Age of the Tele-Rat: Trayvon Martin's Missing Cell Phone Data

George Zimmerman's attorneys have filed a motion to delay George Zimmerman's trial until November. The motion to continue is here.There is quite a bit of new information in it.

I think the biggest revelation is about Trayvon Martin’s cell phone and mysteriously missing data. Even if you have no interest in the George Zimmerman case, you should read this to see the extent to which information stored in your phone is capable of being retrieved and provided to law enforcement (or anyone else who gets their hands on your phone and wants to know what’s on it.) It's a new dawn in the age of the Tele-Rat. [More....]

According to the Motion to Continue, the state told O’Mara that when Trayvon’s phone was recovered, the phone was wet and inoperable. On August 8, at a joint meeting, O’Mara asked if a charger could be used to restart it. FDLE analyst Steven Brenton came in and charged up the phone. When the screen came up, it said the phone was “locked out,” meaning someone had tried to unlock it more than the maximum permitted times with the wrong password. Brenton then disclosed he had performed an analysis of the phone, but was only able to access the SIM card and SD card, not the internal memory. (Eventually, O’Mara received some of the material Brenton had downloaded from the phone and Brenton's report.)

Sometime after that, someone at the state’s attorneys office shipped Trayvon's phone to a law enforcement agency in California for analysis. The agency was "seemingly able" to access the internal memory. The state refuses to give the defense any information as to who at the state’s attorney’s office decided to do this, the name of the agency it was sent to, the identity of the analyst who obtained the data, or the results obtained.

After the unnamed agency returned the phone, during the first week of January, 2013, the state sent it to Cellebrite in New Jersey for analysis. Cellebrite also was able to access the internal memory, and the state provided the defense with the results on January 18. The defense says Cellebrite obtained an "enormous" amount of information from the internal memory. But, guess what's missing? All data for Feburary 26, the day/evening of the shooting.

As illustrative example, while the analysis includes GPS locating records for Mr. Martin's phone for all of the time that he was in the Sanford area, specifically absent is any such data for February 26, 2012, the date of the event. Similarly, there seems to be missing entries regarding phone callsor texts made to or from the phone in the evening hours of February 26,2012. (My emphasis.)

Obviously, the defense wants an explanation for the missing data, and the results of the analysis from the unnamed California law enforcement agency that first accessed the phone's internal memory.

I think it’s fair to ask whether there is a legitimate explanation for Cellebrite's ability to provide GPS and other data stored on the phone for every day Trayvon Martin was in Sanford except Feb. 26, the day of the shooting. Why did only the data for Feb. 26 go down the rabbit hole? Was the data for Feb. 26 intentionally removed by the California law enforcement agency, and if so, at whose request? Or is there some innocent technological reason?

Cellebrite is like the ultimate Tele-Rat, providing vast amounts of information about your phone. Its signature product is the Cellebrite UFED Touch Ultimate.

Here’s what I’ve learned in the last 24 hours from material available on Cellebrite’s website. The Cellebrite UFED Touch Ultimate provides both physical extraction and logical extraction services. Many more phones support logical extraction than physical extraction. These are the descriptions provided for each:

1. Physical Extraction- For devices supported in this category, the Cellebrite UFED Touch Ultimate will use advanced methods to extract a physical image of the flash memory or address range of a device, including unallocated space.  Unlike conventional logical extraction processes, the physical extraction method bypasses the phone’s operating system, acquiring the data directly from the phone’s internal flash memory. Unallocated space may contain access to deleted items such as SMS, Call logs, Phonebook entries, Pictures, and Video.  Support for data types automatically decoded are marked for each device. 

2. File System Extraction- For devices supported in this category, the Cellebrite UFED Touch Ultimate will extract the logical file system as a directory structure, which does not include unallocated space and decoding for deleted files. Extracting the file system is an alternative way to get data from phones, including phone models that are not currently supported with physical extraction. UFED Touch Ultimate provides access, and extracts hidden files and databases inaccessible by other file system acquisition tools. From the extracted file system you can get many different types of application files that can be decoded and then searched for information, such as the Contacts or SMS database files. File system extraction can also be used to locate content types such as SMS and Call Logs not yet supported by the normal UFED “extract from phone” option.

