One Tragic Night
Page 48
When Moller analysed the two phones originally sent to him, he was unaware that Oscar owned two phones – one a ‘work’ phone (with a number ending in 4949), the other for ‘personal’ calls (ending in 0020). The device Moller had in his possession was the athlete’s work phone, while the other was unaccounted for.
Under Section 205 of the Criminal Procedure Act, the police may approach a court for an order giving them access to certain information, including a phone company’s call records. The phone company has to hand these records over once the court issues this order. It was once Moller had this data that he discovered that Oscar had a second phone because his particulars were linked to two numbers. Oscar had replaced the two BlackBerries when he had done a SIM swap the previous year, so the data received by Moller was for Reeva’s phone and Oscar’s work and personal handsets. The data also ruled out any need to investigate the BlackBerries seized at the scene as evidence because they were no longer in use.
According to the data retrieved from the phone in the police’s possession – the number ending with 4949 – no calls had been made by the athlete in the wake of the shooting. This was why when Hilton Botha took the stand during the bail application, he confidently told the magistrate that Oscar’s phone showed no record of any calls being made on the morning of 14 February. It appeared that the athlete had not phoned the police or the paramedics. And yet Oscar’s lawyers were adamant that the calls had indeed been made.
But where was the other handset with the second number? This was an issue Nel would have to raise in the bail application. ‘We know that you seized two phones in the house?’ asked Nel, leading Botha through his evidence in the bail application:
Nel: Did you seize any other phones in that house?
Botha: The two BlackBerries that were in the bedroom, yes.
Nel: If the accused phoned; that phone you never received?
Botha: I did not receive a phone, if he phoned. The phones that I received shows nothing that was happening that morning from those two units.
Then Nel made the revelation in court – a phone was missing from the scene and the defence had not handed it over to investigators. The defence responded by insisting that they were never asked for the phone. An arrangement was made for it to be given to the investigating team.
This handset was crucial to the investigation – the 0020 number was Oscar’s personal number and the device he used most. The majority of his communication with Reeva and with his friends was done via this iPhone and if there were any clues as to what had occurred in the early hours of Valentine’s Day, this phone would hold them.
The phone was collected from the defence a full 12 days after Reeva was shot – but little did investigators know they would face months of frustration and difficulty in trying to gain access to the contents of 0020.
Reports emerged in June 2013 that police had still not managed to analyse Oscar’s phone, apparently because he had forgotten the password. His lawyer’s, however, dismissed the reports, stating that they had provided the police with all the required information to access the phone.
Then in the second week of February 2014, just weeks before the trial was to start, we established that the police had still not managed to gain access. It was revealed at the time that red tape had hindered an application for international mutual legal assistance – Moller and his team were trying to get the phone to Apple in California where its manufacturers could analyse it, but had to go through the US authorities based at their embassy in Pretoria. The SAPS had been told to approach Apple directly in order to resolve the problem of access to the phone’s data.
But this is where the process had hit a horrible wobble. The official application lay on someone’s desk, somewhere between the National Prosecuting Authority and the SAPS, for several months. From May 2013 until December that year, the process stalled. It was only towards the end of the year, with the trial just months away, that top police management realised there was a problem and reignited the search for answers.
Why hadn’t they been able to access the phone? Sources claim that the password Oscar had provided did not unlock the device, and the software Moller and his team were using was unable to bypass it.
In January 2014, the cops scrambled to get the paperwork in order and went knocking on the door of Pretoria Chief Magistrate Desmond Nair. The required affidavits were secured and a certificate was finally issued by the National Director of Public Prosecutions. Local representatives of American security institutions were also contacted. The way was finally paved for the trip to Apple in America.
All of this took time, and lots of it. The investigators were running out of this precious commodity with the trial now mere days away. They could not afford to be the reason that the matter be postponed, or even worse, struck off the roll due to lack of preparation.
By this stage the National Commissioner and the Minister of Police Nathi Mthethwa were apparently raging at the lack of answers and were angry that the process had not been done more efficiently.
While this was playing out in February 2014, local television network eNCA reported that it had gained exclusive access to Oscar’s iTunes account using the username and password he had provided to the police. But it wasn’t the iTunes account the police needed – it was much more complex than that. The password the police needed was one that was created when the phone was synced with a computer. It appeared that this particular password had been changed after the shooting when it was last synchronised with a computer. ‘If you set up your iPhone, you have to create an iTunes account. Now on that account, if you log onto your computer, it will ask you in the set-up on your computer where you can decide to encrypt the data on your phone, whether you want to password protect it. That’s the password that gave the problem,’ explains a member of the state’s team.
