Transcript for:
Insights on Mobile Device Forensics

Q: Good afternoon.

A: Good afternoon.

Q: Could you please introduce yourself to the jury and spell your last name for the record?

A: My name is Jessica Hyde, H-Y-D-E.

Q: What do you do for a living?

A: I'm a digital forensics examiner. I'm also an adjunct professor at George Mason University, where I teach mobile device forensics in their graduate program. I also own a digital forensics company that does training, services and research.

Q: In addition to teaching at Georgetown University, do you teach in other ways?

A: Correction: I teach at George Mason University, not Georgetown. But thank you. I also teach; my company writes and develops training courses. I teach a mobile forensic analysis course and a data structures course there to law enforcement, civilians, etc.

Q: Do you engage in any other type of academics or research?

A: I do. I do other research as part of some volunteer activities I do in the digital forensics field. I'm the chair of DFIR Review, which is a body that reviews practitioner-created research so that it can go through peer review. I often do reviews as a reviewer for Forensic Science International: Digital Investigation, of which I was previously an associate editor.

Q: What does peer... oh, I'm so sorry. What does peer review mean?

A: Peer review means that when a study or a research paper is done on a topic, an assessment is done of it. There are three types of assessments that can be done. One is a methodological assessment, where you read through the methodology of the academic or practitioner-created paper and state whether it is acceptable or not. The second is that you conduct your own testing using the same methodology, with your own generated data sets, to conduct the peer review. And the third, if the original author has shared their data sets, is reviewing their data sets and checking that against their work.

Q: Has any of your work been peer-reviewed in the past?

A: I've had two peer-reviewed journal articles.
I've had an article that was peer-reviewed and published in Forensic Science International: Digital Investigation regarding the standardization of file classification of recovered items. The layman's term for that would be talking about what "deleted" means. And then I have another paper that's been accepted, which I co-authored, on timelines and correlations of forensic evidence.

Q: You mentioned you work in forensic data analysis. Generally, what does that mean?

A: It means that I look at evidence from digital forensics devices, be they mobile phones, computers or internet of things devices, and do analysis to provide meaning and context to the data that's recovered from them, as well as performing data recovery on those same computer-related devices.

Q: Did you have any specific education or training to learn about forensic data?

A: Absolutely. I have professional training both from courses I've taken, and I have a master's degree in digital forensics from George Mason University. I've taken multiple courses: advanced mobile analysis, iOS forensics courses from SANS, computer forensics courses from SANS. I have multiple certifications. I hold the GIAC GCFE, which is the GIAC Certified Forensic Examiner. I also hold the NW3C 3CF, which is a certified forensics examiner.

Q: Do you, through your company, teach other forensic examiners how to study forensic data?

A: Correct. We teach government agencies, both federal and state and local, how to do digital forensic analysis, as well as private-sector digital forensics examiners.

Q: How do you teach private digital forensic examiners? What's the method?

A: I've developed an online virtual course that we teach virtual live, so I'm always there when I'm teaching, but I also have a team of instructors. So for example, the mobile forensic analysis course that I developed is right now, this week, being taught to a police department in Texas, at this moment.
Q: Forensic data analysis seems like a broad field. Are there certain parts that you focus on?

A: I personally specialize in mobile phones and internet of things devices.

Q: I want you to just give us some very basic, very general and brief background. When you're looking at a forensic device and you're analyzing it, do you rely on any tools?

A: That is a really interesting question. Reliance on tools is not precisely what we do. We utilize tools to extract data from a device, and then we utilize a variety of tools to attempt to parse results from those devices. But the forensics examiner has to take the additional step to understand, validate and provide meaning to those results.

Q: Are there any shortcomings or dangers in simply relying on a forensic tool for a result or an opinion?

A: There is absolutely a danger in just relying on parsed results. When an algorithm is used to determine what data is stored as, it doesn't tell you what that data means. And that's where you need a forensics examiner. Tools don't necessarily understand how the data got there and what causes the data to exist. That takes deeper and further human analysis. As well, if you think about it, on your phone you can go to the Google Play Store or the App Store and you can download millions of apps. There are about six million apps between the two stores. Digital forensics tools maybe support, generously, a thousand applications. So in order to be able to parse and understand the data from applications that the tools don't know how to support, you need a forensics examiner who knows how to dig into that data, conduct testing, and determine the meaning of the data.

Q: Were you asked by the Norfolk County District Attorney's Office to look at and analyze a phone that was related to a person by the name of Jennifer McCabe?

A: Yes, with a very, very specific scope to a specific date range.
Q: Were you asked, during that scope and date range, to analyze it and provide an opinion about whether there were any user-initiated deletions of any web searches or Safari-type searches?

A: Yes, I was asked to look for deletions of Safari searches within the scope of the time frame that was dictated by the purpose of the exam.

Q: Were you asked to look at the phone device and determine whether or not there were any user-initiated deletions of phone calls on the device?

A: Yes, I was asked to look for deletions of phone calls in that same date range.

Q: And did you do both of those tasks?

A: Yes, that's correct.

Q: Did you ultimately have opinions on both of those issues?

A: I do have opinions on both of those issues. That's correct.

Q: And in engaging in the efforts to answer those two questions, did you necessarily have to review and analyze a web history that included searches on January 29th, 2022 at 2:27 a.m.?

A: I did analyze web searches that occurred at 2:29 a.m. local time here in Norfolk on January 29th, 2022 from the device that was provided. Yes. Not the device, the forensic image, for clarity.

Q: So before we get to the two opinions that you were asked to consider, or what your opinions were after analyzing the data, I want to begin by giving the background and having you share with us your analysis and your observations and opinions about the search on Safari relative to this 2:27 time frame. Before we begin that, let me just ask you one question. Did you do anything to ensure the integrity of the data that you were looking at?

A: Upon receiving the forensic image, the first thing I did was what's called a hash of the image. A hash is an algorithmic representation of a file. A forensic image, all the data from the phone, comes in one file that can then be extracted to produce the rest of the data. That singular file that's received...
There are actually three, but focusing on the one that has all of the data, that archive file, you can run what's called a hash algorithm against it. There are actually multiple hash algorithms. I hashed it and then I validated that hash against the document that was provided along with the image file, which contained the hash values, and those hash values matched. Now, just for clarity, if you change one bit in a file, it will not have the same hash. So the hash provides integrity, and having used both hashes which are available in that report and run two different algorithms, they both matched. Additionally, I reviewed the PDF that was received for signs of alteration. The PDF that comes with a GrayKey report is not signed by Adobe Acrobat. However, I was able to take that PDF and examine it just like I would a phone. So, using the same techniques as on the phone, using a tool called ExifTool, I was able to learn a lot about the creation of that particular PDF. What I was able to learn about it was that it's labeled as being produced by Grayshift using a particular code-based application to create the PDF, called PyFPDF, standing for Python framework PDF. It's a program that you can download, and developers who create tools, like Magnet Forensics, who owns GrayKey, utilize that script, which is why it says it's produced by it, to create the actual PDF. That's what the evidence there in the data tells me. It also contains a time of when that was created, and that time was February 2nd, 2022 at 22:49 UTC, that's the global constant time, think what's in the UK, which in local time would be 5:49 p.m. So that says that it was created approximately 2 hours and 45 minutes after the document said the image started, and it correlated with the document information.
So that provided some level of certainty that that document was factual. On top of that, I further opened the file of that PDF in what's called a hex editor, which lets me see every byte, every one and zero. From doing that, I looked for tag markers that are sometimes made in some modifications of PDFs, called XMP, which is Adobe's format of markup. And I did not find any evidence of those tags.

Q: When you're trying to determine whether there's integrity in the data, are you able to tell whether or not there's been any alterations or tampering before the item is put on the GrayKey machine to make the extraction?

A: That would be when you're talking about whether the physical device had been manipulated. Is that correct?

Q: Yes.

A: I cannot tell if the physical device has been manipulated prior to it being imaged. I can only validate whether the image was correct. In theory, all of the data of anything that you did on that device would still show in the evidence of device logs and whatever locations were touched or communicated with, but at that point, it's the same as any user interacting with the device itself.

Q: After the phone's extracted, or at the time it's extracted, does it have the history of the device on that extraction?

A: Could you rephrase?

Q: Yes. At the time the phone is extracted and the copy is made, the PDF and the digital copy, do the digital copy and the PDF contain the history of searches and calls and other items on that phone?

A: The forensic image itself contains a variety of different artifacts or traces that are left behind by activities that a user does on a phone. Yes.

Q: You use the term artifact. What does that mean in a basic sense?

A: An artifact is any type of evidence that is left behind on your phone of an action. So for example, if you receive a call, there are multiple places in the phone that show that a call was received.
That can be in the call log, that could be in a notification, that could be in a unified log that tracks the activity that the phone's doing. There are multiple locations, and each one of those is a residue of the fact that the call came in. That's what I would refer to as an artifact. So, you could have an artifact not just about a call, but about a web search, about taking a photo; any action you take on your phone may create an artifact.

Q: Before we get into those two questions about any alleged deletions from Safari, a Google search or internet search, and any alleged deletions of phone calls, I want to start with your explanation, or your sharing, of how the time stamp works relative to that search beginning at 2:27 a.m. on January 29th, 2022.

A: So for clarity, there's more than one search that happens at 2:27. There is some activity that's looking at, and I don't want to mispronounce the name of the town, I'll try, Hockomock sports, looking at activities for the sporting events at that school system, I assume, or county location. There is a timestamp for the search "hos long to die in cold". However, that timestamp isn't about active searches. It's about the time that a tab was either opened or moved to the background. So, "hos long to die in cold" is the most current search in the tab that was opened at 2:27. So, if you're using your phone and you go to your browser, you have some choices. You can just open an existing tab or you can open a new tab. A new tab was opened at 2:27 a.m., and that search was done there. Another tab, also at 2:27, was moved to the background, and its last search at the time it was moved to the background was, I believe, "It's Raining Men", the YouTube video. So those two searches both exist as what's called browser state searches, but that browser state isn't about the time that it was searched.
It's about the time that the browser tab you opened either went to the background or, if it's never been moved to the background, the current search. So the time in the instance of the "It's Raining Men" video is the time that that video was moved to the background and the new tab took over as the active tab. And in that tab, the last search done is "how long to die in the cold", because that database holds the current search. It constantly gets updated, and the time is the time that the tab was either opened, if it's the first time it's opened, or moved to the background, if it's an existing tab.

Q: Did you put together an exhibit that would help explain some of the different...

A: I did. I did put together an exhibit that would show that.

Q: May I approach?

THE COURT: Yes.

Q: Handing you a piece of paper. Do you recognize that?

A: I do. This is table one from the first report I created on this case on the phone that I was told was Jen McCabe's.

Q: Is that the... will that help you explain?

A: It will.

Q: I move this.

THE COURT: Okay.

Q: Before we look at any chalk, I want you to explain the entire basis for that chalk and your ultimate opinions that are reflected in the chalk. So, let's start from the beginning.

A: May I look at my copy of the chart, or no?

Q: Why don't I just ask you, see if you can answer the questions, and if you can...

A: Yes, your honor.

Q: When you looked at the phone to analyze it, were you trying to determine when a particular search was made, specifically the search "how long to die in cold"?

A: Correct. I was looking for two searches, both "how long to die in cikd" and "how long to die in cold".

Q: So as a forensic examiner, how do you begin the process to try to identify and determine when that search is actually made?

A: So the first thing we would want to identify is what application was being used at the time to make the search. So, looking at that date and timestamp, I was able to determine that on that date Safari was the application being used as the Google browser.
And then you would begin looking at the artifacts for Safari, both those that are parsed by the forensics tools, but then further looking into the data structures that hold that data itself, and then ultimately conducting testing to determine why a certain artifact exists.

Q: So you mentioned the beginning step is the forensic tool or tools. Did you use forensic tools to get information or parse any data regarding this potential search at 2:27?

A: Yes, I used multiple forensics tools.

Q: Can you share with us the multiple forensic tools that you used?

A: Absolutely. I used Cellebrite Physical Analyzer. I used Magnet Axiom. I used... those are just the tools I used at first. There are further tools I used later, but those were the three that I started with.

Q: What tools did you use later?

A: Later I used, specifically, Sanderson's forensics toolkit, the Forensic Browser in Sanderson's forensics toolkit, which helps exploit SQLite databases, and then I further reviewed in a tool called Rabbit Hole.

Q: To begin with Cellebrite, is that a tool that you're familiar with?

A: Yes.

Q: Is it a commonly used tool in the industry?

A: Yes, a commonly used mobile forensics tool.

Q: Is it reputable?

A: Highly reputable.

Q: Why did you use Cellebrite?

