Nicholas Guarino - Direct (Part 1)
MR. BRENNAN: May I call my next witness, please?
COURT CLERK: The Commonwealth calls Nicholas Guarino. Do you swear that the evidence you shall give the court and jury in this case shall be the truth, the whole truth, and nothing but the truth, so help you God?
MR. GUARINO: Thank you.
JUDGE CANNONE: You can — do you want to stand or sit, however you're most comfortable.
MR. GUARINO: Okay. Thank you, your honor.
JUDGE CANNONE: You may proceed.
MR. BRENNAN: Yes. Good afternoon.
MR. GUARINO: Good afternoon, sir.
MR. BRENNAN: Could you please introduce yourself to the jury?
MR. GUARINO: Yes. Uh, my name is Nicholas Guarino.
MR. BRENNAN: Mr. Guarino, where do you work?
MR. GUARINO: I work for the Massachusetts State Police at the Norfolk District Attorney's Office.
MR. BRENNAN: How long have you worked for the Massachusetts State Police?
MR. GUARINO: Uh, this is year 10 now.
MR. BRENNAN: How long have you been assigned to the District Attorney's Office?
MR. GUARINO: Uh, since November of 2019. So, uh, a little five-ish years. Six years.
MR. BRENNAN: I want to go backwards a little bit. Can you tell me a little bit about what you did before you began working for the Massachusetts State Police?
MR. GUARINO: Yes, sir. I was a Norwood police officer for almost 11 years.
MR. BRENNAN: So, how long have you been in law enforcement between being a Norwood police officer and a Massachusetts State Police officer?
MR. GUARINO: Uh, February of this year started my 20th year in law enforcement.
MR. BRENNAN: Did you go to school before you became a law enforcement officer?
MR. GUARINO: Yes, I went to Westfield State College — uh, Westfield State University.
MR. BRENNAN: Now, did you graduate?
MR. GUARINO: Yes, I did.
MR. BRENNAN: Can you remember what year you graduated?
MR. GUARINO: Yes, it was uh 2003.
MR. BRENNAN: Did you have a particular degree from Westfield State?
MR. GUARINO: Yes, I double majored. I got a major in criminal justice and mass communications.
MR. BRENNAN: When you began as a police officer with the Norwood Police Department, did you have to go into any type of specific training?
MR. GUARINO: Yes, I went to the uh police academy.
MR. BRENNAN: And how long is the police academy?
MR. GUARINO: Uh, six months, generally.
MR. BRENNAN: And briefly, what was taught at the academy?
MR. GUARINO: Uh, how to conduct investigations, uh, respond to calls, uh, they did a standard field sobriety testing week, uh, physical training, uh, Massachusetts law and criminal procedure.
MR. BRENNAN: When you began as a Norwood police officer, were you a patrol officer?
MR. GUARINO: Yes, I was.
MR. BRENNAN: And did you remain a patrol officer for the 10 or 11 years you were there?
MR. GUARINO: Yes. I was also uh part-time in the detail office.
MR. BRENNAN: But what does that mean?
MR. GUARINO: Uh, handling uh jobs when we're off, so uh filling details like road construction.
MR. BRENNAN: I'm sorry. When you left Norwood and began working with the Massachusetts State Police, um, based on your prior training, did you have to go through further training or were you ready to just begin?
MR. GUARINO: No, I had to go to the state police academy for six months.
MR. BRENNAN: After you got out of the state police academy, um, were you assigned to a barracks?
MR. GUARINO: Uh, yes, I was assigned to the South Boston barracks for my training. Uh, and then once my break-in training was done, I was assigned to the Holden barracks near Worcester.
MR. BRENNAN: At some point during your career with the Massachusetts State Police, did you start to receive any type of training in any specific field? I'm sorry. Did you receive any specialized training at the Massachusetts State Police after the academy?
MR. GUARINO: Uh, once I'd gone into the district attorney's office, yes.
MR. BRENNAN: And can you tell us a little bit about what type of specialized training you received when you were assigned to the Norfolk County District Attorney's Office?
MR. GUARINO: Yes. Uh, so I was hired by the District Attorney's Office. I do uh cell phone and computer forensics, as well as I'm a sexual assault investigator. Um, I had prior sexual assault investigator school done, and I went for uh digital forensics classes uh as part of my now daily duties.
MR. BRENNAN: In order to work with cell phone forensics, did you have any particular background in it at that point?
