Digital Forensics on Mobile Devices

Episode Notes

Transcript

Digital Detectives

Digital Forensics on Mobile Devices

03/28/2019

[Music]

Intro: Welcome to Digital Detectives, reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches; not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.

[Music]

Sharon D. Nelson: Welcome to the 101st edition of Digital Detectives. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises, a digital forensics, cybersecurity, and information technology firm in Fairfax, Virginia.

John W. Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives our topic is, Digital Forensics on Mobile Devices.

Sharon D. Nelson: Before we get started, I would like to thank our sponsor. We would like to thank PInow.com. If you need a private investigator you can trust, visit pinow.com to learn more.

John W. Simek: Our guest today is our longtime friend Brett Burney, who is the Principal of Burney Consultants LLC. Brett focuses the bulk of his time on bridging the chasm between the legal and technology frontiers of electronic discovery.

He is also the author of the free download eDiscovery Buyers Guide at www.ediscoverybuyersguide.com. Brett is also very active in the Mac-using lawyer community, working with lawyers who want to integrate Macs, iPhones and iPads into their practice.

As usual, great to have you with us Brett.

Brett Burney: Fantastic to be here. Thank you John and Sharon. Always a pleasure to talk with you guys.

Sharon D. Nelson: Well, it’s great to have you here. And I know you had a really wonderful session at ABA TECHSHOW called Digital Forensics on Mobile Devices. Can you tell us briefly what that session was about?

Brett Burney: Absolutely. We did have a really good time. It was with my good friend John Simek, you may have heard of him before. We had been talking about this for a while and I had the privilege of taking half of this presentation. It’s definitely a topic that I have been hearing more about, I know you guys have been dealing with a lot of clients of your own that have been asking about this more and more, it’s just, if nothing else, I have been getting so many more questions from people from all different firms.

I mean I don’t — in other words, I don’t — it doesn’t even really matter if it’s a small like domestic issue, there are mobile devices involved now. It doesn’t matter if it’s a huge civil litigation issue. All manners and means of any kind of litigation matters today are definitely involving some form of mobile device information off of there.

So it was a very relevant topic I think and a lot of people enjoyed it.

John W. Simek: Yeah, I enjoyed doing a session with you Brett and you popped a slide up during the session, talk a little bit about that for our listeners, because I wasn’t aware of this at all till you brought it up there. But tell us about the significance of Facebook and Google controlling 8 of the top 10 most used apps.

Brett Burney: Yeah, that was a little surprising to myself. In fact, I was looking at a couple of studies as we were preparing for this, and even before you get there into just the small number of companies that are really I guess responsible for the amount of time we spend on mobile devices, I found this statistic that talked about over half of all digital minutes that any individual spends in looking at some kind of electronic information is spent now on mobile devices.

I think at least in the United States it was like 65% of all digital minutes. In other words, any time that we spend in front of a screen somehow it involves a mobile device.

And then more specifically, the slide you are talking about John, that out of the top 10 apps that people mostly use on mobile devices, they are mostly all owned by either Facebook or Google.

For example, number one of the top 10 apps that people use on their mobile devices, Facebook is pretty much the number one, and then of course you have Facebook Messenger, Instagram today, which is all owned by Facebook, but then on the YouTube side, after Facebook being the number one app that most people are using, YouTube is the second app and of course that’s owned by Google. And then of course very close to the top of that list is Google Search, you have Google Maps, you have Google Play, which of course is what Android devices use to get access to apps of course and then Gmail.

I think the only two apps out of that top 10 that are not owned by either Facebook or Google were Snapchat, which who knows, that could change very soon, and Pandora.

So that was just interesting that the amount of time people spend on mobile devices or using mobile devices, it’s no surprise, you look at the society that we have today, right, but it’s just — it was amazing to me as well John to know that that data that people are looking at is owned pretty much by a very small number of companies up there.

Sharon D. Nelson: Well, that is certainly significant and I suspect has attracted the attention of a number of politicians.

(00:05:00)

Brett Burney: I am sure.

