Commonwealth v. Read — Trial ArchiveRichard Green - Direct/Cross
505 linesCOURT CLERK: Raise your right hand. Do you swear to tell the truth, the whole truth, and nothing but the truth, so help you God?
MR. GREEN: I do.
COURT CLERK: Thank you. Good afternoon.
JUDGE CANNONE: You may proceed.
MR. YANNETTI: Yes. Sir, if you'll pull that microphone as close to your face as you can so your voice will be kept up — and I'd ask you to state your name and spell your last name.
MR. GREEN: Sure. Richard Green. That's G-R-E-E-N.
MR. YANNETTI: Where do you live, sir?
MR. GREEN: I now reside in Coldwater, Michigan.
MR. YANNETTI: What do you do?
MR. GREEN: I own and operate a company called United States Forensics.
MR. YANNETTI: And what is United States Forensics?
MR. GREEN: Sure. We're a digital investigation firm. We have — we're licensed in Florida and Michigan, but we do cases across the country.
MR. YANNETTI: All right. And again, I'd ask you to keep your voice up, only because we have an air conditioner there and we have jurors behind me — okay? As best you can. Now, you are president of that company, sir?
MR. GREEN: I am.
MR. YANNETTI: In addition to managing the company, what do you do on a day-to-day basis?
MR. GREEN: Well, I perform the majority of the investigations.
MR. GREEN: I specialize in computer, cell phone, Cloud, auto video, metadata, media, surveillance systems — things of that nature.
MR. YANNETTI: Do you work in conjunction with others?
MR. GREEN: Certainly.
MR. YANNETTI: Describe that, please.
MR. GREEN: Certainly. Well, we do take cases from individuals, or — prefer to take cases from attorneys. We've also worked with numerous public defenders, we've worked with a federal public defender, we've worked with law enforcement — so quite a variety of clientele.
MR. YANNETTI: Civil cases?
MR. GREEN: Yeah, civil and criminal. I would put it about 60% criminal, 40% civil.
MR. YANNETTI: Okay. And on the criminal side, you've done both law enforcement and defense, correct?
MR. GREEN: Yeah.
MR. GREEN: Most of the law enforcement ones, though, have been more geared towards civil — is when they had — perhaps they were party to a suit and it was just improper for them to use their own experts. So that's where we've provided assistance.
MR. YANNETTI: Now, how long have you been involved in the field of data forensics?
MR. GREEN: Sure. Well, my first case and testimony was 28 years ago. I'm not even sure we called it data forensics back then, but that was 28 years ago. And then about 16 years ago, I started the company United States Forensics, and been full-time in the industry since that point.
MR. YANNETTI: All right. Now, you mentioned that you actually testified for the first time 28 years ago — that would have been 1996, if my math is correct?
MR. GREEN: That's correct.
MR. YANNETTI: You were qualified as an expert witness at that time?
MR. GREEN: Yes, sir.
MR. YANNETTI: In order to have been qualified as an expert witness, you must have had experience before that?
MR. GREEN: Yeah, specifically in computers. We didn't do much with cell phones back then — by about a decade or so in computer IT networking. We actually built a line of computers, a lot of repairs, so I was pretty deep into the computer IT world at that point.
MR. YANNETTI: Okay. And you say you formed your company in 2006, correct?
MR. GREEN: Correct.
MR. YANNETTI: And you work full-time? Part-time? What's your schedule?
MR. GREEN: Oh, it's been full-time ever since.
MR. YANNETTI: Would you describe for the jury, please, your educational background, your training, certifications, etc.
MR. YANNETTI: — but why don't we break it down into smaller —
MR. GREEN: Sure.
MR. YANNETTI: Okay. First, with regard to your training that you've received —
MR. GREEN: Sure. So the — that would have to do with an associate's degree in digital forensics.
MR. YANNETTI: Well, that would more be your education, right? You received an associate's degree in digital forensics, correct?
MR. GREEN: Okay.
MR. YANNETTI: So why don't we start with education, since you did?
MR. GREEN: Well, that was part of the work, and more or less the formal training to get that degree. The certification — which, again, this all kind of goes hand in hand — but the certification training would be the CCE, which is Certified Computer Examiner, from the International Association of Criminal Investigation Specialists. I also have a...
MR. GREEN: ...certification as a computer crime-related investigator, cybersecurity, as well as computer first responder. The training aspect — over the last 18 years, on really a daily basis, I've participated in — I've done research into the newest developments in computer forensics, and really on usually a weekly basis will target some training seminar. I found in this business, even if you took — like, six months off — you would start to get behind. It changes that rapidly. And you really need to do continual training.
MR. YANNETTI: Okay. And again, your voice trailed off a little bit at the...
MR. YANNETTI: —end. So, I'm sorry, I'm sorry to keep reminding you, but I just want to make sure everybody hears. Um, with regard to the amount— you know, your case load at US Forensics— can you give the jury some idea of how many cases you handle on a yearly basis, or historically?
MR. GREEN: Yeah, we average— I'd say between -- and 120 cases a year. We probably get inquiries to about three times that amount.
MR. YANNETTI: Okay. And have you testified as an expert witness in the area of computer forensics since that 1996 first appearance?
MR. GREEN: Yeah, we testify about two dozen times in various state and federal courts.
MR. YANNETTI: Okay. And when you say "various states and courts"— is that state court, federal court, both?
MR. GREEN: Both.
MR. YANNETTI: Now, directing your attention to September of 2022— were you contacted by somebody to become involved in this matter?
MR. GREEN: Yes, sir.
MR. YANNETTI: Remember who that was?
MR. GREEN: I believe it was Miss Little.
MR. YANNETTI: What were you asked to do?
MR. GREEN: Well, there were three cell phones related to this case, and to provide relevance with the data on those phones as related to the incident on January 29th, 2022.
MR. YANNETTI: Okay. And were you aware of the owners of those three phones?
MR. GREEN: Certainly. It was Karen Read, John O'Keefe, and Jennifer McCabe.
MR. YANNETTI: Now, I'd like to ask you first, if I can, about John O'Keefe's phone. How did you receive the data from that phone, if you remember?
MR. GREEN: Yeah, we received what's called an image file, and that's a forensic term that we use. Essentially it's a copy of the data that's encapsulated into a single file. In this case it was a zip file.
MR. YANNETTI: Did you examine that data?
MR. GREEN: I did.
MR. YANNETTI: What were your goals during your examination of John O'Keefe's phone? What were you— what were you looking for?
MR. GREEN: Well, initially what was supported was the location data. We wanted to get an idea of when he had arrived, and anything else that we could tell from that as far as location.
MR. YANNETTI: And when you say "when he arrived," do you remember the location that you were asked to learn about— when you— 34...
MR. GREEN: Fairview, in Canton?
MR. YANNETTI: Yes, sir. All right. Were you able to determine, as a result of your examination, approximately when his phone arrived at 34 Fairview Road, according to the location data?
MR. GREEN: Yes, sir.
MR. YANNETTI: And how did you do it?
MR. GREEN: Sure. Well— I say "we," so that's the proverbial "we." I extracted the location cache data, which is stored on your phone, and it's in a certain location. We exported that out, and then we use a tool called CellHawk, and we import it in there so it can take literally, you know, thousands of data points and automate that process to specific GPS locations— and, just as importantly, the range of accuracy that that location is reporting.
MR. YANNETTI: Okay. So, according to the process that you underwent, what time did the location data indicate that John O'Keefe's phone arrived at 34 Fairview on January 29th, 2022?
MR. GREEN: So the first one right to the driveway was at 12:24 and 28 seconds.
MR. YANNETTI: 12:24 and 28— correct?
MR. GREEN: Correct.
MR. YANNETTI: Um, now, if I asked you to filter John O'Keefe's location data within an accuracy of 3 feet using CellHawk, could you try to do that?
MR. GREEN: Yes, sir.
MR. YANNETTI: Um, in fact, did you try to do it?
MR. GREEN: I did— when? Last night.
MR. YANNETTI: Who asked you to do that?
MR. GREEN: You did, sir.
MR. YANNETTI: May I approach, your honor?
JUDGE CANNONE: Yes.
MR. YANNETTI: So I've placed it for you. Could you familiarize yourself with that and look up at me when you're done?
MR. GREEN: All right.
MR. YANNETTI: Recognize that?
MR. GREEN: I do.
MR. YANNETTI: What is it?
MR. GREEN: So this is a screenshot from the CellHawk program. It has a kind of a central box here that says "database settings," and this is where we apply a certain filter.
MR. YANNETTI: And what filter did you apply?
MR. GREEN: This was for the accuracy of less than or equal to 3 feet.
MR. YANNETTI: With regard to what?
MR. GREEN: John O'Keefe's location data.
MR. YANNETTI: Um— is that— is the data on that document exactly what you received when you used the CellHawk program to filter the data?
MR. GREEN: Yes, sir.
MR. YANNETTI: I would offer that, your honor.
MR. LALLY: No objection.
JUDGE CANNONE: No objection— sir—
MR. YANNETTI: Oh, I'm sorry, I thought you said "objection." So you need to give it to Madam court reporter. I'm all flustered. Sorry. And if the witness could have that again— thank you. With permission, I'd like to publish that.
JUDGE CANNONE: Okay. Okay.
MR. YANNETTI: So, Mr. Green, what are we looking at?
MR. GREEN: Okay. So that is the screenshot from CellHawk.
MR. YANNETTI: And what can you tell us about what you learned from that exhibit?
MR. GREEN: Well, I'll just use the pointer here— might help— but you can see up in this part here, where this is where we apply the filter for 3 feet or less— that'd be the accuracy— and then it actually returned zero results, meaning all of the data within there had an accuracy rating higher than that 3-foot. It could be 5 meters or 10 meters, but none of it was granular enough at a 3-foot or less accuracy level.
MR. YANNETTI: Okay. And if you had input an accuracy of within, say, 500 feet, what would you find?
MR. GREEN: Yeah, you would see then a large number of circles, each circle representing the meters that the accuracy would be related to. What's really important to understand, though, is you don't want to look at just the middle of the circle— that accuracy indicates it could be anywhere in the circle. So if you saw one and it encompassed two or three houses, you could only draw that inference of somewhere in that circle. So it's— it's kind of like how— the hurricane, they say, "Don't just look at the cone," right? Because it could be different than that. Um, also, the accuracy— this is Apple's best guess at what the accuracy is, so it could actually be different than that. Apple is using a number of services, and they're giving back the best estimation that they can for the accuracy.
MR. YANNETTI: Okay. So we've talked about the location cache data and where it put John O'Keefe's phone in terms of arriving at 34 Fairview. But was there also Apple Health Data on John O'Keefe's phone during that time?
MR. GREEN: Certainly, yes.
MR. YANNETTI: Is Apple Health Data generally accepted within the forensic science community as being reliable?
MR. GREEN: Well, the Apple Health Data comes from something called HealthKit, but it's integral to the iOS system, so anyone that has an iPhone has probably seen Apple Health Data. And— it's known to have extremely valuable data that the forensic tools work with and present to us. The degree of accuracy— it depends on the type of data that's being pulled out, on the artifacts. For example, steps are known to have an accuracy of around 98 percent on the actual steps occurring. So if the Apple Health Data returns, for instance, steps of, you know, 20 steps within a certain time period, 98% of the time Apple's going to be right— that's what studies have shown.
MR. YANNETTI: All right. May I approach the witness, your honor?
JUDGE CANNONE: Yes.
MR. YANNETTI: You want this back? Okay. I've placed another document for you. Do you recognize what that is?
MR. GREEN: Yes, I do. This lists out Apple Health Data that was from John O'Keefe's phone on January 29th, 2022.
MR. YANNETTI: All right. That came from the data that you received— the image file of John O'Keefe's phone— correct?
MR. GREEN: That is correct.
MR. YANNETTI: I would offer that, your honor.
MR. LALLY: No objection.
MR. YANNETTI: And with the court's permission, may I publish that, your honor?
JUDGE CANNONE: Okay.
MR. YANNETTI: Um, specifically, I'd like to start with page two, record two. Hey, Mr. Green, are you wearing the right glasses to be able to see the— yeah?
MR. GREEN: I probably need bifocals. I keep switching glasses.
MR. YANNETTI: Can you— are you able to read what is on the screen? And if it's easier, you can look on your document in front of you. It's page two, record—
MR. GREEN: Yeah, you know, I think I'm going to have to do that. I can probably still see good enough to do the laser one.
MR. YANNETTI: I'm sorry, which record is this you're looking at?
MR. GREEN: Page two, record number two.
MR. YANNETTI: Okay. Yes, I have that in front of me. Okay. What does record number two show on page two of John's Apple Health Data?
MR. GREEN: Sure. So this is the number of meters— it's listed as 87.74— and the time is listed between 12:21 and 10 seconds, and— there's a milliseconds after that, but I'll just round it off to the second, if you don't mind— so 12:21 and 10 seconds to 12:24 and 22 seconds.
MR. YANNETTI: Okay. And you said that it showed 87.74 meters of travel during that time period— correct?
MR. GREEN: Correct.
MR. YANNETTI: And with regard to that same time period— 12:21 and 10 seconds to 12:24 and 22 seconds— please turn to page 5, and, Mr. Bates, if you would zoom in on record number two.
MR. GREEN: I have that.
MR. YANNETTI: Okay. What does record number two reflect?
MR. GREEN: It's the same time— in the steps taken is recorded— is 80 steps.
MR. YANNETTI: Okay. And you said the same time period— so, again, 12:21:10 to 12:24:22?
MR. GREEN: Correct. Correct.
MR. YANNETTI: All right. Now I'd like to direct your attention to page four, record number one. Mr. Bates, are you ready? Mr. Green, if you could tell the jury what that reflects.
MR. GREEN: Sure. So this indicates three sets of— um— floors, that represents elevation change, so it doesn't indicate to us up or down, but three -- in the time period— for that is 12:22:04 to 12:04:37.
MR. YANNETTI: Okay. Did you say 12:21:04 to 12:22?
MR. GREEN: I'm sorry— 12:24:37. Yeah, yeah, 12:22:04 to 12:47:37.
MR. YANNETTI: Um, and with regard to all of this data— the 80 steps and the three flights of stairs that you mentioned— um, is it possible to pinpoint where within the time frame that's given those steps or flights of stairs were ascended or descended?
