State v Bradley Cooper 04-20-2011

[less0305]

what on his Facebook page has anything whatsoever to do with what he testified to as an expert witness?

Things exactly like today happen. Someone wants to hire a company or a person and they google the company or the representative or look up their facebook or other internet sources - it's gotten lots of people fired from jobs and lots of people overlooked for jobs. If I was looking for a professional in internet security to come to my place of work and lecture my employees I certainly wouldn't hire anyone who uses a derogatory name against a class of disabled people. I certainly wouldn't hire someone who might have some unflattering pictures as their company icon or logo. He was stupid not to privacy protect his facebook page - which would make me think, hmmmm, is this guy on the ball or not, is he worth the money I'm going to pay him, or is he overblowing his abilities. You put yourself out there, you get exactly the reaction you deserve. It clearly showed this person was not the epitome of a professional you want to represent you or your client. Kurtz and Company asked for that - they should have checked out their "expert" a little closer.

 

[CyberPro]

So, are you saying that the only ones who could access and alter BC's pc is a Cisco employee? tia

Not at all. My point was that when, and only when, it is on the VPN, it is for all intents and purposes a part of the Cisco network. It is using the home network as a pathway, but it is a secure tunnel.

So, let's put it like this.

You have a wide open WiFi network in your home. No security of any kind. With this, anyone who has a WiFi device can hook up to your network and use the connection, and possibly see files on your systems. OK?

Now, same thing, same non-secure network, but one computer is on the VPN to Cisco, or any other company that uses a VPN. Now the connection from the computer connected by VPN is secure, and would have no files that the same anonymous hacker could see, because all the traffic between it and the VPN endpoint are encrypted. So even if that computer had a file share that was something like "super important secret stuff", the hacker could not see it.

BTW, VPN stands for Virtual Private Network, so it is like the Cisco network has a really long cable connecting it to wherever the computer using it is.

I won't name the company that I work for, but we are pretty big. I can connect to the VPN and see printers that I could use in China and other parts of the world, just like I was there. All part of being on the same network.

 

[unc70]

Regarding printer security, see my post a few minutes ago.

ETA: at 8:47

 

[jrb0124]

Things exactly like today happen. Someone wants to hire a company or a person and they google the company or the representative or look up their facebook or other internet sources - it's gotten lots of people fired from jobs and lots of people overlooked for jobs. If I was looking for a professional in internet security to come to my place of work and lecture my employees I certainly wouldn't hire anyone who uses a derogatory name against a class of disabled people. I certainly wouldn't hire someone who might have some unflattering pictures as their company icon or logo. He was stupid not to privacy protect his facebook page - which would make me think, hmmmm, is this guy on the ball or not, is he worth the money I'm going to pay him, or is he overblowing his abilities. You put yourself out there, you get exactly the reaction you deserve. It clearly showed this person was not the epitome of a professional you want to represent you or your client. Kurtz and Company asked for that - they should have checked out their "expert" a little closer.

His business (I think his company revenue was $500K-$1m last year) is generated through business contacts, not advertising on Facebook or the web (thus no need for a website). So he left a facebook page out there and unattended...did that hurt his business last year? obviously not. Does that discredit his testimony? obviously not as the pros had NOTHING to say about it. ZIP. The jury wants his expert testimony, not his facebook page and the fact that the pros completely ignored the bulk of his testimony in cross in fact validates that testimony - facebook page or not.

 

[Cheyenne130]

He showed a report (full report in evidence) showing examples of the timestamps all the same, with the report noting timestamp errors. He talked several times about different ways that could happen (copying files from elsewhere, the touch command, etc.) and how that would not be the case in normal operations. Most of that made it into testimony, some questions were disallowed but the problem was still "exposed" to the jurors.

Overall, a very effective job once all the pieces are assembled. Not sure quire when or how that might be done. By raising the possibility of hacking the home network, the jury can believe that tampering likely happened without also having to believe that it was done by CPD or FBI.

Or it could have been done by the user of the computer ineffectively attempting to delete incriminating files. He did not go into ALL the ways the inaccuracies could have been generated. MOO

 

[jmflu]

His business (I think his company revenue was $500K-$1m last year) is generated through business contacts, not advertising on Facebook or the web (thus no need for a website). So he left a facebook page out there and unattended...did that hurt his business last year? obviously not. Does that discredit his testimony? obviously not as the pros had NOTHING to say about it. ZIP. The jury wants his expert testimony, not his facebook page and the fact that the pros completely ignored the bulk of his testimony in cross in fact validates that testimony - facebook page or not.

