How our forensic R&D makes the previously impossible, possible

Before we launched our HTC and Motorola user lock bypass, our forensic customers had to go through a painstaking process to recover data from these Android devices: obtain a search warrant to serve on Google, either to recover backup data or to obtain or reset the device user lock. In some cases, such as with a phone that was turned off, they may even have had to serve paper on the carrier as well.

This process could lead to delays because it could take days or even weeks to secure the paperwork and reach a law enforcement liaison. The providers’ success was limited by the type and complexity of the user lock—if they agreed to comply at all. This could slow down or altogether halt investigations’ progress.

Thanks to our work on this bypass, a number of happy customers have been able to access critical evidence which they previously could not. Said Deputy Steven Mueller of the Defiance County (Ohio) Sheriff’s Office and the Northwest Ohio Technology Crimes Unit: “I was given an HTC PD15100 in December with a pattern lock. I was unable to acquire it then. Today with the updates it is being acquired as I write this.” Mueller later updated us that he and his team were able to successfully carve graphics files from the image.

To learn more about how to perform user lock bypass and file system or physical extraction on HTC Android devices, see our new video:

Takeaways from “Mobile Evidence in Modern E-Discovery”

Tuesday, SANS instructors Paul Henry and Benjamin Wright joined Cellebrite’s forensic technical director, Yuval Ben-Moshe, for our joint webinar: Mobile Evidence in Modern E-Discovery. Ben discussed the need for policy that protects both employer and employee during collections, especially in BYOD organizations. Paul talked about the technical aspects of obtaining all necessary responsive data. And Yuval went over mobile forensics requirements, as well as the potential for alternative mobile forensics roles such as audits.

Questions and answers

Participants asked Ben, Paul and Yuval a number of good questions:

Q. Have the courts upheld the right of an employer to forcibly take hold of an employee’s personal device?

A. Ben noted that most precedent around mobile devices involves laptops. While no case stands out as the definitive precedent, he said it was likely that courts have upheld the employer’s right to seize any device deemed to hold evidence important to that employer.

Paul added that according to a December ZDNet article, an employee sued and won a sizable settlement after the employer wiped their personal device.

Q. If an employer/university is monitoring their own systems, can they get in trouble for seeing and/or collecting in logs Facebook or other personal site passwords that traverse their network?

A. Ben said that in situations where monitoring is an unavoidable part of security policy, it is wise for employers to be completely transparent about what they are doing, why they are doing it, and the risks it poses to their employees.

Q. Wouldn’t it be wise to do both a logical analysis–quick and easy to find data–and then pursue the physical data with a more intrusive analysis if necessary after the logical analysis?

A. Paul agreed with this assessment, saying that as often as he can, he starts with a basic logical extraction. This helps him define search terms and other examination goals so that his physical extractions are more efficient. In addition, logical extractions can validate existing data found during physical extractions, while using a tool such as a hex editor can validate logical extractions as well.

Q. MPE+ recently added support to port collections to Summation and the like. Is that coming down the pipeline for Cellebrite? If so, what is the anticipated launch date?

A. Yuval told listeners that UFED XML reports can already be ingested in tools such as Exterro Fusion, Nuix, Palantir and others. Moving forward, we plan to increase the number of systems with which we integrate.

Q. When will Cellebrite support BlackBerry 10?

A. Although Yuval could not provide a specific date, we will support logical extractions from BlackBerry 10 in an upcoming release.

Finally, we saw one question we didn’t get a chance to respond to: “Are you saying that because a tool is available to audit mobile devices, it should be done, regardless of the cost of implementing such systems/agents to the data?”

No. Not all businesses have a need to audit their employees’ mobile devices. Rather, what we were saying is that mobile forensics tools like Cellebrite UFED make it easier to perform audits when they are called for. A basic logical or even limited file system extraction can be done in minimal time, can ensure compliance with any internal policy or industry regulation, and finally, provides existing data in the event of litigation.

Webinar poll questions

We asked three questions during the webinar:

  1. Does your employer/clients have a policy governing audits and collections?
  2. How often have you encountered mobile devices in your e-discovery in the past year?
  3. How do you manage forensics and/or collections?

In response to the first question, whether employer or clients had a policy governing audits and collections, 7% of our 54 respondents said their employer or client had a policy that covered both issued and BYO devices. Eight percent said BYOD was not permitted but that policy covered issued devices. Another 8% said their employer or client had no policy at all. Meanwhile, 15% said their employer or client both issue devices and permit BYOD, but do not have a policy for BYOD collections.


In response to the second question, how often they had encountered mobile devices in e-discovery in the past year, one-quarter of the 54 respondents said they had never encountered mobile evidence. Nine percent said they had encountered them between 1 and 5 times, while just 2% said they had seen mobile devices in their e-discovery more than six times in the past year.


Finally, asked how they manage mobile forensics and/or collections, 24% said they did so in-house. Only 3% each said they outsource directly, or belonged to a firm that performed forensics and/or collections for enterprise and law firm clients. One respondent each said they outsourced to a lawyer who employs a forensic examiner, or outsourced to a lawyer who in turn outsourced to a third party.


Additional resources

The webinar archive is available now from SANS. If you previously registered, you can view it at the webinar link. If you did not previously register, log in with your SANS account to view and hear the archive.

We’re also making available a white paper. “Asking and Answering the Right Questions About Mobile Forensics Methods” is for attorneys employing or outsourcing to a digital forensic examiner, and for consulting forensic examiners seeking to help attorneys better understand what they do. Download it here to learn more about communicating effectively with one another via proper documentation and other channels.