Ian Whiffin - Direct
JUDGE CANNONE: All right, you are all set. Thank you. Come down. All right, so jurors, we're going to —
MR. LALLY: Yes, your Honor. I call Mr. Ian Whiffin to the stand.
JUDGE CANNONE: Okay. And Mr. Lally, you just need to tell me when I need to give that instruction.
MR. LALLY: Yes, sir.
COURT CLERK: Step right up. Just raise your right hand please. Do you solemnly swear that the testimony you shall give to the court and the jury in the matter now pending shall be the truth, the whole truth, and nothing but the truth — so help you God? [unintelligible — Whiffin declines oath; affirmation requested] Do you solemnly affirm that the testimony you shall give to the court in the matter now hearing shall be the truth, the whole truth, and nothing but the truth?
MR. WHIFFIN: I do.
JUDGE CANNONE: Good morning.
MR. WHIFFIN: Good morning.
JUDGE CANNONE: Whenever you're ready, Mr. Lally.
MR. LALLY: Good afternoon, sir.
MR. WHIFFIN: Good afternoon.
MR. LALLY: And if it's at all helpful, that microphone before you is adjustable. You can put it in any direction you wish. Just try to keep your voice up, okay, sir?
MR. WHIFFIN: Thank you.
MR. LALLY: Now sir, could you please state your name and spell your last name for the jury?
MR. WHIFFIN: Yes. It's Ian Whiffin — W-H-I-F-F-I-N.
MR. LALLY: And what is it that you do for work, sir?
MR. WHIFFIN: I'm currently a decoding product manager at Cellebrite.
MR. LALLY: And what is Cellebrite?
MR. WHIFFIN: Cellebrite is one of the world leaders in mobile forensics software.
MR. LALLY: And when you say forensics software, can you explain to the jury a little bit about sort of what forensic software is and how it is used — specifically, your Cellebrite?
MR. WHIFFIN: Yes. So forensic software is used to gain access to people's devices — cell phones, primarily — to extract that data and to allow examiners to parse and decode that data to make sense of it in a more user-friendly way, so that a report can be created for investigators.
MR. LALLY: Now sir, if I could ask you just a few questions going back to some of your educational and prior work experience, starting sort of with your undergraduate work — where did you go to school, and what, if any, degree did you receive?
MR. WHIFFIN: Okay. I didn't get a degree. I'm originally from the UK, where I did qualifications in computing — a Higher National Certificate in Computing — and then joined the police in 2004.
MR. LALLY: And what department was that?
MR. WHIFFIN: That was response work, so South Yorkshire Police, as a response officer.
MR. LALLY: And where did you go from there?
MR. WHIFFIN: In 2009, I immigrated to Canada, where I was able to continue policing with the Calgary Police Service, where I spent approximately four or five years, again, working patrol before moving to the digital forensics team of Calgary Police.
MR. LALLY: And with respect to moving to that digital forensics team, what, if any, specialized training did you receive in regard to that area?
MR. WHIFFIN: So once I had made it into the digital forensics unit, I was sent to Ottawa for three weeks to do a foundational computer forensics course, covering all manner of digital forensics to begin with. Throughout my eight years with Calgary Police, I did constant courses each year to keep information updated, including a two-week course, again at the Canadian Police College in Ottawa, specifically about cell phone forensics — and then also during that time, additional courses for extracting data, for interpreting internet artifacts, or any other kind of information found on a phone or computer.
MR. LALLY: And following that, where did you go from there?
MR. WHIFFIN: In 2020, I left Calgary Police Service and began working at Cellebrite as the senior digital intelligence expert, where I would use my knowledge of the forensic community to assist the developers with creating and maintaining a program that examiners would want to use. And finally, about two years ago, I moved to the decoding product manager position.
MR. LALLY: And can you explain to the jury sort of what it is — what your role is — and what is it that you do for Cellebrite?
MR. WHIFFIN: Yep. So right now in the position that I'm in, again I use my knowledge of the digital forensics landscape in the community. I talk with users about their daily challenges — what applications are causing them problems, what they need to get access to, what they need to understand — and I take that information, create a priority list, and then determine with our developers what we will tackle, how we will tackle it, and how it will appear to the end user.
MR. LALLY: Now, with regard to your education in this area, what if any certifications do you have?
MR. WHIFFIN: No specific certifications. I've done the Cellebrite coursework since joining Cellebrite, but other than the — the two — sorry, the three-week course — and then again the two-week course — I don't have the SANS training or any of that kind of training certifications.
MR. LALLY: And in addition to your work with Cellebrite, what if any other areas of the field have you —
MR. WHIFFIN: Sorry, could you rephrase that?
MR. LALLY: Sure. Have you given any presentations? Have you published any work in relation to this area?
MR. WHIFFIN: Yes. So since working as an examiner, I identified that there were times that I needed to parse artifacts from applications that the main vendors didn't support. In response to that, I would do my own research. That research turned into a selection of digital forensics tools, and I created a website for myself to share that research — to share those tools with the community. And directly related to that, I have published articles related to accessing data on phones, related to SQL databases, related to various other artifacts — primarily locations.
MR. LALLY: Now, over the course of your work, have you had occasion to testify in other courts in relation to this specific field?
MR. WHIFFIN: Yes. Related to digital forensics, I've testified approximately 20 times, mainly in Canada, but also once in Michigan, once in Australia, once in the UK.
MR. LALLY: Now, as far as questions that come into your company in relation to interpretation of data — other sort of general forensic questions — what parts of the world do these questions come in from, and how widely used is your product?
MR. WHIFFIN: So the product is used globally. There are a select number of countries that we don't export to, but generally, if a police service is interested in digital forensics, then they're using at least some of our tools. We operate an email address which is open to any user, called Stumpers, and the idea is that users, if they come across an artifact that they can't explain, they can email to myself and some of my colleagues, and we can research the artifact and we can try and give them an answer as to why the artifact's there and how it should be interpreted.
MR. LALLY: You used that term there — as far as "artifact" — if you could please explain to the jury sort of what your understanding of that term is and how it's used within your specific industry.
MR. WHIFFIN: Yeah. So I would refer to an artifact as essentially any piece of data which I've recovered from the phone which is of interest. It could be a web history visit, it could be a text message, it could be a photograph — any piece of information.
MR. LALLY: Now sir, bringing your attention to September of 2023 — at some point in that month, were you contacted by the Norfolk District Attorney's Office and the State Police in regard to this case?
MR. WHIFFIN: Eventually, yes. Initially, I was contacted by a member of sbr, and —
MR. LALLY: If you know, why was that — as far as the initial contact, the initial request from sbr — can you speak about that?
MR. WHIFFIN: My understanding was there was an artifact found on a device and people were looking for an explanation as to how this particular timestamp was relevant to the case.
MR. LALLY: Now if you could explain to the jury sort of — what were you providing, and what would you be asked to look at?
MR. WHIFFIN: So the original question was just basically how can we explain this 2:27 timestamp. I spoke to my colleague and requested if he could contact the investigators, and any information that they could share about where this particular timestamp was found, so that I could investigate it. I was advised at that time that the case had already been uploaded to our own support network, so the full extraction of the device in question was already in Cellebrite's possession, and I was able to access it from there and start to examine what the issue was that was causing the confusion.
MR. LALLY: Now with reference to this issue, can you describe to the jury just in general terms sort of what this issue was?
MR. WHIFFIN: Yes. So the issue, as I was led to believe, is there was a timestamp for a web history artifact of 2:27 and 40 seconds a.m. local time — which would be UTC-5 — and it didn't make sense to the investigators, and the question was, is there any other interpretation for what this timestamp could mean?
MR. LALLY: And so essentially you were asked to explain the timestamp and how it came to be, correct?
MR. WHIFFIN: Correct.
