How Magnet Axiom can enhance a vehicle accident investigation
While digital evidence is commonly linked to crimes like child exploitation, violent offenses, and cybercrimes, its significance extends to almost every crime, including understanding the complexities of vehicle accidents.
A traditional vehicle accident investigation focuses on reconstructing the physical scene and Magnet Axiom adds a crucial new dimension: the digital traffic crash scene.
Consider the frequent issue of drivers being distracted by their phones and leading to traffic crashes, or those causing accidents by flagrantly ignoring traffic laws. Axiom is a vital tool in these investigations. When combined with Magnet Graykey, it can unlock data from iOS and Android devices, allowing forensic examiners to extract, process, analyze, and report digital evidence from various sources such as smartphones, vehicle infotainment systems, and cloud storage.
By working in tandem with crash investigators, Axiom enhances the investigative process. It processes Berla’s iVE vehicle infotainment extractions, supports direct extractions from popular cloud accounts (pending legal authority), and efficiently handles cloud data obtained through search warrant returns.
Axiom empowers your investigations with comprehensive support for evidence from various sources, including computers, mobile devices, cloud services, and vehicles.
Axiom seamlessly acquires cloud data directly from leading cloud services.
Axiom excels in processing search warrant returns from leading cloud service providers.
Digital evidence sources
These digital evidence sources can record valuable data that can help reconstruct an accident, providing a digital reconstruction of events:
Mobile devices
Smartphones are a treasure trove of information that can be invaluable in a vehicle accident investigation:
- Geolocation data: Tracks vehicle movements before and after a crash, aiding in determining speed, route, and stops. Location data can be significant in all vehicle accident investigations, including hit-and-run cases.
- Communication: Call logs, text messages, and emails help establish timelines and determine if distracted driving was a factor in the crash.
- Application usage: Artifacts from mobile devices can reveal signs of distracted driving or other behaviors influencing the crash.
Vehicle infotainment systems
These are an often-overlooked evidence source in a vehicle accident investigation:
- Geolocation data: Infotainment systems log trackpoints that help understand vehicle movements like mobile phones.
- Communication: Logs of calls and text messages initiated through a connected phone potentially indicating distracted driving.
- Events: Logs include various vehicle actions such as hard braking, rapid acceleration, seatbelt reminders, connected mobile devices, and the disabling of distraction prevention features.
Cloud data
Cloud storage provides additional sources of digital evidence:
- Geolocation data: Crucial when other devices are missing, damaged in the crash, or fail to record locations.
- File access and uploads: Service providers maintain logs of user access and activity that might reveal evidence of distracted driving.
- Backup data: The cloud retains messages, contacts, application data, and call logs, which can be accessed even if the mobile device is damaged.
Geolocation data: The digital breadcrumbs
Geolocation data is essential in a vehicle accident investigation. Trackpoints offer more than latitude, longitude, date, and time; they also provide speed, altitude, and accuracy levels. For example, the iPhone 12 data listed below records a trackpoint every second, showing the phone slowing from 23.2 meters per second (about 51 MPH) to a slow, complete stop in just over 28 seconds. Analyzing geolocation data provides crucial insights into vehicle behavior leading up to the crash, including changes in speed and braking patterns.
While geolocation data can provide decisive evidence, it must be thoroughly validated to ensure its accuracy and reliability. It is important to understand both the strengths and limitations of geolocation data to make informed conclusions. This involves cross-referencing the data with other sources such as eyewitness accounts, physical evidence from the crash site and conducting validation tests. Understanding both the strengths and limitations can’t be overlooked. Despite geolocation data’s potential to offer critical insights, it can be affected by various factors such as signal interference, device settings, and environmental conditions. Comprehensive validation ensures the data’s integrity and helps avoid misinterpretation.
World Map View is Axiom’s built-in analysis viewer for geolocation data. In the example below, World Map View highlights the accuracy and consistency of the iPhone 12’s cached locations. In this validated test data, the vehicle starts in the middle lane and moves to the far-right emergency lane before coming to a complete stop.
