Yesterday was a day that tech enthusiasts and ordinary people alike had circled on their calendar since it was confirmed as the date of Apple’s press event to unveil the iPhone5. Apple proudly boasted that it had sold 400 million iOS devices by the end of June of this year, which can in part be attributed to the smoothly operating software running on their devices. Advances in mobile high tech have made these portable computers accessible and their presence inescapable even among late adopters. What is simple and intuitive from a user standpoint, however, can prove challenging and fickle to a computer forensics expert.
Richard Lutkus of Law Technology News writes that there are many factors that must be considered when investigating an iOS device, such as “device model, generation, storage capacity, iOS version, iCloud activation status, and passcode protection status. One example of the importance of these identification questions is iCloud, which is Apple's information syncing service. The presence and status of this service may be important because information found on an iOS device could be automatically synced to one or several computers or other iOS devices.”
Lutkus points out that mobile device forensics requires skills that not all computer forensic professionals possess. For example, an important part of the preservation of a mobile device is isolation from all data networks to ensure no changes occur on the device, such as a remote wipe. A few ways of isolating the hardware include a signal blocking “Faraday” bag, removing the SIM card, or enabling airplane mode. From there, the two methods of imaging an iOS device are logical capture and physical imaging. Lutkus explains, “Logical capture is the preservation of all active (no file fragments or other ephemera) files on a device. This method is similar to an iTunes backup in that it saves the same types of data as iTunes backups. In contrast, physical imaging captures everything that a logical capture does, but includes deleted file fragments, temporary cache files, and other ephemera. Generally, physical imaging is more desirable if it is technically possible. Though slower, this approach is widely accepted, is compatible with most forensic tools, and preserves all data on a device.”
There are other challenges in preserving the data in an iOS device, especially hardware newer than the iPhone 4S and Ipad 3, which include encryption of even unallocated space of memory when a passcode has been used. The quality of data one might expect to find after imaging and decrypting could include: “contacts, call logs, speed dials, voicemail, Bluetooth devices, screenshots, bookmarks, web clips, calendars, messages, email, attachments, internet history, internet cookies, photos, audio recordings, notes, videos, music, app list, keystroke information, GPS coordinates, wi-fi network memberships, user names and passwords, map searches, app-specific data, cell tower information, serial number, device name, device IMEI (international mobile equipment identify number), device serial number, version, and generation, etc.” This type of information can be crucial in the first 7 to 10 days after litigation hits, as we have previously covered here. These devices seem to know so much about us that companies like Apple have had to release statements to state they are not recording and storing your location in response to allegations of privacy invasion. With the number of expected sales of the iPhone5 potentially adding between a quarter and a half percent to America’s GDP, there will be millions more iPhone’s will making their ways into the hands of consumers and eventually, no doubt, into the hands of mobile forensic experts.
So, what do you think? Have mobile computing devices, such as smartphones and tablets, been material to your eDiscovery work? Have other mobile operating systems, such as Blackberry or Android, presented challenges that differ from iOS? Please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.