JUNE 30, 2023

CSOL590 – Final
Forensics Report
FOR: DEWY, CHEETUM & HOWE

JAMES REYNOLDS
LEAD INVESTOGATOR
JAMESREYNOLDS@SANDIEGO.EDU
CSOL590 - Final Forensics Report DEWY, CHEETUM & HOWE

TABLE OF CONTENTS

1 Executive Summary
2 Evidence and Custodians
2.1 Evidence
2.2 Custodians
3 Methodology
3.1 Preservation
3.2 Analysis
4 Findings
4.1 Location
4.2 Communications with Hickman
4.3 Any other findings (optional)
5 Conclusion

CONFIDENTIAL
CSOL590 - Final Forensics Report DEWY, CHEETUM & HOWE

1.

1 EXECUTIVE SUMMARY
This investigative team was tasked by Dewy, Cheetum, & Howe with analyzing the cellphone of their
client, THISISDFIR. The investigation aimed to determine the location of THISISDFIR’s cellphone on
4/5/2020, any contact between THISISDFIR and Josh Hickman on 4/5/2020, or any evidence that
THISISDFIR was in the state of California on 4/5/2020. In order to answer these three questions, this
investigation analyzed all call logs, locational data, and messaging data for the day in question within a
image of THISISDFIR’s cellphone. In summary, this investigation concludes that on 4/5/2020 the
cellphone was located in the vicinity of Holly Springs, NC, THISISDFIR did not communicate with Josh
Hickman via this cellphone on 4/5/2020, and no evidence exists that THISISDFIR was in California on
4/5/2020.

2 EVIDENCE AND CUSTODIANS

The evidence examined in this investigation consisted of a digital forensic image of a 1 st Generation
iPhone SE (model: N69AP, Serial: DX3T126VH2XV) belonging to the individual, THISISDFIR. Josh Hickman
scanned the cellphone and created the digital forensic image on 2/25/2023. Josh Hickman retained the
digital record prior to sharing with this investigative team in both a Cellebrite Reader (UFDR) format and
an Axiom Portable Case format.

2.1 EVIDENCE
The evidence collected for this case consists of a digital image of the 1st Generation iPhone SE (model:
N69AP, Serial: DX3T126VH2XV) belonging to the individual, THISISDFIR. The image was generated on
2.25.2023 by Josh Hickman and shred with the instigative team in UFDR and Axiom Portable Case
formats. This investigation confirmed the integrity of the data by verifying the image hash using the
built-in image hash verification feature of Cellebrite Reader.

2.2 CUSTODIANS
Name: Josh Hickman

3 METHODOLOGY
The overall process for this investigation comprised of three components: location analysis, call log
analysis, and app analysis. All analyses were conducted using both the Cellebrite Reader software (v
7.60.0.27) and the Magnet Axiom Examine software (v 5.10.0.30634).

CONFIDENTIAL
CSOL590 - Final Forensics Report DEWY, CHEETUM & HOWE

3.1 ANALYSIS
For this investigation, the team utilized the analysis tools within both Cellebrite Reader and Magnet
Axiom Examine. Within both tools all results were filtered to only include the specific day in question,
4/5/2020. To answer the questions of where THISISDFIR was on this day and if they were in California,
this investigation used the “Location & Travel” tool in Axiom and the “Device Locations” tool in
Cellebrite Reader to parse the data from the phone which could provide insight to physical location of
the phone. For determining if THISISDFIR contacted Josh Hickman on that day, this investigation used
the “Communication” and “Email and Calendar” tools in Axiom and the “Calls” and “Messages” tools
within Cellebrite Reader to look for any communication between the two parties.

4 FINDINGS

4.1 LOCATION
Examining the data from the “Location & Travel” tool in Axiom revealed 8,092 locations for the
cellphone on that day. As depicted below in Figure 1, all of the locations were in North Carolina, in the
area around Holly Springs. Furthermore, there is no evidence that the phone was present in California
on April 5, 2020.

Figure 1
Axiom Location Data Map

Note. Screenshot from Axiom Examine (Magnet Forensics, 2022).

Analyzing the “Device Locations” data for 4/5/2020 on Cellebrite Reader shows 5,072 pieces of data
containing location information. Of these 5,072 items Cellebrite tagged one location in California,
however further analysis as shown below in Figure 2 demonstrates that this is a searched location on
the phone via an email from Zoom. The remainder of the location data concurs with the results from the

CONFIDENTIAL
CSOL590 - Final Forensics Report DEWY, CHEETUM & HOWE

Axiom analysis that the phone was located in the region surrounding Holly Springs, NC for the duration
of 4/5/2020.

Figure 2
Zoom Email Location

Note. Screenshot from Cellebrite Reader (Cellebrite, 2023).

4.2 COMMUNICATIONS WITH HICKMAN

Analyzing the “Communication” tool in Axiom reveals only the following three communications
which are also shown in Figure 3: one phone call, one automated text message from the messaging app
Houseparty, and one entry noting the creation of the user thisisdfir on Houseparty.

CONFIDENTIAL
CSOL590 - Final Forensics Report DEWY, CHEETUM & HOWE

Figure 3
Axiom Communication Log

Note. Screenshot from Axiom Examine (Magnet Forensics, 2022).

Analysis of the “Call Log” in Cellebrite Reader verify that the call shown in Figure 3 was the only call
that day, that the phone call was with the phone number +1(919)762-7808, and that it lasted 23
seconds. As shown below in Figure 4, this phone number belongs to a local business in Holly Springs, NC.

Figure 4
Mama Bird’s Ice Cream Contact information

Note. Screenshot from Google Maps (n.d.).

CONFIDENTIAL
CSOL590 - Final Forensics Report DEWY, CHEETUM & HOWE

Analysis of the “Email & Calendar” section of Axiom reveals that THISISDFIR sent or received 5
emails on 4/5/2020, none of which were exchanges with Josh Hickman. Analysis of “Messages” in
Cellebrite Reader reveals the same automated message from Houseparty and the same emails discover
in the analysis with Axiom.

5 CONCLUSION
It is the finding of this investigation that a thorough analysis of THISISDFIR’s cellphone reveal,
having been properly imaged and preserved, is able to answer the questions set forth by the law firm
Dewy, Cheetum, & Howe about their client’s activities and whereabouts on April 5, 2020. This report
first finds that the cellphone was located in Mount Holly, NC and the surrounding towns for the duration
of the period in question. No evidence was found on this cellphone of any communications, either by
voice call or messaging apps, between THISISDFIR and Josh Hickman. Finally, this report concludes that
no evidence exists on this phone to suggest that THISISDFIR was physically present in the state of
California on the day April 5, 2020.

CONFIDENTIAL
CSOL590 - Final Forensics Report DEWY, CHEETUM & HOWE

References

Cellebrite. (2023). Cellebrite Reader (v7.60.0.27) [Software].

Google Maps. (n.d.). Google.com.

https://www.google.com/maps/place/Mama+Bird's+Ice+Cream/@35.611697,-

78.8175411,12.87z/data=!4m6!3m5!1s0x89ac8e00a292c741:0xdbfa716a0ab1359b!8m2!

3d35.6555109!4d-78.8342173!16s%2Fg%2F11csb1mm0l?entry=ttu

Magnet Forensics. (2022). Axiom Examine (v5.10.0.30634) [Software].

https://www.magnetforensics.com/

CONFIDENTIAL