Commonwealth v. Read — Trial ArchiveShanon Burgess - Direct
712 linesJUDGE CANNONE: You are all set. Who is the Commonwealth's next witness?
MR. BRENNAN: Next witness is Shanon Burgess.
COURT OFFICER: Are you going to step up?
COURT CLERK: Raise your right hand. Do you solemnly swear that the testimony you shall give to the court and the jury in the matter now pending shall be the truth, the whole truth, and nothing but the truth, so help you God?
MS. BURGESS: Yes, sir.
JUDGE CANNONE: Good morning.
MS. BURGESS: Good morning.
JUDGE CANNONE: All right, Mr. Brennan, whenever you're ready.
MR. BRENNAN: Thank you, Your Honor. Good morning, sir.
MS. BURGESS: Good morning.
MR. BRENNAN: Could you please introduce yourself to the jurors? Spell your last name for the court reporter.
MS. BURGESS: Yeah, absolutely. So my name is Shanon Burgess. Last name B-U-R-G-E-S-S.
MR. BRENNAN: Mr. Burgess, what do you do for a profession?
MS. BURGESS: Sure. So I'm a digital forensics examiner. I investigate digital devices to see what evidence they may record or hold.
MR. BRENNAN: Do you specialize in any type of forensic analysis?
MS. BURGESS: Sure. So digital forensics is kind of a broad field, but I do specialize in vehicle forensics and cell phone forensics.
MR. BRENNAN: How long have you been a digital forensic analyst?
MS. BURGESS: Sure. So I've been a digital forensic analyst for approximately 10 years.
MR. BRENNAN: Before you were a digital forensic analyst, what type of work did you do?
MS. BURGESS: Sure. So before I was a digital forensics analyst, I was working in the automotive manufacturing field, specifically related to automotive presses and industrial robotics.
MR. BRENNAN: I want to talk to you about some of your experience in digital forensics. Did you receive any certifications in digital forensics?
MS. BURGESS: I did. I've received several certifications — one being what's called GIAC Advanced Smartphone Forensics, another from Cellebrite, a company — certified mobile examiner, and then certifications from Magnet Forensics as well.
MR. BRENNAN: Is Magnet a company that also includes Magnet AXIOM?
MS. BURGESS: Yes. Magnet is a company that produces the software known as Magnet AXIOM.
MR. BRENNAN: In addition to your certifications, how many hours of specialized training approximately have you had in digital forensics?
MS. BURGESS: Sure. So approximately, over the last 10 years, I've had around 700 hours of training, including courses and conference attendance, in digital forensics.
MR. BRENNAN: In addition to your training and your study, do you have experience over the 10 years? Have you involved yourself in many cases regarding forensics found from a motor vehicle?
MS. BURGESS: Yes, I have.
MR. BRENNAN: Can you give a general estimate of how many cases you've worked on?
MS. BURGESS: Not off the top of my head, I couldn't. But it's been numerous.
MR. BRENNAN: You said that you specialize in mobile phones and digital forensics in motor vehicles. Is that correct?
MS. BURGESS: That is correct.
MR. BRENNAN: Do you teach seminars on those issues?
MS. BURGESS: I do. I teach seminars and presentations specifically in those disciplines.
MR. BRENNAN: Who are some of the audiences that you teach to?
MS. BURGESS: Sure. So it ranges from attorneys to engineers that specialize in accident reconstruction, to police agencies such as Interpol, which is a global police organization.
MR. BRENNAN: Have you testified as an expert in digital forensics in court before?
MS. BURGESS: Yes, I have.
MR. BRENNAN: Have you ever testified as an expert regarding digital forensics in state courts?
MS. BURGESS: Yes, I have.
MR. BRENNAN: And could you share with us those state courts?
MS. BURGESS: Sure. Those state courts would be Oregon, Texas, Arkansas, New Mexico — and those would be the ones in the last four years that I can recall off the top of my head.
MR. BRENNAN: Have you testified as an expert in digital forensics in federal courts before?
MS. BURGESS: No, just in state courts.
MR. BRENNAN: Have you testified in state courts in civil cases?
MS. BURGESS: Yes, I have.
MR. BRENNAN: Have you testified for plaintiffs in civil cases?
MS. BURGESS: I have testified for plaintiffs and defense in civil cases.
MR. BRENNAN: And have you testified in criminal cases before?
MS. BURGESS: I have testified in criminal cases as well.
MR. BRENNAN: Have you testified for the prosecution before?
MS. BURGESS: I have. I have testified for the prosecution as well as the defense.
MR. BRENNAN: Does the data change regardless of who you testify for?
MS. BURGESS: No, it does not.
MR. BRENNAN: Where are you presently employed, Mr. Burgess?
MS. BURGESS: Sure. So I'm presently employed with a company known as Aperture, and I'm located in their Dallas office.
MR. BRENNAN: Is Aperture a company that has offices outside of Texas?
MS. BURGESS: Sure. So Aperture is a company across the country. They've got a number of locations and offices, and they offer a number of service lines, specifically related to forensics.
MR. BRENNAN: Do you ever work on different cases or scenarios with people in the Texas office?
MS. BURGESS: Yes, I do.
MR. BRENNAN: Do you ever work with other employees of Aperture outside of the Texas office?
MS. BURGESS: Yes. So I do occasionally collaborate with other experts in the Texas offices as well as the other offices across the country.
MR. BRENNAN: In this case, was there another professional who worked with Aperture that was related to this case that you talked to?
MS. BURGESS: There was.
MR. BRENNAN: And who was that?
MS. BURGESS: That would be Dr. Judson Welcher.
MR. BRENNAN: Is Dr. Welcher's profession and job the same as yours?
MS. BURGESS: No, it is not.
MR. BRENNAN: What's the difference between what you do and what Dr. Welcher does?
MS. BURGESS: Sure. So what I do is investigate digital devices. That can range from cell phones to vehicle modules to computer systems. What Dr. Welcher does is specifically related to accident reconstruction and biomechanics.
MR. BRENNAN: So you are not an accident reconstruction engineer.
MS. BURGESS: I am not.
MR. BRENNAN: You are focused on the data.
MS. BURGESS: I am focused on the data.
MR. BRENNAN: Did you ever publish any writings or papers regarding the area of your expertise?
MS. BURGESS: Sure. So I have published two papers — specifically one related to damaged devices. And that is referencing event data recorders, which is your black box or your airbag control module, and specifically related to developing proof of concepts, because a lot of times these modules will store data in different places on the module. Proof of concepts are ways to verify and validate where that data is stored, so you're not missing data.
MR. BRENNAN: So that first article that you wrote about damaged modules, was that peer-reviewed?
MS. BURGESS: It was.
MR. BRENNAN: And was it accepted?
MS. BURGESS: It was accepted.
MR. BRENNAN: Could you tell us briefly what peer-reviewed means?
MS. BURGESS: Sure. So peer review is a process of your peers or colleagues reviewing your work and determining that it's valid.
MR. BRENNAN: Are peer-reviewed articles often relied upon by other experts in the field?
MS. BURGESS: Yes, they are.
MR. BRENNAN: You said that the first article you mentioned had to do with damaged modules. Is that one of the areas specifically that you're going to talk to us about in this case?
MS. BURGESS: Sure. So it is specifically one of the areas I'm going to talk about in this case. And to kind of go back a little bit, the idea of proof of concept applies not only to damaged modules, but also other vehicle modules such as infotainment and telematics modules.
MR. BRENNAN: I don't think we're at infotainment and telematics yet. So if we can just understand a little better — basically, what is proof of concept in action? What does that mean?
MS. BURGESS: Sure. So proof of concept is taking a vehicle module, for example — this is typically an unidentified vehicle module that other individuals have not looked at or verified what is recorded and where it is stored. So a proof of concept is taking exemplar modules and doing tests on those modules, creating events that are recorded within the modules. A lot of times when those modules are damaged in vehicle crashes, or if they're just unsupported by your forensic tools, you will have to go to what's called chip-off or chip-swap forensics. That is specifically taking the chips off of the circuit board.
MS. BURGESS: So think of the hard drives from your computer — moving those hard drives to another module, a working module, to recover the data, and validating that you've recovered all the data that you would expect to see.
MR. BRENNAN: Are there times and cases or studies where you need to recover data because it's not available to you through the traditional methods?
MS. BURGESS: Yes, many times.
MR. BRENNAN: Let me ask you — you said there was a second article. What was that second peer-reviewed article about?
MS. BURGESS: Sure. So that second peer-reviewed article was specifically related to mobile forensics, specifically iPhones and how they track your device interactions as well as speed and location data, and validating how accurate that data was.
MR. BRENNAN: In addition to talking to us about damaged modules as you're going to do in this case, are you also going to talk to us about the timing information from mobile phones?
MS. BURGESS: Yes, I am.
MR. BRENNAN: When did you first become involved in the study of this case?
MS. BURGESS: So I first became involved in this case around October of 2024.
MR. BRENNAN: When you became involved in October of 2024, were you in receipt of any information or reports or documents to look at?
MS. BURGESS: Yes. So I did receive some raw data as well as some photographs from the vehicle in this case.
MR. BRENNAN: When you say raw data from the vehicle, what does that mean specifically?
MS. BURGESS: Sure. So again, when you take these chips or hard drives off of these modules, you can read those chips individually and recover any type of data that is recorded on those chips. So when I reference raw data, that is looking at that data in hexadecimal format, which is — you know — as close to binary data, which is what computers use to store data, as you would want to get when reviewing this type of data.
MR. BRENNAN: When you receive data, does that presume it's already been downloaded by somebody?
MS. BURGESS: Yes, that is correct.
MR. BRENNAN: In addition to looking at the data, you received photographs. Do you know where those photographs came from?
MS. BURGESS: I do not know specifically who those photographs came from, but I do know those photographs came from an initial download attempt on those modules.
MR. BRENNAN: You said there was an initial download attempt. When you looked at the information you received, did you learn whether or not there was an attempt prior to your involvement in October 2024 to obtain data from the modules or the so-called black box in the Lexus vehicle?
MS. BURGESS: Yes. So there was an attempt to download data from the modules in the vehicle.
MR. BRENNAN: Did you understand whether or not there was a chip-off process — whether anybody attempted to take the computer chips off the computer boards and learn or download the data?
MS. BURGESS: Yes, there was an attempt to remove various chips off of the boards and read those chips individually.
MR. BRENNAN: Did you have an opportunity to read any reports submitted regarding that earlier process that occurred before you even got involved?
MS. BURGESS: Not before I got involved. Well, sorry. Yes, I was able to read a report from an individual known as ag speak about that process, that initial process.
MR. BRENNAN: Did you learn — the name of the person that actually conducted the original process before you were involved in this case?
MS. BURGESS: Yes, I understand that person to be Miss Maggie Gaffney.
MR. BRENNAN: Do you know generally when Miss Gaffney engaged in trying to download
MS. BURGESS: Information from the computer boards of the defendant's car? Yeah, if I can recall correctly, that was around December of 2023.
MR. BRENNAN: And in your review of materials and study materials, did you receive additional materials?
MS. BURGESS: Yes, I did receive additional crash reports just detailing the events of the night.
MR. BRENNAN: When you say crash reports, what does that mean?
MS. BURGESS: So that's going to be crash reports from the Massachusetts State Police.
MR. BRENNAN: Is a crash report just a written report or is it data?
MS. BURGESS: No, it's just a report, no data.
MR. BRENNAN: Did you receive any other reports from any other individuals or experts?
MS. BURGESS: No, not at that time.
MR. BRENNAN: Did you later over time receive any more additional information during your studies?
MS. BURGESS: Yes, I believe so. And let me reference my report just so I don't misspeak.
MR. BRENNAN: Let me ask for the court's permission before you do that.
MS. BURGESS: Sure. Sorry. Yes. So I did — again, I reviewed a vehicle forensics report by ag speak. I reviewed documentation that was identified to me as evidence review, a prior testimony of Trooper Guarino, and I reviewed some surveillance videos as well as a report by Mr. Whiffin.
MR. BRENNAN: When did you receive any study or reports from Mr. Guarino? Do you remember?
MS. BURGESS: I do not remember exactly.
MR. BRENNAN: Okay. Was it recently? Some time ago?
MS. BURGESS: It would have been some time ago. Probably — you know, late 2024, after we got involved last year. Yes.
MR. BRENNAN: And how about Mr. Whiffin's reports?
MS. BURGESS: Mr. Whiffin's report I believe I received in January of this year.
MR. BRENNAN: In the video — do you know when you received any video?
MS. BURGESS: It would have been this year. I don't remember the exact dates.
MR. BRENNAN: Was it last month, months ago?
MS. BURGESS: No, probably around January or February as well. Well, I take that back. It would have been early January, maybe late December.
MR. BRENNAN: Okay. I want to ask you just generally so we have a general perspective on this. When you began your study, was there something specifically that you
MS. BURGESS: Were looking for? There was. So specifically what we're looking for when we do a chip off on these vehicle modules, we're expecting to see one of two things: user data in a raw hexadecimal format, or a file system where user data is stored.
MR. BRENNAN: Were there certain events that you were focused on relative to the data in the defendant's Lexus?
MS. BURGESS: Sure. So there were specific events that we were looking for, specifically — that would be including timestamped ignition-on events or power-on events, as well as other data.
MR. BRENNAN: Did you have any information or understanding that there were TechStream events that you would have focused on?
MS. BURGESS: Yes. I did have an understanding that there were TechStream events located in an airbag control module.
MR. BRENNAN: How many TechStream events were you focused on?
MS. BURGESS: Two TechStream events.
MR. BRENNAN: Could you just generally characterize those two events?
MS. BURGESS: Sure. So one event has been identified as a three-point turn maneuver and the other has been identified as a backing maneuver.
MR. BRENNAN: Now the studies of those events — is that the role of the accident reconstructionist?
MS. BURGESS: Yes, it is.
MR. BRENNAN: So then what was your role — your specific role related to those two characterized events, the three-point turn event and the backing maneuver event?
MS. BURGESS: Sure. So within that TechStream data, those events are documented with what's called a time count. So that's going to be a running timer from the time the vehicle powers on or the ignition comes on. So that counter will count seconds incrementally. And specifically, the focus was looking for any timestamped data that would offer when that power-on event occurred.
MR. BRENNAN: Did you put together a PowerPoint presentation regarding your assessment of some of this case?
MS. BURGESS: Yes, I did.
MR. BRENNAN: Can I approach?
JUDGE CANNONE: Yes.
MR. BRENNAN: Handing you a package. Do you recognize that?
MS. BURGESS: Yes, I do.
MR. BRENNAN: And what is that?
MS. BURGESS: That is my PowerPoint presentation that I prepared.
MR. BRENNAN: Just turn a few pages and look and see if that accurately reflects the presentation you put together.
MS. BURGESS: Yes, it appears so.
MR. BRENNAN: And does this reflect some of your study of this case?
MS. BURGESS: It does reflect some of the study in this case.
MR. BRENNAN: Is it an entire comprehensive study of everything that you learned, or is it an overview?
MS. BURGESS: No, it is an overview.
MR. BRENNAN: Court's permission — I would mark this for identification. I intend to use this before permission as a chalk.
JUDGE CANNONE: Okay. So we'll mark it for identification. [unintelligible] May I proceed, your honor? Yes.
MR. BRENNAN: Sir, I want you to teach us a little bit about the computers in a motor vehicle. Is there one computer, like a black box in an airplane?
MS. BURGESS: No. So there are actually many — depending on the vehicle, there could be hundreds — with very specific functions to what they're meant to do.
MR. BRENNAN: Tell us a little bit about why there's a need, or why many computers are used in a single vehicle.
MS. BURGESS: Sure. So there are so many functions within your modern vehicle nowadays. So for instance, your infotainment module — that is a computer that operates your radio, your head unit. So that's going to be your obviously your radio, any type of built-in navigation, Android Auto, Apple CarPlay. There's what's called a telematics module. That's going to be what actually allows the vehicle to communicate with internet services. So if you've got an app that can track your vehicle or unlock your doors, that's being allowed through that telematics module.
MR. BRENNAN: With the court's permission, I'd like to have Miss Gilman show page three of the PowerPoint.
JUDGE CANNONE: Okay. Any objection, Mr. Alessi?
MR. ALESSI: No objection, your honor.
MR. BRENNAN: Thank you, sir. On your PowerPoint page three, you have a chalk or diagram of a car. You may have a pointer in front of you if it helps.
MS. BURGESS: Sure.
MR. BRENNAN: You could direct your attention to the TV to your right. Could you explain to us what this diagram shows us?
MS. BURGESS: Sure. So this is a diagram that just shows a small number of modules that you can find in specifically the Lexus in this case. Again, what we're focused on and looking at is the infotainment module and the telematics module in orange. For example, there are other modules known as the body control module and the airbag control module. The engine control module, which runs your vehicle. In addition to that, there are other modules that operate your door locks and unlocks, your windows, and various other functions.
MR. BRENNAN: When you use the word module, is that the same thing as a separate computer, or is it different somehow?
MS. BURGESS: Yeah. So — using parlance — a module would be referring to a separate computer within the vehicle.
MR. BRENNAN: Do all of these separate computers in a vehicle connect with each other?
MS. BURGESS: They do. So all of these modules are connected to one another and they do communicate with each other.
MR. BRENNAN: The information that would be commonly referred to as "black box," or information that captures some of an event — where would that be in this diagram?
MS. BURGESS: Sure. So the black box would be in the airbag control module.
MR. BRENNAN: And then as far as the radio system you shared with us — that's the infotainment module?
MS. BURGESS: Yes. So the radio system — that data is going to be stored within the infotainment module.
MR. BRENNAN: In the telematics module specifically, what are we looking for there?
MS. BURGESS: Sure. So the telematics module again is a module that allows communication with internet services. So if you've got an app on your phone that you can unlock or lock your doors, that's the telematics module allowing that function to occur.
MR. BRENNAN: Do all make and model cars have the same setup as this diagram?
MS. BURGESS: No, they do not. It will vary.
MR. BRENNAN: Does it vary from car maker to car maker?
MS. BURGESS: It does. It varies from car maker to car maker. It varies from trim level as well.
MR. BRENNAN: Could two different cars from the same manufacturer, same style — could they have different components in those cars?
MS. BURGESS: They could. Yes.
MR. BRENNAN: Why is that?
MS. BURGESS: Sure. So during the manufacturing phase, depending on cost and other things, manufacturers will source these modules from different third-party manufacturers. So one vehicle may have a module from, for instance, LG Electronics, one may have a module from Denso, and depending on how those individual manufacturers implement that software and hardware, they may record and store different types of data.
MR. BRENNAN: So from your experience, you've reviewed or you've studied a 2022 Lexus — and then you see another Lexus, whether it's 2022, would you be able to say you've seen it, you've already done it, or do you have to individually look at each car?
MS. BURGESS: Sure. So you would typically look at — and to correct, it's a 2021 Lexus. But if you want to understand what may be stored in a subject module, you would take an exemplar vehicle and conduct some testing to determine what is being recorded and how that data is being recorded.
MR. BRENNAN: You mentioned that you were looking for time information or power on/power off information regarding two events.
MS. BURGESS: Correct.
MR. BRENNAN: Can we characterize those events as TechStream events?
MS. BURGESS: Yes, we can.
MR. BRENNAN: Do people sometimes refer to them as triggering events? Are they often or sometimes referred to as something else other than a TechStream event?
MS. BURGESS: They can be referred to as other things besides TechStream events.
MR. BRENNAN: Can you give us an example of what else they may be referred to as?
MS. BURGESS: Sure. So that would be triggering events.
MR. BRENNAN: Why is it called a triggering event?
