Cell phones are everywhere. These mobile devices are increasingly used for phone calls, text messages, social media, cameras, calendars, Internet browsers, games, and even monitoring our health. Much of our daily lives takes place within the confines of these devices and, in the event of a collision, that means they may contain evidence of distracted driving relevant to civil litigation cases.
While cell phone usage has become ubiquitous, understanding the terminology and the forensic investigation methods and tools necessary to discover and present evidence of distracted driving can seem daunting. Even so, the importance of this evidence to personal injury cases requires attorneys, paralegals, and investigators to become conversant in the kinds of data saved in mobile devices and how those devices may record information that sheds light on what the user was doing before and during a collision.
This article will delve into the types of evidence available in mobile devices (especially iPhones), steps to take early on to locate and preserve that evidence, and pitfalls to avoid when conducting a forensic investigation.
Which mobile devices should examiners discover and collect?
The examiner should consider all possible mobile devices related to the collision. These devices may be identified through interrogatories, document requests, and depositions of potentially distracted drivers, and through police reports from both the collision and any prior criminal matters involving the driver. Remember to serve preservation letters early in the case for all mobile devices related to the collision subject to litigation. It may be necessary to move to compel production of these mobile devices for inspection and forensic examination.
The examiner should independently examine all relevant mobile devices that may hold material evidence, especially those in use by a potentially distracted driver. Smartphones must be visually inspected for factory resets and device settings, in addition to passcode complexity and the layout of mobile apps on the home screen.
Examination of the iPhone will recover text messages such as SMS, MMS, and iMessages, as well as messages from mobile messaging apps like Facebook Messenger, Snapchat, and WhatsApp. Examination will also recover GPS device locations, driver activity, and health data including steps, distance, stairs climbed, and possibly pulse in beats per minute and energy in kilocalories. Examination of fitness trackers like Fitbit and digital watches like those from Apple and Garmin will also recover GPS device locations and similar activity and health data.
When should mobile devices be examined for successful evidence recovery?
The examiner should move swiftly and decisively to take possession and preserve mobile devices related to the collision and distracted driving civil litigation. Why? Because messages, calls, and GPS device locations can be deleted, overwritten, and lost forever. Additionally, continued device usage by the user after the collision results in deletion and overwriting of mobile evidence. Beware the risks of failure to seize and examine the mobile device at the earliest opportunity.
How should mobile devices be examined?
The examiner must use multiple digital forensic tools. As the most experienced leaders and practitioners in the field relentlessly say, “one tool is never enough.”
The best examiners use forensically sound mobile device forensic tools generally accepted in the legal industry and, specifically, in the community of digital forensic examiners. The examiner must find and produce the most probative evidence to support or refute allegations of distracted driving in civil litigation. It is essential for the examiner to extract a deeply probative iOS full file system from the distracted driver’s iPhone. No inferior iTunes backup extraction will be enough; not even an encrypted iTunes backup. The examiner must extract an iOS keychain from the iPhone to be used to decrypt mobile app data recovered in an encrypted state.
It is necessary for the examiner to understand the evidence that can be recovered from mobile devices and the limitations of each tool used. As a result, the examiner must recover evidence from a deeply probative extraction using two or three of the best mobile device forensic tools in the industry. Cross validation, which is a comparison of inventories of iPhone artifacts recovered across all the tools, is central to producing best evidence from the device. For example, the most text messages may come from the examiner’s first tool, while the most contacts may come from the second, and in this example, the most photographs may come from the third tool.
How can examiners protect the mobile device from data loss and preserve the evidence?
Before beginning the acquisition process, it is essential to isolate the mobile device from any signals or incoming data, such as cell towers, Wi-Fi, Bluetooth, NFC (Near Field Communication commonly used for mobile credit payments), and GPS satellites. To do this, the examiner needs to power off the device, remove its SIM card, and place the phone in a Faraday bag. These steps ensure the original data is preserved and that any data loss is avoided. Once the device is sufficiently isolated, the examiner can properly acquire the digital evidence. Often airplane mode, or flight mode, is used when the device is removed from the Faraday bag and powered on for examination.
How can examiners determine when the collision occurred with certainty?
To determine the exact time of a collision, the examiner should request all Enhanced 911 (E-911) call records from the local E-911 center, including those placed by the driver and eyewitnesses. As they show when the collision was reported, these records will provide the latest possible timing for it. Date and timestamps–to the second–for all E-911 reports are critical. The examiner can corroborate the E-911 records by recovering the iPhone’s Application Usage Log and examining it for the driver’s outbound 911 call after the collision.
Before the examiner can determine with certainty when the collision occurred, it is important to collaborate with the accident reconstruction expert. This collaboration can provide an understanding of the timeline of events before and after the collision, based on the black box EDR (Event Data Recorder) evidence from the driver’s vehicle. It can also reveal the speed at which the vehicle was traveling.
With this information, the examiner can then use mobile device forensics for more focused evidence recovery and generate an accurate timeline of events. The examiner can also recover GPS device location evidence to confirm or validate the accident reconstruction expert’s black box EDR data.
What initial work product provides context and guides the legal team?
Mobile device forensics offers a unique opportunity for civil litigators to uncover key evidence related to distracted driving collisions. By taking the initiative to start a project correctly, examiners can provide context and direction to the legal team. Initial work product should include 1) recovering iPhone evidence, 2) producing a timeline an hour before and after the collision, and 3) producing maps from forensic tools of the GPS device locations recovered for the same time period. The examiner can supplement the device locations with GPS metadata to include location accuracy, elevation, velocity, and bearing.
What mobile app evidence can be recovered from the driver’s iPhone to prove distraction?
The deeply probative extraction of the iPhone enables the recovery of an important iOS SQLite database called KnowledgeC. It is a unique source of critical timeline evidence that records a day in the life of the iPhone. Examiners rely on the KnowledgeC database to recover start and stop timestamps for the mobile apps the driver may use. We also check it for mobile app launch timestamps to confirm the driver’s app usage.
Most important, we access KnowledgeC to recover app focus start and stop timestamps for the driver’s apps leading up to and during the time period of the collision. The iPhone app focus data reveals the time each mobile app has exclusive control of the iPhone. It records when the app displays content on the iPhone screen, when the app captures the driver’s input, and when the app controls the iPhone’s vibration, speaker, microphone, etc.
To confirm the mobile app usage and app focus data derived from the KnowledgeC database, the examiner will recover log entries for network data movement between the iPhone and the cell towers. The incoming and outgoing cell tower network data traffic feeds mobile app activity. The cell tower log entries identify which mobile apps are being fed the data and when. Given this, the network data traffic should line up with the mobile app usage and the app focus start and stop timestamps to identify conclusively the mobile app being used by the driver.
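The app focus recovery described above, combined with the one-hour-before-and-after timeline, can be sketched as follows. This is an added example, not the author's tooling or any forensic product's code. It assumes the table and column names (ZOBJECT, ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, ZENDDATE) and the /app/inFocus stream name from commonly published research on KnowledgeC; the collision time and all rows are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# KnowledgeC stores Core Data timestamps: seconds since 2001-01-01 00:00:00 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
COLLISION_UTC = datetime(2023, 3, 14, 18, 30, 0, tzinfo=timezone.utc)  # constructed

def to_mac(dt):
    return (dt - MAC_EPOCH).total_seconds()

def from_mac(seconds):
    return MAC_EPOCH + timedelta(seconds=seconds)

def app_focus_in_window(conn, collision_utc, margin=timedelta(hours=1)):
    """App focus intervals overlapping collision +/- margin, oldest first.

    Each result is (bundle_id, start_utc, end_utc, spans_collision).
    """
    lo = to_mac(collision_utc - margin)
    hi = to_mac(collision_utc + margin)
    t0 = to_mac(collision_utc)
    rows = conn.execute(
        "SELECT ZVALUESTRING, ZSTARTDATE, ZENDDATE FROM ZOBJECT "
        "WHERE ZSTREAMNAME = '/app/inFocus' "
        "AND ZSTARTDATE <= ? AND ZENDDATE >= ? "  # interval overlap test
        "ORDER BY ZSTARTDATE",
        (hi, lo),
    ).fetchall()
    return [(app, from_mac(s), from_mac(e), s <= t0 <= e) for app, s, e in rows]

def build_sample_db():
    """In-memory stand-in for a working copy of the database (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ZOBJECT (ZSTREAMNAME TEXT, ZVALUESTRING TEXT, "
                 "ZSTARTDATE REAL, ZENDDATE REAL)")
    base = to_mac(COLLISION_UTC)
    sample = [  # offsets in seconds relative to the collision time
        ("/app/inFocus", "com.apple.Maps", -5400, -4800),    # outside window
        ("/app/inFocus", "com.example.messenger", -30, 15),  # spans collision
        ("/app/inFocus", "com.apple.mobilephone", 60, 300),  # call afterwards
        ("/app/inFocus", "com.example.game", 6600, 6900),    # outside window
        ("/device/isLocked", None, -35, 20),                 # other stream
    ]
    conn.executemany("INSERT INTO ZOBJECT VALUES (?, ?, ?, ?)",
                     [(s, v, base + a, base + b) for s, v, a, b in sample])
    return conn

if __name__ == "__main__":
    for app, start, end, spans in app_focus_in_window(build_sample_db(), COLLISION_UTC):
        print(app, start.isoformat(), end.isoformat(), "SPANS COLLISION" if spans else "")
```

The query should be run against a working copy of the extracted database, never the original evidence file, and the timestamps it returns are UTC and need conversion to the local time zone of the collision before they are compared with E-911 or EDR records.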
The examiner also has tools to recover evidence from the mobile apps that identify multimedia artifacts, visual and audio side effects, from the driver’s use of the iPhone during the collision period. For example, they may identify graphics from Instagram or Snapchat, or from a game like Pokémon Go, or other vivid artifacts from the driver’s mobile apps accessed before or during the collision.
What is pattern of life evidence?
Pattern of life evidence is defined as insights into a person’s digital behaviors and user habits such as the frequency and location of routines in normal day to day life. It is often revealed by mobile evidence.
Understanding the pattern of life evidence of a driver can be illuminating in distracted driving cases. Through analysis of the driver’s iPhone, information such as locations visited, frequently used apps, and other digital activities can be recovered. It can show specific patterns and behaviors present during distraction and can provide an accurate timeline of activities. Pattern of life evidence can also indicate how often the driver engages in certain activities such as texting, or if the iPhone was used for navigation or entertainment purposes.
Specific examples of pattern of life evidence include timelines for the iPhone’s power on and off events, its battery usage, phone screen locks and unlocks, and phone spatial orientation from horizontal to vertical. Pattern of life inferences can be drawn from phone connections to the driver’s vehicles, watches, and fitness trackers using Bluetooth and Wi-Fi networks. Additionally, the phone’s data consumption from Wi-Fi and over-the-air sources like 4G LTE and 5G cell towers can contribute to meaningful pattern of life observations.
What pattern of life distraction evidence can be recovered from the driver’s iPhone?
An examiner has many tools to recover pattern of life evidence to show whether or not a driver was distracted by their mobile device, including:
- Device locks: The examiner must recover iPhone device lock states from the KnowledgeC database for timestamps of the driver’s device unlock activity. This evidence places the iPhone in the driver’s hands with eyes on its display screen for the time required to unlock the iPhone with six or more digits.
- Device Orientation: The examiner must recover iPhone device orientation states, also from KnowledgeC, for timestamps of the driver’s handling of the iPhone and any movement from sideways (horizontal) to upright (vertical) and vice versa.
- Device Events: The examiner must recover iPhone device events showing the status of the iPhone screen display and its speaker and microphone. These sources of visual and auditory distraction, when enabled, and at the service of an identified mobile messaging app or interactive game app, may prove distracted driving.
- Power Logs: The examiner must recover iPhone power logs to show which features of the device may have been in use and when. Examples of these features include the camera, the battery, and the user lock screen. Power logs offer a second opinion which can confirm the truthfulness of critical iPhone data provided by the KnowledgeC database such as mobile app usage and user locks and unlocks.
Altogether, this abundant iPhone evidence reveals insights into how often the driver was engaging in certain activities, how long each activity was, and where they occurred. Its analysis can then determine if the driver was inattentive, and possibly distracted, at the time of the collision.
When presented with a distracted driving case, attorneys, paralegals, and investigators must act swiftly to locate and secure all relevant devices. Once this is achieved, the investigation of the mobile devices should be thorough and probe all sources of evidence related to distracted driving.
Technology is always evolving. It is imperative to stay up to date if you intend to present evidence of mobile device usage in a distracted driving case. Using the methods and tools outlined above, it is possible to recover and utilize digital forensic evidence to achieve the desired outcome in your civil litigation.
However, these methods and tools are not the only available sources of evidence. Next month’s article will examine alternate resources outside the mobile device that may expand upon or corroborate evidence obtained in this initial phase of the investigation.
John J. Carney, Esq., is chief technology officer of Carney Forensics, https://www.carneyforensics.com/