Jessica Hyde - Cross
MR. ALESSI: I just need a witness.
JUDGE CANNONE: Yes. Sure. Good afternoon.
JUDGE CANNONE: Yes. Good afternoon, Miss Hyde.
JUDGE CANNONE: I notice you have some documents with you. Could you just state what is in front of you so I know — I might be able to help expedite this if I know what you have in front of you?
MS. HYDE: Absolutely. I have the first digital forensic analysis report I completed for the previous trial.
JUDGE CANNONE: Do you have a date? You have several of them.
MS. HYDE: I do. It's the first one. I apologize. I — this is the one, I believe it's May — I don't remember the date. 2023.
JUDGE CANNONE: I have 2023, obviously.
MS. HYDE: Then I have the second one. This was the one that was used in the pre-trial motion. December 2024.
JUDGE CANNONE: December 20—
JUDGE CANNONE: Very nice. Uh, then I have the third one?
MS. HYDE: This is the final one regarding the phone that was identified as Miss McCabe's. Yes. And then I have the fourth one which is the phone of Mr. O'Keefe. And then I do have the opinion from State v. Herrera, but if we don't need that, that's fine.
JUDGE CANNONE: Okay. Very well. I appreciate you telling me that.
MR. ALESSI: In March — and you recall on your direct examination, uh Attorney Brennan asked you questions going to your experience and qualifications. Do you recall those questions?
MR. ALESSI: You were involved in a case — actually a murder trial — in the state of Maryland in a case called State v. Herrera, uh, as recently as March of 2025. Correct.
MR. ALESSI: Attempted murder. And in that particular case, you had attempted to offer various opinions to the court. Correct.
MR. BRENNAN: I object.
JUDGE CANNONE: You have to move along from this case — from what you're talking about, you have to move along from that case.
MR. ALESSI: So with regard — do you recall another case, from the state of Massachusetts, the Arrington case, in which you submitted an amicus curiae?
MR. ALESSI: And is it correct that in that case you submitted arguments on behalf of the prosecution in that case?
MS. HYDE: I submitted an amicus brief, which is not on behalf of anybody. It's as a friend of the court.
MR. ALESSI: Right. But as friends of the court, you took a position in that quote, "friends of the court" brief. Correct.
MR. ALESSI: And the position you took on the evidence was that the frequent location history data is reliable and should be used. Is that correct?
MS. HYDE: The statement is — a frequent — I do not have that amicus in front of me. It has been a year and a half since I've read it. Um, but that amicus does discuss frequent location history records and I want to be clear it speaks to both bias on both sides — negative and positive — of submitting it. It was an unbiased writing and it was not specifically in support of a prosecution.
MR. ALESSI: So, um, you are testifying in this case on behalf of the prosecution, correct?
MR. ALESSI: And the prosecution is paying you for your services in this case. Is that correct?
MR. ALESSI: And with regard to this case, you have been paid and have been on this case since May of 2023. Correct.
MR. ALESSI: With regard to the various reports that you have submitted in this case, you have mentioned one which is a report with regard to the iPhone of John O'Keefe. Is that correct?
MR. ALESSI: And in that report you have made a statement, have you not, that from 12:20 a.m. on January 29th of 2022 and after, there is no indication of interaction with the device. Is that correct?
MS. HYDE: There is no indication of user interaction with the device. There is — all received — until about 6:04 a.m. when there is again Apple Health data that picks up.
MR. ALESSI: Well, I'll ask it again. And you can feel free to turn to page NDA-0529 — or page seven.
MR. ALESSI: I can do either way. Oh, I'm sorry. I thought you were saying page 15 in the report.
MR. ALESSI: Okay. Roger. Okay. So, page seven, you see there's a heading, "Interactive Phone Activity." Correct.
MR. ALESSI: And at the top it says, "Using a variety of different artifacts, we can see active interaction with the mobile device up until 12:20."
MR. ALESSI: Okay, sorry about that. I'm just trying to move it along, but I will be slower. I'll repeat. Using a variety of different artifacts, we can see active interaction with the mobile device up until 12:20 a.m. ET. Do you see that statement?
MR. ALESSI: And if you skip down — I'm going to skip a couple sentences to the paragraph under the chart. This is the key part.
MR. ALESSI: It says from that point — and I'm understanding that point to be 12:20:50 a.m. Correct?
JUDGE CANNONE: You need to say yes or no.
MR. ALESSI: "There is no indication of interaction with the device." Did I read that correctly?
MR. ALESSI: So, I am going to —
MR. ALESSI: No, I'm sorry. I'm just asking if that statement is correct. Not if you have other information, but is that statement correct?
MR. LALLY: I object.
MR. ALESSI: Can you answer that?
JUDGE CANNONE: Can you answer that? Yes or no?
MR. ALESSI: Did I read that correctly?
MR. ALESSI: Thank you. If we could, your honor, have a document that is put up already in evidence and publish Exhibit 39.
JUDGE CANNONE: Okay.
MR. ALESSI: And if we could go to slide 82, please. And Miss Hyde, if I could draw your attention to the entry — it says 3209 under "App Lock," but we know that the 00 is a 12. So, it's 12:32:09 a.m. on January 29, 2022. And I'm going to read what it says in red. And this is a timeline of Mr. Whiffin. You know Mr. Whiffin.
MR. ALESSI: And so he put in red, not us. He said "device locked with lock button for the last time." Do you see that?
MR. ALESSI: And you know that to lock a phone, you actually have to hit the side button with regard to an iPhone to make it locked. Do you know that?
MR. ALESSI: Okay. And that is an interaction with a phone, is it not?
MR. ALESSI: So that means that that interaction with the phone occurred at 12:32:09. Correct?
MS. HYDE: I did not review that specific artifact. I cannot attest to Mr. Whiffin's exam, only to my own.
MR. ALESSI: Do you have any reason to believe — what is in evidence in this case that Mr. Whiffin has produced — do you have any basis to contest the fact that the device was locked with a lock button for the last time on the phone of John O'Keefe at 12:32:09, as you sit here?
