If you have been obsessed with true crime TV series or have watched police procedural shows, there’s a good chance you’ve seen dramatic depictions of a mobile forensic investigation. Usually we see an investigator examining the phone then clicking some buttons in order to get the user’s text messages and call history, which instantly appear on the screen.

Yes, information retrieved from a mobile phone can offer crucial evidence. But the reality of obtaining that information is very different.

Let’s consider an actual murder case and some of the questions that need to be answered to solve it:  What can a forensic examination recover from your mobile phone? How is it done? Can deleted data be recovered from a phone?

The case:

Bulos “Paul” Zumot, owner of a Palo Alto, California lounge, Da Hookah Spot, was charged with murdering his girlfriend, Jennifer Schipsi.

The couple’s home went up in gasoline-fueled flames in October 2009.  After firefighters put out the blaze, investigators found Jennifer’s burned and strangled body inside. The police believed that Zumot killed Jennifer and then set their home on fire with her body inside.

Did Zumot think he could get away with “the perfect crime?”

Zumot kept insisting on his innocence till the end, shouting over and over again “I’m innocent” to convince a packed courtroom that he did not strangle his girlfriend and then set the fire.

So, what actually happened in Zumot’s case?

Both Jennifer and Zumot were heavy iPhone users. And those iPhones had more to say than either of them might have suspected. “The couple had two years of passionate breakups and makeups and a history of domestic abuse,” according to the police.

On October 15th, 2009, the couple were out with friends to celebrate Zumot’s 36th birthday. After dinner, he and Jennifer – according to testimony – left to go to the hookah lounge he owned. On the way they got into an argument. Jennifer ended up getting out of the car and walking home.

Zumot told the police that Jennifer sent him several angry text messages but that they made up.

However, after the argument their home burned down. The medical examiner concluded that Jennifer had been killed before the fire occurred.

Zumot denied killing Jennifer, saying that he didn’t have time to start the fire. He was too busy, running between a weekly domestic violence prevention class and his hookah lounge that evening.

He did, however, acknowledge that while in class he deleted dozens of text messages that Jennifer had sent him the previous night and early morning, including messages in which she threatened to go to the police.

Jennifer’s iPhone 3GS was found in the center console of her car which was parked in the driveway and not with her body.

Behind the scene:

Palo Alto Police officer  Aaron Sunseri, the case detective, was  able to retrieve live text messages from the logical extraction obtained using mobile forensic tools. Sunseri, however, had message transaction logs from service provider AT&T that showed thousands of messages back and forth from Jennifer’s iPhone, including 75 messages between her and Bulos on the night of her death. Those messages were not found in the mobile forensic reports and were presumed deleted.

Sunseri and his partner, Sergeant Con Maloney, realized that they needed help to try to recover the deleted messages.

Sunseri contacted Tracy Police Detective Kipp Loving, who had trained him on mobile phone evidence collection, but Loving referred Sunseri to Jim Cook, a wireless telephone expert, who used the mobile phone records to map the location of Zumot’s and Schipsi’s phones on the day of the murder.

The mobile phone data showed Zumot and Schipsi’s phones traveled together on the day of her death.

Even so, there was one piece of evidence that neither Sunseri nor Cook could access from both iPhone 3GSs: the deleted text messages.

Loving referred Sunseri to officer James “Ike” Eichbaum, who had worked with Loving to recover deleted iPhone text messages in another homicide case. (Eichbaum is currently MSAB’s Global Training Manager. Prior to joining MSAB, he served 16 years with the Modesto Police Department and Stanislaus County Sheriff’s Office in California.)

Eichbaum used the same script he had developed for Loving’s case on the Butos and Schipsi phones and it worked.

“I was able to recover over 75,000 records from the unallocated space of Jennifer’s iPhone, including 74 of the 75 texts they were looking for, that the defendant allegedly deleted from the night of her murder,” Eichbaum said.

“From there, Sunseri and his partner Maloney, read each text message. By using the messages and the call detail records, they were able to differentiate between messages that the victim herself had sent before her death, and those that Zumot had sent in an effort to give himself an alibi,” added Eichbaum.

If you have been obsessed with true crime TV series or have watched police procedural shows, there’s a good chance you’ve seen dramatic depictions of a mobile forensic investigation. Usually we see an investigator examining the phone then clicking some buttons in order to get the user’s text messages and call history, which instantly appear on the screen.

Yes, information retrieved from a mobile phone can offer crucial evidence. But the reality of obtaining that information is very different.

Let’s consider an actual murder case and some of the questions that need to be answered to solve it:  What can a forensic examination recover from your mobile phone? How is it done? Can deleted data be recovered from a phone?

The case:

Bulos “Paul” Zumot, owner of a Palo Alto, California lounge, Da Hookah Spot, was charged with murdering his girlfriend, Jennifer Schipsi.

The couple’s home went up in gasoline-fueled flames in October 2009.  After firefighters put out the blaze, investigators found Jennifer’s burned and strangled body inside. The police believed that Zumot killed Jennifer and then set their home on fire with her body inside.

