Karen Read Retrial (Pt 11.2) — Ian Whiffin — Cross Examination

[00:00:00] Speaker 1: thank you your honor may i proceed with the administrative matters may i approach yes thank you your honor pursuant to a stipulation with uh the prosecution i would like to mark and enter into evidence three documents the these are each portions of a march 2025 report prepared by mr whippen [00:00:34] Speaker 2: the first one so yes they can come into evidence they can come into evidence there's a stipulation so we can mark it as the next exhibit if we can that's page 29 for the next exhibit [00:00:48] Speaker 1: separately please the next exhibit will be pages 77 and 78 of the same report okay the third and last is page 43 and page 44. may i yes please good afternoon mr whiffen i don't believe we've had the pleasure of meeting cell phone data when correct and when correctly analyzed can help tell a story of what may have happened under various circumstances correct correct and in cases like this literally seconds on cell phone data can be significant correct correct what i'd like to do is to go back to your powerpoint presentation and specifically go to uh the timeline uh the timeline that you had gone through with mr brennan and rather than repeating everything there'll be select aspects of the timeline i'm going to reference and with the court's permission we will put the timeline back on that's already in evidence okay thank you so what i'd like to do is to start with page uh 70 which we have is 78 of the deck if you could mr wolf go to that and what i'd like to do uh if i could please mr whiffen is draw your attention to the very last entry which says look at the bottom location 12 24 38 and it indicates description first location record showing speed of zero do you see that sir i do and this is the arrival of john o'keefe's phone at 34 fairview correct we could go to the next page please we have up at the top 12 24 59 about uh 21 seconds later after arrival we have device unlock with face id correct correct is it possible for anyone other than john to unlock that uh device with face id if a secondary user was set up do you have any indication that a second user was set up on john's mobile phone i never looked at that i'm sorry i never looked to see if a secondary user was was set up in terms of the next entry 12 25 08 it says read message you coming here with three question marks what i'd like to do because you did not know who that was from but i want to go back a few slides so we can identify who that message was from we could go back to 76 please mr yes so in the last line there message reading uh left to right 20 12 20 49 it says message received from someone listed in context as brian higgins do you see that correct so if we could go back to slide 80 excuse me if we could go back to slide 79 that phone reading the message you coming here is reading the message from brian higgins correct correct but you you didn't note that in the timeline that that was from brian higgins correct uh no i was [00:05:18] Speaker 3: just highlighting the fact that a message was read and that the contents of the message were you [00:05:22] Speaker 1: coming here but you didn't note in this entry when it was read by john that that message was from brian higgins correct correct now the next entry lock again i'm always going to be leading reading left to right unless otherwise indicated sir is a time of 12 20 509 and it says device locked with lock button yes you see that sir i do that requires human volitional conduct in other words someone has to actually manipulate their phone and hit it right correct now at this particular point isn't it correct that in your report that you mentioned in your direct your march 2025 report that you had more of a description of what was happening at this time with the phone namely device bearing shifts to a westerly direction as location records also show the device moving west from the roadside towards the house isn't that what you had in your report yes that's covered in the location section of this report the powerpoint so so there is no statement in this timeline under any type where you had concluded that at this time the record showed that the device was moving west [00:07:10] Speaker 3: from the roadside towards the house correct uh the location latitude longitude was moving westerly but at the same time the accuracy was increasing so it didn't intrinsically prove the device was moving [00:07:25] Speaker 1: my question mr whiffin is straightforward in this sense that i'm just looking for an answer of whether on this timeline you included the analysis that you had in your report that the device at this time was moving west from the roadside towards the house did you include it in that time no i left out of the timeline okay next entry 27 33 that's 12 27 33 you you note that there's a message received from jen mccabe here exclamation point question mark you see that sir correct now at this point you have two people in just 2.5 minutes brian higgins and jen mccabe trying to find out if the john is coming to 34 fairview fairview fairview is that a fair conclusion it appears so i'll allow it is that a fair conclusion it would appear so yes so just because of the colloquy that occurred i want to repeat the question now you have at this point at 12 27 33 you have two people brian higgins and jennifer mccabe in just 2.5 minutes trying to find out if john or the phone is coming to third every john is coming to 34 fairview sustained ask it differently thank you your honor now at this point you have two people trying to find out if john is coming to 34 fairview correct correct sustained mr whiffin in terms of the information at this stage there are two communications with mr o'keefe on this phone and that is they're trying to find uh excuse me i'll rephrase it there are two communications one from jennifer mccabe and one from brian higgins correct correct now let's go to the uh next uh deck 80 please mr wolk this is 20 uh 12 27 45 device unlock with face id correct correct and then right under that is 12 27 48 it says read message which it says here and is it correct that that is the message that was sent by jennifer mccabe correct i just like to point out it says red message not read message red message thank you and and that the fact that jen mccabe sent that message and that it was red was not indicated in your timeline at this point correct uh so you repeat that question yes you did not it does not appear in that timeline that you've drafted that that message that was read was from jennifer mccabe is it correct next entry 2750 device locked with lock button next entry down that 2937 doppler pocket state and i want it want to want to be clear does doppler pocket state mean that someone takes an iphone because up above there's red messages we went through on 2748 so if somebody reads the message and then it goes at 2937 into doppler pocket state does that mean someone has for example put it in their pocket no what does it mean [00:11:26] Speaker 3: that's the pocket state so the only times that i was able to cause a pocket state to be recorded is when the camera was blocked and when the uh device received a phone call or was picked up in a particular um in a particular way so that the the device thinks that you're about to try to use it if the camera is not blocked from the outset then nothing's recorded at all and in order to get the pocket state cleared the camera must be blocked to begin with so again you have to receive a phone call with it in your pocket and remove it in order to get a pocket state cleared thank you because [00:12:08] Speaker 1: that helped me because that's exactly where i was going with the next question which is pocket state cleared what did you conclude from 2937 to 2942 that it was in pocket state and then pocket state cleared [00:12:24] Speaker 3: uh there was some activity on the device that caused the pocket state to be checked the device was in a pocket state up until 29 42 when whatever was obstructing the camera was removed next entry is a call [00:12:39] Speaker 1: at 12 29 44 and that you state is an incoming call from jen mccabe so there you do indicate the name and you say answered seven seconds correct correct correct is the phone at this time that there's an incoming call from jen mccabe that is answered out in front of 34 fairview uh yes it would be according to the location data right so now we have at 12 29 44 the phone's out in front of 34 fairview there's an incoming call from jen mccabe it's answered seven seconds is how long the duration of the call was is that correct correct and then uh 12 29 51 incoming call ends and that's that's end of that second seven second duration correct so you've concluded that this was a call that was indeed answered by the user of the phone correct correct now let's go to um 12 uh mr wolk 81 which is starting up at the top of 12 31 47 there is as you indicate an i message received from someone with a contact named jen mccabe you see that sir i do can you just state for the jury what an i message is [00:14:24] Speaker 3: an i message is essentially a text message sent from primarily from iphone to iphone via the apple service uh not like a an sms message which goes through carriers and the is it correct that the message [00:14:41] Speaker 1: that was received from jen mccabe said from a contact of jen mccabe says pull behind me correct and then at 12 31 52 we're back to doppler pocket state correct correct now let's go to the next uh entry which is deck 82 it's under health type and what i want to do is is see if we can clarify the commonwealth on direct examination in multiple times referred to this as healthcare data do you remember hearing that healthcare data care i do is that a correct term is it healthcare data or is it health data that is health data so it's incorrect to refer to this as healthcare data correct [00:15:35] Speaker 3: healthcare data is encompassed within apple health but primarily if we're talking about steps being [00:15:41] Speaker 1: taken it would just be health data right so the correct parlance is health builder yes particularly when we're getting to steps is that correct correct it's important to be precise about the parlance yes so in this entry 31 uh 12 31 56 you state that there's the start of health event quote 36 steps slash 25 meters correct correct is it accurate to say that because we're in the united states and we don't work on the metric system that 25 meters is about 84 feet are you able to make that calculation um it's approximately that yeah right would you accept approximately 84 feet so as we discuss meters [00:16:33] Speaker 3: we can go to feet about about i would accept approximately three times 25 right so um [00:16:44] Speaker 1: in your report of march 2025 isn't it correct that for this time you stated that the device the device began moving began moving for a period of 20 seconds correct uh yes so again your conclusion from your analysis is with these 36 steps the device at this point began moving correct correct next entry 12 32 03 pocket state clear correct correct so does that mean that there's some human activity going on interaction with the phone or not it could have been a received [00:17:35] Speaker 3: phone call it could have been movement of the phone to be lifted but but something is happening [00:17:41] Speaker 1: next 12 32 04 device unlocked with face ID correct correct and then at 12 32 05 it states application focus messages yes can you clarify what that means in terms of what is happening with the phone for [00:18:03] Speaker 3: the jury yeah so at 22 32 minutes and five seconds the messages application was in focus on screen so [00:18:11] Speaker 1: it was the application that was being used by the user at that time now the next entry is message 12 32 06 and it states red red message quote pull behind me close quote correct correct now you don't indicate who that message is from in your timeline but that's the message that was sent by jennifer mccabe at 31 12 31 47 correct correct next entry is application lock at 32 0 12 32 09 and you've got here end application focus and then you state the boss device lock with lock button for the last time correct so that's again pressing the side button on the iphone that locks it correct and that requires human conduct human interaction with the phone correct correct correct and then the next entry under health data at 12 32 16 that is seven seconds after seven seconds after the last time lock it's the end of the lock it's the end of the health event of 36 steps 25 meters and as we agreed approximately 84 feet correct correct so in terms of the steps correct so in terms of the way i want to turn to some further information with regard to your previous your the report that you mentioned on direct which is the march um 2025 report your honor your honor indicated a time for the break and i'm going to go into a little bit of different [00:20:27] Speaker 4: variety would you like me to keep continuing all right mr leslie um thanks we'll stop um turn on your lights [00:20:34] Speaker 1: may i your honor yes thank you morning mr whiffen good morning and welcome back thank you mr whiffen good morning and i just handed you which is in evidence as exhibit 43 and this is a portion of your march 2025 report if you could just take a moment to look at it and when you've had a fair opportunity to do that i'd ask you to turn to page 28 okay and just if you could sir just pick up your head and let me know when you're ready to proceed okay thank you thank you you ready mr wiffen i am thank you so what i'd like to do is to uh with your honor's permission is to publish um pages 28 29 and 30 and start with page 28. okay thank you your honor mr wolf and if you could you could enlarge the text down below uh as much as you can so the jury can see it uh thank you so uh mr whiffen this summary section of your report is a summary of the location section that you wrote in your march 2025 report correct that's correct and it states the location the location data on this device contains a vast number of records while traveling between uh 12 19 33 and 12 24 38 these records all have a high horizontal accuracy value as well as bearing and speed information which conforms to the streets being traveled next paragraph the device arrived outside 34 fairview at 12 24 38 where it remained static for about 30 seconds do you see that sir i do yes and did i read that correctly you did did i read that correct sorry yes you did yeah so so so so at the end of it says show the device moving west from the roadside towards the house that's what you wrote correct correct i would like you to um mr wilker if we could switch uh back to the timeline uh of mr whiffen that we had published yesterday in in deck 739 mr wiffen if you could please we just read that portion of your report that says at 25 30 the device bearing shifts to a westerly direction as location records also show the device moving west from the roadside towards the house did you put that in your timeline i did not it's kind of important [00:24:06] Speaker 3: information isn't it i believe with the declining accuracy the value that those records provided was [00:24:14] Speaker 1: more limited but it was it was important enough for you to write it in your report but you didn't put it in the timeline correct correct correct now if you could continue on your report page 29 mr wolk if we could put and we're going to be flipping back and forth between the timeline in your report okay if we could go to page 29 enlarge it the text so the jury is able to read it along with us we're going to start from the top so the next says from the combination of device location and bearing the indication that the device started to move towards the house however since the bearing information appears to be based on the location records rather than the direction the device is facing it is difficult to say with any degree of certainty if the device actually moved did i read that correctly you did so so so the first part is again a statement that the device has started to move toward the house now if we could go to the next paragraph this location data is immediately followed by 12 minutes of low accuracy records which offer no reliable location information so i just want to make sure i've got the time period here right the 12 minutes is from 12 25 correct uh yes and so 12 25 plus 12 is 12 30 7. so the range we're talking about here is from 12 25 through 12 37 correct correct then if we could go to uh mr wolk please back to the timeline slide 82 so i want to uh discuss with you the very top entry health 12 31 56 where you have the entry start of health event 36 steps 25 meters and yesterday we agreed 25 meters is approximately 84 feet