Defendant's Exhibits — Forensic Analysis

knowledgeC.db + Phone Data

Case: IN v. Richard M. Allen | 3,732 records | iOS knowledgeC (Apple CoreData) | 549+ events cataloged | 8+ artifact sources
01 Overview

This dashboard consolidates known knowledgeC.db, sms.db, CallHistory.storedata, healthdb_secure.sqlite, CoreRoutine.sqlite, Photos.sqlite, voicemail.db, powerlog data, and other data that can be found here.

Total Records: 3,732
App Sessions: 346 (foreground app events)
Screen Events: 690 (screen on/off cycles)
Battery Readings: 481
Lock/Unlock: 267
Active Days: 9 (with recorded usage)
SMS Messages: 12 (8 received, 4 sent)
Phone Calls: 28 (2 outgoing, 26 incoming)
Unanswered Calls: 25 (after ~4:00 PM on Feb 13)
GPS Locations: 6 (5m–30m precision)
Walking Segments: 7 (~1,605 steps total)
Audio Routes: 3 (sessions on Feb 13)
Instagram Images: 2 (bridge & water scenes)
Voicemails: 5 (received Feb 13 evening)
sms.db
CallHistory.storedata
knowledgeC.db
healthdb_secure.sqlite
CoreRoutine.sqlite
Photos/Instagram
voicemail.db
02 Hourly Activity Pattern

When the phone was actively being used, by hour of day (local time, EST/UTC-5). Usage peaks in the early afternoon and late evening — consistent with a school-age user.

03 App Usage

Total time each app spent in the foreground (actively on screen). The app mix — Snapchat, Instagram, Musical.ly, Candy Crush, a school portal (Skyward), Houseparty — is consistent with a teenager's phone circa early 2017.

04 Timeline of Events — Feb. 13, 2017

Timeline based on First Sgt. Christopher Cecil's forensic examination and Digital Forensics Expert Stacy Eldridge's re-analysis. The day divides into three phases: early morning texts, midday active use with movement, and then a wall of unanswered calls beginning around 4 PM.
Critical Anomalies Requiring Human Interaction
5:45:24 PM
🔊
Audio Output Route Start — Wired Aux Cable Inserted
KnowledgeC database logs Z Value Double = 1 (headphones). Eldridge: "Someone took a headphone jack and inserted it into the hole at the bottom... they inserted it into the hole at the bottom at 5:45 p.m. on the 13th."
Q: "Can you think of any explanation for aux port or headphones being plugged in and unplugged that does not involve human interaction?" A: "I cannot think of any explanation that does not involve humans."
10:32:26 PM
🔊
Audio Output Route End — Cable Removed
Headphones/aux cable removed from device after 4 hours 47 minutes. This was the last logged data received by the iPhone before battery depletion.
No movement logged. Phone remained stationary from 2:32 PM onward per Apple Health data.
5:44 PM - 4:33 AM
📡
Complete Loss of Cell Tower Connection
10 hours 49 minutes with no connection to AT&T network. AT&T repeatedly attempted to ping the device during this period with no successful response until 4:33 AM Feb. 14.
Three independent confirmation sources: AT&T HPLI logs, device data usage logs, voicemail delivery records
05 Last Recorded Movement & Activity

Health data (steps, distance) from the accelerometer and GPS fixes from CoreRoutine.sqlite. The phone recorded significant walking activity between 10:55 AM and 2:32 PM, with GPS coordinates showing southwestward movement.

Total Steps: 1,605 (across 7 walking segments)
Total Distance: 1,076 m (~0.67 miles)
Flights Climbed: 2 (at 2:31 PM)
Longest Segment: 593 steps (367 m in ~9 min, 1:51–2:00 PM)
ELDRIDGE TESTIMONY ON APPLE HEALTH ACCURACY:

Research from the Forensic Science Institute in The Hague demonstrates that distance can be off by 30-40% either way, and the type of motion greatly impacts logging. Vigorous motion gets credited with extra steps/distance, while slow/casual walking may not be logged at all. The phone does NOT log movement if traveling in a vehicle (distinguishes driving from walking).

GPS Coordinates — Southwestward Movement
DEFENSE EXPERT

Stacy R. Eldridge

Former FBI Digital Forensics Examiner, Silicon Prairie Cyber Services LLC
FBI CART - 10 years | IACIS Certified | Axiom Certified | 110+ forensic courses
KEY FINDING:

The 8-month delay between initial logical extraction (Feb. 15, 2017) and full file system extraction (Oct. 11, 2017) caused critical data loss. The "current power log" file—which would have shown exactly when the phone powered off on Feb. 13—was lost due to this delay and multiple power cycles.

TESTIMONY HIGHLIGHT:

"Every time you turn off a phone and then turn it back on, you're losing information just because of that action of shutting it off, you're losing some of the temporary files. But then, as the phone ages, files get older and some files will start to drop off at 28, 30 days old."

05 Battery Behavior

Battery percentage from knowledgeC over the course of Feb 13. The phone was unplugged at 1:48 PM at 27%, entered Low Power Mode at 10:54 AM (20%), and reached 4% by 2:41 PM. One brief charging session around 1:25 PM brought it from 4% to 28%.

Battery Percentage Over Time (Local EST)

Battery percentage over time for the two periods with dense data. Charging events (plugged in) are shown in green. The February data looks normal. October 11 is where it gets strange.

February 12–13, 2017 (local time)
October 11, 2017 — Dual Battery Streams (local time)
07 Audio Output Routes — Feb 13

iOS tracks when audio output routes are active — this covers phone calls, speaker activation, and media playback. Three audio sessions were recorded on February 13.

Session 1 — Phone Call
1:38:40 PM → 1:39:28 PM
Duration: ~48 seconds
Outgoing call to "Daddy-o". Call connected at 1:38:49 PM for approximately 35 seconds. Audio route started 9 seconds before call connected (dialing), ended 4 seconds after call log shows hangup.
Session 2 — Video Recording
2:14:36 PM → 2:20:04 PM
Duration: ~5 min 28 sec
Coincides with IMG_0095.MOV recording that ended at 2:14:34 PM (Photos.sqlite). Audio route persisted after video stopped — possible playback review. Touch ID event at 2:14:41 PM. This is the last media-creation event in the timeline.
Session 3 — Incoming Call (Phone Idle)
5:45:24 PM → 10:32:26 PM
Duration: 4 hrs 47 min 2 sec
Audio route started when incoming call from Becky Marchand Patty arrived at 5:45:25 PM. Call was not answered. At 5:45:45 PM, cellular state logged WCDMA RRC Disconnected (previous: Connecting). No audio route end was recorded in the Oct. 11, 2017 knowledgeC.db file.
08 Key Forensic Findings Summary

Defense Expert Conclusions (Stacy Eldridge)

1. EXAMINATION DELAY CAUSED DATA LOSS:

The Feb. 15 extraction was only a "logical" extraction—basic user data like texts and photos. Cecil requested but did not obtain the "full file system" extraction until Oct. 11, 2017. This 8-month delay caused permanent loss of the current power log and other temporary system files that would have definitively shown when the phone powered off.

2. HEADPHONE INSERTION REQUIRES HUMAN INTERACTION:

The knowledgeC database definitively shows wired headphones or an aux cable was inserted at 5:45:24 PM, milliseconds after an incoming call. When asked if this could happen without human interaction, Eldridge testified: "I cannot think of any explanation that does not involve humans." This action silenced all audio from the device.

3. PHONE STOPPED LOGGING MOVEMENT THEN LOST SERVICE:

Apple Health data shows no movement after 2:32 PM. Yet at 5:44 PM, the phone lost all cell service for nearly 11 hours. Eldridge could not find evidence on the device explaining this: "I could find no evidence on the phone to suggest what happened, so I can only conclude something external to the phone changed." Possible explanations: phone moved, signal blocked, or metal obstruction.

4. CECIL'S TIMELINE CONTAINS MISLEADING TIMESTAMPS:

Multiple calls, iMessages, and FaceTime entries in Cecil's timeline show timestamps between 5:44 PM Feb. 13 and 4:33 AM Feb. 14. However, forensic analysis of actual device logs proves these were NOT delivered to the phone at those times—they were timestamped by Apple's servers when sent, but not received until service resumed at 4:33 AM.

07 Anomalies & Findings

Every database artifact examined for inconsistencies. Findings from cross-referencing all artifact sources. Includes anomalies from the knowledgeC.db analysis plus new observations from the full forensic timeline.

Critical
25 Unanswered Calls/Messages After ~4 PM
Starting at 3:59 PM, the phone received a continuous stream of incoming calls and messages from family members.
2:20 PM: Last user-initiated activity
4:47 PM: Text from "Gramps": "Answer me before i call police to help search"
Critical
Audio Route #3 — No End Logged + Cellular Disconnect
At 5:45:24 PM, an audio output route started (incoming call from Becky Marchand Patty). No corresponding end event was ever logged. At 5:45:45 PM, the cellular radio logged WCDMA RRC State: Disconnected (previous state: Connecting). This could indicate the phone lost cellular signal, was powered off, or its battery died at this point.
17:45:24 Audio Output Route Start
17:45:25 Incoming call: Becky Marchand Patty (not answered)
17:45:31 Call Backgrounded (logged in 6 powerlog files)
17:45:45 WCDMA RRC: Disconnected ← Connecting
17:45:45 Call Type: PS DATA | Service: TDS,GSM,WCDMA,LTE
[No audio route end ever recorded]
Significant
Powerlog Duplication Across 6 Files
The "Call Backgrounded" and WCDMA disconnect events at 5:45 PM are each duplicated across 6 separate powerlog files (CurrentPowerlog.PLSQL and 5 date-stamped powerlogs from Oct 2017). This is structurally expected — iOS maintains rolling powerlog archives — but it confirms these powerlogs persisted through October 2017, meaning the phone was operational months later.
Significant
Dual Battery Streams (Oct 11, 2017)
From the knowledgeC.db analysis: on Oct 11, the database records two simultaneous battery percentage streams at identical timestamps. Stream A: 34% → 42%. Stream B: 3% → 23%. A single device cannot report two battery levels at once. Likely backup/restore merge or iOS upgrade artifact.
Notable
Feb 15 — iPhone Boot After 2-Day Silence
containermanagerd.log.0 records "iPhone Booting Up" at 3:06 PM on Feb 15 — over 48 hours after the last activity on Feb 13. The phone booted unplugged at 5% battery, was plugged in 8 seconds later, and a user opened the Settings app. This is consistent with the phone having been powered off or dead for ~2 days.
05:06:03 iPhone Booting Up (containermanagerd)
15:06:04 Unplugged and Not Charging
15:06:04 Screen On
15:06:05 Mobile activation startup
15:06:11 Stopped Walking/Running: 1 step
15:06:12 Phone Locked → Unlocked (20s later)
15:06:41 "Power level really becomes bad"
15:06:45 Settings app opened
15:10:12 Battery: 5% → Plugged in and Charging
Observation
Instagram Bridge/Water Images at 1:44 PM
Two Instagram cache images were logged at 1:44:14 PM: one depicting "part of what appears to be a wooden bridge and a body of water" (photographed from on the bridge), and another showing a "fallen tree limb lying on the ground covered with some sticks and leaves" with water in the background. GPS at 1:44:23 PM places the phone at 40.6056, -86.6120 (5m precision).
Observation
Last Outgoing Communication: 1:18 PM
The last SMS sent was to Holly O'Neil at 1:18:43 PM. The last outgoing call was to "Daddy-o" at 1:38 PM (35 seconds). After ~2:20 PM, there is no evidence of user-initiated activity — only passive events (incoming calls, screen-on from notifications, battery readings).
Structural — No Issues
Database Integrity Verified
No duplicate primary keys, no negative-duration sessions, no overlapping app sessions, no backward timestamp jumps, no orphaned records. Data is structurally sound across all artifact sources.
High — Significant Anomaly
Dual Simultaneous Battery Streams
On October 11, the database records two parallel battery percentage readings running at the same timestamps. Stream A climbs from 34% → 42%. Stream B climbs from 3% → 23%. A single phone cannot report two battery levels at once. This likely indicates data merged from two devices (backup/restore), an iOS upgrade artifact, or an extraction error.
17:46 UTC | Stream A: 35% | Stream B: 3%
17:49 UTC | Stream A: 36% | Stream B: 6%
17:52 UTC | Stream A: 38% | Stream B: 9%
17:55 UTC | Stream A: 40% | Stream B: 12%
17:59 UTC | Stream A: 42% | Stream B: 16%
Medium — Notable
194-Day Data Gap
No data exists between Feb 23 and Sep 5, 2017 — a gap of nearly 194 days. This could mean the phone was powered off, factory reset, the database was pruned by iOS, or the forensic extraction only captured partial data. Two additional gaps of 1.7 and 2.8 days exist within the February window.
Medium — Notable
14 Zero-Duration App Sessions
14 app events were logged as "in focus" for exactly 0 seconds. Most are iMessage (notification taps). Three occur in rapid succession on Feb 20 at 2:37 PM local time — PhotoMath, Subway Surfers, Color Switch — consistent with quickly swiping through the app switcher. Not necessarily suspicious, but unusual to see this many.
Low — Expected Behavior
Screen On While Locked (5 events)
Five instances where the screen was illuminated while the device was locked, lasting 30–68 seconds each. This is normal — lock screen notifications, incoming calls, and Siri activation all cause this.
Low — Expected Behavior
Small Battery Gain Without Charging
On Feb 15, battery rose from 53% → 56% over 28 minutes while reportedly unplugged. This is within normal battery calibration drift and is not meaningful.
Clear — No Issues
No Overlapping App Sessions
No instances of two different apps reported as "in focus" at the same time. App transitions are clean and sequential.
Clear — No Issues
No Negative Durations
No events where the end timestamp precedes the start timestamp. All duration calculations are valid.
Clear — No Issues
No Duplicate Primary Keys
Database structural integrity is intact. No duplicate records, no orphaned child entries without parents, no evidence of manual row insertion or editing.
02 Remaining Questions

Three major anomalies discovered through defense expert analysis of the knowledgeC database and cell tower records
🔊
Aux Cable Insertion
Feb. 13, 5:45:24 PM
Wired headphones or aux cable inserted into phone at 5:45 PM, removed at 10:32 PM. This action silenced all audio output from the device. Eldridge testified: "By plugging in the cable, you would stop sound from coming out of the phone." Occurred milliseconds after an incoming call.
Source: knowledgeC Database → Z_PK19600, Audio Output Route Start (Value: 1 = Headphones)
📡
Loss of Cell Tower Connection
5:44 PM Feb. 13 → 4:33 AM Feb. 14
Phone lost all connection to AT&T cell towers for 10 hours 49 minutes. Three independent data sources confirm: (1) AT&T Historical Precision Location logs show no pings, (2) No data usage logged on device, (3) Voicemails not received until Feb. 17.
Source: AT&T HPLI Records + Device Logs. Eldridge: "I could find no evidence on the phone to suggest what happened, so I can only conclude something external to the phone changed."
⚠️
Delayed Message Delivery
iMessages timestamped but not delivered
Multiple iMessages and FaceTime calls appear on Cecil's timeline between 5:44 PM and 4:33 AM, but forensic analysis shows they were not actually delivered to the phone until after 4:33 AM when cell service resumed. Apple's iMessage servers timestamp when sent, not when received.
Source: Cecil Timeline vs. Device Logs. Eldridge: "There is evidence that it did not receive those messages at those times... it was intermittent throughout the day, so some iMessages were coming in on time and some weren't."
07 What Is This Database?

knowledgeC.db is a Core Data–backed SQLite database maintained by Apple's "Knowledge" system daemon on iOS and macOS. It silently records device usage events — which app is in the foreground, screen on/off state, battery level, charging status, lock state, audio routing, Siri usage, and media playback. The data is stored with Apple Core Data timestamps (seconds since January 1, 2001 00:00:00 UTC). This database is commonly extracted during forensic examinations of Apple devices and is a standard artifact in mobile forensics toolkits. All times in this analysis have been converted to local time (UTC-5 / Eastern Standard Time) unless otherwise noted.
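
An added example, not part of the original analysis or any examiner's tooling: it converts Core Data timestamps to UTC-5 and runs the structural checks this page lists (negative durations, zero-duration and overlapping app sessions, more than one battery value at a single timestamp) over constructed rows. The simplified `ZOBJECT` table and the stream names follow the commonly documented knowledgeC layout and are assumptions here; every row is sample data built to mirror times quoted on this page, not data from the case files.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

COREDATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Core Data reference date
EST = timezone(timedelta(hours=-5))                         # UTC-5, as used on this page

def from_coredata(seconds):
    """Seconds since 2001-01-01 00:00:00 UTC -> timezone-aware UTC datetime."""
    return COREDATA_EPOCH + timedelta(seconds=seconds)

def t(*ymdhms):
    """UTC calendar fields -> Core Data timestamp (only used to build sample rows)."""
    return (datetime(*ymdhms, tzinfo=timezone.utc) - COREDATA_EPOCH).total_seconds()

def build_sample_db():
    """Constructed rows in a simplified ZOBJECT-style table (assumed schema)."""
    rows = [  # (stream name, start, end, value); audio value 1 = headphones per the page
        ("/audio/outputRoute", t(2017, 2, 13, 22, 45, 24), t(2017, 2, 14, 3, 32, 26), 1.0),
        ("/app/inFocus", t(2017, 2, 13, 18, 0, 0), t(2017, 2, 13, 18, 5, 0), None),
        ("/app/inFocus", t(2017, 2, 13, 18, 5, 0), t(2017, 2, 13, 18, 5, 0), None),
        ("/device/batteryPercentage", t(2017, 10, 11, 17, 46), t(2017, 10, 11, 17, 49), 35.0),
        ("/device/batteryPercentage", t(2017, 10, 11, 17, 46), t(2017, 10, 11, 17, 49), 3.0),
        ("/device/batteryPercentage", t(2017, 10, 11, 17, 49), t(2017, 10, 11, 17, 52), 36.0),
    ]
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ZOBJECT (Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT,"
               " ZSTARTDATE REAL, ZENDDATE REAL, ZVALUEDOUBLE REAL)")
    db.executemany("INSERT INTO ZOBJECT VALUES (NULL, ?, ?, ?, ?)", rows)
    return db

def audit(db):
    """Structural checks named in the anomalies section; an empty list means clean."""
    q = lambda sql: db.execute(sql).fetchall()
    return {
        "negative_duration": q("SELECT Z_PK FROM ZOBJECT WHERE ZENDDATE < ZSTARTDATE"),
        "zero_duration_apps": q("SELECT Z_PK FROM ZOBJECT WHERE ZSTREAMNAME = '/app/inFocus'"
                                " AND ZENDDATE = ZSTARTDATE"),
        "overlapping_apps": q("SELECT a.Z_PK, b.Z_PK FROM ZOBJECT a JOIN ZOBJECT b ON a.Z_PK < b.Z_PK"
                              " AND a.ZSTREAMNAME = '/app/inFocus' AND b.ZSTREAMNAME = '/app/inFocus'"
                              " AND a.ZSTARTDATE < b.ZENDDATE AND b.ZSTARTDATE < a.ZENDDATE"),
        "dual_battery": q("SELECT ZSTARTDATE, COUNT(DISTINCT ZVALUEDOUBLE) FROM ZOBJECT"
                          " WHERE ZSTREAMNAME = '/device/batteryPercentage'"
                          " GROUP BY ZSTARTDATE HAVING COUNT(DISTINCT ZVALUEDOUBLE) > 1"),
    }

def audio_routes_local(db):
    """Audio route sessions as (start, end, duration), with times shown in UTC-5."""
    rows = db.execute("SELECT ZSTARTDATE, ZENDDATE FROM ZOBJECT WHERE ZSTREAMNAME = '/audio/outputRoute'")
    return [(from_coredata(s).astimezone(EST), from_coredata(e).astimezone(EST),
             timedelta(seconds=e - s)) for s, e in rows]
```

On a real extraction, run such queries against a read-only working copy of the database, never the original evidence file.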