** Important note- Many other mobile forensic tools are incorrectly referring to a File System extraction (Logical extraction process) as a true Physical extraction (Physical extraction process).  The Cellebrite Ultimate designations for Physical and File System capability are based on the technically accurate descriptions above.
3. Password Extraction- For devices supported in this category, user lock codes are able to be directly extracted and displayed on the UFED device itself, using the “Extract Password” selection in the menu.  No PC is required for analysis or decoding, the passcode will be displayed directly on the UFED LCD display.

4. File System Reconstruction

In addition to these software programs, Cellebrite has applications. One of the Applications that is available with UFED Ultimate (both Touch and Classic versions) is the Physical Analyzer.

UFED Physical Analyzer

Available with the UFED Touch Ultimate and UFED Classic Ultimate is the UFED Physical Analyzer: the most advanced analysis, decoding and reporting application in the mobile forensic industry. It includes malware detection, enhanced decoding and reporting functions, project analytics, timeline graph, exporting data capabilities and much more.

Physical Analyzer will reconstruct the device’s file system directory structure from a physical extraction or extracted container file. The file system tree can then be saved, producing the actual files (for example phone database files, settings files, MMS files) contained in the phone.

With respect to Android phones, the analyzer provides “advanced decoding of all physical extractions performed on devices running any Android versions and advanced decoding of applications and application files.”

The key phrase of distinction seems to be “devices supported in this category.” What features are supported on Trayvon’s phone, a Huawei U8150 Ideos Android phone, sold by T-Mobile as the T-Mobile Comet, or for that matter, your phone?

According to Cellebrite’s December, 2012 release notes, its UFED logical system was already supported on 4,827 mobile devices. Newly added: 363 devices for UFED Physical extraction (one of which is the Huawei U8150 (Android); 249 new devices for UFED File System extraction (including the Huawei 8150 (Android) and 186 new devices that support Password Extraction (none of which are the Huawei 8150 (Android)).

Cellebrite provides a handy Excel spreadsheet (downloadable here) of supported phones for each program, along with a table of the accessible types of data for each supported phone.

The UFED Ultimate features available with the Huawei 8150 (Android) are (by tab letter and feature):

  • C: Physical extraction
  • E: File system extraction
  • l: File system reconstruction
  • m: sms
  • N: contacts
  • O: call log
  • P: MMS
  • Q: bluetooth
  • R: location
  • S: Notes
  • T: Bookmarks
  • U: email
  • V: Accounts
  • W: cookies
  • X: dictionary
  • Y: viber
  • Z: Facebook
  • AA: Facebook Messenger
  • AB: What’s App
  • AC: Google Plus
  • AD: Skype
  • AE: Google Talk
  • AF: Twitter
  • AG: Ping chat
  • AH: Gesture Decoding

Not Available for this phone:

  • D: physical bypassing lock
  • F: Password extract
  • G: Platform

Also Not Available for this phone(from the logical extraction process, listed under T-Mobile Comet):

  • AI: Calendar
  • AJ: BBM
  • AK: Tasks
  • AL: Chat
  • AM: Passwords
  • AN: Web History
  • AO: MotionX
  • AP: Voicemail
  • AQ: Application Usage
  • AR: Wifi
  • AS: Installed Applications
  • AT: Garmin
  • AU: TextNow
  • AV: Tiger Text
  • AW: Fring
  • AX: twitterific
  • AY: TextFree
  • AZ: Yahoo Messenger
  • BA: FourSquare
  • BB: Ping Chat
  • BC: Waze
  • BD: Dropbox
  • BE: UserCode

If you haven’t already thrown your phone out the window at this point, you might want to check the spreadsheet and see what information Tele-Rat is able to provide law enforcement without your knowledge or consent about what's stored on your phone. For example, for devices running iOS like iPhones and iPads, the Physical Analyzer can:

  • Bypass simple and complex passcode while performing physical and file system extraction on selected devices running iOS 3.0 or higher including iOS 6
  • Real-time decryption and decoding of data, applications, and keychain real-time decryption while revealing user passwords
  • Advanced decoding of applications

The full feature list is here. (According to the spreadsheet, the physical bypassing lock works on the iPhone up to model 4 and on iPad 1, and the password reveal works on the iPhone up to model 3 and the iPad 1.) To find out if your phone supports the physical bypassing lock and password extraction, find your phone and look at columns D and F to see if it has a "Y" in it.

