Holy moly…

The jury deserves a BIG margarita after today’s testimony on cellular data.

The topic is complex and likely quite boring to the average person, but I will say that the expert, Jessica Hyde, is a fantastic teacher. She did a great job simplifying such layered and intricate details for listeners.

ON THE STAND TODAY:

1. Trooper Connor Keefe (MSP Officer)

2. Jessica Hyde (Digital Data Scientist)

TROOPER CONNOR KEEFE (MSP Officer)

• Trooper Keefe works for the MSP DA’s office in the Homicide Unit. He also plays a role as a Digital Examiner.

• Keefe was the Trooper who collected Jen McCabe and Kerry Roberts’ cell phones. They provided them willingly with password access (signed a consent form).

• Trooper Keefe was on scene at the Fairview property when the SERT team was doing their search.

• Keefe was responsible for bagging evidence. When the SERT team would alert that a piece of evidence was located, Trooper Tully would take a photo of evidence, and Keefe would then bag it. He would write on the evidence bag to log the info date, time, etc. Time logged is not exact by the minute, just a general time of when it gets documented.

• Trooper Keefe was the one who brought the evidence bags from the search site to the evidence room once the search ended.

• A Nike shoe was located at the curb, and several pieces of taillight were recovered at ground level. (Some of the shards were red pieces, and some were clear pieces).

• Defense asks Keefe if he recalls interviewing witness Sarah Levinson with Investigator Proctor on 10/1/22. He doesn’t recall that, but is refreshed when shown the report.

• Keefe collected security footage from C.F. McCarthy’s Bar, but Proctor was the one who reviewed it along with the Waterfall Bar & Grill footage.

• Keefe was the officer who attended the autopsy of John. No other officer attended.

• Keefe did not provide a theory to the Medical Examiner. He said there was no theory to even give, but they do share facts they learned about the case with the ME.

• Defense asks if he knew by the end of the autopsy that the ME marked death as “undetermined”? Keefe says yes.

• Defense asks if Keefe witnessed the scratches, bite marks and lack of bruising on John’s arm? Prosecution objects. Sustained.

MORNING BREAK

**Judge sends jury on an early (and extended) morning break because the defense wanted to share a new request they had regarding the CW’s next witness, Jessica Hyde. **

Defense Attorney Alessi argued to introduce a Maryland court’s ruling determining that Hyde was once not approved to testify in a particular trial several years ago. The prosecution argued back that not only does this judgement not have context to why she did not testify (many possible reasons), it’s completely unrelated to the data topic in this trial and is simply an attempt meant to dehumanize her. Judge denies the defense’s request.

JESSICA HYDE (Digital Data Scientist)

• Professor at George Mason University, and specializes in mobile devices.

• Former Forensic Director for Axiom.

• Owns her own digital forensic training company. Teaches many people, including government entities about forensic data.

  

• Hyde states that a person should not “rely” on extraction tools, they should “utilize” the tools. There is “absolutely a danger” to rely simply on parsed tool data. It requires human analysis for a proper and thorough conclusion.

• Hyde was given a specific scope and timeframe to analyze regarding Jen McCabe’s phone. She was requested to review a few of the web searches, as well as the report’s “deleted” artifacts.

• She was able to ensure the integrity of the forensic image taken of the phone’s contents through means like ‘hash values’ to rule out any manipulation.

• Jessica Hyde reaffirms what the jury heard last week from Cellebrite’s Digital Forensic expert, Ian Whiffin, about 2:27 AM being a ‘last tab open’ timestamp. It was not the google search time for ‘hos long to die in cold’. The hypothermia search was not made until after 6:30 AM, confirming Jen McCabe’s testimony.

• Hyde explains the difference between search times and tab open times. Says her newer students frequently get this topic wrong on exams. She explains that it’s dangerous to not look into the data and simply assume a timestamp means it’s a time of search.

• In May 2024, Cellebrite’s software update removed the parsed 2:27 timestamp issue due to the ambiguity.

• Cellebrite and Axiom are leading digital forensic tools, and they parse information in different ways for different purposes. Hyde explains the difference between ‘parsed’ and ‘carved’ results.

• Hyde explains how a WAL file works using a restaurant analogy. If an artifact is in the WAL file, it does not mean it’s deleted.

• There was no way to manually delete a google search. You can manually delete the cache or visible search history, but there is no way a user can manually delete the actual search, therefore, Jen McCabe did not delete any google searches.

• Hyde is also asked about the parsed phone call data that shows as being in a deleted state. She explains that our mobile devices manually move older calls to a deleted folder after it exceeds 200 calls. Meaning, the oldest of 201 calls is moved automatically for memory storage purposes, and so forth.

• Hyde says that Jen McCabe’s phone exceeded that number of calls on 1/29/22 and days after, which means the oldest artifacts are reported as ‘deleted’ in the report.

• Hyde says it is her expert opinion that Jen McCabe never manually deleted any calls.

• The morning John was found on the lawn, his phone shows activity starting at the time EMS arrived, and throughout the next few hours. Defense asks if it would have been best practice for the officers to put John’s phone in a faraday bag immediately (or into airplane mode) after collection, and Hyde says yes. However, the conclusions made about John’s last activities are not effected by that at all.

• Hyde also says there are reasons why a faraday bag may not be used like a victim dies, and the officers need physical ID to open the phone. (Fingerprint, face)

• Hyde’s report states that the victim, John O’Keefe, took 82 steps beginning at 12:21 AM. She explains that ‘steps’ are inferred through motion. Steps can also be registered if someone is on a bicycle, car, etc.

The trial ends with this clip of Karen Read played for the jury: