
The Importance of Digital Forensics Experts: The Case of the Distracted Pedestrian

Cyber Forensic Services

Introduction:

Recently, CyForce was contracted by a law firm representing the estate of a deceased individual. This person was a well-known resident of a mid-sized city, and they were struck by a motor vehicle while crossing the road. The question in dispute was whether this individual was “distracted” by their mobile phone while crossing the street. The local police department had examined the victim’s phone and “officially determined” that they were actively using a video chat program at the time of the collision and, thus, that they were partially at fault for the collision. This question is so important because, like most states, the state where the collision occurred happens to be a “comparative fault” state, specifically a modified comparative negligence state.

Contributory and Comparative Negligence

States have a couple of approaches when determining and apportioning fault in negligence cases, especially in civil litigation. They can employ a contributory negligence model or a comparative negligence model. Generally speaking, if a state employs a contributory negligence model and you are found to be at fault, even just one percent at fault, you cannot recover damages in a civil suit. On the other hand, if you are in a comparative negligence state, the percentage that each party was at fault will be used to assign damages. For example, if you are found to be 20% at fault, then at most, you can recover 80% of the damages. There are two types of comparative negligence, either pure comparative negligence or modified comparative negligence; the significant difference between the two is that in a modified comparative negligence model, there is a threshold of fault that you must be below before you can be awarded damages. This threshold usually is around 50%.

Case Background

The collision occurred in the late afternoon, on a winter day, with temperatures near 50°F and clear visibility, light wind, and no rain. The victim had just parked their car and was walking to meet friends for dinner. After walking a short distance down the road from their vehicle, the victim decided to cross the street, at which point they were struck by a truck. A bystander used the victim’s phone to call an individual listed in the victim’s most recent call history.

Police Investigation

As with all fatal automobile collisions, the local police investigated the circumstances surrounding the collision to ascertain the facts of the case. Since a bystander could utilize the victim’s phone, the police theorized that the phone was unlocked and being used by the victim at the time of the collision. For this reason, the phone was analyzed by the police department, which included a full file system (FFS) extraction of the phone’s internal memory. After locating the data pertaining to the date and time in question, the police department’s digital forensic investigator saw indicators that a particular video messaging application was running on the phone at the time of the collision. This led them to conclude that the victim was utilizing a video messaging application when they were struck by the truck.

Civil Case

The victim’s estate filed a civil case against the driver of the truck. The driver’s attorney relied heavily on the police department’s report that stated the victim was actively utilizing their phone at the time of the collision. They argued that the victim was primarily at fault for the collision because they were distracted by their phone and stepped out in front of the truck, and the driver did not have time to stop before striking the victim. As you can imagine, having this critical piece of evidence from the police department’s expert “showing” that the victim was actively using a video messaging application at the time of the collision was a major “plus” for the defense in trying to show that the victim was at least 50% at fault for the collision. If the defense was successful in proving this to the court, and since the state where the collision happened was a modified comparative negligence state, the driver would not have to pay damages to the victim’s estate.

CyForce’s Critical Involvement

The attorney for the victim’s estate contacted CyForce and asked us to perform a second examination of the data from the victim’s phone and try to determine if the police’s conclusions were correct. Though CyForce was not provided with the actual phone, they did receive a copy of the FFS extraction and determined that there were no indicators of compromise to the data. The phone in question was determined to be an iPhone 8 Plus running iOS 13.3. Utilizing state-of-the-art technology, CyForce established the “pattern of life” for the iPhone, including detailed usage history covering the time of the collision.

While examining the data, one curious fact stood out to Dr. Lewis, CyForce’s Chief Forensic Officer: the iPhone’s microphone, camera, and speaker were never activated during the time of the collision. The detailed logs and databases that make up the pattern of life on an iPhone show in immense detail what is being utilized on an iPhone and when. For example, they log when the microphone is activated, where the output audio is sent (speaker, Bluetooth, headphone jack, etc.), and when the camera is turned on. Yes, these logs did show that the video messaging application was running, but they didn’t show that any of the usual hardware was being utilized while it was running. Dr. Lewis thought it was rather suspect that a video application would be actively utilized, but the audio wasn’t playing or being recorded, and the camera wasn’t being used.

Of course, in forensic sciences, a hunch isn’t considered evidence. After a thorough search of the literature, it was determined that research on this application was non-existent. Still, similar applications did show the camera, microphone, and speaker activation when used to play or record video messages. This led CyForce to conduct a scientific experiment utilizing the same model of iPhone and the same version of iOS to determine with scientific certainty if the activation of the microphone, speaker, and camera was recorded when utilizing the application in question.

Once the research was completed, CyForce proved that when the application was actively being utilized, the iPhone did record the activation of the respective hardware components. Furthermore, it was scientifically proven that when the application is run in the background, it will show up in the pattern of life logs and database as “active” when it “wakes up” to refresh the data (i.e., get on the internet to check to see if new messages have arrived), and thus appears to be running in the foreground when in fact it is still in the background and not actively being used.
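The correlation described above, as an added example that is not CyForce's tooling or code from the original article: it checks whether each interval in which an application is logged as "active" overlaps camera, microphone, or audio-output activity attributed to that same application. The record layout, bundle identifiers, and timestamps are constructed for illustration and do not reproduce any iOS database schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

HARDWARE = {"camera", "microphone", "audio_output"}

@dataclass(frozen=True)
class Record:
    source: str      # "app_active" or one of HARDWARE (assumed normalized names)
    app: str         # app the record is attributed to (hypothetical bundle id)
    start: datetime
    end: datetime

def overlaps(a_start, a_end, b_start, b_end):
    return a_start < b_end and b_start < a_end

def corroborate(records, app, when, window=timedelta(minutes=2)):
    """Return (start, end, hardware, verdict) for each "active" interval of
    `app` that falls within `window` of the time of interest `when`."""
    lo, hi = when - window, when + window
    findings = []
    for rec in records:
        if rec.source != "app_active" or rec.app != app:
            continue
        if not overlaps(rec.start, rec.end, lo, hi):
            continue
        # Only hardware attributed to the same app counts as corroboration;
        # audio played by a different app during the interval does not.
        hw = sorted({h.source for h in records
                     if h.source in HARDWARE and h.app == app
                     and overlaps(h.start, h.end, rec.start, rec.end)})
        verdict = "hardware-corroborated use" if hw else "active state only"
        findings.append((rec.start, rec.end, hw, verdict))
    return findings

def ts(hms):  # constructed sample date, not taken from the case
    return datetime.fromisoformat("2020-01-15T" + hms)

APP, OTHER = "com.example.videochat", "com.example.music"
T_EARLIER, T_COLLISION = ts("16:12:00"), ts("17:00:00")
SAMPLE = [  # constructed records
    Record("app_active", APP, ts("16:10:00"), ts("16:14:00")),
    Record("camera", APP, ts("16:10:05"), ts("16:13:50")),
    Record("microphone", APP, ts("16:10:05"), ts("16:13:50")),
    Record("audio_output", APP, ts("16:10:05"), ts("16:13:50")),
    Record("app_active", APP, ts("16:59:40"), ts("17:00:05")),   # brief wake-up
    Record("audio_output", OTHER, ts("16:55:00"), ts("17:05:00")),
]

if __name__ == "__main__":
    for when in (T_EARLIER, T_COLLISION):
        for start, end, hw, verdict in corroborate(SAMPLE, APP, when):
            print(when.time(), start.time(), end.time(), hw, verdict)
```
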

Conclusion

By hiring the digital forensic experts at CyForce, the victim’s attorney was able to prove to the court that contrary to the findings of the police department, the victim was not actively using their phone at the time of the collision, and thus was able to refute the defense’s claims that the victim was a “distracted pedestrian.”

As is evident in this case, it is very easy with today’s modern digital forensic tools for mistakes to be made and faulty conclusions to be drawn. This usually happens when individuals who are not forensic scientists are required to interpret data from powerful forensic tools, and that is why it is vital that experts, such as the forensic scientists at CyForce, process digital evidence. Your evidence is truly only as good as the expert who can testify to it.