Setting the stage for mobile device e-discovery

Electronically stored information on mobile devices—mobile ESI—is quickly becoming relevant, if not critical, in a wide variety of corporate investigations and litigation including employment, intellectual property and trade secrets, securities, and other areas. Even so, many organizations face a number of challenges in obtaining mobile ESI, not least of which is the blurry and sometimes shifting line between personal and corporate data.

Scott Giordano, Exterro’s Corporate Technology Counsel, applies legal, business, and technical skills to problem-solving in corporate ethics and compliance, information security, and electronic discovery. Together with Cellebrite’s forensic technical director Yuval Ben Moshe, Scott will present during Exterro and Cellebrite’s complimentary webcast, Step Up Your ECA Game Plan with Mobile Device Data Collection.

I took the opportunity to speak with Scott about the need for mobile forensics as part of a holistic e-discovery approach, how privacy laws affect mobile e-discovery globally, and the need for strong policy as a result—no matter the size of an organization.

Christa Miller: Many companies resist collecting mobile device evidence because they see it as redundant, especially when their burden of proof is only preponderance of the evidence, and they must take proportionality and cost into account. What’s the tipping point between collecting enough, and being thorough in building a case?

Scott Giordano: While there is a fair amount of redundancy between what’s already on the network and what’s on mobile devices, much of the information likely to resolve a matter can only be found on the latter—geolocation information, for example.

I can tell you that the first time I saw a Cellebrite presentation, I was made a believer.  The best way to meet the preponderance standard is to identify those few “documents” – pieces of information, really, that succinctly demonstrate to a jury a particular chain of events and merit only one conclusion.

Christa Miller: You’re a Certified Information Privacy Professional (CIPP) in both the US and Europe. How do privacy laws in each region affect mobile devices in the workplace? How do they overlap, and how are they different, especially with regard to BYOD? What might US corporations take away from European corporate compliance, particularly around concepts like “the right to be forgotten”?

Scott Giordano: Employee-owned mobile devices are rapidly being woven into the fabric of U.S. corporate operations via BYOD, but in the EU they’re still considered completely separate and off limits.

As a result, if U.S. multinationals want to use the same model, they’re going to have to take into account regulations at both the EU- and local levels, build policies that adhere to them (including the right to be forgotten to the extent it’s implemented) and deploy if allowable, which is not always a given.

Christa Miller: Some corporate counselors recommend that companies audit mobile devices upon employees’ exits and at other designated intervals. Others shy from collecting BYOD data because they don’t want to be liable for access to deeply private data such as personal health information. Can you give examples of how companies can address the need to protect their own data, vs. the need to protect employees’ privacy?

Scott Giordano: All of this has to be addressed via policy from the introduction of the mobile device into the corporate firewall, otherwise you’ll potentially face different outcomes in every jurisdiction and even then it will likely vary from case to case.  This lack of policy clarity is essentially the reason for the result in the Cotton v. Costco opinion that was handed down this year.

Christa Miller: Smaller companies, including SMBs, may perceive that corporate compliance is only for the Fortune 500. From an infosec and employee privacy standpoint, what steps can these firms take to protect themselves in the event of BYOD-related litigation?

Scott Giordano: SMBs have to take these issues seriously and, again, it goes back to developing policies and setting expectations for both the employer and employee.  Employees often fail to understand that employer data that’s on their devices is still the employer’s property and litigation over privacy and intellectual property can (and often does) get ugly.  Moreover, those devices broaden the corporate attack surface and have to be addressed from that standpoint.  Better to prevent or mitigate it in the first place.

Christa Miller: You are speaking on Exterro and Cellebrite’s upcoming webcast (May 14), Step Up Your ECA Game Plan with Mobile Device Data Collection. What do you hope viewers come away with from the presentation?

Scott Giordano: I hope that they’ll come away with the following:

  1. Mobile devices are rapidly becoming part of the larger e-discovery universe
  2. Early data- and early case assessment for mobile devices are crucial tasks for litigation success
  3. The time to prepare is now.