I have a question for any tech gurus (or cops) reading this. What happens if the phone user doesn’t program the phone to back up or store data? Does the phone automatically back up and internally store data at specific intervals? For example, is it possible that Trayvon didn’t program his phone for backups, but the phone automatically backs up once a day, and that when his phone went dead on Feb. 26, it hadn’t yet backed up that day’s data, so that the activity for Feb. 26 was never saved, and thus was lost or unrecoverable by Cellebrite, while the previous days’ data which had been backed up was accessible? In other words, is it possible that Cellebrite can reclaim stored and deleted data, but not data that was never saved to begin with?

Also, what if FDLE Analyst Brenton, who first accessed the phone, did a soft reset when he was trying to access the data on the internal memory without the password or security code? Would that result in non-backed up data being lost while the previous days’ backed up data was retained? (Supposedly, only a hard reset would have erased all data.)

Shorter version: Is there a reasonable and innocent explanation why only the data for Feb. 26 would be missing or unrecoverable from the internal memory of Trayvon Martin’s phone, given that Cellebrite was able to extract the data for the other five days he was in Sanford?

I’m looking forward to reading the state’s response to Mark O'Mara's motion. And finding a phone that is Tele-Rat proof.

< Thursday Night Open Thread | Zimmerman Contributions Rise After Most Recent Request >
  • The Online Magazine with Liberal coverage of crime-related political and injustice news

  • Contribute To TalkLeft

  • Display: Sort:
    one big problem with this story, it assumes the (5.00 / 2) (#1)
    by cpinva on Fri Feb 01, 2013 at 02:38:59 AM EST
    the physical phone itself isn't the only place the data is stored. any data sent or received, is logged, automatically, in the data files of the phone service provider. it has to be, it's how they bill. all data, for feb. 26, should be easily accessible, from the cell service provider's records, with a subpeona. i
    m surprised that hasn't been done.

    for all i know, each cell tower maintains its own set memory, maintainig a record of all traffic to have gone through it.

    Google Tracks Everything (none / 0) (#37)
    by ScottW714 on Fri Feb 01, 2013 at 04:03:49 PM EST
    Not sure how they store it an if it can be linked to a person, but just like surfing the internet, Google is always running and recording.

    Although I am unfamiliar with Apple, I remember people having real issue with the iPhone recording location information without the owners consent.  It creates some sort of file and constantly tracks the phone.  

    April 2011

    iPhone and iPad customers were spooked Wednesday to find out that their devices have recorded a detailed history of their geographical locations for the past year in an unprotected file. But it turns out that Apple already explained its location-collection practices in a detailed letter -- almost a year ago.

    Android does the same, relatively.

    According to files discovered by Eriksson, Android devices keep a record of the locations and unique IDs of the last 50 mobile masts that it has communicated with, and the last 200 Wi-Fi networks that it has "seen". These are overwritten, oldest first, when the relevant list is full. It is not yet known whether the lists are sent to Google. That differs from Apple, where the data is stored for up to a year.

    You can encrypt an Android phone fairly easy, HERE, but the risk is if you forget your password, the phone becomes a brick and you can't go back.

    Android has used 128-bit AES encryption since its first implementation in 3.0.  HERE is an article discussing how secure it is.  There are 3.4 x 10 (to the 38th power) combinations.

    ...even with a supercomputer, it would take 1 billion billion years to crack the 128-bit AES key using brute force attack.