MR. GREEN: No. The most granular we can get is the time period, and it doesn't— it doesn't signify it as any more likely at the beginning of the time period, then at the end of the time period, then at some time in the middle. And if you think logically— like distance traveled— that doesn't happen at a split moment, it happens over a certain period of time. So time is a factor in that equation, and this is how Apple records that data.
MR. YANNETTI: You got it— you've got to look at the time overall. Okay, so you don't know if the steps are bunched up toward the beginning or toward the end or more evenly spread out?
MR. GREEN: No, I would not be able to tell you that.
MR. YANNETTI: Now, we've discussed the Apple Health Data. I want to go back for a second to talk about the location data on the iPhone. Does that data that you've already talked about, in terms of the arrival time that it gave for John O'Keefe's phone at 34 Fairview Road — does that arrival time fall within or outside the range of 12:21 and 10 seconds, or 12:21 and 10 seconds and 12:24 and 37 seconds?
MR. GREEN: Well, there is — that certainly indicates an overlap. The health data is ending after the arrival.
MR. YANNETTI: And we can — now, I'd like to discuss with you the concept of clocks used by apps on an iPhone.
MR. GREEN: Sure.
MR. YANNETTI: Are you aware of the three different clocks that are used by iPhone apps?
MR. GREEN: I am.
MR. YANNETTI: What are they?
MR. GREEN: You have — so we have three separate internal clocks. You have a monotonic clock, a baseband clock, and a wall clock.
MR. YANNETTI: And is the wall clock also called the display clock?
MR. GREEN: Yeah, that would also be a common name for that.
MR. YANNETTI: And what is the significance of the existence of three clocks regarding, you know, different times that may show up within these records?
MR. GREEN: Sure. Well, app developers can access Apple's program library, and they can call upon any of the clocks to use within their apps.
MR. YANNETTI: Okay. Now, in your investigation and examination of this case, did you find examples on this phone of different clocks being used?
MR. GREEN: So in this particular case, I had reprocessed the data with the newest version of the Magnet AXIOM forensic program. It's similar to Cellebrite — they're competitors. So Cellebrite — and we use both programs. And this newest version had a feature in there where you can filter for the Waze application. And again, just following up and seeing how this functions, we filtered for the Waze application, and for the first time we saw this monotonic timestamp being related to the Waze application.
MR. YANNETTI: Okay. I want to show you Exhibit 640. If I approach — I've placed Exhibit 640 before you, sir. Do you recognize what that is?
MR. GREEN: Yes, sir.
MR. YANNETTI: What is it?
MR. GREEN: So this is a screenshot from the Magnet AXIOM program I was referring to. It's the 8.1 — actually, it looks like 4.2.8.7 —
JUDGE CANNONE: Voice up, sir.
MR. YANNETTI: I'm sorry.
MR. GREEN: So it's the newest version of the program, and we have it filtered for the Waze app, and it's giving us the timestamps associated with it.
MR. YANNETTI: Okay. With the Court's permission, may I publish that?
JUDGE CANNONE: There you go.
MR. YANNETTI: First of all — that is probably too small. Okay, thank you. I'll go off to this one. There we go. With regard to what we are looking at there on that part of the screen, what are we looking at, Mr. Green?
MR. GREEN: Okay, so this is listing details of this particular artifact, and you can see that this is the bundle — "com.waze.iPhone" — that's a standard bundle type name where it always starts with "com." and then the application reference.
MR. YANNETTI: And what does that mean when it says — it's highlighted on the screen — "com.waze.iPhone"? What does that mean, what we're in right now?
MR. GREEN: Well, this is an artifact specifically related to the Waze program. Waze — yes, sir.
MR. YANNETTI: All right. Go on.
MR. GREEN: And we can see here our entry for the monotonic time, the baseband time, and the display time.
MR. YANNETTI: And what did you notice about the relationship of the three of those?
MR. GREEN: Certainly. Well, most noticeable about this — the monotonic is running a little over 3 minutes ahead of the display. So — I think it's 3 minutes and one second, give or take a little. So, you know, in a lot of cases 3 minutes may not seem like much, but in this case, this struck me as important to —
MR. LALLY: Objection. Move to strike.
JUDGE CANNONE: Sustained. I will strike that. Next question.
MR. YANNETTI: I apologize. You can hand that back to Madam Court Reporter.
MR. GREEN: Sure.
MR. YANNETTI: And I'd like to go back to the Apple Health Data. Mr. Bates, if you would put that back up. And this — so this would be page two, record number three. And do you — you don't still have that in front of you, do you?
MR. GREEN: Actually, I do.
MR. YANNETTI: You do?
MR. GREEN: I do.
MR. YANNETTI: Page two, record number three. So, yes, sir — what does that show?
MR. GREEN: All right. Okay, so this is another entry from John O'Keefe's cell phone data, and this records 25.46 meters occurring between 12:31:56 to 12:32:06.
MR. YANNETTI: Okay, so we have 36 steps being taken according to Apple Health Data on John O'Keefe's phone, for a time period that ends at 12:32:06.
MR. LALLY: Objection.
JUDGE CANNONE: Sustained. Ask it differently, Mr. Yannetti.
MR. YANNETTI: With regard to those 36 steps, do we know where within that time frame they were taken?
MR. GREEN: Sure. Let me reread that. January 29th, 2022 — 12:31:56 a.m. — it's actually 12:31:56.190 to 12:32:06.507 a.m.
MR. YANNETTI: Okay. All right. So now I'd like to switch, if we can, to Jennifer McCabe's phone and your analysis of that. During the course of your examination, when you reviewed data from her phone, did you find a particular artifact of interest?
MR. GREEN: Yes, I did.
MR. YANNETTI: What did you find?
MR. GREEN: We found a Google search that happened — first of all, the search was "how's long to die in cold," and it happened at or before 2:27 a.m.
MR. YANNETTI: All right. Where was that search found?
MR. GREEN: Sure. So the artifact on that was called a Safari suspended tabs artifact, and there's a database associated with that called the browserState.db database. And a companion file, which is by the same name but ends in "-wal," which stands for write-ahead log. And the write-ahead log is where the data first gets written to, and then at certain points that data then gets committed and written to the main database.
MR. YANNETTI: All right. So — if I'm correct — that browserState.db-wal file, that's a temporary file, right?
MR. GREEN: It's temporary by nature, but — that's not to say — it's integral. It's part of the way SQLite functions. So it's not like a throwaway file. It's part of the way the whole system works.
MR. YANNETTI: And is it helpful to you when evaluating artifacts?
MR. GREEN: Certainly. Yeah, by nature of it, we'll find a lot of the newest artifacts in that WAL file.
MR. YANNETTI: Now, how do you determine the timing — in terms of the timestamp on the browserState.db-wal file?
MR. GREEN: Sure. So the WAL file has different rows and columns. You can kind of think of it as an Excel spreadsheet. And in this one particular column — it was a time column; that'd be the nature of the data going into it — the heading on this particular one was "last view time."
MR. YANNETTI: Okay. Regarding that Google search for — "how's long" — and I say "how's long to die in cold" — found in the browser State.db-wal file, what was the date and time for that artifact?
MR. GREEN: Sure. So that's recorded in what's called Apple Cocoa time, and it's actually the number of seconds since January 1st, 2001. So you end up with this large number, but that gets converted to present to us something that's human readable, and then you have to apply the offset for the local timezone. So once you do all those calculations, that's where we get January 29th, 2022 at 2:27.
