Mobile Devices in Electronic Discovery




Abstract

Once upon a time they were used to make phone calls; now they are our mobile offices. Mobile devices are a prolific aspect of modern society. For the majority of people, they serve as a primary means of communication, both active and passive, as well as management systems for daily activities. Today's smart phones offer a broad variety of capabilities, many of which were once only available on computers. Mobile devices have the ability to store our text messages, e-mails with attachments, photos, videos, and web browsing histories. They support third-party chat applications like Viber or Skype and even hyper-sophisticated calendar applications such as PocketLife, which tracks the date/time and geolocation of the user.

Recently, proper preservation and production of SMS messages from mobile devices has become a key issue in ediscovery. In 2013 an Illinois court issued the Defendant sanctions of more than $900,000 USD for, among other things, failing to preserve and produce text messages (In re: Pradaxa [1]). The volume of mobile device data is increasing, and as business and mobile devices become ever more closely intertwined, the potential responsiveness of mobile device data is equally on the rise.

Matters involving mobile devices are far more fluid and dynamic than traditional computer forensic matters (think hard drives) because the technology can be quite volatile. These challenges, coupled with the continuous and rapid evolution of available mobile device technologies, require digital forensic investigators to keep a close eye on best practices for managing forensic acquisition and analysis of mobile device data.

OVERVIEW

It is rare to conduct an investigation or ESI preservation effort that does not involve a mobile device.
A recent survey [2] indicated the following:

- 90% of American adults have a cell phone
- 58% of Americans have a smart phone
- 32% of Americans own an e-reader
- 42% of Americans own a tablet computer
- 29% of American cell phone owners describe their devices as something they cannot imagine living without

They cannot live without their devices because everything is there. They can send and receive e-mail, read or edit documents, get directions, check the news, check their Twitter, Instagram and Facebook accounts, calendar their appointments, send text messages to friends, and engage in a host of other personal and work-related activities. What used to require a full-size computer is now handled by a powerful, portable device.

TERMINOLOGY

Forensic collection of mobile devices: Acquisitions of mobile devices are a snapshot in time. They are so volatile and constantly changing that two separate acquisitions will likely never yield the exact same data. If nothing else, dates and times of items will constantly be altered.

Mobile Application Management (MAM): Distributing, managing, and tracking mobile applications via software and services.

Jailbreak (iOS): This is a method of device modification which is applicable to iOS devices only. It allows an end-user to have super control over their Apple device. It turns the device from

a read-only system, on which only App Store approved programs can be loaded, into an open-ended system on which all kinds of third-party software (including malware) can be installed. iOS devices that are already jailbroken by an end-user can be easier for forensic examiners to acquire, in some instances.

Android Rooting: Rooting an Android-style tablet or phone is akin to the iOS jailbreak method; it allows an end-user to manipulate and modify the inner-most parts of the phone.

In the field of digital forensics, terminology and concepts can evolve rapidly. It's critical to remain up-to-date with emerging acronyms and definitions as well as technologies and methods.

TYPES OF MOBILE PHONE ESI

A mobile device can typically contain e-mail, text messages, documents, calendars, contacts, call logs, voice mail (visual voice mail is also stored on the device), graphics and video files. An overwhelming majority of user data and evidence is found within databases (typically SQLite format). Mobile forensic tools as well as standalone database forensic software are used to parse the contents of these databases for easy-to-read reporting. SQLite databases may also contain deleted records that have not yet been purged.

THE CLOUD: AN IMPORTANT POTENTIAL SOURCE OF MOBILE ESI

Cloud backups represent an important source of mobile ESI. For example, iCloud can store documents, contacts, pictures, and much more. This area of storage can be useful for examiners and litigators, and was recently an area of vulnerability for certain U.S. celebrities whose accounts were hacked, resulting in theft of their private photographs. Apple has since invoked two-factor authentication for Apple ID, which is how users log in to iCloud.

Fig 1. iCloud configuration options. A wide variety of data types can be backed up in the cloud.

MOBILE DEVICE MANAGEMENT

Mobile Device Management solutions are a growing enterprise in their own right, allowing employers to manage the hordes of varying Android and Apple devices containing their often-confidential ESI. An MDM solution allows administrators to manage aspects of a mobile device including: (a) what kind of PIN code or password is required for the device itself; (b) if and how e-mail data should be encrypted on the device; (c) the ability to wipe the phone if it is lost or stolen; and even (d) the ability to disable things like the phone's camera when inside sensitive areas of a company. Of these, e-mail encryption is one of the most attractive features of an MDM platform. Administrators can encrypt the phone itself, and also set a separate password to unlock the container housing the company's e-mail (think of it as a password-protected ZIP file on your computer: an added layer of protection). For preservation purposes, the MDM software isn't going to help, since you cannot collect remotely. (As of this writing there are no options for remote collection of mobile devices.)

Figure 2: Touchdown MDM PIN code to access e-mail (source: nau.edu)

COMPUTER FORENSICS VS. MOBILE DEVICES: VOLATILITY

Tablets and phones contain very small solid-state chips for memory functions and storage, versus the spinning-platter hard drives of former-generation computers. There are two primary chip types: (1) NAND flash and (2) NOR chips. The former are by far the most common and are cheapest to manufacture. NOR chips are typically used to store a type of software called firmware, which tells the phone what it is and how to turn on: very basic instructions. NAND chips can be broken up into logical divisions called partitions (just like computer hard drives) and often have a few: one for mobile operating system code, one for restoration/fail-safe code, and one for what is normally referred to as a user partition. This area is where applications and user-created items are typically housed, and is an area of keen focus for ESI acquisition and investigations. NAND chip technology is small, cheap and quite fast; however, its volatility comes into play when things like wear leveling and garbage collection are considered.

Wear leveling is a process that essentially spreads the writing of data across the tiny NAND chip so that no single area takes all of the abuse involved in said data writes (imagine hitting only the 15 wedge on a dartboard over and over throughout your games). The developers of these chips employ this method to improve the shelf life of their hardware, but it can create both problems and opportunities for the forensic examiner: in some situations, wear leveling can cause data loss; in others, it can mean that data was arbitrarily moved before a deletion event, therefore leaving behind some traces.
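The TYPES OF MOBILE PHONE ESI section above notes that SQLite stores may still hold deleted records that have not yet been purged. The following Python script is an added example, not code from the Altep paper or from any forensic tool. It builds a constructed SMS-style table (the schema and the message texts are invented, not a real iOS or Android schema), deletes one row, and checks whether that row's text is still present in the raw database file. It then shows the two things that do purge it: SQLite's secure_delete pragma, which zeroes freed cell space at deletion time, and VACUUM, which rebuilds the file from live rows only.

```python
"""Why a deleted SQLite row can still be carved from a mobile message store.

Added example; the table layout and message contents are constructed
and do not reproduce any real device schema.
"""
import os
import sqlite3
import tempfile

# Text of the row we will delete; unique enough to search for in raw bytes.
MARKER = "CONSTRUCTED-DELETED-MESSAGE-7f3a9c"


def build_sms_db(path, secure_delete=False):
    """Create a three-row message table, then delete the middle row."""
    con = sqlite3.connect(path)
    # secure_delete decides whether SQLite overwrites freed cell space with
    # zeros. Set it explicitly: some builds default it to ON, others to OFF.
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    con.execute(
        "CREATE TABLE message ("
        "id INTEGER PRIMARY KEY, address TEXT, date INTEGER, text TEXT)"
    )
    con.executemany(
        "INSERT INTO message (address, date, text) VALUES (?, ?, ?)",
        [("+15550001", 1412164800, "Meeting moved to 3pm"),
         ("+15550002", 1412168400, MARKER),
         ("+15550003", 1412172000, "Call me when you land")],
    )
    con.commit()
    # A normal application-level delete: the cell is unlinked from the page,
    # but with secure_delete OFF its bytes stay in the page's free space.
    con.execute("DELETE FROM message WHERE text = ?", (MARKER,))
    con.commit()
    con.close()


def live_texts(path):
    """What a logical export (plain SELECT) would report."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT text FROM message ORDER BY id")]
    con.close()
    return rows


def marker_in_raw_file(path):
    """Crude carving: search the raw database bytes for the deleted text."""
    with open(path, "rb") as f:
        return MARKER.encode() in f.read()


def purge(path):
    """VACUUM copies live rows into a fresh file image, dropping freed space."""
    con = sqlite3.connect(path, isolation_level=None)  # VACUUM needs autocommit
    con.execute("VACUUM")
    con.close()


def demo(secure_delete=False):
    """Run the whole cycle in a temp dir and report what was recoverable."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sms.db")
        build_sms_db(path, secure_delete)
        result = {
            "live_rows": live_texts(path),
            "carvable_after_delete": marker_in_raw_file(path),
        }
        purge(path)
        result["carvable_after_vacuum"] = marker_in_raw_file(path)
        return result


if __name__ == "__main__":
    for mode in (False, True):
        print("secure_delete=%s -> %s" % (mode, demo(mode)))
```

The SELECT never shows the deleted row in either mode, which is why a logical export alone can understate what a file-system or physical acquisition of the same database would reveal; the difference between the two modes is what a carving pass over the raw file can recover.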

ACQUISITION TYPES FOR MOBILE DEVICES

In order of least thorough to most complete:

- Logical: Active data only, from call log databases, SMS messages, etc.
- File System: Same as logical, but will also contain all contents of the file system(s), the databases themselves and other items; better for analysis.
- Physical: Both active and deleted data are acquired. Acquires file systems in their entirety as well as free space on the flash chips. Is akin to a computer hard drive image, but not verifiable in the same way. Is not available on all devices.
- Manual: scroll and photograph / video record.

MOBILE PHONE FORENSIC TOOL EXAMPLES

a. Cellebrite UFED and Physical Analyzer
b. Oxygen Forensic Analyst Suite
c. Blacklight for iOS Devices
d. Lantern
e. XRY

These tools can all acquire and analyze a broad array of mobile devices, but often times, much to the dismay of examiners, two different tools assessing the same mobile device can yield entirely different results (as seen in Figure 3). Some tools do not parse databases correctly and miss various call detail records, or get the right records but misrepresent the associated dates and times. It takes a trained examiner with a variety of tools to adequately extract and assess mobile phone data. It is important to not let a single tool have the final say.

Figure 3: Different tools can report findings in different ways.

iOS DEVICES

iOS devices have an equally large market share compared to their Android counterparts and come with their own unique challenges. A few key things to know:

a. To date examiners are unable to acquire e-mail data from iPhone 4S, 5, 5c, 5s, iPad 2, 3 and Air devices. E-mail can be extracted from the original iPad, as well as from the iPhone 4 and older devices, as the early-generation technologies could not yet encrypt e-mail.

b. Examiners must have passwords or PIN codes for the home screen of iOS devices, as there is no way to circumvent the PIN code in most cases (unless the phone is a 4 or below and/or the device was jailbroken ahead of time by an end-user).
c. If a backup password was set (this is different from an iTunes/Apple ID and PIN code), this will be required to extract file system or logical data (this can possibly be circumvented in some instances, by way of something called an Advanced Logical Extraction).
d. iTunes sometimes creates backups of iOS automatically when the device is attached to the computer. Examiners can parse these backups with forensic tools (see examples on the facing page). These same types of backups can be gathered from iCloud if the user had this option enabled. There are very few reliable methods to acquire data from these repositories, but Altep's examiners are equipped to do so completely and correctly.

ANDROID EXAMPLES

Within the Android arena, applications are much more open-ended and generally less secure. Applications come and go, and need not be signed or proven to be safe, unlike apps which are available in the iOS App Store. Android applications come in the form of .apk files, and are often manipulated by hackers to gain control of the device and steal personal information. However, forensic examiners can assess Android applications for signs of infection or data egress. Regarding backups of Android data, a few third-party backup tools are available, but these are not widely used and are rarely encountered by examiners. Most user-created data on an Android device is backed up to the phone's registered Google account.

CERTIFICATION EXAMPLES

- Cellebrite Certified Logical Operator (CCLO)
- Cellebrite Certified Physical Analyst (CCPA)
- AccessData Mobile Phone Examiner (AME)
- Blackbag Tech Mac and iOS Certified Forensic Examiner (MiCFE)

Figure 4: If enabled, the passcode will be required before acquisition can occur.
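The tools section above warns that two tools can report the same records with different dates and times. One common cause, supplied here as background the paper itself does not spell out, is that Apple's platforms count time from 2001-01-01 00:00:00 UTC (the Cocoa or "Mac absolute" epoch), in seconds or, in newer iOS versions, nanoseconds, while most tools and Android databases use the Unix epoch of 1970-01-01. The following Python helper is an added example, not code from the Altep paper or from any forensic tool. It guesses the epoch and unit of a raw integer from its magnitude (a heuristic, and therefore an assumption that must be confirmed against the actual schema and tool documentation for the device at hand), normalises it to UTC, and shows how a Cocoa-seconds value read as Unix seconds lands about 31 years in the past. The sample values are constructed.

```python
"""Normalise raw mobile-database timestamps so different tools can be compared.

Added example. The magnitude-based classification is a heuristic assumption,
not a rule: confirm it against the real schema before relying on it.
"""
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Apple's absolute-time epoch (2001-01-01 00:00:00 UTC) in Unix seconds.
COCOA_EPOCH_OFFSET = 978307200


def classify(raw):
    """Guess encoding from magnitude.

    The bands below are disjoint for dates from roughly mid-January 2001
    through 2031, which covers the records an examiner normally meets.
    Values outside that window (or Cocoa nanosecond values from the first
    days of 2001) are ambiguous and must be resolved by hand.
    """
    raw = int(raw)
    if raw < COCOA_EPOCH_OFFSET:             # 0 .. ~9.8e8
        return "cocoa_seconds"
    if raw < COCOA_EPOCH_OFFSET * 10**3:     # ~9.8e8 .. ~9.8e11
        return "unix_seconds"
    if raw < COCOA_EPOCH_OFFSET * 10**6:     # ~9.8e11 .. ~9.8e14
        return "unix_ms"
    if raw < COCOA_EPOCH_OFFSET * 10**9:     # ~9.8e14 .. ~9.8e17
        return "cocoa_ns"
    return "unix_ns"


def to_utc(raw):
    """Return (aware UTC datetime, guessed encoding) for a raw value."""
    raw = int(raw)
    kind = classify(raw)
    if kind == "cocoa_seconds":
        delta = timedelta(seconds=raw + COCOA_EPOCH_OFFSET)
    elif kind == "unix_seconds":
        delta = timedelta(seconds=raw)
    elif kind == "unix_ms":
        delta = timedelta(milliseconds=raw)
    elif kind == "cocoa_ns":
        # Integer arithmetic keeps microsecond precision without float error.
        delta = timedelta(seconds=COCOA_EPOCH_OFFSET, microseconds=raw // 1000)
    else:
        delta = timedelta(microseconds=raw // 1000)
    return UNIX_EPOCH + delta, kind


def naive_unix_reading(raw):
    """What a tool that blindly assumes Unix seconds would report."""
    return UNIX_EPOCH + timedelta(seconds=int(raw))


def misread_skew_years(raw):
    """How far (in whole years) the naive reading is from the normalised one."""
    correct, _ = to_utc(raw)
    return round((correct - naive_unix_reading(raw)).days / 365.25)


def all_agree(raws):
    """True if every raw value normalises to the same instant (to the second)."""
    instants = {to_utc(r)[0].replace(microsecond=0) for r in raws}
    return len(instants) == 1


if __name__ == "__main__":
    # Constructed: the same instant, 2014-10-01 12:00:00 UTC, as four tools
    # might store or export it.
    samples = [433857600, 1412164800, 1412164800000, 433857600 * 10**9]
    for raw in samples:
        when, kind = to_utc(raw)
        print(raw, kind, when.isoformat())
    print("agree:", all_agree(samples))
    print("naive reading of Cocoa seconds:", naive_unix_reading(433857600).isoformat())
    print("skew in years:", misread_skew_years(433857600))
```

When two tools disagree on a timestamp, normalising both raw values this way and comparing the results is a quick check on whether the discrepancy is a parsing error in one tool rather than a genuine difference in the records.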

Figure 5: Parsing a backup of SMS messages

Figure 6: Various types of data can be collected.

About Our Experts

Warren G. Kruse II, CISSP, CFCE, EnCE, DFCP
Vice President, Digital Forensics, Altep, Inc.
wkruse@altep.com

With more than 30 years' experience in law enforcement and forensic science, Warren is the author of Computer Forensics: Incident Response Essentials. The diverse range of matters Warren has assisted with includes theft of trade secrets, Wikileaks investigations, misappropriation of intellectual property, breach of contract, internal employment disputes, fraud investigations, and wage and hour class actions, among others. Warren currently serves as the President of the Digital Forensics Certification Board.

Timothy LaTulippe, CCE, EnCE, MiCFE, NECS, DFCP
Senior Computer Forensic Manager, Altep, Inc.
tlatulippe@altep.com

Timothy has served as an expert witness in a variety of State, Federal and military proceedings. His broad experience includes matters involving trade secret theft, medical malpractice, intellectual property theft, unfair business practice, fraud and internal investigations. Additionally, Timothy is the author of Working Inside the Box: Real Life Example of GDS in a Forensic Examination, which was published in The Journal of Digital Forensics, Security & Law, and The Need for Targeted Collections in a Diminished Economy.

[1] In re Pradaxa (Dabigatran Etexilate) Prods. Liability Litig., No. 12-md-2385, 2013 WL 6486921, at *17, *20 (S.D. Ill. Dec. 9, 2013)
[2] www.pewternet.org/fact-sheets/mobile-technology-fact-sheets

Altep, Inc. | 800.263.0940 | www.altep.com
Offices: Seattle, San Francisco, Palo Alto, San Diego, Phoenix, El Paso, Dallas, Houston, Bentonville, Chicago, Atlanta, Red Bank, London, Dublin
2014 Altep, Inc. All Rights Reserved.