[author: Mike Lynch]
Mobile devices are an integral part of our lives. In just over a decade, we went from the venerable flip phone (who didn’t love sending text messages on one of those?) to handheld computers with far more processing power than that of some of the first mainframe computers. We keep up with family and friends, conduct meetings, shop, bank, and surf the internet on our mobile devices. Why should it surprise anyone that mobile device data is becoming more and more of an ask in electronic discovery? In this post, I’ll discuss some of the considerations, challenges, and technical aspects of collecting and analyzing mobile device data. Whether or not the mobile device should be collected in a case is a question saved for another blog post.
Mobile device data is unique in the way it must be collected. Forensic software dedicated to the extraction and analysis of mobile data has been around for years, and tends to work well standing on its own. Still, there are questions as to how best to produce this data for review in an eDiscovery environment. Most mobile forensic platforms aren’t readily compatible with eDiscovery review platforms, but are fully capable of generating reports in a number of different formats. Sometimes, raw data from the mobile devices can be input to processing and review platforms. These factors should be considered on a case-by-case basis.
Another important thing to consider is the manner in which mobile device extractions must be conducted. Modern tools require the physical device to be attached. This requires either an onsite collection with the forensics expert or sending the device to the expert for extraction. The good news is that the extraction process is typically quick, and can be completed in as little as twenty minutes. Thus, most devices can be processed and returned the same day. Even twenty minutes can seem like a long time to go without our phones these days.
As in any collection of data, there are questions that should be asked up-front with respect to the extraction and analysis of mobile device data. They are as follows:
What type of device is it? (Apple, Samsung, etc.)
What is the passcode, and if it’s an iPhone, is the backup encrypted? If so, what’s the backup password?
Does the device have MDM (Mobile Device Management) software installed? If so, what kind?
Is this a personal or company device? If it’s a company device, who is the person directly responsible for the administration of these devices?
Most importantly, and I cannot stress this enough, when planning to collect data from mobile devices, make sure you’re specific as to the data you want. Asking for “everything” should be avoided at all costs, lest there be wailing and gnashing of teeth when you receive a report several thousand pages in length with links to thousands of native files to review. Often, the data set generated for review can be reduced by category, i.e. call logs, contacts, and text messages. Keyword searches performed during the forensic analysis can also reduce the amount of data to be reviewed. It is recommended you consult with your mobile forensics expert prior to scheduling a collection to understand their capabilities, as well as what data may or may not be relevant to your case.
There will always be challenges to face and bridges to cross when it comes to the extraction, processing, and analysis of mobile device data. Operating systems, applications, and mobile forensic tools are constantly evolving. We, too, must be prepared in the event mobile device data comes into question in discovery. By understanding these considerations, we can be better prepared when that time comes.