Monday, June 29, 2015

The SpyEye Trojan, Abuse.ch and the Motion to Suppress

This post examines an opinion a U.S. District Court Judge who sits in the Northern District of Georgia issued recently in a criminal case:  U.S. v. Bendelladj, 2015 WL 3650219 (U.S. District Court for the Northern District of Georgia 2015). The issue the judge addresses in the opinion involves a motion to suppress evidence; if you are interested in the charges, and the facts that gave rise to those charges, check out the news stories you can find here and here. And you can find the indictment here
The District Court Judge assigned Hamza Bendelladj’s motion to suppress to a U.S. Magistrate Judge. U.S. v. Bendelladj, supra.  Pursuant to Rule 59 of the Federal Rules of Criminal Procedure, the Magistrate Judge was to review the motion, analyze the arguments it made and the relevant law, and write a Report and Recommendation (“R&R”) reporting to the U.S. District Court Judge whether the motion should be granted or denied.  U.S. v. Bendelladj, supra.
In his motion to suppress, Bendelladj “challenge[d]” the
February 25, 2011 search warrant which authorized a search for

`Information associated with IP Address 75.127.109.16 and the domain name 100myr.com that is stored at premises owned, maintained, controlled, or operated by Global Net Access, LLC, a company headquartered at 1100 White St. S.W. Atlanta, Georgia, 20210.’
R&R - U.S. v. Bendelladj, supra.  
The Magistrate Judge began his analysis of Bendelladj’s motion by explaining what the FBI Agent who obtained the warrant, Special Agent Mark C. Ray, did to establish the probable cause on which the warrant had to be based.  U.S. v. Bendelladj, supra.  Under Federal Rules of Criminal Procedure Rule 41(d)(1), a District Court Judge must issue a search warrant if a federal agent submits an application for the warrant and an affidavit that establishes probable cause for issuing the warrant. You can, if you interested, find an example of a search warrant application and supporting affidavit here. In this case, the search warrant was issued by another U.S. Magistrate Judge, i.e., not by the one who is reviewing Bendelladj’s motion to suppress here.
The Magistrate Judge in this case explained that Agent Ray submitted an affidavit, in support of his request for a search warrant, in which he
recounted his training and experience in the computer crimes area, including both law enforcement training and experience and private industry. . . . He defined technical terms such as `server,’ `IP address,’ `domain name,’ `hot [sic] and botnet,’ `Banking Trojan,’ `keynote logging [sic],’ `form grabbing,’ and `malware.’ . . .He then alleged that in December 2009, a new malware toolkit called SpyEye v1.0 appeared for sale on Russian underground online forums. . . . Investigation revealed `Gribodemon’ to be SpyEye's creator. . . . The affiant concluded that Spy Eye was similar to another malware called Zeus Banking Trojan, in that each used keystroke logging and form grabbing techniques designed to steal financial and personally identifying information from unsuspecting computer users. . . .

The affidavit then recounted that the creator of Zeus Banking Trojan announced that he intended to hand over the source code for Zeus to Gribodemon, who indicated on online criminal forums that he intended to combine Zeus and SpyEye into a larger more malicious malware toolkit. . . .The affidavit then explained that thereafter a combined malware, SpyEye v1.3.05, was released. . . .

The affidavit continued that a SpyEye Command and Control (`C & C’) server is a computer system administered by one or more individuals that is used remotely to send commands to the victim computers (bots) under its control. . . . The affidavit related that several SpyEye C & C servers had been identified worldwide by their IP addresses, including one previously operating in this District and another which was currently active in this District and the subject of the search warrant application. . . .The affiant stated . . . that there are several websites available in the malware research industry designed to locate computers or servers connected to the Internet that are infected with or operating malware and botnets.

