Editor’s Note: In this insightful transcript of the educational webcast hosted by HaystackID on May 17, 2023, our expert panel discusses targeted remote collections for iOS and Android devices, focusing on the unique challenges and considerations involved in these time-sensitive and complex projects.
Led by John Wilson, a seasoned professional in digital forensics and collections, the expert panel shares on specific mobile collection challenges for iOS and Android devices. While the entire recorded presentation is available for on-demand viewing, dive into the complete webcast transcript below to gain valuable insights from panelists on best practices for sourcing tools and teams and for device and service reporting in the age of mobile technology.
[Webcast Transcript] Targeted Remote Collections for iOS and Android Devices: Challenges and Considerations for Sourcing Tools and Teams
Presenting Experts
John Wilson, ACE, AME, CBE
+ HaystackID – CISO and President of Forensics
Rene Novoa
+ HaystackID – Director of Forensics
Todd Tabor
+ HaystackID – Vice President of Forensics
Presentation Transcript
Moderator
Hello, everybody, and welcome to today’s webinar. We’ve got a great presentation lined up for you today, but before we get started, there are just a few general admin points to cover.
First and foremost, please use the online question tool to post any questions that you have, and we will share them with our speakers. Second, if you experience any technical difficulties today, please let us know using that same questions tool and a member of our admin team will be on hand to support you, and finally, just to note, this session is being recorded and we’ll be sharing a copy of that recording with you via email in the coming days.
So, without further ado, I would like to hand it over to our speakers to get us started.
John Wilson
Thank you very much, Lucy [Moderator]. Hello and welcome from HaystackID. I hope you’re having a great week. My name is John Wilson, and on behalf of the entire team here at HaystackID, I would like to thank you for attending today’s presentation and discussion titled Targeted Remote Collections for iOS and Android Devices: Challenges and Considerations for Sourcing Tools and Teams. Today’s webcast is part of HaystackID’s regular series of educational presentations developed to ensure listeners are proactively prepared to achieve their cybersecurity information governance and eDiscovery objectives. This webcast is being recorded for future on-demand viewing. We expect the recording and complete presentation transcript to be available on the HaystackID website soon after we complete today’s live presentation.
Our presenters for today’s webcast include experts with a deep understanding of digital forensics and remote collections with special expertise working with mobile devices. So, as I’ve already said, my name is John Wilson. I’m the CISO (Chief Information Security Officer) and President of Forensics here at HaystackID. I’ve been in the industry for 25-plus years and have done everything from small to the largest projects in the industry. We also have Todd Tabor, the Vice President of Forensics. As the Vice President of Forensics for HaystackID, Todd is charged with developing, deploying, and managing the company’s Discovery Lab and a team of experts to support multinational collections, processing, and review. Approaching three decades of eDiscovery experience, Todd has personally led the collections teams on international investigations and litigation support missions in more than 30 countries for some of the world’s largest corporations. Lastly, we have Rene Novoa, our Director of Forensics. As Director of Forensics, Rene Novoa has more than 20 years of technology experience conducting data recovery, digital forensics, eDiscovery, and account management, as well as sales activities during this time. Rene has performed investigations in both civil and criminal matters and has directly provided litigation support and forensic analysis for seven years. Rene has worked regularly with the ICAC, HTCIA, IACIS, and other regional task forces supporting State Law Enforcement Division accounts and users in his most recent forensic leadership roles.
Next slide. So, today, we’re going to talk about collections and doing targeted collections; when to do them, why to do them, how to do them, and so; in order to set that table, we have to talk about what are the options, what are the different types of collections, what can you do, what methodologies are involved with all of that, when and how do you decide which ones to proceed with, any types of security concerns or issues, challenges, as well as the types of cases that may make sense or may not make sense, and then we’ll go over some general FAQs to help you assess is this is the right solution for your case?
Next slide. So, first, we’re going to talk about us here at HaystackID. We have what we call our Mobile Elite Discovery and Analysis Lab, and it’s called MEDAL. Rene, can you tell us a little bit about the MEDAL team, as you have primary responsibility for that?
Rene Novoa
Yes, John, thanks for that intro. MEDAL was definitely developed internally here at HaystackID when we saw the need for advanced tools and technology that may have not been so prevalent in the industry, or items we’re testing, and more advanced features for specific cases that were push button forensics, and I don’t like to say push button forensics is what examiners do, but in a lot of cases we are just collecting and dumping data and turning that information over, and MEDAL was really a process to take it to the next level and may require additional steps like we have MEDAL Remote, which we’re definitely going to be talking about, as well as MEDAL Targeted where we’re specifically targeting specific information, which is just not the traditional practice, where we’re collecting everything, all the ones, and zeros. We can really focus on specific data depending on that need.
We also have something called MEDAL Full, which is full file system extractions, where it is more intensive, it is more in-depth as to the type of information that we’re going to gather and be able to relay those critical logs, and we’re going to get into the details of what goes into that type of service that is different from traditional collections, and we’ll talk about those cases where it is important to have the ability to unlock devices. This is not for the everyday family dispute, but there’s the distracted driving; there are going to be certain cases that we’re going to go over where there may be someone deceased. We may not have the ability to get into devices where we are going to need that next-level three-letter agency, law enforcement level technology to assist in these civil litigations, these civil matters, but it’s very important to the overall case. But it does require a little bit more than just taking a phone, dumping it, and then reporting on that information. We really need to do more of a deeper analysis of the understanding of how mobile devices work.
