I'm still reviewing the video from today, but thought I would share my initial "take-away", pretending I'm a juror and taking notes. I am female, no computer background at all, background is in science.
1) While first viewing the CSA logs:
They were looking for evidence of tampering/penetration and found an example of it, a TCP port 445 attempted connection that occurred on 7/15. It was denied.
Is time on a local machine alterable? JW: Yes.
Same event occurs several times within milliseconds. What would cause that? JW: It seems to be an automatic program.
CSA marks this resource as untrusted and shuts off any further connections.
My take-away: Someone was trying to run a program on the Cooper network on the 15th, while BC was out of the house.
Another indication of penetration/tampering: packet w/ICMP channel detected. (operation denied)
Another indication of penetration/tampering: malicious content detected on wireless interface IGMP
Take-away: These are the unexplained occurrences that even the FBI had no explanation for as they were not simply updates.
2) Registry Updates: Can indicate when a file was installed/de-installed or when someone logs on/off, programs installed and times.
Take-away: Could anything change the time settings? JW: Yes, an external piece of equipment could do that. (Zellinger wouldn't let him ask much more about the registry entries.)
3) *Most Important*
Cursor files: Cursor files were shown that included creation, moderated, access and entry times/dates. The time was 1:15 on 7/11.
ALL times/dates were identical!
What could this mean? If one went to a site and nothing changed, meaning no movement, nothing done with the cursor, no activity.
Dynamic content is, if you went to a site and things were changing, like a banner or (my guess) zooming in on a map on Google Maps! But nothing changed. What does this mean? Since all dates/times were identical - either the person was on static content OR it is an invalid file. What is an invalid file? JW: Could be a file that has been manufactured. My takeaway: I believe Kurtz and JW showed that BC could not have been zooming in on a dynamic (movement) type of page. This shows (to me) that it appears someone DID insert that file OR BC went to the page and did not even move the cursor because the date/time stamps are identical/unchanged.
You guys can probably pick my interpretation apart because I am not a computer specialist but thought it might be interesting to hear from an average person with little computer knowledge.
That's a good summary and demonstrates the reasonable doubt created by JW's testimony, although he was not allowed to testify directly to it.
This is why I believe it is significant that the pros did not ask him a single question about any of this - and there are 2 reasons IMO:
1) they could not impeach his testimony
2) they were afraid to open doors they preferred to keep shut, yet did so at the expense of compromising the integrity of their prize evidence.