Sharon D. Nelson: So Brett, I know attorneys don’t understand what evidence may exist on a mobile device, but explain to them why it’s important that they do understand.

Brett Burney: We had a couple of different directions that we came with this, John and I, and I sort of put it into three different buckets Sharon, and I am sure there’s different ways people can look at this, but number one is what I call phone specific materials. In other words, information that is only going to exist on that phone. Things like call logs, maybe some text messages, maybe some voicemails for example. In other words, the only place you are going to be able to get access to that information is going to be from the actual mobile device.

And then my second column, I had app-related materials, and these are pieces of information that may only be found inside the actual app. The app may be on the phone, and usually it is, but there could also be ways that you could access maybe some of this information from another area, another server for example.

But these are things that are, for example, in a Notes app, for example, people that write their notes or dictated notes or maybe even dictate something from an audio recording, for example, or maybe some videos that you have recorded into the phone or a music file or maybe even GPS data or even, not just the photos themselves, but maybe information about those photos, that all resides within a specific app.

And in my last column I have, I call it a traditional PC materials. From the sense of typically these are pieces of information maybe on a mobile device that may also be located on a traditional computer, a PC, things like Word documents. Typically we don’t have a Word document that you create on a mobile device, although more and more people are doing that, but that might be a Word document you created on a computer. So it exists on the computer, but then you also have a copy maybe on the mobile device.

Things like PDF files or possibly even email, for example, something we always look at. A lot of times the email that you might find on a mobile device can also be found — also a copy of those messages on a computer or maybe on an email server as well.

So those are sort of the three categories, things that maybe you only can find on the phone, things that may be involved inside of an app on a device, and then of course I call it traditional PC materials that you may also find on a computer somewhere.

John W. Simek: So Brett, can you get a little more specific about the types of data that you are looking for from a mobile device, the device itself, which I think is what one of those columns that you had indicated on your previous questions you had?

Brett Burney: Yeah. I would say John, and you jump in too, because you see a lot of this, just like I do. I would say the number one thing I get people asking about today for mobile devices centers around text messages, whether it’s iMessages or short messages or sometimes you call it SMS messages or the multimedia, MMS, we had all these different names we have had for text messages.

But today it really centers around that, whether it’s the iMessage service, which is specific only to Apple phones, iPhones, or we have some kind of a specific app related messaging service, sometimes like WhatsApp or Snapchat, if any of that can be pulled out of there as well.

The only thing that overlaps here of course is there are many services, like even Facebook that have their own messaging app maybe built into some of those apps as well. But typically a lot of people are asking questions around text messages, because again, that’s something that you may only be able to find on the actual phone itself.

Some people say well, these are messages that maybe go through AT&T or Verizon, well, good luck on trying to go and try to find information from there. Sometimes they will probably give you some of the information, but many times it is text messages that may only reside on the actual phone itself.

So I don’t know if you see anything different John, but I would say that’s what I typically get a lot of questions about these days.

John W. Simek: Yeah, I think, and Sharon can support this as well, I agree with you, text messages is the number one area, no matter what, whether it’s Facebook messaging or any of those types, but it’s a messaging stuff itself. The thing that we get probably three or more phone calls a day on is how do I recover deleted text messages? Apparently that’s what everybody wants to know.

Sharon D. Nelson: And that’s the question that comes in from the website too. So it’s just amazing how that’s what they want to discover is those deleted text messages.

John W. Simek: Well, my question is why did you delete in the first place?

Brett Burney: It’s funny, I just got an email from our good friend Jim Calloway. He had an attorney there in Oklahoma where he was working with exactly this question John. They just came up, they had a client, and apparently she had an old phone and she had to get a new phone, but they didn’t restore from iCloud. And so of course some of those messages or at least the iMessages were sort of lost in there and they were scrambling, frantically trying to find out a way to recover some of that.

In some cases it’s not very easy to do that John. You know this. This is obviously your specialty here and in some cases it could be easy, in other cases if it’s gone, it may be gone, which is a little unfortunate, but it’s just the way that it is, the way — with security concerns and everything today of course, it is the way that it is sometimes.

(00:10:05)

Sharon D. Nelson: Well, when you are dealing with mobile devices, I know that as opposed to the old days when we were dealing with just computers and servers, it was one thing, but today it seems like there are so many types of data and problems when dealing with mobile devices. What would you list as the major problems, Brett?

Brett Burney: Well, that’s a very good question. Honestly, I think in many cases Sharon it’s having access to the actual device. Obviously, John will tell you many times it’s impossible to maybe try to recover some of this information without having the device unless it may be something that is more on that other spectrum that I was saying, that it may be information available from another server somewhere or maybe even like the iCloud system that has backups on there.

But I will tell you, even from a broader perspective Sharon, and I know that you see this as well, frankly, and unfortunately, it really comes from just a sense that many attorneys just don’t understand the ramifications of maybe either some of their own actions and looking at devices or they don’t know exactly how to describe to their clients how to preserve some of this information, or maybe to caution them and going through a certain scenario to preserve that information.

For example, when I deal with a lot of iPhones, for example, we were just talking about doing a backup or accessing that information from a backup, the iCloud service from Apple does freely backup information from an iPhone, for example, but a lot of people don’t know this simply because we don’t do this very often, but using the iTunes software on a PC or a Mac computer and plugging your phone into that computer and using iTunes, you can create an additional backup, like a local backup if you will, that’s separate and apart from the iCloud automatic backups that they have.

It’s just not having an awareness like that I think Sharon that I just run into a lot. A lot of the questions that I get are frankly just people trying to understand sort of the scary world of mobile devices and most importantly, from our perspective, on how to adequately and dutifully preserve that information in a way that’s going to make sense later on down.

John W. Simek: Well, before we move on to our next segment, let’s take a quick commercial break.

[Music]

Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a prescreened private investigator today. Visit www.pinow.com.

[Music]

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is Digital Forensics on Mobile Devices. Our guest today is our friend Brett Burney, who is the Principal of Burney Consultants LLC and focuses the bulk of his time on bridging the gap between the legal and technology frontiers of electronic discovery.

So Brett, talk to me a little bit about the mobile data collection spectrum. I confess I don’t know what it is, but does it have a rainbow of colors?

Brett Burney: Well, there’s a reason that you don’t know what it is.

John W. Simek: Great job with that slide too Brett.

Brett Burney: Thank you. Well, the full name that I created on that Sharon is the “non-scientific mobile data collection spectrum”. This really came out of my own brain because —

Sharon D. Nelson: How frightening.

Brett Burney: I know, I know, it is. But I wanted to show a couple of methods to this audience that we had at TECHSHOW, where you can do from the self-collection. That would be one end of that spectrum, where you can do the self-collection or maybe adequately instruct your clients on how to collect some of this information.

And the far other end of the spectrum is where our friend John Simek rules, because that is the full forensic collection of some of these mobile devices. And so I took the easy ones on that side of this non-scientific spectrum that I came up with.

But for example, on the self-collection side, I just made a comment to the room that in some cases, depending on several factors involved with the matter, when you have a client that needs to preserve some text messages, for example, that was the example that we stayed upon, simply because we know that’s what a lot of people were asking about, in some cases simply creating screenshots of those text messages on the phone can be adequate. It’s not what I typically recommend, it’s not the first place to go, and if you have got some other factors that require you to truly authenticate some of this, to an nth degree, this is not the way to go.

(00:15:09)

But if you have a fear that you need to replace the phone or something, you don’t want these messages to be deleted, you can simply go in both the Android and iPhones allow you to basically create screenshots. You pull up the list of text messages that you need to “preserve”. You create a screenshot, scroll up a little bit, create another screenshot, scroll up a little bit, create another screenshot, so that you have several images now, screenshots made of these text messages.

And I showed — one of the slides that I had was an app on the iPhone appropriately called the Stitch It! app that will allow you to stitch together this long string of all of these images that you can basically recreate this conversation, if you will, in text messaging, because really that’s how we use text messaging today, it creates a conversation.

My comments on that to the room to make sure that you simply document who made the screenshots, when the screenshots were made, and whether or not you need to understand that the screenshots included the timestamp on there.

Then the next step up, I will stop, because I always like to hear John talk about the truly like hackerish side of the forensics, but the next step up from that is what we call the self-collection is if you have the phone and you plug it into a PC or a Mac, just like we were talking about using the iTunes software to back up a phone, at least an iPhone, you can also use other software.

One of the ones that I came — that I suggested was using something called iExplorer from a company called Macroplant. That will basically allow you to slurp in all of the text messages from a phone and then create a PDF file, for example, of all those text messages and it basically recreates that conversation. It looks very similar to that. It puts a timestamp on there and everything.

There is another one called Decipher Tools and then one of the ones that I have used several times for clients for Android phones is called SMS Backup, and I think it’s Restore, SMS Backup & Restore, the company is SyncTech.

So those are just some of the options that I was throwing out there for the room to say on the far end of one side of that spectrum, if you were looking at self-collection, if this is something that’s appropriate for you to look at, then you could do some screenshots or use some capture software, just as long as you document everything that you did, like who did the screenshots and of course when all of that was made. Obviously those are questions that might come up from the other side later on.

John W. Simek: Yeah. And I know, as you know as well Brett, is that when you start moving to the other side of your spectrum, which I fully expect that you are going to what, service mark that term.

Brett Burney: I am trying.

John W. Simek: Is that when you get to forensics side, the cost goes up significantly as a result of that, the software, the hardware, all that stuff that’s there. So I know a lot of attorneys, they are more interested in hanging down towards that low end of that spectrum that you are talking about in that self-collection, but do you have any tips or advice? You talked about documentation and all that stuff, but anything other for attorneys when they are dealing with the self-collection methods in a DIY environment, what should they be concerned with or any tips or whatever advice that you can give them?

Brett Burney: Yeah. Well, we have friends that are in the eDiscovery space and they will typically always say never look at self-collection. We have people that — the idea of the self-collection; in other words, you are directing the client to do these actions that perhaps might be better done by a forensic professional, like you John, somebody that has the experience of doing this, that if they run into a problem that they can better explain some of the issues that come up.

So anytime obviously that you are involving a client to do something from a technical perspective, there is always going to be, and there should be, a little bit of a red flag or a little bit of a doubt in the sense that you may have to oversee that process a little closer, make sure that they are doing everything appropriate.

I mean frankly, it just comes down to the idea that in some cases it might be a much better process to have a professional, whether it’s just me from a consulting standpoint or you doing hands-on from the forensic side, if you want to make sure that you are preserving all of the information and that there is no issue that could come up with the fact that, oh, I meant to grab that, but I missed the screen, or I didn’t know that I had to have this setting turned on when I connected it to the computer to collect the information that way. It’s just those little things like that that can really trip up a litigation matter, John, at least from my standpoint. That’s what I see many times that that people can kind of get themselves in trouble.

When they have somebody like you on their side, you obviously have been doing this long enough so that you know exactly what to do, if you run into any issues, you can explain this better, not only to the attorney, but also to the court.

(00:20:03)

John W. Simek: Well, I appreciate that Brett. As a follow on, what do you say about attorneys that want to do this for their cases, because we get that too?

Brett Burney: Yeah. You mean doing it internally at their firm, like doing it themselves, doing the collection?

John W. Simek: That or doing the collections from their own clients.

Brett Burney: Yeah. And again, my personal opinions many times are along the lines of, why would you put yourself in that chain of custody, is what we typically call it. I mean in some cases, again, some people are comfortable with that, some people have a comfort level with the technology, but you know more times than not a lot of the attorneys that we engage with many times will just tell us flat out that they are not that tech savvy, they don’t have a comfort level with that.

I am not saying that you have to be an IT administrator or a network administrator of some kind, but there is making sure that you are at comfort level, because frankly, you are the one that’s going to have to explain any issues that may come up to either the court or to the opposing counsel or whatever the case may be on those.

So I have worked with some attorneys, just like you guys, that there is maybe a paralegal in their office that does have a very high comfort level with the technology side. They have done this before. In some cases, after I have talked with them, I have a confidence that they are able to go in and do that collection. And other times, after talking with a couple of the attorneys or their assistants, I tell them you are going to have to go to your client and you need to pay some bigger bucks to have a professional do this, because it’s just not worth it going down the line. There are too many factors sometimes that can get in the way.

And we haven’t even started talking about some of the encryption capabilities there. Sometimes the lawyers will get a device in, but the client is not around. Well, unless you have access to the passcode or something else to be able to get into that device, then you are stuck.

Sharon D. Nelson: You are. I think very often attorneys are penny-wise and pound-foolish when it comes to this. DIY generally is not the way to go.

Brett Burney: Yeah, yeah. And just quickly, Sharon, I feel for them sometimes, because I know if they had a comfort level with being able to explain what’s involved with the technology or being able to explain to the client why it’s necessary to pay a few hundred, a few thousand dollars sometimes to get this fully preserved from a forensic side, if they had that comfort level, then there probably wouldn’t be that many issues on this.

But I understand many times they don’t explain that from the outset and so they don’t want to go back to the client later on and say oh, by the way, we have got to spend another $2,000 to get these computer’s image, I understand that, and I wish we could change that from the standpoint of having them address that maybe early on in the case. Some cases they may not know about it until later on, but in many cases it’s more of just an education aspect I find many times.

Sharon D. Nelson: Yeah, that’s why we tell folks, buy an hour or two of the time of a digital forensics technologist and learn a little bit about the issues and then you are better prepared to go to the client and budget for the case.

Brett Burney: Absolutely.

Sharon D. Nelson: Let’s move over to the cloud, which is associated these days with just about everything, our refrigerator, the Internet of Things generally, Alexa, Smart TVs, I mean you name it, all these thermometers that now appear to have voice recorders in them. So is data from the cloud an option for evidence preservation?

Brett Burney: I would say yes. I definitely want to hear John’s comment on this. I think maybe even as soon as a few years ago it was not the best option or it was a more difficult option, how about I put it that way. Today, for example, most of the time I am dealing with a lot of iPhones today and the access to iCloud is really an amazing benefit from this perspective that we are talking about. In some cases it can be a stop measure, but the idea is iCloud is basically Apple’s umbrella for many different services.

For example, you have an iPhone, you take a picture on your iPhone, immediately it gets copied up to your pictures in iCloud. They also have data backup. They allow you to synchronize your calendar and your contacts. There are many, many different layers and features involved within the iCloud system or the iCloud service available from Apple. It’s free. You have additional space where you can do automatic backups of your phone;

And in fact, I was just talking with Jim and this attorney he is talking with, for that client we know that she had an iCloud backup of one of the older phones and when she got a new phone, she did not restore the information from iCloud and so of course it was like a brand-new phone. In other words, it didn’t have all of the information that she had used on the old phone.

So in some cases the cloud could absolutely be a bona fide location where you could go to maybe grab some of that information. In fact, you could even go to icloud.com, for example, outside of the realm of the mobile device and you can get access to things like your calendar and some of your documents and your photos, for example, even through a web browser on a regular computer. So there are quite a number of options there that you can do.

(00:24:57)

Again, not the least of which, if you have a phone and you know that information is in the iCloud that you want to get back onto your mobile device, like deleted — not necessarily deleted text messages, but older text messages, you can get a phone, login with your iCloud account and all of that information will be restored and converted back on to that new iPhone device to where you can get access to some of that information at times.

John W. Simek: Brett, you mentioned earlier about encryption, can you talk a little bit about the impact that encryption has on the preservation process?

Brett Burney: Well, yeah, I mean you did a great job in starting that presentation off, talking about what a lot of people know the FBI case with the tragedy in San Bernardino and the rigmarole with the FBI trying to access information off of the mobile device that the perpetrator had used at the time. They felt like there was some information that was on there, but some people will remember some of the headlines during that sad time, because we couldn’t get access to it. There was a passcode on that device and there was no way to get access into the device unless you had that passcode.

