Commonwealth v. Read — Trial ArchiveNicholas Guarino - Direct (Part 1)
407 linesJUDGE CANNONE: All right, Mr. Lally, your next witness please.
MR. LALLY: Yes. The Commonwealth calls Trooper Nicholas Guarino to the stand.
COURT CLERK: Do you swear to tell the truth, the whole truth, and nothing but the truth, so help you God?
MR. GUARINO: Yes, sir. Thank you.
MR. LALLY: Okay. Good afternoon.
MR. GUARINO: Good afternoon, sir.
MR. LALLY: Could you please state your name and spell your last name for the jury?
MR. GUARINO: Yep. Nicholas Guarino. G-A-R-I-N-O.
MR. LALLY: And how are you employed, sir?
MR. GUARINO: I work for the Massachusetts State Police.
MR. LALLY: And how long have you been a member of the Massachusetts—
MR. GUARINO: This is my ninth year now.
MR. LALLY: Now, prior to working with the state police, what if any prior experience did you have in the field of law enforcement?
MR. GUARINO: I was a local police officer in Norwood for almost 11 years.
MR. LALLY: Now with respect to your role within the state police, where is it that you work now?
MR. GUARINO: I currently work at the Norfolk District Attorney's office.
MR. LALLY: And within the detective unit, is that correct?
MR. GUARINO: Yes, that's correct.
MR. LALLY: And with respect to that, what if any specialized role do you have within the detective unit attached to the Norfolk DA?
MR. GUARINO: I conduct cell phone forensics, computer forensics, and I also do sexual assault investigations.
MR. LALLY: Now with regards to the electronic forensics, what if any specialized training have you received in that particular area?
MR. GUARINO: I have about 300 or so hours — Cellebrite CCO, CCPA — cell phone repair forensics, Berla motor vehicle forensics, Magnet AXIOM cell phone computer forensics, X-Ways — these are all different programs used for cell phone and computer forensics, sir.
MR. LALLY: At some point, did you become involved in the investigation involving the defendant Karen?
MR. GUARINO: Yes.
MR. LALLY: And with respect to that — let me just ask it — at some point did you become aware of an affidavit from a defense expert named Richard Green?
MR. GUARINO: Yes, I have.
MR. LALLY: And sometime following that, did you have occasion to reach out to Cellebrite with regard to what had been posited by Mr. Green as in regard to two Google searches contained within Jennifer McCabe's phone?
MR. GUARINO: Yes, I did.
MR. LALLY: And eventually, at some point, did you have occasion to speak with the gentleman who came in right before you, Mr. Whiffin?
MR. GUARINO: Yes, I did.
MR. LALLY: And so that wasn't Trooper Proctor that reached out to Mr. Whiffin, or had any communication that you're aware of with Mr. Whiffin?
MR. GUARINO: Correct. No, that was me. I reached out after the defense expert's findings were released, and I read his report.
MR. LALLY: And did you also have occasion to review a report from Jessica Hyde?
MR. GUARINO: Yes, I did.
MR. LALLY: And with respect to those two reports, what if any conclusions or opinions did you come to independently in relation to those opinions
MR. JACKSON: Objection.
JUDGE CANNONE: Sustained.
MR. LALLY: Now, Trooper Guarino, you had mentioned that you've had specialized training in regard to something called Berla. Correct?
MR. GUARINO: Yes.
MR. LALLY: Could you please explain to the jury what Berla is, and how it is used in criminal investigations — in your line of work?
MR. GUARINO: Okay. So Berla is a specialized hardware and software used to download the infotainment and telematics modules in a vehicle. The telematics module is basically like the SIM card for the car, and the infotainment system is your radio head unit that enables you to have CarPlay, or Android — Google Play — for the vehicle.
MR. LALLY: And at some point, were you made aware of a search warrant that was authored in regards to seizing the infotainment system from Miss Read's vehicle?
MR. GUARINO: Yes, sir.
MR. LALLY: And just so the record is clear, can you describe Miss Read's vehicle as far as what type of vehicle we're talking about?
MR. GUARINO: Yes. It's a Lexus LX 570 SUV.
MR. LALLY: And specifically on February 2nd, 2022, did you have occasion to remove that infotainment system from the vehicle pursuant to that search warrant?
MR. GUARINO: Yes, I did.
MR. LALLY: And once that item was removed from the defendant's vehicle, what if anything did you do with it?
MR. GUARINO: After we removed it from the vehicle, it was brought back to Norfolk DA's office for data extraction, or an attempt to.
MR. LALLY: And that data extraction — if you know, based on your training and experience — sort of how is that conducted, or what is the process of extracting data using Berla?
MR. GUARINO: So depending on the system, it's dismantled. They have the specialized hardware that actually goes onto the motherboards of these systems, and we're able to pull the data, or the other option — if that's not viable — is to do a chip-off, where we have to basically destroy the motherboard and take the memory chips off the devices to try to get the data that way.
MR. LALLY: Now with reference to this specific device, what if any efforts did you undergo in order to extract the information without using a chip-off?
MR. GUARINO: So at the time that we pulled the system, it was not supported. I emailed Berla and called them to see if they had a timeline of when this might be supported so we could get the data. We deemed chip-off — excuse me — as a last resort, because it is a destructive process. So once those memory chips are taken off, the likelihood of trying to reattach them and get it to work again is very slim.
MR. LALLY: Let me stop you there for a second. When you talk about an item being "supported," what does that mean?
MR. GUARINO: Whether or not Berla has the ability to pull the data from that vehicle.
MR. LALLY: And how is that sort of determined, or how— are you able to ascertain whether or not a particular vehicle make and model is supported by the Berla device?
MR. GUARINO: They have an app and they also have their tech support, but if you put in the VIN of the vehicle — or if you don't have the VIN, you have the make, model, and trim level, like "Limited" or "XLE" or whatever — you would be able to go in and look it up, and basically Berla will tell you "yes, it's supported for GPS points," or "it's supported for diagnostic data," or whatever they're able to get out of the vehicle. And they work with the automakers to get this data.
