Source: Kaylee Goncalves/Instagram
co-authored by Jared Barnhart, Head of CX Strategy and Customer Advocacy, Cellebrite
You are tasked with parsing through the data on a device that could find the truth in one of the highest profile cases of our time: the gruesome murder of four innocent University of Idaho college students. And when you access the device, imagine realizing there’s little to no data. Panic subtly sets in knowing there is a clear lack of evidence and rich data is missing forever. If you find yourself in the same situation, do not despair. Instead, pivot and start parsing through what shows up and what is not there, and you will find, there indeed is a story to uncover.
Getting the Call to Help in the Case
In March 2023, I got a call from our partners at the FBI and the Latah County Prosecutor. The FBI had lawfully accessed the phone and laptop of the accused murderer, Bryan Kohberger (BK), and after parsing through the data, they were disappointed to learn there wasn’t much there. It was clear files were deleted and with such a big case, they were eager for another set of eyes to understand what BK’s phone could tell them. I heard about the case—knew of the victims and the accused—but not much more and I was grateful for that. I was ready to dive in and help, with the hope of finding the truth, I knew two sets of eyes would be better than one. I was grateful when my fellow DFIR pro, colleague and husband Jared Barnhart agreed to help. Teamwork—often late into the night in a shared home office—would prove essential in getting as many answers as we could.
Hands down, this was one of the most challenging investigations we have ever worked on and it took an incredible amount of time to understand what we were really seeing. For starters, the phone was seized more than six weeks after the murders, DNA on a knife sheath left at the scene had already been matched back to BK. There was so much data that was gone forever—buffer logs, privacy dashboard, battery stats and battery usage—never to be retrieved. But we knew there was more to learn inside the digital witnesses.
We knew why BK was the suspect: the knife sheath left at the scene matched his DNA. Yet, when he powered down his phone, disabled WiFi and cellular connection all in the same timeframe four college students were murdered – it either made him the murderer or it was the world’s greatest coincidence.
Establishing BK’s Pattern of Life
At some point, you will surely run into what we found on BK’s phone: entire dark periods and massive gaps in information. That is where you begin. When did everything go dark? Find the missing pieces by going back to establish what a normal pattern of life was prior to the incident.
For starters, BK’s phone was normally powered on and he typically had WiFi enabled, meaning that he would connect to WiFi wherever he was—whether he was at his teaching assistant role as a PhD student at Washington State University, at home or traveling in the area.
We looked at how his data synched between his devices, which helped us understand some of his digital behavior, and I recently wrote about this for Forensic (this case was my inspiration), writing in part:
"Data synchronization from phones to computers and the cloud is often overlooked and underutilized in digital forensics. It really hit home as I began researching a case where I had to recreate a scenario with an iPhone that is logged into a Chrome browser. Everything done on the mobile phone that is associated with Chrome syncs to Google Cloud and then goes back to a PC."
In addition, we noticed his use of In-Cognito browsing around the time of the murders vs his typical normal browsing behavior. Dissecting patterns of normal behavior on BK’s device allowed us to focus on the abnormal.
We also learned he wasn’t a very social person and was a loner. He didn’t have many contacts in his phone and had minimal messages with others – aside from regular contact with his parents, whom he calls “Mother” and “Father.”
BK’s Pattern Shifts around the Murders
Two days leading up to the murders and on the day of the murders, that typical pattern was no more.
On November 11, two days before the murders, BK disabled WiFi on his mobile, which was out of the ordinary.
On November 13, at 2:54 a.m., BK’s phone was manually powered down even though it had a full battery. Wifi had already been deactivated, and he also disabled cellular data. Two hours later, at 4:48 a.m., the phone was powered back on.
The prosecution told us his alibi was that he typically stargazed at night in that area. That may be true. but it wasn’t typical for him to disable his WiFi and cellular data and power down his device.
