SJDC is often hired to perform digital forensic analyses of cell phones or other types of mobile devices that were present during traffic accidents. The goal of these exams is almost always to determine the possibility of distracted driving and mobile devices have become a rich source of evidence for these types of cases.
The following question and answer narrative is intended to provide responses to common questions asked by those involved in traffic accident cases when mobile devices (i.e. cell phones) are present in the vehicle at the time of the crash:
**NOTE: THIS IS NOT INTENDED AS LEGAL ADVICE. One should always consult with an attorney before making decisions with potential legal ramifications.**
What type of potentially relevant ESI is available on mobile devices?
There are many types of Electronically Stored Information (ESI – aka stored data) present on cell phones, or other mobile devices, that may be relevant to a traffic accident case. Perhaps the most commonly requested types of ESI in accident cases (and most other cases) are text messages (SMS and/or MMS), call logs, chat/messenger data, GPS waypoints (latitude/longitude recorded at various times, including the drive up to the point of the accident), application data (e.g., Facebook, Twitter, Instagram), and web browsing data. There is an immense amount of potentially relevant ESI present in these forms, and many others, on these devices. To gain an appreciation for the amount of ESI potentially relevant to an accident case you need only consider the various uses of your own device, keeping in mind that each type could, and often does, occur while operating a vehicle.
Can deleted data be recovered?
The short answer is yes. The longer answer is that the likelihood of recovering deleted data is influenced by a number of factors, the most common of which is the continued use (and amount of use) of the device after data deletion. Generally, the more the device is used after data deletion the less likely that deleted data will be recovered. Another factor is whether or not the user “reset” or “restored” the device. With some exceptions, a restore of newer devices will usually result in irreversible data deletion. Reregistering the device to a different user, provider, or number will also cause the irreversible deletion of data. A future blog is forthcoming regarding other sources of ESI that may help to determine if data was deleted and/or how to recover deleted data from these alternative sources.
What should I do first?
Regardless of fault, if you or your client were involved in a car accident with injuries, and a device was in the vehicle at the time, you should immediately preserve the ESI. This can be accomplished by simply placing the phone in “airplane mode”, powering off the device (depending on the circumstances), and storing it. Of course, this will result in some expense to a custodian, company, insurance company, or representing attorney because the custodian will want a replacement. However, the cost of a new device compared to the potential liability due to spoliation sanctions should make this a relatively easy decision.
In the same regard, you should promptly make a written request to a potential opposing party for immediate preservation of any mobile device ESI, including cell phone and GPS devices that may have been present in the other driver’s vehicle. The preservation request should state clearly that the device should be placed into airplane mode and usage should cease immediately because without doing so data destruction will occur.
Turning off or leaving on the device is a case-specific question, but the general rule of thumb is if the device is off, leave it off; if its on, place it in airplane mode, keep it charged and powered on. However, If the custodian is deceased, this may not be the best course of action. See below for suggestions on how to handle a deceased custodian’s device. In the case of a traffic fatality it is very important to preserve the device(s) immediately as some logs only last a few days after they are created. As an example, WhatsApp keeps highly granular logs that can include exactly what was happening to the millisecond. However, these logs only document activity for the past few days and it is important to preserve the device immediately to preserve these and other similar types of logs. The presence of these granular WhatsApp logs proved useful in a recent traffic fatality case.
Next, potential litigants should send preservation requests to cell phone providers (i.e. AT&T, Sprint, Verizon, etc.) for any and all logs and content (i.e. text messages) available for all vehicle drivers. The preservation request serves to notify recipients that ESI in their possession is of interest in litigation and a proper subpoena or court order is forthcoming. At this point, it is the ESI custodian’s (in this case the cell service provider) responsibility to preserve logs and/or content in anticipation of the required legal documents. The promptness of this request is especially important to secure content (i.e., the message itself) from providers. Normally, providers do not store content beyond a few days, but the ESI is available if preserved promptly, then followed by a reasonably prompt court order. However, keep in mind that providers do not store log or transaction ESI relative to chats, web browsing, Facebook, or other web-based activity. Instead, provider records will only reflect the usage of data (bytes sent/received) during some timeframe that may or may not include the time of the accident. Providers keep full Call Detail Records (CDRs) that (in addition to other/more transaction logs) include tower/location data. Like requesting content (the actual SMS messages), a request for CDRs usually requires a court order.
The device custodian is deceased, what should I do?