The policemen wanted access to Oscar’s contact lists, call logs, Internet history, photographs, videos and all back-ups that could help with the investigation. While they could scroll through the phone, they could not download any of the information and use it as evidence in court. They also could not install their software to ‘jailbreak’ the phone – an approved and legal method to disable the security feature on the device to install third-party apps in order to download deleted information. They had done this on Reeva’s phone and also on Oscar’s work phone, which had been seized at the crime scene. The SAPS use two different products to analyse data: one is a Swedish product XRY and the other is made by the Israelis, called Cellebrite. Neither of these could access the device.
It was the second-last week of February and the trial was ten days away – due to begin on Monday, 3 March – when Moller, Sales and the police’s head of detectives General Vineshkumar Moonoo received the green light to take the phone to Apple headquarters in California. On Thursday, 20 February, the US officials authorised the warrant and Moller and Sales were instructed to be at a meeting at Apple in San Francisco a week later, on Thursday, 27 February. And so, just a week before the trial was scheduled to start, the team jetted off to the United States.
They arrived at the tech giant’s offices at 1 Infinite Loop in Cupertino with high expectations, but were soon disappointed as their fears were confirmed – the missing password was between the device and the computer it had been synchronised with, not the network. This meant that the Apple technicians could not help them.
The problem was that only one computer had been seized from the crime scene – Reeva’s. None of Oscar’s computers had been taken as evidence and yet crime scene photographs show a workstation in the runner’s upstairs lounge and at least one MacBook laptop in the house. Some on the scene attest to there being as many as three laptops lying around the house, none of which was seized. Without the computer on which the account had been created, it was highly unlikely the police would be able to gain access to the phone.
They returned from the United States empty-handed, except for a back-up of the phone data on a hard-drive. Despite their
best efforts, they could not unlock the secrets held by the iPhone. This meant that all they had going in to court was the data retrieved from Oscar’s work phone and the contents of Reeva’s phone.
So what did the investigating team believe could be on Oscar’s personal phone that they were so determined to access it? And what do they believe was done in an attempt to prevent them from accessing it?
During the course of the investigation, one of the SAPS software providers had, in fact, found a way to get into the iPhone.
Executives from Cyanre, The Computer Forensic Lab, South Africa’s leading private digital and computer forensic company, had heard on the radio that the police were struggling to get into the device. They knew they had the technology the police needed so they called them up, as managing director Danny Myburgh explains. ‘We supplied the software and the hardware to the police to do the forensics. When we heard over the radio that they were unable to decrypt Oscar’s phone, we approached them and said we can make our equipment available to them. We set it all up for them and supplied it to them and we enabled them to access Oscar’s phone. We didn’t have a mandate from the SAPS to assist them with the analysis, so unfortunately we could not get involved or conduct the analysis for them.
‘We know what type of information they could access from similar actions we’ve done in the past. We could typically decrypt about 80 to 90 per cent of the data. What could be extracted was calendar items, chats, contacts, limited amounts of locations and quite a lot of SMS messages. We concluded that the main reason why they went to Apple was to get that other 10 per cent that couldn’t be decrypted. They went to extract that other 10 per cent because they didn’t know what they could get,’ explains Myburgh.
He says the police would have been in a perfect situation to see if any data had been deleted or if content on the phone had been wiped off. ‘They could tell if there were large chunks of emails or messages that were missing. From what is there, it would have been easy for them to determine what is not there and what had been deleted.’
What the police did establish through this exercise was that at some point the cellphone was synchronised with a MacBook – one named ‘Titanium Hulk’.
Only one person close to the accused has a fascination with the lumbering green Marvel Comics hero. It featured in his Twitter feed as quotes from comic strips; he wore green bandanas bearing the eyes of the behemoth; he edited pictures of himself to colour his own skin green; and one friend even remarked on social media, ‘You truly are the Titanium Hulk.’ Carl Pistorius. His Gmail address contains that very name.
So this was what had put a spanner in the works – it was suspected that when the phone was last synchronised a new password had been created, so relying on Oscar’s old password would obviously not have worked. To confirm their suspicions, a source said police were able to track the phone over the time it had been missing and compared it to data linked to Carl’s phone, which showed a potential overlap. Both phones followed the same route over a period of days.
The most intriguing piece of information to be gathered from the partial extraction of data had more to do with what wasn’t on the phone than with what was. Our study of the data, compared to the extraction from the personal phone, shows that the entire call history had been deleted, the entire WhatsApp record and all its messages had been wiped out, and specific text messages had been deleted. Some of these messages were received on the device while Oscar was in the Brooklyn holding cells and while the device was unaccounted for. This would have to have meant that the device had been switched on, and allowed to download messages from the network to the handset, before they were deleted. This appeared to have occurred days after the shooting.
Moller was set to begin his evidence on Monday, 24 March – the third week of the trial. The weekend prior, there was a strong rumour amongst the media that Carl Pistorius was about to be arrested. Some had got wind that the Blade Runner’s brother might be charged with defeating the ends of justice for allegedly removing the phone from the crime scene and tampering with it.
But it wasn’t to be – Carl was not arrested, nor was he charged.
