Edit Template
  • Home
  • About
  • Services
  • Contact

Digital Forensics

Cyber Forensic Services
Case Studies, Digital Forensics, Smart Phone Forensics

The Importance of Digital Forensics Experts: The Case of the Distracted Pedestrian

/

Introduction: Recently CyForce had been contracted by a law firm representing the estate of a deceased individual. This person was a well-known resident of a mid-sized city, and they were struck by a motor vehicle while crossing the road. The question in dispute was whether this individual was “distracted” by their mobile phone while crossing the street. The local police department had examined the victim’s phone and “officially determined” that they were actively using a video chat program at the time of the collision. Thus, they were partially at fault for the collision that occurred. This question is so important because, like most states, the state where the collision occurred happens to be a “comparative fault” state, specifically a modified comparative negligence state. Contributory and Comparative Negligence States have a couple of approaches when determining and apportioning fault in negligence cases, especially in civil litigation. They can employ a contributory negligence model or a comparative negligence model. Generally speaking, if a state employs a contributory negligence model and you are found to be at fault, even just one percent at fault, you cannot recover damages in a civil suit. On the other hand, if you are in a comparative negligence state, the percentage that each party was at fault will be used to assign damages. For example, if you are found to be 20% at fault, then at most, you can recover 80% of the damages.  There are two types of comparative negligence, either pure comparative negligence or modified comparative negligence; the significant difference between the two is that in a modified comparative negligence model, there is a threshold of fault that you must be below before you can be awarded damages. This threshold usually is around 50%. Case Background The collision occurred in the late afternoon, on a winter day, with temperatures near 50°F and clear visibility, light wind, and no rain. The victim had just parked their car and was walking to meet friends for dinner. After walking a short distance down the road from their vehicle, the victim decided to cross the street, at which point they were struck by a truck. A bystander used the victim’s phone to call an individual listed in the victim’s most recent call history. Police Investigation As with all fatal automobile collisions, the local police investigated the circumstances surrounding the collision to ascertain the facts of the case. Since a bystander could utilize the victim’s phone, the police theorized that the phone was unlocked and being used by the victim at the time of the collision. For this reason, the phone was analyzed by the police department, which included a full file system (FFS) extraction of the phone’s internal memory. After locating the data pertaining to the date and time in question, the police department’s digital forensic investigator saw indicators that a particular video messaging application was running on the phone at the time of the collision. This led them to conclude that the victim was utilizing a video messaging application when they were struck by the truck. Civil Case The victim’s estate filed a civil case against the driver of the truck. The driver’s attorney relied heavily on the police department’s report that stated the victim was actively utilizing their phone at the time of the collision. They argued that the victim was primarily at fault for the collision because they were distracted by their phone and stepped out in front of the truck, and the driver did not have time to stop before striking the victim. As you can imagine, having this critical piece of evidence from the police department’s expert “showing” that the victim was actively using a video messaging application at the time of the collision was a major “plus” for the defense in trying to show that the victim was at least 50% at fault for the collision. If the defense was successful in proving this to the court, and since the state where the collision happened was a modified comparative negligence state, the driver would not have to pay damages to the victim’s estate. CyForce’s Critical Involvement The attorney for the victim’s estate contacted CyForce and asked us to perform a second examination of the data from the victim’s phone and try to determine if the police’s conclusions were correct. Though CyForce was not provided with the actual phone, they did receive a copy of the FFS extraction and determined that there were no indicators of compromise to the data. The phone in question was determined to be an iPhone 8 plus running iOS 13.3. Utilizing state-of-the-art technology, CyForce established the “pattern of life” for the iPhone, including detailed usage history covering the collision’s time. While examining the data, one curious fact stood out to Dr. Lewis, CyForce’s Chief Forensic Officer: the iPhone’s microphone, camera, and speaker were never activated during the time of the collision. The detailed logs and databases that make up the pattern of life on an iPhone shows in immense detail what is being utilized on an iPhone and when. For example, it logs when the microphone is activated, where the output audio is sent (speaker, Bluetooth, headphone jack, etc.), and when the camera is turned on. Yes, these logs did show that the video messaging application was running, but it didn’t show that any of the usual hardware was being utilized while it was running. Dr. Lewis thought it was rather suspect that a video application would be actively utilized, but the audio wasn’t playing or being recorded, and the camera wasn’t being used. Of course, in forensic sciences, a hunch isn’t considered evidence. After a thorough search of the literature, it was determined that research on this application was non-existent. Still, similar applications did show the camera, microphone, and speaker activation when used to play or record video messages. This led CyForce to conduct a scientific experiment utilizing the same model of iPhone and the same version of iOS to determine with scientific certainty if the activation of

