Jessica Hyde - Redirect/Recross
JUDGE CANNONE: Thank you. Of course, whenever you're ready.
MR. BRENNAN: You were asked when you began working on analyzing phones in this case and you said it was in May — was that May of 2023?
MS. HYDE: May of 2023. May 4th, 2023 is the email I have of a note. Yes. It's easy to remember because May the 4th be with you.
MR. BRENNAN: When you first were asked to begin work on this case in May of 2023, what was the catalyst for you to begin working on this?
MS. HYDE: I was contacted by Lieutenant Tully and then a contract was signed and I began work on the initial request to look at those two search terms on January 29th. Does that answer your question?
MR. BRENNAN: Sure. Okay. Was there a certain claim that was lodged that you were to focus on?
MR. BRENNAN: And would you inform — why was there any context to that?
MS. HYDE: Probably. I don't recall the exact conversation that I had with the DA's office and Lieutenant Tully at that time, but I'm assuming that I was given that context. I have in my notes that I was to look at those two searches on that date and do an analysis about those.
MR. BRENNAN: Were you asked to reach any particular result?
MR. BRENNAN: Were you asked to reach a conclusion that the 2:27 timestamp was inaccurate?
MR. BRENNAN: When you engaged in your analysis, was it independent of the district attorney's office?
MS. HYDE: My analysis was independent of the district attorney's office. I actually in the first case had very little communication with the district attorney's office during the period of my analysis.
MR. BRENNAN: Was there any input from any outside source on what your result or ultimate opinions would be?
MR. BRENNAN: Would you ever allow anybody to affect your input?
MR. BRENNAN: Throughout the course of your efforts with this phone, have there been changes to software?
MR. BRENNAN: I want to ask you about changes to the Cellebrite software. You were asked about certain reports you wrote. Were the reports that you wrote relative to different requests for analysis?
MR. BRENNAN: The report regarding — report number three — regarding changes to Cellebrite software. Was that report limited to the timestamp change or was it to include other efforts?
MS. HYDE: The scope of that report — may I review what I have documented as a scope? I believe we're talking about report two. That's the one about the Cellebrite change. Yes. And I have — the request was to understand changes made in the newer version of Cellebrite Physical Analyzer to artifacts pertaining to the timeline of a particular Google search on January 29, 2022, namely "how long to die in cold."
MR. BRENNAN: When you looked at the Cellebrite software and report, was the timestamp characterization changed or removed?
MS. HYDE: Yes, it was removed. That timestamp in the version starting in May of 2024 — Cellebrite actually removed that and they put a release note stating that it was due to the ambiguity and potential for misconstruing the meaning of that data.
MR. BRENNAN: Was there any other releases informing other reasons why that was changed other than the potential that somebody could misconstrue, misinterpret or distort the information?
MR. BRENNAN: Cellebrite's statement — to yourself.
MR. BRENNAN: Was there any reason other than the concern about misinterpreting or misconstruing?
MS. HYDE: [unintelligible] — they said. Okay. So what's your understanding? My understanding is that it is not a reliable timestamp and that is why Cellebrite removed it.
MR. BRENNAN: You were asked about AXIOM. AXIOM — is it the same or different?
MS. HYDE: Magnet AXIOM and Cellebrite Physical Analyzer are two different tools that both do forensic analysis of mobile phones.
MR. BRENNAN: You were asked whether AXIOM still has a timestamp that was similar to Cellebrite before the change.
MS. HYDE: AXIOM shows — what I spoke to on direct — where they have it as a parsed versus carved result and so that particular result shows in the suspended state DB artifact as carved.
MR. BRENNAN: Do companies like AXIOM and Cellebrite give releases, updates, information about how to interpret their reports?
MS. HYDE: So, AXIOM actually has a document that's released with it called the artifact reference guide and that actually gives a brief description of the fields and of artifacts. All tools when they release new artifacts, they put out a release note. Not all artifacts are clearly documented that are parsed. However, all of the vendors regularly put out webinars and blog posts that explain their new artifacts, but not necessarily all.
MR. BRENNAN: Is there any releases or cautions from AXIOM on the same issue about misinterpreting a timestamp?
MS. HYDE: AXIOM in their artifact reference guide for this artifact does speak to the possibility of misinterpretation and states that the timestamp can be earlier
MR. BRENNAN: Than the search had occurred, based on what different reasons could cause that timestamp. Let me ask you about a Faraday bag. You said that best practice is to isolate an item in a Faraday bag.