Read more about Cellebrite’s perspective in Exterro’s interview with Yuval. To learn more from Scott and Yuval about the necessary policies to defensibly collect mobile data and best practices for speeding up the mobile data collection process, register for Exterro and Cellebrite’s complimentary webcast, Step Up Your ECA Game Plan with Mobile Device Data Collection, airing on May 14.

Takeaways from “Mobile Evidence in Modern E-Discovery”

Tuesday, SANS instructors Paul Henry and Benjamin Wright joined Cellebrite’s forensic technical director, Yuval Ben-Moshe, for our joint webinar: Mobile Evidence in Modern E-Discovery. Ben discussed the need for policy that protects both employer and employee during collections, especially in BYOD organizations. Paul talked about the technical aspects of obtaining all necessary responsive data. And Yuval went over mobile forensics requirements, as well as the potential for alternative mobile forensics roles such as audits.

Questions and answers

Participants asked Ben, Paul and Yuval a number of good questions:

Q. Have the courts upheld the right of an employee to forcibly take hold of an employee’s personal device?

A. Ben noted that most precedent around mobile devices involves laptops. While no case stands out as the definitive precedent, he said it was likely that courts have upheld the employer’s right to seize any device deemed to hold evidence important to that employer.

Paul added that according to a December ZDNet article, an employee sued and won a sizable settlement after the employer wiped their personal device.

Q. If an employer/university is monitoring their own systems, can they get in trouble for seeing and/or collecting in logs Facebook or other personal site passwords that traverse their network?

A. Ben said that in situations where monitoring is an unavoidable part of security policy, it is wise for employers to be completely transparent about what they are doing, why they are doing it, and the risks it poses to their employees.

Q. Wouldn’t it be wise to do both a logical analysis–quick and easy to find data–and then pursue the physical data with a more intrusive analysis if necessary after the logical analysis?

A. Paul agreed with this assessment, saying that as often as he can, he starts with a basic logical extraction. This helps him define search terms and other examination goals so that his physical extractions are more efficient. In addition, logical extractions can validate existing data found during physical extractions, while using a tool such as a hex editor can validate logical extractions as well.

Q. MPE+ recently added support to port collections to Summation and the like. Is that coming down the pipeline for Cellebrite? If so, what is the anticipated launch date?

A. Yuval told listeners that UFED XML reports can already be ingested in tools such as Exterro Fusion, Nuix, Palantir and others. Moving forward, we plan to increase the number of systems with which we integrate.

Q. When will Cellebrite support BlackBerry 10?

A. Although Yuval could not provide a specific date, we will support logical extractions from BlackBerry 10 in an upcoming release.

Finally, we saw one question we didn’t get a chance to respond to: “Are you saying that because a tool is available to audit mobile devices, it should be done, regardless of the cost of implementing such systems/agents to the data?”

No. Not all businesses have a need to audit their employees’ mobile devices. Rather, what we were saying is that mobile forensics tools like Cellebrite UFED make it easier to perform audits when they are called for. A basic logical or even limited file system extraction can be done in minimal time, can ensure compliance with any internal policy or industry regulation, and finally, provides existing data in the event of litigation.

Webinar poll questions

We asked three questions during the webinar:

  1. Does your employer/clients have a policy governing audits and collections?
  2. How often have you encountered mobile devices in your e-discovery in the past year?
  3. How do you manage forensics and/or collections?

In response to the first question, whether employer or clients had a policy governing audits and collections, 7% of our 54 respondents said their employer or client had a policy that covered both issued and BYO devices. Eight percent said BYOD was not permitted but that policy covered issued devices. Another 8% said their employer or client had no policy at all. Meanwhile, 15% said their employer or client both issue devices and permit BYOD, but do not have a policy for BYOD collections.


In response to the second question, how often they had encountered mobile devices in e-discovery in the past year, one-quarter of the 54 respondents said they had never encountered mobile evidence. Nine percent said they had encountered them between 1 and 5 times, while just 2% said they had seen mobile devices in their e-discovery more than six times in the past year.


