Takeaways from “Mobile Evidence in Modern E-Discovery”

Tuesday, SANS instructors Paul Henry and Benjamin Wright joined Cellebrite’s forensic technical director, Yuval Ben-Moshe, for our joint webinar: Mobile Evidence in Modern E-Discovery. Ben discussed the need for policy that protects both employer and employee during collections, especially in BYOD organizations. Paul talked about the technical aspects of obtaining all necessary responsive data. And Yuval went over mobile forensics requirements, as well as the potential for alternative mobile forensics roles such as audits.

Questions and answers

Participants asked Ben, Paul and Yuval a number of good questions:

Q. Have the courts upheld the right of an employee to forcibly take hold of an employee’s personal device?

A. Ben noted that most precedent around mobile devices involves laptops. While no case stands out as the definitive precedent, he said it was likely that courts have upheld the employer’s right to seize any device deemed to hold evidence important to that employer.

Paul added that according to a December ZDNet article, an employee sued and won a sizable settlement after the employer wiped their personal device.

Q. If an employer/university is monitoring their own systems, can they get in trouble for seeing and/or collecting in logs Facebook or other personal site passwords that traverse their network?

A. Ben said that in situations where monitoring is an unavoidable part of security policy, it is wise for employers to be completely transparent about what they are doing, why they are doing it, and the risks it poses to their employees.

Q. Wouldn’t it be wise to do both a logical analysis–quick and easy to find data–and then pursue the physical data with a more intrusive analysis if necessary after the logical analysis?

A. Paul agreed with this assessment, saying that as often as he can, he starts with a basic logical extraction. This helps him define search terms and other examination goals so that his physical extractions are more efficient. In addition, logical extractions can validate existing data found during physical extractions, while using a tool such as a hex editor can validate logical extractions as well.

Q. MPE+ recently added support to port collections to Summation and the like. Is that coming down the pipeline for Cellebrite? If so, what is the anticipated launch date?

A. Yuval told listeners that UFED XML reports can already be ingested in tools such as Exterro Fusion, Nuix, Palantir and others. Moving forward, we plan to increase the number of systems with which we integrate.

Q. When will Cellebrite support BlackBerry 10?

A. Although Yuval could not provide a specific date, we will support logical extractions from BlackBerry 10 in an upcoming release.

Finally, we saw one question we didn’t get a chance to respond to: “Are you saying that because a tool is available to audit mobile devices, it should be done, regardless of the cost of implementing such systems/agents to the data?

No. Not all businesses have a need to audit their employees’ mobile devices. Rather, what we were saying is that mobile forensics tools like Cellebrite UFED make it easier to perform audits when they are called for. A basic logical or even limited file system extraction can be done in minimal time, can ensure compliance with any internal policy or industry regulation, and finally, provides existing data in the event of litigation.

Webinar poll questions

We asked three questions during the webinar:

  1. Does your employer/clients have a policy governing audits and collections?
  2. How often have you encountered mobile devices in your e-discovery in the past year?
  3. How do you manage forensics and/or collections?

In response to the first question, whether employer or clients had a policy governing audits and collections, 7% of our 54 respondents said their employer or client had a policy that covered both issued and BYO devices. Eight percent said BYOD was not permitted but that policy covered issued devices. Another 8% said their employer or client had no policy at all. Meanwhile, 15% said their employer or client both issue devices and permit BYOD, but do not have a policy for BYOD collections.


In response to the second question, how often they had encountered mobile devices in e-discovery in the past year, one-quarter of the 54 respondents said they had never encountered mobile evidence. Nine percent said they had encountered them between 1 and 5 times, while just 2% said they had seen mobile devices in their e-discovery more than six times in the past year.


Finally, asked how they manage mobile forensics and/or collections, 24% said they did so in-house. Only 3% each said they outsource directly, or belonged to a firm that performed forensics and/or collections for enterprise and law firm clients. One respondent each said they outsourced to a lawyer who employs a forensic examiner, or outsourced to a lawyer who in turn outsourced to a third party.


Additional resources

The webinar archive is available now from SANS. If you previously registered, you can view it at the webinar link. If you did not previously register, login with your SANS account to view and hear the archive.

We’re also making available a white paper. “Asking and Answering the Right Questions About Mobile Forensics Methods” is for attorneys employing or outsourcing to a digital forensic examiner, or consulting forensic examiners seeking to help attorneys better understand what you do. Download it here to learn more about effectively communicating with one another via proper documentation and other channels.