Case Studies, Digital Forensics, Smart Phone Forensics

The Case of the Busy Truck Driver

/

Introduction: At CyForce, clients frequently ask us if we determine what a user is doing on their smartphone at a particular time. Most of the time, the client is looking for who the user was texting, calling, or video-chatting with or what websites they were accessing, all of which are relatively straightforward data points to capture from the mobile device. But in a recent case, the answer was not as clear; in fact, it involved conducting a deep dive into the “pattern of life” of a particular iPhone and finding that the device management software the employer installed on their employee’s mobile device wasn’t preventing them from using the iPhone as they drove a loaded semi-truck down a busy interstate. Case Background This case involves the estate of a victim involved in a vehicular collision on a major metropolitan interstate in the middle of the day. The victim was driving a private automobile, and the suspect was driving a semi-truck. According to the statement the truck driver gave the police, they were traveling on the interstate when the vehicle in front of them changed lanes abruptly. As the vehicle went to the adjacent lane, they saw another vehicle stopped in the middle of the roadway. The truck driver said they could not move to another lane because of traffic. They further said that they “stood on [their] brakes in attempts to stop … [and] doing this caused [their] brakes to lock and the vehicle to continue to slide forward and collide with the stopped vehicle.” Furthermore, the trucking company installed a dash cam that recorded the interior of the truck’s cab, and it showed the truck driver proclaiming that the victim’s vehicle was stopped in the roadway, and he just simply couldn’t stop in time. Investigation During the preliminary investigation by the law firm representing the victim’s estate, the attorney noticed that this video that showed the truck driver proclaiming his innocence also revealed that he was interacting with his mobile phone before the collision. Still, the driver refused to say what he was doing on the phone. The lawyers representing the trucking company claimed that the truck driver couldn’t have been using his mobile device because they had installed software that prevented it from being used while the vehicle was in motion. An inspection of the phone showed that a device management application was installed on the mobile device. A review of phone records shows that the driver wasn’t on a phone call or actively sending SMS text messages at the time of the collision, so what was he doing on the phone? CyForce’s Critical Involvement A significant part of the driver’s and company’s defense was that the device management software prevented the truck driver from using their phone during the time of the collision. CyForce performed a full-file system extraction of the iPhone and, after reviewing the detailed call and SMS logs, confirmed that the driver was not calling (via cellular service) or texting (via SMS) at the time of the collision. But we still had the video showing the driver interacting with his phone. What were they doing? Reviewing the device logs, we saw that the phone was connected to two Bluetooth devices. One of the devices was a Bluetooth headset that the driver was wearing in the video, and after looking up the MAC address of the second device, we determined it was the in-cab radio. Was the truck driver listening to music, and was the interaction we saw simply them changing songs (or something similarly mundane)? This is where the iPhone’s “pattern of live” databases and logs became vital. The iPhone continually records every action the user takes on their device, including what applications are running and whether they are in the foreground or background. One exciting feature of the iPhone is its “App Switcher,” which allows the user to swipe up on the screen and switch between running applications. When the user does this action, the device takes a screenshot of the current foreground application before displaying the other applications. This screenshot is used in the App Switcher to show the user what application is running and what its last “state” looked like. These screenshots are stored on the iPhone, even after the application is shut down, and the phone restarted. Luckily forensic examiners, such as the experts at CyForce, can recover these images. After examining these screenshots from the time of the collision, we determined that the truck driver was switching between their calendar and text messaging applications. In the text messaging application, they appeared to be writing a new text message. This message wasn’t sent before the collision, so it did not show up on the records received from the cellular provider. For most forensic services companies, this would be the end of the investigation since we did determine what the truck driver was doing with their phone at the time of the collision, but not for CyForce. At CyForce, we try to anticipate the questioning that the opposing counsel might take related to our forensic analysis, and one line of inquiry we could see being presented with was concerning the device management application and wouldn’t it prevent the driver from using his calendar and messaging applications. Thanks to the full-file system extraction we performed, we were able to locate the device management application. We saw that it was designed to prevent this very activity by the truck driver while the vehicle was in motion. But, we also discovered that the trucking company had failed to update the application to the newest version, and the version installed on the truck driver’s iPhone did not support the version of iOS that was running. The trucking company was under the impression that they were preventing its drivers from accessing their mobile devices while driving the company’s semi-trucks. Still, they were not protected from this behavior due to their failure to keep the application up-to-date. Conclusion Without the thorough examination and analysis by the

Digital Forensics, Smart Phone Forensics

The Role of Digital Forensics in Distracted Driving Litigation

/

As distracted driving continues to be a leading cause of motor vehicle collisions, questions surrounding mobile phone use are becoming increasingly relevant in civil litigation. For attorneys handling personal injury or wrongful death claims, understanding how digital forensics can be used to verify—or refute— allegations of distraction is essential. TURNING ALLEGATIONS INTO EVIDENCE In the courtroom, distraction claims can’t rest on speculation. Digital forensics provides the means to establish a factual timeline of mobile activity before and during a crash. Using specialized tools, forensic examiners can extract and analyze data from smartphones to determine whether a device was being used at the time of the collision. For example, outgoing messages, social media activity, or navigation app interactions seconds before a collision can directly contradict a driver’s sworn testimony. Alternatively, evidence showing the phone was locked and inactive can help defend against unfounded accusations. TYPES OF DATA FORENSIC EXPERTS RECOVER A comprehensive mobile forensic analysis may include SMS and messaging app records, call logs and contact data, app usage and screen interaction, GPS location and travel paths, device lock status and screen-on/off timestamps, recovery of deleted or obscured data, and cloud-synced activity logs (where available). This data is compiled into detailed timelines that can support claims or uncover inconsistencies in opposing testimony. THE VALUE OF OBJECTIVE ANALYSIS It’s important to remember that a phone’s presence at the scene does not imply usage. Digital forensics helps distinguish between actual distraction and assumed behavior. For instance, a phone may have been in a cupholder or connected to a car’s Bluetooth system—resulting in no active engagement by the driver. Digital forensics cuts through assumptions and provides concrete, verifiable answers. LEGAL IMPACT IN CIVIL CASES Courts rely on evidence—not inference. A properly conducted forensic analysis can reinforce or challenge claims of negligence, inform expert witness testimony, support motions or discovery strategies, and influence mediation, arbitration, and trial outcomes. For attorneys on both sides, integrating digital forensics early in the case strategy can be crucial. PRESERVING THE EVIDENCE When phone use is a potential issue, timing is critical. Devices should be preserved immediately, ideally in turing the device off and disconnecting it from power. Delay can lead to data loss, automatic overwrites, or remote access tampering. Engaging a digital forensic expert early helps secure vital evidence before it becomes unrecoverable. FINAL THOUGHTS As smartphones become more embedded in everyday life, they also become central to understanding liability and intent in distracted driving cases. Digital forensics offers attorneys a way to move from assumption to analysis—providing clear, defensible evidence that can support their litigation goals.

