The aftermath of a motor carrier accident can be a harrowing experience. It is common knowledge that photos; witness statements; alcohol and drug testing; electronic logs; and electronic control module (ECM) data must be collected and preserved amid this chaotic scene. However, mobile device evidence is often an afterthought (if a thought at all). This confusion is partly due to the misunderstanding between evidentiary data on a mobile device versus what is contained in call detail records.
Depending on the cellular provider, call detail records may contain the calls, text messages, and data transmissions from a mobile device. These records will only have the transmission date and time of a text message, not the actual content of what was sent. You can also forget about recovering data from messaging applications like Facebook Messenger, Instagram, Kik Messenger, WhatsApp, and Telegram. These applications and others use data to transmit messages, meaning they would create no record of ever existing in a call detail report.
Further, the data records returned from call detail reports are nearly useless for anything other than showing that the phone was powered on at the time of an incident. Investigators cannot determine what activity or application the data transmission is related to just from call detail records alone. Further, it is impossible to tell if a data transmission was caused by an automated function of the cell phone or was generated by user activity.
The most inclusive source of evidence for what transpired is contained in the internal storage of the mobile device, which needs to be examined using digital forensic software and hardware. With the data contained on the mobile device, it is possible to determine what was occurring at the time of the accident. By examining the mobile device’s internal memory, experts can determine what happened on the phone at the time of the accident, including evidence from applications that only create data records in a call detail record, like third-party messaging apps, social media, games, or movie and music streaming services.
Making First Contact
The data contained on a mobile device is both volatile and fragile. It is volatile in that it is easily altered by mishandling the evidence, and it is fragile because critical data can be destroyed if best practices are not implemented when collecting data from a mobile device. If the mobile device is not handled following digital forensics best practices, it can be impossible to determine in some instances what data was changed and if those changes were intentional or unintentional.
According to the Federal Motor Carrier Safety Administration (FMCSA), “No driver may use a hand-held mobile telephone or engage in texting while driving a commercial motor vehicle,” according to 49 CFR 392, Subpart H. The only occasion where either is permissible is when drivers “are communicating with law enforcement officials or other emergency services.”
Keeping the words of the FMCSA in mind, let’s consider a catastrophic truck accident scenario. The first to respond to the scene—be that law enforcement, a company representative, or counsel—performs what is called “thumb forensics” on the mobile device to see if any text messages were sent or read contemporaneous to when the accident occurred.
In this scenario, the driver of the truck received five text messages in the timeframe of interest, but never looked at the messages. By thumbing through the phone, the first responder changes the status of the five messages from unread to read. Now, the knowledge of the content of those messages, as well as having seemingly looked at those messages, would be attributed to the driver. If the phone had been handled properly, those messages could not be used as evidence of driver distraction, because there was no evidence of distraction.
In other words, the first responder’s actions caused all of the evidence on the phone to become suspect. If gone unchecked, this mishandling of the evidence could have led a judge and jury to a false conclusion. As triers of fact, the judge and jury could have wrongly attributed knowledge of the mobile device’s message contents, state, and time stamps to the defendant.
Protecting the Evidence
The initial handling of digital evidence can be divided into four phases composed of identification, collection, acquisition, and preservation. Any deviation by an examiner from these phases can be challenged.
The purpose and scope of the identification phase is to identify sources of digital evidence relevant to the case. This evidence can span multiple devices, systems, servers, and cloud accounts. For mobile devices, relevant data can be located on the internal storage of the phone, in call detail records, cloud accounts like the Apple iCloud or Google Drive, and other synced devices. For example, since messages sync between devices, even if the phone goes missing, records of those messages could exist on a user’s tablet or laptop computer.
The primary goal of the collection process, other than ensuring all relevant electronic items are collected, is to protect digital evidence from contamination. One way this is done is by isolating the devices from their respective users until a forensic acquisition of the mobile device can be performed. While in their custody, the user or first responder could delete, create, or change data before the forensic acquisition is performed. They could also factory reset or wipe the device, permanently destroying data or potentially everything on the mobile device.
Along with isolating it from the user, the mobile device should also be isolated from itself. By design, mobile devices are intended for communication, so they are continually sending and receiving data even when they are on the bedside table charging overnight. If data transmission occurs—even with no person physically touching the phone—data can be lost, changed, or destroyed.