We really don't know what effect FB has had on hiring in his particular case, but he seemed to have no prior experience testifying on the stand, so he wasn't in great demand as an expert witness. And I'll bet he won't be in the future, either, because companies don't want someone representing them that looks as foolish as he did when his FB page came to light today.

 

[otto]

mmmm I am sure they had them on. A left and a right each. I dunno, hat kind of shoes do tekkies usually Wear? After We Were told to not look at the jury, I pretty much didn't. Didn't you see hoW mad Gessner can get? I tend to avoid angry men.

... it's about the quality of shoes ... if you want to know what people do for a living; what they are worth ... look at their shoes.

It's not important though. The Judge has requested that we leave them alone, and I suppose we should.

 

[Cheyenne130]

I was just listening to some of yesterday's testimony with JW and now know that he did do at least some forensic work. I see no reason at all why he was barred from discussing anything that was in the FBI reports. I really think the judge made a huge mistake barring all of that.

I've done some forensic work and I'm FAR from an expert. It was a potential criminal case and I had to evaluate data on a phone. In another instance I was asked by someone being accused of inappropriate activity on a computer to evaluate his internet history and the files and times associated with it. You will never see me in a courtroom testifying as an expert.

 

[Madeleine74]

I don't know this guy's credentials or his history and I don't much care. I do not believe, nor have I seen through testimony, that anyone actually altered files on the Cooper laptop.

If someone is trying to frame Cooper through this method, they picked a really obscure and weird way to frame him. Hoping some computer expert might find a search? Hmmmm.

They would also have to be psychic and know exactly where Cooper was on July 11, and know what evidence wouldn't be found.

It's not a reasonable scenario for me.

 

[CyberPro]

Even with the USB to your system, it could still be spying on you, particularly if the wireless is still functional for the other systems. They also phone home to HP or whoever supposedly just ink levels, etc. but who knows. Then there is that "little" problem with the yellow dot watermark on everything you print or copy that is traceable to the specific printer and date and time the page was printed. Search on "EFF yellow dots" and get really paranoid.

I saw something about printer dots a few years ago, but did not follow-up with it. It would be pretty easy to get paranoid, especially with this Google Maps stuff and the hand cursor. Software is so complicated these days there is pretty much no way to know what it is all doing, saving and reporting back to the mothership unless you have a lab full of test stuff and the time to dissect it all.

One reason I would have liked to have seen an expert on the Cell phone evidence. It looked like the AT&T guy had some interesting data, and he was not qualified as an expert. I was hoping the state would follow him with an expert who could graphically relate all the cell phone stuff.

 

[dramamama]

Things exactly like today happen. Someone wants to hire a company or a person and they google the company or the representative or look up their facebook or other internet sources - it's gotten lots of people fired from jobs and lots of people overlooked for jobs. If I was looking for a professional in internet security to come to my place of work and lecture my employees I certainly wouldn't hire anyone who uses a derogatory name against a class of disabled people. I certainly wouldn't hire someone who might have some unflattering pictures as their company icon or logo. He was stupid not to privacy protect his facebook page - which would make me think, hmmmm, is this guy on the ball or not, is he worth the money I'm going to pay him, or is he overblowing his abilities. You put yourself out there, you get exactly the reaction you deserve. It clearly showed this person was not the epitome of a professional you want to represent you or your client. Kurtz and Company asked for that - they should have checked out their "expert" a little closer.

I agree and see your point. However, I was disappointed there was not more cross on his actual testimony. Perhaps the strategy was to discredit the witness and then not bother with anything more so as not to wastr the jury's time. If that was the case, i wish he had used a more neutral tone, and let the jury draw their own conclusions. The tone he used, I felt, seemed too arguementative and defensive, and could make anyone on the fence suspect he was wanting to hide something. i fear that if that was his strategy, it may have backfired on him in the eyes of some. (And Lord knows, I have had my own pictures from my college days tagged on my profile, and I delete, delete, delete!)

 

[WolfpackWoman]

I don't know this guy's credentials or his history and I don't much care. I do not believe, nor have I seen through testimony, that anyone actually altered files on the Cooper laptop.