MR. BRENNAN: Do you have any information, or did you know the travel of Mr. O'Keefe's phone that night or where it went after?
MR. BRENNAN: On January 29th, 2022, from say 6:04 in the morning until later that afternoon.
MR. BRENNAN: When you analyze data from certain devices, are they always placed in a Faraday bag immediately after an incident?
MS. HYDE: There are a lot of times when this is situation dependent. An example of when you would not put something in a Faraday bag is when you have a deceased victim and you're going to be using their biometrics to possibly unlock the device, because a Faraday bag is enclosed and then can't be opened. If your intent — if you don't have the password — is to use a deceased person's fingerprint to unlock the phone, we don't want to put the person's finger in the Faraday bag. So, usually those phones would not be Faraday-bagged, but they would typically have airplane mode enabled or SIM card removed — but no, SIM card removed doesn't actually work on iOS, so I won't get into that.
MR. BRENNAN: Understanding or having the opinion that this item was not placed in a Faraday bag at 6:04 in the morning — does that in any way affect your opinions about the data that you analyzed on this phone and the conclusions that you reached regarding Mr. O'Keefe's phone?
MS. HYDE: It does not have any impact on the conclusions, other than the fact that it wasn't Faraday-bagged and more data came in. So we have additional data.
MR. BRENNAN: You were asked a very specific question about the History DB, and it was simply whether or not "how long to die in cold" appeared in the History DB. That isolated question — does that provide any context to you and your analysis and conclusions about "how long to die in cold," and that it occurred at 6:23 and 6:24 the next morning?
MS. HYDE: The absence of the History DB artifact doesn't mean that that search didn't occur at that time. We have multiple corroborating artifacts, which is usually what we look for. Two artifacts that demonstrate it is very good — you don't necessarily need that. But in this instance, we have both from the MobileSafari plist, which tracks the history, as well as the KnowledgeC DB. So we do have two artifacts showing that those searches were done at that time — of course, 6 seconds apart for the difference between the KnowledgeC and the MobileSafari plist.
MR. BRENNAN: On direct examination, you were not asked questions about Mr. O'Keefe's phone.
MR. BRENNAN: You were on cross-examination. So let me follow up. You have a report that you authored regarding Mr. O'Keefe's phone.
MR. BRENNAN: And you had an opportunity to look at the health care data for — I'm sorry — January 29, 2022.
MR. BRENNAN: Page six of your report. Thank you. You noted that there were steps that began at 12:21:09 a.m. Is that accurate?
MR. BRENNAN: And the way health care data works, do you have an understanding whether "steps" means a person actually took a number of steps, or does it mean something else?
MS. HYDE: Steps doesn't necessarily mean that you took a number of steps. It's based on the motion of the device. So it could be steps, it could be you're carrying it, it could be that you're in some other kind of motion. You could be on a bicycle — any number of things. And the number of steps is based on the presumed gait, based on the input into the Apple Health app in terms of gender and height. So it determines a gait and then prescribes a number of steps. But it is possible for other things to cause steps to occur.
MR. BRENNAN: You were asked specifically if you saw that there were reported movement or health steps at 12:21:10 a.m., and specifically pointed out to you a notation or characterization of 80 steps. Is that accurate?
MS. HYDE: That is what's stored in the database. I try to clarify, as I did for you, sir, that that's what's stored in the database. I'm not saying that 80 steps were taken.
MR. BRENNAN: And by the way, in addition to the health care analysis, you did some analysis on the movement of a car, didn't you?
JUDGE CANNONE: I'm going to deny that question.
MR. BRENNAN: Can these health steps occur if somebody's holding a phone while traveling in a car?
MS. HYDE: As mentioned in my report, it's caused by motion. It could be various motions that could cause it. You could be using an elliptical, you could be in a vehicle, you could be on a bicycle. It's not necessarily steps taken.
MR. BRENNAN: Based on your analysis of Mr. O'Keefe's phone and the report that was pointed out to you in cross-examination — do you have information or an opinion where Mr. O'Keefe's phone was located around 12:21:10 while those steps registered?
MR. ALESSI: Objection. Scope. I think that's beyond the scope of the cross.
MR. BRENNAN: It was pointed out to you at 12:21:10 there was a registered 80 steps. Is that accurate?
MR. BRENNAN: Okay. And then you were also asked about the last health care data, the last movements of this phone, and it was pointed out that that began at 12:31:56 for 20 seconds.
MR. BRENNAN: And is that the last movement of Mr. O'Keefe's phone that evening before 6:04 that you saw when you analyzed the entire data in the phone?