MR. GUARINO: I had taken some classes when I was at Norwood PD, but I didn't have any of the Cellebrite or AXIOM classes that I do now.
MR. BRENNAN: We'll talk about those in a minute so you can give a little more explanation. Did you ever receive a specific advanced degree in data forensics?
MR. GUARINO: No, I didn't.
MR. BRENNAN: Did you ever receive any specialized further degree, a master's in data forensics?
MR. GUARINO: No.
MR. BRENNAN: So, your training came while you were a Massachusetts State Police officer through the uh Massachusetts State Police?
MR. GUARINO: Yes, that's correct.
MR. BRENNAN: What type of courses did you take to learn about forensics?
MR. GUARINO: Uh, the first one I took was uh Cellebrite certified, uh, CCO — CCPA is their intro course — that teach you how to use the program and how to extract cell phones using the Cellebrite program.
MR. BRENNAN: There are a couple of words I want you to help us understand.
MR. GUARINO: Yes.
MR. BRENNAN: The first is an extraction. What is — as simple as you can — a cell phone extraction?
MR. GUARINO: Yes, uh, quite literally it is plugging the phone into specialized hardware or software and it pulls the data from that device to make a digital copy of it. So that way we can load it up later to look at it.
MR. BRENNAN: So when you extract the phone through a download, it basically mimics the content of the phone, but it's in a different shell. It's in a different form than inside the actual phone itself.
MR. GUARINO: Yes, exactly. That way we're not manipulating or changing any data while looking. Uh, because if we were to open the device, it would change data by going through the phone itself or computer.
MR. BRENNAN: Okay. When you plug it in, can you explain a little bit about what you're plugging it into?
MR. GUARINO: Yes. So, the main program and hardware that we use is GrayKey. It is again specialized software and hardware that once the phone's plugged into it, the software is able to extract the information if we have the passcode. If we don't have the passcode and the phone is supported, it's able to guess that passcode. Depending on how long — like for an iPhone, if you have a four-digit passcode, it could take months. If you have a six-digit, it could take up to 35 years.
MR. BRENNAN: So, does the phone have to be accessible to actually do that download through GrayKey? Do you have to be able to open the phone with the passcode?
MR. GUARINO: Uh, no. So, if we don't have the passcode and it's supported, it can guess the passcode without making the phone useless — after, say, for an iPhone, I believe it's 10 passcodes.
MR. BRENNAN: Is it a quicker process if you do have the passcode?
MR. GUARINO: Much — it would take hours to download the device depending on how much information is on it.
MR. BRENNAN: How do you ensure that the information that you extract from the actual device is accurate and the same when you're making a copy? How do you ensure the integrity of it?
MR. GUARINO: So, with GrayKey, it produces a progress report as it goes through its process. The only two fields that we can sort of amend in that PDF that it spits out is the ID number and then the investigator name. So after the data is pulled out, it creates a hash value which is like a digital fingerprint for that specific information. So if you had gone in to edit or change it, that digital fingerprint would change. It would change the big long string of numbers that it attaches to that file.
MR. BRENNAN: The digital fingerprint, is that the same thing you're referring to as the hash value?
MR. GUARINO: Yes, exactly.
MR. BRENNAN: And how do you ensure that the hash value of the product, the copy, is the same as what's on the phone?
MR. GUARINO: You can run the zip file that it creates with the information into a hash calculator and it will give the same hash as what is produced from the GrayKey PDF report. So if something had changed or there was an error with it, the hash would not be the same as what was given from the PDF. And that's how we would know that the data is not the same.
MR. BRENNAN: So if you download a phone and it has a hash value — this digital fingerprint — and then someone was to manipulate the phone and remove anything, even a period from that data, if it's run again will the hash value change?
MR. GUARINO: Yes, it would not be the same, because it will show — I'm sorry — even if it's just a period, yes, any alteration to that initial extraction, with that number it immediately would change.
MR. BRENNAN: So, if you have an item, a computer or a phone, and you put it through the GrayKey program, and you do an extraction, a copy, where do you store that copy of information? If it's not on the phone that you originally have, what do you do with it?
MR. GUARINO: So once the program pulls that information, we have to place it onto our secure server at the office, and we'll take any of the files that we're given via the extraction process, and it's saved there for us.
MR. BRENNAN: And so you copy it on another link or another digital file?
