The following transcript was generated by AI and may contain inaccuracies.
Desi: Welcome everyone to the Forensic Focus podcast. You’re joined with Si and myself as always, and this week we have back Heather and Jared again. I was away for the last one, but I’ve caught up now. We’ve used AI to summarize everything. Had a few tangents already, but I’m sure we’ll get on to more.
For the listeners, Heather and Jared, do you guys want to give a quick introduction to everyone about who you are and where you’re from?
Heather: Sure. I am Heather Barnhart. I’ve been a digital forensic examiner for almost 24 years. I currently am a faculty fellow, a course author, head of faculty, and DFIR curriculum lead at SANS, and also senior forensic expert at Cellebrite.
Jared: And I am Jared Barnhart. I’ve been doing digital forensics for about 13 years now. I was a police officer. I retired a little early. Went and did some fun government contracting work around mobile devices, and then came on with Cellebrite full-time as head of CX strategy and customer advocacy.
So basically just engaging with people and figuring out what they’re doing, what they need, making sure we’re on the same page.
Desi: Thanks guys. I guess we’ve got a few things to cover here today. And I don’t even know where to start. Maybe we start off lighthearted because we’re getting into some murders.
Si: What, murder is not considered a lighthearted topic anymore?
Desi: We kind of skirt around this a little until you warm up. But we’ve got the C2C summit happening next spring. So what is that for? I actually don’t know – I’m assuming it’s Cellebrite to something, or something to Cellebrite?
Heather: It’s Case to Closure.
Desi: Cellebrite’s Case to Closure. So how long has that been running and what happens there?
Heather: Well, this is the second one ever. Last spring was our first, but I have been begging for this – 2026 is our second one. I feel like it’s right now. I have begged Cellebrite since I joined, working for them over six years ago, to have a summit and do something and just have an event where people could come together and everyone could sit back and actually hear from the customers.
Desi: So it’ll be a conference where all the customers come together and can share, and I’m guessing people will be giving talks on what’s happening within the product or just the industry in general.
Heather: So we have an advisory board and we have our group of people. We intentionally try to pick talks that aren’t about the products. We want people to talk about what they’re doing day in and day out, what makes a difference for them. If Cellebrite helps them, fantastic. If it’s research, just keep it real so it’s not a sales pitch thrown in your face.
Desi: And how did the first one go this year, I guess?
Jared: Yeah. So it went way better than expected.
Si: It’s good when that happens, isn’t it?
Jared: Yeah. Hey, we’re gonna do this, it’s gonna be great, it’s gonna be all these things. And it’s the first one, so you don’t know. And then we walked in and all of a sudden it was like, hey, good to see you, hey, thanks for coming. And we just started to rub elbows with people in the community.
And it was like, alright, this is really happening. But then once we got into the content, it was so well received. The reviews were like, hey, it was really nice to hear this case study from this person. Bill Cock talking about expert testimony and how to deliver it. The actual content was really well done.
I don’t know if we lucked into that a little bit. We were lucky to have people actually do submissions and put time in. But then when it actually was delivered, it was fantastic. And as Heather said, it’s the opposite of a sales pitch. We do this advisory board to try to get the best of the best. And in some of my notes I was like, no, it’s too much Cellebrite in here. It’s not about us. It’s about work and what’s helpful and learning. So it was good stuff.
Heather: And it’s really hard to tell a product-based company, hey, you don’t get to talk. You get to just sit and listen. But we did. They had little vendor booths. So if you wanted to learn about a product, you go out into the hallway to the booth of our own people, which was great. It was really busy. But not everybody wants to hear that because some people use it every single day and they just want to hear from each other.
Si: Yeah. That’s really awesome. So was it platform agnostic or was it just Cellebrite being discussed?
Jared: Oh, it was agnostic. Anything could be discussed. The way that we did the submissions, we did a typical call for papers, went through, graded the content to put it into some tracks.
Very few talks were Cellebrite-centric. It was almost the opposite. It was like, how did you solve the case, or what research did you do and what are the findings. We did an innovation showcase on the main stage that was like, here’s Cellebrite stuff for 45 minutes. But other than that it was mostly community people giving their thoughts.
Heather: And we do this insane thing during lunch on day two, where the advisory board sits on the stage and we let people ask us anything they want off the cuff.
Si: That’s brave. That’s brave.
Heather: But it’s some of the best questions that you get. And it’s also amazing for our product team to sit there and hear the questions they’re asked and what people are curious about or struggling with. I think it’s good. It’s a good reality check for everyone involved.
Si: Yeah. You can’t beat proper customer feedback on all of the things that they don’t tell you in the feedback forms that you give them to fill out. Yeah, definitely.
Heather: And this year we have Terry Crews. Last year we had Tim Tebow.
Si: Oh, come on. Really?
Heather: Terry Crews is gonna be fantastic.
Si: Oh, okay. I’m gonna maybe need to figure out my tickets to this, because actually I quite like to meet him. He seems like a laugh.
