Vehicle and iPhone Speed Comparison

Posted byScott_koenigPosted inUncategorizedTags:, , ,

As I stated in the future considerations section of the original research write-up, I contacted a few vehicle forensics experts and asked if they would like to assist me with some research and testing, they responded “Absolutely.” During a training event, the experts and I conducted a small test.

Forensic Question

During the test, I wanted to determine if certain data recorded in the vehicle infotainment system would be similar or match the data recorded in iPhones. The experts operated the vehicle, and I began using the two iPhones listed below. During the testing, I used different applications and turned navigation on and off. In the write-up and example videos, I will point out artifacts of interest and important things to be aware of.

Test Devices

  • Apple iPhone 7 [A1660] iOS 15.1 (19B74) – No Sim Card and no Mobile data
  • Apple iPhone X [A1865] iOS 14.7 (18G69) – Has SIM card and mobile data
  • Ford Explorer Ford Sync Gen3

Artifact Location

  • \private\var\mobile\Library\Caches\com.apple.routined\Cache.sqlite
    • ZRTCLLOCATIONMO table

Device Settings

This is just a reminder that the locations being recorded in Cache.sqlite ZRTCLLOCATIONMO table are dependent upon the device settings and having Signification Locations turned ON. Additional information can be found here. Please take some time and review the posting if you are interested in learning how to determine if Location Services, System Services, and Significant Locations were ON or OFF when iPhone data was acquired.

Testing and Research

On 4/5/2022, at approximately 12:10 PM (UTC -7), we entered the vehicle and headed to lunch. When we got into the vehicle, I notice the time on the infotainment unit was incorrect. It was off by an hour and set to UTC-8. At approximately 12:10:50 PM (UTC-7), I connected Scooters iPhone X (14.7) to the vehicle. We can see in Berla iVe tool the time recorded was 11:10:50 AM (UTC-8).

Figure #1 Scooters iPhone X connected to vehicle
Figure #2 Time zone offset incorrect

Notice in the Berla iVe tool, the timestamps are listed as “Local.” This is an indication the timestamps could be coming from the acquired infotainment device settings. Let’s review and compare the recorded locations for all the devices being used in this test at 12:10:50 PM:

Location #1 12:10:50 PM:

  • Ford Sync Gen3: Latitude: 36.175651000 Longitude: -115.139818000
    • (Blue Flag/Marker)    
  • Apple iPhone X: Latitude: 36.1756936088541 Longitude: -115.139462063196
    • (Green Flag/Marker)
  • Apple iPhone 7: Latitude: 36.1756228655914 Longitude: -115.139194596666
    • (Yellow Flag/Marker)
Figure #3 at 12:10:50 PM Device locations

All three devices had location coordinates Latitude: 36.1756 Longitude: -115.139. The iPhone X had the most accurate location in relation to the physical location for all three devices, but all were in the same general area.

Figure #4 at 12:10:50 PM Tool data

Prior to conducting any further testing, I wanted to ensure the time was set correctly on the infotainment system. You will notice within the Berla iVe Events timeline, the timestamp jumps ahead one hour from 11:12:40 AM to 12:12:40 PM. This is due to manually changing the system settings to reflect the proper time zone offset of UTC-7.

Figure #5 Time correction on vehicle

Throughout this test, locations were recorded by all three devices and all three devices recorded locations that were very close in proximity to one another and were reasonably accurate to my physical location.

I will review a few timestamps and discuss the locations of the devices and highlight the differences. I will also review the Berla iVe derived speed and the ZSPEED being recorded in the Cache.db ZRTCLLOCATIONMO table for the iPhones and highlight the differences.

NOTE: The ZSPEED listed within this write-up will be listed in Miles per hour (MPH). The original values are recorded in Meters Per Second (MPS), but I have converted the speeds to use one measurement type. The formula used in my queries is: ZSPEED (MPS) x 2.23694 = ZSPEED (MPH)

Location #2 at 12:15:54 PM:

  • Ford Sync Gen3: Latitude: 36.17497 Longitude: -115.158654
    • Berla Derived Speed: 65.9 MPH
  • Apple iPhone X: Latitude: 36.1748446477914 Longitude: -115.157883390892
    • Cache.db ZRTCLLOCATIONMO ZSPEED (converted): 68.0029751466751 MPH
  • Apple iPhone 7: Latitude: 36.1748045403847 Longitude: -115.157962683696
    • Cache.db ZRTCLLOCATIONMO ZSPEED (converted): 69.524095029335 MPH

As we can see within Figure #6, #7, and #8, these locations are again near each other and are reasonably accurate to my physical location.

Figure #6 at 12:15:54 PM
Figure #7 at 12:15:54 PM inside the vehicle
Figure #8 at 12:15:54 PM Tool Data
Figure #9 at 12:15:54 PM Device Speeds

Location #3 at 12:16:37 PM:

  • Ford Sync Gen3: Latitude: 36.175336 Longitude: -115.174253
    • Berla Derived Speed: 89.9 MPH
  • Apple iPhone X: Latitude: 36.175575801205 Longitude: -115.17325907025
    • Cache.db ZRTCLLOCATIONMO ZSPEED (converted): 77.6889251760101 MPH
  • Apple iPhone 7: Latitude: 36.175471153144 Longitude: -115.173401562604
    • Cache.db ZRTCLLOCATIONMO ZSPEED (converted): 86.2340352933502 MPH
Figure #10 at 12:16:37 PM

As we can observe in AXIOM, all recorded locations are in the similar area, but the vehicle location is slightly different than what was recorded by the two cell phones. Additionally, notice the speeds are drastically different. Why did this happen?