MR. LALLY: And approximately how many different types of — if we're looking at sort of the entirety of different makes and models and manufacturers — if you know, sort of what percentage of those types of vehicles are actually supported and Berla can actually extract information?
MR. GUARINO: I don't know. As of right now, it's a lot, and they're constantly updating it, so they are able to do more vehicles as time goes on.
MR. LALLY: Now, at this particular time, as you sit here today — June 17, 2024 — the vehicle that the defendant was operating on January 29, 2022 — is that vehicle available or supported by Berla at this time?
MR. GUARINO: The trim level that the defendant had is not still supported. There is Toyota and Lexus support now, but it's not, unfortunately, for her model.
MR. LALLY: Now, you mentioned that you had reached out to the Berla company for updates as far as the availability, or when the defendant's vehicle might be supported. Is that correct?
MR. GUARINO: That's correct.
MR. LALLY: And about how many times and over what time period are we talking about that you reached out to ascertain?
MR. GUARINO: Immediately — when I took the system out of the vehicle — I had to reach out to Berla, because where it wasn't supported, they actually had to send me a tech diagram so I could go in and — again, not destroy the whole vehicle — I just took those components out. Over the next — God — almost two years, year and a half, of going back and forth with them, with their support and their sales team.
MR. LALLY: And when you say "going back and forth" — about how often were you reaching out to them, or how often were you getting a response with regard to the vehicle?
MR. GUARINO: Usually every few months — I want to say every three months, give or take. I forget the exact number, but phone calls or an email to them asking.
MR. LALLY: Now, beyond that, are you familiar with a national cyber crime conference?
MR. GUARINO: Yes.
MR. LALLY: And do you attend that on an annual basis at least?
MR. GUARINO: Yes, I do.
MR. LALLY: And with respect to that, what if any time at those conferences did you spend dedicated to ascertaining the availability — the supportability — of this vehicle with reference to Berla?
MR. GUARINO: Berla has a booth at the national cyber crime conference. I spoke with their sales team there. Their response was to keep calling Berla, keep pestering them, and they might actually get the support sooner rather than later.
MR. LALLY: And again, were you ever able to ascertain or get the support to download the information from them?
MR. GUARINO: No, unfortunately.
MR. LALLY: Now, at some point, were you able to download any information from that particular infotainment system from the defendant's vehicle?
MR. GUARINO: Not from the infotainment system, but Berla released a new item — similar to a mechanic's scan tool — it plugs into the OBD2 port, which is underneath the dash. So, basically, if a mechanic went in there with a scan tool to tell you why you have a check engine light, this does something similar. So you plug it in and then it pulls the car's diagnostic data from that.
MR. LALLY: And as far as the data that you received from that, what if anything did you observe?
MR. GUARINO: I got a series of 14s — was the number — it was no readable data. I reached out to Berla and asked them — I said, "you know, is there a reason why it pulled this data, but when I put it into the software it's not telling me anything, not giving me any readable data?" And they said they know it as diagnostic data, but they haven't got anything from Lexus to say these 14s — these codes — mean this. They only know it as emissions.
MR. LALLY: So was Berla itself able to read that information and transform that sort of binary code into any sort of readable data for you, other than the number 14?
MR. GUARINO: No.
MR. LALLY: Now, from there, what if anything did you do with regard to the Berla — the defendant's vehicle?
MR. GUARINO: It was placed back into our digital evidence lab, and then we did eventually do a chip off to the device.
MR. LALLY: With respect — excuse me — to the chip off that was done, sometime in December of 2023 — is that correct?
MR. GUARINO: Yes, that's correct.
MR. LALLY: And again, if you could expound upon it a little — can you describe for the jury sort of the chip off process, why you were reluctant to do it, and what's entailed in it?
MR. GUARINO: As I said before, it is a destructive process. As soon as we do it, we take those memory chips off — it's applying extreme amounts of heat to the motherboards to take the memory off. That'll heat it — you lose a lot of the soldering and capacitors, anything that's on that motherboard. So, like I said, once the memory chips are taken off, it's going to destroy the board.
MR. LALLY: And as far as that chip off process, who if anyone was present with you, or who if anyone assisted you in conducting that chip off process with regard to the motherboard from the infotainment system?
MR. GUARINO: At the time that we actually did the chip off — yes — it was myself, AGP, and Maggie Gaffney.
MR. LALLY: And who is AGP?
MR. GUARINO: AGP has his own forensic company, I guess you could call it, for Berla. I would consider him an expert in the field — former California Highway Patrol officer that exclusively handled stolen cars.
PARENTHETICAL: [objection — basis unintelligible]
MR. LALLY: And who is Miss Gaffney?
MR. GUARINO: She was the defense's expert. She's the one who actually did the chip off, applying the heat and taking the chips off in our presence. And she — I believe — works for — I'm sorry, the name of the company escapes me at the moment.
MR. LALLY: Now, with respect to the information that you, Miss Gaffney, and Mr. AGP were able to remove pursuant to that chip off process, what if any usable information were you able to glean from that?
MR. GUARINO: As I was told by AGP, there was no data that was recovered off the infotainment system or the telematics module from the chip off.
MR. LALLY: And as far as Miss Gaffney — did you have any conversation with her as far as the information that she was able to glean or read or decipher?
MR. GUARINO: No. Once she did the chip off, I had not spoken with her since.
MR. LALLY: May I have a moment, Your Honor?
JUDGE CANNONE: Yes.
MR. LALLY: Now — at some point in late January, early February 2022 — were you provided with a laptop and/or a desktop computer from the home of Mr. O'Keefe?
MR. GUARINO: Yes, I was.
MR. LALLY: And what if anything did you do with those?
MR. GUARINO: One was a Dell laptop, the other was an HP all-in-one desktop. I removed the hard drives from both systems and used —
MR. GUARINO: ...linked to that account — not that I know of.
MR. LALLY: And I'm sorry — not that there weren't any devices, or not that you could tell?
MR. GUARINO: Not that I could tell, or that I ever heard of.
MR. LALLY: Now, Trooper Guarino, let me ask you some questions just in general about a cell phone extraction. You're familiar with that term?
MR. GUARINO: Yes.
MR. LALLY: And can you explain to the jury sort of what is involved in that, and how a cell phone extraction is performed as far as your experience with regard to investigations that you've been involved in?
MR. GUARINO: Yeah. Most investigations we get the cell phones from the scene, from a suspect, from a victim. They're put into airplane mode to preserve the data, so that way a remote wipe can't be sent to the phone from iTunes. If we can't put it into airplane mode, we'll put it into a Faraday bag, which blocks the cell phone signal. And then it's brought back to the lab and put into a Faraday box, which has electrical outlets inside of it, so that way we can keep the phone charged.
MR. LALLY: And with regard to this investigation, were you involved in the extraction of data, or the examination of extracted data, from any particular phone?
MR. GUARINO: Yes. John O'Keefe's phone, Karen Read's phone, and we had two witnesses' phones, but I don't remember doing the extractions themselves.
MR. LALLY: But as far as the data from those phones — have you had opportunity to look at that data? And specifically, I'm asking about both Jennifer McCabe's phone and Miss Kerry Roberts.
MR. GUARINO: Yes, I have.
MR. LALLY: Now, were you also at some point provided with some material from Brian Higgins's phone?
MR. GUARINO: Yes. I saw screenshots of text messages.
MR. LALLY: And from the material that you were provided with reference to Mr. Higgins's phone, were you then able to cross-reference that eventually at some point with respect to the information on both Miss Read's phone and Miss Roberts?
MR. GUARINO: Yes, I was.
MR. LALLY: From what you reviewed, was the information contained within the material provided by Mr. Higgins consistent with what you observed in Miss Read's phone as well as Miss Roberts?
MR. GUARINO: Yes. I didn't see any differences in those messages.
MR. LALLY: Now, with respect to — starting with Miss Read's phone — that was received by you on January 29th, 2022, is that correct?
MR. GUARINO: That's correct.
MR. LALLY: And do you recall about what time it was and where you were when you received that phone?
MR. GUARINO: I want to say six or seven o'clock at night, at the Norfolk DA's office.
MR. LALLY: And who did you receive that phone from?
MR. GUARINO: Trooper Proctor.
MR. LALLY: And with reference to that phone, what condition was it in at the time — as far as you referenced the airplane mode, Faraday bag, things of that nature — how was it when you received it?
MR. GUARINO: I believe it was in airplane mode. The phone was in good working order, and it was placed downstairs in our lab, plugged in to keep the phone battery charged.
MR. LALLY: Now, the same with respect to Mr. O'Keefe's phone — when and from whom did you receive that, and what kind of condition was that in when you received it?
MR. GUARINO: I also got that from Trooper Proctor, at the same time as Miss Read's phone. Same condition.
MR. LALLY: Now, with respect to the defendant's phone — at the time that you received it, did you have any passcode or any way to get into the phone? I'm sorry — whose phone?
MR. GUARINO: Miss Read's phone.
MR. LALLY: Oh.
MR. GUARINO: No. The software we used to try to bypass passwords — to be able to extract the evidence, or I should say the extraction of the data to look for evidence — her phone at that time was not supported.
MR. LALLY: Now, what if anything did you do with her phone in regards to that?
MR. GUARINO: Again, made sure it was in airplane mode and just kept it plugged in until such time as the phone was supported, and then we could download it with a device called the GrayKey.
MR. LALLY: And can you explain to the jury what that is, and what if anything you did with regard to the defendant's phone and the GrayKey?
MR. GUARINO: Yep. So GrayKey is again specialized hardware and software used to plug in the phones — can do Apple or Android phones — to bypass passwords.
MR. LALLY: And how does that sort of function, or how does that work, as far as when you hook a cell phone or a cellular device up to a GrayKey tool — what is it doing and how does it work?
MR. GUARINO: If I knew that I'd be a millionaire. But it basically installs software onto it, and instead of — when you put in ten passcodes to an iPhone, on the tenth one if it's wrong it kills the phone forever — this has some secret software that's able to bypass that and basically keep hitting the phone with passcodes until it finds the right one.
MR. LALLY: But essentially it runs a bunch of different combinations of passcodes into the phone until it comes up with one that actually opens the phone?
MR. GUARINO: Yes, that's correct.
MR. LALLY: And at some point did the GrayKey device actually break into the defendant's phone?
MR. GUARINO: Yes, it did.
MR. LALLY: You know about when that was in relation to when you —
MR. GUARINO: Yes. So we got the phone in January. It took — I believe support came out in, I want to say, May or June, I don't remember the exact month — but we didn't actually get the passcode until August 16th of 2022.
MR. LALLY: And once that passcode was obtained — broken into by the GrayKey device — then you're able to look into the phone, is that correct?
MR. GUARINO: Yes. Once the passcode is obtained, we download the data, and then we're able to take that extraction data and open it up in Cellebrite or AXIOM or whatever tool we're going to use to view it.
MR. LALLY: And the tools — as far as you're referring to Cellebrite and AXIOM — you're familiar with those tools through your work as an investigator with regard to electronic devices?
MR. GUARINO: Yes.
MR. LALLY: And if you could explain to the jury — sort of when you say Cellebrite and AXIOM, as far as those tools are concerned — how do they work, and what is it that you do with the device? With reference to — so, what do you do with the extractions once you go to open them? Well, how is the information extracted first of all, and then what if anything do you do with that?
MR. GUARINO: So GrayKey will pull the extraction — well, it just — once the passcode is received, it again uses its software, pulls the data out, puts it into an encrypted — it's MD5 or SHA — it's an encryption key that — it's a unique key, so if you changed anything inside that zip file it would change the encryption number to show that something was tampered with. We take that encrypted zip file and we open it up in the software, and that's able to show you, you know, the call logs, the chats, the photos, the time — — the whole timeline of the phone.
MR. LALLY: Now, in addition to yourself, is there anyone else that works in this sort of capacity within your unit at the District Attorney's Office?
MR. GUARINO: Yes, two other people.