Heather: I know, right? I hope he comes out. Was he Brooklyn Nine-Nine?
Si: Yeah. Yeah.
Jared: He’s been in so many awesome things and always a little bit police-centric in roles, so I think it’s gonna be fantastic. It’s three days this year. Four days.
Heather: Well, it’s really two of the conference and then two of training, and then there’s the Digital Justice Awards in the evening.
Jared: Yeah, so last year we did a two-day conference, and then the third day was a day of essentially free training. This year we’re doing training on the first day, and then conference two days, and then training on the fourth day. So sort of like an optional bookend if you wanted to take some training and then also enjoy the conference.
But for what we produced last year, and again, I was nervous, but it went really well. The registration’s like $250.
Desi: Yeah.
Jared: I mean, it’s amazing content for the price. And then just the networking – we had folks from all over the world that came in that presented topics from some global perspectives. It was really, really well done.
Desi: And the whole conference is just in person as well? Is anything recorded so people can watch later, or is it all just set up to be there for the conference?
Heather: Everything was in person. We had some law enforcement cases where they didn’t want to have the situation recorded or the conversation, so we just ask people to be mindful of that. But it was nice – if you think since the pandemic and how many things are remote and you can just opt out and check out and be behind your computer. It’s nice to be in person.
Jared: Yeah. And we had over 500 people actually come in person, so it was well attended.
Heather: It helped that I said there was a dating game. You could win a date with Jared.
Si: Oh. That’s the deciding factor. That’s brilliant.
Desi: This will really sway my decision. Is Jared open for the dating game again this year? Okay. Excellent. Alright. I’m gonna be talking to our bosses. Si, I’m coming over as well.
Si: You do that. You go to that, but you gotta get me something signed by Terry Crews. Sounds good. Alright. Good stuff. So aside from obviously plotting world domination with your conference game, what else is going on with you guys in Cellebrite? I mean, we alluded to a murder, but let’s again book in that one for a little while and talk about what you’re up to.
At the moment, are you doing any research or are you doing – well, I know Heather, you do research, so is there anything that you are on, anything that you’re looking at in any particular moment?
Heather: I’m in the midst of – we just finished our Cellebrite CTF, which is some of the hardest work that we do in such a short period of time. So we build the data set for about eight months and we have this whole scenario and you have two phones with you all the time and it’s absurd.
But then we write all these questions and play this game and that just ended. So that’s a huge thing. But right now I’m in the midst of my course edits, so I feel like I have no life and he does not love this. But it’s hard because mobile devices update constantly and then you have to update your training.
Si: Yes. I should have taken up something like Greek, which hasn’t changed in the last 2000 years, as opposed to forensics. It’s a terrible idea to teach forensics.
Heather: Yeah. And it’s something so simple. We were going on vacation last week and I was like, Samsung Health changed. I should take – I call it Anne, I should take Anne’s phone with me and do some workouts. He’s like, on vacation? On vacation. I was like, well, when else am I gonna do it if my course is due on the 19th?
Si: Oh, brilliant. And I mean, if nothing throws them out as a quick trip out to a resort somewhere. And as we were talking before, did your heart rate spike when you saw the octopus? This is an important question that Anne would only be able to answer.
Jared: Right. And that’s, I feel like that’s the best of what comes out of the capture the flag, are these moments of, oh, I have this phone, oh, that just happened. I’m gonna find a question and write it about this moment, this whatever. But did the blogs go out yet?
Heather: The blogs, not Dex. Dex goes out today.
Jared: Yeah. So one of the things that Heather and Josh and the CTF team always do is we spend a lot of time – obviously they create the data, but then writing the questions can be very frustrating for the consumer. When they get it, they dig in and they’re like, this is so stupid, and this question makes no sense and it’s so hard. Yeah, great. That’s the point.
We like to have a little bit of fun with it to be like, it’s so frustrating, right? But then when you get to see the answer, it’s like, oh, I get it. Sort of free-range practice of this craft. But the blogs that come out immediately after are a really nice walkthrough of sort of the thought process of why the question may have been written, what maybe it’s trying to teach, like, hey, this question is to lead you to this thing that maybe you’ve never seen before.
So it’s always a nice process post-events to have people just sort of resonate on – I experienced it, I was frustrated, I was happy, I was whatever.
Heather: Yeah.
Jared: And now, okay, I understand a little bit better as to the why.
Heather: It also shows limitations in our own tools. We try to be really honest, like, hey, you couldn’t have done this if you stayed just in Cellebrite tools. You can’t go far enough or you need to use some of the open source community tools that our colleagues create, which is great.
Si: An interesting question that came up the other day, and it wasn’t related to mobile, but does Cellebrite have an API for the integration with other tools, or is it just you have to pull it out and use something else? Sorry, completely off the cuff question. Totally unprepared for, and I apologize in advance.
It was very fascinating talking about APIs and the ecosystem of tools in general and whether tools were able to interact with each other in certain ways. And I was just wondering if there is something for that.
Heather: Not really. Yeah. Not other than pulling cloud stuff directly from cloud providers.