MS. BURGESS: Sure. So the event is actually created when there is a trigger. And those trigger thresholds will vary and could be for a number of different reasons.
MR. BRENNAN: When a TechStream event happens, or so-called triggering event, what happens in the data?
MS. BURGESS: Sure. So when a TechStream event happens, when that trigger is met, there are certain data parameters or data types that are recorded for a specific time frame.
MR. BRENNAN: In this case, how many of those events were you looking at?
MS. BURGESS: Just one.
MR. BRENNAN: When you mentioned time, I want to have you explain to us a little bit about time. You said there's a running clock. Can you explain that in a little more detail and simply what that means?
MS. BURGESS: Sure. So in what's recorded within the TechStream events, I'll refer to as a running clock. Essentially what it is — when the vehicle is powered on, this clock starts to run and it counts seconds from power on. So when you press the ignition on, this clock starts, and when there is a TechStream event that occurs within that cycle or within that ignition on, that is recorded as the time that that trigger occurred.
MR. BRENNAN: Does that give an actual time like when you look at your watch or you look at your cell phone?
MS. BURGESS: It does not give an actual time.
MR. BRENNAN: Yeah.
COURT OFFICER: Your honor, pardon the interruption. The chalk remains on the screen.
JUDGE CANNONE: Okay. Are you still reviewing the chalk?
MR. BRENNAN: We can take it down if it pleases.
JUDGE CANNONE: Mr. Alessi.
MR. ALESSI: Thank you.
MR. BRENNAN: So, getting back to the clock — you said it's like a running clock. Is that like a stopwatch?
MS. BURGESS: Yeah, that could be referred to as a stopwatch.
MR. BRENNAN: Where is that running clock kept in the data?
MS. BURGESS: Sure. That running clock is kept within the airbag control module.
MR. BRENNAN: Is that the so-called black box part of the data?
MS. BURGESS: That is correct.
MR. BRENNAN: With the running clock, how do you determine the actual time as it relates to, say for example, your digital watch or your iPhone or another clock?
MS. BURGESS: Sure. So in that instance, you would need to have an event that occurs, such as a power on event with a timestamp, to reference back that running clock.
MR. BRENNAN: When you got involved in this case and you looked at the information that was previously downloaded by Miss Gaffney, was there any data regarding power on/power off to mark that time from the initial download?
MS. BURGESS: There was not.
MR. BRENNAN: When you involved yourself in your study, what was your primary focus as far as information you wanted to get and why?
MS. BURGESS: Sure. So my primary focus when I initially got brought on was to look at the modules and see if there was any data that was not recovered. And then specifically, again, looking at any timestamped data that may have been recorded within the modules.
MR. BRENNAN: You talked about the differences in modules in your PowerPoint. Did you provide a couple of photographs of the modules so we can see what you're talking about?
MS. BURGESS: Yes, I did.
MR. BRENNAN: With the court's permission, I'd like to put on page four of the PowerPoint.
JUDGE CANNONE: Okay.
MR. BRENNAN: Could you explain to us the photograph on the left and then the photograph on the right?
MS. BURGESS: Sure. So the photograph on the left is a top-down view of the infotainment module from the Lexus. The photograph on the right is a top-down view of the telematics module from the Lexus.
MR. BRENNAN: Are these modules from this specific car or is this a general photograph of a car and how it works?
MS. BURGESS: These modules are from this specific vehicle.
MR. BRENNAN: The car you studied.
MS. BURGESS: Correct.
MR. BRENNAN: On the left — infotainment module — you have different manufacturers. Why is that?
MS. BURGESS: Sure. So again, these modules are not manufactured by Lexus or Toyota themselves. They are manufactured by third parties that are providing these modules to them, the car manufacturer. And these are just some examples of what we have seen within these specific vehicles and what type of manufacturers provide modules for these vehicles.
MR. BRENNAN: If we could turn to page five, please. When you looked at the data that was provided in this case, did you draft a report?
MS. BURGESS: Yes, I did.
MR. BRENNAN: Your initial impressions — can you share with us what your initial impressions were?
MS. BURGESS: Sure. So initial impressions were that data was missed from the initial download.
MR. BRENNAN: What type of data do you think was missed, or did you conclude was missed, from the initial download?
MS. BURGESS: Sure. So that would be essentially all of the user data was missed during that initial download.
MR. BRENNAN: How did you conclude, or come to the opinion, that data was missed on the initial download?
MS. BURGESS: Sure. So reviewing the raw data, you can see that what we would expect to find — which would be things like contacts from devices, or device connections, or timestamped data — was not there in those initial downloads.
MR. BRENNAN: When you first looked at the data and you came to the conclusion that there was missing data, did you have a working theory on what you thought or how you thought the information was missing?
MS. BURGESS: Sure. So I did have a working theory initially of why the data was missing.
MR. BRENNAN: And what was your initial theory?
MS. BURGESS: Sure. So — I'll reference kind of to the slide a little bit.
MR. BRENNAN: We can take that down if you'd like.
MS. BURGESS: Sure. So, sorry — can you repeat the question?
MR. BRENNAN: When you had your initial theory of data missing, what was it based on?
MS. BURGESS: Sure. So the initial theory was based on two things — either one of two things. Initially I thought could have happened: a bad or partial read of the chips, or it could be that the data-bearing chip that we are looking for was overlooked and not downloaded.
MR. BRENNAN: When you — your first thoughts were that this was a partial read of chips. Was there anything about the chips when you looked at them that you concluded or came to an opinion on?
MS. BURGESS: Sure. So initially, when I was reviewing the data and reviewing the part numbers on the chips, we can see how much storage is on each chip. And that can kind of get complicated, but essentially what we're looking at is data stored as either bits or bytes — represented as a capital B or a small lowercase b. So initially, upon reviewing the data and with the assumption that a competent examiner would not miss a chip or a die or a data-bearing chip on the board, I misinterpreted and wrote a capital B when I should have written a lowercase b in my notes, which led me to believe that there was a partial download of those initial chips.
MR. BRENNAN: Now as a forensic analyst, do you rest on your initial impressions or do you go through a continued process?
MS. BURGESS: No. So I do not. Just like the scientific method — if you have a working theory, you then review and research to either prove or disprove that theory.
MR. BRENNAN: And did you engage in that scientific process and working theory?
MS. BURGESS: I did.
MR. BRENNAN: And how soon after you wrote the report did you realize there may be another source of the material?
MS. BURGESS: Sure. So I'll clarify — that initial was not a report, it was just a protocol that was proposed. But I believe that there was a supplemental protocol written within a week or two of the initial protocol.
MR. BRENNAN: And when you used the scientific method and studied the theory that you had, what did you decide or what did you learn?
MS. BURGESS: Sure. So upon further review and research, I discovered that there was an SD card or a micro SD card that was on the circuit boards of one of the modules that was never looked at.
MR. BRENNAN: Now you weren't present at the original process.
MS. BURGESS: That is correct.
MR. BRENNAN: When you looked at the modules, those computer boards, did you notice anything about them that happened during the original process?
MS. BURGESS: Sure. So I did notice during the chip-off process — what you do to take these chips off is you apply heat to them. So that essentially liquefies the solder, which is a low-temperature metal that connects the chips to the board and makes those connections so the board can communicate. And there was some damage caused from that initial chip off.
MR. BRENNAN: And again, why would you take the chips off a board if they're already attached? Why would you need to do that?
MS. BURGESS: Sure. So when you don't have — you know, typically if you think about downloading data from your cell phone, you have a USB port on your cell phone that you can easily plug into, plug that into a computer. That's not the case with vehicle modules. So you have to remove these chips from the board and then you've got programmers or readers that will read the data from these chips.
MR. BRENNAN: Did you have a chance to study the boards that were already accessed during an earlier chip off process before you got involved?
MS. BURGESS: Yes, I did have opportunity to study some photographs of the boards.
MR. BRENNAN: Could we have page 14, please, Miss Gilman? Any objection, Mr. —?
MR. ALESSI: No, no objection. Thank you. Okay, if we could turn to page 15. Tell us what this is, please.
MS. BURGESS: Uh, sure. So this is the infotainment module that you saw earlier. This is just two photographs during the disassembly process of taking that module apart.
MR. ALESSI: Okay, that's the best we can do. That's fine right there. Could you share with us a little bit about what this is?
MR. BRENNAN: Could you zoom in on the right photograph, Miss Gilman?
MS. BURGESS: Sure. So this is how I received the modules when we took a secondary look at them. Essentially, if you see from the right photograph, there are many boards that are contained within this infotainment module. This specific board that we're looking at here on the right is the board where they removed chips from. So what we're looking at is the circuit board itself as well as two components that were previously removed during that initial download attempt.
MR. BRENNAN: So if you can't read the chips on the board — if you remove them — is there a tool that you can use to actually read the individual chips in isolation?
MS. BURGESS: Yes. So there are various tools that you can use to read those chips and read the data from those chips.
MR. BRENNAN: If we could have page 16, please. Can you tell us what you see here?
MS. BURGESS: Sure. So what you see here is two of the components that were initially removed from the board during that first download attempt. I've documented an additional chip that was still on the board that was not identified during that initial download, on this side of the circuit board. And then I've got photographs matching the chip and where its placement was initially on the circuit board.
MR. BRENNAN: Could we have page 17, please? And what do we see there?
MS. BURGESS: Sure. So this is some of the damage that occurred to the circuit board itself during the initial chip off download attempt.
MR. BRENNAN: Do you have a pointer on the stand?
MS. BURGESS: I do. Yes.
MR. BRENNAN: Could you show us with the left photograph — point out what you mean by damage?
MS. BURGESS: Sure. So right here on the left part, you've got these two highlighted blocks. What this is — if you remember back to the last slide, the larger chip that we were looking at — this is directly underneath that. So when you're removing that larger chip, what you're doing is you're applying heat to it. If you apply too much heat during that chip off process, the underside of the board will actually heat up and you'll have chips fall off of the underside of the board. So that's what's occurred here on the left side. On the right side, as you heat up these chips, if you're not careful as you pick them up off the board, you can displace other components, and that is what you see right here in this highlighted box — a small passive component that has been displaced where it should be parallel.
