Forensic Protocols Ignored
The Chain of Custody on Brad's IBM Thinkpad was broken.
- The laptop was powered down 27 hours after it was in the custody of
the police department. There is no record of who had access to that
equipment during those 27 hours, and no photographs of how it was
- Until July 28, 2008, the computer was unsecured in a storage room.
There was no sign-out sheet, no video surveillance, and no organization.
It was simply equipment sitting on a table.
- The Cary Police Department evidence sheet shows Detective Young
turning over the laptop on July 25, 2008 to Agent Bonin (a Cary police
officer assigned to the FBI). The FBI evidence sheet shows Detective
Thomas of the Cary Police Department giving the same laptop to Detective
Bonin on July 28. We know the evidence arrived at the FBI on July 28. We
do not know what happened with that computer once it arrived at the FBI.
No notes have been turned over, no evidence forms showing who signed the
equipment in and out, who performed tests, or who had access to the
- The machine was not hashed until August 22, 2008. That means the
computer could have been altered between July 15 when it was seized from
Brad Cooper's home and any time before August 22, rendering the hash
- A hash is like a digital fingerprint--it's a seal on the evidence
proclaiming that it has not been tampered with. Generating a hash value
on a computer that late in the game serves no purpose, other than to
attempt to mend an already broken seal.
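The custody and hashing points above can be checked mechanically. The following is an added example, not part of the original page and not any agency's tooling: it audits a custody log for handoffs by someone who is not the recorded holder and for a first hash taken after seizure. The log format, actor names, dates and image bytes are all constructed placeholders.

```python
import hashlib
from datetime import datetime

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit(log):
    """Audit (time, action, actor, detail) custody entries; return findings."""
    findings, holder, baseline, seized = [], None, None, None
    for when, action, actor, detail in log:
        if action == "seize":
            holder, seized = actor, when
        elif action == "transfer":  # detail = receiving party
            if actor != holder:
                findings.append(f"{when:%Y-%m-%d}: {actor} released an item "
                                f"recorded as held by {holder}")
            holder = detail
        elif action == "hash":  # detail = hex digest of the image
            if baseline is None:
                baseline = detail
                gap = (when - seized).days if seized is not None else 0
                if gap > 0:
                    findings.append(f"first hash taken {gap} days after seizure; "
                                    "earlier changes cannot be detected")
            elif detail != baseline:
                findings.append(f"{when:%Y-%m-%d}: hash differs from baseline")
    return findings

# Constructed data: placeholder actors, dates and image bytes.
AS_SEIZED = b"disk image as seized"
AT_FIRST_HASH = AS_SEIZED + b" + data written before any hash existed"
LOG = [
    (datetime(2024, 1, 1), "seize", "Officer A", None),
    (datetime(2024, 1, 11), "transfer", "Officer A", "Agent C"),
    (datetime(2024, 1, 14), "transfer", "Officer B", "Agent C"),
    (datetime(2024, 2, 8), "hash", "Agent C", sha256_hex(AT_FIRST_HASH)),
    (datetime(2024, 3, 1), "hash", "Examiner D", sha256_hex(AT_FIRST_HASH)),
]

if __name__ == "__main__":
    for finding in audit(LOG):
        print(finding)
    # The late baseline still verifies, yet the image is not the one seized.
    print("matches state at seizure:",
          sha256_hex(AT_FIRST_HASH) == sha256_hex(AS_SEIZED))
```

The second hash matches the baseline, so no mismatch is reported even though the image differs from its state at seizure; a hash only vouches for the period after it was taken.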
Leaving the computer unsecured for 27 hours after it was in the sole
custody of the Cary Police Department resulted in a Windows Update
installation. This is suspect for various reasons:
- The Windows Update wasn't even installed.
- The Windows Update was pushed out a week late.
- The Windows Update wasn't pertinent to Brad's computer.
- Mr. Masucci testified that this is direct evidence of
The prosecution and the police department used National Security as both
a sword and shield. They were able to hide behind the court's ruling
that withheld information from the defense.
- They were not required to turn over notes of their examinations.
There was no requirement to disclose tests that looked for tampering.
The court basically allowed them to testify that "we found this, it's
real, just trust us."
- The $MFT file from Brad's own computer was deemed relevant to
"National Security" and was not required to be turned over until weeks
after the trial began.
- No video of any examination was disclosed.
- No photographs of any examination were disclosed.
- The FBI performed a mock Google Maps search. They did not include
the last access time for the cursor they handed over to the defense.
Even if exculpatory, they were not required to do so because of
No analysis for tampering
- It is significant that the FBI claimed to do an analysis for
tampering when they did not. The programs that the police used (FTK and
EnCase) to evaluate the computers are not effective at detecting
tampering, simply because they don't look for tampering.
- Really, all they did was carve out information. Their claim that the
investigation ruled out tampering is misleading.
- They tested Brad's computer for evidence of an automated phone call
(finding none), but did not perform any tests for tampering.
Accepted forensic protocol would have followed up with a third party
source to verify the Google Maps search or look for signs of tampering.
- They did no examination of Brad's home routers.
- They skipped the network logs.
- They failed to subpoena Google to verify the search.
- They failed to disclose any documentation from Cisco on whether a
Google Maps search had been executed at 1:14 on July 11th from their
In the months prior to this case, Cary Police were investigating another
murder in the area that also involved digital evidence.
- In the Harish Patel case, Cary Police executed a search warrant for
digital evidence that included standard language:
- Financial documents and financial inquiries
- Files relating to news coverage of the death of Vanlata Patel
- Files relating to methods of committing murder
- Files relating to methods of disposing of a body
- Files indicating travel, including maps
- The language of the digital evidence search warrant for Brad
Cooper's computer mirrors the standard language, except that it does not
include any reference to maps. In other words, the Cary Police
Department failed to include in the standard language the sole piece of
evidence that might tie him to the murder