
Introduction


The following scenario is all too common. 


A high-powered employee leaves a company. Months later, the company suspects that the employee stole sensitive data on the way out the door, because the CFO has noticed a meaningful revenue reduction from the accounts the employee was responsible for.


Unfortunately, that employee's laptop, desktop, and company phone have all been wiped and reissued to new employees. The evidence of potential wrongdoing is gone, as is the company's recourse against the former employee.


As a digital forensics expert with years of experience in high-stakes litigation, I've seen firsthand how the evidence landscape has shifted dramatically in our digital age. 

Today, I want to discuss a critical strategy that can make or break a case: pre-emptive collections. This approach is not just about being prepared; it's about safeguarding your client's interests and ensuring the integrity of digital evidence from the outset.



Pre-Emptive Collections


When I say "Pre-emptive Collections," I refer to the proactive gathering and preservation of digital evidence before a specific incident or legal action occurs. Think of it as creating a time capsule of digital information - capturing a snapshot of data in its original, unaltered state.


Why are pre-emptive collections so important? The answer lies in the nature of digital evidence itself. Unlike physical evidence, digital data can be altered, overwritten, or deleted with a single click, often without leaving a trace. Normal business operations, automatic system updates, or even intentional data destruction can compromise critical evidence before you even know you need it.


The benefits of the preemptive collection approach are manifold. First and foremost, it protects against spoliation - the destruction or alteration of evidence. Courts take a dim view of parties who fail to preserve relevant evidence, and the consequences can be severe. Negative inferences, adverse jury instructions, or even case-dispositive sanctions can result from spoliation.


Moreover, pre-emptive collections can save time and resources in the long run. By securing data early, you avoid the frantic scramble to gather evidence after a complaint is filed. This not only ensures a more comprehensive collection but also allows for a more strategic approach to case planning.


But perhaps the most compelling arguments for pre-emptive collections are made by recounting cases where this approach wasn't taken.


Case Example: The Non-Compliant Corporate Client


I was brought into a civil litigation case on the defense side, tasked with collecting electronic data. Unfortunately, we were engaged late in the process, not due to any fault of the attorney, but because the client - a Canadian company facing litigation in U.S. Federal court - had underestimated the need for forensic experts. They believed their IT department could handle all collections in-house.


This misconception, coupled with the client's view that the discovery requests were overbroad, led to a cascade of complications. The company's executives, unfamiliar with U.S. discovery obligations and harboring privacy concerns common in Canadian business culture, were openly hostile to the process. I witnessed this resistance firsthand during conference calls, during which I attempted to explain, alongside the attorney, the importance of complying with court orders.


Initially, we aimed for a targeted collection of specific cloud and server data. However, the client's non-compliance escalated the situation dramatically. The judge, frustrated by the delays and resistance, ordered the most comprehensive data collection possible.

This expanded scope included full forensic acquisitions of all personal and work devices for the custodians, including the recovery of deleted data, as well as complete captures of server and cloud data.


What could have been a straightforward case with a simple data collection taking a few days turned into a multi-month ordeal. The costs skyrocketed, the client's credibility with the court was damaged, and the case strategy had to be completely overhauled in light of the expansive data now available to the opposition.


All of this could have been avoided with a pre-emptive collection approach. You see, the attorneys for the company had consulted with us pre-litigation and understood the need to protect the relevant data in case of future litigation. They instructed the company's IT department to preserve important backup data.


However, the IT department failed to do so, and the backup data for the relevant time period "rolled over" and was deleted automatically by the backup system software, all because the IT department did nothing to preserve the data within the year that backups were retained before automatic deletion.


Implementing a Pre-Emptive Collection Strategy


Implementing a pre-emptive collection strategy does require some upfront investment in terms of time and resources. However, the long-term benefits far outweigh these initial costs. 

Not only does it protect against spoliation claims and negative inferences, but it can also significantly streamline the discovery process. 


Rather than scrambling to gather relevant data after a lawsuit is filed, attorneys and their clients can focus on building their case strategy, knowing that critical evidence has already been secured. 


Yes, pre-emptive collection works as a shield, but it can also be a sword. For example, collecting and protecting the data from a departing employee's devices gives you the opportunity and the ammunition to go after potential wrongdoers with facts, as well as to combat unsubstantiated claims with actual evidence.


While the specifics of how to properly do pre-emptive collections depend on the case type and the electronic evidence items involved, the principles are the same. Here is an example of how it could be done for a departing employee.


Identify Data Sources


The first step is to identify all potential data sources relevant to the departing employee. Identifying these data points ensures that no critical information is overlooked in the preservation process. Every platform or device the employee uses could hold vital evidence, so comprehensive coverage is key.


  • Work computers and external storage devices

  • Company-issued mobile devices

  • Email accounts, including archives

  • Cloud storage accounts like Google Drive or OneDrive

  • Collaboration platforms such as Slack or Microsoft Teams

  • Network drives and shared folders

  • Backup systems 


Create Forensic Images


Once the data sources are identified, the electronic devices should be forensically imaged (a verified copy, with cryptographic hash values recorded at the time of acquisition). Creating forensic images preserves the data in its original form, preventing accidental overwrites or alterations during the examination phase, and the recorded hash values let anyone later verify that the image is unchanged.

Document the Preservation Process

The entire preservation process should be meticulously documented to ensure legal defensibility. Clear documentation is critical for later validating the authenticity and integrity of the preserved data in court. Ensure that you are:


  • Maintaining detailed logs of all preservation actions.

  • Recording the chain of custody for all data and devices.

  • Noting any issues encountered during the preservation process.


Secure Storage of Preserved Data


Once the data is collected, it must be securely stored to ensure its integrity. Securing the data prevents unauthorized access or accidental loss, preserving its value as evidence. Because the custodian's data is preserved as forensic images, any later alteration is detectable: the cryptographic hash values (the image's "digital DNA") computed when the image was created will no longer match if even a single byte changes. Hashing makes the evidence tamper-evident rather than tamper-proof, which is why storage still matters.

The hash values prove that the image itself is unchanged. Access-controlled storage, and the access logs that come with it, are what let you show that no one accessed the data after the forensic images were created, and redundant copies guard against losing the only image.


  • Storing forensic images and data in a secure, access-controlled environment.

  • Creating redundant backups of all preserved data.

  • Implementing encryption for sensitive information.
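
The imaging, documentation and verification steps above, as an added worked example (this is not code from the original article; real acquisition tools record hashes and custody details themselves, and this script shows the principle with only the Python standard library). The "image" is a constructed random file, and the custodian, device and examiner names are invented for the demonstration.

```python
"""Hash-verified preservation manifest for forensic images.

Added example, not from the original article. Acquisition tools compute
hashes automatically; this script shows the principle with the standard
library so it runs offline. The image file, custodian, device serial and
examiner names below are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Two independent digests, as most acquisition tools record them.
HASH_ALGORITHMS = ("md5", "sha256")


def hash_file(path, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for a file, streamed in 1 MiB chunks so
    multi-hundred-GB images never need to fit in memory."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def create_manifest(image_path, custodian, source, examiner):
    """Record the acquisition hashes plus who/what/when, and open the
    chain-of-custody log with the acquisition event."""
    return {
        "custodian": custodian,
        "source": source,
        "image_file": os.path.basename(image_path),
        "image_size_bytes": os.path.getsize(image_path),
        "acquisition_hashes": hash_file(image_path),
        "chain_of_custody": [{
            "action": "acquired",
            "by": examiner,
            "at": datetime.now(timezone.utc).isoformat(),
        }],
    }


def log_custody_event(manifest, action, by, note=""):
    """Append one custody event (transfer, verification, issue) to the log."""
    manifest["chain_of_custody"].append({
        "action": action, "by": by, "note": note,
        "at": datetime.now(timezone.utc).isoformat(),
    })


def verify_image(image_path, manifest, examiner):
    """Re-hash the image and compare every digest to the acquisition record.
    Returns True when all digests match; the outcome is logged either way."""
    current = hash_file(image_path)
    expected = manifest["acquisition_hashes"]
    mismatches = [a for a in HASH_ALGORITHMS if current[a] != expected[a]]
    log_custody_event(manifest, "verified", examiner,
                      "all hashes match" if not mismatches
                      else "HASH MISMATCH: " + ", ".join(mismatches))
    return not mismatches


def demo(tamper=False):
    """Acquire a constructed 'image', verify it, optionally flip one byte,
    then verify again. Returns (first_result, second_result, manifest)."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "LAPTOP-0042.img")
        with open(image, "wb") as fh:          # constructed stand-in for a disk image
            fh.write(os.urandom(3 * 1024 * 1024))
        manifest = create_manifest(image, "J. Doe (departing employee)",
                                   "Laptop S/N ABC123 (constructed)", "examiner A")
        first = verify_image(image, manifest, "examiner A")
        if tamper:
            with open(image, "r+b") as fh:     # alter a single byte deep in the image
                fh.seek(1_500_000)
                b = fh.read(1)
                fh.seek(1_500_000)
                fh.write(bytes([b[0] ^ 0x01]))
        second = verify_image(image, manifest, "examiner B")
        return first, second, manifest


if __name__ == "__main__":
    ok, still_ok, manifest = demo(tamper=True)
    print(json.dumps(manifest, indent=2))
    print("fresh image verified:", ok, "| after one-byte change:", still_ok)
```

The manifest is the artifact you keep beside the image: the hashes answer "is this the same data that was acquired?", and the custody log answers "who handled it, and when?". A single changed byte in a multi-gigabyte image fails verification, which is what makes the image tamper-evident; it does not stop anyone from altering it, so the manifest and the image still belong in access-controlled storage.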


Conclusion


The lesson here is clear: in today's digital landscape, waiting until litigation is imminent to consider data preservation is a risky gambit. Pre-emptive collections, guided by digital forensics experts, are not just a best practice—they're a necessary safeguard against the pitfalls of modern litigation.


Don't get caught with a surprise case only to learn the evidence you need is gone. Spending the time and money to create a preemptive collections plan can save an organization money in the long run on litigation, antacids, and aspirin. 

Note: I am not an attorney. The following article is based upon my fifteen years of experience working cases and leading a team of digital forensics experts.


Cell phones can contain a wealth of information that can make or break a trucking accident case. When it comes to distracted driving, the electronic data on these devices often holds the key to understanding what happened in the moments leading up to an accident. 


Cell phones are our constant companions in our modern world, serving as digital concierges that manage our personal and professional lives. It’s understandable, then, that clients and their counsel are concerned about turning over cell phone data, which often contains sensitive personal information far beyond the scope of any single case.

Adding to these privacy concerns is the reality of how cell phone forensics works. A technical challenge that many outside the field of digital forensics are not aware of is that when we extract data from a cell phone using forensic tools and methods, we have to collect everything upfront.

It’s not like rifling through a filing cabinet where we can selectively pull out relevant documents. Instead, it’s more like making a complete copy of the filing cabinet's contents before we can start sorting through it.


This all-or-nothing approach often creates friction in the discovery process. Opposing counsel may balk at handing over a complete digital copy of their client’s phone, even if you assure them that only specific information will be analyzed. However, these objections can often be overcome with well-crafted protocols and negotiations.




The Problem: We Have to Collect It All


Data on a cell phone does not exist in isolation. The interdependence of different data types, and how they relate to one another, is one of the primary reasons why forensic experts and tools cannot selectively collect data during a cell phone forensic examination.

Selective collection is not technically feasible in almost all instances, and even where it is, it can compromise the integrity of the evidence and lead to incomplete or misleading conclusions.

Technical Realities


  • Relational Databases and App Dependencies: Phones and the apps on them store most of their data in relational databases (typically SQLite), with different tables linked by references. For example, a contact entry in the address book may be linked to call logs, messages, and app data. If only a portion of this interconnected data is collected, these links can be broken, making it challenging or impossible to piece together a coherent picture during forensic analysis.

  • Cross-Referencing and Data Integrity: On cell phones, text messages, call logs, photos, videos, emails, and app data are often intertwined. For instance, a text message carries a timestamp that can be cross-referenced with location data, call logs, or social media activity to establish a comprehensive timeline of events. If an expert were to collect only the text message without the corresponding location or call log data, the context and significance of that message could be lost.

  • Contextual Importance of Data: The value of specific pieces of data is frequently derived from their relationship with other data. A single message might seem trivial in isolation but could take on new importance when viewed within the broader context of related communications, app usage, or location history. Forensic experts preserve this context by collecting all data, ensuring that the complete narrative can be accurately reconstructed.

  • Recovering Hidden Data: Phones often contain hidden files, system logs, and deleted data that can be crucial to a case. These aren’t accessible through the phone’s normal interface. A complete forensic cell phone extraction allows our specialized tools to recover this hidden information.
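
The relational-dependency and cross-referencing points above, as an added worked example (not from the original article). The schema is a simplified stand-in for the kind of SQLite database a messaging app keeps on a phone; real apps use different table and column names, and every row is constructed for the demonstration. It shows what a "messages only" collection loses compared with a full one.

```python
"""Why a partial collection breaks the links in a phone's app databases.

Added example, not from the original article. The schema is a simplified
stand-in for a messaging app's SQLite database (real apps differ), and the
rows are constructed for the demonstration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE contact (id INTEGER PRIMARY KEY, name TEXT, number TEXT);
CREATE TABLE chat    (id INTEGER PRIMARY KEY, contact_id INTEGER REFERENCES contact(id));
CREATE TABLE message (id INTEGER PRIMARY KEY, chat_id INTEGER REFERENCES chat(id),
                      ts TEXT, direction TEXT, body TEXT);
CREATE TABLE location(id INTEGER PRIMARY KEY, ts TEXT, lat REAL, lon REAL, speed_mph REAL);
"""

ROWS = {  # constructed
    "contact":  [(1, "Dispatch", "+15550100"), (2, "Alex", "+15550199")],
    "chat":     [(10, 1), (11, 2)],
    "message":  [(100, 10, "2024-05-01T14:02:10Z", "in",  "load ready at dock 4"),
                 (101, 11, "2024-05-01T14:05:42Z", "out", "running late, on I-80"),
                 (102, 11, "2024-05-01T14:06:03Z", "in",  "drive safe")],
    "location": [("2024-05-01T14:05:40Z", 41.20, -96.00, 63.0),
                 ("2024-05-01T14:06:10Z", 41.21, -96.02, 61.5)],
}


def build_phone_db():
    """An in-memory 'phone' with every table populated: what a full collection captures."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO contact VALUES (?,?,?)", ROWS["contact"])
    db.executemany("INSERT INTO chat VALUES (?,?)", ROWS["chat"])
    db.executemany("INSERT INTO message VALUES (?,?,?,?,?)", ROWS["message"])
    db.executemany("INSERT INTO location(ts,lat,lon,speed_mph) VALUES (?,?,?,?)",
                   ROWS["location"])
    return db


def selective_copy(full_db, tables):
    """Simulate a 'targeted' collection that copies only the named tables."""
    partial = sqlite3.connect(":memory:")
    partial.executescript(SCHEMA)
    for table in tables:
        rows = full_db.execute(f"SELECT * FROM {table}").fetchall()
        if rows:
            placeholders = ",".join("?" * len(rows[0]))
            partial.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    return partial


def attribute_messages(db):
    """Resolve each message to a named contact via message -> chat -> contact.
    Rows whose links are missing come back with contact None."""
    sql = """SELECT m.ts, m.direction, m.body, c.name
             FROM message m
             LEFT JOIN chat ch ON ch.id = m.chat_id
             LEFT JOIN contact c ON c.id = ch.contact_id
             ORDER BY m.ts"""
    return db.execute(sql).fetchall()


def speed_at_message(db, message_id, window_s=30):
    """Cross-reference a message with the nearest location fix (within window_s
    seconds) to get the speed the phone recorded when the text was sent."""
    sql = """SELECT l.speed_mph
             FROM message m JOIN location l
               ON abs(strftime('%s', l.ts) - strftime('%s', m.ts)) <= ?
             WHERE m.id = ?
             ORDER BY abs(strftime('%s', l.ts) - strftime('%s', m.ts))
             LIMIT 1"""
    row = db.execute(sql, (window_s, message_id)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    full = build_phone_db()
    only_messages = selective_copy(full, ["message"])
    print("full collection:", attribute_messages(full))
    print("messages only:  ", attribute_messages(only_messages))
    print("speed when msg 101 was sent, full:", speed_at_message(full, 101),
          "| messages only:", speed_at_message(only_messages, 101))
```

With the full collection every message resolves to a named party and the outgoing text at 14:05:42 lines up with a location fix showing 63 mph two seconds earlier. With only the message table collected, the same rows still exist but the sender is unknown and the speed is gone; nothing in the message row itself tells you that context was ever available.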


Legal Considerations


  • Limited Access to the Device: Your expert may have limited access to the phone. For example, a driver’s phone might only be available for forensic data extraction on a specified date and then returned following the extraction. This is the only opportunity to ensure everything is collected as a "perfect snapshot in time" since the driver's continued use of the phone will change the data.

  • Future-Proofing the Investigation: In some cases, new evidence or technologies may emerge after the initial investigation that can reveal previously hidden or inaccessible data. By collecting everything initially, forensic experts ensure that all data is preserved and can be re-examined, if necessary, even years later. This future-proofing can be essential in complex or long-running cases.


The Solution: Protocols and Negotiations


Protocols


Protocols serve as the essential foundation for negotiations in digital forensics. They provide a structured, transparent framework that guides how data will be handled, helping establish trust and setting the stage for productive negotiations between opposing parties. 


Establishing Clear Expectations

Protocols outline the exact steps to collect, preserve, and analyze data from a cell phone. By clearly defining these procedures, protocols help set realistic expectations for both parties. 

When both sides understand the process and the safeguards in place, it becomes easier to negotiate on specific aspects, such as the scope of data collection or the parameters for data analysis. This clarity reduces misunderstandings and provides a common ground from which to start negotiations.

For example, a protocol might specify that only data within a certain timeframe or related to specific activities (like texting or calling) will be analyzed. 

Knowing this, opposing counsel is more likely to engage in negotiations about the scope of data extraction, as the protocol already limits potential overreach.


Building Trust Through Transparency

Trust is often a significant negotiation barrier, especially when accessing potentially sensitive digital evidence. Protocols build trust by demonstrating a standardized, impartial approach to handling the data. 

When opposing counsel can see that strict procedures are in place to protect the integrity of the data and respect privacy concerns, they are more likely to engage in constructive negotiations.

For instance, a protocol might include using a third-party forensic expert who follows established procedures for creating a forensic image of the cell phone. This impartiality helps opposing counsel feel more secure in the process, making them more willing to negotiate the terms of data access and review.


Even when both sides have their own forensic experts, protocols ensure that a standardized approach is taken to collecting and analyzing data. This standardization helps to align the methodologies used by both experts, reducing the risk of discrepancies or conflicts arising from differing practices. 


Providing a Basis for Compromise

Negotiations often require compromise, and protocols provide a structured basis for finding a compromise. By outlining what is technically necessary and what steps will be taken to protect both parties’ interests, protocols create a framework for concessions without compromising the integrity of the evidence.


For example, a protocol might state that all data will be collected initially to preserve its integrity, but only specific, relevant data will be reviewed or produced in discovery. This allows both parties to negotiate on what data will be disclosed, knowing that the underlying protocol ensures all data remains intact and available if needed later.


Reducing Areas of Dispute

Protocols can significantly reduce areas of dispute that might otherwise derail negotiations by addressing common concerns upfront. Issues such as how data will be stored, who will have access, and how the data’s integrity will be ensured are often the focus of disputes. When these issues are addressed in a protocol, there is less to argue about, allowing negotiations to focus on more substantive matters.


For instance, if the protocol includes strict guidelines for maintaining a chain of custody and using industry-standard forensic tools, opposing counsel may be less concerned about potential data tampering and more willing to negotiate on the specific terms of data access.


Facilitating a Collaborative Approach

Protocols can also encourage a more collaborative negotiation approach by involving both parties in their creation. When opposing counsel is given a role in shaping the protocol, they are more likely to view it as fair and reasonable. This collaborative process can ease tensions and lead to more productive negotiations, as both sides feel their concerns have been heard and addressed.


For example, in negotiations, the defense and plaintiff counsel could agree to produce only fifteen minutes of data before and after the accident. They could further agree to include all of the data from this timeframe, like messages, emails, and application usage, but the actual contents of the data are redacted. 

In other words, there is a timeline of all activities fifteen minutes before and after the accident, but the content of the messages and pictures are redacted. 

This would result in a comprehensive timeline of activity, with no personal or private data revealed, only user activity. Your expert could then assist in drafting a protocol that fulfills the requirements determined by the negotiations. 
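
The negotiated deliverable described above (every activity in a window around the crash, with content redacted), as an added worked example that is not from the original article. The event list is a constructed stand-in for the parsed output of a forensic tool, and the field names and the set of fields treated as content are assumptions for the demonstration, not any tool's real schema or any actual protocol's terms.

```python
"""Build a windowed, content-redacted activity timeline from device events.

Added example, not from the original article. EVENTS is constructed; the
field names and REDACTED_FIELDS are assumptions for the demonstration.
"""
from datetime import datetime, timedelta, timezone

CRASH = datetime(2024, 5, 1, 14, 6, 0, tzinfo=timezone.utc)   # constructed crash time
WINDOW = timedelta(minutes=15)                                  # negotiated window

# Fields the (assumed) protocol says must not be produced.
REDACTED_FIELDS = {"content", "attachment", "subject", "contact"}

EVENTS = [  # constructed
    {"ts": "2024-05-01T13:40:00Z", "kind": "app_foreground", "app": "Maps"},
    {"ts": "2024-05-01T13:58:12Z", "kind": "sms_received", "app": "Messages",
     "contact": "Alex", "content": "where are you"},
    {"ts": "2024-05-01T14:05:42Z", "kind": "sms_sent", "app": "Messages",
     "contact": "Alex", "content": "running late, on I-80"},
    {"ts": "2024-05-01T14:05:50Z", "kind": "screen_unlock"},
    {"ts": "2024-05-01T14:06:20Z", "kind": "call_incoming", "app": "Phone",
     "contact": "Dispatch", "duration_s": 0},
    {"ts": "2024-05-01T14:07:03Z", "kind": "photo_taken", "app": "Camera",
     "attachment": "IMG_2201.jpg"},
    {"ts": "2024-05-01T14:30:00Z", "kind": "app_foreground", "app": "Mail",
     "subject": "Invoice 4471"},
]


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def in_window(event, center=CRASH, window=WINDOW):
    return abs(parse_ts(event["ts"]) - center) <= window


def redact(event, center=CRASH):
    """Keep the fact and timing of the activity, drop what was said or shown,
    and add the offset from the crash so the timeline reads at a glance."""
    out = {k: ("[REDACTED]" if k in REDACTED_FIELDS else v) for k, v in event.items()}
    out["offset_s"] = int((parse_ts(event["ts"]) - center).total_seconds())
    return out


def build_timeline(events, center=CRASH, window=WINDOW):
    """The produced artifact: windowed, chronologically ordered, redacted."""
    kept = [e for e in events if in_window(e, center, window)]
    kept.sort(key=lambda e: parse_ts(e["ts"]))
    return [redact(e, center) for e in kept]


def leaked_content(timeline):
    """Pre-production self-check: any un-redacted sensitive field is a breach
    of the protocol and must block the production."""
    return [e for e in timeline
            for k in REDACTED_FIELDS if k in e and e[k] != "[REDACTED]"]


if __name__ == "__main__":
    tl = build_timeline(EVENTS)
    assert not leaked_content(tl), "content leaked; do not produce"
    for e in tl:
        extra = " ".join(f"{k}={v}" for k, v in e.items()
                         if k not in ("ts", "kind", "app", "offset_s"))
        print(f"{e['offset_s']:+6d}s  {e['kind']:<15} {e.get('app', ''):<9} {extra}")
```

The output keeps what the negotiation agreed is discoverable (that a text was sent eighteen seconds before the crash, that the screen was unlocked, that a call came in) and withholds what it agreed is not (who the text went to and what it said). The `leaked_content` check is the step an expert runs before anything leaves the lab, because a single unredacted field in a production is very hard to walk back.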


Creating a Roadmap for Future Negotiations

Attorneys often have cases with the same opposing counsel regularly. Protocols act as a roadmap for future negotiations by establishing a precedent for handling digital evidence. Once a protocol has been agreed upon in one case, it can serve as a template for future cases, making subsequent negotiations more straightforward. 

Opposing counsel will have a reference point for what has been acceptable in the past, which can expedite the negotiation process in future cases.

For example, if a protocol used in a previous case effectively addressed both sides' concerns, it can be reused or adapted for new cases, reducing the time and effort needed to negotiate similar issues again.


Convincing the Court


Protocols and negotiations are useful for convincing a judge that accessing the opposing side's phone data is relevant and respectful of privacy concerns. 


By developing a clear and structured protocol with their expert, an attorney can demonstrate that the data request is narrowly tailored to specific, relevant information, such as device usage or communications during a specific time frame. This approach shows the court that the attorney is not overreaching but is instead focused on critical evidence directly related to the case.


Moreover, by negotiating the protocol with the opposing side, the attorney can highlight the collaborative effort to protect privacy while still allowing necessary evidence to be gathered. This includes safeguards to verify data integrity and prevent data alteration. The involvement of a qualified expert to oversee the process further reassures the judge that the data will be handled responsibly. 


These steps help strike a balance between the need for evidence and the right to privacy, making it more likely that the judge will approve the data request.


Conclusion


Negotiations, guided by these protocols, allow us to find a middle ground where the integrity of the evidence is maintained without unnecessarily exposing unrelated personal data. They serve as the bedrock of successful negotiations in digital forensics by setting clear expectations, building trust, providing a basis for compromise, reducing disputes, facilitating collaboration, and creating a roadmap for future cases.


Feel free to contact me if you need a protocol for handling cell phone evidence in trucking accident cases or anything else related to digital evidence. 

Cell phone evidence is a crucial component in motor carrier accident investigations. However, this evidence often brings with it a cloud of confusion. As a digital forensics expert who regularly educates legal professionals, I encounter three primary sources of this confusion.

  • First, there is a lack of understanding of the differences between Call Detail Records (CDRs) and Phone Bills.

  • Second, many struggle to differentiate between what can be determined from phone records versus data extracted directly from a mobile device through a cell phone forensic data extraction and examination.

  • Third, there's uncertainty surrounding the forensic extraction process, specifically how to preserve cell phone evidence and what data extraction methods are appropriate in trucking accident cases.

Let's dive into these issues and shed some light on the proper use and interpretation of cell phone evidence in motor carrier accident investigations.





The Tale of Two Records: Phone Bills vs. Call Detail Records

Phone records are not created equal. The two main types you will encounter are phone bills and Call Detail Records (CDRs). While both can provide valuable information, they serve different purposes and offer varying levels of detail.

Phone bills are essentially invoices. They summarize charges for a specific phone line or number over a given period. These bills typically include the date and time of calls or messages, the phone numbers involved, call duration, and the type of call (outgoing, incoming, or missed).

They also list charges for calls, texts, and data usage, along with the total charges, including taxes and fees. Customers primarily use phone bills to track their usage and pay for services.

Call Detail Records (CDRs), on the other hand, are more comprehensive. They contain all the information found in phone bills but often include additional details such as the precise call date and time (down to the second), text message details (if provided by the carrier), phone location data (such as the cell tower used), call routing information, and data usage details.

CDRs can also contain user activity that never appears on a phone bill. For example, an outgoing call that lasts less than a minute might not appear on the bill because the carrier did not treat it as a chargeable event, but it will still appear in the CDRs.

The key difference lies in their purpose and accessibility. Phone bills are designed for customer billing and are readily available to customers. CDRs, however, are created for internal use and typically require subpoenas or court orders to access.

It's crucial to remember that neither phone bills nor CDRs were originally designed to track historical locations or provide evidence of driver distraction. They are business records created to document provided services.

The Big Three: Voice Calls, Texts, and Data Records

There are three common types of data that can be included in CDRs.

  • Voice Call Records: These records show when phone calls were made or received, including the time, duration, and phone numbers involved. They can differentiate between outgoing, incoming, and missed calls, and they include calls and activities that will not show up on a standard phone bill.

  • Text Message Records: These logs show when Short Message Service (SMS) and Multimedia Message Service (MMS) messages were sent or received, including the time and phone numbers involved. They typically do not include the content of the messages, so you only get a record of activity. SMS and MMS messages are carried over the cellular network in a way that creates a record in the CDRs. Messages sent over the data connection, which includes iMessage, WhatsApp, SnapChat, Facebook, Instagram, Telegram, and every other chat application that is not SMS or MMS, are not included in these records.

  • Data Records: These show when the phone was transferring data and how much data was transferred in a session. They do not specify which application was using the data, what the data was, or whether the transfer was user-generated or performed automatically by the phone with no user interaction. At most, data records show that the phone was powered on and had a data connection; a gap in them is consistent with the phone being off or without a data connection, as in Airplane Mode, but does not by itself prove either.

The Limitations of Call Detail Records

Usable evidence in CDRs is limited to phone calls and SMS/MMS messaging activity. While they can contain data records, these records are limited in their usefulness since you cannot determine what the data transmissions relate to or if they are user-generated or an automatic function performed by the phone, such as an automatic updating of your email inbox or downloading an application update.

The Dangers of Misinterpretation: Data Records

Data record misinterpretation is a common problem in trucking accident cases. Some experts may attempt to draw conclusions about specific app usage based solely on data records. However, this approach is fundamentally flawed.

CDRs often include disclaimers from the cellular provider about their inability to determine user-initiated transactions. If the company facilitating the communication and providing the records can't form an opinion about what application was used or if the user initiated the usage, an independent expert certainly can't do so.

Still, you will find experts who will claim they can determine what a user was doing based on data records. For example, my team and I have witnessed firsthand opposing experts claim that since a certain amount of data was transmitted at a particular time, it had to be the driver watching an online video.

To combat these potential misinterpretations, a forensic examination of the actual cell phone can provide more complete evidence and definitive answers. For example, it can show what applications were used at a particular time, how much data the application transmitted, and whether the data was transmitted via the cellular system or using a WiFi connection.

You Need a Forensic Examination of the Cell Phone

A forensic examination of the mobile device itself can provide a wealth of information that call detail records alone cannot. These examinations can reveal which applications were used at specific times, what interactions a user had with the applications, when the screen was locked or unlocked, and other crucial details about the phone's usage.

By having an expert extract the data from a cell phone and examine it, it is possible to determine what a user was doing down to the second, including:

  • switching between applications, and how long each application was open;

  • activity in messaging applications that transmit over data (which could be all of the messages on a modern smartphone if, for example, the user exclusively used iMessage), activity that is completely absent from CDRs and phone bills;

  • whether the driver was using hands-free technology or the speakerphone;

  • and much more.

Examining a cell phone can also uncover intentional deletion or obfuscation of relevant evidence, tampering or modification of messages, and whether recent calls and texts were deleted.

You Need The Right Cell Phone Extraction In Trucking Cases

There are different levels of forensic extractions that can be performed on cell phones. In other words, there are more and less complete methods of extracting data from mobile devices.

Sometimes, you do not need or want to collect everything possible from a cell phone.


For example, in a large e-discovery case, you may not need to recover deleted data or determine specific user activities, or you may be limited by a court order to only existing data.

However, in a trucking case, you need the most comprehensive form of forensic extraction that can be performed on the cell phone, because this is the only way to ensure you are recovering the data that can show "fingers touching the screen," comprehensive evidence of intentional deletions and alterations, and even the speed recorded by the phone.


The most comprehensive form of extraction available for modern smartphones is called a full file system extraction. Any less complete extraction (a logical extraction or a partial file system extraction) will contain less data than a full file system extraction. (A bit-for-bit physical extraction of the storage chip is more complete still, but on current smartphones full-disk encryption makes that data unreadable without the device's keys, so the full file system extraction is the practical ceiling.)


You may wonder, "If this is the most comprehensive form of extraction, why don't all experts use it?"

The reason is access to the technology needed to perform full file system extractions. For some experts, the cost of this technology is prohibitive. At one time, the ability to perform full file system extractions was limited to law enforcement and military use.


Keep in mind that if you do not perform a full file system extraction, you open yourself up to spoliation claims, especially if a lower level of extraction is performed on the driver's phone and the phone is then returned to the driver. In this scenario, an expert is prevented from having the most comprehensive data set from a "perfect snapshot in time" as using the phone can change or delete data through normal use.

If the opposing side's expert intends to perform anything other than a full file system extraction, I would advise you to retain your own expert who can perform the full file system extraction on the device. Your expert can also develop a protocol that ensures the other side does not alter the original evidence on the phone by using inferior tools or technology, or methods that are not in accordance with digital forensics best practices.


The Best Approach is Holistic: CDRs and Cell Phones


The best option is to obtain both the CDRs and the data from the physical cell phone through forensic extraction. My experts and I have worked on numerous cases where the comparison of data between these two sources of evidence has been invaluable.


For example, in a case where we examined the plaintiff's cell phone, text messages and calls existed in the CDRs. The plaintiff also provided pictures of the messages during the timeframe of interest in discovery.


The CDRs contained calls and texts that were not depicted in the pictures of the messages taken by the plaintiff. We explained this to the defense attorney, who used this information to successfully argue that they needed access to the plaintiff's cell phone for extraction and examination.


When we examined the data from the cell phone itself, we proved that the plaintiff intentionally deleted calls and texts leading up to the accident. We also recovered the deleted content, allowing us to review what was actually being said in the messages.


Further, a full file system extraction provided evidence that the plaintiff was not only sending messages and making calls but also went into their settings application to connect a portable Bluetooth speaker and pressed play and pause multiple times on their music app in the moments leading up to the crash.
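
The CDR-versus-device comparison that drove the case above, as an added worked example that is not from the original article. Both record sets are constructed: the CDR column layout is a simplification (every carrier formats its exports differently), and the device rows mirror the kind of call and message history a full file system extraction yields, including rows recovered from deleted space, without matching any particular vendor's schema.

```python
"""Cross-check carrier CDRs against the phone's own call/SMS history to find
events the device no longer shows, or shows only as recovered deleted rows.

Added example, not from the original article. CDR_CSV and DEVICE_ROWS are
constructed, and the CDR columns are a simplification of a carrier export.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed carrier CDR export (UTC). The 0-second outgoing call is the kind
# of event that appears in CDRs but may never appear on a phone bill.
CDR_CSV = """timestamp,direction,number,duration_s,type,cell_site
2024-05-01T14:01:05Z,out,+15550199,0,voice,LTE-3302
2024-05-01T14:02:10Z,in,+15550100,0,sms,LTE-3302
2024-05-01T14:05:42Z,out,+15550199,0,sms,LTE-3302
2024-05-01T14:06:20Z,in,+15550100,44,voice,LTE-3307
2024-05-01T14:20:00Z,out,+15550199,0,sms,LTE-3310
"""

# Constructed rows from the device's history database after a full file
# system extraction; 'deleted' marks rows recovered from unallocated pages.
DEVICE_ROWS = [
    {"ts": "2024-05-01T14:02:12Z", "direction": "in",  "number": "+15550100", "type": "sms",   "deleted": False},
    {"ts": "2024-05-01T14:06:21Z", "direction": "in",  "number": "+15550100", "type": "voice", "deleted": False},
    {"ts": "2024-05-01T14:05:41Z", "direction": "out", "number": "+15550199", "type": "sms",   "deleted": True},
    {"ts": "2024-05-01T14:20:02Z", "direction": "out", "number": "+15550199", "type": "sms",   "deleted": False},
]

# Carrier and handset clocks rarely agree to the second; allow a small skew.
TOLERANCE = timedelta(seconds=5)


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def load_cdr(text):
    """Parse a CDR export; returns a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def match(cdr_row, device_rows):
    """Find the device record for a CDR event: same number, direction and
    type, within TOLERANCE of the carrier timestamp. Returns the row or None."""
    t = parse_ts(cdr_row["timestamp"])
    key = (cdr_row["number"], cdr_row["direction"], cdr_row["type"])
    for d in device_rows:
        if (d["number"], d["direction"], d["type"]) == key \
                and abs(parse_ts(d["ts"]) - t) <= TOLERANCE:
            return d
    return None


def reconcile(cdr_rows, device_rows):
    """Classify each CDR event as present on the device, recovered from
    deleted space, or absent from the extraction entirely."""
    result = {"present": [], "recovered_deleted": [], "absent": []}
    for row in cdr_rows:
        d = match(row, device_rows)
        if d is None:
            result["absent"].append(row)
        elif d["deleted"]:
            result["recovered_deleted"].append(row)
        else:
            result["present"].append(row)
    return result


if __name__ == "__main__":
    outcome = reconcile(load_cdr(CDR_CSV), DEVICE_ROWS)
    for bucket, rows in outcome.items():
        print(bucket)
        for r in rows:
            print(f"  {r['timestamp']} {r['direction']:>3} {r['type']:<5} "
                  f"{r['number']} {r['duration_s']}s  site {r['cell_site']}")
```

A CDR event that matches only a recovered deleted row is the finding in the case above: the carrier says it happened, and the device shows it was removed. An event in the "absent" bucket deserves more care before anyone calls it deleted; a 0-second outgoing call that never connected may not have been written to the handset's history at all, and a lower-level extraction would leave recovered rows in this bucket too. The comparison also runs the other way: iMessage or WhatsApp activity on the device will have no CDR counterpart, which is expected and not a discrepancy.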

Conclusion: From Confusion to Clarity


In the complex landscape of motor carrier accident investigations, cell phone evidence plays a pivotal role. However, as we've explored, this evidence comes with its own set of challenges and potential pitfalls. The key to navigating these challenges lies in understanding the distinctions between different types of evidence and employing a comprehensive approach to data collection and analysis.

  • Call Detail Records (CDRs) and phone bills, while valuable, tell only part of the story. They provide a broad overview of phone activity but lack the granular detail to draw definitive conclusions about a driver's actions as compared to a forensic examination of the physical cell phone. The misinterpretation of data records, in particular, can lead to unfounded claims and flawed arguments in legal proceedings.

  • The best option emerges when we combine CDRs with a forensic examination of the physical device. For modern smartphones, a full file system extraction offers the most comprehensive view of a phone's activity. This method can reveal crucial details about app usage, user interactions, and even intentional deletions or alterations of data, information that CDRs alone cannot provide.

With digital evidence increasingly central to motor carrier accident cases, staying informed about the capabilities and limitations of different types of cell phone evidence is not only beneficial—it's essential.
