April 22 weekend of Sleuthiness

According to Det. D's testimony, there were two times when Brad mentioned sports of a specific color. The first was the one you are describing when asked what she might have been wearing and the second was when Brad said something about a red and black sports bra and just stopped after saying that. MOO

IIRC, the time that piqued the interest of the detectives was when they told Brad about finding a body, but it wasn't identified yet. Again, IIRC, that was when the red & black description came out, and then he clammed up. That's the way I remember it anyway. MOO
 
Sorry to be dense, but it's hard for a non-gearhead to get all this stuff. Three failed attempts means nobody did get in remotely? So the data would have had to be manipulated from someone sitting right there at the computer?
 
Okay, I posted an article last night or the night before about timestamps...

http://www.forensickb.com/2009/02/detecting-timestamp-changing-utlities.html

This was about detecting the utilities that change timestamps, but it does reference a few other ways they can change and be incorrect in the MFT:

"There are undocumented circumstances as to when the timestamps in the FNA are changed; the most notable one is renaming a file. "

Here is another link with a description as to how to change timestamps without a utility tool:



http://securitybraindump.blogspot.com/2010/04/tampering-with-master-file-table.html
 
I had 3 rules for my daughters when they were getting married:
1. You may not marry anyone with the last name "Peterson"
2. You may not move to North Carolina
3. You may not honeymoon in Aruba

So far, so good!

Good rules, I'm thinking you might want to think about adding 'don't marry anybody named Brad'. Look back at the old 'Brad Bishop' murders, bodies found in N.C. too.
 
Here is one of the reasons people, in my opinion, rightfully question LE. You may agree with the LEO here, but I am not sure how you can. This is not specific to the Cooper case, but relates to why, especially after the erasing of the BlackBerry, and the unasked opinions on the stand by LEO in the Cooper case, that people may question some of the tactics or lack of tactics in the CPD.

http://www.lvrj.com/news/exclusive-...-on-tape-120509439.html?viewAllComments=y&c=y

This is one of the examples of why people question LE. Just in North Carolina, we have examples of this distrust not only in LE but in the judicial system. Then when you add in past inaccurate testing by the FBI and questions regarding blood analysis reporting during the 1990's and early 2000's, one can definitely see why it is good to question LE. In high profile cases, defense usually requires higher accountability of both LE and forensic evidence. Again this is MOO. I think it is very important for the defense to get their computer forensic expert on the stand to interpret the data. Hopefully, that will clarify for all of us exactly what is going on with the google map time stamp and files. AGAIN IMO
 
Was it three network intrusions? Or three attempts? He had the password, so if it was three intrusions, why couldn't he have gone in there three times?

If it was three attempts, if you look at the article I just referenced, the changed timestamps without a utility requires you actually manually change the system time, which would create an admin alert of compromised system...

Does any of this make sense?

I think I am confusing myself.
 
It was three failed attempts. And I agree, he knew the password to get into the machine, so I wouldn't expect any failures, or at least not more than 1 if it was him.

And there's no way to pinpoint where an attempt is coming from?

From Ward's testimony:
K-Referring to W's report, p. 339--TCP port 445 opens up over physical wire. On 7/15, denied by CISCO security agent (CSA). What time? Is time on local machine alterable?
W-Yes. This action/event happened 3 times in a row. Within milliseconds.
K-Would this indicate typing?
W-No, an automated program--all you have to do is indicate a target address/computer and the program does the rest.
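
The reasoning in the testimony above (three denials on TCP port 445 within milliseconds point to a program rather than typing) can be checked mechanically. The following is an added example, not part of the original thread or the case record: the log format, the addresses (documentation range 192.0.2.0/24), the dates and the 50 ms threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, action, destination port, source address.
SAMPLE_LOG = """\
2000-01-01T14:02:11.104 DENY 445 192.0.2.23
2000-01-01T14:02:11.109 DENY 445 192.0.2.23
2000-01-01T14:02:11.113 DENY 445 192.0.2.23
2000-01-01T14:05:40.000 DENY 445 192.0.2.57
2000-01-01T14:05:47.500 DENY 445 192.0.2.57
2000-01-01T14:05:58.250 DENY 445 192.0.2.57
"""

def parse_events(text):
    """Turn each non-empty log line into (timestamp, action, port, source)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, action, port, src = line.split()
            events.append((datetime.fromisoformat(ts), action, int(port), src))
    return events

def find_bursts(events, port=445, max_gap=timedelta(milliseconds=50), min_count=3):
    """Return (source, count, span) for runs of denials spaced closer than
    max_gap. The threshold is an assumption: no person retries that fast.
    A wrong clock setting shifts every timestamp equally, so the gaps stay
    comparable as long as the clock was not changed between the events."""
    by_src = defaultdict(list)
    for ts, action, dport, src in events:
        if action == "DENY" and dport == port:
            by_src[src].append(ts)
    bursts = []
    for src, times in by_src.items():
        times.sort()
        run = [times[0]]
        for t in times[1:]:
            if t - run[-1] <= max_gap:
                run.append(t)
                continue
            if len(run) >= min_count:
                bursts.append((src, len(run), run[-1] - run[0]))
            run = [t]
        if len(run) >= min_count:
            bursts.append((src, len(run), run[-1] - run[0]))
    return bursts

if __name__ == "__main__":
    for src, count, span in find_bursts(parse_events(SAMPLE_LOG)):
        print(f"{src}: {count} denials in {span.total_seconds() * 1000:.0f} ms")
```

Only the first source is flagged; the second source's three denials are seconds apart, which is consistent with manual retries.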
 
An Easter reminder: I recommend the hot cross buns when you make your next HT trip. I think I get some extra packs and put them in the freezer with the Moravian sugar cake.

In order to dream about this case, you first have to quit posting in the middle of the night. Many of us appear in need of an intervention, but please not until after this trial.

unc70, are you Moravian, perchance, or do you just love sugar cake?
 
No, Methodist --- Methodists do have a strong historical connection with Moravians. I also spent a summer long ago on the Salem College campus.

I do love the sugar cake. Who wouldn't?
 
I went to school at Wake Forest in Winston-Salem and became quite hooked on Moravian sugar cake and cookies. Dewey's has been around a long time.
 
Okay, take this with a grain of salt, but here is MOO:

This timestamp and intrusion is all smoke and mirrors.

http://www.bizforum.org/whitepapers/cisco-6.htm

Port 445 is for file sharing amongst. If you are trying to file share on a local network, away from Cisco, they may not be able to stop the actual intrusion into the network; however, the Cisco Security Agent will prevent the actual file sharing over that port. So it is possible that BC took a home PC, or who knows what on his local connection, because he would be unable to use the Cisco connection without a Cisco computer and the CSA software, but because he allowed file sharing, and his computer COULD use the local network, there was still no way to share the files over the LAN because the CSA would prevent that. So it could appear that someone "hacked" into the system, yet were denied the file sharing over port 445. I would need more info on the time stamp inconsistencies, and how it could relate to this, but it seems Brad was trying to move that file to a different computer.

So, what are your thoughts techies?
 
It's way over my head but I hope somebody will break it apart and explain it. My lack of a technical background makes much of this trial hard for me to understand and follow. That's why I love you guys who take something like this and break it down for those of us who don't get it.
 
It's over my head as well, which is why I just scribble it all down as quickly as possible. I would love for the techies to weigh in. :)
 
If I remember correctly, the times of those attempts were after the computer was in CPD custody, along with the house and other computers. I recall that Brad is accounted for this entire time and could not have been the one breaking in via wireless or otherwise.

IMNSHO
 
I am not really following what you are saying. Are you saying BC was trying to move some sort of file off his laptop from a computer on his own LAN?
 
It is sort of like trying to solve an equation when you are given several different equations with several different variables but you aren't told which ones go with which problem.

These 3 attempts were within milliseconds of each other. That sounds like an automated program. If this was the testimony they talked about with JW where they also had that 10. address, that would sound like something coming over automatically on the Cisco network, not the Time Warner home network.

The best course of action is to make it very simple for the jurors and put it into simple language. The problem is that delving into the underlying files of a computer definitely does not lend itself to any simple explanation and it's easy to "make a point that isn't really a point". I know that when JW was testifying, at least twice he made mention of how simple it was to do what he was doing. No special skills necessary. And then he started using the "alphabet soup" of terms and words that just aren't familiar to everyday people. It reminds me of times I would try to explain something to my husband that I considered very simple. I would finish my explanation and he would look at me and say, "I have no idea what you just said".

My bottom line assessment and this is without being in the courtroom and not even hearing all of the testimony that has been broadcast: I believe Brad did that search and it was found on his computer. I believe the defense will try to confuse the issue to the point where they will (in their hopes) get reasonable doubt out of at least one juror and obviously hopefully more jurors. If they can get the jurors to believe that the state side would do something so unbelievably devious, they can try to get them to look with suspicion on the entire case presented by the state. MOO
 
One more bit of testimony I'd love to hear from the techies on, from Ward's direct:
K- You heard Det. Chappell's testimony yesterday, with regard to cursors.
W-Yes.
K-Are all the date stamps with the open hand cursor the same?
W-Yes.
K-Are all the closed hand cursor time stamps the same?
W-Yes.
Z-Objection! Sustained by G.
K-What do files that are created and modified at the same time mean?
W-Either the content is static or it is not a valid file--in other words a manufactured file.
K-Is the opposite of static dynamic?
W-Yes.
K-With dynamic content, what would you expect to see w/regard to timestamps?
K-How could all time stamps be the same?
W-Only if you didn't interact with the page.
K-Are you able to tell if these files were interacted with?
Z-Objection! Sustained by G

Okay, techies--what are your thoughts? TIA

ETA-I really do think I understood this testimony. I just want to know what the real tech gurus came away with. :)
 
By chance another Gov's School East Alum?

Kelly
 