Adding another dimension to the World Map View is Axiom’s Animated Maps feature, which enhances the visualization and analysis of movement patterns. The feature allows users to visualize hundreds or thousands of trackpoints via a video player within Axiom’s user interface. Animated Maps enables users to ‘play’ routes in real-time, at 10X speed or at 100X speed. Visualizing trackpoints being ‘replayed’ to show movement on a map is significant for several reasons:
- Clarity and comprehension: By displaying trackpoints in a visual format with movement, the Animated Maps tool helps investigators, legal professionals, and jurors better understand the sequence of events leading up to a crash.
- Contextual analysis: Visualizing the movement of a vehicle in relation to its surroundings can provide context that might not be evident from the data alone. This includes understanding the vehicles path, any deviations from the expected route, and its interactions with obstacles.
- Identifying patterns: AxiomAnimated Maps can reveal patterns in the vehicles speed and movements, identifying actions such as abrupt stops, acceleration or erratic driving behavior. For example, a sudden deceleration might indicate a reaction to an unexpected obstacle or another vehicle.
- Supporting evidence: The tool can serve as compelling visual evidence in court, demonstrating the vehicle’s behavior in an easily digestible format, which can enhance collaboration among investigators, experts and legal teams.
Overall, Axiom’s Animated Map tool transforms points on a map into a dynamic visual narrative, providing a powerful means to analyze and present evidence. The example below shows the vehicle from the previous example slowing from 78 MPH to a complete stop.
Infotainment systems also provide essential geolocation information which can be especially valuable when mobile devices are absent or damaged in a crash. Below are routes, trackpoints, velocity points, and waypoints from a Ford Sync Gen3 Infotainment System, extracted with Berla iVE software and processed with Axiom.
Cloud data is another valuable source of geolocation information. Applications like Snapchat, Life360, Google, Facebook, Garmin, and Instagram often contain extensive geolocation details. Rideshare companies also provide substantial geolocation data from their drivers’ connected devices.
Communication and distracted driving
Many traffic crashes and fatalities could be prevented if drivers used hand-free devices correctly or avoided communication altogether while driving. Axiom analyzes all types of mobile device communication and can help determine if the driver was actively using a device before the crash. The platform organizes communication types, such as call logs and text messages, into a clear, easy-to-understand format.
Axiom’s Timeline feature provides a powerful and thorough review of all phone activity, allowing for an easy understanding of the sequence of events and interactions on the device. This is valuable for understanding the context leading up to a crash. Timeline consolidates all phone activity including calls, messages, app usage, geolocation data, web browsing, and much more into a single chronological view. This comprehensive overview allows investigators to view the full spectrum of interactions and activities that occurred on the device, helping pinpoint key events that may have contributed to the crash.
The chronological timeline can be cross-referenced with other data sources, such as vehicle telematics, eyewitness accounts, and surveillance footage to build a more complete picture of the events leading up to the crash. This multi-faceted approach can help validate findings or identify inconsistencies. Listed below is an example of Axiom Timeline and how events are displayed.
Logs bringing it all together
Mobile devices log extensive user activity that can provide valuable insights into the user’s actions before a crash. Concerning an iOS devices, much of this data is stored in KnowledgeC, Biome, and other databases. This information can be crucial in identifying contributing factors in traffic crashes. An example of iOS logs:
- Application Usage
- Lock States
- Charger Connections
- Incoming Notifications
- Backlight States
- Media History
- Orientation States
Let’s assume a crash occurred and texting while driving is suspected. Analyzing the sequence of phone events triggered by an incoming message from a texting app can provide critical details about the user’s actions during the crash. If a driver received an incoming message, grabbed their phone, and began typing a reply, these actions could have contributed to the crash. The digital breadcrumbs created by these logs can provide valuable evidence. The expected sequence of log files in this scenario would include:
- KnowledgeC Notification Usage: Notification comes into the phone
- KnowledgeC Screen Backlight States: Backlight activates when the notification arrives
- KnowledgeC Lock States: User unlocks the phone
- KnowledgeC Application Focus/Usage: Indicates the user opened the texting application
Other logs provide further insight. The KnowledgeC Media History lists all content played through the iOS media player, including recording an Apple Voice Note and music played from applications such as Spotify and Apple Music. A driver could have been distracted by recording a voice note, searching for a specific song or changing playlists, all actions to consider if this activity was logged leading up to a crash. The PowerLog Camera State log reveals that the camera was activated, and a photo or video could have been taken. This could be confirmed by analyzing the multimedia files to determine if any were created in the timeframe of the crash. The following sample from Axiom illustrates some of the log categories.