MR. BRENNAN: What is the risk of damaging components when they're taking off — taking them off the board during a chip off?
MS. BURGESS: Sure. So the risk of that is causing damage that could be internal that we can't see. And if you want to put the chips back on the board and assemble everything back together, it may not work appropriately.
MR. BRENNAN: In addition to seeing the damage with your eyes on these photographs, do you look at data when you engage in the analysis of whether or not you think data is missing?
MS. BURGESS: Yes, I do.
MR. BRENNAN: Could we have page six, please? Could you tell us what this is?
MS. BURGESS: Sure. So this is just some examples of what user data would look like and what we're expecting to see when we look at the raw data from the chips that are removed from the board. So typically there are two ways to look at data. One way is looking at the file system, similar to the file system you would see on your computer when you store documents. Same thing exists in vehicle modules. There are instances, though, where you cannot rebuild the complete file system and you've got to actually look at the raw data in hexadecimal format. So that hex data — the bottom photograph or screenshot is what that would look like in hexadecimal format.
MR. BRENNAN: When you looked at the data that was provided during the original chip off process and was produced by Miss Gaffney, were you able to at this point identify any date and time or power on or off information that you were looking for?
MS. BURGESS: No, I was not.
MR. BRENNAN: You mentioned that you went beyond the original data from the testing and you discovered something on the board.
MS. BURGESS: Yes, that's correct.
MR. BRENNAN: Could we have page 18, please? Tell us what you found.
MS. BURGESS: Uh, sure. So this is a micro SD card that I identified on the subject vehicle and later validated that existed on an exemplar vehicle as well.
MR. BRENNAN: Could you use the pointer?
MS. BURGESS: Sure.
MR. BRENNAN: I know there's a red square, but I want you to describe for us what you saw and what that meant to you.
MS. BURGESS: Sure. So if you look at this side of the circuit board — obviously this is a zoomed-in view — what you see is, kind of underneath the SD card, is a silver casing. That is the slot that the SD card would go into, similar to the slot you would have on your computer. And again, what we're looking at is the SD card, just both sides, top and bottom.
MR. BRENNAN: You had mentioned earlier that when you looked at the data, you believed there was data missing. When you found this SD card and discovered this, what did you conclude?
MS. BURGESS: Sure. So at that point I concluded that the data that we were missing was most likely stored on this SD card.
MR. BRENNAN: Did it appear whether or not this SD card had ever been removed from the board?
MS. BURGESS: No, it did not.
MR. BRENNAN: Did you receive any information that this SD card was ever studied or downloaded?
MS. BURGESS: No, I did not.
MR. BRENNAN: Could you just take this board and put it back in the car and use software to read it?
MS. BURGESS: Uh, there are instances where you can do that. For this vehicle, though, we could not.
MR. BRENNAN: Why couldn't you?
MS. BURGESS: Sure. So there are commercial forensic tools that are available for vehicle systems. One of those tools is referred to as Berla. Berla is a company that develops hardware and software that pulls data from vehicles in a user-friendly way, so that non-technical people can gain access to this data without having to go through the steps that we did in this case.
MR. BRENNAN: When you discovered this SD card and had your hypothesis that there may be data on it, did you have concerns about simply removing the SD card and trying to read it?
MS. BURGESS: Yeah. So anytime you see an SD card on a vehicle module — in the past there's research and documentation of finding these SD cards. Most of the time they are what's called Command 42 locked. So what that means is there's a lock put in place. So if you take this SD card out and plug it into your computer, your computer is not going to recognize it. The SD card is actually looking for a passcode from the vehicle itself to unlock it and allow access to the data.
MR. BRENNAN: What if you don't have that passcode?
MS. BURGESS: Sure. So when you don't have that passcode, there are ways around that lock. Specifically, if we look at the left photo, you can see a lighter-shaded black area on the SD card. What that is is a protective covering that is covering what's known as test pads. Those pads allow access to reading the data and bypassing that lock.
MR. BRENNAN: Is gaining access to an SD card on a board like this a simple process?
MS. BURGESS: It is not a simple process.
MR. BRENNAN: Are there a lot of advanced studies on it?
MS. BURGESS: There are advanced studies on it. And it is an in-depth process to recover this data and interpret it.
MR. BRENNAN: Are there any concerns that you had about spoiling or destroying the data if you tried to access the SD card without a passcode?
MS. BURGESS: Uh, no, not that I'm aware of. There's no documentation or research that suggests you would spoliate or lose data by bypassing that lock.
MR. BRENNAN: Were you concerned at all in trying to get the information from the SD card about the process of it?
MS. BURGESS: Yes, I was.
MR. BRENNAN: Why?
MS. BURGESS: Uh, to get data from this SD card — we suspected that the user data that we were expecting was on this card. So in order to validate that that user data existed on this card, we processed and went through a set of testing and validation on an exemplar vehicle.
MR. BRENNAN: What's an exemplar vehicle mean?
MS. BURGESS: Sure. So an exemplar vehicle is a 2020-2021 Lexus LX570, that is as close to the same trim and features that the subject vehicle was.
MR. BRENNAN: We could take that down. Miss Gilman, why did—
MS. BURGESS: You want a similar but very separate vehicle to do testing before you tried to crack into the SD card? Sure. So, it's kind of multiple reasons. First, to validate that the process that we're theorizing to recover data is viable. But also this is a vehicle that there's no documentation on as far as the data that is stored and the data how it's recorded and what it means. So, as well as being able to validate that process, we also wanted to do testing and create some of our own known data sets on a vehicle so that when we got the data, we were able to look at it and compare it to our known data sets and we were able to validate and correctly interpret what that data means.
JUDGE CANNONE: Mr. Brennan, why don't we take our break right now?
MR. BRENNAN: Yes, your honor.
JUDGE CANNONE: All right, folks. We'll take a 15-20 minute break. Okay, thank you.
COURT OFFICER: All right, please jurors close your notebooks. Follow me. Court is back in session. You may be seated.
JUDGE CANNONE: All right. Whenever you're ready, Mr. Brennan.
MR. BRENNAN: Mr. Burgess, when we left off, we were talking about an exemplar vehicle that you were using for tests and studies. If we could put up page nine, please, Miss Gilman, could you tell us what this is, Mr. Burgess?
MS. BURGESS: Yes. So, this is the photographs of the exemplar vehicle that we conducted testing on. So again it's a 2021 Lexus LX570 and the reasoning that we did this testing was again to validate that the user data that we were expecting to see was stored on that SD card. Additionally, in addition to that we were also looking to create an exemplar data set. So a known data set and we did that by connecting these cameras here. There's a camera here looking straight out. There's a camera here looking at the infotainment screen. What those cameras are doing is they're synced together and they're recording timestamps as well as they're recording any interactions that we have with the vehicle.
MS. BURGESS: So us opening the doors, turning on the vehicle, turning off the vehicle, driving the vehicle, interacting with the infotainment system is all being documented and then that way we can go back when we get the data off of the SD card and we can compare it to that documentation.
MR. BRENNAN: How closely were you trying to match the exemplar vehicle to the defendant's vehicle?
MS. BURGESS: Obviously, as closely as we could get. If I recall correctly, this is almost a perfect match to the subject vehicle.
MR. BRENNAN: If we could turn to page 20, please. You tell us what this shows. And Miss Gilman, if you could, could you focus in on the top gray and white line part if you could? A little further out if you could. We'd like to see all three rows if possible and if not we'll do it from a further view. Okay. Could you share with us what this slide represents, Mr. Burgess?
MS. BURGESS: Sure. So this slide represents a comparison between the exemplar data and the data from the subject Lexus. In this comparison we're looking at navigation system software. So that's going to be the infotainment system software. There's a number of different softwares running on this infotainment system for various functions. So you can see here there is a firmware version for the Wi-Fi functionality as well as the OS version. The audio, the DVD function. And I believe there's a section for the CD or disc version. So what we're looking at is we're looking at the software versions that are running on the exemplar. We're comparing that to the software versions that are running on the subject and those match. So we would expect to see the user data to be stored in the same way.
MR. BRENNAN: Is it common that an exemplar vehicle will match the focus vehicle exactly like this?
MS. BURGESS: Yeah. So, you know, I wouldn't say it's common or uncommon. I have seen it in the past. A lot of times with your newer vehicles, you'll probably notice some of them tend to update more often than others. For this one, it looks like the Lexus doesn't update quite as often. So we are able to see that the software versions are the same.
MR. BRENNAN: If we could take that down, please. And if you could remind us before we go into your findings in that SD card that was left behind, what was the most important thing you were looking for as far as data on that SD card?
MS. BURGESS: Sure. So, the most important thing we're looking for is timestamped data specifically related to power on or ignition on events.
MR. BRENNAN: If you were to find timestamp data for power on, power off, ignition events, how would you use that? What would you use that in unison or comparison with the information that you already had?
MS. BURGESS: Sure. So, we would use that in comparison with provided surveillance videos to compare and see how accurate those timestamps are and how consistent they are.
MR. BRENNAN: Specifically on the night of January — or the morning of January 29th, when you analyze the SD card, did you get viable information?
MS. BURGESS: Yes, we did.
MR. BRENNAN: What information did you get?
MS. BURGESS: So, we got a couple different data types. We got contact list from some of the connected devices, as well as serial numbers and phone numbers associated with the connected devices. Call logs and then power on and power off events.
MR. BRENNAN: Was your focus on one particular aspect of that data?
MS. BURGESS: Primarily the focus was on the power on and off events.
MR. BRENNAN: And did you find information regarding power on and power off events that could date and time those?
MS. BURGESS: Yes, we did.
MR. BRENNAN: If we could have number 29, please — 30. Can you share with us what you found?