Specifically, the website called Spy Eye Tracker (https:// spyeyetracker.abuse.ch) identified SpyEye C & C servers worldwide, by searching for and locating files on computer systems that are uniquely associated with SpyEye. SpyEye Tracker was developed by the Swiss internet security research firm Abuse.eh. Abuse.ch developed the well known Zeus Tracker website (https:// zeustracker.abuse.ch). I have learned through discussions with members of the internet security industry and law enforcement that the Zeus Tracker website is utilized by corporations and law enforcement agencies worldwide for identifying Zeus C & C servers. In addition, I have learned from these discussions that many information security organizations and law enforcement agencies around the world recognize SpyEye Tracker as a reliable source of identifying SpyEye C & C servers. I am not aware of any instances in which SpyEye Tracker has misidentified a particular IP address as hosting a SpyEye C & C server.

18. On December 16, 2010, I obtained a similar search warrant for another suspected SpyEye C & C server hosted by a company in Omaha, Nebraska. The affidavit I submitted in support of the search warrant application relied, in part, on the fact that the suspected SpyEye C & C server had been identified as such on SpyEye Tracker.[ ] On January 26, 2011, I obtained three other search warrants for suspected SpyEye C & C servers hosted by companies in Orlando, Florida, Kansas City, Missouri, and New York, New York. The affidavits I submitted in support of those search warrant applications also relied, in part, on the fact that the suspected SpyEye C & C servers had been identified as such on SpyEye Tracker.[ ] The information obtained pursuant to all four search warrants confirmed that the suspected SpyEye C & C servers were, in fact, SpyEye C & C servers; thus, supporting the reliability of SpyEye Tracker in identifying SpyEye C & C servers.

19. Based on my training and experience, I know that malware research websites such as SpyEye Tracker use various methods for identifying and labeling servers connected to the internet as SpyEye C & C servers. For example, one common method is setting up a computer as a “honey pot.” A honey pot in the malware research field is a computer that is connected to the internet with the intention of becoming infected with malware such as SpyEye. The computer is intentionally left in a vulnerable state (that is, no anti-virus protection) so that the person who establishes the honey pot can identify the source of the vims such as a SpyEye C & C server once the computer becomes infected. This is done by capturing the IP Addresses associated with distributing and operating the malware. While I do not know the specific method SpyEye Tracker uses to identify any specific server as a SpyEye C & C server, based on my training and experience, I believe that the various methods of which I am aware are reliable.

20. On February 17, 2011, at 11:23 p.m., I reviewed the SpyEye Tracker website. The following information was observed:
SpyEye C & C
IP address
Level
Status
Files Online
Country
AS numb er
100myr.com
75.127.109.16
4
online
2
USA
AS16626
This information indicates that the server with IP address 75.127.109.16, utilizing the domain name 100myr.com, is being utilized as a SpyEye C & C server. . . . This IP address is owned, maintained, controlled, or operated by Global Net Access LLC, a web hosting company headquartered at 1100 White St, SW, Atlanta, Georgia 30310. SpyEye Tracker is updated on a daily basis, thus I have reason to believe that malicious code is still on this server.
R&R - U.S. v. Bendelladj, supra. (Unfortunately, Blogger truncates the full version of the information from the SpyEye Tracker site, which is given as a set of columns of figures, and I cannot find it anywhere online.) 
The Magistrate Judge noted that the affidavit
also related that the suspected Omaha SpyEye C & C server had been identified as such on another website, malwaredomainlist.com (http://www.malwaredomainlist.com), while the servers in this case and the ones in Orlando, Kansas City and New York had not been identified as such on malwaredomainlist.com. . . .

Finally . . .the affidavit provided that Global Net Access LLC is a business that maintains servers connected to the Internet and offers those servers for customers to use to operate websites, store and process information and perform other web-based activities. It also stated that a provider such as Global Net Access gives customers, for a fee, access to its servers and often offers related services such as domain name registration and e-mail service. . . .
R&R - U.S. v. Bendelladj, supra.
The Magistrate Judge then noted that Bendelladj alleged, in support of his motion, that
the primary source of the information in the warrant application is from a website called Abuse.ch, which Bendelladj likens to a confidential informant. He argues that in effect Abuse.ch is just a blog, that is, an unfiltered personal internet account, with no identifiable contributor. Bendelladj submits that the unknown contributor associated with Abuse.ch lists IP addresses asserted to be malware, however, this information has not been shown to have been vetted, cannot be verified nor can it be recreated since Abuse.ch does not maintain an archive.