    Ditto for Apple
    iOS Encryption Is So Good, Not Even the NSA Can Hack It.

    Here is how to do it in iTunes.  Remember, you can't go back and if you forget the password, your phone becomes a paperweight (bricked).

    You can protect yourself if you want.  The claims the company makes seems very suspicious to me, and without a doubt, they aren't accessing an encrypted phone.


    Wonder if the new Blackberry 10 (none / 0) (#39)
    by shoephone on Fri Feb 01, 2013 at 04:08:43 PM EST
    will do the same tracking?

    Adroids phones have ram (non perminate memory) (5.00 / 1) (#2)
    by redwolf on Fri Feb 01, 2013 at 04:46:02 AM EST
    But anything that's log would have been written into flash memory immediately.  There's no benefit to storing it in non permanent memory and then transferring it later.

    Either the phone wasn't used that day, the flash  memory become corrupted, or it was tampered with.  

    Is there any way to determine.. (none / 0) (#3)
    by Cashmere on Fri Feb 01, 2013 at 08:37:06 AM EST
    which of these occurred?  It is pretty obvious the phone was used that day, so specifically referring to corrupted flash memory or tampering?  Thanks

    I don't think.. (none / 0) (#4)
    by firstfall on Fri Feb 01, 2013 at 08:54:09 AM EST
    The 'recovery', I think, was just bypassing the phone's security. Not recovering corrupted or deleted data.

    Phones have very limited RAM. I seriously doubt there's any phone that wouldn't transfer what's in RAM to the flash memory many times in a single day. Just to free up RAM for more immediate processing.


    I love the graphic! (5.00 / 1) (#6)
    by jbindc on Fri Feb 01, 2013 at 09:30:02 AM EST

    is the (none / 0) (#53)
    by LeaNder on Sun Feb 03, 2013 at 12:16:02 PM EST
    Tele-Rat: Trayvon Martin

    Or is it supposed to portray Travon Martin?

    If not than at least a close association. Does partisanship occasionally show?

    I see the conversation has been neatly stirred back on OT. Only since Jeralyn was caught not adhering it herself? Or for not showing a large non consent on matters, which usually does not show any more. It should be fun to more professionally monitoring the articles including the comment section.


    monitoring seems OT (none / 0) (#54)
    by LeaNder on Sun Feb 03, 2013 at 12:17:19 PM EST
    strictly monitoring seems on topic. ;)

    Rose Mary Woods... (5.00 / 2) (#10)
    by unitron on Fri Feb 01, 2013 at 12:05:44 PM EST
    ...is a cell phone forensics technician now?

    Thread cleaned of comments (5.00 / 0) (#30)
    by Jeralyn on Fri Feb 01, 2013 at 02:22:34 PM EST
    attacking Trayvon Martin's character. Redwolf, if you do it again you will be banned from the site. You are well aware of our commenting rules on this case.

    by the Cali agency could/should be able to be demanded by the defense, no?

    There's gotta be a legitimate ... (none / 0) (#7)
    by Yman on Fri Feb 01, 2013 at 09:45:55 AM EST
    ... explanation for the missing data.  It's not like the defense team is going to miss the fact that the data for the night in question is missing.

    Of course. (none / 0) (#15)
    by NYShooter on Fri Feb 01, 2013 at 01:35:39 PM EST
    even a government agency wouldn't be that dumb, and obvious

    But, my question is, exactly what information is the defense entitled to? I understand that exculpatory info must be turned over, but everything?


    o.k, I think Florida law (5.00 / 1) (#17)
    by NYShooter on Fri Feb 01, 2013 at 01:40:34 PM EST
    says they have to turn over everything as part of discovery, and some kind of "sunshine law."

    Jeralyn replied to this for me yesterday.... (none / 0) (#36)
    by Cashmere on Fri Feb 01, 2013 at 03:52:19 PM EST
    thanks n/t (none / 0) (#52)
    by NYShooter on Sat Feb 02, 2013 at 02:25:14 AM EST
    everything introduced as evidence (1.00 / 1) (#57)
    by LeaNder on Sun Feb 03, 2013 at 01:07:48 PM EST

    I understand that exculpatory info must be turned over, but everything?