correct correct and that is what you have in in the timeline let's understand what that means at that time period 12 31 56 do you recall writing in your march in a march 25 25 25 report that the device began moving for a period of 20 seconds [00:27:37] Speaker 3: related to the location data i believe yes yes [00:27:50] Speaker 1: now if we could mr wolk go back to page 29 of the report so what i want to do is go back to that paragraph up at the top from the combination of the device from the combination of device location of bearing it does appear that the device started to move toward the house however since the bearing information appears based on the location records rather than the the direction of the device is facing it is difficult to say with any degree of certainty if the device actually moved so you're talking about difficulty saying with certainty correct correct correct but it is certainly possible that the device was at that location and was moving toward the house that's possible correct based on location data yes now what i'd like to do uh please is to go uh stay on that report in the third paragraph says the reason for such low accuracy location data at this time is not known as there are many possible reasons why the accuracy was be reduced there's a little grammar issue there but correct in fairness to you sir we we we do that when we write long reports but i i think that your intention here is you know why the accuracy is reduced at this point correct correct thank you this could include reasons such as the device entered a building covered area the result of weather conditions geography poor connectivity or interference to name a few so those are the reasons you gave which could contribute to some low accuracy correct correct in interesting the very first reason you gave is that the device could be entering a building or covered area and that phraseology could include a house correct correct it could include a garage attached to the house correct correct and it could include the house at 34 fairview and it could include the garage attached to the house at 34 fairview because both of those are buildings or covered areas correct correct then you go on in the next paragraph to say it is known that the device was not being used at this time and is this time that include that 12 37 12 minute range 12 25 to 12 37 yes it was not being used for location purposes so that's another reason why right the accuracy could be a little bit on the lower side correct now the next paragraph says at 12 38 13 when the device begins recording higher and that's relative to what it was recording before it's not that it's high but it's higher than what it was just moments before correct the data centers on a location slightly closer to the house than the roadside although several records show the same center coordinate with differing accuracy radii some of these location records are shown in the map below in white so let's go down and look at what you had in your report for the area in the area in white in the area in white that you're referring to there are two white circles the largest one there this in fact was a depiction that you included in your report on page 29 correct correct interesting and notable you did not include that depiction in your timeline that you discussed with the jury yesterday did you i did not know but it was important enough for you to put that depiction in your report correct correct correct and notably the larger white circle covers a substantial amount of the house at 34 fairview correct correct so given your testimony on direct yesterday with attorney brennan the phone of john o'keefe according to this depiction could be anywhere within the largest white circle circle correct correct correct correct and this depiction was not offered by you or the commonwealth in your presentation to the jury yesterday correct correct not in the powerpoint now if we could go back mr wolk to page 29 of your report into the text and if we can enlarge the text just a little bit please for for the jury mr wolk so the paragraph that begins with at 12 38 13 when the device begins recording higher accuracy information again the data centers on a location slightly closer to the house than the roadside although several records show the same center coordinate with differing accuracy radii some of these location records are shown on the map in white below and i repeated that just to tether to connect this part of the text to that diagram with the big white circle have i done that correctly yes correct thank you sir the next paragraph over the next few hours the gps coordinate and the associated accuracy radius jumps around numerous times between the house and the road did i read that correct correct and therefore over the next few hours according to your report the phone of john o'keefe could be in the house correct based on the low accuracy information yes the answer is yes yes the next paragraph well we'll we'll we'll stop there for a moment and i would like to mr wolk put back go down scroll please to that diagram that's right below that text again yesterday you discussed ways the ways application with miss attorney granted correct correct and you stated that ways location data is more accurate than the data that comes from the apple apps like health data and location correct incorrect no i'm sorry is ways location data in your view accurate [00:36:03] Speaker 3: location data there isn't really a thing such as ways location data ways i'm having trouble here ways location data doesn't really exist ways is requesting location data from location services and location services uh would respond with high accuracy information okay [00:36:22] Speaker 1: i appreciate that correction so when someone is using a ways application is the information they get through that ways app accurate it tries to be accurate yes and as a general matter is the ways application more accurate than the apple information regarding location it's the same thing it's the same thing because it's coming essentially from the same source yes apple provides that information to ways right so you had testified yesterday that at a certain point the ways applications ceased functioning correct correct but just because it ceased functioning the ways the apple applications were still taking effect and that's why you could make this depiction on this uh item that is on the screen now correct correct if we could mr wolk go to page 30 in the what i'd like to highlight uh please is the text so if we can enlarge it up at the top okay so so you then state while location data from this data source cache sqlite is usually able to identify the location of the device with a high degree of accuracy and reliability these records are so close that making a distinction between the device's actual location on the front garden the location is impossible correct correct correct your words impossible correct did you provide any of the information in that paragraph in your timeline or to the jury in your direct testimony yesterday uh not in the powerpoint no the location records are limited to just the records between 0 0 25 which is 12 25 and uh 6 a.m and with an accuracy radius of 10 meters or less there are 46 records all of which fall within the red circle shown below go ahead uh mr wolk you could scroll down in in that is the only depiction there that you included in your timeline yesterday correct correct so you took one of two depictions in your summary of the location this one in terms of your timeline presentation correct correct now in terms of the timeline and mr wolk if we could go back to the previous with the the other uh depiction it's on page 29 if we could enlarge that depiction please so you testified that the flagpole in the fire hydrant are more down toward the small black circle is that correct that's my understanding yes and yesterday you rendered an opinion that you believed that the phone was mostly in the location by the flagpole in the fire hydrant correct right objection [00:40:53] Speaker 4: i'm going to see council inside by for a minute please [00:40:58] Speaker 1: may i your honor yes thank you we could uh dim the lights again please thank you so if we can enlarge that depiction so uh yesterday mr whiffin you focused your testimony and your opinions on the smaller black circle correct correct correct and you didn't discuss at all or disclose at all this depiction and therefore didn't discuss or disclose at all the larger white circle correct not when discussing my overall opinion right yeah so so so the answer is is no right so the fair way to interpret and this is what you put in your report this is your depiction is that it based upon what you said yesterday the phone could be at the very edge of the top of the circle correct correct correct and the phone could also be at any point so you can in theory put a phone anywhere around the very edges of that entire circle correct there's caveats to that but yes well i'm just asking that according to your testimony yesterday in this depiction the phone could be anywhere in that location within the area of that white circle correct i would like to now go back to the timeline mr wolf where we had left off which is slide 82 and at the very top entry you have health time 3156 and then the description start of health event 36 steps 25 meters and we agreed about 84 feet and this is where the device began moving toward the house for a period of 20 seconds is that correct [00:43:20] Speaker 3: it's it's the time that 36 steps started to be recorded i've got no idea of the direction of travel [00:43:28] Speaker 1: i want to focus on the time 12 31 56 are you aware that a firm called aperture on behalf of the commonwealth has submitted a report that states that there was a trigger event at 12 31 56 that they refer to as the supposed collision are you aware of that objection [00:44:05] Speaker 3: i recall seeing a report sorry you don't have to answer that please [00:44:15] Speaker 1: mr whiffin do you are you familiar with a firm called aperture [00:44:22] Speaker 3: i'm vaguely aware of them i've heard of them once are you familiar with a person by the name [00:44:27] Speaker 1: of dr judson welter i'm not no but you're familiar with the firm aperture i am and do you know that the aperture firm is working on this case that's the only reason i'm aware of this company right and do you know that the aperture firm has used your data in your report do you know that i believe i saw something about that do you believe you saw something or do you know that they've used your data for a report in this matter i recall seeing a report i don't recall whether it was my data that was being referenced do you recall we're seeing a report from aperture i do so you reviewed a report from aperture uh several months ago yes and did you read the whole report it was a powerpoint presentation i believe yes yes i reviewed it and you recall reading that entire [00:45:21] Speaker 3: powerpoint presentation i don't recall what it said but i remember reading through it fair enough [00:45:28] Speaker 1: do you remember as you sit here today reading about a trigger of a number 1162 [00:45:42] Speaker 3: do you recall reading that i recall seeing reference to a trigger event what did you [00:45:49] Speaker 1: understand the aperture firm that's retained by the commonwealth what do you understand they meant by trigger 1162 to i'm getting sustained do you recall the specific slide that discussed a trigger objection do you recall that mr whiffen very vaguely would it would it would it help your recollection if i showed you a slide from that report that you said you reviewed to refresh your recollection okay all right so why don't i see council [00:46:30] Speaker 4: outside but i bring that with you mr lessee please [00:46:36] Speaker 1: mr whiffen i'm handing you uh this i'm handing you this document thank you may i stand by the way sure tell me when you've had a fair opportunity to take a look at that okay mr whiffen does that refresh your recollection with regard to an aperture report that discusses a trigger of 11 62 2. it does thank you pardon me it does thank you and and and how does it refresh your recollection i remember seeing that uh several months ago i i'm sorry your honor there's a blower on here that i'm having trouble hearing mr whiffen if you sir could bring the mic it's not your fault if you could bring it and speak a little louder i'd appreciate it i recall seeing that as part of the report that i read two months ago and you recall the time of 12 31 38 now correct correct let's go back to your timeline 82. so you just spoke about a trigger 11 62 2 associated with a time of 12 31 38 and we are now at the timeline of 12 31 56 correct objection we sustained we are now uh going back to the timeline uh deck 82 and you see up at the top where it says health 3156 you see that here i do and and then it says start of health event 36 steps 25 meters which we have said is is 84 feet or so and this is when the device begins uh moving correct correct correct and that is after the trigger trigger of 11 62 2 correct objection let's go to the next entry on the timeline which is 32 12 32 0 3. you see that that's doppler i do and then you state pocket state cleared is the uh phone at that time is the uh phone at that time in a pocket uh it's impossible for me to say [00:49:23] Speaker 3: i can say that the camera was blocked but i don't know what was blocking it [00:49:27] Speaker 1: you're saying at this point the camera is blocked it had been blocked and at that point it became unblocked so at this point it became unblocked from a previous block steps correct yes does there have to be some human manipulation of the phone at 12 32 03 for that to happen uh technically not there are scenarios that wouldn't require it is it more likely than not that there had to have been some human contact in action for this pocket state clearing event to occur yes 12 32 04 is the next it's a type unlock device unlock with face id you see that sir i do is there some human action that has to occur for the device to unlock with face id uh typically you must be paying [00:50:36] Speaker 3: attention to the phone i'm sorry you must be paying attention to the phone assuming that that settings [00:50:42] Speaker 1: enabled so someone had to be looking at the phone yes at 12 32 05 [00:50:50] Speaker 3: application focus what does that mean uh that the messages application was uh at the foreground of the [00:50:58] Speaker 1: device being used next entry 12 32 06 um we discussed this uh excuse me it says read message pull behind me and that is associated with a gen mccabe it's the gen mccabe message of 3147 correct correct and does a human have to be reading that for that entry to be made [00:51:30] Speaker 3: the message needs to be on screen uh if the conversation with gen mccabe was already on screen when the device was unlocked then that message would automatically be considered read next entry [00:51:43] Speaker 1: app lock 12 32 09 and application focuses messages and then it says device locked with lock button for the last time that requires human interaction with the phone correct correct and it actually requires somebody to take the cell phone and press the side button to to do that correct it does yes so there has to be some degree of coordination for that to occur for a human to be able to have a something that that hits that button correct certainly yes yes do you understand what the term fine motor skill means do you understand that and would that person have to be using fine motor skills to do that yes next entry 12 32 16 end of health event 36 steps 25 meters again 80 84 feet um that is in your timeline because that's when you believe the end of the health event the end of the 36 steps [00:52:56] Speaker 3: occurred correct correct that is the time that the device data shows the end of the health event yes [00:53:04] Speaker 1: may have a moment your honor yes thank you do you recall writing in your march 2025 report the following the final health activity of note on john's phone can be seen to have occurred between 12 31 56 and 12 32 16 during which 36 steps were recorded covering a distance of 24 25.4 meters again at 84 feet according to health db secure dot db do you recall do you recall writing writing that i did and you used in your report 36 steps were recorded covering a distance of 25.4 meters or any four feet correct correct do you know a trooper named nicholas guerrino i'm aware of him yes are you a little more than aware of him you've worked with him on this case haven't you uh he sent me some of the files related to it [00:54:20] Speaker 3: but further than that i've got no relationship with him but isn't someone sending you files on