In addition, he alleges that although this website is associated with the `Swiss Information Security Research Association’ and `Bernet Monika,’ the only cross-reference to this information is the website itself. . . . Bendelladj also points out that the affiant conceded he was unaware of the methodology Abuse.ch used to obtain the IP addresses it puts on the suspected malware list, and argues therefore that the website's reliability or accuracy cannot be checked. He also argues that the bald statement that Abuse.ch is relied upon by security organizations and law enforcement agencies around the world is not sufficient, since these entities are not identified. . . .

Bendelladj next argues that the supporting affidavit's acknowledgment that the suspected malware in this case, SpyEye C & C, did not show up on another respected cyber-security website, www.malwaredomainlist.com, is another reason to suspect Abuse.ch's reliability. . . . Finally, he argues that the Abuse.ch webpage screenshot attached to the affidavit shows `no results’ for linking 100myr.com to the Atlanta-based IP address. . . .
R&R - U.S. v. Bendelladj, supra.
The Magistrate Judge then addressed Bendelladj’s arguments, starting with Abuse.ch:
[t]he issuing magistrate judge was justified in concluding that the information from Abuse.ch was reliable and thus probable cause existed to issue the search warrant.

First, the affiant related that Abuse.ch was relied upon by other law enforcement officers (and private security organizations) in their efforts in detecting both Zeus Banking Trojan and SpyEye malware. Observations of fellow officers engaged in a common investigation are a reliable source for a warrant. . . .U.S. v. Kirk, 781 F.2d 1498 (U.S. Court of Appeals for the 11th Circuit 1986). . . . The fact that the law enforcement agencies were not identified does not render the information unreliable; after all, search warrants may be based upon information from anonymous lay informants. . . . See U.S. v. Brundidge, 170 F.3d 1350 (U.S. Court of Appeals for the 11th Circuit 1999). What is critical is that the confidential information be reliable. In this case, it was.
R&R - U.S. v. Bendelladj, supra.
The Magistrate Judge then pointed out that the affiant whose statement supported issuing the warrant
asserted facts that corroborated the reliability of both Abuse.ch and the opinion of Abuse.ch's reliability held by the anonymous law enforcement agencies and private security organizations. First, the fact that Abuse.ch accurately identified IP addresses associated with the Zeus Banking Trojan makes it more likely that Abuse.ch's listing of the subject IP address as SpyEye malware also was accurate. See U.S. v. Morales, 238 F.3d 952 (U.S. Court of Appeals for the 8th Circuit 2001) (`Information may be sufficiently reliable to support a probable cause finding if the person providing the information has a track record of supplying reliable information, or if it is corroborated by independent evidence’); U.S. v. Ridolf 76 F.Supp.2d 1305 (U.S. District Court of Appeals for the Middle District of Alabama 1999) (recognizing that one way to test reliability and veracity is to examine the informant's `track record’ of providing reliable information in the past).
R&R - U.S. v. Bendelladj, supra.
The Magistrate Judge then explained that Bendelladj’s arguments failed because,
[s]econd, Agent Ray utilized Abuse.ch's information in support of search warrants for suspected SpyEye C & C servers in Omaha, Orlando, Kansas City and New York, and the information was shown to be reliable as these IP addresses were discovered to be SpyEye.
R&R - U.S. v. Bendelladj, supra.
He also pointed out two more reasons why Bendelladj’s arguments did not succeed:
Third, it appears from the affidavit that Abuse.ch's SpyEye Tracker is just as reliable as another malware research tool, malwaredomainlist.com, that Bendelladj holds up as accurate. While he claims that the subject IP address appeared on Abuse.ch's list but did not appear on malwaredomainlist.com, the affidavit also recounted that the SpyEye C & C servers in Orlando, Kansas City and New York similarly did not appear on malwaredomainlist.com but were found to be malware. Thus, that the instant IP address did not appear on the other tracking list does not render SpyEye Tracker unreliable.