MR. GUARINO: Yes, we'll save it to the server at the district attorney's office.
MR. BRENNAN: Can it be put on a physical item like a zip drive or a hard drive?
MR. GUARINO: Yes.
MR. BRENNAN: If you put that download onto a zip drive or hard drive, how will you know if that information on the hard drive matches the same information you originally downloaded from the phone to the server through GrayKey?
MR. GUARINO: Again, like I said, you could run the hash value of that file again to correlate it with the PDF that we were given once GrayKey has given us the information. So that's how you would know all the information is the same, nothing has changed.
MR. BRENNAN: So, for example, if you download an iPhone and it has that digital fingerprint hash value attached to it and you make a copy or multiple copies, is the way to test whether or not those copies are exactly accurate is to look at the hash value of each copy?
MR. GUARINO: Yes. And copying the zip file would not change the hash value. The only way it would change is if you physically went into it and deleted information somehow.
MR. BRENNAN: So now that you have the item, say for example an iPhone, and you've downloaded it through GrayKey, which is hardware and software, and it's on a digital file, can you just open it up and start reading it like a report or a book, or do you have to do something else to it?
MR. GUARINO: No. Once it's pulled into that zip file, it has to be opened into another program. There are many forensic tools, but the ones at the office we use are Cellebrite or Magnet AXIOM. They're two brands. And then those programs make that information readable so we can actually look at it.
MR. BRENNAN: So if you were to download a forensic copy and you were to open it up without using that subsequent software, would you be able to read or see anything that's on that data?
MR. GUARINO: To be honest, I don't know because I've never opened one of those zip files.
MR. BRENNAN: Okay.
MR. GUARINO: To know what's actually in them.
MR. BRENNAN: After the extraction happens, after that copy is made, did you mention this further software you would use to be able to actually read the data?
MR. GUARINO: Yes. So, that's Cellebrite and Magnet AXIOM. They're two different programs, but those programs will make the information readable.
MR. BRENNAN: Are those the programs that you typically use?
MR. GUARINO: Yes, they are. And there are other programs out there, but those are the two that we normally use at the office.
MR. BRENNAN: Are they commonly used in the Massachusetts State Police?
MR. GUARINO: Yes, they are.
MR. BRENNAN: Are there other programs beyond Magnet AXIOM and Cellebrite that can be used to decipher the information so you can read it?
MR. GUARINO: Yes, there's many.
MR. BRENNAN: Okay. In your entire time with the Massachusetts State Police, have you used any other programs other than Magnet AXIOM or Cellebrite to look at cell phones?
MR. GUARINO: Yes. We have Sanderson forensic software that can look at databases that are in the phone to look at information. I don't normally use those because — I don't want to say — I'm probably not proficient enough that I would know this exactly means this, or I wouldn't want to confuse anything that I'm looking at.
MR. BRENNAN: When you look at the information after it's been through the extraction and then an analysis through the software, is the data still available if you want to look into the data from the zip file itself?
MR. GUARINO: Yes, yes. It's always available. Like I said, the data in the zip file that GrayKey gives us is never changed. It's just being loaded into another program so we can see it.
MR. BRENNAN: The software that you use, whether it's Cellebrite or Magnet AXIOM, does that do the work for you as a forensic examiner?
MR. GUARINO: Yes. So, as the program runs, I should say, it will bring up different tabs — phone calls, chats, photos, the databases — all different things that Cellebrite's software has run to pull this information out to make it easier for investigators to find what they're looking for.
MR. BRENNAN: Beyond the initial report that you can look at and look for the information if you wanted to as a data forensic examiner, could you look deeper beyond the production of those software programs?
MR. GUARINO: Yes, you could.
MR. BRENNAN: Forensic data analysis — when you look at these tools that provide these initial reports, is that the beginning or does it dig deeper when you're a digital forensic analyst?
MR. GUARINO: No. These reports are finding the low-hanging fruit in the proverbial tree. So, that's showing you the stuff that the program has set that most people are looking for. As I said, the phone calls, the chats. If you need to go deeper into it, as I said, there's other software out there where you can pull these databases and try to go through the code to find what you're looking for. Once you find something, you would have to corroborate it with other evidence or data to make sure what you're looking at is exactly what you're looking for.
MR. BRENNAN: Have you been involved in the download, extraction, and analyzing data on phones as your role with the Massachusetts State Police?
MR. GUARINO: Yes, that's my primary role.
