Software Engineering Expert Performs Forensic Examination on Smartphone

Software Engineering Expert WitnessThis case takes place in Ohio and involves a man who was involved in a serious accident. The defendant was driving an 18 wheeler for defendant company and was involved in crash with plaintiffs car. The defendant was allegedly using his phone (Galaxy Android) to post to call, text and post to social media site (Facebook). After the wreck, he attempted to delete the phone and all its data. The wreck resulted in the death of 2 occupants in the vehicle that the truck driver hit while allegedly distracted by his phone.

Question(s) For Expert Witness

  • 1. Please explain your knowledge of android phone technology?
  • 2. Do you have a detailed level of expertise in the programming underlying the android platform?
  • 3. Please explain your experience working on similar cases?

Expert Witness Response E-027279

We specialize is cellular device forensics and the vast majority of devices we analyze are Android based. We have a thorough understanding of the file-systems employed by Android devices, common repositories of operating system artifacts, and most common user app artifacts . Additionally, we employ specialized digital forensic tools and knowledge for the analysis of SQLlite databases. SQLlite is the underlying database technology used by the Android OS and third-party applications. Data realized from this low-level analysis can be very valuable and is commonly overlooked by most forensic consultants relying on only traditional forensic software and equipment. As digital forensic examiners we may occasionally reference available source code but this not common (case specific basis). Control testing is much more commonly required and this is especially true in distracted driving cases such as you describe. For example, if we find that a user is interacting with a specific app near the time of accident, it may be necessary to run test case scenarios on a control device and observe how data is stored and/or affected.

Expert Witness Response E-027321

Expert-ID: E-027321

The Android operating system is built from a Linux platform. The applications are mostly built on Sqlite databases, and Java platforms will run on the Android system. The physical file system resides in the root directory in which to access these files the phone has to either be rooted, or connect via a custom bootloader. In the root directory is where the deleted data resides. I have conducted over a Thousand forensic examinations on different Android phones. I am familiar with Python scripting in which I use scripts to parse out data that the forensic software’s may not support.


Post Tags