Trial 1 Transcript Ian Whiffin
Trial 1 / Day 26 / June 17, 2024
6 pages · 3 witnesses · 2,219 lines
Joseph Paul's collision reconstruction testimony concludes amid ongoing methodology challenges, while Cellebrite expert Ian Whiffin places Jennifer McCabe's Google search at 6:23 a.m. and digital forensics trooper Nicholas Guarino rebuts the defense deletion theory before introducing Karen Read's final texts to O'Keefe.
1 5:56:31

MR. YANNETTI: Good afternoon, Mr. Whiffin.

2 5:56:35

MR. WHIFFIN: Good afternoon.

3 5:56:37

MR. YANNETTI: You had spoken a little bit about — what was your assignment here in terms of the data that was sent to you? And I believe that you testified regarding that 2:27 a.m. — or 2:27 and 42 seconds a.m. — timestamp, that it didn't make sense to the investigators, correct?

4 5:57:31

MR. WHIFFIN: Correct.

5 5:57:31

MR. YANNETTI: Were you told that one of the investigators was Trooper Michael Proctor?

6 5:57:36

MR. WHIFFIN: I don't recall any names being mentioned. The request came to me via another Cellebrite employee who had been asked about this case and asked whether we could offer any help.

7 5:57:48

MR. YANNETTI: Okay, thank you. You would agree with me that when you're making or doing a simulation, you want it to be as close to an apples-to-apples comparison as you can get, as best possible, yes?

8 5:58:02
9 5:58:02

MR. YANNETTI: And to get truly accurate research results you want to eliminate as many variables as you can, correct?

10 5:58:09

MR. WHIFFIN: Correct.

11 5:58:09

MR. YANNETTI: You wouldn't, for instance, want to use an Android operating system to try to replicate the activity from Jennifer McCabe's Apple iPhone, correct?

12 5:58:19

MR. WHIFFIN: Correct.

13 5:58:19

MR. YANNETTI: What version of iOS did you use for your testing of Jennifer McCabe's data?

14 5:58:27

MR. WHIFFIN: So this test has been undertaken on various different versions of iOS, from iOS 12, 13, 14, 15, 16, 17, and most recently on the beta version of 18 last week. This particular demonstration was on 15.8.2.

15 5:58:46

MR. YANNETTI: Okay, and you're aware that you said 15.8.2, correct?

16 5:58:51

MR. WHIFFIN: I've also tested on 15.7.

17 5:58:54

MR. YANNETTI: Oh, fair enough. You're aware, however, that McCabe was using iOS version 15.2.2, correct?

18 5:59:01

MR. WHIFFIN: Correct.

19 5:59:02

MR. YANNETTI: And you would agree that the way that an artifact is stored would depend on the iOS version that you use, correct?

20 5:59:14

MR. WHIFFIN: Correct.

21 5:59:14

MR. YANNETTI: And your simulation did not use the iOS version that Miss McCabe was running on her iPhone, correct?

22 5:59:23

MR. WHIFFIN: Correct. I used the closest version I could find.

23 5:59:28

MR. YANNETTI: So I'd like to ask you some questions about the characteristics of BrowserState.db-wal and record number 4028. If I — okay — that record number, I believe you testified, was found to be deleted, correct?

24 5:59:47

MR. WHIFFIN: Correct.

25 5:59:47

MR. YANNETTI: But you were able to recover the date and time associated with it, correct?

26 5:59:55

MR. WHIFFIN: The date and time of the last viewed of that, yes.

27 6:00:00

MR. YANNETTI: And what was that date and time?

28 6:00:04

MR. WHIFFIN: 2:27:40 seconds a.m.

29 6:00:06

MR. YANNETTI: You were also able to recover the content of that particular Google search itself?

30 6:00:11

MR. WHIFFIN: I was able to recover the URL for it, yes.

31 6:00:16

MR. YANNETTI: Okay, and what was that Google search?

32 6:00:18

MR. WHIFFIN: "How long to die in the cold."

33 6:00:21

MR. YANNETTI: And it's true, however, that the session history could not be recovered, correct?

34 6:00:27

MR. WHIFFIN: That's correct.

35 6:00:28

MR. YANNETTI: Now, given those characteristics that you've just discussed, did your testing result in a WAL file record — a WAL file record — that matched the characteristics of 4028? In other words, deleted, with session history not recoverable?

36 6:00:44

MR. WHIFFIN: The issue with the session history — I was able to recover only the first page of session history. What happens is when there's a large amount of data that's split over multiple pages, if it's a live record, all those pages point to each other so that you can chain it together and get one large amount of information. Once they've been deleted, some of those pages can be overwritten and therefore the pointers don't make sense anymore. So the amount of information in this session was way larger than one page and I wasn't able to recover anything further.

37 6:01:26

MR. YANNETTI: Okay. And you'd agree that the simulation was done using a different operating system, correct?

38 6:01:32

MR. WHIFFIN: Correct.

39 6:01:33

MR. YANNETTI: Were you able to recreate the other deletions that appeared before and after that record 4028?

40 6:01:39

MR. WHIFFIN: Which deletion, sorry?

41 6:01:40

MR. YANNETTI: Well, you had testified — I believe there was an exhibit that was introduced — that showed that there were multiple deletions both before and after, correct?

42 6:01:50

MR. WHIFFIN: Correct.

43 6:01:50

MR. YANNETTI: Were you able to recreate those deletions?

44 6:01:53

MR. WHIFFIN: When I manually deleted records from the history, then the records also were deleted from the browser state.

45 6:02:00

MR. YANNETTI: Now, I believe that you testified — and if you didn't, I believe it's in your report — that there are essentially five mechanisms for record deletions in the browser state database, correct?

46 6:02:12

MR. WHIFFIN: Correct.

