Migrated from eDJGroupInc.com. Author: Greg Buckles. Published: 2012-06-19 05:00:12. Format, images and links may no longer function correctly.

When headlines, press briefings and client requests on the same topic all hit at once, you have to pay attention. I recently wrote "Mobile Discovery – Are You Ready For It?" in reaction to a story about how Michigan and three other states may be capturing cell phone images during traffic stops. Then a sharp client asked for a market perspective on mobile preservation obligations in the wake of the BP criminal charges. The final straw was a briefing request from Cellebrite’s CEO James Grady on the release of their new UFED Touch product line. That was enough motivation to steal the time for a fast briefing.


The primary goal was to determine how easily a corporation could acquire a mobile extraction device, train staff to use it and integrate it into its legal hold process. Mr. Grady indicated that although government and security customers still dominate their sales revenue, corporate eDiscovery sales took off last year and are one of the fastest growing market segments. Every corporate decision maker is effectively chained to their iPhone, Blackberry or Android smart phone. Moreover, iPads have become the executive toy-du-jour for meetings and travel with apps that allow them to edit presentations, email and MS Office documents (all discovery request targets). So what does it take to preserve and process cell phones?



[Image: UFED with phone]

The first thing to explore is whether you really HAVE to do it. Is there any way to capture everything relevant to civil discovery at the server level so that you can make the physical device irrelevant? The Blackberry server can capture the PIN to PIN texts, but there are few options for capturing text, photos, videos, voicemail, internet history or deleted data from smart phones. Here is a chart that gives you some insight into how long some cell providers keep information. You could require users to perform periodic full backups to pre-defined network locations, but policy without monitoring and compliance only says that you knew what you SHOULD have done. The storage and business impact of performing and managing enterprise-wide mobile device backups seems like a high price to cover your custodians under legal hold. You still need to be able to collect and extract the information from those backups, which is a challenge in its own right.


If a Michigan State trooper can extract data from any cell phone on the side of the road in 2-3 minutes, surely a lit support or IT person could do the same during a custodian interview. The preservation copy does not solve your potential ongoing preservation requirements, but that should be managed with clear custodial instructions, training and policy once custodians are placed on hold. So what does a mobile device extraction kit like the UFED Touch cost? Initial purchase of full-featured kits such as the UFED will range from $3,500-10,000 each depending on the target mobile devices covered, whether the kit is ruggedized for field collections, portability and whether it will do a full forensic capture (think deleted items) or just the active content. You will need a maintenance contract to keep up with the constant updates for new OS versions and devices.


That gets you the hardware, but what does it take to use it? Cellebrite’s foundation in retail cell phone POS devices (think about your local Verizon/AT&T dealer) means that they stress usability and ease of adoption, even in their forensic products. Mr. Grady felt that most users could properly extract logical data after a one-day training course, though executing a physical extraction (deleted data) and analysis would require additional days. My law enforcement background means that I tend to treat every matter as a potential criminal investigation and I prefer that collection personnel have a basic forensic certification like the CCE. Realistically, that should not be required for civil discovery collections as long as you have a documented collection process and a location to securely store your collection media (hard drives or thumb drives).


Now you have the hardware, personnel and process in place. What do you do with the preservation images when you have to inspect or extract content? The UFED Physical Analyzer is a desktop application that is used to decode, decrypt, search, and analyze logical, physical, and file system data. Cellebrite also has a Reader application to share extracted content. I am using Cellebrite to show how some forensic applications have matured from old school command line tools that required certified specialists into practical solutions appropriate for corporate eDiscovery business processes.


If a consulting client asked me to guesstimate a budget to equip their discovery team to handle mobile device preservation and processing, I would ballpark it at $10-15,000 per site or team for hardware and training. If your typical matters have 10-15 key custodians and a provider would charge you $600-800/phone to do forensic collections, you would cover your investment by the second matter. The point of this exercise was to see whether cell phone eDiscovery was practical for corporations with a moderate to high litigation profile. You can judge for yourself, but I think it is time to stop pretending that mobile devices are ‘inaccessible’.


Have you used a mobile device acquisition tool in civil discovery? Write a comment or send me a note at Greg@eDJGroupInc.com.

Are you ready to start collecting iPhones?