At this time during testing, the driver of the vehicle made a drastic change in the vehicle’s acceleration. For the purposes of testing, I wanted the vehicle speed to reach 90 MPH and the driver performed a hard acceleration to force the vehicle to reach 90 MPH.

NOTE: I have noticed during testing, if there is a drastic change to the device speed within a short amount of time, the device speeds recorded could be unreliable. This should be considered if you have knowledge of a vehicle / device that might have had a hard acceleration or hard deceleration prior to or at the time of a vehicle collision.

Between 12:16:35 PM through 12:16:41 PM:

After reviewing all three device datasets, we can see the vehicle recorded the hard acceleration prior to the cell phone devices. The vehicle data indicated at 12:16:37 PM, the vehicle reached a speed of approximately 89.9 MPH and the cell phone data indicated at 12:16:39 PM, the devices reached an approximate speed of 40 MPS / 90 MPH. The test vehicle did in fact reach 90 MPH during the test at approximately 12:16 PM. Even though this was only a difference of a few seconds, and all three devices reached an approximate speed of 90 MPH, I felt it was worth noting they did not record the speed at the exact same time.

Figure #11 at 12:16:37 PM Data comparison
Figure #12 at 12:16:37 PM Tool data
Figure #13 at 12:16:37 PM Device speeds

Location #3 at 12:24:04 PM:

  • Ford Sync Gen3: Latitude: 36.196129 Longitude: -115.253471
    • Berla Derived Speed: 35.2 MPH
  • Apple iPhone X: Latitude: 36.1961690057406 Longitude: -115.253257379043
    • Cache.db ZRTCLLOCATIONMO ZSPEED (converted): 36.8647701760101 MPH
  • Apple iPhone 7: Latitude: 36.1961333826521 Longitude: -115.253260983262
    • Cache.db ZRTCLLOCATIONMO ZSPEED (converted): 37.1555747653198 MPH

As we have seen in other tests, these locations are again near each other and are reasonably accurate to my physical location.

Figure #14 at 12:24:04 PM
Figure #15 at 12:24:04 PM Tool data
Figure #16 at 12:24:04 PM Device speeds

Figure #17 is a video of how to create a flipbook video via ArtEx. ArtEx can be downloaded from here and is free! Figure #18 is the finished product which contains the iPhone X (iOS 14.7) location data for the test from start to finish. I would like to point out the video contains the following data that could be useful when presenting location data as an exhibit:

  • Timestamp
  • Location Coordinates
  • Accuracy Radius
  • Device Speed
Figure #17 Making an ArtEx location flipbook
Figure #18 ArtEx location flipbook (2min 55 sec vehicle / flag starts moving)

As we can see in Figure #19 via the Berla iVe tool, at approximately 12:37:46 PM (UTC-7), I exited the vehicle and Scooters iPhone X (14.7) disconnected from the vehicle.

NOTE: I would like to highlight an artifact and how time zone offsets could affect our ability to analyze Bluetooth connections within a timeline. Notice, within Cellebrite Physical Analyzer, the last recorded timestamp for Scooters iPhone was connected to the vehicle was at 12:37:46 PM (UTC-7). Looking at Scooters iPhone X data within Magnet AXIOM, we can see when the time zone offset is set to UTC-0, the “Last Seen Date/Time” timestamp has been decoded as 4/5/2022 at 12:37:48 PM.

Which one is correct? Does the timestamp need a UTC conversion?

Let’s convert the artifacts in AXIOM to local time (UTC-7). Using a UTC offset conversion, it now indicates the “Last Seen Date/Time” as 5:37:48 AM (UTC-7). Rest assured, I was not conducting any tests at 5:30 in the morning, so this is not the correct time.

Let’s review original values in the plist.

Based on when I was conducting the testing, this plist is recording the “LastSeenTime” in local device time. The original timestamp is not in UTC-0 and shouldn’t be converted when placed into a timeline for analysis. This is just another example why we must validate artifacts being parsed by our tools and why, at times, it might be necessary to review the original values.

Figure #19 Bluetooth connection offset

Conclusion

I believe based on this additional research and testing we can continue to use the ZSPEED in the ZRTCLLLOCATIONMO table as reliable data of an approximate device speed at a particular time and place. I continue to believe the more accurate the ZHORIZONTALACCURACY is, the more reliable the ZSPEED data will be.

I believe this should be used in conjunction with vehicle collision reconstruction reports, crash data recorder reports and/or vehicle forensics data acquisition reports. You might not always have those types of reports, and this might be the only evidence you have as to a possible speed.

The majority of the mobile device data I have analyzed as the result of a vehicle collision investigation has indicated the vehicle / device was traveling at a steady pace or had very little variation prior to the crash. Routinely, at the time of the vehicle collision, there was a drastic change in the device speed. I have found there was other device data that could be used to show indicators that a vehicle collision occurred. Some of those examples could be that an application activity stopped, the device became unplugged, the backlight turned on, Bluetooth was disconnected, assisted 911 call was made and others. These indicators should be used in conjunction with the drastic device speed stoppage indicating when a vehicle collision occurred.

Future Considerations:

There have been preliminary discussions with vehicle forensics experts who may have access to advance GPS location tools and vehicle testing equipment about conducting some additional testing and research in this area. I am hoping we can meet up and conduct additional tests using specialized equipment.

I would like to thank everyone for taking the time to review these tests and write-ups. I hope they have been useful for you and your investigators. Please feel free to contact me if you have any questions.

One thought on “Vehicle and iPhone Speed Comparison

  1. Pingback: Week 27 – 2022 – This Week In 4n6

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: