Ian Whiffin
Testimony Impact
Ian Whiffin is a forensic analyst with Cellebrite, a leading provider of digital intelligence tools used by law enforcement. He was retained by the prosecution to analyze data extracted from Jennifer McCabe's iPhone and John O'Keefe's phone. His testimony centered on two disputed questions: when McCabe conducted the 'how long to die in cold' Google search, and what O'Keefe's phone data — including location, step counts, battery temperature, and pocket state — reveals about his movements and condition during the hours between his arrival at 34 Fairview Road and when his body was discovered.
Trial 1 vs Trial 2
In Trial 1, Whiffin's testimony was narrowly focused on the McCabe search timing question and the BrowserState mechanism. By Trial 2, his scope expanded significantly to encompass a comprehensive analysis of O'Keefe's phone data — location accuracy windows, step counts, pocket state, and battery temperature — presenting a timeline of O'Keefe's phone behavior from arrival at 34 Fairview through body discovery. The cross-examination also intensified: where Yannetti in Trial 1 focused primarily on the iOS version variable and the theoretical possibility of data manipulation, Alessi in Trial 2 used Whiffin's own written report against him, surfacing omitted findings and leveraging Cellebrite's post-trial removal of the 2:27 a.m. timestamp as a bias argument — extending the cross across two trial days.
Notable Quotes From The Record
“There's plenty of other evidence on that extraction that shows what activity was occurring at 2:27:40, and there's plenty of evidence later on in the day that shows that that particular search was conducted at 6:23 — I believe, 51 seconds — and then a similar search at 6:24 and 18 seconds, I believe.”
Core opinion placing the searches hours later than the BrowserState timestamp suggests
“The fact that they didn't exist within history.db and that there were no deleted records from history.db leads me to believe that they never successfully loaded.”
Explains why the searches appear only in BrowserState and plist but not in the main history database — the pages never finished loading
“The fact that this record — that the 'how long to die in the cold' searches — don't exist within the history database would mean that the user would never have the option to selectively delete that record.”
Eliminates the possibility that someone manually deleted the search records
“Therefore, I can determine that that particular record was not deleted until at the earliest 10 p.m. on the 31st of January. And it's not possible that the user could have created or caused that deletion to occur.”
Rules out user deletion entirely based on WAL file analysis showing the record persisted days after the search
“The last viewed time though still shows as 8:10 p.m. last night, because that's the time that the tab was focused, not the time that the search was conducted.”
Live demonstration confirming the core mechanism — tab focus time persists even when a new search is conducted hours later
“something called a hash mechanism that we have in place — that would essentially hash the original data, and then it can be hashed again at a later date. It results in a long string of characters, and if there's any changes to the original data, then we'd see that it's been modified.”
Whiffin explains the safeguard against data tampering, partially countering Yannetti's data manipulation theory.
“It's potentially possible, but would require a large amount of knowledge and skill to do in a way that can't be detected.”
Whiffin concedes that someone with data access could theoretically alter and renumber database records to conceal deletions, though it would be difficult.
“So in this particular case, every iOS version I tested — as I mentioned, from 12, 13, 14, 15, 16, 17, and 18 — the timestamp is always referring to the time that the tab took focus. So even though there are some differences with when the record's created, the meaning behind that timestamp has been consistent.”
Directly addresses the iOS version discrepancy raised on cross, showing the core finding holds across all versions tested.
“Selective deletion would require that the record existed in the history database in order to be selected to be deleted. The fact that there's no missing records indicates it was never written into that database, and therefore could not have been selectively deleted.”
Logically forecloses the selective deletion theory raised on cross by explaining why it's structurally impossible given the data.
“I'm of no doubt that the only time those two searches were conducted was at 6:23 and 6:24 on the morning of the 29th.”
Whiffin's strongest and most definitive statement — leaves no ambiguity about his conclusion on the central search-timing question.
“It's not a term that I'm familiar with.”
A Cellebrite expert with a forensic background confirming that the term has no recognized meaning in digital forensics.
“This database is not monitoring web navigation events. It's purely monitoring the tab events. So when the tab's brought into focus or when the tab's created is the only timestamp that's relevant here.”
Core explanation of why the 2:27:40 timestamp does not reflect when the Google search was conducted
“I believe it was more than likely a system event that caused that, but I've not been able to replicate that system event.”
Whiffin's conclusion that the deletion of browser state records was not user-initiated, undermining the defense theory of evidence tampering
“According to the location and the speed data from the device, by the time it was approximately at the driveway, the phone reports it was still traveling at around 15.9 mph.”
Establishes that O'Keefe's phone never stopped at the driveway of 34 Fairview — it continued past to the flagpole area
“At 33 minutes and 14 seconds was the start of a 5 hour and 20 minute period where 26,500 Doppler checks were conducted. Every one of those checks came back to say that it was in a pocket state.”
Doppler data showing the phone's camera was continuously blocked for over five hours, consistent with the phone being face-down or covered outdoors
“Based on the totality of all of the information that we've described, my opinion is that the device never moved far away from the flag pole.”
Whiffin's ultimate conclusion — O'Keefe's phone remained stationary near the flagpole from 12:24 a.m. through 6:00 a.m.
“The location latitude/longitude was moving westerly, but at the same time the accuracy was increasing, so it didn't intrinsically prove that the device was moving.”
Whiffin explains why he excluded from his timeline his own report's finding that the phone moved toward the house — accuracy uncertainty — but Alessi has established the omission itself.
“No, I left it out of the timeline.”
Direct admission that Whiffin omitted from his jury presentation his own report's conclusion that the device was moving west toward the house.
“Correct. It would.”
Whiffin concedes that 36 steps covering 84 feet — exceeding the 72-foot flagpole-to-door distance — would place the steps inside the house at 34 Fairview.
“I didn't think it was.”
Whiffin admits he never checked the actual Canton temperature on January 29th despite conducting two battery temperature experiments, undermining the thoroughness of his analysis.
“Correct. I take a holistic view of the data and try to find anomalies, and didn't see any that raised any flags.”
Whiffin acknowledges he could not validate the hash value on McCabe's phone extraction but relied on his own judgment rather than verifiable authentication.
“They do still show it.”
Whiffin confirms that competitor Magnet AXIOM still displays the 2:27 a.m. timestamp that Cellebrite removed from its own tools after the first trial.
“I have an idea of how it occurred, but I've not been able to replicate it. So my idea is unsubstantiated.”
Whiffin admits his theory about the BrowserState deletion mechanism is unsubstantiated and that he has reasonable doubt about how it occurred.
“The data is the data.”
Whiffin's succinct framing of his objectivity — that advocacy positions are irrelevant to forensic analysis.
“No more steps were recorded.”
Confirms the phone showed no movement from 12:32:16 a.m. until approximately 6:04 a.m. — central to the prosecution's theory that O'Keefe was outside all night.
“I'd be looking for issues with the data that don't make sense. In this particular case, there were lots of data points that all appeared to work together — like you would see one artifact change in one database and an artifact would change somewhere else. And it all just made perfect sense in how it was functioning.”
Explains his methodology for verifying data integrity beyond hash values — cross-referencing multiple databases for internal consistency.
“I don't believe there is anymore.”
Whiffin states there is no longer any viable dispute in the forensic community about when the McCabe search occurred.
“Aside from being unethical to change the data in that way, this is an artifact that is easily validated by any examiner and if I was to tamper with it for the purposes of changing the outcome of a case, it would be detected by all of our customers immediately and would destroy the reputation of Cellebrite.”
Directly rebuts the cross-examination suggestion that Cellebrite altered its software to favor law enforcement.
“with an 8-second time period if the device was actually moving during that time I wouldn't expect to see the latitude and longitude remain exactly the same. There'd be some degree of movement in the coordinates.”
Explains why identical coordinates with varying accuracy circles indicate a stationary phone, not movement
“And the time here still says 1410 because that's the time that I first loaded the tab. The fact that I navigated — the fact that I minimized and reopened Safari — bears no relevance to this timestamp.”
Live demonstration proving the timestamp does not update with subsequent searches — core to the 2:27 vs 6:23 a.m. dispute
“Purely because we determined it was unreliable to use as a time that the page was last viewed.”
Explains Cellebrite's decision to remove the misleading timestamp label — addressed defense suggestion of improper motive
“The way that Cellebrite provided this information showed as 'last viewed timestamp.' The way that Magnet AXIOM provides this data is called 'last interaction time.' So there is some leeway there to — to misunderstand it less from Magnet AXIOM, because it's talking about tab interaction rather than a web page that was last viewed.”
Concedes AXIOM's labeling is slightly better while maintaining neither reflects actual search time
“Correct. As reliable as they come. Yes.”
Whiffin endorses Magnet Forensics as a reliable competitor, strengthening the defense argument that AXIOM's continued display of the 2:27 a.m. timestamp is meaningful.
“Yes.”
Whiffin concedes the demonstration was altered after Cellebrite removed the timestamp, the key point Alessi sought to establish.
Key Moments
- Whiffin's central finding in Trial 1 was that the 'how long to die in cold' search on McCabe's phone occurred at 6:23 a.m., not at 2:27 a.m. as the defense contended — explaining that the 2:27 a.m. timestamp in the BrowserState database reflected when a browser tab was last focused, not when the search was conducted, a distinction he demonstrated live in court.
- To rule out the possibility that the incriminating 2:27 a.m. record had been manually deleted and replaced by a later timestamp, Whiffin walked through WAL file analysis showing the BrowserState record persisted until at least 10 p.m. on January 31 — days after the search — making user deletion impossible within the relevant timeframe.
- In Trial 2, Whiffin expanded his testimony to include a detailed second-by-second account of O'Keefe's phone data: 36 steps recorded over 20 seconds between 12:31:56 and 12:32:16 a.m. covering approximately 84 feet, followed by 26,500 consecutive pocket state checks with no recorded movement until 6:04 a.m., when 432 steps were logged and battery temperature began rising — data the prosecution used to suggest O'Keefe had been stationary and immobile outdoors for hours.
- During Trial 2 redirect, Whiffin conducted a live demonstration on an iOS 15.2.1 device using Cellebrite's ARTX tool to show the jury exactly how a BrowserState tab focus timestamp differs from a search timestamp, directly countering defense challenges about the methodology underlying his 6:23 a.m. conclusion.
- Whiffin also testified that the absence of the McCabe searches from the main Safari history database — combined with the absence of any deleted records from that database — indicated the pages never finished loading, which is why they left traces only in BrowserState and plist files rather than in the primary history record.
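
Added example, not part of the testimony or of Cellebrite's tooling: a sketch of the kind of check behind the "no missing records" argument, assuming that "missing records" refers to gaps in sequential row IDs. The `visits` table, its columns and its rows are constructed and simplified, not the real Safari history schema.

```python
import sqlite3


def build_constructed_db():
    """Constructed, simplified stand-in for a history table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE visits ("
        "id INTEGER PRIMARY KEY AUTOINCREMENT, url TEXT, visit_time TEXT)"
    )
    rows = [  # constructed sample rows
        ("https://example.test/a", "2000-01-01 00:10:00"),
        ("https://example.test/b", "2000-01-01 00:12:30"),
        ("https://example.test/c", "2000-01-01 00:15:05"),
        ("https://example.test/d", "2000-01-01 06:20:00"),
        ("https://example.test/e", "2000-01-01 06:25:40"),
    ]
    db.executemany("INSERT INTO visits (url, visit_time) VALUES (?, ?)", rows)
    db.commit()
    return db


def missing_ids(db, table="visits"):
    """Return ids absent between 1 and the AUTOINCREMENT high-water mark.

    SQLite keeps the largest id ever issued for an AUTOINCREMENT table in
    sqlite_sequence, so a deleted *last* row is still visible as a gap,
    which comparing against MAX(id) alone would miss.
    """
    present = {r[0] for r in db.execute(f"SELECT id FROM {table}")}
    row = db.execute(
        "SELECT seq FROM sqlite_sequence WHERE name = ?", (table,)
    ).fetchone()
    high = row[0] if row else max(present, default=0)
    return [i for i in range(1, high + 1) if i not in present]


if __name__ == "__main__":
    db = build_constructed_db()
    print("intact table:", missing_ids(db))
    db.execute("DELETE FROM visits WHERE id = 3")  # a selectively deleted record
    print("after deleting id 3:", missing_ids(db))
    db.execute("DELETE FROM visits WHERE id = 5")  # deleting the newest record
    print("after deleting id 5:", missing_ids(db))
```

A gap check of this kind does not by itself address the renumbering scenario conceded on cross; that is where the cross-referencing of other artifacts described in the quotes above comes in.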