MR. LALLY: And as far as this particular issue, has this arisen in other instances? Have you been asked the same question or similar questions in regard to this type of artifact?
MR. WHIFFIN: Yeah. Several weeks later — so probably around December time last year — I was contacted by a police investigator in Austria with a very similar question, but related to obviously a different internet search. And about a week later, the defense expert in the same case also contacted me asking the same question. The defense expert in that case was able to provide the database, and I was able to provide the answer.
MR. LALLY: Now as far as the full extraction — is that the entirety of what you looked at in this instance, or what if anything else — what were you provided with in regard to your review and your analysis in this case?
MR. WHIFFIN: So I did work with the full extraction, but my interest was focused on just the web history artifacts.
MR. LALLY: And what if anything did you find with regard to the web history artifacts?
MR. WHIFFIN: So the 2:27:40 timestamp was correct in so far as that is the time that is shown within the database. It was indeed a deleted record, but the interesting thing was why the timestamp said 2:27:40, and I did some testing on this and discovered the reason why 2:27:40 was actually listed in the database, even though that's not the time — in my opinion — that the search was conducted.
MR. LALLY: And what is your opinion as to when the search was conducted?
MR. WHIFFIN: There's plenty of other evidence on that extraction that shows what activity was occurring at 2:27:40, and there's plenty of evidence later on in the day that shows that that particular search was conducted at 6:23 — I believe, 51 seconds — and then a similar search at 6:24 and 18 seconds, I believe.
MR. LALLY: And before we get to that — Your Honor, may I approach?
JUDGE CANNONE: Yes.
MR. LALLY: Do you recognize that, sir?
MR. WHIFFIN: I do, yes.
MR. LALLY: What do you recognize that to be?
PARENTHETICAL: [Inaudible — fault acknowledged]
MR. LALLY: Mr. Whiffin, do you recognize what's up on the screen now — is it the exhibit you have before you?
MR. WHIFFIN: This was the internet history — the history.db database table showing activity from the morning of the 29th of January 2022.
MR. LALLY: Your Honor, the next exhibit — no objection? [Exhibit admitted] [Exhibit handling — inaudible]
MR. WHIFFIN: I do, yes.
MR. LALLY: And there should be a laser pointer on the desk next to you. What I'll ask you to do is — if you could, using that laser pointer — explain to the jury what we're looking at in this exhibit, and what if anything of significance you observe within this.
MR. WHIFFIN: Of course. So this was a table I created based on the data from the phone. The first column shows the local time of a record that was written to the history database. This is a database which is tracking all web pages which are loaded as you use them. The second column starts with the URL — so the uniform resource locator — so what you would type in, or how the browser knows which website you want to visit. The title is part of the website which is loaded; one of the top attributes of the website will load the title. Visit count relates to an internal counter within Safari which just tracks how many times a particular website is visited in order to make suggestions to you down the road.
MR. WHIFFIN: And then finally the last column shows the source of this information — so history.db is the name of the database, history_visits is the name of the table, and then the number is the unique identifier which is assigned to that particular record in consecutive order — every time you add a new record that number will increase by one.
MR. LALLY: Mr. Whiffin, probably a couple of foundational questions that I should have asked you first — my apologies. With respect to the cell phone extraction that you were provided, that was from an individual named Jennifer McCabe — is that correct?
MR. WHIFFIN: That's my understanding, yes.
MR. LALLY: And fair to say you don't know Jennifer McCabe — never met her, don't know anything about her?
MR. WHIFFIN: Correct.
MR. LALLY: And as far as an extraction is concerned, if you could please explain to the jury sort of what your understanding of that is — what is an extraction?
MR. WHIFFIN: An extraction — in this case, all of the files and folders had been extracted from the device, saved on a computer in a zip file container, so essentially in a way that is as close to the original from the device as possible.
MR. LALLY: And again, what is your title specifically with Cellebrite?
MR. WHIFFIN: It's decoding product manager at the moment.
MR. LALLY: And so what, if any, relation does what you do have to a Cellebrite extraction — what is the relationship between what you do and how that extraction is used?
MR. WHIFFIN: So once the extraction has been extracted and we have the zip file, then Physical Analyzer is the tool that Cellebrite creates to allow examiners to look at that extracted data in a meaningful way. And my role is somewhat shaping how examiners will see that data when they open up Physical Analyzer and look at the extracted data.
MR. LALLY: And how does your role play into that — what is it that you do, and what, if any, relationship does what you do have to do with how examiners will view something from a Cellebrite tool?
MR. WHIFFIN: Again, so after being an examiner for 10 or 11 years I've got that kind of understanding of how examiners work. Being someone who also writes my own software and does my own research, I can kind of cross that void that usually exists between developers and examiners, and help both parties try to come to a meaningful conclusion.
MR. LALLY: Miss Gilman, if you could shrink that just a little — zoom out a little. Now, again, Mr. Whiffin — and if you could using that laser pointer direct the jury's attention — what, if anything of significance, do you observe depicted in this particular exhibit?
MR. WHIFFIN: Yes. So the lower two records, which are highlighted in green — two records which occurred at 2:27:42 seconds local time, so 2 seconds after the Google search had allegedly been made, and then the second record is 5 seconds after that at 2:27:47 seconds. Both those URLs relate to a website of Hammock Sports.com.
MR. LALLY: Now, if you could explain to the jury — what is a contiguous identifier?
MR. WHIFFIN: So again, every SQLite database will assign a unique contiguous identifier number. So again, the very first record created will be given a record ID of one, the second record will be two, and so on and so forth. Those numbers are never reused — so if I was to delete record 3, that record number will never be reused and I can see that there's a gap and deleted data in that database.
MR. LALLY: And another term you used there — as far as a SQLite database — if you could explain to the jury what your understanding of that term is based on your training.
MR. WHIFFIN: Yeah, a SQLite database — essentially it's a series of tables. It's a way for data to be stored in a meaningful, organized fashion that can be queried, can be examined, can be filtered, searched, et cetera. It can be useful for anybody who wants to get data from an organized file.
MR. LALLY: Now, with reference to the searches that you observed within this particular web history — what, if any, relationship do the contiguous identifiers — sort of the range — what, if anything, did that tell you?
MR. WHIFFIN: Sorry, can you rephrase that?
MR. LALLY: What observations did you make as far as those contiguous identifiers in the range they had in relation to the web history that you observed?
MR. WHIFFIN: Okay, so within the history.db file, there were no missing numbers from the beginning of January essentially until early February. That told me as an examiner that no records had been deleted during that time.
MR. LALLY: May I approach?
JUDGE CANNONE: Yes.
MR. WHIFFIN: I do, yes.
MR. LALLY: What do you recognize that as?
MR. WHIFFIN: This is the browser state record which identified a search at 2:27:40 a.m.
MR. LALLY: May I approach again?
JUDGE CANNONE: Yes.
MR. LALLY: Okay, thank you. Can I return to the witness?
JUDGE CANNONE: Yes. May proceed? Yes, sir.
MR. LALLY: Directing your attention to the screen — is that what you have before you as the next exhibit?
MR. WHIFFIN: It is, yes.
MR. LALLY: And if you could explain to the jury, looking at it, any information you're able to sort of glean.
MR. WHIFFIN: Okay. So this is a searched item exhibit. It's technically a derivative of a different exhibit that we find on the device. So we found what we consider a web history record — so a web history record would just mean we have a URL that was visited and potentially a timestamp and a title. Searched items looks at all of the web history items that we've found and tries to identify — were these actually searches that were conducted? So for example, if you were to do a search on Google, you'd see that the website that you're taken to is google.com/query, and then it contains the query string that you've typed in. We extract that information, we extract that query, and provide it to the user as a searched item. In this case I can see that it came from the BrowserState.db file.