a case [00:54:26] Speaker 1: you're working on working with the person isn't that a fair conclusion it could be do you recall reading any reports of nicholas galeno i don't recall reading a report by nick does that mean you didn't read it or you just don't recall [00:54:46] Speaker 3: reading it i honestly can't remember if i did or not i remember some of the reports that i read for [00:54:51] Speaker 1: this case i don't recall one was by nick would it refresh your recollection if i showed you a portion of his report to determine whether you would have read it please thank you [00:55:02] Speaker 2: so mr bernard yes i just want to make sure i got the entire reports [00:55:19] Speaker 1: mr whippen thank you i am and may i stand by the witness your honor thank you i am uh providing you with a document and i would ask if that refreshes your recollection as to whether you've read a report of mr barino a report or this report this i'm sorry this report thank you [00:55:44] Speaker 3: i don't recall ever seeing this report [00:55:57] Speaker 1: have you ever had any conversations with trooper nicholas garino very briefly but you had the answer is yes yes did trooper garino tell you that he measured the distance from the flagpole to the front door and it was 72 feet did he ever tell you that [00:56:18] Speaker 4: sustained [00:56:22] Speaker 1: did you ever have a conversation with trooper nick garino about the distance from the flagpole to the front door of 34 fairview maybe maybe maybe so is it maybe then you had a conversation with him in which he stated to you that that distance is 72 feet it's maybe so if we go back to what we were discussing earlier about the steps and the distance covered and this is in your report of march 2025 where we've talked about this and and it's the final health activity of note on john's phone can be seen to have occurred between 12 31 56 and 12 32 16. is this the correct slide no god it's it's it's not let's take it down thank you your honor let me start that that over the final health activity of note on john's phone could be seen to have occurred between 12 31 56 and 12 32 16 during which 36 steps were recorded covering a distance of 24 5.4 meters or 84 feet 84 feet is greater than 72 feet is greater than 72 feet correct correct so if the distance from the flagpole to the front of the house is 72 feet and your report notes steps 36 steps covering a distance of 84 feet that would put those steps within the house correct it would let's continue on with the timeline we now have doppler 12 33 14 and then doppler pocket state do you recall in your report adding a word to this that your report said pocket state detected do you recall writing that more than likely yes yes but the detected word is not on that slide is it it's not no what does pocket state detected mean uh that there was an active check by the doppler [00:59:12] Speaker 3: function and it detected that it was in a pocket state [00:59:25] Speaker 1: i would now uh like to change gears a bit and go to temperature with uh an iphone you recall that discussion in your direct testimony i did thank you mr wolk if we could uh please have the slide deck but a different page uh slide 60 and just tee it up but please don't put it on the screen yet iphones don't record ambient or the environmental temperature uh where the phone may be at any given time correct correct correct but the iphones including the iphone of john o'keefe log the temperature of the battery inside of it correct correct and as a result of that function examiners and folks like you can use the battery temperature of an iphone to identify increases or decreases in temperature within the environment that the iphone is physically located in true i believe so yes and that's right out of your report right your march 2025 report makes that very statement correct the battery temperature of an iphone generally matches the pattern of the rise and the fall of the thermometer temperature correct from my testing yes and when an iphone is in a locked state with little activity occurring on the device the battery temperature is heavily affected by the ambient temperature in the environment again matching the pattern of the rise and the fall of the thermometer temperature right correct and what i just read is right out of your march 2025 report correct it sounds like it is yes and you actually establish this in various temperature testing and test scenarios in your march 2025 report correct correct just those two tests you had an appendix to your report that discussed two test scenarios with regard to temperature correct correct [01:02:08] Speaker 4: correct can i just ask i'm sorry mr whiffen do you have your report with you sir i don't have [01:02:12] Speaker 1: a copy i'd be happy to provide him with a copy of his report so we can have him follow along i think that's great thank you okay sure would that be helpful mr [01:02:30] Speaker 4: yeah you're right yes thank you there you go [01:02:35] Speaker 1: is it mr whiffen feel free at any time to to reference that report thank you and if you could turn to page 77 i don't know if you're up to the right to the right to the right to the right to the right to the right to the right to the right to the right to the right to the right to the right to the right to the right so are you ready sir i am yes thank you so let's look at test scenario one test scenario one test scenario one you took uh an iphone uh if my if i'm remembering correctly say model is john [01:03:02] Speaker 3: o'keefe um i believe john keys was uh iphone 11. i used an iphone 10. but sufficiently similar for [01:03:11] Speaker 1: purposes of this experiment correct for this same ios version yes so it's the same ios version the software inside the phone just a different model yes and it's the software that's important for this test correct i believe so so you state that you placed um the iphone inside a freezer correct correct correct and now if we could um mr woke if we can uh put that do we have that in in uh it would be page 77 and if we could enlarge that chart please enlarge it just a little bit more we're not concerned with the text at this point we so we can just get the chart as large as possible thank you thank you so what i'd like to do is focus on january 29th um excuse me this is this is your your experiment uh when did you do test scenario one approximately the date um it's a good question it was [01:04:42] Speaker 3: sometime probably in december last year i'm sorry in december last year [01:04:47] Speaker 1: i believe december 2024 correct so what you did here was you you took the phone you put it inside a freezer what was the temperature of the freezer i actually don't know but it was a a freezer it was it was freezing it was sort of your just regular the freezer that everybody has a regular chest nothing special about it let's look at some of the the data that you you have uh from let's let's start at the 17 10 time frame where it's placed in the freezer and you've got and we're going to go with fahrenheit if that's okay with you of course yes thank you 73.4 degrees correct correct correct and then if you go all the way down to the 1725 which would be 15 minutes correct correct can you state what the drop in temperature is of the battery temperature is of the battery temperature in just 15 minutes in a freezer uh approximately 50 degrees fahrenheit so it drops 50 degrees fahrenheit in just 15 minutes correct and is it fair to say that if you do the math that that's about a little over three and a half degrees per minute and if you if your honor if he wants to use a calculator calculator or just accept my estimate whatever your honor thinks is appropriate however [01:06:34] Speaker 3: you can answer the question i'm happy to accept your answer that's fine let me just make sure [01:06:41] Speaker 1: if i have a moment you're on 3.33 would that sound fair sir that sounds fair so it's about 33 3.3 degrees fahrenheit per minute drop correct correct now let's go to the next page uh of your report page uh 78 where test scenario two and in test scenario two you took the same phone with the same software and you placed it outside at a temperature of 33.8 degrees fahrenheit correct correct so if we take the time the time that we we start out with a control uh temperature and then we've got uh a battery temperature at 902 and this is the battery temperature of the iphone correct correct correct and we've got 66.2 degrees fahrenheit correct correct so is it fair to call that a baseline [01:07:50] Speaker 3: for purposes of what this chart is uh the device had already been outside for two minutes at that point [01:07:55] Speaker 1: but yes okay so we'll just refer to 66.2 and then if we go from 902 down to 915 a period of 13 minutes correct correct so at 33.8 degrees and 13 minutes what is the drop in temperature in degrees what's what's the drop sorry between the 902 and the 915. right so is the is it does it go from 66.2 to 35.6 it does and sir so i don't have to have you do a math on the fly i've calculated that drop at 30.6 does that sound about right that sounds correct yes so you got a drop of 30.6 degrees in just 13 minutes at an outside temperature of 33.8 correct correct we're going to come back to this but what i'd like to do is to compare these two test scenarios the one you just saw 32 degrees fahrenheit where it dropped 30.6 degrees in just 13 minutes again in an outdoor temperature of 33.8 and then test scenario one in a freezer where it dropped 61.2 degrees in just 15 minutes now let's go to the slide 60 which is in your slide presentation yesterday of what you stated was the temperature change in the iphone of john o'keefe on the morning of january 29th you with me sir yeah thank you so if we start out at 12 13 we see a battery temperature of 82 degrees fahrenheit correct correct then it drops a little bit to 77 a little bit to 72 and what i want to focus on is keeping the starting point for my questions here at the 12 37 time period on the morning of january 29th and that's 72 degrees fahrenheit correct correct so if you take the time period from 12 37 to 12 53 that's a 15 minute interval correct correct the phone only drops 11 degrees fahrenheit in 15 minutes correct correct if you then go to 12 37 and give it a little bit more time down to 136 a.m the temperature and that's that's just about an hour right correct correct and the temperature drops from 72 to 50 only 22 degree drop in an hour correct correct now if you compare this chart in the drop in temperature for example 12 37 12 53 in 15 minutes it's it's only dropping 11 degrees to your experiments where with the first scenario with the freezer it dropped 50 degrees 50 degrees in a 15 minute period is it correct to say that there was a much more dramatic drop in temperature in your test scenario one than what actually occurred on john okey's phone for the time period we just covered in january 29th yes and then with regard to even test scenario two where the temperature is 33.8 degrees that's the end of the outdoor temperature right at that temperature just above freezing you've got a [01:12:32] Speaker 3: sorry below freezing i'm sorry it's below freezing what is freezing in fahrenheit i don't know but it's zero degree celsius right and it was minus five [01:12:41] Speaker 1: degrees celsius at the time right but do you would you agree that and i want to be fair to you because i know you use celsius more than americans who use fahrenheit but would you agree that 32 degrees fahrenheit is the freezing point in fahrenheit i honestly wouldn't know okay fair enough so in any event in your experiment at 33.8 degrees fahrenheit you're getting a drop in your experiment in 13 minutes of 30.6 degrees right correct but much less drop in temperature on slide deck 60 of the actual iphone of john o'keefe on the morning of january 29th correct yes correct do you know do you know what the temperature was in canton in january 29th 2022 i do not know don't you think that that would be an important piece of information in analyzing where the phone of john o'keefe was on the morning of january 29th i didn't think it was so you didn't think it was important even though you issued a report discussing the temperature of the iphone and you did two test scenarios one in an ambient temperature of slightly above 33 degrees and you didn't think it important to take the final step to see whether there was a anything to be gained from that comparison to determine where that phone was located my testing proved that the battery temperature is affected by [01:14:45] Speaker 3: ambient temperature my report shows the data that was on the device i also don't know the condition that the phone was found in whether it was in a case whether it was in a pocket so to me the ambient temperature in canton at the time wasn't particularly relevant i just wanted to show [01:15:02] Speaker 1: what data the device had recorded the information that you create from your digital forensics analysis including everything that's in the slide in your report including battery in digital forensics you work with law enforcement often correct correct and you work in law enforcement in investigating cases do you not yes and so oftentimes the law enforcement is using your digital forensics information to help them solve cases correct correct you didn't suggest to anybody on law enforcement that they may not know that they might want to take a look at this temperature information to assist in determining where this phone could have been by the temperature you never raised that with them i did not and do you know whether any law enforcement person was aware that you had done all this temperature analysis it was in my report so you create a report as part of this case and you deem the temperature important enough to do two test scenarios important enough to put it in a slide presentation to this jury yet there's no discussion of that between you and any member of law enforcement as well the details were provided in my report and there was discussions but [01:16:56] Speaker 3: it never came up as to say what was the temperature in canton that night oh so there were discussions not not with law enforcement as part of my preparations for trial oh tell me about who you discussed this [01:17:10] Speaker 1: temperature information with uh it was uh with hank you're you're hesitating i and i can't hear you who did you discuss with hank excuse me uh with mr brennan attorney brennan yes you discussed temperature [01:17:25] Speaker 3: with prosecutor brennan it was in my report it was in your report but you said you discussed which is it it's in my report and the discussion was that it is in my report i'm not in a position to suggest that investigations uh take place and uh change based on my report findings oh sir i'm i'm not [01:17:51] Speaker 1: suggesting what you just stated i'm just trying to get information about you mentioned the verb disgust didn't you in your answer moments ago yes isn't disgust a verbal thing it's not a written thing it was discussed in preparation for trial yes oh so so there was a discussion a verbal discussion with attorney brennan about temperature in your preparation for trial yes was there any interest at all as to what this could actually mean for the potential location of mr o'keefe's phone on these very important time periods in january 29th that might assist to determine at various times whether mr o'keen is mr o'keefe is in a covered building based upon the temperature rather than outside in a in a nor'easter on january 29th i'm sorry what was the question there yeah the question is there was no was there any discussion about the investigative value of what you had done in determining where that phone could have been on key time periods on the morning of january 29th that wasn't part of the discussion now it wasn't part of the discussion we went through you may recall in my questioning in your report where you stated that it was possible that the phone could be inside the house of 34 fairview based upon that big white circle you testified that the low accuracy at certain points could be because of it entering a covered building correct correct and yet and you do a temperature experiment to track the very accurate temperature change of an iphone and it doesn't match up the actual data with either of your test scenarios and you [01:19:55] Speaker 4: don't raise that with anybody you're sustained you can ask it differently [01:20:02] Speaker 1: did you ever put together in any kind of form your test scenario one your test scenario two and the actual temperature chart of the iphone of mr okeefe so how do you mean put it together as in compare the two exactly compare the two and reach any conclusions about location because