April 22 weekend of Sleuthiness

[ncsu95]

Okay, take this with a grain of salt, but here is MOO:

This timestamp and intrusion is all smoke and mirrors.

http://www.bizforum.org/whitepapers/cisco-6.htm

Port 445 is for file sharing amongst. If you are trying to file share on a local network, away from Cisco, they may not be able to stop the actual intursion into the network, however, the Cisco Security Agent will prevent the actual file sharing over that port. So it is possible that BC took a home pc, or who knows what on his local connection, bc he would be unable to use the cisco connection without a cisco computer and the csa software, but because he allowed file sharing, and his computer COULD use the local network, there was still no way to share the files over the LAn becasue the CSA would prevent that. So it could appear that someone "hacked" into the system, yet were denied the file sharing over port 445. i would need more infor on the time stamp inconsistincies, and how it could relate to this, but it seems brad was trying to move that file to a different computer.

So, what are your thoughts techies?

The laptop was under police control at that time.

 

[RoughlyCollie]

OMG, he's adorable! I have so much wanted a little dog for such a long time now. I've always had big dogs, but I really want a little fella.

The breeder we went to had the smallest Yorkie I have ever seen -- she weighed only 2.5 lbs. and was 3 years old. At first, she didn't seem like a dog to me (more like a windup toy), but I treated her like a dog anyway, and sure enough, she was one! She had another pet dog of a breed I had never seen, a Coton De Tulear - very cute, small, nonshedding, with hair that felt like silk.

Aidan will be about 50 lbs when he grows up, according to the vet. He weighs 17.5 lbs. now and has gained 7 lbs and 3" in height since we got him a month ago.

It does feel like we have a little dog right now, and it's nice to be able to pick him up and carry him around. He is so darned cute and extroverted and full of tricks that he keeps us laughing.

We had a Collie, until he died of cancer in February. I prefer big dogs, but our kids did not want another Collie. In a couple of years, I want to get an adult one, though. As cute as puppies are, they are a lot of work!

 

[NCEast]

It is sort of like trying to solve an equation when you are given several different equations with several different variables but you aren't told which ones go with which problem.

These 3 attempts were within milliseconds of each other. That sounds like an automated program. If this was the testimony they talked about with JW where they also had that 10. address, that would sound like something coming over automatically on the Cisco network, not the Time Warner home network.

The best course of action is to make it very simple for the jurors and put it into simple language. The problem is that delving into the underlying files of a computer definitely do not lend themselves to any simple explanation and it's easy to "make a point that isn't really a point". I know that when JW was testifying, at least twice he made mention of how simple it was to do what he was doing. No special skills necessary. And then he started using the "alphabet soup" of terms and words that just aren't familiar to everyday people. It reminds me of times I would try to explain something to my husband that I considered very simple. I would finish my explanation and he would look at me and say, "I have no idea what you just said".

My bottom line assessment and this is without being in the courtroom and not even hearing all of the testimony that has been broadcast: I believe Brad did that search and it was found on his computer. I believe the defense will try to confuse the issue to the point where they will (in their hopes) get reasonable doubt out of at least one juror and obviously hopefully more jurors. If they can get the jurors to believe that the state side would do something so unbelievably devious, they can try to get them to look with suspicion on the entire case presented by the state. MOO

You absolutely know computer technology and if you feel that Brad did the search that's good enough for me.
We have said so many times in this case that there are no coincidences.
I'll also stick by my guns that if the CPD were so inept that they did very little right, especially in the early stages of this case, I cannot very easily seeing them with the forethought and wherewithal to tamper with, delete from, or place evidence on any of Brad's computers or cell phones.

 

[SleuthinNC]

One more bit of testimony I'd love to hear from the techies on, from Ward's direct:
K- You heard Det. Chappell's testimony yesterday, with regard to cursors.
W-Yes.
K-Are all the date stamps with the open hand cursor the same?
W-Yes.
K-Are all the closed hand cursor time stamps the same?
W-Yes.
Z-Objection! Sustained by G.
K-What do files that are created and modified at the same time mean?
W-Either the content is static or it is not a valid file--in other words a manufactured file.
K-Is the opposite of static dynamic?
W-Yes.
K-With dynamic content, what would you expect to see w/regard to timestamps?
K-How could all time stamps be the same?
W-Only if you didn't interact with the page.
K-Are you able to tell if these files were interacted with?
Z-Objection! Sustained by G

Okay, techies--what are your thoughts? TIA

This one is easier. When you go through the process of doing a google maps search, then zoom, scroll to the right, zoom again, etc. Let's say it takes you 41 seconds to do that. You would expect to see the files created while you are doing that process to have timestamps that are different within the range of that 41 seconds which correspond to the actual time the snapshot of what you are looking at each phase of the process is taken.

 

[NCEast]

The laptop was under police control at that time.

But Brad wasn't so is it possible that he could have 'made' it do something remotely? I know this has been asked previously but I don't recall the answer or if there was an answer?

