Justice for Brad

Computer Evidence

Evidence of Tampering on the Computer

Brad's computer was connected to an unsecured wireless network for 27 hours. During that time, after the computer had left Brad's custody, over 692 files were modified.

  • Agent Chris Chappell and Special Agent Johnson could not specify how they ruled out tampering for each of those 692 files.
  • 251 files were deleted and created on July 16th, and 70 files were newly created. There is even evidence of files that were changed on July 28, 2008 - the day that Brad’s computer arrived at the FBI.
  • There are indications that timestamps had been changed on that machine. Officer Chappell testified that the last time that timestamps were set was after Brad left his computer in the custody of the Cary Police Department.
    • Date/Time for the machine was last edited on July 15, 2008 at 21:00 UTC.
  • The password for Brad's user account had been changed. It was not present in the SAM registry. It was not included in the report for the computer.
  • Chappell testified that he never included passwords, and gave that as the reason it was absent. In reality, he included passwords on the other machines he examined in this case. This password was altered after the computer was in police custody. The change resulted in a Key Properties Registry update for Brad Cooper's User Profile.
    • Key Properties for the profile bracoope was last written on July 16, 2008 at 17:55 UTC.
  • The Administrator password had also been altered.
    • It was not the current local administrator password given by Cisco.
    • It was not set to any known previous Cisco password.
    • It was uncrackable by any combination of Rainbow tables.
    • Brad would not have known the Administrator password, according to Cisco.
  • There were three invalid login attempts on that Administrator account. The last one included three successive attempts at 3:10 pm on July 15th.
    • These login attempts do not show up in the event logs.
    • This is a sign of someone else trying to log into the computer.
  • There would be no reason to reset the Administrator password, as Brad had administrator privileges under his own account.
  • All internet history .dat files were modified on July 16, 2008 at 4:42 pm, after Brad had been out of his home for almost 24 hours. Internet history files are set up by week. There is no innocent reason for an internet history .dat file from June to be modified. The internet history file that allegedly included the Google Maps search was also modified at this time.
  • There was an unexpected shutdown and reboot on July 12, 2008 at 1:42 pm, when nobody was home. A login is also registered. This indicates a time change.
  • The last event logged through the Windows System 32 Event Logging Application did not occur on Tuesday July 15 or Wednesday July 16, but on Saturday July 12, 2008 at 13:43:53, immediately after this forced, unexpected reboot.
  • Furthermore, the C:\CSCOADLS.log corresponds with the last time the computer was run. These are the last entries:
    • 7/12/2008 1:43:47 PM - CSCOADLS.VBS - Start of script execution
    • 7/12/2008 1:43:47 PM - Ensure NS Client is enabled
    • 7/12/2008 1:43:54 PM - NS Client is installed
    • 7/12/2008 1:44:03 PM - Apply AD Kerberos Reg Keys if missing
    • 7/12/2008 1:44:05 PM - Apply Altiris Reg Keys
    • 7/12/2008 1:44:05 PM - Cleaning Log Files for CiscoTrustAgent
    • 7/12/2008 1:44:05 PM - CSCOADLS.VBS - End of script execution