If you are a savvy technology user, you probably understand that every time you use your mobile device, you leave a digital trail. These data footprints may track every email, text, call, geolocation, website, and search executed on your device, and much of this data on the device is recoverable by a digital forensic expert.
However, an average user may not understand that mobile device data trails might be lurking in locations separate from the device itself. The data footprints you create on your phone may be available on computers or servers, sometimes long after your device is gone.
For attorneys and legal professionals, mobile devices are rich with potential evidence. Understanding the myriad locations where mobile data can live is critical. When collecting data in a legal matter or investigation, know that mobile device information may be accessible from alternative locations, even if the device is unavailable or no longer exists.
Mining Mobile Backup Data Sources
Cell phones are no longer only for placing phone calls. Instead, smart mobile devices are mini-computers, which makes much of the same important data that is stored on a desktop or laptop also accessible on a mobile device.
As such, it is increasingly important for users to back up, or synchronize, their mobile devices, to ensure nothing is lost if the device is damaged or misplaced. Almost everything that happens on the phone is available for backup, including: text messages, phone logs, contact lists, pictures, videos, and GPS map information. However, it is important to understand that for email messages, even if the user accessed email on a mobile device, it is usually most effective to access email from an email server.
Mobile device data can be backed up to a computer or the cloud, and both locations should be considered when looking for alternative mobile data sources. For example, when a mobile device is plugged in to a computer, there is some synchronization that may automatically take place, along with updating the data or software programs stored in the phone. Furthermore, a wireless synchronization eliminates the need for the device to be physically connected to the computer to back up data.
A mobile device backup is of critical importance when the device is no longer available. For example, you are using an iPhone 6, backed up to iCloud. You decide to upgrade to an iPhone X, trading in the iPhone 6. If data on your old phone was subject to an investigation, data from the iPhone 6 could still be backed up to iCloud. The same holds true for an Android, where you can back up to Google or other third-party apps.
Consider The Carriers’ Data Stores
The wireless carrier is another location to consider when conducting a mobile device investigation. Each cell phone carrier has its own data retention periods and policies. As such, the available information from a carrier will vary from provider to provider.
As a legal professional or investigator, learn each carrier’s policy so you know if it is a worthwhile effort to obtain data from a carrier in a specific case. If you need to get user data from a carrier, work directly with the user to request retained data or get the user’s consent so you can request the data from the carrier. If the user is not cooperating and an active litigation is pending, consider serving the carrier with a subpoena for the data sources.
It is important to note that in most civil litigation situations, a mobile device is being investigated with the user’s consent. To begin most mobile device data collections, the examiner will need the user to provide the screen lock code and any secondary level passwords for other apps on the device, such as an encrypted iTunes backup password.
Getting access to password information is easier if the organization has a robust mobile device management system in place, controlling the credentials issued to a mobile device user. Take extra caution in situations where an employee has already left the organization and turned in his or her device without the password. If the user controls the password or the password is not available to the organization, the digital forensic expert may not be able to access the device without additional steps and costs.
iDiscovery Solutions is a strategic consulting, technology, and expert services firm – providing customized eDiscovery solutions from digital forensics to expert testimony for law firms and corporations across the United States and Europe.