Apr 262015
 

SJDC is often hired to perform digital forensic analyses of cell phones or other types of mobile devices that were present during traffic accidents.  The goal of these exams is almost always to determine the possibility of distracted driving and mobile devices have become a rich source of evidence for these types of cases.

The following question and answer narrative is intended to provide responses to common questions asked by those involved in traffic accident cases when mobile devices (i.e. cell phones) are present in the vehicle at the time of the crash:

**NOTE: THIS IS NOT INTENDED AS LEGAL ADVICE.  One should always consult with an attorney before making decisions with potential legal ramifications.**

What type of potentially relevant ESI is available on mobile devices?

There are many types of Electronically Stored Information (ESI – aka stored data) present on cell phones, or other mobile devices, that may be relevant to a traffic accident case.  Perhaps the most commonly requested types of ESI in accident cases (and most other cases) are text messages (SMS and/or MMS), call logs, chat/messenger data, GPS waypoints (latitude/longitude recorded at various times, including the drive up to the point of the accident), application data (e.g., Facebook, Twitter, Instagram), and web browsing data.  There is an immense amount of potentially relevant ESI present in these forms, and many others, on these devices.  To gain an appreciation for the amount of ESI potentially relevant to an accident case you need only consider the various uses of your own device, keeping in mind that each type could, and often does, occur while operating a vehicle.

Can deleted data be recovered?

The short answer is yes.  The longer answer is that the likelihood of recovering deleted data is influenced by a number of factors, the most common of which is the continued use (and amount of use) of the device after data deletion.  Generally, the more the device is used after data deletion the less likely that deleted data will be recovered.  Another factor is whether or not the user “reset” or “restored” the device.  With some exceptions, a restore of newer devices will usually result in irreversible data deletion.    Reregistering the device to a different user, provider, or number will also cause the irreversible deletion of data.   A future blog is forthcoming regarding other sources of ESI that may help to determine if data was deleted and/or how to recover deleted data from these alternative sources.

What should I do first?

Regardless of fault, if you or your client were involved in a car accident with injuries, and a device was in the vehicle at the time, you should immediately preserve the ESI.  This can be accomplished by simply placing the phone in “airplane mode”, powering off the device (depending on the circumstances), and storing it.  Of course, this will result in some expense to a custodian, company, insurance company, or representing attorney because the custodian will want a replacement.  However, the cost of a new device compared to the potential liability due to spoliation sanctions should make this a relatively easy decision.

In the same regard, you should promptly make a written request to a potential opposing party for immediate preservation of any mobile device ESI, including cell phone and GPS devices that may have been present in the other driver’s vehicle. The preservation request should state clearly that the device should be placed into airplane mode and usage should cease immediately because without doing so data destruction will occur.

Turning off or leaving on the device is a case-specific question, but the general rule of thumb is if the device is off, leave it off; if its on, place it in airplane mode, keep it charged and powered on.  However, If the custodian is deceased, this may not be the best course of action.  See below for suggestions on how to handle a deceased custodian’s device.  In the case of a traffic fatality it is very important to preserve the device(s) immediately as some logs only last a few days after they are created.  As an example, WhatsApp keeps highly granular logs that can include exactly what was happening to the millisecond.  However, these logs only document activity for the past few days and it is important to preserve the device immediately to preserve these and other similar types of logs.  The presence of these granular WhatsApp logs proved useful in a recent traffic fatality case.  

Next, potential litigants should send preservation requests to cell phone providers (i.e. AT&T, Sprint, Verizon, etc.) for any and all logs and content (i.e. text messages) available for all vehicle drivers.  The preservation request serves to notify recipients that ESI in their possession is of interest in litigation and a proper subpoena or court order is forthcoming.  At this point, it is the ESI custodian’s (in this case the cell service provider) responsibility to preserve logs and/or content in anticipation of the required legal documents.   The promptness of this request is especially important to secure content (i.e., the message itself) from providers.  Normally, providers do not store content beyond a few days, but the ESI is available if preserved promptly, then followed by a reasonably prompt court order.  However, keep in mind that providers do not store log or transaction ESI relative to chats, web browsing, Facebook, or other web-based activity.  Instead, provider records will only reflect the usage of data (bytes sent/received) during some timeframe that may or may not include the time of the accident.  Providers keep full Call Detail Records (CDRs) that (in addition to other/more transaction logs) include tower/location data.  Like requesting content (the actual SMS messages), a request for CDRs usually requires a court order.

The device custodian is deceased, what should I do?

If the custodian of the device is deceased you should contact a DFE immediately.  Depending on the device, operating system, and/or security settings the device may become useless if not handled correctly.  As an example, iPhones operate in either a Before First Unlock (BFU) or After First Unlock (AFU) modes.  BFU mode occurs when the device is first powered on, but the passcode has not been entered.  AFU mode is when the device has been unlocked.  DFEs are able to get access to more information from locked iPhones operating in AFU mode than devices operating in BFU mode, including information that may help unlock the phone.  The data available via locked devices changes frequently for Apple as well Android devices.  Therefore, prompt action is imperative when the custodian is deceased.   

Am I required to retain the services of a digital forensic examiner (DFE) if I, or a client, has been involved in a vehicle accident and a mobile device is present?

No!  In cases where device usage is questionable, we suggest simply storing the device until such time as it is established as potentially relevant to the traffic crash litigation.  This is primarily because the user’s right to privacy is not automatically superseded by the facts regarding the possible use of the cell phone at the time of an accident.  In other words, if there are not sufficient facts to establish that the cell phone was being used at or near the time of the accident, a motion for production may not be successful.  Florida’s 1st District Court of Appeals addressed the balance of privacy rights versus the discovery of potentially pertinent data in the Antico v. Sindt decision in October of 2014.

What if I determine that the cell phone or GPS device is potentially relevant?

Once you determined that the device is potentially relevant, you should secure the services of a Digital Forensic Examiner (DFE).  A well-trained, experienced, and licensed DFE will follow best practices to ensure that the evidence is admissible in a court of law.  Oftentimes, clients will secure the services of a DFE to get insight regarding the presence of ESI before the opposing party requests access to the device.  And, production of the device may be unnecessary if a DFE acquires the cell phone ESI using well-established best practices.  In this case the previously acquired cell phone data, or a derivative of that data rather than the actual device, is provided to the opposing party as part of the discovery process.

What about the privacy of my, or my client’s, personal data?

As stated above, the user’s right to privacy is not automatically superseded by the facts regarding the possible use of the cell phone at the time of an accident.  In other words, if there are not sufficient facts to establish that the cell phone was being used at or near the time of the accident, a motion for production may not be successful.  Florida’s 1st District Court of Appeals addressed the balance of privacy rights versus the discovery of potentially pertinent ESI in the Antico v. Sindt decision in October of 2014.

Furthermore, if your (or your client’s) cell phone is of interest to an opposing party, you may; 1) ask the court to allow an examination and limited production of cell phone ESI by your own DFE, or one appointed by the court, and/or 2) use the services of your own DFE to determine what data is/not present before the device is turned over to an opposing party’s DFE.  A well-trained, experienced, and licensed DFE will take steps to ensure data security and privacy before, during, and after the exam.

What is the cost of a digital forensic exam of a mobile device and how long does it take?

Unfortunately, all devices/cases are not the same.  Therefore, the amount of time it takes to conduct an examination can greatly.  Some devices take little time, and others take a significant amount of time.  And, the same device may take more time because of the requirements of the case.  For accident cases, a minimum of ten billable hours ($2,500) is expected.  This amount will vary if the acquisition is required to take place at a different location (i.e. at a custodian’s home or office, or at an attorney’s office).  Unless the exam is performed at a different location, SJDC does not charge for machine time, meaning that clients only get charged for hands-on examination time attributed to the case.  More information regarding SJDC rates/terms can be found at our rates/terms page.

Some digital forensic service providers may charge less and produce only forensic tool reports (i.e., Cellebrite, Axiom, Oxygen, etc.) with a limited amount of parsed (properly interpreted) data.  For many types of cases this approach is helpful to get quick answers.  In higher priority cases, such as accident cases, a tool report is akin to a one-dimensional view of a three dimensional object and stakeholders should be leery of DFEs providing these tool reports as the only means to indicate device activity at or near the time of a crash.  Additionally, the output from these tools may be limited or incorrect and should be validated.

A future blog is forthcoming that will provide more detailed information about what may be missing from these tool reports.

For the acquisition of device data at SJDC, custodians should expect the device to be unavailable for about 12-24 hours.  The least impacting way to accomplish this is to provide the device for acquisition later in the afternoon and (barring any unforeseen circumstances) expect it to be returned the next morning.  Although we often try to discourage them, “on-site” (i.e., at the offices of a custodian or attorney) acquisitions can usually be accomplished during a business day.  However, device acquisitions can be challenging take many hours to accomplish, all of it billable if it is an on-site request.  

As noted above, the examination of device data in an accident case can take many hours and varies greatly by device and case. 

In closing, those involved in traffic crashes, or the resulting litigation, should seriously consider mobile devices used by either party as sources of evidence.  If the device is owned by you (or your client), it should be preserved as soon as practical to avoid a future spoliation ruling.  If the device is owned by an opposing party, a request for preservation of cell phone ESI should be promptly sent.  In either case, a request for preservation of provider records should be sent promptly and followed by either a subpoena or court order.

Feel free to comment or post questions below.

Oct 062014
 

 

Three months after the Supreme Court’s Riley v. California decision mandating police to secure a search warrant prior to searching an arrestee’s cell phone, and the world is apparently still turning.  Many, present company included, believed this decision would be detrimental to the effectiveness of law enforcement.  Law enforcement officers know the value of Electronically Stored Information (ESI) in cell phones and oftentimes depend on this ESI as the primary evidence, or lead generator, in many of their cases.  Privacy issues aside, limiting access to this primary source of evidence will certainly inhibit efforts by police to protect the public and put bad guys in jail.

There is good reason for officers to value this ESI.  People use cell phones to store more personal information than is recorded by any other means.  It is unlikely that many users even know the extent to which newer cell phones capture personal information.  Anecdotes abound, but suffice it to say that few clients for whom I have performed analyses are not surprised by the richness of the personal data available, even after the user takes steps to delete data.  Our dependence on cell phones as the primary means to store this information has led to the devices being ubiquitous to modern society.  Delivering the opinion for the Court in Riley, Chief Justice Roberts colorfully described the prevalence of cell phones as, “…such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.” (p. 9).  Indeed, one would be hard-pressed to walk down a pedestrian filled city street and not see a majority of people actively using their cell phones.  People store their most intimate personal data regarding even the most mundane aspects of their lives in their cell phones, and that information can become evidence in court.

Prior to the Riley decision, as a matter of practice, law enforcement officers in most jurisdictions lawfully seized and subsequently searched arrestee’s cell phones for evidence of criminal activity without obtaining search warrants.  ESI is highly valued in criminal cases and its discovery is often prioritized over other types of evidence (as an example, see this recent case).  I am personally aware of a number of cases in which cell phone ESI is either the first significant evidence discovered in the case, or the only evidence connecting arrestees to the crime, yet there was no authorization by a court for the search.  That’s not to say these were illegal searches; just that the law and practice of the respective jurisdiction did not require court authorization prior to the search.  That all changes with the Riley decision.   Now, absent exigent circumstances, a search warrant is required before the police can search the cell phone of an arrestee.

Understandably, police are concerned that the extra time it takes to secure a search warrant will jeopardize the investigation or, more importantly, public safety.  Search warrants have become a more time-intensive process for investigators over the years. I recall years ago drafting my first search warrant and bringing it to the local courthouse where I shuffled between judges chambers looking for the first judge who had time and was willing to review/sign the warrant.  I used to call this the courthouse shuffle.  Back then search warrant affidavits were short and thus reviewed in little time.  Of course, some officers had their favorite judges who took the least amount of time reviewing search warrants.  One judge was known for his swiftness in turning to the signature page.   Many avoided him for this reason, but when he was the on-call judge I made many after-hours visits to his residence knowing that I would only be asked the following two questions as he turned to the signature page: 1) It’s not my house, is it?; and 2) Do you swear this is the truth?  Even then, the steps it took to get authorization for a search were considered cumbersome (as they should be).

Nowadays things are a bit different.  Absent exigent circumstances, police are oftentimes required to send search warrants for review and/or set appointments with prosecutors and judges.  And, due to advances in technology and the law, search warrant affidavits have become much lengthier.  However, these technological advances have also helped law enforcement become more efficient with this process; a point not missed by the majority in Riley v. California.  Some jurisdictions have even enabled completely electronic review/filing services for their legal processes (e.g. court orders, search warrants, subpoenas, etc). In these jurisdictions warrants can be sent/reviewed/signed electronically thereby allowing for authorization to occur in minutes instead of hours or days.  In this light one can see the double-edged sword that is technology.  Technology makes us more efficient, yet over time adds layers of requirement; technology allows us to store more data, yet can limit our access to this data (e.g., encryption, cloud computing); technology makes life more convenient, yet this convenience can lead to apathy and requires us to store immense amounts of accessible personal data. 

Over the years I have seen many legal and technological Y2K (end of the world) moments in policing.  These include Miranda (limiting police interviews), Gant (limiting police searches of vehicles), Encryption (limiting access to data), and cloud computing (limiting venue authority or access to local data) that, at their time, were all seen as being immediately and severely detrimental to the continued effectiveness of the police.  I see the Riley decision as another Y2K moment.  Prior to Riley law enforcement officers enjoyed the benefit of timely access to an arrestee’s cell phone ESI.  Now, the Court has limited that access to protect our individual right to privacy.  We will never know the extent to which this decision inhibits justice or jeopardizes public safety, but we do know that the Court is working in our favor by protecting our individual right to privacy in our persons, places, and effects.  Hopefully the decision will push a greater portion of the criminal justice system further into the 21st century.  As with Y2K, Miranda, Gant, Encryption, and Cloud Computing, the Riley decision will not stop police from enforcing the law.  Law enforcement will adapt and will continue to make the best possible cases within the right-protecting restrictions imposed……and the world will still turn.

What do you think?

 

Jul 132014
 

Located in Jacksonville, Florida, St. Johns Data Consulting, LLC (SJDC) provides digital forensic analysis, consulting, training, and expert testimony in support of litigation. We strive to bring our clients the most secure, professional, confidential, and competent assistance to support various types of litigation.

  • Computer Forensics
  • eDiscovery
  • Data Theft
  • Intellectual Property Theft
  • Employer/Employee Disputes
  • Digital Forensic Imaging
  • Targeted Collections
  • Drone Data Extraction and Analysis
  • E-mail Recovery/Analysis
  • Web History Analysis
  • Document Analysis
  • Timeline Analysis
  • User History/Access Analysis
  • Image Analysis
  • Keyword/Phrase Searching
  • Data Recovery
  • Data/Evidence Preservation and Storage
  • Trial/Litigation Support
  • Evidence/Chain-of-Custody Documentation
  • On-Site and Lab Acquisitions
  • Cross-Validation of Litigant/Defense Findings
Call Now Button