MR. BRENNAN: Yes.
MR. BRENNAN: And so that 20 seconds — if it began at 12:31:56, what was the last movement in seconds in time at that time of Mr. O'Keefe's phone?
MR. BRENNAN: Yes. If that was a 20-second interval at 12:31:56, what was the last second that evening that Mr. O'Keefe's phone moved?
MR. BRENNAN: And then when you analyzed the phone and were asked about these times, is there any movement between that last movement and 6:04:01? Between the 12:32 — yes, 12:32:16 — and 6:04:01. Any movement of that phone whatsoever?
MR. BRENNAN: Do you know what was going on with Mr. O'Keefe's phone at 6:04:01 a.m. on the morning of January 29th, 2022?
MS. HYDE: I do not know precisely what was happening with his phone at that time in terms of movement — or are you asking me? I'm sorry. Can you clarify what you mean by the question?
MR. BRENNAN: The next movement after 12:32 is the 6:04:01, correct?
MR. BRENNAN: Do you have any information about where or why there was movement of the phone at that time?
MR. BRENNAN: And the last question is — the next movement at 6:15. Do you know if that phone was being moved by somebody, or somebody other than Mr. —
MS. HYDE: The phone was in motion. I do not know. It could be by a person. It could be on a rail car. I don't — I don't think it was on a rail car, for clarity, but I don't know what is causing that motion at that time.
JUDGE CANNONE: Thank you very much. Any follow, Mr. — We have a moment here. Yes. Excuse me, thank you.
MR. ALESSI: Miss Hyde, you were asked questions by Mr. Brennan just moments ago about Cellebrite release notes. Do you recall those questions?
MR. ALESSI: And did Cellebrite, beyond stating that their opinion was the 2:27:40 a.m. timestamp was not reliable, did they give any reason at all for why they concluded it was not reliable?
JUDGE CANNONE: We'll wait. Thank you. I appreciate it.
MR. ALESSI: I'll repeat the question for you. Thank you. May I, your honor? Thank you. In that release note, does Cellebrite state any reason for why they wrote "not a reliable timestamp"?
MR. ALESSI: My question is, do they state in the release note whether there's a reason for why they concluded?
MR. ALESSI: Thank you, ma'am. Thank you, your honor.
JUDGE CANNONE: And please try not to talk.
MR. ALESSI: Not asking you to read it, just asking whether or not they give any reason for the conclusion "not a reliable timestamp."
MR. ALESSI: Absolutely.
MS. HYDE: Yes, they do. They state that further research is the reason that they're doing it — that there is further research.
MR. ALESSI: Do they state what that research is?
MR. ALESSI: All right. They don't state what the further research is.
MR. ALESSI: Now, what I'd like — [unintelligible] — move on to Magnet AXIOM.
MR. ALESSI: You were asked questions by Attorney Brennan, and you referred to Magnet AXIOM as using a different parlance with a timestamp of "carved." Correct?
MS. HYDE: Correct. Cellebrite uses the "deleted" demarcation or "recovered" demarcation. Magnet AXIOM does not do that at all. They speak to how they recovered the artifact — be it that it was parsed. When I say "parsed," I mean the item was where it was expected to be in the algorithm: found it, located it, and said it's here — versus "carved," which is when they have to go into an unexpected area, such as slack space, which would be areas that are not yet used or were previously used, to extract the data from that. So, Magnet AXIOM actually recovers the timestamp, but Cellebrite does not.
MR. ALESSI: Is that correct?
MS. HYDE: Yes. Currently — previously, when we did the first case. But currently, the opposite: Cellebrite doesn't, but Magnet AXIOM does.
MR. ALESSI: Magnet AXIOM recovers 2:27:40 a.m. as a timestamp. Correct?
MR. ALESSI: So now I'd like to go back to the next topic — our discussion about Mr. O'Keefe's phone and secured or not. You talked about one example of maybe needing to use a biometric to unlock a phone, and that might be a reason, as I understand it, as to why someone might not put it in a Faraday bag or box. Do I have that correct?
MR. ALESSI: Okay. Do you know whether the passcode was immediately provided on the phone of Mr. O'Keefe?
MR. ALESSI: Assume that the passcode was immediately provided for the phone of Mr. O'Keefe. Can you think of any other reason why that phone wouldn't be put in airplane mode, Faraday bag, or Faraday box?
MR. ALESSI: Okay. And that phone was obviously not put in airplane mode, Faraday box, or Faraday bag after 6:04 a.m. on January 29th, 2022. Correct?