Starting at 6:13 a.m., he called Mother and when she didn’t answer, he called Father at 6:14 a.m. Then when Mother answered, they spoke for a total of 36 minutes. At 8:03 a.m., Kohberger called Mother again and they spoke for 54 minutes. At 9 a.m., he spent 9 minutes on the phone with Mother, around this time his phone was pinged in the area of King Road—near the scene of the yet undiscovered murders. They would speak a total of more than three hours that day— more than a typical day.
We located the infamous selfie taken on his phone, at 10:33 a.m., after his phone was pinged in the area of the crime scene, where he’s smirking in the bathroom mirror giving a thumbs up. Zooming in on the high-resolution image, you can see a Band-Aid on his ring finger while his hands and knuckles appear reddish and white at the tips, from apparent scrubbing. Selfies were common in his phone, especially taking them after researching serial killers.
BK’s Mistakes and Fascination with Serial Killers
Unearthed searches for serial killers on BK's computer/phone.
He did his best to cover his tracks and succeeded in burying a lot of the information in the months leading up to the crimes. He cleared data from his computer and phone—deleting search history and messages. But he wasn’t so careful following the murders.
BK was still careful to clear his browser history and/or use incognito browsing, yet he downloaded files including the official homicide updates from Moscow Police and his searches on serial killers. This was a key mistake because his searches, when shared with a jury, would not help support his claim of innocence:
- Nov 14: Fingerprintrecognition.pdf (FBI informational document)
- Nov 19: Google Chrome download URL with Danny Rollings (a serial killer who killed five college students – known as the “Gainesville Ripper”)
- Nov 26: Moscowhomicideupdate.pdf
- Dec 10: Moscowhomicideupdate.pdf
- Dec 14: Moscowhomicideupdate.pdf
- Dec 16: Moscowhomicideupdate.pdf
- Dec 19: Moscowhomicideupdate.pdf
On Christmas night, into the early morning hours of December 26, BK searched for more than two dozen serial killers, including: Betty Lou Beets, Randy Kraft, William Lee Cody Neal, Danny Rolling, Joel Rifkin, Ted Bundy, Altemio Sanchez, Glen Rogers, Cary Stayner, John Wayne Gacy, Harvey Glatman, Paul Bernardo, Rodney Alcala, Robert Hansen, Gary Ridgeway, David Parker Ray, Cleophus Prince, Danny Rolling (same file a second time), Ed Kemper and Dennis Rader.
His searches intensified on December 28 and when the Moscow Police update indicated they were searching for a white Hyundai Elantra, he searched for an auto detail shop and began shopping online for a new vehicle.
He tried to be perfect in covering his tracks but failed.
Digital Evidence Builds a Strong Case Against BK
When data is missing in an investigation, find what you can locate and build out what isn’t there. Establish a pattern of life and timeline before, during and after the crime. In this case, the knife sheath left at the scene placed Kohberger at the home on King Road. Yet his digital trail, what we found post-crime and what was missing in those dark periods of time when combined with the DNA, built a strong case that clearly convinced him he would never get away with the murders of four innocent people.
We want to forget his name, which is why after the first mention, he is referred to as BK. Instead, we want to remember the names of those who had their promising lives prematurely taken—Maddie Mogen, Kaylee Goncalves, Xana Kernodle and Ethan Chapin.
About the Authors
Heather Barnhart is the Senior Director of Forensic Research at Cellebrite and a SANS Institute fellow. She advises on strategic digital intelligence operations and educates both the public and industry professionals on the latest challenges in the space and how Cellebrite helps address them. For more than 23 years, Heather has worked on high-profile cases, investigating everything from child exploitation to Osama Bin Laden’s digital media. She has helped law enforcement, eDiscovery firms and the federal government extract and manually decode artifacts used in solving investigations around the world.
Jared Barnhart is the Head of CX Strategy and Customer Advocacy at Cellebrite, a global leader in premier Digital Investigative solutions for the public and private sectors. A former detective and mobile forensics engineer, Jared is highly specialized in digital forensics, regularly training law enforcement and lending his expertise to help them solve cases and accelerate justice.