Websleuths News

  1. #31
    Join Date
    May 2010
    Raleigh NC
    Quote Originally Posted by macd View Post
    Yep. And all of those sites visited would have left cookies. But, no cookies were found for that day. All of the cookies must be missing for the same reason. Private Browsing makes the most sense to me. "Planting of the google search" to explain the missing Google cookie, and "uh, i dunno" to explain the missing cookies for Hilton and Citi doesn't fly as a cogent theory.


    'nuff said.

    All posts, unless attributed, are "just my humble opinion," and they are to remain here in Websleuths and are not to be used elsewhere. Thank you.

  2. #32
    Join Date
    Jul 2008
    This is a recent post to the Free Brad Cooper Facebook Page
    One of the most important parts of the trial was blacked out - Agent Johnson's testimony when the defense questioned him about the timestamps found on Brad's computer. The creation and modification dates were identical, which is logically impossible in a dynamic search with clicking and zooming in Google Maps.

    The State's experts (Johnson and Chappell) actually duplicated the search with a clean install of Vista (the same OS that Brad had on his computer). The results, including the timestamps that resulted when the search was duplicated were never shared with the defense due to "national security". There is in fact a screen shot showing one section of the timestamps that were produced in this duplicated search.

    The defense tried so hard to have this revealed at trial - the fact that the timestamps will always increment when the mouse is moved and clicked across the map. They even requested that Johnson duplicate the search in court on ANY computer in the courtroom. The defense even offered the use of a Vista computer. The judge refused to allow him. This of course would have proven that the files were planted conclusively. Timestamps that don't increment is a clear sign that they were placed on the machine.

    Prosecutors are supposed to seek the truth, not hide it to "win" a conviction. The judge allowed them to hide the facts that could have proven that Brad was indeed framed.
    I've shown how using Microsoft's InPrivate browsing yields timestamps that match what was found on Brad's computer.

    What baffles me is their disjointed logic.
    Normal web browsing: timestamps must increment.
    Copying files from an external source: timestamps don't increment.

    Huh? How are they proposing that these files were copied on to this computer where the timestamps are not incremented?

  3. #33
    Madeleine74: Of course it's my opinion; who else's would it be?
    Join Date
    Apr 2011
    Logic is not part of the equation. The defense postulated a conspiracy and gosh dern it, that's what it must be. The flames of paranoia got fanned and the fire spread. No one is proposing or even explaining how this (file planting) was all accomplished because they can't. To those who believe the tampering conspiracy it doesn't matter if it was done; the suggestion of it is good enough to take to the bank.

    Your explanation and recreation is dismissed without further consideration because it doesn't jibe with the conspiracy.

  4. #34
    Join Date
    Jul 2008
    I've been thinking about this lately, since it looks like another trial will be coming up. I did some research on the proof of tampering claims made by various sources. Here's what I found.

    Timestamps are equal down to the millisecond
    Kurtz says “There’s no way possible to have the same first-time-created and last-accessed timestamp down to the microsecond. That’s the difference between artifact and artwork. That’s artwork.” This is entirely untrue. When a file is created, all the timestamps are set to exactly the same time, every time. In fact, when modify time is equal to create time, it is an indication that the file is original, and not copied from another location.
    Source: http://www.csis.hku.hk/cisc/forensic...RuleOfTime.pdf

    Attempted Access found in CS Agent Logs
    Logs from the CS Agent showed inbound TCP connections that were rejected. Claims have been made that this is someone attempting to break into the laptop. The testimony of Agent Chappell reveals these attempts were to port 445, which is used for SMB file sharing. If you Google search "inbound tcp connection port 445" you'll get millions of hits. This is a very common thing. This can be a friendly user scanning for computers nearby to share files, or an infected device with a worm. In either case, CSAgent blocked the connection. In no case is this an indication of a hacker singling out one laptop trying to plant evidence.
    Source: http://www.linklogger.com/TCP445.htm

    Order of MFT Entries
    One way digital forensic analysts find evidence of timestamp tampering is by looking at the order of entries in the MFT. If 100 files are created, we will expect to see them in order in the MFT. If someone adds 100 more files and then changes the timestamps to predate the first batch, it will look suspicious as the older-dated files come after the newer-dated files. Agent Chappell testified that the MFT was in order and that was how he ruled out tampering. If the search files were installed on the computer later with forged timestamps, then thousands of entries in the MFT would need to be moved to maintain the order.
    Source: https://blogs.sans.org/computer-fore...oster-2012.pdf

    All Internet History Files were modified
    The Internet history files on Brad's computer were modified at a time when he was out of the house. The claim is that this is evidence of tampering. There is a simple explanation however.
    Internet Explorer keeps a set of history files. There are daily files, weekly files, and monthly files. Periodically, the daily files are swept into a weekly file, and weekly files are swept into monthly files. It is very normal for Internet history files to be modified.
    Source: http://www.forensicswiki.org/wiki/In...ry_File_Format

    No Cookie for the search
    Google stores a number of cookies on your computer when you use it. There's one for ad tracking, one for preferences, one for account information, and so on. There is not one per search; it is one per user for each purpose. The cookies are updated by Google when web pages are used in certain ways. If a cookie is deleted, you get a new one next time you go to Google.

    In 2008, apparently, Google had 9 different cookies for different purposes.
    If someone were to open a browser and look for Google cookies and one of them is missing, then one of two things must be true: either this browser has never been to the Google site before or a cookie was deleted. Certainly Brad had used Google before. Therefore, proof positive that a Google cookie was deleted. Proof positive that someone tried to destroy or hide digital evidence on the laptop. (Or was running in private browsing mode, which deletes cookies.) The missing cookie is proof that Brad tried to cover his tracks. It is not proof that 592 files were "dropped" on the laptop.
    Source: https://www.google.com/policies/technologies/types/

    So, much of the information about the file tampering in this case is in fact misinformation. Kurtz did an amazing job creating the appearance of tearing down the technical witnesses on the stand, but the theories do not hold water. The new defense attorneys won't be able to repeat this performance.
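    The port 445 point above is the kind of thing a practitioner would check rather than argue about. Below is an added example, not from the thread and not Cisco Security Agent's own tooling, that parses rejected inbound connections out of a host-based log and separates SMB-only background noise from a source that is actually probing this one machine. The log lines, their layout, and the host address 192.168.1.10 are constructed for the example; they are not the real CSA log format or the case's data.

```python
"""Triage of rejected inbound TCP connections from a host-based agent log.

Added example, not from the thread or from Cisco Security Agent. The lines in
SAMPLE_LOG and their field layout are constructed; the real CSA format differs.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Constructed sample: three SMB knocks from one neighbour, one from another,
# an outbound web connection, and a burst from a host trying several services.
SAMPLE_LOG = """\
2008-07-12 03:14:07 DENY TCP 192.168.1.33:1045 -> 192.168.1.10:445
2008-07-12 03:14:08 DENY TCP 192.168.1.33:1046 -> 192.168.1.10:445
2008-07-12 03:14:09 DENY TCP 192.168.1.33:1047 -> 192.168.1.10:445
2008-07-12 11:02:51 DENY TCP 192.168.1.50:3311 -> 192.168.1.10:445
2008-07-12 11:05:13 ALLOW TCP 192.168.1.10:2210 -> 74.125.45.100:80
2008-07-13 02:40:00 DENY TCP 10.0.0.7:50001 -> 192.168.1.10:445
2008-07-13 02:40:00 DENY TCP 10.0.0.7:50002 -> 192.168.1.10:139
2008-07-13 02:40:01 DENY TCP 10.0.0.7:50003 -> 192.168.1.10:3389
2008-07-13 02:40:01 DENY TCP 10.0.0.7:50004 -> 192.168.1.10:22
2008-07-13 02:40:02 DENY TCP 10.0.0.7:50005 -> 192.168.1.10:135
"""

HOST_IP = "192.168.1.10"   # the machine whose agent wrote the log (assumed)
SMB_PORTS = {139, 445}


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "action": d["action"], "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]),
        })
    return events


def inbound_rejects(events):
    """Only connections aimed at this host and refused by the agent are relevant."""
    return [e for e in events if e["dst"] == HOST_IP and e["action"] == "DENY"]


def summarize(events):
    """Per source address: how many rejects, which destination ports, and the time window."""
    per_src = defaultdict(lambda: {"count": 0, "ports": set(), "first": None, "last": None})
    for e in inbound_rejects(events):
        s = per_src[e["src"]]
        s["count"] += 1
        s["ports"].add(e["dport"])
        s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
        s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])
    return dict(per_src)


def triage(per_src, sweep_threshold=4):
    """SMB-only hits are the background noise the post describes (share browsing,
    or a worm knocking on every address it can reach). A source that tries several
    unrelated services within seconds is sweeping this host and deserves correlation
    with whatever else happened in that window."""
    verdicts = {}
    for src, s in per_src.items():
        if len(s["ports"]) >= sweep_threshold:
            verdicts[src] = "port-sweep"
        elif s["ports"] <= SMB_PORTS:
            verdicts[src] = "smb-noise"
        else:
            verdicts[src] = "other"
    return verdicts


if __name__ == "__main__":
    per_src = summarize(parse_log(SAMPLE_LOG))
    for src, verdict in triage(per_src).items():
        s = per_src[src]
        print(f"{src:14} {verdict:10} {s['count']} rejects, ports {sorted(s['ports'])}, "
              f"{s['first']} .. {s['last']}")
```

Two limits worth keeping in mind when reading the output: a DENY means the handshake never completed, so nothing was written to the host over that connection, and a host-only log cannot show whether the same source also hit every other address on the subnet, which is the observation that would settle "worm" versus "targeted". That question needs a network-side view.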

  5. #35
    Join Date
    Mar 2011
    Wake Forest, NC
    MacD - You continue to try to explain away all of the issues associated with the alleged Google search, but you aren't giving an accurate picture of the evidence. You're one-siding it, like the prosecutors did with so many things throughout trial. Brad didn't do a search of Fielding Drive and the new defense team will be perfectly capable of showing that at a new trial.

    Again, you are suggesting private browsing to explain why there's a missing cookie. That is flat out false. Agent Johnson testified that he looked for evidence of private browsing and there wasn't any. And there is no "deleted" cookie. Again, the forensic examiners can detect the presence of a deleted cookie. Johnson testified that he did look for one and there wasn't one.

    Regarding the ability to detect the presence of files that don't belong based on sequence - that is false too. (Agent Chappell cross examination)

    Q: You go on in your report to talk about how a master file table of a computer would show if something was out of order.

    A: There could be signs that would indicate that, yes sir.

    Q: In fact, Microsoft Windows does not work in a sequential file system, does it?

    A: No, it doesn't.

    Q: It works in a parent file with sub folders?

    A: Well, I think there's an element of it, yes sir.

    Q: And so it -- it's not like things are numbered one to a hundred thousand?

    A: There's not like there's an I-note, like in a UNIX file system, no, sir.

    Q: So something that is moved from number 70 to number 30 is not necessarily going to be reflected as having been moved that way?

    A: Well, the master file table, their entries can be reused. When it gets reused, it gets a sequence number that gets incremented. So if I see something that has a sequence number that's 65,000, I can conclude that's been reused a number of times.

    Q: But you can't necessarily determine if a particular file has been moved within the master file table unless it happens to be placed in a strange location like that.

    A: Just by looking at the master file table, no sir.


    You also mentioned elsewhere that you are puzzled about the indication that files have been placed on the machine from an external source. It's not the fact that the files haven't incremented. It's the fact that they are all invalid. They aren't recognized so they can't be assigned a valid timestamp. That is often seen when files are placed/planted.

    You must really be stressed out to consider that anyone would possibly go to these lengths to frame Brad Cooper so you keep trying to justify all of the anomalies. The truth is that he was framed with this search. It's all here, plain as day. That's why the prosecutors (and the Judge) worked so hard to keep the defense testimony out of the trial. They knew the evidence didn't hold up to scrutiny.

    Answer this: Why didn't they take 5 minutes to subpoena Google to verify the time/date and IP address of the search?

    Why didn't they take the time to check the Cisco servers?

    The fact is they didn't because they knew they could never track the search back to Brad.

    They stalled in giving the defense a copy of the hard drive for almost a year and didn't supply it until the Google privacy policy had lapsed, they brought in an FBI affidavit citing national security concerns, they hired the FBI to examine the computer so that they could pull the national security thing. They thwarted the testimony of two defense experts, even going so far as to create clear grounds for appeal, they refused to allow their own expert to share one simple document in court that would answer the question about how the cursor files should behave and then refused to allow him to duplicate it in court - more grounds for appeal. They didn't seek to make the evidence airtight by verifying it, even though that is standard protocol. What is it exactly that you aren't seeing here? It's crystal clear what went on here. They proceeded with their antics knowing full well that it was grounds for appeal. That's how badly they wanted to win.

  6. #36
    Join Date
    Jul 2008
    When analyzing the order of an MFT there are three things an investigator can look at:
    1) The "slot" that the entry for a file takes which is assigned sequentially until it runs out of slots.
    2) The record id, which is a number in each entry which is assigned incrementally (first entry is 0, then 1, then 2).
    3) The timestamp (there are 8 of them for each file).

    In a typical MFT, all of these will be in the same order.
    If they are not in the same order, that is a sign of tampering.
    If they are all in the same order, that is an indication of no tampering.

    According to Chappell, the MFT was in order, which means that the slots, ids, and timestamps are all in the same order. This means there was no tampering. Everything else that Kurtz brought up in cross examination is a valiant effort at confusing the facts in an attempt to manufacture a doubt.

    By the way, an empty slot in an MFT or a missing record number would indicate a file was securely deleted. Perhaps in the next trial, a prosecution expert can look for those and find out how many files were securely deleted. I'll bet a lot.

  7. #37
    Join Date
    Apr 2011
    Quote Originally Posted by macd View Post
    In a typical MFT, all of these will be in the same order.
    If they are not in the same order, that is a sign of tampering.
    If they are all in the same order, that is an indication of no tampering.
    I am not claiming to be an expert on MFTs, but I think this is a logical error. IF NOT A THEN B does not automatically mean IF A THEN NOT B.
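The MFT-ordering signals listed in post #36, the created-equals-modified rule from post #34, and the logical caveat in post #37 can all be exercised on paper. The block below is an added example, not from the thread and not from any forensic tool named in it. It works over a deliberately simplified record layout: a real $MFT entry carries a record number, a sequence number and two sets of MACB timestamps, while these records keep only the record number, the sequence number, the $STANDARD_INFORMATION created and modified times, and the $FILE_NAME created time. The convention that a never-reused slot has seq_no == 1, and all of the records in SAMPLE, are assumptions of the example.

```python
"""Consistency checks over simplified MFT-style records.

Added example, not from the thread or from any tool it names. Record layout,
the seq_no == 1 convention for a first-use slot, and all sample records are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)
UNIX_EPOCH = datetime(1970, 1, 1)


def to_filetime(dt: datetime) -> int:
    """NTFS stores every timestamp as 100 ns ticks since 1601-01-01. Two stamps
    written by the same create call agree down to that resolution, which is why
    identical created/modified values are the normal case, not an anomaly."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


@dataclass(frozen=True)
class MftRecord:
    record_no: int         # slot in the table, handed out roughly in allocation order
    seq_no: int            # bumped each time the slot is reused for a new file
    name: str
    si_created: datetime   # $STANDARD_INFORMATION creation time (what most tools display)
    si_modified: datetime  # $STANDARD_INFORMATION last-modified time
    fn_created: datetime   # $FILE_NAME creation time (rarely touched by timestomping tools)


def classify_timestamps(r: MftRecord) -> str:
    """The 'rule of time' argument from post #34, plus the $SI/$FN cross-check."""
    if r.si_created < r.fn_created:
        return "suspicious"           # $SI pushed back below $FN: the usual timestomp signature
    if r.si_modified < r.si_created:
        return "copied"               # a copy gets a fresh creation time but keeps the source mtime
    if r.si_modified == r.si_created:
        return "original-untouched"   # both stamps written by the same create call
    return "original-edited"


def check_mft_order(records, tolerance=timedelta(0)):
    """Flag first-use slots whose creation time runs backwards against record number.
    Reused slots (seq_no > 1) are skipped: their number says nothing about when the
    current occupant was created, which is the point Chappell conceded on cross."""
    findings = []
    high_water = None
    for r in sorted(records, key=lambda x: x.record_no):
        if r.seq_no > 1:
            continue
        if high_water is not None and r.fn_created + tolerance < high_water:
            findings.append((r.record_no, r.name))
        elif high_water is None or r.fn_created > high_water:
            high_water = r.fn_created
    return findings


def analyze(records):
    return {r.name: classify_timestamps(r) for r in records}, check_mft_order(records)


# Constructed records; times are minutes relative to an arbitrary T0.
T0 = datetime(2008, 7, 11, 9, 0, 0)
def at(minutes): return T0 + timedelta(minutes=minutes)

SAMPLE = [
    MftRecord(100, 1, "report.docx", at(0), at(0), at(0)),         # created, never written again
    MftRecord(101, 1, "notes.txt", at(5), at(30), at(5)),          # created, edited later
    MftRecord(102, 1, "photo.jpg", at(40), at(-600), at(40)),      # copied in; mtime predates creation
    MftRecord(103, 3, "tmp.dat", at(20), at(20), at(20)),          # reused slot, excluded from ordering
    MftRecord(104, 1, "old.log", at(-120), at(-120), at(-120)),    # first-use slot dated before lower slots
    MftRecord(105, 1, "stomped.exe", at(-300), at(-300), at(60)),  # $SI pushed back, $FN left alone
]

# Post #37's caveat: a record dropped in with timestamps chosen to fit passes both checks,
# so an in-order MFT is consistent with no tampering but does not prove it.
PLANTED_BUT_CONSISTENT = MftRecord(106, 1, "planted.txt", at(70), at(70), at(70))

if __name__ == "__main__":
    labels, findings = analyze(SAMPLE + [PLANTED_BUT_CONSISTENT])
    for name, label in labels.items():
        print(f"{name:14} {label}")
    print("out-of-order first-use slots:", findings)
```

Running it labels report.docx and the planted record identically, flags photo.jpg as a copy, catches stomped.exe only because $FN was left alone, and reports old.log as the one first-use slot whose date runs backwards. The last two functions are what the ordering argument in this thread actually relies on; the planted record is the reason the argument is evidence, not proof.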