MS. BURGESS: Sure. So, this is some screenshots from our exemplar testing. So, again, these are from those cameras that I pointed out earlier. What we see when we go back and review this camera footage is we see when I press the ignition on button there is actually a logo that appears on the infotainment screen as it's booting up. The time that that logo appears on the screen is associated with a time that we see in the raw data. And that's in the hexadecimal data that is very small so it's kind of hard to see. But essentially what you have is you've got a date and you've got a time in UTC. And then you've got an identifier that suggests that the vehicle has been powered on.
MS. BURGESS: So, we've got four of these tests that we can kind of compare back to and determine that this is the time that the infotainment system powers on and that first logo screen appears. And then through testing we can identify that ignition on is approximately 3 seconds before that timestamp.
MR. BRENNAN: So do I understand — if you press the button to start the vehicle there's a 3-second delay before the actual vehicle starts?
MS. BURGESS: Correct. So not the actual vehicle starting. So, you press the ignition on button. There's a 3-second delay in when the infotainment system powers on.
MR. BRENNAN: Is there any way, Miss Gilman, to focus in on one of those two photos? Can you tell us what this information is?
MS. BURGESS: Sure. So, this is those camera angles. And what you see is I'm pressing the ignition on at this time. In that second photo on the right, you'll see that this is specifically approximately 3 seconds after I press that ignition on. And you see the Lexus logo appearing on the infotainment module.
MR. BRENNAN: Let me ask you something about the clocks while we're here. You see a local time on there?
MS. BURGESS: Yes, I do.
MR. BRENNAN: Is that local time measured by a particular clock system?
MS. BURGESS: Sure. So, that's measured by our reference equipment. So, we're using what's called VBOX equipment to capture these videos. So here that local time is actually UTC time. So it's not actually local time for this area. That could be a little — that could be an error in how that's reporting, but essentially what we're seeing is the infotainment system is powering on at that exact time of 21:48:08.
MR. BRENNAN: And this was for power on. Can we have number 31, please? How's this different than the one we just looked at?
MS. BURGESS: Sure. So this is power off. So this is myself pressing the ignition to power off the vehicle. And what we see at this exact time — when you power off and press the ignition button, the screen on the infotainment system becomes blank, and associated with that it powers off, and you see a log within the raw data that indicates that—
MR. BRENNAN: You mentioned that you found power on, power off information. Can you explain what that means?
MS. BURGESS: Sure. So through this testing, what we were able to do is see that there are timestamped power on and off events for when the infotainment system is recording a power on and power off. And then we validated that with the exemplar testing.
MR. BRENNAN: Ultimately, were you able to use that power on, power off, timestamp information to identify the times of the later two events, the Techstream events, the three-point turn and the backing maneuver?
MS. BURGESS: Yes, in combination with other data, we were able to determine that.
MR. BRENNAN: Did you test the power on, power off data?
MS. BURGESS: Yes, we did.
MR. BRENNAN: Could we have number 32, please? Can you tell us what this is?
MS. BURGESS: Sure. So, this is the first power on event after 12:00 on January 29th. That power event is happening at 12:12:36 up here in the top. And the vehicle is powered on and it's not powered off until 12:42:00.
MR. BRENNAN: Is there any power on, power off events in between those two times?
MS. BURGESS: No, there's not.
MR. BRENNAN: And do you have an opinion to a reasonable degree of scientific certainty as to whether or not the first power on event for that night, January 29, 2022, was 12:12:36 a.m.?
MS. BURGESS: Yes—
JUDGE CANNONE: I'll sustain it at this point.
MR. BRENNAN: Do you have an opinion as to the first power on event of that Lexus on January 29th, 2022?
MR. ALESSI: Objection, your honor.
JUDGE CANNONE: Sustained at this time.
MR. BRENNAN: When you study the information from the data, does this slide reflect the information that you studied?
MS. BURGESS: Yes, it does.
MR. BRENNAN: Were you able to determine from your data study the time that was registered of when that Lexus was turned on for the first time on January 29th, 2022?
MS. BURGESS: Yes, I was.
MR. BRENNAN: How were you able to do that?
MS. BURGESS: Sure. So through our exemplar testing and determining that those timestamps are accurate to when the vehicle was powered on, we are able to say that this power on event is the first power on event of January 29th after 12:00 a.m.
MR. BRENNAN: And based on your study of the exemplar and the data from the SD card, did you arrive at an opinion as to the time of the first power on event of that Lexus vehicle on January 29, 2022?
MS. BURGESS: Yes, I did.
MR. BRENNAN: Is your opinion to a reasonable degree of scientific certainty?
MS. BURGESS: Yes, it is.
MR. BRENNAN: And what is your opinion?
MR. ALESSI: Objection, your honor.
JUDGE CANNONE: I'll see you inside.
PARENTHETICAL: [sidebar]
MR. BRENNAN: Mr. Burgess, could you explain for us how you can identify the power on event from the data that you discovered on that SD card that was left behind?
MS. BURGESS: Sure. So through our exemplar testing, we can identify a power on event, which is depicting the time the logo on the infotainment system comes on, and then the time the infotainment system goes blank. So that is representing a power off event. And then we can reference that back to the ignition on, which occurs approximately 3 seconds before the power on — the infotainment power on event.
MR. BRENNAN: Is this a methodology that is used in your standard of practice?
MS. BURGESS: Yes, it is.
MR. BRENNAN: And have you used this type of methodology before?
MS. BURGESS: Yes, I have.
MR. BRENNAN: Is it a methodology that is regularly accepted in this type of analysis?
MS. BURGESS: Yes. So this is a methodology that is regularly accepted in the digital forensics community, and it is a process of testing and then validating.
MR. BRENNAN: How does that process further validate the accuracy of the times that you are registering and finding?
MS. BURGESS: Sure. So through that testing we are able to validate that accuracy. And through that testing we've got four tests that represent a power on event and two tests that represent a power off event. In addition to that, we are comparing that data to surveillance video with timestamps as well to show the consistency.
MR. BRENNAN: When you engage in your testing, you said there were four test runs or examples. Did you analyze it to see how in fact accurate it was?
MS. BURGESS: Yes, I did.
MR. BRENNAN: And how accurate was it?
MS. BURGESS: It was accurate to the second compared to our reference clock.
MR. BRENNAN: And when you actually take the data from that SD card, how do you interpret it? How do you get it from a piece of plastic with metal on it to actual numbers and data?
MS. BURGESS: Sure. So, the process of that again is we're making connection to those contact pads on the SD card and we're pulling that raw data. Once we have that raw data, there's a few processes we have to go through to make that raw data interpretable. So those processes are what's called XOR scrambling. So when data is stored on an SD card, there are two components to that SD card. There is what's called the NAND component and then there is a controller component. The controller component is where — if you remember that Command 42 lock — that is located in that controller component. So what we're doing is we're bypassing that controller.
MS. BURGESS: We're accessing that NAND and then we're using forensic software to determine and interpret the XOR scrambling that is put in place on that NAND so that we can take that scrambled data and be able to read it and interpret it — as well as what's called error correction code. So NAND devices are not, you know, they're not great at keeping voltages accurate like they should. And that's just based on how the architecture and how the NAND components are manufactured. So what the manufacturers have done is they've put in place error correction code to correct any bit errors within that data. So what we've done is we've identified the error correction code and the XOR scrambling using software known as Resolute.
MS. BURGESS: That software again is hardware and software that we use to access that data and process it and interpret it. From there we can take that data and we can review it in that hexadecimal format.
MR. BRENNAN: And based on that methodology and that process and that study, were you able to extract the data from the SD card and identify the first power on event of the defendant's Lexus on January 29th, 2022 to a reasonable degree of scientific certainty?
MS. BURGESS: Yes, I was.
MR. BRENNAN: And do you have an opinion about what time that Lexus, the defendant's Lexus was powered on on December 29th, 2022 for the first time?
MS. BURGESS: Yes, that would be approximately 12:12:36.
MR. BRENNAN: And is that to a reasonable degree of scientific certainty?
MS. BURGESS: Yes, it is.
MR. BRENNAN: On your chalk on the screen, does the power on event — is that the same as your interpretation?
MS. BURGESS: Yes, it is. The 12:12:36 a.m. time.
MR. BRENNAN: What time clock is that based on?
MS. BURGESS: Sure. So, that's based on the internal clock in the Lexus.
MR. BRENNAN: The clock in the Lexus, is that a universal time or do clocks on different devices run differently?
MS. BURGESS: Sure. So, it's not a universal time. Clocks on different devices run differently. So if you've ever noticed that your microwave clock is not running in sync with your iPhone, the same thing is occurring here. Even though the Lexus clock is communicating back and forth with GPS satellites and other things, the clock is still not synchronized perfectly. So you would not expect this clock to match up perfectly with other devices.
MR. BRENNAN: When you're considering two very different or separate devices, if the time is different, what would that be called?
MS. BURGESS: Sure. So, that would be called a clock variance.
MR. BRENNAN: I want to get into that later, but I want to finish what we have in front of us now.
MS. BURGESS: Sure.
MR. BRENNAN: In addition to identifying the first power on event of January 29, 2022 of the defendant's Lexus at 12:12:36, were you able to identify the first power off event of that same Lexus of January 29, 2022?
MS. BURGESS: Yes, I was. And that was at 12:42:00 approximately.
MR. BRENNAN: Did you use the same methodology and vetting that you did in testing that you did with the power on event?
MS. BURGESS: Yes, I did.
MR. BRENNAN: And do you have an opinion if that time is accurate to a reasonable degree of scientific certainty?
MS. BURGESS: Yes, I do.
MR. BRENNAN: And what is that opinion?
MS. BURGESS: So that opinion is that time is reliable to the second as far as the Lexus clock is concerned.
MR. BRENNAN: What is the graph on the bottom showing us?
MS. BURGESS: Sure. So the graph is just a graphical representation of the same data, representing the power on event on a timeline at 12:12:36 and the power off event at approximately 12:42:08.
MR. BRENNAN: When you're looking at times, power on and power off events to date and time it, are you obtaining that information independent of other outside information?
MS. BURGESS: Yes, I am.
