Nervous System: iPhone Witness Testimony

In a 2016 murder trial, the alleged killer’s iPhone took center stage. But as David Kalat explores in this month’s history of cybersecurity, it wasn’t what the phone held, but how the data was extracted that made this a case to watch for digital forensic examiners.

On July 15, 2013, police in southern Illinois arrested Anthony Garcia, a person of interest in a series of murders dating back to 2008. The state had significant evidence against Garcia, but there also were significant gaps in the case against him. In many ways, the case came down to some seemingly damning evidence allegedly found on Garcia’s iPhone. Problematically, the way in which detectives went about collecting electronic evidence from Garcia’s iPhone became as much a point of contention as the evidence itself.

Dr. Roger Brumback and his wife, Mary, were murdered on May 12, 2013. Investigators in Omaha, Nebraska, noticed similarities to the unsolved murders of 11-year old Thomas Hunter and 57-year old Shirlee Sherman on March 13, 2008.

Investigators realized not only that the evidence suggested the crimes were committed by the same person, but that all four victims had connections to a Creighton University School of Medicine student named Anthony Garcia. Garcia had been terminated from the program by one of the victims killed in 2013, and by the father of one of the victims killed in 2008. Closer investigation revealed that months before the 2013 killings, Garcia had been denied an Indiana medical license—in part because of his termination from Creighton. Weeks before the 2008 killings, Garcia had been denied a Louisiana medical license—for the same reason.

Just weeks after emerging as a person of interest in the Nebraska killings, Garcia was pulled over while driving in southern Illinois. The officers found a .45-caliber handgun in his possession and discovered the Nebraska connection while booking him.

As Garcia sat in a Union County, Illinois, jail, Omaha Police Detectives Ryan Davis and Nick Herfordt executed a search warrant on Garcia’s Terre Haute, Indiana, home. Among the items they found was a garbage bag full of chemicals, in the process of destroying a clutch of documents. These included Garcia’s termination letter from Creighton—signed by Dr. Roger Brumback and Dr. William Hunter. The detectives also found credit card receipts showing Garcia was in Omaha in March 2008. They found the empty box from a gun Garcia purchased in March 2013, some pieces of which were found along the highway near Garcia’s home and other pieces of which were found at the scene of the Brumbacks’ murder. The detectives also found an iPhone.

In the trial that followed, the evidence from that iPhone became a prominent point of contention.

The State of Nebraska put Anthony Garcia on trial in the fall of 2016. His defense attorney pointed out holes in the state’s case: the eyewitness who did not identify Garcia; the police sketch from 2008 that does not look anything like Garcia; the fact that investigators had spent five years developing a case against an entirely different suspect for the 2008 murders; and the absence of a forensic trail establishing that Garcia was ever at either crime scene.

Then there was Garcia’s iPhone. Officer Herfordt testified that in his examination of that device’s data, he found evidence that the iPhone had been used to conduct an internet search for Dr. Brumback’s address on the same day that Brumback was killed. He also found a search for the phrase “If you wrong us, shall we not revenge?”—a quote from Shakespeare’s The Merchant of Venice

It was compelling evidence connecting Garcia to the crime—assuming it could be believed.

The defense brought in forensic expert Giovanni Masucci to rebut the state’s conclusions. Masucci did not argue that the electronic evidence had been misinterpreted, nor did he assert that it contained exonerating information that the state had overlooked. Instead, Masucci focused on challenging the integrity and authenticity of the evidence.

Mobile devices likes iPhones occupy a worrying nexus between, on the one hand, being used to store deeply personal types of data, and on the other, being small objects with a heightened risk of being lost or stolen. Consequently, the manufacturers of mobile device hardware and software often deploy engineering solutions that can present technical challenges for forensic preservation.

There are forensic tools customized to the purpose of collecting data from mobile devices. Those tools are often expensive, and can be complicated to use. Faced with the technical challenges of collecting the data from the seized iPhone, Officer Herfordt did not use those tools. Instead he opted to download Garcia’s iCloud account data to a second device. Specifically, he downloaded the account data to his own phone, after first resetting his device to factory settings.

The defense expert portrayed this as “cross-contamination” of the accused’s data with the detective’s. As Masucci argued, although the officer’s phone had been wiped before the downloading of the iCloud data occurred, he had left in the device’s SIM card.

The extent to which this was a genuine issue of concern was debatable. Although other types of phones might store certain kinds of user data on the SIM card, such as text messages or databases of contacts, Apple’s iPhone only uses the SIM card to administer the connection between the subscriber and the carrier. No commingling of user data was likely. Furthermore, if commingling had occurred, what were the odds the investigating detective had been coincidentally searching for Dr. Brumback’s address on the same day that he was murdered? Nevertheless, Masucci had raised questions about the reliability of the otherwise damning findings from the phone. Sometimes that is enough to win an acquittal.

In this instance, though, the jury convicted Garcia on all four counts of first-degree murder. In the period between Masucci’s testimony and the verdict, the wider community of digital forensic examiners had watched the case keenly. The iPhone evidence had been only one piece of evidence in a larger prosecution, but the fact that the important electronic evidence it contained had ever been questioned in that way speaks to the importance of the right forensic practices.

The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.