MR. LALLY: And who are those two other —
MR. GUARINO: The director of our lab, Samantha Vote?, and Trooper Connor Keefe.
MR. LALLY: Now, beyond yourself, Trooper Keefe, and Miss Vote? — anybody else from the detective unit, as far as the Troopers — would they have access to these devices, being the defendant's, Mr. O'Keefe's, Miss McCabe's, or Miss Roberts'?
MR. GUARINO: If they're in the digital evidence lab, no. Once the data is extracted from them, normally we give them back to the investigator or return them to the family, so that would be the only time that they would have access to the devices — or unless we kept them in the lab just for storage reasons.
MR. LALLY: Now, with reference to your review of any of the extractions related to any of those four devices — at any point in time, did you observe anything in reference to any information being taken off or deleted from any of those devices at any point in time?
MR. GUARINO: No, sir.
MR. LALLY: Now, with respect to Miss Read's device — the defendant's device — it was sometime in August of 2022 that the GrayKey was able to break into the passcode and get into the device, correct?
MR. GUARINO: That's correct.
MR. LALLY: And so then, once an extraction is done, that's then subsequently reviewed by someone within your unit, is that correct?
MR. GUARINO: Yes. So again, normally the investigators for the homicides know far more information about the crime and what occurred, so if need be I'll load the phone up for them — they can go through it because they know what they're looking for. If they ask me, I'm happy to go through it if they can say, you know, "I'm looking for calls between this time period," or GPS locations, things like that.
MR. LALLY: Now, with reference to the defendant's phone — at some point, were you made aware that there was some privileged information contained within her phone?
MR. GUARINO: Yes, I was.
MR. LALLY: So as a result of that, what if anything happened with the phone from there?
MR. GUARINO: We notified our supervisors, and we did not look at her extraction until the privileged communications could be removed, and then we could again go back and re-inspect the data.
MR. LALLY: Now, as far as that whole process that was undertaken in regard to that — how long a time period, or when was it that you were able to have the privileged information extracted and then actually get to look at the defendant's phone?
MR. GUARINO: Took months. I don't think we got it back from the AG's office until later — I want to say Springtime of 2023.
MR. LALLY: Now, with respect to the extraction from each of these four respective devices — that being the defendant's, Mr. O'Keefe's, Miss McCabe's, and Miss Roberts' — what kind of tools were used to conduct those extractions?
MR. GUARINO: GrayKey, Windows 10, and then [unintelligible] Physical Analyzer and AXIOM — that's Magnet's program.
MR. LALLY: And so as far as — I guess my question is — as far as the different devices that are used, why are there different devices, and what is it that one does versus the other?
MR. GUARINO: So they both do great work with, you know, decoding the data. I've noticed that AXIOM does a better job at pulling GPS spots because it gives a speed and an estimated range of — how strong the GPS signals are, as opposed to Cellebrite — they give native locations, but they don't have that extra data with it. So I like to look at both tools to make sure that I'm seeing everything that I need to.
MR. LALLY: Now with respect to the defendant's phone, you at some point reviewed the extraction from the defendant's phone, correct?
MR. GUARINO: Yes, I did.
MR. LALLY: And with respect to that phone, what if anything did you observe with regard to GPS locations associated with that device?
MR. GUARINO: I didn't see that many — maybe a handful, showing different spots in Canton, but nothing that stood out to me.
MR. LALLY: Now with respect to your review of the phone, what if anything were you able to — — ascertain as to whether or not those GPS locations were allowed or permitted, or turned off or on by the user?
MR. GUARINO: I — I can't say. I didn't see anything, like I said, that stuck out to me. Normally if the GPS points aren't there, then location services are probably turned off.
MR. LALLY: What I'm asking though is — the device itself was capable of retaining that data as far as GPS locations, correct?
MR. GUARINO: Yes, if it's turned on.
MR. LALLY: And there were no real GPS locations to speak of that you observed in your review of the extraction of the defendant, correct?
MR. GUARINO: That — yes, that's correct.
MR. LALLY: Now with regard to Mr. O'Keefe's phone, what if anything were you able to ascertain — — from that, as far as GPS locations were concerned?
MR. GUARINO: There's quite a bit, especially on January 29th.
MR. LALLY: Now sir, before we get into that, if I could ask you some questions in regards to McCabe's — excuse me — McCabe's phone extraction. You had occasion to review that, is that correct?
MR. GUARINO: Yes sir.
MR. LALLY: And so in regard to that, you had also mentioned that you had reviewed an affidavit from a defense expert, or defense witness, named Mr. Richard Green, correct?
MR. GUARINO: That's correct.
MR. LALLY: And based on your review of that, what if anything — based on your review of what Mr. Green said or did — what if anything did you then do with regard to McCabe's —
MR. GUARINO: So I — — basically went point by point through his report to confirm or deny if what he was placing in there was true.
MR. LALLY: And what if anything were you able to ascertain or learn from going through McCabe's phone with reference to what Mr. Green stated?
MR. JACKSON: Objection.
JUDGE CANNONE: I'll allow that.
MR. GUARINO: It was mostly incorrect.
MR. LALLY: And when you say "mostly incorrect," what was mostly incorrect?
MR. GUARINO: So he states that there's a Google search that's done at 2:27 in the morning. That immediately stuck out to me because when I went back and looked, that file that was parsed was not from the database that should have showed searches — this came from the Session State tabs — — for Safari, which is a big red flag. It also came from a WAL file, which is a dropping ground for where data is put before it's actually put into the main database itself, and then once it reaches a certain point, that data is automatically deleted by the device — not by a user — which Mr. Green had stated that a search was done and that it was purposely deleted. There was also an item regarding phone calls being deleted. Again, they came from a WAL file.
MR. GUARINO: Looking at it again, it's stored in the KnowledgeC main database. It was also stored in the biome, showing in the extraction, which is another storage area that Apple is — — using. Again, nothing — most of the stuff that I was reading in his report was either incorrectly written down, or he's interpreted it incorrectly.
