Asking and Answering the Right Questions about Mobile Forensics Methods
Smartphones, tablets and other mobile devices are becoming more a part of everyday business, and as a result, more
a part of litigation. However PC-like they are in terms of storage capacity and Internet connectivity, they are
not PCs. Their data is stored differently, so it must be preserved and collected differently; they do not allow for targeted
data collection, as computers do; and obtaining data from them can sometimes require different tools.
To comply with the 2006 e-discovery amendments to the Federal Rules of Civil Procedure as well as precedent related
to sanctions¹, attorneys must understand the processes their forensic examiners use to obtain mobile device data.
Attorneys should be able to ask the right questions both when selecting a forensic examiner and as the examiner
prepares the evidence.
¹ Mary Mack, Esq., "Dueling Opinions: Scheindlin's Pension Committee vs. Rosenthal's Rimkus," Discovery Resources, March 2010:
http://www.discoveryresources.org/technology-counsel/dueling-opinions-scheindlin%E2%80%99s-pension-committee-vs-rosenthal%E2%80%99s-rimkus/
Good documentation flows between attorney and mobile forensic examiner – and saves time and costs
associated with litigation
Many different tools
No single forensic acquisition tool can obtain all of the data on a phone,
especially if it has been deleted. To get necessary data, an examiner may
turn to a variety of tools and processes. And even if the attorney knows
what a hex dump, flasher box or password extraction is, knowing the path
the examiner took to get them can be important. That path usually involves
isolating the phone from the network, may include recovering the password
to a device that has been locked, and always comes back to software and
hardware tools.
A good examiner will document everything he or she did to recover mobile
data. "Good documentation of the process will look like a narrative of what
was done," says Douglas Brush, vice president of dispute and legal
management consulting at New York-based Duff & Phelps. "Things such
as make, model, serial numbers, software versions should be included for
evidentiary items, hardware/software tools used, and collection repositories.
"Good documentation should also have pictures of the evidence as well as
any actions performed that might need to be validated. Video recordings,
screen captures and other forms of visual memorialization should be used
where appropriate. Chain of custody forms should be used for each piece
of evidence."
Spoliation of mobile data
Brush points out that in most cases, logical acquisition will be enough to get
all the necessary data from a mobile device. This is because following a
litigation hold, organizations are required to preserve all their data (print
and electronic); if they don't, they face sanctions.
However, at times, data are not preserved – or are even deliberately deleted –
and deeper inspection is needed.
Enter physical acquisition tools, which can obtain all data in a device's
memory that has not been overwritten. However, although a number of
mainstream tools exist for this purpose, no one tool can recover everything
that has been deleted. This can be a particular challenge when it comes to
multimedia messaging service (MMS) texts, which can include audio, video
or still images, and therefore contain much more data to recover¹.
Brush says that higher demand for physical images means that forensic tool
manufacturers have done a better job of releasing solutions in conjunction
with, or rapid response to, a new device's release. Still, some popular devices
(like Android) don't allow for full physical images from some mobile
inspection platforms.
¹ Kroll Ontrack OnPoint, "Mobile Device Forensics: A Walk on the Wireless Side of E-Discovery,"
December 2010: http://www.theediscoveryblog.com/2010/12/30/mobile-device-forensics-a-walk-on-the-wireless-side-of-ediscovery/
Risk management: preventing spoliation
A good forensic examiner will always isolate the device from the network. However, Benjamin Wright, an
attorney who specializes in digital law and forensic examinations, says the law doesn't easily lend itself
to good practice. "The law requires that when firms have a reason to believe there will be a lawsuit, they
must take reasonable steps to preserve their data," he explains.
In a complex organization, this may mean storing more records for longer periods of time. On the other
hand, this pits data preservation against data security. Thus attorneys should plan to communicate regularly
with information technology (IT) staff, as well as employees, about how to protect data in or outside
of a litigation hold.
