How to Best Tackle Mobile Device Remote Collections
Remote work has forced employees to become even more reliant on their mobile devices. While mobile devices are extremely easy to use, the storage on them can be highly complex. Consequently, collecting data from mobile devices can be extremely challenging, especially with current social distancing practices mandating that data collections be completed remotely. Here’s how Epiq can help.
Mobile Device Collection Solutions By Operating System
Apple Products (iDevices)
Epiq has multiple solutions to conduct remote collections from Apple mobile devices. Using Apple’s existing iCloud backup environment is a simple but effective way to gain access to a user’s data. Similar to this, Apple provides a local backup method for iDevices using iTunes. Both methods provide a backup of the user content from the device, which can then be parsed by our mobile forensic software for reporting and analysis purposes.
The following are the remote collection options available for Apple iDevices:
Option 1: iTunes Backup
- Epiq ships a remote collection drive to the custodian and assists with collecting an encrypted iTunes backup of their device using the custodian’s computer.
Note: Epiq may need to install iTunes if it is not already present, or authorize updates if the installed iTunes is one or more versions behind the current release. Additionally, the custodian’s computer needs enough free space on its main hard drive to hold the backup.
Option 2: iCloud Backup
Epiq will assist the custodian in enabling iCloud Backup and creating a backup if the setting is not already enabled. If the iCloud Message Sync (Messages in iCloud) setting is enabled, Epiq must also temporarily disable it so that messages are included in the backup.
Note: Epiq needs the custodian’s iCloud account credentials and two-factor authentication code to access their backup(s), and the custodian may need to pay for additional iCloud storage if they are not already paying for this service. The monthly costs are minimal (see below), and the plan can be downgraded after the collection if the custodian does not want to continue paying monthly for iCloud storage.
Epiq’s first approach to collecting iCloud backups is to use a forensic tool to access the user’s iCloud account and collect the iCloud backup directly from Apple. However, because of Apple’s security architecture and frequent iCloud security updates, forensic tool support is not always available.
In cases where an iCloud backup cannot be collected using a forensic tool, there are several other potential approaches. One such approach involves Epiq restoring the iOS backup to a separate Epiq-owned collection phone and then imaging that phone in order to collect the data. Caution should be exercised before using this method, because the restore replaces all of the identifying information from the original device (IMEI, serial number, ICCID, MSISDN (phone number), iOS version, etc.) with the corresponding values from the Epiq-owned collection device.
Additionally, the created and last-modified dates on databases will change across the board, and there may be some unintended data overwrites. For example, an app could read the phone number of the host device and store it in a database, possibly overwriting the previous value. Also, the iOS version on the restored phone may not be the same as the version that was on the original phone.
While this method is currently the best way to collect certain data when a forensic tool collection of the backup is not possible, certain data and metadata may change unexpectedly during the process. This may raise questions from an opposing expert concerning defensibility, but at present it is the best way to accomplish a collection of an iPhone without having to handle the device.
Counsel must weigh these issues against the need to physically handle the device and the time the custodian will spend away from the device should physical handling be chosen. The collection time will vary based on the time required to download the backup. This method does not prevent the custodian from using their device during the collection. Epiq does not recommend this approach for cases of an investigative nature.
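The two checks an examiner would want before relying on these backups, as an added example that is not Epiq’s tooling: confirming that the iTunes backup from Option 1 is actually encrypted, and recording which identifying fields changed when a backup is restored to a collection phone (Option 2) so the change log is ready for any defensibility challenge. The Info.plist and Manifest.plist key names are assumed from the common backup layout and should be verified against a real backup; the sample plists are constructed.

```python
from __future__ import annotations
import plistlib
from typing import Any

# Info.plist keys that identify the source device in an iTunes/Finder backup.
# Key names are assumed from the usual backup layout; verify on a real backup.
IDENTITY_KEYS = ("IMEI", "Serial Number", "ICCID", "Phone Number", "Product Version",
                 "Build Version", "Unique Identifier", "Product Type")

def backup_is_encrypted(manifest_plist: bytes) -> bool:
    """True when Manifest.plist carries IsEncrypted=true (assumed key name)."""
    return bool(plistlib.loads(manifest_plist).get("IsEncrypted", False))

def device_identity(info_plist: bytes) -> dict[str, Any]:
    """Pull the identifying fields out of a backup's Info.plist."""
    info = plistlib.loads(info_plist)
    return {key: info.get(key) for key in IDENTITY_KEYS}

def identity_changes(original: dict[str, Any], restored: dict[str, Any]) -> dict[str, tuple]:
    """Fields that differ between the custodian's device and the collection phone the
    backup was restored to; these belong in the collection log."""
    return {key: (original[key], restored[key])
            for key in IDENTITY_KEYS if original[key] != restored[key]}

# Constructed sample plists standing in for real backup files (not from any device).
ORIGINAL_INFO = plistlib.dumps({
    "IMEI": "000000000000001", "Serial Number": "CUSTODIAN0001", "ICCID": "8901000000000000001",
    "Phone Number": "+1 555 0100", "Product Version": "13.4", "Build Version": "17E255",
    "Unique Identifier": "00008030-0000000000000001", "Product Type": "iPhone11,2",
})
RESTORED_INFO = plistlib.dumps({
    "IMEI": "000000000000002", "Serial Number": "LABPHONE0001", "ICCID": "8901000000000000002",
    "Phone Number": "+1 555 0199", "Product Version": "13.5", "Build Version": "17F75",
    "Unique Identifier": "00008030-0000000000000002", "Product Type": "iPhone11,2",
})
MANIFEST = plistlib.dumps({"IsEncrypted": True, "Version": "10.0"})

def collection_log() -> dict[str, Any]:
    """Summarise what the examiner must note before the restored image is used as evidence."""
    return {"encrypted_backup": backup_is_encrypted(MANIFEST),
            "changed_fields": identity_changes(device_identity(ORIGINAL_INFO),
                                               device_identity(RESTORED_INFO))}

if __name__ == "__main__":
    log = collection_log()
    print("encrypted backup:", log["encrypted_backup"])
    for field, (before, after) in log["changed_fields"].items():
        print(f"{field}: {before!r} -> {after!r}")
```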
Option 3: Device shipped to Epiq for imaging
If the device must be handled (e.g., a forensic investigation, a device that requires an advanced collection method such as checkm8, or a need to photograph app data on screen), the device can be shipped to an Epiq forensic lab for imaging. The turnaround is typically one business day.
Android Devices
Android devices are generally more technically challenging to collect because of the security implemented by Google and by the phone’s manufacturer. Android has no centralized backup format or structure comparable to Apple’s iCloud, so Android devices cannot be collected from cloud backups or restores the way Apple devices can. Because of these technical challenges, Android devices need to be handled and submitted to a forensic lab for collection.
It is also important to note that Android security features often prevent the collection of third-party application data (WhatsApp, WeChat, etc.). Such data generally cannot be collected directly from the mobile device and would need to be collected separately from the service provider. Other secure messaging applications may need to be collected manually by photographing the phone’s screen, as there are no currently known methods that decrypt their locally stored data. These solutions can be discussed further with an Epiq forensic consultant. As with Apple devices, Android devices may be shipped to Epiq for imaging, with a typical turnaround of one business day depending on the data being sought.
Mobile Device Management (MDM)
As part of any mobile device collection exercise, it is critical to determine whether an MDM policy has been applied to the devices. MDM can be configured to restrict the ability to collect the device, to prevent an app from backing up, or to prevent the device from backing up to the cloud. Where MDM is in use, it is a best practice to have an Epiq forensic consultant speak with the client’s IT leadership about their MDM policy prior to collecting, so that the best course of action can be determined if restrictions are in place.
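A pre-collection check of the kind that conversation with IT should produce, as an added example that is not part of Epiq’s process: it reads an exported iOS configuration profile and reports the Restrictions settings that block or constrain a backup-based collection, and inspects an InstallApplication command for the flag that prevents a managed app’s data from being backed up. The Restrictions payload keys are Apple’s `allowCloudBackup` and `forceEncryptedBackup`; the ManagementFlags bit value is assumed and should be verified against Apple’s MDM protocol documentation. The sample profile is constructed.

```python
from __future__ import annotations
import plistlib
from typing import Any

# Restrictions payload type and the two keys that matter for a backup collection.
RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"
# Assumed: ManagementFlags bit meaning "prevent backup of app data" in InstallApplication.
PREVENT_APP_BACKUP_FLAG = 4

def collection_blockers(mobileconfig: bytes) -> list[str]:
    """List MDM restrictions in a configuration profile that affect remote collection."""
    profile = plistlib.loads(mobileconfig)
    findings: list[str] = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_PAYLOAD:
            continue
        if payload.get("allowCloudBackup") is False:
            findings.append("iCloud backup disabled (allowCloudBackup=false): Option 2 unavailable")
        if payload.get("forceEncryptedBackup") is True:
            findings.append("encrypted local backups enforced (forceEncryptedBackup=true): "
                            "custodian must supply the backup password for Option 1")
    return findings

def app_backup_prevented(install_command: dict[str, Any]) -> bool:
    """True when a managed app was installed with its data excluded from backups."""
    flags = int(install_command.get("ManagementFlags", 0))
    return bool(flags & PREVENT_APP_BACKUP_FLAG)

# Constructed sample profile and command (not exported from any real MDM).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.collection-check.restrictions",
    "PayloadContent": [{
        "PayloadType": RESTRICTIONS_PAYLOAD,
        "allowCloudBackup": False,
        "forceEncryptedBackup": True,
    }],
})
SAMPLE_INSTALL = {"RequestType": "InstallApplication", "ManagementFlags": 5}

if __name__ == "__main__":
    for finding in collection_blockers(SAMPLE_PROFILE):
        print("-", finding)
    print("managed app backup prevented:", app_backup_prevented(SAMPLE_INSTALL))
```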
The popularity of mobile devices for personal and business communications is ever-growing. During the COVID-19 crisis, it is imperative that end users can continue to use their devices while at the same time having those devices collected for eDiscovery purposes. Apple devices, where the iCloud and iTunes backup services can be leveraged, make this process easier. Google’s Android, on the other hand, is far more challenging because of the security restrictions implemented on the devices and the lack of a centralized cloud backup process.
In the end, both of these systems must be navigated in order to ensure collection of all discoverable or otherwise necessary data. Navigating these unfamiliar waters can be challenging, but with an Epiq expert guiding the process, the collection will be as quick, painless and defensible as possible.
Jack Grimes, Regional Director of Forensics for Epiq, leads the West Region within North America.