A lot of things stood out about this year’s Case of the Year, People v. Zumot in Palo Alto, Calif. Those things were enough to get the case featured in major mainstream news media, including Dateline NBC and ABC’s 20/20. For us, though, it was all about the networking that HTCIA was founded to promote.
The networking started when Palo Alto Police Det. Aaron Sunseri contacted Tracy Police Det. Kipp Loving, HTCIA Central Valley chapter president and a member of both the Sacramento Valley Hi Tech Crimes Task Force and the FBI’s Sacramento-based Cyber Crimes Task Force. Sunseri needed help analyzing the iPhone call detail records of a suspect and victim in a domestic violence homicide. Loving, who had trained Sunseri on cell phone evidence collection, had worked extensively with such records.
But Sunseri needed a level of expertise that Loving, with his own full-time caseload, couldn’t provide. Loving referred Sunseri to Jim Cook, a wireless telephony expert in Modesto who uses Microsoft MapPoint to help juries visualize mobile call details: what suspect and victim call patterns look like in the time leading up to, during and after the incident; where and how far they traveled in those times, based on the cell towers that managed their calls or text messages; and how those patterns relate to other evidence.
Even so, there was one piece of evidence that neither Sunseri nor Cook could access: deleted text messages. Although Sunseri had brought the iPhone to Jonathan Zdziarski, a New Hampshire-based iPhone expert who had developed a forensic iPhone imaging methodology, he needed someone in the Bay Area who could recover the data from the forensic images.
Neither the task force local to Palo Alto nor the FBI’s Regional Computer Forensics Lab (RCFL) could help. Meanwhile, James Eichbaum, then a detective with the Stanislaus County Sheriff’s Department and Cook’s fellow Central Valley HTCIA chapter officer, had been working with Loving to recover deleted iPhone text messages related to a homicide in Loving’s jurisdiction. Aware of that work, Cook referred Sunseri to Eichbaum.
“I had been analyzing the iPhone SMS database file to try and figure out how to find them in the deleted space on the phone,” says Eichbaum. “Once I figured it out, I recovered thousands on [Loving’s] homicide and then went to Guidance Software’s EnScript course to learn how to write my own script. I then used that script on the Palo Alto phones, which worked, and I recovered the 74 texts they were looking for, along with 39,000 others.”
From there, the text messages went back to Palo Alto, where Sunseri and his sergeant, Con Maloney, read each one, parsing them for content and sentiment. They also worked with Cook to establish which messages were sent from where, and what it all meant to the case. Together, using the messages and the call detail records, they were able to differentiate between messages that the victim herself had sent before her death, and those that her killer had sent in an effort to give himself an alibi. (This process is outlined in more detail in a Law Enforcement Technology article from May 2011.)
But the networking wasn’t just important as investigators built their case. It also came into play during trial preparation, as investigators presented their findings to Deputy DA Chuck Gillingham. “I give kudos to Chuck, who took all the information that Jim and Jon and I gave him, understood it quickly and asked the questions he needed to help the jury understand it,” says Eichbaum.
The investigators’ working relationships helped again when the defense called the evidence into doubt. As noted in Law Enforcement Technology:
Geragos also attacked Cook’s assertion that the phones had traveled together at all. To refute that, Eichbaum used GPS data from the mobile devices to verify Cook’s methodology and establish his credibility. “GPS data overlaid on a Google Map worked as a rebuttal to the defendant’s claims,” says Eichbaum.
Cook adds: “It was very satisfying to see the jury visualize, grasp and understand the truth in the data we presented. Our maps, call detail records, text messages and other forensic evidence corroborated everything that other witnesses had already testified to. We just helped the jurors put the puzzle pieces together in their own minds.”
Ultimately, says Eichbaum: “It took a lot of resources to get this job done. Everyone needed to steer each other in the right directions to get to the resources we needed.” He credits the connections made over the years via HTCIA, as well as via the training that he, Cook and Loving all provide law enforcement in their area and beyond.
Image: deBurca via Flickr