Quote :

"But he claimed to be asleep in his daughters bedroom at 10pm. I dont recall him saying ever that he was on his computer that night."

My router stays on and connected to the internet 24/7, whether I'm home or away, asleep or awake, on the computer or not. I don't think router activity necessarily contradicts him being asleep.

Where's the evidence the router was in use the next morning?

I'm also curious if there's sufficient information to physically place the router in his home.

[Edited on April 30, 2011 at 2:44 PM. Reason : ]

4/30/2011 2:43:50 PM

Quote :

"^ that fits your theory very nicely then. [Edited on April 30, 2011 at 2:39 PM. Reason : seems like everything you bring up only fits your theory. how convenient..]"

Notice how he neglected to comment on the post that tore his theory to shreds.

4/30/2011 2:53:56 PM

What's wrong with having a theory?

4/30/2011 5:21:01 PM

A man shouldn't be convicted for murder based on a "theory" instead of facts.

4/30/2011 6:03:05 PM

Quote :

"I'm also curious if there's sufficient information to physically place the router in his home."

That's the crucial point isn't it? I believe that is why the IP address conflict is the important fact here.

At this point I have to admit I looked up the websleuths site and started reading. Buried among the necklace discussion and the nancy had no money discussion I found this:

Quote :

"The thinkpad would be set to use dhcp, which means it is dynamically assigned an IP address by the home router (not the 3825). If the 3825 was connected when the thinkpad wasn't, it could have been assigned the IP address the thinkpad usually gets. Then the thinkpad, when it connects, could try to obtain the same IP address, but would be told that there is a conflict with the 3825 since it already has that address. Of course, I could be way off on this, so somebody please correct me if I am wrong. If this is what happens, it would explain why there was only 1 event log. Since the thinkpad would then get a different IP address, there wouldn't be future conflicts with the 3825. So, theoretically (again, someone correct me if I am wrong), he plugged the 3825 into the network the night of the 11th, then turned his laptop on, which had the conflict and needed to get a new IP address via dhcp. Then you wouldn't see anything else about the 3825 because both would now have valid IP addresses. "

Perhaps one of you network engineers out there can chime in?

4/30/2011 6:05:15 PM

Why does it matter if there is equipment in the home that *could* have spoofed the call, if there's no proof that the call was ACTUALLY spoofed?

And it is a good question, what would cause an IP address conflict?

[Edited on April 30, 2011 at 6:23 PM. Reason : ]

4/30/2011 6:21:37 PM

Quote :

"A man shouldn't be convicted for murder based on a "theory" instead of facts."

i think he has already said that he didn't think they had proved anything beyond a reasonable doubt, just that he thought he did it.

4/30/2011 6:27:49 PM

^I missed the first part of that. But if that's the case, I can understand that. I on the other hand, think the prosecution is a bunch of lying fuckers, and the guy is innocent.

4/30/2011 6:32:16 PM

Quote :

"The thinkpad would be set to use dhcp, which means it is dynamically assigned an IP address by the home router (not the 3825)."

IMO, This is likely so.

Quote :

"If the 3825 was connected when the thinkpad wasn't, it could have been assigned the IP address the thinkpad usually gets. Then the thinkpad, when it connects, could try to obtain the same IP address, but would be told that there is a conflict with the 3825 since it already has that address. Of course, I could be way off on this, so somebody please correct me if I am wrong. If this is what happens, it would explain why there was only 1 event log. Since the thinkpad would then get a different IP address, there wouldn't be future conflicts with the 3825. So, theoretically (again, someone correct me if I am wrong), he plugged the 3825 into the network the night of the 11th, then turned his laptop on, which had the conflict and needed to get a new IP address via dhcp. Then you wouldn't see anything else about the 3825 because both would now have valid IP addresses."

This is unlikely, IMO. The DHCP lease would, more than likely, have kept the list of the previous MAC address associated to it, such that, plugging in a 3825 would have given it a different IP address. Of course, since the dunderheads at CPD didn't actually get any of the router information, it is difficult to tell how long the DHCP lease was previously set for to prove/disprove this theory.

PLUS, the IP address that showed the "Conflict" was an IP address that you'd not expect to find on a home network. Lastly, the MAC address that is reporting the conflict is (supposedly) actually showing the MAC of the router chassis and not the actual MAC address of the interface that holds this conflicting IP address.

Certainly, I don't know everything there is to know about Cisco Routers, but that's surely odd to me.

Quote :

"I on the other hand, think the prosecution is a bunch of lying fuckers, and the guy is innocent. not guilty."

THIS!