Jared: No.
Heather: But no, I feel like you have to export out the data and/or just take the whole extraction and put it into the other things you want to feed it into.
Si: Yeah. Okay. Fair enough. And sorry, having taken you down a tangent that then dropped dead, I’ll bring you back to the other one. Writing questions is obviously a real challenge, but it’s very interesting because obviously we talk a lot about really horrible things when we’re talking professionally.
And it’s getting people to look at that data without talking about really horrible things. So my heart rate spike, not because I’m running away from an ax murderer, but because I’ve seen an octopus. So I think there’s a degree of joy to be found in it for us to come up with these creative scenarios that mean that we don’t have to–
Heather: Oh, yeah. Yeah.
And we give each question a ridiculous name, ridiculous name, and then we’ll have a meme. And there used to be this old show and I forget what the question was. It was Mel’s Diner. And then I had Flo – I don’t even know if anyone knows this, but there’s this old show that my dad watched.
So my dad is 76 years old and it was called Mel’s Diner and it was terrible. And Josh was the only person that knew what it was. But the answer was Alice. And Alice was the main waitress in Mel’s Diner. So if you were desperate, you could have really been desperate and then keyword searched and then found her phone number. So after I murdered someone, after Anne murdered Dex, she called Alice.
Desi: I love those in CTFs. The little deep cuts of that information. You had that information, it helps you answer the question in a different way than intended. But then it’s also from someone who’s had experience creating CTFs and seeing how students sometimes interpret the question and then go down this massive rabbit hole.
Do you guys, in your CTFs, do you collect – and I guess this depends on the feedback mechanism you have during running it – but we used to have the help on a Discord server and we would collect the thought process of some students, how they would approach a question to be like, this is gonna help us create questions in the future.
Because we would’ve tested those questions eight times and no one had ever thought to solve the question in that way. And then some student has just gone off this random tangent, used some tool that we’ve never heard of and completely not got the answer. But it’s just interesting.
Heather: Okay, well we’ve had people find the answer in a different place and it’s slightly different, and then we have to change our answer and accept the flags. So we’re like, oh, that’s actually – I never saw that. Thank you.
Desi: That’s so interesting.
Si: Yeah. It’s when they’re starting to find artefacts pointing to the same stuff.
Heather: I think I had one last year on what was Sharon’s battery power or battery percentage at a certain point. And it’s because we were doing research for Idaho murders, which we couldn’t talk about then. And someone found it in another place, and it was just a percentage. It was 33 versus 34 at the same timestamp.
I’m like, I think I may have plugged in my phone and it ticked up one percentage, so I have to – I think I have to accept that.
Desi: Yeah.
Heather: But this is where we end up having drinks and then we argue with each other on what’s acceptable, what’s not. Are we being too hard? Are we being too soft?
Jared: Normally it’s too hard.
Heather: Yeah. I was nice this year.
Jared: As an observer, I help write questions and then I just watch. They’re so ruthless with the, oh, they’re close, but they’re not exactly perfect.
Heather: So you guys, here’s another eighties reference. The song’s “So Close Yet So Far Away.” It’s a slow song. I’ll respond on Discord. “You’re so close yet so far away.” Or sometimes I said you should submit that, assuming that answer is correct, and then people are like, oh, is it correct? I’m like, I dunno. I just dunno.
Jared: I think it comes off a little ruthless, but it’s meant to keep the game fair. To not have the – well you’ve asked the right question, so I’m gonna give you a nugget of information that I haven’t given anyone else. Yeah, because I guess–
Desi: That’s the–
Jared: But it comes off a little ruthless.
Desi: In real life, the battery percentage is a good example, right? If in real life, you were like, what’s the battery percentage and it’s 33, 34 in the two spaces. Either one is correct based on the information you’re finding in the phone. But in a CTF, because you can brute force it, you have to be more ruthless. Because then people could just keep guessing until they hit the correct answer.
Heather: Well that’s what we’ll do. Two for medium questions, you get two guesses. For hard, you get one.
Desi: Yeah, put the limitations on people. We tried to make the– that’s awesome. Well, we’ll put those links in the show notes as well for people if they want to check out the writeup. I assume they can. Do you guys still have the evidence if people want to go and redo the CTFs?
Heather: Oh yeah. It goes out to the NIST website. So we give all of our data sets to NIST and then it becomes free for educational purposes. We also include a document with just every question, so some people use it for training externally and in their own organization so people can take it and do whatever they want.
Si: He says very quickly, plugging the Forensic Focus Discord channel. If people ask about images, this is where I point them, in the direction of the star archives for everything. And somebody asked about drone forensics the other day. There’s a whole drone set of images and questions and things like that.
So it’s a great resource if you want to go and practice anything. They’ve got all sorts of network captures and forensic images. Some of them looking a bit long in the tooth, but then every so often you do get a Windows XP machine land on your desk. So it’s quite good to keep in practice.