John Wilson
In my mind, the MEDAL services are much more driven as a service. We’re providing a very high level of expertise in figuring out the right solution for the right matter, and it is very much expertise level services and driven by that expertise to ensure that we’re producing the correct outcome for the clients.
Yes, so Todd, I guess the question for you is, why is it necessary to have a MEDAL lab versus just the run-of-the-mill standard, traditional mobile forensics offerings?
Todd Tabor
Well, there are certain pieces of information you can’t get. So, as Rene said, some phones are locked, and you can’t get to them through traditional pieces of software, through traditional forensics, and so that’s where the MEDAL Unlock comes in. There are certain types of file information you can’t get through traditional mobile phone forensics, and that’s where a full file extraction will get you, and sometimes you need to be able to target particular pieces of data, and that’s where MEDAL Targeted comes in. So, it’s all about refining and targeting exactly what you need for a particular client need.
Going one step further, it’s using a scalpel rather than a hammer.
John Wilson
Yes, so it sounds like it’s being much more precise with achieving the specific outcomes that are needed and making sure that you’re getting, “Hey, I’ve looked at the chart. We’re cutting the left knee, not the right knee today. We only need the left knee. We don’t need both knees”. Being very focused on what needs to be achieved and then what that outcome needs to look like beyond that.
Thanks. Next slide. So, Rene, do you want to talk us through the thought process, what needs to occur?
Rene Novoa
Yes, I think it goes back from the previous slide, as the detailed scoping and triage of the device, but it’s also about the case. What are we trying to solve? I know Todd mentioned using a scalpel instead of a hammer, which is quite dramatic, but that’s absolutely the case here, is what are we trying to solve, and what tool is going to be necessary? What is the expected result from the solution that we’re proposing? What is also best for the organization and the client in a sense is what is that user experience going to be? Because I think with any tool, it’s also important to get what is necessary but to make sure that everyone understands what’s happening and that the expected results from what is being said from the very beginning happen at the end.
So, I think we’re going to go back to this from time and time again, as far as what is the necessary thought process based on what the case is about, and I think we’re going to uncover that as we start peeling back these layers as to why targeting remote collections is going to become important and when it is necessary when it’s not necessary, and we’re going to go through that mindset as depending on not only the case but on the actual device and the type of data set and how we approach it. So, I think it’s going to be a journey in any call and in any situation. We need to know what we’re trying to solve, not only from the beginning but at the very end of what the expectation is so that we do that whole process and don’t have to start from the very beginning, in my opinion.
John Wilson
I think, in my mind, there’s a big difference in a case where you have a civil procedure, a civil lawsuit over a wrongful death or distracted driving case, or a regulatory investigation into communications between traders and a financial institution. I think there’s a wide difference in what information you need to be looking at, what information is required for each of those kinds of cases, and I think that’s where you’re talking about what’s the problem you’re trying to solve, what’s going to provide the solution to the case that you’re faced with.
Rene Novoa
Yes, I think you said that right, and I think you hit it right when you said what are the requirements? What is the expectation overall? What is the court asking for, what needs to be delivered, and is it an SEC investigation? Are we going to have to go back and do deeper analysis? So, I think setting the expectations up front and understanding what is required at the very end is also important for the tools that we do use. So, I think that’s a valid point.
John Wilson
Great. Well, let’s continue to take this journey together and go to the next slide.
Rene Novoa
Fantastic.
John Wilson
So, yes, you brought this up a little bit ago, Rene. We were talking about traditional tools and methodology and what is the right tool or methodology for the job. Can you walk us through a little bit of that?
Rene Novoa
Yes, I think even over the past three years I know a lot has changed over the last three years, but at HaystackID, we’ve always done a lot of things remotely, but I think we need to see the evolution of the traditional tools and methodology best known as in-person, where we go on-site, or a custodian or client comes to us, where we are face to face, where we actually have a process of documentation, traditional chain of custody of paper, photos of devices, extracting the data on-site and being able to record your steps all in one process, and that’s what I would call traditional tools and methodology on standard best practice, is to make sure you have the device. You can not only manipulate the device, but you can also verify things or certain things are happening, certain modes when we’re putting eyes on, we can attest to that. We can testify. We can write, “Hey, this is what we actually saw,” and that always in my mind is the best practice, but it may not always be the right solution based on how the world has changed in some of the circumstances that surround us, and that’s where we come up with remote solutions.
Remote solutions have been huge over the past three years given COVID and remote workers, and people not wanting to have those face-to-face interactions, but with remote solutions come also different pros and cons. So, when our standard best practice is in-person or on-site, you’re bringing your equipment, you have all the tools that you may need or may not need, but you’re controlling that. You’re able to show up, take the data and move quickly. With remote solutions, there are more costs and time that you are trading off with, with shipping costs, but there is a two to three days differential from shipping something overnight at a higher price with hardware, with computers, with software that needs to be installed; being able to have the expertise to not only run that remotely, working with custodians to talk them through setup, or just unpacking whatever that remote solution may require, and sometimes people are just not comfortable, and that’s sometimes not technology friendly, where they don’t have IT support, where when you go on-site, you can have IT support to understand the infrastructure.