5/1/2011 12:56:11 PM

OMF DUBBLE POAST!!1

Quote :

"And it is a good question, what would cause an IP address conflict?"

1. Vista being extremely buggy

2. A system administrator assigns two computers on the LAN the same static IP address.

3. A system administrator assigns a computer a static IP address within the local network's DHCP range (dynamic IP range), and the same address is automatically assigned by the LAN DHCP server.

4. A malfunction in the network's DHCP server allows the same dynamic address to automatically be assigned to multiple computers.

5. An ISP accidentally assigns two customers the same IP address (either statically or dynamically).

6. A laptop computer is put into standby / hibernate mode and then awakened later.

7. One computer may experience an IP address conflict with itself if that computer is configured with multiple network adapters.

8. System administrators may also create IP conflicts by accidentally connecting two ports of a network switch or router to each other.

9. Virtualization software (e.g. VMWare, etc.) or other third party software randomly assigning MAC address.

10. ARP poisoning routing (APR) via a program like Cain

11. NIC teaming

IIRC, there was a hotfix released for the issue of IP address conflicts in Vista coming out of hibernation in April 2008.

and here it is: http://support.microsoft.com/kb/948363


[Edited on May 1, 2011 at 1:19 PM. Reason : ]

5/1/2011 1:13:39 PM

Points for keeping it in the scope of network security expert, and not computer forensics

Lol

[Edited on May 1, 2011 at 1:18 PM. Reason : .]

5/1/2011 1:17:51 PM

Quote :

"What's wrong with having a theory?"

we got a theory

about magic

and miracles

5/1/2011 1:26:38 PM

LOL, nice one.

What's so fucking absurd is that what the prosecution is asking CFry to do (and the judge is allowing) is the EXACT same circumstances that I was denied the ability to testify to:

Using the FBI extracted and created results to form an opinion as to if the fucking Google map evidence was legitimate. It is NOT, BTW, and trivially provable.

I guess FB pics and posts (which, BTW, the prosecution flat out lied to the judge about having gotten that morning - again, trivially provable) undermines any credibility and testimony that I would have given - despite having ANOTHER independent 3rd party confirm the findings himself.

Know what the actual "certification" for FTK is? It requires ZERO training and it's a 90 question, untimed test. Once you finish that, you're "certified". Absolutely absurd, which makes it so much funnier to me.

That the FBI testified that there was no malware and they didn't see anything untoward regarding tampering of files indicates that either: they have no fucking clue what they are actually looking at and testify only to the reports that the FTK program generates or they are flat out lying.

I'll certainly give them every benefit of the doubt and chalk it up to the fact that they actually have zero clue about Windows internals and what actually looks suspicious. I guess it's the difference of actually having a clue as to what you're looking at/for and using a tool and relying on it.

5/1/2011 1:28:01 PM

We know... hopefully this other dude masucci or whatever gets his chance to do his thing.

5/1/2011 1:31:21 PM

I could be wrong here, but if the google maps search files were dropped on the thinkpad would it have to have be done in the 27hrs before the computer was shut down/disconnected from the docking station? I suppose my question assumes that whoever took control of the laptop at that point imaged the hard drive immediately and I seem to remember hearing that wasnt done...

Another ignorant question, could the meta data for a file be edited somehow? Or say if the system clock on a computer anywhere between the end user and the google maps server was set to say, the year 2300... you see where I am going here.

5/1/2011 3:04:05 PM

Are you suggesting BC could have faked the files himself?

---

Never noticed until today, but Dillard Drive behind Lowe's has been adopted "In memory of Nancy Cooper".

5/1/2011 3:15:50 PM

^ Are they keeping it clean? I hate when there's an adopted road that had litter strewn all over it.

5/1/2011 4:09:52 PM

There were some shoes and what looked like a router lying next to the curb.

5/1/2011 5:28:15 PM

^Ahahah. That's fantastic.

5/1/2011 5:31:28 PM

Quote :

"I could be wrong here, but if the google maps search files were dropped on the thinkpad would it have to have be done in the 27hrs before the computer was shut down/disconnected from the docking station? I suppose my question assumes that whoever took control of the laptop at that point imaged the hard drive immediately and I seem to remember hearing that wasnt done... "

You are mistaken. It's a trivial matter to remove the hard drive, put it in another computer and mount it with an alternate OS and move files to it at ANY time. I showed how this could be done in one of the videos I made for my testimony.

As a matter of fact, doing so would (you guessed it), cause the Standard Information Entry date to show "Invalid Timestamp" because the MFT would have NO record of it ever being on the system. You would necessarily have to change that value with another program. HAY, GUISE, guess what? ALL of the Google Maps had Standard Information Entry "Invalid Timestamps"!!1

It would ONLY have to be done before the machine was hashed, which thankfully for the FBI, they didn't go on about the MD5 hash, which would have been blown out of the water with a quickness.

