Burning Teslas & ALPR, Government Encrypted Messages, Ineffective Assistance of Counsel, Forgotten Phone Passcodes & More
Vol. 6, Issue 4

April 7, 2025
Welcome to Decrypting a Defense, the monthly newsletter of the Legal Aid Society’s Digital Forensics Unit. This month, Greg Herrera explains how alleged Tesla arsonists were identified and discusses efforts to curtail the use of automated license plate readers. Joel Schmidt analyzes government use of encrypted messaging apps like Signal following recent revelations of a high-level group chat. Christine Farolan highlights the importance of investigating digital evidence in light of a recent decision. Finally, Allison Young addresses the unfortunate scenario in which a client cannot remember how to unlock their phone.
The Digital Forensics Unit of The Legal Aid Society was created in 2013 in recognition of the growing use of digital evidence in the criminal legal system. Consisting of attorneys and forensic analysts, the Unit provides support and analysis to the Criminal Defense, Juvenile Rights, and Civil Practices of The Legal Aid Society.
In the News

Teslas, Alleged Arsons, and Actual ALPRs
Gregory Herrera, Digital Forensics Staff Attorney
On March 20, 2025, Attorney General Pamela Bondi announced federal charges against three individuals for allegedly destroying Tesla properties in South Carolina, Oregon, and Colorado. As detailed by the always-excellent 404 Media, all three individuals were identified using a combination of digital technologies – surveillance cameras, automated license plate readers (ALPRs), and open-source intelligence (OSINT) via social media and a mobile payment app.
Daniel Clarke-Pounder (24 years old) is accused of setting charging stations on fire with Molotov cocktails in South Carolina on March 7, 2025. Court documents state that agents tracked him via surveillance video to a mall parking lot, where he fled in a car. The mall’s security consultants gave investigators photos of Clarke-Pounder from surveillance videos and they apparently had access to an ALPR, which federal agents used to obtain the vehicle’s license plate. Eventually, a search of South Carolina Department of Motor Vehicles (DMV) records revealed the car was registered to Clarke-Pounder. Investigators also scoured Clarke-Pounder’s publicly available social media, which led them to his phone number, and eventually his address.
In Oregon, Adam Lansky (41 years old) is charged with damaging seven Teslas inside a Tesla dealership with at least one Molotov cocktail while holding an AR-15 style rifle on January 20, 2025. Lansky allegedly went to the same Tesla dealership about a month later and fired multiple rounds (which apparently was not heard by the on-premises security guard or the nearby police patrol allegedly due to a suppressor). Lansky’s address was obtained after a license plate search of a vehicle in a nearby business’s parking lot outside of business hours. Court documents also state that the FBI’s lab matched four latent fingerprints from a glass bottle, duct tape, and paper remnant samples to Lansky.
The allegations in Colorado accuse 42-year-old Lucy Nelson of spray painting a Tesla dealership, vandalizing several cars, and throwing a Molotov cocktail at a Tesla car in late January and early February. There too investigators used ALPRs to track the car and its registration information.
And that’s not all. Federal investigators stated in court documents that they tracked another alleged Tesla arsonist in Nevada via his car’s Wi-Fi. Paul Hyon Kim is accused of throwing Molotov cocktails at a Tesla Center in Las Vegas last month. Surveillance video and ALPRs allowed investigators to determine the car’s direction of travel. Then they obtained “tower dumps” – a controversial investigative method where a search warrant orders telecommunications companies to provide information about all the devices that connected to certain cell phone towers during a specified time. In this case, the tower dumps showed that the car’s Wi-Fi system had connected to two towers, which investigators believe was the system inside Hyon Kim’s car. A federal judge in Mississippi recently found that tower dumps are unconstitutional and make a “mockery of the Fourth Amendment.”
ALPRs are used by nearly 90% of sheriffs’ offices with 500+ deputies and 100% of police departments in municipalities with more than 1 million residents, according to an August 2024 congressional report. They are sold by companies like Flock, which also sells drones, cameras on wheels, and proprietary software to integrate all this surveillance until police know everything, everywhere, all at once.
