A significant proportion of the road traffic collisions (RTC) reported in the UK, are believed to be caused as a result of motorists illegally using their mobile phones whilst driving. An investigator will want to determine if a mobile phone was being used in the moments leading up to an incident. Industry standard digital forensic tools can be used to recover evidence of actions completed by the owner of a device, such as, communication records, websites visited or photographs taken. These are typically evaluated against the time of the road traffic collision, but this is only a small piece of the puzzle.
What if the person wasn’t communicating, but was looking at the phone and was therefore distracted?
CCL have invested in research to develop tools geared towards answering this question. As a result, our researchers have uncovered hidden artefacts stored by modern mobile phones which relate to user activities, beyond just communication records. This has helped CCL reconstruct, in vivid detail, exactly what a user was doing right up to the point when an RTC occurred.
The following are examples of user activities CCL can identify, along with the times they occurred:
- Unlocking and locking the phone
- Opening and closing applications (e.g. messages, camera, photo gallery, maps)
- Opening message threads
All of the above are interactions with a mobile phone, which do not result in the creation of a new communication record or other normally accessible artefacts (such as a new call, message or photograph). Therefore, an investigator using only standard off-the-shelf digital forensic tools, would not normally report on these activities.
Our research has unearthed records of user activities in several locations:
Volatile data: Unlike in other instances where the typical advice is to turn the phone off immediately, bag it and send it to a digital forensics facility; in an RTC investigation, the best approach to preserve evidence of user activity would be to perform a forensic extraction, before it is switched off. This is because many operating systems logs are lost when a device is powered off. CCL have designed a forensically sound, specialised technique for extracting these volatile artefacts; ensuring the integrity of both the device and the data recovered.
Applications: Even if the phone has been switched off, CCL can utilise advanced and bespoke analysis techniques on specific applications. Evidence stored in static memory will remain intact, even if the device is powered off. However, due to lack of support, many of these artefacts are not examined as standard by commercial forensic tools. They are now known to contain opening times of the application, items within, and more in-depth information as to what the driver was doing in the time leading up to a collision. CCL’s custom-built script library is ever expanding, to ensure optimum data recovery from all areas of potential relevance, maintaining pace with the ever-changing landscape of mobile device forensics.
Every RTC case has the potential to be a threat to life. By allowing CCL to assist with the supply of digital forensic evidence, the officer in charge will have more proof to support the investigation.
Mobile Device Lab and Cell Site Manager
Sign up to receive the latest news and insight from CCL Group.