Finally, asked how they manage mobile forensics and/or collections, 24% said they did so in-house. Only 3% each said they outsource directly, or belonged to a firm that performed forensics and/or collections for enterprise and law firm clients. One respondent each said they outsourced to a lawyer who employs a forensic examiner, or outsourced to a lawyer who in turn outsourced to a third party.


Additional resources

The webinar archive is available now from SANS. If you previously registered, you can view it at the webinar link. If you did not previously register, log in with your SANS account to view and hear the archive.

We’re also making available a white paper. “Asking and Answering the Right Questions About Mobile Forensics Methods” is for attorneys employing or outsourcing to a digital forensic examiner, or consulting forensic examiners seeking to help attorneys better understand what you do. Download it here to learn more about effectively communicating with one another via proper documentation and other channels.

Next Tuesday! SANS’ Mobile Evidence in Modern E-Discovery Webcast

Many of the conversations we had at LegalTech last month indicate that mobile devices are increasingly being seen as sources of electronically stored information (ESI) in their own right. While the email and files often found on them can be stored elsewhere, other records such as images, text messages, chat transcripts and travel routes – along with logs and metadata about those records – are often not.

It’s this ESI which is becoming critical to audits, civil lawsuits, criminal prosecutions and internal investigations. And so, as Law & Forensics’ Daniel Garrie recently pointed out:

Litigants appearing before a court seeking mobile discovery must clearly define and identify the relevant e-discovery and then address the cost and burden of the mobile electronic discovery compliance…. corporations and individuals have been ordered to produce, sometimes at considerable expense, computerized information, including e-mail messages, telephone records, and SMS records.

Next Tuesday, SANS instructors Paul Henry and Benjamin Wright will join Cellebrite Senior Forensic Technical Director Yuval Ben-Moshe to discuss these issues. Included will be what happens when deleted data are considered responsive evidence, proactively addressing preservation and collection requirements, and how mobile forensics fits an entire spectrum of e-discovery activities.

Join us on Tuesday, February 19 at 1 p.m. ET for Mobile Evidence in Modern E-Discovery!

Join us at LegalTech East this week

Booth 1305 at LegalTech

Tuesday, January 29 through Thursday, January 31 we’ll be exhibiting at LegalTech East, the New York-based conference that helps attorneys and their consultants to stay in step with rapidly changing technology.

In the not so distant past, mobile devices were viewed as a “redundant” source of electronically stored information. Emails, documents and even text messaging were stored largely on the BlackBerry® Enterprise Server, rendering mobile forensics unnecessary.

However, BlackBerry has lost ground to more versatile platforms such as iPhone® and Android™. Last October, the US Immigration and Customs Enforcement agency announced that it was ending its BlackBerry contract in favor of issuing iPhones to more than 17,600 employees. The week previously, consulting firm Booz Allen Hamilton made a similar announcement, adding Android devices to its mix.

That’s in addition to the many corporations worldwide which have adopted the “bring your own device” (BYOD) philosophy—opening their doors to iPhone, Android, Windows Phone, and other platforms besides BlackBerry. Like those issuing iPhones and Androids, these companies are responding to employees’ desire for greater versatility.

More versatility, however, means more complications for attorneys and litigation support professionals:

  • Responsive email is no longer guaranteed to be backed up to a server or a company-issued PC.
  • Communications, likewise, are not guaranteed to be taking place where the company can monitor them. (Think text- and instant-messaging or chat apps, which bypass carrier SMS and any email backups that may be set up.)
  • Especially when it comes to BYOD, personal data may become interspersed with company data, opening companies to privacy and liability issues.

And so, in the past year or so, some of our clients have spoken with us about the need for tools that can support thorough, legally defensible e-discovery from mobile devices.

We hope you’ll stop by Booth 1305 to visit with us and discuss these issues, as well as learn how our tools support ESI collection. If you can’t make it, however, please join us in three weeks as we sponsor a SANS webcast, “Mobile Evidence in Modern E-Discovery: Risks, Techniques and Opportunities,” which will cover these issues and more!