MR. LALLY: Now with regard to the phone calls, or the contacts, that Mr. Green indicated were user-deleted, or deleted by the user — what if any information did you look into in regard to that? What did you ascertain in regard to —
MR. GUARINO: Yeah, so he stated that McCabe deleted 18 phone calls from the morning after John O'Keefe's body was found. Looking at the data from her call log, those calls — while they do show marked as deleted — again, they come from the WAL file, and they're also located — — in two other parts of the database. Again, as a user of an iPhone, you can't go in and just delete these files — they're handled by the operating system. It's impossible.
MR. LALLY: So as far as — what if any opinion do you — well, let me ask you this first. As far as the WAL, or Write-Ahead Log file — can you explain what you understand that term to mean to the jury, as it pertains to these particular —
MR. GUARINO: Yeah, so as I said, these files are a dropping ground. So when you're using your apps, using the phone, it takes that data and puts it into this WAL file until you either close the app, or you shut down the phone, or it reaches a certain amount of data in the phone — that WAL — — file will automatically delete from the phone. So this can be on a first-in, first-out basis. Again, like I said, it could be when data reaches a certain level. But those calls that are being marked as deleted — seeing it as "deleted" doesn't mean the user deleted them. It just means they're being removed from the WAL file.
MR. LALLY: And you indicated that from your review of the phone extraction, there were other areas, or other databases — excuse me — within the phone that contain that same information?
MR. GUARINO: Yes. So the main database of the iPhone is the KnowledgeC database. They're also using biome, and then if you're using the newest software, now it's — — another area. I won't bore you with it, but depending on the iOS you're using for the phone, it's going to depend on where that data is being stored.
MR. LALLY: Now specifically with respect to McCabe's phone, one of the contentions Mr. Green had was in regard to a contact for Brian Albert, is that correct?
MR. GUARINO: Yes, that was another one.
MR. LALLY: With respect to that, what if anything were you able to find within McCabe's phone in regards to contact information for Brian?
MR. GUARINO: Yeah, so Mr. Green's report said that he located a deleted screenshot of Brian Albert's contact that was in her phone. The contact for Brian Albert was still in her phone — not deleted. So I don't know — maybe she just deleted the screenshot.
MR. LALLY: Now with respect to McCabe's phone, what if anything did you do with regards to the call log history in McCabe's —
MR. GUARINO: I exported it all out to a PDF so I could view it. And again, like I said, there's — I think 114 phone calls going all the way back to October of 2020, I want to say — phone calls, FaceTime — all the calls are there. All the records are there, and they're all stored in different areas of the phone. The only ones that show the WAL file as deleted were the ones from the 29th, going up towards the end of the day on the 29th.
MR. LALLY: And now with respect to the — — call history, where, or how, is that typically stored within an iOS device?
MR. GUARINO: I believe that's stored in the CallStore SQLite database.
MR. LALLY: And with reference to — what, if any, difference, storage-wise, is that SQLite database versus the WAL?
MR. GUARINO: So again, yeah — that database where the call logs are sent, it's going to have a corresponding WAL file where the data is going to be put temporarily, and then as I said, it gets automatically deleted by the iOS, by the operating software — it's not user-enabled.
MR. LALLY: And so from your view of those 114 phone call history records from the extraction of McCabe's phone, what if any opinion do you have in regards to — — whether or not those items were deleted by any user?
MR. GUARINO: I don't believe they were. And I will say — one of the phone calls was from the actual main CallStore database, which could have been user-deleted, but again it's in two other spots in the operating system, so I don't know how or why the iOS stores it the way it does, and then marks — — [unintelligible].
MR. LALLY: Now sir, from your review of the four phone extractions you reviewed in this case, were you able to export or print certain chat reports from specific people's phones, or between specific people's phones with other individuals?
MR. GUARINO: Yes, I was able to.
MR. LALLY: May I approach?
JUDGE CANNONE: Any objections? Yes.
MR. LALLY: I'm showing you what's been marked as Exhibit 48. Do you recognize that, sir?
MR. GUARINO: Yes.
MR. LALLY: And what do you recognize?
MR. GUARINO: The first page is Facebook Messenger chats between Karen Read and John O'Keefe.
MR. LALLY: And what's contained in there — is that a fair and accurate portrayal of what you observed from the extraction from Mr. O'Keefe's phone?
MR. GUARINO: Yes, it is.
MR. LALLY: And specifically with reference to those chats between Mr. O'Keefe and the defendant, you also reviewed that material from the defendant's phone as well?
MR. GUARINO: Yes, I did.
MR. LALLY: And the material that you reviewed from the defendant's phone — is that consistent with what you observed in Mr. O'Keefe's?
MR. GUARINO: Yes, it — — is.
MR. LALLY: Your Honor, with the Court's permission, if I could request certain portions of what's been marked as Exhibit 48 be published to the jury as we go through them.
JUDGE CANNONE: Okay.
MR. LALLY: Sir, if I could just start you out on page one.
MR. GUARINO: Okay.
MR. LALLY: If I could have that now — with respect to what's up on the screen, the portion that you can see, you recognize that, sir?
MR. GUARINO: Yes, I do.
MR. LALLY: You have before you as Exhibit 48?
MR. GUARINO: Yes.
MR. LALLY: Now within this particular — from the perspective of — this is from Mr. O'Keefe's phone, is that correct?
MR. GUARINO: Yes, it is.
MR. LALLY: So there will be blue bubbles and green bubbles, is that correct as well?
MR. GUARINO: Yes.
MR. LALLY: And so who — as far as the blue bubbles would —
MR. GUARINO: ...speaking in that the blue bubbles will be from Miss Read and the green bubbles are from Mr. O'Keefe. Miss Gilman, if you could please scroll down.
MR. LALLY: Now with respect to what's contained on this page one, at the bottom, if you could read the date and the time and indicate who is speaking and what is said there, sir.
MR. GUARINO: Yeah, so the blue bubble is Karen Read, and 1/28/2022 at 3:30 p.m., "Hello." John says, "Hi," at 3:35 p.m.
MR. LALLY: Yes.
MR. GUARINO: Yep, those are the Facebook ones.