Fourth, the warrant is not fatal because Abuse.ch's methodology in creating its SpyEye Tracker list is unknown. There is no precedent or authority demanding that the reliability standard of Daubert v. Merrell Dow Pharms., Inc., 509 U.S. 579 (1993), be applied to investigative procedures used by law enforcement in order for the search warrant to contain probable cause for the search, nor does Daubert hold that this standard must be applied to the probable cause analysis. United States v. Pirosko, 2013 WL 5595224 (U.S.District Court for the Northern District of Ohio 2013).

Here the Court has found that the information from Abuse.ch was reliable, and thus the issuing magistrate judge was entitled to rely upon it in his consideration of whether probable cause to search existed. The same holds true for Bendelladj's argument that he cannot recreate Abuse.ch's results, since `probable cause must exist when the magistrate judge issues the search warrant,’ U.S. v. Santa, 236 F.3d 662 (U.S. Court of Appeals for the 11th Circuit 2000) (quoting U.S. v. Harris, 20 F.3d 445 (U.S. Court of Appeals for the 11th Circuit 1994)). The fact that the information cannot be duplicated or recreated does not mean it was not reliable at the time the warrant issued.      
R&R - U.S. v. Bendelladj, supra.
And, finally, the Magistrate Judge explained that the fact that Bendelladj
could not find sufficient information on the entity and person associated with Abuse.ch does not detract from the reliability of Abuse.ch's SpyEye Tracker list as demonstrated in the affidavit for the search warrant. The list is used by law enforcement and private security organizations to detect the SpyEye malware, and in using IP addresses listed on SpyEye Tracker, in addition to other information, the affiant was able to discover SpyEye malware in at least four other IP addresses. That is sufficient to demonstrate reliability.

Thus, the information from Abuse.ch was reliable and, under the totality of circumstances, that the subject IP address was listed on Abuse.ch's SpyEye Tracker list properly contributed to the issuing magistrate judge's conclusion that probable cause existed to issue the warrant.

Finally, the Court takes note of Bendelladj's argument that Exhibit A to the search warrant affidavit shows `no results’ for three of the URL searches performed by the affiant. However, it is Bendelladj's burden to show that the warrant was invalid, and the bare statement in his motion about these `no result’ entries, given that the same exhibit shows that there was a `hit’ for SpyEye malware on the IP address, is not sufficient to undermine the finding of probable cause in this case.
R&R - U.S. v. Bendelladj, supra.
For these and other reasons, the Magistrate Judge recommended that Bendelladj’s motion to suppress be denied.  R&R - U.S. v. Bendelladj, supra.
Then, as Rule 59(b)(3) of the Federal Rules of Criminal Procedure and 28 U.S. Code § 636(b)(1) require, the U.S. District Court Judge reviewed the Magistrate Judge’s recommendations and accepted them. U.S. v. Bendelladj, supra. He then denied Bendelladj’s motion to suppress.  U.S. v. Bendelladj, supra.


Friday, June 26, 2015

The Thief, the iPhone and the Phone Tracking Program

After a jury convicted Tracy T. Rowe of one count of burglary, in violation of Ohio Revised Code § 2911.12, and the judge sentenced him to “eight years in prison for the conviction”, he appealed.  State v. Rowe, 2015 WL 3757301 (Ohio Court of Appeals – Franklin County 2015). 
The Court of Appeals begins its opinion by explaining that Rowe was indicted for burglary on April 30, 2015, after which the case was "`tried to a jury in November 2014."  State v. Rowe, supra. 
The court goes on to outline the evidence that was presented at Rowe's trial: 
On April 21, 2014, Cassondra Denniston, returned to her residence at 385 East 16th Avenue, Columbus, Ohio, after attending classes at The Ohio State University (`OSU’). Denniston arrived at the house shortly before 4:00 p.m., and entered through the back door near the kitchen.’