Axiom Timeline can bring all this together. Consider a traffic crash scenario where a driver struck a pedestrian in a neighborhood, resulting in critical injuries. The collision occurred at 7:57:35 PM, with the vehicle traveling a short distance before stopping. By analyzing the iPhone’s cached locations, it can be determined that the vehicle was traveling at just over 10 MPH (4.52 m/s) when it struck the pedestrian and came to a complete stop seven seconds later at 7:57:42 PM.
Switching to Timeline View provides additional advantages for this investigation, offering deeper insights into what else might have occurred during this critical time frame. At approximately the same time the pedestrian was hit, 7:57:35 PM, the driver made an outgoing phone call, as indicated by the first red box. Shortly after, the vehicle came to a complete stop, marked by the second red box. This analysis, leveraging digital forensics and Axiom, uncovers significant evidence that strengthens the overall case and provides a clearer picture of the events surrounding the crash.
Determining if the driver used a hands-free device, such as Apple CarPlay, Android Auto or a Bluetooth connection, is important. Although hands-free devices may not entirely eliminate distractions, identifying their use can help assess whether distraction played a role in the crash. Studies have shown that using hands-free technology can significantly reduce potential distractions, and its us may potentially exonerate the driver from distraction concerns by investigators.
Connecting a phone to a hands-free device typically generates log files, which Axiom can process effectively. While these usage logs may not be as comprehensive as other types of logs, they can be important in the vehicle accident investigation. Various logs can help establish whether a hands-free action occurred. For example, analyzing Apple’s Biome CarPlay artifact can reveal when the phone was connected, while reviewing logs created by Siri could determine if a voice execution was completed. By combining various logs, investigators may be able to piece together a detailed picture of hands-free usage, such as whether the driver was using voice commands or interacting with the device through a connected system. Training courses such as AX300 Magnet Axiom Advanced Mobile Forensics provide detailed insights into identifying hands-free usage, with practical guidance on analyzing logs related to Siri, Bluetooth Connections, Apple CarPlay, and Google Auto. Below are a few examples of hands-free artifacts Axiom recovers, including Siri, Bluetooth Connections, and CarPlay.
Another valuable source of evidence are vehicle events logs recorded by an infotainment system. These logs capture various aspects of vehicle operations, such as hard braking, rapid acceleration, seatbelt usage, or the activation or deactivation of distraction prevention features. This information is critical as it provides objective data on the vehicle’s performance and driver actions, helping to build a more comprehensive understanding of events leading up to a crash.
Consider a hit-and-run scenario where a vehicle traveling at a high rate of speed was thought to have struck and killed a pedestrian. The investigation provided a general description of the car and a partial plate number, leading to the identification of a potential vehicle and suspect. The infotainment system was extracted with Berla iVE, and although it didn’t record geolocation data, the suspect’s iPhone was seized and contained cached locations. The trackpoints revealed the vehicle was at the exact location when the pedestrian was struck. Reviewing the event logs from the infotainment system identified that the passenger door was opened at nearly the exact the time of the trackpoint.
After a further criminal investigation, this crucial detail revealed that it was not a hit-and-run but rather a homicide, with suspects pushing the victim from the car with it running over him. This is a powerful example of Axiom’s ability to process data from multiple sources, assisting in solving a homicide that might have otherwise been considered a hit-and-run.
Axiom stands out as the premier tool for digital investigations due to its powerful capabilities and intuitive interface. It offers forensic examiners unmatched efficiency in processing and reporting digital evidence from diverse sources, ensuring thorough analysis of complex cases. Its seamless integration with Berla’s I’ve extractions, and ability to process many sources of cloud evidence, further highlight Axiom’s capacity to enhance a vehicle accident investigation. With Axiom, digital forensic investigators can collaborate effectively with crash investigators to uncover evidence from the digital crash scene, bringing clarity to cases that might otherwise go unsolved.
Get Magnet Axiom today!
To learn more about Axiom and how to quickly integrate the platform into your vehicle accident investigation workflow, request a free trial.