Heather: But you know what we get in the last five years – I’ve had more cold cases than I’ve had fresh cases where it’s Android 4 and super old platforms and you’re like, wait, I don’t have this to test on. So it’s amazing that stuff like that exists.
Desi: Yeah. Well, I don’t know about you, Si. I think I’ve drunk enough coffee now to start talking about murders. And we’ve alluded to it a little bit.
Si: No, it’s very reasonable.
Desi: So Si and I both aren’t in the States and we’re both hermits when it comes to news. So we actually had no idea what these were at all. I think it’s been doing some rounds in the news cycle, but maybe you guys could just explain some of the background behind what the Idaho murders were and I guess when they happened.
Heather: Do you want me to start on the murders? Okay, go for it. Alright.
So a few things. We promised the victim families, if possible we would not say his name because their point is people remember, unfortunately, the criminal and not the victims.
Si: Just back that.
Heather: Yeah. So we refer to him as BK now, which is what the families prefer, and that’s what we’re trying to do. So Kaylee, Maddie, Xana, and Ethan were murdered in the early morning hours. It was November 13th, 2022 in Moscow, Idaho. A tiny, tiny, tiny town, which it’s impressive that it became international.
And I would credit the questions of the families on how it got so much attention, just wanting to know what happened to their kids. So someone came into the house and brutally stabbed the four kids while they were in the house that night.
Desi: And then I guess, getting into it, from the surface level, that doesn’t sound like a digital forensics investigator would get involved too much in just that base. So how did you get involved in this case?
Jared: Yeah, so I guess if you think of it initially, to lay a little more groundwork on it. This was a college campus scenario, so police are showing up and hours had passed and there was some confusion. It was like a call, hey, there’s something happening at this house. And they show up like, oh, people have been killed.
Let’s clear everybody out and let’s establish a crime scene and try to do the right things. But there were people that were left alive and inside of this house, living witnesses that encountered him. And so it was just a very confusing moment.
But then it starts to hit our news cycle a little bit. And so people start to pay attention that this case hasn’t been solved yet. These four kids – called kids, young college adults – have been brutally murdered, and we don’t know who did it. And so as the time passed, it became, at least in the US, hitting the news cycle of what’s happening? Why hasn’t someone been found yet? And so finally it was 46 days after the crime when BK was arrested in Pennsylvania.
Desi: In Pennsylvania, sorry. And for our listeners, how close is that to Idaho?
Jared: Coast to coast. Okay. So it’s separate sides of the country.
Desi: Yeah.
Jared: So he went on a bit of an early winter break and drove across the country with his father to his parents’ home in Pennsylvania. And then to answer sort of how we got involved, I’ll pass it over to Heather.
Heather: So I had a previous SANS student of mine work at the FBI, our CFL near us in Philly, and he reached out and just said, hey, are you interested in coming in to take a look at this? It’s weird. And that’s the thing – the data was weird. It just didn’t make sense.
When you get – you think a college TA or someone of that age, if you got my devices, they’re so busy. There’s tons of data everywhere. There’s lots of communications with friends and people, and his data just looked odd. So that’s how Jared and I got involved. We started going in and then we were immediately signed to a gag order. And that was March of ’23, and that just released this July.
Jared: So for all that time, people had questions, the news kept popping up. Every time something happened with the court process, it would be this new bit of excitement. But then it was just sort of nothingness until July of this year when all of a sudden he was gonna take a plea.
And agreed to a plea and very quickly the court process sort of completed, leaving a lot of things unanswered. I think for victim families, for the community in general. And I think that’s sort of where this moment with us having a little bit of the story to tell about who he was based on his device became attractive to news outlets.
Si: So I mean, obviously the administration of justice is unfortunately an incredibly slow process in most countries. I mean, we’re doing cases from 2022/23 here as well. So it’s not like I can say that yours is any slower than ours is.
But was there any particular reason that – I mean, one would’ve thought, I’m gonna say again, I don’t do meat space forensics particularly, but it does seem that something like that would’ve had a fair amount of biological DNA and stuff that would’ve proved the case. What was the actual sort of holdup in it?
Jared: So the – I would say the – we talked about this a couple different times as we worked through the details, but at the crime scene there was a knife sheath left behind. And that was sort of the crux of figuring out who had done it – a DNA swab from that.
And then through an ancestry search, a match to a family member and then figuring out that – especially being two sides of the country – how many people from over here in Pennsylvania have connection out there? And so he quickly became the suspect.
But the car – additionally there was a Ring video camera of this white Hyundai car just speeding away. And after some analysis, it was also doing some laps and coming by before the crime. And so this car was present, it was obviously someone involved. But without the knife sheath, we said, I guess you’d have really been focusing on the car. And then without the car, I don’t know.
I mean, it seems, and look, a bunch of investigators poured a ton of time into this thing. I don’t want to simplify it down, but truly there’s these two things that if not for a knife sheath left behind, you’ve got a car that there’s tens of thousands of them. And so a little bit of – I don’t want to say luck – but investigatively, that knife sheath was sort of the crux of finding the suspect.