But some are fighting back. DeFlock, a website started by Will Freeman when he started noticing ALPRs during a road trip, shows the pervasive nature of ALPRs via a national interactive map and discusses the various concerns with ALPRs. Not only are they dragnet surveillance capable of logging all your movements throughout the day, they can be used to stop people at gunpoint because of an erroneous ALPR hit, to target immigrants for deportation, or to stalk people. Some states are considering legislation to regulate the use of ALPRs, with some proposals calling for written policies, restricting where ALPRs can be installed, and setting data retention periods. A pending Missouri bill would ban ALPRs in the name of safety and privacy.
It took years before the Supreme Court agreed with Fourth Amendment challenges to other digital surveillance technologies like thermal imaging (in Kyllo v. U.S., 533 U.S. 27 (2001)), vehicle GPS tracking devices (in U.S. v. Jones, 565 U.S. 400 (2012)), and historical cell site location information (in Carpenter v. U.S., 585 U.S. 296 (2018)). Thus far, courts have not agreed with Fourth Amendment challenges to ALPRs. The Ninth Circuit, in U.S. v. Yang, 958 F.3d 851 (2020), found that the defendant did not have standing to challenge because he kept a rental car eight days past the return date. More recently in U.S. v. Mapson, 96 F.4th 1323 (2024), the Eleventh Circuit ruled against a defendant who argued that an ALPR search was akin to cell site location information, which required a warrant under Carpenter. The Court held that the good-faith exception to the exclusionary rule applied to the government’s warrantless ALPR database search because the ALPR search occurred literally one day before the Carpenter ruling was decided.
It seems almost inevitable that the Supreme Court will one day grapple with a Fourth Amendment challenge to the ALPR dragnet. But, if history is any indication, it may take some time.

Government Messaging Gone Too Far
Joel Schmidt, Digital Forensics Staff Attorney
Back in January we reported that federal officials were urging Americans to use encrypted messaging apps. We were told “encryption is your friend” and were strongly urged to “use your encrypted communications where you have it.” In written guidance issued to “highly targeted individuals” but “applicable to all audiences,” the Cybersecurity and Infrastructure Security Agency (CISA) urged Americans to “[a]dopt a free messaging application for secure communications that guarantees end-to-end encryption, such as Signal or similar apps.”
It seems some have taken this advice a little too far. On March 24, 2025, the editor-in-chief of The Atlantic magazine, Jeffrey Goldberg, reported that National Security Advisor Mike Waltz added him to a Signal group chat in which Secretary of Defense Peter Hegseth discussed sensitive military plans about an impending American attack on Houthi targets in Yemen and disclosed the name of a Central Intelligence Agency (CIA) officer. Also present in the group chat were Vice President JD Vance, Secretary of State Marco Rubio, CIA Director John Ratcliffe, Director of National Intelligence Tulsi Gabbard, Treasury Secretary Scott Bessent, and at least eight other officials in senior federal leadership positions.
It should go without saying that high-ranking government officials with access to the federal government’s sophisticated encrypted messaging abilities should use those platforms to transmit sensitive information, whether classified or not. After all, using Signal doesn’t prevent all possible security issues. The encrypted communication abilities available to high-ranking officials in the federal government are disconnected from the wider internet and have greater protections from America’s adversaries. It should come as no surprise that Department of Defense (DoD) personnel “are NOT authorized to access, transmit, or process non-public DoD information” on commercially available messaging apps such as Signal.
The issues with using Signal to communicate classified information are both human and technical in nature. The human problem is obvious. All the encryption in the world is useless if you grant the wrong person access to the communications, as when an unauthorized person is inadvertently added to a sensitive group chat. Encryption is also useless if you accept an incoming message request from and start chatting with someone you think you trust but who is actually masquerading as someone else – a very real possibility given that personal cellphone numbers of top officials are sometimes available online.
From a technical perspective, using Signal may also be a bad idea because if the phone itself is compromised by an adversary – either remotely or by physically taking possession of the device – then they’ll be able to view all the messages on the phone, encrypted or otherwise. The weakness is not with Signal itself, but in the devices Signal is being used on; commercially available devices are not designed to have the same protections as devices that are meant to be used for classified intelligence. This is another reason why forcing companies to create a backdoor into their device encryption would likely open those devices up further to attacks by bad actors.