    A legal expert whose name I better don't mention, since there is evidence it triggers deletion, suggests this additionally, all evidence the prosecution intends to introduce at trial has to be disclosed, no matter if  exculpatory and incriminating.

    Now we have three options:
    the data for the day is;

    a) exculpatory
    b) incriminating
    c) not available due to technical reasons,

     I am hesitant about deliberate destruction, but belong to the camp that would be sorry if it is missing due to whatever reason. Notice the calls between DeeDee and Trayvon were often interrupted, could that be relevant concerning GPS? ...

    But obviously given the present media strategy by defense the last could be used as a gold mine. No data: conspiracy!

    In this context the above expert offered a lovely theory, I am not holding my breath, but it would be nice:

    BDLR will enter the data as case evidence on the next date with O'Mara/West/Zimmerman and judge Nelson present since it conforms with option b) above.

    If I may add something freely fantasying: BDLR already intended to introduce it at the last date with Nelson, which unfortunately was postponed by defense.


    Not having read much (none / 0) (#58)
    by NYShooter on Sun Feb 03, 2013 at 05:59:19 PM EST
    about this case, I have one question:

    Has the prosecution oferred an explanation as to the missing data? And/or is there a proper time for them to answer which hasn't been reached yet?

    I'm not asking this right, I know, but legal cases have very strict schedules when certain documents, evidence, arguments are to be performed. I guess what I'm asking, legally, should the prosecution have answered this question by this time?


    NYShooter (none / 0) (#59)
    by LeaNder on Mon Feb 04, 2013 at 02:28:06 AM EST
    Strictly you are asking the wrong person, but from watching the hearings, yes you seem to have a chance to hand in/submit files/evidence during the hearings. I  remember O'Mara doing this early concerning Zimmerman's medical files, or am I wrong? Wasn't that during the first or second bond hearing?

    I would guess concerning the stage we are in-- pretrial hearings to address problems between defense and prosecution--the deadlines judge Nelson set are only relevant for the questions she has to decide on. She doesn't need to decide on evidence generally entered by one of the parties during the hearing, but she wants to see whatever she has to decide on before and not be confronted with it during trial. Evidence on the phone records would not need her decision if MOM/West get one at the same time. Quite the opposite that would be one point less she has to rule on.

    But as I wrote, I am not holding my breath. Although BDLR "had to swallow" (you say had to buy in the US) quite a bit lately, so it would be human to also use whatever legal tricks are open to him. It definitively would be a stroke of genius, since obviously O'Mara now uses even partial transcripts from depositions or hearings to shape public opinion. So why not do it too?


    would you please stop posting (none / 0) (#60)
    by Jeralyn on Mon Feb 04, 2013 at 02:29:49 AM EST
    off topic comments? The topic is the cell phone data.

    Jeralyn - speculation (none / 0) (#62)
    by LeaNder on Mon Feb 04, 2013 at 02:36:16 AM EST
    It concerns the missing cell phone records of 2/26/2012.

    so it is not on topic, maybe hypothetical a speculation? the hypthesis being. BDLR will introduce them as evidence at the hearing on 02/05/2013.


    sorry hearing not trial (none / 0) (#61)
    by LeaNder on Mon Feb 04, 2013 at 02:31:12 AM EST
    That's not want I wanted in this context:

    and not be confronted with it during trial.

    trial = hearing


    Since you ask about an iPhone (none / 0) (#8)
    by ruffian on Fri Feb 01, 2013 at 10:44:00 AM EST
    I'm going to assume that is what Trayvon had even though it does not state as far as I can tell. Last February was pre-iCloud backups, so his backups, if he did them, would be located on his hard drive on his computer. I doubt may 17 yr olds back up regularly. Even if he did, I'm pretty sure backups do not save text messages, phone call times, and location data, unless he had an app that was specifically storing. That is the kind of stuff you have to get from his provider or the memory on the physical phone.