If someone is trying to frame Cooper through this method, they picked a really obscure and weird way to frame him. Hoping some computer expert might find a search? Hmmmm.

They would also have to be psychic and know exactly where Cooper was on July 11, and know what evidence wouldn't be found.

It's not a reasonable scenario for me.

1. Computer forensics are common in just about every case now (and in 2008). Look at all of the search warrants from Cary for that year, or previous years for homicides--they all include temporary internet data. There was an article on that back when this case (and the Young case, and the Patel case) first came around. So, it's not an obscure way. It's a pretty darn good way. What's more incriminating than a map of the location? And what's easier to do as an outsider if you're going to frame a guy, especially if you believe he's guilty?

2. You don't have to be a psychic to know what was going on with BC on Friday. Just have to look at his internet history, and pick a time that's close, but doesn't overlap.

I'm not saying we saw proof today. I think the prosecution fought against that at every turn. But I am willing to listen to what they have to say before foreclosing the opportunity altogether.

 

[otto]

I agree. I do think BC is G, but I did not like his cross at all. I don't remember Kurtz ever speaking that way in cross. I was disappointed. And perhaps the FB thing was offensive, but it had nothing to do with this trial. I, too felt he was playing dirty and it undermined any points he was trying to make.

They're not at a tea party. The expert was expected to back up everything he said with credentials, professional reputation, etc. On cross, he sounded a little nervous, and his remarks about conspiracy theories on his personal webpage were unprofessional, as were his photos. There was no reason to tip toe around this man. He was an expert that should have been able to deflect everything that came his way questioning his credibility.

I think it has everything to do with this trial if he is presented as an expert, and it is discovered that he lacks credentials, has an unstable work history and has demonstrated poor judgement.

 

[Madeleine74]

If I'm someone who thinks Cooper needs to be framed, the best way to do that is to bring along something from the dump site to his house. Or one of Nancy's earrings and drop it on the floor of his house. Or some of her hair and sprinkle it in places it should be (garage, trunk of car, upstairs in his room...etc). Something physical, something that can be tested by a lab that will match the victim or tie the murder to the house...something. There is a lot to choose from.

The last thing I'm going to do is figure out how to get into his secure laptop from CSCO and try to manipulate a file timestamp in the hope that someone may find it. What if they didn't? What if that laptop got erased by CSCO? Why take that kind of chance.

Juries love to see DNA and physical evidence. That makes their eyes open wide. The CSI effect.

 

[KellyCrash]

... it's about the quality of shoes ... if you want to know what people do for a living; what they are worth ... look at their shoes.

It's not important though. The Judge has requested that we leave them alone, and I suppose we should.

My husband is quite techy geek & he shops for his shoes at Walmart/Kmart/Target. I try hard to lead him to a better quality shoe. I think he is wearing New Balances that are falling apart at the moment. I don't think shoes always tell the story.

 

[sunshine05]

I'm still reviewing the video from today, but thought I would share my initial "take-away", pretending I'm a juror and taking notes. I am female, no computer background at all, background is in science.

1) While first viewing the CSA logs:
They were looking for evidence of tampering/penetration and found an example of it, a TCP port 445 attempted connection that occurred on 7/15. It was denied.

Is time on a local machine alterable? JW: Yes.

Same event occurs several times within milliseconds. What would cause that? JW: It seems to be an automatic program.

CSA marks this resource as untrusted and shuts off any further connections.

My take-away : Someone was trying to run a program on the Cooper network on the 15th, while BC was out of the house.

Another indication of penetration/tampering: packet w/ICMP channel detected. (operation denied)

Another indication of penetration/tampering: malicious content detected on wireless interface IGMP

Take-away: These are the unexplained occurrences that even the FBI had no explanation for as they were not simply updates.

2) Registry Updates: Can indicate when a file was installed/de-installed or when someone logs on/off, programs installed and times.

Take-away: Could anything change the time settings? JW Yes, an external piece of equipment could do that. (Zellinger wouldn't let him ask much more about the registry entries.)

3) *Most Important*
Cursor files: Cursor files were shown that included creation, moderated, access and entry times/dates. The time was 1:15 on 7/11

ALL times/dates were indentical!

What could this mean? If one went to a site and nothing changed, meaning no movement, nothing done with the cursor, no activity.

