Smartphones, tablets and other mobile devices are becoming more a part of everyday business—and as a result, more
a part of litigation. However similar they are to PCs in terms of storage capacity and Internet connectivity, they are
not PCs. Their data is stored differently, so it must be preserved and collected differently; they do not allow for targeted
data collection, as computers do; and obtaining data from them can sometimes require different tools.
To comply with the 2006 e-discovery amendments to the Federal Rules of Civil Procedure as well as precedent related
to sanctions [1], attorneys must understand the processes their forensic examiners use to obtain mobile device data.
Attorneys should be able to ask the right questions both when selecting a forensic examiner, and as the examiner
prepares the evidence.
[1] Mary Mack, Esq., “Dueling Opinions: Scheindlin’s Pension Committee vs. Rosenthal’s Rimkus,” Discovery Resources, March 2010: http://www.discoveryresources.org/technology-counsel/dueling-opinions-scheindlin%E2%80%99s-pension-committee-vs-rosenthal%E2%80%99s-rimkus/
Asking and Answering the Right Questions about Mobile Forensics Methods
Good documentation flows between attorney and mobile forensic examiner – and saves time and costs associated with litigation
Many different tools
No single forensic acquisition tool can obtain all of the data on a phone,
especially if it has been deleted. To get necessary data, an examiner may
turn to a variety of tools and processes. And even if the attorney knows
what a hex dump, flasher box or password extraction is, knowing the path
the examiner took to get them can be important. That path usually involves
isolating the phone from the network, may include recovering the password
to a device that has been locked, and always comes back to software and
hardware tools.
A good examiner will document everything he or she did to recover mobile
data. “Good documentation of the process will look like a narrative of what
was done,” says Douglas Brush, vice president of dispute and legal
management consulting at New York-based Duff & Phelps. “Things such
as make, model, serial numbers, software versions should be included for
evidentiary items, hardware/software tools used, and collection repositories.
“Good documentation should also have pictures of the evidence as well as
any actions performed that might need to be validated. Video recordings,
screen captures and other forms of visual memorialization should be used
where appropriate. Chain of custody forms should be used for each piece
of evidence.”
Spoliation of mobile data
Brush points out that in most cases, logical acquisition will be enough to get
all the necessary data from a mobile device. This is because following a
litigation hold, organizations are required to preserve all their data (print
and electronic); if they don’t, they face sanctions.
However, at times, data are not preserved – or are even deliberately deleted –
and deeper inspection is needed.
Enter physical acquisition tools, which can obtain all data in a device’s
memory that has not been overwritten. However, although a number of
mainstream tools exist for this purpose, no one tool can recover everything
that has been deleted. This can be a particular challenge when it comes to
multimedia messaging service (MMS) texts, which can include audio, video
or still images, and therefore contain much more data to recover [1].
Brush says that higher demand for physical images means that forensic tool
manufacturers have done a better job of releasing solutions in conjunction
with, or in rapid response to, a new device’s release. Still, some popular devices
(like Android) don’t allow for full physical images from some mobile
inspection platforms.
[1] Kroll Ontrack OnPoint, “Mobile Device Forensics: A Walk on the Wireless Side of E-Discovery,” December 2010: http://www.theediscoveryblog.com/2010/12/30/mobile-device-forensics-a-walk-on-the-wireless-side-of-ediscovery/
Risk management: preventing spoliation
A good forensic examiner will always isolate the device from the network. However, Benjamin Wright, an
attorney who specializes in digital law and forensic examinations, says the law doesn’t easily lend itself
to good practice. “The law requires that when firms have a reason to believe there will be a lawsuit, they
must take reasonable steps to preserve their data,” he explains.
In a complex organization, this may mean storing more records for longer periods of time. On the other
hand, this pits data preservation against data security. Thus attorneys should plan to communicate regularly
with information technology (IT) staff, as well as employees, about how to protect data in or outside
of a litigation hold.