MR. LALLY: I'm sorry? What's contained in Exhibit 48 is the entirety of the chat report from Mr. O'Keefe, correct?
MR. GUARINO: Uh, yes, I believe so.
MR. LALLY: Okay. May I approach?
JUDGE CANNONE: Yes.
MR. LALLY: My apologies. Showing you another — do you recognize that?
MR. GUARINO: Yes.
MR. LALLY: What do you recognize that to be, sir?
MR. GUARINO: These are the native chats, native messages from John O'Keefe and Karen Read. So these are just specifically broken down as far as the chats between Mr. O'Keefe's phone and Miss Read's phone, correct.
MR. LALLY: Correct. And as far as your view of both of the extractions from both of those phones, the material contained within Mr. O'Keefe's phone is consistent with the material contained in the defendant's phone?
MR. GUARINO: Yes, that's correct.
MR. LALLY: Okay. May I approach?
JUDGE CANNONE: Yes.
MR. LALLY: [Exhibit 627.] Yes, that could be returned to the witness, your Honor. If we could, with the Court's permission, we'd publish.
JUDGE CANNONE: Yes, go right — — ahead.
MR. LALLY: And now, Trooper, do you recognize what's up on the screen as the next — I'm sorry. Miss Gilman, if you could scroll down just a little bit.
MR. GUARINO: Yes.
MR. LALLY: And again from this first page, the blue bubble is from Miss Read, is that correct?
MR. GUARINO: Yes, that's correct.
MR. LALLY: And the green bubble being from Mr. O'Keefe, is that correct?
MR. GUARINO: Yes.
MR. LALLY: And if you could again read from this first page as far as date, time, who is speaking, and what is said.
MR. GUARINO: Yeah, at 9:49 a.m., Karen says, "You've really hurt me this time." 10:02 a.m. — I'm sorry, this is — sorry, it's kind of hard to read. "I'm sorry, this has been an issue with me for eight years. It physically hurts me to see everyone else in their —" yep, "in their life do things for them and of —" "— course to always be the bad guy." At 10:09 a.m., Karen says, "I am not the same as everybody else. Most of the time I try to do what is healthy, smart for them. More importantly, I try to support you and what you need. You just lashed out at me and said terrible things. I don't know how you've gotten to this point with me when I'm just trying my hardest. You made your point and continue to beat me down. I have a lot going on too.
MR. GUARINO: Physically, I'm falling apart and trying to get answers and help."
MR. LALLY: I'll stop there. If I could direct your attention — I can direct you to page five, sorry, bottom of — — page. All right. And starting with the blue bubble on the bottom of page four, again if you can indicate as to who is speaking, what is said, and the date and times.
MR. GUARINO: Yeah, Karen says to John at 1:21 p.m. on the 28th, "Maybe you can call someone."
MR. LALLY: If you could continue on through page five, sir.
MR. GUARINO: Yes. On the 28th at 1:46 p.m., John says, "Like who?" 1:47 p.m., "What time are you coming here?" And then there is at 2:05 a message but no content. And the next message at 2:06 —
MR. LALLY: Sir?
MR. GUARINO: Yes. 2:06, from Karen: "I don't know what time. Feel kind of out of it, just trying to clear my head." 2:06 p.m., John writes back, "Okay." 2:06 p.m., again Karen says, "Text me later —" "— when you guys settle in later." I'm sorry — "Text me when you guys settle in later." John says, "Sure," at 2:06 p.m. Again, Karen says at 2:16, "I feel pretty shitty about this —" excuse me, "feel pretty shitty about how this morning went down. I know you said sorry but it really stung, especially when I've been trying pretty hard lately. I feel like a loser turning around and just coming back over after everything you said."
MR. LALLY: If I could ask you to continue on to page seven, sir.
MR. GUARINO: Okay. At 2:17 p.m., John says, "Not sure what else you want me to do. I said I'm sorry and I was out of line. If you prefer to stay home, I totally get it." Karen replies back at 2:17, "Things in my —" "— own life have been difficult too, you know." John writes back at 2:17, "I know." At 2:25 p.m., from Karen: "Tell me if you're interested in someone else. Can't think of any other reason you've been like this."
MR. LALLY: Could you continue on through page eight, sir?
MR. GUARINO: At 2:25, John responds back, "Nope. Things haven't been great between us for a while. Ever consider that?" That was at 2:26. Uh, 2:29, he writes, "Kids are here, not in the mood to talk."
MR. LALLY: And how does she respond to that at the bottom of page eight?
MR. GUARINO: "So you're not into it anymore, that's fine, but I don't want to keep trying and you keep treating me like this," at 2:29 p.m.
MR. LALLY: If I could direct you to the next page.
MR. GUARINO: Yes. Read says, "I'm trying to hug and kiss you this morning and you whack me in the face with the pillow," at 2:29. At 2:30, she says, "Last night you — you're basically like, 'Yeah, what about when we talk about the future?' So why don't you just admit you're not into it so much anymore?" 2:30 — oh, sorry — 2:30. John says, "Not how it went down, but okay."
MR. LALLY: Now, how does Miss Read respond to that?
MR. GUARINO: "Can you please admit your head is out of the game, out of the game with us?"
MR. LALLY: If you could, sir, please continue on to page 10.
MR. GUARINO: Okay. At 2:32 p.m., "Sick of always arguing, fighting. It's been weekly for several months now, so yeah, I'm not as quick to jump back into being lovey-dovey as you apparently." From John. And then John again at 2:32, "Oh my God, stop calling."
MR. LALLY: I'll stop you there for just a moment. With regard to January 28th, were you also able to extract a report specifically in regard to calls received by Mr. O'Keefe on that date?
MR. GUARINO: Yes, I was.
MR. LALLY: I mean on that date into the next date of January 29th?
MR. GUARINO: Yes.
MR. LALLY: May I approach?
JUDGE CANNONE: Yes.
MR. LALLY: Here we go. Do you recognize that, sir?
MR. GUARINO: Yes. It's John O'Keefe's call log.
MR. LALLY: And that's the entirety of the call log from January 28th into the 29th, is that correct?
