Outsmarting the Smartphone Mobile Discovery...Mobile device ESI is just another type of...

©2020 - 4Discovery

Mobile Discovery: Outsmarting the Smartphone

4DISCOVERY MOBILE DISCOVERY: OUTSMARTING THE SMARTPHONE

What’s On Your Phone?

EVERYTHING!

Mobile devices are “such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy”

- Chief Justice Roberts in Riley v. California2


How Do Phones Work?● Modern phones typically run on two

operating systems○ iOS (Apple) ○ Android (Google)

● These operating systems handle all of the low-level hard work

○ Storage and retrieval of files and data○ Interfacing with all the hardware and

sensors○ Handles all the communication with

cellular carriers, WiFi○ Captures photos and videos with

camera, audio with microphone○ Calculates locations for location

services, etc...

3


How Do Phones Work?● Applications simply use the framework from the

mobile OS to access and use features○ Instagram asks to use the camera○ Uber asks for location information

● Applications vary by developer and version○ They have different features and functions○ Data may be stored on the phone or in the

Cloud● App data is primarily contained in databases

○ These databases can be encrypted○ They can be excluded from backups and

collections● Apps can store data in protected storage, and

opt to not backup certain data

4


Where’s the data?Mobile OS

● What WiFi did you connect to, Bluetooth devices used, and when?

● OS related events...

App Data● Just because an app requests your location, it

does not mean it’s stored locally on the phone○ Could be transmitted back to 3rd party or

not kept at all● Mobile apps change a lot

○ Just because LinkedIn v9 didn’t store local chats, doesn’t mean that v10 won’t

● Twitter (app) might have some of your Tweets, but Twitter (web) has them all

5


Case Study: Auto Theft● What Happened: A family came home to find

their house was burglarized and their car was damaged

● Electronic Evidence: Car bluetooth system

● Forensic Artifact Analysis: Car bluetooth records indicated that a new phone had been connected to the car’s bluetooth system and called a phone named “Moms” ...

6


Mobile Device Landscape● A lot has changed in the last few years

○ Older devices had numerous security flaws that could easily be exploited○ Once security concerns were brought up, manufacturers changed strategy

● Mobile phone manufacturers are taking privacy seriously○ Both Apple and Google (Android) are still escalating phone security

● Encryption is now a standard feature on phones○ Without a PIN or passcode there may be no way to access the data○ Security measures have been put in place to prevent unlocking and imaging

phones with biometrics● New Vulnerabilities are being discovered all the time… CheckM8 for iOS

Even though the FBI has gotten better at unlocking phones and has access to sophisticated tools, the FBI is currently still fighting with Apple over unlocking iPhones in cases, especially those involving terrorism.

7

Preservation of Mobile Data

8


Acquiring Mobile Data● Once you’ve identified what kind of data

you are looking for, can you get it?

IT DEPENDS

● Make, model, operating system version, application version, carrier, and phone settings will all play a factor in determining what data can be accessed and extracted in a readable format

● Special forensic tools are used to extract as much data from a device as possible, but things are changing daily

9


Where is the data?● Some data is truly stored on the phone

○ SMS and MMS● Sometimes a phone is just a platform to

view data from the internet○ Some content can be “cached”

● Some data that is stored on the phone may not be accessible

○ Snapchat and iOS Email● Your phone and the cloud are merging…

General rule of thumb: If you can view the content of a mobile device when in “Airplane Mode,” it’s probably accessible

10


Do You Even Need the Phone?

11


Backups Can Linger● Your phone is constantly syncing and updating in the background

○ iOS nightly backups via iCloud○ Backups made when you sync with iTunes○ Android backing up to your Google Account

● Note: Data from discarded phones can be hard to get rid of...

12


Mobile Data is Volatile● Data is constantly syncing with cloud-based platforms

○ i.e. email, documents, photos● Devices can be remotely wiped● Many smartphones will automatically delete and overwrite

information when powered on○ Use caution when dealing with devices as to not

inadvertently destroy data

If you think you need it, isolate the device and preserve the data as soon as possible● Data has a way of

“disappearing”

13


Mobile Device Remote Collections● Mobile devices can now be

collected remotely● The process is simple● Some benefits of remote

collections:○ Swift Preservation○ Convenient Scheduling○ Expert Collection○ Lower Costs○ Safe & Secure

● Discovery protocols and agreements can be modified to allow for confidentiality

14


Mobile Device ManagementTypical on Corporate Devices

● Two Buckets○ 1) Managing the Entire Device○ 2) Managing Containers of Corporate Data

● Each solution varies on what types of bells and whistles it has:○ Restrict Apps, Remote Wiping, Enforce Device Settings, Maintain Corporate

Compliance/Standards

● Can impact forensic collections○ If MDM restricts backups to computers or the cloud, data may be inaccessible

15


Can Provide Access to Accounts● Remember signing into Twitter on your iPhone?

○ How many times?○ Do you need MFA every time?