MR. YANNETTI: The specific — do you remember the number of seconds?
MR. GREEN: I believe it's 40 seconds. 2:27:40.
MR. YANNETTI: And in what state did you find that artifact?
MR. GREEN: Yeah, so the specific artifact — it comes from a record, and the record number on this is 4028, I believe — and it was in a deleted state.
MR. YANNETTI: Now, what would you normally expect to find along with the artifact, sir?
MR. GREEN: So you'd have the date and time, the URL — which, the way the URL presents itself, we know that as a Google search — but you also see a history of other places that tab has been.
MR. YANNETTI: And with this particular artifact, did you learn the full internet history of websites related to that record?
MR. GREEN: No, that wasn't possible. We were only able to get the one website. I would say — I'm sorry — go ahead. Go — I interrupted you.
MR. YANNETTI: Well, no, is —
MR. GREEN: So we definitely got the one artifact — the Google search — and we have the time related to it, but we do not know everywhere else that tab had been.
MR. YANNETTI: What significance was there to you about the fact that the full internet history related to that record could not be recovered?
MR. GREEN: Well, I wanted to do a deeper dive into that, and so I used some various other database-specific tools. One was called Belkasoft X, which has an excellent database viewer in it. Sanderson Forensics, which is known to specialize in this type of work. And ARTX — I'm sorry — ARTX —
MR. YANNETTI: ARTX, you saved me.
MR. GREEN: Yes. ARTX, which is a program known in the community for research.
MR. YANNETTI: And how did you sort of cross-reference the three of those together? How'd you use them?
MR. GREEN: Yeah, so all three of those tools, along with AXIOM and Cellebrite — which I did; they do have a low-level SQLite viewer as well — so I looked at the data with all five of those tools and I found it to be consistent amongst all the tools.
MR. YANNETTI: And in addition to using those tools, what else did you do? I want to get a little more context.
MR. GREEN: One thing — with this artifact, it is deleted. And one thing about deleted data: sometimes you get it all back, sometimes you don't, sometimes you get a fragment. Deleted data makes it very difficult to give you the whole picture of what's happening. So in this particular case, I wanted to see what other artifacts were around this time as related to web history, and particularly this browser database file.
MR. YANNETTI: And so, what do you compare the 2:27 a.m. search to in order to gain more information?
MR. GREEN: Exactly. I'm sorry — so, what we found is that when we looked at a particular URL, a particular website that was visited and then searched using that URL, the browserState database entry is the last entry in all of that. So we could see searches, video playing — there's an artifact ...called KnowledgeC that records the user's activity, but the browser state is the very last entry on the items that we observed.
MR. YANNETTI: And did you find other examples of that that you can speak to before this jury?
MR. GREEN: Yes. I believe we have one printed out there.
MR. YANNETTI: Okay. May I approach, Your Honor?
JUDGE CANNONE: Yes.
MR. YANNETTI: I place the document before you, sir. If you could familiarize yourself with that and look up at me when you're done.
MR. GREEN: I have it.
MR. YANNETTI: What is it?
MR. GREEN: Okay. So this is another screenshot from the Magnet AXIOM program, and it is showing a search that we conducted for "It's Raining Men," and then it takes that search and we have a couple of different items on there. We set the date to begin in 1970 and ending in 2100 — in other words, we only want to see artifacts that had dates associated with them — and then we listed them from the new state to the old state, and this particular one again ends up with the Safari suspended tabs artifact being the very last in the series of days and times.
MR. YANNETTI: I'd like to go through that, but first I'd offer it into evidence, Your Honor.
MR. LALLY: No objection.
JUDGE CANNONE: Admitted. Exhibit —.
MR. YANNETTI: And with the Court's permission, may it be published?
JUDGE CANNONE: Yes.
MR. YANNETTI: Certainly. So I'm going to switch glasses back here — forgive me.
JUDGE CANNONE: Do you need the light on, sir?
MR. GREEN: No, I'm fine, Your Honor. Thank you. I can certainly do this. So we are looking at here web-related history, and also I have the filter turned on for application usage, because there are some log files — sort files — that the iPhone keeps track of to record user interactions, and that can give us an idea of the history as well. And then, as I mentioned, we have it filtered so it's only showing artifacts that had dates, and we took the earliest possible date to a date way in the future. And then it's listed, and next to the date and time you'll see a little arrow — it's skinny at the top and big at the bottom — that tells you it's going from smallest, earliest time to latest time.
MR. GREEN: And this particular view is showing us the last of that series, because what's relevant and really important here is that the Safari suspended state tabs ends up being the last of the entries related to that — not one of the beginning entries related to that.
MR. YANNETTI: And what is the significance of the Safari state being the last entry? What does that tell you?
MR. GREEN: Well, it tells us the internet history happened before that. And the purpose of this tab — on at least this particular iPhone with this very specific iOS version — is to record the state of that tab when the user left it. And the whole purpose of that is: if you're on Safari, on a website, and you have to take a phone call or answer a text message and you navigate away from the Safari app — when you come back it remembers where you were and allows you to pick up from there. It also allows you to hit the tab button and see what other tabs you might have open and navigate to one of those tabs.
PARENTHETICAL: [sidebar — audio muted]
JUDGE CANNONE: Court back on record
MR. YANNETTI: All right. So as I see the last tab — and I want to confirm — the time is 1/29/22, same day, at 2:27 and 38 seconds? Is that what it says?
MR. GREEN: I'm sorry, I'm definitely getting a pair of bifocals. I apologize. I feel a little silly. reading Yes, yes. On this particular one. So that is just moments before the Google search artifact — the one that you previously talked about — "how's long to die in cold."
MR. YANNETTI: Yes.
MR. GREEN: But all the other history of this particular artifact was before that time.
MR. YANNETTI: Correct?
MR. GREEN: Correct.
MR. YANNETTI: So with regard to what that tells you about when "It's Raining Men" was either searched or accessed — was that at, after, or before 2:27 and 38 seconds?
MR. GREEN: I'm sorry, can you —
JUDGE CANNONE: Sustained.
MR. YANNETTI: Okay. Say it one more time — let me try and put it a different way. Given the timestamp of 2:27 and 38 seconds on January 29th for that Safari suspended state tab with "It's Raining Men," what did that tell you about the timing of when "It's Raining Men" was accessed by the user?
MR. GREEN: Well, so the indications would be that that tab was brought up and then went away from — to do another tab. So it can happen in less than a second; it doesn't take long to open up a tab and start a new tab, it can be done very quickly.
MR. YANNETTI: I'm not really phrasing this the right way to get what I want. What I want is the timing of the interaction with "It's Raining Men" by the actual iPhone user — when did that happen?
MR. GREEN: Well, certainly all the activity that we have is all prior to the recording of that timestamp in the browserState.
MR. YANNETTI: All right. Now, with regard to this particular example where the browserState.db is the last entry — so the activity happened before — was that unique to this phone, or were there many examples of this?
MR. GREEN: No, I found many examples of this exact behavior.
MR. YANNETTI: All right. Now, given your findings in researching these issues and how this user used this iPhone with this iOS, do you have an opinion to a reasonable degree of scientific certainty as to the timing of that search for how's long to die in cold?
