With the proliferation of cellular devices and the many ways people generate data on their phones, mobile devices have become a major component of digital investigations while disrupting established eDiscovery and mobile collection practice. From encryption to ephemeral content, there is a lot for attorneys to consider before recommending, and eventually performing, a mobile collection. Looking back over our mobile investigations, we have highlighted a few processes that our clients and partners should be aware of.
By far, encryption is the number one issue in mobile investigations. Mobile devices now hold more personal and sensitive information than our laptops: location history, payment card details, health data, and so on. It is only logical for these devices to encrypt that data to protect their users, but it makes eDiscovery harder, because the passcodes and key-derivation schemes have evolved and are far more expensive to recover than they once were.
Full device encryption is on by default on current iOS devices, backed by a dedicated security coprocessor (the Secure Enclave) that holds the keys. Turning it on is as simple as setting a lock screen passcode. After a reboot the passcode itself is required before the data is accessible; biometrics (Touch ID or Face ID) are only accepted once the device has been unlocked with the passcode. Androids increasingly ship with full device or file-based encryption as well. On top of that, containerisation utilities like Samsung Knox keep work data in a separately encrypted container, which is one more obstacle. Messaging apps such as Signal, WhatsApp, and Telegram are also adding their own application- or database-level encryption, so accessing data is getting steadily harder even when you have the device in hand.
Warrants for Mobile Collection
In eDiscovery, company cell phones are presently much easier to deal with than personal devices. This is simply because private companies typically have employees sign a device policy that covers how company devices may be used and who owns the data on them.
By comparison, when a personal cell phone must be seized for an investigation, our clients generally seek a warrant before the device can be seized and processed. The warrant will state and describe. The warrant also requests authority to search and seize the information in whatever form it may be stored on the device. It is extremely important for investigators to be specific on the search warrant about the particular information they are looking for on the device, so that nothing needed falls outside the search scope. Additionally, some states require the exact locations and/or users of mobile devices to be named in the warrant itself. With the ability to create multiple users or user partitions on a mobile device, this requirement can be difficult to satisfy. A proper chain of custody is also critical so the process can be defended and the evidence admitted in court. Identifying each device by make/model, serial number and IMEI is necessary to define clearly which device is being tracked, analyzed and reported on.
However, obtaining a warrant may not be necessary at all when a company suspects that an employee is breaking its data policy and wants to examine the employee's device. This can be true when the employee uses the device for business functions and the relevant policies were included in onboarding documentation. The Fourth Amendment restricts government searches, not a private employer's inspection of its own equipment under an acknowledged policy; an employee who leaks information using a company device therefore cannot rely on it to block that inspection, which in practice means no warrant is needed to obtain the data.
Explaining the Data
In eDiscovery investigations, and mobile collection in particular, being able to produce messages in a format that counsel and juries will understand is essential. eDiscovery platforms such as Relativity, which we use at LightSpeed, can process and render the messages as they would appear on the device. This is crucial for presenting accurate information that leaves nothing to question. To produce this data properly, the mobile device itself must be collected forensically using established tools. Reviewing mobile messaging can be the most difficult part of an eDiscovery investigation and benefits from guidance from a legal consulting team like LightSpeed.
Another hindrance comes from ephemeral content: content that disappears from the platform or device after a set time. Take Snapchat, for example. If messages between a suspected employee and another party take place in the app, the messages, along with any photos, videos, or audio, expire after they are viewed or within 24 hours. The trend is growing, with similar features built into Instagram, Facebook and now even Twitter. Fortunately, these platforms typically archive data server-side, so it may not be entirely gone. The app's local database on the device may also preserve content from these ephemeral conversations or, at the very least, a record that the exchange took place.
This is why it is important to perform due diligence on which platforms are in scope during the investigation. Advising companies to restrict the use of such apps for business communications can also head off future litigation problems, and this is often written into company policy.
The Right Resources
Finding technical resources that can dig into file systems, extract databases, and parse and reconstruct message and application databases is also crucial. Many forensic analysts rely on tools to parse the data for them, and when something does not show up as expected they assume it does not exist or cannot be accessed. That is not always true. Almost every mobile app keeps its data, chat history, and even photo metadata in a database, most commonly SQLite. An analyst can export those databases and examine them directly, outside the app's own display logic, which often surfaces records the app no longer shows. By normalizing the database fields into a common schema, an analyst or database expert can export data that may be pivotal to the case. Even protected or encrypted databases can often be opened with dedicated forensic utilities and methods, where conventional parsing tools would leave them unviewable.
Bring Your Own Device
BYOD policies have led to some very precarious legal situations in which custodians refuse to consent to collection experts accessing their device. Why? Because while they use it for work events, functions, and tasks, it is technically "personal" equipment. This is why employers need to be very clear about consent in their acceptable-use policies. Helping employees fully understand why a "personal" device may have to be turned over for litigation and similar purposes can make all the difference.
On the other side of the coin, custodians or counsel who want very targeted collections from mobile devices can also be a problem. Forensically this is difficult, because the collection is constrained by how the device's operating system works and how it transfers data. Some vendor tools rely on Apple's drivers and the iTunes backup mechanism, which produces the device's backup set as a whole, and because app data lives inside databases rather than as discrete files, a single message thread or app cannot be cherry-picked at collection time. The targeting has to happen afterwards, which raises privacy concerns for some clients; those are addressed by searching, filtering, and reporting on the backend so that only responsive data is reviewed and produced.
Working With LightSpeed
We deliver a full range of forensic evidence preservation and extensive collection capabilities. Our scope includes mobile devices, social media, websites, cloud/server-based email, and file storage, as well as laptops, desktops, and physical storage. And our digital forensics services include in-depth reporting and consulting. Want help with your mobile investigations? Contact us to schedule a conversation with our team of experts.