Nicholas Guarino - Redirect
MR. LALLY: You were asked about qualifications — as far as certifications that you received in prior training — correct?
MR. GUARINO: Yes.
MR. LALLY: What are some of the areas that you received certifications in?
MR. GUARINO: Cell phone report creation, extraction, cell phone repair, the Berla motor vehicle forensics, advanced database — a class called CASA, but it's a Cellebrite class that goes deeper into database searching — SQLite, programming to write code to do your own searches — things of that nature.
MR. LALLY: Now, at any point in time did Trooper Proctor ever tell you that he retrieved Mr. O'Keefe's cell phone directly from 34 Fairview Road?
MR. GUARINO: No, he didn't.
MR. LALLY: Is it in your understanding, or did you subsequently learn, that Kerry Roberts actually recovered the phone from under Mr. O'Keefe's body — from the grass under his body at 34 Fairview Road, when he was placed onto a scoop stretcher?
MR. GUARINO: I don't know who recovered the phone that morning, but I —
JUDGE CANNONE: I'll allow it.
MR. GUARINO: I don't know.
MR. LALLY: Your answer is you don't know who recovered it?
MR. GUARINO: No. I just know that it was found underneath his body and then taken to Canton PD.
MR. LALLY: Now, with regard to the location data post 6:15 a.m. — what if anything did you observe in reference to that?
MR. GUARINO: There was some intermittent native locations that showed at the Canton PD — it's there for a handful of different points, and then it shows it back at our office when I put it into the digital evidence lab and powered it on.
MR. LALLY: You received the phone from Trooper Proctor — was that either in airplane mode or a Faraday bag?
MR. GUARINO: I don't remember offhand. But there were no locations — or GPS locations — observed from the phone from approximately 11-something a.m. until I received it — excuse me — at 7:30 p.m. on the 29th. There was — like I said, there was only the handful that showed it at Canton PD, and then when it's back at the office that night. And if it wasn't in airplane mode, it would have been something I would have done. So I don't remember if Proctor did it before he gave it to me or if I did it after.
MR. LALLY: Now, the other Troopers in your unit — in the detective unit with the Norfolk DA's office — are they as well versed on cell phone extractions and cell phone data as you are?
MR. GUARINO: No.
MR. LALLY: And so, how many people within your specific unit actually perform data extractions or forensic analysis of cell phones?
MR. GUARINO: Myself, Trooper Connor Keefe —
MR. LALLY: And everyone has been trained in how to use Cellebrite and to do these extractions?
MR. GUARINO: They all just sort of dump them on my desk and say "do this phone for me."
MR. LALLY: So now, as far as what you provide to the investigating Troopers — such as Trooper Proctor — can you explain to the jury that process, and what if any differences there are between what you're looking at as far as the device when you're extracting the information and what you provide to the trooper?
MR. GUARINO: So when I plug in to GrayKey or Cellebrite, or whatever tool I'm using to extract the data, it creates that zip file, and then I open it up in Cellebrite or Magnet AXIOM. The guys are only trained in Cellebrite Reader, so that's what I open the extractions initially in for them. If there's something that we find that they don't understand and that I want to look more into, I'll load it into AXIOM as well. But that's normally how it would go.
MR. LALLY: Now, is there any way — from the version or the extraction that you provide to the trooper — for that, or any trooper, to change or manipulate that data from what is initially contained on the phone?
MR. GUARINO: Well, in essence you could, but you'd have to go in — so once I create that UFED reader, which is the portable case, you would have to go into the folders and then delete stuff, which would change all of the data. And then when I would load it up later, it probably wouldn't work right. That's why we save the encrypted extraction onto the server — so if anything ever messes up, we can go back and reload it, and I can create whatever reports I need with it.
MR. LALLY: And so, from your view of the data and the phones in this case — what if anything did you observe in regard to any manipulation of data, or deletion of data, or removal of data from the encrypted files?
MR. GUARINO: None. And then we didn't have passcodes for the phones for John O'Keefe's until the 31st, and then again from Ms. Read's — until — geez — like I said, August, once the program was able to open it.
MR. LALLY: Now, you were asked questions about Mr. Green's affidavit. Following your review of Mr. Green's affidavit, what if any steps did you take in relation to what was indicated in there?
MR. GUARINO: So as I said, didn't really go through the phones much when we first got them. I don't know everything about the case as the investigators do. So I got his report and I went through it and basically just went step by step. So he says this happened, I went to confirm, and if it didn't, then I need to find out why — he was either incorrect or slightly off — either just completely wrong or just misinterpreted the data, and that was it.
MR. LALLY: And in addition to yourself going through some of the data, who if anyone did you contact to assist, or to also go through the data, specifically as it related to the searches?