47 6:02:13

MR. YANNETTI: You ruled out four of them pretty quickly, correct?

48 6:02:16

MR. WHIFFIN: Correct.

49 6:02:17

MR. YANNETTI: And I believe you've testified to that today, correct?

50 6:02:20

MR. WHIFFIN: Correct.

51 6:02:20

MR. YANNETTI: The only remaining option was selective deletion by a user, or there's some internal mechanism for record deletion that is not fully understood, correct?

52 6:02:29

MR. WHIFFIN: Correct.

53 6:02:29

MR. YANNETTI: All right. And you know — as you testify today — you know of no internal mechanism for record deletion that is not fully understood, correct?

54 6:02:38

MR. WHIFFIN: I've not been able to replicate that function, no.

55 6:02:42

MR. YANNETTI: All right. If there is no unknown internal mechanism for record deletion that is not fully understood, that would leave selective deletion by a user, correct?

56 6:02:51

MR. WHIFFIN: Not in this case, no.

57 6:02:53

MR. YANNETTI: All right. Well, selective deletion — you would agree — means that a user selects what to delete, correct?

58 6:03:00

MR. WHIFFIN: Correct.

59 6:03:00

MR. YANNETTI: And regarding the — the user — the term "user," what is that? Who is that?

60 6:03:07

MR. WHIFFIN: Whoever is using the phone at the time.

61 6:03:11

MR. YANNETTI: Okay, so it's actually somebody who is using the actual iPhone itself, correct?

62 6:03:17

MR. WHIFFIN: Correct.

63 6:03:17

MR. YANNETTI: Not necessarily a computer expert, correct?

64 6:03:20

MR. WHIFFIN: Correct.

65 6:03:21

MR. YANNETTI: Would you agree with me that somebody who had access to the data before it was extracted and sent to you could have made selective deletions of the data?

66 6:03:34

MR. LALLY: Objection.

67 6:03:34

JUDGE CANNONE: Overruled.

68 6:03:35

MR. WHIFFIN: No, I don't.

69 6:03:36

MR. YANNETTI: Are you aware of an app called MySQL?

70 6:03:40
71 6:03:40

MR. YANNETTI: What is MySQL?

72 6:03:42

MR. WHIFFIN: MySQL is just a method for viewing SQLite databases.

73 6:03:46

MR. YANNETTI: All right. If someone had access to the raw data again — before it was sent to you, and using that app, they could make selective deletions of the data, couldn't they?

74 6:04:01

MR. WHIFFIN: I assume you're talking about opening up the extraction, and taking out the particular file and editing it—

75 6:04:07

MR. YANNETTI: I'm sorry, I interrupted you. You're right. I apologize. And I apologize to you. If you could restate your answer, or give me your full answer.

76 6:04:17

MR. WHIFFIN: Okay. So it would be possible with the extraction to take out particular databases, alter them, and put them back into the extraction, but something called a hash mechanism that we have in place — that would essentially hash the original data, and then it can be hashed again at a later date. It results in a long string of characters, and if there's any changes to the original data, then we'd see that it's been modified.

77 6:04:46

MR. YANNETTI: Would you agree with me that someone with access to that data and an appropriate application or program could also delete and renumber history.db and knowledge.db so that it would appear as though there was no break in the numbering, so that it would also appear that nothing was deleted?

78 6:05:27

MR. WHIFFIN: It's potentially possible, but would require a large amount of knowledge and skill to do in a way that can't be detected.

79 6:05:45

MR. YANNETTI: Thank you very much, sir.

80 6:05:50

MR. LALLY: Any discrepancy between the iOS version and JM's phone — in the iOS version in the demonstration that you did — what if any impact does that have on what you showed this jury?

81 6:05:59

MR. WHIFFIN: So in this particular case, every iOS version I tested — as I mentioned, from 12, 13, 14, 15, 16, 17, and 18 — the timestamp is always referring to the time that the tab took focus. So even though there are some differences with when the record's created, the meaning behind that timestamp has been consistent.

82 6:06:14

MR. LALLY: Now, what you were asked about in regard to selective deletion — you indicated that there was no evidence of that in this case. Is that correct?

83 6:06:21

MR. WHIFFIN: Correct. Selective deletion would require that the record existed in the history database in order to be selected to be deleted. The fact that there's no missing records indicates it was never written into that database, and therefore could not have been selectively deleted.

84 6:06:33

MR. LALLY: Now, the hash mechanism that you testified to — as far as detecting whether or not someone had seriously gone in and deleted things, did you see any evidence of that in your review of the extraction?

85 6:06:46

MR. WHIFFIN: I didn't have access to the hash information to see whether any changes have been made. That's something that the original examiner would have had access to. From my point of view, there was nothing in there that would indicate that tampering had occurred. The timestamps all made sense for the files. The historical pages all made sense. I say it's probably possible, but it would take a large amount of skill to do.

86 6:07:12

MR. LALLY: Now with regard to your analysis and your testing in this case, again, what is your opinion or conclusion as to when these two Google searches were conducted?

87 6:07:38

MR. WHIFFIN: I'm of no doubt that the only time those two searches were conducted was at 6:23 and 6:24 on the morning of the 29th.

88 6:08:00

MR. LALLY: Thank you, sir. Nothing further, Your Honor.

89 6:08:07

MR. YANNETTI: Prior to today, have you ever heard of spontaneous deletion?

90 6:08:16

MR. WHIFFIN: It's not a term that I'm familiar with.

91 6:08:24

JUDGE CANNONE: All right, sir, you are all set. Thank you very much.

92 6:08:34

JUDGE CANNONE: Do you need a couple of minutes?

93 6:08:41

MR. WHIFFIN: I can probably be quite fast. Thank you.