MR. BRENNAN: Is the data simply the data or does something affect it?
MS. BURGESS: Sure. So, no, the data is simply the data. So when we get the data we can compare it to outside sources or external sources to verify that it's consistent with other sources. But the data does not depend on any outside sources.
MR. BRENNAN: Do you often times use outside sources to vet or test the data even though it's a totally separate concept?
MS. BURGESS: Yes I do.
MR. BRENNAN: After this power on, power off event, when you studied the data from the SD card using the same methodology and technique, did you find any other subsequent power on and power off events of the defendant's Lexus on January 29th, 2022 after this event?
MS. BURGESS: Yes, I did.
MR. BRENNAN: Could we have slide 33, please? Mr. Burgess, can you tell us what the next event is that you found in the data?
MS. BURGESS: Sure. So, the next power on event occurs at 5:07:46. That's this top timestamp here. The infotainment system records a power off event after that at 5:46. And what we have here is we've got surveillance video that was provided that depicts the approximate time range that those two events happen. So these videos do not capture the actual power on or power off event but they occur around the same time frame and they are consistent with one another.
MR. BRENNAN: The power on event time that you've listed is 5:07:46. Where does that time come from?
MS. BURGESS: That time is coming from the internal Lexus clock.
MR. BRENNAN: And based on the data from the Lexus clock, do you have an opinion as to the accuracy of that time of 5:07 a.m. as it relates to the Lexus clock?
MS. BURGESS: Yes, I do.
MR. BRENNAN: And what's your opinion?
MS. BURGESS: So compared to the Lexus clock, that time is accurate to the second.
MR. BRENNAN: The videos you have, are those timed from the same Lexus clock or a different source?
MS. BURGESS: No. So those videos — those timestamps of the videos are coming from external sources. In the example of these videos, I believe that is a ring camera.
MR. BRENNAN: Why would you try to vet the timestamp that you've identified to the second from the Lexus clock with another item including a video that uses a different clock?
MS. BURGESS: Sure. So that further validates that those timestamps are accurate and they're consistent with timestamps we're seeing from other devices.
MR. BRENNAN: Can there be a variance with other devices?
MS. BURGESS: There can be a variance.
MR. BRENNAN: If there's a variance, could that still corroborate or support the original timestamp from the Lexus clock?
MS. BURGESS: Yes. So even with a variance, those timestamps can still be consistent with one another.
MR. BRENNAN: And on the two photographs, are those videos or photographs?
MS. BURGESS: Those are videos.
MR. BRENNAN: What is the purpose of including a video?
MS. BURGESS: Sure. So the purpose of including the video is just to depict that the video does not actually capture the power on or power off event. But again, it is around the same time frame that the power on and power off event occurred.
PARENTHETICAL: [video plays]
MR. BRENNAN: Okay, thank you. What about that video vets or corroborates the 5:07:46 Lexus time on the power on event?
MR. BRENNAN: Miss Gilman, are you able to play the video to the left?
JUDGE CANNONE: A little bit more before you get to that, Mr. Brennan.
MR. BRENNAN: Okay. Did you use the video that we just saw in an attempt to vet or corroborate the timestamp for the power on event on the Lexus?
MS. BURGESS: Yes, I did.
MR. BRENNAN: How did you do that?
MS. BURGESS: Sure. So looking at the start timestamp on the video, we can see that the video starts at approximately 5:07:58. Keeping in mind this timestamp is coming from the camera — the ring camera itself. And when we look at the power on event, we see that it occurs at 5:07:46. So although we don't see the actual time of the power on event, that is consistent with what we would expect.
MR. BRENNAN: What does the video on the right help us do?
MS. BURGESS: So the video on the right helps us do the same thing. So when we look at the power off event that occurs at 5:46:20, again when we look at the ring video on the right, that start timestamp of that video is 5:46:29. So again, we missed the power off portion of when that occurs, but that is consistent again with what we would expect.
MR. BRENNAN: Could we play the video on the right? If you can enlarge, that would be helpful. If not — if you could stop the video, please. Mr. Burgess, you see the lights are on on that vehicle?
MS. BURGESS: Yes, I do.
MR. BRENNAN: Okay. Can you tell if the vehicle is on or off at that point?
MS. BURGESS: Sure. So I cannot tell if the vehicle is on or off at that point. Typically when you power off a Lexus or a modern vehicle, the lights will stay on for some portion of time afterwards. But again, that is consistent with the timestamp from the power off event.
MR. BRENNAN: And do you have an opinion to a reasonable degree of scientific certainty as to the accuracy of the power on and power off events as they pertain to the Lexus clock?
MS. BURGESS: Yes, I do.
MR. BRENNAN: And what is that opinion?
MS. BURGESS: That is that those timestamps are accurate to the second.
MR. BRENNAN: Did you further follow the data to see if there were any other power on and power off events relative to the Lexus for January 29th, 2022?
MS. BURGESS: Yes, I did.
MR. BRENNAN: Could you take us to exhibit 34, please? What is this, Mr. Burgess?
MS. BURGESS: Sure. So this is the next time that the vehicle is powered on and subsequently powered off. That power on event occurs at 12:35:01. The power off event occurs at 2:12:01. And then this video is a video from Alarm.com surveillance that depicts the vehicle pulling into a driveway and shutting off. So when we look at the video and we watch the video, you can actually see at 2:12:01 in the video timestamp that the windshield wipers stop moving and the vehicle's suspension begins to lower, indicating that the ignition button has been pressed.
MR. BRENNAN: Let's start with the power on event. Was there any video available to show the power on event at 12:35:01?
MS. BURGESS: There is no video available that I'm aware of.
MR. BRENNAN: On the last slide, you had the power off event at 5:46:20 a.m. Correct.
MS. BURGESS: Correct.
MR. BRENNAN: Was there any other power on and power off events between 5:46:20 a.m. and this event here?
MS. BURGESS: No, there was not.
MR. BRENNAN: Did you try to obtain any corroborative video or evidence relative to the power on event of 12:35:01?
MS. BURGESS: I did request, or make a request, to see if there was any video available, and as far as I'm aware, there was not regarding the power on event.
MR. BRENNAN: Do you have an opinion to a reasonable degree of scientific certainty as to the accuracy of the power on event as it relates to the Lexus clock on the system?
MS. BURGESS: Yes, I do.
MR. BRENNAN: And what is that opinion?
MS. BURGESS: That is that that power on event is accurate to the second in reference to the Lexus clock — 12:35:01 p.m.
MR. BRENNAN: Correct. And do you have an opinion as to the power off event to a reasonable degree of scientific certainty as to the accuracy from the data you recovered from the SD card?
MS. BURGESS: Yes, I do. And that power off event again occurred at approximately 2:12:01 according to the Lexus clock.
MR. BRENNAN: I don't know if you can enlarge the video, Miss Gilman, but if you can — and if not, could we play anyways? Thank you. And could you explain for us the graph on the bottom of that exhibit — pardon me, of that diagram?
MS. BURGESS: Sure. So that graph again is just a timeline — a graphical representation of when the power on event occurred and when the power off event occurred at 12:35:01 and 2:12:01.
MR. BRENNAN: Based on the data you analyzed from the SD card, was there any further power on and power off events on January 29, 2022 after this 12:35:01 to 2:12:01 event?
MS. BURGESS: Yes, there was.
MR. BRENNAN: Could you display for us page 35, Miss Gilman? And what is this, Mr. Burgess?
MS. BURGESS: Sure. So this is the next power on event that is recorded within the system. That power on event occurs at approximately 4:11:46 and the power off event occurs at 4:12:56. The video we see is that same Alarm.com surveillance video. The start timestamp of that video is 4:12:30. So again we don't see the actual power on and off event within the video. But it is consistent with what we would expect, as the power on event occurring at 4:11:46 and then the video starting and we see the car backing up at 4:12:30.
MR. BRENNAN: Would the Alarm.com be using a different clock than that of the Lexus?
MS. BURGESS: It would be. Yes.
MR. BRENNAN: And based on your methodology and vetting and testing and view of the data on the SD card, do you have an opinion to a reasonable degree of scientific certainty as to the time of this power on event?
MS. BURGESS: Yes. So that power on event would be 4:11:46.
MR. BRENNAN: And do you have an opinion as to the time of the power off event related to this diagram?
MS. BURGESS: Yes, that would be 4:12:56.
MR. BRENNAN: Is that opinion as well to a reasonable degree of scientific certainty?
MS. BURGESS: Yes, it is.
MR. BRENNAN: Is that a photograph or a video?
MS. BURGESS: That is also a video.
MR. BRENNAN: Miss Gilman, could you help us? Thank you. And similarly, does the graph give a general idea of the time?
MS. BURGESS: Yes. So similarly, the graph is a timeline representation of the power on and power off event.
MR. BRENNAN: Mr. Burgess, was there an additional power on and power off event after the power off event at 4:12:56 p.m. at the Dighton residence?
MS. BURGESS: Yes, there was.
MR. BRENNAN: Miss Gilman, could you show us number 36, please? Mr. Burgess, could you take us through this?
MS. BURGESS: Sure. So this is the next power on event that occurs. And that power on event occurs at 5:34:51 p.m. The power off event occurs at 5:36. Again, the video that is associated with this does not show the power on or the power off event. But it shows the time just before the vehicle is arriving to this location on a tow truck. And that would be consistent with the vehicle then being powered off and backed off of the tow truck at that time.
MR. BRENNAN: And based on your analysis of the data, do you have an opinion to a reasonable degree of scientific certainty what time this power on event took place?
MS. BURGESS: Yes. And that time would be 5:34:51. And that's according to the internal Lexus clock.
MR. BRENNAN: Yes, it is. Do you have an opinion to a reasonable degree of scientific certainty when this vehicle was then powered off?
MS. BURGESS: Yes. And that would be 5:36:42. Again, pursuant to the Lexus clock.
MR. BRENNAN: Correct. After this event at 5:34:51 p.m. to 5:36:42 p.m., when you studied the data, were there any other power on or power off events for this Lexus vehicle on January 29th, 2022?
