  1. #16
    Join Date
    Apr 2011
    Posts
    1,234
    Thanks for pinging me on this, I will take a detailed look.

    One thing though - I have entertained the possibility that BC did do a search...but 3 days later, after he was advised of the location of the body.

    I seriously doubt any files were planted per se, but I do believe both that some files may have been "looked at" prior to a bona fide forensic exam, and that timestamps of those files might be inaccurate.

    GM did proffer that there were traces of "human interface", and tampering (his testimony is posted here). He did testify that the cookie / Google watermark appeared "forged". That could mean any number of things - again not necessarily a planted file.

    The foreman essentially said that this piece of evidence was the evidence that convicted BC, and that no one testified that it was tampered with. This will put tremendous scrutiny on Judge Gessner's decision to preclude GM's testimony, and limit JW's testimony. In truth, expert witnesses - to be qualified to testify to something - need only be more knowledgeable about that "something" than the collective experience of the jury.

    Will take a detailed look at your process and reply to that later - thanks again!

  2. #17
    Join Date
    Jul 2008
    Posts
    362
    This is a response to a blog post from another site made today.
    A summary of computer related facts:

    Cary Police neglected to follow forensic protocols – the computer was left on and connected to the internet for 27 hours while in police custody.
    The Cary Police followed their protocol: seal the crime scene until a trained detective gets there. The computer was left exactly as Brad left it, until a computer-trained detective arrived to collect it. The computer was inside the house, the house was sealed with yellow tape and kept under guard. The computer remained powered on with the screen and keyboard locked, and with the network secured by VPN.
    During that 27 hour time frame, close to 700 files were altered and they were not all due to normal updates. Included were internet history files and email archives.
    The updates were normal updates pushed from Cisco through the VPN. Normal updates include software updates, automated backups, automated email downloads, and defragmentation.
    The computer wasn’t hashed until August 22nd, ’08 so files could have been planted on the computer anytime up until that point.
    ok
    All of the timestamps associated with the “search” were invalid, 100% of them, compared to only 2% over the lifetime of the computer.
    There were 8 timestamps associated with each file. 7 of the 8 were valid and indicated that Friday afternoon. One was reported "invalid". No testimony was given on what was invalid about it.
    The Cary Police neglected to subpoena Google for the cookie data on the computer, even though it is a common thing for law enforcement to do to verify that files originated from the computer being investigated. Even cookies from after the search could have provided the browsing history.
    ok
    Cary Police never requested verification of the search through the Cisco routers.
    Routers do not store logs of packet routing.
    No cookie exists for the alleged search. This is suspicious because it is the only type of file that cannot be manufactured.
    Or, it means that private browsing was used, or it means that Brad erased it.
    Cary police waited until after the Google Privacy policy expired to give the defense access to the computer and files – making it too late for the defense to contact Google to obtain the metadata on the cookies.
    ok
    No cookie exists but the temporary internet files were there. There is no explanation why anyone would take the time to delete the cookies but leave the temporary internet files.
    Use of private browsing is one explanation.
    Cookies for other searches were found on the computer.
    Private browsing turned off is an explanation for that. Turning private browsing on and off regularly is normal for that feature.
    The alleged search lasted a total of 42 seconds, not long enough to locate a site to place a body.
    I suggest the plan was in place for at least a week and he had searched this area before. Who knows what he was thinking: second thoughts, mental rehearsing? Certainly the planning did not begin on Friday morning.
    Passwords were changed.
    The script that pushes software updates to a company's computers would use the administrator's password. It would be normal for this password to be changed remotely as part of an update.
    Time/date and timestamps were changed while the computer was in police custody.
    That would be normal due to the normal automated processes: backups, downloads, defrags, and updates.
    The prosecutors used “national Security” concerns as a reason not to share the MFT and file extraction methods with the defense team so that their own experts could duplicate the file extraction.
    The judge ruled that the MFT did not have to be handed over, but the prosecution handed it over anyway. The MFT was on the evidence table for the jury to see, and GM's powerpoint slides on the MFT were part of defense closing arguments.
    Chain of custody documentation is unclear.
    ok

    All told, to sum up, everything is normal or just saying the police didn't do a thorough enough job collecting data. I wish they did get more data from Google... I'll bet there would have been searches on choking, decomposition, and cleaning. He got those things right.

  3. #18
    Madeleine74
    Join Date
    Apr 2011
    Location
    USA
    Posts
    10,269
    There's much talk about a .cur file. However, Google stores the file as a .bmp file in the cache. This is shown, very clearly, in the screenshot below. Look at the name of the cache file in the middle (closedhand_8_8[1].bmp)

    There is no conspiracy with these files.



  4. #19
    Madeleine74
    Join Date
    Apr 2011
    Location
    USA
    Posts
    10,269
    Further, the last access time on BC's computer is around 21:00 UTC on 7/15/08. That translates to around 5pm on that day and that is also the last time BC was on his laptop computer in his home office.

    According to testimony, the house was secured right after 5pm, yellow tape went up, and CCBI later did their exam outside on the car and loaded that up on a flatbed to take to be processed. Testimony is that no one else entered the upstairs office, no one touched the laptop, and the records show the detectives left the premises and went home until CCBI was available to come back the next morning with a new shift starting. There were hours where no one was in the house, there were cops posted to ensure no entry...each one of them testified.

  5. #20
    Join Date
    Jul 2008
    Posts
    362
    Quote Originally Posted by jrb0124:
    The foreman essentially said that this piece of evidence was the evidence that convicted BC, and that no one testified that it was tampered with.
    I'll wait for your complete reply before responding to your other points, but since the foreman isn't here to correct the record, I'll post his exact words on this subject. The point being that they did recognize and consider other circumstantial evidence.
    The evidence presented by Special Agents Johnson and Chappell drove the outcome on this
    case. It caused [a lot of] the other circumstantial evidence to become relevant and credible.

  6. #21
    Join Date
    Jul 2008
    Posts
    362
    Quote Originally Posted by Madeleine74:
    There's much talk about a .cur file. However, Google stores the file as a .bmp file in the cache. This is shown, very clearly, in the screenshot below. Look at the name of the cache file in the middle (closedhand_8_8[1].bmp)

    There is no conspiracy with these files.


    Madeleine-- I think you just proved that Brad used private browsing.
    Notice you have a September 2009 create date on the file. Could that be the first time you used Google Maps from that browser? That file has stayed in your cache and your browser has re-used it since then. In my recreate, my create date is the same time as the search I did. I was using private browsing. Since Brad's cursor file matches the time he did the search, his previous copy must have been erased! So... he either was using private browsing (which automatically deletes the files), or he was manually deleting files.

  7. #22
    Madeleine74
    Join Date
    Apr 2011
    Location
    USA
    Posts
    10,269
    macd,

    I actually picked up that image from a much earlier posting on this site by another poster. (I forget who it was now.) I was interested in the .cur versus the .bmp issue, which that picture illustrates perfectly. I think it's a semantics problem. One side is calling it a .cur file and the other side is calling it a .bmp file. It is stored as a .bmp file in the cache. But yes, that image also shows a non private browsing session in which an earlier visit was made to the maps site.

    Your private browsing scenario explains the access times very well, I think. A cookie deleted points back to the person who did the search or the manner and tool he used (i.e. InPrivate browsing in IE). Sometimes a cigar really is just a cigar. Same access time file stamp is, as you showed, a function of InPrivate browsing. Those system event logs corroborate the search day & time and login status as being on 7/11/08 @ 1:14pm.

  8. #23
    Join Date
    Jul 2008
    Posts
    362
    Quote Originally Posted by WolfpackWoman:
    --If you are using Vista, have you enabled the updating for the timestamps? (We know BC's was enabled to update, because other files have updating timestamps, instead of the stagnant, which has been discussed on here).
    One more comment on this.
    I found a blog post on a digital forensics site investigating why Vista sometimes updates the last access timestamps and sometimes not.

    http://secureartisan.wordpress.com/2...ssed-research/

    So, finding some files on the hard drive that have updated last-accessed times does not imply that all files should be updated.

  9. #24
    Madeleine74
    Join Date
    Apr 2011
    Location
    USA
    Posts
    10,269
    WHAT? You mean Microsoft is sometimes buggy? Microsoft Vista has been inconsistent? Say it ain't so! Does that make Bill Gates culpable in this crime? I gave up using IE a long time ago and finally dumped Vista off my newest laptop. Give me WinXP any day. Even Win7 has its issues, as I sadly found out first hand; I still use it on one system though. WinXP and Firefox have been most consistent for me.


  10. #25
    Join Date
    Jul 2008
    Posts
    362
    The final aspect of the Google search files that has been claimed to be suspicious is the SIA entry timestamp of the files. The defense presented these timestamps as "Invalid".

    The first thing I found in my research is technically there is no such thing as an invalid timestamp. An NTFS timestamp is a 64 bit number. The value indicates the number of 100 nanosecond periods that have passed since 1/1/1601 at Midnight UTC.

    So if all the bits are zero, the timestamp is 1/1/1601 12:00:00.
    If all the bits are one, the timestamp is sometime on 5/28/60056.
    Every number in between is some time in between.
    No number is invalid.

    So, calling a timestamp invalid means a judgement call was made, by software or by person, that something was weird about that number. Since the actual number assigned to that timestamp has not been released, there's no way to recreate and verify that the condition was recreated.

    But, I'll present one possibility. If the SIA entry timestamp is less than the MAC timestamps, that would give me pause. I might even consider that "invalid".
    Due to private browsing the cursor files would have been repeatedly erased and replaced. It turns out that if NTFS has an entry with a deleted file and a new file is copied with the same name, the SIA entry timestamp of the original file is kept. Which would look weird: the entry would look created before the file was created.

    There are a few forensic sites that delve into this. Here's one.
    http://secureartisan.wordpress.com/2...ssed-research/

    I'm afraid without more info, this is the best I can do for explaining the "invalid" SIA entry timestamps. Something was judged weird about them, and we have one scenario (delete-and-replace file) that we know was happening that causes weird SIA entry timestamps.
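As an added illustration of the timestamp arithmetic in the post above (example code written for this page, not the poster's code or anything from the case record), the Python below decodes a raw 64-bit FILETIME into a calendar date, including the all-zero and all-one words the post describes, and applies the one "invalid" test the post proposes: an MFT entry stamp earlier than the file's creation stamp. The record layout and sample values are constructed.

```python
# Added example for this thread (not the poster's code or case data): decode a
# raw NTFS FILETIME and flag an MFT-entry stamp that predates file creation.
from typing import Dict, List, Tuple

TICKS_PER_SEC = 10_000_000      # FILETIME counts 100-nanosecond intervals
DAYS_1601_TO_1970 = 134_774     # days from 1601-01-01 to the Unix epoch


def filetime_to_civil(ft: int) -> Tuple[int, int, int, int, int, int, int]:
    """(year, month, day, hour, minute, second, leftover_ticks) for a FILETIME.
    Proleptic-Gregorian day arithmetic (Howard Hinnant's civil_from_days) is
    used instead of datetime so values past year 9999, such as the all-ones
    word, still decode."""
    if not 0 <= ft < 1 << 64:
        raise ValueError("FILETIME is an unsigned 64-bit integer")
    secs, ticks = divmod(ft, TICKS_PER_SEC)
    days, sod = divmod(secs, 86_400)
    z = days - DAYS_1601_TO_1970 + 719_468    # rebase to 0000-03-01
    era = z // 146_097                         # 400-year cycles
    doe = z - era * 146_097                    # day within the cycle
    yoe = (doe - doe // 1460 + doe // 36_524 - doe // 146_096) // 365
    doy = doe - (365 * yoe + yoe // 4 - yoe // 100)
    mp = (5 * doy + 2) // 153                  # month, counted from March
    day = doy - (153 * mp + 2) // 5 + 1
    month = mp + 3 if mp < 10 else mp - 9
    year = yoe + era * 400 + (1 if month <= 2 else 0)
    return (year, month, day, sod // 3600, sod % 3600 // 60, sod % 60, ticks)


def entry_predates_creation(rec: Dict[str, int]) -> bool:
    """The post's candidate 'invalid' condition: the $STANDARD_INFORMATION
    entry-modified stamp is earlier than the creation stamp, which a normal
    create-then-write sequence cannot produce."""
    return rec["si_entry_modified"] < rec["si_created"]


def suspicious_records(records: Dict[str, Dict[str, int]]) -> List[str]:
    """Names of records whose stamps fail the ordering check."""
    return [name for name, rec in records.items() if entry_predates_creation(rec)]


# Constructed sample records (hypothetical values, not from the case): the
# first mimics the delete-and-replace artefact the post describes, with the
# entry stamp 30 minutes before creation; the second is an ordinary file.
T0 = 128_600_000_000_000_000          # decodes to 2008-07-08 14:13:20 UTC
SAMPLE_RECORDS = {
    "closedhand_8_8[1].bmp": {"si_created": T0, "si_entry_modified": T0 - 30 * 60 * TICKS_PER_SEC},
    "report.txt": {"si_created": T0, "si_entry_modified": T0 + 5 * TICKS_PER_SEC},
}

if __name__ == "__main__":
    for label, ft in (("all zero", 0), ("all one", 2**64 - 1), ("sample", T0)):
        print(label, filetime_to_civil(ft))
    print("flagged:", suspicious_records(SAMPLE_RECORDS))
```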


  11. #26
    Madeleine74
    Join Date
    Apr 2011
    Location
    USA
    Posts
    10,269
    macd,

    Bottom line: based on what you know and from what you've learned about the workings of Microsoft, MS Vista, Google Maps, IE, and the $MFT, systems event log, etc, do you think the Fielding Dr. Google map or any other files were planted or tampered with in order to pin a crime on BC?

  12. #27
    Join Date
    May 2010
    Location
    Raleigh NC
    Posts
    10,597

    Holy Bitmap, MacdMan -

    What a whale of a job you have done here! My hat is off to you -- it was a bit of work, huh? ('scuse the unintended pun, please).

    And thanks to Madeleine74 for coming at it from her angle. Her work showed that what you did could be reproduced, and that's how theories and experiments are validated.

    Both of you spoke in down-to-earth terms that most folks could understand, despite the squirrelly-ness of the PC/MS/Gates world.

    It helped a lot to show & explain it in baby steps, especially the part about private browsing and what it does, etc.

    A big thanks to you for your cyber-sleuthing.


  13. #28
    Join Date
    Jul 2008
    Posts
    362
    The Free Brad Blog recently posted some information about the Google search. One of their claims caught my eye. Since they only accept "He Was Framed" comments to be posted on their blog, I'll post their claim and my reply here.

    ***** This is the most important finding that can NOT be explained away. ****** There was NO cookie anywhere on the computer corresponding to the search. In fact, there were NO cookies at all for July 11th. There were plenty of cookies the preceding and following days though. The MFT not only lists visible cookies; it also lists deleted cookies. It was checked and there wasn’t even a deleted cookie for the search. (pg. 44)
    According to the Blog this is the "most important" finding. The finding is that there were no cookies found at all on the computer for July 11.

    There are two ways to not have cookies on your computer for a day:

    1) Not use the Internet at all. This was not the case, since the browser history file showed visits to an airline website and Brad's bank's website, in addition to the Google Search. We know he was using his computer for much of the day at work and later at home. There should have been cookies from the bank, the airline, and any other website Brad visited that day.

    2) Use Private Browsing. The Private Browsing feature of Internet Explorer intercepts cookie write requests and does not save the cookie. Voila... missing cookies.

  14. #29
    Madeleine74
    Join Date
    Apr 2011
    Location
    USA
    Posts
    10,269
    Hey MacD! Hope all is well in computerLand.

    Buggy MS beta 2008 InPrivate Browsing feature in IE foils a good conspiracy theory. Oops. The good news is Microsoft fixed it eventually...

    Remember too there were also "invalid" timestamps for all of July 11, which included https sites such as HiltonHonors, CitiBank, and several Cisco-owned websites. Computer usage all day from 11am login on, except for the 90 min lunch hour and other logoff times. There was also a weather search of the zip code, same as what BC did in google maps. Those secure (https) sites required logins and passwords. Yet none of these other sites including the weather site have been alleged to have been planted or tampered with even though their timestamps were called "invalid."

  15. #30
    Join Date
    Jul 2008
    Posts
    362
    Quote Originally Posted by Madeleine74:
    Hey MacD! Hope all is well in computerLand.

    Buggy MS beta 2008 InPrivate Browsing feature in IE foils a good conspiracy theory. Oops. The good news is Microsoft fixed it eventually...

    Remember too there were also "invalid" timestamps for all of July 11, which included https sites such as HiltonHonors, CitiBank, and several Cisco-owned websites. Computer usage all day from 11am login on, except for the 90 min lunch hour and other logoff times. There was also a weather search of the zip code, same as what BC did in google maps. Those secure (https) sites required logins and passwords. Yet none of these other sites including the weather site have been alleged to have been planted or tampered with even though their timestamps were called "invalid."
    Yep. And all of those sites visited would have left cookies. But, no cookies were found for that day. All of the cookies must be missing for the same reason. Private Browsing makes the most sense to me. "Planting of the google search" to explain the missing Google cookie, and "uh, I dunno" to explain the missing cookies for Hilton and Citi doesn't fly as a cogent theory.
