I've been thinking about this lately, since it looks like another trial will be coming up. I did some research on the proof of tampering claims made by various sources. Here's what I found.
Timestamps are equal down to the millisecond
Kurtz says, "There's no way possible to have the same first-time-created and last-accessed timestamp down to the microsecond. That's the difference between artifact and artwork. That's artwork." This is entirely untrue. When a file is created, all the timestamps are set to exactly the same time, every time. In fact, when the modify time is equal to the create time, it is an indication that the file is original and not copied from another location.
Source:
http://www.csis.hku.hk/cisc/forensics/papers/RuleOfTime.pdf
Attempted Access found in CS Agent Logs
Logs from the CS Agent showed inbound TCP connections that were rejected. Claims have been made that this is someone attempting to break in to the laptop. The testimony of Agent Chappell reveals these attempts were to port 445, which is used for SMB file sharing. If you Google search "inbound tcp connection port 445" you'll get millions of hits. This is a very common thing. This can be a friendly user scanning for computers nearby to share files, or an infected device with a worm. In either case, CSAgent blocked the connection. In no case is this an indication of a hacker singling out one laptop trying to plant evidence.
Source:
http://www.linklogger.com/TCP445.htm
Order of MFT Entries
One way digital forensic analysts find evidence of timestamp tampering is by looking at the order of entries in the MFT. If 100 files are created, we will expect to see them in order in the MFT. If someone adds 100 more files and then changes the timestamps to predate the first batch, it will look suspicious, as the older-dated files come after the newer-dated files. Agent Chappell testified that the MFT was in order and that was how he ruled out tampering. If the search files were installed on the computer later with forged timestamps, then thousands of entries in the MFT would need to be moved to maintain the order.
Source:
https://blogs.sans.org/computer-for...rensics-and-Incident-Response-Poster-2012.pdf
All Internet History Files were modified
The Internet history files on Brad's computer were modified at a time when he was out of the house. The claim is that this is evidence of tampering. There is a simple explanation however.
Internet Explorer keeps a set of history files. There are daily files, weekly files, and monthly files. Periodically, the daily files are swept into a weekly file, and weekly files are swept into monthly files. It is very normal for Internet history files to be modified.
Source:
http://www.forensicswiki.org/wiki/Internet_Explorer_History_File_Format
No Cookie for the search
Google stores a number of cookies on your computer when you use it. There's one for ad tracking, one for preferences, one for account information, and so on. There is not one per search; it is one per user for each purpose. The cookies are updated by Google when web pages are used in certain ways. If a cookie is deleted, you get a new one next time you go to Google.
In 2008, apparently, Google had 9 different cookies for different purposes.
If someone were to open a browser and look for Google cookies and one of them were missing, then one of two things must be true: either this browser has never been to the Google site before, or a cookie was deleted. Certainly Brad had used Google before. Therefore, proof positive that a Google cookie was deleted. Proof positive that someone tried to destroy or hide digital evidence on the laptop. (Or was running in private browsing mode, which deletes cookies.) The missing cookie is proof that Brad tried to cover his tracks. It is not proof that 592 files were "dropped" on the laptop.
Source:
https://www.google.com/policies/technologies/types/
So, much of the information about the file tampering in this case is in fact misinformation. Kurtz did an amazing job creating the appearance of tearing down the technical witnesses on the stand, but the theories do not hold water. The new defense attorneys won't be able to repeat this performance.
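One way to implement the MFT-order check described in the "Order of MFT Entries" section, as an added example that is not part of the original post: the record numbers and creation timestamps below are constructed, and the min_run threshold is an assumption, used so that the ordinary reuse of a single freed record number is not reported as tampering.

```python
from datetime import datetime

# Constructed sample: (MFT record number, $STANDARD_INFORMATION created time).
# Records 10..14 are an in-order batch; records 15..17 were allocated later
# but carry creation timestamps that predate the first batch (a backdated batch).
SAMPLE = [
    (10, datetime(2008, 7, 10, 9, 0, 0)),
    (11, datetime(2008, 7, 10, 9, 0, 5)),
    (12, datetime(2008, 7, 10, 9, 1, 0)),
    (13, datetime(2008, 7, 10, 9, 2, 0)),
    (14, datetime(2008, 7, 10, 9, 3, 0)),
    (15, datetime(2008, 7, 1, 12, 0, 0)),
    (16, datetime(2008, 7, 1, 12, 0, 1)),
    (17, datetime(2008, 7, 1, 12, 0, 2)),
]


def find_backdated_runs(entries, min_run=2):
    """Return [(first_record, last_record, count), ...] for runs of consecutive
    MFT records whose created time is earlier than the latest created time seen
    at any lower record number.

    A single inversion is normal on a live volume (record numbers are reused
    after deletion), so only runs of at least min_run records are reported.
    min_run is an assumed threshold, not a fixed forensic rule.
    """
    runs = []
    high_water = None  # latest creation time seen so far, by record order
    run = []
    for rec, created in sorted(entries):  # walk records in MFT order
        if high_water is not None and created < high_water:
            run.append(rec)  # this record predates an earlier record
            continue
        if len(run) >= min_run:
            runs.append((run[0], run[-1], len(run)))
        run = []
        high_water = created if high_water is None else max(high_water, created)
    if len(run) >= min_run:
        runs.append((run[0], run[-1], len(run)))
    return runs


if __name__ == "__main__":
    for first, last, count in find_backdated_runs(SAMPLE):
        print(f"records {first}-{last}: {count} consecutive backdated entries")
```

On real data the same walk runs over every record of the parsed MFT, and a long run of inversions at the end of the table is the pattern the section describes.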