MR. WHIFFIN: The search query itself was "how long to die in cold," and it shows as a deleted record.
MR. LALLY: Now with respect — I think you've used a couple of different terms — as far as a KnowledgeC database, can you explain to the jury what that is?
MR. WHIFFIN: I don't recall saying "KnowledgeC," but I can explain what KnowledgeC is in this case, yes. The KnowledgeC database is at the heart of iOS — it stores lots of information about the activity on the device at any given time. Things like when the backlight's turned on, when the device is unlocked, what application is in focus at the time and how long it's in focus for. And, important to this case, which website's on screen at any given time as well.
MR. LALLY: Now, when you say "when a website is in focus" — can you expound upon that — what exactly do you mean by "in focus"?
MR. WHIFFIN: So in terms of iOS itself, when it's in focus it would be the primary item that's visible on screen. So with iOS you can have applications in the background that you aren't using, but the one that you are currently using is considered in focus, taking up the entire screen.
MR. LALLY: I believe you used the term "BrowserState.db" — is that correct?
MR. WHIFFIN: Correct.
MR. LALLY: And can you explain to the jury what your understanding of that term is and how it relates?
MR. WHIFFIN: BrowserState.db is just the name of the database — the name that Apple gave it. It's gone through some changes over the last few years. For example, in iOS 14 it did store the state of the tabs that were open within a browser. In iOS 15 there was a significant change, and the only time that records were written to the database is when the tab was closed — so a significant difference in that it doesn't show you what's currently open, it only shows you what's previously been closed.
MR. LALLY: Now, this search here — what, if anything, did you observe as far as this record in relation to the history.db?
MR. WHIFFIN: Related to the search, this record is not mentioned at all within the history.db database.
MR. LALLY: And what, if any, missing records from this time frame did you observe?
MR. WHIFFIN: There were no missing records in the history.db database within this time frame. Within the BrowserState database there were three deleted records.
MR. LALLY: When you say deleted records — as far as your self-written tool is concerned — what exactly does "deleted" mean?
MR. WHIFFIN: These are records that have been deleted — not necessarily by the user, potentially by the system — but they are considered deleted records that we're able to recover.
MR. LALLY: What are some of the ways that something might be deleted by the system — and which are you talking about, the phone or your tool?
MR. WHIFFIN: The phone. But our tool is designed as a forensic tool — it's not going to edit, delete, or affect the data in any way, just present what is in the extraction. But there are multiple times on an iOS device or an Android device where cleanup essentially happens and we start to lose data after a certain amount of time.
MR. LALLY: Now with respect — let me just ask this for a moment — with respect to Cellebrite, as far as the tools — have there been a variety of different versions of those tools as far as conducting that extraction?
MR. WHIFFIN: Yes, so Cellebrite Physical Analyzer has been available for approximately 12 to 13 years in various versions.
MR. LALLY: And what if any differences are there, in general terms, between say an old version versus a newer version?
MR. WHIFFIN: Obviously in the digital forensics landscape, whenever a provider creates a new feature we have to change our code to adapt to what they've now introduced. There can be research that's been done, so we now learn new things and we add support over time. So something can be supported in a new version of Physical Analyzer that may not have been supported or even existed in a previous version.
MR. LALLY: Now with respect to your work in this field, what if any tools have you designed and/or created to conduct this type of work, aside from Physical Analyzer?
MR. WHIFFIN: Yes.
MR. LALLY: Okay.
MR. WHIFFIN: So I have my own tool called ARTX, which I've been working on for around five years — since being an examiner myself and struggling to parse any particular application I needed. So I started to write my own tools, and that's the one I still maintain on the side in my own time, partly for my own knowledge but partly because I think it still introduces some fantastic features which aren't available in any other tool for research purposes. So yeah, I continue to write this tool to this day.
MR. LALLY: And could you just say the name — ARTX?
MR. WHIFFIN: A-R-T-X.
MR. LALLY: Thank you. Now with regard to the situation depicted in the exhibit up on the screen, what are some of the reasons why this may occur — why this may read as it does?
MR. WHIFFIN: Sorry — is it deleted?
MR. LALLY: Yes.
MR. WHIFFIN: The record itself has been deleted. As I said, through my testing I've only found two ways that that kind of record can be deleted by the user, and I don't believe either of those ways was actually utilized on this device.
MR. LALLY: And what are those two ways?
PARENTHETICAL: [sidebar]
MR. WHIFFIN: The user has the option to selectively delete history items — so you can delete either one at a time, or the entire day's content, or the last two days' content, or you can delete all content altogether. Now if all content had been deleted we wouldn't have found any information on this phone at all related to web history, so I was able to discount that one quite quickly.
MR. LALLY: And I guess alluding to what you had just said, why is it that you don't believe that either of those two methods of user deletion occurred in this context?
MR. YANNETTI: Objection. Report, please. I'm sorry — I said "section."
JUDGE CANNONE: May we approach?
MR. LALLY: Mr. Whiffin, moving on from that for a moment. May I approach the witness?
JUDGE CANNONE: Yes.
MR. LALLY: That document I've just handed you, Mr. Whiffin — you recognize that?
MR. WHIFFIN: I do, yes.
MR. LALLY: And what do you recognize that as?
MR. WHIFFIN: It's a document highlighting both the search terms that were found in the Mobile Safari plist and the method of searching.
MR. LALLY: Move to introduce.
JUDGE CANNONE: No objection? Okay, thank you. May — of course. May publish it to the jury?
MR. LALLY: Okay. Mr. Whiffin, do you recognize what's up on the screen as the next exhibit?
MR. WHIFFIN: I do, yes.
MR. LALLY: You did use a term in there — I believe "the plist." Is that correct?
MR. WHIFFIN: Correct.
MR. LALLY: Can you explain to the jury what you understand that term to mean and how it relates to what you're about to talk about?
MR. WHIFFIN: Yes. So a plist, or property list, is Apple's way of storing serialized data — that essentially means a list of data with names and values.
MR. LALLY: And so if you could, again using that laser pointer, explain what we're looking at — what if anything of significance you observed in this particular slide or table.
MR. WHIFFIN: Yeah, so again this is a table I created from the data within the Mobile Safari plist. The term shown down the left is what the user would have typed into the search bar — sorry, I keep blinding somebody — the search bar at the bottom of the Safari browser window. The UTC time is the time which is actually recorded within the plist — it's recorded as a string, so just text, as it's presented on the screen there. And then I converted that and subtracted 5 hours to bring it into local time. [unintelligible]
MR. LALLY: Now, aside from this, just for a moment — are you familiar with what's termed a private browsing mode?
MR. WHIFFIN: Yes.
MR. LALLY: And can you explain to the jury what that is and how it relates to this?
MR. WHIFFIN: Yes. So private browsing mode is a setting that you can set on iOS devices, or primarily most devices, that prevents any of your browsing activity being recorded — so it won't save the searches, it won't save the navigations. It protects everything so that it can't be found later on.
MR. LALLY: And what if any relation did that have to your analysis of the extraction in this?
MR. WHIFFIN: If these searches had been conducted while in private browsing mode, these searches would not exist within this file.
MR. LALLY: So is it your opinion that they were not conducted in any kind of private browsing mode?
MR. WHIFFIN: Correct.
MR. LALLY: Now, are you also familiar with the term "failure to load"?
MR. WHIFFIN: Yes.
MR. LALLY: Can you explain that to the jury and how that applies to visits?
MR. WHIFFIN: Yes. So obviously whenever you try to visit a web page there's a stream of information coming from the web to the device, which then renders onto the screen. At the completion of the load event, there's a function effectively which runs, and that records the visit to the history database. If for some reason the page doesn't load and it shows up with an "unable to load" message — so for example you don't have an internet connection at all — that "unable to load" will be recorded. If however the device stalls and it just sits kind of waiting to load, nothing gets written to the history database. And if you were to close the browsing window prior to the page completing its load event, nothing will be written to history.
