Digital Forensics Aids Road Traffic Investigations
CCL have advanced capabilities at their disposal in terms of Road Traffic Collision (RTC) digital investigations. Where the industry standard is to examine communication data only using commercial tools, CCL’s research and development has uncovered new artefacts previously unchecked using bespoke scripts.
There was a requirement for CCL to investigate whether a suspect was distracted by their mobile phone when a fatal road traffic collision (RTC) occurred. The time and date of the RTC was communicated to the analyst upon receipt of the case; who was then tasked with finding instances of user activity on the phone, in and around the time of the journey.
A full extraction of the device was obtained so CCL’s tools could be used to decode that data. Initially communication data in the form of calls and text messages were recovered and presented for the OIC to review. This yielded no relevant information, so the officer requested that further in-depth research was conducted.
All messaging applications were analysed using CCL’s bespoke scripts to confirm incoming and outgoing messages. This was to include live and deleted data, times that messages were sent/received/opened and whether messages were opened on another device.
Finally, the analyst reviewed event logs, which were recovered in an encoded form, requiring tests to accurately decode the raw data. It was discovered the event logs contained times the screen was unlocked, times applications were opened and further user activity within those applications. Important information was relayed to the investigating officer, regarding the interpretation of the time and date; due to the transition into British Summer Time, as the officer needed to make allowances for this in their interpretation of the results recovered.
The results were presented to the Officer in Charge (OIC) showing that the user had unlocked the phone and accessed the Maps application. They had entered a location and reviewed a suggested journey; then locked the phone for a period of inactivity. They unlocked their phone again minutes before the RTC occurred and made a telephone call. The phone was not unlocked again until after the time of the RTC. The suspect wasn’t charged, as the forensic evidence indicated they were not on their phone at the exact point of collision. They were however cautioned, due to the supporting evidence CCL provided as the phone was used earlier on in the journey.