From Smartphones to Smart Watches: A Primer on Mobile Device Discovery

Smartphones and tablets have radically transformed the practice of law, yet for too many litigators mobile device discovery remains an unexplored frontier. People are using their mobile devices more frequently both for business and in their personal lives, with game-changing implications for parties’ electronic discovery obligations.

In addition, mobile device data can provide critical evidence in certain practice areas, like employment law and personal injury cases.

Which Devices to Include?

A mobile device in the e-discovery context is any small, personal digital device that stores potentially discoverable data. This article will focus on the three most common sources in civil discovery: basic mobile phones, smartphones and the smartphone’s first cousin, the tablet.

However, the principles extend to other familiar personal devices like cameras, iPods and GPS units. The list of possibilities will only continue to grow as electronics manufacturers incorporate “smart” technology into an even wider range of consumer products.

It is essential to preface any discussion of mobile device discovery with the caution that generalizations have limited value. One computer is much like the next. One mobile phone is not, unless the next happens to be the same phone.

Mobile phones and tablets vary significantly by manufacturer, model and even by revision to a model. And there are literally thousands of models.

Should You Collect a Mobile Device?

The starting point in determining whether to collect a mobile device is assessing the potential relevance of mobile device data in light of the facts of the case. To do that, it is necessary to know what kind of information may be available from a mobile device.

In general, mobile phones can store the following data types:

• a. Short Message Service (SMS) and Multimedia Messaging Service (MMS) (text messages);
• b. contacts/phonebook;
• c. call history;
• d. memos/notes;
• e. calendars/datebooks;
• f. task lists;
• g. voice mail;
• h. e-mail;
• i. pictures;
• j. video and audio files; and
• k. application data.

A particular phone may store all or only a few of these data types depending on the phone’s features and the custodian’s practices.

For example, for a text message to exist, (1) the phone must support texting, (2) the user’s data plan must include texting and (3) the user must have sent or received at least one text message (and not subsequently deleted it).

Media Cards.

Additional data can be stored on a Secure Digital (SD) or microSD media card. For phones that have one, the media card is found on the back of the phone under the battery or in a slot on the side of the phone.

Media cards are typically used as overflow storage for photos, but can also save documents, audio/video and other types of files.

The highest volume of mobile phone data collection is generated by routine corporate discovery of SMS/MMS; this is an inevitable consequence of messaging supplanting e-mail as a primary means of business communication for many smartphone users.

Mobile devices are an especially high value data source in employment cases involving allegations of employee misconduct or misappropriation of confidential information, where all the possible data types are potentially relevant to the factual issues.

Another example of a specific scenario where mobile device discovery would be especially important is evidence of illegal downloads in the files and app data on a smartphone or tablet.

Is Deleted Data Recoverable
From a Particular Device?

Generally, it is not possible to recover SMS and call history from a basic mobile phone. Older phones store text messages and call records in slots. A set number of slots are available, and when all the slots are filled, the oldest entry is overwritten to free up a slot for the newest entry. This process will continue unless slots are freed up another way, such as by the user deleting entries or moving SMS into “saved messages” (which has its own set of allocated slots).

In contrast, SMS, call history and notes can often be recovered from iPhone and Android phones because the entries are stored in Structured Query Language (SQL) databases. When an entry is “deleted” from an SQL database, it is marked deleted and is no longer visible to the user. However, it is not overwritten until space is needed. A forensic analyst can parse the SQL database to recover deleted entries that have not yet been overwritten.

SD and microSD media cards can be imaged and data carved for deleted photos and other files. This is a function of the card technology and thus applies whether the media card is being used in a phone, digital camera or as loose storage.

What Does the Delivery Look Like?

The different forensic collection programs vary somewhat in their reporting capabilities. However, two common delivery formats are (1) a comprehensive .PDF or .HTML report and (2) a .CSV or .XLS spreadsheet per data type (e.g., SMS, contacts, call history).

Depending on the program, it may also be possible to export files in native file format, including photos.

Technical Limitations on Mobile Device Collection.

Mobile device forensic collection programs like Cellebrite, Mobile Phone Examiner and Oxygen Forensic have to “support” a phone or tablet in order to copy data from it. The software manufacturers support devices by, essentially, reverse engineering them. This process creates three potential situations where your vendor will be unable to collect from a device.

The first is for new models that are not supported yet, but will be when the necessary software update is released. Accordingly, if the user is an early adopter of a new smartphone model, it may be necessary to wait a few weeks or months to perform the collection.

The second situation is for devices that are typically old, unpopular or both that are not and will not be supported. Some devices are simply so seldom encountered in the field that the software manufacturers have determined that it would be unfeasible or unprofitable to invest the time and expense required for the reverse engineering.

The third situation covers devices for which the collection program is able to copy some, but not all, available data types. The most significant example of this is the iPhone.

The Apple iOS has built-in file system encryption that limits what data types can be copied; most notably, the inaccessible data include e-mail and deleted photos.

The problem of partial access has also occurred with supported models; a later model revision had the side effect of interrupting the copying process for some data types.

Practical Aspects of the Collection Process

To copy data from a mobile phone handset or tablet, a vendor must physically connect the mobile device, using the appropriate data cable, to the hardware unit or PC running the collection software. The vendor will probably have the right data cable in its cable kit; however, occasionally a cable has to be ordered for a phone with an unusual connector type.

The mobile device must be turned on and charged, so it must have a battery. Mobile phones that use a subscriber identity module (SIM) card must have the original SIM in order to access the data on the handset. If the device is pass-code-protected, the custodian will need to temporarily disable the pass code lock, give the vendor the pass code or be present during the collection to unlock the device.

Finally, it is sometimes necessary to change certain device settings (most prominently on Android phones) for the collection software to successfully communicate with the device.

Even assuming the device is a supported model and all of these other requirements are also met, the handset collection still could be unsuccessful. For example, a phone’s data cable port can be damaged or disabled (e.g., many prepaid phones come with a disabled port).

Alternatively, the collection PC may be unable to establish a connection with the phone. There is no fix for hardware problems, and troubleshooting does not always resolve software issues.

When all else fails, the old-school workaround is to copy down the relevant entries or take photos of the device screen. This method is foolproof but time-consuming and should be carefully documented.

Media cards and SIM cards are collected by taking them out of their slots on the phone handset and connecting them directly to a collection PC using a hardware card reader. There are forensic collection software programs that can copy data from both card types.

Unique Challenges of Mobile Device Discovery

Mobile devices function differently and are used differently than computers, and those differences have given rise to unique e-discovery challenges.

Risk of Spoliation.

One e-discovery challenge is averting the incidence of inadvertent spoliation. Older model mobile phones have a small storage capacity. As a result, data are routinely overwritten with normal usage.

For example, moderate text messaging can fill up all the SMS slots in just a few weeks, and even less storage space is allocated to other data types like call history. The risk of spoliation is lower with a smartphone, but even the latest model smartphone has far less storage capacity than a computer.

BYOD Challenges.

Another challenge is the issue of ownership and control in a bring your own device (BYOD) to work world. Many companies allow employees to use their personal devices for business communications without addressing the ramifications for e-discovery in a BYOD policy or without having a BYOD policy in place at all.

Co-Mingled Data.

Finally, the unprecedented intermingling of personal and business communications and other data on a mobile device also poses a significant challenge in corporate e-discovery. Mobile devices used at work will, almost without exception, contain both business and personal information. This is true whether the employer or employee owns the device.

Forensic copying programs can in many cases restrict collection to designated data types, but they cannot copy less than all the items in a given category (e.g., only SMS but not less than all SMS).

One unwanted consequence is that personal data must be copied along with the desired business data. It is critical that BYOD policies address the privacy issues intrinsic to mobile device discovery.

Conclusion

Data collected from phones and tablets are already critical in many cases and are only going to continue to grow in importance as people use their devices more and more both for business and in their personal lives. It is important for all e-discovery practitioners to understand the legal and technical underpinnings of mobile device discovery.