you spent time did you not sir a lot of time in your reports on location of the phone yes but yet with all that data all that testing all the experiments that you did you didn't include in your slide presentation and you didn't include in your report what that could mean for the location of the phone did you sir i'm struggling to see the comparison there let me see if i can ask it in a different way nowhere in your slide presentation did you have any discussion yesterday about how your test scenario did you bring up by the way in your slide presentation yesterday your battery temperature at all your tests not the tests no great so you didn't even raise yesterday in your presentation about where the phone might be located you didn't even raise the experiments that you did correct okay sustained us today terminology ask it differently did you did you yesterday in your presentation to the jury in any way discuss your battery test scenario one and two in your march 2025 report [01:21:49] Speaker 3: i believe there was mention of testing but not to the amount of detail to say what the testing was [01:21:55] Speaker 1: right so there was no detail given at all you just mentioned that it occurred but no detail in your discussion and are you aware with regard to the battery temperature that battery temperature in investigations can be used to determine locations of phones at certain times are you aware of that no so you have never used battery temperature information in all your years in any way for any investigation of a case in [01:22:37] Speaker 3: determining location of a phone again i don't see how you can determine location of a device from a temperature reading other than to say whether it was inside or outside oh oh oh so so battery temperature [01:22:52] Speaker 1: and the chart that you gave that is up there in your opinion has no relevancy to the topic of where a phone might be to investigators in a case is that what you're saying [01:23:07] Speaker 3: is that what you're saying mr whiffin i'm saying i i can't take a temperature reading and make a determination about a gps location based on the temperature reading that's not my question though [01:23:19] Speaker 1: sir and i appreciate your answer though my question is you work with law enforcement investigators regularly correct isn't this information of potential relevance based upon your experience with investigations isn't this information at least potentially relevant in investigations i believe [01:23:40] Speaker 3: it could be that's why i included it in my report thank you but you didn't include a discussion of it in your [01:23:48] Speaker 1: testimony in you yesterday correct correct correct i just want to be clear on the final point on as regards to temperature were you aware of the temperature in canton on january 29 2022 i know it was a blizzard uh but i don't know what the temperature was uh your honor if i if if i may i have one last point to make with with temperature if we could put uh deck 60 back up please mr whiffin if you bear with me i just have one one one one final set of questions if you look at this chart um and you under january 29th at 1213 battery temperature of 82 degrees uh but you then go down what i'd like to start with it is 1237 again and this is a key key time point 1237 you've got a temperature of 72 degrees and then eight minutes later eight minutes the temperature only drops six degrees correct correct again using 1237 is what i refer to as the baseline you you go all the way down um and you you see to 1253 a temperature drop of only 11 degrees do you see that i did thank you that you can excuse me your honor one moment okay the final data point on this slide mr whiffin and thank you for bearing with me on this at 136 there's a temperature of 50 degrees fahrenheit correct correct several hours later at 606 four and a half hours the temperature drop is only seven degrees correct correct correct mr whiffin i'm handing you exhibit 42 yes do you recognize exhibit 42 from your uh march 2025 report i do and and sir just take a fair time to familiarize yourself with the exhibit before i start asking you questions they're going to be very brief and i'm going to be you look what you need to but i'm going to be focusing on just under detailed analysis communications on paragraph three uh excuse me on page 43 the top three or four entries okay tell me when you're ready sir okay thank you your honor may i have 43 which is in evidence public yes thank you your honor mr wolf please and if you could enlarge you don't need the text so we can just go to detailed analysis communication call history and now if you could just super enlarge the first few entries yes that is great so what i want to do is just cover um the information here whose phone is the subject of the entries on this chart this is john's phone and if we start with the first entry reading left to right um 12 14 36 end time 12 15 20 incoming call um from jen mccabe duration 44 seconds you see that sir i do you see and is that a call that is answered you see and is that a call that is answered yes if you go to the next entry 1847 just 12 1847 to 12 19 23 outgoing call duration 36 seconds to jen mccabe duration 36 seconds do you see that sir i do is that a call that is answered i [01:28:31] Speaker 3: difficult to say that could be a outgoing call that lasted 36 seconds of [01:28:36] Speaker 1: ringing i believe it was answered well how is it that you can tell the first one was answered but not the second one because it's an incoming call okay fair enough so if we go to the third entry 12 29 44 12 29 51 incoming call from jen mccabe you see that sir i don't mean to drop could i [01:28:59] Speaker 5: ask about the display [01:29:09] Speaker 1: whenever whenever you're ready mr lessee thank you your honor may i approach please yes okay so your honor i have a replacement exhibit 42 redacted um obviously in place exhibit 42 and it's pretty much a little bit of a particular uh yeah i presented to mr whiffen yes thank you you're welcome may i publish your honor yes mr whiffen we had started going through the top three uh entries uh the first one uh you had indicated uh the second one you uh as i understand it could not tell is that correct correct and then the third entry which is reading left to right 12 29 44 and time 12 29 51 uh incoming call the third one so because it's so mr lessee we need to enlarge this okay your honor uh mr wolf can you enlarge that pursuant to the judge's order is that sufficient your honor [01:30:31] Speaker 4: um if you can make it as large as possible for the jurors please even if you have to do smaller segments [01:30:38] Speaker 1: if we have to uh mr wolf knock off the final right hand column that's insignificant there you go all right that's better okay that's fine thank you may i your honor yes thank you so i want to now go to the last one for um this exhibit 42 it's uh reading from left to right 12 29 44 12 29 51 incoming call to race in the seconds from jen mccabe again restates duration eight seconds correct given that it's an incoming call you can conclude that that was answered correct correct now if we could in uh go back down and focusing on just the first three by way of example mr wolf do just as uh her honor has requested enlarge it as large as possible uh those three uh after the first three yep starting there just take the first three by way of example all right mr whiffin you uh should feel free to look at the hard copy exhibit 42 if that's more helpful to you but what i want to do is to focus on uh starting uh start time 12 33 35 reading across activity incoming call unanswered and then to the right karen reed do you see that sir i do and do you see the same uh types of entries for uh 3409 and 34 38 and 34 38 and those calls are unanswered correct correct correct so in contrast to the now mr walker we can go back to to the uh chart trying to capture six in enlarge those one last time thank you so in the first uh one at 1436 and then skipping one to 29 44 those are answered but then starting excuse me at 33 35 and 34 0 9 those are unanswered correct correct you can take that down mr wolf thank you mr whiffin when did you start working on this case what was the date approximate date [01:33:08] Speaker 3: on this case or on this exhibit on this case um approximately september 2023 [01:33:22] Speaker 1: so over a year and a half correct how many times have you been in norfolk county uh this is my second time so you were here once previously correct do you recall yesterday discussing uh what you had done with an iphone driving around and then moving it with your hand correct correct in the year and a half that you've been on this case did you ever take an iphone and do the same activity on the route that you were discussing yesterday between 34 fairview and one metals i did it on sunday night i'm sorry i did it two days ago on sunday night and with regard to um your time on this case um well what was the results of of that [01:34:27] Speaker 5: i object uh [01:34:31] Speaker 4: i'm sorry okay [01:34:41] Speaker 1: yeah your honor yes mr uh with and i am now going to proceed uh to a different topic um do you recall discussing the uh google search uh house long to die in the cold i do and you discussed that in your direct testimony correct i did you were a police officer for years before getting into the data forensic analysis of cell phones correct correct you were a response officer of the south yorkshire police from 2004 to 2009 correct you continued policing with the calgary police um working patrol correct correct correct you work frequently with law enforcement i do indeed law enforcement is the predominance of your work correct [01:35:43] Speaker 3: uh probably about 80 percent of the work yes would present about 80 80 80 80 [01:35:51] Speaker 1: your work is used in investigations for law enforcement correct sometimes yes in your area of work uh in your area of work uh you use and apply various forensic methods that are extracted the data is extracted from a cell phone correct correct and you have various forensic methods to analyze that data correct correct and that data that you analyze is often used by law enforcement in their investigations right it can be yes it can be but it also is from your experience correct i'm sorry are we talking [01:36:37] Speaker 3: about my actual analysis or uh analysis that's created by the tools that me and celebrate create your analysis okay my analysis is is typically used in investigations yes so it's typically your analysis [01:36:51] Speaker 1: is typically used by law enforcement on the cases i work yes right and you know that is going to be the case oftentimes when you're doing your analysis correct correct and forensic software is used uh to gain access to people's devices correct correct such as cell phones right correct so and there's something called an extraction process from the cell phone that you discussed in your direct testimony yes now i'm not going to go into too much detail but i want to cover because it would be covering old ground but i want to cover some of it okay it's important is it not that the extraction process that the extraction process on a cell phone be performed correctly it is yes and that's so that the data that's extracted from a cell phone is complete correct correct correct so that the data is correct correct and so that the data is reliable correct and data forensic examiners and people in your area of work need to ensure that the extraction file has not been tampered with correct correct because if an extraction file has has the possibility of tampering then the information and data from it can be unreliable correct correct and there's a generally accepted methodology for how to perform an extraction of data from a cell phone correct typically yes one of the key ways to determine whether the data extracted from a cell phone is valid and has integrity is to evaluate the whether the extraction process created what is called a hash value correct correct and a synonym for a hash value is a hash signature correct correct and a hash value or has a hash signature i'm just going to use hash value is that acceptable to you i'm fine with that thank you so a hash value is a unique and usually consists of a long string of numbers and letters that's generated from the data file from a cell phone using a computer algorithm right correct and one of the computer algorithms is sha sha 256 right correct and is it a fair analogy to state that a hash value can be thought of as fingerprint for a data file from a cell phone yes and is it also a rough analogy that a hash value can function like the seal on a milk container in other words if you open the milk container and the seal's broken that the same analogy can be provided that if you don't have a valid hash value then there is a question with regard to the contents of a cell phone just as there might be concern about contents of a milk carton is that a fair general analogy yeah if the hash doesn't match then something has changed in the data so if the hash doesn't match and you can't return a valid hash file it's sort of like opening up a milk container in that that seal top is all correct [01:40:29] Speaker 3: okay i'll accept that thank you [01:40:35] Speaker 1: now if a data file is altered in any way the hash algorithm is going to produce a different letter an alpha numeric string than the previous um parent value for that same alleged data correct correct so that the the that alpha numeric number is important because it can if it's different then it means something happened to that data correct and isn't it important for examiners anybody in data forensics to know whether or not the data they're looking at has a valid hash value [01:41:20] Speaker 3: it would depend in my opinion on the origin of the data [01:41:25] Speaker 1: but you would agree that it's much better to have a valid hash value for data than not correct i'd like to see the hash value match yes you would like to see the hash value match correct now once data from an iphone is properly extracted and you get a hash value then the examiners of the data seek to pass and decode the data to try and make some sense of the data in a more user-friendly format so that a report can be created for investigators correct correct correct do you recall preparing a report for the iphone belonging to jen mccabe dated december 2024 i do yes and in that report you discussed your views of a google search of house long to die in the cold correct correct correct and in that report you rendered various conclusions about that google search correct correct and you rendered various conclusions about what is called a time stamp correct and the time stamp that was in question was 220 uh 2 27 40 a.m on january 29th on jen mccabe's phone correct correct and the question that you were looking at is that time stamp that appeared in the data that time stamp of 220 7 40 a.m whether that belongs to the google search house long to die in the cold correct correct and you testified yesterday with regard to that very issue correct correct now in your report of december 2024 you discussed the hash value of that cell phone correct i believe so yes yesterday in your direct testimony you didn't mention anything about the hash value with regard to jen mccabe's phone did you not in my testimony no the answer is no correct however isn't it correct that in your report of december 2024 you had an issue with the hash value from [01:44:22] Speaker 3: the data from that phone i didn't have an issue with the hash value at all no so you [01:44:32] Speaker 1: didn't note that the it was not possible with the gray key extraction as the pdf containing the extraction hash value that it was unsigned that was not an issue in your report the hash value matches [01:44:50] Speaker 3: but because i didn't do the extraction i'm unable to actually validate that was an original hash and [01:44:54] Speaker 1: hadn't been modified exactly so you didn't do the extraction but you couldn't validate the hash value could you no so you couldn't determine whether or not any of the data on that cell phone [01:45:15] Speaker 3: of jen mccabe had been tampered with correct i take a holistic view of the data and try to find anomalies and didn't see any that raised any flags that wasn't my question okay i'll try it a different way [01:45:30] Speaker 1: you concluded that the hash value was unsigned correct correct they're always unsigned okay apologies you concluded that the hash value was unsigned correct correct thank you and you went on did you not in your report to say that this hash value could be used as a suggestion of authentication but cannot be guaranteed 100 100 correct correct correct correct correct did you discuss