©2020 - 4Discovery
Mobile Discovery: Outsmarting the Smartphone
4DISCOVERY MOBILE DISCOVERY: OUTSMARTING THE SMARTPHONE
What’s On Your Phone?
EVERYTHING!
Mobile devices are “such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy”
- Chief Justice Roberts in Riley v. California

How Do Phones Work?
● Modern phones typically run one of two operating systems
  ○ iOS (Apple)
  ○ Android (Google)
● These operating systems handle all of the low-level hard work
  ○ Storage and retrieval of files and data
  ○ Interfacing with all the hardware and sensors
  ○ Handles all the communication with cellular carriers, WiFi
  ○ Captures photos and videos with camera, audio with microphone
  ○ Calculates locations for location services, etc...

How Do Phones Work?
● Applications simply use the framework from the mobile OS to access and use features
  ○ Instagram asks to use the camera
  ○ Uber asks for location information
● Applications vary by developer and version
  ○ They have different features and functions
  ○ Data may be stored on the phone or in the Cloud
● App data is primarily contained in databases
  ○ These databases can be encrypted
  ○ They can be excluded from backups and collections
● Apps can store data in protected storage, and opt not to back up certain data

Where’s the data?
Mobile OS
● What WiFi did you connect to, Bluetooth devices used, and when?
● OS related events...
App Data
● Just because an app requests your location, it does not mean it’s stored locally on the phone
  ○ Could be transmitted back to 3rd party or not kept at all
● Mobile apps change a lot
  ○ Just because LinkedIn v9 didn’t store local chats, doesn’t mean that v10 won’t
● Twitter (app) might have some of your Tweets, but Twitter (web) has them all

Case Study: Auto Theft
● What Happened: A family came home to find their house was burglarized and their car was damaged
● Electronic Evidence: Car Bluetooth system
● Forensic Artifact Analysis: Car Bluetooth records indicated that a new phone had been connected to the car’s Bluetooth system and called a phone named “Moms” ...

Mobile Device Landscape
● A lot has changed in the last few years
  ○ Older devices had numerous security flaws that could easily be exploited
  ○ Once security concerns were brought up, manufacturers changed strategy
● Mobile phone manufacturers are taking privacy seriously
  ○ Both Apple and Google (Android) are still escalating phone security
● Encryption is now a standard feature on phones
  ○ Without a PIN or passcode there may be no way to access the data
  ○ Security measures have been put in place to prevent unlocking and imaging phones with biometrics
● New Vulnerabilities are being discovered all the time… CheckM8 for iOS
Even though the FBI has gotten better at unlocking phones and has access to sophisticated tools, the FBI is currently still fighting with Apple over unlocking iPhones in cases, especially those involving terrorism.

Preservation of Mobile Data

Acquiring Mobile Data
● Once you’ve identified what kind of data you are looking for, can you get it?
IT DEPENDS
● Make, model, operating system version, application version, carrier, and phone settings will all play a factor in determining what data can be accessed and extracted in a readable format
● Special forensic tools are used to extract as much data from a device as possible, but things are changing daily

Where is the data?
● Some data is truly stored on the phone
  ○ SMS and MMS
● Sometimes a phone is just a platform to view data from the internet
  ○ Some content can be “cached”
● Some data that is stored on the phone may not be accessible
  ○ Snapchat and iOS Email
● Your phone and the cloud are merging…
General rule of thumb: If you can view the content of a mobile device when in “Airplane Mode,” it’s probably accessible

Do You Even Need the Phone?

Backups Can Linger
● Your phone is constantly syncing and updating in the background
  ○ iOS nightly backups via iCloud
  ○ Backups made when you sync with iTunes
  ○ Android backing up to your Google Account
● Note: Data from discarded phones can be hard to get rid of...

Mobile Data is Volatile
● Data is constantly syncing with cloud-based platforms
  ○ i.e. email, documents, photos
● Devices can be remotely wiped
● Many smartphones will automatically delete and overwrite information when powered on
  ○ Use caution when dealing with devices so as not to inadvertently destroy data
● Data has a way of “disappearing”
If you think you need it, isolate the device and preserve the data as soon as possible

Mobile Device Remote Collections
● Mobile devices can now be collected remotely
● The process is simple
● Some benefits of remote collections:
  ○ Swift Preservation
  ○ Convenient Scheduling
  ○ Expert Collection
  ○ Lower Costs
  ○ Safe & Secure
● Discovery protocols and agreements can be modified to allow for confidentiality

Mobile Device Management
Typical on Corporate Devices
● Two Buckets
  ○ 1) Managing the Entire Device
  ○ 2) Managing Containers of Corporate Data
● Each solution varies on what types of bells and whistles it has:
  ○ Restrict Apps, Remote Wiping, Enforce Device Settings, Maintain Corporate Compliance/Standards
● Can impact forensic collections
  ○ If MDM restricts backups to computers or the cloud, data may be inaccessible

Can Provide Access to Accounts
● Remember signing into Twitter on your iPhone?
  ○ How many times?
  ○ Do you need MFA every time?
● Devices can store authentication tokens that can be used to access other accounts (with permission of course)

Data Access Gotchas
● Data exists in numerous locations
  ○ Not always in sync
● However, these data sources are often owned by different parties
  ○ User, Employer, Service Provider
● This impacts how data can be accessed and collected
  ○ Personal device vs. Corporate accounts
● Other items impacting access to data
  ○ Passwords, Two-Factor Authentication, MDM, Encryption, Timeliness
● Some examples
  ○ User’s phone is employer-owned, but the iCloud account belongs to User
  ○ User is arrested and has phone confiscated, but it is thumbprint locked
  ○ User is communicating using the native mail app on an iPhone via a Gmail account

The Power of a Protocol

Is It Relevant?
Mobile device ESI is just another type of Electronically Stored Information. There is no difference between a recovered deleted email and a recovered deleted text or photo.
● Data on mobile devices is discoverable
● Text messages and chats are “communication”
● ESI recovered from mobile devices is relevant, unique, and extremely compelling
  ○ It can change the course of your entire litigation/investigation
● Federal Rules for discovery apply
  ○ Litigation holds / Preservation
● Christou vs Beatport - Judge orders an adverse inference sanction for failure to preserve text messages.

Mobile Examinations are Invasive
● Cell phone examinations are invasive
● We store everything on these devices, including nudes, social security numbers, photos of family, garage door codes, location data, financial information, passwords, etc...
● This is the main reason there is a fight over the imaging and analysis of mobile devices
● A well-crafted protocol will help alleviate these concerns
  ○ It’s a win for everyone
Imaging a mobile device typically collects everything; pre-filtering a collection is usually not possible. Filtering for dates and relevant information is done post collection.

The Power of a Protocol...
● Have a compelling story about why mobile device ESI is relevant and likely to be discovered on your opponent’s devices
● An NDA / confidentiality agreement to counter opponent’s objections related to security or privacy and non-related mobile phone data
● Ensure non-relevant and personal information will not be produced or reviewed
● An In Camera review and a Special Master. Handling security & privacy issues
● Many smartphones and accounts are in use outside the reach of corporate security controls

Rule 902(13) & 902(14)
902(13) covers records “generated by an electronic process or system that produces an accurate result,” such as a system registry report showing that a device was connected to a computer, or showing how smartphone software obtains GPS coordinates.
902(14) establishes that electronic data recovered “by a process of identification” is to be self-authenticating, thereby not routinely necessitating the trial testimony of a forensic or technical expert where best practices are employed, as certified through a written affidavit by a “qualified person” that complies with the certification requirements of Rule 902(11) or (12).
Trust, then Verify - Not everything works as it should, and tools can produce incorrect results

Analysis & Production of Data

Analyzing Mobile Data
● Most analysis that could be done on “traditional ESI” can also be conducted on mobile devices
  ○ However, data is stored in a different format
● For example, data on a computer can be unstructured, such as emails
  ○ However, data is stored on a phone in a database format
  ○ This is not something that can easily be reviewed without additional work
● Mobile data can often be extracted and analyzed using views of structured data
  ○ Typically exported in some sort of spreadsheet or visual format
● Most forensic tools parse and search a limited subset of applications
  ○ There are millions of applications for phones, and not all are supported
  ○ The database of interest may be something that needs to be extracted using additional forensic analysis
    ■ i.e. Facebook Messenger v Evernote
  ○ This takes time and effort

Analyzing Mobile Data
● You made an image of a phone … what’s available?
● “Give Me Everything!”
  ○ Do you really want someone’s Angry Birds high score?
  ○ You wouldn’t do this for a computer hard drive
● What you look for should have already been specified in the carefully crafted protocol
● If you are not careful during the protocol stage, you could be missing potentially relevant data
Just like other ESI, deleted information may be recovered, timelines may be generated, user activity can be reconstructed, searching can be conducted ...

Geolocation
● Phones by definition are mobile devices … they love to store location data
● Many apps require location services to be turned on to work properly (Maps)
● Companies want this for usage/marketing purposes
● Application data, photos, videos, WiFi access points, cell towers all provide timestamped location information

Android Location on Google Maps
Examples of Location Data:
● Google Maps
● Waze
● Fitness Trackers

Case Study: Suspected Homicide
● What Happened: Accused was suspected of a murder arising from a shooting
● Electronic Evidence: Phone and Facebook Account
● Forensic Artifact Analysis: Geolocation and text message data was located in his phone that demonstrated he was not at the location involved in the shooting

Communications Are Important
I’m totally ready to leave this company and start my own competing firm ;)
OMG take me with you. I can get us that super secret customer list!
Don’t forget to include all of the new clients you were onboarding. We can take them with us instead.
I have a meeting with John today, and I can let him know we should hold off signing that new deal until I join you.
Totally!

Link Analysis

Case Study: Misquoted Statement
● What Happened: Defendant’s mother gave a statement to police and maintained that the officer misquoted her in his official report
● Electronic Evidence: Tablet
● Forensic Artifact Analysis: She recorded her statement on her tablet and was able to authenticate and produce it to support her claim

Timelining
● We don’t use phones like other devices. We switch between apps… a lot.
● You get a text from a friend asking if you want to see a movie…
● You check your calendar to see if you have anything else going on
● You search on Google to see what’s new and check reviews
● You check Fandango for showtimes
● You text your friend back and confirm the movie, time, and location
● You call a sitter
● You buy tickets in Fandango
● You use IMDB to check out the stars
● Yelp to look for a restaurant before the show
● Opentable to book a reservation

Timelining - Bob & Susie
Date/Time | Artifact | Value
02-24-2019 11:30 AM | SMS | Susie ⇨ Bob: Hey, do you want to get together and work on that project proposal?
02-24-2019 11:33 AM | SMS | Bob ⇨ Susie: I’m swamped. Let’s do it over dinner.
02-25-2019 7:18 AM | SMS | Bob ⇨ Susie: Thanks for last night… had a great time. Hope I didn’t drink too much.
02-25-2019 7:36 AM | SMS | Susie ⇨ Bob: Yeah, we’re fine… Thanks

Timelining - Bob & Susie
Date/Time | Artifact | Value
02-24-2019 11:30 AM | SMS | Susie ⇨ Bob: Hey, do you want to get together and work on that project proposal?
02-24-2019 11:32 AM | WhatsApp | Bob ⇨ Jack: Hey Susie asked me to get together. I’m gonna make my move 😈
02-24-2019 11:33 AM | SMS | Bob ⇨ Susie: I’m swamped. Let’s do it over dinner.
02-24-2019 2:00 PM | Yelp | https://www.yelp.com/search?find_desc=Romantic+Restaurant
02-24-2019 8:59 PM | WhatsApp | Bob ⇨ Jack: Dinner is great! I’m on my 5th glass of wine… I’m going to go back to her place to “finish” the proposal.. 🍷😻
02-25-2019 7:17 AM | Internet | https://www.google.com/search?q=sexual+harassment+scenarios
02-25-2019 7:18 AM | SMS | Bob ⇨ Susie: Thanks for last night… had a great time. Hope I didn’t drink too much
02-25-2019 7:36 AM | SMS | Susie ⇨ Bob: Yeah, we’re fine… Thanks
02-25-2019 8:47 AM | Teams | Bob ⇨ Alex: Had dinner with Susie last night, might have crossed a line. Can you see if she’s mad at me?
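
Added example (not part of the original slides): a sketch of how a cross-app timeline like the one above is assembled from per-app databases, and why "Trust, then Verify" applies to timestamps. The table layouts, names and rows are constructed for illustration; one store keeps Unix epoch milliseconds and the other keeps seconds since 2001-01-01 UTC (the epoch Apple frameworks use), and real app databases differ by app and version.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # epoch used by Apple frameworks

def utc(day, hour, minute):
    """Constructed sample times in February 2019, treated as UTC."""
    return datetime(2019, 2, day, hour, minute, tzinfo=timezone.utc)

def to_apple_s(dt):
    return int((dt - APPLE_EPOCH).total_seconds())

def to_unix_ms(dt):
    return int((dt - UNIX_EPOCH).total_seconds() * 1000)

def build_sample_stores():
    """Two in-memory databases with hypothetical schemas and constructed rows."""
    sms = sqlite3.connect(":memory:")
    sms.execute("CREATE TABLE message (date INTEGER, sender TEXT, recipient TEXT, text TEXT)")
    sms.executemany("INSERT INTO message VALUES (?, ?, ?, ?)", [
        (to_apple_s(utc(24, 11, 33)), "Bob", "Susie", "I'm swamped. Let's do it over dinner."),
        (to_apple_s(utc(24, 11, 30)), "Susie", "Bob", "Want to work on the proposal?"),
    ])
    chat = sqlite3.connect(":memory:")
    chat.execute("CREATE TABLE messages (ts_ms INTEGER, src TEXT, dst TEXT, body TEXT)")
    chat.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", [
        (to_unix_ms(utc(24, 11, 32)), "Bob", "Jack", "Susie asked me to get together."),
    ])
    return sms, chat

def build_timeline(sms, chat):
    """Normalise each store's timestamps to UTC datetimes, then merge in time order."""
    rows = []
    for date, src, dst, text in sms.execute("SELECT date, sender, recipient, text FROM message"):
        rows.append((APPLE_EPOCH + timedelta(seconds=date), "SMS", f"{src} -> {dst}: {text}"))
    for ts_ms, src, dst, body in chat.execute("SELECT ts_ms, src, dst, body FROM messages"):
        rows.append((UNIX_EPOCH + timedelta(milliseconds=ts_ms), "Chat", f"{src} -> {dst}: {body}"))
    return sorted(rows)

def misread_as_unix(apple_seconds):
    """Failure mode: decoding a 2001-epoch value as Unix time shifts it 31 years back."""
    return UNIX_EPOCH + timedelta(seconds=apple_seconds)

if __name__ == "__main__":
    for when, artifact, value in build_timeline(*build_sample_stores()):
        print(when.strftime("%m-%d-%Y %I:%M %p"), "|", artifact, "|", value)
```

A record decoded against the wrong epoch silently drops out of sequence, which is why each parsed source should be spot-checked against a known event before the timeline is relied on.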

Reviewing and Producing Mobile ESI
● Mobile data can be produced in a portable application for searching and review
● Messages and chat can be produced in conversation views
  ○ Do you need to redact?
● Timelines
● Spreadsheets
● Load files for review in Relativity
  ○ Note that field data will be much different than “typical” productions
● Data can be restored to a burner phone for trial presentations
Note: Single records from mobile devices are often useless on their own without context

Data Security

Mobile Devices & Security
● Mobile devices can be a huge security issue
● Many companies issue laptops but not phones
● Devices can often be connected to the network without additional security or oversight
  ○ MDM solutions are rarely installed
  ○ Employees typically use apps and networks without IT oversight
● Social media and data breaches can expose company events and data
● If the device is BYOD, companies lose a lot of rights regarding the data
  ○ Collection requires consent
  ○ Can’t prevent device recycling/replacement
  ○ Can’t prevent a Cloud backup with sensitive data from being used in the future

Agreements / Policies
● Confidentiality Agreements / NDAs
  ○ Establish definitions of confidential and/or proprietary data
● Employee Handbooks
  ○ Establish employee’s fiduciary duties to the company
● Acceptable Use Policies
  ○ Establish users’ responsibilities with IT assets
  ○ Need to be updated and acknowledged regularly to keep up with changes in the technological environment
● Non-Competes
  ○ Help protect client data & trade secrets from third-parties
● BYOD Policies
  ○ Outline mobile device management policies and procedures, including security requirements, monitoring/routine inspections, and what happens when employees depart

Takeaways
● The mobile device landscape changes fast
  ○ Constant influx of new devices, mobile operating systems, and Apps
● Mobile forensics evolves right behind it
  ○ What was impossible a few months ago might be easy now
● Know what you’re looking for
  ○ Is the data stored on a device or an account?
● Develop a compelling story and protocol
  ○ How will it help your case and how do you protect privileged/private/non-responsive data?
● Think about review and production early
  ○ Remember, data on phones is stored differently; how are you going to review, redact, and produce?
● Ask for help
  ○ Don’t rely on old protocols and templates; you may not get what you ask for

About 4Discovery
● B2B digital forensics firm that provides organizations and attorneys with digital forensic, information security, and electronic discovery services.
● Our forensic experts have decades of experience helping attorneys and organizations gain valuable insight from electronic data.
● We have worked on projects of all sizes from imaging and analyzing one phone to imaging and analyzing hundreds of devices across five continents. Our client roster includes government organizations, companies and law firms of every size, and forensic and eDiscovery vendors.
● Clients appreciate our innovative customized solutions as well as our timely response. As a result, most of our new business comes from repeat clients and client referrals.
● Follow our company page on LinkedIn for the latest advisories, updates, and insights.