MR. LALLY: Objection.
JUDGE CANNONE: Sustained.
MR. YANNETTI: Do you have an opinion to a reasonable degree of scientific certainty as to when how's long to die in cold was searched?
MR. LALLY: Objection.
JUDGE CANNONE: Sustained.
PARENTHETICAL: [bench conference]
MR. YANNETTI: Do you have an opinion as to the timing of that first search for how's long to die in cold?
MR. GREEN: Yes, I do.
MR. YANNETTI: What is that opinion?
PARENTHETICAL: [inaudible — cross-talk re: exhibit admission]
MR. GREEN: That that would have happened at or before January 29th, 2022 at 2:27:40 a.m. in the morning.
MR. YANNETTI: And what is the basis for your opinion?
MR. GREEN: Again, by how this particular phone operates with that exact operating system, and comparing to other data on that phone and the way it presented itself — it's all consistent with that search happening at or before that time.
PARENTHETICAL: [unclear]
MR. YANNETTI: And what opinions or conclusions did you reach regarding how, if any, the 2:27 a.m. search was deleted?
MR. GREEN: Well, we know that that's in a deleted state. And importantly, on that phone — I say, using the proverbial "we" — I found a lot of other deleted artifacts between midnight and the early morning on January 29th, 2022.
MR. YANNETTI: Are you aware of any internal mechanisms that could have caused that deletion?
MR. GREEN: No, not in this particular case. I know of no mechanism that would have done that.
MR. YANNETTI: All right. And you mentioned other deletions on the phone. I want to show you what has been marked — if I may approach —
JUDGE CANNONE: Mm-hmm.
MR. YANNETTI: — for identification. Do you recognize what I placed before you, sir?
MR. GREEN: Yes, sir.
MR. YANNETTI: What is it?
PARENTHETICAL: [sidebar — audio muted]
JUDGE CANNONE: You are unmuted.
MR. GREEN: Okay. This is from Cellebrite — a program, again, like Magnet AXIOM, that processes data — and this lists out record 623, a deleted call record.
MR. YANNETTI: Are you able to see from that record to whom the call was placed?
MR. GREEN: Well, we have the number, and I won't necessarily read it out loud here. But through searching — and this is from the phone of Jennifer McCabe — through searching for that number, I was able to see that it went to — do you want me to say the name?
MR. YANNETTI: Sure. Yeah.
MR. GREEN: Uncle Brian A—
MR. YANNETTI: I would offer that into evidence, Your Honor.
MR. LALLY: Same objection as before, Your Honor, as when this was previously admitted.
MR. YANNETTI: May we approach?
JUDGE CANNONE: So, folks, we're trying to streamline the exhibit numbers. It looks like this may already be in evidence — it's one of four different numbers. So I sort of wanted to keep it with that. We are so far removed from where it was that this will just come in as the next exhibit, so you will technically have it in evidence twice. Okay. [Exhibit 65.] Thank you. Yes.
MR. YANNETTI: There is one final document before you. If you can identify that for the jury, please.
MR. GREEN: Yes. This is another report generated out of Cellebrite, based on Miss McCabe's cell phone data, and it lists out the call log with a number of deleted items and a number of live items.
MR. YANNETTI: I would offer that —
JUDGE CANNONE: [Exhibit] 66. Thank you.
MR. YANNETTI: If you could hand that to the witness. Okay. With regard to that exhibit, Mr. Green, what did you find that was unusual, if anything?
MR. LALLY: Objection.
JUDGE CANNONE: Sustained. Ask it differently, Mr.
MR. YANNETTI: Yes. What did you find of note?
MR. GREEN: Certainly.
MR. YANNETTI: What was the time frame of the deleted records?
MR. GREEN: I'll just talk about this particular report here. It starts at 5:33:47 in the morning, and on the second page we see it ends at 8:50:05 a.m. And then the normal calls — we call them live data — then begin at 8:59:34, and go on throughout the day with no additional deletions.
MR. YANNETTI: Am I right that those are all — that's the call log — those are all phone calls?
MR. GREEN: Correct. Yes, this is the call log.
MR. YANNETTI: And what was the difference between the calls that were at 8:59 and after on January 29th, 2022 — and the calls that were before, at or before 8:50 a.m. on January 29th, 2022?
MR. GREEN: Yeah, well it's the state they were found in — deleted versus live data. I'm sorry: deleted data at the earlier time, and live data after the 8:59:34.
MR. YANNETTI: What percentage of phone calls were found deleted on Jennifer McCabe's phone prior to 8:50 a.m. on January 29th?
JUDGE CANNONE: All right. I have to see you — take this down for a minute, please. I have to see counsel.
MR. YANNETTI: So Mr. Green, I'm not sure if that question was clear or if you understood it. If it's not, please let me know. But I had asked you — from the first recorded call there that was listed as deleted, until 8:50 a.m. or so — what percentage of calls were deleted on Jennifer McCabe's phone within that time period?
MR. GREEN: Yeah, so we found no live data. So 100% of them have been deleted.
MR. YANNETTI: Now, are you aware of the term "spontaneous deletion"?
MR. GREEN: No sir. I know what the individual words mean, but in relation to digital forensics I'm not familiar with that term.
MR. YANNETTI: And do you have an opinion as to how those calls would have been deleted from that phone?
MR. GREEN: Those would have been manually deleted.
MR. YANNETTI: I have a moment?
JUDGE CANNONE: Sure.
MR. YANNETTI: No further questions. Thank you, sir.
MR. LALLY: Good afternoon, sir.
MR. GREEN: Good afternoon, sir.
MR. LALLY: Do you know who Miss Jessica Hyde is?
MR. GREEN: I do.
MR. LALLY: Are you aware that she wrote a report in relation to this case?
MR. GREEN: Yes.
MR. LALLY: Specifically in regard to the Google searches from Ms. McCabe's phone that you were just talking about?
MR. GREEN: Yes sir, it was very specific about that search.
MR. LALLY: And have you had a chance to review that report?
MR. GREEN: I have.
MR. LALLY: You also know who Ian Whiffin is?
MR. GREEN: Certainly, yes.
MR. LALLY: And are you aware that he wrote several reports, submitted several items, in relation to — again — the exact topic that you're testifying about, in relation to the Google searches on McCabe's phone?
MR. GREEN: Yes sir, I understand that.
MR. LALLY: And have you had a chance to review those materials as well?
MR. GREEN: Yes sir.
MR. LALLY: You understand that they both disagree with what your opinion is in relation to those searches?
MR. GREEN: I absolutely understand that, sir.
MR. LALLY: Now, just as far as your qualifications and certifications go — I'm just having a difficult time from the certifications that you have — at what point were you — or what specific certifications do you have with reference to Cellebrite as a tool, as far as your use and interpretation of data from Cellebrite?
MR. GREEN: Certainly. So my certifications are much more broad. They have to do with the fundamentals and how we conduct the investigations, and what we should know and when we need to do more work, and such like that. Cellebrite — I do not have any specific Cellebrite certifications. They offer many of them. However, I have participated in — God, I can't even count — hundreds of their training events that they offer. Both Cellebrite, AXIOM, Belkasoft — they all provide the community with fantastic support as far as that. And although certainly a class can be very good, you really need to stay up to speed. You've got to participate in the most recent understanding being put out there. Even in the changes — their tools will change from one version to another.
