Scenario: The case involves a Full File System extraction of an iPhone, acquired by law enforcement, that was turned over in discovery with a Cellebrite Reader Report and Call Detail Records (CDR). Attorneys commonly receive a Cellebrite Reader Report, which contains the contents of phones and other mobile devices. In this case, our client had a witness provide screenshots of text messages between our client and the witness. There are myriad reasons why screenshots are problematic evidence (most egregiously, they can be completely fabricated). The attorney knew these messages were real and that they helped strengthen the alibi. But where are they in the reader report?
Forensic tools are not perfect. They are very useful in practice, but when you do not know where to manually look for the exculpatory evidence used to build a client’s alibi, then you are relying on imperfect and incomplete data to inform your case. In this scenario, the messages were present within sms.db, the database within the phone that stores these types of messages.
Where they were missing is more of the story: they were not presented in a manner that is easily found in the Cellebrite Reader Report, especially to someone not trained in digital forensics or familiar with the use of Cellebrite’s Physical Analyzer. The attorney I was working with was completely unable to find these vital messages within the Cellebrite Reader Report, and they did not have access to the tools needed to reprocess the extraction. Thankfully for the client, the attorney reached out to us and asked for help, as we were able to find the messages and other artifacts to bolster our client’s defense. If you have similar issues, we can help; email us at firstname.lastname@example.org.
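As an added illustration (not part of the original post and not the examiner's actual procedure), the sketch below shows one way to look directly in sms.db for messages exchanged with a single contact, independent of how a report presents them. It assumes the `message` and `handle` tables and the columns named in the query, as found in the iOS sms.db schema; the database contents, phone numbers, and message text are constructed stand-ins.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def apple_time(raw):
    """Convert a message.date value (offset from 2001-01-01 UTC) to a datetime.
    Older iOS versions store seconds, newer ones nanoseconds."""
    seconds = raw / 1e9 if raw > 10**12 else raw
    return APPLE_EPOCH + timedelta(seconds=seconds)

QUERY = """
SELECT m.ROWID, m.date, m.is_from_me, m.text
FROM message AS m JOIN handle AS h ON m.handle_id = h.ROWID
WHERE h.id = ? ORDER BY m.date, m.ROWID
"""

def messages_with(conn, contact):
    """Return every message row exchanged with one contact, oldest first."""
    return [
        {"rowid": rowid, "utc": apple_time(date).isoformat(),
         "direction": "sent" if from_me else "received", "text": text}
        for rowid, date, from_me, text in conn.execute(QUERY, (contact,))
    ]

def constructed_db():
    """Constructed stand-in holding only the columns the query reads."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT,
                              handle_id INTEGER, date INTEGER,
                              is_from_me INTEGER);
        INSERT INTO handle VALUES (1, '+15555550100'), (2, '+15555550199');
        INSERT INTO message VALUES
          (1, 'Are you still at my place?', 1, 700000000000000000, 0),
          (2, 'Yes, leaving around 10',     1, 700000060000000000, 1),
          (3, 'unrelated thread',           2, 700000030, 0);
    """)
    return conn

if __name__ == "__main__":
    # For a real case, open a working copy read-only instead, e.g.
    # conn = sqlite3.connect("file:sms.db?mode=ro", uri=True)
    for row in messages_with(constructed_db(), "+15555550100"):
        print(row)
```

Run it against a working copy of the database rather than the original extraction, and compare the returned ROWIDs and UTC timestamps with what the report and the CDR show.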