MR. ALESSI: Don't you think it would have been appropriate to be accurate as a digital forensic analyst on the topic of the last indication of interaction with the device? Don't you think it would have been appropriate to look at that 12:32:09 in any of the tools you said you used on direct?
MR. ALESSI: I understand you did not. And my question is — you made a statement. Well, let me back up. Do you understand that in this case, as in many cases, that matters of seconds of inactivity can be determinative of a case? Do you understand that from your experience?
MR. ALESSI: So it's important, therefore, to get activity right for any digital forensic examiner when they're issuing reports about activity — particularly of a decedent. Is that important?
MR. ALESSI: So isn't it correct that the statement you make on page seven of your report — that from that point, 12:20:50, there is no indication of interaction with the device — is incorrect?
MS. HYDE: I cannot make that without going back and reviewing and validating the artifact you just produced from Mr. Whiffin. I would need to validate that in order to respond to that.
MR. ALESSI: But as you sit here, you have no basis to contest what Mr. Whiffin has stated — that there was a lock button pressed on the side of the phone of Mr. O'Keefe a full 12 minutes after you say there was no interaction with the device. Is that correct?
MR. ALESSI: Is there anything that had prevented you from reviewing that data before you wrote this report?
MS. HYDE: Not that I can think of. I would have to go and re-review that. I don't know if — I have not reviewed that artifact. So I cannot speak to an artifact I have not reviewed, and I did not — that is not my report. That's Mr. Whiffin's report. So I cannot speak to that without going back and reviewing that evidence.
MR. ALESSI: Isn't the interaction with the device lock button readily available to you in the data that you have and had in your possession when you wrote this report?
MR. ALESSI: Thank you. If you could please turn to, in the same report, page NDA-1528, which is your page number six. And I just want you please to — just put a placeholder in that. And if you can now just go to the conclusion, which is your page 50. Let me know when you're there.
MR. ALESSI: So, in the conclusion, you state that starting at 12:01 a.m. on January 29, 2022, the mobile phone was in use with activity of: Waze navigating to 34 Fairview Road, Canton, MA; active interaction with the screen; steps; audio playing; text messages; and calls — until 12:31 a.m. EST on January 29, 2022. Did I read that correctly?
MR. ALESSI: That statement is also incorrect, isn't it?
MR. ALESSI: Do you believe that statement is correct or incorrect?
MS. HYDE: I believe that the statement is correct regarding those artifacts that are mentioned in that statement. Yes.
MR. ALESSI: Okay. If you could please turn to page NDA-1535 of the same report. Can you give me my page number, please?
MR. ALESSI: You're welcome. If you could turn to your page 13.
MR. ALESSI: And do you see an entry that says 12:31:56, which is the same time in the conclusion, but I'm going to develop it.
MR. ALESSI: Well, hold on. I'm sorry. I need to ask the questions. I — appreciate you looking to help, but if I could, I'd appreciate —
MR. ALESSI: So, it's got "health steps" and it has steps: 36, duration 20.398 seconds. Did I read that correctly?
MR. ALESSI: So, if you look at this data point in your report on page 13, the steps began at 12:31:56, but they ended 20.39 seconds later at 12:32:16. Is that correct?
MR. ALESSI: So therefore your statement in your conclusion — if you could go back to page 50 — and this is in your conclusion, your statement there is that the mobile phone is used with activity including steps until 12:31 a.m. EST. That should read until 12:32. Correct?
MS. HYDE: It depends on your interpretation of interaction. As a user is walking, they're not actively interacting with their device. It's their movement — it's not direct interaction with the screen. But I would agree to your view that that could be interpreted as needing an additional 20 seconds.
MR. ALESSI: Isn't the more correct way to state the conclusion — that the active interaction when it comes to steps is not calibrating using the screen, but the phone is calculating steps taken. Isn't that correct?
MR. ALESSI: I understand, but the sentence reads "include steps." And the more accurate way to have stated that would have been to put 12:32:16 instead of 12:31 a.m. Correct?
MS. HYDE: I'm sorry, you just said 12:30. We — I did this to the minute, not to the second. Could you rephrase what you were citing?
MR. ALESSI: I'll state it again. I appreciate that. You're welcome. So, isn't the more correct way to state this important data point in your conclusion — instead of saying active interaction with the screen and steps, etc., until 12:31 a.m. EST — the 12:31 should be 12:32, because the steps that you have on your page 13, by what you concede is the duration of 20 seconds, would have brought it to 12:32:16. Correct?
MS. HYDE: I would state that depends. I believe either is a correct way to state that, based on interactivity, based on your interpretation. Your definition is more correct.
MR. ALESSI: Okay. Thank you. And it's not my interpretation. I'm reading from your report.
MR. ALESSI: Your interpretation that 12:32 is a more correct representation of interaction is based on your theory that interaction concludes when the steps end. And I'm saying both would be acceptable.
MR. ALESSI: So, last follow-up on this.
MR. ALESSI: Isn't it correct that it isn't my theory — when the steps ended? I — if I could just finish — because if we talk over each other, the stenographer is not going to get both of us.
MR. ALESSI: So it's not my theory. It's just the simple math from an entry you've made on page 13 — that the steps began at 12:31:56. They ended 20.39 seconds after that, which, just doing the simple math, is 12:32:16. Did I do the math correctly?
MR. ALESSI: Okay. So, I'm not debating that. Thank you very much. So, now what I'd like to do is go to page NDA-1528 of your report. Do you have my page number for that?
MR. ALESSI: Yes. And I appreciate that you go by page number. So, I'll center in on the lower one, then I'll go immediately to the one. So, it's your page six, Miss Hyde.
MR. ALESSI: Welcome. Just let me know when you're there.
MR. ALESSI: If you could please go to Apple Health data steps.
MR. ALESSI: And we've been talking about steps because they're important enough that you put them in a report. Correct.
MR. ALESSI: So let's go to an important data point, therefore, in your report in the chart, which is the second entry, which is, as you've stated, 12:21:10 a.m. Do you see that?
MR. ALESSI: And you note under the data that John O'Keefe's phone registered 80 steps at 12:21:10. Did I read that correctly?