MR. LALLY: And so, to the point — as far as you — you have no certifications in regard to Cellebrite as a tool and how to use it, those kind of things?
MR. GREEN: That's correct, sir.
MR. LALLY: Okay. And in this specific instance, at any point did you reach out to Cellebrite to go over sort of your findings or your opinions in relation to this search?
MR. GREEN: I did.
MR. LALLY: And who, if anyone, did you speak with from Cellebrite?
MR. GREEN: As close as I can remember, I know it was Leo, and I believe it was Santos.
MR. LALLY: And do you know what part of Cellebrite they work in or what they do?
MR. GREEN: Well, he was in technical support, and I contacted him. He had informed me that they had elevated this up to some higher level technical support. When they came back, his comments to me — if you want to hear them — were —
MR. LALLY: Okay. Set aside his comments. But at some point, I understand you talked to technical support. Is that correct?
MR. GREEN: Absolutely.
MR. LALLY: And they indicated that they would refer you to — actually, Mr. Whiffin's team?
MR. GREEN: No sir, they did not.
MR. LALLY: So you weren't told that you were referred to Mr. Whiffin's team, and you weren't contacted by anyone from Mr. Whiffin's team?
MR. GREEN: No. I forget the exact date — a couple weeks ago, maybe a month ago — out of the blue I got an email from Mr. Whiffin, saying — and I can't — I don't want to misquote — certainly I got an email.
MR. LALLY: I'm asking about any specific conversation you had. I'm asking about a time period — more back in 2022.
MR. GREEN: I'm sorry, I couldn't quite hear you.
MR. LALLY: Back in 2022, did you reach out to Cellebrite in relation to this search and your opinions related to it?
MR. GREEN: Yes sir.
MR. LALLY: And at that point, was that the point that you spoke to someone from technical support?
MR. GREEN: Yes sir.
MR. LALLY: And at that point, did someone from technical support actually refer you — or tell you that they were referring you — to Mr. Whiffin's team?
MR. GREEN: No sir, I had absolutely no idea about that.
MR. LALLY: So no one from Mr. Whiffin's team reached out to you, and then you just never called them back?
MR. GREEN: That didn't happen — not that I'm aware.
MR. LALLY: Now, you were asked to look at a couple of different phones, and I'm assuming by counsel for the defendant, is that correct?
MR. GREEN: Can you say that once again? I'm sorry.
MR. LALLY: You were asked to look at three different phones — is what your testimony was — and I'm assuming that was by some counsel for the defendant, correct? No one else asked you to look at these phones?
PARENTHETICAL: [unclear]
MR. GREEN: — when it comes to GPS data, can you tell three feet from GPS data? And no, it's not known to be that reliable. And particularly Apple location services — how that applies to the trooper's testimony, you know, I can't say with specificity. I'm happy to opine on location data, though.
MR. GREEN: Correct. Yes, it was from the defense that asked me, yes.
MR. LALLY: And so the phones that you were asked to look at were Mr. O'Keefe's phone, the defendant's phone, and Miss McCabe's phone, correct?
MR. GREEN: Correct.
MR. LALLY: Now, as far as Kerry Roberts's phone — were you ever asked to look at that?
MR. GREEN: No.
MR. LALLY: And with respect to the defendant's phone, was there any GPS location information or data that you observed in her phone?
MR. GREEN: So we had an indication that location services had been in use. There was something called Apple map tiles, and those populate when you use the Apple Maps app — in order for it to work, it will create these little tiles. They're little pieces of pictures, and they get stitched together to give you the view that you see on your phone. Now, for that to have been working, we know location data had to be working. This particular location data — the location data cache is known to only be present on the phone for a couple of weeks. Now, what I don't know — and Mr.
MR. GREEN: Lally, if I'm going too far, just please stop me — what I don't know is what measures were taken to preserve that data: whether it was put in airplane mode where the location services were turned off, or whether it was put in a Faraday bag. And quite frankly, Mr. Lally, I don't know if they did all that — if the location data would have remained or not. I've never tested that. But all indications are it would have had location data on the day that it was seized, because we received the Apple map tiles. But when I got the full extraction, there was no location data there. Now I did observe that.
MR. LALLY: So there was no GPS location data on the defendant's phone?
MR. GREEN: Correct. What I observed. And again — there was — I did find deleted location data from April of 2022.
MR. LALLY: Now, with respect to the defendant's phone, did you also find deleted web history data from the afternoon of January 29th, 2022?
MR. GREEN: No. I'm sorry, I didn't observe that.
MR. LALLY: Didn't observe it, or didn't look for it?
MR. GREEN: You know, I really don't have a recollection if I specifically looked for deleted data. I don't believe I did. I don't know if I would have had to have a cause to.
MR. LALLY: Now, with reference to your — asking about location accuracy within three feet — you did some sort of analysis last night on CellHawk, using that tool. Is that correct?
MR. GREEN: Certainly.
MR. LALLY: And you were asked to do that after the trooper testified yesterday, is that correct?
MR. GREEN: I understand he testified yesterday.
MR. LALLY: And so, with relation to you creating sort of that document — and that's now been marked as an exhibit — was that something that Mr. Yannetti asked you to do in relation to the trooper's testimony?
MR. GREEN: Yes. Well, in all fairness, you need to ask Mr. Yannetti. I — I could make an assumption. Yeah, here — I mean — I'm not — I don't know quite any — I'm not trying not to answer you. You know, but I was asked by Mr. Yannetti to perform that search.
JUDGE CANNONE: So Mr. Green, please be cautious about that.
MR. LALLY: Yes, so Mr. Green, with respect to that three-feet of accuracy — are you aware that what the trooper was testifying to, in regard to that, had absolutely nothing to do with phone applications, or anything to do with data from a phone or CellHawk or a tool, or anything like that?
MR. GREEN: Now, I don't know the full extent of what the trooper has been testifying to.
MR. LALLY: And so you're not aware that his testimony was actually in regard to reviewing a cruiser camera video from the Canton Police Department, and photographs of where Mr. O'Keefe's body was, and then mapping that using GPS latitude and longitude — based on that — within three feet?
MR. YANNETTI: Objection.
JUDGE CANNONE: Sustained. Ask it differently.
MR. LALLY: Sure. Are you aware of any of what the trooper testified to yesterday?
MR. GREEN: What you're mentioning — I may vaguely remember. And again, I'm not trying to not answer your question exactly. My conversation with Mr. Yannetti —
MR. LALLY: There's no question. Thank you. Now sir, with reference to Safari and ...deleted tabs — isn't it true that there is no way for a user to delete a tab, only to close it? You agree with that?
MR. GREEN: Yeah. Well, when you close a tab, you're taking it out of the active state and it's going to an inactive state that some people could call deleted. Now the Safari history allows you to go in and delete history by certain date ranges, but you can also go into specific websites that you visited and delete those. Now, if you want me to continue — the WAL file itself, you can't open up a WAL file and say "I want to delete that record." But functioning the phone to the user interfaces will have an effect of deleting data within that WAL file.
MR. LALLY: Isn't it also true that Cellebrite uses that red X to annotate that the record is no longer active and has been recovered — leaving it, making comment upon the examiner, being you in this instance, to determine if it was actually deleted? Correct?