MR. GUARINO: Yes, from the 28th at 9:19 a.m. to the 29th at 6:03 a.m.
MR. LALLY: May I approach?
JUDGE CANNONE: Yes.
MR. LALLY: May I approach?
JUDGE CANNONE: Yes. Showing you another document — look up when we finish.
MR. LALLY: Do you recognize that, sir?
MR. GUARINO: Yes. This is Karen Read's call log from January 29th at 12:33 a.m. to January 29th at 6:03 a.m.
MR. LALLY: And those are specifically calls between the defendant and Mr. O'Keefe, correct?
MR. GUARINO: Yes, that is correct.
MR. LALLY: May I approach again, your Honor?
JUDGE CANNONE: Yes.
MR. LALLY: I'd move to admit — no objection. Thank you. Now, Trooper, from the text messages that you were just testifying from, Mr. O'Keefe indicates "OMG, stop calling" at 2:32 p.m. Is that correct?
MR. GUARINO: Yes, that is correct.
MR. LALLY: Now from your review of those call logs, how many times did the defendant call Mr. O'Keefe on January 28th from approximately 9:19 a.m. to about 2:58 p.m.?
MR. GUARINO: There are 18 calls, from 9:19 to — — about 2:59 p.m.
MR. LALLY: Those calls are listed within those records as various — as far as rejected, or missed, or answered, or things of that nature. Is that correct?
MR. GUARINO: Yes, that is correct.
MR. LALLY: How many of them are rejected?
MR. GUARINO: 11.
MR. LALLY: How many of them are missed?
MR. GUARINO: Uh, four.
MR. LALLY: And how many are answered?
MR. GUARINO: Three.
MR. LALLY: Now, following that text message at 2:32 p.m. from Mr. O'Keefe to the defendant asking her to stop calling him, does the defendant keep calling?
MR. GUARINO: Yes, she does.
MR. LALLY: And at some point does Mr. O'Keefe call Miss Read back?
MR. GUARINO: Yes, at about 3:00 p.m. on the 28th.
MR. LALLY: Double-check. Thanks. May I approach?
JUDGE CANNONE: Yes, sir.
MR. LALLY: I can take each of the call logs — I want to keep — okay. Now, if I can turn your attention back to page 10 on those text messages, with respect —
JUDGE CANNONE: Okay, so, Mr. Lally, when you put your head down and when you walk away we can't hear you, and there won't be a record of this, so you have to keep your voice up.
MR. LALLY: I will.
JUDGE CANNONE: Well, you just put your head down and your voice went down, so keep your voice up. It's really important.
MR. LALLY: I will do so. Trooper, turning your attention back to page 10 of these text messages — Read's response to Mr. O'Keefe at 2:32?
MR. GUARINO: Yes. So 2:32 p.m., she says, "Then why would you start with me this morning?" And then followed up by 2:33, "You're setting me up to fail."
MR. LALLY: If I could turn your attention to page 11 and ask you to continue from there.
MR. GUARINO: Yeah. Miss Read says — excuse me — "You start a number of fights from your end, John." That's at 2:33. At 2:33, John writes back, "I've explained it a few times already, not doing it again."
MR. LALLY: How does the defendant respond to —
MR. GUARINO: ...so you're not into this anymore, and then John says not into fighting all the time.
MR. LALLY: Correct. That's at 2:34 p.m. If I could turn your attention to the top of page 12.
MR. GUARINO: Yes. Uh, 2:34, uh, Ms. Read says if you tell me you're interested in someone else, you will never hear from me again, you can have all the space in the world. John writes back, but there's no — no content at 2:34. And then at 2:34 she says then stop starting with me.
MR. LALLY: How does Mr. O'Keefe respond to that at 2:34?
MR. GUARINO: He writes back I'm not answering, stop calling.
MR. LALLY: And if I could turn your attention to the top of page 13.
MR. GUARINO: Uh, Ms. Read says can you please answer after how you treated me earlier. John responds back at 2:35, Kaylee is right here. Read says you're starting a rager with me out of nowhere, and then you tell me you're sick of fighting with me, at 2:35. And she writes at 2:38, I'm going to grab a drink in a bit.
MR. LALLY: So if I can direct you to the top of page 14, sir.
MR. GUARINO: She says can you answer please at 2:38. He writes back at 2:39, no, Karen, not sure why you need to announce that you're going drinking, but have fun. Karen writes back at 2:40, seeing if you want to meet me later, can you please call me.
MR. LALLY: Right after that, again, if I can direct you to the top of page 15.
MR. GUARINO: Uh, John writes back at 2:40, have to take them to the doctor, he has practice. Karen writes back, yeah, five minutes. Uh, John writes back at 2:43, my father just walked in. Karen writes back, okay, can you please call me for two minutes, at 2:44.
MR. LALLY: The top of page 16, sir.
MR. GUARINO: 2:44, John writes back, not right now. Karen writes back, I'm there when anyone else needs me, at 2:44. And 2:46 — yes John, you gave me utter grief this morning, I'd like you to call me for a minute. And the last one from that page, sir — 2:47, I've been trying to get over the hump with uh, with this arguing, and now you tell me you're not into things, and if you don't want to fight weekly but fly off the handle at 8 a.m. with me, like you're setting me up to fail.
MR. LALLY: Sir, if I could uh draw your attention to page 42.
MR. GUARINO: Okay.
MR. LALLY: Sir, if I could ask you to start reading from the top of page 42.
MR. GUARINO: Yep. At 7:41 p.m., Karen writes, okay, let me know if you end up leaving. John writes back at 7:42, why, now you're not coming? Karen writes back, I'm waiting for the plumber, actually think he's in the driveway. 7:42 — John says at 7:43, we're taking Mike's car, so I'm relying on you for a ride home if he leaves. Karen writes back at 7:43, he's not going home after. John writes back at 7:43, 8 on a Friday he may have to — get Michael, and you have a plumber coming over at 8, knowing me and Papa could have handled it, good luck. And that was at 7:44.
MR. LALLY: Thank you, sir. Um, I could direct your attention to page 49.