That Monday morning court started 11 minutes late and prosecutor Nel made an unexpected announcement to the court. Nel apologised to the court for starting a little late because the state had been ‘engaging with the defence in terms of certain admissions’. Once Masipa was in her chair, Nel read the admissions into the record from a handwritten note, which he said had been drafted earlier that morning. It had clearly been done in haste and at the last minute:
Admission in terms of section 220 of the Criminal Procedure Act
1. That the two iPhones seized in the bathroom … the two Blackberry phones, as well as two iPads seized from the bedroom on 14 February 2013 were handed to Captain Moller.
2. That Colonel Sales and Captain Moller downloaded the data on the iPhones and iPads and investigated these devices.
3. That the data received from Vodacom is correct and a true reflection of the data pertaining to the devices.
4. That on 25 February 2013, the accused handed over his personal iPhone to the South African Police Service. This phone was removed from the scene on 14 February 2013. This phone was also analysed and the data downloaded by Captain Moller.
That will be the admissions, M’Lady, in terms of section 220. I beg leave to hand that up.
Included in these admissions was the authenticity of the cellphone data from the service providers – this would mean that the prosecution would not have to call a representative from Vodacom to confirm the data, which is a run-of-the-mill occurrence in criminal trials. The second admission was that the defence would not dispute the chain of evidence around the phones – they would not dispute that the phones and iPads were seized on the crime scene, bagged and tagged, put in evidence bags and taken by Hilton Botha to Captain Moller who carried out the extractions and analysis.
What had led to this unanticipated announcement of admissions being made by the defence related to the phones? One might have expected that Oscar’s counsel would have fought tooth and nail against the contents of the phone being admitted to a trial court with such ease. It was also expected that the defence team would challenge each and every step taken by the police investigators in securing information and maintaining the integrity of the ‘chain of evidence’, as is so often the case in criminal courts in the country. This was even more pressing in this trial, where the defence had blatantly accused the police of tampering and contaminating the crime scene. It all seemed too easy.
Did anything happen behind the scenes while the prosecution ‘engaged with the defence’ on the admissions?
It also appeared that the defence may have made a strategic error. What they did not realise was that by making the admissions the prosecution would not have to call former investigating officer Hilton Botha to testify. The only reason the state needed Botha on the witness stand was to confirm the chain of evidence regarding the phones and iPads – and that had now been mutually ‘resolved’. Putting Botha on the stand would be high risk for the state as Roux would repeat what happened at the bail hearing and tear him apart over his handling of the crime scene, allegations that the scene was contaminated and his initial interactions with witnesses. It would have been a field day for the senior defence counsel.
However, a source close to the defence legal team said there was no oversight and they did not miss a trick. Rather, the situation was far more complex.
These questions around the unexpected admissions were echoed by experts in the industry watching the trial unfold. The way both the prosecution and the defence dealt with the digital evidence raised serious concerns for Myburgh and his team from Cyanre. As experienced forensic investigators, they found the conduct of the legal teams very strange.
‘It is normal for them to challenge the chain of evidence. We didn’t see that the defence tested the expert or the evidence. There was no question regarding the authenticity of the m
essages. It was watered down. We were expecting a lot more in terms of this. We were hoping that the forensics would open up this case and prove it beyond reasonable doubt. We expected the state to make a lot more of the digital evidence and for the defence to test it more vigorously. We’re sitting in cases where we are under cross-examination for up to two years over this kind of evidence. So in a case of this nature, to have a person under cross-examination so fast, it was a bit weird,’ explains Myburgh.
He also doesn’t understand why the prosecution didn’t make a big noise about deletions on the handset if any. ‘There was no evidence to say, “We saw that he deleted this.” Why not? Why not? If we had this situation in OJ Simpson, if this was in America, they would have stayed on this point for four days, showing exactly what was not on the phone. In this case, the phone was mentioned briefly and then nothing else. This points to why are you cleaning out this phone? What attempts did the police do to find backups? Did they go to the cloud? They would have been able to see if it was synchronised to his brother’s computer – did they get a search warrant for his brother’s computer? If not, what led them to decide not to do that?’
Later that Monday, once Oscar’s neighbour Annette Stipp had completed her testimony, Moller took the stand armed with a litany of explosive and emotionally laden WhatsApp messages. The courtroom and the world were afforded rare insight into the reality of the relationship between Oscar and Reeva. At times it was uneasy and awkward but the prosecution believed it a necessary discomfort for this was the only way they could ‘hear’ Reeva’s voice. Her words were being heard from the grave through the messages she had typed.
The calling of Captain Moller to the witness box came with significant expectations from the media and the public over the lingering question of Oscar’s iPhone and the missing password. In the weeks leading up to the trial, Eyewitness News radio reports had revealed the battle investigators were having to access data on the phone because the athlete had claimed that he’d forgotten his password.