Dynamic content is, if you went to a site and things were changing, like a banner or (my guess) zooming in on a map on google maps! But nothing changed. What does this mean? Since all dates/times were identical - either the person was on static content OR it is an invalid file. What is an invalid file? JW: Could be a file that has been manufactured. My takeaway: I believe Kurtz and JW showed that BC could not have been zooming in on a dynamic (movement) type of page. This shows (to me) that it appears someone DID insert that file OR BC went to the page and did not even move the cursor because the date/time stamps are identical/unchanged.

You guys can probably pick my interpretation apart because I am not a computer specialist but thought it might be interesting to hear from an average person with little computer knowledge.

 

[jrb0124]

I think it has everything to do with this trial if he is presented as an expert, and it is discovered that he lacks credentials, has an unstable work history and has demonstrated poor judgement.

He did not lack credentials for what he was qualified by the judge to testify to, just the opposite.

For what the judge did not qualify him to testify to - he had more experience than the state witness.

Unstable work history? I wouldn't characterize it as such - more like finding his niche. It's VERY common in the IT sector, and he has his own company now.

So, because he left a Facebook page unattended you believe this impeaches his expert technical credentials, and his uncontested testimony?

Did the pros question him about his credentials? no.
Did the pros question him about his expertise as a Network Security Expert? no?

 

[otto]

I would think the best way to attack credibility would be to go after his testimony. They didn't, which essentially validates his testimony. Having a Facebook page out there that he didn't pay too much attention to doesn't impreach his testimony as an expert.

I disagree. If they can discredit him as an expert, then his testimony falls with him. The expert was proven to demonstrate poor judgement. That much is obvious with his facebook page; not because it wasn't secure, but because of what he chose to put on that personal page. It was demonstrated that he has an unstable career. Sure, it can be argued that many people climb the corporate ladder by hopping across companies in the same field. 5-7 times in ten years is a little too often. That actually looks like an unstable career history. We also had the question of whether he was really a consultant for IBM, or whether he worked for them for a short time. I didn't hear about any university degrees, but perhaps I missed that.

 

[CyberPro]

Except I looked for the last three days to find a qualified forensic computer analyst regarding this data and was re-directed to the FBI each time to find someone locally with the qualifications.

This is fruit of the poisoned tree and the pros knows it.

Does not sit well with me legally. (Forget BC for a minute)

Sorry, went to the wayback machine and grabbed this post to comment on.

I have been very interested in Computer Security since the mid-80's and have followed that area pretty closely. I am aware of some of the certifications that you can get with regard to security, and some of the training available for computer security.

It seems that most of the actual Computer Forensic folks that you find either are in LE, or have a background in LE. This, I think, is largely because of why you are looking for forensic information in a computer in the first place. Evidence of a crime. If you are looking for evidence, it is because you think something criminal might have gone on in there, and in addition to finding out the nature of the loss and the potential ramifications of this loss to your business, you might have a criminal case on your hands. You can't just let Bob from Maintenance plunder around in Sue's computer because you think she has been up to no good, you need someone who understands how to test and preserve evidence... and some of these folks are GOOD at hiding their traces... others not so much.

I read a story about a guy who ran a business and had a lady working in his bookeeping department who happened to have a computer geek for a boyfriend. The owner got suspicious that they were stealing from him and had gimmicked the computer to cover it up. They were able to find that the boyfriend had written a program to skim money from the accounting program and store it in a file that was hidden in the sector records of the hard drive. Normal software would not look for data in that area, but with special tools they were able to examine that area and the slack space in the drive and find the theft.

Point being that it might be true that it would be hard to find a non-LE expert to testify for the Defense, but a true expert should be dedicated to the profession, not their former LE community.

 

[dramamama]

I was doing some reading on timestamp syncing system-wide on a computer last night, and I am by no means any expert, but it seemed that the consensus was with all the focus on computer forensics now, it needed to be a higher priority with software developers. From what I understand, sometimes when automatic updates are done, not every file is necessarily updated as syncing with the update as it relates to specific software and processes, etc.

I also found an interesting article regarding timestamp tampering, and how to detect.

http://www.forensickb.com/2009/02/detecting-timestamp-changing-utlities.html

Again, I am no expert, but I know how to get around pretty well, including the registry, which was discussed today. I find myself needing to research online the questioning, as I feel i don't get enough information. It seems like the prosecution could put this tampering issue to rest if they just answered some of the unanswered questions that confuse the non-techies like me, who are unable to draw any inferences from the testimony alone.