These days, digital forensics is the tip of the spear for any legal investigation. The decisions you make at this stage determine how costly, time-consuming, and effective downstream processes could be, so it’s important to get it right. One of the most crucial decisions you’ll make at this stage is what technology to use for a forensic collection. How do you make sure you have all the data you need in the most cost-effective way? That’s what we’re here to discuss.
What do I have access to already?
There are, of course, many tools built specifically for forensic purposes, but you might be surprised at what data can be preserved with tools you're already paying for. Microsoft Purview, for example, gives employers the ability to preserve communications within Microsoft apps with just a few clicks, with no additional tool needed.
Not only is this an opportunity to save money in a forensically sound way, but it can also inform what other data is worth chasing down. Maybe you do need more than Microsoft Teams chats, but if you can look at the Teams chats first, it might illuminate whose devices require further investigation.
Is it “forensically sound”?
The term "forensically sound" gets thrown around a lot, and it's so basic that we rarely stop and ask ourselves what it actually means. "Forensically sound" means that the data collected is a complete, unaltered picture of the original data. If there was tampering, a forensically sound image can show evidence of that tampering.
Plenty of consumer-facing “data recovery” solutions such as iMobie and iMazing use the same underlying technology as digital forensics tools, so it’s tempting to use them for a cell phone collection and save a buck.
However, since these programs are not explicitly designed for forensic use, they give the user a lot of latitude to pick and choose what data actually gets collected. After all, if someone needs to recover data from their own device and that data has no real implications for anyone else, it makes sense to give the user as much control as possible over their own data management. In a forensic investigation, this additional control means a well-intentioned custodian can leave important data behind without even realizing it.
“Forensically sound” is important because even if you trust your custodians not to hide data on purpose, leaving too much of the data transfer process in inexperienced hands can significantly compromise the data’s reliability.
Even in a perfect world where none of your custodians make any mistakes, the mere possibility that they could lose data without anyone noticing is a chance you can't afford to take in high-stakes legal matters. Unfortunately, the drive to cut costs means many attorneys take this risk unknowingly.
In a forensics context, this can spell disaster. How do you prove that the data from someone's phone was truly all the data? If the other side has a savvy forensics team behind them, they can point out how flimsy such a collection methodology is.
When you’re looking for collection tools, look for words like “forensically defensible” in their marketing. Ask these companies how data is preserved, and more importantly, who gets a say in those decisions.
Do I need “User Behavior”?
It's one thing to present an image of someone's phone; it's another thing to be able to tell the story that led to that image. Forensic analysis goes beyond simple forensic collection and attempts to tell that story.
For example, let’s say that one custodian used Teams for the overwhelming majority of their communication with co-workers. However, they had hundreds of WhatsApp messages with one particular co-worker. Do those WhatsApp messages speak to these two co-workers just having a robust friendship outside of work, or more nefarious conversations that left out other parties for a reason?
Forensic analysis attempts to spot these anomalies and triangulate what kinds of relationships and conversations custodians had, all without reading any messages. In order to provide forensic analysis, investigators don’t just need a snapshot of what was on a phone the day you collected it, but a history of how that data changed over time. What was created when? What was deleted when? What was automatically deleted by a phone and what was deleted by a user?
If you’re attempting to answer these questions about not only the data, but what choices a user made regarding their data, make sure your forensic technician knows so they can guide you towards the appropriate tech.
What is the likelihood I need "non-texting" data?
Nowadays, it’s commonplace for anyone with a mobile phone to use multiple platforms for conversations. Personally, I have friends who at any given moment are part of an iChat, an Instagram thread, a Facebook chat, several Facebook group chats apart from the 1-on-1 chat, and maybe a Discord server or two. I migrate between these apps without thinking much about it. If your mobile data collection strategy only accounts for native text formats (SMS/MMS/iChat), you’re likely leaving a lot of important data on the table.
For example, recently I found myself discussing a topic with one friend on iChat, and that same topic with another friend on Facebook Messenger. I eventually got tired of sharing Friend A's insights with Friend B, so I threw all three of us into a new Facebook Messenger group thread. If you only looked at my iChat with Friend A, you might think this conversation abruptly ended; you would only be able to see the conversation in its entirety if you had access to both my iChat and my Facebook Messenger chats.
Do I need “ephemeral” messaging apps?
"Ephemeral" messaging apps, such as Snapchat, Signal, Threema, or WeChat, automatically delete messages after they're delivered. Sometimes bad actors use these apps precisely because they believe any shady conversations will be deleted.
However, not all deleted messages are actually gone. Oftentimes, these messages are only deleted from the app's servers, but a record of them still remains on the device. In this instance, certain types of forensic collections would find the deleted messages, but others wouldn't.
If conversations from an ephemeral, self-deleting app are NOT in play, you may be able to get away with an iTunes backup, which is often the cheapest and most convenient method for custodians. However, if you have any reason to believe that relevant conversations happened within ephemeral messaging apps, it's important to tell your forensics team so they can build a more robust strategy with those messages in scope.
Will it work with my review platform?
In the early stages of an investigation, it's easy to get caught up in what data is actually available and in preserving it while you still can, and to forget that forensics is only the first step of a much larger process. Preserving and collecting data doesn't automatically mean that the data will be available in a format that is actually useful for review, but if your forensics team knows your plans for processing, hosting, and reviewing, they can make sure they're using tools that help these downstream steps run smoothly.
For example, the Relativity Short Message Format (RSMF) helps reviewers make sense of mobile chat data. If your plan is to eventually review data in Relativity, your forensics team can make sure they're picking tools that export data to this format. If your team isn't using Relativity, this is of little significance.
Still have questions? We’re happy to help!
Reach out today to speak to a forensics expert!