MR. BRENNAN: What — in the DA's office currently? And how many years have you been in that role?
MR. GUARINO: Since November of 2019 — about 5 years now.
MR. BRENNAN: Have you worked on a number of different cases that involve forensic data?
MR. GUARINO: Yes, I have.
MR. BRENNAN: Is there a routine or a practice in your present role when you make a copy about what process you use and how you produce it in a case?
MR. GUARINO: I wouldn't say there's a normal process. It's all case dependent. A lot of cases we get, people want PDFs of the information, portable cases that we can create. So, it's basically the portable program that I'm using. That way, someone could find the information they're looking for. Or I give the raw information if requested.
MR. BRENNAN: What's the difference between PDF form and raw information?
MR. GUARINO: So, Cellebrite can create a PDF form of every bit of information in the phone. It could be like a 10,000-page PDF. It literally just lists everything that's in there. If I create a portable case, as I said, that is basically like me giving you the thumb drive and it's showing you exactly what I'm seeing and you can click on the tabs yourself from your own computer. And then if I give the raw file, that means someone has to go in and load it themselves to look for it.
MR. BRENNAN: Typically when you are producing evidence of discovery in a case, do you produce PDF or the raw file?
MR. GUARINO: As I said, it's all case dependent. Not all cases have forensic experts to come in to look at the information. So I'll supply whatever is requested. Normally the PDF or the portable case is what I give. But if more is requested, that's readily available.
MR. BRENNAN: And so the raw data — if requested — do you provide that as well?
MR. GUARINO: Yes, if requested.
MR. BRENNAN: In this case, were you involved in any type of forensic data extraction?
MR. GUARINO: Yes, I did the extractions of multiple phones and analyzed multiple phones.
MR. BRENNAN: In this case, you mentioned that there's a software and hardware, the GrayKey unit. Where's that located?
MR. GUARINO: That's located in the digital forensics laboratory, which is key card access and alarmed — excuse me — at the north DA's office.
MR. BRENNAN: Are there other cases — multiple cases that are occurring at the same time?
MR. GUARINO: Yes, we constantly have phones coming in and out and being worked on.
MR. BRENNAN: What if you have a phone and the GrayKey unit is being used? What do you need to do?
MR. GUARINO: We need to wait for that phone to finish. Because if we unplugged it, it would interrupt that data transfer and we could lose it. So we wait until the phone's done and then the next phone goes up.
MR. BRENNAN: Did you become involved in some way in this case?
MR. GUARINO: Downloading devices, sir.
MR. BRENNAN: Well, I'm asking generally. Yes?
MR. GUARINO: Sorry. Yes.
MR. BRENNAN: Were you involved in investigating this case as far as speaking to witnesses or going to the scene?
MR. GUARINO: No.
MR. BRENNAN: Can you describe the best you can what your role was relative to this case?
MR. GUARINO: Yes. So I was brought, as I said, phones from this case to have the data extracted and then have it ready in our Cellebrite program for the investigators to look at.
MR. BRENNAN: At some point were you provided a phone that you later identified as a phone belonging to Mr. John O'Keefe?
MR. GUARINO: Yes, I was.
MR. BRENNAN: Do you remember when you were provided that phone?
MR. GUARINO: Yes, it would be January 29th, 2022, about 7 to 7:30 p.m. that night.
MR. BRENNAN: Do you remember where you received that phone from?
MR. GUARINO: Yes. I was at the DA's office. I got it from Sgt. Bukhenik and Michael Proctor.
MR. BRENNAN: Do you remember about what time of night that was?
MR. GUARINO: As I said, about 7 to 7:30 p.m.
MR. BRENNAN: Thank you. When you received that phone, did you have the passcode?
MR. GUARINO: No, we didn't.
MR. BRENNAN: Without the passcode, what were your next steps?
MR. GUARINO: So the phone was placed in our digital forensics lab until we could get the passcode. I was told that a family member was going to be bringing it in so we could download the device.
MR. BRENNAN: Did you ultimately get that passcode?
MR. GUARINO: Yes, we did.
MR. BRENNAN: And do you remember when you received it?
MR. GUARINO: January 31st, 2022.
MR. BRENNAN: After you received the passcode for Mr. O'Keefe's phone, can you walk us through the process of what you did?
MR. GUARINO: Yep. So once the passcode's obtained, we'll unlock the phone and then plug it into GrayKey and then it's able to pull the full information from it without having to guess the passcode.
