Digital Forensics In Real Life Blog: Digital Footprints
This episode of Digital Forensics in Real Life – DFIR Blog, based off of DFIRL ep.02 podcast, we spoke with Detective Chad Gish, a 22-year veteran of the Metro Nashville Police Department, about his role in solving the tragic case of Tiffany Ferguson.
On February 28th, 2017, Nashville police received a call that there had been a person stabbed inside a condo in the Wedgewood Houston neighbourhood of South Nashville, where detectives found a woman lying in her bed stabbed 9 times. The Digital Forensics team was brought on when they found video surveillance outside of her building. It was a rainy day and the crime happened at night, which significantly limited the usefulness of video evidence available, but investigators were able to see a man pulling handles on car doors and breaking into vehicles to steal from them. Eventually, this individual switched to checking the door knobs on houses. Tiffany Ferguson’s front door was unlocked, so the individual entered her home; a homeless man named Christopher McLawhorn.
McLawhorn’s intent was to burglarize the home. Camera footage showed him going in and out of the house stacking things like a laptop, we assume he knew she was inside sleeping.
The video surveillance captured McLawhorn going into the condo and leaving, fleeting the scene after the murder. The video evidence was grainy, the suspect was far away only able to make out his clothing.
Following the direction McLawhorn fled by foot, investigators went a block away to train tracks that were parallel to Tiffany’s condo. Homeless people would use these tracks to cut through, a hat was found on the tracks. It was so unique with an old school Nintendo controller on it maybe linked to the case.
Near the crime scene a kitchen knife was found in what was believed to be the murder weapon. Through the investigation a suspect was being developed enough evidence was made to bring McLawhorn in for questioning and to recover his phone for digital evidence.
RECOVERING THE DATA FROM THE PHONE
In 2017, the technology wasn’t as developed as it is now. Standard data that was used for evidence was text messages, internet history and third-party applications. The phone was an old LG, the password was unknown, an ISP or a chip off was done to retrieve the data off the phone.
Before phone companies started encrypting data on the microchips, chip offs and ISP were used to get access to data on the phone if it was locked. The passcode on a phone is a wall protecting the data. The passcode is software firmware based. By removing the actual physical E MMC chip from the phone you can access the data. To remove the chip from the phone this can be done with heat, grinding methods, and milling methods. Today’s phones are encrypted so the data that is retrieved after a chip off or ISP is not eligible. ISP is the same as a chip off but resistors and different components are used, you do not physically remove the chip from the phone with an ISP. Chip off is always a last resort process as you can damage the phone and lose the data.
Once the data is extracted using Magnet AXIOM to go through the data to see if evidence can be found related to the case.
INTERNET HISTORY EVIDENCE
When investigating internet history, making a timeline and looking at common patterns in the McLawhorn’s life. Looking back four weeks before the murder, a pattern was formed of: “dope drugs, dope drugs, drugs, drugs. Bus fare. How do I get here? Stolen merchandise, drugs drugs.”
And then right after Tiffany was murdered. McLawhorn searched Nashville murder stabbing. This search is not a pattern in his previous search history.
McLawhorn was homeless with a phone, but he does not have cell service. He needs to connect to Wi-Fi to use his phone. He was thought to be connected to Wi-Fi at a U-Haul place that was close to the murder scene.
It was raining the night of the murder, the next searches McLawhorn did was will rain, wash, away fingerprints? He goes to several different sites Latent print examination, Yahoo answers, and a criminal law question form. On Wikipedia he searches, how do police find fingerprints to catch criminals? What happens after police get a fingerprint? These searches took place a few hours after the murder, this is not just happenstance right where this could be somebody else. No, this is this is our guy.
One of his last searches in this little search run was how long after fingerprints are lifted do police make an arrest. He’s trying to find a timeline of if he left his fingerprints there and when they could catch him.
Using these searches as evidence, capturing the web pages using Magnet AXIOM to put in a format that could be used an expert witness.
THE SEARCH TERM THAT CHANGED IT ALL
The last search term that was critical was for pawn shops. McLawhorn was stealing items the night of the crime. He searched pawn shop about four hours after Tiffany’s murdered. Looking up the closest pawn shop to Tiffany’s house, off Franklin Rd called Cash America pawn to start the investigation.
The lead detective agreed to send someone to interview the pawn shops that came up in the google search to see if they recognize McLawhorn and if they have video evidence from that day.
The investigators ended up finding a pawn ticket from McLawhorn four hours after murdering Tiffany, he took one of the roommate’s rings and it was this ring that he pawned.
Cash America Pawn also had video surveillance from that day and showed a clear image of McLawhorn matching the exact clothing that was on the video surveillance outside of Tiffany’s house. McLawhorn was the man who killed Tiffany.
What has digital forensics done for us in this case? Absolutely everything.
Using the evidence in court, Christopher McLawhorn was sentenced to life in prison plus extra years.
For those who may want more information, a scholarship fund has been set up in in memory for those who may want more information. A scholarship fund has been set up in memory of Tiffany page, Ferguson. It’s awarded each year to a High School graduate and Tiffany’s hometown of Laredo, Tennessee, to quote the Scholarship Fund website. The recipient would not only achieve but possessed the nurturing, selfless qualities as Tiffany did.
Interested and listening to the entire story? Listen Now!