Crash. Detect. Reveal.
A Joint Publication by Marsela Onuzi (Deep Dive Cyber Forensic Experts – Albania), Michael Nelson (CYBIR – US), and Steve Bunting (Bunting Digital Forensics – US) – 30 July 2025
Reconstructing Distraction with Mobile Forensics
The rise in distracted driving (aka “texting while driving”) incidents tied to mobile phone use continues to challenge accident reconstruction teams, prosecutors, and defense experts. Determining what happened in the critical seconds before a crash requires access not just to mechanical evidence or eyewitness accounts, but to digital intent—what the driver was doing on their device in real time.
This article explores how digital forensics, particularly mobile phone data, can reveal distraction patterns that traditional methods miss. It also addresses how forensic methodologies have evolved to preserve volatile digital evidence, and how collaboration across borders is changing the way this work is done.

Figure 1: Driver actively using WhatsApp while in transit — this image corresponds to the forensic timeline shown later in Figure 2.
The Challenge: Distraction Without Witnesses
Modern crashes often lack reliable eyewitnesses or involve conflicting accounts. In cases where the driver denies texting or social media use, and there are no external witnesses, the only remaining witness may be the mobile phone itself.
But smartphones are not black boxes by default. Without immediate forensic preservation, they can be wiped, auto-purged, or overwritten by system processes. Texting apps often allow message deletion. Social media posts can be set to auto-expire. And Android’s modern logging systems often destroy valuable logs after 30 days—sometimes much sooner depending on battery optimization settings.
The Forensic Solution: Digital Breadcrumbs
Mobile forensics has developed specialized tools and workflows to uncover distraction. These include:
- System logs: Android and iOS log files that show app launches, screen state changes, and power events.
- UsageStats: On Android, this database records app usage by timestamp with millisecond resolution.
- Notification logs: Reveal when texts or alerts were received or dismissed.
- Keyboard logs (where available): Indicate active typing sessions.
- Third-party app data: WhatsApp, Messenger, Instagram, TikTok—all log behavior differently.
- Cloud artifacts: If the device syncs to cloud services, key evidence may survive even if local logs are purged.
Digital Wellbeing Events Log (Android)
One particularly revealing source is Android’s Digital Wellbeing Events log. Despite its benign name, this log tracks:
- Exact timestamps of app openings and closings
- App usage categories (e.g., messaging, video, maps)
- User interactions, including screen time, unlock frequency, and even app launch counts

Figure 2: Integrated Timeline of User Activity and Crash Detection, including passive crash detection triggers and emergency response events.
Integrating Crash Detection into the Timeline of User Activity
While previous sections focus on user-initiated activity—such as messages sent, apps launched, and screen interactions—modern smartphones now contribute a new dimension: sensor-triggered crash detection.
Beginning with iPhone 14 and Android 12+, onboard crash detection systems use accelerometers, gyroscopes, GPS, and audio sensors to identify sudden collisions. These events leave behind distinct digital signatures in logs and system files.
On iPhones, forensic tools can uncover unified log entries like CrashDetected or SOSInitiatedAutomatically. On Android devices, logcat entries such as CAR_CRASH_DETECTED or EmergencyCallInitiated help timestamp key moments.
These events serve as passive, system-level anchors in the timeline—complementing user activity data to confirm or refute device use at impact time. The updated Figure 2 visualizes this integration of passive sensor triggers alongside active user interactions.
Figure 3: Motorcyclist holding phone while driving with other hand — a high-risk, real-world scenario.
The New Workflow: Remote Preservation
Recognizing this urgency, the Cybir / Deep Dive / Bunting team has developed a joint workflow to begin immediate preservation of mobile data—even across continents.
We use remote forensic tools that allow lawful, consent-based preservation of mobile devices when physical access isn’t possible. This includes:
- Shipping Mobile Ultra or VeraKey kits to the phone’s location
- Remote session control via secure screen-sharing
- Walkthrough of user-assisted connection
- Live chain-of-custody documentation and metadata hashing
The result is a fast, defensible acquisition of the most volatile digital evidence before it’s lost to time, power cycles, or app updates.
Modern Forensic Methods (2025+)
Advancements in forensic tools have enhanced our ability to extract and interpret data from mobile devices. Tools like Magnet Forensics GrayKey/VeraKey/Axiom, Cellebrite Inseyets (formerly UFED)/Physical Analyzer, and MSAB XRY/XAMN allow for comprehensive data extraction & analysis, including deleted content and encrypted data. Open-source tools such as iLEAPP and ALEAPP provide additional capabilities for analyzing app data and system logs. At Cybir, Deep Dive, and Bunting, we follow a two-tool methodology for critical mobile examinations—intentionally validating each extraction and analysis with a second platform. This approach ensures forensic integrity, helps detect tool-specific blind spots, and strengthens the evidentiary chain in court-admissible investigations.
These tools enable us to:
- Determine the exact time of screen interactions.
- Identify which apps were in use at specific times.
- Analyze user interaction patterns to assess potential distraction.
The Clock Is Ticking: Why Timely Acquisition Matters
Forensic success depends on timing. Many of the most revealing logs and app-level artifacts have TTLs (Time-To-Live) that expire within 30 days — and often much sooner. Examples include:
- Screen unlocks and notifications (cleared quickly)
- System logs (rotate every few days on many devices)
- App usage summaries (daily/weekly rolling windows)
Delays in acquisition — whether due to legal hurdles, slow collection, or device mismanagement — can cause key evidence to vanish permanently. When a crash occurs, device preservation must be treated as urgently as physical evidence.
Collaboration Across Borders
Our partnership between Cybir, Deep Dive Cyber Forensics Experts, and Bunting Digital Forensics exemplifies the power of international collaboration in digital forensics, not to mention the extraordinary depth and breadth of expertise and experience. Deep Dive focuses on primary device acquisition and initial analysis, while Cybir and Bunting Digital Forensics provide peer review and expert validation for court-facing reports. This cross-border approach ensures comprehensive and accurate forensic investigations, regardless of where the incident occurred.

Figure 4: A distracted camel jockey — a reminder that mobile distraction transcends borders and transportation modes!
Case Study (Hypothetical)
Consider a scenario where a driver is involved in a fatal crash. The driver claims they were not using their phone at the time. However, forensic analysis reveals that the device was unlocked, and a messaging app was active at the exact moment of the crash.
Simultaneously, the device logs a CrashDetected event in Apple’s unified logs (or CAR_CRASH_DETECTED in Android’s logcat), alongside an automated SOS initiation. These crash detection artifacts serve as passive, system-level anchors in the forensic timeline—independently verifying the time of impact and correlating (or contradicting) with user behavior. Their presence strengthens the evidentiary chain by bridging physical sensor data with on-device activity logs. Figure 2, above, visualizes this integration, showing how sensor-based triggers and user-driven interactions together provide a more complete reconstruction of the event timeline.
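The case study above, and the crash-detection anchoring described under "Integrating Crash Detection into the Timeline of User Activity", worked through as an added example (not code from the authors or from any forensic tool). It assumes usage events have already been exported as (epoch ms, package, type) tuples using Android's UsageEvents.Event type codes and that the logcat excerpt is in threadtime format; the sample data, the "SafetyHub" tag and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
# Type codes from android.app.usage.UsageEvents.Event
RESUMED, PAUSED, SCREEN_ON, SCREEN_OFF, LOCKED, UNLOCKED = 1, 2, 15, 16, 17, 18
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
MARKERS = ("CAR_CRASH_DETECTED", "EmergencyCallInitiated")  # strings named in the article

# Constructed samples, not from a real device; the "SafetyHub" logcat tag is hypothetical.
USAGE_EVENTS = [  # (epoch ms, package, event type)
    (1753876790000, "android", SCREEN_ON),
    (1753876791500, "android", UNLOCKED),
    (1753876800000, "com.google.android.apps.maps", RESUMED),
    (1753876902990, "com.google.android.apps.maps", PAUSED),
    (1753876903050, "com.whatsapp", RESUMED),
    (1753876990000, "android", SCREEN_OFF),  # after impact: must not affect the result
]
LOGCAT = """\
07-30 14:02:05.118  2211  2240 I SafetyHub: sensors nominal
07-30 14:02:11.412  2211  2240 W SafetyHub: CAR_CRASH_DETECTED
07-30 14:02:13.007  2211  2240 I SafetyHub: EmergencyCallInitiated
"""

def crash_anchors(logcat, year, utc_offset_hours):
    """Map each marker to epoch ms. threadtime lines carry no year or zone, so both are supplied."""
    tz, out = timezone(timedelta(hours=utc_offset_hours)), {}
    for line in logcat.splitlines():
        m = re.match(r"(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s", line)
        hit = next((k for k in MARKERS if k in line), None)
        if m and hit and hit not in out:  # keep the first occurrence of each marker
            local = datetime.strptime(f"{year}-{m.group(1)}", "%Y-%m-%d %H:%M:%S.%f")
            out[hit] = (local.replace(tzinfo=tz) - EPOCH) // timedelta(milliseconds=1)
    return out

def state_at(events, t_ms):
    """Replay events up to t_ms. A None value means no evidence in the data, not 'off'."""
    fg = since = screen_on = unlocked = None
    for ts, pkg, ev in sorted(e for e in events if e[0] <= t_ms):
        if ev == RESUMED:
            fg, since = pkg, ts
        elif ev == PAUSED and pkg == fg:
            fg = since = None
        elif ev in (SCREEN_ON, SCREEN_OFF):
            screen_on = ev == SCREEN_ON
        elif ev in (LOCKED, UNLOCKED):
            unlocked = ev == UNLOCKED
    return {"foreground": fg, "since_ms": since, "screen_on": screen_on, "unlocked": unlocked}

impact = crash_anchors(LOGCAT, 2025, 2)["CAR_CRASH_DETECTED"]
print(impact, state_at(USAGE_EVENTS, impact))
```

The year and UTC offset passed to `crash_anchors` have to come from documented device settings: an offset that is wrong by even one hour moves the anchor outside the usage window and changes the answer.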
Legal and Ethical Considerations
Digital forensic investigations must adhere to legal standards, including obtaining proper consent or warrants for data extraction. Maintaining the chain of custody and ensuring data integrity are paramount. Additionally, protecting unrelated personal data and respecting privacy rights are essential ethical considerations.
Conclusion: Forensics Can Cut Through the Noise
As distracted driving continues to pose a major threat to public safety, digital forensics has become a vital instrument in uncovering the truth behind crashes. It gives us the tools to determine not just what happened, but why—and whether distraction played a role.
With the advent of crash detection systems on modern smartphones, forensic examiners now have access to sensor-triggered artifacts such as CrashDetected logs (iOS) and CAR_CRASH_DETECTED broadcasts (Android). These system-level events—captured without user input—provide powerful anchors in the timeline that validate or challenge user claims. When combined with app usage data, screen interactions, and unlock histories, they create a comprehensive picture of behavior in the moments that matter most.
Remember: “Not” is not your friend.
“I was not using my phone.” “There’s not enough evidence.” “It was not my fault.”
And just as important—time is not your friend. Logs expire. Volatile data disappears. With every passing hour, your ability to reconstruct events accurately begins to fade.