A: I use Cellebrite because on any mobile exam, I'm going to validate what is captured by Cellebrite and Magnet Axiom, because they have the most robust parsing of what is in my tool arsenal. And then I would also follow up with iLEAPP closely behind, because iLEAPP has a lot of artifacts that aren't supported by either of those tools. Using a variety of tools is going to give you different coverage, and each tool has a different perspective on how they view and display data.

Q: You said you also used Magnet Axiom.

A: That is correct.

Q: Is that a leading forensic tool as well?

A: Yes, that is also a leading forensics tool.

Q: Are you familiar with that company?

A: I'm very familiar with Magnet Forensics.
I was actually their director of forensics for five years, then continued to consult for them for an additional two years under my company, Hexordia, and my company continues to be a reseller of Magnet's products.

Q: You mentioned different tools may present information a different way. Do those tools change the underlying data at all?

A: That's a great question. So when we're talking about the results that a tool shows, the tools maintain the integrity of that original forensic image. And that's actually something we verify as we continue through our exams, to make sure that the underlying data hasn't been changed. There are some tools... I did use some other tools. I apologize. I also used ArtEx and Mushy. ArtEx is capital A, lowercase R-T, capital E, lowercase X, and then Mushy is M-U-S-H-Y. You're welcome. I'm sorry. Can you repeat the question? The spelling threw me off.

Q: I mentioned, or I asked you about, using multiple tools and whether or not the use of different tools changes the actual underlying data.

A: So the actual underlying data is always maintained, and we do validate that. Some tools allow you to see parsed results and then allow you to dig deeper into looking at the actual files and data structures. Those would be tools like Cellebrite Physical Analyzer and Magnet Axiom. Some tools show you the parsed results and tell you where they got them from. It shows you the parsed results and tells you the file location, and then you would open that up in an external tool. And then some of the tools I used are not tools that parse the results, but are tools that allow me to manually look at the data structures. So they directly allow me to look at the data structures, and all of the tools I used in this instance are tools that do not change the underlying data.

Q: Is it important or critical to go beyond the tools' presentations and actually analyze the data yourself?

A: It is absolutely critical.
Actually, the NIST scientific foundations paper from the National Institute of Science and Technology, which states the foundations of digital forensic science, states that it is the examiner's duty to not only verify and validate tool results but also to provide meaning to forensic parsed results.

Q: Does software update regularly?

A: Oh, the software updates all the time. Typically we get an update about once a month, and to be honest it's not enough to keep up with how many new apps are developed, how many new phones come out, and how many of your applications get updates, new features, for example, in Instagram or Facebook. So the tools update very, very regularly.

Q: When you used the Cellebrite tool to analyze the 2:27 search, did the search "hos long to die in the cold" have a time stamp on it?

A: There are actually multiple artifacts for "hos long to die in cold". Remember earlier we defined an artifact, and we spoke about it being one of the types of traces. So there are multiple traces for that "hos long to die in cold". Only one of them is associated with the 2:27 time stamp, but there are other instances of evidence of that that were parsed by Cellebrite.

Q: Is there any danger for an untrained eye to rely simply on the software when looking at a search like this, "how long to die in the cold", and seeing the 2:27 time stamp?

A: Absolutely. There's a really scary danger that an examiner who has not dug into the artifact and tested to see what it means may assume erroneously that that 2:27 timestamp is the time that what is there was searched. The search in that field of that artifact is always going to be the most recent search in the tab. But that timestamp actually means either the time that that tab was backgrounded or, if it's the first time the tab's been opened, when it was opened. So you could erroneously implicate that a search was done hours, or some time period, or even days before it actually occurred. Some of us leave our tabs open forever.
Q: In your teaching examiners and students, do you teach about this specific concern and concept?

A: Yes. I teach about this concern both in my mobile forensic analysis class, in my mobile forensics course that I teach at George Mason University in their digital forensics master's program, and in the data structures course where we specifically learn how to analyze these databases in question.

Q: In your experience, how commonly does an untrained examiner make this mistake?

A: I wouldn't be able to speak to how commonly an untrained examiner does it, but regularly my students get those questions wrong on earlier examples I give them in class, to indicate to them that they could easily make mistakes without understanding meaning. And I use it as a teaching aid. So, teaching, you know, 90, 100 students a year, I regularly see that in untrained examiners that I'm teaching in my class, but I wouldn't be able to say that across the discipline.

Q: You mentioned that Cellebrite showed the search on the report as "how long to die in the cold" with a time stamp of 2:27. Is it 2:27:40?

A: Yes, that's correct.

Q: Do you know whether or not Cellebrite has updated its software?

A: In May of last year, Cellebrite made an update to their software, actually to remove this artifact because of its ambiguity and the risk that an examiner may overstate or misstate what it is.

Q: Is this ambiguity reflected in other types of software?

A: Could you rephrase, please?

Q: Sure. For example, when you did a report in Axiom, did it have a similar reflection in the report? I'll ask it differently. Did you run a report regarding this time frame through Axiom software?

A: I did process the image through Axiom. Yes.

Q: When you did that, was it the same or a different result?

A: Axiom and Cellebrite really show their data very, very differently.
So, Cellebrite takes the perspective of alerting people to possible deletions by annotating either a question mark or a red X next to artifacts that come from different areas. Magnet instead marks whether the artifact was parsed or carved. I feel like now I need to explain to you parsed or carved. Parsed means that the data was where it was expected to be found, and the algorithm was able to cleanly see that this is there. Carved means that it had to run that algorithm against the data structure as a whole and found it as a partial result. So it carved it out, went and found it, instead of it just sitting there exactly where it was expected to be, and it shows you both the results. So it'll show all of the results, in this instance the tab sessions, the BrowserState.db, the tab state. Instead of telling you this has a red X, it'll instead say it was carved. So it's a different presentation of the same data.

Q: And so I want to talk about deletions in a little bit, but I want to get back to the 2:27 search.

A: Sure.

Q: So when you produced, or you looked at, the report from Cellebrite, and it showed this timestamp as well as the phrase "how long to die in the cold", where did you look? How did you make an analysis to determine whether or not that search was actually made at 2:27 or another time? What were your next steps?

A: So in looking at that timestamp, the first thing I did was actually go and look at what literature exists on the artifact, whether anybody had reviewed this artifact before. I also created my own data set and tested how we could get what that time stamp means. So if I make a search in a tab and then I make another search in a tab, which timestamp is it? If I make a search in a tab and then open a different tab, what changes?
I also looked at the documentation in the artifact reference guide for Axiom, which describes that timestamp as the time at which the tab is backgrounded, and it gives a stipulation that in certain circumstances the timestamp can be earlier than the search.

Q: Did you specifically look in any databases, or for artifacts in the data, to help make an analysis of when this search happened?

A: Of when the search happened as a whole? Absolutely. So there are multiple databases that I looked at that show search information for Safari. I looked at the plist, the MobileSafari plist. I looked at the BrowserState database. I looked at the History database. I also looked at the knowledgeC.db. The knowledgeC.db is a little bit different. That isn't a database for Safari. It's a database for all of Apple, so it can predict your behavior. So it takes in information that Apple wants to take in, including browser history, and it saves that information so it can make predictions. I also looked at the caches in Safari, which are the things that Safari is trying to make quick reference to. This would include suggested terms for commonly searched items.

Q: When a URL or a search through Safari is typed in, or if it connects, does it leave a trace in different parts of the computer or the phone?

A: Yeah. So, when you actually do any search, you're going to leave traces. Now, it does depend whether you are in private browsing or non-private browsing. Non-private browsing is what most of us use regularly. Private browsing might be what you elect to use. Well, some people would elect to use it if they're doing searches they wouldn't want their spouse to see, like maybe they're looking at porn, or maybe you're doing something secure like looking at your banking information. You may intentionally use a private browser. For Google users, this would be the equivalent of incognito in Google Chrome. And you may intentionally use that.
And so the artifacts for that are more limited than the artifacts for non-private searches. Some of these artifacts only exist for non-private searches and some exist for private searches.

Q: And in this case, this phone, was it on non-private or private?

A: So, specifically the two searches we're talking about, "hos long to die in cold" and "how long to die in cikd", excuse my differentiation there. Both of those searches were done in non-private browsing, so they weren't hidden. They... I don't understand the question.

Q: Yeah. Were there any applications on to mask those searches?

A: Not to the best of my knowledge. I did not see any.

Q: We began with the 2:27:40 time stamp. The next recording on that tab, do you recall what time that was?

A: I believe the next, and I'm trying to remember the chart from memory, if that's correct, so I believe the next thing we're looking at is the 6:23 suggestion from Apple search terms for "how long to digest food". Am I matching what you're seeing on your chart?

Q: Well, let me ask you, when you saw that, do you look on the same tab or a database when you find that information?

A: Fair. Understood. So all of those databases I was just mentioning before, we're looking at all the parsed results from all of those. And I was looking in the entirety of the scope, from the time of midnight till noon. That was the time frame of my scope, of all of the content that was done in the tabs, the tab sessions, the BrowserState.db, cloud tabs artifacts, History.db, MobileSafari plist, knowledgeC, each one of those, and then I was combining them to timeline out the activity.

Q: At 6:23:51, did you look into "how long t-i d-i-e in c-i-k-d"?

A: So that would be the next thing that we see after the Apple-suggested term of "how long to digest food". That's the next thing we see: we see an entry of that. There are two immediately next to each other.
I don't remember the precision on the seconds of which one's first off the top of my head, but one is in knowledgeC and one is in the MobileSafari plist.

Q: Can they appear in different rooms in the data bank, in different places?

A: The same searches appear in many different places; they can leave traces such as that knowledgeC.db. I love that Apple calls that knowledge. It's like what it's trying to learn. So the knowledgeC.db, what Apple's trying to learn about you, as well as in that MobileSafari plist, as well as at the moment of that search, which I don't have the device in that moment, but just so there's an understanding: that open tab, the URL would have been updated, or URL is the website, would have been updated to that search at that moment. Had we imaged it at that moment, it would have been "how long to die in cikd".

Q: And finally, at 6:24:47, did you identify any artifacts with that search that appears with a time stamp of 2:27:40? Did you find the same?

A: Correct. At 6:24 we have two time stamps in those same two locations for "hos long to die in cold", the knowledgeC and the MobileSafari plist.

Q: So based on your analysis in that issue, did you come to an opinion on whether or not the phrase "hos long to die in cold" was actually searched at 2:27 a.m. on January 29th, 2022?

A: There are no artifacts...

Q: So, the answer is yes or no.

A: Can you repeat the question, please?

Q: And so based on your analysis of the phone and the data using all of those softwares, did you come to an opinion whether or not the phrase "how long to die in cold" was searched at that time stamp tab of 2:27:40?

A: Yes, I came to an opinion.

Q: And what is your opinion?

Your honor... Rephrase the question as to the opinion. I'm sorry. I'll see you inside, Mr. Les.

Q: You've explained to us the analysis you engaged in, the process you engaged in, in forensic data analysis. Is there a methodology that you use, not just looking at the printout of the programs,
a methodology you use that is accepted in the industry for experts to analyze this data and come to your opinion?

A: Absolutely. Beyond looking at what was in the tool results, I further looked at those databases independently and conducted testing of the artifacts.

Q: And in addition to what you did, can you share with us how and why this methodology is accepted in your practice as a forensic analyst?

A: This methodology is accepted by NIST and by organizations like the Scientific Working Group on Digital Evidence. I'm intimately familiar, as both a member of the Scientific Working Group on Digital Evidence, which helps work towards the building and development of these consensus-based documents of procedures to be followed in digital forensics analysis, and as a member of the National Institute of Science and Technology's, NIST's, Organization of Scientific Area Committees, OSAC, digital evidence subcommittee, where we also produce guidelines, such as the guidelines for data set generation, which is how you do your actual testing and creation of data sets, and I was also a part of the subcommittee that drafted that. So I'm intimately familiar with the accepted policies and procedures because I am also a member of the groups that help author these, as well as review them and use them.

Q: Are there articles and guidance in the industry about this particular practice of analysis?

A: For analysis... just for clarification, you're talking about for analysis of Safari artifacts, of mobile forensics, of BrowserState.db?

Q: Just for clarity on the question, let's work our way through it. How about through Safari?