● Devices can store authentication tokens that can be used to access other accounts (with permission of course)

16


Data Access Gotchas● Data exists in numerous locations

○ Not always in sync● However, these data sources are often owned by different parties

○ User, Employer, Service Provider● This impacts how data can be accessed and collected

○ Personal device vs. Corporate accounts● Other items impacting access to data

○ Passwords, Two-Factor Authentication, MDM, Encryption, Timeliness● Some examples

○ User’s phone is employer-owned, but the iCloud account belongs to User○ User is arrested and has phone confiscated, but it is thumbprint locked○ User is communicating using the native mail app on an iPhone via a Gmail account

17

The Power of a Protocol

18


Is It Relevant?Mobile device ESI is just another type of Electronically Stored Information. There is no difference between a recovered deleted email and a recovered deleted text or photo.

● Data on mobile devices is discoverable● Text messages and chats are “communication”● ESI recovered from mobile devices is relevant, unique, and extremely compelling

○ It can change the course of your entire litigation/investigation● Federal Rules for discovery apply

○ Litigation holds / Preservation

● Christou vs Beatport - Judge orders an adverse inference sanction for failure to preserve text messages.

19


Mobile Examinations are Invasive● Cell phone examinations are invasive● We store everything on these devices, including

nudes, social security numbers, photos of family, garage door codes, location data, financial information, passwords, etc...

● This is the main reason there is a fight over the imaging and analysis of mobile devices

● A well crafted protocol will help alleviate these concerns

○ It’s a win for everyone

Imaging a mobile device typically collects everything, pre-filtering a collection is usually not possible. Filtering for dates and relevant information is done post collection.

20


The Power of a Protocol...● Have a compelling story about why mobile device ESI

is relevant and likely to be discovered on your opponent’s devices

● An NDA / confidentiality agreement to counter opponent’s objections related to security or privacy and non-related mobile phone data

● Ensure non-relevant and personal information will not be produced or reviewed

● An In Camera review and a Special Master. Handling security & privacy issues

● Many smartphones and accounts are in use outside the reach of corporate security controls

21


Rule 902(13) & 902(14)902(13) covers records “generated by an electronic process or system that produces an accurate result,” such as a system registry report showing that a device was connected to a computer, or showing how smartphone software obtains GPS coordinates.

902(14) establishes that electronic data recovered “by a process of identification” is to be self-authenticating, thereby not routinely necessitating the trial testimony of a forensic or technical expert where best practices are employed, as certified through a written affidavit by a “qualified person” that complies with the certification requirements of Rule 902(11) or (12).

Trust, then Verify - Not everything works as it should and can produce incorrect results

22

Analysis & Production of Data

23


Analyzing Mobile Data● Most analysis that could be done on “traditional ESI” can also be conducted on mobile

devices○ However, data is stored in a different format

● For example, data on a computer can be unstructured, such as emails○ However, data is stored on a phone in a database format○ This is not something that can easily be reviewed without additional work

● Mobile data can often be extracted and analyzed using views of structured data○ Typically exported in some sort of spreadsheet or visual format

● Most forensic tools parse and search a limited subset of applications○ There are millions of applications for phones, and not all are supported○ The database of interest may be something that needs to be extracted using

additional forensic analysis■ i.e. Facebook Messenger v Evernote

○ This takes time and effort

24


Analyzing Mobile Data● You made an image of a phone … what’s available?● “Give Me Everything!”

○ Do you really want someone’s Angry Birds high score?

○ You wouldn’t do this for a computer hard drive● What you look for should have already been specified

in the carefully crafted protocol● If you are not careful during the protocol stage, you

could be missing potentially relevant data

Just like other ESI, deleted information may be recovered, timelines may be generated, user activity can be reconstructed, searching can be conducted ...

25


Geolocation● Phones by definition are mobile devices

… they love to store location data● Many apps require location services to

be turned on to work properly (Maps)● Companies want this for

usage/marketing purposes● Application data, photos, videos, WiFi

access points, cell towers all provide timestamped location information

26


Android Location on Google Maps

Examples of Location Data:

● Google Maps

● Waze

● Fitness Trackers

27


Case Study: Suspected Homicide● What Happened: Accused was

suspected of a murder arising from a shooting

● Electronic Evidence: Phone and Facebook Account

● Forensic Artifact Analysis: Geolocation and text message data was located in his phone that demonstrated he was not at the location involved in the shooting

28


Communications Are Important

I’m totally ready to leave this company and start my own competing firm ;)

OMG take me with you. I can get us that super secret customer list!

Don’t forget to include all of the new clients you were onboarding. We can take them with us instead.

I have a meeting with John today, and I can let him know we should hold off signing that new deal until i join you.

Totally!

29


Link Analysis

30


Case Study: Misquoted Statement● What Happened: Defendant’s mother

gave a statement to police and maintained that the officer misquoted her in his official report

● Electronic Evidence: Tablet

● Forensic Artifact Analysis: She recorded her statement on her tablet and was able to authenticate and produce it to support her claim

31


Timelining

32

● We don’t use phones like other devices. We switch between apps… a lot.