MR. LALLY: Would that be written to somewhere else within the phone, as far as any other storage areas?
MR. WHIFFIN: Technically the only place I found would be the BrowserState.
MR. LALLY: Now with regard to the plist files — does this file save all history items, or no?
MR. WHIFFIN: Primarily it's used to save preferences, so you'd have a lot of information in there — if it's using light mode or dark mode, or when you want tabs to auto-clear — that kind of information. But it also records several days' history of searches. The actual number of days of searches I actually don't know.
MR. LALLY: And what if any relationship does that have with regard to the search bar that's located on the bottom of this table?
MR. WHIFFIN: In order for the search item to be saved to the Mobile Safari plist, you need to actually type into this particular search bar. If you were to just visit google.com and start typing into the Google search bar, it will not be recorded within the Mobile Safari plist.
MR. LALLY: And so what if anything were you able to determine about those two searches with regard to what you observed?
MR. WHIFFIN: So these particular two searches were conducted at 6:23:51 and 6:24:18 respectively. They were searched using the search bar that's built into Safari. The fact that they didn't exist within history.db and that there were no deleted records from history.db leads me to believe that they never successfully loaded.
MR. LALLY: May I approach again?
JUDGE CANNONE: Yes.
MR. LALLY: That new document that I just handed you — do you recognize that?
MR. WHIFFIN: I do, yes.
MR. LALLY: What do you recognize that as?
MR. WHIFFIN: This was the additional items from the history.db, I believe.
MR. LALLY: Mark as next. Could you bring it — [unintelligible] — you are unmuted — sure. May I return it to the witness?
JUDGE CANNONE: Yes.
MR. LALLY: I'm sorry — if you could just repeat exactly what that is as the next exhibit.
MR. WHIFFIN: Yeah, so it's a comparison between the search terms found in the plist — the Mobile Safari plist — and the search terms found within the history.db database.
MR. LALLY: So the items contained within this table are items that were contained within the extraction that you examined?
MR. WHIFFIN: Correct.
MR. LALLY: And your [unintelligible] — Mr. Whiffin, if you could again using the laser pointer, just describe to the jury what we're looking at in this table and what if anything is of significance between the two sources of information depicted.
MR. WHIFFIN: Okay. So the first list — the plist term — shows the term within the Mobile Safari plist, excluding the two that we've already mentioned which are of note. And the first timestamp column shows the timestamp according to that plist. The history item shows the search term as recorded in the history database, and then we have the timestamp as per the history database. So the purpose of this document was to show that we have a search for "reigning men" and a history item related to the Google search for "reigning men," and they show within a second of each other. Again, the next one down — [unintelligible] and basketball — and the associated Google search, and again the timestamps are within a second.
MR. WHIFFIN: This list was non-exhaustive; there were hundreds of examples within the history.db, but limited examples within the Mobile Safari plist. And as I mentioned, the two searches of interest — "how long to die in the cold" and "how long to die in the cold" — didn't exist within the history.db at all.
MR. LALLY: You can take that now, sir. If I could ask you just a little bit now about the BrowserState.db — again, can you explain to the jury sort of what that is and how, if at all, it plays a role in your analysis?
MR. WHIFFIN: Yes, so initially, pre- and including iOS 14, the BrowserState database would show all tabs that you currently had open. So as soon as I go into my browser and open a new tab, a record is created. It includes information such as the time that I opened the tab or the time I last viewed the tab, the current URL which is being displayed within that tab. It shows information whether it's in private browsing mode or not. So in that kind of case in iOS 14 and below, we're able to see current private browsing records, and subsequently recover deleted ones. But in iOS 15, things changed. The record was no longer written as soon as the tab was opened; it was only — when the tab was — sorry, the record was only created when the tab was closed.
MR. WHIFFIN: That meant that our ability to recover that kind of history was significantly lower. It means that it no longer makes use of the private browsing field, because now private browsing records are simply never written to that database. So now we can only really see a list of all of the tabs that have been closed, not which are currently open.
MR. LALLY: Now, with — sorry, with regard to the browser State DB, is there something referred to as a last view timestamp?
MR. WHIFFIN: There is, yes. That's one of the fields within the database.
MR. LALLY: And can you explain specifically, with relation to that field, sort of what kind of information is kept there and what it means?
MR. WHIFFIN: Yes, so from my research, that timestamp relates to the time that the tab took focus. So that's either when the user creates a brand new tab, when they switch between tabs and bring a tab back into focus, when they close a tab — which automatically brings one of the background tabs into focus — or if Safari has been completely closed and reopened, that essentially acts like almost a new tab, and the timestamp gets updated at that point.
MR. LALLY: Can you explain how an earlier timestamp could be associated — from, say, a tab is opened, something is done, tab is closed, tab is reopened, something else is done — how that earlier timestamp could then be associated, data-wise, with the subsequent search?
MR. WHIFFIN: I think I followed that. Okay. So, for example, at 12:00 p.m. I create a new tab. I can do a search for whatever I want, and at that point if I close the tab, then the record that gets created will show that I opened a tab at 12:00 p.m. and I did a search. Excuse me. However, if I open the same tab at 12:00 p.m., do a search, close it — like, completely close down Safari — and reopen Safari, that would actually also update the same timestamp to show that I'd opened it up again. What I meant to say is: at that point, if I create a 12:00 tab, minimize Safari, I can leave it for several hours, for several days, for several weeks — the time difference is not really important. When I come back to it and open up Safari again from a background state, the timestamp is not updated.
MR. WHIFFIN: So it will still show 12:00 p.m. today, and it will show whatever my most recent navigational event is. So I can search for something three weeks' time using the same tab I opened today, and the timestamp will show today's time.
MR. LALLY: All right, I think this is a good place to take our break.
JUDGE CANNONE: Of course. [To witness:] Ask you to stay with us, okay. [To jurors:] As the jurors file up, you can file up behind Lally for the jury. Could I see counsel regarding timing, please?
COURT OFFICER: All rise. Court stands in recess.
PARENTHETICAL: [recess]
JUDGE CANNONE: Okay, whenever you're ready, Mr. Lally.
MR. LALLY: Yes. Another document — do you recognize that?
PARENTHETICAL: [sidebar — objection(s) addressed]
JUDGE CANNONE: That will be the next exhibit. [Discussion with clerk]
MR. WHIFFIN: I do, yes.
MR. LALLY: What do you recognize that to be?
MR. WHIFFIN: This is the entire Google URL that was found on the browser State record, broken down into each of its important sections.
MR. LALLY: May I approach again, Your Honor?
JUDGE CANNONE: Yes.
MR. LALLY: Mr. Whiffin, what's up on the screen now — what you have before you as exhibit 6-- — yes. If you could again, using a laser pointer, direct the jury's attention to what we're looking at in that exhibit, and what, if anything, of significance there is between the two sources of information depicted.
MR. WHIFFIN: Okay. So the — sorry, the left side of the table is the entire URL that was recovered from the browser State record. What I've done is broken it down into each of its individual components and explained what each of those components means. So the very first row is "google.com/search" — that just tells the browser that we're going to the Google website and that we want to run a search. The second part, "q equals," is telling the browser what the query term is. So the query term here is "how long to die in cold." The little plus symbols in between are in place of a space, because spaces can't be part of a URL.
MR. WHIFFIN: Next we have the input encoding and the output encoding, which just explains what kind of characters to use and what language to use when accepting the search query and giving it back to the user. And finally, the important part is the "client equals Safari." This is something that just tells Google that this query is being done using the Safari client. Again, if I was to use Safari and just visit the Google web page and type that in, or type a search in, that part of the string wouldn't be there. That's only there because I used the Safari search bar as part of the Safari application to do that search.