So, when you start talking about remote workers, and where we are now and how things are done that are becoming more traditional with these remote solutions, and which we’re going to get into deeper targeted remote collections, but you’re going to have to understand these pros and cons of what you’re trading off with these remote solutions because things do get lost, things do get broken, software licenses get tied up that are installed, and those can be very costly, and not every organization can have multiple remote solutions to help their clients. I think that’s why we still have the hybrid, which I wouldn’t say got invented during the COVID era, but it did work in our favor where it is in-person, where we are in that surrounding area, but we still did it remotely. People did not want to be without their phones or not have sight on them, but we also didn’t want to have somebody in that same room. So, there was a hybrid with certain cases and certain projects where people wanted to see the phone being worked on but didn’t want to be in the room. How do you accomplish that? There are different variations of hybrid collections using both in-person and remote solutions combined, and I think a lot of us were forced to go that way, but it also got adopted very fast because of the circumstances that we were in during that COVID era, which, thankfully, we’re moving past, but people have accepted those new traditions and those new methodologies as being acceptable.
John Wilson
Yes, so Todd, are you seeing that impact through the downstream and the requests that are coming in, and the efforts that are needed? Have you seen any change as the COVID era has started to ease?
Todd Tabor
Sure, but there’s certainly a downside to remote solutions, especially if you’re shipping equipment because you have to deal with shippers, you have to deal with making sure that there’s somebody at the location to accept equipment, and all those things have to line up, or you may be delayed one, two, three days. It’s not unheard of for a package to get lost, a shipper not to make the delivery at the appointed time, and a custodian to get frustrated and say, well, we’re not going to do it today, and then you have to reschedule, and then you’ve got losses of time, losses of opportunity, and frustrated clients. So, you’ve got to come up with new and better solutions and less reliant solutions on other logistical opportunities.
John Wilson
I think that sounds like a great opportunity for the new software partnership that HaystackID has with ModeOne, and we just announced that that went out earlier this week, but that allows us to do full remote solutions in some circumstances. Again, I think everything we’re talking about has to be applied to that discussion, but making the appropriate decisions for the right types of cases and the right types of needs, but let’s move to the next slide.
Rene Novoa
John, I think this slide very much trails off from the previous slide on a lot of things that Todd said, especially with travel costs, and I think one big note is that a lot of people not only just worked remotely, but they didn’t stay in those major cities where it was easy for transportation, it was easy to use FedEx and some of these other distributors to get to them very quickly. At least from where I’m at in California, we saw a big influx of people going up to Wyoming and into the areas of Idaho, even deep into Nevada, where it was a little bit more scarce. They were more land, more on the reservation where you don’t have the Amazon Primes and the things that can get there super quick, that it became harder to get these travel costs, these travel kits or solutions to the custodians, and accessibility, I think, is one thing to think about when you do those. Even on-site travel to those locations, major cities were no longer a key factor.
John Wilson
So, Todd, the hardware itself, is that a limiting factor when you’re talking about traditional forensics, having enough equipment?
Todd Tabor
It always is, especially when you’ve got large, distributed collections to do, where you’ve got people all over the country and everything needs to be collected the next day or the next week. 200 to 300 phones, mobile devices all over the country, and it becomes a challenge to ship people, to ship equipment, to move those people around, and coordinate the time no matter what you’re doing. It certainly is a challenge.
John Wilson
I can only imagine. I recall doing a client project where we were collecting 300 devices a month, but it was all in one location at a central place and you’re able to have all those devices come in. But I couldn’t even imagine in the COVID era trying to accomplish that feat. You would have to have immense amounts of equipment and hardware and software, and all of the necessary tools to be able to go all over the country and do those same 300 people because they’re all no longer in that singular location.
Todd Tabor
And multiple small towns and are they available?
John Wilson
Yes, the logistics and the scheduling nightmare. One person’s here and one person’s there, and may be all the way across town. And they both want to go at three o’clock this afternoon. I couldn’t even imagine. Craziness.
We did talk a lot about these new offerings and this new level of offering from HaystackID being very service based. What does that provide? What are the advantages to being much more focused on the service side of it, and the expertise level of having really high-level examiners that understand all of the different aspects of things?
Do you want to jump in, Todd? Or do you want to go, Rene?
Rene Novoa
Well, I think that we can utilize our resources better. So, having these experts and having the appropriate knowledge and having these different levels of services allows us to streamline our offerings and being able to reach out to those multi-factor collections, where if we do have multiple collections, we’re utilizing all of our resources.
We may have partial traditional on-sites, we could have some remote, and we could have some of this new stuff that we’re going to be talking about, complete remote collections, and really utilize the internal resources that we have as opposed to acquiring a lot more hardware, a lot more bodies for one project, and be a lot more efficient with all the methods that are in our toolbox. And not just depending on one to solve that problem. This gives a lot more flexibility, a lot more ways to support our customer experience, our custodian experience, and really provide that custodian experience back to the client, so they’re happy. And I think that’s a big plus where we have more of these collection methodologies, more of these outside-the-box traditional styles.