For IT staff, mobile devices may be easy to overlook when the focus is on internal e-mail and other systems,
not to mention the cloud. But mobile devices don’t exist in a vacuum, says Wright; they are connected with
the larger network. Therefore, stopping remote and automatic wiping processes is key to preserving
volatile mobile data.
An even better solution: train executives and other employees involved in “substantive activities” to save
mobile messages elsewhere. “Each employee needs to have the outlook that important messages must
be stored and recorded,” Wright explains. “And they need a core place for that storage.”
Logically, this is email. Text messages can be copied to an email account, says Wright, “so that email becomes
a diary of employees’ business activities.” This fulfills both legal and data security requirements.
Attorneys working with mobile forensic examiners must be aware
of automatic and remote wiping capabilities, which some firms may employ
as a way of protecting data security. “Some devices such as BlackBerrys
have auto wipe features for unsuccessful unlock attempts and the ability
to remotely ‘nuke’ the data,” says Brush. “We might see this as a growing
concern as more mobile device platforms are incorporated in enterprise
networks that will require such a feature [for information security]. I think
if an examiner acts in good faith, can demonstrate that all steps were taken
to reduce loss of data that if data loss does occur, the repercussions can
be minimized.
“From the corporate end, however, it has to be addressed as devices are
taken out of service. You want to make sure the device is not the last bastion
of some data pertinent to a matter and when the user is fired/resigns/leaves
and it is not wiped if that custodian is responsive to a litigation matter.”
Privacy concerns
Personal mobile devices may be used for work; work mobile devices may
be used for personal email or social networking [1]. Yet unlike targeted
e-discovery, mobile phone forensics extract everything from the device —
personal or professional data, including emails, documents, images
and videos.
“Prior to the collection of evidence this should be a discussion [2],” says Brush.
“The examiner is ultimately an agent of the court and should act in the
interest of finding responsive evidence, not airing embarrassing details.
There should be something signed either by retention letter or
confidentiality agreement and protective order; this puts everyone on
notice. Examiners should follow best practices of documenting where
evidence is stored. Encrypting the drives used for evidence storage and
transfer provides a level of security and can be done with free tools.”
Get granular: understanding the mobile examiner’s process
Knowing what your forensic examiner is doing, or might do, with mobile
devices under a litigation hold benefits attorneys in several ways. First, it
increases the legal defensibility of the recovered data. Second, it can help
keep a lid on costs.
[1] Mathew J. Schwartz, “CIOs See Smartphones as Data Breach Time Bomb,” Information Week, November 2010: http://www.informationweek.com/news/hardware/handheld/showArticle.jhtml?articleID=228300244&cid=RSSfeed_IWK_All
[2] Mary T. Novacheck, “Proactive ESI Procedures at the Outset of Litigation,” Hennepin Lawyer, February 2011: http://hennepin.timberlakepublishing.com/article.asp?article=1510&paper=1&cat=147
A litigation hold may extend to personal devices.
In a 2005 case, CIBC World Markets Inc. v. Genuity
Capital Markets, a Canadian court issued a hold
on “such devices wheresoever located, including
at any office or home (but not restricted to
such locations) whether or not said to be owned
or used by others including spouses, children or
other relatives.” [1]
In this case, one of the spouses was a lawyer;
the court acknowledged that her electronic
files needed to be protected in order to preserve
attorney-client privilege. Other forms of private
content which a mobile examination may inadvertently
reveal include proprietary information,
instances of indiscretion, personally identifiable
information of a family member or their contacts,
and so on.
[1] Canadian Legal Information Institute, February 16, 2005: http://www.canlii.org/en/on/onsc/doc/2005/2005canlii3944/2005canlii3944.html
To these ends, any examiner should be prepared to discuss:
• what tools he uses
• whether she is certified and/or trained to use the tools
• how often he validates and tests the tools [1]
• how she handles chain of custody
• how he documents his processes
Wright says one thing that can help during an actual investigation is for the
forensic examiner to use software that allows copious note-taking. “Many
tools enable the addition of words, which can have legal impact, into the
record the examiner creates,” he explains.