MS. BURGESS: Not that I studied after this event.
MR. BRENNAN: Could you take that down, please? Now, we touched on an issue earlier. I want you to give your opinions and explain to the jury. You mentioned the word "variance" between different items. I don't think you used the word "items." You said something else.
MS. BURGESS: Sure. So, that's going to be the clock variance between different devices. So in this instance, what we're referring to is the difference in the clocks of the Lexus module and an iPhone. We would not expect those clocks to be perfectly synced. Typically what we see, and what is generally accepted, is a clock variance of up to 60 seconds. And that is because when you think about when you're looking at your radio and you're looking at the clock, it's representing to you the hours and the minutes. It's not representing the seconds. So again, it's accurate.
MR. BRENNAN: When you were looking for power on, power off information from the data on the SD card, what clock would that information, that time be dependent on?
MS. BURGESS: Sure. So that's going to be dependent on the Lexus clock. That Lexus clock is continuously running. But it also syncs up with GPS systems to update the clock on occasion. We do not know how frequent that activity occurs, because that is proprietary to the manufacturer themselves.
MR. BRENNAN: To bring us back — when you started this case there were two important techstream events. Correct?
MS. BURGESS: There were two techstream events.
MR. BRENNAN: Remind us what those were.
MS. BURGESS: Sure. So one is going to be associated with a three-point turn and the other is going to be associated with a backing maneuver.
MR. BRENNAN: And those two techstream events — are they related in any way to the running clock that is on the techstream data?
MS. BURGESS: Sure. So when we think back, the techstream events have that running clock from ignition on, and because we know the power on events from the infotainment module we can reconcile when those time counts occurred.
MR. BRENNAN: If there's information about timing from techstream data on the Lexus, what would you have to do if you took a separate device like an iPhone and you wanted to reconcile the variance?
MS. BURGESS: Sure. So if we want to reconcile the variance, what we would need is an event that occurs that both clocks record. So for instance, if you've got two cameras that are recording you jumping up and down, you would take your motion of jumping up and down — or your event of jumping up and down — and you would use that event to sync the clocks of those two cameras. So essentially we're doing the same thing with the Lexus clock and the iPhone clock.
MR. BRENNAN: When you did your analysis during this case, initially, did you have any interest in trying to reconcile those clocks?
MS. BURGESS: No, I did not.
MR. BRENNAN: Why not?
MS. BURGESS: Because it is generally accepted that the clock variance is up to 60 seconds. And while reviewing the power on and off events and comparing that to the surveillance videos that were provided, that was consistent with what we would have expected.
MR. BRENNAN: Did something compel you to further your study and compare the Lexus clock information on those two techstream events — the three-point turn and the backing maneuver — to a different device?
MS. BURGESS: Yes. There was a claim of attempting to synchronize those two clocks that I believed was potentially misleading.
MR. BRENNAN: And so based on reviewing that information and coming to that conclusion, did you on your own do any further study about the difference in clocks and attempt to synchronize them?
MS. BURGESS: Yes, I did.
MR. BRENNAN: You said that you can synchronize if you have more than one device identifying a particular time. What did you mean by that?
MS. BURGESS: Sure. So if we've got two devices that are recording a similar event — so let's say for instance a three-point turn — if that is recorded with an iPhone with the iPhone's clock, we can compare that event to the time that that event occurs and is recorded by the Lexus.
MR. BRENNAN: Were you aware of any device other than the Lexus recording that three-point turn?
MS. BURGESS: Yes, I was.
MR. BRENNAN: What were you aware of?
MS. BURGESS: That would be an iPhone from Mr. O'Keefe.
MR. BRENNAN: Did you have data and information from Mr. O'Keefe's phone at some point?
MS. BURGESS: I did have partial location data from Mr. O'Keefe's iPhone.
MR. BRENNAN: Did you do something with his iPhone data as it relates to the Lexus clock on those two events, the three-point turn and the backing maneuver?
MS. BURGESS: I did on the three-point turn. Yes. And the backing maneuver.
MR. BRENNAN: Tell us what you did.
MS. BURGESS: Sure. So I looked at when the three-point turn occurred within the iPhone data and the location data, in reference to that clock, and then looked at the same three-point turn event as it was recorded from the techstream and the Lexus clock.
MR. BRENNAN: At some point, did you have enough data to make that full analysis?
MS. BURGESS: Yes, I did.
MR. BRENNAN: Now, as a general concept — before we get to the three-point turn in detail — I want to turn to page 39 of your PowerPoint. I'm sorry, if you could turn to page 38, please.
MS. BURGESS: Okay.
MR. BRENNAN: Can you explain to us the concept of synchronizing clocks?
MS. BURGESS: Sure. So this is kind of a graphical representation of how to synchronize a clock. So essentially, like I said, we're taking an event that occurs. In this instance it's a three-point turn. We have data where that three-point turn is recorded within an iPhone. And we have data where that three-point turn is recorded within the Lexus. Those events have clocks associated with them. So in order to reconcile the difference in those clocks, we are comparing the clock times for the event from each device, and moving or adjusting the clock for one compared to the other.
MR. BRENNAN: In addition to specializing in data and computers and cars, you also mentioned that you specialize in mobile phones. Yes?
MS. BURGESS: Yes, I do.
MR. BRENNAN: Did you use your experience and your training and your education to analyze the iPhone data from Mr. O'Keefe's phone as it related to the information from the Lexus vehicle? DEFENSE COUNSEL: Objection, your honor.
JUDGE CANNONE: Did you answer that yes or no?
MS. BURGESS: Yes.
MR. BRENNAN: Yes. You did?
MS. BURGESS: I did.
MR. BRENNAN: Okay. Did you see what type of information was being stored on Mr. O'Keefe's cell phone as far as location data?
MS. BURGESS: Yes, I did. In reference to location data, Mr. O'Keefe's iPhone is recording timestamps, GPS position, speed, and heading. So heading is going to be the direction that the iPhone is facing.
MR. BRENNAN: Was there any particular application that you were aware of that he was using?
MS. BURGESS: Yes. As far as I'm aware he was using the Waze app for navigation.
MR. BRENNAN: Could we have number 39, please? Could you tell us what this shows, Mr. Burgess?
MS. BURGESS: Sure. So specifically what we're looking at within the location data is a two-minute window. That two-minute window we see here graphically plotted on a map, and we see — it's hard to tell, but you can see a white dot which is the center of a radius for a GPS position. The orange circles are the horizontal accuracy for each one of those positions. And then down here you can see a black line coming off of each GPS position that represents the heading, or the direction that the iPhone is facing.
MR. BRENNAN: You mentioned you had some materials from Mr. Whiffin. Did you ever see any materials from Mr. Whiffin regarding location data that was acquired through the application Waze?
MS. BURGESS: Yes, I did see a report by Mr. Whiffin.
MR. BRENNAN: Did you rely on his report or did you independently on your own test the location information?
MS. BURGESS: Sure. So I independently on my own looked at the location data from Mr. O'Keefe's phone.
MR. BRENNAN: This diagram that we see with all the points on it — is this developed from your own independent view and review of Mr. O'Keefe's location data?
MS. BURGESS: It is.
MR. BRENNAN: To the top left is a round circle. What does that indicate?
MS. BURGESS: Sure. So top left — so yeah, that's going to be again the GPS coordinate beginning for this two-minute interval that we're looking at. The orange circle is going to be the horizontal accuracy for that GPS point. And then
MR. BRENNAN: Bring us down and up to the left. There seems to be a bigger circle on the top.
MS. BURGESS: Sure. So as we come down, I believe what is Cedarcrest — and go up Cedarcrest — we have a position where the course heading of the iPhone changes. The speed lowers and we have a lot more GPS points in a centralized location. So that's why you see those overlapping circles in that location.
MR. BRENNAN: When you're following and analyzing Mr. O'Keefe's location information, does this in any way relate to the first of those two techstream events that you originally were focused on?
MS. BURGESS: It does relate to the first techstream event which identifies a three-point turn.
MR. BRENNAN: And again, although you're not an accident reconstructionist, do you know if there's data that was captured regarding this three-point turn as far as an event?
MS. BURGESS: Yes, I'm aware of data that was captured during that three-point turn event.
MR. BRENNAN: If we could turn to page 40, please. I want you to explain to us how this chart works. What does a point mean?
MS. BURGESS: Sure. So when we were initially provided the location data, again we were provided a partial view or partial data set of that location data, and within that Excel spreadsheet that data was provided in, it was identified as GPS points. So what we've got here is we've got the partial data along with the full data set that I was provided later on. So we've got a couple of columns here. We've got "point," which is GPS point from that partial initial data set that I was provided. We've got timestamps — so these timestamps are every second. With every second there is a latitude and a longitude recorded, as well as a horizontal accuracy, a speed, and again a course heading.
MR. BRENNAN: When you looked at data point 154, is there a time ascribed to that?
MS. BURGESS: There is a time ascribed to that as 12:23:58.
MR. BRENNAN: Before you did this more in-depth analysis, were you relying on anything beyond GPS point 154, that one line?
MR. BRENNAN: Why?
MS. BURGESS: Because again, we were initially provided a partial data set of the location.
MR. BRENNAN: And why didn't you seek earlier on to break this down with more specificity?
MS. BURGESS: Again, because the generally accepted clock variance is up to 60 seconds. And that data was consistent with everything else we were seeing. So there was no need to look any further.
MR. BRENNAN: And what compelled you again to look further?
MS. BURGESS: A claim of misinterpreting and a misleading calculation trying to adjust these clocks.
MR. BRENNAN: Were you given a report?
MS. BURGESS: I was not given a report. I was given a PowerPoint presentation.
MR. BRENNAN: When you decided to delve deeper into this, was that on your own initiative or were you requested to do it?
MS. BURGESS: That was on my own initiative.
MR. BRENNAN: Now, rather than simply relying on GPS point 154, what does breaking it down with all of the times and numbers between the green and orange do for your analysis?