Todd Tabor
From a management and logistics perspective, especially in distributed collections, if I’ve got a person that’s doing multiple remote collections, they can sit and do a collection in New York, in Washington State, Chicago, in LA, all in one day as opposed to doing it over the course of four days.
John Wilson
I think that’s a perfect lead-in to our next slide here. While we’re changing slides that we do see that questions have been submitted. We will make sure to save time for questions at the end of the presentation, so we will tackle as many of those questions as we can at the end of the presentation.
So, talking about now you’ve got the ability – more remote workers – the ability to go out and collect people in four or five different places by one examiner because they’re doing this remote work. What kind of security impact does that have? What’s changed in the mobile environment around the security over the last three years as we’ve hit this COVID area?
Rene, can you share some of that with us?
Rene Novoa
Thanks, John. I think it’s been more complicated because of the BYOD and as we started intermingling our personal data with security data, and people that are supposed to be turning over phones still want to keep their privacy. They do not want personal data, personal photos, personal communication being turned over when we say we’re going to collect the whole device. We’re going to come on-site and we’re going to collect this whole device, and we’ll go through it. I think that threw a lot of red flags and put up a lot of challenges as we approach custodians and clients and trying to come up with solutions to consult based on these security issues, personal data versus company-owned data.
But also, the MDM. We had a lot of situations where MDMs were rolled out because we need to have this on the devices, and we have to protect the organization, not necessarily in how it was rolled out, not understanding what security features were turned on, and what that impact would be for collections, not only on site but in remote. Can you remove the MDM? Can you add in new policies? Can an individual with his own device back up to the cloud and their personal cloud?
Now that they’re backing up to their personal cloud, what company data goes with it? And can we retrieve that? How do we talk somebody into giving their 2FA and their credentials to do their personal cloud for company-owned information that we’re trying to acquire?
So, there’s a lot of conversations as to not only MDM, especially when you’re doing that remotely, as to what configurations are going to allow you to do what you need to do, not only on-site, but also remote, because you do not have eyes on those devices. You can’t help turn things on and off and being able to have the expertise to know what was rolled out and how to do undo that.
And you also have these third-party applications. Not only just communications, but in all third parties of how are those protected.
John Wilson
My question to you, Todd, is it seems to me that the world has become more security and privacy aware, and especially in the US, there’s a big privacy movement. A lot of states are starting to add privacy regulations. Are you seeing an impact from that?
Todd Tabor
We do, and we see it at every level. And so, there’s a big desire to be able to collect the very minimum off of every device. Can you collect just the text messages? Can you collect just this text message? Can you collect a tiny, tiny bit of the data that’s on a mobile device?
Not only that, but the operating systems are getting tighter and tighter, so what’s available to collect is getting tighter and tighter. So, between the security for the company, the security in the operating systems, and the security concerns around all the data entirely, it’s really putting everybody in a box as to what’s available and what can be collected and stored.
John Wilson
That sounds like quite the challenge. Next slide, please.
Rene, you briefly mentioned third-party applications. People talk a lot about the communication apps and those sorts of things. Can you talk a little bit about that for us, what the impacts of that are on these mobile device collections?
Rene Novoa
I think third-party applications, in particular, third-party communication applications have really directed us on how we’re going to collect information, while targeted or remote collections may be fantastic, it may save some time and money and convenience for the user experience for that custodian, but it may not be possible for what we’re trying to collect. Multiple passes. Understanding how to get data that’s not traditionally pulled off devices by just collecting a mobile device. Understanding how the third-party applications are going to be important to the case. And ultimately, how are they going to be reviewed? Is this going to be in a report? Is it going into Relativity or some sort of concordance review platform? It may change the way on how you collect that information, how it’s displayed, and how it’s searched. And ultimately, how does that play into the case? There are new tools out there for exporting to RSMF, and there are some custom solutions with some of these third-party applications, because we have to deal with the encryptions, not part of traditional iTunes backups, or traditional tools of what’s being collected, or the ADB backups for Androids.
So, custom solutions and convergence of data have to occur, but we’ve got to know what we’re up against and which third-party applications are going to be relevant for this case. So, I think they play a major role not only in the case, but how they’re collected, the methodology they’re being collected, and how they are handled throughout the entire process for review or analysis.
And I think those updates, being so fast, that we can consult with a custodian or a client and say, “Hey, we can do this today”, and that user updates their phone and now we’re not able to do that. Just a lot of the changes with some of the services with the iOS, things that we can get full file system extractions, but when we get a new update with iOS, that may take us a little while to catch up and to understand how that affects our collection ability, and what collection methodologies that are going to be available for this new operating system, this new update for this third-party application.
So, I think it’s a moving target and things that we can’t sleep on.
John Wilson
Does it require additional efforts? Do you have to do different things to collect some of that data?
Rene Novoa
Yes, let me say, it depends. It’s going to depend on that third-party application and that artifact. In some cases, whether it is iOS or Android, secondary collections, different collections from the cloud. A different method or tool may be required to go specifically for that chat application.
Signal, and particularly that we have on the screen has always been challenging on how to collect that effectively. There are very many methodologies depending on the process and what we’re allowed to do, which will make it very easy to review, and ones that have a lot of custom solutions required.