MR. ALESSI: And those 80 steps constituted 191.253 seconds, as you state. Correct.
MR. ALESSI: And is my math correct so that the jury understands this perhaps a little better?
MR. ALESSI: That 191.253 seconds equals 3.2 minutes.
MS. HYDE: Approximately. Yes, approximately. I'm doing the math in my head, so that's why I said approximately.
MR. ALESSI: Understood. So am I reading this entry correctly — that you're stating what the data shows, that 80 steps were taken by the phone — Mr. Whomever had the phone of Mr. O'Keefe — there were 80 steps taken at 12:21:10 a.m. on January 29th, 2022, for a length of time of 3.2 minutes.
MR. ALESSI: That's what the phone registered. Very well. Now, what I'd like to do is to turn to the phone of Jennifer McCabe.
MR. ALESSI: And that is for your reports. You don't date your reports, so I can't give you a date, but it says it's report three, I believe, is what — exactly. It's three. And there is — bear with me. I'm accommodating your page reference and I'll have it soon for you. It is your page seven, and let me know when you are there.
MR. ALESSI: Are you aware of an issue regarding the time of an interactive phone activity on Jennifer McCabe's phone at 5:07 a.m.? Are you aware of that issue and particularly a communication to a person named Coco? Are you aware of that?
MR. ALESSI: Sure.
MR. ALESSI: And you can tell that because in your report on page 11, you list a 5:07:21 a.m. call to a Coco as outgoing. Correct.
MR. ALESSI: Have you discussed that call with any member of the Commonwealth?
MR. ALESSI: And again, this call is at 5:07 a.m. on January 29th of 2022. Correct.
MR. ALESSI: There is no duration listed for that call. And if you just follow my questions if you can, yes or no. Is that correct?
MR. ALESSI: So what I want to do is to also note that that omission is not the only omission of durations from this report. Or — I'll state it differently. Let me withdraw that. There is no population of the duration column for any call from 1:24:30 a.m. on January 29th, 2022, all the way through this 5:07:21 call. And you don't start listing durations until 8:59:34 a.m. Is that correct?
MS. HYDE: Yes. And explainable — the artifact. I understand Mr. Brennan can handle those on his redirect.
MR. ALESSI: Absolutely. So there's not a population of duration of calls after numerous early calls and phone — as you call it — interactive phone activity. Nothing populated in this report until 8:59.
MR. ALESSI: All righty. Now, what I'd like to do is to turn to the 2:27:40 artifact that was the subject of much discussion on direct, and I am going to refer to that as an artifact. Is that a parlance that is familiar to you?
MR. ALESSI: And if I refer to that as a timestamp also, is that a parlance that's familiar to you?
MR. ALESSI: So I can refer to 2:27:40 as a timestamp and you would find that parlance acceptable.
MR. ALESSI: Thank you. So I'm going to do that just to keep it simple. I would refer to it as a timestamp. Now, you've been on this case working for the Commonwealth since May of 2023. Correct.
MR. ALESSI: So you've been on this case for two years. Correct.
MR. ALESSI: You issued a report in May of 2023. Correct.
MR. ALESSI: You issued a report in December of 2024. Correct.
MR. ALESSI: After being rehired in November, right? And you issued more reports in 2025. Correct.
MR. ALESSI: So all of that activity has been on this case. Correct.
MR. ALESSI: And that's been all on behalf of the prosecution. Correct.
MR. ALESSI: None of that work has been done on behalf of the defense. Correct.
MR. ALESSI: So let us now go to the timestamp of 2:27:40. Your opinions on what is the meaning of that timestamp have varied from May of 2023 until today. Is that correct?
MR. ALESSI: Let's cover that issue.
MR. ALESSI: Let's turn to your May 2023 report. Isn't it correct that the report and your findings were pursuant to a request from Detective Lieutenant Brian Tully?
MR. ALESSI: And how many interactions have you had with Lieutenant Detective Brian Tully on this case, approximately?
MR. ALESSI: Is it more than five?
MR. ALESSI: Is it more than ten?
MR. ALESSI: Is it more than twenty?
MR. ALESSI: So somewhere between ten and twenty. Would that be fair?
MR. ALESSI: More than ten. More than ten, I'm sure. So the issue was your use of various forensic tools that revealed a timestamp — a 2:27:40 a.m. timestamp on January 29, 2022. Is that correct? Is that a fair characterization of an issue you looked at?
MR. ALESSI: So if you could go to page five of that report, and I would ask that you go to the last paragraph that starts with "In the instance of the Google search," and let me know when you're there.
MR. ALESSI: So it reads: "In the instance of the Google search 'how long to die in cold' that was recovered from the write-ahead log associated with the X-browser-state SQLite database with the timestamp of 2:27:40 a.m., was marked by Cellebrite as having this timestamp and being deleted." Did I read that correctly?
MR. ALESSI: So you use the words that that Google search "how long to die in cold" was associated with the timestamp of 2:27:40 a.m. Isn't that what your words are in this report?
MR. ALESSI: Right. And in terms of page three, if you could go back of your report, under relevant findings.
MR. ALESSI: It starts with "There were two searches of interest that took place on the iOS device" — and we're talking about Jennifer McCabe's device. Correct.
MS. HYDE: The device that was identified to me as Jennifer McCabe's. Yes, that's identified to you as Jennifer McCabe. And it's what you talked about on direct examination as her device. Right. It's not a mystery as to whose it is. It's not like you don't know. Right. On direct, I also used the phrase "identified to me as Jennifer McCabe's."
MR. ALESSI: Right. But your conclusion is the device you've been working on and analyzing for two years is the device of Jennifer McCabe.
MR. ALESSI: Did you have a different conclusion as to whose device it is?
MS. HYDE: I always am very careful that I do not — as I did not — assess the ownership. It is — that was information that was given to me, not information that I personally assessed.
MR. ALESSI: So are you uncertain as to whether the device you've been working on for two years is the phone?
