Brad Cooper: Appeal info

Discussion in 'Nancy Cooper' started by jrb0124, May 9, 2011.

Thread Status:
Not open for further replies.
  1. jrb0124

    Since this is a non-DP case, appeal will go to NC Appellate Court (comprised of 15 judges rotated in groups of 3).


    May 4: Notice of Appeal issued at the end of the trial (Kurtz)

    (total time elapsed) next steps:

    (65 days) request for transcripts (court has 65 days to provide these to the defense)

    (100 days) using transcripts and other material, proposed record on appeal is due within 35 days (30 day extension(s) can be granted)

    (121 days) upon completion, pros is served with proposed record and has 21 days to request revisions.

    proposed record includes Q&A/statements re: potential errors (assignments of error) with references to the record/transcript, supporting arguments of unfair prejudice in trial errors which require address and relief.

    if pros and def attorney agree on the record, it becomes a record on appeal and goes to the appellate court. If they don't agree, a judge will take up the issue in conference and decide the content for the record on appeal.

    (151 days) once the record is formalized, defense has 30 days to serve a brief: legal arguments with references and citation, summary of proceedings and evidence.

    (181 days) AG then has 30 days to respond with State's brief/arguments.


    ***Appellate Court then schedules record for consideration.

    (300-400 days?)

    Defense/State may or may not be called to present oral argument. There is no evidence introduced or presented. Appellate Court will determine only if legal errors were committed. Such errors which unfairly prejudiced the defendant may result in relief in the form of (for this case): dismissal of the charges, or a new trial.


    Record will appear here: http://appellate.nccourts.org/dockets.php?court=2, once it's on the Appellate dockets.
     
  3. jrb0124

    I compiled a list of potential legal errors Kurtz may showcase, and will post that from home. When HK indicated in his interview that he feels BC has a good shot at relief I don't think he's shooting from the hip.
     
  4. RaleighNC

    HK's interview with David Crabtree was interesting. He was strong in his conviction (sorry, bad pun) that Brad was framed and innocent.

    I am not sure I agree with that - but - I do agree that judges should have technical consultants (impartial / 3rd party) at their disposal to help understand the items on which they are going to rule.

    For example - is there a listing of "types" of experts? i.e. is it like getting a degree or recognized professional certification? or is it rather fluid and, I for example, with 10 years of dog rescue experience, being a non profit VP, tending to medical care for over 500 dogs, being the intake coordinator for 3 years / 400 dogs and performing the duties of a treasurer could be named a "dog rescue expert" if I sit on the stand and both attorneys agreed that I have expert knowledge?

    I am trying to determine if there's a recognized pool of applicants as a "Computer forensic expert" or that the determination is rather broad and agreed to at that time in court.

    That might be a judicial error - not allowing someone with certain skills - many of which might overlap with another "expert" to testify.
     
  5. sunshine05

  6. Madeleine74

    The appellate judges will no longer look at evidence in the case. They will only consider judicial error and it sounds like that is an uphill battle for any felon, taking up to several years to get the case heard.

    Michael Peterson, convicted in 2003, lost his appeal at the N.C. Court of Appeals in 2006 and lost his appeal at the N.C. Supreme Court in 2007. Because his case involved blood evidence, he is appealing again (after the SBI problems surfaced).

    From conviction to first appeal: 3 yrs
    From conviction to State Supreme Court: 4 years

    I don't know if that's an average timeline or not.
     
  7. jrb0124

    Of the grounds for appeal, there is no doubt the exclusion of GM expert testimony as well as the limit placed on JW's testimony will come into play. There are other grounds, of course. The extracts are from NC evidence code.

    Relevant evidence is "evidence having any tendency to make the existence of any fact that is of consequence to the determination of the action more probable or less probable than it would be without the evidence." N.C.G.S. § 8C-1, Rule 401 (1992).

    "All relevant evidence is admissible" unless it is excluded by some other constitutional or statutory exclusionary rule. N.C.G.S. § 8C-1, Rule 402 (1992).

    Relevant evidence may, however, be excluded "if its probative value is substantially outweighed by the danger of unfair prejudice, confusion of the issues, or misleading the jury, or by considerations of undue delay, waste of time or needless presentation of cumulative evidence." N.C.G.S. § 8C-1, Rule 403 (1992).

    case;

    “The determination of whether relevant evidence should be excluded under Rule 403 is a matter that is left in the sound discretion of the trial court, and the trial court can be reversed only upon a showing of abuse of discretion.”  State v. Hipps, 348 N.C. 377, 405-06, 501 S.E.2d 625, 642 (1998), cert. denied, 525 U.S. 1180, 119 S.Ct. 1119, 143 L.Ed.2d 114 (1999).

    -----------------------------------------------------------------------

    Was the probative value "substantially" outweighed? or was this abuse of discretion?

    Remember, this is evidence of which cross was limited due to "national security" concerns. While that could be a different error assigned altogether, it does speak to both the weight and vulnerability of the evidence.
     
  8. jrb0124

    They will not look at any new evidence. Proffered testimony from expert witnesses excluded by the judge is fair game.

    ETA: that's not the average timeline - enter MP name in the link in the first post you will see (motions/party) why that dragged as long as it did.
     
  9. jrb0124

    I got 56 hits in the Appellate Court opinion database involving Judge Gessner.

    Of those 56 Gessner cases, 12 were either vacated, remanded, reversed or reversed in part.

    So roughly 21% of the Gessner cases appealed and heard have resulted in a finding of legal error, and relief to the petitioner.

    This report on intermediate appellate court outcomes does not include NC, but judging by the region, 10% seems to be the average for cases resulting in relief.

    5 December 2000
    Gessner Reversed and remanded
    "Accordingly, summary judgment was not proper and this case is remanded to the trial court"

    21 May 2002
    Gessner REVERSED
    "The decision of the trial court is reversed and the matter is remanded for a new hearing applying the common law presumption in favor of defendant."

    18 March 2003
    Gessner REVERSED IN PART
    "This evidence is insufficient to support the trial court’s determination..."

    6 May 2003
    Gessner REVERSED IN PART
    "The order of civil contempt is reversed"

    21 October 2003
    Gessner REMANDED IN PART
    "The trial court did not have the authority to modify this contract."

    Gessner vacated and remanded in part
    18 July 2006
    "the trial court exceeded its mandate on remand by awarding a lump sum for the interval without considering evidence"

    8 May 2007
    Gessner Reversed and remanded
    "Accordingly, we reverse the judgment of the trial court and remand for a new trial"

    04 September 2007
    Gessner REVERSED and REMANDED
    "The trial court erroneously granted summary judgment in favor of defendant"

    3 June 2008
    Gessner REVERSED and REMANDED
    "Accordingly, we reverse the judgment of the trial court and remand for a new trial"

    3 March 2009
    Gessner REVERSED IN PART
    "The trial court erred in not dismissing the portions of plaintiffs’ complaint based upon general promises of protection"

    6 October 2009
    Gessner VACATED AND REMANDED
    "For the reasons stated herein, we vacate the order and remand for additional proceedings"

    4 May 2010
    Gessner VACATED
    "The judgment of the trial court is vacated..."
     
  10. Madeleine74

    How does that % compare to the other superior court judges in the district?
     
  11. johnfear

    M74,

    It's about average. If you take a look at the various judges here and the judgments, the judges are rotated (for example, see www.nccourts.org and look at the judicial calendar).

    Additionally, in North Carolina, we see a lot more of these cases being picked up for appeal (it's almost become an expected practice) without as many judicial errors. If you take a look at the cases overall, (and in this case in particular) the response has been to qualify cases much more clearly and quickly when the attorneys are aware of the issues and raise them in the trial record. It helps quash some of the backlog and makes the appeal less of a solution and more a part of the process. (This is why Kurtz and Trenkle spoke softly throughout the case with Gessner and you heard a lot of "Objection" "Noted for the record, overruled" throughout the testimony.) It helps flag the case as judicially flawed from the outset and speeds up the process of getting noticed. Unfortunately, when everyone does that, it kinks the justice system.

    I think this case (on appeal) has some merit on the technology-side, but I think the most that the defense can hope for is that it plays out something like this:

    1) Brad Cooper sits in jail for 2-5 years while the appellate process unfolds and gets a chance at a retrial. This is good in two respects. It probably will allow for much closer scrutiny of the respectively disagreed upon evidence on the computer. It will also allow the time to ferret out either A) exculpatory evidence or B) damning evidence.

    2) A and B above would potentially then limit the suspect pool. Let's face it. Tampering is a far-fetched idea. If it happened, it will become obvious with further scrutiny. The number of people connected to Nancy Cooper who COULD have done it would be limited. This would in effect exonerate him and justice would be appropriately served on those parties.

    3) If the evidence is then correctly linked back to BC, it would allow for a bigger, firmer smoking gun. Perhaps even indicate an accomplice in the "tampering" and "spoofing".

    Again, it's all just part of the process at this point.
     
  12. Madeleine74

    I'm well aware of why K & T were making multiple objections for the record and to preserve the info for an appellate court and also very aware of the issues raised for review.

    My question is how does Gessner's % of reverses/errors compare to each of the other judges in superior court. What are the other judges' %'s?
     
  13. jrb0124

    NC Appellate does not post those stats (though they do for NC Supreme), you would have to search each judge and do the math.

    I noted 10% though based on the region in general from stats available on nearby states (who do post those, VA, TN...) and who also have a distinct appellate court.
     
  14. calgary123

    It is more important to consider how many of those involved jury trials. Overturning a summary judgment ruling is relatively common and summary judgment never involves a jury. Jury verdicts are the most difficult to overturn.
     
  15. PolkSaladAnnie

    WOwwww!

    Excellent .... and I sure hope Kurtz is taking some serious real live-time notes. There's groundbreaking stuff here that he had 30 months to explore.

    Just sayin.... :D
     
  16. cassius

    I don't think a jury verdict has any impact to the likelihood or unlikelihood of this case being overturned or otherwise remanded. All of the big issues in this appeal are going to be directed at JG's alleged abuse of discretion in allowing and disallowing certain items of evidence.

    If you are suggesting, however, that appeals based on the sufficiency of the evidence are rarely victorious, I will agree with that.
     
  17. jrb0124

    My thoughts exactly - and watching the Masucci proffer, the questions, the direction, it's clear HK was generating a transcript for the Appellate Court, and not attempting to enlighten JG. In fact, JG at the times he appeared in the video seemed not to be listening at all - was preoccupied with something else during the testimony. When HK asked a procedural question JG said "fine do whatever you have to".

    I'll hold off posting more on this until I post the complete transcript here (hopefully tonight).
     
  18. jrb0124

    4/28/11

    Defense offer of proof

    Defense attorneys question computer forensics expert Giovanni Masucci outside the presence of the jury for the purpose of appeal, if Brad Cooper is found guilty. Masucci has not been allowed to testify in the case.

    PART 1

    Giovanni Masucci (digital forensic examiner - 9 years experience)

    -started own digital forensics company in 2002
    -uses 50+ different digital forensics tools
    -performed over 500+ forensic examinations (machines)
    -also certified in cellphone forensics, GPS forensics, smart phones, went to Federal LE school for cyberterrorism.
    -started National Digital Forensics in 2008.
    -has been an expert for both pros, state, civil cases in NC - Superior and district court, qualified in computer forensics for each instance.
    -serves on Charlotte's secret service task force (cyber)
    -serves on various national and regional cyber forensics organizations (STCIA, Infoguard, Digital Forensics Association).
    -Tendered and accepted as expert in digital forensics

    HK: Mr. Masucci, have you had the opportunity to review the data from Mr. Cooper's IBM thinkpad computer?
    GM: I have

    HK: ...and have you had an opportunity to read through the FBI's report as well as law enforcement reports detailing the means by which the evidence was collected?
    GM: yes

    HK: do you have...in doing so have you formed any opinions in respect to the protocols that were or were not followed during the collection of that evidence?
    GM: I do, and that's one of the reasons why I am here as a computer forensic examiner, and one of my big things is when I do teaching - train law enforcement and government agencies, and corporate personnel, attorneys and judges and so on...is protocol. It's very important that you're dotting your i's and crossing your t's, starting with chain of custody, and that you follow it so you don't have any issues of spoliation - or anything that can come back, but you need to address it. I did see some issues early on.

    HK: When you say 'spoliation' what exactly do you mean in computers?
    GM: If I'm involved in an examination - or any digital forensics or computer forensics exam which is one and the same...if we notice after the fact that it was taken into custody, that if files are altered - to us that's suspicion of spoliation. Anything that you work on, you should have a write-protect. Now there are instances, if when we are doing a server, because that is volatile data - we can't shut down a company, we can go in and document what we're doing...as long as we have documentation, it's acceptable that we will be accessing a live server.

    HK: in this particular case, how was the IBM collected, and how should it have been collected?
    GM: It is my understanding that the computer was left on. I kind of cringed when I heard that, because typically if there's RAM data on there, because a computer is left running, before they collect that they should use a forensic tool to collect RAM data and then shut the computer down, but there's a full process before we even get to that point: documenting exactly and taking digital photographs of the scene, taking digital photographs of the computer itself, logging and documenting serial number, model number, the type of computer it is. You are not going to get access to that hard drive right there and then. You take it back to the lab and do the same thing, follow processes: log it in, document the hard drive, take pictures of the hard drive. In our lab, part of the protocol - and pretty much standard protocol is that you have to document everything - from the time you get it, to the time you log it in and secure it. This computer, the IBM Thinkpad of BC was left on. That's an issue, because my understanding was that it was still connected to a VPN, it was connected to a wireless network as well, so anyone can gain access to that computer. Now you will have things that can be changing, files that will change, there could be updates - I know BC was connected to the Cisco network. There could be updates through the Cisco network. I saw file changes, I mean I saw numerous file changes, just based on the reports I read there were several hundred files that were changed. To me, again that's spoliation to a forensic examiner.

    HK: Now when you talk about the reports that you read, are you in part referring to the FBI's own databases of files that included timestamps?
    GM: Yes

    HK: Do you recall how many files the FBI's own access database reflects as having been changed after it was out of BC custody?
    GM: I don't have that in front of me but I believe it was 674 or 694. Somewhere around there.

    HK: 692 ring a bell?
    GM: that could be it.

    HK: Why is it that file changes like that are problematic with computers?
    GM: Things will be altered. Once its in custody - say I'm getting a computer in, and I'm doing a forensic examination on it, I have to make sure nothing is disturbed on it - so I'm going to take a forensic image of that internal hard drive. From there, I'm going to make two copies. One's going to go in our vault for safekeeping, in case something happens to that first copy we made. The original is going to be stored, unless we need to utilize that, but typically we don't, only in rare circumstances. We work off the forensic image to do the analysis, and we take hashes off both of those images.

    HK: Can you briefly explain what that means: "taking hashes"?
    GM: A hash validates that when I first do a forensic image, and I've used EnCase to get the first hash as when I first received the data to look at to know what I would be talking about, we'll take an initial hash saying okay this is the image, and when we go about acquiring the image we'll take another hash. Those two better match. If they don't - that means I did something wrong, and I've altered some data. If you alter data, you created spoliation. Then we'll take another hash at the end, and we'll correlate that to make sure all the hashes match. Typically we do an MD5, and then we do a SHA.

    HK: And those are just two different types of hash techniques?
    GM: Yes, the MD5 is a typical one, the second one is a 256 bit hash.

    HK: Now I believe the prosecution and the FBI have asserted that many of the files that were altered after Mr. Cooper had left the house were related to a Microsoft update. Were you able to determine if there was any update?
    GM: I saw access through the VPN where Cisco was communicating with that laptop. That in and of itself is an issue, because files were getting changed when they shouldn't have - that laptop should have been off. I did not see an actual update as far as Microsoft to the operating system.

    HK: The files that did download that said update, were they actually appropriate for that system? or were they mismatched?
    GM: It was more like...when you have a VPN tunnel, and files can get updated - updating the system of the VPN network itself. If there were any updates to the program of the VPN tunnel, that was getting updated. That was just part of it, but then there were other files that were accessed and deleted...which was alarming to me. When I see deleted files after the fact - that's another problem.

    HK: You've taken a look at the FTK - or parts of the FTK report that you were provided that originated with the FBI?
    GM: yes

    HK: and in that FTK report did it say how many files were actually on the computer when it was imaged?
    GM: the FBI report had over 800,000 files listed on the FTK report

    HK: now they also provided an access database that had a number of files in it, how many files were in the access database?
    GM: I believe it was under 200,000...which didn't make sense to me.

    HK: Why doesn't that make sense to you?
    GM: Well, if the access database was supposed to do the file listing like you can do with FTK, they should have listed all the files in there.

    HK: you would have expected-
    GM: I would have expected to see the files database showing all the files, or at least an HTML that you can click on to make an HTML listing of every file that's on that computer.

    HK: And how many files were in the Master File Table?
    GM: On the...I don't have that, couldn't tell you right off hand...

    HK: Was it 800,000?
    GM: It would be exactly what was on the computer according to the FBI report.

    HK: When those numbers don't add up, what is your thought process at that point as to what the potential causes are?
    GM: It leads me to a little bit of suspicion. What happens is that anytime we see any kind of deviation or any kind of issue with a computer - we're going to look further and investigate what may have caused that. We're going to look at the whole parameters of what the case is, what we're looking at if there was chain of custody involved, if anything was touched...and we already knew when I looked at it that things were touched, even as I read and was able to do an FTK indexing and do an EnCase image I can now actually see things that were touched.

    HK: And when you say "touched" are you talking about things that had been changed because of an automated process, or things that had been done by somebody actually at a keyboard or somehow accessing the computer?
    GM: Both. It led me to believe that at some point a write-block was not utilized.

    HK: And what do you mean by that?
    GM: A write-block puts the computer you are going to analyze or the image you are going to analyze in a read-only format. If that is not connected correctly, if there is something wrong with that write-block, or if one isn't used: the files will change. The last access...or if a file was created and never touched again, the metadata behind there: created, modified, last accessed will all show the same. Now I saw that where there were deleted files where the metadata: created, modified, last accessed, were all the same but they were deleted at the time they were created - which didn't make any sense to me.

    HK: files are deleted at the same moment they are created?
    GM: as soon as they were created they were deleted.

    HK: how can that happen?
    GM: Somebody - I don't know who did it, or what had happened...all I can tell you is that I went through the file extension, the file date and at the time the law enforcement had it in custody, and all these files came up as showing 'deleted'. I did a data carve, like the FBI did a data carve, I did a data carve...my files show less than what they had on their report, as far as their total files that they data carved...and show that all these different files were deleted. It just doesn't make sense, it doesn't add up right because if somebody deleted something all of the metadata's there and it should have had a creation date a little bit different, but it was all done at the same time it would lead me to believe.

    HK: were you able to determine exactly what those files were?
    GM: Some of them. Again, I haven't really had enough time to dig into it, but some of those files were accessed through the Cisco VPN network, some of them were documents, temporary folders, temporary files, temporary internet files that were accessed...BC's email, archived email, history, PST, .pst files which is your mailbox, and there were some deleted hidden files that were deleted during that time...and archived.

    HK: Now in addition to the files that you can see being changed or deleted after BC was out of the house, did you also notice anomalies with other files on the computer?
    GM: I did

    HK: And were those essentially timestamp anomalies?
    GM: I did, numerous

    HK: Where...in what type of timestamp were the anomalies?
    GM: they were in the Google searches, there were timestamps that were anomalies.

    HK: And when you say they were in the Google searches, the entire map search were there any...am I correct that there were 507 files that were associated with that search?
    GM: I believe so, I don't have the exact figure in front of me.

    HK: Was there a single one of those files that did not show an invalid timestamp?
    GM: I believe no, there wasn't any...based on the Google only.

    HK (to judge): your Honor, I have previously admitted for appellate purposes exhibit 154 which is Mr. Masucci's report. That report actually includes a number of visuals and I would just wish to be able to publish them electronically without numbering them individually since they are all in the report.
    Judge: that's fine, whatever you need to do um, that's fine.

    HK: Mr. Masucci would it help to look at the graphic images to chart out the timeframe of timestamp anomalies?
    GM: please

    HK: (okay, if we can show the overall...? slide up)
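
    [Added example, not part of the original post or of the testimony: a Python sketch of the hash check described in the transcript above, where an image is hashed with MD5 and SHA-256 when received, after acquisition and at the end of analysis, and all digests must match. The class name, stage labels and sample image bytes are constructed for illustration.]

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB pieces so large disk images never sit in memory


def hash_image(path):
    """Return (md5_hex, sha256_hex) for the file at path, computed in one pass."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


class CustodyHashLog:
    """Hypothetical helper: keeps one (stage, md5, sha256) entry per checkpoint."""

    def __init__(self):
        self.entries = []

    def record(self, stage, path):
        md5_hex, sha_hex = hash_image(path)
        self.entries.append((stage, md5_hex, sha_hex))

    def mismatches(self):
        """Stages whose digests differ from the first recorded entry.

        A stage is reported if either digest differs from the baseline.
        """
        if not self.entries:
            return []
        _, base_md5, base_sha = self.entries[0]
        return [
            stage
            for stage, md5_hex, sha_hex in self.entries[1:]
            if (md5_hex, sha_hex) != (base_md5, base_sha)
        ]


def demo():
    """Constructed scenario: one byte of the image changes after acquisition,
    as would happen if the image were mounted without a write-block."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.img")
        with open(image, "wb") as fh:
            # Constructed stand-in for a disk image.
            fh.write(b"\x00" * 4096 + b"constructed sample sector data" + b"\x00" * 4096)

        log = CustodyHashLog()
        log.record("received", image)
        log.record("acquired", image)
        before_change = log.mismatches()

        # Overwrite a single byte in place; file size and name stay the same.
        with open(image, "r+b") as fh:
            fh.seek(4100)
            fh.write(b"X")

        log.record("end of analysis", image)
        return before_change, log.mismatches()


if __name__ == "__main__":
    clean, after = demo()
    print("mismatches before change:", clean)
    print("mismatches after change: ", after)
```
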
     


  19. jrb0124

    PART 2

    HK: Now taking a look at this particular chart, can you explain what it is that is actually showing?
    GM: We're looking at what I believe is the last accessed times, last modified - the times that the files were last modified.

    HK: and essentially - well, is it somewhat self-explanatory?
    GM: Well, you have actual files, we inspected all the files that were on the machine from June to July 16th, and we looked at which ones were good timestamps and which ones were not good timestamps. And again, suspicion arose when I found multiple - I looked at the two reports, the one by the FBI and the one by the other expert J Ward - I found an additional several hundred files that were unaccounted for, that had invalid timestamps. There was more than what was reported by both witnesses.

    HK: Now were there any differences between Mr. Ward's version of the Master File Table and the FBI's version of the Master File Table with the exception of microseconds being added on?
    GM: no

    HK: now, between July 10th and July 12th, there seems to be some multiple of invalid timestamps compared to files with valid timestamps. Is that something you've encountered before? have you seen that kind of situation where you end up with more invalid than valid?
    GM: That's more indicative of when a file can be dumped on a system. I found some malware. That led me to believe - and some of those malware have backdoors, as I state in my report...when a computer does not understand a file, let's say if a file was dropped on a system - and I'm using that term more in a layman's than a technical aspect, when a file may have been placed on a system the computer operating system says "well I don't recognize these files" because the metadata has been stripped out. We see this in cases where hackers have hacked in, when there's been intrusions, and they go in and they strip the metadata on the files and they go and place the data on the drive in the operating system, and the operating system says "wait I don't recognize them, I can't give you a valid timestamp", so they get an invalid timestamp, and that's what's set in the Master File Table.

    HK: How is it that those files that show an invalid timestamp in the one entry modified category, might have perfectly valid timestamps in created/last accessed and modified?
    GM: first of all...by reviewing this, I had suspicion of something wasn't right, something was tampered. Doing enough cases, similar, not homicide cases but other types of cases where there's been intrusions and so on and we're looking at everything, to me - there are so many programs like metasploit, timestomp - there are so many that can change data to make it look like one thing and not look like another thing. There's too many programs out there that hackers can use to change things.

    HK: Now the fact that there are so many invalid timestamps in the 10th through the 12th period, does that mean that that's the time that something occurred to the machine?
    GM: not necessarily, because I can alter the data. I can alter the data in the registry, I can alter the data in the Master File Table - if I have the right tools I can do that. To me it means that something suspicious happened - first look at that: there's an issue.

    HK: and is there any limitation as to what time it could have actually occurred, given the way computers work?
    GM: It could happen at an earlier time, things change I can use a program to make it say whatever I want it to say...especially with Vista, Vista - when it came out, I still have my old Vista machine from 08, I purchased mine in April as well and numerous problems.

    HK: can it also happen at a later time?
    GM: it could.

    HK: And the machine was powered off, I guess on July 16th at approximately 8:30 PM. Now, after that point, but before the machine is hashed some six weeks later, is it still vulnerable in some way?
    GM: Absolutely.

    HK: How?
    GM: Protocol. Typically protocol is when you put a computer or device in custody it is logged in, it is secured, no one has access to it. Typically with law enforcement, they usually have an evidence room, and usually there is somebody in charge of the evidence room - they sign it in and they sign it out, it's secure so that nobody has access to it. I have not seen any logs from the FBI or from law enforcement err from Cary PD showing the process and the chain of custody and who had access to what, with that computer. I would still like to see that so I can validate it.

    HK: next if I can show you the graph of the files modified over the lifetime, is this consistent with what you found over the lifetime of the machine in terms of files that bear invalid timestamps in the standard information attribute of the entry modified category?
    GM: yes

    HK: Would you even expect something as little as two percent for something like that?
    GM: yes
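
    [Added example, not part of the original posts, the testimony or any tool used in the case: a Python sketch of the timestamp triage the transcript describes, run over constructed file records that carry the four NTFS $STANDARD_INFORMATION times as FILETIME values. It assumes "invalid" means an entry-modified value that does not decode or falls outside the window the machine could have been in use; the record names, dates and the `triage` function are constructed for illustration.]

```python
from datetime import datetime, timedelta, timezone

# NTFS FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """Encode an aware datetime as a FILETIME integer (integer math, no float loss)."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def from_filetime(ft):
    """Decode a FILETIME integer; return None if it cannot be a real time."""
    if ft <= 0:
        return None
    try:
        return EPOCH_1601 + timedelta(microseconds=ft // 10)
    except OverflowError:  # value decodes past year 9999
        return None


def triage(records, earliest, seized_at, imaged_at):
    """Sort record names into the three categories discussed in the testimony."""
    report = {"invalid_entry_modified": [], "changed_after_seizure": [], "identical_mac": []}
    for r in records:
        em = from_filetime(r["entry_modified"])
        # Assumption: invalid = undecodable, or outside [earliest, imaged_at].
        if em is None or not (earliest <= em <= imaged_at):
            report["invalid_entry_modified"].append(r["name"])
        # Any valid time that falls after the device left its owner's control.
        stamps = [from_filetime(r[k]) for k in ("modified", "accessed", "entry_modified")]
        if any(t is not None and seized_at < t <= imaged_at for t in stamps):
            report["changed_after_seizure"].append(r["name"])
        # Created, modified and last accessed all equal: never touched since creation.
        if r["created"] == r["modified"] == r["accessed"]:
            report["identical_mac"].append(r["name"])
    return report


def utc(y, m, d, h=0):
    return datetime(y, m, d, h, tzinfo=timezone.utc)


# Constructed timeline and records (not data from the case).
EARLIEST = utc(2019, 1, 1)
SEIZED_AT = utc(2020, 1, 10, 12)
IMAGED_AT = utc(2020, 2, 20)


def rec(name, created, modified, accessed, entry_modified):
    return {"name": name, "created": created, "modified": modified,
            "accessed": accessed, "entry_modified": entry_modified}


T = to_filetime
SAMPLE_RECORDS = [
    rec("a.doc", T(utc(2020, 1, 5)), T(utc(2020, 1, 5)), T(utc(2020, 1, 5)), T(utc(2020, 1, 5))),
    rec("b.pst", T(utc(2020, 1, 2)), T(utc(2020, 1, 12)), T(utc(2020, 1, 12)), T(utc(2020, 1, 12))),
    rec("c.tmp", T(utc(2020, 1, 8)), T(utc(2020, 1, 8)), T(utc(2020, 1, 8)), 0),
    rec("d.dll", T(utc(2020, 1, 4)), T(utc(2020, 1, 6)), T(utc(2020, 1, 7)), 0xFFFFFFFFFFFFFFFF),
    rec("e.log", T(utc(2020, 1, 3)), T(utc(2020, 1, 9)), T(utc(2020, 1, 9)), T(utc(2020, 1, 9))),
]

if __name__ == "__main__":
    for category, names in triage(SAMPLE_RECORDS, EARLIEST, SEIZED_AT, IMAGED_AT).items():
        print(category, names)
```
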
     


  20. jrb0124

    PART 3

    HK: (next slide) now prior to June 23rd had you isolated even a single timestamp that was invalid?
    GM: initially when I did this I did not see

    HK: And when you limited it to, I believe it's the 10th through the 12th? (next slide)
    GM: that was again astronomical in my opinion, because that shouldn't happen, unless something happened to those files, the file was manipulated - something, again it led to suspicion - "why did that occur?"
     


  21. jrb0124

    PART 4

    HK: And again, does that mean that those files were genuinely created on the 10th through the 12th and something bad happened to them or could it have happened at any time?
    GM: If there is an anomaly in the system you are going to get some files that have an invalid timestamp. It happens, even with updates. But to have that degree? leads me to believe the otherwise something or somebody altered those files or potentially altered those files.

    HK: and during the time of July 11th, during the time of the Google map search (new slide), at that point is that what you encountered?
    GM: yes. Again it was brought to my attention that that was suspicious. That shouldn't have happened...why? I tried to look at...there was no metadata, there was just no metadata with those. I did not find - and I do want to state, I did not find any wiping software on that laptop. Wiping software is what we call anti-forensics software. One of the first things that I look at when I get involved with a case, I have to put myself inside that person so to speak. If it's a certain case I know there are certain places I'm going to look. And the first place I'm going to look is for some kind of program we call wiping software, or malware, or anti-forensics, that prevents me from finding the data.
     