So, yes, multiple passes is definitely a – and multiple tools is definitely a possible requirement in dealing with third-party applications.
John Wilson
Fantastic. Next slide.
Rene Novoa
If you don’t mind, John, as we were talking about those third-party applications, although technology is constantly changing and so are the updates, and we’re constantly having to change with those updates, we always have to be ahead of the curve. So, when we’re all trying some of these new ground-breaking technologies and methodologies, they may work in one case, but the almost very similar case at another project, it may not work. There are a lot of variables when we start talking about internet connections, we start talking about users’ phones, how users use their mobile devices, and the configurations that are set that we’re allowed to change. And I think we always go back to just because something can be done does not mean it should be done.
And I mean that in a sense that – not in an ethics way – but in the sense that does that do the trick. Just because we have the ability to do target remote collection, should it be done? I think later in the slides and later in the presentation, we’re going to talk just about the size of the data. Does it make sense to do this? Will it be more effective to be on-site? And I think we can dive into that. But I think we still have to look at the user experience. What is best for the project? And understanding what needs to be pulled.
Do you need additional logs? Do you just need those text messages?
I think, especially in consulting, just because we have the ability to do it this way doesn’t mean it should be – that is the right tool or the best first step forward.
John Wilson
Yes, I think that’s a great statement. A lot of people totally miss that thought. Just because something can be done doesn’t mean it should be done. It doesn’t necessarily suit a particular matter, a particular outcome or the need of the case. Next slide, please.
Rene Novoa
And I think that leads us right into what type of project this is. I think we have all sorts of scenarios and cases that ask for different things.
I think you said it before, what are the requirements? What needs to happen? We have, let’s just say, two categories, investigations, and eDiscovery. And I think they have different requirements, and to be successful and to be able to tell that story. Because I think, if anything, in forensics, we are telling a story, in my opinion. That’s how I look at what is this phone telling us. What is the evidence there? And what is the overall goal during that timeframe that’s in scope?
So, when you’re doing an investigation, targeted or even remote collections – solutions may not be what is needed. We do need full file system extraction. We need that KnowledgeC for iOS. We need those third-party applications that cannot be parsed by traditional tools, that may need custom solutions. How do we tear those apart? How do we read those SQLite bases? And how do we make sense of that into a readable format?
With all investigations, a detailed forensic report is always needed because it outlines “This is what has happened. This is what we’ve done. This is what we articulate. And this is the conclusion based on these facts”. And you’re not going to get that with certain types of collections.
So, being able to have those advanced analytics for investigations should dictate on the type of collection process and methodology that you’re going to do.
Back to, again, just because you can do a targeted remote collection does not mean it’s the right tool.
John Wilson
So, I guess a quick question for Todd. So, we’re talking about investigation versus eDiscovery. What if a case is preservation-only? Is that different also?
Todd Tabor
Well, it is, but you’ve got to figure out why it’s being preserved. So, you might want to preserve the larger data set in a preservation-only in case it becomes an investigation.
So, I’m of the school that you want to preserve as much data as possible, and then process and review as little data as possible.
John Wilson
I think that’s a great mindset. Next slide, please.
So, Rene, you want to go ahead?
Rene Novoa
And I think just to counter something that Todd said of the mindset of getting all data. But again, it goes back to that scoping. What is required? What is that end result? That is the ultimate question. And I think that’s the traditional way we’ve always done it. Collect everything.
But as these mobile devices are getting larger, it does become complicated. It does also become complicated when we start talking about personal data. We start talking about PII, PHI, and other protected types that a full investigation of the full system is not the right process because we have all that risk and liability. And maybe the core is you don’t have the right to look at those third-party applications. You don’t have the right to look at their health data which would be part of the full file system, or a full collection.
So, you do not have the right to search in a review platform for all that information through your custom solutions.
So, I think understanding—
Todd Tabor
Well, that’s why it is important to start with the end in mind, Rene.
Rene Novoa
100%. Go ahead.
Todd Tabor
So, if you know where you need to wind up, then it’s easier to understand what you need to collect. But if you don’t know where this case is going, then you do definitely need to collect the broader data set, because you only get one shot at it most of the time.
Rene Novoa
I think that’s right, but I think it’s understanding the rules. What are the rules to this game? We’re on the playground. What are the rules and the requirements needed? So, I think all that goes into consideration as to the tools being used. I think that’s a great back-and-forth point.
John Wilson
Next slide, please.
I think that is all great points, and it jumps right into so how do you approach that data. How do you figure it out? How do you know what you need to do to deliver the desired outcome?
Rene Novoa
I think that goes in the scoping, and from the very beginning, understanding what the end result is, is how do we approach the data.
Knowing the device, it makes a difference on how you’re going to approach the methodologies, the type of device, the operating system, the versioning all goes into “Can full file system extraction be available? Can targeted collections be done? Can you unlock a device?”
All those matter when you’re looking at the data, not just saying “Collect everything”, because what if it is a one-terabyte phone? What if it’s one of these new devices? It’s going to take a long time.
And actually, breaking down where is the data set? Is it in the messages? 90 gigs of personal photos and videos that have no part of this case, can we just target the messages in third-party applications?