This can be important when the examiner “touches” data that is irrelevant to
the case or carries privacy implications. The products of a forensic examiner’s
investigation can be protected under attorney-client privilege or “attorney
work product doctrine,” but the attorney must be able to categorize and
label the data, or otherwise participate in creating the work product [2].
“A good tool that allows lots of notes and comments can help the attorney
work with the examiner to protect the data surgically,” Wright adds. “For
example, a device might contain 1,000 units of data, but only 15 are relevant
to the investigation.” The right forensic or e-discovery tools will enable the
examiner to place disclaimers and warning banners along with notes on
the data.
Attorneys can do more to familiarize themselves with the forensic process,
says Brush. “Attorneys should take some time to read blogs, articles, forums
and websites to become familiar with [digital forensics] common tools and
procedures. They should be aware that digital evidence is unique because
many of the best practice evidentiary and civil procedure rules were born
from criminal evidence procedure.”
Truly understanding a forensic examiner’s mobile examination process, from
data protection and collection tools to how she’ll address client- or case-specific
issues, takes a foundation of understanding backed up by regular
communication. To save time and, potentially, client money, the attorney
needs to know the right questions to ask during the interview process,
and needs to be comfortable following up throughout the investigation.
[1] Josh Brunty, “Validation of Forensic Tools and Software: A Quick Guide for the Digital Forensic Examiner,” DFI News, March 2011: http://www.dfinews.com/article/validation-forensic-tools-and-software-quick-guide-digital-forensic-examiner
[2] Benjamin Wright, “Attorney-Client Privilege | Work Product,” Electronic Data Records Law blog, March 2010: http://legal-beagle.typepad.com/wrights_legal_beagle/2010/03/confidential.html
“Lawyers should get a feeling that the examiner
has a methodology that makes sense and
can be accounted for on the stand. [And they]
should stay in touch with examiners about
where things are on a case. There should be
some milestones that both parties agree warrant
phone calls to discuss the next steps.”
-- Douglas Brush, Duff & Phelps
About UFED
Cellebrite’s UFED provides cutting-edge solutions for physical, logical and file system extraction of data and passwords
from thousands of legacy and feature phones, smartphones, portable GPS devices, and tablets with ground-breaking
physical extraction capabilities for the world’s most popular platforms – BlackBerry®, iOS, Android, Nokia, Windows Mobile,
Symbian and Palm and more.
The extraction of vital evidentiary data includes call logs, phonebook, text messages (SMS), pictures, videos, audio files,
ESN, IMEI, ICCID and IMSI information and more.
About Cellebrite
Founded in 1999, Cellebrite is a global company known for its technological breakthroughs in the cellular industry.
A world leader and authority in mobile data technology, Cellebrite established its mobile forensics division in 2007,
with the Universal Forensic Extraction Device (UFED). Cellebrite’s range of mobile forensic products, UFED Series, enable
the bit-for-bit extraction and in-depth decoding and analysis of data from thousands of mobile devices, including feature
phones, smartphones, portable GPS devices, tablets and phones manufactured with Chinese chipsets.
Cellebrite’s UFED Series is the prime choice of forensic specialists in law enforcement, military, intelligence, corporate
security and eDiscovery agencies in more than 60 countries.
Cellebrite is a wholly-owned subsidiary of the Sun Corporation, a listed Japanese company (6736/JQ)
www.ufedseries.com
BlackBerry® is a registered trademark of Research in Motion (RIM) Corp. Android™ is a trademark of Google Inc.
iPhone® is a trademark of Apple Inc., registered in the United States and other countries.
Cellebrite USA, Inc.
