If you have been obsessed with true crime TV series or have watched police procedural shows, there’s a good chance you’ve seen dramatic depictions of a mobile forensic investigation. Usually we see an investigator examine the phone, then click a few buttons to retrieve the user’s text messages and call history, which instantly appear on the screen.
Yes, information retrieved from a mobile phone can offer crucial evidence. But the reality of obtaining that information is very different.
Let’s consider an actual murder case and some of the questions that need to be answered to solve it: What can a forensic examination recover from your mobile phone? How is it done? Can deleted data be recovered from a phone?
Bulos “Paul” Zumot, owner of a Palo Alto, California lounge, Da Hookah Spot, was charged with murdering his girlfriend, Jennifer Schipsi.
The couple’s home went up in gasoline-fueled flames in October 2009. After firefighters put out the blaze, investigators found Jennifer’s burned and strangled body inside. The police believed that Zumot killed Jennifer and then set their home on fire with her body inside.
Did Zumot think he could get away with “the perfect crime”?
Zumot kept insisting on his innocence till the end, shouting over and over again “I’m innocent” to convince a packed courtroom that he did not strangle his girlfriend and then set the fire.
So, what actually happened in Zumot’s case?
Both Jennifer and Zumot were heavy iPhone users. And those iPhones had more to say than either of them might have suspected. “The couple had two years of passionate breakups and makeups and a history of domestic abuse,” according to the police.
On October 15th, 2009, the couple were out with friends to celebrate Zumot’s 36th birthday. After dinner, he and Jennifer – according to testimony – left to go to the hookah lounge he owned. On the way they got into an argument. Jennifer ended up getting out of the car and walking home.
Zumot told the police that Jennifer sent him several angry text messages but that they made up.
However, after the argument their home burned down. The medical examiner concluded that Jennifer had been killed before the fire occurred.
Zumot denied killing Jennifer, saying that he didn’t have time to start the fire. He was too busy running between a weekly domestic violence prevention class and his hookah lounge that evening.
He did, however, acknowledge that while in class he deleted dozens of text messages that Jennifer had sent him the previous night and early morning, including messages in which she threatened to go to the police.
Jennifer’s iPhone 3GS was found in the center console of her car, which was parked in the driveway, and not with her body.
Behind the scenes:
Palo Alto Police officer Aaron Sunseri, the case detective, was able to retrieve live text messages from the logical extraction obtained using mobile forensic tools. Sunseri, however, had message transaction logs from service provider AT&T that showed thousands of messages back and forth from Jennifer’s iPhone, including 75 messages between her and Bulos on the night of her death. Those messages were not found in the mobile forensic reports and were presumed deleted.
Sunseri and his partner, Sergeant Con Maloney, realized that they needed help to try to recover the deleted messages.
Sunseri contacted Tracy Police Detective Kipp Loving, who had trained him on mobile phone evidence collection. Loving referred Sunseri to Jim Cook, a wireless telephone expert, who used the mobile phone records to map the location of Zumot’s and Schipsi’s phones on the day of the murder.
The mobile phone data showed that Zumot’s and Schipsi’s phones traveled together on the day of her death.
Even so, there was one piece of evidence that neither Sunseri nor Cook could access from either iPhone 3GS: the deleted text messages.
Loving referred Sunseri to officer James “Ike” Eichbaum, who had worked with Loving to recover deleted iPhone text messages in another homicide case. (Eichbaum is currently MSAB’s Global Training Manager. Prior to joining MSAB, he served 16 years with the Modesto Police Department and Stanislaus County Sheriff’s Office in California.)
Eichbaum used the same script he had developed for Loving’s case on the Bulos and Schipsi phones, and it worked.
“I was able to recover over 75,000 records from the unallocated space of Jennifer’s iPhone, including 74 of the 75 texts they were looking for, that the defendant allegedly deleted from the night of her murder,” Eichbaum said.
“From there, Sunseri and his partner, Maloney, read each text message. By using the messages and the call detail records, they were able to differentiate between messages that the victim herself had sent before her death, and those that Zumot had sent in an effort to give himself an alibi,” added Eichbaum.