MR. GUARINO: Okay.
MR. LALLY: I could ask you to uh start from the top of page 49, sir.
MR. GUARINO: 8:29 p.m. — yeah, but he lives uh right down the road. John writes back at 8:30, Karen, the — is going to be intense, can't drive. 8:30, she writes back, okay, well if he can't, he can't. John writes back, I'll do it Monday. Karen responds at 8:31, ha, I better not still have this problem on Monday. John writes back, plan on being there. Karen writes back at 8:32, I'd like to know — I could take a hot shower here if I need to. John writes back, figured you'd be in Canton till Monday.
MR. LALLY: If I can direct you to the top of next page, 51.
MR. GUARINO: John — I'm getting off my phone, let me know what you're doing. Karen writes back at 8:33, I think the four of us together uh is toxic to this relationship, would like to limit it. And says you've said so yourself for probably a year now. And John writes back at 8:33, blizzard tomorrow, nobody is going anywhere.
MR. LALLY: Sir, if I can direct you to the top of page 52.
MR. GUARINO: Okay. Uh, Karen says, maybe I'll come back late tonight, bad snow in uh — it's in the early a.m., that's at 8:35. And again 8:35, I'll head up there in a few minutes, let me know if you leave. John replies back, sure. And then the next one's not until 12:55 a.m. on the 29th — I'm going home. And the "I'm going home" is from the defendant, 12:55 a.m.
MR. LALLY: Is that correct?
MR. GUARINO: Yes, that is correct.
MR. LALLY: And if I could direct your attention to the top of page 53.
MR. GUARINO: Yes. At 12:55 again — uh, see you later. At 1:02, your kids are — alone. Uh, 1:29 — uh — 10:04 a.m., I'm back in Mansfield, the kids are home alone.
MR. LALLY: Thank you. May I approach — to retrieve?
JUDGE CANNONE: Yes. Can I see counsel at sidebar about scheduling? You are — with this witness, but can we go until 4:15? I know it's been a long day, but does that work for you all? All right, thank you very much. Why don't we do that, and then I'll talk to the schedule after. All right, you are unmuted.
MR. LALLY: I may have one — yes. May — yes. Now, Trooper Guarino, you were also able to uh get some uh chats as well as some phone calls between uh the defendant and certain individuals, is that correct?
MR. GUARINO: Yes.
MR. LALLY: And uh, may I approach?
JUDGE CANNONE: Yes.
MR. LALLY: I'm showing you two documents.
MR. GUARINO: Okay. Okay.
MR. LALLY: And uh, do you recognize those, sir?
MR. GUARINO: Yes, I do.
MR. LALLY: And what do you recognize those to be?
MR. GUARINO: Uh, the single page is uh Karen Read to Laura Sullivan phone calls — or I should say — yep — calls from Laura Sullivan to uh Karen Read, and the other one is Karen Read and Laura Sullivan's chat uh messages.
MR. LALLY: What's contained in those documents — is that a fair and accurate portrayal of what you were able to extract from the defendant's phone?
MR. GUARINO: Yes, sir.
MR. LALLY: Yes. I seek to introduce —, next. No objection.
JUDGE CANNONE: Okay. Um, no —
MR. LALLY: Thank you. May I approach?
JUDGE CANNONE: Yes.
MR. LALLY: Showing witness documents. Do you recognize that?
MR. GUARINO: Yes. These are Karen Read and John O'Keefe uh phone calls.
MR. LALLY: And what is uh contained in that — is that a fair and accurate portrayal of what you observed uh conducting the extraction of the defendant's phone with regard to the communications with John O'Keefe?
MR. GUARINO: Yes.
MR. LALLY: May I approach again, your honor.
JUDGE CANNONE: Yes. No objection.
MR. LALLY: Right, no objection. [Exhibit —] — I'm very sorry. May I approach, your honor?
JUDGE CANNONE: Yes.
MR. LALLY: I'm showing you what's previously been marked as Exhibits 51 and 52. Do you recognize those?
MR. GUARINO: Yes. These are phone calls from Karen Read and Katie Camerano, and 52 is chats between Karen Read and Katie Camerano.
MR. LALLY: Approach just to retrieve — yes. What's contained in those Exhibits 51 and 52 — is that a fair and accurate portrayal of what you observed during the extraction of the material from the defendant's phone?
MR. GUARINO: Yes.
MR. LALLY: May I approach again, your honor?
JUDGE CANNONE: Yes.
MR. LALLY: I'm showing you what's marked as Exhibits 94 and then 95.
MR. GUARINO: Yes. Sorry. Uh, they are chats between Karen Read and Jen McCabe — text messages — and 95 is Karen Read and Jen McCabe phone calls.
MR. LALLY: And again, what's contained in those uh records before you — is that a fair and accurate portrayal of what you observed in the defendant's phone during the course of your extraction of materials from her phone?
MR. GUARINO: Yes.
JUDGE CANNONE: Yes, so these are already in evidence, Mr. Lally, so you don't need the fair and accurate portrayal.
MR. LALLY: Can I approach, your honor?
JUDGE CANNONE: Yes. Thank you. Jurors, you know what, I'm going to send you home. Okay. Uh, so I need to see counsel inside, back in just a minute, to figure out the next two days. You are excused. We will be here, but you won't be. All right, so it's very important that you don't watch TV or listen to anything, um — or read about anything. So we will be here tomorrow. Wednesday is the federal holiday, so we're not in session. I know there's supposed to be some big heat wave this week. I really appreciate that everybody dresses respectfully for court — I suggest you come in comfortably. It's an old building, the air conditioning's been great today. I don't know that that — will hold up when really pushed, so feel free to dress comfortably. We'll plan on seeing you on Thursday.
JUDGE CANNONE: If that changes, the court officers have your contact information, but we plan on seeing you on Thursday. All right, so please — those three cautions: do not discuss this case with anyone, don't do any independent research or investigation into this case. If you happen to see, hear, or read anything about this case, please disregard it. Let us now recess until Thursday morning. All rise for the court, please. All right. And Trooper, you can just follow out behind them. Okay, thank you.