Again, it goes back to scope. It goes back to understanding the project. Is it investigation? Is it eDiscovery? Again, if third-party applications are not important, we can bypass all this regardless of the type of investigation, because it’s very narrow. There’s a lot of data and, quite frankly, they don’t want to either process it or it’s really not in scope on their personal vacation pictures.
John Wilson
And I think that’s a great lead into our next slide. The growth of mobile devices, the girth of usage, and we can see that mobile devices – most people are using… the top way that people get on the internet is with their phones. And not only is it the top way they’re getting on the internet and doing internet things, that’s how they’re conducting business.
And the devices, the mobile devices themselves are getting significantly larger and that leads to many challenges. Next slide, please.
So, let’s actually start breaking down. Now, we’re talking about whether we want to do some targeted collections, or we want to do what we need to do.
So, are there differences between Android and iOS?
Rene Novoa
Yes, absolutely. So, you’re approaching the data. Once you understand what you have in the collection process, what kind of data we’re going to be handling? Now, we have iOS.
You’ve got to start asking very specific questions. Again, back to OS and version model. What type of third-party communications are part of the iTunes backup process? What will not require a secondary effort? How are some of these configurations set up? Do they have the text messages set to three months or forever? All that is going to play into how you’re going to approach it, how you’re going to set up that methodology as to say this person or this individual has his messages deleting after three months. What day are we at and how far back do we need to go? We may need to do something a little bit more robust. We may need to document all this. Do we just need the current messages, or if he has it forever, we can go back quite a bit?
So, it gives us the ability to ask these questions, but it does require some communication with a custodian before we advise on those next processes. And I think having these additional steps besides just on-site or in person, because that data port has been talked about for, I think, almost two years and it’s going to be disappearing.
We’ve got to have these advanced solutions. We have to be able to attack the data when changes are going to occur.
So, I think understanding the device. You’ve got to understand what’s coming, what’s there, and everything that surrounds how data is stored, and backed up.
John Wilson
And so, let’s look at the – there’s kind of two main sets of mobile devices. You have iOS, what we just talked about. Let’s talk about Android now. Next slide, please.
Rene Novoa
And I think Android is very similar, in a sense. We still have encryption on both. I didn’t necessarily mention it. You still have encryption. You have MDM considerations. But the MDM on the Android does require some additional steps of USB debugging, stay awake that you don’t have in the iOS. So, those are things that you’re going to have to manipulate the phone. You are going to have to have hands-on. And a lot of the third-party applications are not part of ADB backups anymore, because you have to request that data to be backed up. It’s not on automatic rights.
So, in many cases in Android that you need to consider is that it’s going to take multiple passes to collect the data, or other methodologies either from the cloud, scanning of a QR code, or whatever the current method is at the time, that you are going to have multiple passes that have a different set up when you’re attacking Androids compared to iOS. So, there are different considerations and challenges.
We can’t just say, “Let’s get on the phone and just talk to the custodian, and we’ll figure it out on-the-fly”. I think that’s very much not a good approach on how to handle a critical situation.
What Todd had mentioned, you may only have one shot at this. And if you’re going to do a collection method, you’re going to want to do it one time, because that data is going to change the moment that you start collecting it.
John Wilson
And just the secure personal storage, like the Knox Vault, does that affect—
Rene Novoa
That’s not going to be part of an ADB backup or part of traditional collection methods. You’re going to have to do some sort of rooting or full file system extractions from Androids, or another type of method to – I think Huawei has a different name for it. But with the Samsungs, how do we get that information? Is it possible to unlock that? And the answer is yes depending on the versioning and on the type of device, we can get into those with the right collection method. But we need to know, is that important? Is that part of it?
You don’t want to have to go back and say, “Hey, I forgot that, because I didn’t ask that question, and I didn’t realize it was on the Android”. When you show up on site, just collect whatever it is, you’re not going to get the expected result that you had thought you were going to get.
John Wilson
So, next slide, please.
Rene Novoa
And I think this is where we go into more about a relationship with our announcements with ModeOne and how we advance remote solutions.
I think we started with remote solutions as sending a kit (hardware), and I know Todd has talked about the very expensive endeavor of software and hardware and shipping costs. I think the focus moving forward is how do we get around that with full remote targeting where we do not need to send a remote kit or have any type of shipping costs.
This is where we are going when this may be the right tool for the solution, when they meet all these criteria based on data size, based on the type of data we’re working with. There’s all those factors that we’ve been talking about and really stressing the understanding – approaching the data, understanding the data, the type of device, and really the impact of this case, of the data surrounding the case.
Next slide.
John Wilson
And this is pretty much what you were just talking about. It does reduce the delays. I think the thing that jumps out off the page to me is same-day turnarounds are possible. That’s really interesting. Todd, can you talk about that bit?
Todd Tabor
Sure, you can get on a scoping call with a custodian and have that collection start on that call. And that’s not something you can do in the traditional collection scenario. And like I said earlier, you can make back-to-back calls with the same examiner, the same attorney team, and multiple custodians across the country.
Rene Novoa
But Todd, this is after we’ve already pre-scoped it, pre-understood the type of case that this is the right method. By the time we get to the custodian, this is something that we can walk them through, either utilizing their own personal hardware or, in some cases, the actual phone where we don’t even need a computer and sending just a text with a link or some sort of email that will help us that new technology, or advanced technology to be able to collect from that phone relatively quickly, though.