Si: So I mean, you said there was phone evidence – his mobile phones were seized and they were odd. Now, this is the thing that any forensic examiner wants to hear. How were they odd? Why were they odd? Or do you know? Where are we at in figuring out the digital footprint of this all?
Heather: From my perspective, the digital aspect showed his intent to commit murder. He did a really good job cleaning up the data on his laptop – that was even harder because he cleaned up the logs, and I think cleaning up laptop data on a PC is a lot easier than knowing all the log files that exist on an Android.
Desi: So–
Heather: Even though he did massive deletions and even took preparatory steps to just reduce his digital footprint – but it’s different than anything I’ve ever seen, and I believe that Jared has seen, because usually it’s like, hey, go find this thing, proves the person was at this location or did this thing or had.
And we were looking at it from where is everything? And then that became the interesting part. There wasn’t anything. And that’s what showed us his intent to isolate himself from the world for a period of time during the murders.
Si: Right. So was it an obvious gap during that period?
Jared: Yes and no. So let me take it a little bit further. If you think of, oh, if I turn my phone off and then turn it back on two hours later, I have this beautiful bookend of nothingness. A little bit of that.
The tricky part for us is he wasn’t identified for a long time after the crime. So if a crime’s committed right now and you go grab the phone and you get a good extraction right away, then great – you can tell a wonderful story of what happened. But after that much time, most of the go-to staple files that you would go look at to try to tell the story had already purged. They’d cycled data out to new data.
And so we were kind of left with, well, what don’t we know that’s in this device? And so we have this person that we learn later was so isolated in general. He didn’t have a big footprint regularly. His regular day was talking to his parents. He didn’t have friends. He didn’t have social media that was busy. So his digital footprint was very small before he started to take steps to make it smaller.
And so when you open his device and you start to look at, alright, when did the – let’s look at the timeline. And it’s like, nothing. There’s almost nothing there. And I was like, okay, you can explain it by who he was as a human.
But then additionally, we had to dig in a little bit and try to find – basically just literally going to directory, open a file. Does it have a timestamp? Yes. What does this file do? And then just like, yep, okay, here’s a – it was a lot of work.
Heather: A lot of work. Here’s this, here’s that.
Jared: Yeah. Here’s what this record is. Ah, that looks weird. It kind of looks like this. Hey, Josh Hickman, fire up a test phone or can you dig into something that you already have in front of you and sort of validate the thought process here over and over and over and over again. Just trying to figure anything out. Because the parsed data was pretty much–
Heather: It got to the point where we were going through every cheat sheet that we had. At one point I was looking through my own course slides and notes like, did I miss a file? What is– it was absurd. Absolutely absurd.
Desi: So was there a few – I’m not that familiar with mobile forensics. It kind of wasn’t around when I went through training doing that stuff–
Heather: Yeah. It’s never too late, Desi.
Desi: Like, you’re getting me very excited. I don’t – the Cellebrite CTFs are just about to come out. Oh, don’t get me on another sidetrack mission. I’m too busy with other things in life, but I’ll probably get into it now.
So was there a particular process on the phone or the collection of evidence that helped you determine that? Because I assume that’s what happened – he turned off his phone during that time and that’s what you were trying to prove in the timeline. What was it that helped you come to that conclusion?
Heather: Well, one, the investigators that collected the data did a fantastic job. So they got full file system extractions, which is exactly what we needed.
Jared: They also came to us with, we have a void in cellular records from this time to this time. It wasn’t a secret that his phone stopped talking to the network for this specific period of time.
So it wasn’t – I don’t want to say it wasn’t hard to find evidence of that void. It was more than trying to dig in very closely to that void and understand what happened immediately before and after. But it was even going back and seeing, okay, he cleaned things up, but he didn’t think about his screenshots.
And when he took this screenshot this month, you can see at the top that he was running a VPN, and then the month before he was not running a VPN. So it was the closer you got to the crime, you could see a change in his behavior with his device.
Heather: And watching his behavior change in the other direction and him get a little bit loose once the crime was done. That was fascinating as well. What is your normal, and then, oh, okay. So what we initially saw was not your normal, and then you became more relaxed and then panicked in the end. So we got to see almost his mind and behavior.
Desi: Yeah. It’s as the case was more public, you can see on his device his behavior becoming more erratic or panicking somehow.
Jared: Yeah. I don’t know if he actually looked out the window and saw someone surveilling him, but at the very end, his last moment using his device, the footprint was–
Heather: Wiretap. Federal wiretap.
Jared: Past paranoia? Yes. Paranoia.
Heather: Yeah.
Jared: I mean, he was freaking out because I think he felt sort of the walls closing in, and they were. Again, we had no connection to any of that. But then all of a sudden a search warrant’s done at this house and his devices are seized, he’s arrested. So he wasn’t wrong with his sort of last minute feeling.
But what we got to see, I think before the crime, we had very little web browser history, so we didn’t really know what normal was. We had applications that – he apparently purchased the knife that was used from Amazon. And so everyone was like, oh, well what about the Amazon? It was like the app was installed, and the app was uninstalled well before the crime.