A: For Safari, there are multiple different blogs that talk about Safari, as well as I have analysis of Safari through classes I took, such as SANS 508, which is their... I'm sorry, 518, SANS 518, which is the Mac and iOS analysis course, which I took.
How about the specific guidance regarding searching the different databases for artifacts, in terms of methodology for digging into databases? Is that correct? Um, there are multiple. I've, again, I've taken courses, um, from, I, throughout my master's program, courses on how to analyze digital forensics artifacts, including mobile device forensics, uh, throughout, uh, my GIAC certifications. I've taken multiple instructor-led courses on how to do these as well, uh, specifically that cover mobile Safari history in mobile forensics at GMU in its master's program, as part of the SANS FOR518 class. Um, and in terms of data structures, I've taken study on how to analyze databases like SQLite, and plists are covered in those courses. Um, there are books on study on this methodology. Uh, there are multiple books on digital forensics, many of which I've read, and including books, uh, specifically on analysis of SQLite databases, uh, such as Sanderson's SQLite Forensics, uh, which is probably the most authoritative, because not only was it written, uh, by Sanderson, who makes a tool, it was tech edited by three renowned forensics examiners as well as Dr. Richard Hipp, who created SQLite itself. The methodology, the technique you use to look past the reports and actually look at the data to make your determination and provide your, arrive at your opinions. Is that methodology regularly accepted within the forensic data community? Absolutely. Again, using the methodology from the consensus-based documents from the community, from the Scientific Working Group on Digital Evidence, on best practices for analysis, as well as, uh, specifically for the SQLite databases I was looking at, um, I do that, uh, deeply verifying, and in accordance with, uh, the understandings from Sanderson's book. Now you shared with us that you had an opinion regarding the time stamp and whether that was applicable to the search term "hos long to die in cold." That is correct. Now I want to ask you, to a reasonable degree of forensic data scientific certainty,
what is your opinion about whether the phrase "hos long to die in cold" was made at the time of the time stamp 2:27:40? It's the last time, Mr., on this issue. Okay. All right, go right ahead. Mr. G, I'm now going to ask you for your first opinion. So you shared that you have an opinion about whether that time stamp 2:27:40 was, whether or not that was the time the search "how long to die in the cold" occurred. Can you tell us, to a reasonable degree of scientific certainty, your opinion about whether that search "how long to die in the cold" occurred at 2:27:40 a.m. on January 29th, 2022? Same objection. Okay. The objections are removed. What I can state to a scientific degree of certainty is that that search occurred at 6:24 a.m. and was the last search in the tab that had been opened at 2:27. Do you have an opinion, to a degree of scientific certainty, um, whether there were any other searches similar to "hos long to die in the cold" that evening on that tab? Your honor, I'm going, may I first inquire? Uh, you meant morning, I, sorry, that morning. Yes, just clarifying. I did not look at evening searches. Um, I, and can you repeat? I apologize. I dis, I disrupted my own train. You have an opinion, to a reasonable degree of scientific certainty, whether there were any other searches on that tab before the final search at 6:24:47, "hos long to die in cold"? Just ensuring that I, that I have the question correct. You're asking what else occurred in that tab prior? Yes. That I cannot say with a clear degree of certainty. Okay. Um, did you develop a chalk that I showed you earlier? Yes. As to approach. Yes. Again, I show you the same document. You recognize it? Yes. What is it? It is the exhibit that I created that was labeled Table 1 in the first report I delivered. And does that provide information that will assist us in understanding your opinion? Yes. I move, subject to redaction, that this be introduced into evidence.
Your honor, I have no issue with regard to the redaction aspect, but consistent with my prior objections, I would reject that. Okay. I'm going to allow this into evidence. Your rights are safe. Thank you. Appreciate it. 82. Madam clerk, 82. Exhibit 82. Thank you. With the court's permission, I'd like to show Exhibit 82 to the jury. Okay. Could we enlarge the first two? And we're going to need to get the right column in, if we can, please. Thank you. Can you see it from there? I can. Thank you. If you can walk us through how this exhibit assists us in understanding your explanation and the basis for your opinion. This exhibit shows the Safari artifacts and artifacts of Google searches in Safari related to the two searches in question, "how long to die in CKD" and "hos long to die in cold," that occurred on the morning of November 29th, 2022 on the device under examination. If I look at this chart and I see in the top left it says 2:27:40 a.m., and then under the search term it says "hos long to die in cold," how do I understand your opinion that that search didn't happen at 2:27:40? This document is showing you the data that is the parsed result. The source of that artifact that you see, uh, in the last column, it's a little bit cut off, the BrowserState.db-wal file. That database does store, how the data is stored, the search term "hos long to die in cold" with an associated Mac Absolute epoch timestamp that translates to 2:27 a.m. That is what is physically stored. That does not annotate the meaning of that artifact. That was determined through testing following the NIST OSAC data generation guidelines for testing. In the second row, we see a time stamp in the left-hand column, 6:23:49, and it provides artifact, a cache record. Mhm. What is the term? What does that mean under the search term? iOS Safari cache records. Uh, a cache refers to something that a computer program wants quick and easy access to.
When we search on our phones, um, anything, a lot of times, be it in Google or in Safari, depending on what type of phone you own, it'll suggest what it thinks you're going to type in, right, so you can click it. It's trying to be helpful. In this instance, at 6:23:49 we have a cache record that indicates that Apple suggested the phrase "how long does it take to digest food." And then under that, 6:23:51, it appears, it says a recent web search, and the spelling has changed. "How long," T I D I E I N C I K D. So this, in reference to these two search terms, this is the first actual search that occurs, at 6:23:51 a.m. Um, upon beginning the typing of that phrase, Apple provided the suggested search, and the person inputting into the phone at that time continued to type out, uh, a phrase and finished it as "how long ti in CIKD," um, which, that is available to us in the mobile Safari plist, which tracks recent web searches, and then we'll see six seconds later we get that reference in that knowledgeC database that I mentioned before. That's the next line. So that's the, the knowledgeC database is Apple's way of keeping knowledge about what the user's doing. It sees and holds your knowledge. It's an easy way to remember it. That's what I teach my students. So that knowledgeC.db tracks a lot of things for predictive purposes. And so six seconds later, it's logging that, uh, same search. So that search is being tracked in two places. And so one search can be left as artifacts in different locations on the database. Correct. And there can be multiple traces or artifacts of the same user action in different places on a mobile device. And if we go down to the bottom, the last column, at 6:24:47, we again see "hos long to die in cold." And if you look in the first column, it's the same phrase. Is that a coincidence that it appears at the bottom at 6:24:47 and also appears up at 2:27:40?
As mentioned before, through testing of the artifact for BrowserState.db, that artifact will hold the most recent search that happened in the tab. So it is logical that "how long," "how's long," "hos long to die in cold" was searched at 6:24:18, tracked in that mobile Safari plist, repeated in knowledgeC, knowledge made its tracking in knowledgeC.db, and then that table for BrowserState.db, which again has the time that the tab was opened, or the last time it was backgrounded, and updated just the website that was visited. So the website, that is why we get that 2:27 time. That's actually, as far as the data storage, the first thing I have in there, because I wanted to put it in chronological time order for exhibit purposes, is actually the last thing to happen, because it's the update to what's in the tab. And you offered that the "hos long to die in cold" is the last thing to happen. Do you have an opinion, to a reasonable degree of scientific certainty, the time when that search was made? Objection, your honor. Oh, to a reasonable degree of certainty, I can say that "hos long to die in cold" was searched at approximately 6:24 a.m. Now, moving on from the 2:27 search, there are two other issues that you were asked to analyze. We talked about them at the beginning. Let's begin with, um, whether or not you've looked at the data and analyzed the data and came to any opinions about whether that phrase "how long to die in cold" was user deleted on that device. So there's two really key elements as to if that was user deleted. If the question is did I come to an opinion? Yes. And can you explain how you came to that, to an opinion that we'll ultimately share with the jury? The first, um, line in that exhibit, the ending of that, if you remember, it said BrowserState.db-wal. That's important. So, we'll talk about that in a second. But the first thing, uh, I want to bring up is, is kind of how the database works, because I didn't just look at the tool result.
I extracted that database and I did a deeper analysis on it using Sanderson's tool, because that information was in that -wal file. Um, so when a SQLite database, which is a specific way of storing, very, very common on mobile phones, actually one of the most common, um, when that database stores data, it has two versions. The most recent version, and the version in use here, uses what's called a write-ahead log. So before data is committed, it is written to a write-ahead log. I'll kind of explain it. So, let's say we're in a restaurant and we're sitting at a table and we're ordering food. Our table is the table. Data that's going to come to the table, and that's going to be our food. So, when we order food, let's say we've got a chicken sandwich, a burger, and a pizza coming to the table. The chicken sandwich, the burger, and the pizza, the kitchen puts it in the warming area. It's the write-ahead log. The server grabs it from there. It's where data sits before it goes to the table. Just like your food goes to that serving station before your server brings it to your table. Table server brings it to the table. That table's got its burger, its chicken, and its pizza. Another table orders waffles and pancakes. They think it's breakfast. The waffles and pancakes are made by the kitchen. They're put on the serving area. Waitress comes over. This pizza has pepperoni. I don't eat pepperoni. Can you send it back? Waitress picks up that pepperoni and sends it back. That's a deletion. Pepperoni pizza was just removed from the table, right? We're deleting it. We're removing. We said it's not what we wanted. The waitress is removing it. She brings it back to that serving area. At that moment, that serving area has the deleted pizza, but also the waffles and pancakes that are waiting to go out to the table. That's how a write-ahead log works.
Any changes that are happening sit in the write-ahead log until the database is closed, and then when it's reopened, all those changes are made, both additions and deletions. So often when a phone is imaged, when we make a forensic image, the applications are still open, so we have those WAL files. When we look in our Safari browser, the database knows to read it to you in its current state. So, it tells you where the waffles and pancakes are going; they're going to that table. So, it shows it as if it's in the table, but it's not in the table yet. So, if, when we parse the data, we look at the restaurant and we don't look at the back kitchen, we would only at that time see the chicken and the burger, right? Pizza got sent back. Waffles and pancakes haven't come out yet. So when we get the data, we get two files. We get the restaurant, that's the database, and we get the serving area, that's the WAL file. Just because it's in the WAL file does not mean it's deleted. It means that that record wasn't where it naturally sits yet. It could be. That WAL file can contain deleted, and food, or data, that hasn't yet been delivered to the database. So the WAL file consists of both. So an assumption that the data was deleted just because it's in the WAL file is actually not true. And the peer-reviewed paper I mentioned earlier that I had accepted in Forensic Science International, uh, actually has a section that explains this exact presence, um, for SQLite databases, about how we refer to that as recovered and not deleted. Actually, through that entire document we don't use the phrase deleted. We refer to things in statement of recovery because we need to determine why it's there. So we can't say that it's deleted just because it came from the WAL file. Some tools will automatically indicate to the examiner that they need to dig deeper into that. I did do further analysis by looking at the WAL file.
Um, that particular item, it, and it's a little bit more complex, actually exists on multiple pages, because it moves as the database is being created, but all of them have the same unique identifier. So it's the same entry. It's not more than one search of "hos long to die in cold." If there was more than one search that had occurred where it became the top element in that database, we would, we would see that. Um, there are, as I mentioned, other carved from the database, um, from the WAL file, elements such as the search for the YouTube video "It's Raining Men," because at some point that was the last viewed item in a tab when that tab was retired, right before, also at 2:27 a.m., but a couple of seconds before the "hos long to die in cold" search. So we can see that that table is put to the rear. The newest tab that's open, which is why it's in the WAL file. It's the most recent thing, because it's like our waffles and pancakes, it hasn't been delivered to the table yet. So it can sit in the WAL file for that reason. That doesn't indicate it's deleted. The second reason is there is no user interaction in the interface to delete a tab. You can open and close a tab, and open and closed tabs are tracked in that database, but you cannot delete a tab. There's no, if you were to pick up your iPhone, I know you don't have them right now, but if you were to pick up your iPhone and look, that, that wouldn't be a physical option you have in the interface. So it could not be deleted by a user through the interface, for that most basic reason. So a user, could they delete a tab if they wanted to? There's no actual option to delete a tab for your web history. You could clear the cache, for example. Um, most of us are familiar with clearing the cache in your web history. Uh, you might do it because you don't want your kids to see what you searched, or maybe your kids don't want you to see what they searched, so they'll delete it. Um, but you can't delete the tab history. It's just what tabs are there.
The device is tracking that. When you looked at the software, whether it was Axiom or Cellebrite, when you look just at the report, not the data itself, do either of those reports have any indication noting that that web, or that Safari search, is characterized as deleted? The tools: Cellebrite denotes it with a red X, which means that it is recovered. Axiom indicates that it is carved. Uh, in the same paper, uh, that I referenced earlier that I authored, there's a, there's a chart in there that shows the distinction between how different tools, some will use red X's, some will use question marks, some will list carved or parsed. So every tool chooses to do that differently. That does not mean deleted. It means it needs further analysis. Should an examiner who looks just at the reports of the software assume that if it is marked as recovered in Cellebrite or carved in Axiom, should an examiner, an examiner should never assume something's deleted without doing a manual examination. The manual examination, is that a method that's used that's generally accepted in the forensic data, um, field? The NIST scientific foundation paper, as well as the, uh, data set generation guidelines, both speak to conducting testing to verify and validate, and it states clearly that an examiner is to verify and validate findings and to determine meaning. So given that you've used multiple tools to look at reports regarding this phrase "how long to die in cold" and have seen indications or characterizations of recovered and carved, and in addition to the fact that you actually analyzed the data, did you arrive at an opinion, to a reasonable degree of scientific certainty, whether or not the user deleted, any user deleted, the phrase "how long to die in," yes, if it's "hos long to die in cold." Sorry, trying to clarify. Pardon me. Did you come to an opinion, to a reasonable degree of scientific certainty, whether any user deleted the phrase "hos long to die in cold"? Yes. And what is your opinion?
My opinion is there was no deletion that occurred by the user, because it is not something a user can delete. Finally, I want to ask you about your analysis of the phone records on this phone attributed to Ms. McCabe. Did you go through an analysis of the phone logs and the phone records on it? I analyzed the call logs, uh, and the phone logs on the device that I was given, that I was told belonged to Ms. McCabe. Yes. Would a suggestion or a claim that a user deleted irregularly a number of phone calls, would that be accurate or inaccurate in your experience? It is inaccurate in this instance. Can you explain to us why and how you came to that conclusion? Yeah, this is actually really interesting, um, because of what it appears in the forensics tools and additional artifacts that I looked at that are not parsed by the forensics tools. So, the call logs, um, when you look at it, it appears, I, I don't remember if it's 8:57 or 8:59 a.m. in my, in, in my mind at the moment, but approximately either 8:57 or 8:59, um, is the earliest phone call we see on the, um, 29th of January. We see no call logs before, but we do see FaceTime logs before. So if an examiner, again, was making assumptions without testing or reviewing, the first assumption might be, well, things must have been deleted, because there's data that exists before but not current data. So then you have to go, how do phone logs work, and again create test data and review. What the situation here is that there are three types of call logs on this particular phone. There's regular calls, incoming and outgoing. There are FaceTime video chats, incoming and outgoing, and FaceTime audio chats, incoming and outgoing. The storage for that is actually 200 records. So you can only store up to 200 of each. Now, if you were a user of, let's say, WhatsApp or Signal or Telegram, those would each count too, and they'd get their own logs. So, when we look at the database for the number of calls between 8:59 a.m.
or 8:57, again, I apologize, I'm not looking at that precise time, uh, on the 29th of January in 2022, there are exactly 200 calls still in that record from then until the imaging of the phone. There are 199 FaceTime video calls and only 27 FaceTime audio calls. So the question is, how do you validate that that's what's happening? So we actually have call logs that we can pick up in other places for recent call logs in the last 7 to 30 days, depending on the, the exact version of the device and, and how the biomes are running. We can actually see, uh, incoming call logs, uh, the number they go to, and if they're incoming or outgoing, in the biomes. So we actually can see the history going back for the entirety of that day on January 29th till midnight. Again, my scope was from midnight until noon. So we can actually see all of the calls. They're just not on the call history state DB. Now the call history state DB, from a user perspective, that button on your phone doesn't say call history. It actually says Recents. And what it's determining as recents is the most recent 200 of each category. Now, how did I determine this further? There is a running log that exists in a phone, lasts about 3 days. It's called the unified log. The unified log tracks multiple things that are happening on the phone. In manual analysis of the unified log from this phone, I can clearly see each time a 201st call comes in, the 200th call gets deleted. So it's constantly just the last 200 calls. It may not be typical that we see 200 calls in three days, but on this device, we do see 200 regular phone calls in the three days between, uh, 8:59 a.m. on the 29th and when the phone was imaged. Do you have an opinion, to a reasonable degree of scientific certainty, whether there were any user deletions from the phone call log that morning? Yes. And what is that opinion?
The, the opinion is that I can see that it's done by the device itself, utilizing unified logs, that the system is deleting the 201st call every time a new call is received or outgoing. Thank you. I have no further questions. May I, your honor? Yes. Good afternoon, Ms. Hyde. Good afternoon. I notice you have some documents with you. Could you just state what is in front of you, so I know that I might be able to help expedite this if I know what you have in front of you? Absolutely. I have the first digital forensic analysis report I completed for the previous trial. Do you have a date? Um, you have several of them. I do. It's the first one. I apologize. I, this is the one, I believe it's May. I don't remember the date. 2023, 2020, obviously. Then I have, uh, the second one. This was the one that was used in the pre-trial motion. December 2024. December 20. Yes, that's correct. Very nice. Uh, then I have the third one. This is the final one regarding the phone that was identified as Ms. McCabe's. Yes. And then I have the fourth one, which is the phone of Mr. O'Keefe. And then I do have, um, the opinion from State versus Herrera, but if we don't need that, that's fine. Okay. Very well. I appreciate you, you telling me that. In March, uh, and, and you recall on your direct examination, uh, Attorney Brennan asked you questions going to your experience and qualifications. Do you recall those questions? Yes, I do. In, uh, you were involved in a, um, case, it's actually a murder trial in the state of Maryland, in a case called State v. Herrera, uh, as recently as March of 2025. Correct. Correction. It's an attempted murder.
Attempt, attempted murder, and, and in that, um, particular, uh, case, you had, um, attempted to offer various opinions to the court, correct? I object. Um, you have to move along from this case, from what you're talking about, you have to move around, along, from that Maryland case. So with regard, um, do you recall, uh, another case, um, from the state of Massachusetts, the Arrington case, uh, in which you submitted a, uh, a pro se amicus? Do you recall that case? I do. And is it correct that in that case you submitted, um, arguments on behalf of the prosecution in that case? I submitted an amicus brief, which is not on behalf of anybody. It's as a friend of the court. Right. But the friends of the court, you took a position in that, quote, "friend of the court" brief. Correct. Uh, took a position on the evidence. Right. And, and you, the position you took on the evidence was that the frequent location history data, uh, is, uh, reliable and should be used. Is that correct? The statement is that frequent, I do not have that, that amicus in front of me. It has been a year and a half since I've read it. Um, but that amicus does discuss frequent location history records, and I want to be clear, it speaks to both bias on both sides, and negative and positive, of, of submitting it. It was an unbiased writing, and it was not specifically in support of a prosecution. So, um, you are testifying in this case on behalf of the prosecution, correct? In this case, I was hired by the prosecution. That is correct. And, and the prosecution is paying you for your services in this case. Is that correct? Yes. And, uh, with regard to this case, you have been paid and have been on this case since May of 2023. Correct. That is correct. With regard to the various reports that you have submitted in this case, you have mentioned one which is a report with regard to the iPhone of John O'Keefe. Is that correct? That is correct. And you have, in that report, you have, um, made a statement, have you not? That from 12:20 a.m.
on January 29th of 2022 and after, there is no indication of interaction with the device. Is that correct? There is no indication of user interaction with the device. There is all received, until about 6:04 a.m., when there is again, uh, Apple Health data that picks up. Well, I'll ask it again. The, and, and you can feel free to turn to, um, page, uh, 1529 in that report. Page 15. Page 15, 1529. The pa, the, the report is, would you like the page of the report or the page NDA number at the bottom? I can do either way. Oh, I'm sorry. I'm sorry. I, I thought you were saying page 15 in the report. No, no, it's NDA 1529, or page seven. Whatever way, it is page seven. Okay, Roger. Okay. So, page seven, you see there's a heading, Interactive Phone Activity. Correct. Yes. And at the top it says, using a variety of different artifacts, we can see active interaction with a mobile device up until 12, yeah. You have to slow down. Okay. Sorry about that. I'm just trying to move it along, but I will be slower. Um, I'll repeat. Using a variety of different artifacts, we can see active interaction with the mobile device up until 12:20 a.m. ET. Do you see that statement? Yes. And then if you skip down, I'm going to skip a couple sentences, to the paragraph under the chart. This is the key part. Okay. It says, from that point, and I'm understanding that point to be the 12:20:50 a.m., correct? You need to say yes or no. I'm sorry. There is no indication of interaction with the device. Did I read that correctly? That is correct. So I am going to, um, and you believe that statement is correct until 6:08, 6-something a.m.? I'm, I'm sorry. I'm just asking if that statement is correct. Not if you have other information, but is that statement correct? I object. Can you answer that? Can you answer that? Yes or no? Did I read that correctly? You read it correctly. Yes. Thank you. If we could, your honor, have a document that is put up already in evidence and publish Exhibit 39. Okay. And it will be, thank you.
And if we could go to, uh, slide 82, please. And Ms. Hyde, if I could draw your attention to the entry that is, it says 00:32:09 under app lock, but we know that the 00 is, is a 12. So, it's 12:32:09 a.m. on January 29, 2022. And I'm going to read what it says in red. And this is, um, uh, a timeline of, of Mr. Whiffin. You know Mr. Whiffin? I do know Mr. Whiffin. And so he put in red, not us. He said, device locked with lock button for the last time. Do you see that? I do. And you know that to lock a phone, you actually have to hit the side button, with regard to an iPhone, to make it locked. Do you know that? Yes, sir. Okay. And that is an interaction with a phone, is it not? I concur. So that means that that interaction with the phone occurred at 12:32:09. Correct. I did not review that specific artifact. I cannot attest to Mr. Whiffin's exam, only to my own. So, um, do you have any reason to believe that what is in evidence in this case that Mr. Whiffin has produced, and that you, do you have any basis to contest the fact that the device was locked with a lock button for the last time on the phone of John O'Keefe at 12:32:09, as you sit here? I cannot contest it, because I do not recall looking at that specific artifact. Don't you think it would have been appropriate to be accurate, as a digital forensic analyzer, on the topic of the last of, of an indication of interaction with the device? Don't you think it would have been appropriate to look at that, um, 12:32:09 in any of the tools you said you used on direct? I did not correlate that artifact in my timeline. I, I understand you did. And in my question is, you make a statement, well, let me back up. You do, you understand that in this case, as in many cases, that matters of seconds in activity can be determinative of a case. Do you understand that from your experience? Absolutely. So it's important, therefore, to get activity right, in any, for any data forensic examiner, when they're issuing reports about activity, particularly of a decedent.
Is that important? Absolutely. So isn't it correct that the statement that you make on page seven of your report, that from that point, 12:20:50, there is no indication of interaction with the device, is incorrect? I cannot make that without going back and reviewing and validating the artifact you just produced from Mr. Whiffin, and I would need to validate that in order to respond to that. But as you sit here, you have no basis to contest what Mr. Whiffin has stated, that there was a lock button on the side of the phone of Mr. O'Keefe a full 12 minutes after you say there was no interaction with the device. Is that correct? I don't. I would have to review that portion. Is there anything that had prevented you from reviewing that in that data before you wrote this report? Not that I can think of. I, I would have to go and re-review that. My question is, I don't know if that artifact, I have not reviewed that artifact. So I cannot speak to an artifact I have not reviewed, and I did not, that is not my report. That's Mr. Whiffin's report. So I cannot speak to that without going back and reviewing that evidence. Isn't the interaction with the device lock button readily available to you in the data that you have and had in your possession when you wrote this report? Yes. Thank you. If you could please turn to, in the same report, page 1528, which is your page number six. And I just want you please to go to the, just put a, a placeholder in that. And if you can now just go to the conclusion, which is your page 50. Let me know when you're there. I am there. So, in the conclusion, you state that starting at 12:01 a.m. on January 29, 2022, the mobile phone was in use, with activity of Waze navigating to 34 Fairview Drive, Canton, MA, active interaction with the screen, steps, audio playing, text messages, and calls until 12:31 a.m. PST on January 29, 2002. Did I read that correctly? Yes. That statement is also incorrect, isn't it? On what basis?