John Wilson
Next slide.
So, what are the risks or the drawbacks? And you said making sure you have the right – you’re doing it for the right type of cases. What are the risks or drawbacks to keep in mind as you’re deciding, hey, is my case right for this?
Rene Novoa
Yes, and I think it’s something, again, we’re going to go back to it time and time again is you only get the one shot. Todd mentioned it, you get one shot at it. So, understanding that a full file system or advanced logs won’t be part of that. There is some limited troubleshooting because you don’t have your hardware there, you don’t know what type of possible computer device or network setup that they may have.
When we are doing full targeted remote, there are connection issues. How do we deal with that? How do we troubleshoot those? So, having a clear understanding of the device, approaching the data correctly, understanding what those problems can be ahead of time will make the experience a lot more pleasurable for the custodian. And it’s also less interaction with the custodian.
Once we get this up and running, it’s very much in the background again, and very much possible. But remember even though the phone may not be in airplane mode, traditional methodology, we still have a lack of communication with the custodian, because we can’t be making phone calls, we can’t be sending excessive texts. That does interrupt with the inventory processes that can occur while information is being gathered on those mobile devices, whether on the actual device itself, or using some sort of tether to a personal computer.
There’s still chain of custody, but there’s less documentation in the sense of photographs and some of the traditional things that you would think of as appropriate documentation.
John Wilson
I think that leads right into the next slide, which is talking about the requirements, the technology thoughts around that.
Rene Novoa
I kind of just blended these two pieces of information, but there are going to be some system requirements, and that all comes up from the front end. Can we tether it from their personal PC or Mac? So, they understand that their data is not going to fly across the screen. There are not going to be remnants behind.
While we’re doing that, we’re not checking email and understanding some of the rules that go along with this fast, instant response of being able to collect targeted information.
It does make a difference on the connection speed. From where I’m at, I have Xfinity, the top 1,200 megabits, and 40 megabits upload, that’s going to be a really good experience for me. But if we have somebody out there in Idaho or Wyoming, they’re on some sort of DSL or satellite internet that may not be the best, you’re going to have a different experience. So, again, is this the right tool?
Just because we can do the targeted remote collection, is it right because of all these system requirements?
John Wilson
So, next slide.
So, I think that’s a perfect lead-in, so now we’ve decided that it’s the right thing to do, we’re going to do the advanced remote collections, we’re going to get targeted with it. Talk us through that.
Rene Novoa
So, the targeted collections is when we have specific date ranges, we have specific contacts, specific chat threads are the only ones of the conversations. But for this example, just conversations between Todd and John, and Rene, Todd, and John. But I have 30, 40 other chats that were personal family members, or friends and families from high school and college. Those do not need to be collected. And this allows us to inventory a database which would be their messages database or specific data, and then pick and choose what we would like to then export, or to be able to produce the other side.
When we approach the data, we have to understand that we are going to inventory the entire database, we are going to look at some information. But what is ultimately produced is very limited so that we can move across and bypass those personal photos. We’re not even looking at the videos. We’re not looking at all those third-party applications or their TikTok or their Google Maps. We don’t even have to look at their internet search. We’re specifically just targeting specific data, and understanding that information from the phone, we’ll actually be able to get better timelines, and something we’re going to talk in the FAQs.
But a friend analysis it not needed, and it’s really just “Hey, we need to preserve this chat string for whatever this case may be”. And maybe we can go into the details on the types of cases where just for the preservation of those chat strings and those contacts is the only thing that really needs to be focused on at this point.
John Wilson
So, let’s move into the FAQs. Next slide, please.
Rene Novoa
There we go. How long will this take is the ultimate question. It depends. I think we have to go back to the previous slides, don’t do it, please, Lucy. But it’s approaching the data.
Is the messages database two gigs or is it 26 gigs? We’ve seen both. How many attachments do they have? Where are they located? What is their internet speed? And those are all the great questions on the detailed scoping and conversations that we gather so that we can set those expectations.
One of the other ones is “Can you see my data?” The answer is no. Even in our targeted collections. We do not look, or no one sees the data until that data is processed. And in certain cases, we may just collect the data and not process it for just privacy and system requirements.
Again, system requirements, case requirements, understanding what’s at stake.
So, there are things where we’re not going to leave fragments behind, but you have to know that there will be something put on the phone, it will be removed, it does not leave artifacts behind.
John Wilson
I’m going to start running through some of the questions from the audience now. We can certainly get more into that.
So, the first question we received is “By push-button forensics, do you mean a Cellebrite extraction?”
Rene Novoa
I mean in any tool that’s going to collect the information. I’m very tool agnostic in this case, so it could be any of the tools where you’re just plugging it in and saying, “Collect”. You mentioned Cellebrite, in Advanced Logical, you’re hitting next, next, next. I’m not saying that that’s push-button forensics, but what do you do after that, you dive into the data. But you’re just collecting whatever the phone will give you. In many cases, with the iOS, it is more of an established iTunes backup. And the same with the Android, it requires maybe multiple collections. Depending on which tool you’re going to use, you may have to approach it multiple ways.
John Wilson
And then the next question is “How do the experts recommend dealing with privacy laws when mobile devices and phones need to be shipped to different states to be collected?”
