
The Case of the Busy Truck Driver

Introduction:

At CyForce, clients frequently ask us if we can determine what a user is doing on their smartphone at a particular time. Most of the time, the client is looking for who the user was texting, calling, or video-chatting with or what websites they were accessing, all of which are relatively straightforward data points to capture from the mobile device. But in a recent case, the answer was not as clear; in fact, it involved conducting a deep dive into the “pattern of life” of a particular iPhone and finding that the device management software the employer installed on their employee’s mobile device wasn’t preventing them from using the iPhone as they drove a loaded semi-truck down a busy interstate.

Case Background

This case involves the estate of a victim involved in a vehicular collision on a major metropolitan interstate in the middle of the day. The victim was driving a private automobile, and the suspect was driving a semi-truck. According to the statement the truck driver gave the police, they were traveling on the interstate when the vehicle in front of them changed lanes abruptly. As the vehicle went to the adjacent lane, they saw another vehicle stopped in the middle of the roadway. The truck driver said they could not move to another lane because of traffic. They further said that they “stood on [their] brakes in attempts to stop … [and] doing this caused [their] brakes to lock and the vehicle to continue to slide forward and collide with the stopped vehicle.” Furthermore, the trucking company installed a dash cam that recorded the interior of the truck’s cab, and it showed the truck driver proclaiming that the victim’s vehicle was stopped in the roadway, and he just simply couldn’t stop in time.

Investigation

During the preliminary investigation by the law firm representing the victim’s estate, the attorney noticed that the same video that showed the truck driver proclaiming his innocence also revealed that he was interacting with his mobile phone before the collision. Still, the driver refused to say what he was doing on the phone. The lawyers representing the trucking company claimed that the truck driver couldn’t have been using his mobile device because they had installed software that prevented it from being used while the vehicle was in motion. An inspection of the phone showed that a device management application was installed on the mobile device. A review of phone records showed that the driver wasn’t on a phone call or actively sending SMS text messages at the time of the collision, so what was he doing on the phone?

CyForce’s Critical Involvement

A significant part of the driver’s and company’s defense was that the device management software prevented the truck driver from using their phone during the time of the collision. CyForce performed a full-file system extraction of the iPhone and, after reviewing the detailed call and SMS logs, confirmed that the driver was not calling (via cellular service) or texting (via SMS) at the time of the collision. But we still had the video showing the driver interacting with his phone. What were they doing? Reviewing the device logs, we saw that the phone was connected to two Bluetooth devices. One of the devices was a Bluetooth headset that the driver was wearing in the video, and after looking up the MAC address of the second device, we determined it was the in-cab radio. Was the truck driver listening to music, and was the interaction we saw simply them changing songs (or something similarly mundane)?

This is where the iPhone’s “pattern of life” databases and logs became vital. The iPhone continually records every action the user takes on their device, including what applications are running and whether they are in the foreground or background. One exciting feature of the iPhone is its “App Switcher,” which allows the user to swipe up on the screen and switch between running applications. When the user does this action, the device takes a screenshot of the current foreground application before displaying the other applications. This screenshot is used in the App Switcher to show the user what application is running and what its last “state” looked like. These screenshots are stored on the iPhone, even after the application is shut down and the phone is restarted. Luckily, forensic examiners, such as the experts at CyForce, can recover these images.

After examining these screenshots from the time of the collision, we determined that the truck driver was switching between their calendar and text messaging applications. In the text messaging application, they appeared to be writing a new text message. This message wasn’t sent before the collision, so it did not show up on the records received from the cellular provider.
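The cross-check described above, as an added example (not CyForce's tooling and not part of the original article): it merges foreground-application intervals with App Switcher snapshot timestamps into one timeline ending at an incident time, and checks that each snapshot lines up with its app leaving the foreground. All records, the incident time and the two-second tolerance are constructed, and timestamps are assumed to be seconds since 2001-01-01 UTC, the epoch Apple platforms commonly use.

```python
from datetime import datetime, timedelta, timezone

# Apple platforms commonly store timestamps as seconds since 2001-01-01 UTC.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Constructed sample data (not from the case): incident time, foreground
# intervals as (bundle_id, start, end), and snapshot files as (bundle_id, mtime).
INCIDENT = 700_000_000.0
FOCUS = [
    ("com.apple.Music",     699_999_400.0, 699_999_880.0),
    ("com.apple.mobilecal", 699_999_880.0, 699_999_930.0),
    ("com.apple.MobileSMS", 699_999_930.0, 699_999_960.0),
    ("com.apple.mobilecal", 699_999_960.0, 699_999_975.0),
    ("com.apple.MobileSMS", 699_999_975.0, 700_000_020.0),
]
SNAPSHOTS = [
    ("com.apple.Music",     699_990_000.0),  # stale image from an earlier session
    ("com.apple.mobilecal", 699_999_931.0),
    ("com.apple.MobileSMS", 699_999_961.0),
    ("com.apple.mobilecal", 699_999_976.0),
]

def from_apple(seconds):
    """Convert seconds since the Apple epoch to an aware UTC datetime."""
    return APPLE_EPOCH + timedelta(seconds=seconds)

def foreground_at(focus, t):
    """Return the bundle id in the foreground at time t, or None."""
    return next((b for b, start, end in focus if start <= t < end), None)

def corroborate(focus, snapshots, tolerance=2.0):
    """Assumption, following the article: a snapshot is written as its app leaves
    the foreground, so it should sit near the end of a focus interval for that app."""
    return [(b, t, any(fb == b and abs(end - t) <= tolerance
                       for fb, _, end in focus))
            for b, t in snapshots]

def build_timeline(focus, snapshots, incident, window=120.0):
    """Merge both artifacts into one ordered list covering the window
    that ends at the incident time."""
    lo = incident - window
    events = [(s, "foreground", b) for b, s, _ in focus if lo <= s <= incident]
    events += [(t, "snapshot", b) for b, t in snapshots if lo <= t <= incident]
    return [(from_apple(t).isoformat(), kind, b) for t, kind, b in sorted(events)]

if __name__ == "__main__":
    for row in build_timeline(FOCUS, SNAPSHOTS, INCIDENT):
        print(*row)
    print("foreground at incident:", foreground_at(FOCUS, INCIDENT))
```

A snapshot that fails the corroboration check, like the stale Music entry in the sample data, is not discarded; it simply cannot be tied to an app switch inside the window under review.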

For most forensic services companies, this would be the end of the investigation, since we had determined what the truck driver was doing with their phone at the time of the collision, but not for CyForce. At CyForce, we try to anticipate the questioning that opposing counsel might pursue related to our forensic analysis, and one line of inquiry we could foresee concerned the device management application: wouldn’t it have prevented the driver from using his calendar and messaging applications? Thanks to the full-file system extraction we performed, we were able to locate the device management application. We saw that it was designed to prevent this very activity by the truck driver while the vehicle was in motion. But we also discovered that the trucking company had failed to update the application to the newest version, and the version installed on the truck driver’s iPhone did not support the version of iOS that was running. The trucking company was under the impression that it was preventing its drivers from accessing their mobile devices while driving the company’s semi-trucks. Still, it was not protected from this behavior due to its failure to keep the application up-to-date.

Conclusion

Without the thorough examination and analysis by the digital forensic experts at CyForce, the defendants in this case would have had two very plausible defenses, both of which the evidence refuted: (1) that the driver was simply changing their music or doing some other mundane activity on their phone, and (2) that the trucking company was running software on the driver’s phone that prevented him from actually using applications that required their prolonged attention, such as messaging applications. As a reminder, these computers that we carry around daily keep detailed records of our movements and actions, and all it takes is a trained digital forensic expert to gather the evidence and rebuild the timeline of activities from these records. This case settled with an award for the plaintiff in the amount of $45,000,000, which we are confident would not have happened without the vital digital evidence uncovered by CyForce.