 

[unc70]

By chance another Gov's School East Alum?

Kelly

No, I was there in 1964 when there was just The Governors School. Only one location. That was just the second year.

BTW we really need to get a decent alumni group in gear to financially support the school so it can remain open. IMNSHO.

 

[sunshine05]

One more bit of testimony I'd love to hear from the techies on, from Ward's direct:
K- You heard Det. Chappell's testimony yesterday, with regard to cursors.
W-Yes.
K-Are all the date stamps with the open hand cursor the same?
W-Yes.
K-Are all the closed hand cursor time stamps the same?
W-Yes.
Z-Objection! Sustained by G.
K-What do files that are created and modified at the same time mean?
W-Either the content is static or it is not a valid file--in other words a manufactured file.
K-Is the opposite of static dynamic?
W-Yes.
K-With dynamic content, what would you expect to see w/regard to timestamps?
K-How could all time stamps be the same?
W-Only if you didn't interact with the page.
K-Are you able to tell if these files were interacted with?
Z-Objection! Sustained by G

Okay, techies--what are your thoughts? TIA

Yes, I posted about this the other day. unc70 was the only person who commented but, to me this showed without doubt that this could not have been a dynamic search (such as zooming in on something).

The time stamp discussion of the cursor files begins at the very end of day 30/tape 2 but most of it is beginning on day 3. The thing that JW mentions at the end of day 2 is that generically (not even referencing the FBI logs), any movement with the cursor would generate incremented time stamps. He said it is impossible for the times to not change.

http://www.wral.com/specialreports/nancycooper/video/9474261/#/vid9474261

Here, at the beginning you can see a close up of the logs they are discussing.

 

[Cheyenne130]

You absolutely know computer technology and if you feel that Brad did the search that's good enough for me.
We have said so many times in this case that there are no coincidences.
I'll also stick by my guns that if the CPD were so inept that they did very little right, especially in the early stages of this case, I cannot very easily seeing them with the forethought and wherewithal to tamper with, delete from, or place evidence on any of Brad's computers or cell phones.

I appreciate that but I only sort of know what I'm talking about. I saw nothing of what the two state experts testified about obviously. FullDisclosure has provided some excellent notes but even that is out of context with pieces missing. (No fault to you FD. Your notes are wonderful!) I saw most of JW's testimony and what he was saying wasn't wrong. It just wasn't a complete picture. No offense to him. The defense didn't want him to give a complete picture and phrased their questions to get in only the information they wanted to raise that reasonable doubt. It is only my opinion and I'm not even close to being the expert of others here.

 

[unc70]

But Brad wasn't so is it possible that he could have 'made' it do something remotely? I know this has been asked previously but I don't recall the answer or if there was an answer?

Not likely. I believed that those particular attempts were coming through the wired, not the wireless, network connection.

 

[FullDisclosure]

Yes, I posted about this the other day. unc70 was the only person who commented but, to me this showed without doubt that this could not have been a dynamic search (such as zooming in on something).

The time stamp discussion of the cursor files begins at the very end of day 30/tape 2 but most of it is beginning on day 3. The thing that JW mentions at the end of day 2 is that generically (not even referencing the FBI logs), any movement with the cursor would generate incremented time stamps. He said it is impossible for the times to not change.

http://www.wral.com/specialreports/nancycooper/video/9474261/#/vid9474261

Here, at the beginning you can see a close up of the logs they are discussing.

I remember those posts, sunshine! Forgive me for not posting this earlier. After going to court all day, it's all but impossible to catch up here, and not a bit of time to actually post if I want to catch up reading. I got the same thing you did from that testimony. I'll add that my perspective from inside the courtroom that day, not only was Boz objecting over and over, but he was about to jump out of his skin! Then when he didn't try to impeach Ward's testimony at all, but went down the facebook road, I was pretty much convinced that something was amiss.
I've spent the last few days mulling and digesting, because it just gets curiouser and curiouser from where I sit.

 

[sunshine05]

I remember those posts, sunshine! Forgive me for not posting this earlier. After going to court all day, it's all but impossible to catch up here, and not a bit of time to actually post if I want to catch up reading. I got the same thing you did from that testimony. I'll add that my perspective from inside the courtroom that day, not only was Boz objecting over and over, but he was about to jump out of his skin! Then when he didn't try to impeach Ward's testimony at all, but went down the facebook road, I was pretty much convinced that something was amiss.
I've spent the last few days mulling and digesting, because it just gets curiouser and curiouser from where I sit.

No apology necessary at all. I really appreciate hearing the notes from court, especially the really important stuff like this! So thank you!

 

[unc70]

I appreciate that but I only sort of know what I'm talking about. I saw nothing of what the two state experts testified about obviously. FullDisclosure has provided some excellent notes but even that is out of context with pieces missing. (No fault to you FD. Your notes are wonderful!) I saw most of JW's testimony and what he was saying wasn't wrong. It just wasn't a complete picture. No offense to him. The defense didn't want him to give a complete picture and phrased their questions to get in only the information they wanted to raise that reasonable doubt. It is only my opinion and I'm not even close to being the expert of others here.

