SJDC is often hired to perform a digital forensic analysis of a cell phone and/or another type of mobile device that was present during a traffic accident. The goal of the exam may be to determine the possibility of distracted driving, the location of a driver prior to or after the accident, the calls placed before or after the crash, or the travel route and/or approximate speed of a vehicle. In other words, mobile devices have become a rich source of evidence. Oftentimes, locating and producing the Electronically Stored Information (ESI – aka data) of interest is relatively straight-forward. Yet, in some cases the ESI sought, and often known to have existed on the device at one point in time, is not readily present at the time of a digital forensic examination. This creates legal issues for both the client and opposing party (or parties) during the discovery process. The client is often the party seeking cell phone or mobile device ESI because they are interested in user activity at or near the time of the accident. However, clients have also requested forensic analyses of mobile devices because they have received a preservation order, or request, from the opposing party; or they become aware that a party to the case may have been using a device at/near the time of an accident. In either case, prompt preservation of ESI is imperative in accident cases.
**NOTE: THIS IS NOT INTENDED AS LEGAL ADVICE. One should always consult with an attorney before making decisions with potential legal ramifications.**
The following question and answer narrative is intended to provide responses to common questions asked by those involved in traffic crash cases when mobile devices (i.e. cell phones) are present in the vehicle at the time of the crash:
What type of potentially relevant ESI is available on mobile devices?
There are many types of ESI present on cell phones, or other mobile devices, that may be relevant to a traffic accident case. Perhaps the most commonly requested types of ESI in accident cases (and most other cases) are text messages (SMS and/or MMS), call logs, chat/messenger data, GPS waypoints (latitude/longitude recorded at various times, including the drive up to the point of the accident), application data (e.g., Facebook, Twitter, Instagram), and web browsing data. There is an immense amount of potentially relevant ESI present in these forms, and many others, on these devices. To gain an appreciation for the amount of ESI potentially relevant to an accident case you need only consider the various uses of your own device, keeping in mind that each type could, and often does, occur while operating a vehicle.
Can deleted data be recovered?
The short answer is yes. The longer answer is that the likelihood of recovering deleted data is influenced by a number of factors, the most common of which is the continued use (and amount of use) of the device after data deletion. Another factor is whether or not the user “reset” or “restored” the device. With some exceptions, a restore of newer devices will usually result in irreversible data deletion. Reregistering the device to a different user, provider, or number will also cause the irreversible deletion of a small amount of data.
What should I do first?
Regardless of fault, if you or your client was involved in a car accident with injuries, and a device was in the vehicle at the time, you should immediately preserve the ESI. This can be accomplished by simply placing the phone in “airplane mode”, powering off the device, and storing it. Of course, this will result in some expense to a custodian, company, insurance company, or representing attorney because the custodian will want a replacement. However, the cost of a new device compared to the potential liability due to spoliation sanctions should make this a relatively easy decision.
In the same regard, you should promptly make a written request to the opposing party for preservation of any mobile device ESI, including cell phone and GPS devices that may have been present in the other driver’s vehicle. The preservation request should state clearly that the device should be placed into airplane mode and usage should cease immediately, because without doing so data destruction will occur.
I was recently told that in an effort to deal with the potential liability of a spoliation claim, a large commercial carrier started replacing an employee owned cell phone with a new one (at the company’s expense) if the employee was involved in a traffic crash while driving a company vehicle. This decision was based upon consideration that employers may be held liable for spoliation if employees delete potentially relevant ESI. The employer subsequently stores the employee’s previously owned cell phone and produces it with little concern of spoliation when obligated to do so as part of litigation.
Cell phone custodians are often interested in transferring the data to a new device and have asked if this transfer could cause the destruction of data. The short answer is yes. By simply turning on the device, ESI is overwritten. However, reasonable steps taken by a prudent custodian to preserve the ESI would, in my opinion, be viewed favorably by the court. Placing the device in airplane mode blocks most radio signals to the device thereby preventing incoming calls, text messages, etc., that may overwrite older and/or previously deleted, but potentially pertinent, ESI. This should be done; 1) as soon as practical, and 2) before turning off the device because without placing it in airplane mode the device will communicate with the network and data destruction will occur when it is powered back on for a transfer of data.