MR. GUARINO: So initially when I first found it, I spoke with Chris Vance of Magnet AXIOM — excuse me, Magnet Forensics. He's their head technical guy for AXIOM. He's like the forensic specialist. So he was at the cyber crime conference. I brought him —
JUDGE CANNONE: I'm going to allow this.
MR. GUARINO: — I brought the extraction there and I said, hey, this is what I'm seeing, this is what it parsed out, why are we seeing it marked this way? And he goes, well, first off, you have to look exactly where it's coming from — the browser State DB. So — I'll strike that last. What he told you, okay. Reviewing the data, we saw that it came from the browser State DB file and WAL file, I should say, at the end. So it set off a lot of red flags. And then from there we contacted Cellebrite, and ultimately Jessica Hyde, and ultimately Mr. Whiffin as well.
MR. LALLY: Is that correct?
MR. GUARINO: Yes. He came in after Cellebrite. I reached out to them and they escalated it up, and he reached out to us to help us.
MR. LALLY: Now with respect to the health data that you were asked about — again, if you could explain to the jury — when something in there in the health data says "steps," what exactly does "steps" mean?
MR. GUARINO: As I said before, the phone is seeing movement. It doesn't necessarily mean you're taking steps. If you have the Apple Watch paired to it, you're going to get a greater level of accuracy, and I would be more apt to say that steps are being taken, because it's going to also bring your heart rate. So if you're taking a large amount of steps, it's going to correspond.
MR. LALLY: Now you were asked a lot of questions on cross-examination about just the health data. And why is it that you would look beyond just the health data?
MR. GUARINO: Well, you have the GPS points as well as health data. We're trying to look at everything together as a whole. You take one artifact and say, well, this means this, but you could have five others that disclaim it. So that's why we look at all of this stuff.
MR. LALLY: Now from that same information, as far as the GPS data that indicated that Mr. O'Keefe's phone arrived at 34 Fairview Road at 12:25 a.m. — correct?
MR. GUARINO: Yes.
MR. LALLY: Now as far as the clocks — or the three different clocks — that was presented to you, which has now been marked for identification — you indicated those were not accurate. Is that correct?
MR. GUARINO: Well, the file that it's coming from is not accurate. So it came from a power log file — that's the database it pulled from. So it's telling you the power of the phone. So when I looked at that, that also shows the battery level, and that's how I was able to show — or see, I should say — that John O'Keefe's phone never turned off. It dropped down to about 17% battery level. Being under his body, it was actually saved from dying overnight. And it also shows the timestamps of when it gets plugged in, and as it goes up — that has three different timestamps. That's what that is from. That is not when Waze started. That is not when the address is put in. That is strictly for the power log. There's nothing to do with anything else.
MR. LALLY: And so again, just sort of to that point — what if any connection do those timestamps in the document marked for identification that Mr. Yannetti showed you — what if any relationship does that have to the timestamps contained within either the Waze or GPS native locations, or anything else that you were testifying about before?
MR. GUARINO: It's literally showing that Waze has been opened and that it's pulling power from the phone. And that is it — that is nothing else.
MR. LALLY: Now with regard to — you were asked questions about Miss McCabe signing consent for extraction on February 2nd, 2022. Correct?
MR. GUARINO: Yes.
MR. LALLY: And Miss Kerry Roberts — she did the same on the same date. Is that also correct?
MR. GUARINO: Yes, I believe so.
MR. LALLY: Now the entirety of those extractions from both Miss McCabe's phone and Miss Roberts's phones — those were both provided well in advance of the dates the counsel was indicating. Correct?
MR. GUARINO: That is correct.
MR. LALLY: Now in regard to the Cellebrite extraction, in regard to Mr. Green's affidavit — Cellebrite periodically updates its versions of their software. Correct?
MR. GUARINO: That is correct.
MR. LALLY: And if you could speak a bit about the update in those versions and how that pertains to this case, and specifically Miss McCabe's searches.
MR. GUARINO: So the initial report that I created with version 7.53 did not have that item — to be able to be taken out. I was told by Cate? that 7.55 was the version that was enabled. Mr. Green used version 7.61. So that's why it presented itself.
MR. LALLY: Just — let me stop you there for one second. The version that Mr. Green used — was that available at the time that you did the initial extraction?
MR. GUARINO: No, it wasn't available for like a year later. It was like 10 upgrades later.
MR. LALLY: Sorry, sir. Continue.
MR. GUARINO: So again, he did the extraction, he looked at it, finds this artifact that's parsed out, and then I had to go back in and scramble to say, why didn't I see it the first time — when that report — why didn't it pull. So I reloaded the 7.53 version — it's not there. And then when I loaded into 7.61, it is. So there's just an issue with the software at the time.