MR. LALLY: Thanks, you can take that now, sir. With reference to that, what, if any, relationship does that have to the information you were discussing just prior?
MR. WHIFFIN: Quickly, again, that confirms that this search was conducted via the Safari search bar feature that's part of the Safari browser application — the same one that caused the records to be recorded in the plist.
MR. LALLY: May I approach the witness again?
JUDGE CANNONE: Yes.
MR. LALLY: Another document — do you recognize that?
MR. WHIFFIN: I do, yes.
MR. LALLY: And where do you recognize that from?
MR. WHIFFIN: This is the live records from the browser State.db database.
MR. LALLY: May I approach?
JUDGE CANNONE: Yes.
MR. LALLY: Publish to the jury, Your Honor?
JUDGE CANNONE: Yes.
MR. LALLY: And Mr. Whiffin, do you recognize what's up on the screen now — what you have before you — as exhibit 619?
MR. WHIFFIN: I do, yes.
MR. LALLY: Now, turning back to the browser State DB database for this particular device, with regards to the timestamp in the last view time, what, if anything, did you observe in reference to what's depicted in this exhibit? Could you direct the jury's attention to it?
MR. WHIFFIN: Yes. So this timestamp is the last view time according to the database itself. It's already been offset so that it's in local time. This particular table — we can see there are records missing. Between records 4025 and 4031, we have — sorry — 4026, 4027, 4028, 4029, and 4030 missing. And typically the timestamps that we do have here, some of them are separated by as little as a second or two.
MR. LALLY: Now, with reference to the "how long to die in cold" — that was record 4028, is that correct?
MR. WHIFFIN: That's correct.
MR. LALLY: And so, based on records missing from this portion of the phone as far as that database, what, if anything, did you endeavor to do with respect to ascertaining what —
MR. WHIFFIN: So, first of all, the task was to try to recover the deleted — sorry — the deleted history records from the browser State. Uh, so first of all, I was reading the deleted pages essentially to find the records that had been deleted from this current version of the page.
MR. LALLY: May I approach?
JUDGE CANNONE: Yes.
MR. LALLY: I'm showing you another document. Do you recognize that document, sir?
MR. WHIFFIN: I do, yes.
MR. LALLY: And what do you recognize that to be?
MR. WHIFFIN: Uh, this is the same data source, so it's still browser State.DB, uh, but now looking at it with the unique recovered records.
MR. LALLY: And what is that — that last term that you use — what does that mean? I'm sorry.
MR. WHIFFIN: Uh, so typically there can be lots of different versions of a page within a WAL file, so you may have several page ones, several page twos, uh, and so on. Uh, what I'm doing is recovering the data — whether uh records that I recover are different from each other. So if I recover the same record multiple times, uh, I can ignore it, but if I recover the same record with a slight change, uh, then I would show it in this view.
MR. LALLY: May I approach?
JUDGE CANNONE: Yes.
MR. LALLY: [Exhibit —] May I publish to the jury?
JUDGE CANNONE: Yes.
MR. LALLY: Mr. Whiffin, if you could, uh, direct the jury's attention — what are we looking at here, and what if anything did you uncover during this portion of your analysis?
MR. WHIFFIN: Yes. So again, the very first column on the left is the unique identifying number. Uh, you'll notice that there are some numbers here which are repeated. Uh, this is, as I said, because the records are recovered from multiple versions of the same page. Uh, there were actually 16 versions of this record, uh, across 23 different versions of this particular page. Uh, these three had some difference — primarily it was what's called the tab order field, uh, but that's the only difference that showed up across these three "how long to die in the cold" records. All the rest show the same URL, the same uh ID number at the beginning — or tab ID number — and the same timestamp. Uh, worth noting there is no title shown uh in this particular record.
MR. WHIFFIN: Again, that speaks to the fact that this page didn't successfully complete loading; otherwise there would be a title uh of "Google search how long to die in the cold," as you saw on some of the examples earlier.
MR. LALLY: Now sir, with respect to the table up here, is there any indication in regard to private browsing that you were talking about before?
MR. WHIFFIN: Uh, no. In iOS 15, as I mentioned, if you are using private browsing mode there are no records recorded in this database at all. Uh, so the fact that that's not listed in this table —
MR. LALLY: What if anything does that tell you?
MR. WHIFFIN: Uh, everything that was recorded in this database was conducted not in private browsing mode.
MR. LALLY: Now with respect to your work within your field, are you familiar with a term called "session"?
PARENTHETICAL: [pause]
MR. WHIFFIN: Yes.
MR. LALLY: And can you explain uh to the jury what you want them to understand that term to mean, and how it applies to uh to this specific instance?
MR. WHIFFIN: Uh, essentially the life of the particular tab. So when I start a tab and I start to use navigation — I go to different websites — uh, all of my navigation events would be considered part of the same uh browsing session essentially.
MR. LALLY: Now sir, if I could turn your attention to the KnowledgeC database for a moment. Uh, and again, if you could — maybe just repeating — can you explain to the jury what you understand uh that term to mean, as far as what is the KnowledgeC database in respect to the other databases you've been talking about?
MR. WHIFFIN: Yeah, so so far the bulk of what we've discussed — the history.DB, the browser State.DB, uh, and mobile safari.plist — are all particular to uh the Safari application on iOS. KnowledgeC is much more global, uh, it's much more ingrained within iOS. Uh, everything is essentially recorded in there on iOS 15. Uh, so again, backlight activity, unlock activity, application uh state activity, and web usage activity is all recorded as part of KnowledgeC.
MR. LALLY: May I approach?
JUDGE CANNONE: Yes.
MR. LALLY: Yes, and do you recognize that document, sir?
MR. WHIFFIN: I do, yes.
MR. LALLY: What do you recognize that to be?
MR. WHIFFIN: Uh, this is a document I created based on the KnowledgeC web usage records.
MR. LALLY: May I approach?
JUDGE CANNONE: Yes.
MR. LALLY: I want to move to introduce — no objection?
MR. YANNETTI: No objection.
MR. LALLY: Thank you. Thank you. Your Honor, with the court's permission, may I publish that to the jury?
JUDGE CANNONE: Yes, sir.
MR. LALLY: Again, what's up on the screen — do you recognize that as what's before you as the next exhibit?
MR. WHIFFIN: I do, yes.
MR. LALLY: And if you could — Miss Gilman, if I could ask you to scroll down to the green tabs. Okay. Now if you could, sir, uh, again using that laser pointer, if you could direct the jury's attention — well, first, can I ask you what is it that we're looking at in this exhibit?
MR. WHIFFIN: Okay. This is a particular — what's called a "stream" within KnowledgeC. Uh, a stream is basically all like information being grouped together. Uh, so in this particular case the stream is related to Safari, uh, and it's telling us what web page was visible on screen, uh, what time it started and what time it finished.
MR. WHIFFIN: [unclear sports site], and that the "how long to die in the cold" first appeared on screen at 6:23:56, and "how long to die in cold" first appeared on screen at 10:33 a.m.
MR. LALLY: Now with respect to this particular tab, there are portions that are highlighted in green and portions that are highlighted in blue — is that correct?
MR. WHIFFIN: Correct.
MR. LALLY: Can you explain to the jury what the portions highlighted in green represent?
MR. WHIFFIN: Uh, I highlighted the sections in green due to their timestamp. So typically these items last between uh 2:22:37 a.m. and 2:27:53 a.m., so around the time of the Google search, if you were to believe the browser State.
MR. LALLY: And with respect to the items highlighted in blue, what are those?
MR. WHIFFIN: Uh, the ones in blue are the actual KnowledgeC records that show when the "how long to die in the cold" uh and the "how long to die in the cold" uh web pages were actually visible on screen.