For IT staff, mobile devices may be easy to overlook when the focus is on internal e-mail and other systems,
not to mention the cloud. But mobile devices don't exist in a vacuum, says Wright; they are connected with
the larger network. Therefore, stopping remote and automatic wiping processes is key to preserving
volatile mobile data.
An even better solution: train executives and other employees involved in "substantive activities" to save
mobile messages elsewhere. "Each employee needs to have the outlook that important messages must
be stored and recorded," Wright explains. "And they need a core place for that storage."
Logically, this is email. Text messages can be copied to an email account, says Wright, "so that email becomes
a diary of employees' business activities." This fulfills both legal and data security requirements.
Attorneys working with mobile forensic examiners must be aware
of automatic and remote wiping capabilities, which some firms may employ
as a way of protecting data security. "Some devices such as BlackBerrys
have auto wipe features for unsuccessful unlock attempts and the ability
to remotely 'nuke' the data," says Brush. "We might see this as a growing
concern as more mobile device platforms are incorporated in enterprise
networks that will require such a feature [for information security]. I think
if an examiner acts in good faith, can demonstrate that all steps were taken
to reduce loss of data that if data loss does occur, the repercussions can
be minimized.
"From the corporate end, however, it has to be addressed as devices are
taken out of service. You want to make sure the device is not the last bastion
of some data pertinent to a matter and when the user is fired/resigns/leaves
and it is not wiped if that custodian is responsive to a litigation matter."
Privacy concerns
Personal mobile devices may be used for work; work mobile devices may
be used for personal email or social networking¹. Yet unlike targeted
e-discovery, mobile phone forensics extract everything from the device –
personal or professional data, including emails, documents, images
and videos.
"Prior to the collection of evidence this should be a discussion²," says Brush.
"The examiner is ultimately an agent of the court and should act in the
interest of finding responsive evidence, not airing embarrassing details.
There should be something signed either by retention letter or
confidentiality agreement and protective order; this puts everyone on
notice. Examiners should follow best practices of documenting where
evidence is stored. Encrypting the drives used for evidence storage and
transfer provides a level of security and can be done with free tools."
Get granular: understanding the mobile examiner's process
Knowing what your forensic examiner is doing, or might do, with mobile
devices under a litigation hold benefits attorneys in several ways. First, it
increases the legal defensibility of the recovered data. Second, it can help
keep a lid on costs.
¹ Mathew J. Schwartz, "CIOs See Smartphones as Data Breach Time Bomb," Information Week, November 2010:
http://www.informationweek.com/news/hardware/handheld/showArticle.jhtml?articleID=228300244&cid=RSSfeed_IWK_All
² Mary T. Novacheck, "Proactive ESI Procedures at the Outset of Litigation," Hennepin Lawyer, February 2011:
http://hennepin.timberlakepublishing.com/article.asp?article=1510&paper=1&cat=147
A litigation hold may extend to personal devices.
In a 2005 case, CIBC World Markets Inc. v. Genuity
Capital Markets, a Canadian court issued a hold
on "such devices wheresoever located, including
at any office or home (but not restricted to
such locations) whether or not said to be owned
or used by others including spouses, children or
other relatives."¹
In this case, one of the spouses was a lawyer;
the court acknowledged that her electronic
files needed to be protected in order to preserve
attorney-client privilege. Other forms of private
content which a mobile examination may inadvertently
reveal include proprietary information,
instances of indiscretion, personally identifiable
information of a family member or their contacts,
and so on.
¹ Canadian Legal Information Institute, February 16, 2005:
http://www.canlii.org/en/on/onsc/doc/2005/2005canlii3944/2005canlii3944.html
To these ends, any examiner should be prepared to discuss:
• what tools he uses
• whether she is certified and/or trained to use the tools
• how often he validates and tests the tools¹
• how she handles chain of custody
• how he documents his processes
Wright says one thing that can help during an actual investigation is for the
forensic examiner to use software that allows copious note-taking. "Many
tools enable the addition of words, which can have legal impact, into the
record the examiner creates," he explains.