`She put down her phone and other items, and then she noticed a stranger standing in the living room of the house, which she shares with nine roommates. Suspecting that the man was not supposed to be there, Denniston began to say something. But when the man started to `shuffle’ his feet, Denniston knew he was an intruder. . . . The man ran to the kitchen, picked up Denniston's iPhone, and exited the house. The man ran through an alley toward the OSU campus.’      
State v. Rowe, supra.
The court then explains that Denniston
immediately left the house, got in her car, and went to a café a few blocks away. From the café, she called the police and opened a phone tracking program on her laptop computer. Such a program enables the owner of a GPS equipped phone to identify or track the location of the phone. Denniston returned to her house where she met Officer Jenna Arthur of the Columbus Division of Police. Denniston provided a description of the intruder to Officer Arthur. Denniston described the intruder as an African–American male, wearing a black `hoodie,’ a hat turned backwards, yellow tinted sunglasses, `cardigan’ shorts, and sneakers. . . .

Denniston provided the laptop, with its phone tracking program running, to Officer Arthur. Arthur relayed information out by radio relating to the description provided by Denniston and the location of the phone. When Arthur began tracking the phone on Denniston's laptop, the phone was at 13th Avenue and High Street. Arthur observed that the phone was moving south on High Street.
State v. Rowe, supra.
The opinion then explains how the officers found, and arrested, Rowe:
Officers Steven Baird and Shannon Dearwester of the Columbus Division of Police were dispatched to attempt to locate Denniston's phone. Baird determined that each update regarding the phone's location was at a Central Ohio Transit Authority bus stop, likely indicating the phone was on a bus. Based on the tracking information provided by Arthur, Officers Baird and Dearwester stopped a bus traveling south on High Street. Baird testified that the bus had already been stopped and boarded by two other Columbus police officers approximately four or five minutes before Baird and Dearwester stopped and boarded the bus.

After Baird and Dearwester boarded the bus, they located a man in the back of the bus generally matching the description provided by Denniston. The officers asked the man, who was later identified as Rowe, to exit the bus with them. When Rowe was removed from the bus, he was not wearing a dark `hoodie’ as reported by Denniston. Rowe was carrying a backpack, which the police searched. The officers found several phone charging cords, among other items such as clothes and headphones.

According to Officer Baird's testimony, once the officers began removing Rowe from the bus, they noticed a phone under the seat where Rowe had been sitting. The phone was being `pinged’ by another source, that is, it was `vibrat[ing] and flash[ing] and kind of mak[ing] a funny noise.’ . . . Dearwester testified that he did not locate the phone until the officers and Rowe exited the bus. Dearwester further testified he again boarded the bus to look for the phone and found it under the seat where Rowe had been sitting. The phone was emitting a sound but it was not ringing.

Daniel Jensen was on the bus when the police removed Rowe. Jensen was taking the bus downtown to attend a Columbus Blue Jackets game. According to Jensen's testimony, at a stop just south of the OSU campus, a police officer boarded the bus, walked up and down the aisle, and then exited the bus. When this occurred, Rowe was on the bus, sitting near Jensen. After the first police officer boarded the bus, Rowe was `ruffling around with the [book]bag’ he was carrying. . . . At the next bus stop, two police officers boarded the front of the bus and two boarded at the rear of the bus. At that time, the police removed Rowe from the bus, and the bus continued southbound.