MR. ALESSI: Now, let's go to — well — I don't know if, at some point past 12:00 —
MR. ALESSI: Fair enough. But from 6:04 a.m. until approximately noon — correct? — on January 29, 2022, at least that time, that phone is not in airplane mode, in a Faraday bag, or a Faraday box. Correct?
MS. HYDE: Correct. It would appear such, because I didn't analyze past that. I don't know if it had been potentially Faraday'd and then it broke Faraday and got data, but I don't suspect that based on this. It appears that that data was live, but I just — I just have to speak to the fact that I just don't know because I didn't go past noon.
MR. ALESSI: But — but — but you're going past noon, right?
MR. ALESSI: Okay. My question is to noon. It does not appear to be Faraday. So to be clear, from 6:04 a.m. on January 29, 2022, until at least noon of January 29, 2022, the iPhone of Mr. O'Keefe is not in airplane mode. It's not in a Faraday bag, and it's not in a Faraday box. Correct?
MS. HYDE: Correct. Unless it was in a broken Faraday bag — like they put it in and it was failing — but — yeah. It does not appear to have been placed in a Faraday bag. All right. Well, I'm just being honest — you should test your Faraday bags. They go bad. I use Dr. Cat's testing methodology, but 100% it appears to have been receiving signal for that entire period and not in a Faraday bag, which would be best practice unless biometrics were needed.
MR. ALESSI: So, let's now go to hopefully the last two categories of questions with regard to the iPhone of Jen McCabe. Do you have any knowledge as to whether over 200 calls were autodeleted on her phone? You analyzed it.
MS. HYDE: We can see that calls were autodeleted. You're asking me if the number of — I just want to make sure I understand the question — if the number of calls that were autodeleted exceeded 200.
MR. ALESSI: My question is, do you know whether there were autodeletions on Jen McCabe's phone?
MS. HYDE: I know that. I — I'm uncomfortable with the term autodeletions because I don't know what that — I don't know what that is inferring. Okay.
MR. ALESSI: Did you analyze her phone at all for deletions?
MS. HYDE: I analyzed her phone to see if there had been deletions of call logs. And what I found was that there were records that were removed by the system and not recoverable from that database, but were recoverable from Biome.
MR. ALESSI: Understood. Now, what I'd like to do is address your answer in response to Mr. Brennan's questions, where you said that the issue with regard to Mr. O'Keefe's — or just generally — your proposition that there was no impact on your conclusion because more data had been obtained. Did I get that correct?
MS. HYDE: I believe my statement was there was no impact on my conclusion with the fact that it had not been in a Faraday.
MR. ALESSI: Right. So isn't it though the case that when a phone's not in a Faraday, and is therefore active, data can be overwritten?
MR. ALESSI: So if data can be overwritten when it's not in a Faraday, you can lose that data.
MR. ALESSI: Is there data that we're concerned about?
MR. ALESSI: Right.
MR. ALESSI: You talked about in response to attorney Brennan the 12:31:56 steps, and you said the last — according to you, last movement — 12:32:16. Do you recall those questions?
MR. ALESSI: To boil it down, isn't it correct that that phone was moving at that time?
MS. HYDE: May I check the timestamp again? I apologize. There are a lot of timestamps going back and forth.
MR. ALESSI: Please do.
MR. ALESSI: That's the start. Yep.
MR. ALESSI: So, doesn't matter what kind of movement, but that phone was moving starting at 12:31:56 and still moving until 12:32:16 a.m. on January 29, 2022. Correct?
MR. ALESSI: Thank you. I appreciate — again — you answering my questions. Thank you.
JUDGE CANNONE: All right, Miss Hyde, you are all set.
JUDGE CANNONE: I see counsel — please feel free to stand up and stretch. Okay. All right. So, folks, I talked to the lawyers briefly about scheduling at sidebar, and I'm told we're actually ahead of schedule. So, with that, rather than beginning a witness who is probably going to take a while, we may as well let you go and enjoy the rest of this beautiful day. So, we're on schedule — ahead of schedule. We'll re-evaluate that tomorrow. Now, I will see the lawyers in camera and ask the jurors about talking about scheduling. Same cautions. Please do not discuss this case with anyone. Don't do any independent research or investigation into this case. If you happen to see, hear, or read anything about this case, please disregard it and let us know, and be very careful with your searching.
JUDGE CANNONE: So, see us tomorrow morning. Thank you.
COURT OFFICER: All right. Please follow me. [unintelligible] All right.