MR. BRENNAN: How long does that take?
MR. GUARINO: Again, depending on the size of the phone, a few hours.
MR. BRENNAN: After the information was downloaded, then what happened?
MR. GUARINO: We'd place it on our digital evidence server at the DA's office and then if the phone is evidence, it would go into evidence. If it was a consent, we'd give it back to the person who gave it to us immediately.
MR. BRENNAN: Did this phone go into evidence?
MR. GUARINO: Yes, it did.
MR. BRENNAN: When you downloaded the information through GrayKey, which you said was the hardware and software, does it produce a report with that digital imprint?
MR. GUARINO: Yes, it does. It produces a report from the time you plug it in to the process it completes, and then the amount of data, and then like I said that digital fingerprint hash value at the end.
MR. BRENNAN: And did you do that with this phone? [unintelligible] May I approach, your honor?
JUDGE CANNONE: Yes.
MR. BRENNAN: All right, I'm going to show you a document, sir.
MR. GUARINO: Okay. Sorry. Yes. Thank you.
JUDGE CANNONE: I'm sorry. Did you show it to Lally?
MR. BRENNAN: I'm sorry.
JUDGE CANNONE: Thank you.
MR. BRENNAN: Yes. I'm showing you a document. Could you look at both pages, please?
MR. GUARINO: Yeah. Okay.
MR. BRENNAN: Do you recognize that document?
MR. GUARINO: Yes. This is the —
MR. BRENNAN: A couple more if you don't mind. What is it?
MR. GUARINO: It's the GrayKey progress report that they give once the phone extractions are completed.
MR. BRENNAN: Do you recognize that as the report attributed to John O'Keefe's phone?
MR. GUARINO: Yes.
MR. BRENNAN: And does that document have that digital imprint, the digital fingerprint that you were talking about?
MR. GUARINO: Yes. So it's — yeah. So it's here on the back. I just want to see if it was in two places, but it would be here for the — sorry, it's cut off, but I put it up
MR. BRENNAN: — I'll ask you some questions.
MR. GUARINO: Okay.
MR. BRENNAN: I'd like to introduce this as an exhibit, please.
DEFENSE COUNSEL: No objection, your honor.
JUDGE CANNONE: Okay. Thank you. Eighteen, mark.
COURT CLERK: Sorry.
MR. BRENNAN: May I show that exhibit to the jury?
JUDGE CANNONE: Yeah.
MR. BRENNAN: May I approach the witness to show him the pointer?
JUDGE CANNONE: Yes.
MR. BRENNAN: On this top button will be the pointer. The middle button will change the screen.
MR. GUARINO: Okay.
MR. BRENNAN: Can you walk us through what this report means?
MR. GUARINO: Yep. So here at the top — there it is. Again, it says GrayKey progress report, and then it gives the report generation date and time, and it is in UTC, which is — I'll get the exact definition — Universal Time Coordinates, I believe. So you'd have to minus 4 or 5 hours depending on daylight saving time. So this one would have been January — it's minus 5 — 1610 will be [unintelligible] for the actual time on the 31st. As we go down, device name is Johnny. The software version is the Apple iOS that was running at the time, the model number iPhone 11, and then if you were to look up the N104 AP — is also a model number. The unique device ID.
MR. GUARINO: This one is what GrayKey assigns to the zip file that it creates, serial number of the phone, the unique chip ID, the Wi-Fi address, the Bluetooth address, and then the phone number. And then there's more information underneath.
MR. BRENNAN: Could we scroll that please?
MR. GUARINO: Thank you. This here is the IMEI, which is the International Mobile Equipment Identifier. It's not uncommon now to have multiple of those identifying numbers. The data partition size of the device, which is — excuse me — 83 GB. The lock state — if the phone was locked, it would say locked. This one is unlocked because we had the passcode. This was the GrayKey agent version for the software. And then this is the last time that the phone was backed up via iTunes or iCloud. This is the owner's name. You can have anything in this, but his phone had John O'Keefe as the iPhone owner name, and then the different accounts attributed to the phone.
MR. BRENNAN: Okay. Can you show us where the digital fingerprint is?
