A multi-part series on the logistical, technical, and legal challenges posed by the proliferation and popularity of smartphones and tablets
In the first Part of this series, we reviewed the ubiquity, usage, and business realities of mobile devices. In the second Part, we reviewed what is encompassed by “mobile devices” and what data is potentially contained on them. In this Part, we continue our discussion of mobile devices in eDiscovery with a review of acquiring that data from them.
Because of the huge diversity in smartphone and tablet hardware and software, collecting from these sources poses special challenges and requires special tools. These tools are collection kits akin to those used for forensic acquisitions from traditional computer sources, but they feature connection options for all of the common mobile standards and more specialized software for interfacing with the wide range of potential data formats, file systems, etc.
The time required to execute these collections can also be much greater, with a 64GB iPhone potentially taking longer to capture than a 640GB hard drive. All collections must also currently be done in person, with the physical device and the custodian’s password(s) in hand. Although Mobile Device Management software can facilitate remote deletions of company data, none can yet facilitate remote collections. Additionally, the ever-expanding use of stronger encryption techniques can create further delays and challenges, with some data being functionally unobtainable without the necessary passwords.
There are now many specialized tools available for mobile acquisitions, with the most powerful costing thousands of dollars per kit/license. The most widely used tools come from Cellebrite. Other options, with various strengths, weaknesses, and specialties, are available from MSAB, Katana Forensics, Magnet Forensics, Paraben, Oxygen Forensics, BlackBag Technologies, and Elcomsoft.
When executing mobile device acquisitions, there are a range of options similar to those available when conducting traditional computer drive acquisitions. The precise options available to you will depend on the specific source device, the operating system and security settings active on it, and the acquisition tool you are employing. Generally, though, you will have a choice between a full physical acquisition, a file system acquisition, and a logical acquisition.
Full physical acquisitions are attempts to image every bit of stored data from the device’s memory, including both active files and any files or fragments in unallocated space (i.e., deleted files). This type of acquisition “is the most complete, [but] it is also the slowest and hardest to obtain.” A device may need to be rooted or jailbroken to facilitate a full physical image.
A file system acquisition is a step down in completeness but also somewhat easier to accomplish. It will capture everything stored and documented within the device’s file system, including system files and hidden files, without proceeding beyond that (i.e., everything but the deleted files and fragments in the unallocated space).
Finally, a logical acquisition is another step down in completeness but also another step up in ease. This will capture files and directories that are available through applicable application programming interfaces (e.g., message databases, contacts files, etc.).
Regardless of the approach chosen, it’s important to remember that, unlike laptop and desktop acquisitions, which have become very standardized, mobile acquisitions are quite variable and frequently require some amount of custom puzzle solving from technicians.
Mobile device data presents additional challenges after its acquisition. First, for physical or file system acquisitions, the captured data will need to be decoded from one big block of binary data into individual files and records of discernible, readable types. (For logical acquisitions, the data is captured with that original structure still intact.) Much of this work is done by the software component of your acquisition tool, but some materials may require manual analysis by a forensic technician (especially anything recovered from unallocated space).
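To make the decoding step concrete, here is an added illustration (not code from the article or from any acquisition tool vendor) of the simplest form of it: scanning a raw block of bytes for well-known file signatures and slicing out the artifacts found, which is what a tool does, in far more sophisticated form, when it turns a physical image into discernible files. The image bytes are constructed inline for the example, and the rule that an artifact ends where the next header begins is an assumption made for brevity; real decoders use each format's own length fields and end markers.

```python
"""Added example (not from the original article or any vendor's software):
a minimal header-signature scan over a constructed binary blob, standing in
for the decoding step that turns a physical image into discernible files."""
import hashlib

# Well-known magic bytes that appear at the start of common artifact types.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"SQLite format 3\x00": "sqlite",
}


def find_artifacts(image: bytes):
    """Return a sorted list of (offset, kind) for every signature hit."""
    hits = []
    for magic, kind in SIGNATURES.items():
        start = 0
        while True:
            idx = image.find(magic, start)
            if idx < 0:
                break
            hits.append((idx, kind))
            start = idx + 1
    return sorted(hits)


def carve(image: bytes):
    """Slice the image between consecutive hits and hash each slice.

    Assumption for this example: an artifact runs until the next header or
    the end of the image. Production decoders instead honour each format's
    own length fields and end markers, which is why this is only a sketch.
    """
    hits = find_artifacts(image)
    artifacts = []
    for i, (offset, kind) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(image)
        data = image[offset:end]
        artifacts.append({
            "offset": offset,
            "kind": kind,
            "size": len(data),
            # A hash per carved item supports chain-of-custody checks later.
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return artifacts


# Constructed image: zero filler (standing in for unallocated space), a JPEG
# header plus filler payload, more zeros, a SQLite header, then a PNG header.
CONSTRUCTED_IMAGE = (
    b"\x00" * 16
    + b"\xff\xd8\xff\xe0" + b"JFIF-payload"
    + b"\x00" * 8
    + b"SQLite format 3\x00" + b"db-payload"
    + b"\x89PNG\r\n\x1a\n" + b"png-payload"
)

if __name__ == "__main__":
    for artifact in carve(CONSTRUCTED_IMAGE):
        print(artifact)
```

Run as a script it lists three carved items (a JPEG at offset 16, a SQLite database at 40, a PNG at 66). The point the article makes survives even in this toy: anything recovered this way from unallocated space arrives as an offset and a byte range, not as a named file, and still needs a technician to decide what it is and whether it is complete.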
Next, the decoded files captured from the device must be exported from the acquisition software so that they can be incorporated into the overall eDiscovery project workflow for assessment, review, and production. Unfortunately, these tools do not generally export these materials – potentially thousands of discrete records per device – in a way optimized for later review. Instead, it is common for them to output all the decoded files as a single exported document. This long multi-page PDF or large multi-tab spreadsheet is cumbersome to work with and not suitable for loading into a document review platform. Additional work is needed to break those concatenated records out into individual files for integration into the project.
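The "additional work" described above is usually a small script. The following is an added example, not code from the article or from any acquisition tool, showing one way to break a concatenated export into individual records and produce a flat load file for a review platform. The export is a constructed CSV standing in for one tab of a multi-tab spreadsheet; its column names (Timestamp, Direction, Party, Body) and the control-number scheme are assumptions, since real exports vary by vendor and version.

```python
"""Added example (not the article's or any vendor's code): split a
concatenated message export into one record per row, each with a control
number, a review-ready text rendering and a hash, plus a flat load file."""
import csv
import hashlib
import io
from pathlib import Path

# Constructed export standing in for a "Messages" tab. The column names are
# assumptions for this example; real tool exports differ.
CONSTRUCTED_EXPORT = """Timestamp,Direction,Party,Body
2020-03-01 09:12:00,Incoming,+1-555-0100,"Are we still on for 10?"
2020-03-01 09:13:30,Outgoing,+1-555-0100,"Yes, see you then"
2020-03-01 09:15:02,Incoming,+1-555-0100,"Great, bringing the ""draft"" contract"
"""


def split_export(export_text, prefix="DEV001", source="Messages"):
    """Turn each exported row into a standalone record.

    Each record gets a sequential control number, a text rendering that a
    reviewer can read, and a SHA-256 of that text for later integrity checks.
    """
    reader = csv.DictReader(io.StringIO(export_text))
    records = []
    for n, row in enumerate(reader, start=1):
        control = f"{prefix}_{n:06d}"
        text = "\n".join(f"{key}: {value}" for key, value in row.items())
        records.append({
            "control_number": control,
            "source_tab": source,
            "fields": row,
            "text": text,
            "sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
        })
    return records


def build_load_file(records):
    """Flat CSV load file: one line per record, metadata plus its text path."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["ControlNumber", "SourceTab", "Timestamp", "Direction",
                     "Party", "SHA256", "TextPath"])
    for rec in records:
        fields = rec["fields"]
        writer.writerow([
            rec["control_number"], rec["source_tab"], fields["Timestamp"],
            fields["Direction"], fields["Party"], rec["sha256"],
            f"TEXT/{rec['control_number']}.txt",
        ])
    return out.getvalue()


def write_production(records, out_dir):
    """Write one text file per record plus the load file; return its path."""
    out_dir = Path(out_dir)
    (out_dir / "TEXT").mkdir(parents=True, exist_ok=True)
    for rec in records:
        path = out_dir / "TEXT" / f"{rec['control_number']}.txt"
        path.write_text(rec["text"], encoding="utf-8")
    load_path = out_dir / "loadfile.csv"
    load_path.write_text(build_load_file(records), encoding="utf-8")
    return load_path


if __name__ == "__main__":
    recs = split_export(CONSTRUCTED_EXPORT)
    print(build_load_file(recs))
    print(write_production(recs, "production_out"))
```

Two design points matter more than the parsing itself. The control number is assigned deterministically from the source device and row order, so the same export re-run yields the same identifiers, and the per-record hash is computed over exactly the text that will be loaded, so a later spot check against the original tool output can detect any record altered or dropped during the split. Using the csv module rather than splitting on commas is what keeps the quoted, comma-containing message body in the third row intact.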
Upcoming in this Series
In the next Part of this series, A New Mobile Devices Case Every Few Months, we will continue our discussion of mobile devices in eDiscovery by beginning a review of relevant case law.