MR. GREEN: Yes, sir. Thank you for asking — yes.
MR. LALLY: So that's all I'm asking, sir. Okay. Now, you stated in your affidavit and in your testimony that you use the Sanderson SQLite Forensic Explorer to examine the Safari tabs DB associated with the WAL file log. Is that correct?
MR. GREEN: Yes, sir.
MR. LALLY: Now, in your analysis using that Sanderson Forensic Explorer, was there an indication that "how long to die in the cold" was found in the WAL file?
MR. GREEN: Yes, sir.
MR. LALLY: Now, with regard to that, did you independently verify the cause of that timestamp that you observed there?
MR. GREEN: Yes, sir.
MR. LALLY: Now, is it your interpretation that the timestamp means the search appeared at that time solely based on the naming of the field in the database?
MR. GREEN: No, sir.
MR. LALLY: Now, can a WAL file contain items that are so new that they're not yet committed to the database?
MR. GREEN: Yes, sir — that's the purpose of it — so the WAL file holds the newest information until it's merged to the database, including additions, deletions, changes — all of those items.
MR. LALLY: Correct?
MR. GREEN: That is correct.
MR. LALLY: Now, according to your affidavit, the device was in active use between 2:23 a.m. and 2:31 a.m. And just to be clear, I'm talking about Miss McCabe's device. Correct?
MR. GREEN: Correct.
MR. LALLY: And what other searches did you see at that time, and where were they?
MR. GREEN: I'm sorry, can you repeat that? I couldn't quite hear.
MR. LALLY: Did you observe searches in that time frame, and where were they performed?
MR. GREEN: Well, there were a number of websites, including the [unintelligible] exhibit that we did, there was ozone, basketball I believe, there [unintelligible: "hammont smith"], and I can tell you that those — similarly, the last entry with those — there is the browser state DB file. It's not the beginning, it's not at the end. And I have a couple thoughts on why that may be in regards to Ms. Hyde and Mr. Whiffin, and I'm happy to share those with you.
MR. LALLY: I'm not asking you anything about that, sir. What I'm asking is: is it possible for a change request in the WAL to a SQLite database pertaining to one particular field, leaving the other field as what they were previously?
MR. GREEN: I want to answer your question as well as I can. Can you repeat that one more time?
MR. LALLY: Sure. Is it possible — is it possible for a change request in the WAL to a SQLite database pertaining to one particular field, leaving the other field as what they were previously?
MR. GREEN: I'm having a little trouble answering this. If I'm understanding correctly — when the WAL file gets written to the database, could that have made the change, ending with this deleted record? Is that the question? I'm sorry, I want to answer you, I'm just a little lost on how you're asking it.
MR. LALLY: Do you understand the question?
MR. GREEN: Sorry, I do not understand the question.
JUDGE CANNONE: Why don't you move on, Mr. Lally?
MR. LALLY: Is it possible that the URL field, which has the website name, was updated to the newest search, while the timestamp retained the original search? Is that possible?
MR. GREEN: No — not the way, on this particular phone, in this particular iOS, and also with how the user interacted with it, that it would have been at the 2:27 or before. The way this very specific iOS was happening, that is consistent with all the other ones that I observed out there on the phone related to specific web searches and activity.
MR. LALLY: Is it possible that the search for "how long to die in the cold" at 6:24 a.m. was the most recent search completed in the tab?
MR. GREEN: Well, not in that tab, but I certainly agree with you that there was a second search done at around that time.
MR. LALLY: Now, is it also possible that the search that you assert took place at 2:27 and 40 seconds in the morning is the same as the search that took place at 6:24:51 a.m. for that same search?
MR. GREEN: Yeah, that's inconsistent with the actual data I'm seeing on this actual phone with this precise iOS version.
MR. LALLY: Now, as far as the search in Safari — with the string, as far as "smart.app.apple.com" included — you recall that search as far as being a suggestion from Apple from the iOS, as far as the search with "how long to digest food"?
MR. GREEN: I didn't hear your whole question, but I heard the last part about "how long to digest food." I can opine on that. My feeling on that is, when the "how long to die in the cold" was put in, that was most likely an Apple suggestion. I've done some testing — now, the time period I'm doing my testing, you know, is after the fact that this would have actually occurred — but as I tested that on a live phone and using a Google search, I could see that "how long to digest food" would come up. I also noticed the specific phrase "how long does it take to die from hypothermia." So as you do this Google search, you try to repeat what's been done — those are two suggestions that actually came up. And so that was something that was a suggestion and not something that was actually searched. Correct.
MR. GREEN: Yeah — and I know that's different from my affidavit from about a year and a half ago, in all fairness, but that's entirely different.
JUDGE CANNONE: One person — Mr. Lally, I'm sorry — one person at a time.
MR. GREEN: Yes. Okay. So yeah, in fairness, I want to give you my best knowledge as I understand it, saying here today, including after my review of Mr. Whiffin and Ms. Hyde's report. So I want to do everything I can to shine as much light and clarity on this as possible. So as I repeated — you know, since that time and did the search — I would notice that that is one of the things that would come up, and it would have a little picture of like a dinner plate or something like that. And there was actually a similar, if not the same, picture found in the artifacts of that phone.
MR. LALLY: And so just to conclude — that's not what you said in your affidavit that was actually filed under pains and penalties of perjury with this court. Correct?
MR. GREEN: Yes. And on that day, that is what my true — my proper belief was. Since further testing, I have found that I now believe that that was probably an automatic one. And if I've caused you any distress, I apologize.
MR. LALLY: Did I cause you any distress? What I'm asking, sir, is that that's what you filed because that's what you thought at the time. Correct?
MR. GREEN: Yes, sir.
MR. LALLY: And subsequently, you've done further testing and that's shown that you were wrong. Correct?
MR. GREEN: That is correct.
MR. LALLY: Now, according to your affidavit, there was a search for "how long to digest food" at 6:23:49 a.m. that precedes the search for "how long to die in the cold" — the misspelling here would be the key "CL KD" — at 6:23:51 a.m. Is that correct?
MR. GREEN: Yes, sir.
MR. LALLY: Now, is it possible that the "how long to digest food" was a predictive suggestion from Apple rather than a search entered by the user? Is that also correct?
MR. GREEN: Yeah, I — I don't know the answer to that. I believe that if it had picked up an earlier search from 2:27 of "how long to die in the cold," and you want to retype it in, it may have then tried to give you something similar at the 6:23 and 6:24 timelines. So hopefully that answers your question.
MR. LALLY: So, steps — going to Mr. O'Keefe's Health data — steps doesn't necessarily mean that someone is physically taking steps. Correct?
MR. GREEN: Again, the research I've done for this — steps tend to be a very accurate artifact. Steps cannot also be coincident with, say, movement in a car or other sorts of movement of the phone, as far as the Health data is concerned.
MR. LALLY: Sure.
MR. GREEN: Well, I did some testing quite some time ago with an actual iPhone 11, the same make and model, and took a drive and tried to see if it would register steps. It did not. I sat in a chair and tried to duplicate how I thought I would walk to see if it recorded steps. It did not. I took the phone from the floor to the ceiling to see if it would record a flight of stairs. It did not. The only — with that iPhone 11, same make and model — that I got, it was very consistent with me actually doing walking steps, and that was whether I had it in my shirt pocket, my pants pocket, or clipped onto my belt.
