Serial Homicide – Absence as Evidence
A suspected serial killer left no eyewitnesses, as he executed them all on the spot. He used new gloves for each robbery. He used a revolver, so no shell casings, and used frangible ammo to prevent ballistics. Anti-forensics all the way. I was brought in not to find something—but to explain what wasn’t there.
By analyzing gaps in Apple’s `fseventsd` logs, I showed the phone had been powered off during each homicide window. Though the supplemental report was excluded due to discovery deadlines, I testified under oath that a powered-off device would cause those gaps—linking absence to intent.
Found guilty and serving seven life sentences.
Insider Threat – Forged Laptop, Time Manipulation
In a high-security IP theft case, a programmer handed me a MacBook he claimed held no proprietary code. Something felt wrong.
Using newly introduced Apple Unified Logs, I discovered system time rollbacks designed to forge usage history. The device had been purchased two weeks before the inspection—evidence clearly manipulated. Contriving evidence, especially an entire computer system such as a laptop, is an incredibly difficult task.
Unified Logs screamed when time was altered, and I documented every inconsistency.
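The two timeline checks described in the cases above, a run of records missing across an incident window and a clock that jumps backwards between consecutive records, as an added Python example that is not the author's tooling. The timestamps are constructed for illustration and stand in for the record times one would extract from parsed `fseventsd` or Unified Log output.

```python
from datetime import datetime

# Constructed sample: one timestamp per log record, kept in the order the
# records were written (not sorted), so a backwards jump in time stays visible.
SAMPLE_TIMESTAMPS = [
    "2023-03-01T20:58:00", "2023-03-01T21:02:00", "2023-03-01T21:05:00",
    # roughly three hours with no records at all (device powered off)
    "2023-03-02T00:10:00", "2023-03-02T00:12:00",
    # clock rolled back: this record claims to be two weeks earlier than the previous one
    "2023-02-14T09:00:00", "2023-02-14T09:30:00",
]


def find_gaps(timestamps, min_gap_seconds):
    """Return (start, end) ISO pairs where consecutive records are at least
    min_gap_seconds apart. A gap is only a gap in write order; a rollback
    produces a negative delta and is reported separately by find_rollbacks."""
    times = [datetime.fromisoformat(t) for t in timestamps]
    return [(p.isoformat(), c.isoformat())
            for p, c in zip(times, times[1:])
            if (c - p).total_seconds() >= min_gap_seconds]


def gaps_covering(gaps, window_start, window_end):
    """Gaps that fully enclose an incident window, i.e. the device logged
    nothing at all during the window (absence as evidence)."""
    ws, we = datetime.fromisoformat(window_start), datetime.fromisoformat(window_end)
    return [(s, e) for s, e in gaps
            if datetime.fromisoformat(s) <= ws and datetime.fromisoformat(e) >= we]


def find_rollbacks(timestamps):
    """Records whose timestamp is earlier than the record written just before
    them: (index, previous_time, this_time). Any hit means the system clock was
    changed between the two writes and every later timestamp is suspect."""
    times = [datetime.fromisoformat(t) for t in timestamps]
    return [(i, p.isoformat(), c.isoformat())
            for i, (p, c) in enumerate(zip(times, times[1:]), start=1)
            if c < p]


if __name__ == "__main__":
    gaps = find_gaps(SAMPLE_TIMESTAMPS, 60 * 60)          # anything over an hour
    print("gaps:", gaps)
    print("covering 22:00-23:30:", gaps_covering(gaps, "2023-03-01T22:00:00", "2023-03-01T23:30:00"))
    print("rollbacks:", find_rollbacks(SAMPLE_TIMESTAMPS))
```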
Federal Tampering – Chain-of-Custody Breakdown
In a major federal trial, I was part of a team examining the data report from a Canon CF card alleged to contain critical child exploitation evidence. The evidence had been attached to a computer without a write-blocker and signed out by someone not authorized under FBI CART policy.
My major contribution? Canon writes image data (clusters) to CF cards in a fast, burst-optimized pattern that’s predictable—until it’s not. Windows, by contrast, writes clusters in a way that favors recoverability. I identified and mapped those cluster write pattern discrepancies between the two operating systems. That distinction allowed us to identify that the card had not just been accessed without a write-blocker, but manipulated.
Despite stonewalling and denial of access to the original CF card, our findings stand. The matter is anything but resolved.
Digital Crash – Phone Off, Logs Silent (Demonstration Case)
In a distracted driving fatality scenario, we set out to determine what a phone could or couldn’t show during a crash event. I parsed sysdiagnose logs and confirmed: the phone had been off or wiped during the crash window.
Fall detection, power logs, charging events, and motion logs all confirmed a silent period that aligned with the incident. While hypothetical, this protocol has been fully tested and will serve in future cases.
Spoliation Claims – Opposing Expert Failed to Find Over 11,000 Messages – Client Exonerated
My client was accused of spoliation based on the opposing expert having failed to find messages that were known to exist. The opposing expert’s software failed to find over 11,000 AIM messages that were present on my client’s iPhone. To make matters worse, they examined only the iPhone when a Mac laptop existed and was in their possession. Their inability to find these additional SMS and iMessages on the iPhone formed the basis for their spoliation claims.
In short, they tried to save money by examining only one device and by not using two tools to validate their findings. The only problem was that all the messages, which were no longer present on the iPhone, were fully intact on the Mac in the Messages app. Further, by using a different tool than that used by the opposing expert, I was able to fully recover those ‘missing’ AIM messages in addition to the messages on the Mac laptop.
The spoliation claims were immediately dismissed against my client. One of the best referrals I’ve ever received was from the opposing counsel in this case.
Always, always use a second tool to validate your findings.
“Every case is different. But the patterns don’t lie. If something’s been planted, deleted, or rewritten—I find it.”