In fact, by default, if you turn a passcode on in most iPhones, there is an option down there that will say it will automatically delete all the data on the phone if you have 10 failed attempts at the passcode. In other words, if you try to put in 10 failed attempts, then everything gets deleted, which frankly, it made a lot of parents upset, because the kids try to get into the phone and so they mess it up and it erases. But it can be used.

I mean this is Apple’s stance from the security. They take very strong stance on privacy and security and they have that option, along with the fact that they were not “cooperating” with the FBI, because there were some information in iCloud, for example, for that particular device that Apple was not — again, it depends on who you talk to, they were not cooperating with the FBI to get access to that information.

Other devices work a little bit differently, the way that I have seen, but it can get a little hairy, right? I mean encryption is pretty much part and parcel of the devices that we use today. It should be. I feel like that that’s a better way to go, but it can certainly be a hang-up when you are trying to get access to the information.

I mean in a sad last quick note here, I see this come up a lot of times that it’s a passcode on an encrypted phone that somebody passed away, either through an accident or through age or so and the family wants to get access to the information on those phones. I know it’s a little bit different than the litigation side we are talking about, but it just kind of is another example of where that information is protected there, and unless they have some way to get to know what that passcode was or that password on that device, then there is really no way people can get on to it.

And again, so back to the litigation side, it doesn’t matter if you have a court order or what, if you don’t have the actual password or the credentials to get into that phone, in many cases you are stopped there.

Sharon D. Nelson: Well, I want to say that I had the pleasure of being at that session and it was terrific and I know the rest of the audience thought so too, but what would you identify Brett as the top takeaways from that presentation?

Brett Burney: I would say a lot of people Sharon appreciated the fact that we did show my nonscientific spectrum. A lot of them had that exact question with taking screenshots. I think we even had a question John, where people were asking, is this admissible, is there anything we have to do, if we are taking some of the screenshots, and again, of course, the famous infamous lawyer answer, it depends, it all depends on several factors that’s involved with the matter of whether screenshots are going to be adequate.

I mean they are better than nothing many times, but of course you just have to have that confidence level of who did the information and when was it done and if it can be.

But I know a lot of people also appreciated the fact that we did spend some time on the forensic side. Again, that’s just becoming, almost, I would say within the next couple of years, you guys already see this because I know the work that you do, but within the next few years this has to be almost every litigation matter is going to involve some form of a mobile device, simply just because this is the way that people work today, it’s where we live, it’s where we communicate today, and I think people just appreciated the fact that we covered sort of a broad range of different things.

I mean I was geeking out on John talking about Grayshift and some of the other encryptions and all this other stuff that we could really get down some rabbit holes and stuff. But I think the vast majority of the audience there were legal practitioners and so they were really just looking for some prime takeaways from the sense of here are my different options that I can look at, and hopefully, just like we talked about Sharon, some of them walked out with this idea like yeah, I do need to make sure that I build in a little bit of additional expenses now for something that’s more important that maybe I didn’t have to think about five years ago, but it is absolutely going to be part and parcel of almost every litigation today to know that we may have to preserve information for mobile devices.

Sharon D. Nelson: Well, you are quite right, times have changed a lot and I will tell you that our Digital Forensics Lab looks like smartphone city these days, because that’s what we are all using to do everything on. And so that’s in there these days, and it never used to be like that, but now there are phones and different chargers and adapters and everything else just to deal with all the various models of phones. So it’s crazy.

We want to thank you Brett, as we always do, for being our guest. You not only are a wonderful friend, but you have a great way of communicating technical knowledge in a nontechnical way so that audiences can understand you and I know our audience appreciates that. So thanks for being with us today.

Brett Burney: Thank you. I am blushing; you can’t see me, but thank you so much.

Sharon D. Nelson: You should have had your Skype camera on.

John W. Simek: Well, that does it for this edition of Digital Detectives. And remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or in Apple Podcasts. And if you enjoyed our podcast, please rate us on Apple Podcasts.

Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, technology, and cybersecurity services at senseient.com.

We will see you next time on Digital Detectives.

[Music]

Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.

[Music]

Continue Reading