I, I, do you believe that statement is correct or incorrect? I believe that the statement is correct regarding those artifacts that are mentioned in that statement. Yes. Okay. If you could please, if you could turn to page 1535 of the same report. Can you give me my page number, please? I, I will. I just, you're welcome. If you could turn to your page 13. 13. Roger. Yes, I'm there. And do you see an entry that says 12:31:56, which is the same time in the conclusion, but I'm going to develop it. I, I believe, I believe I know where you're going. That, hold on. I'm sorry. I need to ask the questions. I, I appreciate you looking to help, but if I could, I'd appreciate it. Absolutely. Thank you. So, it's got health steps, and it has steps 36, duration 20.9, or 20.398, seconds. Did I read that correctly? That is absolutely correct. So, if you look at this data point in your report on page 13, the steps began at 12:31:56, but they ended 20.39 seconds later, at 12:32:16. Is that correct? That is correct. So therefore your statement in your conclusion, if you could go back to 50, and this is in your conclusion, your statement there is that the steps, um, the, the mobile phone is used with activity, and including steps, until 12:31 a.m. EST. That should read until 12:32. Correct? It depends on your interpretation of interaction. As a user is walking, they're not actively interacting with their device. It's their movement that is. It's not direct interaction with the screen. But I, I would, I would agree to your view that that could be interpreted as needing an additional 20 seconds. Isn't the more correct way to state the conclusion that the, the active interaction, when it comes to steps, is not calibrating using the screen, but the, the phone is calculating steps taken? Isn't that correct? That is correct, but that's not interactivity with the device. I understand, but the, the sentence reads "include steps," and the more accurate way to have stated that would have been to put 12:32:16 instead of 12:31 a.m.
Correct. Uh, I'm sorry, you just said 12:30. I did this to the minute, not to the second. Could you rephrase what you were citing? I'll state it again. I appreciate that. You're welcome. So, isn't the more correct way to state this important data point in your conclusion, instead of saying active interaction with the screen and steps, etc., until 12:31 a.m. EST, the 12:31 should be 12:32, because the steps that you have on your page 13, by what you concede is the duration of 20, would have brought it to 12:32:16? Correct? I would state that depends. I believe either is a correct way to state that, based on interactivity, based on your interpretation. Your definition is more correct. Okay, thank you. And it's not my interpretation. I'm reading from your report. Correct. Your interpretation that 12:32 is a more correct representation of interaction is based on your theory that interaction concludes when the steps end. And I'm saying both would be acceptable. Okay. So, last follow-up on this. Sure. Isn't it correct that it isn't my theory when the steps ended? If I could just finish, because if we talk over each other, the stenographer is not going to get both of us. Thank you. So, it's not my theory. It's just the simple math from an entry you've made on page 13 that the steps began at 12:31:56. They ended 20.39 seconds after that, which, just doing the simple math, is 12:32:16. Did I do the math correctly? That is correct. I am not debating that. Thank you very much. So now what I'd like to do is to go to page 1528 of your report. Do you have my page number for that? I'm sorry. Yes. And I appreciate that you go by page number. So I center in on the lower one, then I'll go immediately to the one. So it's your page six, Miss Hyde. Thank you. You're welcome. Just let me know when you're there. I'm there. If you could please go to Apple Health data, steps. Mhm. And we've been talking about steps because they're important enough that you put them in a report.
Correct. That is correct. So let's go to an important data point, therefore, in your report, in the chart, which is the second entry, which is, as you've stated, 12:21:10 a.m. Do you see that? I do. And you note under the data that John O'Keefe's phone registered 80 steps at 12:21:10. Did I read that correctly? You did read that correctly. And those 80 steps constituted 191.253 seconds, as you state. Correct? That is what is stored in that database. Correct. And is my math correct, so that the jury understands this perhaps a little better? Sure. That 191.253 seconds equals 3.2 minutes, approximately. Yes, approximately. I'm doing the math in my head, so that's why I said approximately. Understood. Um, so am I reading this entry correctly, that you're stating what the data shows, that 80 steps were taken by the phone, whomever had the phone of Mr. O'Keefe? There were 80 steps taken at 12:21:10 a.m. on January 29th, 2022, for a length of time of 3.2 minutes. That is what the phone registered. That's what the phone registered. Very well. Now, what I'd like to do is to turn to the phone of Jennifer McCabe. Okay. And that is... for your reports, you don't date your reports, so I can't give you a date, but it says it's report three, I believe, is what exactly. It's three, and there is... bear with me. I'm accommodating your page reference and I'll have it soon for you. It is your page seven, and let me know when you are there. I am there. Are you aware of an issue regarding the time of an interactive phone activity on Jennifer McCabe's phone at 5:07 a.m.? Are you aware of that issue, and particularly a communication to a person named Coco? Are you aware of that? I would need to check in my report. May I turn to the page? Absolutely. For that time, I do see an outgoing call to someone labeled Coco at 5:07:21 a.m. And you can tell that because in your report on page 11, you list a 5:07:21 a.m. call to a Coco as outgoing. Correct. Correct.
Have you discussed that call with any member of the Commonwealth? No. And again, this call is at 5:07 a.m. on January 29th of 2022. Correct. That is correct. There is no duration listed for that call. And if you just follow my questions, if you can, yes or no. Is that correct? There's no duration yet listed. Correct. So what I want to do is to also note that that omission is not the only omission of durations from this report. Or I'll state it differently. Let me withdraw that. There is no population of the duration column for any call from 1:24:30 a.m. on January 29th, 2022, all the way through this 5:07:21 call. And you don't start listing durations until 8:59:34 a.m. Is that correct? Yes. And explainable, the artifact. I understand Mr. Brennan can handle those on his redirect. Absolutely. So there's not a population of duration of calls after numerous early calls and phone, as you call it, interactive phone activity. Nothing populated in this report until 8:59:34. That's correct. Yes. All righty. Now what I'd like to do is to turn to the 2:27:40 artifact that was the subject of much discussion on direct, and I am going to refer to that as an artifact. Is that a parlance that is familiar to you? Yes. And if I refer to that as a timestamp also, is that a parlance that's familiar to you? Absolutely. So I can refer to 2:27:40 as a timestamp, and you would find that parlance acceptable. Yes. Thank you. So I'm going to do that just to keep it simple. I would refer to it as a timestamp. Now, you've been on this case working for the Commonwealth since May of 2023. Correct. May 4th, 2023. That is correct. So you've been on this case for 2 years, correct? Not actively the entire time, but you started on this case in May 2023. You issued a report in May of 2023. Correct. Correct. You issued a report in December of 2024. Correct. Correct. After being rehired in November, right? And you issued more reports in 2025. Correct. That is correct.
So all of that activity has been on this case. Correct. All on this case. That is correct. And that's been all on behalf of the prosecution. Correct. That is correct. None of that work has been done on behalf of the defense. Correct. That is correct. So let us now go to the timestamp of 2:27:40. Your opinions on what is the meaning of that timestamp have varied from May of 2023 until today. Is that correct? No, that is incorrect. Let's cover that issue. Sure. Let's turn to your May 2023 report. Isn't it correct that the report and your findings were pursuant to a request from Detective Lieutenant Brian Tully? Correct. And how many interactions have you had with Detective Lieutenant Brian Tully on this case, approximately? I really don't know. I'd have to go look back at email and call logs. Is it more than five? Yes. Is it more than 10? Yes. Is it more than 20? I don't know. So, somewhere between 10 and 20. Would that be fair? Again, I'd have to review my call logs. I'm not going to test. More than 10. More than 10, I'm sure. So the issue was your use of various forensic tools that revealed a 2:27:40 a.m. timestamp on January 29, 2022. Is that correct? Is that a fair characterization of an issue you looked at? Correct. So, if you could go to page five of that report, and I would ask that you go to the last paragraph that starts with "In the instance of the Google search," and let me know when you're there. I'm there. So it reads: "In the instance of the Google search 'house long to die in cold' that was recovered from the write-ahead log associated with the BrowserState.db SQLite database with the timestamp of 2:27:40 a.m. was marked by Cellebrite as having this timestamp and being deleted." Did I read that correctly? Fair. Yeah. So you used the words that that Google search "house long to die in cold" was associated with the timestamp of 2:27:40 a.m. Isn't that what your words are in this report? In that database they are associated. That is correct.
Right. And in terms of page three, if you could go back, of your report, under relevant findings. Mhm. It starts with "There were two searches of interest that took place on the iOS device." And we're talking about Jennifer McCabe's device. Correct. The device that was identified to me as Jennifer McCabe's. Yes. That's identified to you as Jennifer McCabe's. And it's what you talked about on direct examination as her device. Right. It's not a mystery as to whose it is. It's not like you don't know. Right. In direct, I also used the phrase "identified to me as Jennifer McCabe's." Right. But your conclusion is the device you've been working on and analyzing for two years is the device of Jennifer McCabe. That is how it was identified to me. Did you have a different conclusion as to whose device it is? I always am very, very careful that I do not... as I did not assess the ownership. But that was information that was given to me, not information that I personally assessed. So are you uncertain as to whether the device you've been working on for two years is the... The device that I have been working on for two years is the device that was identified to me by the Massachusetts State Police Detective Tully as belonging to Jennifer McCabe when I began working and received that device, as stated in the evidence analyzed section on this same page. So, let's go. And we're talking about, again, to get back to the center of gravity, we're talking about a timestamp of 2:27:40 a.m. Correct. That is correct. And when you issued your first report in May of 2023, the timestamp you were looking at was 2:27:40 a.m., January 29. Correct. I was looking at multiple timestamps associated with the same two searches. Right. So what I'd like to do... you said multiple timestamps. What times are in the multiple category? What I was tasked to do was to look at the times associated with the search, the Google search history.
I'm sorry, not Google search history, the Safari history, which includes Google searches associated with those two search terms within that 12-hour period. That was the particular task, not the task of looking at the 2:27, just for clarity. Right. And I appreciate that, but my question wasn't that. My question was, I thought I heard you on direct examination, which is why I repeated the question, what I thought I heard on direct, but I'll ask you the question. Sure. You looked at and talked about on direct two potential times for a Safari search, which includes Google, one of which was 2:27 and the other one was 6:23 a.m. Is that correct? I analyzed the meaning of those two timestamps. Right. So, we're just talking about two times, 2:27 and then 6:23. Is that correct? So, you are only talking then about the one that... we're also talking about 6:24 a.m. Okay. So, Eastern time, for clarity, because some of these records are in UTC, some are in local. Fair enough. So, you've got 2:27:40, you've got 6:23, and you've got 6:24 that you were looking at. Correct. Uh, there are other timestamps that exist in the realm of what I was looking at, but those ones, correct, are the ones that are relevant in this report. Exactly. And that's what we're talking about. We're just talking about this report. Yes. And so if you look under relevant findings, at the very bottom paragraph, you say, secondly, a Google search for "how long to die cold" at approximately 11:23 a.m., and then "how long to die in cold" took place at 11:24. That is in UTC. I apologize for not having the timestamp format there, but that is the UTC time. The UTC time equivalent in Eastern local time would be 6:23 and 6:24. So to be clear, in your report, you wrote 11:23 a.m. and 11:24, and you didn't put UTC next to it. Correct. They should... you are correct. That should say UTC. That is a typo. And there's a significant difference between 11:23 and 2:27:40. Correct. Uh, 11:23 is in UTC.
So its equivalent in Eastern time would be 6:23. The artifact of 2:27 is already in local time. So that is in Eastern time. So what we would be comparing is 2:27 and 6:23 and 6:24, to be appropriate, taking into account the data storage and which ones are in UTC and which ones are in local time. I understand your explanation now. Perfect. But in this report there is no UTC time down. You have two additional times, in addition to the two times, two different numbers added to the two. Correct. The UTC was a typo. It should say UTC next to those. And the chart shows all of those artifacts in EST and is clearly labeled that they're all in EST. So, you would agree that it's better stated to state it a different way than you have in your report. I would say that both are equivalent. I should have had UTC there. Um, but yes, it's easier for the audience to speak in EST. I would say forensic examiners typically communicate in UTC, but we translate for our reports, and I should have either communicated that in EST or included UTC. I will definitely concede that. So in terms of your May 2023 report, your first report in this matter, yes, you on page five, Mhm, in the sentence underneath the block paragraph state, "In the instance of the Google search 'house long to die in cold' that was recovered from the write-ahead log associated with..." That's correct. "...the BrowserState.db with a timestamp of 2:27:40 a.m. was marked by Cellebrite as having this timestamp and being deleted." Did I read that correctly? You read that correctly. Now, let's move ahead to page seven of your report. Mhm. Up at the top, above conclusion. Importantly, at this time, you state, "Testing shows great inconsistency with timestamps parsed from this file. It is, however, definitive that the page existed in a tab." Correct. "While a definitive reason as to why the timestamp is listing the time of 2:27:40 is unknown," Mhm, "the time is inconsistent with the timestamps associated with the same search." Did I read that correctly?
You did read it correctly. So, as of May 2023, you said the definitive reason as to why the timestamp is listed as 2:27:40 is unknown. Correct. I'm just asking, is that what you wrote? Unknown. I believe that the wording here is... sorry, I do use the word unknown. It says, "while a definitive reason as to why the timestamp is listing a time of 02:27:40 is unknown." Sorry. So you used the word unknown, your word, in your report. Yes. Okay. So now what I'd like to do is to go on to the first proceeding in this matter. Do you remember giving testimony in a proceeding about a year ago under oath? Yes, I do. I am now going to go to that testimony, and if at any point you would like to have a copy of that, if your honor would like, I will do it, but I'm going to start and then we'll see how it goes. So bear with me a moment. Do you recall in that testimony stating that you processed the image in several forensic tools, "I use Cellebrite Physical Analyzer," and then you list many other tools? Do you remember giving that testimony? We have a page? I'm sorry, Mr. Brennan. I thought I'd given it, 112. My apologies if I didn't. It's June 14, 2024, page 112. Thank you. You're welcome. So, do you recall giving testimony about the various tools you used for this timestamp? I do. And do you recall stating that those tools were commonly used digital forensic tools that are very standard? Do you recall that? Um, I'd have to see the wording that I used at that exact time. Would it be helpful to refresh your recollection if I showed you that? It would be great. I would greatly appreciate that, because I do not recall the precise wording, but I know the tools I used for you. May I approach, your honor? Yes. Mr. Alessi, you offered a transcript. Do you have the whole transcript? I have the whole transcript, if that helps. It might speed things. Agreed. Okay, I'll... we have one. I'm going to give you a transcript. Thank you. I appreciate it.