MR. GUARINO: Yep. It's down. So the top part here is literally every time it — when it's plugged in to every process that it completes until the progress report is generated. Here, there's the full file system that was created on this date and time, and then even though the partition size was 82 GB, it actually pulled 125 gigabytes of data. Underneath this, if you — on the next page — is that unique fingerprint right here. So it has two: a SHA-256 and an MD5. They're just two versions of hashing to show that the file — they're unique fingerprints and that's what these numbers are here. So there's one for the image of the extraction and then one for the keychain for the other documents that GrayKey creates.
MR. BRENNAN: And you mentioned that if anything has changed — even the period — that number and letter sequence will change as well.
MR. GUARINO: Yes, that's exactly right.
MR. BRENNAN: Did you have an opportunity to download and extract any other phones?
MR. GUARINO: Yes.
MR. BRENNAN: At some point, did you have an opportunity to download and extract a phone from the defendant?
MR. GUARINO: Yes, I did.
MR. BRENNAN: Do you remember when you received that phone?
MR. GUARINO: I got the phone the same time as I got Mr. O'Keefe's phone, on the 29th, around 7 to 7:30 at night.
MR. BRENNAN: And so you received both phones at the same time?
MR. GUARINO: Yes. From the same people.
MR. BRENNAN: Correct. Sgt. Bukhenik?
MR. GUARINO: Yes.
MR. BRENNAN: Trooper Proctor?
MR. GUARINO: Yes.
MR. BRENNAN: What did you do with that phone?
MR. GUARINO: Again, that was brought down to the digital forensics lab for holding until we could get into it, or warrant was written, or whatever legal process was going to be done so we could get that information.
MR. BRENNAN: Do you secure it?
MR. GUARINO: Yes, that room is locked with key card access that only myself and two others have. And it's also alarmed.
MR. BRENNAN: Do the case officers or investigators that aren't part of your unit have access to those items?
MR. GUARINO: No, the only ones that had access were myself, Trooper Connor Keefe, and then the director Samantha Vote. She's a civilian that runs our lab.
MR. BRENNAN: Okay. And at that point — were you able, after there was process, were you able to get into the phone at first?
MR. GUARINO: No, it wasn't supported by GrayKey, the phone model and number.
MR. BRENNAN: What do you mean it wasn't supported?
MR. GUARINO: So the software, even if we had a search warrant, we plugged it in, GrayKey wouldn't be able to recognize it because it just wasn't supported at that time.
MR. BRENNAN: When you say it wasn't supported, did this have anything to do with a passcode — well, for both?
MR. GUARINO: So we didn't have the passcode. So because we didn't have it, it wasn't supported for us to download that information from the device.
MR. BRENNAN: If you had a passcode, would it have been supported?
MR. GUARINO: Yes, it would have been.
MR. BRENNAN: So is there a process when you have a phone that you don't have a passcode for to be able to access the content of the phone?
MR. GUARINO: Yes, that's correct. We have to wait until we either have the passcode or the software and hardware is supported for the device where it can try to guess the passcode.
MR. BRENNAN: So let me ask you some questions about software in forensic data analysis. Does software change frequently, constantly?
MR. GUARINO: Yes.
MR. BRENNAN: When the software changes, does it advance? Does the software get better?
MR. GUARINO: Yes, it does.
MR. BRENNAN: At the time you first had the defendant's phone, the software you had was unable to access the contents.
MR. GUARINO: That is correct.
MR. BRENNAN: What do you do? Do you look for other software or do you wait for updates? What's the process?
MR. GUARINO: If there is another software out there, we will use it to try to get the information. If not, we are at the mercy of waiting for the developers to come up with the information for us.
MR. BRENNAN: Did you wait in this case?
MR. GUARINO: Yes, we did. We had to wait.
MR. BRENNAN: Ultimately, did software advance so that without a passcode you were able to access?
MR. GUARINO: Yes.
MR. BRENNAN: How long did you have to wait before you were able to access?
MR. GUARINO: I believe it was July of 2022 that the software had been upgraded enough that it was able to brute force or guess her passcode for the device.
DEFENSE: Objection.
MR. BRENNAN: Your Honor, may we approach, please. Thank you. Did you use software ultimately to open the defendant's phone?
MR. BRENNAN: And where does the device remain until you're ready to try again?
MR. GUARINO: In that locked digital forensics lab.
MR. BRENNAN: So when the software updates and advances, do you know that it will be successful, or you plug it in and you try?
MR. GUARINO: No. So on GrayKey they have a link where you can click and it brings up a whole matrix. So it shows every make and model of phone and then the software associated with it, and it says it can do a partial download, a full download, a password guess, and it tells us. So when there's a new update, we'll check that to make sure that the devices we have can be accessed.