    I'm sure someone will correct me if I am wrong on any of the above. I may be hazy on when iCloud backups started. But they do only happen when the phone is plugged into power and on the wifi, so it would make sense that Trayvon did not backup yet that day. I usually do it at night. But, as I said, the backups would not contain location data.  

    Have the prosecutors gone after any of the location data from Zimmerman's phone?

    Trayvon had a T-Mobile Comet (none / 0) (#11)
    by Jeralyn on Fri Feb 01, 2013 at 12:29:04 PM EST
    which is the Huawei U8150, an Android phone. I  mentioned the iPhone as an example of what the software can do with other phones since a lot of readers have iPhones (including me.)

    Zimmerman had a Blackberry and it was returned to him on Feb. 26. On March 22, at the request of the FDLE, he signed a consent to search and gave them his phone so they could download whatever they wanted from it. They also obtained his cell phone records from his carrier for the period 2/20/12 - 2/28/12. They obtained Trayvon's records from T-Mobile for the period 1/1/12 to 3/1/12. This shows what cell phone records they got early on in the case.


    OK, thanks Jeralyn! (none / 0) (#13)
    by ruffian on Fri Feb 01, 2013 at 01:03:11 PM EST
    I don't know as much about Android, but I've never heard that it backs up stuff like location data to the users off-phone storage. That would be a big deal and a feature I would actually like.

    It must backup location details to the (none / 0) (#38)
    by Cashmere on Fri Feb 01, 2013 at 04:05:52 PM EST
    flash memory storage from the temporary RAM as they seem to have location data for days before the 26th.

    Were Zimmerman's Movements Tracked (none / 0) (#44)
    by RickyJim on Fri Feb 01, 2013 at 06:34:09 PM EST
    during the NEN call on 2/26?  Certainly the combination of the movements determined from the GPS data from both phones would be very important for checking Zimmerman's account of his movements as well as the prosecution "chase" theory.  Has the prosecution delivered what they found on Zimmerman's phone to the defense?

    yes (none / 0) (#45)
    by Jeralyn on Fri Feb 01, 2013 at 07:44:20 PM EST
    in the first discovery batch on May 15. See page 7

    Was There GPS Data? (none / 0) (#48)
    by RickyJim on Fri Feb 01, 2013 at 08:18:49 PM EST
    It wasn't mentioned explicitly in the discovery list pdf.  If there was and it backs up Zimmerman's account of where he was during the call, one would think the defense would have posted in on their website.

    Only one day's data missing? (none / 0) (#9)
    by Mr Natural on Fri Feb 01, 2013 at 11:48:07 AM EST
    lol.  Anybody remember the Rose Mary stretch?

    innocent explanation (none / 0) (#12)
    by Philly on Fri Feb 01, 2013 at 12:50:48 PM EST
    I don't know the specifics for this model of phone, but flash is more brittle than RAM - there is a limit on how many times each block of flash can be overwritten before it "goes bad."

    For this reason, it's expected that embedded software will take care not to aggressively store data to flash.  For low-priority logging data, I would expect it to be archived only periodically (perhaps once a day), or during a graceful shutdown of the device.

    Could you explain how... (none / 0) (#21)
    by redwolf on Fri Feb 01, 2013 at 01:49:24 PM EST
    writing a log once a day instead once you had enough data to fill up a flash memory block would result in less writes? Log files by their nature don't get updated.

    Need more info (none / 0) (#31)
    by ruffian on Fri Feb 01, 2013 at 02:26:40 PM EST
    But if one day's average amount of log data can fit in one block of flash memory, you are writing to the same block every time you add to the log. You  would have fewer writes to that block by adding to the log file less often. Log files don't get 'updated' in the sense that the data already there gets changed, but they do get added to. That's what makes them log files.

    Would need to know the size of the data and the size of the blocks to say for sure.


    Of course you can distribute the log across (none / 0) (#33)
    by ruffian on Fri Feb 01, 2013 at 02:29:48 PM EST
    blocks of memory to save hits on one block, but even so you would try to minimize the amount of writing.