266 Harristown Rd., Suite 105
Glen Rock, NJ 07452
Tel: +1 201 848 8552
Fax: +1 201 848 9982
Facebook.com/CellebriteUFED
@CellebriteUSA
www.ufedseries.com
forensicsales@cellebriteusa.com

Weitere Àhnliche Inhalte

KĂŒrzlich hochgeladen

KĂŒrzlich hochgeladen (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 

Empfohlen

How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 

Empfohlen (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

Asking and Answering the Right Questions about Mobile Forensics Methods

  • 1. Smartphones, tablets and other mobile devices are becoming more a part of everyday business—and as a result, more a part of litigation. However like PCs they are in terms of storage capacity and Internet connectivity, though, they are not PCs. Their data is stored differently, so it must be preserved and collected differently; they do not allow for targeted data collection, as computers do; and obtaining data from them can sometimes require different tools. To comply with the 2006 e-discovery amendments to the Federal Rules of Civil Procedure as well as precedent related to sanctions1 , attorneys must understand the processes their forensic examiners use to obtain mobile device data. Attorneys should be able to ask the right questions both when selecting a forensic examiner, and as the examiner prepares the evidence. 1 Mary Mack, Esq.,“Dueling Opinions: Scheindlin’s Pension Committee vs. Rosenthal’s Rimkus,”Discovery Resources, March 2010: http://www.discoveryre- sources.org/technology-counsel/dueling-opinions-scheindlin%E2%80%99s-pension-committee-vs-rosenthal%E2%80%99s-rimkus/ Asking and Answering the Right Questions about Mobile Forensics Methods Good documentation flows between attorney and mobile forensic examiner – and saves time and costs associated with litigation Many different tools No single forensic acquisition tool can obtain all of the data on a phone, especially if it has been deleted. To get necessary data, an examiner may turn to a variety of tools and processes. And even if the attorney knows what a hex dump, flasher box or password extraction is, knowing the path the examiner took to get them can be important. That path usually involves isolating the phone from the network, may include recovering the password to a device that has been locked, and always comes back to software and hardware tools. 
A good examiner will document everything he or she did to recover mobile data.“Good documentation of the process will look like a narrative of what was done,”says Douglas Brush, vice president of dispute and legal management consulting at New York-based Duff & Phelps.“Things such as make, model, serial numbers, software versions should be included for evidentiary items, hardware/software tools used, and collection repositories. “Good documentation should also have pictures of the evidence as well as any actions performed that might need to be validated. Video recordings, screen captures and other forms of visual memorialization should be used where appropriate. Chain of custody forms should be used for each piece of evidence.”
  • 2. Spoliation of mobile data Brush points out that in most cases, logical acquisition will be enough to get all the necessary data from a mobile device. This is because following a litigation hold, organizations are required to preserve all their data (print and electronic); if they don’t, they face sanctions. However, at times, data are not preserved – or are even deliberately deleted – and deeper inspection is needed. Enter physical acquisition tools, which can obtain all data in a device’s memory that has not been overwritten. However, although a number of mainstream tools exist for this purpose, no one tool can recover everything that has been deleted. This can be a particular challenge when it comes to multimedia messaging service (MMS) texts, which can include audio, video or still images, and therefore contain much more data to recover1 . Brush says that higher demand for physical images means that forensic tool manufacturers have done a better job of releasing solutions in conjunction with, or rapid response to, a new device’s release. Still, some popular devices (like Android) still don’t allow for full physical images from some mobile inspection platforms. 1 Kroll Ontrack OnPoint,“Mobile Device Forensics: A Walk on the Wireless Side of E-Discovery,” December 2010: http://www.theediscoveryblog.com/2010/12/30/mobile-device-forensics-a-walk- on-the-wireless-side-of-ediscovery/ Risk management: preventing spoliation A good forensic examiner will always isolate the device from the network. However, Benjamin Wright, an attorney who specializes in digital law and forensic examinations, says the law doesn’t easily lend itself to good practice.“The law requires that when firms have a reason to believe there will be a lawsuit, they must take reasonable steps to preserve their data,”he explains. In a complex organization, this may mean storing more records for longer periods of time. On the other hand, this pits data preservation against data security. 