Quote :

"Another ignorant question, could the meta data for a file be edited somehow? Or say if the system clock on a computer anywhere between the end user and the google maps server was set to say, the year 2300... you see where I am going here."

Yes, of course it can be and in a trivial manner.

[Edited on May 1, 2011 at 5:38 PM. Reason : ]

5/1/2011 5:36:42 PM

Quote :

"Never noticed until today, but Dillard Drive behind Lowe's has been adopted "In memory of Nancy Cooper"."

There's a second on on Piney Plains/Lochmere Drive between Cary Parkway and Tryon Road. I noticed today when I ran to HT from my boyfriend's parent's house.

[Edited on May 1, 2011 at 7:32 PM. Reason : Fjfjjd]

5/1/2011 7:31:44 PM

^^I'm amazed that you can post any details about the case publicly. Didn't they have you sign a non-disclosure agreement as soon as you got brought on?

5/1/2011 8:12:38 PM

All of this has been testified to and streamed to WRAL. There is nothing proprietary in here.

5/1/2011 8:56:58 PM

even still, there's no way I would risk regurgitating information on a case I signed a non-disclosure agreement for, no matter how public the information. I'd also be worried about being perceived as a risky witness by future attorneys that want to use me.

5/1/2011 9:03:48 PM

My non-disclosure does not prevent me from posting.

If the truth prevents me from being called again, so be it. Those that want the truth may call, or not. Considering the amount of time I put into the research and investigation only to be shut down by a noob based on a judges admitted lack of understanding of technology, I'm not sure I'd want to be involved with another one in any event.

IMO, they aren't interested in justice nor the truth, but only conviction at any cost.

5/1/2011 10:59:59 PM

^I hope you keep posting. I want to hear your perspective--from someone who knows what's going on in this case.

5/1/2011 11:01:46 PM

In my spare time (HA!) I plan on outlining all of the computer evidence after the verdict, or writing an article or book or something.

heh.. spare time... who am I kidding?

5/1/2011 11:22:13 PM

Quote :

"I'm amazed that you can post any details about the case publicly."

I'm amazed that details about the case can't be brought up in the actual case.

5/2/2011 8:24:13 AM

^ This

5/2/2011 8:26:11 AM

Oooh, this thread just got interesting.

Be careful though, drhavoc. Prosecutors and judges are petty and vengeful bitches, they may come after you.

5/2/2011 8:29:01 AM

so nothing new today?

5/2/2011 10:02:45 AM

Yeah, bin laden is dead in case you haven't heard. Boz is gonna try to prosecute bc for it

5/2/2011 10:07:02 AM

at least then he would get the 25million and could pay his dues.

5/2/2011 10:11:27 AM

Boz and cod would screw him out of it somehow. Defense would object but the judge would allow it.

5/2/2011 10:24:54 AM

Seriously?? We've heard all trial that there are no checks before people take equipment home. Now they're trying to tell us they have meticulous tracking records??

5/2/2011 10:28:19 AM

fuck wrong thread

[Edited on May 2, 2011 at 10:28 AM. Reason : w]

5/2/2011 10:28:39 AM

cisco employee on the stand, not sure if it's offer of proof or the prosecutions rebuttal

5/2/2011 10:30:08 AM

Rebuttal

5/2/2011 10:30:29 AM

put another shrimp on the firewall

5/2/2011 11:22:37 AM

^LMAO

5/2/2011 11:23:19 AM

so what did i miss today?

5/2/2011 11:25:44 AM

state trying to salvage the case...not too successfully

5/2/2011 11:27:27 AM

damn if someone opens a window in the courtroom this guy is going into the back wall...EARS

5/2/2011 11:34:52 AM

Does BC have a big ass bruise on his face today?

[Edited on May 2, 2011 at 11:41 AM. Reason : maybe not]

5/2/2011 11:38:53 AM

why is the State harping so much on this Zelnick person?

5/2/2011 11:56:45 AM

Quote :

"so what did i miss today?"

After all this time prosecution still can't pronounce Cooper correctly.

5/2/2011 12:00:06 PM

LEAVE MY ROSEMARY ALONE!!!!

5/2/2011 12:02:26 PM

AND WE'RE DONE.

5/2/2011 12:04:55 PM

I'LL

ALLOW

IT

5/2/2011 12:05:01 PM

CAT

OUT

OF

BAG

5/2/2011 12:05:28 PM