This is a response to a blog post from another site made today.
A summary of computer-related facts:
Cary Police neglected to follow forensic protocols: the computer was left on and connected to the internet for 27 hours while in police custody.
The Cary Police followed their protocol: seal the crime scene until a trained detective gets there. The computer was left exactly as Brad left it, until a computer-trained detective arrived to collect it. The computer was inside the house, the house was sealed with yellow tape and kept under guard. The computer remained powered on with the screen and keyboard locked, and with the network secured by VPN.
During that 27-hour time frame, close to 700 files were altered and they were not all due to normal updates. Included were internet history files and email archives.
The updates were normal updates pushed from Cisco through the VPN. Normal updates include software updates, automated backups, automated email downloads, and defragmentation.
The computer wasn't hashed until August 22nd, 08, so files could have been planted on the computer anytime up until that point.
ok
All of the timestamps associated with the search were invalid, 100% of them, compared to only 2% over the lifetime of the computer.
There were 8 timestamps associated with each file. 7 of the 8 were valid and indicated that Friday afternoon. One was reported "invalid". No testimony was given on what was invalid about it.
The Cary Police neglected to subpoena Google for the cookie data on the computer, even though it is a common thing for law enforcement to do to verify that files originated from the computer being investigated. Even cookies from after the search could have provided the browsing history.
ok
Cary Police never requested verification of the search through the Cisco routers.
Routers do not store logs of packet routing.
No cookie exists for the alleged search. This is suspicious because it is the only type of file that cannot be manufactured.
Or, it means that private browsing was used, or it means that Brad erased it.
Cary police waited until after the Google Privacy policy expired to give the defense access to the computer and files, making it too late for the defense to contact Google to obtain the metadata on the cookies.
ok
No cookie exists but the temporary internet files were there. There is no explanation why anyone would take the time to delete the cookies but leave the temporary internet files.
Use of private browsing is one explanation.
Cookies for other searches were found on the computer.
Private browsing turned off is an explanation for that. Turning private browsing on and off regularly is normal for that feature.
The alleged search lasted a total of 42 seconds, not long enough to locate a site to place a body.
I suggest the plan was in place for at least a week and he had searched this area before. Who knows what he was thinking: second thoughts, mental rehearsing? Certainly the planning did not begin on Friday morning.
The script that pushes software updates to a company's computers would use the administrator's password. It would be normal for this password to be changed remotely as part of an update.
Time/date and timestamps were changed while the computer was in police custody.
That would be normal due to the normal automated processes: backups, downloads, defrags, and updates.
The prosecutors used national security concerns as a reason not to share the MFT and file extraction methods with the defense team so that their own experts could duplicate the file extraction.
The judge ruled that the MFT did not have to be handed over, but the prosecution handed it over anyways. The MFT was on the evidence table for the jury to see, and GM's PowerPoint slides on the MFT were part of defense closing arguments.
Chain of custody documentation is unclear.
ok
All told, to sum up: everything is normal, or it is just saying the police didn't do a thorough enough job collecting data. I wish they had gotten more data from Google... I'll bet there would have been searches on choking, decomposition, and cleaning. He got those things right.