MS. HYDE: The device that I have been working on for two years is the device that was identified to me by the Massachusetts State Police, Detective Tully, as belonging to Jennifer McCabe when I began working and received that device, as stated in the evidence analysis section on this same page.
MR. ALESSI: So let's go. And we're talking about — again, to get back to the center of gravity — we're talking about a timestamp of 2:27:40 a.m. Correct.
MR. ALESSI: And when you issued your first report in May of 2023, the timestamp you were looking at was 2:27:40 a.m., January 29. Correct.
MR. ALESSI: Right. So what I'd like to do — you said "multiple timestamps." What times are in the multiple category?
MS. HYDE: What I was tasked to do was to look at the times associated with the search — the Google search history. I'm sorry, not Google search history, the Safari history, which includes Google searches associated with those two search terms within that 12-hour period. That was the particular task — not the task of looking at the 2:27 just for clarity.
MR. ALESSI: Right. And I appreciate that. But my question wasn't that. My question was — I thought I heard you on direct examination, which is why I repeated the question — what I thought I heard on direct, but I'll ask you the question.
MR. ALESSI: You looked at and talked about on direct two potential times for a Safari search, which includes Google. One of which was 2:27:40 and the other one was 6:23 a.m. Is that correct?
MR. ALESSI: Right. So we're just talking about two times — 2:27:40 and then 6:23. Is that correct?
MR. ALESSI: Okay. So Eastern time, for clarity, because some of these records are in UTC, some are in local.
MR. ALESSI: So you've got 2:27:40, you've got 6:23, and you've got 6:24 that you were looking at. Correct.
MS. HYDE: There are other timestamps that exist in the realm of what I was looking at, but those ones, correct, are the ones that are relevant in this report.
MR. ALESSI: Exactly. And that's what we're talking about — we're just talking about this report.
MR. ALESSI: And so if you look under relevant findings, at the very bottom paragraph, you say — second — [unintelligible] a Google search for "how long to die in cold" at approximately 11:23 a.m., and then "how long to die in cold" took place at 11:24.
MS. HYDE: That is in UTC. I apologize for not having the timestamp format there. But that is the UTC time. The UTC time equivalent in Eastern Local time would be 6:23 and 6:24.
MR. ALESSI: So to be clear, in your report, you wrote 11:23 a.m. and 11:24 and you didn't put UTC next to it — correct?
MR. ALESSI: And there's a significant difference between 11:23 and 2:27:40.
MS. HYDE: Correct. 11:23 is in UTC. So its equivalent in Eastern time would be 6:23. The artifact of 2:27 is already in local time. So that is in Eastern time. So what we would be comparing is 2:27 and 6:23 and 6:24 to be appropriate, taking into account the data storage and which ones are in UTC and which ones are in local time.
MR. ALESSI: I understand your explanation now. Perfect. But in this report there is no UTC notation. You have two additional times — two different numbers added to the two.
MS. HYDE: Correct. The UTC was a typo. It should say UTC next to those. And the chart shows all of those artifacts in EST and is clearly labeled that they're all in EST.
MR. ALESSI: So you would agree that it's better stated — to state it a different way than you have in your report.
MS. HYDE: I would say that both are equivalent. I should have had UTC there. But yes, it's easier for the audience to speak in EST. I would say forensics examiners typically communicate in UTC, but we translate for our reports, and I should have either communicated that in EST or included UTC. I will definitely concede that.
MR. ALESSI: So in terms of your May 2023 report — your first report in this matter — on page five —
MR. ALESSI: In the sentence underneath the block paragraph, you state: "In the instance of the Google search 'how long to die in cold,' that was recovered from the write-ahead log associated with" —
MR. ALESSI: — "the X-browser-state" — with a timestamp of 2:27:40 a.m. — "was marked by Cellebrite as having this timestamp and being deleted." Did I read that correctly?
MR. ALESSI: Now let's move ahead to page seven of your report.
MR. ALESSI: Up at the top, above "Conclusion." Importantly, you state: "Testing shows great inconsistency with timestamps parsed from this file. It is however definitive that the page existed in a tab."
MR. ALESSI: "While a definitive reason as to why the timestamp is listing the time of 2:27:40 is unknown."
MR. ALESSI: "The time is inconsistent with the timestamps associated with the same search." Did I read that correctly?
MR. ALESSI: So as of May 2023, you said the definitive reason as to why the timestamp is listed as 2:27:40 is "unknown." Correct. I'm just asking — is that what you wrote? "Unknown."
MS. HYDE: I believe that the wording here — I'm sorry — I do use the word "unknown." It says: "While a definitive reason as to why the timestamp is listing a time of 2:27:40 is unknown." Sorry again.
MR. ALESSI: So you use the word "unknown" — your word — in your report.
MR. ALESSI: Okay. So now what I'd like to do is go on to the first proceeding in this matter. Do you remember giving testimony in a proceeding about a year ago under oath?
MR. ALESSI: I am now going to go to that testimony, and if at any point you would like to have a copy — if your honor would like, I will do it — but I'm going to start and then we'll see how it goes. So bear with me a moment. Do you recall in that testimony stating that you processed the image in several forensic tools? You listed Cellebrite Physical Analyzer and then many other tools. Do you remember giving that testimony?
MR. BRENNAN: We have a page.
MR. ALESSI: I'm sorry, Mr. Brennan. I thought I'd given it — page 112. My apologies if I didn't. It's June 14, 2024, page 112.
MR. BRENNAN: Thank you.
MR. ALESSI: You're welcome. So do you recall giving testimony about the various tools you used for this timestamp?
MR. ALESSI: And do you recall stating that those tools were commonly used digital forensic tools that are very standard? Do you recall that?
MR. ALESSI: Would it be helpful to refresh your recollection if I showed you that?
MS. HYDE: It would be great. I would greatly appreciate that, because I do not recall the precise wording, but I know that I spoke to the tools I used.
MR. ALESSI: May I approach, your honor?
JUDGE CANNONE: Yes. Mr. Alessi, you offered a transcript — do you have the whole transcript?
MR. LALLY: I have the whole transcript. That helps. It might speed things.
MR. ALESSI: Agreed. Okay. We have one provided. I'm going to give you a transcript.
