Snapchat at 70 MPH: How a Forensic iPhone Examination Exposed Distracted Driving Before a Highway Collision
- Lance Sloves

- Feb 20
Updated: Feb 25
By Lance Sloves, CCE | Computer Forensic Services, Inc. | Dallas, Texas
When attorneys bring us a motor vehicle accident case, the first question is almost always the same: Was the driver on their phone? The answer rarely comes from witness testimony or cell carrier records alone. It comes from the phone itself.
In a recent case involving a highway collision on SH-114 in the Dallas-Fort Worth Metroplex, our forensic examination of the at-fault driver’s iPhone told a story that no witness could have provided with the same precision. After creating a full file system image using Cellebrite, we analyzed the device using multiple forensic platforms: Magnet Axiom, Cellebrite Physical Analyzer, Oxygen Forensic Detective, and iLEAPP. The results revealed not just that the driver was using their phone, but exactly which app they were using and at what speed in the moments leading up to the crash. The app was Snapchat. The speed was approximately 65 to 70 miles per hour. And the usage continued right up until the moments before impact.
This blog post walks through how we built that timeline, what the data showed, and why this type of analysis matters for attorneys handling accident litigation.
The Forensic Extraction and Analysis
The driver’s iPhone was forensically imaged using Cellebrite UFED, producing a full file system extraction. This is the most comprehensive level of mobile acquisition available — it captures not just user-facing data like messages and photos, but the underlying system databases, application caches, and log files that are invisible to the phone’s owner but critical for forensic analysis.
The extracted image was then analyzed using four separate forensic platforms: Magnet Axiom, Cellebrite Physical Analyzer, Oxygen Forensic Detective, and iLEAPP (iOS Logs, Events, and Plists Parser). Each tool has different strengths. Axiom excels at timeline reconstruction and artifact correlation. Cellebrite Physical Analyzer provides deep parsing of iOS-specific databases. Oxygen offers powerful analytics and visualization capabilities. And iLEAPP — an open-source tool developed by Alexis Brignoni — is particularly effective at parsing KnowledgeC, Biome, and other Apple system-level databases that contain the usage and activity data most relevant to distracted driving cases. Using multiple tools ensures comprehensive coverage and allows us to cross-validate findings across platforms.
The Axiom Timeline export alone for the relevant time window contained over 15,700 individual records spanning approximately two hours on the day of the accident.
These weren’t 15,700 text messages or call logs. That number reflects the full range of forensic artifacts available on a modern iPhone, including KnowledgeC application focus and usage logs, cached GPS locations recorded every one to two seconds, iOS Maps tile cache data, iMessage and SMS records, call logs, screen backlight on/off states, device lock and unlock events, Apple Wallet transactions, Biome application launch records, FindMy network activity, and push notification events.
By correlating these data sources against a single timeline, we reconstructed a second-by-second narrative of the driver’s activities before, during, and after the collision.
Before the Drive: Establishing Baseline Activity
The timeline begins approximately one hour before the accident, with the phone stationary at a residential location in the mid-cities area of DFW. During this period, the driver — whom we’ll refer to as the subject — was engaged in typical smartphone activity: browsing Instagram, using Snapchat, exchanging text messages with multiple contacts, and making several phone calls via both the Phone app and FaceTime.
This baseline activity is important because it establishes patterns. It shows the subject was an active smartphone user who regularly switched between multiple communication apps. It also confirms the phone was in the subject’s possession and being actively used — not sitting in a bag or glove compartment.
At approximately 1:09 PM, an Apple Pay transaction was recorded at a fast-food drive-thru pickup window. The subject was already in a vehicle and on the move.
Texting While Driving: The First Evidence of Distraction
Between approximately 1:04 PM and 1:15 PM, while the GPS coordinates confirmed the device was in motion, the subject carried on a text message conversation with a contact stored in the phone under a nickname (“Contact A”). The messages were casual and conversational — not emergency communications. The subject sent and received multiple messages during this window, including responses that required reading the incoming message and composing a reply.
Separately, the subject also texted another contact (“Contact B”) during this same window and received an incoming phone call from that contact at 1:07 PM. The subject was juggling multiple communication threads while driving.
This alone would be significant evidence of distracted driving. But it was what happened next — on the highway — that proved most critical for the case.
Snapchat on the Highway: The Critical Pre-Accident Window
By 1:18 PM, the cached GPS locations and iOS Maps tile data confirmed the subject was traveling northbound on SH-360, transitioning to SH-121, and then merging onto SH-114 — a high-speed highway corridor running through Grapevine, Southlake, Westlake, and toward Trophy Club. The GPS coordinates, recorded approximately every second from the iPhone’s routined cache, showed the vehicle covering roughly 0.003 degrees of latitude per second. That translates to approximately 65 to 70 miles per hour — consistent with the posted speed limits on that stretch of highway.
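The speed-from-coordinates step described above can be reproduced with a great-circle distance between consecutive fixes. The following is an added example, not code from the original post or from any of the tools named; the fixes are constructed sample data, and the 5-second gap limit and function names are assumptions chosen for illustration.

```python
import math
from statistics import median

EARTH_RADIUS_M = 6_371_000
MPS_TO_MPH = 2.236936

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def segment_speeds(fixes, max_gap_s=5.0):
    """Return [(t, mph)] for consecutive (t, lat, lon) fixes.

    Pairs with a non-positive or long time gap are skipped: a speed
    averaged across missing fixes would hide a stop or a slowdown.
    """
    fixes = sorted(fixes)
    speeds = []
    for (t0, la0, lo0), (t1, la1, lo1) in zip(fixes, fixes[1:]):
        dt = t1 - t0
        if 0 < dt <= max_gap_s:
            speeds.append((t1, haversine_m(la0, lo0, la1, lo1) / dt * MPS_TO_MPH))
    return speeds

def median_mph(fixes):
    """Median is robust to the occasional bad fix that a mean would amplify."""
    return median(mph for _, mph in segment_speeds(fixes))

# Constructed sample data, not case data: one fix per second heading
# north-west, with a 20 s hole in the cache after the tenth fix.
MOVING = [(t, 32.9600 + i * 0.00015, -97.1500 - i * 0.00027)
          for i, t in enumerate(list(range(0, 10)) + list(range(30, 40)))]
# Constructed: GPS jitter of about half a metre around the coordinates
# quoted in the text for the stop.
STOPPED = [(t, 32.9977 + (t % 2) * 0.000005, -97.2078) for t in range(10)]

if __name__ == "__main__":
    print(f"moving:  {median_mph(MOVING):.1f} mph, {len(segment_speeds(MOVING))} segments")
    print(f"stopped: {median_mph(STOPPED):.1f} mph")
```

Reporting the per-segment series alongside the median lets an opposing expert see that the figure does not depend on a single pair of fixes.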
Here is what the KnowledgeC and Biome databases revealed about the subject’s phone activity during the final minutes before the 1:37 PM accident:
1:30:14 PM — Snapchat gains application focus. The KnowledgeC Application Focus database records Snapchat (identified by its bundle ID, com.toyopagroup.picaboo) as the foreground application on the device. GPS shows the vehicle on SH-114, traveling at highway speed. Snapchat focus events cycle on and off multiple times over the next 30 seconds, indicating active engagement with the app — not a single background notification.
1:31:25 PM — Snapchat focus resumes. After a brief cycle, Snapchat regains screen focus. GPS coordinates continue to update every second, confirming the vehicle is still traveling at full highway speed. The device is unlocked and the screen is on.
1:31:44 PM — Screen turns off; device locks. The KnowledgeC Screen Backlight States database records the screen going dark. The Device Lock States database records the phone locking. The Biome Application Launch log confirms the Snapchat session ended due to the idle timer — meaning the screen timed out on its own because the subject stopped interacting with it. This is a critical distinction: the subject did not deliberately close Snapchat or put the phone down. The phone was still displaying Snapchat when it went dark. At this same moment, the KnowledgeC Activity Level changed from 8 (which Apple’s internal schema maps to automotive/vehicle movement) to 1 (stationary).
1:32:30 PM — “AirPods Pro left behind” notification. The phone’s FindMy system generated an alert that the subject’s AirPods Pro had been “left behind.” This notification is triggered when a paired Bluetooth device separates from the iPhone beyond Bluetooth range. In an accident investigation, this type of alert can correspond to items being ejected or displaced during an impact, or it may indicate the AirPods were left at a prior location and the notification was simply delayed. Either way, it is a notable artifact.
1:33:21 PM — Vehicle appears to slow or stop. The cached GPS coordinates show multiple readings at nearly identical coordinates (approximately 32.9977, -97.2078), suggesting the vehicle came to a stop or near-stop in the SH-114 corridor near Westlake/Southlake.
1:33:24 – 1:33:42 PM — Subject unlocks phone and opens multiple apps. The screen turns on, the device unlocks, and Snapchat is briefly active again. Then the subject swipes to the home screen, opens Apple Maps (the Biome log records the launch reason as “homescreen,” meaning it was manually launched, not triggered by a notification), uses it for approximately two seconds, then switches to Apple Music, then returns to Snapchat.
1:34:26 PM — Screen turns off again via idle timer. The Music app session ends, the screen goes dark, and the device locks — all via idle timer, not user action.
1:34:42 PM — Last GPS coordinate recorded. The final cached location fix places the device in the Roanoke/Trophy Club area near the SH-114 and SH-170 interchange.
1:35:20 – 1:35:36 PM — Final app activity. The screen comes on one more time. Music opens briefly, then Snapchat opens from the home screen and has focus for approximately 8 seconds before the session ends and the screen state resolves.
1:37 PM — The accident occurs.
After the Accident: Silence
The post-accident data told an equally important story through its absence. There were zero outgoing calls, zero outgoing text messages, and zero user-initiated app sessions after approximately 1:35 PM. The only activity was incoming: a call from an unrecognized number at 1:54 PM, a toll-free number at 2:04 PM (consistent with a roadside assistance or insurance line), and repeated incoming calls from Contact B at 2:31 and 2:32 PM — likely someone trying to reach the subject after learning of the accident.
The subject was unable to use the phone after the crash.
Why Carrier Records Would Have Missed This
This is the most important takeaway for attorneys reading this post.
If we had relied solely on Call Detail Records obtained from the carrier via subpoena, the most critical evidence in this case — the Snapchat usage at highway speed in the minutes before the collision — would have been completely invisible. Snapchat communicates over data connections. It does not generate voice call records. It does not generate SMS records. It appears in CDR data usage logs only as undifferentiated bytes — indistinguishable from background app refresh, push notifications, system updates, or any other data traffic.
The iPhone’s internal databases — KnowledgeC, Biome, the routined cache, and the iOS Maps tile cache — provided a level of granularity that no carrier record or cell tower analysis could match. We established not just that the phone was in use, but which specific application had screen focus, exactly how long each session lasted, how each session ended (user-initiated vs. idle timer), whether the screen was on or off at each moment, the precise GPS coordinates of the vehicle at each second, and the calculated speed of the vehicle based on coordinate progression.
This is the difference between knowing a phone had “data activity” at 1:30 PM and knowing the driver was looking at Snapchat while traveling 70 miles per hour on SH-114 at 1:30 PM.
What Attorneys Should Take Away From This
Preserve the device as early as possible. iPhone log databases — particularly KnowledgeC and the routined cache — can be overwritten as the phone continues to be used. In this case, the phone was imaged approximately 15 months after the accident and the relevant data was still intact. That will not always be the case. Issue a preservation letter immediately and get the device to a qualified forensic examiner as soon as possible.
Do not rely solely on carrier records to prove or disprove distracted driving. Apps like Snapchat, Instagram, TikTok, Facebook Messenger, WhatsApp, and dozens of others communicate over data connections that are invisible in traditional CDR analysis. A full forensic extraction and examination of the device itself is the only way to identify app-specific activity.
The phone’s GPS data can be more precise than cell tower records. Carrier-based Cell Site Location Information (CSLI) provides general area coverage — often placing a device within a sector spanning hundreds of meters or more. The iPhone’s cached GPS locations in this case provided coordinates accurate to approximately five meters, updated every one to two seconds. That precision allowed us to calculate vehicle speed, confirm direction of travel, and identify the exact roadway the driver was on.
A correlated timeline is more powerful than isolated artifacts. Individual artifacts in isolation — a Snapchat session here, a GPS coordinate there — can be challenged. A fully correlated timeline that weaves application focus data, screen states, lock states, GPS positions, and communication records into a unified second-by-second narrative is far more difficult to dispute and far more compelling to a jury.
Understand what KnowledgeC and Biome actually record. These Apple system databases are not widely understood outside the mobile forensics community, but they are extraordinarily powerful. KnowledgeC records which application had foreground focus (was on-screen), when the screen turned on and off, when the device was locked and unlocked, what the device’s activity level was (stationary, walking, running, automotive), notification receipt events, and media playback history. Biome records application launch events including the reason for the launch (homescreen tap, notification, system gesture). Together, these databases provide a nearly complete picture of how a person was interacting with their device at any given moment.
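To make the foreground-focus and screen-state records concrete, the added example below (not the post's or any vendor's code) clips each application focus interval to the time the display was lit. It runs against a constructed in-memory table that is a reduced stand-in for knowledgeC.db's ZOBJECT table; the stream names, column names and the value 1 for "backlit" are assumptions to confirm against the actual extraction.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Mac absolute time origin

def mac_to_utc(seconds):
    """Timestamps are seconds since 2001-01-01 UTC, not Unix time."""
    return MAC_EPOCH + timedelta(seconds=seconds)

def intervals(conn, stream, column=None, value=None):
    """[(start, end)] in Mac absolute seconds for one stream, optionally filtered."""
    sql, args = "SELECT ZSTARTDATE, ZENDDATE FROM ZOBJECT WHERE ZSTREAMNAME = ?", [stream]
    if column in ("ZVALUESTRING", "ZVALUEINTEGER"):  # allow-list the column name
        sql += f" AND {column} = ?"
        args.append(value)
    return conn.execute(sql + " ORDER BY ZSTARTDATE", args).fetchall()

def on_screen_use(conn, bundle_id):
    """Clip each focus interval to the time the display was actually lit."""
    focus = intervals(conn, "/app/inFocus", "ZVALUESTRING", bundle_id)
    lit = intervals(conn, "/display/isBacklit", "ZVALUEINTEGER", 1)
    out = []
    for fs, fe in focus:
        for ls, le in lit:
            start, end = max(fs, ls), min(fe, le)
            if start < end:
                out.append((mac_to_utc(start), end - start))
    return out

def build_sample_db():
    """Constructed rows only; column set reduced to what the query needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ZOBJECT (ZSTREAMNAME TEXT, ZVALUESTRING TEXT,"
                 " ZVALUEINTEGER INTEGER, ZSTARTDATE REAL, ZENDDATE REAL)")
    t, snap = 700_000_000.0, "com.toyopagroup.picaboo"  # t is an arbitrary instant
    conn.executemany("INSERT INTO ZOBJECT VALUES (?, ?, ?, ?, ?)", [
        ("/display/isBacklit", None, 1, t - 10, t + 19),
        ("/app/inFocus", snap, None, t, t + 19),
        ("/display/isBacklit", None, 0, t + 19, t + 98),
        ("/display/isBacklit", None, 1, t + 98, t + 110),
        ("/app/inFocus", "com.apple.Music", None, t + 100, t + 110),
        ("/display/isBacklit", None, 1, t + 200, t + 210),
        ("/app/inFocus", snap, None, t + 195, t + 208),  # focus row starts before backlight
    ])
    return conn

if __name__ == "__main__":
    for start, secs in on_screen_use(build_sample_db(), "com.toyopagroup.picaboo"):
        print(start.isoformat(), f"{secs:.0f} s on screen")
```

The returned times are UTC; convert to the local time zone of the incident before placing them on a timeline next to carrier or witness times.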
The Bottom Line
In this case, the forensic timeline analysis of the subject’s iPhone established that the driver was actively using Snapchat while traveling at highway speed on SH-114 in the minutes immediately preceding the collision. The app had screen focus repeatedly between 1:30 PM and 1:35 PM. The sessions ended via idle timer — not user action — indicating the driver’s attention was diverted from the phone only when they stopped touching it long enough for the screen to time out. The GPS data confirmed the vehicle was traveling at approximately 65 to 70 miles per hour during this activity.
None of this would have been visible in carrier records. All of it was preserved in the iPhone’s internal databases, waiting for a qualified examiner to find it.
Computer Forensic Services, Inc. (CFSI) is a veteran-owned digital forensics firm headquartered in Dallas, Texas, serving the legal community since 2002. We provide expert analysis of mobile device forensics, Call Detail Records, computer forensics, and expert witness testimony in state and federal courts. For consultations, visit cfsiusa.com or call 214-306-6470.
Note: Details in this blog post have been anonymized to protect the privacy of all parties involved. The forensic methodology and findings described are representative of the types of analyses CFSI performs in distracted driving cases.
This blog post was AI-assisted in its drafting and is based on actual casework and forensic analysis by Lance Sloves, CCE.