This can be important when the examiner "touches" data that is irrelevant to
the case or carries privacy implications. The products of a forensic examiner's
investigation can be protected under attorney-client privilege or "attorney
work product doctrine," but the attorney must be able to categorize and
label the data, or otherwise participate in creating the work product.²
"A good tool that allows lots of notes and comments can help the attorney
work with the examiner to protect the data surgically," Wright adds. "For
example, a device might contain 1,000 units of data, but only 15 are relevant
to the investigation." The right forensic or e-discovery tools will enable the
examiner to place disclaimers and warning banners along with notes on
the data.
Attorneys can do more to familiarize themselves with the forensic process,
says Brush. "Attorneys should take some time to read blogs, articles, forums
and websites to become familiar with [digital forensics] common tools and
procedures. They should be aware that digital evidence is unique because
many of the best practice evidentiary and civil procedure rules were born
from criminal evidence procedure."
Truly understanding a forensic examiner's mobile examination process, from
data protection and collection tools to how she'll address client- or case-specific
issues, takes a foundation of understanding backed up by regular
communication. To save time and, potentially, client money, the attorney
needs to know the right questions to ask during the interview process,
and needs to be comfortable following up throughout the investigation.
¹ Josh Brunty, "Validation of Forensic Tools and Software: A Quick Guide for the Digital Forensic Examiner," DFI News, March 2011:
http://www.dfinews.com/article/validation-forensic-tools-and-software-quick-guide-digital-forensic-examiner
² Benjamin Wright, "Attorney-Client Privilege | Work Product," Electronic Data Records Law blog,
March 2010: http://legal-beagle.typepad.com/wrights_legal_beagle/2010/03/confidential.html
"Lawyers should get a feeling that the examiner
has a methodology that makes sense and
can be accounted for on the stand. [And they]
should stay in touch with examiners about
where things are on a case. There should be
some milestones that both parties agree warrant
phone calls to discuss the next steps."
-- Douglas Brush, Duff & Phelps
About UFED
Cellebrite's UFED provides cutting-edge solutions for physical, logical and file system extraction of data and passwords
from thousands of legacy and feature phones, smartphones, portable GPS devices, and tablets with ground-breaking
physical extraction capabilities for the world's most popular platforms – BlackBerry®, iOS, Android, Nokia, Windows Mobile,
Symbian and Palm and more.
The extraction of vital evidentiary data includes call logs, phonebook, text messages (SMS), pictures, videos, audio files,
ESN, IMEI, ICCID and IMSI information and more.
About Cellebrite
Founded in 1999, Cellebrite is a global company known for its technological breakthroughs in the cellular industry.
A world leader and authority in mobile data technology, Cellebrite established its mobile forensics division in 2007,
with the Universal Forensic Extraction Device (UFED). Cellebrite's range of mobile forensic products, UFED Series, enable
the bit-for-bit extraction and in-depth decoding and analysis of data from thousands of mobile devices, including feature
phones, smartphones, portable GPS devices, tablets and phones manufactured with Chinese chipsets.
Cellebrite's UFED Series is the prime choice of forensic specialists in law enforcement, military, intelligence, corporate
security and eDiscovery agencies in more than 60 countries.
Cellebrite is a wholly-owned subsidiary of the Sun Corporation, a listed Japanese company (6736/JQ).
www.ufedseries.com
BlackBerry® is a registered trademark of Research in Motion (RIM) Corp. Android™ is a trademark of Google Inc.
iPhone® is a trademark of Apple Inc., registered in the United States and other countries.
Cellebrite USA, Inc.
266 Harristown Rd., Suite 105
Glen Rock, NJ 07452
Tel: +1 201 848 8552
Fax: +1 201 848 9982
Facebook.com/CellebriteUFED
@CellebriteUSA
forensicsales@cellebriteusa.com