Case Study

Unlocking Case-Changing Evidence

With the help of Cellebrite’s Unlock Service, the Southern Oregon High-Tech Crimes Task Force accesses a suspect’s iPhone after 20 months

As a former detective sergeant in Major Crimes and now Forensics Examiner with the Southern Oregon High-Tech Crimes Task Force, Colin Fagan has seen firsthand the degree to which digital evidence – or lack thereof – can impact a criminal case. Together with physical, toxicology and other case evidence, it has the power to change the course of investigations and prosecutions.

AgencySouthern Oregon High-Tech Crimes Task Force, Medford, OR

SolutionCellebrite Unlock Service

2 Cellebrite Case Study

Making the Case for Digital AccessIn March of 2015, Fagan and the Task Force were involved in an unusual investigation. A divorced woman arrived at a local hospital reporting that she believed she was drugged and sexually assaulted the evening prior by her ex-husband. Investigators responded and a sexual assault exam was conducted with samples sent to the crime lab for analysis. The victim indicated the two had been involved in a contentious custody battle, but her ex-husband had requested a meeting the night before to discuss a potential agreement to resolve their differences for the sake of their daughter.

The victim is a manager of a winery, which serves as her residence. She requested they meet there as an added measure of security. The suspect poured them both a glass of wine and they talked about their issues. The next morning, she awoke well past her alarm and without her clothing. Her iPhone – which he previously helped her set up fingerprint security on -- was on the floor of her room, not in its usual location. After scanning through its contents, she found a series of deleted MMS texts that included provocative pictures that had been sent from her phone to her ex-husband’s phone at 4:30 am. There were also deleted “sexting” texts indicating she had initiated a sexual encounter. Seeing all this, she contacted local law enforcement and subsequently submitted her phone to Forensics for further examination.

Corroborating the Victim’s Side of the Story“The pictures, SMS/MMS and location information we extracted corroborated the victim’s observations and concerns,” said Fagan. “Investigators located the suspect later that day and seized his phone, however he retained counsel and refused to provide the phone’s unlock code. We were ultimately unable to unlock the phone or find the suspect’s MacBook Pro with hopes of finding a valid pairing file. Despite knowing key details were locked in plain sight, we were stuck.”

As the investigation progressed, enough physical and biological evidence was collected to arrest the suspect and put him in jail. However, he continued to deny his ability to access her phone due to the fingerprint security he set up for her.

“The suspect was unwilling to entertain any negotiated plea offers,” said Fagan, “clearly confident that without his consent, any evidence on his phone would continue to be locked away and inaccessible to police. What he didn’t count on, was Cellebrite’s Unlock Service capabilities, which gave us the key that exposed critical evidence.”

“ In context with other evidence, the data from the iPhone was indisputable and compelling evidence that ed and carried out the crimes.”

3 Cellebrite Case Study

The Only Solution for Bypassing Current Device Encryption MethodsPart of Cellebrite’s Service offerings, the Unlock Service empowers forensics examiners to overcome sophisticated technological barriers on the latest mobile device platforms running iOS and Android.

“Sometimes you don’t know what you don’t know until you know it,” said Fagan. “This service proved game changing to our case, giving us the SMS/MMS, web search history, timeline and location data we needed to place the suspect at the scene, destroy his alibi, and show how he planned the crime. Cellebrite’s commitment to ongoing research ensures we can keep pace with new encryption methods and access the digital intelligence needed quickly to keep investigations moving forward.”

Access Previously Undiscoverable DataBacked by the largest dedicated research and development team in the industry, Cellebrite’s Service experts provide law enforcement agencies with forensically sound, early access to sensitive mobile digital intelligence. These services provide:

• Unlock capabilities for key Apple devices and physical extraction of data whilebypassing locks on key Samsung Galaxy devices

• First ever “decrypted physical extraction” capability for many iPhone devices,allowing forensics specialists and investigators to access a phone’s full file system to recover downloaded emails, third-party application data, geolocation data and system logs without needing to jailbreak the device

Cellebrite’s cutting-edge, exclusive services is designed to meet an agency’s digital forensics needs on a variety of levels. Whether to accelerate a time-sensitive, high profile case or clear the shelves of locked or encrypted mobile devices from cold cases, Unlock Service will help extract the previously inaccessible data and intelligence that can propel investigations forward.

“ Cellebrite is a valuable partner in our ongoing efforts to find justice for our victims.”

About Cellebrite

4 Cellebrite Case Study

Digital data plays an increasingly important role in investigations and operations of all kinds. Making data accessible, collaborative and actionable is what Cellebrite does best. As the global leader in digital intelligence with more than 60,000 licenses deployed in 150 countries, we provide law enforcement, military and intelligence, and enterprise customers with the most complete, industry-proven range of solutions for digital forensics, triage and analytics.

By enabling access, sharing and analysis of digital data from mobile devices, social media, cloud, computer and other sources, Cellebrite products, solutions, services and training help customers build the strongest cases quickly, even in the most complex situations. As a result, Cellebrite is the preferred one-stop shop for digital intelligence solutions that make a safer world more possible every day.To learn more, visit www.cellebrite.com

The Power of Indisputable ProofAll the evidence they were able to obtain from the suspect’s previously locked device helped bring the full weight of the facts to bear in this complex, disturbing case. According to Fagan, one of the most valuable items of evidence included proof that the suspect’s device was connected to the winery’s wireless router “Wi-Fi” connection from 0250 to 0530 on the morning of the incident as confirmed by its SSID and BSSID.

“In context with other evidence, the data from the iPhone was indisputable and compelling evidence that he was there and he planned and carried out the crimes,” said Fagan. “We knew if we could access it, his phone contained everything we needed to place him at the scene. Using the powerful search capabilities of UFED Physical Analyzer, I also found evidence that the suspect researched the effects of the powerful sleep aid Zolpidem tartrate (Ambien) that was detected in the victim’s wine glass reside and toxicology report. Combined with time-relevant chat communications about Ambien between the suspect and a friend, the suspect’s defense challenges were mounting.

Due to the success with this case, we are reviewing other cases to see if we have locked devices we can now unlock. Cellebrite is a valuable partner in our ongoing efforts to find justice for our victims.”

“ Sometimes you don’t know what you don’t know until you know it. This service proved game changing to our case, giving us the SMS/MMS, web search history, timeline and location data we needed to place the suspect at the scene, destroy his alibi, and show how he planned the crime. Cellebrite’s commitment to ongoing research ensures we can keep pace with new encryption methods and access the digital intelligence needed quickly to keep investigations moving forward.”

© 2017 Cellebrite Inc. All rights reserved. | v170725