MR. WHIFFIN: [unclear sports site], YouTube, ozone basketball, uh, and that's it for the main domains.
MR. LALLY: And so from this, what if anything were you able to ascertain as to the searches or the time associated with the searches from your analysis?
MR. WHIFFIN: Uh, at 2:27:40, the only websites that were visible on screen were related to uh ozone basketball and
MR. LALLY: So those two searches — uh, from your review of this extraction — in this device — uh, never appeared on the screen prior to 6:23 in the morning?
MR. WHIFFIN: Correct.
MR. LALLY: Now from all this, what if anything were you able to conclude uh with regard to these searches?
MR. WHIFFIN: Uh, so essentially, uh, ignoring the browser State timestamp is important because that is not a reliable timestamp to show when that URL was visited. We have mobile safari.plist uh record searches that show 6:23 and 6:24, uh, and we show uh the same searches with very similar timestamps — within half a second — uh as showing up on screen in KnowledgeC. Uh, for the "how long to die in the cold," uh, and "how long to die in cold" was actually several hours later, uh, which took a little bit more uh explaining, looking at KnowledgeC and when the applications were opened up.
MR. LALLY: Now with respect to your review of the extraction of the device — around these times — were you able to uh ascertain as to what time this particular device connected to a Wi-Fi sometime after 2 a.m.?
MR. WHIFFIN: Uh, I actually didn't look at any Wi-Fi connection information.
MR. LALLY: And with respect to 2:27 in the morning — to 2:27 a.m. — what were the websites that the device had visible, and what were the websites the device was uh connected to?
MR. WHIFFIN: Uh, so according to the KnowledgeC records, uh, which were mostly also reflected with the history.DB as well, it was
MR. LALLY: Now with regard to the Wi-Fi connection, is your memory exhausted as it pertains to that?
MR. WHIFFIN: Uh, yeah, I don't remember looking at Wi-Fi history.
MR. LALLY: May I approach?
JUDGE CANNONE: Yes.
MR. LALLY: I'm showing you a copy — you got — okay. And sir, I'm sorry. In the interest of time, if I could ask you just to look at the next page as well, just briefly.
MR. WHIFFIN: [reviewing]
MR. LALLY: Your memory refreshed, sir?
MR. WHIFFIN: I do, yes.
MR. LALLY: May I approach?
JUDGE CANNONE: Yes. [garbled exchange]
MR. LALLY: So Mr. Whiffin, from your review of the extraction report — in regard to this device — Miss Read's — about what time was it connected to a Wi-Fi network called M——?
MR. WHIFFIN: Uh, I believe it was 02:07. I didn't actually remember the timestamp just then.
MR. LALLY: And uh with respect to the disconnection from that — do you know when that was?
MR. WHIFFIN: I can't recall.
MR. LALLY: [reading] If you can just indicate to the jury as far as the Wi-Fi connections — the Wi-Fi was connected at 02:12, uh, and disconnected at
MR. WHIFFIN: 05:39. There was no further Wi-Fi activity until 11:00 a.m.
MR. LALLY: Approach?
JUDGE CANNONE: Yes. Retrieve your report.
MR. LALLY: Now, sir, are you familiar with something called a write-ahead log, or a WAL file?
MR. WHIFFIN: I am, yes.
MR. LALLY: And if you could explain to the jury what your understanding of that term is, and how it applies in this specific case.
MR. WHIFFIN: Yes. So a write-ahead log is essentially a temporary store for database pages. When I'm talking about database pages, it's not something that the user ever sees — it's part of the structure of an SQLite database. Just as chapters in a book can span multiple pages, data in a database can span multiple pages also, and it's not necessarily in the expected order. It's up to the database application to find those pages and order them correctly in order to display the data to the user. The WAL file, on the other hand, still contains pages, but they're organized in frames, essentially. A frame is the same as a page but with additional information at the top that identifies what page it is. So I mentioned earlier that it's possible to have multiple versions of the same page within the WAL file.
MR. WHIFFIN: That's because every time I write a record to the database, a new frame is created and the page is updated. So, for example, if I was to have a new database, create a record, a new frame is created with page one, and it adds my record. As soon as I add a second record to that database, a new frame is created again, so I now have frame one and frame two. Both of those frames would contain a version of page one. The first frame would contain only record one; the second frame would contain records one and two, and so on. Forensically, where it gets interesting is on the edit or deletion of a record, because the same process is applied.
MR. WHIFFIN: So now a new frame is created, the page number is the same as previously — so we'd still have page one — but now only the records that I don't want to delete are copied across. So I could end up in a situation where I have four versions of page one: one has record one; one has records one and two; one has records one, two, and three; but the most recent version of the page only has records one and three, for example. Now, a normal piece of database software will only look for the most recent version of the page, so you would only see records one and three. The forensic software can look at all previous versions of the page as well, and that's how we're able to recover record two in that instance. And that's essentially how we were able to recover the browser State record from WAL.
MR. LALLY: So turning to that issue — as far as deletion, what if anything — well, let me ask you this first, just before we leave the WAL file. With regard to the WAL file, what if any relevance is there that certain data only exists within the WAL?
MR. WHIFFIN: So again, if I create a record that's in the WAL and delete it before it gets committed — which means before it gets merged into the main database — then it exists only in the WAL. It could be that it's a brand-new record that just hasn't been written yet, or it could be one which was deleted from the database prior to the commit occurring.
MR. LALLY: When you say "commit," what exactly does that mean?
MR. WHIFFIN: A commit is a process where essentially the database looks at all of the most recent versions of each page in the WAL file, copies them out from WAL, and puts them into the main database, and then deletes the WAL file altogether. So at that point we lose the ability to recover data from WAL, because the WAL doesn't exist — but we have all the most recent versions of the page.
MR. LALLY: Now, turning to the topic of deletion of data — what if anything did you find with regard to deletion of data with respect to this search, as it applies to the plist that you discussed before?
MR. WHIFFIN: Recovering data that's been deleted from plist is not really possible, so all we can say is if this record exists within the plist, it hasn't been deleted.
MR. LALLY: Same question with regard to issues of deleted data with regard to the history.DB.
MR. WHIFFIN: There was no evidence of any records being deleted from history.DB since early January — I think it was like the 3rd of January — up to February 2nd.
MR. LALLY: And how are you able to tell that?
MR. WHIFFIN: With regard to the history.DB, again, every record is given a unique number, and there'd be a gap in that numbering system if a record had been deleted. The fact that there were no gaps indicates that nothing had been deleted.
MR. LALLY: And with regard to deletion, what if anything were you able to ascertain with regard to deletion versus web usage in the KnowledgeC database?
MR. WHIFFIN: KnowledgeC contains such a large amount of different types of data that's always being added and deleted for various reasons — not at the discretion of the user; it's a completely system-driven event to delete information from KnowledgeC. So we can't say what was deleted from KnowledgeC, but we can see that during the times of Safari usage, records exist within KnowledgeC that indicate — or certainly appear to indicate — that nothing was deleted.
MR. LALLY: What if anything were you able to find with regard to deletion in respect to the browser State.DB data?
MR. WHIFFIN: Browser State.DB did have numerous records that have been deleted. Some we were able to recover — three records from browser State, all with a timestamp very similar to 2:27:40. These were three records that had been deleted at some point.
MR. LALLY: What are some of the options for deleting data from that particular — from the browser State.DB?
MR. WHIFFIN: So the first, most prominent option is to delete absolutely everything from the device, or delete all history from the device — which, as I mentioned earlier, we know that didn't happen because we still have other records. So the only other real option is to delete selectively. That could mean delete one at a time, and it could mean delete either the full day, the last two days, or the last hour. But in all of those cases, the record must exist in history.DB in order to be deleted from browser State. The fact that this record — that the "how long to die in the cold" searches — don't exist within the history database would mean that the user would never have the option to selectively delete that record.