So, may I put on 112? Is that... turn it over. It's going to be 112. Okay. You're welcome. Thank you so much. And you said we're on 112. Yes, please. Uh, 113. I see it. I see it's highlighted on the copy. So, I figured what I wanted to do, the reason I said 112 is that's where I started with my previous question. So, I'm not going to repeat the question, but just to orient you so you have a fair context for the questioning. Fair. So, I started at the bottom of 112. Now, I'm moving to 113 and I'm starting with line seven. Do you see that? I do. And it says, "Yes, they are commonly used digital forensic tools that are very standard for other forensic examiners to use on mobile exploitation." Did I read that correctly? That is correct. And then if you go down to line 22, you testified in that proceeding, "So it's important to use multiple tools so you can see the results from different tables, different data sets, and be able to compare those results and enhance those with manual analysis." Did I read that correctly? You did. That's correct. And then going up to page 114, line five. Slow down a little bit, Mr. Alessi. I will, your honor. Thank you. "Yeah, that's very, very typical for me to process with multiple tools to ensure that I'm getting the most complete interpretation from forensic tools. Of course, you go beyond that with your analysis, but it's absolutely pertinent to that." Did I read that correctly? That is correct. And then lastly for this section, at page 114, line 17, "The Sanderson tool is meant to look at a specific type of data structure called the SQLite database. SQLite databases are very nuanced, and this particular tool allows you to take that database and explore it at a deeper level than the other forensic tools allow." Did I read that correctly? Yes, you did. Thank you.
Now, if we can go to page 124 of the very same testimony, and feel free to go back a page, just so you can see, to page 123, that the topic is the 2:27:40 timestamp associated with "how long to die in cold." Can I have a moment just to review and get context? Absolutely. Thank you so much. Page 123, line 13, but if you need to go back further, feel free. Okay, I'm good. Thank you. You're welcome. So, what I want to do is start with page 123. And this is your testimony on line 16. Mhm. "I have them in the timestamp order that is associated with the artifact." You used that word associated again. Correct. Did I read that correctly? Yes. And that's associated with the Google search "how long to die in a cold" and a 2:27:40 a.m. timestamp. Correct. That is correct. Now, if you turn the page of the testimony, you state back then, on page 124, line one, "The BrowserState.db is an artifact that speaks to when tabs are moved. So when you're using your browser and you open different tabs, you may have a search... this time pertains to the time that the tab moved. It could be lots of things." Did I read that correctly? You did. Not one thing. You said it could be lots of things. Correct. That is correct. And then you go on in line 10 and you talk more, and then you go down to the bottom. You go down to line 20 and you testified, "We cannot tell by this particular artifact what time that search occurred." Did I read correctly that, specifically pertaining to that particular artifact, the BrowserState.db, that does not tell us what time a search occurred? That is correct. Right. So you stated, and it was your statement then, "We cannot tell by this particular artifact what time that search occurred." Correct. That particular artifact. Okay. So now let's keep going. Mhm. If you go to page 129 of this transcript... I'm there at the top. Sure. Line one: "2:27 isn't necessarily one time when the tab was closed. That's in my report. I say it's undetermined."
Remember, we were just reading your "undetermined" in your May '23 report. Correct. "Because there's a lot of things that can cause that timestamp to be there, including tab being moved, tab being minimized." The next sentence: "I don't know exactly what caused the tab to get that particular entry, but it's not... that timestamp is not indicative of the time of the search or any URL that's visited." But the first part of it is, "I don't know exactly what caused the tab to get that particular entry." Did I read that correctly? You read 100% correctly. Thank you. Now, if we could turn to page 130 of your testimony. I need to object. I'll see... Thank you for your patience, Miss Hyde. Absolutely, sir. Uh, what I'd like to do is to go back to your testimony in the first proceeding, and we can go back to page 130. I am there. Thank you. So, I am going to go back, just because there's been some time, and give some context. So, we're talking about the 2:27:40 a.m. timestamp, correct? At this page location. We've been talking about that for several pages. Yes, that's correct. You're absolutely correct. We've been talking about it for several pages. And bear with me. I think this may be either the second to last or the last. So there you testified, with regard... this was when you were referring to an artifact. You've agreed that timestamp is a fair synonym. You say on line five, "That means it wasn't in the regular database. It was in the write-ahead log. And to Cellebrite's credit, that tool actually parsed the write-ahead log and displayed it where the other tools did not." So am I correct... did I read that correctly? Number one, you read it correctly. So, am I correct that here what you're stating is Cellebrite was actually showing the 2:27:40 a.m. timestamp at that time, during your testimony in the first proceeding on that date? That is correct. Yes. Okay. So, I just wanted to establish that.
And you were giving Cellebrite credit for actually showing that timestamp of 2:27:40 at the time of your testimony back in June of 2024. Correct. That is correct. Okay. So now let's go to page 136. 136. You said 136. Yes. Thank you. And on line 12 you note that, "So Cellebrite and Magnet Axiom," Mhm, and then you elaborate, "both Cellebrite Physical Analyzer," which is a specific tool, right, of Cellebrite, "and Magnet Axiom," another specific tool. Correct. Correct. "Both have file system viewers that then have SQLite database viewers." And, skipping down to line 17, you talk about, "they don't allow for deep analysis of the write-ahead logs, which is why in my analysis I used the specialized Sanderson Forensic Browser for SQLite." Correct? I read that. That is correct. So, is it fair to say that what you did up to this point in June of 2024, with regard to the 2:27:40 a.m. timestamp on January 29, 2022, you applied a variety of tools to analyze the issue of when did the Google search occur, that you use the words "associated with," a Safari Google search "house long to die in the cold"? There's a little bit of wording I would correct there, if that's okay. Right. But so let me see if I can ask the question a different, more simple way. Great. Thank you. You're welcome. So you used a variety of tools to analyze that "house long to die in the cold" search. Correct? Plus manual analysis and testing. Yes. Plus manual analysis and testing. All righty. Now let's leave the testimony. Okay. And let's go to your next report. And your next report is December 2024. Do I have the chronology correct, miss? That is correct. So in December of 2024, just approximately six months ago, you issued another report. Correct. That is correct. And you got the request for that report also from the Norfolk District Attorney's office. Correct. That is correct. And you state... well, that report regarded the analysis of the same timestamp. Correct. Correct. The 2:27:40 timestamp.
And in that report, under relevant findings, you state... and this is December of 2024. So from your May 2023 report, it's approximately a year and a half. Is that approximately from your May '23 report? Approximately a year and a half. Yes. So a year and a half after what we just reviewed in your May '23 report, and then just months after the testimony of June, right? So about six months after your new testimony that we just went through, you went and looked at this issue again. Correct. That is correct. And isn't it correct that when you were asked to look at the same timestamps in December of 2024, that Cellebrite removed the timestamp from their tools? Cellebrite did remove that timestamp from the tool. That is correct. Okay. And that timestamp was the subject of extensive reports and testimony that you participated in in the first proceeding. Correct. That is correct. And even though that timestamp, 2:27:40 a.m., that showed up in Cellebrite's tools, Magnet Forensics Axiom showed up... that was removed by Cellebrite. Correct. Cellebrite no longer reports it. The evidence is still in the data. I want to be clear. Just that it doesn't change the data. They just removed it from their automated parsing and reporting. Right? So they removed it from their automated parsing and reporting. Correct. Yes, they did. That is correct. However, your former company, Magnet Forensics Axiom, still shows it. Magnet Axiom currently shows it as a carved artifact, and still shows that and gives a description in their artifact reference guide as to what they believe causes that artifact. I'm going to ask the question. Yes, it does. Magnet Forensics, where you used to be the director of forensics. That is correct. Still shows that timestamp. Correct. Yes. Yes. But Cellebrite doesn't, in the automated... That is correct. That is correct, in their automated parsing.
And you would agree that Magnet Forensics is a very reputable company. Correct. Correct. Let's go back to your December 2024 report. Do you recall, just moments ago, when we went through your testimony in June of 2024 in the first proceeding, where you stated various times how it was, I'll use the term, best practices to use multiple tools to analyze the timestamp? Correct. And you used many tools back then to analyze that timestamp. And you testified to those many tools on your direct examination. Correct. Correct. Yes. However, in December of 2024, when you returned to analyze the 2:27:40 timestamp, how many tools did you use to analyze that timestamp? Can you give me just a number? How many tools? At least four. Well, in your report, let's go to your report. What your report says. Mhm. So, in your report, you state, under relevant findings, do you not, that review of data from Cellebrite shows that the artifact of a Google search from a Safari suspended state tab with a search term "house long to die in cold"... and I'm going to skip over "in addition to my own previous report"... no longer shows a last visited timestamp. I think that that is not clear. The skipping there makes it sound like my report no longer shows that, and that's not what... That's a fair statement. That's a fair statement. Let me rephrase it this way. You're welcome. In this report, you speak about Cellebrite release reports. Correct. Are you referring to the Cellebrite release notes that come out? Release notes at the bottom, right? You refer to that. That's correct. And that release note states that Cellebrite has removed the timestamp value from records, and I'm assuming that's a reference to Cellebrite's... Cellebrite no longer parses that result. That is the statement in this report. Correct. Right. And so I'm going to go to page four of your report. For sure. I'm there. And I'm going to go all the way down to the conclusion.
In that report, is there reference to any company other than Cellebrite in this entire report? Is it in this report? No. Okay. Thank you. Now, let's go to your prior testimony in the first proceeding, where you said that it was important to use multiple tools. Absolutely. Do you still stand by your position that you've given today and that you gave in June, that it's important to use multiple tools? Absolutely. Now, let's go back to the issue of the extraction of Jen McCabe's phone. And what I want to do is to cover a concept and see if I've got this correctly. Are you familiar with the phrase Apple source codes? I'm sorry. Can you please repeat? Absolutely. No worries, sir. Um, are you familiar with the phrase Apple source codes? Apple's source code. Absolutely. Yes. And isn't it a fact that Apple keeps its source codes proprietary, meaning very few people have access to it? That's correct. Closed source is the term we would use. Closed source. That would be the term of art. Correct. And they keep it so close that they call it closed source. And it's not just Apple. Lots of tools are closed source. That just means that the code isn't available like it would be for the tool I mentioned earlier, ile. That's an open-source tool. Anyone can look at the code. For Apple, we cannot go look at the code that makes your phone run. That's correct. And isn't it the case... and I referred to that as the MB postulate? It's a shorthand, but I don't need to have you refer to it that way. I'm sorry. Could you repeat that phrase? I was unfamiliar with it. I'm going to skip it. I'll just go on. Basically, the concept that Apple has source codes that are closed source. So, I just refer to them as Apple's closed sources. Wouldn't the best information about when a search occurred, what it's associated with, wouldn't the best information be in the Apple source code to answer that question?
It is acceptable in digital forensic science, and in accordance with the NIST science foundation papers, to conduct testing to determine how the functionality of something works. You do not need access to the source code to be able to speak to an artifact. My question isn't that. My question is, isn't the best place, one of the best places, to go is to the Apple source codes themselves? Or are you saying these physical analyzer tools are just as good, and the information they pull is just as good as an Apple source code? Those are very incongruent statements. Apple source code is not a healthy way to do an examination, because it would be so onerous, and we do not know the level of documentation. We don't know the language. That is not necessarily the most effective way to determine what data is. Forensic tools parse results of how data is; they don't interpret them. The examiner interprets them and provides meaning. And I would like to state that those three things should not be conflated. They are very individual concepts. I think you misunderstood my question. I probably did, because that's what I was seeing. My question is this. Isn't the best source for information about data in an iPhone contained within Apple source codes? Not necessarily, because that doesn't perform... operational performance is a better source in a practical sense to being able to determine what something is, as opposed to zillions... and no, I don't know the number, because it's closed source... lines of code that may or may not have different levels of documentation. Apple themselves wouldn't be able to... any individual there who has access wouldn't know every feature of how every element works. Testing through the methodologies described in NIST is the accepted methodology in our science, not reviewing the source code. I'm going to try it a different way. I understand what you're saying is, if I got it correct, you correct me.
