As cell phones get more and more sophisticated, so does the data stored on the devices. While the goals of service providers and phone manufacturers include providing a better user experience, such as estimating how long it may take to get to a frequent location or presenting a particular notification, the related data offers a gold mine for forensic review. We are continuously exploring ways to decode and make use of the data to provide relevant information in litigation or investigation.
Here are some of our recent capabilities:
Speed of phone at particular time
A personal injury attorney told me a couple of years ago that if we could ever determine how fast a phone was going at the time of a vehicle collision, we would have more work than we could handle. We can now parse information from an iPhone and the apps on it to determine the speed of the phone (i.e., the car it was in) at a particular time. Sometimes this speed is recorded several times per minute. The capabilities vary by iPhone model and the method used to extract the phone data, but in a recent case, we were able to combine this with other artifacts to show a speeding driver who was handling her phone and interacting with apps prior to a double fatal collision.
User interaction with a phone
A text has been displayed to the user, but did they open it or read it? While some examiners may draw a conclusion based on the system accessing app program files, it is important to distinguish between user interaction with a phone and file access that happens just because the app is running. Our examiners know where to look for the difference.
Was the phone plugged into the USB? Connected to Bluetooth?
Of course, there are lots of things we can do with our phones “hands-free” that would be ill-advised or illegal handheld. Both iPhones and Androids log information about connections to Bluetooth or USB devices, and we can parse that information from the phone to determine the state of connection at a particular time. We can also extract information about whether the phone was charging at a particular time.
Best of all, we can (and have) put all of the location, speed and app data together in a timeline or demonstrative. Below is a redacted version of a recent demonstrative we created in a case illustrating speed, use of Snapchat (yes, we can recover Snapchat activity and photos!) and location: