Asking and Answering the Right Questions about Mobile Forensics Methods

Good documentation flows between attorney and mobile forensic examiner – and saves time and costs associated with litigation

Smartphones, tablets and other mobile devices are becoming more a part of everyday business—and as a result, more a part of litigation. However like PCs they are in terms of storage capacity and Internet connectivity, they are not PCs. Their data is stored differently, so it must be preserved and collected differently; they do not allow for targeted data collection, as computers do; and obtaining data from them can sometimes require different tools.

To comply with the 2006 e-discovery amendments to the Federal Rules of Civil Procedure as well as precedent related to sanctions [1], attorneys must understand the processes their forensic examiners use to obtain mobile device data. Attorneys should be able to ask the right questions both when selecting a forensic examiner, and as the examiner prepares the evidence.

[1] Mary Mack, Esq., “Dueling Opinions: Scheindlin’s Pension Committee vs. Rosenthal’s Rimkus,” Discovery Resources, March 2010: http://www.discoveryresources.org/technology-counsel/dueling-opinions-scheindlin%E2%80%99s-pension-committee-vs-rosenthal%E2%80%99s-rimkus/

Many different tools

No single forensic acquisition tool can obtain all of the data on a phone, especially if it has been deleted. To get necessary data, an examiner may turn to a variety of tools and processes. And even if the attorney knows what a hex dump, flasher box or password extraction is, knowing the path the examiner took to get them can be important. That path usually involves isolating the phone from the network, may include recovering the password to a device that has been locked, and always comes back to software and hardware tools.

A good examiner will document everything he or she did to recover mobile data. “Good documentation of the process will look like a narrative of what was done,” says Douglas Brush, vice president of dispute and legal management consulting at New York-based Duff & Phelps. “Things such as make, model, serial numbers, software versions should be included for evidentiary items, hardware/software tools used, and collection repositories.

“Good documentation should also have pictures of the evidence as well as any actions performed that might need to be validated. Video recordings, screen captures and other forms of visual memorialization should be used where appropriate. Chain of custody forms should be used for each piece of evidence.”
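
One way to keep the narrative record Brush describes tamper-evident, as an added example (not from the original paper or from any forensic tool): each step is a log entry chained to the previous one by SHA-256, so a later edit or a removed step is detectable. The hash chain, the field names and every sample value (device, tool, people, timestamps) are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous digest" used by the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    """Hash every field except the entry's own digest, in canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "digest"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))

def append_entry(log: list, when: str, who: str, action: str, details: dict) -> dict:
    """Record one step of the narrative, bound by hash to the step before it."""
    entry = {"seq": len(log) + 1, "when": when, "who": who, "action": action,
             "details": details, "prev": log[-1]["digest"] if log else GENESIS}
    entry["digest"] = entry_digest(entry)
    log.append(entry)
    return entry

def verify_log(log: list) -> int:
    """Return 0 if the chain is intact, else the position of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log, start=1):
        if (entry["seq"] != i or entry["prev"] != prev
                or entry["digest"] != entry_digest(entry)):
            return i
        prev = entry["digest"]
    return 0

def build_sample_log() -> list:
    """Constructed sample: the device, tool, people and times are all made up."""
    image = b"constructed stand-in for the bytes of an acquired image"
    log = []
    append_entry(log, "2011-03-01T14:02:00Z", "Examiner A", "received device",
                 {"make": "ExampleCo", "model": "X100", "serial": "SN-PLACEHOLDER",
                  "received_from": "Custodian B", "photos": ["front.jpg", "back.jpg"]})
    append_entry(log, "2011-03-01T14:10:00Z", "Examiner A", "isolated from network",
                 {"method": "shielded enclosure"})
    append_entry(log, "2011-03-01T15:30:00Z", "Examiner A", "logical acquisition",
                 {"tool": "ExampleTool", "tool_version": "1.0",
                  "repository": "evidence-drive-01", "image_sha256": sha256_hex(image)})
    return log

if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify_log(sample) == 0)
    sample[1]["details"]["method"] = "airplane mode"   # simulate a later edit
    print("first altered entry:", verify_log(sample))
```

Entries removed from the end of the log are only detectable if the latest digest is also recorded somewhere else, for example on the paper chain of custody form.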

Spoliation of mobile data

Brush points out that in most cases, logical acquisition will be enough to get all the necessary data from a mobile device. This is because following a litigation hold, organizations are required to preserve all their data (print and electronic); if they don’t, they face sanctions.

However, at times, data are not preserved – or are even deliberately deleted – and deeper inspection is needed.

Enter physical acquisition tools, which can obtain all data in a device’s memory that has not been overwritten. However, although a number of mainstream tools exist for this purpose, no one tool can recover everything that has been deleted. This can be a particular challenge when it comes to multimedia messaging service (MMS) texts, which can include audio, video or still images, and therefore contain much more data to recover [2].

Brush says that higher demand for physical images means that forensic tool manufacturers have done a better job of releasing solutions in conjunction with, or in rapid response to, a new device’s release. Still, some popular devices (like Android) don’t allow for full physical images from some mobile inspection platforms.

[2] Kroll Ontrack OnPoint, “Mobile Device Forensics: A Walk on the Wireless Side of E-Discovery,” December 2010: http://www.theediscoveryblog.com/2010/12/30/mobile-device-forensics-a-walk-on-the-wireless-side-of-ediscovery/

Risk management: preventing spoliation

A good forensic examiner will always isolate the device from the network. However, Benjamin Wright, an attorney who specializes in digital law and forensic examinations, says the law doesn’t easily lend itself to good practice. “The law requires that when firms have a reason to believe there will be a lawsuit, they must take reasonable steps to preserve their data,” he explains.

In a complex organization, this may mean storing more records for longer periods of time. On the other hand, this pits data preservation against data security. Thus attorneys should plan to communicate regularly with information technology (IT) staff, as well as employees, about how to protect data in or outside of a litigation hold.

For IT staff, mobile devices may be easy to overlook when the focus is on internal e-mail and other systems, not to mention the cloud. But mobile devices don’t exist in a vacuum, says Wright; they are connected with the larger network. Therefore, stopping remote and automatic wiping processes is key to preserving volatile mobile data.

An even better solution: train executives and other employees involved in “substantive activities” to save mobile messages elsewhere. “Each employee needs to have the outlook that important messages must be stored and recorded,” Wright explains. “And they need a core place for that storage.”

Logically, this is email. Text messages can be copied to an email account, says Wright, “so that email becomes a diary of employees’ business activities.” This fulfills both legal and data security requirements.

Attorneys working with mobile forensic examiners must be aware of automatic and remote wiping capabilities, which some firms may employ as a way of protecting data security. “Some devices such as BlackBerrys have auto wipe features for unsuccessful unlock attempts and the ability to remotely ‘nuke’ the data,” says Brush. “We might see this as a growing concern as more mobile device platforms are incorporated in enterprise networks that will require such a feature [for information security]. I think if an examiner acts in good faith, can demonstrate that all steps were taken to reduce loss of data that if data loss does occur, the repercussions can be minimized.

“From the corporate end, however, it has to be addressed as devices are taken out of service. You want to make sure the device is not the last bastion of some data pertinent to a matter and when the user is fired/resigns/leaves and it is not wiped if that custodian is responsive to a litigation matter.”

Privacy concerns

Personal mobile devices may be used for work; work mobile devices may be used for personal email or social networking [3]. Yet unlike targeted e-discovery, mobile phone forensics extract everything from the device — personal or professional data, including emails, documents, images and videos.

“Prior to the collection of evidence this should be a discussion [4],” says Brush. “The examiner is ultimately an agent of the court and should act in the interest of finding responsive evidence, not airing embarrassing details. There should be something signed either by retention letter or confidentiality agreement and protective order; this puts everyone on notice. Examiners should follow best practices of documenting where evidence is stored. Encrypting the drives used for evidence storage and transfer provides a level of security and can be done with free tools.”

[3] Mathew J. Schwartz, “CIOs See Smartphones as Data Breach Time Bomb,” Information Week, November 2010: http://www.informationweek.com/news/hardware/handheld/showArticle.jhtml?articleID=228300244&cid=RSSfeed_IWK_All
[4] Mary T. Novacheck, “Proactive ESI Procedures at the Outset of Litigation,” Hennepin Lawyer, February 2011: http://hennepin.timberlakepublishing.com/article.asp?article=1510&paper=1&cat=147

A litigation hold may extend to personal devices. In a 2005 case, CIBC World Markets Inc. v. Genuity Capital Markets, a Canadian court issued a hold on “such devices wheresoever located, including at any office or home (but not restricted to such locations) whether or not said to be owned or used by others including spouses, children or other relatives.” [5]

In this case, one of the spouses was a lawyer; the court acknowledged that her electronic files needed to be protected in order to preserve attorney-client privilege. Other forms of private content which a mobile examination may inadvertently reveal include proprietary information, instances of indiscretion, personally identifiable information of a family member or their contacts, and so on.

[5] Canadian Legal Information Institute, February 16, 2005: http://www.canlii.org/en/on/onsc/doc/2005/2005canlii3944/2005canlii3944.html

Get granular: understanding the mobile examiner’s process

Knowing what your forensic examiner is doing, or might do, with mobile devices under a litigation hold benefits attorneys in several ways. First, it increases the legal defensibility of the recovered data. Second, it can help keep a lid on costs.

To these ends, any examiner should be prepared to discuss:
• what tools he uses
• whether she is certified and/or trained to use the tools
• how often he validates and tests the tools [6]
• how she handles chain of custody
• how he documents his processes

Wright says one thing that can help during an actual investigation is for the forensic examiner to use software that allows copious note-taking. “Many tools enable the addition of words, which can have legal impact, into the record the examiner creates,” he explains.

This can be important when the examiner “touches” data that is irrelevant to the case or carries privacy implications. The products of a forensic examiner’s investigation can be protected under attorney-client privilege or “attorney work product doctrine,” but the attorney must be able to categorize and label the data, or otherwise participate in creating the work product. [7]

“A good tool that allows lots of notes and comments can help the attorney work with the examiner to protect the data surgically,” Wright adds. “For example, a device might contain 1,000 units of data, but only 15 are relevant to the investigation.” The right forensic or e-discovery tools will enable the examiner to place disclaimers and warning banners along with notes on the data.

Attorneys can do more to familiarize themselves with the forensic process, says Brush. “Attorneys should take some time to read blogs, articles, forums and websites to become familiar with [digital forensics] common tools and procedures. They should be aware that digital evidence is unique because many of the best practice evidentiary and civil procedure rules were born from criminal evidence procedure.”

Truly understanding a forensic examiner’s mobile examination process, from data protection and collection tools to how she’ll address client- or case-specific issues, takes a foundation of understanding backed up by regular communication. To save time and, potentially, client money, the attorney needs to know the right questions to ask during the interview process, and needs to be comfortable following up throughout the investigation.

[6] Josh Brunty, “Validation of Forensic Tools and Software: A Quick Guide for the Digital Forensic Examiner,” DFI News, March 2011: http://www.dfinews.com/article/validation-forensic-tools-and-software-quick-guide-digital-forensic-examiner
[7] Benjamin Wright, “Attorney-Client Privilege | Work Product,” Electronic Data Records Law blog, March 2010: http://legal-beagle.typepad.com/wrights_legal_beagle/2010/03/confidential.html

“Lawyers should get a feeling that the examiner has a methodology that makes sense and can be accounted for on the stand. [And they] should stay in touch with examiners about where things are on a case. There should be some milestones that both parties agree warrant phone calls to discuss the next steps.”
-- Douglas Brush, Duff & Phelps

About UFED

Cellebrite’s UFED provides cutting-edge solutions for physical, logical and file system extraction of data and passwords from thousands of legacy and feature phones, smartphones, portable GPS devices, and tablets with ground-breaking physical extraction capabilities for the world’s most popular platforms – BlackBerry®, iOS, Android, Nokia, Windows Mobile, Symbian and Palm and more.

The extraction of vital evidentiary data includes call logs, phonebook, text messages (SMS), pictures, videos, audio files, ESN, IMEI, ICCID and IMSI information and more.

About Cellebrite

Founded in 1999, Cellebrite is a global company known for its technological breakthroughs in the cellular industry. A world leader and authority in mobile data technology, Cellebrite established its mobile forensics division in 2007, with the Universal Forensic Extraction Device (UFED). Cellebrite’s range of mobile forensic products, UFED Series, enable the bit-for-bit extraction and in-depth decoding and analysis of data from thousands of mobile devices, including feature phones, smartphones, portable GPS devices, tablets and phones manufactured with Chinese chipsets.

Cellebrite’s UFED Series is the prime choice of forensic specialists in law enforcement, military, intelligence, corporate security and eDiscovery agencies in more than 60 countries.

Cellebrite is a wholly-owned subsidiary of the Sun Corporation, a listed Japanese company (6736/JQ)

www.ufedseries.com

BlackBerry® is a registered trademark of Research in Motion (RIM) Corp. Android™ is a trademark of Google Inc. iPhone® is a trademark of Apple Inc., registered in the United States and other countries.

Cellebrite USA, Inc.
266 Harristown Rd., Suite 105
Glen Rock, NJ 07452
Tel: +1 201 848 8552
Fax: +1 201 848 9982
Facebook.com/CellebriteUFED
@CellebriteUSA