MR. LALLY: May I approach?
JUDGE CANNONE: Yes.
MR. LALLY: I have a document. Do you recognize that, sir?
MR. WHIFFIN: I do, yes.
MR. LALLY: What do you recognize that to be?
MR. WHIFFIN: So this is a list of the browser State.DB records, showing a red line where a record or more have been deleted.
MR. LALLY: And again, the term "deleted" as far as it applies to this particular area of the database — what exactly does that mean?
MR. WHIFFIN: Again, it means the record has been marked as deleted. If you were to read this database in a regular database application, you would not see it, but it doesn't necessarily mean that we can't recover it.
MR. LALLY: May I approach?
JUDGE CANNONE: Yes.
MR. LALLY: I'd like to introduce the next exhibit.
MR. JACKSON: I have no objection to the exhibit.
JUDGE CANNONE: That was the question. We're good.
MR. LALLY: May we publish Exhibit 622 to the jury?
JUDGE CANNONE: Yes.
MR. LALLY: Again, sir, what's up on the screen — is that what you have before you as Exhibit 622?
MR. WHIFFIN: Yes.
MR. LALLY: And if you could, please, using the laser pointer, direct the jury's attention to what, if anything, of significance to observe in this.
MR. WHIFFIN: So again, we can use the number down the left side, which will identify the unique identifier given to each of these records. And we can see that the red line between the first two records indicates that records between 3,986 and 3,993 have been deleted. We can see that record 4,001 is deleted. Records between 4,004 and 4,019 had been deleted. Record 4,020 was deleted. And then finally, records between 4,025 and 4,031 had been deleted also.
MR. LALLY: Now, sir, as far as records 4,024 and 4,025, what if anything were you able to ascertain as far as the dates and times associated with those?
MR. WHIFFIN: So these particular records show up at 2:27:31 and 2:27:33 respectively. And this matched records within KnowledgeC that showed that at this particular time, when the tab took focus, that particular website was also shown visible to the user in Safari.
MR. LALLY: Now, as far as the date and time for 4,024 and 4,025, what if anything did you observe with respect to the date and time for 4,026, and what can you tell about that?
MR. WHIFFIN: Sorry — 4,026 was approximately a second or two after the record here, 2:27:33. I believe it was at 2:27:35. And then again there was another record, 4,027, which again was another two or three seconds after that time. So within a nine-second period between 2:27:31 and 2:27:40, there were four — sorry, five — records within browser State.DB that had a timestamp within that nine seconds, all with completely different types of website, ranging from PayPal, banking, YouTube, and "how long to die in the cold."
MR. LALLY: Now, sir, with respect to — are you familiar with the term called... spontaneous deletion?
MR. WHIFFIN: I believe so.
MR. LALLY: And can you explain to the jury what that is?
MR. WHIFFIN: It's not a term that I would use, but essentially a cleanup operation would occur on the device where it would look for orphan records — records that are old enough to not be required anymore — and they would just be deleted by the system without any direction from the user.
MR. LALLY: Now, during the testing that occurred — your testing which occurred with respect to this device — what if anything did you observe with regard to spontaneous deletion?
MR. WHIFFIN: I wasn't able to replicate the spontaneous deletion. I was able to replicate completely orphaned records — a record that existed in browser State without a corresponding record in history.db — and it meant that there was no way for me to delete that record manually without deleting everything from the device regarding history.
MR. LALLY: May I approach?
JUDGE CANNONE: Yes.
MR. LALLY: Could you turn the lights on please, Tony? Thank you.
JUDGE CANNONE: All right, so you're introducing those four pages — or whatever it is — Mr. Lally?
MR. LALLY: Yes, sir. As one exhibit — or as the next four exhibits.
JUDGE CANNONE: Okay. All right, so those will be admitted. Were you going to publish those? Because you can go ahead and publish them while this—
MR. LALLY: I — I don't think that's — yeah, yeah, great. Just one moment.
JUDGE CANNONE: Sure.
MR. LALLY: If I can take them just one by one, I think that might be okay. Do you recognize that?
MR. WHIFFIN: I do. Yes.
MR. LALLY: What do you recognize that to be?
MR. WHIFFIN: This is a report from my ARTX tool showing the history database at 2:39:34 on the 27th of January and 2:25:59 on the 27th of January.
MR. LALLY: Yes. All right, so all four in? Okay. So you don't need to — you already marked — have you not? Okay. Exhibit 623. I have one. Your Honor, with the Court's permission, may we publish that to the jury?
JUDGE CANNONE: Yes.
MR. LALLY: Now, sir, with regard to this — we're looking at record number 4026, is that correct?
MR. WHIFFIN: Yes, I believe we are.
MR. LALLY: And if you could direct the jury's attention to what exactly we are looking at in this exhibit with regard to record 4026.
MR. WHIFFIN: Yeah, so in the right column we see the source of the information — so history.db is the database, history_unordered_visits would be the table — and then the unique identifying number of 31407 and 31408. We see that the start time, or the time that that particular website was navigated to according to history.db, was — as I say — both on the 27th of January: one at 21:39:34 local time and one at 22:55:09 local time. And both of these websites are related to Hawk and Mock Sports. We have the URL at the top, followed by the title of the page, followed by a visit count that tells us how many times that page has been visited before.
MR. LALLY: Yes. That next document — do you recognize that, sir?
MR. WHIFFIN: I do, yes.
MR. LALLY: What do you recognize that to be?
MR. WHIFFIN: This is the same kind of report. This is related to the YouTube record that was part of the browser State database, related to "It's Raining Men" on YouTube.
MR. LALLY: Is that record number 4027 — is that correct?
MR. WHIFFIN: It is, yes.
MR. LALLY: May I approach again?
JUDGE CANNONE: Yes.
MR. LALLY: Exhibit 624. Can you be very brief? And, sir, what's up on the screen — now, is that what you have before you as the next exhibit?
MR. WHIFFIN: It is, yes.
MR. LALLY: And again, if you could, using the laser pointer, just direct the jury's attention to what if anything of significance you observe in this record of 4027.
MR. WHIFFIN: Yeah, so again we have five records related to the YouTube video "It's Raining Men," starting at record 31398, 31399, 31400, 31401, and 31402. These were all accessed on the afternoon of the 27th of January 2022.
MR. LALLY: May I approach again?
JUDGE CANNONE: Yes.
MR. LALLY: Another document — do you recognize that?
MR. WHIFFIN: I do.
MR. LALLY: What do you recognize that to be?
MR. WHIFFIN: This is the same again, related to record 4029. It shows that a website was visited on the 28th of January 2022.
JUDGE CANNONE: You ask this be marked?
MR. LALLY: Excuse me — your Honor, with the Court's permission, may we publish that?
JUDGE CANNONE: Yes.
MR. LALLY: Well, sir, what's up on the screen — is that what you have before you as the next exhibit, in regard to record 4029?
MR. WHIFFIN: It is, yes.
MR. LALLY: And again, if you could explain to the jury what we're looking at.
MR. WHIFFIN: Yeah, so this URL — canton-ma.org — relates to the URL that was provided in record 4029 of the browser State database. It shows that this web page was accessed at 1:17:00 p.m. and 1:17:08 p.m. on the 28th of January 2022.
MR. LALLY: May I approach again?
JUDGE CANNONE: Yes.
MR. LALLY: Another document — do you recognize that?
MR. WHIFFIN: I do.
MR. LALLY: What do you recognize that to be?
MR. WHIFFIN: Again, the same kind of report — this time for record 4030 from browser State — and it shows access to Ozone basketball.
MR. LALLY: And with regard to that report — as far as the same kind of report — that's from your tool, the ARTX tool, is that correct?
MR. WHIFFIN: Correct.