Thus attorneys should plan to communicate regularly with information technology (IT) staff, as well as employees, about how to protect data in or outside of a litigation hold. For IT staff, mobile devices may be easy to overlook when the focus is on internal e-mail and other systems, not to mention the cloud. But mobile devices don’t exist in a vacuum, says Wright; they are connected with the larger network. Therefore, stopping remote and automatic wiping processes is key to preserving volatile mobile data. An even better solution: train executives and other employees involved in“substantive activities”to save mobile messages elsewhere.“Each employee needs to have the outlook that important messages must be stored and recorded,”Wright explains.“And they need a core place for that storage.” Logically, this is email. Text messages can be copied to an email account, says Wright,“so that email becomes a diary of employees’business activities.”This fulfills both legal and data security requirements. 2
  • 3. Attorneys working with mobile forensic examiners must be aware of automatic and remote wiping capabilities, which some firms may employ as a way of protecting data security. “Some devices such as BlackBerrys have auto wipe features for unsuccessful unlock attempts and the ability to remotely‘nuke’the data,”says Brush.“We might see this as a growing concern as more mobile device platforms are incorporated in enterprise networks that will require such a feature [for information security]. I think if an examiner acts in good faith, can demonstrate that all steps were taken to reduce loss of data that if data loss does occur, the repercussions can be minimized. “From the corporate end, however, it has to be addressed as devices are taken out of service. You want to make sure the device is not the last bastion of some data pertinent to a matter and when the user is fired/resigns/leaves and it is not wiped if that custodian is responsive to a litigation matter.” Privacy concerns Personal mobile devices may be used for work; work mobile devices may be used for personal email or social networking1 . Yet unlike targeted e-discovery, mobile phone forensics extract everything from the device — personal or professional data, including emails, documents, images and videos. “Prior to the collection of evidence this should be a discussion2 ,”says Brush. “The examiner is ultimately an agent of the court and should act in the interest of finding responsive evidence, not airing embarrassing details. There should be something signed either by retention letter or confidentiality agreement and protective order; this puts everyone on notice. Examiners should follow best practices of documenting where evidence is stored. 
Encrypting the drives used for evidence storage and transfer provides a level of security and can be done with free tools.” Get granular: understanding the mobile examiner’s process Knowing what your forensic examiner is doing, or might do, with mobile devices under a litigation hold benefits attorneys in several ways. First, it increases the legal defensibility of the recovered data. Second, it can help keep a lid on costs. 1 Mathew J. Schwartz,“CIOs See Smartphones as Data Breach Time Bomb,”Information Week, Novem- ber 2010: http://www.informationweek.com/news/hardware/handheld/showArticle.jhtml?articleID= 228300244&cid=RSSfeed_IWK_All 2 Mary T. Novacheck,“Proactive ESI Procedures at the Outset of Litigation,”Hennepin Lawyer, Febru- ary 2011: http://hennepin.timberlakepublishing.com/article.asp?article=1510&paper=1&cat=147 A litigation hold may extend to personal devices. In a 2005 case, CIBC World Markets Inc. v. Genuity Capital Markets, a Canadian court issued a hold on “such devices wheresoever located, includ- ing at any office or home (but not restricted to such locations) whether or not said to be owned or used by others including spouses, children or other relatives.” 1 In this case, one of the spouses was a lawyer; the court acknowledged that her electronic files needed to be protected in order to preserve attorney-client privilege. Other forms of private content which a mobile examination may inad- vertently reveal include proprietary information, instances of indiscretion, personally identifiable information of a family member or their contacts, and so on. 1 Canadian Legal Information Institute, February 16, 2005: http://www.canlii.org/en/on/onsc/doc/2005/20 05canlii3944/2005canlii3944.html 3
  • 4. To these ends, any examiner should be prepared to discuss:
• what tools he uses
• whether she is certified and/or trained to use the tools
• how often he validates and tests the tools¹
• how she handles chain of custody
• how he documents his processes
Wright says one thing that can help during an actual investigation is for the forensic examiner to use software that allows copious note-taking. “Many tools enable the addition of words, which can have legal impact, into the record the examiner creates,” he explains. This can be important when the examiner “touches” data that is irrelevant to the case or carries privacy implications.