any of that doubt that suggestion of authentication but can't be guaranteed 100 percent it all in your direct testimony yesterday i didn't know and again hash values are very important concepts for data forensic examiners correct for integrity yes do you know the chain of custody of jen mccabe's iphone i don't know so you don't know the chain of you have an unsigned hash value you have an unsigned hash value and you can't guarantee the hash value the hash value authentication correct no the objections overruled uh not from the hash value no let's go back to the 227 40 time stamp and the question of whether that time stamp is associated with a google search how long to die in the cold you understand there is a dispute as to whether that search was performed at 227 40 a.m as the time stamp states or whether that was performed later in the morning say around 6 23 a.m correct correct you understand there's a dispute yes and do you understand that the defense asserts that that time stamp means what it says the google search occurred at 227 40 a.m thank you do you understand that i do i i didn't hear your answer sir but i understand you understand that yes uh so there are various data forensic tools are there not to evaluate what is called an artifact this this time stamp correct correct and those data forensic tools include celebrate tools your company's tools and some of those celebrate tools uh are called physical analyzer correct and then you have another tool [01:48:48] Speaker 3: i believe called insights uh insights is a suite that includes physical analyzer okay yes it's [01:48:55] Speaker 1: insights it's essentially the same tool essentially the same tool so this insight well essentially but there are two different tools correct the two different versions of the same tool thank you two different versions of the same tool yes but there are other tools from other companies are there not sir there are and a competitor of celebrite that can be used to analyze that 227 40 a.m time stamp and to potentially resolve that dispute of whether the google search house long to die in the cold occurred at 227 40 a.m or later of uh at 6 23 or so a.m uh there's other companies and tools that can be used for that correct correct and isn't one of the companies that can be used the competitor of celebrite called magnet forensics correct correct and they have a tool called axiom axiom that evaluates questions such as this correct they do it is magnet forensics uh a reputable company they are am i correct that yesterday you essentially said that as of today no celebrite tools no celebrite tools no insight suite such as physical analyzer today shows that 227 40 [01:50:24] Speaker 3: a.m time stamp correct if you use any version from the last uh approximately year uh that time [01:50:31] Speaker 1: stamp won't show up it won't show up as you sit here today correct but that's not always been the case correct with regard to celebrite forensic tools correct correct correct is a matter of fact in the first proceeding in this case in june of 2024 when you testified under oath the situation where the forensic tools was another version of physical analyzer did show it correct correct correct in that second program that second tool physical analyzer not only showed it at 227 40 a.m but it shows it is a deleted state correct it's a deleted record yes a deleted record yes did you mention that yesterday in your direct testimony [01:51:37] Speaker 3: i don't believe so you don't believe so no we changed it since then [01:51:43] Speaker 1: exactly you've changed it since then yes your company removed it yes after the first trial before the first trial well you removed it from one tool before the first trial but you didn't remove it from the other physical analyzer program did you up until the following version was released no no i'm talking about the time of trial when you were [01:52:05] Speaker 3: testifying i appreciate that there's some uh complexities with how we released the software which resulted in one being released several weeks later and one being released several weeks earlier [01:52:16] Speaker 1: at the time of trial yes last year in june when you were testifying under oath one of the celebrite tools showed the timestamp of 22 27 40 a.m correct correct but that time stamp doesn't exist anymore it doesn't exist today does it correct celebrate removed it yes [01:52:46] Speaker 4: could i see consulate zybar for just a minute please [01:52:55] Speaker 1: go ahead mr leslie thank you your honor so with regard to the first proceeding there was one celebrite forensic tool that still showed the 227 40 a.m time stamp correct and it was shown in a deleted state [01:53:17] Speaker 3: the record was deleted yes the record was deleted and then after that celebrate [01:53:24] Speaker 1: outright removed the stop time stamp from from so none of its programs had correct again if i could explain a little bit about how it works no i i'm sorry okay if you could just respond to my question is that correct the time stamp has been removed yes however the competitor of celebrite that we just talked about magnet forensics axion yes that program at the first proceeding showed the 227 40 a.m time stamp correct correct and as a matter of fact as a matter of fact as you sit here today the magnet forensics program axiom still shows the 227 4 a.m time stamp correct as far as i know yes and magnet forensic axiom is a reputable company correct celebrite removed that celebrite removed that 227 40 a.m time stamp which is in a deleted state in response to issues raised in the first proceeding correct [01:54:40] Speaker 3: it was changed because of the research that i did and that was verified by the forensic research group [01:54:45] Speaker 1: but the issue arose because of what had come up in the first proceeding correct in the first investigation prior to the proceeding yes in the first investigation in this case correct yes so celebrate after the first proceeding after the investigation just outright went and removed the time stamp it's not unusual to change i didn't ask if i just asked whether they removed it but magnet forensic axiom still shows that 227 40 a.m time stamp right again they refer to it differently [01:55:19] Speaker 3: which is why they could still show they do still show it we need to finish the answer sorry just let [01:55:26] Speaker 1: him finish the answer is that what you said mr yeah my my apologies but i'm having trouble hearing but i'll i'll pause more just to make sure you're done in that 227 40 a.m time stamp the dispute is whether it's associated with the search house long to die in the cold correct correct let's talk a little bit more about the first proceeding in this case in terms of your testimony under oath in that first proceeding do you recall stating that it was your opinion as to whether that 227 40 a.m time stamp was associated or not with the google search house long to die in the cold i believe so right so you called it your opinion yes you didn't describe it as a fact you described it as your opinion correct correct because you realize that there are other fair interpretations of that time stamp and when the google search occurred correct [01:56:58] Speaker 3: i think even if i believe it's a fact it's my opinion right so it's your opinion yes so [01:57:04] Speaker 1: you also do you recall stating that there's plenty of other evidence on that extraction that shows what activity was occurring at 227 40 you recall that correct and you use the word evidence correct correct but that evidence on the celebrate program is now gone correct no it's not gone it's not gone so the 227 40 time stamp still exists in celebrate programs [01:57:42] Speaker 3: sorry are we talking about the additional evidence that shows what happened at 227 40. [01:57:46] Speaker 1: no i'm just i'm just asking whether okay i thought we had that clear but i thought is the 227 40 am time stamp show up on any celebrate program as you sit here today the decoded [01:57:57] Speaker 3: value does not show a time stamp for that artifact [01:58:08] Speaker 1: sir does your work include shaping shaping how examiners will see the data when they open it yes [01:58:22] Speaker 3: so you shape how the data is going to be correct yes we have yes ways to create the data so it's usable yes so so the answer is yes you shape the data yes [01:58:37] Speaker 1: These various forensic tools, Celebrite, Insight Suite, including Physical Analyzer, Magnetic Forensics Axiom, these are all tools and we know that no one has access to the Apple source code on iPhones, correct? Correct. And the best source of information about what may be happening inside of an Apple iPhone would be if one could get the source code and look into the source codes to see what's actually happening, correct? Correct. So what happens is in data forensics because Apple considers it proprietary and people can't access the source code, there's these various data forensic tools that in some ways try to serve as a surrogate given the fact that there's no access to source code, correct? Correct. So the best information would come from the Apple source code, but nobody has access access to that or few people do, therefore these other forensic tools are used. Correct. So sometimes examiners have to give opinions like you give because you don't have access to the source code, correct? Correct. Correct. You have a moment, Your Honor, to switch topics, please. [02:00:17] Speaker 3: Yes. Thank you. [02:00:19] Speaker 1: Before I do switch topics, one, a couple points on the 22740 timestamp if I may, Mr. Whippen. The Google search in question associated with that timestamp, the dispute over that, is house-longed to die in the cold, correct? Correct. Correct. And you understand, sir, do you understand the significance if Jen McCabe made that Google search, house-longed to die in the cold at 22740 a.m. instead of 623 a.m.? Do you understand the significance of that? Of course. [02:01:15] Speaker 4: It's a stain. [02:01:17] Speaker 1: He said yes, Your Honor. [02:01:19] Speaker 2: I'm sorry? [02:01:21] Speaker 1: I said sustained. Oh, thank you. I didn't hear that. [02:01:24] Speaker 2: Geri, strike any answer that may have come. [02:01:27] Speaker 1: What do you understand to be the significance of the dispute over 22740 timestamp? [02:01:37] Speaker 4: Sustained. [02:01:38] Speaker 1: Mr. Whippen, with regard to the 22740 a.m. timestamp, have you looked at any forensic tools to answer that question other than Celebrite tools and your tool, Ardex? [02:02:07] Speaker 3: I've used Axiom as well. Right. [02:02:09] Speaker 1: So you used Axiom, and so did you therefore see that that 22740 a.m. timestamp still appeared? Yes. Did you discuss that with the jury yesterday, that you analyzed the Axiom program and that 22740 a.m. timestamp still appears? I didn't, no. You did not? I did not. Could we please, with the court's permission, put the PowerPoint presentation back up and go to Deck 26. Mr. Whippen, does an iPhone discriminate between whether it's in a car, a bus, a bicycle, or walking? [02:03:01] Speaker 3: It can, but I don't have the research on that. Right. [02:03:07] Speaker 1: So as you sit here today, you can't say that an iPhone can tell the difference between a car, a bus, a bicycle, or walking, correct? [02:03:18] Speaker 3: The iPhone can, but I don't, I haven't researched that data fully enough to understand it forensically. So you, you… I can't, but the phone can. [02:03:28] Speaker 1: Does an iPhone merely register movement? Let me rephrase that. Does an iPhone register movement? It does. Do you recall yesterday discussing movement at a speed of about 1.4 miles per hour at 12:24:37 a.m. Yes. On January 29th, 2022? I do. A person walking at a normal to even a slow pace can walk at approximately 1.4 miles per hour. Is that correct? It sounds reasonable. And does it sound reasonable that a normal speed of walking is between 2 and 4 miles per hour? Reasonable. [02:04:25] Speaker ?: So, I'm going to go ahead and see what's going on. I'm going to go ahead and see what's going on. I'm going to go ahead and see what's going on. I'm going to go ahead and see what's going on. I'm going to go ahead and see what's going on. [02:04:29] Speaker 1: I'm going to go ahead and see what's going on. I'm going to go ahead and see what's going on. I'm going to go ahead and see what's going on. I'm going to go ahead and see what's going on. I'm going to go ahead and see what's going on. I'm going to go ahead and see what's going on. I'm going to go ahead and see what's going on. [02:04:36] Speaker ?: I'm going to go ahead and see what's going on. [02:04:37] Speaker 1: I'm going to go ahead and see what's going on. You used an operating system called iOS 14, correct? [02:04:48] Speaker 3: That's one of the versions of iOS I used, yes. That was one of the versions. Yes. [02:04:52] Speaker 1: Do you understand that Jen McCold's phone was actually using iOS version 15? Yes, I did. [02:05:03] Speaker 3: 15.2.1. [02:05:04] Speaker 1: 15.2? 2.1. Thank you. And do you recall saying with regard to iOS 15.1, et cetera, that the iOS operating system, your words, had fundamentally changed, correct? Correct. Now, with regard to, we're back to Jen McCold's phone, we're back to 2740. The issue of deletions. You stated yesterday that that deletion occurred after January 31 of 2022, is that correct? Correct. [02:05:52] Speaker ?: Correct. But you couldn't determine how that deletion occurred with certainty, correct? Correct. [02:05:54] Speaker 1: And you gave three possibilities that you analyzed, correct? Three or four, yes. Three or four. [02:06:09] Speaker ?: Correct. [02:06:10] Speaker 1: And one of them was deleted by user, correct? Correct. Another one was that the search occurred but never loaded. [02:06:26] Speaker 3: That would be the reason that there was no data found in the history.db file. [02:06:30] Speaker 1: But that was another of the three or four reasons, correct? [02:06:35] Speaker 3: That wouldn't cause the deletion of the record, necessarily. Right. [02:06:38] Speaker 1: Right. And then you discussed those possibilities, but you can't state with certainty how that deletion occurred, can you? Correct. You have doubts about how it occurred, is that fair? [02:07:01] Speaker 3: Yeah, I have an idea how it occurred, but I can't prove it. I'm sorry. Yeah, it's okay. Okay. [02:07:09] Speaker 1: No, please finish. [02:07:10] Speaker 3: I want to make sure you finish. I have an idea of how it occurred, but I've not been able to replicate it. So my idea is unsubstantiated. [02:07:17] Speaker 1: So is it fair to say you had some doubts about how the deletion occurs? That's fair. And you believe your doubt is reasonable? Yes. Under the circumstances? Yes. Your Honor, that is the extent of my questions of the witness at this time. Okay. [02:07:36] Speaker 4: Mr. Brayden? Thank you. [02:07:40] Speaker 5: Good afternoon. Good afternoon. As a forensic analyst, do you study data? I do. Do you consider it a science? [02:07:51] Speaker 3: I do. [02:07:53] Speaker 5: Are you a criminal investigator, like a police officer, in your present role? Not anymore. Are you a detective in your present role, helping aid one side or another in an investigation? I'm not, no. At some point, you and I spoke about reviewing phones? We did. You had begun your whole process in some of this work before you had met me. Correct. And I'd ask you to look at Mr. O'Keefe's phone? Correct. Did I ever tell you what you should look for? [02:08:20] Speaker 3: No. [02:08:21] Speaker 5: Did I ever tell you what I wanted to see or what I wanted the results to be? No. Did I ever share with you parts of the investigation that had nothing to do with your actual data analysis? No. Would it be inappropriate or not helpful for an advocate to provide you information that might taint or influence your thinking when you're looking at data in a case? [02:08:50] Speaker 1: No. [02:08:51] Speaker ?: No. [02:08:51] Speaker 5: No. [02:08:52] Speaker 3: No. No. No. [02:08:55] Speaker 5: No. [02:08:56] Speaker ?: No. [02:08:56] Speaker 5: No. No. Did I express any opinion whatsoever that I cared, one way or another, what your results would find? [02:09:03] Speaker 3: No. [02:09:05] Speaker 5: Did I ever attempt to shape or influence your process by offering you information that had nothing to do with your assessment of data? [02:09:15] Speaker ?: No. [02:09:17] Speaker 5: And so as a scientist, what a legal investigator or an advocate for either side thinks, is that relevant to you? No. The data is the data? [02:09:28] Speaker 3: The data is the data. I can explain my opinions on the data. The science is the science? The science is the science. That's sustained. [02:09:35] Speaker 