CASE STUDY

Building the Timeline of The Mall in Columbia Shooter

BlackLight Used to Analyze SQLite Databases

On January 25, 2014, 19-year-old Darion Aguilar exited a dressing room armed with a shotgun and began shooting at The Mall in Columbia located in the Baltimore, Maryland suburbs. Before ultimately killing himself, he killed two young victims and injured five other innocent people.

After the incident, the digital forensic analysis of the shooter’s Apple iPhone, computer, and iPhone backups played a pivotal role in the investigation. The analysis was performed with the assistance of BlackLight. The investigation revealed a timeline of events leading up to the shooting and uncovered details about the shooter’s research, planning, and mental state. It was also the digital forensic investigation that led police to discover the shooter’s Tumblr blog and the last post he made with his iPhone moments before shooting his first victim.

Now Director of Digital Forensics at IntelliGenesis LLC, Dave Proulx was the lead Digital Forensic Examiner Detective on the case at the time. “The process of not only extracting SQLite databases, in a forensically sound way, then separately analyzing each using a third-party tool, is an extremely exhausting process,” explains former Detective Dave Proulx. “If you’re relying solely on the parsed information supported by the tool, you’re potentially missing key information and evidence of the unsupported apps,” Proulx added.

Using BlackLight, Mr. Proulx located and analyzed application data that, even today, would fall into the category of the thousands of unsupported apps that are not parsed by any tool. Using the SQLite viewer and query features built into BlackLight, Detective Proulx determined that the shooter used apps on his iPhone to plot his journey to the Columbia Mall, mixing public and private transportation.

“In an age where a smartphone can have 60, or more dB files (database), the ability to analyze and query these databases without using third-party software or running scripts is, unfortunately, a rare find. It’s still hard to find these features (since Jan. 2014) in some of the more popular forensic and eDiscovery products,” former Detective Proulx explained.

BlackLight is also a great tool for identifying apps and other online services that may not be known to the investigation. Usernames and profile IDs are right there in the plists and databases of many mobile apps such as Snapchat, WhatsApp, Facebook, Twitter, Dropbox, and even Tumblr.

In December of 2013, the month before the shooting, the shooter’s iPhone received the first iOS release which introduced the iCloud backup option. Previously, this feature was only available on iTunes. Detective Proulx explained that it was extremely beneficial being able to use BlackLight to analyze an iCloud backup which had been created the night before the shooting. Combining the iPhone acquisition and backups from the cloud and his laptop, BlackLight assisted in building the timeline which ultimately pieced together months of the shooter’s online activities and research.

In The Mall in Columbia shooting, like so many other cases, BlackBag’s BlackLight software helped Howard County Police in Maryland provide closure for the community and the families of the victims: 21-year-old Brianna Benlolo and 25-year-old Tyler Johnson.

Main Takeaways:

  • In the tragic aftermath of the Columbia Mall shooting, the families involved had many questions about why this tragic event happened.
  • The shooter’s iPhone, computer, and iCloud backups all contained information that could answer questions about the shooter’s research, planning, and mental state.
  • Data associated with iPhone Apps is stored in SQLite databases. Many tools parse the databases for some Apps, but BlackLight provides an interface to view any SQLite database.
  • Combining the iPhone acquisition and backups from the cloud and his laptop, BlackLight assisted in building the timeline which ultimately pieced together months of the shooter’s online activities and research.

Quick Facts

Features: 

BlackLight analyzes iOS devices and backups, specifically the SQLite databases and plist files associated with iPhone Apps.

Problem Solved:

BlackLight allowed the analyst to view and find critical information stored in the databases associated with iPhone Apps that are not parsed in other tools.

Solution Provided:

The internal SQLite viewer with query feature extracted data from the iPhone, iCloud backups, and backups on the computer pertinent to the timeline of events leading up to the shooting.

Overall Results:

The data revealed a timeline of events leading up to the shooting and uncovered details about the shooter’s research, planning, and mental state.