    You seem to be assuming there is only one block of memory on the phone.


    Not sure I understand this (none / 0) (#34)
    by leftwig on Fri Feb 01, 2013 at 02:38:18 PM EST
    RAM acts as a cache for faster access, not storage of data.  All data that is stored for posterity is stored on the flash drive, not in RAM.  RAM is volatile and gets cleared out when a device is rebooted (powered off).  Data is not "scheduled" to be written from RAM to a hard drive, or in the case of a phone, the flash drive.  IT gets written out when its buffers are full or an application is closed.  

    I would expect that RAM would be empty once the phone got powered up and I don't know of software that could recover what was in RAM before the device was turned off, but just because I don't know of it, doesn't mean it doesn't exist.  My main point would be that I can believe that some data was lost that was in RAM when the phone lost power, but I can't conceive of any way that GPS data would exist in flash for every day that TM was in Sanford, but that there would be no data for 2/26.


    does it help to know (none / 0) (#35)
    by Jeralyn on Fri Feb 01, 2013 at 03:30:37 PM EST
    the phone's capabilities? His phone:

    • System chip: Qualcomm Snapdragon S1 MSM7225
    • Processor:  Single core, 528 MHz
    • System memory:  256 MB RAM / 512 MB ROM
    • Storage expansion: microSD, microSDHC up to 32 GB

    The site says the phone's processor is slow and the amount of ram memory is low. (blue symbols next to the description.)

    Helps in general, but doesn't really add to (none / 0) (#43)
    by leftwig on Fri Feb 01, 2013 at 06:14:25 PM EST
    this aspect.

    ROM is system memory.  It contains the bios which enables the device (computer or phone in this case) to boot up and contains static information on how the operating system is to be loaded and run.  This memory can be changed, but remains stored when the device is off.  Applications do not write anything to this memory.

    RAM is random memory which is where programs run from and data passes through.  RAM does not store any data, its a cache that attached to the motherboard and is faster than accessing storage such as a hard drive or flash drive.  Once a computer or phone is turned off, anything that was in RAM goes away and is not there at start up.  If you do not power off the phone or computer, you can see what is in this memory, but once the device is powered off, this memory is wiped out.

    Flash "memory" is not memory at all, its a storage device like an external hard drive.  The device stores programs and data.  Data and programs can be deleted, but unless the device is "cleaned", deleted files can generally be accessed unless a cleaning utility has been run. Some cleaning utilities do not format all bytes within a data block, so they still can leave data, but other utilities can remove all traces of data.  

    Best example I can give of the three is this.  You start up your computer and the power kicks on, but you don't see anything on the screen.  The bios (stored in ROM) is firing up the operating system.  Once the operating system program begins to run, you see your Windows or Apple startup screen indicating that its starting up.  This takes time because the operating system is loading the software from your hard drive (or flash drive) and into memory (RAM).  Once the core components are loaded into memory, you may run other programs.  If your computer goes into sleep mode, the OS program remains in memory and coming out of sleep mode is much faster than a cold start because you don't have to load it from the hard drive.  Once you turn off the computer, anything that was in memory (RAM) is gone.  Another example for memory and storage is if you open a document and start editing it.  As you make changes, they are kept in memory (RAM) because its faster for the program to operate by reading/writing to/from memory than disk.  If you click the save button, the contents in memory are saved onto the hard drive.  IF your system crashes while you are in the middle of editing, you lose those changes since your last edit because they were not written from RAM to disk and are no longer in RAM once you start up your device.

    What we'd need to know for this discussion is what version of Android he was using to see what autosave features it may have had and how it stored call and GPS information.  I would guess that this would be based on the operating system version and not the phone model.  THis is similar to your home computer.  You could be on a Dell, another person on an HP another on Lenovo, etc. yet all running the same OS.  Its not the hardware that dictates your system featurs, its the version of the operating system/programs that dictates how your computer operates.  Hardware affects the speed at which they run.


    his phone had (none / 0) (#46)
    by Jeralyn on Fri Feb 01, 2013 at 07:46:46 PM EST
    Android (2.2)

    If Trayvon had a second phone, (none / 0) (#23)
    by sarcastic unnamed one on Fri Feb 01, 2013 at 01:58:16 PM EST
    would it not have been discovered by now?