The products of a forensic examiner’s investigation can be protected under attorney-client privilege or “attorney work product doctrine,” but the attorney must be able to categorize and label the data, or otherwise participate in creating the work product.²
“A good tool that allows lots of notes and comments can help the attorney work with the examiner to protect the data surgically,” Wright adds. “For example, a device might contain 1,000 units of data, but only 15 are relevant to the investigation.” The right forensic or e-discovery tools will enable the examiner to place disclaimers and warning banners along with notes on the data.
Attorneys can do more to familiarize themselves with the forensic process, says Brush. “Attorneys should take some time to read blogs, articles, forums and websites to become familiar with [digital forensics] common tools and procedures. They should be aware that digital evidence is unique because many of the best practice evidentiary and civil procedure rules were born from criminal evidence procedure.”
Truly understanding a forensic examiner’s mobile examination process, from data protection and collection tools to how she’ll address client- or case-specific issues, takes a foundation of understanding backed up by regular communication. To save time and, potentially, client money, the attorney needs to know the right questions to ask during the interview process, and needs to be comfortable following up throughout the investigation.
¹ Josh Brunty, “Validation of Forensic Tools and Software: A Quick Guide for the Digital Forensic Examiner,” DFI News, March 2011: http://www.dfinews.com/article/validation-forensic-tools-and-software-quick-guide-digital-forensic-examiner
² Benjamin Wright, “Attorney-Client Privilege | Work Product,” Electronic Data Records Law blog, March 2010: http://legal-beagle.typepad.com/wrights_legal_beagle/2010/03/confidential.html
“Lawyers should get a feeling that the examiner has a methodology that makes sense and can be accounted for on the stand. [And they] should stay in touch with examiners about where things are on a case. There should be some milestones that both parties agree warrant phone calls to discuss the next steps.” -- Douglas Brush, Duff & Phelps
  • 5. About UFED
Cellebrite’s UFED provides cutting-edge solutions for physical, logical and file system extraction of data and passwords from thousands of legacy and feature phones, smartphones, portable GPS devices, and tablets with ground-breaking physical extraction capabilities for the world’s most popular platforms – BlackBerry®, iOS, Android, Nokia, Windows Mobile, Symbian and Palm and more. The extraction of vital evidentiary data includes call logs, phonebook, text messages (SMS), pictures, videos, audio files, ESN IMEI, ICCID and IMSI information and more.
About Cellebrite
Founded in 1999, Cellebrite is a global company known for its technological breakthroughs in the cellular industry. A world leader and authority in mobile data technology, Cellebrite established its mobile forensics division in 2007, with the Universal Forensic Extraction Device (UFED). Cellebrite’s range of mobile forensic products, UFED Series, enable the bit-for-bit extraction and in-depth decoding and analysis of data from thousands of mobile devices, including feature phones, smartphones, portable GPS devices, tablets and phones manufactured with Chinese chipsets. Cellebrite’s UFED Series is the prime choice of forensic specialists in law enforcement, military, intelligence, corporate security and eDiscovery agencies in more than 60 countries. Cellebrite is a wholly-owned subsidiary of the Sun Corporation, a listed Japanese company (6736/JQ)
www.ufedseries.com
BlackBerry® is a registered trademark of Research in Motion (RIM) Corp. Android™ is a trademark of Google Inc. iPhone® is a trademark of Apple Inc., registered in the United States and other countries.
Cellebrite USA, Inc.
266 Harristown Rd., Suite 105
Glen Rock, NJ 07452
Tel: +1 201 848 8552
Fax: +1 201 848 9982
Facebook.com/CellebriteUFED
@CellebriteUSA
forensicsales@cellebriteusa.com