An FBI electronics engineer testified Thursday that a forensic examination of a phone registered by Robert Bowers showed that the phone accessed the website Gab.com in the moments before a person entered the Tree of Life Synagogue and shot and killed 11 Jewish worshipers.
Today was the seventh day of the guilt phase of Bowers’ trial. He is charged with 63 federal crimes, including 11 counts of homicide motivated by hate, in the synagogue shooting on Oct. 27, 2018. Investigators found the phone in Bowers’ jacket after apprehending him after the shooting.
Curtis Thomas, an electronics engineer for the FBI for 19 years who works out of its headquarters in Quantico, Virginia, said he was able to access the phone's data, even though he didn't have its password, through a multistep process. Once he accessed the data, he determined that the user had manually tried to delete most of the content on the phone but pieces of data were recoverable.
Thomas said he found eight pieces of cached data that indicated the phone accessed Gab.com at 9:47 a.m. and 9:48 a.m. on the day of the shooting. Gab.com is a social media website where antisemitic content is common and not removed by moderators, and where Bowers reportedly was an active poster.
That data included what appeared to be a handful of selfies of Bowers himself, including one in which he is making a hand gesture that historically has meant “OK” but in recent years has become associated with white power.
Prosecutors showed other photos from the phone, including a picture with two handguns with ammunition, two pictures with a gun on someone’s holster, a picture of a shotgun and shells, and a picture with a person’s hand holding a gun.
The phone also included a W-9 form with Bowers name on it, a direct deposit banking form with Bowers’ name on it, and several other papers bearing Bowers’ name. The phone also contained a picture of a paper target shaped like a human from a firing range.
How the FBI opened the password-secured phone
The problem Pittsburgh FBI agents ran into when trying to access the phone, Thomas said, is that there were only 15 to 30 opportunities to enter the phone’s code before all of its data would be erased — a security feature built into the LG Android phone and its operating system. So the Pittsburgh FBI field office shipped the phone to Thomas at Quantico for assistance in accessing the data.
Thomas said he found a weakness: The phone must run some of its software in order to prompt users for a passcode at all. This part of the phone’s software exists outside of the password-protected information where user data is stored.
FBI agents were able to access this vulnerable software and install an earlier version of the operating system on the phone — Android 7.0 instead of Android 8.0. It was possible to manipulate the older software to reset the phone's internal counter so that, after 10 guesses, the phone would ”think” there hadn't been any guesses at all, he explained. The FBI then ran an agency-built computer program — not available for purchase — that ran through every possible combination of passcodes until it found the correct one.
The phone didn’t require a numerical password, Thomas said. Instead, its screen was split into four quadrants, and the password required the phone's user to tap the correct quadrant, six times in a row, in order to access the phone. The phone's passcode was: lower right, lower right, upper right, lower right, lower left, lower right.
Once the FBI had access to the phone's passcode, investigators reloaded the original Android 8.0 operating system and copied all data inside the phone, he said. To do so, they used a special software called Cellebrite UFED that enabled agents to search the phone's contents and produce physical copies of the information found on the phone. Some of that information was displayed in court today.