We also saw a normal for him of, instead of using actual installed applications, of using a browser. So if he was going to do something, let’s say on Facebook, he would go to facebook.com, which just leaves a completely different footprint than if you just installed and used the thing every day. So it was just weird. It was weird the whole way through. But he was also a very odd person.
Desi: You think–
Jared: There was a session with serial killers and I mean, he was a criminal justice type of major, that was his study. But this is well outside of the boundaries with normal.
The one thing that we had was Christmas night, the 25th into the 26th. He was basically just going through this page of serial killers and just clicking one after another. And just reading biographies of serial killers into the morning hours, which happened to create one of the artifacts that he failed to get rid of.
Along the way he was using Google Chrome to download things. And so when he would go try to clean up his browser history and do all these other things, he wasn’t specifically finding that downloads directory and cleaning it up. So there was a little bit of a story that could be told of what he was up to and when, based on what he downloaded at certain times. But again, just not right there in the UI. Not easy to deal with. And so it was overlooked.
Si: So was there any – I mean, you were talking earlier that you had done, one of the reasons you had a battery question in the CTF was because you were doing research on battery stuff for this case. So I’m assuming that there are some lessons learned that have come out of this as to things to consider in future.
But also has there been anything that’s come out of it that’s gone back into Cellebrite to improve the products, to pick up on things that you found?
Jared: I would say–
Heather: Into the CTF. Yeah.
Jared: I would say the beauty of how we operate, and a very loose we, but Josh Hickman and Ian Whiffin, guys that are really connected to what our products are doing – they’re in the mix on everything.
And so the research and the confidence – we were gonna show up to court and testify to a few different files and the behavior and what they did. And that was vetted out by testing. Doing it, extracting it, doing it, extracting it, repeating it, and saying, okay, we’re super, super sure this is what this thing does.
But the battery, and Heather alluded to it earlier, premeditated murder versus something else. The one story that we were gonna be able to tell in the courtroom was that he physically pressed the button on the side of the phone at – I forget the time, 2:24 or something like that – some time in the middle of the night and powered his phone off while it was at 100% charge.
So the story of, well, your phone sometimes runs out of battery on the nightstand – yeah, no, not that. And then a physical press of the button to turn it back on on the other side of the murders. So it may seem small, but that physical button press and the battery charge sort of takes away some of the defenses for him.
Si: Absolutely. My phone didn’t run out. It’s definitely a – yeah. Yeah. Absolutely.
Desi: And so, you mentioned because you got the phone and the laptop. Were those two the only digital evidence that you had to work with?
Heather: That we had? Yeah. We saw when we would see things in the media – we didn’t pay attention to that at all while we were working the case. But after we were freed from our restrictions, we saw all kinds of things and there were some documentaries that showed people entering his apartment and another PC in the background. We didn’t see any of those things. And I did see traces of USBs entering the PC, but again, we didn’t get those as well.
Desi: And so, because you said he did a really good job at cleaning up the laptop, and I assume that the knowledge is more common – or was it he showed a level of technical proficiency? Were there any searches you found of him trying to research how to clear phones or how to clear laptops?
Heather: Well, I didn’t, because I think he researched it and then cleared it. And the reason I think that – on, I think it was December 4th, Jared said he was running NordVPN already. On his phone he was Googling “how to install NordVPN on my PC.” So I’m sure that is how basic his searches were. He just cleared them so I couldn’t get access to it.
Desi: Interesting.
Jared: Yeah. And we went – the talking points around, alright, he’s using a VPN. Well, so do I. Yeah, exactly. It wasn’t just that one single thing. He turned off wifi, so settings – I don’t want wifi. Two days before the murders. And wifi remained off.
Who in this world – you’re getting on a plane, like, yeah, no thanks wifi, I want to challenge cellular network?
Desi: Even getting on a plane and turning off wifi. If they have wifi on the plane, you are turning airplane mode on, leaving wifi on, so yeah.
Heather: Exactly.
Jared: Right. And is it by itself damning? No. But when you start to build all these things together, it leads towards preparing to commit a crime. It’s not a random moment.
Heather: And we’re going to do our closing keynote at the C2C Summit this year. It’s going to be this Idaho case with our counterpart from FBI and potentially one of the surviving victim’s sisters taking the stage with us and just talking about the case and the pieces.
Jared: And I always like to – we did this much in this thing. There were so many hours put into so many things, and even forensics that we didn’t touch. We were asked for help with just one or two little things, and we put some time in, but there were so many people involved in sort of getting this thing done.
Si: I think we need to be careful because on the one hand, yes, we need to recognize that other investigators have done their work, but actually we mustn’t belittle the value that digital evidence has in the modern day and age.
And especially when it comes down to the difference between premeditated, especially under American law. Because you have murder, you have degrees of murder and therefore there’s shades and things. So I think the difference between showing it to be premeditated or a crime of passion or a spur of the moment thing is hugely valuable.
