Mobile devices gaining importance in probes

Whether a case centres on employee theft, insurance fraud, intellectual property theft or a range of other matters, cell phones and other mobile devices can contain “relevant information that shouldn’t be ignored,” says Chuck Rothman, director of e-discovery services for Wortzman Professional Corporation.

“Information on phones can be very different than what may be on computers and typical sources of e-discovery exercises,” especially when it comes to apps, says Danny Garwood, senior director of forensic technology and e-discovery for KPMG LLP. That information ranges from the ubiquitous (like call and instant message logs, contact lists) to the esoteric (like fitness tracking and other aspects of the “quantified self ”).

Documents, conversations, geotagging and more

“There are so many channels for voice calls on modern devices. We can use iMessage, Facebook Messenger, Skype, WhatsApp, WeChat,” in addition to embedded phone and text apps, notes Kevin Lo, managing director of Froese Forensic Partners Ltd.

Garwood doesn’t typically find work documents on phones, though people do use tablets to work with them.

Pictures and videos can also interest parties in a legal matter.

“People may take pictures of a whiteboard instead of taking notes,” Garwood offers.

Today’s technology makes intellectual property theft easier than ever before.

“The camera is such a good quasi-scanner, it makes photos look almost like photocopies of documents,” while various apps perform optical character recognition (OCR) on those documents, Lo says.

Geotagging and other types of location data can also prove useful. “Certain phones track which cell phone towers they connect to, and when,” Garwood explains. “If you want to figure out where somebody was at a particular time, the cell phone might be a good place to look.”

Rothman notes many people use smartphones as pedometers. They also pair their phones to wearables that perform that function. He recalls a personal injury case in British Columbia that involved a Fitbit. (Technical note: Fitbit devices wirelessly synchronize activity data to phones or computers, which in turn upload the data to a cloud account.)

A personal trainer who was injured wanted to show she couldn’t work out like she did previously.

“They took her Fitbit data (before and after the injury) to prove that,” he says. “In a personal injury case, if somebody walked ten miles every day and then after an accident they walked much less, and they used phones to track distance, that information could be relevant.”

Preserving mobile device data on the device itself…

Garwood advises people start the preservation process quickly by simply turning the device off and removing the battery if possible.

The next step involves creating one “master” copy of everything on a phone and performing e-discovery on duplicates.

Garwood has used several different methods to create a master copy of the contents of a phone.

“Each type of device differs in terms of what’s possible,” he says.

He finds it easier to perform e-discovery on older, simpler types of phones, like flip phones, while newer phones can prove more challenging. A full capture can take anywhere from ten minutes to three hours.

“It depends on the device, the amount of storage available on the device, whether there’s an additional storage card on the phone,” Garwood explains.

… and in the cloud

Lo adds that “there are secondary storage spaces in the cloud that are tightly associated with that phone,” that complicate things, and he lists services like Dropbox, OneDrive and Evernote.

“Certain platforms don’t keep data locally. The physical storage on a mobile phone is almost meaningless because so much more could be going on elsewhere.”

Dealing with phone withdrawal

This fact works in Rothman’s favour since he likes to get data from other places and not ask for phones. He relates a recent discovery engagement involving about 30 BlackBerries to explain why.

People who had to surrender their phones knew he was there that day, but getting them to line up for their data was “a challenge,” he recalls.

“Several people showed visible withdrawal symptoms. They’d come in after ten minutes and say ‘Are you done?’”

“We always try to return phones as quickly as possible,” Garwood concurs. “People feel naked if they don’t have a phone.”

Privacy and personal data

Regardless, certain types of data, like instant messages, are best acquired from the phone.

“I find that people are not that concerned about their privacy,” Rothman notes. “They never delete their text message history. Usually there’s a good history of text messages on phones going back weeks, months, even years if you’re lucky.”

As with other types of documents, having the original picture or video file matters. For instance, Photoshop could be used to adjust the lighting of a picture.

“You want the original source file from the phone to check the metadata, to see if the picture has been doctored,” Lo explains.

Encryption can be so good out of the box that a phone is impossible to “crack.” Extracting the informa- tion isn’t necessarily difficult if people performing e-discovery know usernames and passwords.

“If everybody turned on their privacy settings, there would be a lot less information to collect,” Rothman wryly notes.

People commonly co-mingle company and personal data, like emails and photos, on a given device. E-discovery processes harvest both.

“There are ways to separate it out,” Rothman says.

He notes some mobile devices enable the creation of two separate spaces “work” and “personal.”

“Most organizations haven’t implemented this type of split,” he adds. Bring-your-on-device (BYOD) policies don’t always address this issue.

Check every device

Lo says merely finding the right device when people carry multiple devices (e.g. company-assigned and personal) can mean “we need to do detective work to find out how many devices are involved.”

Phones may be the most obvious devices to demand during discovery, but ever more types of mobile devices, like tablets and smart watches, may hold relevant data.

Even cars may start to matter. They contain global position system (GPS) logs, engine activity logs, even (in some cases) the ability to download trip logs in spreadsheet format (to enter data in expense reports.)

“When you do e-discovery or digital forensics, it’s no longer enough to get one device,” Lo says. “Sometimes we need multiple devices.”

This article originally published in Lawyers Weekly Magazine. To view the print version, click here.

Leave a Reply