Evidence of Tampering on the Computer
Brad's computer was connected to an unsecured wireless network for 27
hours. During that time, after the computer had left Brad's custody,
over 692 files were modified.
- Agent Chris Chappell and Special Agent Johnson could not specify how
they ruled out tampering for each of those 692 files.
- 251 files were deleted and created on July 16th, and 70 files were
There is even evidence of files that were changed on July 28, 2008 - the
day that Brad’s computer arrived at the FBI.
- There are indications that timestamps had been changed on that machine.
Officer Chappell testified that the last time that timestamps were set
was after Brad left his computer in the custody of the Cary Police
- Date/Time for the machine was last edited on July 15, 2008 at 21:00
- The password for Brad's user account had been changed. It was not
present in the SAM registry. It was not included in the report for the
- Chappell actually testified that he never included passwords, and gave
that as the reason it was absent. In reality, he included passwords on the
other machines he examined in this case. This password was altered after
the computer was in police custody. The change resulted in a Key Properties
Registry update for Brad Cooper's User Profile.
- Key Properties for the profile bracoope was last written on July 16,
2008 at 17:55 UTC.
- The Administrator password had also been altered.
- It was not the current local administrator password given by
- It was not set to any known previous Cisco password.
- It was uncrackable by any combination of Rainbow tables.
- Brad would not have known the Administrator password, according to
- There were three invalid login attempts on that Administrator account.
The last one included three successive attempts at 3:10 pm on July
- These login attempts do not show up in the event logs.
- This is a sign of someone else trying to log into the computer.
- There would be no reason to reset the Administrator password, as Brad
had administrator privileges under his own account.
- All internet history .dat files were modified on July 16, 2008 at 4:42
pm, after Brad had been out of his home for almost 24 hours.
Internet history files are set up by week. There is no innocent reason
for an internet history .dat file from June to be modified.
The internet history file that allegedly included the Google Maps search
was also modified at this time.
- There was an unexpected shutdown and reboot on July 12, 2008 at 1:42 pm,
when nobody was home. A login is also registered. This indicates a time
- The last event logged through the Windows System 32 Event Logging
Application is not on Tuesday July 15, or Wednesday July 16, but occurred
on Saturday July 12, 2008 at 13:43:53, immediately after this forced,
- Furthermore, the C:\CSCOADLS.log corresponds with the last time the
computer was run. These are the last entries:
- 7/12/2008 1:43:47 PM - CSCOADLS.VBS - Start of script execution
- 7/12/2008 1:43:47 PM - Ensure NS Client is enabled
- 7/12/2008 1:43:54 PM - NS Client is installed
- 7/12/2008 1:44:03 PM - Apply AD Kerberos Reg Keys if missing
- 7/12/2008 1:44:05 PM - Apply Altiris Reg Keys
- 7/12/2008 1:44:05 PM - Cleaning Log Files for CiscoTrustAgent
- 7/12/2008 1:44:05 PM - CSCOADLS.VBS - End of script execution
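The comparison made above, between the last logged activity and later file modification times, can be reproduced as a timeline check. This is an added example, not part of the original page or of any examiner's tooling; the function names and the file records are constructed for illustration, and it assumes every timestamp is expressed in the same time zone.

```python
from datetime import datetime

FMT = "%m/%d/%Y %I:%M:%S %p"  # format used by the script log quoted above

# Last entries of the script log, copied from the page.
SCRIPT_LOG = """\
7/12/2008 1:43:47 PM - CSCOADLS.VBS - Start of script execution
7/12/2008 1:43:47 PM - Ensure NS Client is enabled
7/12/2008 1:43:54 PM - NS Client is installed
7/12/2008 1:44:03 PM - Apply AD Kerberos Reg Keys if missing
7/12/2008 1:44:05 PM - Apply Altiris Reg Keys
7/12/2008 1:44:05 PM - Cleaning Log Files for CiscoTrustAgent
7/12/2008 1:44:05 PM - CSCOADLS.VBS - End of script execution
"""
# Last event-log entry as stated on the page (July 12, 2008 at 13:43:53).
EVENT_LOG_LAST = "7/12/2008 1:43:53 PM"
# Constructed file records (path, last modified); illustrative, not case data.
FILE_MTIMES = [
    ("history/week-a/index.dat", "7/16/2008 4:42:00 PM"),
    ("documents/notes.txt", "7/11/2008 9:15:00 AM"),
    ("temp/cache.tmp", "7/15/2008 10:30:00 PM"),
]

def parse_log(text):
    """Return (timestamp, message) pairs; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        stamp, sep, message = line.partition(" - ")
        try:
            entries.append((datetime.strptime(stamp.strip(), FMT), message))
        except ValueError:
            continue  # blank, truncated or differently formatted line
    return entries

def last_logged_activity(script_log, event_log_last):
    """Latest timestamp seen across both log sources."""
    stamps = [ts for ts, _ in parse_log(script_log)]
    stamps.append(datetime.strptime(event_log_last, FMT))
    return max(stamps)

def modified_after_logs(mtimes, cutoff):
    """Files whose last-modified time is later than any logged activity."""
    late = [(path, datetime.strptime(stamp, FMT) - cutoff) for path, stamp in mtimes]
    return sorted((r for r in late if r[1].total_seconds() > 0),
                  key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    cutoff = last_logged_activity(SCRIPT_LOG, EVENT_LOG_LAST)
    for path, gap in modified_after_logs(FILE_MTIMES, cutoff):
        print(f"{path}: modified {gap} after last logged activity ({cutoff})")
```

A file that lands in this list shows only that its timestamp postdates the logs that were parsed; explaining the gap still requires the other artifacts an examiner has.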