And that’s the sort of evidence that can only come from digital or him having a conversation with somebody before he did it. So your value to the case as a whole is immense, even though you’ve only perhaps touched a fraction of the overall evidence. So I’m not gonna let you get away with that statement.
Heather: Well, thank you, Si.
Si: No, you’re very welcome. So I mean, I think let’s step away from murder for a minute and we won’t put any references to the case in the show notes out of respect for the family’s wishes. If people want to look it up for themselves, they can go and find relevant information.
So moving on from that, the other thing we said we weren’t gonna talk about, although it’s apparently been an interesting topic for everyone, is AI. So where’s Cellebrite on the AI front at the moment?
Heather: I kind of tapped out. I’ve taken a break for a minute.
Jared: Oh, it’s exciting. Look, there is so much potential, but the guardrails have to be pretty perfect in our field on some of this stuff. We’ve for years been doing things like similar image matching and things that aren’t that exciting.
But one thing I think is true and we’re trying to solve a little bit for – today we have mountains of data and not anywhere near enough trained people to try to discern what that data means. And this Idaho case, we, with our team of people beside us saying, hey, we need to understand what this file does.
And so we were able to go through that process, but not everyone has the time, the training, and understanding to do that. So what we see today is a ton of evidence and not enough people to interpret it.
One of the interesting things that I kind of like, and people throw their hands up and say that’s the worst idea ever – working on something to be able to basically just ask questions. I don’t know what I’m doing. I am interested in asking this question against this piece of evidence and just getting an answer.
We’ve been working on something for a while, and I’ve got to see it sort of from ground level to growing, and I’m excited for what it will be able to do as a force multiplier. I don’t think we’re that close to being at market with it. But the concept of, hey, you come sit down, just ask the question that you have.
You’re an investigator, you’ve been working cases, you’re exceptional at your craft. Ask the same types of questions to this piece of data, and have this thing just sort of answer for you. And I immediately, as Heather and I tend to do, is like, oh, is this something? Let me break it. Let me ask it the worst question ever, and let me have it give me the stupidest response.
And they’ve done a great job so far of building it carefully. And again, it’s not gonna hit the market unless it’s right.
Heather: The data’s one of my old personas, so I’m like, oh, ask it this. I know what I did.
Jared: So, as an example, if I said to you, where was Heather in 2025, you would probably go to some sort of a location-based artifact and you would start looking for dots on a map. That’s just a sort of an easy win, and you’re not wrong.
But to within three seconds also have context from chat conversations, finding messages where it says, welcome to The Bahamas. Other things that you can also find them, but you would have to take a specific effort to go search for that. Same type of answer in all these different places, it sort of just surfaces it for you.
So again, it’s a baby. I love it. And other people say it’s awful and it’s gonna ruin everything, but I love it.
Heather: I liked it and I don’t love AI. I liked it.
Si: So, does it handle image data? Because I’m gonna say, I’ve seen the product whereby you feed it an image and it will – and to be fair, ChatGPT does this to a greater or lesser degree of success – if you actually give it an image and ask it, where is this image? Is that something that it can do?
Jared: I would think so.
Heather: If you said generically and it has access to all the media files.
Jared: So this is sort of the argument – if it said, well, based on external data, we believe this thing is in Mexico. Do you feel good about that or do you hate it?
Heather: She was in Mexico, so I hope you like it because–
Jared: Because now we’ve taken a piece of evidence and we have surfaced it out to the world to let it sort of collaborate and then produce a response. So you have now sought or received a response outside of evidence, which is okay, I guess.
The alternative is it focuses on metadata of location artifacts that are known, of context around the moment in time, but stays within the boundaries of the evidence that it’s been given.
Si: That’s a stunning philosophical argument though, isn’t it? Because if as an examiner, I look at an image and I can see – and I’m gonna pick an English example because that’s me – but I can see Big Ben and the Houses of Parliament in the background. I’m gonna go, that’s London. And that’s my own internalized knowledge.
Now I’m asking a system which has potentially the ability to search a far greater number of landmarks and have a far greater remembrance of it. And if it tells me that that’s Big Ben, that’s the Houses of Parliament, therefore that’s London, what’s the difference between me having done it and it having?
In fact, I’m possibly more likely to make a mistake, not on that particular example, but in general terms on identifying an image. And therefore it is an interesting one, but also like you are suggesting, I wouldn’t want necessarily to have to remove evidence from a case and take it somewhere else to get a sensible answer back. I’d need all of that knowledge internalized into the system, the intelligent system that I was asking.
Desi: Jared, for our listeners, Jared is nodding along with this with a knowing smile on his face.
Jared: And that’s – we’re in this fun moment of AI everything and every vendor’s gonna come up with some flavor of making this work. But we’re doing a hundred things. This is just sort of one example that I think is super fun, of trying to just change the way we do things a little bit and actually solve the problem.
Now isn’t – I feel like we’ve been, oh, give me everything, give me all the data. And now we’re like, holy, we have so much data. We don’t – all the data, give me less. And so if we’re in this moment of give me less, is there a way to still have everything but then attack it more strategically? I think we have to explore that. But again, this is just sort of one fun project amongst a bunch.
