Asking and Answering the Right Questions about Mobile Forensics Methods


Smartphones, tablets and other mobile devices are becoming more a part of everyday business, and as a result, more a part of litigation. However much they resemble PCs in storage capacity and Internet connectivity, they are not PCs. Their data is stored differently, so it must be preserved and collected differently; they do not allow for targeted data collection, as computers do; and obtaining data from them can sometimes require different tools.

To comply with the 2006 e-discovery amendments to the Federal Rules of Civil Procedure as well as precedent related to sanctions [1], attorneys must understand the processes their forensic examiners use to obtain mobile device data. Attorneys should be able to ask the right questions both when selecting a forensic examiner, and as the examiner prepares the evidence.

[1] Mary Mack, Esq., “Dueling Opinions: Scheindlin’s Pension Committee vs. Rosenthal’s Rimkus,” Discovery Resources, March 2010: http://www.discoveryresources.org/technology-counsel/dueling-opinions-scheindlin%E2%80%99s-pension-committee-vs-rosenthal%E2%80%99s-rimkus/

Good documentation flows between attorney and mobile forensic examiner, and saves time and costs associated with litigation.

Many different tools

No single forensic acquisition tool can obtain all of the data on a phone, especially data that has been deleted. To get the necessary data, an examiner may turn to a variety of tools and processes. And even if the attorney knows what a hex dump, flasher box or password extraction is, knowing the path the examiner took to obtain them can be important. That path usually involves isolating the phone from the network, may include recovering the password to a locked device, and always comes back to software and hardware tools.

A good examiner will document everything he or she did to recover mobile data. “Good documentation of the process will look like a narrative of what was done,” says Douglas Brush, vice president of dispute and legal management consulting at New York-based Duff & Phelps. “Things such as make, model, serial numbers, software versions should be included for evidentiary items, hardware/software tools used, and collection repositories.

“Good documentation should also have pictures of the evidence as well as any actions performed that might need to be validated. Video recordings, screen captures and other forms of visual memorialization should be used where appropriate. Chain of custody forms should be used for each piece of evidence.”
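The record Brush describes can be kept as a machine-readable manifest alongside the paper chain-of-custody form. The following is an added example, not Cellebrite's code and not taken from the original page: it stores the device and tool identifiers next to a SHA-256 digest of the acquired image, appends custody events, and later checks a copy of the image against the record. Every device name, serial number, tool name and repository path in it is a constructed placeholder.

```python
"""Evidence manifest for a mobile acquisition.  Added example, not Cellebrite's
code; every device, tool and examiner identifier below is a constructed
placeholder."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

ACQUISITION_TYPES = ("logical", "file_system", "physical")


def sha256_hex(data: bytes) -> str:
    """Digest of the acquired image; this is the value the chain-of-custody form cites."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(image: bytes, *, device: dict, tool: dict, examiner: str,
                   repository: str, acquisition_type: str) -> dict:
    """Assemble the narrative record for one acquisition.

    The manifest stores the hash and size of the image rather than the image
    itself, so it can be shared with counsel without disclosing device content.
    """
    if acquisition_type not in ACQUISITION_TYPES:
        raise ValueError("unknown acquisition type: %r" % acquisition_type)
    return {
        "device": dict(device),        # make, model, serial/IMEI as printed on the label
        "tool": dict(tool),            # name and version actually used for this pull
        "examiner": examiner,
        "acquisition_type": acquisition_type,
        "repository": repository,      # where the image file is kept
        "image_size": len(image),
        "image_sha256": sha256_hex(image),
        "custody": [],                 # chain-of-custody events, appended below
    }


def add_custody_event(manifest: dict, actor: str, action: str, note: str = "",
                      when: Optional[datetime] = None) -> dict:
    """Append one hand-off or action (acquired, sealed, transferred, ...) to the record."""
    stamp = (when or datetime.now(timezone.utc)).isoformat()
    manifest["custody"].append({"when": stamp, "actor": actor, "action": action, "note": note})
    return manifest


def verify_image(manifest: dict, image: bytes) -> bool:
    """Check a later copy of the image against the recorded size and digest."""
    if len(image) != manifest["image_size"]:
        return False
    return hmac.compare_digest(manifest["image_sha256"], sha256_hex(image))


def manifest_json(manifest: dict) -> str:
    """Serialise deterministically so the manifest itself can be hashed and signed."""
    return json.dumps(manifest, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Constructed stand-in for an acquired image; a real one is the tool's output file.
    image = b"\x00" * 1024 + b"constructed physical image" + b"\xff" * 1024
    m = build_manifest(
        image,
        device={"make": "ExampleCo", "model": "Phone X", "serial": "SN-0000-EXAMPLE"},
        tool={"name": "example-extractor", "version": "1.2.3"},
        examiner="J. Examiner",
        repository="EVIDENCE-VOL-01/case-0001/phone-x.bin",
        acquisition_type="physical",
    )
    add_custody_event(m, "J. Examiner", "acquired", "network isolated, SIM removed")
    add_custody_event(m, "J. Examiner", "sealed", "evidence bag E-001")
    print(manifest_json(m))
    print("copy verifies:", verify_image(m, image))
    print("tampered copy verifies:", verify_image(m, image[:-1] + b"\x00"))
```

Hashing is not something the text spells out, but it is what makes the "collection repositories" entry defensible: a later copy that fails verify_image() has been altered or truncated since acquisition, and the examiner can say so on the stand with reference to the recorded digest rather than to memory.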


Spoliation of mobile data

Brush points out that in most cases, logical acquisition will be enough to get all the necessary data from a mobile device. This is because following a litigation hold, organizations are required to preserve all their data (print and electronic); if they don’t, they face sanctions.

However, at times, data are not preserved – or are even deliberately deleted – and deeper inspection is needed.

Enter physical acquisition tools, which can obtain all data in a device’s memory that has not been overwritten. However, although a number of mainstream tools exist for this purpose, no one tool can recover everything that has been deleted. This can be a particular challenge when it comes to multimedia messaging service (MMS) texts, which can include audio, video or still images, and therefore contain much more data to recover [1].

Brush says that higher demand for physical images means that forensic tool manufacturers have done a better job of releasing solutions in conjunction with, or in rapid response to, a new device’s release. Still, some popular platforms (Android among them) do not yet allow full physical images from some mobile forensic tools.

[1] Kroll Ontrack OnPoint, “Mobile Device Forensics: A Walk on the Wireless Side of E-Discovery,” December 2010: http://www.theediscoveryblog.com/2010/12/30/mobile-device-forensics-a-walk-on-the-wireless-side-of-ediscovery/
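To make the difference between a logical and a physical acquisition concrete, here is an added example in Python. It is not code from the original page and does not describe how any particular product works: a constructed 2 KiB "flash image" holds one allocated JPEG, one deleted JPEG whose blocks were never reused, and one deleted JPEG whose trailer was overwritten. A logical extraction walks the toy file table and sees only the allocated file; a header/trailer carver over the raw bytes recovers the deleted one but can only flag the overwritten one. The image layout, the file table format and the JPEG payloads are all constructed for the example.

```python
"""Logical extraction vs. carving a raw (physical) image.  Added example; the
image layout and the file table are constructed for illustration and do not
reflect any real device or product."""
from typing import Dict, List, Tuple

JPEG_SOI = b"\xff\xd8\xff"   # start of image, followed by an APPn marker (0xE0..0xEF)
JPEG_EOI = b"\xff\xd9"       # end of image


def make_jpeg(payload: bytes) -> bytes:
    """Minimal JFIF-shaped blob: SOI + APP0 header, opaque payload, EOI.
    Only the markers matter to the carver; the payload is constructed ASCII."""
    return JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + payload + JPEG_EOI


def build_sample_image() -> Tuple[bytes, Dict[str, Tuple[int, int]]]:
    """Constructed 2 KiB 'physical image' plus the file table a logical
    extraction would read.  Only the first JPEG is still referenced."""
    allocated = make_jpeg(b"allocated photo still referenced by the file table")
    deleted = make_jpeg(b"deleted MMS attachment, blocks never reused")
    partial = make_jpeg(b"deleted MMS attachment, trailer overwritten")[:-2]  # EOI gone
    buf = bytearray(2048)
    buf[64:64 + len(allocated)] = allocated
    buf[512:512 + len(deleted)] = deleted
    buf[1024:1024 + len(partial)] = partial
    table = {"photo_0001.jpg": (64, len(allocated))}   # name -> (offset, length)
    return bytes(buf), table


def logical_extract(image: bytes, table: Dict[str, Tuple[int, int]]) -> Dict[str, bytes]:
    """What a logical acquisition returns: only files the file table still lists."""
    return {name: image[off:off + size] for name, (off, size) in table.items()}


def carve_jpegs(image: bytes, max_size: int = 4096) -> Tuple[List[Tuple[int, bytes]], List[int]]:
    """Scan raw bytes for JPEG start/end markers regardless of any file table.

    Returns (recovered, truncated): recovered holds (offset, bytes) for each
    complete SOI..EOI span; truncated lists offsets where a header was found
    but no trailer followed within max_size bytes, i.e. the body or trailer
    was overwritten and the file cannot be recovered intact.
    """
    recovered: List[Tuple[int, bytes]] = []
    truncated: List[int] = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        # Require an APPn marker after SOI to cut false positives from random bytes.
        if start + 3 >= len(image) or not 0xE0 <= image[start + 3] <= 0xEF:
            pos = start + 1
            continue
        end = image.find(JPEG_EOI, start + 4, start + max_size)
        if end < 0:
            truncated.append(start)
            pos = start + 4
            continue
        end += len(JPEG_EOI)
        recovered.append((start, image[start:end]))
        pos = end
    return recovered, truncated


if __name__ == "__main__":
    image, table = build_sample_image()
    print("logical view          :", sorted(logical_extract(image, table)))
    recovered, truncated = carve_jpegs(image)
    print("carved intact at      :", [off for off, _ in recovered])
    print("header only (overwritten) at:", truncated)
```

The carver finds the deleted attachment only because nothing reused its blocks; once the trailer is gone it can report that a file was there but not return it intact. That is the practical reason no tool "recovers everything that has been deleted", and why examiners note which regions of a physical image were carved rather than read through the file system. A production carver also validates the JPEG segment structure and handles embedded thumbnails, which this example leaves out.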

Risk management: preventing spoliation

A good forensic examiner will always isolate the device from the network. However, Benjamin Wright, an attorney who specializes in digital law and forensic examinations, says the law doesn’t easily lend itself to good practice. “The law requires that when firms have a reason to believe there will be a lawsuit, they must take reasonable steps to preserve their data,” he explains.

In a complex organization, this may mean storing more records for longer periods of time. On the other hand, this pits data preservation against data security. Thus attorneys should plan to communicate regularly with information technology (IT) staff, as well as employees, about how to protect data in or outside of a litigation hold.

For IT staff, mobile devices may be easy to overlook when the focus is on internal e-mail and other systems, not to mention the cloud. But mobile devices don’t exist in a vacuum, says Wright; they are connected with the larger network. Therefore, stopping remote and automatic wiping processes is key to preserving volatile mobile data.

An even better solution: train executives and other employees involved in “substantive activities” to save mobile messages elsewhere. “Each employee needs to have the outlook that important messages must be stored and recorded,” Wright explains. “And they need a core place for that storage.”

Logically, this is email. Text messages can be copied to an email account, says Wright, “so that email becomes a diary of employees’ business activities.” This fulfills both legal and data security requirements.


Attorneys working with mobile forensic examiners must be aware of automatic and remote wiping capabilities, which some firms may employ as a way of protecting data security. “Some devices such as BlackBerrys have auto-wipe features for unsuccessful unlock attempts and the ability to remotely ‘nuke’ the data,” says Brush. “We might see this as a growing concern as more mobile device platforms are incorporated in enterprise networks that will require such a feature [for information security]. I think if an examiner acts in good faith and can demonstrate that all steps were taken to reduce loss of data, then if data loss does occur, the repercussions can be minimized.

“From the corporate end, however, it has to be addressed as devices are taken out of service. You want to make sure the device is not the last bastion of some data pertinent to a matter, and that when the user is fired, resigns or leaves, it is not wiped if that custodian is responsive to a litigation matter.”

Privacy concerns

Personal mobile devices may be used for work; work mobile devices may be used for personal email or social networking [1]. Yet unlike targeted e-discovery, mobile phone forensics extracts everything from the device, personal and professional data alike, including emails, documents, images and videos.

“Prior to the collection of evidence this should be a discussion [2],” says Brush. “The examiner is ultimately an agent of the court and should act in the interest of finding responsive evidence, not airing embarrassing details. There should be something signed either by retention letter or confidentiality agreement and protective order; this puts everyone on notice. Examiners should follow best practices of documenting where evidence is stored. Encrypting the drives used for evidence storage and transfer provides a level of security and can be done with free tools.”

Get granular: understanding the mobile examiner’s process

Knowing what your forensic examiner is doing, or might do, with mobile devices under a litigation hold benefits attorneys in several ways. First, it increases the legal defensibility of the recovered data. Second, it can help keep a lid on costs.

[1] Mathew J. Schwartz, “CIOs See Smartphones as Data Breach Time Bomb,” Information Week, November 2010: http://www.informationweek.com/news/hardware/handheld/showArticle.jhtml?articleID=228300244&cid=RSSfeed_IWK_All

[2] Mary T. Novacheck, “Proactive ESI Procedures at the Outset of Litigation,” Hennepin Lawyer, February 2011: http://hennepin.timberlakepublishing.com/article.asp?article=1510&paper=1&cat=147

A litigation hold may extend to personal devices. In a 2005 case, CIBC World Markets Inc. v. Genuity Capital Markets, a Canadian court issued a hold on “such devices wheresoever located, including at any office or home (but not restricted to such locations) whether or not said to be owned or used by others including spouses, children or other relatives.” [1]

In this case, one of the spouses was a lawyer; the court acknowledged that her electronic files needed to be protected in order to preserve attorney-client privilege. Other forms of private content which a mobile examination may inadvertently reveal include proprietary information, instances of indiscretion, personally identifiable information of a family member or their contacts, and so on.

[1] Canadian Legal Information Institute, February 16, 2005: http://www.canlii.org/en/on/onsc/doc/2005/2005canlii3944/2005canlii3944.html


To these ends, any examiner should be prepared to discuss:

• what tools he uses
• whether she is certified and/or trained to use the tools
• how often he validates and tests the tools [1]
• how she handles chain of custody
• how he documents his processes

Wright says one thing that can help during an actual investigation is for the forensic examiner to use software that allows copious note-taking. “Many tools enable the addition of words, which can have legal impact, into the record the examiner creates,” he explains.

This can be important when the examiner “touches” data that is irrelevant to the case or carries privacy implications. The products of a forensic examiner’s investigation can be protected under attorney-client privilege or “attorney work product doctrine,” but the attorney must be able to categorize and label the data, or otherwise participate in creating the work product. [2]

“A good tool that allows lots of notes and comments can help the attorney work with the examiner to protect the data surgically,” Wright adds. “For example, a device might contain 1,000 units of data, but only 15 are relevant to the investigation.” The right forensic or e-discovery tools will enable the examiner to place disclaimers and warning banners along with notes on the data.

Attorneys can do more to familiarize themselves with the forensic process, says Brush. “Attorneys should take some time to read blogs, articles, forums and websites to become familiar with [digital forensics] common tools and procedures. They should be aware that digital evidence is unique because many of the best practice evidentiary and civil procedure rules were born from criminal evidence procedure.”

Truly understanding a forensic examiner’s mobile examination process, from data protection and collection tools to how she’ll address client- or case-specific issues, takes a foundation of understanding backed up by regular communication. To save time and, potentially, client money, the attorney needs to know the right questions to ask during the interview process, and needs to be comfortable following up throughout the investigation.

[1] Josh Brunty, “Validation of Forensic Tools and Software: A Quick Guide for the Digital Forensic Examiner,” DFI News, March 2011: http://www.dfinews.com/article/validation-forensic-tools-and-software-quick-guide-digital-forensic-examiner

[2] Benjamin Wright, “Attorney-Client Privilege | Work Product,” Electronic Data Records Law blog, March 2010: http://legal-beagle.typepad.com/wrights_legal_beagle/2010/03/confidential.html

“Lawyers should get a feeling that the examiner has a methodology that makes sense and can be accounted for on the stand. [And they] should stay in touch with examiners about where things are on a case. There should be some milestones that both parties agree warrant phone calls to discuss the next steps.”

-- Douglas Brush, Duff & Phelps


About UFED

Cellebrite’s UFED provides cutting-edge solutions for physical, logical and file system extraction of data and passwords from thousands of legacy and feature phones, smartphones, portable GPS devices, and tablets, with ground-breaking physical extraction capabilities for the world’s most popular platforms: BlackBerry®, iOS, Android, Nokia, Windows Mobile, Symbian, Palm and more.

The extraction of vital evidentiary data includes call logs, phonebook, text messages (SMS), pictures, videos, audio files, ESN, IMEI, ICCID and IMSI information and more.

About Cellebrite

Founded in 1999, Cellebrite is a global company known for its technological breakthroughs in the cellular industry. A world leader and authority in mobile data technology, Cellebrite established its mobile forensics division in 2007, with the Universal Forensic Extraction Device (UFED). Cellebrite’s range of mobile forensic products, the UFED Series, enables the bit-for-bit extraction and in-depth decoding and analysis of data from thousands of mobile devices, including feature phones, smartphones, portable GPS devices, tablets and phones manufactured with Chinese chipsets.

Cellebrite’s UFED Series is the prime choice of forensic specialists in law enforcement, military, intelligence, corporate security and eDiscovery agencies in more than 60 countries.

Cellebrite is a wholly-owned subsidiary of the Sun Corporation, a listed Japanese company (6736/JQ).

www.ufedseries.com

BlackBerry® is a registered trademark of Research in Motion (RIM) Corp. Android™ is a trademark of Google Inc. iPhone® is a trademark of Apple Inc., registered in the United States and other countries.

Cellebrite USA, Inc., 266 Harristown Rd., Suite 105, Glen Rock, NJ 07452

Tel: +1 201 848 8552 / Fax: +1 201 848 9982 / Facebook.com/CellebriteUFED / @CellebriteUSA

[email protected]