Embed Size (px)
Citation preview
Mobile DevicesConcerns with Forensic Capture and Analysis of Portable Data
Today’s Speakers
Helen Marsh of Keker & Van Nest, LLP
Robert Powell of Gallivan, Gallivan & O’Melia, LLC
Dave Rogers of Ernst & Young
Presentation Roadmap
Legal Considerations Practice Tips Technical Considerations
Audience Profile
Corporate – Attorney Corporate – IT or Legal Technology Law Firm – Attorney Law Firm – Litigation Support Paralegal Vendor / Consultant Other
Legal Considerations
Considering Law & Technology when Handling Mobile Devices
Legal Considerations
Recent Case Law Training necessary around preservation and
analysis of electronic data Preservation - Must be Defensible …Have a documented
tracking / acquisition procedure. Analysis - Subjective or Objective? … Just another technical
skill set … but investigation is not same as processing Platform variations can make substantial difference
Practice tips Tip - Preservation may be prudent or required … Analysis
may be unnecessary Tip - Notes Notes Notes and a written report or memo to file
always Tip - Magnum Force “A man’s got to know his limitations …”
Harry Callahan.
The Current Landscape
Mobile device data is the new email Yet it is often still possible for parties to
agree to ignore mobile device data Prior to reaching agreement, preservation
obligation must be considered Privacy considerations are commonly
raised Stored Communications Act may be
asserted as bar
Quon v. Arch Wireless, 9th Cir, 2008
Sherriff’s department contracted with third party for text message service
Department reviewed text messages obtained from provider to determine reason for overages
Found sexually explicit material and attempted to discipline employee
Court held that Stored Communications Act applied
Employee had reasonable expectation of privacy Supreme Court has granted cert
Flagg v. City of Detroit, ED MI, 2008
Allegedly botched murder investigation Relevant text messages to/from city
employees including mayor Court held that Stored Communications
Act could not be used to prevent discovery of relevant text messages via subpoena to carrier
Text messages were effectively in “control” of City even though they had to be obtained from carrier
Southwestern Mechanical Services, Inc. v. Brody, MD FL, 2009
Sanctions were imposed for failure to preserve data on Blackberries
For key time period, devices were not synched with server
Court focused on email, but also text messages, contacts, calendar items, telephone usage records
Southwestern – The Backstory
Theft of trade secrets by employees who left to join competitor
Court issued TRO requiring return of all information and property to former employer
Forensic exam showed that data had been wiped from Blackberries used by two former employees
What’s next
Device technology undergoing rapid improvement
Device usage is increasing and supplanting use of traditional computers
Counsel and courts are becoming more aware of the availability of this data
Forensics tools are improving and costs are coming down
How do we predict trends?
Courts will borrow from experience in law enforcement related matter
Courts will be influenced by frequent use of mobile device data in family law disputes
A few prominently reported decisions will result in rapidly changing expectations
Think the unthinkable
Practice Tips
Real World Challenges with Mobile Devices
Practice Tips
Examples of cases where mobile devices are necessary. (regulatory matters, transferring IP to devices)
Regulatory Investigation - Blackberry E-Mail, IM and SMS Messages validate a pattern and specific instances of ‘leakage’
FCPA Internal Investigation - Overnight Blitz 48 computers and 50 Cell Phones Forensically preserved
ITAR - Multi-Platform Mess during compliance audit Identify relevant information through custodian
interviews Analyze the information you have collected to
determine if there are “gaps”
Know When to Say “When”
Risks of DIY Mobile Device Capture Forensic Tool Spiral - Versions / Functions / Validation
/ New Platforms Reference Materials (Data Sets / Measurement … not
just reference as in Manuals) Sample Size - results and reporting inconsistent on
different platforms and tools Budget and Time Boundaries Cost Recovery of DIY You may not like what you find …
Know When to Say “When”
Risks of DIY Mobile Device Capture Cell Phones are like Ogres … Parfait / Onions / Layers
… (Live Data / Deleted Data / Data Fragments / Unallocated Data / Flash Data / Raw Bytes and oh gosh Device Redundancy)
Economist time … on the other hand, if SMS and JPG / DOC / XLS / PPT / ETC Files are all you seek, this may be easy.
Work directly with technical investigators and communicate the issues of the case
Understand the client’s infrastructure and messaging systems and determine the relevancy of the data on the mobile device (cost benefit analysis)
Understand limits of current technology to preserve and analyze data from these devices
Technical Considerations
Leveraging Available Tools & Identifying Limitations
Audience Survey
Devices Encountered on Cases Blackberry iPhone Windows Mobile Palm Other Smart Phone / PDA Other Phone (Non-PDA)
Technical Considerations
General Methods to handle capture of mobile devices?
Known tool sets for handling mobile devices Options, risks and benefits of mobile devices? How effective is the technology for forensic
capture? How far behind is it? For example, how do you
handle a Droid vs. a mobile device How much residual data, such as deleted data
or internet activity is on a device and how much can be captured and analyzed?
“Isn’t it all on the server?”
Technical Considerations
Most difficult PDAs to capture from Use of social networking tools from PDAs
and developing strategy Cost vs. value of analysis
Questions & Answers
