Justice for Brad

Computer Evidence

Forensic Protocols Ignored

The Chain of Custody on Brad's IBM Thinkpad was broken.

  • The laptop was not powered down until 27 hours after it came into the custody of the police department. There is no record of who had access to that equipment during those 27 hours, and no photographs of how it was collected.
  • Until July 28, 2008, the computer was unsecured in a storage room. There was no sign out sheet, no video surveillance, and no organization. It was simply equipment sitting on a table.
  • The Cary Police Department evidence sheet shows Detective Young turning over the laptop on July 25, 2008 to Agent Bonin (a Cary police officer assigned to the FBI). The FBI evidence sheet shows Detective Thomas of the Cary Police Department giving the same laptop to Detective Bonin on July 28. We know the evidence arrived at the FBI on July 28. We do not know what happened with that computer once it arrived at the FBI. No notes have been turned over, and no evidence forms showing who signed the equipment in and out, who performed tests, or who had access to the machine.

Hashing

  • The machine was not hashed until August 22, 2008. That means the computer could have been altered at any time between July 15, when it was seized from Brad Cooper's home, and August 22, and the hash would not show it.
  • A hash is like a digital fingerprint: a seal on the evidence proclaiming that it has not been tampered with. But a hash can only certify that the evidence has not changed since the moment the hash was taken. Generating a hash value on a computer that late in the game serves no purpose, other than to attempt to mend an already broken seal.
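To make the timing point concrete, here is an added illustration (not from this site, and not taken from the case record) of why it matters when the hash is taken. A hash taken at seizure lets every later handoff be checked; a hash taken five weeks later only certifies the state of the evidence from that day forward. The image bytes, the handoff schedule (days 0, 1, 10 and 38 after seizure) and the alteration on day 1 are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for an acquired disk image. A real image is gigabytes,
# but the integrity argument is identical for any byte string.
ORIGINAL_IMAGE = b"[constructed image] boot sector | $MFT | user files | free space"

# The same image after something writes to the disk while it sits unsecured
# (constructed; e.g. an update or a browser cache entry written after seizure).
ALTERED_IMAGE = ORIGINAL_IMAGE + b" | new cache entry written after seizure"


def hash_image(image: bytes) -> str:
    """SHA-256 hex digest of an evidence image: the 'seal'."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class CustodyRecord:
    """Minimal chain-of-custody ledger tied to a hash taken on `sealed_day`."""
    seal: Optional[str] = None
    sealed_day: Optional[int] = None
    log: list = field(default_factory=list)

    def take_seal(self, day: int, image: bytes) -> str:
        """Record the hash of the evidence as it exists on `day`."""
        self.seal = hash_image(image)
        self.sealed_day = day
        self.log.append((day, "hash taken", self.seal[:16]))
        return self.seal

    def handoff(self, day: int, holder: str, image: bytes) -> Optional[bool]:
        """Re-hash at each transfer. Returns True if the seal still matches,
        False if the evidence changed since sealing, and None if no seal exists
        yet (there is nothing to compare against, so nothing can be detected)."""
        if self.seal is None:
            self.log.append((day, f"to {holder}", "unverifiable: no seal"))
            return None
        ok = hash_image(image) == self.seal
        self.log.append((day, f"to {holder}", "match" if ok else "MISMATCH"))
        return ok


def run_custody(seal_day: int, alter_day: int) -> dict:
    """Simulate seizure on day 0, a silent alteration on `alter_day`, and a
    hash first taken on `seal_day`, with handoffs on days 0, 1, 10 and 38."""
    rec = CustodyRecord()
    results = {}
    schedule = [(0, "seizing officer"), (1, "evidence room"), (10, "FBI"), (38, "examiner")]
    for day, holder in schedule:
        image = ALTERED_IMAGE if day >= alter_day else ORIGINAL_IMAGE
        if day == seal_day and rec.seal is None:
            rec.take_seal(day, image)
        results[day] = rec.handoff(day, holder, image)
    return {
        "detected": any(r is False for r in results.values()),
        "attests_from_day": rec.sealed_day,   # integrity is provable only from here on
        "handoffs": results,
        "log": rec.log,
    }


if __name__ == "__main__":
    for label, seal_day in (("hashed at seizure", 0), ("hashed on day 38", 38)):
        out = run_custody(seal_day=seal_day, alter_day=1)
        print(label, "-> alteration detected:", out["detected"],
              "| attests from day:", out["attests_from_day"])
        for entry in out["log"]:
            print("   ", entry)
```

With the seal taken on day 0, the day-1 handoff already fails verification. With the seal first taken on day 38, every earlier handoff is unverifiable, and the day-38 hash matches the altered image perfectly, which is exactly why a late hash proves nothing about what happened in the weeks before it.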

The unsecured state of the computer for the 27 hours after it came into the sole custody of the Cary Police Department resulted in Windows Update activity on the machine. This is suspect for various reasons:

  • The Windows Update wasn't even installed.
  • The Windows Update was pushed out a week late.
  • The Windows Update wasn't pertinent to Brad's computer.
  • Mr. Masucci testified that this is direct evidence of spoliation.

The prosecution and the police department used National Security as both a sword and a shield. They were able to hide behind the court's ruling that withheld information from the defense.

  • They were not required to turn over notes of their examinations, and there was no requirement to disclose tests that looked for tampering. The court essentially allowed them to testify that "we found this, it's real, just trust us."
  • The $MFT file from Brad's own computer was deemed relevant to "National Security" and was not required to be turned over until weeks after the trial began.
  • No video of any examination was disclosed.
  • No photographs of any examination were disclosed.
  • The FBI performed a mock Google Maps search. They did not include the last access time for the cursor in what they handed over to the defense. Even if exculpatory, they were not required to turn it over because of "National Security".

No analysis for tampering

  • It is significant that the FBI claimed to have done an analysis for tampering when they did not. The programs the police used to evaluate the computers (FTK and EnCase) are not effective at detecting tampering, simply because they do not look for it: they recover and index what is on the disk, they do not test whether what they find is internally consistent.
  • Really, all they did was carve out information. Their claim that the investigation ruled out tampering is misleading.
  • They tested Brad's computer for evidence of an automated phone call (finding none), but did not perform any tests for tampering.
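As an added example (not part of this page, and not an analysis performed in the case), here is the kind of consistency check that "looking for tampering" means in practice, as opposed to carving. NTFS keeps two sets of timestamps for each file in the $MFT: the $STANDARD_INFORMATION set, which ordinary user-mode APIs can rewrite, and the $FILE_NAME set, which only the kernel updates. Comparing them, and comparing both against the seizure time, surfaces backdated entries and post-seizure writes that carving alone never flags. The records, paths and times below are constructed; parsing a real $MFT is not shown.

```python
from dataclasses import dataclass
from datetime import datetime

# NTFS stores timestamps as FILETIME: 100-nanosecond ticks since 1601-01-01.
FILETIME_EPOCH = datetime(1601, 1, 1)
TICKS_PER_SECOND = 10_000_000


def to_filetime(dt: datetime) -> int:
    """Convert a naive UTC datetime to a FILETIME tick count (exact integer math)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


@dataclass
class MftRecord:
    """Subset of an $MFT entry: created/modified from $STANDARD_INFORMATION (si_*)
    and the same pair from $FILE_NAME (fn_*), all as FILETIME ticks."""
    path: str
    si_created: int
    si_modified: int
    fn_created: int
    fn_modified: int


def check_record(rec: MftRecord, seized_at: int) -> list:
    """Return the tampering indicators raised by one record (empty list if none)."""
    flags = []
    # 1. $SI creation earlier than $FN creation: the kernel stamps $FN when the
    #    file is created, so an earlier $SI value must have been written later.
    if rec.si_created < rec.fn_created:
        flags.append("si_created_predates_fn_created")
    # 2. Whole-second $SI values beside sub-second $FN values: typical of tools
    #    that take a 'YYYY-MM-DD HH:MM:SS' argument. An indicator, not proof;
    #    files copied from FAT media can also carry coarse timestamps.
    si_whole = (rec.si_created % TICKS_PER_SECOND == 0
                and rec.si_modified % TICKS_PER_SECOND == 0)
    fn_fine = (rec.fn_created % TICKS_PER_SECOND != 0
               or rec.fn_modified % TICKS_PER_SECOND != 0)
    if si_whole and fn_fine:
        flags.append("whole_second_si_timestamps")
    # 3. Any timestamp after seizure is activity that happened while in custody.
    latest = max(rec.si_created, rec.si_modified, rec.fn_created, rec.fn_modified)
    if latest > seized_at:
        flags.append("timestamp_after_seizure")
    return flags


def scan(records, seized_at: int) -> dict:
    """Map each path that raised at least one indicator to its list of flags."""
    findings = {}
    for rec in records:
        flags = check_record(rec, seized_at)
        if flags:
            findings[rec.path] = flags
    return findings


# Constructed seizure time and sample records (not data from the case).
SEIZED_AT = to_filetime(datetime(2008, 7, 15, 18, 0, 0))

SAMPLE_RECORDS = [
    # Consistent record: $SI and $FN agree and both carry sub-second precision.
    MftRecord("Windows/system32/notepad.exe",
              si_created=to_filetime(datetime(2008, 3, 2, 11, 5, 9, 412000)),
              si_modified=to_filetime(datetime(2008, 3, 2, 11, 5, 9, 412000)),
              fn_created=to_filetime(datetime(2008, 3, 2, 11, 5, 9, 412000)),
              fn_modified=to_filetime(datetime(2008, 3, 2, 11, 5, 9, 412000))),
    # Backdated record: whole-second $SI times earlier than the kernel's $FN times.
    MftRecord("Users/u/AppData/Local/cache/tile_000.dat",
              si_created=to_filetime(datetime(2008, 7, 10, 9, 30, 0)),
              si_modified=to_filetime(datetime(2008, 7, 10, 9, 30, 0)),
              fn_created=to_filetime(datetime(2008, 7, 12, 3, 15, 27, 650480)),
              fn_modified=to_filetime(datetime(2008, 7, 12, 3, 15, 27, 650480))),
    # Post-seizure write: internally consistent, but dated after the seizure.
    MftRecord("Windows/SoftwareDistribution/Download/update.cab",
              si_created=to_filetime(datetime(2008, 7, 16, 21, 3, 1, 20000)),
              si_modified=to_filetime(datetime(2008, 7, 16, 21, 3, 1, 20000)),
              fn_created=to_filetime(datetime(2008, 7, 16, 21, 3, 1, 20000)),
              fn_modified=to_filetime(datetime(2008, 7, 16, 21, 3, 1, 20000))),
]

if __name__ == "__main__":
    for path, flags in scan(SAMPLE_RECORDS, SEIZED_AT).items():
        print(path, "->", ", ".join(flags))
```

Each flag is an indicator to be explained, not a verdict, which is precisely why an examiner who ran such checks would be expected to document them; a tool that only carves files produces no such record either way.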

Accepted forensic protocol would have included following up with a third-party source to verify the Google Maps search, or looking for signs of tampering.

  • They did no examination of Brad's home routers.
  • They skipped the network logs.
  • They failed to subpoena Google to verify the search.
  • They failed to disclose any documentation from Cisco on whether a Google Maps search had been executed at 1:14 on July 11th from their servers.

In the months prior to this case, Cary Police were investigating another murder in the area that also involved digital evidence.

  • In the Harish Patel case, Cary Police executed a search warrant for digital evidence that included standard language:
    • Financial documents and financial inquiries
    • Files relating to news coverage of the death of Vanlata Patel
    • Files relating to methods of committing murder
    • Files relating to methods of disposing of a body
    • Files indicating travel, including maps
  • The language of the digital evidence search warrant for Brad Cooper's computer mirrors the standard language, except that it does not include any reference to maps. In other words, the Cary Police Department left out of the standard language the sole piece of evidence that might tie him to the murder.