MR. LALLY: And that ARTX tool — is that a widely available tool used within the field of forensic investigators?
MR. WHIFFIN: Yeah, it's something that I'd say I've worked on for around five years. I've given it away free to the digital forensics community for five years. There's approximately 600 users globally, and it's taught as part of the SANS digital forensics training courses.
MR. LALLY: May I approach again — just to retrieve?
JUDGE CANNONE: Yes. Thank you.
MR. LALLY: Pull it up on the screen — record 4030. Again, if you just direct the jury's attention to what if anything of significance you observe.
MR. WHIFFIN: Yeah, so again we have records from the history database related to Ozone basketball, and it shows that this website was accessed at 11:26 a.m. on the 25th of January 2022.
MR. LALLY: May I approach?
JUDGE CANNONE: Yes.
MR. LALLY: Now, with respect to the totality of your analysis, Mr. Whiffin — what if any conclusions did you come to as to the timing of the two searches in question, with relation to what you observed in your analysis and testing of this device?
MR. WHIFFIN: Yes. So in conclusion, I determined that the tab that was used was focused at 2:27:40 — so the tab was opened at that time — at which point it was being used to show Ozone basketball and Hawk and Mock Sports websites. The Exhibit 623 timestamp is when the search was first conducted — the page never loaded, otherwise there'd be a record in the history database. And while that page was still loading, a second search was conducted for "how long to die in the cold." Again, that page never loaded either, although these both did show up in the KnowledgeC database to show that the browser was trying to display these pages. Safari was closed prior to the "how long to die in the cold" record being shown on screen at all.
MR. WHIFFIN: But when it was reopened at 10:33 — in regard to whatever other Safari activity was to be conducted — it appeared on screen. So we have a 10:33 a.m. record where "how long to die in the cold" was shown on screen, even though the page never successfully loaded.
MR. LALLY: And with respect to your analysis and your testing here — what if any opinion do you have as to whether or not any of the data marked as deleted was actually user-deleted — or that a user actually actively went through the process of deleting the data?
MR. WHIFFIN: Yeah, so again — we know that she didn't, we know that nobody deleted the entire history — so that leaves the only option to be selectively deleting records. The fact that there are no missing records in history.db shows that it's impossible that that record could have been deleted by the user. It would have just been orphaned in the database, and I believe would have deleted itself at some stage whenever a particular cleanup function ran — although, as I said earlier, I haven't been able to replicate that. I was able to continue to read the various versions of the page that contained "how long to die in the cold" — the browser State record — and found that it existed at the same time as another record that was created at least two days later.
MR. WHIFFIN: Therefore, I can determine that that particular record was not deleted until at the earliest 10 p.m. on the 31st of January. And it's not possible that the user could have created or caused that deletion to occur.
MR. LALLY: Now, over the course of your analysis and testing — a review of the extraction in this case — did you have occasion to review an affidavit of a Mr. Richard Green?
MR. WHIFFIN: I did, yes.
MR. LALLY: And what if any opinions or conclusions did you have as to that affidavit?
MR. WHIFFIN: I had issues with several of the statements being made as part of the affidavit.
MR. LALLY: And what issues were those?
MR. WHIFFIN: Namely, it specified that the Cellebrite report identified that the search was conducted at 2:27:40 — and as I've explained, I believe the tab took focus at 2:27:40, not when the search occurred. The report mentioned that the Cellebrite report identified it was deleted by the user — we don't do that. We'll tell you that a record is deleted, but we don't specify how the record was deleted; that's something for the examiner to determine. I forget — oh, and then there was a mention of the purpose of the browser State database. The explanation given was correct for iOS 14 and below, but not for 15 and above, which is relevant in this case.
MR. LALLY: Now, with regard to this issue coming up obviously in this case — and some other instances, calls or inquiries that you receive from attorneys in other places — what if anything has your company, Cellebrite, done with regard to rectifying this issue?
JUDGE CANNONE: Well, I'll allow it.
MR. WHIFFIN: Okay. We recognize that this timestamp could be misleading — regardless of how we label that timestamp, the very fact that a timestamp is there, we feel, would be potentially misrepresented — so the decision was taken to remove the timestamp altogether from that information. So now we show the web page was visited but we don't attribute a time to that, purely because it could be wildly inaccurate.
MR. LALLY: Thank you, Your Honor. This may be the appropriate time for the instruction.
JUDGE CANNONE: Okay. All right. So jurors, we're about to see a demonstration by Mr. Whiffin. It's simply a demonstration to help you to understand the evidence that you've heard. It's not evidence from this case, but it helps you understand the evidence in this case. You must decide this case based solely on a fair consideration of the evidence and nothing but the evidence. But this is a demonstration to help you understand that evidence. Rights are preserved?
MR. LALLY: Correct.
MR. WHIFFIN: Yes. Thank you.
MR. LALLY: And so to that point, Mr. Whiffin, were you able to prepare a demonstration in regard to what you've been discussing through the course of your testimony?
MR. WHIFFIN: I was, yes.
MR. LALLY: And that demonstration doesn't specifically reflect on the searches or the extraction report that you looked at in this case, correct?
MR. WHIFFIN: Correct.
MR. LALLY: But as far as the overall issues that you've been discussing in your testimony, correct?
MR. WHIFFIN: That's correct.
MR. LALLY: And with the court's permission, may the witness now illustrate that to the jury?
JUDGE CANNONE: Yes. Okay.
MR. WHIFFIN: So first of all, on the left there you can see a screen of an iPhone, and that is a phone I have in front of me live. It's just demonstrating what I can see on the phone. This is my ARTX tool, and the feature which I continuously use this tool for — which is not available really in any other vendor tools — is the ability to create a live connection between my computer and the phone. The live connection is what I've just started here, and what's going to happen is all of the files and folders that exist on the phone will be mapped to my computer so that I can navigate it. I can look around and I can take a look at live — near enough live — records on the device.
MR. WHIFFIN: Prior to the availability of this tool I would have to test a theory on a phone, do an extraction, and then parse the extraction, which could take anywhere between 20 minutes and several hours. The reason that I'm using this tool today is because I can do those same tests within 10 or 20 seconds typically. So I just need to wait for this section to do so. It's already mapped out all the files and folders. It's now asking for a few important pieces of information which it will then populate on the screen. So information such as the device serial number, et cetera. What we're interested in though is the browser state record. So I can go to the browser state database and take a look at that and open that up.
MR. WHIFFIN: And you can see that at this moment in time I have no records in the database at all. If I go back into the live view of the phone, you can see I have Safari open from last night, so it's been sat in the background overnight and not doing anything. But at 10:08 last night I performed this search in a brand new window. So started Safari, opened up a new tab, immediately searched for "new tab" at 20:10 on the 16th of June. If I now search for the time right now — 14:42 — what I can do is go back to my ARTX tool and press this reload button. That's going to delete the database from my computer only and copy the most recent copy of the database and WAL file from my phone back to my computer, where it shows me I still have no records.
MR. WHIFFIN: That's expected behavior, because at the moment I've not closed the — so if this again was iOS 14 there would be a record there to say what tab I had open, but iOS 15 doesn't work that way. If I now go back to my tabs and actually just close this window, I can go back into ARTX and hit reload again, and we now see we have some records. I can look at this particular record and you'll see the title is "1442 Google search." You'll see the Google search record here. So I just need to change the time zone as well to Eastern time. So you see it's the most recent search which I conducted, the 14:42 search. The last viewed time though still shows as 8:10 p.m. last night, because that's the time that the tab was focused, not the time that the search was conducted.
MR. LALLY: May I have a moment, Your Honor?
JUDGE CANNONE: Yes.
MR. LALLY: Thank you, sir. I have no further questions.
JUDGE CANNONE: Okay, Mr. Yannetti.