Digital Forensics in the NFL: A Look at DeflateGate
By now, you have probably read about the Wells Report released this past week concerning the deflated footballs used in the AFC Championship game between the New England Patriots and the Indianapolis Colts this past season. Monday afternoon, the NFL announced it would suspend New England Patriots quarterback Tom Brady for the first four (4) games of the 2015-2016 season for violating the NFL policy on the integrity of the game. The NFL will also fine the New England Patriots $1M, and the Patriots will forfeit their 2016 first-round and 2017 fourth-round draft choices. Several forensic science disciplines came into play during the "DeflateGate" investigation; this article focuses on the integral role digital forensics played. This blog post references the 243-page report commonly referred to as the "Wells Report", and its objective is simply to provide some insight, from the digital forensics viewpoint, on this highly publicized report. In any investigation, aside from witness interviews, there are generally other sources of information that are reviewed either to provide context or to retain as evidence. Investigators reviewed the following:
- Air Pressure Data
- Footballs, Gauges and Other Equipment
- Security and Game Footage
- Text Messages and Call Logs
- League Rules and Policies
- Weather Data
- Internal Temperature Data
- Emails Received from the Public
- Other Materials
The cell phones of the following five Patriots staff members were submitted for forensic examination:
- John Jastremski, Equipment Assistant
- Brenden Murphy, Equipment Assistant and Ball Boy
- Zach Struck, Equipment Assistant
- Dave Schoenfeld, Head Equipment Manager
- Berj Najarian, Director of Football/Head Coach Administration
The forensic consulting firm likely created a forensic image of each phone that was submitted for analysis. The objective of creating a forensic image is to preserve the data on the phone: the analysis is performed against the image so that the original evidence (i.e., the phone) is not altered during the analysis phase of the forensic examination. The goal of this forensic examination was to analyze data concerning electronic communication initiated or received using these mobile devices. (An important note: the report does not mention the make or model of the cellular phones that were forensically analyzed. It is also worth noting that the report states "forensic images of the phones", which may indicate a full image of each phone. However, only text messages, contact information, and call logs appear in the report, which means there is a lot of data that could have been analyzed but, for whatever reason, was not included in the published report.) The final forensic report may have been presented to the NFL, but it was not included in the investigative report made available to the public. Based on the published report alone, assumptions have to be made before drawing any conclusion.
Because deleted text messages were recovered from Jastremski's cell phone, the forensic examiner recovered those text messages from a database (e.g., SQLite, which is very well documented). Page 77 of the report outlines allocated and unallocated (deleted) text message conversations from October 2014 between McNally and Jastremski (note: the Patriots provided copies of select text messages and a call log from McNally's cell phone; the phone itself was not submitted for forensic analysis). The content of those text messages involves complaints about game balls by Tom Brady. You'll notice "[recovered-19]" in the Sender and Recipient columns of some of the text messages: those messages had been deleted, and the "[recovered-19]" entry is populated because some of the data is non-recoverable, or was not identified by the forensic tool that the examiner utilized.
Furthermore, page 77 of the report states: "... but were still partially recoverable by the forensic tools used to image Jastremski's cell phone. Although Renaissance was able to retrieve limited information about certain deleted messages from Jastremski's phone, the contact information could not be fully recovered. In addition, Renaissance was unable to determine with certainty when the recovered messages were deleted or whether there were other relevant deleted messages (i.e., deleted messages that left no recoverable information at all) ..." From a forensic examiner's perspective, the open questions are: what were the make, model, and operating system of each phone, and what forensic or non-forensic tools were used to extract this data? More likely than not, the phones ran either Android or iOS, which would mean the message store was a SQLite database, a well-documented format. Because of that documentation, numerous methods and techniques exist for recovering deleted data from a SQLite database. More than likely, there is an internal executive summary report, reviewed by the NFL, that reflects the tools, techniques, and procedures utilized during the digital forensic examination of these cellular phones.
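The two points above, imaging the evidence before analysis and recovering deleted rows from a SQLite message store, can be shown together in one small script. The following is an added example written for this post, not code from the Wells Report, from Renaissance, or from any real phone extraction. It builds a constructed stand-in for a message database (a simplified `message` table, not the real iOS or Android SMS schema), deletes two rows the way an app would, images the file and records a SHA-256 acquisition hash, walks the SQLite page headers and freeblock chain on the image to carve text that the live table no longer reports, and re-hashes the image to confirm the analysis did not alter it. Every name, path and message in it is constructed.

```python
import hashlib
import os
import re
import sqlite3
import tempfile

# Constructed sample data, not taken from the Wells Report: a tiny message store
# in the style of an SMS database that stands in for the phone's own store.
SAMPLE_MESSAGES = [
    ("+15550000001", "Equipment Room", "Allocated message one, gauge reads 12.5 psi"),
    ("+15550000002", "Locker Room", "Deleted message two, please recheck the game balls"),
    ("+15550000003", "Locker Room", "Deleted message three should survive in page free space"),
    ("+15550000004", "Front Office", "Allocated message four, nothing to see here"),
]
DELETED_IDS = (2, 3)
BTREE_HEADER_LEN = {0x0D: 8, 0x0A: 8, 0x05: 12, 0x02: 12}  # leaf/interior table/index pages

def build_sample_db(path):
    """Create the store, then delete two rows the way a messaging app would."""
    conn = sqlite3.connect(path)
    # Common production setting: a deleted cell is unlinked from the page but not
    # zeroed, so its bytes linger until something overwrites them.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, address TEXT, contact TEXT, body TEXT)")
    conn.executemany("INSERT INTO message (address, contact, body) VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    conn.execute("DELETE FROM message WHERE id IN (?, ?)", DELETED_IDS)
    conn.commit()
    conn.close()

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_image(source, image):
    """Byte-for-byte copy of the evidence file; returns the acquisition hash that
    every later verification of the image is compared against."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(1 << 20), b""):
            dst.write(chunk)
    return sha256_of(image)

def live_bodies(image):
    """What the app, or a logical extraction, still reports. Opened read-only."""
    conn = sqlite3.connect("file:%s?mode=ro" % image, uri=True)
    rows = [row[0] for row in conn.execute("SELECT body FROM message ORDER BY id")]
    conn.close()
    return rows

def free_regions(raw):
    """(page_no, start, end) byte ranges holding no live cell: the gap above the
    cell content area plus every block on each b-tree page's freeblock chain."""
    page_size = int.from_bytes(raw[16:18], "big") or 65536
    regions = []
    for page_no in range(1, len(raw) // page_size + 1):
        base = (page_no - 1) * page_size
        hdr = base + (100 if page_no == 1 else 0)  # page 1 begins with the file header
        hdr_len = BTREE_HEADER_LEN.get(raw[hdr])
        if hdr_len is None:
            continue  # freelist trunk, overflow or lock-byte page: no b-tree header
        n_cells = int.from_bytes(raw[hdr + 3:hdr + 5], "big")
        content_start = int.from_bytes(raw[hdr + 5:hdr + 7], "big") or 65536
        regions.append((page_no, hdr + hdr_len + 2 * n_cells, base + content_start))
        # A freeblock starts with a 2-byte next pointer and a 2-byte size. That header
        # overwrites the first bytes of the deleted cell (payload length, rowid, start
        # of the record header), so carved records lose their leading fields.
        fb, seen = int.from_bytes(raw[hdr + 1:hdr + 3], "big"), set()
        while fb and fb not in seen:
            seen.add(fb)
            size = int.from_bytes(raw[base + fb + 2:base + fb + 4], "big")
            regions.append((page_no, base + fb, base + fb + size))
            fb = int.from_bytes(raw[base + fb:base + fb + 2], "big")
    return regions

def carve_deleted_text(image, min_len=12):
    """Printable runs found only in free space: candidate deleted content. Which
    column a run came from stays uncertain because the record header is damaged."""
    with open(image, "rb") as f:
        raw = f.read()
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(page_no, start + m.start(), m.group().decode("ascii"))
            for page_no, start, end in free_regions(raw)
            for m in re.finditer(pattern, raw[start:end])]

def run_demo():
    """Image the 'phone' database, analyse only the image, verify it is unchanged."""
    with tempfile.TemporaryDirectory() as tmp:
        phone_db = os.path.join(tmp, "sms_on_device.db")  # constructed evidence source
        image = os.path.join(tmp, "sms_on_device.db.img")
        build_sample_db(phone_db)
        acquisition_hash = acquire_image(phone_db, image)
        live, carved = live_bodies(image), carve_deleted_text(image)
        return {"acquisition_hash": acquisition_hash, "live": live, "carved": carved,
                "image_intact": sha256_of(image) == acquisition_hash}

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run it and the live query returns only messages one and four, while the carve pulls the bodies of messages two and three out of page 2's freeblock chain, prefixed by whatever survived of their record headers. That partial survival is the same effect the report describes: text is recoverable, but the fields that would tie it to a sender or recipient are not, hence entries like "[recovered-19]". Had the store been created with `secure_delete` on, or vacuumed after the deletion, the freeblocks would have been zeroed or dropped and nothing would be carvable, which is why an examiner also looks at rollback journals, WAL files and backups rather than the main database file alone.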
As stated earlier, the objective of the forensic examination of the five (5) cell phones was to review "electronic communications made or received using those phones". The report does not mention whether other messaging applications were analyzed. Facebook, Twitter, WhatsApp, Kik Messenger, Google Hangouts, and many other instant messaging applications are commonly found on smartphones, and text-based electronic communication is not limited to Short Message Service (SMS) or Multimedia Messaging Service (MMS). There are many ways in which people communicate through cellular phones, and social media and instant messaging applications are another data source the investigators should have reviewed. Given that item #4 in the list above reads "Text Messages and Call Logs", there may have been restrictions imposed on what data could be forensically analyzed on the phones. If the scope of the forensic examination was limited in that way, it would have prevented a thorough, detailed forensic analysis.
Overall, the thoroughness of any investigation has much to do with the cooperation of the parties involved and the data sources that are made available to investigators. If an investigator was limited to certain data on one of the phones, then that examiner can only analyze and formalize his/her findings based on the data made available to him/her. According to the NFL, Tom Brady's unwillingness to cooperate with the NFL investigation is a violation of league rules: he did speak to investigators but did not allow a forensic examination of his phone for electronic communications. Jim McNally provided investigators with select text messages, not the phone itself for forensic analysis, which may or may not be relevant to the investigation. The investigation identified overwhelming circumstantial evidence. There is also clearly data that could have been forensically examined and that may have been the "smoking gun" in this investigation, but for whatever reason that examination was not permitted. Whether that data was analyzed and simply not allowed to be publicly disclosed is a side note.
Mobile device forensics continues to play a very important role in providing answers in corporate and legal investigations. Smartphones and mobile devices are often considered an extension of one's mind. Organizations must have a plan in place to manage mobile devices and cloud-based services. For information on our Digital Forensic Services, please visit our Services page.
- Paul, Weiss, Rifkind, Wharton & Garrison LLP (2015). Investigative Report Concerning Footballs Used During The AFC Championship Game on January 18, 2015. Retrieved May 11, 2015 from https://nfllabor.files.wordpress.com/2015/05/investigative-and-expert-reports-re-footballs-used-during-afc-championsh.pdf