
Smart Phone Forensics

Cyber Forensic Services
Case Studies, Digital Forensics, Smart Phone Forensics

The Importance of Digital Forensics Experts: The Case of the Distracted Pedestrian

Introduction

Recently, CyForce was contracted by a law firm representing the estate of a deceased individual. This person was a well-known resident of a mid-sized city, and they were struck by a motor vehicle while crossing the road. The question in dispute was whether this individual was “distracted” by their mobile phone while crossing the street. The local police department had examined the victim’s phone and “officially determined” that they were actively using a video chat program at the time of the collision. Thus, they were partially at fault for the collision that occurred. This question is so important because, like most states, the state where the collision occurred happens to be a “comparative fault” state, specifically a modified comparative negligence state.

Contributory and Comparative Negligence

States have a couple of approaches when determining and apportioning fault in negligence cases, especially in civil litigation. They can employ a contributory negligence model or a comparative negligence model. Generally speaking, if a state employs a contributory negligence model and you are found to be at fault, even just one percent at fault, you cannot recover damages in a civil suit. On the other hand, if you are in a comparative negligence state, the percentage that each party was at fault will be used to assign damages. For example, if you are found to be 20% at fault, then at most, you can recover 80% of the damages. There are two types of comparative negligence: pure comparative negligence and modified comparative negligence. The significant difference between the two is that in a modified comparative negligence model, there is a threshold of fault that you must be below before you can be awarded damages. This threshold usually is around 50%.

Case Background

The collision occurred in the late afternoon, on a winter day, with temperatures near 50°F and clear visibility, light wind, and no rain. The victim had just parked their car and was walking to meet friends for dinner. After walking a short distance down the road from their vehicle, the victim decided to cross the street, at which point they were struck by a truck. A bystander used the victim’s phone to call an individual listed in the victim’s most recent call history.

Police Investigation

As with all fatal automobile collisions, the local police investigated the circumstances surrounding the collision to ascertain the facts of the case. Since a bystander could utilize the victim’s phone, the police theorized that the phone was unlocked and being used by the victim at the time of the collision. For this reason, the phone was analyzed by the police department, which included a full file system (FFS) extraction of the phone’s internal memory. After locating the data pertaining to the date and time in question, the police department’s digital forensic investigator saw indicators that a particular video messaging application was running on the phone at the time of the collision. This led them to conclude that the victim was utilizing a video messaging application when they were struck by the truck.

Civil Case

The victim’s estate filed a civil case against the driver of the truck. The driver’s attorney relied heavily on the police department’s report that stated the victim was actively utilizing their phone at the time of the collision. They argued that the victim was primarily at fault for the collision because they were distracted by their phone and stepped out in front of the truck, and the driver did not have time to stop before striking the victim. As you can imagine, having this critical piece of evidence from the police department’s expert “showing” that the victim was actively using a video messaging application at the time of the collision was a major “plus” for the defense in trying to show that the victim was at least 50% at fault for the collision. If the defense was successful in proving this to the court, and since the state where the collision happened was a modified comparative negligence state, the driver would not have to pay damages to the victim’s estate.

CyForce’s Critical Involvement

The attorney for the victim’s estate contacted CyForce and asked us to perform a second examination of the data from the victim’s phone and try to determine if the police’s conclusions were correct. Though CyForce was not provided with the actual phone, they did receive a copy of the FFS extraction and determined that there were no indicators of compromise to the data. The phone in question was determined to be an iPhone 8 Plus running iOS 13.3. Utilizing state-of-the-art technology, CyForce established the “pattern of life” for the iPhone, including detailed usage history covering the time of the collision.

While examining the data, one curious fact stood out to Dr. Lewis, CyForce’s Chief Forensic Officer: the iPhone’s microphone, camera, and speaker were never activated during the time of the collision. The detailed logs and databases that make up the pattern of life on an iPhone show in immense detail what is being utilized on an iPhone and when. For example, they log when the microphone is activated, where the output audio is sent (speaker, Bluetooth, headphone jack, etc.), and when the camera is turned on. Yes, these logs did show that the video messaging application was running, but they didn’t show that any of the usual hardware was being utilized while it was running. Dr. Lewis thought it was rather suspect that a video application would be actively utilized while the audio wasn’t playing or being recorded and the camera wasn’t being used.

Of course, in forensic sciences, a hunch isn’t considered evidence. After a thorough search of the literature, it was determined that research on this application was non-existent. Still, similar applications did show the camera, microphone, and speaker activation when used to play or record video messages. This led CyForce to conduct a scientific experiment utilizing the same model of iPhone and the same version of iOS to determine with scientific certainty if the activation of

Case Studies, Digital Forensics, Smart Phone Forensics

The Case of the Busy Truck Driver

Introduction

At CyForce, clients frequently ask us if we can determine what a user is doing on their smartphone at a particular time. Most of the time, the client is looking for who the user was texting, calling, or video-chatting with or what websites they were accessing, all of which are relatively straightforward data points to capture from the mobile device. But in a recent case, the answer was not as clear; in fact, it involved conducting a deep dive into the “pattern of life” of a particular iPhone and finding that the device management software the employer installed on their employee’s mobile device wasn’t preventing them from using the iPhone as they drove a loaded semi-truck down a busy interstate.

Case Background

This case involves the estate of a victim involved in a vehicular collision on a major metropolitan interstate in the middle of the day. The victim was driving a private automobile, and the suspect was driving a semi-truck. According to the statement the truck driver gave the police, they were traveling on the interstate when the vehicle in front of them changed lanes abruptly. As the vehicle went to the adjacent lane, they saw another vehicle stopped in the middle of the roadway. The truck driver said they could not move to another lane because of traffic. They further said that they “stood on [their] brakes in attempts to stop … [and] doing this caused [their] brakes to lock and the vehicle to continue to slide forward and collide with the stopped vehicle.” Furthermore, the trucking company installed a dash cam that recorded the interior of the truck’s cab, and it showed the truck driver proclaiming that the victim’s vehicle was stopped in the roadway, and he just simply couldn’t stop in time.

Investigation

During the preliminary investigation by the law firm representing the victim’s estate, the attorney noticed that the video that showed the truck driver proclaiming his innocence also revealed that he was interacting with his mobile phone before the collision. Still, the driver refused to say what he was doing on the phone. The lawyers representing the trucking company claimed that the truck driver couldn’t have been using his mobile device because they had installed software that prevented it from being used while the vehicle was in motion. An inspection of the phone showed that a device management application was installed on the mobile device. A review of phone records showed that the driver wasn’t on a phone call or actively sending SMS text messages at the time of the collision, so what was he doing on the phone?

CyForce’s Critical Involvement

A significant part of the driver’s and company’s defense was that the device management software prevented the truck driver from using their phone during the time of the collision. CyForce performed a full-file system extraction of the iPhone and, after reviewing the detailed call and SMS logs, confirmed that the driver was not calling (via cellular service) or texting (via SMS) at the time of the collision. But we still had the video showing the driver interacting with his phone. What were they doing?

Reviewing the device logs, we saw that the phone was connected to two Bluetooth devices. One of the devices was a Bluetooth headset that the driver was wearing in the video, and after looking up the MAC address of the second device, we determined it was the in-cab radio. Was the truck driver listening to music, and was the interaction we saw simply them changing songs (or something similarly mundane)? This is where the iPhone’s “pattern of life” databases and logs became vital.

The iPhone continually records every action the user takes on their device, including what applications are running and whether they are in the foreground or background. One exciting feature of the iPhone is its “App Switcher,” which allows the user to swipe up on the screen and switch between running applications. When the user does this action, the device takes a screenshot of the current foreground application before displaying the other applications. This screenshot is used in the App Switcher to show the user what application is running and what its last “state” looked like. These screenshots are stored on the iPhone, even after the application is shut down and the phone is restarted. Luckily, forensic examiners, such as the experts at CyForce, can recover these images.

After examining these screenshots from the time of the collision, we determined that the truck driver was switching between their calendar and text messaging applications. In the text messaging application, they appeared to be writing a new text message. This message wasn’t sent before the collision, so it did not show up on the records received from the cellular provider.

For most forensic services companies, this would be the end of the investigation since we did determine what the truck driver was doing with their phone at the time of the collision, but not for CyForce. At CyForce, we try to anticipate the questioning that the opposing counsel might pursue related to our forensic analysis, and one line of inquiry we could foresee concerned the device management application: wouldn’t it have prevented the driver from using his calendar and messaging applications? Thanks to the full-file system extraction we performed, we were able to locate the device management application. We saw that it was designed to prevent this very activity by the truck driver while the vehicle was in motion. But we also discovered that the trucking company had failed to update the application to the newest version, and the version installed on the truck driver’s iPhone did not support the version of iOS that was running. The trucking company was under the impression that it was preventing its drivers from accessing their mobile devices while driving the company’s semi-trucks. Still, the company was not protected from this behavior due to its failure to keep the application up-to-date.

Conclusion

Without the thorough examination and analysis by the

Digital Forensics, Smart Phone Forensics

The Role of Digital Forensics in Distracted Driving Litigation

As distracted driving continues to be a leading cause of motor vehicle collisions, questions surrounding mobile phone use are becoming increasingly relevant in civil litigation. For attorneys handling personal injury or wrongful death claims, understanding how digital forensics can be used to verify—or refute—allegations of distraction is essential.

TURNING ALLEGATIONS INTO EVIDENCE

In the courtroom, distraction claims can’t rest on speculation. Digital forensics provides the means to establish a factual timeline of mobile activity before and during a crash. Using specialized tools, forensic examiners can extract and analyze data from smartphones to determine whether a device was being used at the time of the collision. For example, outgoing messages, social media activity, or navigation app interactions seconds before a collision can directly contradict a driver’s sworn testimony. Alternatively, evidence showing the phone was locked and inactive can help defend against unfounded accusations.

TYPES OF DATA FORENSIC EXPERTS RECOVER

A comprehensive mobile forensic analysis may include SMS and messaging app records, call logs and contact data, app usage and screen interaction, GPS location and travel paths, device lock status and screen-on/off timestamps, recovery of deleted or obscured data, and cloud-synced activity logs (where available). This data is compiled into detailed timelines that can support claims or uncover inconsistencies in opposing testimony.

THE VALUE OF OBJECTIVE ANALYSIS

It’s important to remember that a phone’s presence at the scene does not imply usage. Digital forensics helps distinguish between actual distraction and assumed behavior. For instance, a phone may have been in a cupholder or connected to a car’s Bluetooth system—resulting in no active engagement by the driver. Digital forensics cuts through assumptions and provides concrete, verifiable answers.

LEGAL IMPACT IN CIVIL CASES

Courts rely on evidence—not inference. A properly conducted forensic analysis can reinforce or challenge claims of negligence, inform expert witness testimony, support motions or discovery strategies, and influence mediation, arbitration, and trial outcomes. For attorneys on both sides, integrating digital forensics early in the case strategy can be crucial.

PRESERVING THE EVIDENCE

When phone use is a potential issue, timing is critical. Devices should be preserved immediately, ideally by turning the device off and disconnecting it from power. Delay can lead to data loss, automatic overwrites, or remote access tampering. Engaging a digital forensic expert early helps secure vital evidence before it becomes unrecoverable.

FINAL THOUGHTS

As smartphones become more embedded in everyday life, they also become central to understanding liability and intent in distracted driving cases. Digital forensics offers attorneys a way to move from assumption to analysis—providing clear, defensible evidence that can support their litigation goals.
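
The timeline reasoning in the case studies and in the data types listed above (an application merely running versus the camera, microphone, or audio output actually being active, read alongside lock and screen state) comes down to an interval-overlap check around the incident time. The following is an added example, not CyForce's tooling or code from the original page; the record layout, event names, and sample values are constructed for illustration and do not correspond to any specific iOS database.

```python
from datetime import datetime, timedelta

def ts(clock):
    """Parse a constructed HH:MM:SS timestamp (single-day sample)."""
    return datetime.strptime(clock, "%H:%M:%S")

# Constructed sample timeline: (kind, name, start, end).
# The record layout and names are assumptions for illustration; real
# pattern-of-life artifacts differ by tool and iOS version.
EVENTS = [
    ("app_running", "video_chat", ts("16:40:10"), ts("16:58:30")),
    ("screen_on",   "display",    ts("16:40:05"), ts("16:41:00")),
    ("locked",      "device",     ts("16:41:00"), ts("16:58:00")),
    ("hardware",    "camera",     ts("16:40:12"), ts("16:40:50")),
    ("hardware",    "microphone", ts("16:40:12"), ts("16:40:50")),
    ("hardware",    "speaker",    ts("16:40:12"), ts("16:40:50")),
]

def overlapping(events, kind, start, end):
    """Names of events of one kind whose interval intersects the window."""
    return sorted(n for k, n, s, e in events if k == kind and s < end and e > start)

def covered(events, kind, start, end):
    """True if a single event of this kind spans the whole window."""
    return any(k == kind and s <= start and e >= end for k, _, s, e in events)

def assess(events, incident, margin_s=30):
    """Summarise what the timeline supports for incident +/- margin_s seconds."""
    start = incident - timedelta(seconds=margin_s)
    end = incident + timedelta(seconds=margin_s)
    apps = overlapping(events, "app_running", start, end)
    hardware = overlapping(events, "hardware", start, end)
    screen_on = bool(overlapping(events, "screen_on", start, end))
    locked = covered(events, "locked", start, end)
    if apps and hardware:
        verdict = "active_use_indicators"
    elif apps and (locked or not screen_on):
        verdict = "running_without_use_indicators"
    elif apps:
        verdict = "inconclusive"
    else:
        verdict = "no_app_activity"
    return {"apps": apps, "hardware": hardware, "screen_on": screen_on,
            "locked": locked, "verdict": verdict}

if __name__ == "__main__":
    print(assess(EVENTS, ts("16:50:00")))
    print(assess(EVENTS, ts("16:40:30"), margin_s=10))
```

The verdict labels are indicators for an examiner to follow up on, and the window margin should reflect the uncertainty in the incident time and in the device clock.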