● You get a text from a friend asking if you want to see a movie…

● You check your calendar to see if you have anything else going on● You search on Google to see what’s new and check reviews● You check Fandango for showtimes● You text your friend back and confirm the movie, time, and location● You call a sitter● You buy tickets in Fandango● You use IMDB to check out the stars ● Yelp to look for a restaurant before the show● Opentable to book a reservation


Timelining - Bob & SusieDate/Time Artifact Value

02-24-2019 11:30 AM SMS Susie ⇨ Bob: Hey, do you want to get together and work on that project proposal?

02-24-2019 11:33 AM SMS Bob ⇨ Susie: I’m swamped. Let’s do it over dinner.

02-25-2019 7:18 AM SMS Bob ⇨ Susie: Thanks for last night… had a great time. Hope I didn’t drink too much.

02-25-2019 7:36 AM SMS Susie ⇨ Bob: Yeah, we’re fine… Thanks

33


Timelining - Bob & SusieDate/Time Artifact Value

02-24-2019 11:30 AM SMS Susie ⇨ Bob: Hey, do you want to get together and work on that project proposal?

02-24-2019 11:32 AM WhatsApp Bob ⇨ Jack: Hey Susie asked me to get together. I’m gonna make my move 😈

02-24-2019 11:33 AM SMS Bob ⇨ Susie: I’m swamped. Let’s do it over dinner.

02-24-2019 2:00 PM Yelp https://www.yelp.com/search?find_desc=Romantic+Restaurant

02-24-2019 8:59 PM WhatsApp Bob ⇨ Jack: Dinner is great! I’m on my 5th glass of wine… I’m going to go back to her place to “finish” the proposal.. 🍷😻

02-25-2019 7:17 AM Internet https://www.google.com/search?q=sexual+harassment+scenarios

02-25-2019 7:18 AM SMS Bob ⇨ Susie: Thanks for last night… had a great time. Hope I didn’t drink too much

02-25-2019 7:36 AM SMS Susie ⇨ Bob: Yeah, we’re fine… Thanks

02-25-2019 8:47 AM Teams Bob ⇨ Alex: Had dinner with Susie last night, might have crossed a line. Can you see if she’s mad at me?

34


Reviewing and Producing Mobile ESI

● Mobile data can be produced in a portable application for searching and review

● Messages and chat can be produced in conversation views

○ Do you need to redact?● Timelines● Spreadsheets● Load files for review in Relativity

○ Note that field data will be much different than “typical” productions

● Data can be restored to a burner phone for trial presentations

Note: Single records from mobile devices are often useless on their own without context

35

Data Security

36


Mobile Devices & Security● Mobile devices can be a huge security issue● Many companies issue laptops but not phones● Devices can often be connected to the network

without additional security or oversight○ MDM solutions are rarely installed○ Employees typically use apps and networks

without IT oversight● Social media and data breaches can expose

company events and data● If the device is BYOD, companies lose a lot of

rights regarding the data○ Collection requires consent○ Can’t prevent device recycling/replacement○ Can’t prevent a Cloud backup with sensitive

data from being used in the future

37


Agreements / Policies● Confidentiality Agreements / NDAs

○ Establish definitions of confidential and/or proprietary data● Employee Handbooks

○ Establish employee’s fiduciary duties to the company● Acceptable Use Policies

○ Establish users’ responsibilities with IT assets○ Need to be updated and acknowledged regularly to keep up with changes in the

technological environment● Non-Competes

○ Help protect client data & trade secrets from third-parties● BYOD Policies

○ Outline mobile device management policies and procedures, including security requirements, monitoring/routine inspections, and what happens when employees depart

38


Takeaways● The mobile device landscape changes fast

○ Constant influx of new devices, mobile operating systems, and Apps● Mobile forensics evolves right behind it

○ What was impossible a few months ago might be easy now● Know what you’re looking for

○ Is the data stored on a device or an account?● Develop a compelling story and protocol

○ How will it help your case and how do you protect privileged/private/non-responsive data?

● Think about review and production early○ Remember, data on phones is stored differently; how are you going to review,

redact, and produce?● Ask for help

○ Don’t rely on old protocols and templates; you may not get what you ask for

39

Chad Gough’s Contact Info

(312) 924-5761

[email protected]

40


About 4Discovery● B2B digital forensics firm that provides organizations and attorneys with digital

forensic, information security, and electronic discovery services.

● Our forensic experts have decades of experience helping attorneys and organizations gain valuable insight from electronic data.

● We have worked on projects of all sizes from imaging and analyzing one phone to imaging and analyzing hundreds of devices across five continents. Our client roster includes government organizations, companies and law firms of every size, and forensic and eDiscovery vendors.

● Clients appreciate our innovative customized solutions as well as our timely response. As a result, most of our new business comes from repeat clients and client referrals.

● Follow our company page on LinkedIn for the lastest advisories, updates, and insights.

41

Outsmarting the Smartphone Mobile Discovery...Mobile device ESI is just another type of...

Documents

Transcript of Outsmarting the Smartphone Mobile Discovery...Mobile device ESI is just another type of...