4: Watch the form. [02:09:38] Speaker 5: Now, counsel showed you some parts of your report regarding Ron O'Keefe's cell phone, didn't he? Yes. You saw select pages from that report? Correct. A few pages you were asked about? Yes. But you wrote an entire report, didn't you? I did. And would you, do you think that your entire report, report, puts into perspective some of those select pages that you were shown? Definitely, yes. [02:10:07] Speaker 3: I move to introduce Mr. Whiffen's entire report. [02:10:08] Speaker ?: May we approach your eyes? [02:10:08] Speaker 5: Okay. Do you still have your report with you, Mr. Whiffen? I do, yes. [02:10:11] Speaker 1: Okay. Okay. [02:10:13] Speaker ?: Do you still have your report with you, Mr. Whiffen? [02:10:13] Speaker 1: I do, yes. [02:10:14] Speaker ?: Okay. [02:10:15] Speaker 5: Let's start with questions that counsel asked you about the battery. The battery. When you were trying to determine how the battery worked, you shared with the jury that you did certain testing. Correct. What was the purpose of that testing? [02:10:41] Speaker 3: To make sure that the battery temperature sensor would be affected by environmental temperatures such as being in the freezer, such as being outside, being brought back indoors, and to make sure that the fall and rise of the temperature sensor, at least the pattern would match the expected pattern and would match the thermometer that was alongside it. [02:11:04] Speaker 5: When you put the batteries or the phone in the freezers, did it matter what the temperature of the freezer was when you put it in it? [02:11:14] Speaker 3: I didn't believe it did. [02:11:16] Speaker 5: What was the purpose, again, of putting it in the freezer? [02:11:19] Speaker 3: Just to remove the device from a warm environment, which was outside of the freezer, placing it inside the cold environment of the freezer and just seeing how the temperature dropped. [02:11:29] Speaker 5: As you mentioned, you look at data through science, correct? [02:11:32] Speaker 3: Correct. [02:11:33] Speaker 5: Okay. So, did anybody ever share with you the important points of the decrease in temperature of the cell phone battery to try to influence your results? [02:11:45] Speaker 4: Judge, Your Honor. I'm voting 11. [02:11:47] Speaker 3: I'm sorry. Could you rephrase? [02:11:49] Speaker 5: Did anybody try to tell you important points of the evening on January 29th, 2022, in an attempt to influence your studies on the fact that a battery or a phone when it gets colder, the battery temperature decreases? No. So, when you developed the graph of the battery temperature and you followed the progress of that temperature declining through the night, was there any other scope or focus of yours other than to simply track the data? [02:12:21] Speaker 3: Just tracking the data. [02:12:22] Speaker 5: Similarly, when you looked at healthcare data, were you asked to try to see if the healthcare data could fit a certain theory or argument? [02:12:34] Speaker 3: No, I was not. [02:12:35] Speaker 5: You were looking at the healthcare data, were you looking at it independently? [02:12:40] Speaker 3: I was. [02:12:41] Speaker 5: Now, it's not your opinion or you're not taking the position what the meaning of that data matching up is, are you? No. No. No one's asked you to give them an opinion about the coordination of data, have they? No. So, if the data just coordinates on its own, that has nothing to do with your opinion? [02:13:01] Speaker 4: No. No. No. [02:13:04] Speaker ?: No. [02:13:05] Speaker 5: No. No. No. in a colder environment, like a freezer, you noted that the temperature goes down. [02:13:13] Speaker 3: Correct. [02:13:13] Speaker 5: Do your studies also show that when the cell phone is taken out of a certain temperature and put in an increased temperature, the cell phone battery temperature goes up? It does. Do you have available for the screen the battery graph that we had on your PowerPoint? [02:13:33] Speaker 3: I do. Two seconds. [02:13:37] Speaker 5: If you could go back one to where it's just the chart, please. And if you could enlarge it, we'll start near the top. Okay. At 12-20-43 on January 28, 2023, the battery temperature is 77 degrees. [02:13:58] Speaker 3: I'm sorry, that's 8.43 p.m. [02:14:02] Speaker 5: That's 8.43 p.m.? [02:14:05] Speaker 3: Yes, the first record. [02:14:06] Speaker 5: 77 degrees? [02:14:08] Speaker 3: Yes. [02:14:09] Speaker 5: And if we look down to the last box on January 28, 2023. Yes. So at 23-28, that's 12-23-28? [02:14:22] Speaker 1: Okay, Chair, I'm going to need your approach, please. [02:14:26] Speaker 2: Okay. [02:14:30] Speaker 5: Mr. Griffin, I'm going to ask you to start at 12-13 on January 29, 2022. Battery temperature, 82 degrees, and now you are also tracking healthcare data. You are also tracking location information. Correct. At 12-22, the battery temperature is 77 degrees Fahrenheit. And during that time, 12-22, that is the time with the location data where we see Mr. O'Keefe's car traveling near Cedarbrook, isn't it? [02:15:06] Speaker 4: The form sustained. [02:15:09] Speaker 5: And at 12-22, on January 29, 2022, where does the location data show Mr. O'Keefe's phone in progress? It's around Oakdale Road, I believe. And the travel that you're noting, is that consistent given the speed of being within a car? [02:15:31] Speaker 3: I believe so. [02:15:33] Speaker 5: And do you know whether or not that car had heat on? [02:15:37] Speaker 3: I've got no idea. [02:15:40] Speaker 5: You have healthcare data that the phone moves for a 20-second period, right? I believe so, yes. And that is after the Waze information starts. Correct. [02:15:54] Speaker 4: So you have to watch the form. I know it's hard to orient. You have to watch. [02:16:00] Speaker 5: In your PowerPoint presentation, you are tracking the Waze information, aren't you? I am, yes. And at some point, that switches to more local location data? [02:16:14] Speaker 3: Again, Waze is not recording the location data. Waze is requesting location data from Apple Location Services. And Location Services is doing the recording of the location data. [02:16:24] Speaker 5: So if we're following the phone through Waze, at 12-24-25, is it in the car moving at 16.6 miles per hour? [02:16:37] Speaker 3: According to the data, yes. [02:16:40] Speaker 5: At 12-24-26, according to the data, is it still in a car moving at 17 miles per hour? Sure. Stand is to 40. Can you pull up your PowerPoint and we'll start at 12-24-25? We can show the jury the progress of that phone. Okay. And at 12-24-25, how fast is Mr. O'Keefe's cell phone moving? [02:17:09] Speaker 3: The data on the device says that it was moving at around 16.6 miles per hour. Next page, 24-26? 17 miles per hour. [02:17:19] Speaker 5: Next page, 24-27? [02:17:21] Speaker 3: 15.9 miles per hour. [02:17:24] Speaker 5: Next page, 24-28? [02:17:26] Speaker 3: 14.5 miles per hour. [02:17:29] Speaker 5: 24-29? [02:17:31] Speaker 3: 12.1 miles per hour. 24-30? 11.5 miles per hour. 24-31? 10.4 miles per hour. 24-32? 8.9 miles per hour. [02:17:44] Speaker 5: 24-33? [02:17:46] Speaker 3: 7 miles per hour. [02:17:47] Speaker 5: 24-34? [02:17:49] Speaker 3: 5.2 miles per hour. [02:17:52] Speaker 5: 24-35? [02:17:54] Speaker 3: 3.5 miles per hour. [02:17:56] Speaker 5: 24-36? [02:17:57] Speaker 3: 3.2 miles per hour. 24-37? 1.4 miles per hour. And 24-38? 0 miles per hour or 0 meters per second. [02:18:08] Speaker 5: And at 24-38, that phone is stopped near the flagpole? [02:18:13] Speaker 3: I would say so, yes. [02:18:16] Speaker 5: Then the location data gets more broad. [02:18:20] Speaker 3: It does. [02:18:24] Speaker 5: There is no movement at that time after the car stops. Is there any movement when the car stops at 24-38, between 24-38 and 24-30? Is there any movement indicated on the health care data? [02:18:39] Speaker 3: Not from the health data now. [02:18:45] Speaker 5: At 12-31-57, does the phone demonstrate any movement? [02:18:56] Speaker 3: If I may just look back at my report, just to recall. Yes, around 12-31-56 or 57 is the start of the health event, 36 steps. [02:19:09] Speaker 5: How long, how many seconds does that phone move for? Well, 20 seconds. 12-31-56 to 12-32-16? Correct. And is that the only time that the phone moves from the point it stops at the flagpole until the next morning? Correct. The only time? [02:19:34] Speaker ?: Correct. [02:19:34] Speaker 5: 12-31-56 to 12-32-16? [02:19:39] Speaker 3: Yes. [02:19:43] Speaker 5: And when that phone moves, you can't tell if it's walking a straight line or in a circle? Correct. You don't know if the phone is pacing back and forth? [02:19:50] Speaker 4: Judging, Your Honor. Sustained as to fool. [02:19:52] Speaker 5: Can you tell how far a phone moves from its origin, from its original point, when you're counting steps? [02:20:00] Speaker 3: No, iOS creates the calculation, number of steps times the person's gait, and provides the 25.4 meters volume. [02:20:15] Speaker 5: At 12-32-16, when that phone stops moving, John O'Keefe's phone stops moving. Do you know the next time it moves again? [02:20:28] Speaker 4: I'm going to a line. [02:20:31] Speaker 3: It's approximately 6-15. [02:20:36] Speaker 5: Now, less than five minutes later, 12-37, that battery in that cell phone gets another temperature reading, doesn't it? It does. Does it go up? It goes down. Yeah. And it goes down to what degrees? 72 degrees. And over the next eight minutes, does that temperature even or go up? [02:21:04] Speaker 3: At 43 minutes past, there was another reading of 66 Fahrenheit. [02:21:11] Speaker 5: And then at 12-53, that's about, what, 21 minutes or so after that phone stops moving. What's the temperature? [02:21:25] Speaker 3: I'm sorry, at 12-53? [02:21:27] Speaker 5: Yes. Oh, 61 Fahrenheit. 61 degrees? Yes. And over the next 14 minutes, does it drop again? [02:21:41] Speaker 3: It does. It drops to 55 degrees at 1-07. [02:21:46] Speaker 5: And at 1-36 a.m. that morning? [02:21:49] Speaker 3: It's down to 50 degrees. [02:21:50] Speaker 5: And this health data shows that that phone hasn't moved. Does this health care data show that this phone hasn't moved? No more steps were recorded. Now, you had studies where you put the phone in a freezer? Correct. When you put the phone in the freezer, did you wrap it in anything? I didn't, no. Did you use any type of heat source that would slow down the process of the temperature dropping? No. Let me ask you a hypothetical. If a person, a human, was lying prone on a cell phone outside and had a body temperature directly touching the phone, in your opinion, could that slow the process of the temperature decreasing as compared to just simply putting a phone in a freezer? Objection, Your Honor. [02:22:55] Speaker 4: Sustained. [02:23:01] Speaker 5: When you put the phone in the freezer, did you wrap it in any warmth? [02:23:05] Speaker 3: No. [02:23:06] Speaker 5: Any clothing? [02:23:08] Speaker 3: Nothing at all. [02:23:10] Speaker 5: Now, you don't know the temperature, but you said there was a blizzard outside? That's my understanding, yes. At 6.06 a.m., is there a change in the battery temperature of John O'Keefe's phone? [02:23:25] Speaker 3: Yes, the temperature has dropped to 43 degrees Fahrenheit. [02:23:30] Speaker 5: So there's a 7 degree drop in temperature at 6.06? Correct. Were you shared any of the facts or information that has nothing to do with data and science? Were you shared any facts or information about what may have occurred to that cell phone and its exposure to colder air that morning, minutes prior to 6.06 a.m.? [02:23:53] Speaker 3: I may have heard that around that time is when John was found. [02:24:02] Speaker 4: So could you answer the question, yes or no, that Mr. Doan asked you? Did anybody share information with you about that, sir? [02:24:10] Speaker 3: Nobody shared it with me, no. [02:24:14] Speaker 5: If the phone was in an environment and it was exposed to further colder air or drop in temperature, could it register a reading? I'm sorry, can you just ask that again? Sure. Let me ask a different question. The phone drops to 43 degrees. John's phone at 6.06. 6.14, is there another change with this phone dropping in temperature? [02:24:47] Speaker 3: Yes, it drops to 37 Fahrenheit. [02:24:50] Speaker 5: Do you know what, if anything happened as far as the environment that phone was exposed to seconds before 6.14? I don't know. Do you know if that phone, at 6.15.01, was then placed in a warmer environment, like a pocket or a car? Do you know? I have no idea. But your data shows at 6.35, there's an increase in temperature. Correct. Doesn't it? It does. So at 6.14, you don't know if there's any increased exposure, do you? [02:25:29] Speaker 3: No, I know that according to the battery temperature, it's increased, but I don't know the reason for that. [02:25:36] Speaker 5: Now, if you look at the battery temperature, it's 6.06 a.m., it's 43 degrees. Yes. That's a change in temperature, isn't it? Yes, you're right. Is that a change in temperature from 136? It is. Looking at your healthcare data, is there something happening relative to the phone at 6.04 to 6.11? [02:26:06] Speaker 3: There is, that is, 432 steps were recorded at that time. [02:26:12] Speaker 5: Can a phone record steps if it's being moved back and forth? [02:26:17] Speaker 3: It may record some. It's difficult to say how many would be misunderstood as being steps taken. [02:26:24] Speaker 5: If you're taking an object that moves the phone violently, could it record steps? [02:26:31] Speaker 3: Again, potentially, it could record some, but it's not a consistent enough pattern of movement for it to be recorded as lots of steps. [02:26:42] Speaker 5: Now, at 6.14, the temperature is 37 degrees, and you just offered us that by 6.35, over the next 21 minutes, the degrees goes up by 6 degrees. Correct. You don't know what was happening with that phone at 6.15.01, do you? I don't. [02:27:00] Speaker 4: Do you know? [02:27:03] Speaker 5: I don't know. [02:27:03] Speaker 4: Next question. [02:27:04] Speaker 5: But what you do know is this healthcare data at 6.15.14? Correct. And that demonstrates what? [02:27:13] Speaker 3: At 6.15.14, it was the start of 180 steps. [02:27:17] Speaker 5: So the phone at 6.15.14 is again moving? [02:27:21] Speaker 3: Correct. [02:27:23] Speaker 5: And after that starts moving wherever the phone may go, it starts getting warmer temperature? Correct. Correct. Now, you shared with us location data, and you explained the difference between ways and other types of location data. I had asked you an opinion about where the phone was located based just on location data, nothing else. And when I asked you that opinion, I didn't ask you to a reasonable degree of scientific certainty, did I? I don't recall. I asked you if it was consistent with being near the flagpole the entire night. [02:28:02] Speaker 2: Yes. [02:28:03] Speaker 5: In your arm. Sustained. Based on location data alone, are you offering an opinion to a reasonable degree of scientific certainty where that phone was? [02:28:17] Speaker 3: It's difficult to say with a reasonable degree of certainty based on the randomness of the location data. [02:28:25] Speaker 4: I'm going to ask you to keep your voice up, Mr. Wortham. Could we turn the AC off, please? Thank you. [02:28:33] Speaker 3: No, it's difficult to give an answer based to a high degree of scientific certainty based on the sporadic nature of the records that night. [02:28:42] Speaker 5: Based on the data you have, just on location data alone, is that location data consistent with that phone being near the flagpole area from midnight until 6:15 the next morning? It, it is, yes. There's also information because the broadness that it could have been somewhere else? Correct. Yet it is consistent? [02:28:55] Speaker 3: It is. [02:28:56] Speaker 5: You didn't just rely on location data for your opinion though? I didn't, no. Watch the form, Mr. Brennan, sustained. Yes. Did you rely just on location data for your opinion? No, I didn't know. Did you also consider the health data? That phone being near the flagpole area from midnight until 6:15 the next morning? It is, yes. [02:29:09] Speaker 4: It is, yes. There's also information because the broadness that it could have been somewhere else? Correct. [02:29:12] Speaker 5: Yet it is consistent? It is. You didn't just rely on location data for your opinion though? I didn't, no. I didn't, no. Did you also consider the health data? I didn't. And did you also consider the battery temperature? [02:29:26] Speaker 4: Objection, Your Honor. Sustained. [02:29:28] Speaker 5: In addition to location data, what are the other things you considered, in your opinion, to a reasonable degree of scientific certainty, that that phone was at the flagpole of the entire loan from 12:30 until 6:00 the next morning? [02:29:44] Speaker 4: Objection, Your Honor. I'm going to allow that. [02:29:47] Speaker 3: It was based on the location data that recorded high accuracy. Based on the health data that showed when the device moved and how far. Based on the battery temperature information and based on the Doppler face detection information. [02:30:02] Speaker 5: Let me ask you some more questions about the health data. You were shown pieces of information on examination. You told us that that health data, well, the phone was, was it your opinion the phone was in the car until it stopped at the flagpole? [02:30:18] Speaker 1: Objection, Your Honor. Sustained. [02:30:20] Speaker 5: At 12:31:56 and 12:32:16, does the data show that is the time that the phone was moving? At what time, sorry? 