CASE STUDYCase Snapshot

“

Rene Novoa

Forensic Project ManagerDriveSavers Digital Forensics Department

“Who: Law enforcement forensic examiners in Carrollton and Dallas, Texas, in cooperation with DriveSavers Digital Forensics Department in Novato, California.

What: Use of Cellebrite UFED Physical Analyzer to prove a murder suspect faked text messages from his victim.

Why: Without the evidence from the victim’s badly waterlogged phone, prosecutors couldn’t prove premeditated homicide.

Results: UFED Physical Analyzer helped establish that the victim had not recanted her rape accusation, and that her abuser lured her to her death.

With UFED Physical Analyzer, investigative team helps prove a case for capital murder

had sent, and although Davis’ phone showed

that they had come from her number, her

wireless carrier had no record of her number

having sent them.

To prove their case, prosecutors needed her

device. However, her iPhone was so badly

waterlogged that neither state nor federal law

enforcement forensic labs had been able to

recover its data. Prosecutors desperately

approached Apple, who referred them to a

Novato (Calif.)-based �rm, DriveSavers Data

Recovery.

“When [Dallas County District Attorney]

Brandon Birmingham �rst approached us, we

didn’t know whether he was looking for data

recovery, or a full forensic image,” said Bob

Mehr, DriveSavers’ Legal Services Advisor.

“But, based on the case details, I

recommended the forensic image.”

The iPhone arrived disassembled in multiple

pieces, owing to an earlier lab’s effort. “We

thoroughly cleaned all the components and

repaired the resistors/jumpers ,” said Rene

Novoa, one of DriveSavers’ Forensic Project

Managers. “Then we assembled the pieces

and placed them into a known good housing.

Once connected, the device vibrated, but we

still couldn’t see an image on the screen.”

Novoa then turned to UFED Physical Analyzer

to perform the extraction. “I was able to obtain

a full image on the �rst attempt,” he said.

Because it parsed the data so quickly...we identi�ed the key data based on the easy access Physical Analyzer gave us to the data categories, and we were able to provide...with response within forty-eight hours of receiving the phone

The destruction of evidence has become an

increasing problem for digital investigators,

who are often faced with mobile phones that

have been crushed under the wheels of

vehicles, submerged in water, and even

charred in accelerant-fueled blazes or

explosions.

This kind of physical damage can compound

the dif�culties investigators experience in

recovering evidence stored on the devices.

Device data ports may be crushed, displays

unreadable, memory chips corroded. In one

such case, device damage was the only thing

standing in investigators’ way as they sought

to bring a child killer to justice.

Shania Gray was just 16 when she was shot to

death in Carrollton, Texas in September 2012.

Prosecutors believed that her killer, Franklin

Davis, had lured her to her death. His motive:

keep her from testifying that he had raped her.

Davis had thrown both her iPhone and his own

into two separate ponds. Police had recovered

both devices, reported a DallasNews.com

article, but Davis’ device revealed text

messages, which appeared to be from Shania.

One contained an apparent confession that

stated she had lied to police about his

involvement in her rape.

Still, prosecutors believed there was more to it

than that. The text messages tone and content

were inconsistent with other messages Shania

DecodingExtraction Analysis Reporting

“Because it parsed the data so quickly, we

didn’t have to carve data manually; we

identi�ed the key data based on the easy

access Physical Analyzer gave us to the data

categories, and we were able to provide [DA

Birmingham] with response within forty-eight

hours of receiving the phone.”

The next step was to make sure that the

Carrollton Police Department had access to

the latest version of UFED Physical Analyzer

so that its examiners could read the data and

validate the evidence. They could, and the

investigators were able to parse the victim’s

Facebook timeline along with the text

messages.

They found that Davis was pretending to be a

man named “D,” and had used phone calls,

text and Facebook messages to contact

Shania and gain her trust. The forensic image

also de�nitively showed that Shania had not

sent the text messages, and that the message

that claimed she’d lied to police was a fake.

About Cellebrite

About DriveSavers

Founded in 1999, Cellebrite is known for its technological breakthroughs in mobile forensics. Its Universal Forensic Extraction Device (UFED) is used internationally by law enforcement, military, intelligence, corporate security, and eDiscovery agencies to extract data from legacy and feature phones, smartphones, portable GPS, tablets and phones manufactured with Chinese chipsets.

www.cellebrite.comsales@cellebrite.com

Prosecutors ultimately were able to show that

Davis used an app called FakeSMS to send

himself spoofed text messages, which

appeared to come from Shania. That evidence

and other data proved that the murder had

been premeditated, not a reckless act as the

killer claimed. This meant that the state could

prosecute for a capital offense.

Following Davis’ sentence, Birmingham noted

that Shania had “had a right to speak out

about her abuse,” a right that Davis tried to

deny her and that ultimately, investigators’

work with UFED Physical Analyzer gave her a

voice.

DecodingExtraction Analysis Reporting

DriveSavers works extensively with law enforcement agencies, attorneys, corporate legal, IT departments, HR departments and individuals to provide legally defensible investigations and reports.

DriveSavers delivers electronic discovery solutions that are legally defensible, repeatable and auditable. The company offers customized solutions to help control costs and manage the collection, processing, review and production of Electronically Stored Information.

DriveSavers, Inc.400 Bel Marin Keys Blvd. | Novato, CA 94949 | 800-440-1904 | 415-382-2000 | www.drivesavers.com

CORPORATECellebrite Ltd.94 Em Hamoshavot St.

Petah Tikva 49130

Israel

Tel: +972 3 926 0900

Fax: +972 3 924 7104

USACellebrite USA Inc.7 Campus Dr. Suite 210

Parsippany, NJ 07054

USA

Tel: +1 201 848 8552

Fax: +1 201 848 9982

GERMANYCellebrite GmbHAm Hoppenhof 32 a,

33104, Paderborn

Germany

Tel: +49 52 51 54 64 90

Fax: +49 52 51 54 64 9 49

APACCellebrite APAC PTE Ltd150 Beach Road

#08-05 Gateway West

Singapore 189720

Tel: +65 6438 6240

Fax: +65 6438 6280

LATAMCellebrite Ltda.Rua Quintana, 887, 3 andar, Cj. 31

Brooklin

São Paulo, SP

Brazil CEP 04569-011

Tel: +55 11 5505-3803