MR. LALLY: So sir, with regard to those Google searches — what if any opinion did you have as to when those Google searches were conducted?
MR. GUARINO: When Miss McCabe told us — that happened at 6:23 and 6:24 — and then there was a third one later at 10:35. That, again, if she reopened that browser window, it's going to reload the search, and then that was it. Those are the three times that I saw in the phone extraction that were real searches.
MR. LALLY: And why is it your opinion that they occurred at 6:23 and 6:24 in the morning, and not 2:27?
MR. GUARINO: Well, it's physically impossible to search two things at once. Her phone — she's searching the daughter's basketball at 2:27, and then she's searching "It's Raining Men" and a few other things on her phone, listening to music, and I think then she goes to bed a few hours later. So at the — I was told that the defendant asked her to search for those terms — that's when we believe that they were done.
MR. LALLY: Now as far as WAL files — write-ahead logs — having things listed as deleted: if you could just speak a little bit more about that as far as why would something be listed as deleted in a WAL file, and what does that mean?
MR. GUARINO: Again, the user has no input on how a WAL file is deleted. It's an automated thing that the database does to clean up. It just auto-deletes after either programs are closed or it reaches a max data allotment for that page. That is it.
MR. LALLY: And that includes any sort of call log history that was contained in the write-ahead log of the WAL file as well?
MR. GUARINO: That is correct.
MR. LALLY: And so what if any opinion do you have as to those phone calls that you were shown in relation to the contact listed in Mr. O'Keefe's phone as "Coco" — as far as whether or not they were user-deleted?
MR. GUARINO: Well, again, the — what they showed me? was a limited thing. I know there should be two other locations that that phone call was listed. From looking at it myself, I don't know why they gave me just the two deleted things, but there should be other spots in the database for that phone call. So I don't believe that it was user-initiated — it was phone-initiated.
MR. LALLY: And that's in reference to the write-ahead log — sort of first in, first out as far as data that comes in. Is that correct?
MR. GUARINO: That's correct.
MR. LALLY: Now again, as far as your unit was concerned — you were the only one who created any Cellebrite reports in relation to any of the phones in this case, with the exception of the defendant's phone that was created by the Attorney General's office following their extraction of privileged material. Correct?
MR. YANNETTI: Objection.
JUDGE CANNONE: Sustained as to the form. This seems a good place to stop. So jurors, we'll take the lunch break. There is a chance that we may be able to go a full day tomorrow, so just think about that at lunch. If there's any emergency that would prevent you from being able to go — okay — all right. All yes. Thank you. Welcome back.
JUDGE CANNONE: All right, so jurors, when we were doing scheduling — and I know scheduling has changed a lot in this case — but my main goal is to get this case to you folks by next week. When we all want the case to you by next week. So originally on the 21st we were either going to do a whole day, and then we couldn't do a whole day and it was all of this back and forth, and it was a half a day, and it was because I had something scheduled in this courthouse that was not going to be continued — from forces that we weren't aware of. It is going to be continued tomorrow. So in light of that, I would like us — and we will be doing a whole day. I understand that for one of you it — you planned on an earlier stop to the weekend or a vacation day or something from the afternoon on.
JUDGE CANNONE: But really all I'm asking of you is to go from instead of a 1:00 stop to a 4:00 stop. And where I guess 14 of you are able to do that, we're going to do that. So tomorrow will be a full day. Okay. I don't know who I'm inconveniencing — I apologize for that — because when I said "emergency," an early start for the weekend was not an emergency. All right. Could we call the witness back, please?
COURT OFFICER: Please step up and remain. Thank you.
JUDGE CANNONE: No — All right, Mr. Lally. Thank you.
MR. LALLY: Good afternoon, sir.
MR. GUARINO: Good afternoon.
MR. LALLY: So with reference to this case, this investigation — who, if anyone besides you, created any Cellebrite CBR reports or abstractions from any of the phones involved in this case?
MR. GUARINO: Other than the AG's office, it was just myself.
MR. LALLY: And now, you had mentioned that there was some deleted material from the defendant's phone from the afternoon of January 29th, 2022. Is that correct?
MR. GUARINO: Yes, that's correct.
MR. LALLY: And what was that?
MR. GUARINO: That was deleted — there were some search items that were not there in the phone but found cookies related to said searches and websites visited.
MR. LALLY: So as far as search terms or web history, with those the areas that were deleted?
MR. GUARINO: Yes, that's correct.
MR. LALLY: I have nothing further.
JUDGE CANNONE: Oh, okay. Okay, so we brought you back for that. Trooper, thank you very much.
MR. GUARINO: Thank you.