Digital Forensics

A Guide for Trucking Attorneys: Unraveling Conflation and Clearing Confusion Between Cell Phone Forensics and Phone Records

25 July 2024

Cell phone evidence is a crucial component in motor carrier accident investigations. However, this evidence often brings with it a cloud of confusion. As a digital forensics expert who regularly educates legal professionals, I encounter three primary sources of this confusion.

  1. There is a lack of understanding of the differences between Call Detail Records (CDRs) and Phone Bills.
  2. Many struggle to differentiate between what can be determined from phone records versus data extracted directly from a mobile device through a cell phone forensic data extraction and examination.
  3. There's uncertainty surrounding the forensic extraction process, specifically how to preserve cell phone evidence and what data extraction methods are appropriate in trucking accident cases.

Let's dive into these issues and shed some light on the proper use and interpretation of cell phone evidence in motor carrier accident investigations.

The Tale of Two Records: Phone Bills vs. Call Detail Records

Phone records are not created equal. The two main types you will encounter are phone bills and Call Detail Records (CDRs). While both can provide valuable information, they serve different purposes and offer varying levels of detail.

Phone bills are essentially invoices. They summarize charges for a specific phone line or number over a given period. These bills typically include the date and time of calls or messages, the phone numbers involved, call duration, and the type of call (outgoing, incoming, or missed).

They also list charges for calls, texts, and data usage, along with the total charges, including taxes and fees. Customers primarily use phone bills to track their usage and pay for services.

CDRs can contain user activity that will not show up on a phone bill. For example, an outgoing call that lasts less than a minute might not appear on the phone bill but can appear in the CDRs, because a call under a minute did not last long enough to be considered a chargeable event.

On the other hand, Call Detail Records (CDRs) are more comprehensive. They contain all the information found in phone bills but often include additional details such as the precise call date and time (down to the second), text message details (if provided by the carrier), phone location data (like the cell tower used), call routing information, and data usage details.

The key difference lies in their purpose and accessibility. Phone bills are designed for customer billing and are readily available to customers. CDRs, however, are created for internal use and typically require subpoenas or court orders to access.

It's crucial to remember that neither phone bills nor CDRs were originally designed to track historical locations or provide evidence of driver distraction. They are business records created to document provided services.

The Big Three: Voice Calls, Texts, and Data Records

Three common types of data can be included in CDRs: voice call, text message, and data records.

Voice Call Records

These records show when phone calls were made or received, including the time, duration, and phone numbers involved. They can differentiate between outgoing, incoming, and missed calls.

CDRs will include calls and activities that will not show up on a standard phone bill. 

Text Message Records

These logs show when Short Message Service (SMS) and Multimedia Message Service (MMS) messages were sent or received, including the time and phone numbers involved. They typically don't include the content of the messages, so you only get records of activity. 

SMS and MMS messages are transmitted via the cellular system in such a way that they can create a record in a CDR. However, messages transmitted via data, which includes iMessage, WhatsApp, Snapchat, Facebook, Instagram, Telegram, and every other chat application that is not SMS or MMS, are not included in these records. 

Data Records

These show when the phone was transferring data and how much data was transferred. They don't specify which apps were using the data or the nature of the data transfer. Further, the data sessions indicate the total amount of data sent by the phone in a time period. 

Data records do not differentiate between which application was generating the data or whether the data transmissions were user-generated or automatically generated by the phone with no user interaction involved. They can only be used to show whether the phone was powered on, powered off, or without a data connection, such as when it is in Airplane Mode.

The Limitations of Call Detail Records

Usable evidence in CDRs is limited to phone calls and SMS/MMS messaging activity. While they can contain data records, the records are limited in their usefulness since you cannot determine what the data transmissions relate to or if they are user-generated or an automatic function performed by the phone, such as an automatic updating of your email inbox or downloading an application update.

The Dangers of Misinterpretation: Data Records

Data record misinterpretation is a common problem in trucking accident cases. Some experts may attempt to draw conclusions about specific app usage based solely on data records. However, this approach is fundamentally flawed.

CDRs often include disclaimers from the cellular provider about their inability to determine user-initiated transactions. If the company facilitating the communication and providing the records can't form an opinion about what application was used or if the user initiated the usage, an independent expert certainly can't do so.

Still, you will find experts who will claim they can determine what a user was doing based on data records. For example, Envista's Digital Forensics team witnessed firsthand opposing experts claim that since a certain amount of data was transmitted at a particular time, it had to be the driver watching an online video. 

To combat these potential misinterpretations, a forensic examination of the actual cell phone can provide more complete evidence and definitive answers. For example, it can show what applications were used at a particular time, how much data the application transmitted, and whether the data was transmitted via the cellular system or using a WiFi connection. 

You Need a Forensic Examination of the Cell Phone

A forensic examination of the mobile device itself can provide a wealth of information that call detail records alone cannot. These examinations can reveal which applications were used at specific times, what interactions a user had with the applications, when the screen was locked or unlocked, and other crucial details about the phone's usage.

By having an expert extract the data from a cell phone and examine it, it is possible to determine what a user was doing down to the second. This includes switching between applications, how long an application was open, whether the driver was using hands-free technology or the speakerphone, and much more. It also includes evidence from messaging applications that transmit via data, which would be completely absent from CDRs or phone bills and which could be all of the messages on a modern smartphone if, for example, the user exclusively used iMessage.

Examining a cell phone can also uncover intentional deletion or obfuscation of relevant evidence, tampering or modification of messages, and whether recent calls and texts were deleted.

You Need The Right Cell Phone Extraction In Trucking Cases

Different levels of forensic extractions can be performed on cell phones. In other words, there are more and less complete methods of extracting data from mobile devices. 

Sometimes, you do not need or want to collect everything possible from a cell phone. For example, in a large e-discovery case, you may not need to recover deleted data or determine specific user activities, or you may be limited by a court order to only existing data. 

However, in a trucking case, you need the most comprehensive form of forensic extraction that can be performed on a cell phone. This is the only way to ensure you recover the data on the cell phone that can show "fingers touching the screen," comprehensive evidence of intentional deletions and alterations, and even speed and velocity as recorded by the phone.

The most comprehensive form of extraction possible on modern smartphones is called a full file system extraction. Any lower-level extraction (logical or file system extraction) will contain less data than the full file system extraction.

You may wonder, "If this is the most comprehensive form of extraction, why don't all experts use it?"

The reason is access to the technology needed to perform full file system extractions. For some experts, the cost of this technology is prohibitive. At one time, the ability to perform full file system extractions was limited to law enforcement and military use.

Keep in mind that if you do not perform a full file system extraction, you open yourself up to spoliation claims, especially if a lower level of extraction is performed on the driver's phone and the phone is then returned to the driver. In this scenario, an expert is prevented from having the most comprehensive data set from a "perfect snapshot in time," because normal use of the phone can change or delete data.

If you encounter a situation where the opposing side's expert intends to perform an extraction other than a full file system extraction, I would advise you to retain your own expert who can perform the full file system extraction on the device, as well as develop a protocol for you to ensure the other side does not alter or change the original evidence contained on the phone by using inferior tools and technology or methods not in accordance with digital forensics best practices. 

The Best Approach is Holistic: CDRs and Cell Phones

The best option is to obtain both the CDRs and the data from the physical cell phone through forensic extraction. Envista's Digital Forensics team has worked on numerous cases where the comparison of data between these two sources of evidence has been invaluable. 

For example, in a case where we examined the plaintiff's cell phone, text messages and calls existed in the CDRs. The plaintiff also provided pictures of the messages during the timeframe of interest in discovery.

The CDRs contained calls and texts that were not depicted in the pictures of the messages taken by the plaintiff. We explained this to the defense attorney, who used this information to successfully argue that they needed access to the plaintiff's cell phone for extraction and examination. 

When we examined the data from the cell phone itself, we proved that the plaintiff intentionally deleted calls and texts leading up to the accident. We also recovered the deleted content, allowing us to review what was actually being said in the messages. 

Further, a full file system extraction provided evidence that the plaintiff was not only sending messages and making calls but also went into their settings application to connect a portable Bluetooth speaker and pressed play and pause multiple times on their music app in the moments leading up to the crash. 
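
The comparison described above can be sketched in code. This is an added example, not the author's or Envista's tooling: it reconciles carrier CDR rows against records exported from a device extraction and separates CDR calls and texts absent from the device, device-only records (expected for data-based messaging such as iMessage), and data sessions that cannot be attributed to an app or user. The CSV layouts, column names, sample rows and five-second tolerance are constructed assumptions, and both sources are assumed to be normalized to one time zone.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows; column names are hypothetical, real carrier exports differ.
CDR_CSV = """timestamp,type,direction,other_party,duration_s,bytes
2024-03-01 14:02:11,voice,outgoing,5550101,42,
2024-03-01 14:05:37,sms,outgoing,5550102,,
2024-03-01 14:06:02,data,,,,184320
2024-03-01 14:07:50,sms,incoming,5550102,,
"""

# Constructed export of call and message records from a device extraction.
DEVICE_CSV = """timestamp,type,direction,other_party,app
2024-03-01 14:02:12,voice,outgoing,5550101,Phone
2024-03-01 14:06:30,chat,outgoing,5550103,iMessage
2024-03-01 14:07:51,sms,incoming,5550102,Messages
"""

def load(text):
    """Parse CSV text and attach a datetime under the 'ts' key."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S")
    return rows

def reconcile(cdr_rows, device_rows, tolerance_s=5):
    """Return (cdr_only, device_only, data_sessions)."""
    tol = timedelta(seconds=tolerance_s)
    device_only = list(device_rows)
    cdr_only, data_sessions = [], []
    for c in cdr_rows:
        if c["type"] == "data":
            # Data sessions carry volume only: no app, no user attribution.
            data_sessions.append(c)
            continue
        hit = next((d for d in device_only
                    if d["type"] == c["type"]
                    and d["direction"] == c["direction"]
                    and d["other_party"] == c["other_party"]
                    and abs(d["ts"] - c["ts"]) <= tol), None)
        if hit:
            device_only.remove(hit)   # each device record matches once
        else:
            cdr_only.append(c)        # in the CDR, absent from the device
    return cdr_only, device_only, data_sessions
```

A CDR row with no device counterpart is a lead for the examiner to follow up in the extraction, not proof of deletion on its own.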

From Confusion to Clarity

In the complex landscape of motor carrier accident investigations, cell phone evidence plays a pivotal role. However, as we've explored, this evidence comes with its own set of challenges and potential pitfalls. The key to navigating these challenges lies in understanding the distinctions between different types of evidence and employing a comprehensive approach to data collection and analysis.

Call Detail Records (CDRs) and phone bills, while valuable, tell only part of the story. They provide a broad overview of phone activity but, compared to a forensic examination of the physical cell phone, lack the granular detail needed to draw definitive conclusions about a driver's actions. The misinterpretation of data records, in particular, can lead to unfounded claims and flawed arguments in legal proceedings.

The best option emerges when we combine CDRs with a forensic examination of the physical device. For modern smartphones, a full file system extraction offers the most comprehensive view of a phone's activity. This method can reveal crucial details about app usage, user interactions, and even intentional deletions or alterations of data, information that CDRs alone cannot provide.

With digital evidence increasingly central to motor carrier accident cases, staying informed about the capabilities and limitations of different types of cell phone evidence is not only beneficial—it's essential.

About the Author
Lars Daniel, EnCE, CCO, CCPA, CIPTS, CWA, CTNS, CTA
Practice Leader
Digital Forensics

Mr. Lars Daniel is the Practice Leader of the Digital Forensics Division. Mr. Daniel has qualified as an expert witness and testified in both state and federal courts, qualifying as a digital forensics expert, computer forensics expert, cell phone forensics expert, video forensics expert, and photo forensics expert. He has testified for both the defense and prosecution in criminal cases and the plaintiff and defense in civil cases.
