Justice for Brad

Computer Evidence

Google Map Search Was Planted

The alleged Google Maps search took just 42 seconds from the moment Internet Explorer was opened, to the moment it was closed.

In those 42 seconds, maps.google.com is typed into Internet Explorer. When the screen first comes up, it's in the map version, but then it's switched to satellite. That means you can see the terrain and the streets, instead of just the streets. It also means that for every page, it has to load two different maps. It starts out as a full map of the United States before '27518' is typed into the Google search box. From that point, the search homes in on Fielding Drive. There are six separate times when the mouse is clicked to zoom in further. At each zoom level you have to wait until every tile on the screen populates, and since you have two maps (the street names and the satellite), that's two tiles per space before you are allowed to click to zoom again. This is done six separate times until it reaches the exact spot where the body is found, where it sits for 2 seconds. Then the browser closes. There is no wandering, no hesitation: just open a browser, go to maps.google.com, switch to satellite, allow the whole map of the US to populate, type 27518, allow it to populate, and then perform six separate zooms where, each time, the whole screen is given time to populate, before the browser is closed.

[Screenshots of the six map views: First View, Second View, Third View, Fourth View, Fifth View, Final View]

After doing this, the State would have you believe that Brad Cooper, the man they claimed to be a computer genius who created a digital alibi, leaves behind a perfect digital trail for police to follow.

The single missing part of that trail was the piece that would have proven whether Brad had Googled the map on that day. That one piece of evidence was a Google cookie. A cookie is a text file that's automatically saved to your computer every time you go to a web page. It stores information about your activity to make Internet browsing easier by keeping some of your preferences, like passwords and settings. But cookies can be incredibly valuable in a forensic investigation. If law enforcement finds a cookie on a computer, they can use a court order to make Google look up information about when, where, and by whom that search was done. It's a foolproof way to verify whether something digital, something that can easily be manipulated, is real. Their own experts claim that they found the cookie that matches up with this map search. But they did not. They will not show you that cookie because there was no cookie that matched up with the map search. But there are plenty of other cookies on Brad's machine. Brad had terrible Internet hygiene. He had cookies on his machine from April all the way up through July 15. Not one of them is a Google cookie from July 11th. And if there was a cookie on Brad's machine that matched up with the search, they could have asked Google when the search was performed, and from what computer. Although they received tons of information from Google spanning the course of a year, they never asked about a Google cookie for that search. The only possible reason why law enforcement wouldn't have requested this information is that they didn't want to know the answer.


Missing Cookie

Despite writing a report asserting that there was a Google cookie for that search, Officer Chappell never found one, not even a deleted cookie.

There should have been a cookie on that machine. There are cookies that pre-date and post-date the alleged Google Maps search.

But the one thing you can't just drop onto a machine is a cookie. Because when you trace that cookie back to Google the jig is up, and they'll know it's not real. So there's no Google cookie for the map search, because it wouldn't have pointed back to Brad.

A Google cookie is third-party verification of a unique IP address and time. It is not alterable, and a local time change doesn't change Google's own server time. It's an industry standard to verify events with Google cookies.

Google Privacy Policy

Law enforcement is aware of the value of information from Google. And law enforcement has become so accustomed to requesting information from Google that Google has placed restrictions on the length of time that it will retain data. After nine months, Google removes all identifying data from its half of the cookie. After nine months, nothing is left.

About 11 months after the alleged search, the defense received images of the computers for the first time, even though the FBI had finished their examination six months earlier.

So you are able to see how many people did a search for the zip code 27518 after nine months, but not by whom or by what computer. More to the point, any information from Google servers would be useless at that point.

Invalid Timestamps

SIA Entry Modified timestamps are the only category that cannot be manipulated with a program like Timestomp, and they are not analyzed by FTK and EnCase. The FBI had no explanation for why there were invalid timestamps. However, Agent Johnson testified that they could indeed be the product of dropping files onto a system.

There are 169,281 entries in Brad Cooper's $MFT. Over the lifetime of the computer, there are only 2% invalid timestamps.

The computer was created on April 28, 2008. From that date until June 22, 2008, there are no invalid timestamps.

But between July 10, 2008 and July 12, 2008 there are 83% invalid timestamps.

And for the Google Maps search, there are 100% invalid timestamps. That did not happen with any other Google search. It only happened with the search that convicted Brad.

The FBI did a comparison of Invalid SIA Entry Modified Timestamps on Brad's ThinkPad with the FBI's own clean installation of Vista. They stated that the percentages were roughly the same. But when they said there were 2% invalids on the FBI's Vista install, they weren't talking about the same category. In the FBI install there were three Invalid Timestamps in the SIA Entry Modified: three out of 47,232 files (0.006%). Their tests confirmed that 2% is an anomaly that can't be explained by innocent means, and they were intentionally misleading when they stated 2% instead of 0.006%. They knew exactly what their data showed. It confirmed that invalid timestamps in the SIA Entry Modified were not standard for any install of Vista.

The Cursor File

Jay Ward and Giovanni Masucci conducted tests on the Google cursor files. They both confirmed that the format that Google used to save their cursors was a .cur file in 2008, as it is today. But the cursor file from the alleged map search was a .bmp file. That's like saying an incriminating Word file was found whose file extension was .xls instead of .doc.

Furthermore, all MACE Timestamps were equal, down to the millisecond. This is an anomaly. As the sole openhand file on the machine (if it were valid), it would have a creation date prior to the search performed on July 11. The Modification Date and Access Dates would also be updated. By the very nature of the file, it is not possible for each timestamp to be exactly the same across the board.

With every test replication, as the page is maneuvered (whether it's by a mouse, track pad, or dial), the cursor updates. The search that was allegedly done to find Fielding Drive included several levels of zoom. This could not happen without updating the cursor files. Yet, as you can see, all seven timestamps are the same (the eighth is, of course, Invalid). This is direct evidence of tampering. The Google openhand and closedhand files were not artifacts of a valid search, but were placed inside the computer to frame Brad Cooper for murder. There is no other valid explanation.
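The two checks described under "Invalid Timestamps" and "The Cursor File" (the share of invalid Entry Modified timestamps in a date window, and records whose timestamps are all identical) can be reproduced over the four timestamps stored at the start of an NTFS $STANDARD_INFORMATION attribute. The following Python is an added example, not part of the original page or of any tool used in the case. It assumes that "invalid" means a FILETIME that is zero or does not decode to a plausible date, that records are assigned to a window by creation time, and it runs on constructed sample records only.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
FIELDS = ("created", "modified", "entry_modified", "accessed")  # $SI on-disk order

def filetime_to_dt(ft, lo=1990, hi=2100):
    """FILETIME (100 ns ticks) -> UTC datetime, or None if zero/implausible.
    Treating those values as 'invalid' is this example's assumption."""
    if ft == 0:
        return None
    try:
        dt = EPOCH + timedelta(microseconds=ft // 10)
    except OverflowError:
        return None
    return dt if lo <= dt.year < hi else None

def parse_si(block):
    """Decode the four timestamps at the start of $STANDARD_INFORMATION."""
    return dict(zip(FIELDS, map(filetime_to_dt, struct.unpack("<4Q", block[:32]))))

def invalid_rate(records, start, end, field="entry_modified"):
    """Share of records created in [start, end) whose `field` is invalid."""
    hits = [r for r in records if r["created"] and start <= r["created"] < end]
    return sum(r[field] is None for r in hits) / len(hits) if hits else 0.0

def all_equal(rec):
    """True when every decodable timestamp in the record is identical."""
    vals = [v for v in rec.values() if v is not None]
    return len(vals) > 1 and len(set(vals)) == 1

def ft(y, mo, d, h=0, mi=0):
    """Build a FILETIME for the constructed sample data (exact integer math)."""
    delta = datetime(y, mo, d, h, mi, tzinfo=timezone.utc) - EPOCH
    return delta // timedelta(microseconds=1) * 10

def utc(y, mo, d):
    return datetime(y, mo, d, tzinfo=timezone.utc)

# Constructed sample records (not values from the case).
SAMPLE = [parse_si(struct.pack("<4Q", *row)) for row in (
    (ft(2008, 5, 1), ft(2008, 5, 2), ft(2008, 5, 2), ft(2008, 5, 3)),
    (ft(2008, 7, 11, 13), ft(2008, 7, 11, 13, 5), 0, ft(2008, 7, 11, 13, 5)),
    (ft(2008, 7, 11, 14), ft(2008, 7, 11, 14, 5), 2**64 - 1, ft(2008, 7, 11, 14, 5)),
    (ft(2008, 7, 11, 15),) * 4,
)]

if __name__ == "__main__":
    print("lifetime:", invalid_rate(SAMPLE, utc(2008, 1, 1), utc(2009, 1, 1)))
    print("Jul 10-12:", invalid_rate(SAMPLE, utc(2008, 7, 10), utc(2008, 7, 13)))
    print("all equal:", [all_equal(r) for r in SAMPLE])
```

Comparing the windowed rate against the lifetime rate, and against the same measurement on a clean install of the same operating system, is what makes the per-category figure meaningful.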

Logic

If Brad created a digital alibi, why would he leave a digital trail?

Why erase one cookie only? Forensically, it's harder to selectively erase one cookie than to erase all Internet history in one fell swoop (which would look more innocent, since many users do this all the time).

If you know where to dump a body, why search on a map? But if you don't know where to dump a body, wouldn't your search last longer than a few seconds?

If you are tech savvy, you would know that satellite images are old. Wouldn't you know about private browsing, or deleting Internet history?

  • The Google Maps imagery for the July 2008 search of Fielding Drive would have been taken in June 2007, showing a construction area.
  • It's easy to delete Internet history.

Why would Brad create a digital alibi on the morning of July 12th, but then leave a digital trail on the same computer?

Neither the Cary Police Department nor the FBI made any efforts to verify the search.

  • They could have gotten router logs from home.
  • They could have gotten router logs from Cisco.
  • They could have sent all Google cookies to Google for verification.
  • They withheld access to the defense until Google scrubbed all identifying data at their end.