State v. Bradley Cooper 4-29-2011

[oenophile]

http://www.newsobserver.com/2011/04/29/1164010/coopers-defense-rests-but-more.html

After the jurors went home for the weekend, the judge agreed to let a Cisco security investigator return to the stand in the prosecutor's rebuttal case to talk about a router the defendant checked out from the company.

Chris Fry testified outside the presence of the jury that his examination of computer evidence the prosecution gave him as part of their effort to challenge testimony about the computers introduced by the defense. During that examination, Fry hit on information showing that Brad Cooper had used a router on July 11, 2008.

Prosecutors have argued that Brad Cooper used a router to send a phone call from his home phone to his cell to make it look like Nancy Cooper was alive shortly before 7 a.m. on the day investigators say she was killed.

Investigators never found that router.

Fry said he found evidence that Cooper had checked out two routers from Cisco and only one had been returned.

That account is inaccurate. It has already been entered into testimony that Cisco does not have an inventory control mechanism to "check out" routers.

 

[LyndyLoo]

so is this cisco guy going to testify as an expert again?

Dont know if Cisco Rep even needs to be an expert..except as a Cisco person of records..as I think these are logs or records in their perview..Not someone who interprets....What the records show is what the records show..JUST like the phone records (ATT&T) of time, date, length of call where it came from and went to..Ya dont have to be an expert to look or testify to that!!!

ETA~~ Internet connection tho different is really no different than phone calls..in the end

 

[macd]

Earlier posts in this thread referred to some mention of VPN being somehow involved. I'm not sure how or why it would have come in to play in spoofing a call, but evidently it was brought up somehow. That would mean that the router would need an Internet connection as well.

I'm assuming that VPN was not involved, and that early mention of it was in error. All the words I heard in court today (duplicate MAC address, system log), before the feed was cut, made it sound like nothing to do with VPN. We'll find out for sure next week.

 

[SleuthinNC]

LMAO, how can anyone "used" to work for a brewery, weren't the fringe benefits worth sticking around.

We used to work together BEFORE they opened the brewery.

 

[SleuthSayer]

Dont know if Cisco Rep even needs to be an expert..except as a Cisco person of records..as I think these are logs or records in their perview..Not someone who interprets....What the records show is what the records show..JUST like the phone records (ATT&T) of time, date, length of call where it came from and went to..Ya dont have to be an expert to look or testify to that!!!

Again, based on what I read in this thread, the prosecution kept making the argument that the defense already had this info too. That would seem to suggest that it was info from the laptop, since AFAIK that is the only device that the defense has any logging information from. If this were some log discovered somewhere within Cisco devices, I don't see how the defense would already have it.

 

[cityslick]

Dont know if Cisco Rep even needs to be an expert..except as a Cisco person of records..as I think these are logs or records in their perview..Not someone who interprets....What the records show is what the records show..JUST like the phone records (ATT&T) of time, date, length of call where it came from and went to..Ya dont have to be an expert to look or testify to that!!!

The last thing I heard before blackout was that the guy was not an expert but the logs were off the IBM Thinkpad. What's going to happen (I assume) is the guy is going to try to give opinion on what he's reading and the defense is going to go bananas with objections because he's not qualified as an expert, from a forensic to security to anything else.

 

[3doglady]

The setup I'm envisioning is his laptop and this router, sitting next to each each other connected only to each other and the home phone line. Both the router and the laptop could have made log entries on themselves. The router was presumably disposed of, so we have no way of knowing what logs are or were on it. Any log on the laptop that BC thought of could have been erased. It seems he might have missed one, we'll find out next week what info is in it. I'm guessing not much, just enough show a specific router was connected locally to the laptop at a certain time.

Thanks for helping me understand. I saw the video of today's session but wasn't clear about it.

 

[SleuthinNC]

I'm assuming that VPN was not involved, and that early mention of it was in error. All the words I heard in court today (duplicate MAC address, system log), before the feed was cut, made it sound like nothing to do with VPN. We'll find out for sure next week.

What Boz said today was that CF found an entry in the windows event log indicating an IP address mismatch and the associated MAC was that of a 3825 router.

 

[3doglady]

Again, based on what I read in this thread, the prosecution kept making the argument that the defense already had this info too. That would seem to suggest that it was info from the laptop, since AFAIK that is the only device that the defense has any logging information from. If this were some log discovered somewhere within Cisco devices, I don't see how the defense would already have it.

It's on video on WRAL now. There is a code on the laptop that shows the router was used. The defense has a copy of everything on the laptop but did not know what the code stood for. Cisco is the only one who could verify the code was for the router.