MR. LALLY: That's your testimony?
MR. GREEN: That is my testimony, yes, sir.
MR. LALLY: Now, you're familiar with GPS native locations?
MR. GREEN: Yes, sir.
MR. LALLY: And GPS native locations takes its data, as far as defining a latitude and longitude, from a number of different sources. Correct?
MR. GREEN: Well, true GPS is going to take it from the GPS network. What you may be thinking of is assisted GPS, which the iPhone uses. And that assisted GPS will try to — it kind of does a crowdsourcing, so it'll look at cell tower powers, what's in range as far as Wi-Fi, and a number of other devices, to try to get you an enhanced GPS location and give you the best data possible.
MR. LALLY: So, GPS native locations within an Apple iOS device takes from four different sources. Isn't that correct?
MR. GREEN: It tries to get from a variety of sources like I just mentioned, not all would be available.
MR. LALLY: Now, with regard — did you look at any GPS native location data with regard to Mr. O'Keefe's phone?
MR. GREEN: Yes, sir.
MR. LALLY: And would you agree then that the GPS native locations didn't record any movement of that phone after 12:25 a.m.?
MR. GREEN: Um, 12:25 — you know, I would have to look at the exhibit to see what the time of that last entry was. I — I don't want to misstate something to you, sir.
MR. LALLY: Now, you were asked about sort of the elevation change — in three floors ascending, descending — and saying that you couldn't pinpoint a time period, or within that 12:21 to 12:24 time period, from the Health Data. Is that correct?
MR. GREEN: Correct. It happened somewhere within that time.
MR. LALLY: Could you pinpoint more specifically if you looked at the GPS native location data?
MR. GREEN: Uh — the — no. Well, we're talking Apple Health and GPS location, so — I'm — you said you couldn't do it — I'm sorry, which one are you asking about, please?
MR. LALLY: So what I'm asking is — you said you couldn't pinpoint it within the Apple Health Data. What I'm asking is, if you had looked at the GPS native location data, could you give a more specific pinpoint — as to where Mr. O'Keefe's phone was?
JUDGE CANNONE: I'm going to allow that. [unintelligible — technical/audio gap]
MR. LALLY: To be clear, sir — you had indicated earlier in your testimony that the elevation change from 12:21 to 12:24, you could not pinpoint where in that time period — or specifically where in that time period — the elevation change occurred. Correct?
MR. GREEN: That's correct. It's a time range.
MR. LALLY: Yes, sir. So what I'm asking is, had you looked at that in the GPS native location data, would you have been able to more accurately or specifically pinpoint when that occurred?
MR. GREEN: Okay — so the location — are you looking for yes or no?
MR. LALLY: I'm sorry — yes or no.
MR. GREEN: Um, I'm trying — there — there was — yes, there was location data within that time period.
MR. LALLY: Okay. And are you aware that Mr. O'Keefe's phone, from the GPS native location data, was actually a half mile away from 34 Fairview Road at the time that it made those recordings in the GPS Apple Health?
MR. GREEN: Right. Yes, I understand he was using Waze and it had made that recording. I understand that. That's why the finding that the 3-minute and 1-second offset brings into serious doubt — if that time was accurate — and when you apply that to the location offset, then the Apple Health Data and the GPS all aligns. Now, I cannot — I have not decoded Waze and found out what functions they were calling and all that, and I don't mean to indicate that I have. But I mean, that the latest version of Magnet AXIOM is bringing that up as an artifact and a timestamp related to Waze. And in the case of here where minutes are important, I thought it, you know, proper that I bring this to the attention of the case as a possible explanation.
MR. LALLY: As a possible explanation? As a possible explanation, sir?
MR. GREEN: Yes.
MR. LALLY: The three different clocks that you were talking about — are you aware that those are actually associated to power usage and not applications?
MR. GREEN: Right. That power usage was directly related to the Waze application.
MR. LALLY: So it's your testimony that those three clocks apply to the times in Waze? Is that your testimony?
MR. GREEN: I — I'm saying that the timestamps were directly related to Waze. It was reported by Magnet AXIOM when you applied the filter and said "show me every — all the [unintelligible] Waze" — these were artifacts that came up related to the Waze bundle. So I guess you need to give it the weight it deserves. Like I said, I've not decoded Waze — that's not something that has been done — but I think we need to consider the 3-minute offset as it applies to giving significance of the Apple Health Data and the Waze GPS.
MR. LALLY: Now, turning to Miss McCabe's phone again — as far as the search, what you indicated as "last view time" — are you aware that that is actually related to a time that it was actually focused on the screen, as opposed to your interpretation of it?
MR. GREEN: I — I'm aware that from that — that appears to be the last date and time it was focused, and when it was no longer focused, that's when the timestamp was written. That's what's consistent with the other data on this particular phone on this very specific iOS.
MR. LALLY: Now, with regards to looking at this search — you mentioned that you used something called an ARTX tool. Is that correct?
MR. GREEN: Yes, sir.
MR. LALLY: And are you aware that that's a tool that was actually created by Ian Whiffin?
MR. GREEN: Absolutely.
MR. LALLY: And with regard to this specific issue — as far as how this data is being interpreted from the BrowserState DB versus the KnowledgeC database and the WAL file and all of those — the plist and all of those other kinds of things — as far as the misinterpretation of the data, has that then caused Mr. Whiffin in further versions of Cellebrite to revise that so that this kind of error can't occur?
MR. GREEN: Sure, happy to answer that. So Mr. Whiffin's testing was not done with this specific version of the iOS. The iOS has been known to be changing the way this artifact works. To do proper analysis, the researcher would have needed to work with that same iOS. Now, with regards to the Cellebrite question — they have two versions of the Cellebrite physical analyzer. One is the standard physical analyzer that's been out for several years now — probably the majority use in the community. It's a tool that takes that raw data and puts it into human terms that we can look at and understand and write reports, like you've been seeing here.
MR. GREEN: So they have the Cellebrite physical analyzer that's out there — I believe it's 7.68, but don't quote me on that — and then they have a new version that's come out called Insights, and this operates more on a — where you can put multiple cases in. And it's only the Insights versions that they have bothered updating, and no longer reporting on that. Their current physical analyzer program — and I tested this a few days ago — still reports on that search occurring, and that timestamp. So currently Cellebrite is providing examiners, law enforcement, and people worldwide with two different versions giving two different results. That I can't speak to more than that, other than I've tested that and I see how those programs are working.
MR. LALLY: Now my question, sir — yes or no — is: are you aware that Cellebrite has had to modify their software based on misinterpretation of data, as you've done in this case?
MR. GREEN: Yes. With the ARTX, they updated one of two programs.
MR. LALLY: Nothing further.
JUDGE CANNONE: Okay, right. Mr. Green, you are all set.
MR. GREEN: Thank you, Judge.
JUDGE CANNONE: All right, jurors, that's it for today. Okay. All right, so jurors, we are going to send you home for the weekend. Please do not discuss this case with anyone. Don't do any independent research or investigation into this case. If you happen to see or read anything about this case, please disregard it. We are on track. We will get this case next week for your [unintelligible].
COURT OFFICER: All rise.
JUDGE CANNONE: All right, why don't I see counsel regarding scheduling. [unintelligible]: Jimmy, I'll see you in there.