At the next stop, another police officer boarded the bus and asked Jensen where Rowe had been sitting. Jensen informed the police officer, who then searched under the seats in that area. The police officer found a phone under the seat adjacent to where Rowe had been sitting. During Jensen's time on the bus, he did not see anyone else sit in the area where Rowe had been sitting. Additionally, Jensen did not see Rowe in possession of the phone that was discovered under the seat.
State v. Rowe, supra.
The next thing that happened was that after the officers removed Rowe from
the bus, Arthur took Denniston to the apprehension location to make an identification. At that location, Denniston identified Rowe as the man who had been in her house. Denniston was `very confident’ of her identification. . . . Once Denniston made the identification, Rowe was handcuffed and placed in a police vehicle. At trial, Denniston again identified Rowe as the man who had been in her house.
State v. Rowe, supra.
At some point later, Denniston
confirmed with her roommates that none of them had given anyone permission to be at the house on the afternoon of April 21, 2014.
Additionally, Denniston learned that one of her roommates was missing a phone charger after the burglary, which the police recovered and returned to Denniston's roommate. Lastly, a couple days after the burglary, one of Denniston's roommates discovered that a basement window to the house was shattered.
State v. Rowe, supra.
On appeal, Rowe argued that “his conviction for burglary was not supported by sufficient evidence and was against the manifest weight of the evidence.”  State v. Rowe, supra.
In a criminal prosecution, of course, the prosecution has the burden to prove all the elements of the crime charged beyond a reasonable doubt.  The Court of Appeals began its analysis of his argument with the issue of whether the evidence presented at trial was sufficient to prove Rowe’s guilty beyond a reasonable doubt, explaining that whether
there is legally sufficient evidence to sustain a verdict is a question of law. State v. Thompkins, 78 Ohio St.3d 380 (Ohio Supreme Court 1997). Sufficiency is a test of adequacy. State v. Thompkins, supra. The relevant inquiry for an appellate court is whether the evidence presented, when viewed in a light most favorable to the state, would allow any rational trier of fact to find the essential elements of the crime proven beyond a reasonable doubt. State v. Mahone, 2014 WL 1350969 (Ohio Court of Appeals  2014). `[I]n a sufficiency of the evidence review, an appellate court does not engage in a determination of witness credibility; rather, it essentially assumes the state's witnesses testified truthfully and determines if that testimony satisfies each element of the crime.’ State v. Bankston, 2009–Ohio–754 (Ohio Court of Appeals 2009).
State v. Rowe, supra.
It went on to explain that in order to prove that Rowe
committed burglary as charged in the indictment, the state was required to show that Rowe, by force, stealth, or deception, trespassed in an occupied structure `that is a permanent or temporary habitation of any person when any person other than an accomplice of the offender is present or likely to be present, with purpose to commit in the habitation any criminal offense.’ Ohio Revised Code § 2911.12(A)(2).

Viewed in a light most favorable to the state, the evidence at trial demonstrated Rowe committed burglary, as charged in the indictment. When Denniston returned home from classes at OSU, she encountered Rowe standing in her living room. Denniston shares her house with nine roommates, but none of them authorized Rowe to be in the house. When Rowe saw Denniston, he quickly exited the house stealing Denniston's phone on his way out. Rowe then fled on foot to the OSU campus and boarded a bus travelling south on High Street. Later, it was discovered that a basement window to Denniston's house had been smashed, providing Rowe a means of entrance into the house. In view of the foregoing evidence, the state established the essential elements of the crime of burglary as charged in the indictment.
State v. Rowe, supra.
The Court of Appeals then took up the other issue Rowe raised on appeal – whether his conviction was “against the manifest weight of the evidence.”  State v. Rowe, supra. It began its analysis of the argument by noting that when a court is presented with a
manifest weight argument, an appellate court engages in a limited weighing of the evidence to determine whether sufficient competent, credible evidence supports the jury's verdict. State v. Salinas, 2010–Ohio–4738 (Ohio Court of Appeals 2010). . . . When a court of appeals reverses a judgment of a trial court on the basis that the verdict is against the weight of the evidence, the appellate court sits as a “`thirteenth juror’” and disagrees with the factfinder's resolution of the conflicting testimony.’ State v. Thompkins, supra, quoting Tibbs v. Florida, 457 U.S. 31 (1982). Determinations of credibility and weight of the testimony are primarily for the trier of fact. State v. DeHass, 10 Ohio St.2d 230 (Ohio Supreme Court 1967). . . .

The jury, or the trial court in a bench trial, “`is best able to view the witnesses and observe their demeanor, gestures and voice inflections, and use these observations in weighing the credibility of the proffered testimony.’”   State v. Cattledge, 2010–Ohio–4953 (Ohio Court of Appeals 2010), quoting Seasons Coal Co. v. Cleveland, 10 Ohio St.3d 77 (Ohio Supreme Court 1984). Thus, the jury may take note of the inconsistencies and resolve them accordingly, `believ[ing] all, part, or none of a witness's testimony.’ State v. Raver, 2003–Ohio–958 (Ohio Court of Appeals 2003).

