Justice for Brad

Computer Evidence

Brad's Computer was Not Secured

All computers contain metadata, which describes how and when data has been modified, and who modified it.

Software programs exist to modify that metadata, whether it is a file's access date and time, the user who modified it, or the original author. Anyone can download and run these programs for free. They can change the metadata to show that a certain document was downloaded or opened at a specific time, or that a certain user modified it. They are easy to run and, if used correctly, leave no trace.

Anti-forensics tools are widely available to modify file metadata and timestamps in order to mislead computer forensics investigators. One such tool is Timestomp, distributed with the Metasploit framework (and bundled on the BackTrack distribution). It modifies the timestamps kept by NTFS, the file system used by Windows Vista. With Timestomp, all four NTFS file timestamps (Modified, Accessed, Created and Entry modified, known as MACE) can be altered permanently, so that forensic tools like EnCase and FTK treat the altered values as legitimate timestamps.

A whole field of computer science is devoted to anti-forensics, whose purpose is to confuse or fool computer examiners. The best-known example of a tool used to modify time is Timestomp. When files are created or modified on a computer, they are assigned time values known as timestamps. A timestamp on a computer file is like the timestamp printed at the bottom of a receipt: the receipt tells you when it was issued, just as a computer timestamp tells you when the file was created. If you know where to look on the computer, you can read those timestamps. Timestomp can be downloaded for free, and its documentation shows, step by step, how to change the timestamps on computer files (such as documents, web pages or spreadsheets). Following the instructions is like following a recipe. Timestomp and similar programs can change timestamps down to the nanosecond. They can be used on individual files or on many files at the same time, and can set a timestamp to a specific date or stagger a set of files so they appear to fall in sequence, just as you would expect. It is easy, it is effective, and it is nearly undetectable.
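The two paragraphs above describe how Timestomp rewrites the four NTFS timestamps. The complement, from an examiner's side, is a consistency check over the timestamps a tool cannot rewrite through the normal Windows API. The following is an added example, not code from this page or from any forensic product: NTFS keeps MACE timestamps in two attributes, $STANDARD_INFORMATION (SI), which SetFileTime-style utilities rewrite, and $FILE_NAME (FN), which the kernel sets and those utilities do not touch. The script compares the two, flagging an SI value that is earlier than its FN counterpart and an SI value whose 100-nanosecond fraction is exactly zero (many timestamp-setting utilities write whole seconds). The MFT records are constructed sample data, not values from Brad Cooper's computer, and the `MftRecord` class, `check_record` and `scan` are names chosen here.

```python
"""Constructed example of an NTFS $STANDARD_INFORMATION vs $FILE_NAME timestamp
consistency check. FILETIME values are 64-bit counts of 100 ns ticks since
1601-01-01 UTC. Heuristics used:
  1. SI sub-second fraction is exactly zero (timestamp likely set at one-second
     granularity by a utility rather than by the file system).
  2. SI timestamp earlier than the matching FN timestamp (FN reflects when the
     file appeared on this volume, so an older SI value suggests backdating).
Neither is proof by itself: file copies, archivers and installers also produce
these patterns, so the output is a triage list for a human reviewer."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
MACE = ("modified", "accessed", "created", "entry_modified")


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME tick count to a timezone-aware datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime, extra_ticks: int = 0) -> int:
    """Build a FILETIME from an aware datetime plus 0..9_999_999 sub-second ticks."""
    delta = dt - FILETIME_EPOCH
    whole_seconds = delta.days * 86400 + delta.seconds
    return whole_seconds * TICKS_PER_SECOND + delta.microseconds * 10 + extra_ticks


@dataclass
class MftRecord:
    """Hypothetical parsed MFT entry: path plus SI and FN MACE values as FILETIME ints."""
    path: str
    si: dict
    fn: dict


def check_record(rec: MftRecord) -> list[str]:
    """Return human-readable flags for one record; an empty list means nothing unusual."""
    flags: list[str] = []
    for name in MACE:
        si_val, fn_val = rec.si[name], rec.fn[name]
        if si_val % TICKS_PER_SECOND == 0:
            flags.append(f"{name}: SI sub-second is zero")
        if si_val < fn_val:
            flags.append(f"{name}: SI earlier than FN")
    return flags


def scan(records: list[MftRecord]) -> dict:
    """Map each record's path to its flags."""
    return {r.path: check_record(r) for r in records}


def _ft(*ymdhms: int, ticks: int = 0) -> int:
    return datetime_to_filetime(datetime(*ymdhms, tzinfo=timezone.utc), ticks)


# Constructed sample records (dates and names are made up for illustration).
_t_orig = _ft(2008, 7, 11, 10, 3, 21, ticks=1234567)   # genuine creation time on volume
_t_copy = _ft(2010, 1, 5, 9, 0, 0, ticks=5551234)      # time a file was copied onto volume

SAMPLE_RECORDS = [
    # Untouched file: SI and FN agree and carry a real sub-second fraction.
    MftRecord("Users\\sample\\normal.docx",
              si={k: _t_orig for k in MACE}, fn={k: _t_orig for k in MACE}),
    # SI "created" rewritten to an earlier whole-second value; FN still holds the truth.
    MftRecord("Users\\sample\\backdated.docx",
              si={"modified": _t_orig, "accessed": _t_orig,
                  "created": _ft(2008, 7, 11, 6, 40, 0), "entry_modified": _t_orig},
              fn={k: _t_orig for k in MACE}),
    # Benign false positive: a copy keeps the source's SI modified time, so SI modified
    # predates the FN times set when the copy landed on this volume.
    MftRecord("Users\\sample\\copied.docx",
              si={"modified": _t_orig, "accessed": _t_copy,
                  "created": _t_copy, "entry_modified": _t_copy},
              fn={k: _t_copy for k in MACE}),
]

if __name__ == "__main__":
    for path, flags in scan(SAMPLE_RECORDS).items():
        print(f"{path}: {flags or 'no flags'}")
```

In practice the records come from a parsed $MFT (tools such as analyzeMFT or MFTECmd export both attribute sets); the check itself is what an examiner would run before treating any SI timestamp as evidence, and the copied-file record shows why a flag is a reason to look closer, not a finding on its own.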

Of course, in order to change timestamps on files, you must first get into the computer. Brad left the barn door wide open on that computer. Encryption is important because it is the deadbolt on that door. The FBI held a press conference in 2007 at which it said that the type of encryption Brad had, WEP, was just about useless; as a result, people relying on WEP had no real protection against intruders. On its website, the FBI goes on to say that, '...after they tap into the connection, they can do all sorts of things, including illegally sending spam or pilfering your computer's data. You might not even know if these hackers have gained access to your connection. They may be a couple houses over or on the next street. But if they're doing something illegal with your Internet connection, it's going to come back to you.'

Brad had an easily crackable WEP password (12341234123412) on a system whose wireless range exceeded 100 yards, so getting into his wireless network with such a password would have been easy. But in the case of Brad's network, even that wasn't required, because he had given his password to several neighbors. Furthermore, anyone with physical access to that computer wouldn't need to use the wireless at all. Anyone with physical access to Brad Cooper's computer before it was hashed six weeks later could have rebooted the computer as an administrator with a free admin crack CD, dropped files onto his drive (while it was attached as an external drive), changed the computer's clock before doing a live search, and altered selected files.