Earlier this year the Google Threat Intelligence Group warned it “has observed increasing efforts from several Russia state-aligned threat actors to compromise Signal Messenger accounts used by individuals of interest to Russia’s intelligence services,” a warning amplified by the Pentagon. Group chats are especially risky because an adversary only has to compromise one participant’s phone to see everyone’s messages. However, again, the issue has less to do with the security of the Signal app itself and relates more to people falling for a phishing scheme and linking their account to the wrong device.
In addition to these issues, the use of Signal by high ranking government officials also violates federal record keeping laws where, as here, messages are set to disappear after a predetermined amount of time has passed.
Hopefully, going forward those in leadership positions in the federal government will make use of the government-approved sophisticated encryption abilities available to them. Anything else can “signal” America’s intentions to its adversaries and jeopardize national security.
In the Courts

Appellate Division Finds Counsel Ineffective for Failing to Review Digital Evidence
Christine Farolan, Digital Forensics Staff Attorney
Last month, the Fourth Department ruled that a defense attorney’s failure to review the results of extractions of his client’s cell phones constituted ineffective assistance of counsel. The record indicated that defense counsel hadn’t reviewed his client’s cell phone records at any stage of litigation—from the Mapp and Molineux hearings to trial itself.
“[D]efense counsel initially failed to object to the admission of a flash drive containing the entire contents of defendant’s cell phones, but, when the People later isolated a portion of the cell phone contents as a separate exhibit for the jury, defense counsel objected—although the contents had already been admitted—and acknowledged that he had not had a chance to review ‘the exact exhibit.’ Defense counsel also failed to object to the portion of those contents containing voice notes, which constituted improper hearsay (citation omitted). Additionally, defense counsel’s failure to review the contents of defendant’s cell phones had the result that he could not appreciate how important certain text messages and other communications were to the People’s case.”
People v. Cousins, 2025 NY Slip Op 01535 (2025).
The Cousins court found that there was no legitimate explanation for defense counsel’s failure to investigate the phone records, and the defendant was granted a new trial.
In a previous newsletter, we covered a New York County Supreme Court case where defense counsel was also found ineffective, in part for failing to meaningfully engage with digital evidence in a homicide case. People v. Johnson, 2023 NY Slip Op 51015(U) (2023). In Johnson, there were multiple failures on defense counsel’s part regarding digital evidence: (1) not challenging cell site location info, (2) not investigating and using phone records, (3) not submitting a motion to controvert the search warrant for the defendant’s phone, and (4) not challenging color-coded arrows used to annotate video surveillance that constituted identifications. We wrote that counsel likely would have been found ineffective based on other, separate failures, but the Johnson court’s ruling made it clear that failures related to investigating digital evidence alone can constitute ineffectiveness.
Cousins is significant because the Court found defense counsel ineffective strictly due to the failure to investigate digital evidence. The Court declined to address the rest of the defendant’s contentions.
All this to say—the wealth of digital evidence that defense attorneys see in their cases today cannot be ignored. Defense attorneys are certainly not expected to have a complete understanding of every form of tech they come across. However, they need to know when it’s time to seek outside expertise to help them analyze it.
Ask an Analyst
Do you have a question about digital forensics or electronic surveillance? Please send it to AskDFU@legal-aid.org and we may feature it in an upcoming issue of our newsletter. No identifying information will be used without your permission.
Q: My client has some pretty crucial text messages on their phone that we need to negotiate with the DA. This is an older phone they were keeping at their house. When they go to unlock it with their fingerprint, the phone is asking for a password. My client says they never used a password. Is there any way to get the data off?
A: When smart phones are restarted, they generally require users to enter the passcode to open the phone instead of using biometrics like face ID or fingerprints. This workflow can prevent law enforcement from compelling you to hand over your data, but it also reduces the number of times a user reinforces their passcode in their memory – and increases the likelihood that they will forget it. It is uncommon, although not unheard of, for someone to not even remember entering a passcode because they have not restarted their phone in so long.
