By John Ahearne, Forensic Analyst When data is is needed for use as evidence, it…
Who: Law enforcement forensic examiners in Carrollton and Dallas, Texas, in cooperation with DriveSavers Digital Forensics Department in Novato, California.
What: Use of Cellebrite UFED Physical Analyzer to prove a murder suspect faked text messages from his victim.
Why: Without the evidence from the victim’s badly waterlogged phone, prosecutors couldn’t prove premeditated homicide.
Results: UFED Physical Analyzer helped establish that the victim had not recanted her rape accusation, and that her abuser lured her to her death.
The destruction of evidence has become an increasing problem for digital investigators, who are often faced with mobile phones that have been crushed under the wheels of vehicles, submerged in water, and even charred in accelerant-fueled blazes or explosions.
This kind of physical damage can compound the difficulties investigators experience in recovering evidence stored on the devices. Device data ports may be crushed, displays unreadable, memory chips corroded. In one such case, device damage was the only thing standing in investigators’ way as they sought to bring a child killer to justice.
Shania Gray was just 16 when she was shot to death in Carrollton, Texas in September 2012. Prosecutors believed that her killer, Franklin Davis, had lured her to her death. His motive: keep her from testifying that he had raped her.
Davis had thrown both her iPhone and his own into two separate ponds. Police had recovered both devices, reported a DallasNews.com article, but Davis’ device revealed text messages, which appeared to be from Shania. One contained an apparent confession that stated she had lied to police about his involvement in her rape.
Still, prosecutors believed there was more to it than that. The text messages tone and content were inconsistent with other messages Shania had sent, and although Davis’ phone showed that they had come from her number, her wireless carrier had no record of her number having sent them.
To prove their case, prosecutors needed her device. However, her iPhone was so badly waterlogged that neither state nor federal law enforcement forensic labs had been able to recover its data. Prosecutors desperately approached Apple, who referred them to a Novato (Calif.)-based rm, DriveSavers Data Recovery.
“When [Dallas County District Attorney] Brandon Birmingham first approached us, we didn’t know whether he was looking for data recovery, or a full forensic image,” said Bob Mehr, DriveSavers’ Legal Services Advisor. “But, based on the case details, I recommended the forensic image.”
The iPhone arrived disassembled in multiple pieces, owing to an earlier lab’s effort. “We thoroughly cleaned all the components and repaired the resistors/jumpers ,” said Rene Novoa, one of DriveSavers’ Forensic Project Managers. “Then we assembled the pieces and placed them into a known good housing. Once connected, the device vibrated, but we still couldn’t see an image on the screen.”
Novoa then turned to UFED Physical Analyzer to perform the extraction. “I was able to obtain a full image on the first attempt,” he said.
“Because it parsed the data so quickly, we didn’t have to carve data manually; we identified the key data based on the easy access Physical Analyzer gave us to the data categories, and we were able to provide [DA Birmingham] with response within forty-eight hours of receiving the phone.”
The next step was to make sure that the Carrollton Police Department had access to the latest version of UFED Physical Analyzer so that its examiners could read the data and validate the evidence. They could, and the investigators were able to parse the victim’s Facebook timeline along with the text messages.
They found that Davis was pretending to be a man named “D,” and had used phone calls, text and Facebook messages to contact Shania and gain her trust. The forensic image also definitively showed that Shania had not sent the text messages, and that the message that claimed she’d lied to police was a fake.
Prosecutors ultimately were able to show that Davis used an app called FakeSMS to send himself spoofed text messages, which appeared to come from Shania. That evidence and other data proved that the murder had been premeditated, not a reckless act as the killer claimed. This meant that the state could prosecute for a capital offense.
Following Davis’ sentence, Birmingham noted that Shania had “had a right to speak out about her abuse,” a right that Davis tried to deny her and that ultimately, investigators’ work with UFED Physical Analyzer gave her a voice.
Founded in 1999, Cellebrite is known for its technological breakthroughs in mobile forensics. Its Universal Forensic Extraction Device (UFED) is used internationally by law enforcement, military, intelligence, corporate security, and eDiscovery agencies to extract data from legacy and feature phones, smartphones, portable GPS, tablets and phones manufactured with Chinese chipsets.
DriveSavers works extensively with law enforcement agencies, attorneys, corporate legal, IT departments, HR departments and individuals to provide legally defensible investigations and reports.
DriveSavers delivers electronic discovery solutions that are legally defensible, repeatable and auditable. The company offers customized solutions to help control costs and manage the collection, processing, review and production of Electronically Stored Information.