12:31:56 to 12:32:16. [02:30:41] Speaker 3: I'm sorry, the rest of the question was? [02:30:43] Speaker 5: Does that demonstrate movement of the phone at that time? Yes, it does. [02:30:51] Speaker ?: Yes, it does. [02:30:52] Speaker 5: You shared that you can't tell the direction or the distance of steps. Objection, Your Honor. If, if that phone moved from the flagpole and it's straight along the way from the flagpole, like, for example, towards the house, wouldn't it have to move again before 6:04 to get back to the flagpole? [02:31:25] Speaker 1: Objection, Your Honor. [02:31:29] Speaker 5: I would presume so. [02:31:31] Speaker 4: Are you asking me to strike that, Mr. Presley? Yes, Your Honor. [02:31:35] Speaker 2: I'm going to strike that. [02:31:36] Speaker 5: Does health data register when a phone moves? It does. I'll ask you some more detailed questions about your research into a phone that's been attributed to Jennifer McCabe. You looked at one piece of your report on the screen and that was a phone call register. Oh, yes. Could you turn to that phone call register, please? [02:32:06] Speaker 4: What are we doing with the slide that's up there, Mr. Brennan? [02:32:10] Speaker 5: I would like to change it to the phone call register. That's not me. This is now marked as exhibit 42. In the phone call register, you noted that there was a call at 12:14:36? Yes. Have you found it? Is that your? This is not me. No. I think it's Ms. Gilman. Thank you, Ms. Gilman. Could you enlarge that, please? On examination, you read that at 12:14:36 there was a phone call incoming? Yes. That appeared to be from Jennifer McCabe? Correct. At 12:14:36, the location information is the John O'Keefe's cell phone at Sir Hugh by that point? Yes, Your Honor. So the question, is it? Yes. Is it? [02:33:07] Speaker ?: No. [02:33:08] Speaker 5: And then at 12:18:47, there's another call, and again from Jen McCabe? That's an outgoing call to Jen McCabe. It's an outgoing call to Jen McCabe? Yes. 12:18:47, the location information, does that place Mr. O'Keefe's cell phone at Fairview? No, it does not. Then at 12:29:44, there's an eight-second call that you said you believe is answered. Do you know if there was any conversation in that call? [02:33:37] Speaker 3: No way to know if there's any conversation. [02:33:39] Speaker 5: And at 12:29:44, does the location information placed on O'Keefe's cell phone somewhere? [02:33:47] Speaker 3: It does, at Fairview Road. [02:33:49] Speaker 5: At the flagpole? Yes. Your Honor. [02:33:52] Speaker 2: I'll strike that. [02:33:53] Speaker 5: Thank you. Now, there is not a call, well, let me ask you. The next call. What time is the next call? [02:34:02] Speaker 3: 33 minutes and 35 seconds after midnight. And who's that call from? From Karen Reid. [02:34:07] Speaker 5: Is that before or after John O'Keefe's health data stops? After. At 12:37, you offered us that the cell phone battery's temperature is decreasing. Yes. How many calls have been made from the defendant to John O'Keefe by the time that cell phone battery starts dropping in temperature? Seven. I want to turn now to some questions about your analysis of Ms. McCabe's phone. You were asked about hash values, a way of trying to confirm the integrity of the data on an extraction. [02:34:57] Speaker 3: Yes. [02:34:58] Speaker 5: When forensic analysts look at phones, do you sometimes get to actually see the phone? Yes. Do you sometimes have to use an extraction, a copy of the phone? Yes. Is it important to try to look and research or search the item to determine whether or not there's been any tampering? [02:35:17] Speaker 3: Yes. [02:35:18] Speaker 5: You were asked if hash values is one way to do that? Almost. And you were shown or read part of your report about hash values? Yes. There's a second part to that, isn't there? [02:35:30] Speaker 3: There is. [02:35:31] Speaker 5: You didn't get a chance to share the second part, did you? Yes, Your Honor. Just came. In this case, there was a hash value, wasn't there? There was. Well, just so we can understand simply, how is a hash value created during the extraction process? What does that mean? [02:35:49] Speaker 3: In very, very simple terms. At the end of the extraction, an algorithm is run on every piece of, every byte of data within the extraction and it comes out with a value at the end. The idea is that if any of that data ever changes, be it through user interaction or through corruption of data in how it was stored, then that value will change at the end. [02:36:14] Speaker 5: You mentioned GreyKey. Is that a software, hardware that makes the copy of the phone? [02:36:19] Speaker 3: It's a piece of hardware and includes software. [02:36:21] Speaker 5: How commonly is GreyKey used in the industry? [02:36:24] Speaker 3: It's very common. [02:36:27] Speaker 5: I hear you say that with GreyKey, the hash value is never authenticated. Objection, Your Honor. [02:36:32] Speaker 4: Sustained as default. [02:36:34] Speaker 5: Does GreyKey authenticate the hash value? [02:36:37] Speaker 3: The hash value is placed inside a PDF, which is not signed. [02:36:40] Speaker 5: And is that common or typical in the industry? [02:36:43] Speaker 3: Yeah. That is the way that GreyKey do it. [02:36:46] Speaker 5: Was there anything anomaly or untoward or different about the way this one was done? [02:36:51] Speaker 3: No. [02:36:52] Speaker 5: Did the hash value from the GreyKey extraction match the hash value? [02:36:58] Speaker 3: It did. [02:37:00] Speaker 5: Anything irregular whatsoever about it? [02:37:02] Speaker 3: No. [02:37:03] Speaker 5: Not that I could say. Now, you don't just read software programs when they spit out reports, do you? No. As an analyst, as one of the leaders of Celebrite, do you have a history of being a researcher? Yes, I do. A history of study? Yes. Have you written reports and papers for people to learn? [02:37:22] Speaker 3: I've written multiple blogs, done multiple presentations, webinars. Some of my blog posts have become peer-reviewed articles. [02:37:29] Speaker ?: Okay. [02:37:30] Speaker 5: Is it sufficient to simply look at a report that is generated by Celebrite or Axiom or any other service and make conclusions just on the report? No. I don't believe it is, no. Why do you think that's imprudent? Yeah. Sorry? Why do you think that is not prudent to simply rely on a report? [02:37:48] Speaker 3: The tools are very good at surfacing data, but I believe it's up to the examiner to understand what that data means and to provide context to the information which the tool itself can't do. [02:38:02] Speaker 5: Yes. And when you were considering the hash value and determine whether or not you thought there was anything wrong with the data, aside from the hash value, how do you do that? [02:38:14] Speaker 3: How do I do what? [02:38:15] Speaker 5: How do you make a determination whether or not this has integrity, the data hasn't been tampered with, so to speak? [02:38:21] Speaker 3: Okay. So, notwithstanding the hash value, I've been looking for issues with the data that don't make sense. In this particular case, there was lots of data points that all appeared to work together. You would see one artifact change in one database and an artifact would change somewhere else, and it all just made perfect sense in how it was functioning. That kind of leads you to believe that it's not been tampered with or the person tampering with it did an exceptional job to be able to cover all of these different tracks and make it undetectable. [02:38:57] Speaker 5: Did you try to summarize that perspective in the part of the report that wasn't read to you on examination? I did. Do you have an opinion to a reasonable degree of scientific certainty if there was any data integrity issues in the information you reviewed? I don't believe there was any. It was characterized on examination. There was a dispute about the time origin of the search, how long to die in code. Do you remember being asked the question about a dispute? Yes. Have you, in your studies and in your position, is there any viable dispute in the forensic data scientific community about that issue? [02:39:41] Speaker 3: I don't believe there is anymore. [02:39:43] Speaker 5: Now you got involved in this case because you received a complaint from the consumer? [02:39:48] Speaker 3: I received a question from the consumer, yes. [02:39:50] Speaker 5: Have you attempted to resolve that? Correct. Other than that source, have you received any information, feedback, opinions that would [02:40:07] Speaker 2: make this issue in any way a dispute? [02:40:08] Speaker 3: I'm sorry, can you rephrase the question? [02:40:10] Speaker 5: Other than that one person, that one consumer, have you received any information in the forensic community which you're part of? Any data, any information that would suggest that your conclusions are in dispute? [02:40:20] Speaker 3: Yeah, I received a very similar question from an examiner in Europe. Fairly similar circumstances with a case and with a timestamp that didn't make sense, that was originating from the same database. I applied the same logic and theory to his question, and he confirmed it solved the issue for him. It all made sense then. [02:40:43] Speaker 5: And since then, has in your world, academic and research world, forensic data science, other than the person who originally raised the question, has there been any dispute brought to you by anybody about your conclusions about when this search actually happened? No. [02:41:01] Speaker 3: If anything, I've heard people who have confirmed the research that I did. [02:41:06] Speaker 5: Do you know Jessica Hyde? I do. Is she well known in the forensic community? She is. You were asked questions about your law enforcement background and the fact that Celebrite is used as a forensic tool oftentimes by law enforcement? [02:41:23] Speaker 3: Yes. [02:41:24] Speaker 5: No. Did you go into your company's software and change it to accommodate law enforcement? No. Definitely not. Would you ever do such a thing? No. Why wouldn't you do something like that? [02:41:39] Speaker 3: Aside from being unethical to change the data in that way, this is an artifact that is easily validated by any examiner. And if I was to temper it for the purposes of changing the outcome of the case, it would be detected by all of our customers immediately and would destroy the reputation of Celebrite, which I've got no intention of doing. [02:42:03] Speaker 5: Before, prior proceeding, the printout from the software, when it was showing the timestamp of the Safari search, was it labeled something in particular before? [02:42:21] Speaker 3: The Celebrite search was labeled last visited time. Last what? Last visited time. [02:42:28] Speaker 5: And when it was labeled last visited time, did it show 227 on the report? [02:42:32] Speaker 3: Yes. [02:42:33] Speaker 5: It did. Celebrite after research and consideration removed that label? [02:42:38] Speaker 3: We removed the timestamp when we determined that it was not relevant to the last time that that page was visited. [02:42:44] Speaker 5: Why was it important to remove that timestamp from the program and the software? It was clearly causing confusion. Does the company have concerns when consumers are confused about information? Of course. Yes. Do companies have concerns if a consumer tries to manipulate the use of that information? Of course. Are companies concerned that a label could be misleading for somebody who may not have a higher level of experience? Yes. When that decision was made to change that for clarification, do you make that solely by yourself? [02:43:24] Speaker 3: No, I do not. [02:43:25] Speaker 5: Who do you consult with and who's part of that decision process? Yes. [02:43:30] Speaker 3: So again, after my research, I passed the results of my research to the forensic research group. Uh, this is a team based at CellRite, uh, whose sole job is to do the research, uh, do the coding to make sure that what we're giving to customers is correct. Uh, they spent some time validating the research that I did, verifying that my research was correct, and then they were responsible for making the change based on the updated research. [02:43:56] Speaker 5: It was suggested that a separate software program, not the company you work for Celebrate, but Axiom reflects, um, this search as deleted. That's not entirely accurate, is it? Judging. [02:44:09] Speaker 2: Sustained as defended. [02:44:10] Speaker 5: Running an Axiom program, would it reflect this search as deleted? [02:44:15] Speaker 3: Uh, yes, and it is a deleted search. [02:44:18] Speaker 5: Okay. Does it have a label on it? It does. Is that carved? [02:44:22] Speaker 3: Uh, yes, it would be. [02:44:24] Speaker 5: Now, um, are you familiar with the Axiom artifact reference guide when it talks about the dangers of relying on the timestamp? [02:44:33] Speaker 3: Um, I'm not familiar with it referencing dangers, but I'm aware of the document. [02:44:39] Speaker 5: Are you aware of the reference guide when it talks about Safari suspended state tabs? Yes. More opposite, since these are local tabs states, results from this artifact may contain an earlier date and time compared to the results in the Safari history artifact if iCloud Safari synchronization? Objection, Your Honor. Sustained. Are you aware of the reference guide? I am. Are you aware that it cautions that its timestamp can be misinterpreted? [02:45:07] Speaker 1: Objection, Your Honor. Sustained. [02:45:09] Speaker 5: Yes, sir, when you came to your opinion that the search for how long or how long to die in the cold at 6:23 and 6:24 in the morning of January 29, 2022, um, was the time that they were actually inputted, not 2:27. In the informing your opinion, um, did you consider both celebrate and axiom software? [02:45:39] Speaker 3: I did. [02:45:40] Speaker 5: Did you consider other tools as well? Uh, yes, my own. Um, and tell us a little bit about your own tool. [02:45:44] Speaker 3: Uh, again, this is a tool I've been writing for approximately five or six years now, uh, partially for fun, partially for research purposes. Uh, and it's a tool I make available to other examiners globally. [02:46:00] Speaker 5: And, sir, um, when you were trying to examine these searches that, in your opinion, were 6:23 and 6:24 AM, um, did you ever try to test it yourself and actually take a phone so you could either prove or disprove to yourself that that earlier timestamp didn't mean it was the time that it was searched? [02:46:24] Speaker 3: Oh, definitely, yes. That's the kind of thing I do all the time when verifying, uh, artifacts. [02:46:29] Speaker 5: And in your opinion, is that helpful in understanding how a timestamp earlier can relate to a later search? [02:46:36] Speaker 3: Uh, exactly, very helpful. [02:46:37] Speaker 5: Would you be willing to do a live demonstration for us on the screen and show us how that works? Yes. Okay. How long would that take? [02:46:44] Speaker 3: Uh, probably about five minutes. [02:46:46] Speaker ?: Okay. Could you show us? [02:46:48] Speaker 3: Of course. [02:46:49] Speaker 1: Okay. [02:46:50] Speaker 5: Mr. Whiffen, I'd like to ask you a couple of general questions. Yes. You mentioned, with reference to location data, that the scope of identifying a location of a phone can change depending on what information the phone is receiving. [02:47:10] Speaker ?: I'm sorry. [02:47:11] Speaker 5: Yep. I'll try again. You've shown us a number of graphs and exhibits that show different circles. Some might be smaller, some might be larger than others. Yes. Um, and you shared with us that location information is being received from a number of different sources. Yes. Can you remind us again, what can affect that location data as far as receiving some high accuracy, mid and low level? What could affect the receipt of that