The story about Michigan State Police officers collecting forensic snapshots of mobile phones during traffic stops back in April kicked off my long research journey into whether corporate mobile discovery was really feasible. After lengthy interviews with leading experts in mobile phone forensics, I can assure you that a full physical acquisition of your iPhone, iPad, BlackBerry or Android device is just not going to happen during a typical 30 minute custodian interview or a traffic stop. The connectors and communication protocols of mobile devices were not designed for the high speed data exports that we have come to expect from enterprise backup systems and disk imaging devices like Logicube. The ‘pipe’ is just too small to copy 8+ GB without taking custody of the device. You can grab the active call log, text messages and other phone elements quickly, but that kind of logical extraction may not suffice to ‘preserve’ your custodian’s ESI in some matters, especially if that device may be the only source of deleted items that are critical to proving your case.
I kept trying to pin down the exact differences in what was kept in the device’s logical operating system vs. what could be recovered from a physical copy of the actual NAND storage. Every time I thought that I had it figured out, one of my helpful experts would say, “Yes, but only for device X or versions Y.” I created the slide to the right for an excellent webinar with Lee Reiber, AccessData’s Director of Mobile Forensics. He gently clarified that what we can retrieve from every different device will be determined by the extraction method, locked/unlocked status, apps used, acquisition technology and more. With almost 600 registrants, this webinar clearly demonstrated the market interest in mobile forensics.
Does that mean that you can never make a truthful declaration of what might be extracted from a custodian’s mobile device? You will need to know the variables, manage business usage and qualify any disclosures so that you do not paint yourself into a corner with a judge who does not care how easily mobile ESI can be lost. The good news is that the mature corporate scenario with a limited number of approved devices, IM clients, document editing apps and other tools can greatly simplify your life. Instead of trying to chase your user’s latest toy or app, some companies are implementing mobile device management systems to prevent your ESI from hitchhiking out of your reach. These systems will not help you extract content from iPhones or tablets, but they can force users to register devices and apps so that the discovery team can test your chosen extraction solution ahead of time.
I took a second shot at that slide in an attempt to convey the types of content based on whether it is unique to the device or whether you could possibly synchronize that content with a network system to render it duplicative. In other words, what could be on that device that is not easy to replicate in an enterprise system for collection. Two unique iOS items that bear special note is the iPhone’s spell checker log that keeps up to 6 months of your keystrokes and the screenshots that it keeps every time that you launch or resume an app to give you that ‘zoom’ screen effect. Craig Ball mentioned these unintended digital breadcrumbs in his keynote at the recent Carmel Valley eDiscovery Retreat.
Although Apple iOS devices currently dominate the corporate BYOD market, Andrew Hoog – CIO of viaForensics has an interesting take on why Google’s open platform Android devices may be more attractive to educated enterprise IT buyers in the long run. Although Android devices have taken a beating with some well publicized security gaps and the inability to wipe phone data, Hoog believes that this is a natural open source security evolution that continuously and rapidly improves the operating system. In contrast to the legions of Android hackers across the world who get to test the open code and share their tricks with Google, Apple hackers have to spend a lot more time reverse engineering every new iOS release. Essentially, the Android community benefits from the open platform while the Apple community struggles in the dark. That results in Android exploits hitting the tech press, but the bright light of publicity also drives mitigation solutions into new version releases much faster. Now Hoog is a self-admitted open source fan and ViaForensics’ viaExtract software only handles Android devices, but his book on iPhone and iOS forensics is a good resource.
Paraben’s CEO Amber Schroader says that you do not have to be a super geek to do mobile forensics today, but you do need to know your limits. Paraben offers a variety of training courses and software certification levels that start with a one day digital forensic triage class for $395. My favorite quote from Schroader was, “No device this small should have a camera on it.” She also helped me realize that any corporation wanting to equip their discovery team with mobile collection software should factor in a dedicated low cost laptop that can be easily wiped and reloaded as needed. Lee Reiber (AccessData) had already tried to warn me about the perils of multiple manufacturers’ drivers, but I seem to like learning lessons the hard way.
The deeper I delve into the world of mobile device discovery, the more parallels I see between these devices and Cloud sources/services. Every week we speak with corporations and law firms whose ESI is increasingly fleeing the corporate IT castle to live in the Cloud and be accessed by a global, remote workforce. Discovery teams are struggling to catch up with simple email servers, network shares, IM chat and other in-house ESI sources while that ESI is migrating to ‘mini computers’ in user pockets and ‘mega computers’ distributed across the globe. I am afraid that business IT is evolving faster than the legal business. Corporate legal must collaborate and integrate with IT to keep informed of changing technologies and user demands before they become nightmare realities. These challenges can be met, but only by proactive team effort with executive mandates.