If the custodian of the device is deceased you should contact a DFE immediately. Depending on the device, operating system, and/or security settings the device may become useless if not handled correctly. As an example, iPhones operate in either a Before First Unlock (BFU) or After First Unlock (AFU) modes. BFU mode occurs when the device is first powered on, but the passcode has not been entered. AFU mode is when the device has been unlocked. DFEs are able to get access to more information from locked iPhones operating in AFU mode than devices operating in BFU mode, including information that may help unlock the phone. The data available via locked devices changes frequently for Apple as well Android devices. Therefore, prompt action is imperative when the custodian is deceased.
Am I required to retain the services of a digital forensic examiner (DFE) if I, or a client, has been involved in a vehicle accident and a mobile device is present?
No! In cases where device usage is questionable, we suggest simply storing the device until such time as it is established as potentially relevant to the traffic crash litigation. This is primarily because the user’s right to privacy is not automatically superseded by the facts regarding the possible use of the cell phone at the time of an accident. In other words, if there are not sufficient facts to establish that the cell phone was being used at or near the time of the accident, a motion for production may not be successful. Florida’s 1st District Court of Appeals addressed the balance of privacy rights versus the discovery of potentially pertinent data in the Antico v. Sindt decision in October of 2014.
What if I determine that the cell phone or GPS device is potentially relevant?
Once you determined that the device is potentially relevant, you should secure the services of a Digital Forensic Examiner (DFE). A well-trained, experienced, and licensed DFE will follow best practices to ensure that the evidence is admissible in a court of law. Oftentimes, clients will secure the services of a DFE to get insight regarding the presence of ESI before the opposing party requests access to the device. And, production of the device may be unnecessary if a DFE acquires the cell phone ESI using well-established best practices. In this case the previously acquired cell phone data, or a derivative of that data rather than the actual device, is provided to the opposing party as part of the discovery process.
What about the privacy of my, or my client’s, personal data?
As stated above, the user’s right to privacy is not automatically superseded by the facts regarding the possible use of the cell phone at the time of an accident. In other words, if there are not sufficient facts to establish that the cell phone was being used at or near the time of the accident, a motion for production may not be successful. Florida’s 1st District Court of Appeals addressed the balance of privacy rights versus the discovery of potentially pertinent ESI in the Antico v. Sindt decision in October of 2014.
Furthermore, if your (or your client’s) cell phone is of interest to an opposing party, you may; 1) ask the court to allow an examination and limited production of cell phone ESI by your own DFE, or one appointed by the court, and/or 2) use the services of your own DFE to determine what data is/not present before the device is turned over to an opposing party’s DFE. A well-trained, experienced, and licensed DFE will take steps to ensure data security and privacy before, during, and after the exam.
What is the cost of a digital forensic exam of a mobile device and how long does it take?
Unfortunately, all devices/cases are not the same. Therefore, the amount of time it takes to conduct an examination can greatly. Some devices take little time, and others take a significant amount of time. And, the same device may take more time because of the requirements of the case. For accident cases, a minimum of ten billable hours ($2,500) is expected. This amount will vary if the acquisition is required to take place at a different location (i.e. at a custodian’s home or office, or at an attorney’s office). Unless the exam is performed at a different location, SJDC does not charge for machine time, meaning that clients only get charged for hands-on examination time attributed to the case. More information regarding SJDC rates/terms can be found at our rates/terms page.
Some digital forensic service providers may charge less and produce only forensic tool reports (i.e., Cellebrite, Axiom, Oxygen, etc.) with a limited amount of parsed (properly interpreted) data. For many types of cases this approach is helpful to get quick answers. In higher priority cases, such as accident cases, a tool report is akin to a one-dimensional view of a three dimensional object and stakeholders should be leery of DFEs providing these tool reports as the only means to indicate device activity at or near the time of a crash. Additionally, the output from these tools may be limited or incorrect and should be validated.
A future blog is forthcoming that will provide more detailed information about what may be missing from these tool reports.
For the acquisition of device data at SJDC, custodians should expect the device to be unavailable for about 12-24 hours. The least impacting way to accomplish this is to provide the device for acquisition later in the afternoon and (barring any unforeseen circumstances) expect it to be returned the next morning. Although we often try to discourage them, “on-site” (i.e., at the offices of a custodian or attorney) acquisitions can usually be accomplished during a business day. However, device acquisitions can be challenging take many hours to accomplish, all of it billable if it is an on-site request.
As noted above, the examination of device data in an accident case can take many hours and varies greatly by device and case.
In closing, those involved in traffic crashes, or the resulting litigation, should seriously consider mobile devices used by either party as sources of evidence. If the device is owned by you (or your client), it should be preserved as soon as practical to avoid a future spoliation ruling. If the device is owned by an opposing party, a request for preservation of cell phone ESI should be promptly sent. In either case, a request for preservation of provider records should be sent promptly and followed by either a subpoena or court order.
Feel free to comment or post questions below.