MR. ALESSI: So may I direct your attention — yes — to page 112.
MR. ALESSI: Turn it over — it's going to be page 112. Okay.
MR. ALESSI: You're welcome. Thank you so much. And you said we're on 112?
MR. ALESSI: Page 113. I see it.
MR. ALESSI: So — what I wanted to do — the reason I said 112 is that's where I started with my previous question. I'm not going to repeat the question, but just to orient you so you have a fair context for the questioning.
MR. ALESSI: So I started at the bottom of 112. Now I'm moving to 113 and I'm starting with line seven. Do you see that?
MR. ALESSI: And it says: "Yes, they are commonly used digital forensic tools that are very standard for other forensic examiners to use on mobile examination." Did I read that correctly?
MR. ALESSI: And then if you go down to line 22, you testified in that proceeding: "So it's important to use multiple tools so you can see the results from different tables, different data sets, and be able to compare those results and enhance those with manual analysis." Did I read that correctly?
MR. ALESSI: And then going up to page 114, line five.
JUDGE CANNONE: Slow down a little bit, Mr. Alessi.
MR. ALESSI: I will, your honor. Thank you. "Yeah, that's very, very typical for me to process with multiple tools to ensure that I'm getting the most complete interpretation from forensic tools. Of course, you go beyond that with your analysis, but it's absolutely pertinent to that." Did I read that correctly?
MR. ALESSI: And then lastly for this section, at page 114, line 17: "The Sanderson tool is meant to look at specific types of data structures called the SQLite database. SQLite databases are very nuanced, and this particular tool allows you to take that database and explore it at a deeper level than the other forensic tools allow." Did I read that correctly?
MR. ALESSI: Now if we can go to page 124 of the very same testimony, and feel free to go back a page just so you can see — to page 123 — that the topic is the 2:27:40 timestamp associated with "how long to die in cold."
MR. ALESSI: Absolutely. Thank you so much. Page 123, line 13 — but if you need to go back further, feel free.
MR. ALESSI: You're welcome. So what I want to do is start with page 123. And this is your testimony on line 16.
MR. ALESSI: "I have them in the timestamp order that is associated with the artifact." You use that word "associated" again.
MR. ALESSI: Did I read that correctly?
MR. ALESSI: And that's associated with the Google search "how long to die in cold" in a 2:27:40 a.m. timestamp. Correct?
MR. ALESSI: Now if you turn the page of the testimony — you stated back then — on page 124, line one: "The browser state DB is an artifact that speaks to when tabs are moved. So when you're using your browser and you open different tabs, you may have a search that — this time — pertains to the time that the tab moved. It could be lots of things." Did I read that correctly?
MR. ALESSI: Not one thing. You said it could be lots of things.
MR. ALESSI: And then you go on in line 10, and then you go down to the bottom — line 20 — and you testified: "We cannot tell by this particular artifact what time that search occurred." Did I read that correctly? That — specifically — pertaining to that particular artifact, that X-browser-state DB, does not tell us what time a search occurred.
MR. ALESSI: Right. So you stated — and it was your statement then — "We cannot tell by this particular artifact what time that search occurred."
MR. ALESSI: Okay. So now let's keep going.
MR. ALESSI: If you go to page 129 of this transcript —
MR. ALESSI: At the top. Sure. Line one: "2:27 isn't necessarily one time when the tab was closed. That's in my report. I say it's undetermined." Remember — we were just reading your "undetermined" in your May 2023 report.
MS. HYDE: Correct. Because there are a lot of things that can cause that timestamp to be there, including a tab being moved, a tab being minimized.
MR. ALESSI: The next sentence: "I don't know exactly what caused the tab to get that particular entry, but it's not — that timestamp is not indicative of the time of the search or any URL that's visited." But the first part of it is: "I don't know exactly what caused the tab to get that particular entry." Did I read that correctly?
MR. ALESSI: Now if we could turn to page 130 of your testimony.
PARENTHETICAL: [counsel]
JUDGE CANNONE: Thank you for your patience, Miss Hyde.
MR. BRENNAN: I need to object.
JUDGE CANNONE: Right. I'll see
MR. ALESSI: What I'd like to do is go back to your testimony in the first proceeding, and we can go back to page 130.
MR. ALESSI: So I am going to go back — just because there's been some time — and give some context. So we're talking about the 2:27:40 a.m. timestamp, correct? At this page location.
MR. ALESSI: You're absolutely correct. We've been talking about it for a couple pages. Bear with me — I think this may be either the second to last or the last. So there, you testified with regard — you. This was when you're referring to an artifact. You've agreed that "timestamp" is a fair synonym. You say on line five, that means it wasn't in the regular database. It was in the write-ahead log, and to Cellebrite's credit, that tool actually parsed the write-ahead log and displayed it where the other tools did not. Did I read that correctly?
MR. ALESSI: So, am I correct that here what you're stating is Cellebrite was actually showing the 2:27:40 a.m. timestamp at that time during your testimony in the first proceeding on that date?
MR. ALESSI: Okay. So I just wanted to establish that. And you were giving Cellebrite credit at the time of your testimony back in June of 2024. Correct?
MR. ALESSI: Okay. So now let's go to page 136.
MR. ALESSI: Thank you. And on line 12 you note that — so Cellebrite and Magnet AXIOM.
MR. ALESSI: And then you elaborate — both Cellebrite Physical Analyzer, which is a specific tool of Cellebrite, and Magnet AXIOM, another specific tool. Correct?
MR. ALESSI: Both have file system viewers that then have SQLite database viewers. And, skipping down to line 17, you talk about they don't allow for deep analysis of the write-ahead logs, which is why in my analysis I used the specialized Sanderson forensic browser for SQLite. Correct?
MR. ALESSI: So, is it fair to say that what you did up to this point in June of 2024, with regard to the 2:27:40 a.m. timestamp on January 29, 2022 — you applied a variety of tools to analyze the issue of when did the Google search occur that you used the words associated with a Safari Google search, "how long to die in the cold"?
MR. ALESSI: Right. But let me see if I can ask the question a different, more simple way.