information? [02:47:38] Speaker 3: So primarily the requesting application, uh, defines how accurate it needs the data. iOS location services then determines the best technology to use in order to work out that location. Uh, and it can use GPS information for the most accurate. It can use wifi, uh, cell sighting. So it understands, uh, the wifi networks that it can, uh, detect close by and it knows where those networks are. And from that it can derive, uh, where it itself is. Uh, similar idea, uh, with both Bluetooth beacons and with cell tower technology. It understands where the cell towers are. It understands where the Bluetooth beacons are. And if it can see those particular, uh, cell towers or beacons, it knows roughly where itself must be. [02:48:24] Speaker 5: You share with us, there are some factors that can affect that location data. [02:48:30] Speaker 3: Yes. [02:48:31] Speaker 5: In addition to being in a building like a house or a business, that's one way it can be affected? [02:48:37] Speaker 3: It is. [02:48:38] Speaker 5: And there are other ways as well, isn't there? There are. And could you share again the other ways that location information could change? [02:48:44] Speaker 3: Yeah, the weather can play an effect on it. Uh, the geography of the area, whether it's in a rural or urban environment, uh, other kinds of interference. Uh, if there are, uh, other items close by that are emitting electrical interference, it could affect the location data as well. [02:48:58] Speaker 5: How about a body being on the phone? Could that affect location data? Injection, Your Honor. Injection, Your Honor. [02:49:05] Speaker 4: I would ask it differently. Injection, Your Honor. [02:49:07] Speaker ?: Injection, Your Honor. I would ask it differently. [02:49:09] Speaker 5: Okay. If a human being was covering the phone, so it wasn't exposed to the air, could that affect the location data? Injection, Your Honor. [02:49:17] Speaker 4: Injection, Your Honor. I'm going in a room. [02:49:19] Speaker 3: I believe it could, yes. [02:49:21] Speaker 5: You were shown Exhibit 40. It was one select piece of your report. It was a graph. With the court's permission, I'd like to show Exhibit 40. Yes. Exhibit 40 has two circles, one darker, one white. Yes. And do you remember being asked questions about this particular exhibit? [02:49:38] Speaker 3: I do. [02:49:39] Speaker 5: And in addition to this exhibit, is there other information in your report that wasn't shown to you that would put this in context? There is. This exhibit is to demonstrate a window of when location data was taken for a particular time. [02:49:57] Speaker 4: Injection, Your Honor. Watch the formula questions. [02:50:00] Speaker 5: Okay. This photograph, what does it represent? [02:50:04] Speaker 3: There were two particular time periods of approximately five seconds where multiple records showed identical latitude and longitude. So the same center point of the radius, but the radius themselves differed. So in this case, the white circle or the white circles show the lowest accuracy and the highest accuracy for five records that were all within a five second time period. And that shared the same latitude and longitude as the central point. [02:50:39] Speaker 5: Looking at this snapshot of five seconds, is this still consistent with your opinion that to a reasonable degree of scientific certainty, you opine that the cell phone was in the flagpole area the entire evening of January 29th, 2022? [02:50:55] Speaker 4: Yes. I'm going to allow it. [02:50:57] Speaker 3: Yes, it still aligns with my opinion. [02:51:02] Speaker 5: When you provide a report of all the different graphs and explanations, do you expect it's going to be shared with the defense attorneys? [02:51:13] Speaker 3: Of course. [02:51:14] Speaker 5: And you understand this case, everything is shared? Of course. And when you shared your report with this piece of information, did you include a summary chart that wasn't shown to you on examination? I believe I did, yes. [02:51:25] Speaker 3: May I approach? Yes. [02:51:27] Speaker 5: Thank you. [02:51:28] Speaker 2: Do you recognize your report? [02:51:29] Speaker ?: I do. [02:51:30] Speaker 2: And what page do you want? 22. [02:51:32] Speaker 5: Do you recognize anything in particular as far as a chart on that page? I do. [02:51:46] Speaker 3: There's a chart at the top with the location data that was used to create the image show. [02:51:52] Speaker 5: Does that chart help explain this photograph? [02:51:55] Speaker 3: It does. [02:51:56] Speaker 5: And move that chart into evidence chart. [02:51:59] Speaker 4: Any objection, Mr. Lassie? No objection, Your Honor. [02:52:02] Speaker 5: With the court's permission, I'd like Ms. Gilman to show us the chart. Yes. How long of a time period does that photograph encompass? [02:52:18] Speaker 3: The photograph has got two time periods of five seconds each, which are approximately 40 minutes apart. [02:52:25] Speaker 5: And what does this show us? Can you explain the chart that goes along with that photograph that was shown to you? [02:52:31] Speaker 3: All right. So this chart is, the map shows five of the records from this particular chart. But we can see that all of these records have a consecutive timestamp one second apart. The latitude and longitude is identical for all of these records. But at the same time, the accuracy drops from 43 meters to seven meters within that same eight-second time period. The idea was to demonstrate that if you have one of these records on its own, if you only had the 43-meter accurate record, for example, then the phone could be anywhere within that 43-meter radius. But as time goes on, the accuracy is refined. The same central point is used by iOS, but we've now got an accuracy of seven meters. And again, if you were to say that the phone is anywhere within that seven meters, it's a much more accurate representation, according to the data, than the 43 meters would be. And with an eight-second time period, if the device was actually moving during that time, I wouldn't expect to see the latitude and longitude remain exactly the same. There'd be some degree of movement in the coordinates. [02:53:46] Speaker 5: When you're producing location information in the circles that represent the location change, small, medium, large, at different times, does this chalk help represent that there can be changes in the location data, but the item can remain dormant? [02:54:09] Speaker 2: I'm going to ask that differently, Mr. Brown. [02:54:13] Speaker 5: What is the exact point of the demonstration of this chalk? How does that help us understand the movement or the lack of movement of a cell phone? [02:54:22] Speaker 3: I believe it demonstrates the fact that the phone is constantly refining the location data or the accuracy of the location data, even though it's using the same central point, the latitude and longitude, as the reference point. It doesn't necessarily mean the device had to move. [02:54:40] Speaker 5: If I could go back to exhibit 40, please. So looking at your photograph that you were asked about, there are two different circles, one dark and one light. Yes. And those circles are in different spots. Yes. Based on the chalk, the chart you just showed us, are both of those different color circles consistently consistent with a phone being in the same spot and not moving. [02:55:11] Speaker 3: The previous chart that was shown only accounts for the white circles on this map. And it only shows the highest and the lowest accuracy. 20 minutes later, there was another similar scenario where there were multiple records with the same central GPS coordinates, but with different accuracy levels. And that's what was used for the black circles. Importantly, in my opinion, they all overlap. So it's possible that the device is somewhere in between those two circles for the duration of the time. [02:55:44] Speaker 5: Now, finally, I want to turn back to the phone that was attributed to Jennifer McCabe. And you had shared with us your opinions about the time in which the searches at 6:23 and 6:24 were made. Correct. And I asked if you could just show us live right now how it works that a person can open a tab and there's a timestamp, the time when it's open, and then make a latest search but still retain the original timestamp. Yes. Is that something you can do for us? It is, yeah. With the course permission, I'd ask Mr. Whiffen to give us a live demonstration of this. Yes. [02:56:17] Speaker 3: Do you want the light off, Mr. Whiffen? The light off would be better, thank you. Okay. Thank you, Dave. Okay. First of all, I will highlight on the left side of the screen here, this is actually a live representation of what I have on a phone that's in front of me. So as I move this around, you can actually see on the screen that the screen refreshes. I'll also point out the iOS version here is 15.2.1, which matches that from Jennifer McCabe's phone. On the right side of the screen is the tool which I spoke about earlier, the one that I've been writing for several years. I make it available for free for any examiner who wants to download it and research primarily iOS devices. Here you can see I've got a live connection to the device. So every file and folder that is on the device I can see within this directory view as you would normally see on a regular computer. And we can see the browser state.db database. If I open that database up, you can see there are four tables, one of which is called tabs. Mr. Whiffen, I hate to interrupt you. [02:57:28] Speaker 2: Can we make this larger? I can try to. [02:57:31] Speaker 4: Is that going to impact your demonstration in any way? It shouldn't. [02:57:42] Speaker 3: I should be able to work around it. Thank you. [02:57:44] Speaker 4: Is that better for the jurors? Perfect. [02:57:46] Speaker 3: Yes. [02:57:47] Speaker 4: If it's just a little closer. [02:57:50] Speaker 3: Oh. Let me pull forward. [02:57:52] Speaker 4: Thank you. [02:57:57] Speaker 3: So at this moment in time, the tabs table has two records. I'm just going to ask you to ignore those for now. They're from a previous demonstration. I can't delete those without taking longer to do this demonstration. If I go back onto the phone itself, just takes a second to refresh and open up Safari. I can open up a new tab. What I will just do now is search for the time that we're on now. So 14:10 and hit go. So right now that page is loaded. Sure. And I can go back into the database and just hit reload. That will bring the most recent version of the database from the device back onto my computer and show it back in this window in exactly the same way as I was doing it a second ago. And you can see right now there's still only two records. So the fact that I did a new tab and a new search has had no effect on what I can see. This is different to on previous versions of iOS where you would already now see a new record with the 14:10 search, which I've made. I'm going to do another search. Oh, please. I'm going to catch up with me. It's now 14:11. So I'll do a search for 14:11. Okay. We can see the page is loaded and I can go back over to this tool and reload the database. We still don't have a new record that shows that a search is being conducted. I'll just take the time to do another little search. You just do 14:11 X. Reload the page again. Still nothing's appeared. I can even close down Safari. Just minimize it into the background. And then bring it back into the foreground by just pressing the Safari icon. I can hit reload again. We still don't have a new record. And I can do a further search for now 14:12. 14:12 is loaded and I can reload the page. Still no records present. I can now go into Safari and just close the tab. So now that tab is closed. And I can just prove that. So that tab is now closed. And I can go back over here and reload. And you'll see a new record has appeared. I'm just going to change the time zone just so that this shows accurately. And tell my tool to treat the timestamps as Eastern time. So we look at this particular record. You can see the title is 14:12. That's the last item that I searched for. You can see the URL is the google.ca/search1412. Again, that is the content that I searched for. And then we see this field here. The last viewed timestamp. And the time here still says 14:10. Because that's the time that I first loaded the tab. The fact that I navigated between. The fact that I minimized and reopened Safari. There's no relevance to this timestamp. It is purely the timestamp that that tab was created or brought back into focus. [03:01:43] Speaker 5: To an unplayed eye, can that development of a timestamp become confusing? [03:01:47] Speaker 3: Yes, the name last viewed time clearly has implications that would make you believe that it was the time that the page was last viewed. It's a very simple test that I just demonstrated to prove that that's not the case. [03:02:02] Speaker 5: Is there any other reason that Celebrite removed that process as timestamp? Other than to clarify that issue? [03:02:11] Speaker 4: No, I'll allow it. [03:02:12] Speaker 3: Purely because we determined it was unreliable to use as a time that the page was last viewed. [03:02:19] Speaker 5: If an examiner simply made a report from Axiom or Celebrite or another software but didn't have the time or skill to actually go into the data, could they be easily confused by this? [03:02:31] Speaker 3: Yes, the way that Celebrite provided this information showed as a last viewed timestamp. The way that Axiom provides this data is called last interaction time. So there is some leeway there to misunderstand it less from Axiom because it's talking about tab interaction rather than a webpage that was last viewed. [03:02:52] Speaker 5: Thank you. I have no further questions. All right. [03:02:55] Speaker 2: Thank you. The light's on, please. Mr. Lessie. [03:02:58] Speaker 1: Thank you. [03:03:00] Speaker 2: Do you want Mr. Whitten to take this down? [03:03:04] Speaker 1: Yes, please, Your Honor. Good afternoon and hello again, Mr. Whitten. Good afternoon. Magnet Forensic Axiom still shows a 227:40 a.m. timestamp on its forensic tool, correct? Correct. [03:03:30] Speaker ?: Correct. And Magnet Forensic is a reliable forensic tool company, correct? As reliable as they come, yes. [03:03:30] Speaker 1: The demonstration that you just performed, when did you create it? The... [03:03:43] Speaker ?: Sorry, the demonstration? What you just... Literally just now as I was doing it live. So you just created the demonstration now live on the stand? That particular demonstration? Yes. [03:03:45] Speaker 1: Yeah. That particular demonstration, yes. [03:03:47] Speaker ?: Yeah. [03:03:47] Speaker 1: So... [03:03:48] Speaker ?: That demonstration, therefore, was created after Celebrite. [03:03:50] Speaker 1: removed the 227:40 [03:03:53] Speaker 3: timestamp from all of its tool programs, correct? Correct. Yes. No. Incorrect. I mean, that demonstration I just provided was... [03:03:59] Speaker 1: Right now. That's how you mean? You just created the demonstration now live on the stand? That particular demonstration, yes. [03:04:03] Speaker 3: Yeah. So... [03:04:05] Speaker 1: That demonstration, therefore, was created after Celebrite removed the 227:40 timestamp from all of its tool programs, correct? [03:04:23] Speaker 3: No. Incorrect. I mean, that demonstration I just provided was... Right now, it was live. Initially, when I did these tests, I did the same kind of experiment, the same type of testing back in late 2023, I believe. And after I did those tests and used that research, that is when Celebrite removed the timestamp. [03:04:45] Speaker 1: Maybe my question wasn't clear, let me see if I can rephrase it. [03:04:52] Speaker ?: Yes. [03:04:53] Speaker 1: The demonstration that you just gave, when did you prepare it? The demonstration, not just the demonstration that you just showed on the screen. When did you create that demonstration on your computer? [03:05:08] Speaker 3: Again, I've been doing this demonstration for two years. [03:05:14] Speaker 1: My question, again, is the demonstration you just gave. Yes. When was the last time you altered that demonstration? [03:05:25] Speaker 3: Other than to use different search terms, it's the same demonstration. [03:05:31] Speaker 1: I'll try a different one. [03:05:33] Speaker 3: Yes, please. [03:05:34] Speaker 1: When was the last time you altered, in any way, the demonstration you just gave? [03:05:40] Speaker ?: Right now. [03:05:41] Speaker 1: So you altered it right now. And that alteration was made after Celebrite had removed the 2:27:40 a.m. timestamp from its programs. Correct? Yes. Okay. Thank you. No further questions, Your Honor. [03:05:58] Speaker 4: Thank you.