digital forensics
Digital Forensics

Data Recovery in Legal Cases: The Role of Digital Forensics

/

In the digital information age, data has become one of the most valuable assets for individuals, organizations, and even societies. Yet, it’s often subjected to the risks of loss, corruption, and unauthorized access. This is where data recovery and digital forensics disciplines come to the fore. DEFINING DATA RECOVERY Data recovery is a specialized process of retrieving inaccessible, lost, or corrupted data from digital media when it cannot be accessed by traditional means. This process can be essential in various scenarios, from accidental deletion and system crashes to more severe instances like disasters or criminal activity. For organizations like CyForce, the goal of data recovery is not merely retrieving lost information but also ensuring the data is recovered in a forensically sound manner while maintaining the integrity and confidentiality of the recovered data. EXPLORING DIGITAL FORENSICS Digital forensics, on the other hand, is a branch of forensic science that focuses on investigating and recovering material found in digital devices, often in relation to criminal or civil litigation or administrative processes. This field involves the collection, analysis, and reporting of digital data in such a way that the data can be used as evidence in a court of law. CyForce, a digital forensics company, employs industry-leading tools and techniques to retrieve digital evidence in a forensically sound manner while ensuring its authenticity and credibility. CONNECTING DATA RECOVERY AND DIGITAL FORENSICS While distinct, data recovery and digital forensics share common ground in digital data handling. For example, digital forensics often depends on data recovery techniques to retrieve deleted or damaged data that may serve as crucial evidence. Conversely, data recovery benefits from digital forensic principles to ensure that the recovered data remains reliable and admissible if needed for legal purposes. SIGNIFICANCE OF DATA IN THE LEGAL REALM As the digital landscape continues to expand, so too does the relevance and significance of data in the legal realm. Data today plays a crucial role in shaping outcomes of legal proceedings, providing a source of truth that can affirm claims or refute allegations. DATA AS EVIDENCE Data, in many forms, can serve as decisive evidence in legal cases. Emails, text messages, call logs, financial transactions, social media interactions – these digital footprints can all offer invaluable insights into the behaviors, actions, and intentions of individuals or entities involved in a case. As a digital forensics company, CyForce recognizes the importance of data as evidence and is committed to unearthing these digital truths to aid in administering justice. IMPACT OF DATA LOSS IN LEGAL CASES Whether intentional or accidental, data loss can have far-reaching implications in legal scenarios. For example, the absence of critical data can obstruct the process of establishing facts, delay legal proceedings, or even lead to wrongful judgments. In these instances, the data recovery capabilities of digital forensics companies become instrumental; by recovering lost data, they can restore the potential for accurate and fair legal outcomes. IMPORTANCE OF RECOVERING LOST DATA Recovering lost data is not just a technical exercise but also a matter of upholding justice. In many cases, recovering lost or deleted data can tip the scales in a legal dispute, revealing hidden evidence or corroborating existing narratives. Hence, the role of data recovery extends beyond technical boundaries, stepping into the realm of ensuring equity and justice in legal proceedings. DATA RECOVERY IN DIGITAL FORENSICS Integrating data recovery practices within digital forensics provides a comprehensive approach to addressing the complex challenges that arise in legal contexts. This fusion allows for a thorough investigation of digital environments while ensuring critical data is preserved and accessible. THE PROCESS OF DATA RECOVERY IN DIGITAL FORENSICS Data recovery in the context of digital forensics begins with identifying and isolating the digital device in question. That is followed by imaging or copying the device in a forensically sound manner to protect the original data, after which data recovery techniques are employed., These can include recovering deleted files, retrieving data from damaged sectors of the device, or even extracting encrypted information. At CyForce, each step is handled meticulously, employing the most advanced tools and adhering to the highest forensic standards and industry best practices. TYPES OF DATA RECOVERED Digital forensics can recover virtually any data as long as it hasn’t been overwritten. For this reason, the data recovery process is one where time is of the essence. This can include text messages, emails, documents, photos, videos, internet history, log files, metadata, and more. More importantly, data recovery in digital forensics can reveal not just the explicit content but also the contextual details such as timestamps, location information, and sender/receiver details, all of which can be critical in legal proceedings. TOOLS AND TECHNIQUES USED FOR DIGITAL FORENSICS Digital forensics leverages various software and hardware tools to facilitate data recovery. These tools can perform multiple tasks, from simple data retrieval to complex functions like file carving and cryptographic hash comparisons. CyForce utilizes industry-leading tools and continually evaluates and adopts innovative technologies to enhance its data recovery capabilities. The combination of data recovery and digital forensics creates a robust framework for addressing the growing complexities of digital evidence in today’s legal landscape. THE ROLE OF DIGITAL FORENSICS IN LEGAL CASES Digital forensics has become an indispensable ally in the legal realm. As the lines between the physical and digital world continue to blur, digital forensics provides a crucial bridge, ensuring digital evidence can be effectively utilized within our legal system. FORENSICS FOR LEGAL COMPLIANCE First and foremost, digital forensics plays a crucial role in ensuring legal compliance. Corporations often need to adhere to numerous regulations that stipulate proper data management, including the ability to produce specific records on demand. A digital forensics company will aid businesses in meeting these requirements, providing digital forensic services to ensure that all relevant digital data is recoverable and accessible. FORENSICS IN CRIMINAL INVESTIGATION Digital forensics has emerged as a formidable tool for law enforcement agencies in criminal investigations. From uncovering digital evidence of illicit activities to tracking offenders using digital footprints, digital forensics