MS. BURGESS: Sure. So breaking it down, we can see between the green — so the green, highlighted in green, is position, or time stamp 12:23:59. What we see happening before that time is the speed is pretty consistent between 15 and 8 miles per hour. The speed starts to drop at that point. And if we look at the course heading, we can see that the course heading before that time is pretty consistent as well, between 339 and 348. So at position, or at time 12:23:59, the speed drops and the course heading changes from approximately 360 — so straight north — to 284, which is in a northwesterly direction. After that time of 12:23:59, the speed recorded is zero. The course heading is 352. And at time 12:24:07, you see the speed pick back up and the course heading is around 179°.
MS. BURGESS: So that's going to be in a southern direction. So based on this information, we can tell that the vehicle between 12:23:59 and 12:24:07 made a three-point turn maneuver, changing from the northern direction of heading to the southern direction.
MR. BRENNAN: Is this data generated from Mr. O'Keefe's phone or from the Lexus?
MS. BURGESS: Sure. So this data is generated from Mr. O'Keefe's phone.
MR. BRENNAN: Where you initially relied on GPS point 154 as a time stamp to identify the time and location of the car at a later point, does this give you more of a benefit breaking it down?
MS. BURGESS: This does give you more of a benefit breaking it down.
MR. BRENNAN: The zeros in the speed — what does that indicate to you as far as the data relative to the portion of the three-point turn?
MS. BURGESS: Sure. So it doesn't necessarily mean the vehicle is at 0 miles per hour. Again, if you look at the horizontal accuracies, we've got anywhere between 16 and 29 feet. So that's the range in the GPS and what it's seeing. So if the car is, you know, slightly moving — or moving like you would expect during a three-point turn — you would expect to see that speed at, you know, zero miles per hour.
MR. BRENNAN: Did you develop a photograph with some detail to explain this in more of a picture format?
MS. BURGESS: Yes, I did make a graphical representation of this.
MR. BRENNAN: If we could have slide 41, please. Could you break this down for us, Mr. Burgess?
MS. BURGESS: Sure. So this is again a zoomed in version of the map that we showed earlier. And what we've done is we've cleaned out, or just removed for the sake of simplicity, the other points leading north to this point and the points leading south. Those are going to be those zero mph indications. So what we're looking at is the heading change and that speed change which occurs at 12:23:59. And you can see the heading change from the black arrow leading off of the center radius of the GPS position. And then at 12:24:07, you see the heading change to a southern direction. And then the other GPS points are consistent with the vehicle moving southbound on Cedarcrest.
MR. BRENNAN: So the claim that you analyzed, did that actually compel you to analyze and identify a more accurate variance than you originally had?
MS. BURGESS: It did.
MR. BRENNAN: And do you have an opinion to a reasonable degree of scientific certainty what the variance is between the clock on the defendant's Lexus on January 29, 2022 and Mr. O'Keefe's cell phone on January 29, 2022?
MS. BURGESS: Yes, I do.
MR. BRENNAN: And to a reasonable degree of scientific certainty, what is that variance?
MR. ALESSI: Objection, your honor.
JUDGE CANNONE: Sustained. Need a little more, Mr. B.
MR. BRENNAN: Okay. After you studied GPS point 154, what did that help you do? What did you learn from that?
MS. BURGESS: Sure. So after studying GPS point 154 and these further GPS positions, we are able to identify the approximate time that the three-point turn occurred according to Mr. O'Keefe's iPhone data. So now we've got that event of when that three-point turn occurred. Now we can compare that to the three-point turn from the TechStream data and that running clock. Again, what we're doing is taking the power-on event at 12:12:36 and adding the time count from the TechStream data to come up with the time of 12:23:38 in the TechStream data. So the TechStream data indicates a three-point turn ended — or a trigger event, a TechStream event ended — at approximately 12:23:38. The iPhone indicates that a three-point turn occurred between 12:23:59 and 12:24:07.
MS. BURGESS: So since we've got that shared event between the two devices, we can reconcile any type of clock variance. So adjusting the Lexus clock to the iPhone clock, we can calculate that clock variance.
MR. BRENNAN: Is this a methodology that is commonly used in your practice?
MS. BURGESS: It is.
MR. BRENNAN: Is it commonly used in the scientific community which you're part of?
MS. BURGESS: It is.
MR. BRENNAN: Are there scholarly papers about this type of methodology in comparison of synchronizing clocks?
MS. BURGESS: There are.
MR. BRENNAN: One of the papers you wrote — did that have anything to do with synchronization of clocks?
MS. BURGESS: It did not have anything to do with synchronization of clocks. But it was relative to how accurate the time stamps are of events from iPhones.
MR. BRENNAN: And that was one of your peer-reviewed papers?
MS. BURGESS: Yes, it was.
MR. BRENNAN: And are there scholarly journals and studies on the synchronization of clocks?
MS. BURGESS: There are.
MR. BRENNAN: Did you use that methodology in your analysis to arrive at an opinion about the time variance between the defendant's Lexus and Mr. O'Keefe's phone?
MS. BURGESS: Yes, I did.
MR. BRENNAN: Okay. And do you have an opinion to a reasonable degree of scientific certainty?
MS. BURGESS: Yes, I do.
MR. BRENNAN: And what is that opinion?
MS. BURGESS: The clock variance is between 21 and 29 seconds.
MR. BRENNAN: If we could have number 42, please. What is this, Mr. Burgess?
MS. BURGESS: Sure. So this is — if we think back to the last slide, we've identified the three-point turn event in both data sets. So now if we want to adjust one clock to the other, we can do that. And doing that, we've identified that the variance is between 21 and 29 seconds. So we would need to adjust the Lexus clock forward by 21 to 29 seconds to synchronize it with the iPhone data. So in doing that, the end of TechStream event 11621 goes from 12:23:38 to between 12:23:59 and 12:24:07.
MR. BRENNAN: These two clocks — one on the left being the Lexus clock that reads 12:23:38 a.m., and the other clock on Mr. O'Keefe's iPhone showing a different time, 12:23:59 to 12:24:07 — do you have an opinion to a reasonable degree of scientific certainty if these two clocks pertain to an event that's happening at the same time or a different time?
MS. BURGESS: Yes. So these two clocks — we are synchronizing these clocks to an event that is happening at the same time. This is relative to the first TechStream event, the three-point turn.
MR. BRENNAN: You said there was a second TechStream event that you were analyzing.
MS. BURGESS: Correct. There is a second TechStream event.
MR. BRENNAN: And what is that second TechStream event?
MS. BURGESS: That second TechStream event is a backing up maneuver.
MR. BRENNAN: Are you familiar with the time frame on the Lexus clock relative to that second TechStream event?
MS. BURGESS: Yes, I am.
MR. BRENNAN: And what is that time frame?
MS. BURGESS: So it is approximately 19 minutes from the ignition on.
MR. BRENNAN: Okay. And do you know what time that is on the Lexus clock?
MS. BURGESS: Yes, I do.
MR. BRENNAN: With the court's permission?
JUDGE CANNONE: Yes.
MS. BURGESS: So that is going to be 12:31:43 — that is going to be the end of that TechStream event.
MR. BRENNAN: That TechStream event — by the way, when it captures data, what window of data does it capture when there's a TechStream event, or a triggering event?
MS. BURGESS: Sure. So when the trigger occurs it captures data 5 seconds before and 5 seconds after the trigger.
MR. BRENNAN: What if the event is less than 10 seconds?
MS. BURGESS: So if it's less than 10 seconds, it would capture the entire event. If it's more than 10 seconds, it would only capture a partial snapshot of that event.
MR. BRENNAN: And so when you talk about the data for the backing event, is that the 10-second window you're speaking of?
MS. BURGESS: Yes, that is that 10-second window.
MR. BRENNAN: Does that have anything to do with defining the length of the actual event?
MS. BURGESS: No, it does not.
MR. BRENNAN: Okay. When you looked at the time from the Lexus clock regarding that backing event, did you do an analysis of John O'Keefe's phone considering the variance that you identified?
MS. BURGESS: Yes, I did. So I applied the same variance to that second TechStream event.
MR. BRENNAN: When you apply that variance between the Lexus clock and Mr. O'Keefe's phone, what is the — could I turn to slide 43, please? What is the time of that event if we're referring to Mr. O'Keefe's phone?
MS. BURGESS: Sure. So the time of that event with the clock variance adjusted is between 12:32:04 and 12:32:12.
MR. BRENNAN: And do you have an opinion to a reasonable degree of scientific certainty as to the accuracy of that time from Mr. O'Keefe's phone considering the variance?
MS. BURGESS: Yes, I do.
MR. BRENNAN: And what is your opinion?
MS. BURGESS: And that the opinion is that the TechStream — the second TechStream event — ends between 12:32:04 and 12:32:12. When you say TechStream event, that's the 10-second window, correct?
MS. BURGESS: That's the 10-second window.
MR. BRENNAN: Does that necessarily include the entire event?
MS. BURGESS: No, it does not.
MR. BRENNAN: The graph on the bottom — what does that show us? It looks a little bit overwritten.
MS. BURGESS: Yeah. So that graph is a timeline representation of the TechStream event ending — being adjusted with the 12:32:04 to 12:32:12 — in comparison with the last lock event that is recorded by Mr. O'Keefe's phone at 12:32:09.
MR. BRENNAN: Your analysis relative to the data that you obtained from the SD card — is your analysis and opinions separate from the other information you looked at that corroborated or supported your analysis?
PARENTHETICAL: [Inaudible informal remarks — recess]
PARENTHETICAL: [Inaudible — court returning to session]
MS. BURGESS: Yes, they are.
MR. BRENNAN: I have no further questions.
JUDGE CANNONE: Lights, please. That's as good as they can be, huh? One's burnt out.
COURT OFFICER: All rise for the court, please. [unintelligible] follow me.
JUDGE CANNONE: You may be seated. Whenever you're ready, Mr. Alessi.