48 - seven seconds.....another occasion to ....first item referred to is google.com home page next one is search results took 7 seconds...next time chloroform brought up @ 1:53:25 how long person looking you mean 2:53? yes sorry.....2:53:25 7 seconds or 1 second....want to explain something....want you answer my question....object sustained purpose of role is decode history.....checks and balances....take results .....one second disparity .....based on clues left behind one might try to replicate....can't speak to why....can't say if someone necessarily typed this in....wikipedia consistent search definition for self defense - underscore keywords within documents on wikipedia has a link to another topic within that topic....someone typed in or clicked link...2:58:58 reality based self-defense......acronym if that is what it stands for rbsd end of url....next 2:59:08 self defense topic looked @ hand to hand combat ending.....were you informed hand to hand combat anything to do with this case? no.....
1 minute later middle meningeal artery....#483....know what that is? no idea! makes 2 of us....investigators say anything to do with this case? no sir..
ending in ruptured spleen? any relevance to the case? not made aware of it.
chest trauma investigators tell you anything to do with this case? no sir....longer time spent there...
internal bleeding...anyone internally bleed in this case? no sir
3:05:47 30 seconds later....hypo=....bulimia?
other searches have no relevance - appears so....
go to 3/21/08 -
what time on 21st 3:16:13 ....a myspace before that? no ....first search - correct? first chloroform search 2 entry after google.com search for chloroform....
line item 7 3:18:17 sci-....com ....2 min 25 sec.....how many seconds next search....
anything after that?
line item #9 3:19:16 drug library . org chloroform habit.htm 21 seconds....
next item....gave 2 min 25 seconds anything came up between then?
line item 5 -7 item in between same time stamp nothing in between....longest time anyone spent looking @ chloroform .....yes
looked @ that last night ....1800's habit...didn't read that....blog written bout someone in 1800's having chloroform habit.....
household weapons 3:21:56.....making weapons out of items @ house...suggested what might contain....didn't look @ that....no info from investigators making weapons in the house...no...
next search...3:26:24 item 45? neck breaking ....prior to that....anything on google self defense for women?
going back to page 3 reference to a book self defense for women? not able to find what you are referring to...... again not able to find it.....JB to stand.....give me that entry we were at line item 15 3:21: 15:..making weapons out of household items....
8401 @ 3:19:04 referencing two different reports not sure.....move further along (JB will - in my best Yoda voice)
see @ 3:23:08 morningnews.org? yes ...what is that ? url themorningnews.org/archives/....home security basics....didn't look @ that site....
next one blogger.com...reference prepare for zombie invasions...zombies are coming references.........very long url....no one told zombies involved.....searching....syntax of url stuff in front of you taking place and what is going on in background....duplicate this ...doubt 3 years later much success.....assume news on the morning news the user accessed made available on the website....don't know the defendant or could be something on the server....based on 2 timestamps.....only limited info to tell from this.....3:35:..funny.co.uk.....kung fu website? don't know
all searches finding household weapons...using household weapons....martial arts.....all in the same sitting....familiar with movie shovel.....have the word shovel....any terms meaning shovel? no .....
only a few months hired in 2009? not hired but consulted in 2009...only a few months after this case came about...apparently so..... (object- overrule) a lot of these websites would have still been active @ the time....I have no knowledge when computer was seized.....better evidence be looking at this to show jury actual page as opposed to link.....doesn't give you actual page or anything on that website...jokes...medical facts...kung fu....whole ray of chemistry....
people text while on computer....(object sustained)
computer examiner cannot testify person is actually reading while on page...not without a security camera...don't know if got a phone call while searches done......
after end of day glean very little from these....think information gleaned from here can have great context.......let's talk about 7 seconds...1 second ...17 sec...2:25 sec....and 21 sec(?) that is how much time seated in computer....talking firefox ...don't know if other cache or history analysis other browsers ....windows comes with many people use multiple browsers...many explanations....lessen the time we are talking about....a little over 3 min of time in total - agreed.....only given computer....how many months ....try to decode....cursory review chloroform did exist ...items came forefront...only look @ month of march ? looked @ data 12/2009 disclosed to OCSO what I saw....not given full month of march - all I have is all I worked with....not how much time used on the computer on the internet - don't know if 50 hours or 250 hours can't put into context how much time that 3 min was....incorrect....history represents firefox browser only....some user generated action.....can't disagree ...can't using firefox vs. what I have no info privy to.....take into firefox, internet explorer, netscape.....can't put into context this 3 minutes in march vs. how much time on computer during month of march...could be minuscule amount of time spent in March..
Proud member of the AFKBPOFPOPL
06-08-2011, 04:44 PM #6
LDB w/Bradley...type in the word search term into google user selects options based upon what google returns....block of internet history surfing web for information about weapons, chloroform, how to make ? object sustained
hyperlinks don't always keep you on the same page....tend to but they can link you to another page...yes...can content of any websites ....some inquiry what was actually displayed at the time of the search....after passage of time webpage content changes...cannot tell @ the time of the search what was on the webpage..
only asked to decode the history....tell jury what particular searches were performed....searches are all...whole time frame encompassed an hour.....
entry #3 www.sci-spot.com history shows 84 times visited to that website (unsure of the spelling of this)
re-direct on these questions only...
JB looking thru papers - holding up the process.....whispering to DS....recross examine.....
witness asks if JB looking for papers near witness....I may be... approach witness? you may....
not a report by me....report created by somebody else......site psyspot.com or scispot.com.....could you assist me sir in locating this? someone else report.....cacheback report....there are only 1 visit to this website? Sidebar- approach
JB -Proud member of the AFKBPOFPOPL
06-08-2011, 04:49 PM #7
visit chloroform 84 times .....31 days haven't seen my daughter....
sounds like a kc trait......
Proud member of the AFKBPOFPOPL
06-08-2011, 04:53 PM #8
84 times practice makes perfect......
highest concentration of chloroform ever seen - Dr. AV
traces of chloroform still there much later - Rickenbach
Proud member of the AFKBPOFPOPL
06-08-2011, 04:55 PM #9
7 minutes before 5:00 - recess.....HHBP whips open his robe (wooo hoooo!) and pulls out a thumbdrive? attached to a neck holder.
Proud member of the AFKBPOFPOPL
06-09-2011, 09:08 AM #10
Baez is showing Bradley a report and the witness states this is a report that he did not create. It was using his software but he cannot speak to this report as he did not create it.
I don't like speculation or hypotheticals
06-09-2011, 09:09 AM #11
DT does not want that 84 times in...Baez trying so hard to discredit the 84 times.
06-09-2011, 09:13 AM #12
Again the SA objects to hearsay
JB: May I question this judge
HHJP sustained it's sustained
I don't like speculation or hypotheticals
06-09-2011, 09:14 AM #13
SA the data file you were given was from 3/6 - 3/26 is that correct
Bradley: yes that is correct
I don't like speculation or hypotheticals
06-09-2011, 09:15 AM #14
Bradley, usually a page is not refreshed unless a user asks it to be refreshed
SA now talking about tabs
Bradley explaining how tabs work
I don't like speculation or hypotheticals
06-09-2011, 09:17 AM #15
Baez tries to bring in blogs on his recross
JB tries again
**sidebar #1**
I don't like speculation or hypotheticals