Data Searching Strategies For Mobile Devices That Can Help Counsel Win Cases

Saturday, December 1, 2007 - 00:00

With complex litigation cases becoming increasingly unwieldy due to cost and the vast amount of data requiring review, counsel is continuously looking for more efficient ways to find the "smoking guns." In that pursuit, critical data that is stored on electronic devices other than computers may be overlooked, potentially threatening the outcome of a case.

Mobile devices, such as cellular phones and PDAs, are now vital to how organizations do business. Configured to transmit and receive data as well as log activity, these mobile offices have many of the same functionalities as traditional desktops and laptops.

With businesses relying so heavily on mobile devices, the information that can be gathered from such devices is becoming similar to what can be forensically retrieved from computers. The types of data that can be retrieved from mobile devices include corporate e-mail, personal e-mail, Short Message Service (SMS) text messages, personal notes, calendar entries, photographs, address books, and inbound and outbound call logs. When placed into a timeline of events, this type of information can be invaluable to prove certain facts for a case.

With literally hundreds of devices on the market, there is no single standard for the information that can be retrieved from all devices. Because of this, every device related to a dispute needs to be evaluated for the type of information that it may contain. For example, a Motorola RAZR V3 phone will contain more information than a Motorola i415.

Retrieving data from a mobile device is a specialized skill set that requires a professional computer forensic examiner with experience in handling mobile devices. When selecting an examiner to work on such engagements, counsel needs to specifically ask what types of devices they are familiar with and how many times they have successfully analyzed these particular devices in the past. Handling mobile devices requires specialized software, appropriate cabling and, most importantly, the requisite professional experience.

Once an expert is identified, counsel should also ascertain the types of devices that will be forensically examined. Before any work can begin, the expert will need to know the manufacturer and the exact model of the device. When collecting the devices to be analyzed, it is prudent to make sure that both data and power cables are also included.

As with all electronic evidence, it is critical that the chain of custody is properly documented. When devices are being passed from the user to a supervisor, then to a human resources professional who will provide them to counsel and finally to the forensic expert, there is a risk that the integrity of the evidence may be challenged.

Employees often use other methods of communication beyond traditional corporate e-mail, especially if they know that their e-mail is being monitored. "Out-of-band communication," the use of alternative communications, includes web-based e-mail, instant messaging and SMS text messages.

Use of out-of-band communication by employees can provide organizations involved in an investigation with evidence that can prove to be critical. One such example involved several company employees who were working on a major confidential project and who resigned and went to work for a direct competitor of their employer. The employees' departure was well orchestrated and came as a shock to everyone at their company. After their departure, their former employer grew concerned that the employees had taken key data and ordered a forensic analysis to be conducted on their company-issued computers. Every employee involved in the project had access to multiple desktop and laptop computers, resulting in the need for a large investigation. At the conclusion of the investigation, it was determined that there was little evidence of any wrongdoing.

However, at the time of their departure, each employee turned over their company-issued cellular phone to human resources. The human resources staff casually mentioned to counsel that the cellular phones were being secured in a cabinet in case they were needed. What at first appeared to be an insignificant statement proved to be an invaluable lead in the ongoing internal investigation.

Once it was learned that the cellular phones had not been used since the employees' departure, the phones were immediately provided to a forensic expert for analysis. The analysis revealed that some of the employees had been sending SMS text messages to each other. The messages in question were short, but discussed specific data that they intended to take. These messages led to the discovery that highly confidential company data was copied to an external hard drive prior to the employees' departure. The external hard drive, which was later recovered from the competing company, revealed that the former employees had copied a vast amount of their former employer's data to the competing company's server.

In matters where mobile devices might provide evidence, the preservation of those devices is critical. Counsel should be aware that individuals might intentionally delete relevant data or wipe all user-created data from the entire device. Depending on the device, the destruction may be permanent and unrecoverable. Evidence of the intentional destruction of data may not exist. However, a device that has been in service for many months yet contains absolutely no data might be evidence as well.

For example, an individual at the center of an ongoing investigation was ordered to preserve the data contained on their BlackBerry device. When the device was turned over, the only data present were three default new user messages located in the message folder. The date of those messages reflected when the party used the "wipe handheld" option to destroy all of the data.

To further complicate data recovery, many devices have an option to set a password that may prevent data recovery if the password is either not provided or unknown. In addition, some devices automatically wipe the user data after the password has been entered incorrectly a certain number of times. In the case of a BlackBerry, a user may also have "content protection" enabled. This feature encrypts the user's data and the only way to decrypt the data is to use the correct password.

In another matter, involving a cellular phone with a built-in digital camera, the user had taken photographs, which were considered relevant evidence, and stored the photos in a user folder. These photographs were later used to exonerate another company employee of alleged wrongdoing.

The information contained on mobile devices can at times provide a "smoking gun" on their own or when placed in a timeline and used in conjunction with other facts in a case.

In order to effectively take advantage of all available relevant data that may be contained on such devices, it is important for counsel to retain a highly skilled computer forensic expert who is experienced in conducting a complete analysis of these types of devices.

Jerry F. Barbanel is the Executive Vice President in charge of IT Risk and Litigation Consulting for the Financial Advisory and Litigation Consulting Services practice at Aon Consulting. Mr. Barbanel can be reached at (201) 966-3494. Bruce W. Pixley is a Senior Director in charge of the West Coast Computer Forensics group at Aon Consulting. Mr. Pixley can be reached at (805) 298-0031.

Please email the authors at jerry_barbanel@aon.com or bruce_pixley@aon.com with questions about this article.