MR. ALESSI: Thank you. So you used a variety of tools to analyze that "how long to die in the cold" search. Correct?
MR. ALESSI: Plus manual analysis and testing. All right. Now let's leave the testimony.
MR. ALESSI: And let's go to your next report. And your next report is December 2024. Do I have the correct chronology, Miss Hyde?
MR. ALESSI: So in December of 2024, just approximately six months ago, you issued another report. Correct?
MR. ALESSI: And you got the request for that report also from the Norfolk District Attorney's Office. Correct?
MR. ALESSI: And that report regarded the analysis of the same timestamp. Correct?
MR. ALESSI: The 2:27:40 timestamp. And in that report, under relevant findings, you state — and this is December of 2024 — so from your May 2023 report, it's approximately a year and a half. Is that approximately correct, from your May 23rd report?
MR. ALESSI: So a year and a half after what we just reviewed in your May 23rd report, and then just months after the testimony of June, right? It's about six months after that testimony that we just went through, you went and looked at this issue again. Correct?
MR. ALESSI: And isn't it correct that when you were asked to look at the same timestamp in December of 2024, that Cellebrite removed the timestamp from their tools?
MR. ALESSI: Okay. And that timestamp was the subject of extensive reports and testimony that you participated in in the first proceeding. Correct?
MR. ALESSI: And even though that timestamp — 2:27:40 a.m. — that showed up in Cellebrite tools, Magnet AXIOM showed up — that was removed by Cellebrite. Correct?
MS. HYDE: Cellebrite no longer reports it. The evidence is still in the data, I want to be clear — that doesn't change the data. They just removed it from their automated parsing and reporting.
MR. ALESSI: Right? So they removed it from their automated parsing and reporting. Correct?
MR. ALESSI: However, your former company — Magnet Forensics, Magnet AXIOM — still shows it.
MS. HYDE: Yeah. Magnet AXIOM currently shows it as a carved artifact and still shows that, and gives a description in their artifact reference guide as to what they believe causes that artifact.
MR. ALESSI: I'm going to ask the question. Yes, it does. Magnet AXIOM Forensics, where you used to be the director of forensics —
MR. ALESSI: — still shows that timestamp, right?
MR. ALESSI: But Cellebrite doesn't, in the auto —
MR. ALESSI: — in their automated parsing. And you would agree that Magnet Forensics is a very reputable company. Correct?
MR. ALESSI: Let's go back to your December 2024 report. Do you recall just moments ago when we went through your testimony in June of 2024 in the first proceeding, where you stated various times that — I'll use the term — best practices — to use multiple tools to analyze the timestamp. Correct?
MS. HYDE: And you used many tools back then to analyze that timestamp, and you testified to those many tools on your direct examination. Correct?
MR. ALESSI: Correct. Yes. However, in December of 2024, when you returned to analyze the 2:27:40 timestamp, how many tools did you use to analyze that timestamp? Can you give me just a number? How many tools?
MR. ALESSI: Well, in your report — let's go to your report. What does your report say?
MR. ALESSI: So, in your report, you state that under relevant findings, do you not — that review of data from Cellebrite shows that the artifact of a Google search from a Safari suspended state tab with a search term "how long to die in cold" — and I'm going to skip over "in addition to my own previous report" — no longer shows a last visited time.
MS. HYDE: I think that that is not clear. You — the skipping there makes it sound like my report no longer shows that, and that's not what — that's a fair statement.
MR. ALESSI: That's a fair statement. Let me rephrase it this way.
MR. ALESSI: In this report, you speak about Cellebrite release notes. Correct?
MS. HYDE: Are you referring to the Cellebrite release notes that come out? Release notes at the bottom, right? You refer to that.
MR. ALESSI: That's correct. And that release note states that Cellebrite has removed the timestamp value from records — and I'm assuming that's a reference to Cellebrite's release notes?
MR. ALESSI: Correct. Right. And so I'm going to go to page four of your report.
MR. ALESSI: And I'm going to go all the way down to the conclusion. In that report, is there reference to any company other than Cellebrite in this entire report?
MR. ALESSI: Okay. Thank you. Now, let's go to your prior testimony in the first proceeding where you said that it was important to use multiple tools.
MR. ALESSI: Do you still stand by your position that you've given today and that you gave in June, that it's important to use multiple tools?
MR. ALESSI: Now, let's go back to the issue of the extraction of Jen McCabe's phone. And what I want to do is to cover a concept and see if I've got this correctly. Are you familiar with the phrase "Apple source code"?
MR. ALESSI: No worries. Are you familiar with the phrase "Apple source code"?
MR. ALESSI: And isn't it a fact that Apple keeps its source code proprietary, meaning very few people have access to it?
MR. ALESSI: Closed source. That would be the term of art. Correct.
MS. HYDE: And it's not just Apple. Lots of tools are closed source. That just means that the code isn't available like it would be for the tool I mentioned earlier — that's an open-source tool. Anyone can look at the code. For Apple, we cannot go look at the code that makes your phone run.
MR. ALESSI: That's correct. And isn't it the case — and I referred to that as the MB postulate. It's shorthand, but I don't need to have you refer to it that way.
MR. ALESSI: I'm going to skip it. I'll just go on. Basically, the concept that Apple has source code that is closed source — so I just refer to it as Apple's closed source. Wouldn't the best information about when a search occurred, what it's associated with — wouldn't the best information be in the Apple source code to answer that question?
MS. HYDE: It is acceptable in digital forensic science and in accordance with the NIST and scientific foundation papers to conduct testing to determine how the functionality of something works. You do not need access to the source code to be able to speak to an artifact.
MR. ALESSI: My question isn't that. My question is, isn't the best place — the best place to go is to the Apple source code itself? Or are you saying these physical analyzer tools are just as good, and the information they pull is just as good as Apple's source code?
MS. HYDE: Those are very — those are incongruent statements. Apple source code is not a viable way to do an examination because it would be so onerous, and we do not know the level of documentation. We don't know the language. That is not necessarily the most effective way to determine what data is. Forensics tools parse results of how data is. They don't interpret them. The examiner interprets them and provides meaning. And I would like to state that those three things should not be conflated. They are very individual concepts.