Are you saying that these physical tools make it easier to interpret and view the data? I did not speak about the tools at all in the statement I just made. I spoke about manual testing and checking the functionality and what results. Parsed tools, again, these are three separate concepts. The concept of code, and actually reviewing code to make a determination, is different from parsed tool results, is different from doing testing and validation. Those are separate concepts. They should not be commingled as if they equate to each other. So, have you ever spoken with Mr. Whiffin? Ian, I have spoken with Mr. Whiffin historically, but not since the term of this trial. Okay. Have you ever spoken to Mr. Whiffin about whether the Apple source codes are the best source of information about topics like timestamps? Have you ever spoken... I have not had that conversation with Mr. Whiffin. No. Okay. All righty. I want to move on to... and do you regard Mr. Whiffin as a reputable... Mr. Whiffin is a reputable forensics examiner, and I've actually reviewed his work in other instances and peer-reviewed his papers. So you have regard for his reputation. We have to wait for each other to talk. It's all right. No worries. So you have regard for the opinions of Mr. Whiffin generally. Correct. Absolutely. Yes. And you believe he has a solid reputation. Correct. Absolutely. That is correct. Now, let's turn to the History.db database. You are familiar with History.db? Are you familiar with that phrase? I am familiar with that phrase. Okay. Do any of the "house long" searches appear in the History.db? In this instance, no. We do not have artifacts in the History.db of either of those two searches. So I want to just repeat that in a different way. So the History.db, is that considered a valid and valuable source of information in an iPhone? That is a valuable artifact for Safari history.
That is correct. But the houselong searches we've been discussing do not appear in that history DB, do they? That is correct. You spoke about PyFPDF on your direct testimony. Do you recall that? I do. It's the Python framework for PDF. It is a GitHub tool, a tool one can download from GitHub to utilize to create PDFs using Python code. So a developer in a tool would integrate that to create a PDF. And and the PyFPDF can have the variables set. Correct. Um yes. The Python script allows the developer to set things such as their name that they created the document. Yes. I want to go to the extraction of Jen McCabe's phone that you talked about on direct examination. Is the hash value signed or unsigned? A hash value isn't signed. I believe your question you're asking me is if the Adobe document that contained the PDF that contained the hash values. Are you asking me if that's signed? Because a hash value is something that matches. A hash value isn't signed. Let me ask it this way. Is there any hash value associated with Jen McCabe's phone that is unsigned? That is not a valid question. I apologize. We don't refer to hash values as being signed or unsigned. We would refer to the PDF that it's that contains that value as being signed or unsigned. Have you ever read a report of Mr. Ian Whiffin uh in this case? I have, but I have to be clear. I have not read all of Ian's reports. I've only read some, so I don't know if I read some of his earlier reports. Do you recall reading a report of Mr. Whiffin where he references a hash value being unsigned associated with the iPhone of Jennifer McCabe? Can I see said report so I can validate if I did or did not? I'm I'm I'm not sure based on just that because I wouldn't I wouldn't use the term hash value being signed. I did see a report in which Mr. Whiffin spoke to the PDF not being signed. I'm just want to try to shortcut this and work off your last statement. You're now saying you do recall seeing a report of Mr. 
Whiffin where he said a PDF was unsigned. I I need to see I do remember him referencing the PDF. I would need to see the report. Um especially since the characterization of hash value being unsigned is not a term of art that I am familiar with in our field. Let me ask if you agree or disagree with this statement. This value can be used to compare with the original hash calculated at the time of extraction in order to validate the extraction data. However, this requires authentication of the original hash value which is not possible with GrayKey extractions as the PDF containing the extraction hash value is unsigned. Therefore, this hash value could be used as a suggestion of authentication, but cannot be guaranteed 100%. Do you agree or disagree? His statement there says the PDF is unsigned, not that the hash value is unsigned. Right. But but it's nonetheless unsigned. Correct. The PDF is not signed. That is a correct statement. GrayKey PDFs that purport that value are not an Adobe signed document. Do you know the history from the of the extraction of Jen McCabe's phone? It's yes or no. Can you provide more clarity? What do you mean? Do you mean do you mean from the time the image was made? Do you mean from the time the device was received? Because I don't know the information pertaining to the receipt of the device into evidence and then when the I only have the documentation of the image forward. So I I want to be clear about what period we're talking about. It's an excellent point and I am going to follow up with some questions. Okay. In an extraction, doesn't the extraction from a phone start with the raw data, raw image? Tell you tell me when someone brings a phone in, what's the first step that gets taken in order to do a full file extraction? What's the first step? It depends. There's got to be steps with regard to network isolation. I need to know if the device is AFU or BFU at that point. 
So I don't have that information from this case if that is the the question I get from the image forward. So what I'd like to do and this may be my last section of questioning. I'd like you to describe the ideal situation is to getting the most reliable data from an iPhone from the start. What's the most reliable way to do it? I would say the most reliable way is following the recently released SWGDE (Scientific Working Group on Digital Evidence) document on best practices of evidence handling, preservation, and imaging. I may have that title slightly out of order but it is the document released uh this January and tell me what that is. Sure. Um in that the first thing from which which point are we starting? Are we starting like extracting the data using a tool or are we talking on scene um taking the device into evidence? The latter. Okay. So the first thing you're going to do is you're going to um ensure that you are isolating the device. Uh this is also going to depend on condition from the network. So typically this would be done with a Faraday enclosure in a best practice. However, there are alternative ways of isolating from the network such as disabling all of the communication protocols such as Wi-Fi, airplane mode, etc. The next step once you've isolated uh but prior you also want to make sure you're continuing battery state. So if a device is on, you want to keep it powered on. If it's off, you want to keep it powered off. That's a general statement. So the best way to do that is to attach uh a battery charger. Just like when uh you your battery runs low, you plug in a charger in the back of these battery packs. We do that with that before we put it in the Faraday bag. A Faraday bag is an enclosure that blocks signals from coming to the device. This is so a remote wipe command couldn't be sent or so that more data isn't received to the phone because phones are live and and constantly obtaining data. 
So, we're going to have it with a battery pack in the Faraday presuming it was on. Again, I don't know the status of this device. Uh the next steps are going to depend on what state that device is and what make and model that device is and what the current support for that device is. There are multiple types of extraction methods of phones. Um in the modern day on iOS, a full file system image, what we had on the devices in question in this case is considered the gold standard because it has the most robust information. Um, so at this point the next question is is what's the best image type? And that's going to depend on if we have a passcode or if we don't have a passcode. If I could and I'm going to allow you to continue. I I want to break it down for the jury. So what I now want to do, you've stopped at a certain point, but you've talked about securing what I would call securing the phone, right? And then making sure that there's no data wipes. You talked about airplane mode, Faraday bag, Faraday box, right? Do you know whether any of those protocols were followed for either the iPhone of Jen McCabe or John O'Keefe? As I mentioned, I was not there for those processes. I don't have documentation of it. As mentioned, uh what started where my receipt of the device is from the image. Exactly. So, you don't know. I can't testify to processes I did not or was not available or aware of. Fair. Fair enough. But do you have a little bit of hint as to whether the phone of Mr. John O'Keefe was properly secured in airplane mode, a Faraday bag or a Faraday box based upon your own report of the iPhone of John McCabe? Can you determine that from page five of your report? I obviously there is um data signals that are still being made and created. I believe that is what you're referring to. 
Um, so the assumption is that I don't know at which point a Faraday bag is employed, but I also want to be clear, I don't know when I I don't have information outside of the digital forensics realm about this case. So I don't know precisely when the phone was taken into custody by law enforcement. Fair. Fair enough. So assume that Mr. O'Keefe was deceased around the latest 9:00 a.m. on January 29th, 2022. Isn't there activity on that phone? Health data activity up to around noon of January 29. Health data activity would continue to be reported regardless of if the device was isolated from the network or not. Data has to do with the movement of the device. So if the device was being moved even within a Faraday bag, that data would still be populated. How about location data? Location data is unlikely to be reported in a device that is Faraday enclosed, but I do not know what location data you're referring to. So I cannot speak in absolutes without having a better reference to the artifacts in question. If you're saying it's in my report, I'll look at it. But again, I never knew when the the phone was seized, so it was not part of my initial analysis. Do I do I have permission to look at that timing? Yes. Thank you, your honor. So bear with me. It's a big report as you know. It is a big report. And it was at the bottom of my stack. Pardon me. All right. It was at the bottom of my stack. I had to lift up the other ones to find it. All right. So, your honor, may I assist in pointing her to a page? Sure. That'd be great. Thank you. If you could turn to that report on your page um 47 and continue on to page 50. I do see uh incoming data that is consistent uh with the device not being Faradayed uh such as the receipt of SMS messages uh notifications from Ring etc. So the iPhone of Mr. 
was not secured in the manner you described before we got to this, as would be the best practice with regard to getting the most accurate data from a phone, that once it comes in it's to either be put in airplane mode, a Faraday bag or a Faraday box? That's correct. By your own report you see activity? I do see activity. It was not Faradayed. Faraday prevents wiping of the device and additional data. So, actually we actually in this instance um it it doesn't appear that the device was at risk of wipe because it was not wiped and we actually have more data because we get to see the data that continued to come in to the device. I'm not saying that's in accordance with best practice. I'm saying that that's what I see based off of what you just had me reviewing the data. It sounds like you're trying to justify Oh, I'm not trying to You tell me. It sounds like you're trying to justify the fact it wasn't secured. Am I correct? No, you're incorrect. I'm just stating we have you you asked if we had more data or less data. We actually have more data, would it not be fair? But no, best practice would be to Faraday. I 100% agree. My question wasn't is there more or less data? My question was simply, doesn't your own report, your own report? Sure. Show activity up until noon on January 29, 2022. Correct. Uh and for clarity, my scope was till noon, so I don't know if there was activity beyond that. Right. But as far as your scope goes, I want to be clear. Y there is activity on this phone. Absolutely. Which shows that it was not put in airplane mode. It was not put in a Faraday bag and it was not put in a Faraday box and that failure is not best practices. Correct. It is not in accordance with the best practices. I agree. I would a Faraday. Thank you. So if I you know that's that's okay. Uh I have no uh uh further questions. Thank you for answering my questions, Miss Hyde. Thank you for your questions. Have a great day. Redirect. Thank you. Of course. Whenever you're ready. Thank you. 
You're welcome. You were asked when you began working on analyzing phones in this case and you said it was in May, was that of May of 2023? May of 20 2023. May 4th, 2023 is the email I have of a note. Thank you. Yes. It's easy to remember because May the fourth be with you. When you first were asked to begin work on this case in May of 2023, what was the catalyst for you to begin working on this? I was contacted by Mr. Tully and then contracted. ASA was signed and I began work on the initial request to look at those two search terms on January 29th. Does that answer your question? Sure. Okay. Was there a certain claim that was lodged that you were to focus on? I was to focus on the two search terms from January 29th, 2022. And would you inform why was there any context to that? Probably. I don't recall the exact conversation that I had uh with the DA's office and Lieutenant Tully at that time, but I'm I'm assuming that I was given that context. I have in my notes that I was to look at those two searches on that date and do an analysis about those. Were you asked to reach any particular result? No, I was asked to provide my report, not to reach a particular result. Were you asked to reach a conclusion that the 227 timestamp was inaccurate? No. When you engaged in your analysis, was it independent of the district attorney's office? My analysis was independent of the district attorney's office. I actually in the first case had very little communication with the district attorney's office during the period of my analysis. Was there any input from any outside source on what your result or ultimate opinions would be? No. Would you ever allow anybody to affect your input? No. Throughout the course of your efforts with this phone, have there been changes to software? Absolutely. As mentioned on direct uh software updates are near monthly. I want to ask you about changes to the Cellebrite software. You were asked about certain reports you wrote. 