It wasn't the Defense that was trying to keep information out. They were having to phrase things in convoluted ways in order to get their questions allowed by the Judge given his strange and restrictive ruling about what him was off limits wrt the FBI analysis of BC's computer.

K did not want to have to go such an indirect route. I believe JW did a report that was not allowed into evidence, at least without a rewrite.

 

[sunshine05]

I appreciate that but I only sort of know what I'm talking about. I saw nothing of what the two state experts testified about obviously. FullDisclosure has provided some excellent notes but even that is out of context with pieces missing. (No fault to you FD. Your notes are wonderful!) I saw most of JW's testimony and what he was saying wasn't wrong. It just wasn't a complete picture. No offense to him. The defense didn't want him to give a complete picture and phrased their questions to get in only the information they wanted to raise that reasonable doubt. It is only my opinion and I'm not even close to being the expert of others here.

No way. Defense wanted to ask point blank questions about this but the state would not allow it because of the "forensic analysis" component. I'm sure you remember all the objections. At least that's the way I saw it. I don't believe defense is trying to hide anything here about these files at all.

 

[dramamama]

One more bit of testimony I'd love to hear from the techies on, from Ward's direct:
K- You heard Det. Chappell's testimony yesterday, with regard to cursors.
W-Yes.
K-Are all the date stamps with the open hand cursor the same?
W-Yes.
K-Are all the closed hand cursor time stamps the same?
W-Yes.
Z-Objection! Sustained by G.
K-What do files that are created and modified at the same time mean?
W-Either the content is static or it is not a valid file--in other words a manufactured file.
K-Is the opposite of static dynamic?
W-Yes.
K-With dynamic content, what would you expect to see w/regard to timestamps?
K-How could all time stamps be the same?
W-Only if you didn't interact with the page.
K-Are you able to tell if these files were interacted with?
Z-Objection! Sustained by G

Okay, techies--what are your thoughts? TIA

ETA-I really do think I understood this testimony. I just want to know what the real tech gurus came away with.

if you moved the file to another folder or directory, then the created and modified would be the same time. If you copy a file, then they would be different.

I am not sure what utility he used to save the file as a .bmp. But with certain imaging programs, you can save a set of tiles as static content, and then specify when you open them to be dynamic and opened as another file type. Make sense?

 

[Cheyenne130]

It wasn't the Defense that was trying to keep information out. They were having to phrase things in convoluted ways in order to get their questions allowed by the Judge given his strange and restrictive ruling about what him was off limits wrt the FBI analysis of BC's computer.

K did not want to have to go such an indirect route. I believe JW did a report that was not allowed into evidence, at least without a rewrite.

I believe that the defense added an additional computer expert to the list. Hopefully I'll have a chance to listen to that testimony, direct and cross. I think that will give a much clearer picture.

 

[dramamama]

If I remember correctly, the time of those attempts were after the computer was in CPD custody, along with the house and other computers. I recall that Brad is accounted for this entire time and could not have been the one breaking in via wireless or otherwise.

IMNSHO

But where did he go is the question? The computer was powered on for hours to maintain it's preservation. They have said unless CPD had a password, they couldn't open the computer. It does not mean he did not access his computer remotely, using port 445, if file sharing was available and try to move those files himself....

 

[sunshine05]

if you moved the file to another folder or directory, then the created and modified would be the same time. If you copy a file, then they would be different.

I am not sure what utility he used to save the file as a .bmp. But with certain imaging programs, you can save a set of tiles as static content, and then specify when you open them to be dynamic and opened as another file type. Make sense?

But the user doesn't save the files from my understanding. Google maps places these files in the TIF automatically so that maps can be zoomed in from them. This is a red flag in this case because it is NOT supposed to be a .bmp file. Google maps TIF cursor files are .cur.

Correct me if I'm wrong techies.

 

[dramamama]

This one is easier. When you go through the process of doing a google maps search, then zoom, scroll to the right, zoom again, etc. Let's say it takes you 41 seconds to do that. You would expect to see the files created while you are doing that process to have timestamps that are different within the range of that 41 seconds which correspond to the actual time the snapshot of what you are looking at each phase of the process is taken.

unless you copy the files to another utility as a bmp file?

 

[LyndyLoo]

But where did he go is the question? The computer was powered on for hours to maintain it's preservation. They have said unless CPD had a password, they couldn't open the computer. It does not mean he did not access his computer remotely, using port 445, if file sharing was available and try to move those files himself....

Do you mean by usin his BlackJack Cell Phone, which happen to also be his work phone. and internet capabilities.?...Anything is possible I guess??

 

[dramamama]

Not likely. I believed that those particular attempts were coming through the wired, not the wireless, network connection.

but if one of the computers had a remote desktop enabled, he could have signed in from another computer and used the wired connection at his house.