    I mean, he and "DeeDee" (I think that's her name) were talking off and on all during the incident up to just about the final minute or two. Don't you think the police, prosecution and defense would have checked by now to see if the phone number on DeeDee's phone matched the phone Trayvon was carrying?

    That is a good point. (none / 0) (#29)
    by redwolf on Fri Feb 01, 2013 at 02:13:20 PM EST
    Have we seen an accounting of all the phone records to see if they match up?

    I'm just not willing to buy the idea that the prosecution deleted the day in question or the phone was damaged in such a way that only deleted one days worth of data.  Computers just don't work that way.


    the phone records have been (none / 0) (#32)
    by Jeralyn on Fri Feb 01, 2013 at 02:26:45 PM EST
    disclosed to the defense. They are not going to be made public by court order. The discovery publicly released by the state includes both Trayvon's and Witness 8's phone numbers, but that was likely an inadvertent failure to redact.

    What I Don't Understand.... (none / 0) (#40)
    by ScottW714 on Fri Feb 01, 2013 at 04:43:27 PM EST
    ...is why they aren't contacting Google.  Phone records are like the finger prints compared to Google's DNA like data.  

    There was a post about all the requests to Google earlier this week.  It didn't detail what was being requested, but I find it very odd that it's not even been mentioned.

    If he has a Snapdragon Processor the phone was fairly new and had all the amenities any smart phone has.


    they did a court order for google (none / 0) (#42)
    by Jeralyn on Fri Feb 01, 2013 at 05:29:13 PM EST
    on May 1 for stored data and password access assistance. Nothing was returned. It also got a court order on May 14 directing TMobile to re-establish service to the phone.

    See here:

  • On March 27, they got a court order for T-Mobile to provide call detail records and cell site location for Trayvon's phone. On March 28, they received call detail records, subscriber and billing information and historical location data for the phone for the period 1/1/12 to 3/1/12. The results were analyzed by Crime Intelligence Analyst Amanda Stephens. From earlier discovery, here is the page showing this is Trayvon's phone.
  • On April 20, they got a search warrant for T-mobile to provide call detail records and location data for a phone. On May 3, T-Mobile responded it had none for the time period requested. This seems to me to also be for Trayvon's phone.
  • On May 1, they got a court order for Google to provide them with the stored data in Trayvon Martin's Google account and password access to it. On May 14, they got a court order directing T-Mobile to reactivate voice and data service to the account. Affidavits were filed for both orders. No results were obtained from either company. Which seems to me to indicate they still don't have any stored text messages, photos or videos from Travyon's phone.

    See Diwataman for more on the difficulties with accessing data on Trayvon's phone.

  • Parent
    Is any of this useful for determining (none / 0) (#41)
    by MyLeftMind on Fri Feb 01, 2013 at 05:26:42 PM EST
    what happened in the critical 4-5 minutes after Zimmerman's call to the non-emergency police? Those minutes seem to be the most in dispute. Inquiring minds want to know if Martin made it to his father's house and then decided to backtrack toward Zimmerman's car, or if he hid after losing Zimmerman but was seen again when he came out of hiding. Conversely, did Zimmerman keep following Martin after Zimmerman replied with an OK to the police saying they didn't need him to follow the suspect? Or did he actually reverse his course and head back, only to be accosted by Martin on the way to the car?

    Cell tower records would probably only be useful if triangulation can be done via cell phone contact with multiple towers. Maybe phones do continuously check to see if another tower is closer than the one it's currently connected to, but if so, is record made of the phone's connection request, and does that  record contain info on the strength of the signal, which could indicate distance from the tower?

    Did either phone have GPS running in the background that evening? If so, are GPS locations recorded in cell phone flash memory while a GPS app is running?