For defense and civil investigations, our ability to bypass passcodes in newer phones is limited by time and technology. We have fewer tools available to us. When it is possible, it can take anywhere from minutes to years to crack depending on the strength of phone and passcode security. If I am given a locked phone as evidence, my next step is usually to secure it in a storage locker and then ask the client about other sources of data (like backups in the cloud). Not knowing a passcode can be a dead end for all practical purposes.
Once upon a time, it was a little easier to get into a locked phone. On some handsets, you could find and delete the password settings file(s) and the phone would work as though a password was never set. Clever hacks would allow you to enter as many password attempts as you’d like without wiping data, enabling the use of special “brute force” devices to automate guessing. Analysts could also do a chip-off extraction, opening the physical phone and reading information directly from the memory without worrying about the passcode at all.

However, if we tried a chip-off extraction on a modern iPhone, the data we would copy would still be ciphertext (encrypted) and we would not be able to see usable data. Security is handled more elegantly, and “old school” lockpicking tricks at best will do... nothing at all.
So can we get into a locked phone? The chances are slim. I won’t rule every option out, as I still see the occasional wild flip phone in use. A summary of methods I might try is listed below:
Brute force guessing the passcode with software (more successful with less secure devices, and with “law enforcement only” tools)
Bypassing the password by deleting password files or using ancient phone-specific hacks, like the one shown in this video (if the phone does not use modern encryption)
Cloud recovery options if set up by the user (these may no longer be offered due to security issues)
Default passcodes (if the user does not remember setting one, something simple like 0000 or 1234 or their birthday may be worth trying once, but typing random passwords can inadvertently destroy evidence)

As I mentioned before, when faced with a locked phone, you will have a better chance of success looking outside the phone towards other sources of digital data, like cloud backups. While unlimited time, genius, and budget may render even the most secure phones insecure, we generally do not have these resources in legal investigations. I certainly don’t want to live in a world where “this one weird trick” can allow someone to access my private communications. That protection, unfortunately, may sometimes leave an alibi “in bits.”
Allison Young, Digital Forensics Analyst
Upcoming Events
April 10, 2025
Listening for Bias: The Politics and Potential of Speech AI (Just Tech and the Center for Urban Science + Progress) (Brooklyn, NY)
Resisting Predatory Data (Data & Society) (Virtual)
April 24-26, 2025
2025 Forensic Science & Technology Seminar (NACDL) (Las Vegas, NV)
April 28-May 2, 2025
IACIS Collecting and Admitting Digital Evidence at Trial (IACIS) (Orlando, FL)
May 5, 2025
Ethics in Social Media 2025 (PLI) (New York, NY and Virtual)
May 20, 2025
Decrypting a Defense IV Conference (Legal Aid Society’s Digital Forensics Unit) (New York, NY) (Registration link coming soon!)
May 21, 2025
AI Analytics and Fourth Amendment Challenges (NYSDA) (Virtual)
June 2, 2025
Amped Connect US 2025 (Amped Software) (Wilmington, NC)
June 3-5, 2025
Techno Security & Digital Forensics Conference (Wilmington, NC)
July 11-12, 2025
Summercon (Brooklyn, NY)
August 7-10, 2025
DEF CON 33 (Las Vegas, NV)
August 15-17, 2025
HOPE 16 (Queens, NY)
Small Bytes
‘Super Phone Bills’ Can Prove You’re Lying In Court (Forbes)
The 200+ Sites an ICE Surveillance Contractor is Monitoring (404 Media)
Student privacy vs. safety: The AI surveillance dilemma in WA schools (Seattle Times)
“Guardrails” Won’t Protect Nashville Residents From AI-Enabled Camera Networks (EFF)
Hungary bans Pride events and plans to use facial recognition to target attenders (Guardian)
Alexa is getting creepier. Take this one step to improve your privacy. (Washington Post)
Facial Recognition Company Clearview Attempted to Buy Social Security Numbers and Mugshots for its Database (404 Media)
The NYPD is sending more drones to 911 calls, but privacy advocates don’t like the view (The Record)
Entering the U.S.? Here are your rights at airports and border crossings. (Washington Post)
Is it safe to travel with your phone right now? (The Verge)
AI Surveillance on the Rise in US, but Tactics of Repression Not New (Tech Policy Press)
NYC facial recognition startup scraping social media to identify protestors (BiometricUpdate.com)