Recreating the Google Search

There's much talk about a .cur file. However, Google stores the file as a .bmp file in the cache. This is shown, very clearly, in the screen shot below. Look at the name of the cache file in the middle (closedhand_8_8[1].bmp)

There is no conspiracy with these files.



Madeleine-- I think you just proved that Brad used private browsing.
Notice you have a September 2009 create date on the file. Could that be the first time you used Google Maps from that browser? That file has stayed in your cache and your browser has re-used it since then. In my recreation, my create date is the same time as the search I did. I was using private browsing. Since Brad's cursor file matches the time he did the search, his previous copy must have been erased! So... he either was using private browsing (which automatically deletes the files), or he was manually deleting files.
 
macd,

I actually picked up that image from a much earlier posting on this site by another poster. (I forget who it was now.) I was interested in the .cur versus the .bmp issue, which that picture illustrates perfectly. I think it's a semantics problem. One side is calling it a .cur file and the other side is calling it a .bmp file. It is stored as a .bmp file in the cache. But yes, that image also shows a non private browsing session in which an earlier visit was made to the maps site.

Your private browsing scenario explains the access times very well, I think. A cookie deleted points back to the person who did the search or the manner and tool he used (i.e. InPrivate browsing in IE). Sometimes a cigar really is just a cigar. Same access time file stamp is, as you showed, a function of InPrivate browsing. Those system event logs corroborate the search day & time and login status as being on 7/11/08 @ 1:14pm.
 
--If you are using Vista, have you enabled the updating for the timestamps? (We know BC's was enabled to update, because other files have updating timestamps, instead of the stagnant, which has been discussed on here).

One more comment on this.
I found a blog post on a digital forensics site investigating why Vista sometimes updates the last access timestamps and sometimes not.

http://secureartisan.wordpress.com/2010/07/01/upcoming-last-accessed-research/

So, finding some files on the hard drive that has updated last-accessed times does not imply that all files should be updated.
 
WHAT? You mean Microsoft is sometimes buggy? Microsoft Vista has been inconsistent? Say it ain't so! Does that make Bill Gates culpable in this crime? I gave up using IE a long time ago and finally dumped Vista off my newest laptop. Give me WinXP any day. Even Win7 has its issues, as I sadly found out first hand; I still use it on one system though. WinXP and Firefox have been most consistent for me.

:wink:
 
The final aspect of the Google search files that has been claimed to be suspicious is the SIA entry timestamp of the files. The defense presented these timestamps as "Invalid".

The first thing I found in my research is that, technically, there is no such thing as an invalid timestamp. An NTFS timestamp is a 64 bit number. The value indicates the number of 100 nanosecond periods that have passed since 1/1/1601 at Midnight UTC.

So if all the bits are zero, the timestamp is 1/1/1601 12:00:00.
If all the bits are one, the timestamp is sometime on 5/28/60056.
Every number in between is some time in between.
No number is invalid.

So, calling a timestamp invalid means a judgement call was made, by software or by person, that something was weird about that number. Since the actual number assigned to that timestamp has not been released, there's no way to recreate and verify that the condition was recreated.

But, I'll present one possibility. If the SIA entry timestamp is less than the MAC timestamps, that would give me pause. I might even consider that "invalid".
Due to private browsing the cursor files would have been repeatedly erased and replaced. It turns out that if NTFS has an entry with a deleted file and a new file is copied with the same name, the SIA entry timestamp of the original file is kept. Which would look weird: the entry would look created before the file was created.

There are a few forensic sites that delve into this. Here's one.
http://secureartisan.wordpress.com/2010/07/01/upcoming-last-accessed-research/

I'm afraid without more info, this is the best I can do for explaining the "invalid" SIA entry timestamps. Something was judged weird about them, and we have one scenario (delete-and-replace file) that we know was happening that causes weird SIA entry timestamps.
 
macd,

Bottomline: based on what you know and from what you've learned about the workings of Microsoft, MS Vista, Google Maps, IE, and the $MFT, systems event log, etc, do you think the Fielding Dr. Google map or any other files were planted or tampered with in order to pin a crime on BC?
 
Holy Bitmap, MacdMan!! :hero:



What a whale of a job you have done here! :clap: My hat is off to you -- it was a bit of work, huh? ('scuse the unintended pun, please).

:clap:And thanks to Madeline74 for coming at it from her angle. Her work showed that what you did could be re-produced, and that's how theories and experiments are validated. :great:

Both of you spoke in down-to-earth terms that most folks could understand, despite the squirrelly-ness of the PC/MS/Gates world.

It helped a lot to show & explain it in baby steps, especially the part about private browsing and what it does, etc.

A big thanks to you for your cyber-sleuthing. :websleuther:..... :justice:


:yourock:
 
The Free Brad Blog recently posted some information about the Google search. One of their claims caught my eye. Since they only accept "He Was Framed" comments to be posted on their blog, I'll post their claim and my reply here.

***** This is the most important finding that can NOT be explained away. ****** There was NO cookie anywhere on the computer corresponding to the search. In fact, there were NO cookies at all for July 11th. There were plenty of cookies the preceding and following days though. The MFT not only lists visible cookies; it also lists deleted cookies. It was checked and there wasn’t even a deleted cookie for the search. (pg. 44)

According to the Blog this is the "most important" finding. The finding is that there were no cookies found at all on the computer for July 11.

There are two ways to not have cookies on your computer for a day:

1) Not use the Internet at all. This was not the case, since the browser history file showed visits to an airline website and Brad's bank's website, in addition to the Google Search. We know he was using his computer for much of the day at work and later at home. There should have been cookies from the bank, the airline, and any other website Brad visited that day.

2) Use Private Browsing. The Private Browsing feature of Internet Explorer intercepts cookie write requests and does not save the cookie. Voila... missing cookies.
 
Hey MacD! Hope all is well in computerLand.

Buggy MS beta 2008 InPrivate browsing feature in IE foils a good conspiracy theory. Oops. The good news is Microsoft fixed it eventually...

Remember too there were also "invalid" timestamps for all of July 11, which included https sites such as HiltonHonors, CitiBank, and several Cisco-owned websites. Computer usage all day from 11am login on, except for the 90 min lunch hour and other logoff times. There was also a weather search of the zip code, same as what BC did in google maps. Those secure (https) sites required logins and passwords. Yet none of these other sites including the weather site have been alleged to have been planted or tampered with even though their timestamps were called "invalid."
 
Yep. And all of those sites visited would have left cookies. But, no cookies were found for that day. All of the cookies must be missing for the same reason. Private Browsing makes the most sense to me. "Planting of the google search" to explain the missing Google cookie, and "uh, i dunno" to explain the missing cookies for Hilton and Citi doesn't fly as a cogent theory.
 
Bravo!!



'nuff said.
 
This is a recent post to the Free Brad Cooper Facebook Page
One of the most important parts of the trial was blacked out - Agent Johnson's testimony when the defense questioned him about the timestamps found on Brad's computer. The creation and modification dates were identical, which is logically impossible in a dynamic search with clicking and zooming in Google Maps.

The State's experts (Johnson and Chappell) actually duplicated the search with a clean
install of Vista (the same OS that Brad had on his computer). The results, including the timestamps that resulted when the search was duplicated were never shared with the defense due to "national security". There is in fact a screen shot showing one section of the timestamps that were produced in this duplicated search.

The defense tried so hard to have this revealed at trial - the fact that the timestamps will always increment when the mouse is moved and clicked across the map. They even requested that Johnson duplicate the search in court on ANY computer in the courtroom. The defense even offered the use of a Vista computer. The judge refused to allow him. This of course would have proven that the files were planted conclusively. Timestamps that don't increment is a clear sign that they were placed on the machine.

Prosecutors are supposed to seek the truth, not hide it to "win" a conviction. The judge allowed them to hide the facts that could have proven that Brad was indeed framed.

I've shown how using Microsoft's InPrivate browsing yields timestamps that match what was found on Brad's computer.

What baffles me is their disjointed logic.
Normal web browsing: timestamps must increment.
Copying files from external source: timestamps don't increment.

Huh? How are they proposing that these files were copied on to this computer where the timestamps are not incremented?
 
Logic is not part of the equation. The defense postulated a conspiracy and gosh dern it, that's what it must be. The flames of paranoia got fanned and the fire spread. No one is proposing or even explaining how this (file planting) was all accomplished because they can't. To those who believe the tampering conspiracy it doesn't matter if it was done; the suggestion of it is good enough to take to the bank.

Your explanation and recreation is dismissed without further consideration because it doesn't jibe with the conspiracy.
 
I've been thinking about this lately, since it looks like another trial will be coming up. I did some research on the proof of tampering claims made by various sources. Here's what I found.

Timestamps are equal down to the millisecond
Kurtz says “There’s no way possible to have the same first-time-created and last-accessed timestamp down to the microsecond. That’s the difference between artifact and artwork. That’s artwork.” This is entirely untrue. When a file is created, all the timestamps are set to exactly the same time, every time. In fact, when modify time is equal to create time, it is an indication that the file is original, and not copied from another location.
Source: http://www.csis.hku.hk/cisc/forensics/papers/RuleOfTime.pdf

Attempted Access found in CS Agent Logs
Logs from the CS Agent showed inbound TCP connections that were rejected. Claims have been made that this is someone attempting to break in to the laptop. The testimony of Agent Chappell reveals these attempts were to port 445, which is used for SMB file sharing. If you google search "inbound tcp connection port 445" you'll get millions of hits. This is a very common thing. This can be a friendly user, scanning for computers nearby to share files. Or, an infected device with a worm. In either case, CSAgent blocked the connection. In no case is this an indication of a hacker singling out one laptop trying to plant evidence.
Source: http://www.linklogger.com/TCP445.htm

Order of MFT Entries
One way digital forensic analysts find evidence of timestamp tampering is by looking at the order of entries of the MFT. If 100 files are created, we will expect to see them in order in the MFT. If someone adds 100 more files and then changes the timestamps to predate the first batch, it will look suspicious as the older dated files come after the newer dated files. Agent Chappell testified that the MFT was in order and that was how he ruled out tampering. If the search files were installed on the computer later with forged timestamps, then thousands of entries in the MFT would need to be moved to maintain the order.
Source: https://blogs.sans.org/computer-for...rensics-and-Incident-Response-Poster-2012.pdf

All Internet History Files were modified
The Internet history files on Brad's computer were modified at a time when he was out of the house. The claim is that this is evidence of tampering. There is a simple explanation however.
Internet explorer keeps a set of history files. There are daily files, weekly files, and monthly files. Periodically, the daily files are swept into a weekly file, and weekly files are swept into monthly files. It is very normal for Internet history files to be modified.
Source: http://www.forensicswiki.org/wiki/Internet_Explorer_History_File_Format

No Cookie for the search
Google stores a number of cookies on your computer when you use it. There's one for ad tracking, one for preferences, one for account information, and so on. There is not one per search; it is one per user for each purpose. The cookies are updated by Google when web pages are used in certain ways. If a cookie is deleted, you get a new one next time you go to Google.

In 2008, apparently, Google had 9 different cookies for different purposes.
If someone were to open a browser and look for Google cookies, if one of them is missing then one of two things must be true: Either this browser has never been to the Google site before or a cookie was deleted. Certainly Brad had used Google before. Therefore, proof positive that a Google cookie was deleted. Proof positive that someone tried to destroy or hide digital evidence on the laptop. (Or was running in private browsing mode which deletes cookies.) The missing cookie is proof that Brad tried to cover his tracks. It is not proof that 592 files were "dropped" on the laptop.
Source: https://www.google.com/policies/technologies/types/

So, much of the information about the file tampering in this case is in fact misinformation. Kurtz did an amazing job creating the appearance of tearing down the technical witnesses on the stand, but the theories do not hold water. The new defense attorneys won't be able to repeat this performance.
 
MacD - You continue to try to explain away all of the issues associated with the alleged Google search, but you aren't giving an accurate picture of the evidence. You're one-siding it, like the prosecutors did with so many things throughout trial. Brad didn't do a search of Fielding Drive and the new defense team will be perfectly capable of showing that at a new trial.

Again, you are suggesting private browsing to explain why there's a missing cookie. That is flat out false. Agent Johnson testified that he looked for evidence of private browsing and there wasn't any. And there is no "deleted" cookie. Again, the forensic examiners can detect the presence of a deleted cookie. Johnson testified that he did look for one and there wasn't one.

Regarding the ability to detect the presence of files that don't belong based on sequence - that is false too. (Agent Chappell cross examination)

Q: You go on in your report to talk about how a master file table of a computer would show if something was out of order.

A: There could be signs that would indicate that, yes sir.

Q: In fact, Microsoft Windows does not work in a sequential file system, does it?

A: No, it doesn't.

Q: It works in a parent file with sub folders?

A: Well, I think there's an element of it, yes sir.

Q: And so it -- it's not like things are numbered one to a hundred thousand?

A: There's not like there's an inode, like in a UNIX file system, no, sir.

Q: So something that is moved from number 70 to number 30 is not necessarily going to be reflected as having been moved that way?

A: Well, the master file table, their entries can be reused. When it gets reused, it gets a sequence number that gets incremented. So if I see something that has a sequence number that's 65,000, I can conclude that's been reused a number of times.

Q: But you can't necessarily determine if a particular file has been moved within the master file table unless it happens to be placed in a strange location like that.

A: Just by looking at the master file table, no sir.

End

You also mentioned elsewhere that you are puzzled about the indication that files have been placed on the machine from an external source. It's not the fact that the files haven't incremented. It's the fact that they are all invalid. They aren't recognized so they can't be assigned a valid timestamp. That is often seen when files are placed/planted.

You must really be stressed out to consider that anyone would possibly go to these lengths to frame Brad Cooper so you keep trying to justify all of the anomalies. The truth is that he was framed with this search. It's all here, plain as day. That's why the prosecutors (and the Judge) worked so hard to keep the defense testimony out of the trial. They knew the evidence didn't hold up to scrutiny.

Answer this: Why didn't they take 5 minutes to subpoena Google to verify the time/date and IP address of the search?

Why didn't they take the time to check the Cisco servers?

The fact is they didn't because they knew they could never track the search back to Brad.

They stalled in giving the defense a copy of the hard drive for almost a year and didn't supply it until the Google privacy policy had lapsed, they brought in an FBI affidavit citing national security concerns, they hired the FBI to examine the computer so that they could pull the national security thing. They thwarted the testimony of two defense experts, even going so far as to create clear grounds for appeal, they refused to allow their own expert to share one simple document in court that would answer the question about how the cursor files should behave and then refused to allow him to duplicate it in court - more grounds for appeal. They didn't seek to make the evidence airtight by verifying it, even though that is standard protocol. What is it exactly that you aren't seeing here? It's crystal clear what went on here. They proceeded with their antics knowing full well that it was grounds for appeal. That's how badly they wanted to win.
 
When analyzing the order of an MFT there are three things an investigator can look at:
1) The "slot" that the entry for a file takes which is assigned sequentially until it runs out of slots.
2) The record id, which is a number in each entry which is assigned incrementally (first entry is 0, then 1, then 2).
3) The timestamp (there are 8 of them for each file).

In a typical MFT, all of these will be in the same order.
If they are not in the same order, that is a sign of tampering.
If they are all in the same order, that is an indication of no tampering.

According to Chappell, the MFT was in order, which means that the slots, ids, and timestamps are all in the same order. This means there was no tampering. Everything else that Kurtz brought up in cross examination is a valiant effort at confusing the facts in an attempt to manufacture a doubt.

By the way, an empty slot in an MFT or a missing record number would indicate a file was securely deleted. Perhaps in the next trial, a prosecution expert can look for those and find out how many files were securely deleted. I'll bet a lot.
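The ordering heuristic described in the post above, run over constructed MFT records. This is an added example, not code from any poster or from the case examiners: every record number, sequence number, name and time in it is made up, and it treats a header sequence number of 1 as "slot never reused" (an assumption for the example; NTFS increments that number each time a freed slot is handed out again, as the cross-examination excerpt quoted earlier says). It separates the two things the thread argues about: never-reused slots whose creation time runs backwards as the record number goes up, versus reused slots, where an older-looking neighbour is expected.

```python
"""Check the "MFT in order" heuristic on constructed records.

Each record carries its slot (MFT record number), the sequence number from
the record header (incremented every time the slot is freed and reused), and
the $STANDARD_INFORMATION creation time as a raw FILETIME (100 ns ticks
since 1601-01-01 UTC).  All data below is made up for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def ft(iso_utc: str) -> int:
    """Build a raw FILETIME from an ISO-8601 timestamp taken as UTC (test-data helper)."""
    dt = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


@dataclass(frozen=True)
class MftRecord:
    record_number: int      # slot in the MFT
    sequence_number: int    # 1 = never reused (assumption used by this example)
    si_created: int         # $STANDARD_INFORMATION creation time, raw FILETIME
    name: str


def find_order_anomalies(records, tolerance_s: int = 0):
    """Return (anomalies, reused).

    anomalies: list of (record, earlier_record) for never-reused slots whose
               creation time precedes, by more than tolerance_s seconds, the
               latest creation time seen in a lower never-reused slot.
    reused:    records whose sequence number shows the slot was handed out
               again; their timestamps are not compared because being
               out of order there is normal NTFS behaviour.
    """
    anomalies, reused = [], []
    latest = None
    for rec in sorted(records, key=lambda r: r.record_number):
        if rec.sequence_number > 1:
            reused.append(rec)
            continue
        if latest is not None and rec.si_created < latest.si_created - tolerance_s * TICKS_PER_SECOND:
            anomalies.append((rec, latest))
        if latest is None or rec.si_created > latest.si_created:
            latest = rec
    return anomalies, reused


# Constructed sample: six consecutive slots, one reused, one with a creation
# time that predates the files in the slots before it.
SAMPLE = [
    MftRecord(1000, 1, ft("2008-07-11T13:10:00"), "page1.htm"),
    MftRecord(1001, 1, ft("2008-07-11T13:14:02"), "page2.htm"),
    MftRecord(1002, 3, ft("2008-07-11T13:14:02"), "cursor.bmp"),     # reused slot
    MftRecord(1003, 1, ft("2008-07-11T13:14:05"), "tile.png"),
    MftRecord(1004, 1, ft("2008-07-09T09:00:00"), "older.txt"),      # dated before slot 1003
    MftRecord(1005, 1, ft("2008-07-11T13:16:00"), "page3.htm"),
]


if __name__ == "__main__":
    found, reused = find_order_anomalies(SAMPLE)
    for rec, earlier in found:
        print(f"slot {rec.record_number} ({rec.name}) is dated before "
              f"slot {earlier.record_number} ({earlier.name})")
    for rec in reused:
        print(f"slot {rec.record_number} ({rec.name}) reused {rec.sequence_number - 1} time(s); not compared")
```

Note what the check does and does not establish: it flags one specific pattern (a fresh slot carrying a creation time older than the fresh slots before it), so a clean result means only that this pattern is absent. Reused slots are reported rather than judged, because a freed slot reallocated to a new file legitimately breaks the slot/time correspondence.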
 
In a typical MFT, all of these will be in the same order.
If they are not in the same order, that is a sign of tampering.
If they are all in the same order, that is an indication of no tampering.

I am not claiming to be an expert on MFTs, but I think this is a logical error. IF NOT A THEN B does not automatically mean IF A THEN NOT B.
 