An appellate court considering a manifest weight challenge `may not merely substitute its view for that of the trier of fact, but must review the entire record, weigh the evidence and all reasonable inferences, consider the credibility of witnesses, and determine whether, in resolving conflicts in the evidence, the trier of fact clearly lost its way and created such a manifest miscarriage of justice that the conviction must be reversed and a new trial ordered.’ State v. Harris, 2014–Ohio–2501 (Ohio Court of Appeals 2014). . . . Appellate courts should reverse a conviction as being against the manifest weight of the evidence in only the most `”exceptional case in which the evidence weighs heavily against the conviction.”’ State v. Thompkins, supra, quoting State v. Martin, 20 Ohio App.3d 172 (Ohio Court of Appeals1983).
State v. Rowe, supra.
The court then began the process of applying these standards to Rowe’s arguments on appeal, noting, first, that he
challenges Denniston's identification of him because she only saw the intruder in her house for a few seconds. Rowe also argues the evidence was conflicting regarding when he boarded the bus and the circumstances surrounding the recovery of Denniston's phone. These arguments are unavailing.

As the trier of fact, the jury was charged with evaluating the strength of Denniston's identification of Rowe as the person who stole her phone, based on such factors as her capacity and opportunity to observe the intruder and the interval of time between the event and the identification. To reverse on manifest weight grounds on the issue of Denniston's identification of Rowe, we would need to find that a reasonable juror could not find Denniston's testimony credible. See State v. Brown, 2002–Ohio–5345 (Ohio Court of Appeals 2002) (`it is inappropriate for a reviewing court to interfere with factual findings of the trier of fact which accepted the testimony of such witness unless the reviewing court finds that a reasonable juror could not find the testimony of the witness to be credible’).

The evidence did not, however, discredit Denniston's identification of Rowe. Denniston observed Rowe in her living room, at a relatively close distance, and she provided a confident in-person identification of him shortly after the burglary. Additionally, Denniston's identification of Rowe was strongly corroborated by the evidence indicating the discovery of Denniston's phone under the seat of a bus on which Rowe had boarded shortly after the burglary. Thus, it was reasonable for the jury to believe Denniston.
State v. Rowe, supra.
And, finally, the Court of Appeals noted that Rowe
correctly observes the testimony at trial was inconsistent as to the circumstances relating to the discovery of the phone on the bus. The testimony of the officers indicated the phone was discovered almost immediately after Rowe was removed from the bus. But Jensen's testimony indicated after Rowe was removed from the bus, the bus continued southbound to the next stop, and the police discovered the phone at that stop.

Rowe argues the evidence regarding when he boarded the bus was also inconsistent. Rowe cites the evidence indicating an officer boarded the bus, walked up and down the aisle, and then exited without locating Rowe. Rowe argues this evidence is inconsistent with other evidence indicating Rowe's presence on the bus at the time the first officer boarded the bus. These apparent inconsistencies do not, however, demonstrate the conviction was against the manifest weight of the evidence.
State v. Rowe, supra.
The court went on to find that,
[f]irst, regardless of whether Denniston's phone was discovered immediately after Rowe was removed from the bus, or at the next bus stop, undisputed evidence indicated that the police found the phone in close proximity to where Rowe had been sitting on the bus.

Second, the officer or officers who initially boarded the bus did not testify. The jury could have reasonably determined that the police officer or officers who first boarded the bus did not see anyone matching the description of the burglar due to the number of people on the bus and because Rowe's appearance had somewhat changed. Finally, it was within the province of the jury to resolve or discount any inconsistences in the testimony at trial, including the discrepancy regarding the discovery of the phone and why the police did not initially see Rowe on the bus. . . . In sum, Rowe fails to show the trier of fact clearly lost its way and created such a manifest miscarriage of justice that the conviction must be reversed and a new trial ordered.

Because Rowe's conviction for burglary was supported by sufficient evidence and was not against the manifest weight of the evidence, his sole assignment of error is overruled.
State v. Rowe, supra.
The Court of Appeals therefore affirmed Rowe’s conviction and sentence.  State v. Rowe, supra.