Were the reports that you wrote relative to different requests for analysis? Yes. The report regarding uh report number three regarding changes to Cellebrite software. Was that report limited to the timestamp change or was it to include other efforts? The scope of that report. May I review what I have documented as a scope? I believe we're talking about report two. That's the one about the Cellebrite change. Yes. And I have the the request was to understand changes made in the newer version of Cellebrite Physical Analyzer to artifacts pertaining to the timeline of a particular Google search on January 29, 2022, namely how long to die in cold. When you looked at the Cellebrite software and report, was the timestamp characterization changed or removed? Yes, it was removed. That timestamp uh in the version starting in May of 2024. Cellebrite actually removed that and they put a release note saying stating that it was due to the ambiguity and potential for misconstruing uh the meaning of that data. Was there any other releases informing other reasons why that was changed other than the potential that somebody could misconstrue, misinterpret or distort the information? Can I read Cellebrite's own statement, please? Cellebrite's statement in to to yourself to myself. Okay, roger that. Thank you. I appreciate that. Can you repeat the question? Was there any reason other than the concern about misinterpreting or They said that uh the So what's your understanding? My understanding is that it's that it is not a reliable time stamp and that is why Cellebrite removed it. You were asked about Axiom. Axiom is it the same or different? Magnet Axiom and Cellebrite Physical Analyzer are two different tools that both do forensic analysis of mobile phones. You were asked whether Axiom still has a timestamp that was similar to Cellebrite before the change. 
Axiom shows uh what I spoke to on direct where they have it as a parsed versus carved result and so that particular result shows in the suspended state DB artifact as carved. Do companies like Axiom and Cellebrite give releases updates information about how to interpret their reports? So, Axiom actually has a document that's released with it called the artifact reference guide and that actually gives a brief description of the fields and of artifacts. Um, all tools when they release new artifacts, they put out in a release note. Um, not all artifacts are clearly documented that are parsed. However, all of the vendors regularly put out webinars and blog posts that explain their new artifacts, but not necessarily all. Is there any releases or cautions from Axiom on the same issue about misinterpreting a timestamp? Axiom in their artifact reference guide for this artifact does speak to the possibility of misinterpretation and states that the timestamp can be earlier than the search had occurred based on what different reasons could cause uh that time stamp. Let me ask you about a Faraday bag. You said that best practices is to isolate an item in a Faraday bag. That's correct. Do you have any information or did you know the travel of Mr. O'Keefe's phone that night or where it went after? I'm sorry. Can you clarify the time period? Uh on January 29th, 2022 from say 6:04 in the morning until later that afternoon. I did not have access to that information. When you analyze data from certain devices, are they always placed in a Faraday bag? Um immediately after an incident. There's a lot of times when this is situation dependent. An example of when you would not put something in a Faraday bag is when you have a deceased victim and you're going to be using their biometrics to possibly unlock the device. Um because a Faraday bag is enclosed and then can't be opened. If your intent, if you don't have the password, is to use a deceased person's fingerprint to unlock the phone. 
Um we don't want to put the person's finger in the Faraday bag. So, usually those phones would not be Faradayed, but they would typically um have airplane mode enabled or SIM card removed, but no, SIM card removed doesn't actually work on iOS, so I won't get into that. Understanding or having the opinion that this item was not placed in a Faraday bag at 6:04 in the morning. Does that in any way affect your opinions about the data that you analyzed on this phone and the conclusions that you reached um regarding Mr. O'Keefe's phone? It does not have any impact on the conclusions other than the fact that it wasn't Faradayed and more more data came in. So we have additional data. You were asked a very specific question about history DB and it was simply whether or not how's long to die in cold whether it appeared in history DB. Um that isolated question, does that provide any context to you and your analysis and conclusions about how long to die in cold and that it occurred at 6:23 and 6:24 the next morning? The absence of the history DB artifact doesn't mean that that search didn't occur at that time. We have multiple corroborating artifacts, which is usually what we look for, two artifacts uh that demonstrate is like very good. You don't necessarily need that. But in this instance, we have both from the Mobile Safari plist which tracks the history as well as the knowledgeC DB. So we do have two artifacts showing that those searches were done at that time. Of course, six seconds apart for the difference between the knowledgeC and the Mobile Safari plist. On direct examination, you were not asked questions about Mr. O'Keefe's phone. That is correct. You were on cross-examination. So, let me follow up. You have a report that you authored regarding Mr. O'Keefe's phone. That is correct. And you had an opportunity to look at the health care data for July, I'm sorry, January 29, 2022. That is correct. Page six of your report. Thank you. 
You noted that there were steps that began at 12:21:09 a.m. Is that accurate? That is accurate. And the way health care data works, do you have an understanding whether steps means a person actually took a number of steps or does it mean something else? Uh steps doesn't necessarily mean that you took a number of steps. It's based on the motion of the device. Um, so it could be steps, it could be you're carrying it, it could be that you're in some other kind of motion. You could be on a bicycle, you could any number of things. It's and the number of steps is based on the presumed gait based on the input into the Apple Health app in terms of gender and height. So it determines a gait and then prescribes a number of steps. But it is possible for other things to cause steps to occur. You were asked specifically if you saw that there were reported movement or health steps at 12:21:10 a.m. and specifically pointed out to you uh notation or characterization of 80 steps. Is that accurate? That is what's stored in the database. Um I I try to clarify as I did uh for you sir that that's what's stored in a database. I'm not saying that 80 steps were taken. And by the way in addition to the health care analysis, you did some analysis on the movement of a car, didn't you? Uh for your honor, I'm going Yeah, I'm going to deny that question. Um, can these health steps occur if somebody's holding a phone while traveling in a car? As mentioned in my report, it's caused by motion. It could be various motions that could cause it. You could be using an elliptical, you could be in a vehicle, you could be on a bicycle. It's not necessarily steps taken. Based on your analysis of Mr. O'Keefe's phone in the report that was pointed out to you on cross examination and do you have information or an opinion where Mr. O'Keefe's phone was located around 12:21:10 while those steps registered. That's beyond the scope of the class. It was pointed out to you at 12:21:10 there was a registr a registered 80 steps. 
Is that accurate? That is correct. Okay. And then you were also asked about the last health care data, the last movements of this phone and you it was pointed out that that began at 12:31:56 for 20 seconds. That's correct. Per the data in the database and that is that the last movement of Mr. O'Keefe's phone that evening before 6:04 that you saw when you analyzed the entire data in the phone. May I have one moment to review? Yes. That appears to be the last before the 6 a.m. hour. And so that 20 seconds, if it began at 12:31:56, what was the last movement in seconds in time at that time of Mr. O'Keefe's phone? I'm sorry. Can you repeat? Yes. If that was a 20 second interval at 12:31:56, what was the last second that evening that Mr. O'Keefe's phone moved? 12:32:16. Um, and then when you analyze the phone and were asked about these times, is there any movement between that last movement and 6:04:01? Between the 12:32, yes, 12:32:16 and 6:04:01. Any movement of that phone whatsoever? I do not have anything supporting that in my report. Do you know what was going on with Mr. O'Keefe's phone at 6:04:01 a.m. on the morning of January 29th, 2024 uh 22. I do not know precisely what was happening with his phone at at that at that time in terms of movement if that's or are you asking me? I'm sorry. Can you can you clarify what you mean by the question? Um the next movement after 12:32 is the 6:04, 6:04:01, correct, a.m. Correct. Do you have any information about where or why there was movement of the phone at that time? I I don't that wouldn't be inside my digital evidence, I don't believe. And the last question is um the next movement at 6:15. Do you know if that phone was being moved by somebody or somebody else? Then Mr. The phone was in motion. I do not know. It could be by a person. It could be on a rail car. I I don't I don't think it was on a rail car for clarity, but I don't know what is causing that motion at that time. Thank you very much. Follow your Thank you. 
Miss Hyde, you were asked questions by Mr. Brennan just moments ago about Cellebrite in release notes. Do you recall those questions? Yes. And did Cellebrite, beyond stating that their opinion was the 22040 a.m. time stamp was not reliable, did they give any reason at all for why they concluded it was not reliable in that? I'm sorry. We'll wait for the Thank you. I appreciate it. Yeah. And I'll repeat the question. Thank you. May I your honor? Thank you. In that release note, does Cellebrite state any reason for why they wrote not a reliable time stamp? There are other I'm sorry. My question is, do they state in the release note whether there's a reason for why they concluded? Thank you, ma'am. Thank you, your honor. Please try not to talk. Sorry, your honor. Uh, two, not asking you to read it, just asking whether or not they give any reason for the conclusion. Not a reliable time stamp. One moment. I'd like to review what they wrote. Thank you. Absolutely. You're welcome. Yes, they do. They state that further research since um is the reason that they're doing it. That there is further research. Do they state what that research is? They don't. But all right, but they're just they don't state what the further research is. That is correct. They Now what I'd like to unreliable move on to Axiom. Mhm. You were asked questions by attorney Brennan and and you referred to Axiom as using a different parlance of with a time stamp of carved. Correct. Cellebrite uses this deleted demarcation or recovered demarcation. Um, Axiom does not do that at all. They speak to how they recovered the artifact. Be it that it was parsed. When when I say parsed, I mean the item was where it was expected to be in the algorithm, found it, located it, and said it's here versus carved, which is when they have to go into an unexpected area, um, such as slack space, which would be the areas that are not yet used or were previously used to extract the data from that. 
So, Axiom actually recovers the timestamp, but Cellebrite does not. Is that correct? Is that correct? Yes. Cate currently currently previously when we did the first case, right? But currently Cellebrite doesn't, but Axiom does. Axiom recovers 2:27:40 a.m. Correct. Time stamp. That is the time stamp that they show for that artifact. Exactly. So now I'd like to go back to the uh next topic. Uh our discussion about Mr. O'Keefe's phone and secured or not. You talked about one example of maybe needing to use a biometric to unlock a phone and that might be a reason as I understand it as to why someone might not put it in a Faraday bag or box. Do I have that correct? Correct. Okay. Do you know whether the passcode was immediately provided on the phone of Mr. O'Keefe? I do not have that information. Assume that the passcode was immediately provided for the phone of Mr. O'Keefe. Can you think of any other reason why that phone wouldn't be put in airplane mode, Faraday bag or Faraday box? Best practice would be to put in a Faraday bag. Okay. Sorry. And that phone was obviously not put in airplane mode, Faraday box or Faraday bag after 6:04 a.m. on January 29th, 2022. Correct. Correct. Now, let's go to Well, it's I don't know if at some point past 12:00. My my report only goes to noon, so just for clarity, I don't know anything past noon. Fair. Fair enough. But from 6:04 a.m. until approximately noon, correct? On January 29, 2022, at least that time, that phone is not in airplane mode in a Faraday bag or a Faraday box. Correct. It would appear such um because I didn't analyze past that. Um I don't know if it had been potentially Faradayed and then it broke Faraday and got data, but I don't suspect that based on this. It appears that that data was live. But I just I just have to speak to the fact that I just don't know because I didn't go past noon. But but you're going past noon, right? I'm not okay. My question is after noon, it does not appear to be Faradayed. 
So to be clear, from 6:04 a.m. on January 29, 2022 until at least noon of January 29, 2022, the iPhone of Mr. O'Keefe is not in airplane mode. It's not in a Faraday bag and it's not in a Faraday box. Correct. Unless it was in a broken Faraday bag like they put it and it was failing. But that I Yeah, it does not appear to have been placed in a Faraday bag. All right. Well, I'm just being honest. There's a You should test your Faraday bags. They go bad. I use Dr. Cat's testing methodology, but 100% it appears to have been receiving signal for that entire period and not in a Faraday bag, which would be best practice unless biometrics were needed. So, let's now go to hopefully what are the last two two categories of questions with regard to the iPhone of Jen McCabe. Um, do you have any knowledge as to whether over 200 calls were autodeleted on her phone? You analyzed it. Can we we can see that calls were autodeleted. You're asking me if the number of I just want to make sure I understand the question. If the number of calls that were autodeleted, if that exceeded 200. My question is, do you know whether there was autodeletions on Jen McCabe's phone. I know that I I I'm uncomfortable with the term autodeletions because I don't know what that I don't know what what that is inferring. Okay. Are did you analyze her phone at all for deletions? I analyzed her phone to see if there had been deletions uh of call logs and what I found was that there were records that were removed by the system and not recoverable from that database but were recoverable from biomes. Understood. Now what I'd like to do is to address your answer in response to Mr. Brennan's uh questions where you said that the issue with regard to Mr. O'Keefe's or just generally your your proposition that there was no impact on your conclusion because more data had been obtained. Did I get that correct? I believe my statement was there was no impact on my conclusion with the fact that it had not been in a Faraday. Right. 
So isn't it though the case that when a phone's not in a Faraday and is therefore active data can be overwritten? Yes. So so if data can be overwritten when it's not in a Faraday you can lose that data. Correct. Is there data that we're concerned? Yes. Theoretically. Right. Yes. You talked about in response to attorney Brennan the 12:31:56 uh steps and you said the last according to you last movement 12:32:16. Do you recall those questions? I recall the questions. To boil it down. Isn't it correct that that phone was moving at that time? May I check the time stamp again? I apologize. There's a lot of time stamps going back and forth. Please do. 12:31:56. Is that the That's the start. Yep. Oh, yes. This this one there definitely is. Yes. Yes. Yes. So, doesn't matter what kind of movement, but that phone was moving starting at 12:31:56 and still moving until 12:32:16 a.m. on January 29, 2022. Correct? Yes. Thank you. I appreciate again you answering my questions. Thank you. All right, Miss Hyde, you are all set. Thank you, your honor.