Desi: It sounds like if you did want to test the baby AI investigation assistant concept, you just put it into a CTF and see how students break it and get them to ask the questions and see all the tangents that people go on.
Heather: Yeah.
Jared: Well, and even that – is the data decoded or not? So we run into this a lot when we talk about carving for locations. It’s like, alright, we have a button you can click and you can send the tool free going to look for coordinates everywhere that it can possibly find them.
And then it puts them on a screen and people will do this and then say, hey, this really throws off everything that I know about this case, or that really locks in the case. And they’re like, what does this dot on the map mean? And they’re just like, I don’t know. Because it’s been grabbed from some database, some table that wasn’t researched, decoded, understood, and then put in some sort of analyzed data model.
So, as we say, just go find me the answer. When it hits outside of the decoded parsed data that’s been researched and embedded by whichever vendor, what do you want it to do? Do you want it to say, hey, I found this answer, and it grabs an altitude instead of a longitude? That’s why–
Heather: You validate. And that’s why validation – that’s where we end. You must validate whether the tool tells you, the AI tells you, your friend tells you. You have to validate.
Si: Yeah. Confirmation bias is a wicked mistress to follow along. If something is giving you the answers you want to hear, you very much don’t want to validate it and find out you’re wrong. So yeah, no, I appreciate it.
Jared: There was a person in the CTF that used–
Heather: Yeah, so someone used AI this year, and we weren’t aware of it initially. They ended up placing fourth overall and did really well, and we gave them an honorable mention. Josh took the time to meet with the person that used it. But I think a researcher from Stanford that developed some kind of program – it did awesome. It did really, really well. But again, this is answering pinpointed questions, not trying to solve the investigation.
Si: Right. I think one of the more interesting uses actually that we might see of AI is – and I play with ChatGPT quite a lot. I’m actually getting quite fond of it. And if you actually ask it to do its research and come back with references, at least you can find out where it’s getting its information from.
But it’s very good at allowing someone to rephrase a question that they don’t have particularly solid in their head into something that makes more sense to someone else. So I think for an investigating officer who’s not necessarily a forensic analyst, to come to it and say, I need to find out something about this person’s location at this point in time.
And it could say, go and ask your analyst about what’s the GPS tags on these images? Or what other geolocation data is there? And then all of a sudden they’ve got this language that they didn’t have before to be able to ask these questions. I think there’s probably a lot of room within the industry for that sort of thing, for putting together two groups of people who actually fundamentally speak different languages.
Because the average investigating officer is not deeply into the inner workings of Android or iOS.
Heather: Sounds like you should do a C2C Summit talk on this topic, Si.
Si: Oh, if you’re inviting me, I would happily write – I actually, I haven’t done a talk for ages and I’ve got one next week and I’ve got two next year already. So yeah, throw it in the mix. Send me an email. I’ll see what I can do. Desi can come and cover my talk.
Desi: Mm-hmm.
Jared: I think you’re right that fundamentally, we have people that are amazing at investigating and asking questions, and now they’re just – you’re putting something in front of them that they don’t know.
And so bridging the gap between all I want is that very skilled investigator to run back to the forensics lab with, hey, these five things, I really need to understand them. That would be a beautiful win for us because then we have this validation loop and confidence heading into decision making instead of just, as it gets passed along, it gets further away from the trained professionals.
Si: Yeah. There we are. Right. Well, we’re coming to the top of the hour, and it’s as always been an absolute pleasure speaking to both of you. I thoroughly enjoy these. You are the only people we interview jointly and I’m very, very happy with this. It works out so well every time.
But what’s anything else exciting coming up for you in – well, either in the rest of this year, not that there’s very much of it left – or next year. And what have you asked for for Christmas?
Heather: Quiet time. I want quiet time.
Si: Yeah. I’m not going to get that, said every parent ever. That’s the one I want.
Heather: I just want my course edits to be done and have some peace.
Jared: I want her course edits to be done as well.
Heather: That’s it.
Si: Oh, brilliant. Well, yeah, again, thank you so much for joining us. It’s a pleasure. It really is. For all listeners, we will have various links in the show notes covering off the CTF in particular, I think. That is going to be fascinating and both Desi and I will be taking a look at that shortly after this, I imagine.
You can find the podcast on all good places that you can find podcasts. And you can tell that it’s me closing this, not Desi, because there’s no list of them whatsoever. But you can do a Google search. You’re all intelligent people.
Just again, thank you very, very much for joining us. We hope that in the near future, you will come back, tell us more about the adventures that you are having with Angela and any other devices you’re taking on holiday with you.
And I’ll just leave it with you – I wish you a happy holiday. If we don’t speak before – I realize I was gonna say it seems a little early, but by the time this goes out, that’s actually gonna sound a lot more sane than it is perhaps right now. But otherwise you take care of yourselves. Thank you very, very much again.
Jared: Thank you. Thanks so much.