cybersecurity
Digital Forensics

The Role of Digital Forensics in Modern Legal Practice: A Primer

/

In an era dominated by digital data, the importance of digital forensics in the modern legal landscape is undeniable. CyForce, a leading provider of digital forensic services, is at the forefront of this evolving discipline. This guide seeks to illuminate the role and implications of digital forensics within contemporary legal practice. Digital forensics, at its core, involves the identification, preservation, extraction, and documentation of electronic evidence. It emerged as a response to the increasing proliferation of technology and its inevitable integration into legal matters. While originally associated primarily with criminal investigations, today digital forensics extends far beyond this realm, intersecting with civil law, corporate disputes, and more. With the rise of digitization, nearly every individual leaves a digital footprint, from browsing the internet and sending emails to carrying out transactions online. Consequently, digital evidence has become increasingly pertinent in many legal cases, necessitating an understanding of digital forensics among all those engaged in the legal profession. This primer offers a comprehensive overview of digital forensics, exploring its evolution, application, challenges, and future prospects. We will also delve into its ethical dimensions, present compelling case studies, and discuss the requisite skills needed by legal practitioners to navigate this digital landscape effectively. The Evolution of Digital Forensics The journey of digital forensics has been a remarkable one. This discipline, which barely existed a few decades ago, has become an integral part of the legal and investigative processes today. Its evolution can be traced alongside the trajectory of technological advancements that have shaped our digital age. In the early days, digital forensics was primarily linked with computer crime, especially related to hacking and fraud. As personal computers became more common in the 1980s, it became clear that they could also serve as sources of evidence. However, the discipline remained relatively niche, with few standards or formal methodologies available. The 1990s saw the first significant growth of digital forensics, largely driven by law enforcement and the emergence of the internet. More sophisticated cybercrimes necessitated the development of new techniques and tools. In response, the first professional digital forensics tools started to appear. Furthermore, law enforcement agencies began to establish dedicated cybercrime units, raising the profile of the discipline. As we moved into the 21st century, the scope of digital forensics expanded significantly. The explosion of smartphones, social media, cloud computing, and Internet of Things (IoT) devices meant that digital evidence was no longer confined to personal computers. These advancements ushered in new sub-disciplines, such as mobile device forensics and network forensics. Today, digital forensics encompasses a wide array of applications, from investigating corporate malfeasance to combating international crime networks. It plays a critical role not only in criminal investigations but also in civil litigation and corporate audits. It’s important to note that the evolution of digital forensics is still ongoing. Emerging technologies like artificial intelligence, machine learning, blockchain, and quantum computing present both challenges and opportunities for the future of digital forensics. The discipline must continually adapt and evolve to stay abreast of these advancements, reinforcing its pivotal role in the modern legal landscape. The history of digital forensics reveals a clear trend: as our world becomes increasingly digital, the importance and application of digital forensics within legal practice continue to grow. The Broad Spectrum of Digital Forensics The field of digital forensics is extensive and multifaceted. It spans various categories, each focusing on different types of digital media or networks and their associated investigative processes. To appreciate the breadth and depth of this discipline, let’s explore some of these main categories: Categories of Digital Forensics Computer Forensics Computer forensics, often considered the genesis of digital forensics, is the practice of collecting, analyzing, and reporting on digital data from computers in a way that is legally admissible. It can be used to uncover evidence of fraud, cybercrime, or other illicit activities. Computer forensics also extends to the retrieval of lost or accidentally deleted data. Network Forensics Network forensics involves the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. This branch of digital forensics deals with volatile and dynamic information. Network forensics often includes packet capture, traffic analysis, and even wireless forensics. Mobile Device Forensics With the widespread use of smartphones, tablets, and other portable devices, mobile device forensics has become increasingly important. This sub-discipline involves the recovery of digital evidence or data from a mobile device under forensically sound conditions. It can provide valuable evidence in cases ranging from corporate disputes to criminal investigations. Forensic Data Analysis Forensic Data Analysis (FDA) is a branch of digital forensics that examines structured data with the aim of discovering and analyzing patterns of fraudulent activities or anomalies. It’s commonly used in investigations involving financial fraud, such as embezzlement or financial statement fraud. Emerging Trends in Digital Forensics While these established categories form the backbone of digital forensics, the field is continuously evolving. Emerging trends include cloud forensics, dealing with the challenges of acquiring and analyzing data stored remotely on cloud services; and IoT forensics, which focuses on the myriad of smart devices connected to the internet. The growth of cryptocurrency has also led to the development of blockchain forensics, which aims to trace, track, and analyze transactions on the blockchain. The Intersection of Digital Forensics and Legal Practice The increasingly digital nature of our lives has led to a convergence of digital forensics and legal practice. As we move further into the digital age, the demand for digital forensic services in legal cases continues to grow. Here, we’ll discuss the significant applications of digital forensics in various legal areas and the acceptance and validity of digital evidence in court. Application of Digital Forensics in Different Legal Areas Criminal Law In the realm of criminal law, digital forensics plays a vital role in unveiling digital evidence. From computer forensics in cybercrime cases to mobile forensics in tracking illicit activities, digital forensics provides crucial support in solving crimes and securing convictions. This evidence may include browser history, emails,

About

CyForce is your trusted digital forensics partner. Our certified experts provide tailored solutions to ensure data security, confidentiality, and case success. Contact us to learn more.

FL PI Agency Lic. No.: A3500021

CyForce

Office:

(863) 345-1300

Email:

info@CyForceConsulting.com

Address:

400 North Ashley Drive
Suite 1900
Tampa, FL 33602

Menu

© Cyforce, All Rights Reserved.
Scroll to Top