I think that ties right into being able to do the remote collection maybe means you don’t have to ship it. But we always do engage with privacy counsel, whether it’s our own internal DPO, and our consultancy group, or the law firm that’s engaged with the matter with us, whoever it may be.
But the privacy laws are definitely getting more complicated. They’re definitely growing and definitely have to be taken into account. You have to be very cautious around that.
So, the next question is “I’m a corporate attorney, we are a large company trying to control costs but have a BYOD policy that has been a nightmare for mobile collections. If we provided phones, could we eliminate our BYOD policy? Can we lock phones down so people can’t put personal data on them? Are other companies facing these issues?”
Todd.
Todd Tabor
Well, you would likely have to do it by policy. Most companies that provide mobile phones have some type of policy around that. What we find is that even companies that provide mobile phones allow some level of personal use, either photographs or videos or some type of deal, but they also have an internet use policy around that.
I know of one particular company that we’ve collected several hundred devices from that had the CEO had thousands and thousands of videos and pictures, personal videos and pictures on their phone. It basically didn’t matter whether it was a company phone or a personal phone.
John Wilson
Definitely, I agree with you there. Can those phones be locked down so people can’t put personal data on them? It’s very difficult. They can, you can do things on a corporate-issued device if you have the right policies in place and you require a lot of different things, like they have to have a company set up iCloud account, not a personal iCloud account. There’s a lot of those things.
And then you still have to drive user behavior. Just because corporate policy is you can’t do personal things on it, did somebody send a personal text message to a family member from their corporate device? All those things that have to be controlled or figured out.
So, next question. We’re going to take one more question after this and then we’ve got to wrap up. “Can you speak to how targeted collection is done? We’ve always been told a full image needs to take place and culling needs to take place afterwards”.
Rene, do you want to tackle that?
I will caveat it to say that’s why we talk about the need to understand your case and understand your case and understand what your case requirements are, what your outcome is that you need to have that’s going to have significant impact on whether or not you need to have that full preservation image or not. But Rene, please jump in.
Rene Novoa
Since we don’t have a lot of time, targeted collections work in a sense that some sort of servlet is – we have to communicate with the phone somehow. So, whether we’re doing it tethered or it’s plugged into a personal computer and we’re unloading a piece of servlet software on the computer, and accessing the phone through the internet, or we’re able to get something onto the mobile device and then be able to communicate with our software at a different location. But it’s again being able to get onto the mobile device and then take over a lot of the permissions.
So, certain things aren’t going to necessarily allow a piece of technology to have full access to as much as it can, so that’s why a full file system is not going to be possible if you’re not putting it into any type of pre-boot mode or recovery mode, or DFU mode. You’re talking about live data and inventorying a database and recreating it and moving that data off the mobile device of what you’re asking to do.
But it is very much possible, even with apps and being able to get control and being able to extract that information, a full file system extraction is not always necessary now. That was the traditional way of doing it. We had to grab everything, that was the only way to do it and parse it out later. So, things are changing, and this is why we need to be ahead of the curve.
It comes with a lot of risk, not with a lot of risk, but you have to understand the risk when we’re doing that type of a collection.
John Wilson
Yes, I think you have to understand the outcome that you’re looking for and then work your way backwards.
So, last question is – well, there’s two questions that I’ll combine. So, regarding remote collection, is the only way to remotely connect a device going to involve sending a collection kit of some kind, or is there some other method?”
Rene, if you can take 30 seconds then we’ve got to wrap up.
Rene Novoa
That was the traditional way where we would actually send remote kits, and hardware, and software, and walk an individual through that, either using some sort of remote software to take control over our devices and having them plug in and do those collections as if we were there, but there was quite a bit of interaction with the custodian to set that phone up and the computer up.
What we’re moving towards, especially with our new partnership, is to be able to collect devices with using their hardware, their phone, or maybe their personal Mac or PC computer by sending a file to them. They are able to quickly install, that’s not very intrusive, and it allows us to gain access to those mobile devices.
So, definitely, new methods are being advanced and accepted.
John Wilson
And then I guess I’ll squeeze one last one in. “Can you run complex searches on any device and export the results?”
The searching we do through the targeted and remote is fairly limited. There are possibilities there. Again, it’s finding the right case and applying the right solution. We do leverage our partnership with ModeOne for part of that. We do a lot of other things as well. And there’s a lot of complexity to figuring out how complex you can get, what data you’re trying to actually search, and what is searchable. A lot of work around that.
Any final thoughts, Todd?
Todd Tabor
It’s important to understand where you need to wind up before you start selecting tools and methodology.
John Wilson
Perfect. Rene.
Rene Novoa
I think Todd said it right there. I think understanding the case, approach the data, and work your way through it will get you into the best outcome.
John Wilson
Fantastic. Well, thank you to the entire team for the information and insight. We also thank everyone who took time out of their schedule to attend today’s webcast. We know your time is valuable and appreciate you sharing it with us today.
You can learn more about and register for HaystackID’s upcoming webcasts, including our June 28 presentation featuring a discussion led by Mike Sarlo of HaystackID, on artificial intelligence in eDiscovery at haystackid.com.
Thank you and this concludes today’s presentation. I hope you all have a wonderful day.