Isolation of the device itself is achieved by eliminating all forms of data transmission, including the cellular network, Bluetooth, wireless networks, and infrared connections. This prevents it from receiving any new data that would cause other data to be deleted or overwritten. This can be accomplished by using Faraday technology. A Faraday bag blocks signals that a cell phone might pick up by isolating it from electrical fields and radio frequencies. A cell phone can also be isolated from networks by placing it into airplane mode with wireless network connectivity turned off. A first responder should do this if they do not have immediate access to Faraday technology.
The forensic acquisition process encompasses all of the methods and procedures utilized to collect digital evidence in digital forensics. With mobile devices, the acquisition methods used are determined by multiple factors, including the cell phone’s make, model, operating system, and physical damage.
Regardless of the method used, when a mobile device is forensically copied, all contents go inside a special forensic file type. The contents recovered from the phone are encapsulated in this forensic file and are tamperproof. If any manipulation did occur, the hash algorithm, or digital DNA, would report a different number. This is a clear indication to an examiner that the evidence is not as it purports to be.
Forensic acquisition puts a bow on the whole process. At this point, an investigator has a perfect snapshot in time of the data that exists on a mobile device, and it’s also now tamperproof. However, as we have already discussed, it’s important to get to a scene as quickly as possible. If a first responder mishandles a mobile device before the data is forensically extracted, the data could already be compromised.
Evidence preservation protects digital evidence from modification. Protection begins by ensuring that anyone who touches the device handles it correctly. A chain of custody must be maintained throughout the lifecycle of a case. It should identify the name of the person who collected the mobile device, including title, organization, and contact information. Whenever the evidence is transferred from a person and location, it should be documented. Dates and times should accompany all activities.
The forensic data collection process from the mobile device is commonly called a forensic extraction or forensic acquisition. Following forensic copying comes hashing, where a mathematical algorithm is run against the copied data producing a unique hash value. This hash value can be thought of as a digital DNA, uniquely identifying the copied evidence exactly as it exists at a certain point in time.
According to Pew Research, in the United States, 96% of the population owns a cell phone, up from only 35% in 2011. So, it is no wonder that the most common objection we encounter to gaining access to a driver’s or plaintiff’s phone is that they require it for their daily lives.
Therefore, simply taking a driver’s phone is not always an option, but it does not mean that the evidence on the phone is out of reach. The solution is to transfer data from the driver’s current phone to a new phone so that the evidentiary value is preserved, while also providing the driver their data so these road warriors can function unimpeded. Protocols designed by digital forensic experts for laypersons exist for precisely this purpose.
The Stakes Have Never Been Higher
According to a CNBC report from March 2021 entitled, “Rise in ‘Nuclear Verdicts’ in Lawsuits Threatens Trucking Industry,” from 2010 to 2018, the average verdict size for lawsuits above $1 million in motor carrier accident cases has increased nearly 1,000%, rising from $2.3 million to $22.3 million.
Joe Fried, a renowned plaintiffs’ attorney who specializes in trucking accident cases, wrote in his firm’s book “Understanding Motor Carrier Claims, Sixth Edition,” that “the two main driver distractions that have received most of the publicity in the news is the use of cellphones and on-board computer messaging systems. The FMCSA prohibits any texting while driving. Texting is defined as ‘any electronic text retrieval or entry, short message service, emailing, instant messaging, accessing the internet, or pressing more than a single button to make a or receive a call.’ Regulations also require a truck driver to use a hands-free cellphone while driving. Most CDL manuals warn against using cellphones in any manner while driving a commercial vehicle.”
Plaintiffs’ attorneys know the value of the evidence contained on mobile devices in trucking accident cases. Mishandling a phone opens the door to question the integrity of the mobile device’s data and compromises the ability to introduce exculpatory evidence in the case.
Fried notes that drivers should be using hands-free technology and, in doing so, he illustrates our point. We can often tell if a driver used voice commands or hands-free technology to compose or listen to messages using digital forensics. However, using only call detail records, it cannot be determined if the messages were created or viewed with voice commands or with eyeballs and thumbs on the screen.
Properly preserving and handling mobile devices following a collision not only protects the evidence, but also safeguards potential defenses in the case and saves motor carriers and their insurers on litigation spend, settlements, and verdict awards.