 

[LyndyLoo]

The last thing I heard before blackout was that the guy was not an expert but the logs were off the IBM Thinkpad. What's going to happen (I assume) is the guy is going to try to give opinion on what he's reading and the defense is going to go bananas with objections because he's not qualified as an expert, from a forensic to security to anything else.

:waitasec::waitasec: We dont know as to just what he will be tesifying to..so maybe best to resverve judgement until after he testifies ..Might be wise other wise many will go off the walls about what he may or may NOT testify to in the courtroom...Only a suggestion as I see some things get so speculated about, that when the dust settles no one realized what is truth or what was speculated as to testimony.....

BTW..Is he to testify on Monday?? Didnt hear about that nor what else was in store for that matter :seeya:

 

[macd]

I know very little about computers so help me out. I thought when this first came up BZ said that Cisco had found one router and one was still missing. Today he said that the laptop event log has codes and Cisco has just verified that one of the laptop codes corresponds to a router that BC used. So have they found the actual router or do they just know that it was accessed by the laptop?

I think the log will show that the laptop connected to the router over a local network, meaning it was in the house. The specific router has not been found, but BC was known to have two in the lab at work and one of those two is missing.

 

[cityslick]

O/T Looks like the Innocence Panel is at it again

http://www.wral.com/news/state/story/9524988/

 

[macd]

Again, based on what I read in this thread, the prosecution kept making the argument that the defense already had this info too. That would seem to suggest that it was info from the laptop, since AFAIK that is the only device that the defense has any logging information from. If this were some log discovered somewhere within Cisco devices, I don't see how the defense would already have it.

No devices located at Cisco are involved. Log is on the laptop hard drive.
I believe the log will show that the laptop was locally connected to a specific router that has not been located. We'll find out next week.

 

[SleuthSayer]

What Boz said today was that CF found an entry in the windows event log indicating an IP address mismatch and the associated MAC was that of a 3825 router.

Well, if that's the case, that is going to be difficult to overcome, unless someone is going to make the absurd claim that while CPD was planting Google search evidence they also planted this Windows event and were lucky enough to guess a MAC address that belonged to a 3825.

 

[macd]

It's on video on WRAL now. There is a code on the laptop that shows the router was used. The defense has a copy of everything on the laptop but did not know what the code stood for. Cisco is the only one who could verify the code was for the router.

Here's a MAC address decoder. Type in a MAC, and get back what brand of device it belongs to.
http://www.coffer.com/mac_find/

Since every MAC for every device needs to be unique, no matter who makes it, vendors have to co-ordinate. It is public information.

Cisco may be able to take it a step farther and match the MAC address to a particular purchase order made a particular person.

 

[ncsu95]

I'm assuming that VPN was not involved, and that early mention of it was in error. All the words I heard in court today (duplicate MAC address, system log), before the feed was cut, made it sound like nothing to do with VPN. We'll find out for sure next week.

Correct. I was questioning if the router was at home or if he accessed one through at Cisco through his VPN connection.

 

[SleuthinNC]

Well, if that's the case, that is going to be difficult to overcome, unless someone is going to make the absurd claim that while CPD was planting Google search evidence they also planted this Windows event and were lucky enough to guess a MAC address that belonged to a 3825.

We shall see. Should be interesting testimony to hear.

 

[ncsu95]

:waitasec::waitasec: We dont know as to just what he will be tesifying to..so maybe best to resverve judgement until after he testifies ..Might be wise other wise many will go off the walls about what he may or may NOT testify to in the courtroom...Only a suggestion as I see some things get so speculated about, that when the dust settles no one realized what is truth or what was speculated as to testimony.....

BTW..Is he to testify on Monday?? Didnt hear about that nor what else was in store for that matter :seeya:

Who and the heck kidnapped LyndyLoo and replaced her with someone I keep agreeing with? :waitasec:

 

[ncsu95]

Here's a MAC address decoder. Type in a MAC, and get back what brand of device it belongs to.
http://www.coffer.com/mac_find/

Since every MAC for every device needs to be unique, no matter who makes it, vendors have to co-ordinate. It is public information.

Cisco may be able to take it a step farther and match the MAC address to a particular purchase order made a particular person.

That link only providers the vendor, not the type of device.

 

[misstibbs]

Here's a MAC address decoder. Type in a MAC, and get back what brand of device it belongs to.
http://www.coffer.com/mac_find/

Since every MAC for every device needs to be unique, no matter who makes it, vendors have to co-ordinate. It is public information.

Cisco may be able to take it a step farther and match the MAC address to a particular purchase order made a particular person.

Exactly...what if the MAC address can be mapped to a serial number for the device and that serial number can be mapped to the purchase order? smoking!