MR. BRENNAN: Did you make an attempt to have the software access the phone without a passcode?
MR. GUARINO: Yes.
MR. BRENNAN: And how many times did you download?
MR. GUARINO: So there were two downloads. One — uh, one of the partial part of the phone, and then — in the same time that we had it plugged in, we had the password brute force guess software installed onto the phone to try to guess the passcode. So there were two downloads, one with very limited data and then one with the full file system extraction, which is everything on the phone that I can get.
MR. BRENNAN: May I approach?
JUDGE CANNONE: Yes.
MR. BRENNAN: I'm going to show you two documents. [unintelligible] — going to show you two documents. [unintelligible] The first one — do you recognize that document?
MR. GUARINO: Yes, I do.
MR. BRENNAN: Is that a result summary from GrayKey for a search of the defendant's phone?
MR. GUARINO: This is the initial extraction that we created before the password guess process went through.
MR. BRENNAN: I'd like to introduce this as the next exhibit, please.
MR. ALESSI: No objection, your honor.
JUDGE CANNONE: That's the original?
MR. GUARINO: Yes, this is the first one.
JUDGE CANNONE: Thank you. Exhibit 19.
MR. BRENNAN: I showed you a second document. Do you recognize that?
MR. GUARINO: Yes. This is essentially the same information except it goes further — all the password guess attempts — until we actually get all of the information from the phone.
MR. BRENNAN: I'd like to introduce this as the next exhibit, please.
MR. ALESSI: No objection, your honor.
JUDGE CANNONE: Exhibit 20.
MR. BRENNAN: Could I have the previous exhibit as well, please? Sir, I'm handing you back Exhibit 19, which was the partial download.
MR. GUARINO: Okay.
MR. BRENNAN: Exhibit 20, which was a subsequent download. You mentioned hash values change with the content of each download.
MR. GUARINO: Yes.
MR. BRENNAN: Are there hash values specifically assigned to each download?
MR. GUARINO: Yes, there is.
MR. BRENNAN: Are there the same number of digits in the digital fingerprint?
MR. GUARINO: No, they're not.
MR. BRENNAN: And explain again why they would be different.
MR. GUARINO: Again, the first one was the partial. It was only 45 gigabytes of data, so it has one number. The second download was 109 GB of data once it got the passcode. And again, that number is completely different. And again, like I said, the information is not the same, so the hash values won't be the same.
MR. BRENNAN: Were there two other phones that you ultimately analyzed?
MR. GUARINO: Yes, there were.
MR. BRENNAN: Let's start with the first one. Did you have an opportunity to create a file on a phone that came from Kerry Roberts?
MR. GUARINO: Yes, I did.
MR. BRENNAN: Now, you said it's a two-step process. First is the extraction, the copying, and then it's creating the file.
MR. GUARINO: That's exactly right.
MR. BRENNAN: With Kerry Roberts' phone, did you make the extraction? Did you plug it into the GrayKey?
MR. GUARINO: No, I didn't.
MR. BRENNAN: Who did?
MR. GUARINO: Trooper Connor Keefe. He went to meet with Kerry Roberts, received the device from her. He brought it back to the office and did the extraction. His name is also on the extraction GrayKey progress reports as well, and he wrote two state police reports regarding it.
MR. BRENNAN: How do you know what Trooper Connor Keefe did?
MR. GUARINO: Yes — I'm sorry. Yes, we do essentially the same job working together.
MR. BRENNAN: So he's in your unit?
MR. GUARINO: Yes, he is in the digital forensic unit. That's correct.
MR. BRENNAN: That phone — did it come with any paperwork, any forms?
MR. GUARINO: Yes, he had two signed waivers of consent from both parties, one for each device.
MR. BRENNAN: And so as far as the copying, the extraction — you did not do the extraction on Kerry Roberts' phone?
MR. GUARINO: No, I did not.
MR. BRENNAN: After it was plugged in and a copy was made, did you then access it?
MR. GUARINO: Months down the road.
MR. BRENNAN: Were you assigned at that point to analyze or look at any of the data on that phone?
MR. GUARINO: Initially, no.
MR. BRENNAN: At some point, did you create a file so that you could provide it to the parties?
MR. GUARINO: Yes, I did.
