Mobile Device Collections — a Potential Minefield for Lawyers

  • eDiscovery

As mobile devices have become ubiquitous, so has the need for lawyers to collect information from them to use in litigation. Due to the unique data collection challenges posed by these devices, “mobile device forensics” has developed into its own field with many forensic practitioners developing expertise in this area.

Mobile Device 101: Security and Storage

Since mobile devices are just that — mobile — and because they can be expensive and in high demand, they are susceptible to loss or theft, resulting in heightened security concerns. With this heightened concern comes a greater need for security and, thus, more difficult data collections. 

As data volumes increase, so does the difficulty of storing such a large amount of data on a small and portable device. This has driven mobile devices toward ever larger storage capacities and toward new storage strategies. It is one of the reasons it is now common to store data in the cloud and only access that data as needed from a mobile device. The cloud represents nearly unlimited storage capacity and is less susceptible to data loss, so we don’t need to store everything on our mobile device; we just need the mobile device to display that information when we want to see it.

This has made it very difficult for lawyers to understand where key data resides and to know how to collect that data in the most timely and cost-efficient ways.

For this reason, lawyers should understand that not everything they see on a mobile device is actually stored on it. Even for data that does reside on a mobile device, it may be more efficient to collect it from a cloud source than from the device. Lastly, some applications are “security-first oriented,” so the options for collecting their data are limited compared with similar applications. Collecting from these applications is more difficult, time-consuming, and expensive than a lawyer might initially expect.

The following sections describe common strategies for collecting data from different application types.

Apps That Store Their Data on the Mobile Device — Mostly

For iPhones, the most straightforward way of getting data that exists on the device itself is through a tool that collects and processes an iPhone backup. On the surface, this process appears easy, but in practice, it comes with several obstacles. 

First, the data needs to exist on the iPhone, but that’s not always the case. As an example, iMessages reside on the iPhone when the custodian is not syncing their messages to iCloud. Some people sync their messages to iCloud so that they can see those messages on every device they use and can respond to messages on any of their devices. The messages remain in sync, meaning that if a message is created or answered on one device, it shows as created or answered on all devices. However, when a custodian configures devices in this way, their messages and attachments to those messages reside in iCloud, and not on the iPhone, iPad, or Mac they are using. So, if we try to collect messages from one device, some data may be missing. 

To collect such messages from a single device, we need to force all messages to that device and then download them. However, in some circumstances, Apple may retain some attachments in iCloud and not download them. In these instances, the collection would capture the message, but the attachment may be “missing” because it was not on the phone or in the backup. Another “gotcha” for lawyers is that if a custodian has a lot of messages, it may take a long time to download the messages from iCloud to the iPhone for collection. So, if we don’t wait long enough for the download to occur, we may only get a partial collection. In short, when dealing with Apple’s message sync, multiple collections of both the iCloud message data as well as the local phone and iCloud backup may be necessary. 
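The “missing attachment” problem described above can be checked mechanically once a backup has been taken: compare the attachments that the message database references against the files the backup manifest actually contains. The script below is an added example written for this article, not a tool from Epiq or from any forensic vendor. It assumes the iOS backup layout in which `Manifest.db` has a `Files` table (`fileID`, `domain`, `relativePath`, `flags`, `file`), `sms.db` has an `attachment` table whose `filename` column holds `~/Library/SMS/Attachments/...` paths, and attachments are backed up under the `MediaDomain` domain; both databases are constructed in memory here so the check runs offline.

```python
"""Completeness check: are the attachments referenced by an iPhone backup's
sms.db actually present in the backup's Manifest.db?

Added example (not from the article or any vendor tool). Assumptions:
  * Manifest.db has a Files table (fileID, domain, relativePath, flags, file).
  * sms.db has an `attachment` table whose `filename` column looks like
    "~/Library/SMS/Attachments/<hash>/<hash>/<uuid>/<name>".
  * Attachments are stored in the backup under the "MediaDomain" domain,
    so the "~/" prefix maps onto a relativePath in that domain.
Both databases below are constructed samples, not data from a real device.
"""
import sqlite3
from typing import Dict, List, Set

# Assumption: domain under which iOS backs up SMS/iMessage attachments.
ATTACHMENT_DOMAIN = "MediaDomain"


def build_sample_manifest() -> sqlite3.Connection:
    """Constructed stand-in for Manifest.db: sms.db plus two of three attachments."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
        "relativePath TEXT, flags INTEGER, file BLOB)"
    )
    rows = [
        ("id-sms", "HomeDomain", "Library/SMS/sms.db", 1, None),
        ("id-a1", ATTACHMENT_DOMAIN, "Library/SMS/Attachments/0a/10/UUID-1/IMG_0001.jpeg", 1, None),
        ("id-a2", ATTACHMENT_DOMAIN, "Library/SMS/Attachments/0b/11/UUID-2/contract.pdf", 1, None),
    ]
    con.executemany("INSERT INTO Files VALUES (?, ?, ?, ?, ?)", rows)
    return con


def build_sample_sms_db() -> sqlite3.Connection:
    """Constructed stand-in for sms.db: three attachments are referenced,
    but the third was never downloaded from iCloud before the backup ran."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE attachment (ROWID INTEGER PRIMARY KEY, filename TEXT, transfer_name TEXT)"
    )
    rows = [
        (1, "~/Library/SMS/Attachments/0a/10/UUID-1/IMG_0001.jpeg", "IMG_0001.jpeg"),
        (2, "~/Library/SMS/Attachments/0b/11/UUID-2/contract.pdf", "contract.pdf"),
        (3, "~/Library/SMS/Attachments/0c/12/UUID-3/video.mov", "video.mov"),
    ]
    con.executemany("INSERT INTO attachment VALUES (?, ?, ?)", rows)
    return con


def referenced_attachments(sms_db: sqlite3.Connection) -> List[str]:
    """Every attachment path the message database points at."""
    cur = sms_db.execute(
        "SELECT filename FROM attachment WHERE filename IS NOT NULL ORDER BY ROWID"
    )
    return [row[0] for row in cur]


def backed_up_paths(manifest: sqlite3.Connection, domain: str) -> Set[str]:
    """Relative paths the backup manifest records for one domain."""
    cur = manifest.execute("SELECT relativePath FROM Files WHERE domain = ?", (domain,))
    return {row[0] for row in cur}


def to_relative_path(filename: str) -> str:
    """Map the sms.db "~/..." form onto the manifest's relativePath form."""
    if filename.startswith("~/"):
        return filename[2:]
    return filename.lstrip("/")


def missing_attachments(manifest: sqlite3.Connection, sms_db: sqlite3.Connection) -> List[str]:
    """Attachments referenced by sms.db that the backup does not contain."""
    present = backed_up_paths(manifest, ATTACHMENT_DOMAIN)
    return [
        name for name in referenced_attachments(sms_db)
        if to_relative_path(name) not in present
    ]


def completeness_report(manifest: sqlite3.Connection, sms_db: sqlite3.Connection) -> Dict[str, object]:
    """Summary a collection specialist can put in the collection notes."""
    refs = referenced_attachments(sms_db)
    missing = missing_attachments(manifest, sms_db)
    return {
        "referenced": len(refs),
        "missing": len(missing),
        "missing_files": missing,
        "complete": not missing,
    }


if __name__ == "__main__":
    report = completeness_report(build_sample_manifest(), build_sample_sms_db())
    print(f"{report['referenced']} attachments referenced, {report['missing']} missing")
    for name in report["missing_files"]:
        print("  not in backup:", name)
```

A non-empty `missing_files` list is the signal that the download from iCloud had not finished (or that Apple kept the attachment in iCloud), so the collection should be repeated or supplemented with an iCloud collection rather than treated as complete.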

Apps That Store Their Data in the Cloud

Some apps exist on a device and look like any other app but always store their data in the cloud. In effect, the app is essentially a fancy web browser that displays cloud-based data in the app on the device, but does not store it locally, or may only store some cached content temporarily. Good examples of this include banking apps, webmail apps (e.g., Gmail), and enterprise apps like Teams and Slack. For apps like these, the best collection is from the cloud source (e.g., Microsoft 365, Gmail, etc.) and not from the mobile device. 

Apps That Store Their Data Encrypted on the Device, and Won’t Allow It To Be Backed Up

While many apps store their data on the iPhone, some apps won’t allow their data to be backed up by iTunes or to iCloud. Additionally, the app data is typically encrypted, and the keys needed to decrypt the data are stored in the user’s keychain on an Apple device or in the keystore for an Android device. Ephemeral messaging apps such as Signal and Telegram are examples. For these apps, a forensic examiner must use special tools to collect the entire file system (including the keychain or keystore) rather than relying on parsing data from a backup; a full-file-system collection is what makes communications from apps like Signal recoverable. Cellebrite and Magnet Forensics have tools that collect the entire file system and the keychain or keystore for Signal. Telegram data, however, may be only partially cached in an encrypted container, while its full data set resides in the cloud. For Telegram, as with other apps that store their data in the cloud, the best collection is directly from the online account instead of the mobile device.

Apps That Don’t Back Up Locally

Standard forensic tools typically rely on the backup application programming interface of the manufacturer. In the case of Android Backup, third-party app developers can write their code to not include the application data. Many Android app developers exclude their data from backups, which is why most standard forensic collection tools cannot collect and parse data from third-party apps. Even Google excludes a majority of their standard apps, such as Drive and Messages, from Android backups. In these Android cases, the forensic examiner must pivot to other validated methods, such as a full-file system collection, to collect third-party app data. 
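Whether an Android app’s data will appear in a standard backup is declared by the developer in the app’s manifest, so the question can be triaged before a collection is attempted. The script below is an added example written for this article, not a vendor tool. It relies on documented Android behaviour: the `android:allowBackup` attribute on `<application>` defaults to true when absent, and `android:fullBackupContent` (Android 6 through 11) or `android:dataExtractionRules` (Android 12 and later) name an XML rules file whose `<exclude>` entries remove paths from the backup. The manifests and rules file below are constructed samples, not taken from any real app.

```python
"""Triage an Android app's backup eligibility from its AndroidManifest.xml.

Added example (not from the article). Assumptions, all from Android's
documented manifest semantics:
  * <application android:allowBackup="..."> defaults to true when absent.
  * android:fullBackupContent (Android 6-11) and android:dataExtractionRules
    (Android 12+) reference an XML rules file; <exclude domain=".." path=".."/>
    entries in that file drop data from the backup.
The manifests and rules file below are constructed samples.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample 1: no allowBackup attribute at all -> default (true).
MANIFEST_DEFAULT = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application android:label="Notes"/>
</manifest>"""

# Constructed sample 2: developer opted out of backups entirely.
MANIFEST_OPT_OUT = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.securechat">
  <application android:label="SecureChat" android:allowBackup="false"/>
</manifest>"""

# Constructed sample 3: backups allowed, but a rules file trims what is included.
MANIFEST_WITH_RULES = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <application android:label="Messenger" android:allowBackup="true"
      android:fullBackupContent="@xml/backup_rules"
      android:dataExtractionRules="@xml/data_extraction_rules"/>
</manifest>"""

# Constructed sample rules file (Android 12+ format); the same <exclude>
# element is used by the older <full-backup-content> format.
RULES_XML = """<?xml version="1.0" encoding="utf-8"?>
<data-extraction-rules>
  <cloud-backup>
    <exclude domain="database" path="messages.db"/>
    <exclude domain="sharedpref" path="secrets.xml"/>
  </cloud-backup>
</data-extraction-rules>"""


def _android_attr(elem: ET.Element, name: str):
    """Read an attribute from the android: namespace (None when absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def backup_eligibility(manifest_xml: str) -> Dict[str, object]:
    """Classify the app as opted out, partially backed up, or fully eligible."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")

    raw = _android_attr(app, "allowBackup")
    allow_backup = True if raw is None else raw.strip().lower() == "true"
    rule_attrs = [
        name for name in ("fullBackupContent", "dataExtractionRules")
        if _android_attr(app, name) is not None
    ]

    if not allow_backup:
        verdict = "opted-out"       # nothing from this app in a standard backup
    elif rule_attrs:
        verdict = "partial"         # rules file decides; inspect its <exclude> entries
    else:
        verdict = "eligible"        # default backup covers the app's data

    return {
        "package": root.get("package"),
        "allow_backup": allow_backup,
        "rule_attributes": rule_attrs,
        "verdict": verdict,
    }


def excluded_paths(rules_xml: str) -> List[Tuple[str, str]]:
    """(domain, path) pairs the rules file removes from the backup.
    Works for both <full-backup-content> and <data-extraction-rules>."""
    root = ET.fromstring(rules_xml)
    return [(e.get("domain", ""), e.get("path", "")) for e in root.iter("exclude")]


if __name__ == "__main__":
    for manifest in (MANIFEST_DEFAULT, MANIFEST_OPT_OUT, MANIFEST_WITH_RULES):
        result = backup_eligibility(manifest)
        print(result["package"], "->", result["verdict"], result["rule_attributes"])
    print("excluded:", excluded_paths(RULES_XML))
```

An “opted-out” or “partial” verdict is the cue to plan a full-file-system collection (or a cloud collection, where the app keeps its data there) instead of relying on the standard backup parser.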

Apps That Sync Data to Computers

Some messaging apps allow a user to register a computer application or web browser to “sync” their data, enabling use of the messaging app on their computer or browser. While a user is able to access their data on a computer and their mobile device, there is no “central server” hosting this data. Their mobile device is the primary source for the app data, with the authorized computers playing “second fiddle” and receiving only what the mobile device forwards to them. In the case of WhatsApp, a user may register their computer using a QR code, which will allow them to see their recent message history on the registered computer and send or receive messages. Messages and threads that exist prior to registering the computer will not be synced, so if we are searching for older messages, we need to keep this fact in mind. Some forensic tools use this feature to collect WhatsApp data remotely, but such a collection captures only the recent message data that the phone forwards and likely will not include the entire WhatsApp message history. Only the phone holds the complete set of messaging data, making the phone the best source for WhatsApp data.

Conclusion

These are just a few examples of data collection issues that arise with some of the more common apps in use today. As with everything in the emerging technologies race to increase usability and security, what is true today may not be true tomorrow, as each advancement in technology seeks to improve one or the other.

Lawyers who miss important data can face downstream consequences in their investigations and litigations. Mistakes can lead to negative outcomes such as the need to re-collect (sometimes in a foreign country), wasted time and money, non-compliance with discovery stipulations and orders, and negative case impacts like dismissals, summary judgments, adverse inference jury instructions, and, of course, overall client dissatisfaction.

When you need important data for your investigation or litigation and you aren’t sure where it resides or how it is best collected, consult and strategize with your forensic data collection specialist.

Jason Paroff
Jason Paroff, Senior Director, Forensics Practice Lead, Epiq  
Jason Paroff is a senior director of forensics and collections for Epiq and leads the U.S. forensics and data collections practice. Paroff has examined numerous computers and computer systems for evidence of fraud, theft of trade secrets, harassment, and other improper civil and criminal conduct. He has testified in federal district court as an expert witness and has been a conference presenter, and a guest lecturer at Columbia University’s School of Business. Paroff has also taught computer forensics to Fortune 500 corporations, attorneys and members of foreign police and intelligence agencies.

Andrew Crouse
Andrew Crouse, Director, Forensics, eDiscovery Solutions, Epiq
Andrew Crouse is the Director of Digital Forensics for Epiq, where he leads digital forensic examinations, consulting engagements, service delivery, and forensic practice requirements. Crouse manages a team of consultants, analysts, and lab operations personnel for Epiq U.S. operations. He has extensive experience leading complex digital forensic and eDiscovery projects for Fortune 500 companies across the globe, as well as developing, implementing, and auditing quality control procedures in digital forensics labs. He is a recognized SME in DOMEX, computer forensics, mobile forensics, and eDiscovery data risk management, and held a Top-Secret Clearance with DHS. Crouse has testified as an expert witness in federal and state courts.


The contents of this article are intended to convey general information only and not to provide legal advice or opinions.