Did Zumot think he could get away with “the perfect crime?”

Zumot kept insisting on his innocence till the end, shouting over and over again “I’m innocent” to convince a packed courtroom that he did not strangle his girlfriend and then set the fire.

So, what actually happened in Zumot’s case?

Both Jennifer and Zumot were heavy iPhone users. And those iPhones had more to say than either of them might have suspected. “The couple had two years of passionate breakups and makeups and a history of domestic abuse,” according to the police.

On October 15th, 2009, the couple were out with friends to celebrate Zumot’s 36th birthday. After dinner, he and Jennifer – according to testimony – left to go to the hookah lounge he owned. On the way they got into an argument. Jennifer ended up getting out of the car and walking home.

Zumot told the police that Jennifer sent him several angry text messages but that they made up.

However, after the argument their home burned down. The medical examiner concluded that Jennifer had been killed before the fire occurred.

Zumot denied killing Jennifer, saying that he didn’t have time to start the fire. He was too busy, running between a weekly domestic violence prevention class and his hookah lounge that evening.

He did, however, acknowledge that while in class he deleted dozens of text messages that Jennifer had sent him the previous night and early morning, including messages in which she threatened to go to the police.

Jennifer’s iPhone 3GS was found in the center console of her car which was parked in the driveway and not with her body.

Behind the scene:

Palo Alto Police officer  Aaron Sunseri, the case detective, was  able to retrieve live text messages from the logical extraction obtained using mobile forensic tools. Sunseri, however, had message transaction logs from service provider AT&T that showed thousands of messages back and forth from Jennifer’s iPhone, including 75 messages between her and Bulos on the night of her death. Those messages were not found in the mobile forensic reports and were presumed deleted.

Sunseri and his partner, Sergeant Con Maloney, realized that they needed help to try to recover the deleted messages.

Sunseri contacted Tracy Police Detective Kipp Loving, who had trained him on mobile phone evidence collection, but Loving referred Sunseri to Jim Cook, a wireless telephone expert, who used the mobile phone records to map the location of Zumot’s and Schipsi’s phones on the day of the murder.

The mobile phone data showed Zumot and Schipsi’s phones traveled together on the day of her death.

Even so, there was one piece of evidence that neither Sunseri nor Cook could access from both iPhone 3GSs: the deleted text messages.

Loving referred Sunseri to officer James “Ike” Eichbaum, who had worked with Loving to recover deleted iPhone text messages in another homicide case. (Eichbaum is currently MSAB’s Global Training Manager. Prior to joining MSAB, he served 16 years with the Modesto Police Department and Stanislaus County Sheriff’s Office in California.)

Eichbaum used the same script he had developed for Loving’s case on the Butos and Schipsi phones and it worked.

“I was able to recover over 75,000 records from the unallocated space of Jennifer’s iPhone, including 74 of the 75 texts they were looking for, that the defendant allegedly deleted from the night of her murder,” Eichbaum said.

“From there, Sunseri and his partner Maloney, read each text message. By using the messages and the call detail records, they were able to differentiate between messages that the victim herself had sent before her death, and those that Zumot had sent in an effort to give himself an alibi,” added Eichbaum.

From left, Duncan Monkhouse HTCIA President 2011, James Eichbaum, Jim Cook, Aaron Sunseri, and Con Maloney.

The real scenario:

The data obtained from the mobile phones was critical in enabling the jury to visualize and understand the truth in this case.

“After the argument between the couple, a heated text battle ensued throughout the night where Jennifer told Zumot that the relationship was over and that he would need a lawyer and that he was going to have to pay her a lot of money he owed her and to pay for items he had destroyed,” said Eichbaum.

“You are nothing but a selfish, cold-hearted ungrateful human being scam artist liar,” Jennifer wrote in one of the messages.

“U turned part of my heart black,” she also wrote in another message. “Stay the f*** away so I can regain my happiness and satisfaction.”

Zumot returned home at around 2:00 a.m., texting Jennifer to let him in. She threatened to call the police if he didn’t go away. Zumot ended up in the house, where he eventually strangled Jennifer to death. The next day, he went to his court-ordered domestic violence class in San Jose. On the way back, he bought a can of gasoline, then went to the home, poured gas on Jennifer’s body. He turned on the stove burners and lit the body on fire. He then left the house and drove to work, expecting the place to blow up. But neighbors saw smoke coming from the home and called 911. Fire crews arrived and put the fire out. Jennifer’s body was found in her bed.

“Zumot had deleted the conversation they had with each other from the night before from both his and her iPhones. Cell tower evidence showed that he had her phone with him while traveling to his domestic violence class,” added Eichbaum. “Zumot had sent messages to her friends and family, pretending to be her, pretending she was still alive.”

Zumot was found guilty of murder and arson and was sentenced to 33 years to life in prison.

The successful prosecution in the ‘People v. Zumot’ case shows how valuable it is to have investigators collaborate closely and to combine both digital and physical evidence.

The officers who worked on the Schipsi murder investigation were honored with the “Case of the Year” award in 2011 from the High Technology Crime Investigation Association (HTCIA).