with contributing author Makenzie Windfelder, Associate at McCarter & English Attorneys at Law
Now that computers and the Internet are a regular part of our daily lives, the digital world increasingly contains potential evidence for all types of activity, ranging from individual criminal actions to activity that may be relevant to business litigation or an investigation. Forensic investigations seek to uncover this evidence and then perform analysis in order to gain a full understanding of an end user’s activity on a given computing device. In recent years, traditional computer forensics, or “dead-box analysis,” has begun transitioning into “live-box analysis,” meaning more analyses are performed on volatile systems, such as live computer workstations and mobile devices like laptops, tablets and smartphones. Given the growing use of these mobile technologies for professional purposes, understanding the nuances of preserving, extracting and analyzing electronically stored information (ESI) from them is paramount to the success of any such investigation. Additionally, the policies established by the organization and its legal team to protect that data will be critical in defending this recovery moving forward.
Preservation
Since 2012, more than 1,600 new mobile device types have been released into the marketplace.1 While this flood of new products provides variety for consumers, it also allows for vast differences in the technologies that are capturing potentially critical data. Thus, the first order of business in a forensic investigation is finding the appropriate hardware and software to use during preservation. Hardware considerations may include the types of connection interface that each phone model requires, while software considerations must be made based on the operating system of the phone. For example, BlackLight software from BlackBag Technologies is excellent for the preservation and analysis of Apple products (iPhones, iPads and even Apple computers) but cannot be used on phones that run non-Apple operating systems, such as Android. It’s also important to keep in mind that some mobile devices may require multiple tools in order to maximize data extraction.
ESI Extraction
ESI varies by mobile device, and the challenge in collecting data lies in the different levels of security each “smart” device employs. For many smartphones, data collections will produce contacts, call logs, text messages and sometimes voicemails and email. Apple devices, however, do not necessarily yield the same information.
Recently, publications have outlined what forensic practitioners can and cannot extract from the various versions of Apple products. For example, prior to the release of the iPhone 4S and iPad 2, a full forensic image of these devices would have provided resident data from the systems, as well as data that may have been purposefully or inadvertently deleted. For next-generation versions of these products, however, deleted data, which resides within the device’s “free space,” can no longer be recovered due to encryption applied by Apple. This has proved insurmountable for practitioners and, at this point, only Apple can provide encryption keys or crack passwords to break through. As a result, the company is currently dealing with a backlog of requests from law enforcement agencies to do so.2
Analysis
Given the thousands of makes and models of mobile devices in the marketplace today, proper investigation by experienced forensic examiners employing various software packages is the best bet for maximizing results and producing accurate, reliable analyses. Examiners should be able to identify the key pieces of data that could ultimately prove critical to a case.
For example, location data, such as GPS coordinates and “GeoTags” (geographical metadata within photographs or videos), has become quite important to many investigations. Proper analysis of location information could be essential when investigating where a particular document originated or where a particular event took place. In a recent homicide investigation, GPS coordinates from the victim’s iPhone identified his location just before the time of his death, which was ultimately crucial in identifying the perpetrator.
BYOD Policies
Recently, bring your own device (BYOD) policies, which allow employees to bring their personal mobile devices into the office to access internal data and company information, have gained popularity and are also having a major effect on the analysis of data. While this may allow corporations to initially save money by not having to issue employees company-owned devices, it also provides for a less streamlined computing environment, which can lead to issues, including spoliation, when discovery requirements arise.
Ensuring Defensive Discovery
Corporations must be proactive in addressing the myriad challenges BYOD presents. A corporation that takes a wait-and-see approach to managing and preserving relevant information – including that which resides on mobile devices – may quickly find itself defending against costly spoliation sanctions.
Permitting BYOD does not mean a corporation is required to support every device on the market. When implementing a BYOD policy, a corporation should identify the devices and operating systems it will support in order to understand the preservation and collection challenges each poses. A corporation may consider requiring employees to register their personal devices with a mobile device management (MDM) solution that, in addition to a variety of enhanced security measures, enables remote access for data collection. Regardless of the parameters of BYOD, the policy should require that employees seeking to use a personal device for work consent to collection of any information stored therein.
Legal Hold Notices should also be used to explicitly direct employees to preserve all information on their mobile devices subject to Legal Hold, highlighting the sources of information unique to these devices such as SMS text messages, call logs, pictures, videos, documents and applications beyond those approved by the corporation. In addition, counsel should ensure that custodial interview questionnaires include targeted questions about the scope of the employee’s use of mobile devices for business purposes, as well as identification of information on one’s device that is subject to Legal Hold. This information will help inform decisions regarding preservation and extraction of potentially relevant data.
Given the proliferation of mobile device use both personally and professionally, corporations should expect that discovery requests will include production of mobile device data. Therefore, careful planning on the part of general counsel, internal legal teams and supporting forensic practitioners to address and manage preservation, collection and analysis of mobile device data is critical to the success of discovery in any investigation or litigation.