Next, potential litigants should send preservation requests to cell phone providers (i.e. AT&T, Sprint, Verizon, etc.) for any and all logs and content (i.e. text messages) available for all vehicle drivers. The preservation request serves to notify recipients that ESI in their possession is of interest in litigation and a proper subpoena or court order is forthcoming. At this point, it is the ESI custodian’s (in this case the cell service provider) responsibility to preserve logs and/or content in anticipation of the required legal documents. The promptness of this request is especially important to secure content (i.e., the message itself) from providers. Normally, providers do not store content beyond a few days, but the ESI is available if preserved promptly, then followed by a reasonably prompt court order. Taking such a step may circumvent the need for an examination of the device itself. However, keep in mind that providers do not store log or transaction ESI relative to chats, web browsing, Facebook, or other web-based activity. Instead, provider records will only reflect the usage of data during some timeframe that may or may not include the time of the accident.
How can cell phone data (contacts, text messages, call logs, etc.) be transferred from one phone, with potentially relevant ESI, to another?
Most providers will transfer data from one phone to another (new) phone as a service to their customers if a custodian must have his/her data transferred prior to storage of the relevant device. Should a custodian insist on this transfer, it is important for him/her to inform the technician making the transfer that data should not be deleted from the relevant device. In most cases, irreversible deletion will occur if the technician “resets”, or “restores”, the phone subsequent to a transfer of data. Keep in mind that this is not a suggestion to make this transfer of data. The best approach would be to keep the phone in the possession of the custodian, or custodian’s representative, without giving it to another person, including a technician, for any reason.
Am I required to retain the services of a digital forensic examiner (DFE) if I, or a client, has been involved in a vehicle accident and a mobile device is present?
No! In cases where device usage is questionable, I suggest simply storing the device until such time as it is established as potentially relevant to the traffic crash litigation. This is primarily because the user’s right to privacy is not automatically superseded by the facts regarding the possible use of the cell phone at the time of an accident. In other words, if there are not sufficient facts to establish that the cell phone was being used at or near the time of the accident, a motion for production may not be successful. Florida’s 1st District Court of Appeals addressed the balance of privacy rights versus the discovery of potentially pertinent data in the Antico v. Sindt decision in October of 2014.
What if I determine that the cell phone or GPS device is potentially relevant?
Once you determined that the device is potentially relevant, you should secure the services of a digital forensic examiner (DFE). A well-trained, experienced, and licensed DFE will follow best practices to ensure that the evidence is admissible in a court of law. Oftentimes, clients will secure the services of a DFE to get insight regarding the presence of ESI before the opposing party requests access to the device. And, production of the device may be unnecessary if a DFE acquires the cell phone ESI using well-established best practices. In this case the previously acquired cell phone data, rather than the actual device, is provided to the opposing party as part of the discovery process.
What about the privacy of my, or my client’s, personal data?
As stated above, the user’s right to privacy is not automatically superseded by the facts regarding the possible use of the cell phone at the time of an accident. In other words, if there are not sufficient facts to establish that the cell phone was being used at or near the time of the accident, a motion for production may not be successful. Florida’s 1st District Court of Appeals addressed the balance of privacy rights versus the discovery of potentially pertinent ESI in the Antico v. Sindt decision in October of 2014.
Furthermore, if your (or your client’s) cell phone is of interest to an opposing party, you may ask the court to allow an examination and limited production of cell phone ESI by your own DFE, or one appointed by the court.
A well-trained, experienced, and licensed DFE will take steps to ensure data security and privacy before, during, and after the exam.
What is the cost of a digital forensic exam of a mobile device and how long does it take?
Unfortunately, all devices are not the same. Therefore, the amount of time it takes to examine a device varies. Some devices take little time, and others take a significant amount of time. SJDC can usually examine the device and produce “technical reports” that provide clients most of the information needed for their case in about 4 billable hours. This amount will vary if the exam is required to take place at a different location (i.e. at a custodian’s home or office). Although the exam is expected to take 4 billable hours, custodians should expect the device to be unavailable for about 24 hours. Unless the exam is performed at a different location, SJDC does not charge for machine time, meaning that clients only get charged for hands-on examination time attributed to the case. Additional time is expected if SJDC is required to filter, additionally or iteratively produce, interpret, or testify about the data. More information regarding SJDC rates/terms can be found at our rates/terms page.
In closing, those involved in traffic crashes, or the resulting litigation, should seriously consider mobile devices used by either party as sources of evidence. If the device is owned by you (or your client), it should be preserved as soon as practical to avoid a future spoliation ruling. If the device is owned by an opposing party, a request for preservation of cell phone ESI should be promptly sent. In either case, a request for preservation of provider records should be sent promptly and followed by either a subpoena or court order.
Feel free to comment or post questions below.