In the intricate landscape of legal investigations, cell phone evidence stands as a pivotal element. However, cell phone evidence is fragile. Most cell phone companies keep the records for a limited time, and evidence in a cell phone’s memory can be deleted intentionally by the user or unintentionally by normal processes of the operating system. We need to identify potential evidence valuable to our cases and take steps to preserve the evidence as early as possible.
How do we find out if there were phones present at the time of the incident, and how do we identify the phones and phone numbers? We could review the crash report to find phone numbers, or we could interview witnesses, law enforcement, or emergency personnel on the scene. Probably the fastest and most efficient way to identify potential evidence devices and phone numbers is through interrogatories. This post will cover interrogatory questions valuable for identifying potential cell phone evidence.
1. Was (plaintiff/defendant) using a mobile device at the time of the incident, including, but not limited to, engaging in a voice phone call, sending or reading a text message, streaming media, using a navigation program, browsing social media, reading or sending email, taking or viewing photos, video, or audio, browsing websites, listening to music, audiobooks, or podcasts, or viewing documents?
Some of the activities listed above require active input from the user, and others are passive. In a motor vehicle crash case, the active activities suggest distraction by the driver. The passive activities may give us some insight when compared to the data section of the phone records. If the subject denies using the phone at the time of the crash and denies using apps like streaming music or navigation, and we find data usage on the phone records, we may be able to show the subject is not telling the truth.
2. List all mobile devices present during the incident including, but not limited to, cell phones, tablets, music players, game devices, drones, GPS devices, and Bluetooth or connected devices including, but not limited to, hands-free devices, smartwatches, and the vehicle infotainment system. This includes mobile devices belonging to people other than the (plaintiff/defendant).
We would like to know all the devices present at the time of the incident. More than likely, there was at least one cell phone present at the incident. But some people have more than one cell phone. From my experience as a police detective, I know that drug dealers usually have at least two phones. They have one for their family and friends and one for “business.” This is common among law-abiding people as well. Many people have personal cell phones and separate phones provided by their employers. Also, other people present at the incident may have cell phones which may have valuable evidence. We want to know about all the devices present during the incident, such as devices belonging to passengers in a car involved in a crash.
In addition to cell phones, there may have been other mobile devices present during the incident. This may include tablets, game devices, music players, and drones. For example, an over-the-road truck driver would likely have his or her iPad in the truck to use when not driving. It is possible the driver was using the iPad at the time of a crash. Another example would be a drone used to take video at the time of the incident. The drone operator may or may not be related to the subject, but a drone taking video at the time of the incident might be valuable.
3. Who are the owners of all the devices not owned by the (plaintiff/defendant)? Provide contact information for all other owners.
Some of the devices present at the incident may belong to other people. The subject may not have possession of the devices and will likely not have the authority to consent to the examination of these devices. The subject may provide information that will help us contact the owners of the other devices.
4. What are the phone numbers and carriers for all cell phones present during the incident, and the International Mobile Equipment Identifiers (IMEI), Mobile Equipment Identifiers (MEID), International Mobile Subscriber Identifiers (IMSI), and carriers for all devices other than cell phones present during the incident that have independent access to mobile data networks?
5. Is the (plaintiff/defendant) still in possession of all the devices? If not, which devices does the (plaintiff/defendant) still possess, and when and how did the (plaintiff/defendant) dispossess each device? Where are the devices now?
We would like to know if the subject still has possession of the devices. If the subject no longer has the device, we would like to know when and how he or she got rid of the device. If the subject recently traded a phone in for a new one, we may be able to obtain the old phone from the phone store. Other possibilities are that the phone was broken and thrown away or sold on eBay. This information should save us time in knowing which devices aren’t worth the time and resources it would take to pursue.
6. Are the devices still in use by the (plaintiff/defendant)? If any aren’t, when did the (plaintiff/defendant) stop using them and why? Is someone else using them? If so, provide the contact information for the new users.
If the subject is still using the device many months or a few years after the incident, the likelihood of recovering evidence from the time of the incident is slim. Of course, it will depend on the type of device, the level of usage, and whether or not the evidence has been deleted. The best scenario would be if the subject got a new phone shortly after the incident and put the old phone away in a drawer or closet. Some people never get rid of their old phones for fear of someone getting their data, so there’s a chance the old phone will be available.
If the subject is not using the phone anymore, we would like to know why. Was the phone broken? It would work in our favor if the phone were broken shortly after the incident. There wouldn’t be much time for the phone to eradicate evidence, and we could send the phone to a digital forensic laboratory for data recovery. If the subject got a new phone and gave the old phone to a child, and if the child put his or her profile on the old phone, the likelihood of recovering evidence is almost non-existent.
7. What is the condition of the device(s)?
If the phone is in working order, an expert would likely be able to extract data. If the phone is damaged to the point it won’t work, it can either be repaired or sent to a lab, as mentioned in the previous section.
8. Has the device been restored to factory settings between the time of the incident and now?
If the phone has been factory reset since the incident, the likelihood of recovering evidence is almost non-existent unless the original account was restored. All iPhones and most higher-end Androids are encrypted by default. Your expert can bypass the encryption with the passcode or password. A factory reset, however, discards the encryption keys, so although the data may technically still be there afterward, it can’t be decrypted. If the phone was restored from the account in use at the time of the incident, there will be valuable data on the phone, just not as much as if the phone had not undergone a factory reset.
9. If the (plaintiff/defendant) has a new phone, was the data transferred from the old phone to the new phone?
If the new phone was restored from the old phone, the likelihood of recovering evidence goes up. I used to have an iPhone 12, but then upgraded to an iPhone 15. I backed the iPhone 12 up to the iCloud, and when I got the iPhone 15, I restored my new phone from the iCloud. Most of the information from my old phone was restored on my new phone, including old text messages that weren’t previously deleted. Android phones can be restored from the cloud or a backup, as well.
10. Has the (plaintiff/defendant) sent any communication, including, but not limited to, text messages, email messages, or social media posts regarding the incident from the mobile device?
Many devices other than cell phones can have accounts with mobile networks to access data. The most obvious example is a tablet. Cell phone companies offer plans for tablets like iPads to connect to the mobile data network when not in range of a known Wi-Fi network. Other devices, like smartwatches, can have plans as well. We can send a subpoena to the carrier for the logs for the device. We can replace the phone number with the IMEI, MEID, or IMSI in the subpoena to obtain the records. The records we receive will be similar to the Call Detail Records (CDR) for the phone but won’t contain any voice call or text message information. With some carriers, we may be able to obtain cell-site location information.
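Because a subpoena keyed on an IMEI, MEID, or IMSI only returns records if the identifier was copied correctly, the following added example (not part of the original post) sanity-checks identifiers from an interrogatory response before they go into a preservation letter or subpoena. The function names and the sample values are constructed for illustration.

```python
import re

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; the 15th digit of an IMEI is a Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def check_identifier(kind: str, raw: str) -> tuple[bool, str]:
    """Return (usable, note) for an identifier copied from a discovery response."""
    # Drop the spaces, dashes, dots and slashes people add when copying numbers.
    value = re.sub(r"[\s\-./]", "", raw).upper()
    kind = kind.upper()
    if kind == "IMEI":
        if re.fullmatch(r"[0-9]{16}", value):
            return True, "16 digits: IMEISV (software version suffix, no check digit)"
        if not re.fullmatch(r"[0-9]{15}", value):
            return False, "IMEI should be 15 decimal digits"
        if not luhn_ok(value):
            return False, "check digit fails: likely a typo or swapped digits"
        return True, "15-digit IMEI, check digit OK"
    if kind == "MEID":
        if re.fullmatch(r"[0-9A-F]{14}", value):
            return True, "14-digit hexadecimal MEID"
        if re.fullmatch(r"[0-9]{18}", value):
            return True, "18-digit decimal MEID"
        return False, "MEID should be 14 hex digits or 18 decimal digits"
    if kind == "IMSI":
        if not re.fullmatch(r"[0-9]{6,15}", value):
            return False, "IMSI should be at most 15 decimal digits"
        return True, f"IMSI, mobile country code {value[:3]}"
    return False, "unknown identifier type"

# Constructed answers to question 4 (illustrative values, not from a real case).
SAMPLE_ANSWERS = [
    ("IMEI", "49-015420-323751-8"),
    ("IMEI", "490154203237581"),   # last two digits swapped
    ("MEID", "A10000009296F2"),
    ("IMSI", "310150123456789"),
]

if __name__ == "__main__":
    for kind, raw in SAMPLE_ANSWERS:
        ok, note = check_identifier(kind, raw)
        print(f"{kind:5} {raw:20} {'OK ' if ok else 'FIX'} {note}")
```

An IMEI and an IMSI are both usually 15 digits, so the check relies on the type the responding party stated; a passing result only means the number is well-formed, not that it belongs to the device in question.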
Bonus Question. Did anyone else have access to the phone at the time of the incident?
A common defense is that someone else was using the phone. If the subject was alone in a car, obviously this won’t work. But, if someone else were present, we’d like to lock the subject into whether or not someone else had access to the phone. If someone else did have access to the phone, it’s important to ask how that person accessed the phone. Did he or she have the password, or did the subject unlock the phone?
These questions will help us identify the devices and phone numbers so we can send preservation letters. I recommend sending these questions as early as possible. We need to move fast to preserve the evidence we want. The more time that passes between the incident and the preservation or examination, the more likely evidence will be irretrievably lost.
This list of suggested questions is not all-inclusive. These are things I, as the phone examiner, would like to know. I am not an attorney, and some of these questions may not be appropriate in some jurisdictions or cases. Every case is unique and there will likely be unique circumstances that these questions don’t cover. If you have any questions, please feel free to contact me by phone or email. You can find my contact information at www.braveinvestigations.com.