MR. ALESSI: I think you misunderstood my question.
MR. ALESSI: My question is this. Isn't the best source for information about data in an iPhone contained within Apple source codes?
MS. HYDE: Not necessarily, because that doesn't — operational performance is a better source in a practical sense to being able to determine what something is, as opposed to zillions — and no, I don't know the number because it's closed source — lines of code that may or may not have different levels of documentation. Apple themselves wouldn't be able to — any individual there who has access wouldn't know every feature of how every element works. Testing through the methodologies described in NIST is the accepted methodology in our science, not reviewing the source code.
MR. ALESSI: I'm going to try it a different way. I understand what you're saying — if I got it correct, you correct me. Are you saying that these physical tools make it easier to interpret and view the data?
MS. HYDE: I did not speak about the tools at all in the statement I just made. I spoke about manual testing and checking the functionality and what results. Parse tools — again, these are three separate concepts. The concept of code and actually reviewing code to make a determination is different from parse tool results, is different from doing testing and validation. Those are separate concepts. They should not be commingled as if they equate to each other.
MR. ALESSI: So, have you ever spoken with Mr. Whiffin?
MS. HYDE: Ian — I have spoken with Mr. Whiffin historically, but not since the term of this trial.
MR. ALESSI: Okay. Have you ever spoken to Mr. Whiffin about whether the Apple source codes are the best source of information about topics like timestamps? Have you ever — just — I have not had that conversation with Mr. —
MR. ALESSI: All righty. I want to move on. And do you regard Mr. Whiffin as a reputable —
MS. HYDE: Mr. Whiffin is a reputable forensics examiner, and I've actually reviewed his work in other instances and peer-reviewed his papers.
MR. ALESSI: So you have regard for his reputation.
JUDGE CANNONE: We have to — we have to wait for each other to talk. It's all right. No worries.
MR. ALESSI: So you have regard for the opinions of Mr. Whiffin generally.
MR. ALESSI: And you believe he has a solid reputation.
MR. ALESSI: Now, let's turn to the history DB database. You are familiar with history DB. Are you — history DB — are you familiar with that phrase?
MR. ALESSI: Okay. Do any of the how long searches appear in the history DB?
MS. HYDE: In this instance, no, we do not have artifacts in the history DB of either of those two searches.
MR. ALESSI: So I want to just repeat that in a different way. The history DB — is that considered a valid and valuable source of information in an iPhone?
MR. ALESSI: But the how long searches we've been discussing do not appear in that history DB, do they?
MR. ALESSI: You spoke about PyPDF on your direct testimony. Do you recall that?
MS. HYDE: I do. It's the Python framework for PDF. It is a GitHub tool, a tool one can download from GitHub to utilize to create PDFs using Python code. So a developer and a tool would integrate that to create a PDF, and the PyPDF can have the variables set.
MR. ALESSI: Correct.
MS. HYDE: Um, yes, the Python script allows the developer to set things such as their name that they created the document. Yes.
MR. ALESSI: I want to go to the extraction of Jen McCabe's phone that you talked about on direct examination. Is the hash value signed or unsigned?
MS. HYDE: A hash value isn't signed. I believe your question — you're asking me — is the document that contained the PDF that contained the hash values, are you asking me if that's signed? Because a hash value is something that matches. A hash value isn't signed.
MR. ALESSI: Let me ask it this way. Is there any hash value associated with Jen McCabe's phone that is unsigned?
MS. HYDE: That is not a valid question. I apologize — we don't refer to hash values as being signed or unsigned. We would refer to the PDF that contains that value as being signed or unsigned.
MR. ALESSI: Have you ever read a report of Mr. Ian Whiffin?
MS. HYDE: In this case, I have, but I have to be clear — I have not read all of Ian's reports. I've only read some, so I don't know if I read some of his earlier reports.
MR. ALESSI: Do you recall reading a report of Mr. Whiffin where he references a hash value being unsigned associated with the iPhone of Jennifer McCabe?
MS. HYDE: Can I see said report so I can validate if I did or did not? I'm — I'm not sure based on just that, because I wouldn't — I wouldn't use the term hash value being signed. I did see a report in which Mr. Whiffin spoke to the PDF not being signed.
MR. ALESSI: I just want to try to shortcut this and work off your last statement. You're now saying you do recall seeing a report of Mr. Whiffin where he said a PDF was unsigned.
MS. HYDE: I — I need to see — I do remember him referencing the PDF. I would need to see the report, especially since the characterization of hash value being unsigned is not a term of art that I am familiar with in our field.
MR. ALESSI: Let me ask if you agree or disagree with this statement. This value can be used to compare with the original hash calculated at the time of extraction in order to validate the extraction data. However, this requires authentication of the original hash value, which is not possible with GrayKey extractions, as the PDF containing the extraction hash value is unsigned. Therefore, this hash value could be used as a suggestion of authentication but cannot be guaranteed 100%. Do you agree or disagree?
MR. ALESSI: Right. But — but it's nonetheless unsigned.
MS. HYDE: Correct. The PDF is not signed. That is a correct statement. GrayKey PDFs that purport that value are not an Adobe-signed document.
MR. ALESSI: Do you know the history of the extraction of Jen McCabe's phone? It's yes or no.
MS. HYDE: Can you provide more clarity? What do you mean? Do you mean from the time the image was made? Do you mean from the time the device was received? Because I don't know the information pertaining to the receipt of the device into evidence and then when the — I only have the documentation of the image forward. So I want to be clear about what period we're talking about.
MR. ALESSI: It's an excellent point and I am going to follow up with some questions. Okay. In an extraction, doesn't the extraction from a phone start with the raw data, raw image? Tell me — when someone brings a phone in, what's the first step that gets taken in order to do a full file extraction. What's the first step?
MS. HYDE: It depends. There's got to be steps with regard to network isolation. I need to know if the device is AFU or BFU at that point. So I don't have that information from this case — the question I get is from the image forward.
MR. ALESSI: So, what I'd like to do — and this may be my last section of questioning — I'd like you to describe the ideal situation as to getting the most reliable data from an iPhone from the start. What's the most reliable way to do it?
MS. HYDE: I would say the most reliable way is following the recently released SWGDE — Scientific Working Group on Digital Evidence — document on best practices of evidence handling, preservation, and imaging. I may have that title slightly out of order, but it is the document released this January. And tell me what that is? Sure. From which point are we starting? Are we starting like — extracting the data using a tool, or are we talking on-scene, taking the device into evidence?
MR. ALESSI: The latter.
MS. HYDE: Okay. So the first thing you're going to do is you're going to ensure that you are isolating the device from the network. So typically this would be done with a Faraday enclosure in best practice. However, there are alternative ways of isolating from the network, such as disabling all of the communication protocols — such as Wi-Fi, airplane mode, etc. The next step, once you've isolated — prior, you also want to make sure you're maintaining battery state. So if a device is on, you want to keep it powered on. If it's off, you want to keep it powered off. That's a general statement. So the best way to do that is to attach a battery charger — just like when your battery runs low, you plug in a charger — in the back of these battery packs. We do that before we put it in the Faraday bag.
MS. HYDE: A Faraday bag is an enclosure that blocks signals from coming to the device. This is so a remote wipe command couldn't be sent, or so that more data isn't received to the phone, because phones are live and constantly obtaining data. So we're going to have it with a battery pack in a Faraday, presuming it was on. Again, I don't know the status of this device. The next steps are going to depend on what state that device is, and what make and model that device is, and what the current support for that device is. There are multiple types of extraction methods of phones. In the modern day on iOS, a full file system image — what we had on the devices in question in this case — is considered the gold standard because it has the most robust information.
MS. HYDE: So at this point, the next question is what's the best image type? And that's going to depend on if we have a passcode or if we don't have a passcode.
MR. ALESSI: If I could — and I'm going to allow you to continue, please. I want to break it down for the jury. So, what I now want to do — you've stopped at a certain point, but you've talked about securing — what I would call securing the phone, right? And then making sure that there's no data wipes. You talked about airplane mode, Faraday bag, Faraday box, right? Do you know whether any of those protocols were followed for either the iPhone of Jen McCabe or John O'Keefe?
MS. HYDE: As I mentioned, I was not there for those processes. I don't have documentation of it. As mentioned, what started — where my receipt of the device is from — is the image.
MR. ALESSI: Exactly. So you don't know—
MR. ALESSI: Fair enough. But do you have a little bit of a hint as to whether the phone of Mr. John O'Keefe was properly secured in airplane mode, a Faraday bag or a Faraday box based upon your own report of the iPhone of John O'Keefe. Can you determine that from page five of your report?
MS. HYDE: Obviously there are data signals that are still being made and created. I believe that is what you're referring to. So the assumption is that — I don't know at which point a Faraday bag is employed, but I also want to be clear, I don't know — I don't have information outside of the digital forensics realm about this case. So I don't know precisely when the phone was taken into custody by law enforcement.
MR. ALESSI: Fair. Fair enough. So assume that Mr. O'Keefe was deceased around the latest 9:00 a.m. on January 29th, 2022. Isn't there activity on that phone? Health data activity up to around noon of January 29?
MS. HYDE: Health data activity would continue to be reported regardless of if the device was isolated from the network or not. That data has to do with the movement of the device. So if the device was being moved even within a Faraday bag, that data would still be populated.
MR. ALESSI: How about location data?
MS. HYDE: Location data is unlikely to be reported in a device that is Faraday-enclosed, but I do not know what location data you're referring to. So I cannot speak in absolutes without having a better reference to the artifacts in question. If you're saying it's in my report, I'll look at it. But again, I never knew when the phone was seized, so it was not part of my initial analysis.
MR. ALESSI: Do I have permission to look at that?
JUDGE CANNONE: Yes.
MR. ALESSI: Thank you, your honor. So bear with me. It's a big report as you know.
MR. ALESSI: And it was at the bottom of my stack. Pardon me. It was at the bottom of my stack. I had to lift up the other ones to find it. All right. Your honor, may I assist in pointing her to a page?
JUDGE CANNONE: Sure.
MR. ALESSI: Thank you. If you could turn to that report on your page 47 and continue on to page 50.
MS. HYDE: I do see incoming data that is consistent with the device not being Faraday'd, such as the receipt of SMS messages, notifications from Ring, etc.
MR. ALESSI: So the iPhone of Mr. O'Keefe was not secured in the manner you described — we got to this as would be the best practice with regard to getting the most accurate data from a phone. That is, once it comes in, it's to either be put in airplane mode, a Faraday bag or a Faraday box. Is that correct? By your own report you see activity.
MS. HYDE: I do see activity. It was not Faraday'd. Faraday prevents wiping of the device and additional data. So actually, in this instance, it doesn't appear that the device was at risk of wipe because it was not wiped. And we actually have more data because we get to see the data that continued to come in to the device. I'm not saying that's in accordance with best practice. I'm saying that that's what I see based off of what you just had me reviewing.
MR. ALESSI: It sounds like you're trying to justify—
MR. ALESSI: You tell me. It sounds like you're trying to justify the fact it wasn't secured. Am I correct?
MS. HYDE: No, you're incorrect. I'm just stating — you asked if we had more data or less data. We actually have more data with it not being Faraday'd. But no, best practice would be to Faraday. I 100% agree.
MR. ALESSI: My question wasn't is there more or less data. My question was simply, doesn't your own report — your own report — show activity up until noon on January 29, 2022?
MS. HYDE: Correct. And for clarity, my scope was till noon, so I don't know if there was activity beyond that.
MR. ALESSI: Right. But as far as your scope goes, I want to be clear, there is activity on this phone.
MR. ALESSI: Which shows that it was not put in airplane mode. It was not put in a Faraday bag and it was not put in a Faraday box and that failure is not best practices.
MR. ALESSI: Thank you. You know, that's okay. I have no further questions. Thank you for answering my questions, miss.