MR. BRENNAN: Was that upon request?
MR. GUARINO: Yes, it was.
MR. BRENNAN: And separately — let me ask it a different way. Was a phone from Jennifer McCabe extracted?
MR. GUARINO: Yes, it was.
MR. BRENNAN: Did you do the extraction?
MR. GUARINO: No, I did not.
MR. BRENNAN: Was the information, after being extracted, again provided to a digital file?
MR. GUARINO: It would have been. Yes.
MR. BRENNAN: Did you at some point later make a copy to provide to the parties?
MR. GUARINO: Yes, I did.
MR. BRENNAN: Can you tell us what a UFED reader is?
MR. GUARINO: So the UFED reader is a portable case that I can create through Cellebrite. Like I said, it's the exact same program that I would be viewing if I was sitting at my desktop, and it can be made into a thumb drive to give to defense, prosecution, investigators, whoever. And there's no chance for the data to be manipulated because it's just a reader.
MR. BRENNAN: When you have the digital file that's been extracted and then created into a PDF or form that can be read, can you print the entire file on paper if you'd like?
MR. GUARINO: Yes, you could.
MR. BRENNAN: Could you print it so it includes the entire content of the phone?
MR. GUARINO: Yes. It'd be thousands of pages, but yes, you could.
MR. BRENNAN: Is there any way to isolate particular things of interest that you might want? For example, if you wanted just the chats between two people, is there a way that you could have a program isolate just those chats and then give you all of them in a form that you could read?
MR. GUARINO: Yes. So you can go in and cherry-pick whatever information you're looking for to create into PDFs or other — it gives five, I think, different mediums you can have it output: HTML, portable cases, XML files.
MR. BRENNAN: If you wanted to create a document that had a number of people in communications, could you do that as well?
MR. GUARINO: Yes, you could.
MR. BRENNAN: So you can pretty much set the parameters how you want if you want to search for particular items.
MR. GUARINO: Yes, it's very generous that way — being able to search for keywords, phone numbers, whatever it is. And then you can export that out into a PDF so you can print it.
JUDGE CANNONE: One moment.
MR. BRENNAN: Okay. Did you go through the program and create a number of documents that isolated specific information that you wanted?
MR. GUARINO: Yes.
MR. BRENNAN: For example, did you go through and create a report for all of John O'Keefe's calls for a period of time?
MR. GUARINO: Yes, I did.
MR. BRENNAN: Did you go through the program and create a report for all of the calls between John O'Keefe and the defendant for a period of time?
MR. GUARINO: Yes, I did.
MR. BRENNAN: Did you go through the program and create a specific document that would show just the text messages between John O'Keefe and the defendant?
MR. GUARINO: Yes, I did.
MR. BRENNAN: And did you go through the phone and create specific separate documents for communications, phone calls, and text messages between Mr. O'Keefe and other people, not the defendant?
MR. GUARINO: Yes.
MR. BRENNAN: For example, Miss Roberts?
MR. GUARINO: Yes, that's correct.
MR. BRENNAN: Miss McCabe?
MR. GUARINO: Yep.
MR. BRENNAN: Did you go through any of the phones and create documents to show any text or conversation between parties not involving John O'Keefe?
MR. GUARINO: If directed, I could, but I don't believe I did.
MR. BRENNAN: When you took on the task of creating these documents, was it something you did on your own or something that you would wait for a request from a prosecutor or another officer?
MR. GUARINO: I would wait for a request. Again, my knowledge of most of the cases is very limited. So if they're looking for something specific, I can assist them. If they need some type of help, I can assist them, but normally I will open it up for them and they have a better knowledge of the case, so they know what they're going to be looking for. Everyone in our office is Cellebrite trained. Or if someone new comes in, that's the first thing they'll go to is Cellebrite training, so they know how to use this program, and it doesn't put the burden on myself and Trooper Keefe to try to find everything for every case.
MR. BRENNAN: Thank you, John. At this time, I'd like to conclude this witness's testimony, to be recalled again.
JUDGE CANNONE: You're in agreement with that, Mr. Alessi?
MR. ALESSI: We are, your honor. Subject to the recall.
JUDGE CANNONE: Okay. All right, Trooper. You're all set.
MR. GUARINO: Thank you, Your Honor.
JUDGE CANNONE: We'll see you again.
MR. GUARINO: Should I—
JUDGE CANNONE: You could just leave it right there. Thank you.