The Facts are Calling Out: A Primer on Obtaining Data from Mobile Phones

It is no secret that phones carry (and remember) vast amounts of information about the most intimate details of life. For many of us, phones are a constant presence. Even the U.S. Supreme Court has acknowledged, in the criminal context, that phones are drastically different from other kinds of personal effects for this reason.[1] Lawyers, too, are well aware of the value that data from phones may have for their case. But while lawyers and their clients alike are usually familiar with the basics of how phones are used and the kinds of things they store, this consumer perspective does not always translate perfectly to litigation. Consumer familiarity can make the use of phone data in litigation seem deceptively simple. "Phone data" is designed to exist on a phone and to serve that consumer perspective; it is not consistently adaptable for presentation or production in civil discovery. In this article, I pull back the curtain on the technical processes involved in extracting and producing data from phones and explain some of the technical realities that await litigants who are either seeking data from phones or on the receiving end of a request for phone data.

I. The Legal Context of Requests for Phone Data

Because of the qualities and categories of information on phones, there is almost invariably advocacy and motion practice before obtaining a phone is an option. Prior to reaching the point of calling an expert to obtain phone data, there are procedural considerations for lawyers on both ends of a request. These considerations are, at the risk of stating the obvious, case specific. Justifications for, and objections to, a request for phone data are arguable and depend on the underlying facts. In general, though, advocates may seek or obtain phone data in at least three ways:
In cases where phone data is collected for the purpose of responding to a discovery request, lawyers for both parties will often agree on the specifics of how to handle the phone data and set up a protocol that balances the production of relevant information against privacy and privilege concerns. You guessed it: the terms of such a protocol are fact specific, but they usually spell out where the phone is going, how it will be preserved, what parameters will be applied to the data (based on the area(s) of inquiry), and how the resulting materials are reviewed and communicated. Fortunately, the steps outlined in such a stipulation are usually linear; they describe a step-by-step, repeatable process. This is because these stipulations rely (sometimes tacitly) on the technical procedures that are necessary to obtain phone data. The order of operations is generally: 1) unlock the phone; 2) collect (or "extract") its data; 3) "unpack" the data; and 4) produce it (where appropriate).

II. Passcodes, Passwords, and PINs

In order to obtain the data from a phone, the phone must be accessible.[4] This means that the familiar passcodes, swipe patterns, or passwords are often necessary before proceeding to the subsequent steps (preservation, etc.). In many cases, the producing party will agree to provide the necessary passcode to the expert performing the work. But passcodes are not always available to the parties or their lawyers. The most common situation in which a passcode is unavailable is that the owner or custodian of the phone has passed away and family members do not know it. It is important to recognize that the unavailability of a passcode is not necessarily the end of the line. Security features like passcodes are not impenetrable.
Whether the option exists to access a locked phone, however, depends on a number of factors, including 1) the capabilities of the expert, 2) the condition of the phone, 3) the make and model of the phone, and 4) its operating system and version. Generally, the available techniques work either by bypassing the passcode requirement altogether or by trying passcode combinations until the correct one is found (i.e., brute force). Brute force is realistic only because most phone passcodes are short: a four- or six-digit numeric passcode has at most 10,000 or 1,000,000 possibilities, while a long alphanumeric passphrase may put brute force out of reach entirely.

In addition to technological means, there are other ways of obtaining the information necessary to unlock a phone. It comes down to good old-fashioned detective work. When obtaining phone data has been written off as a fool's errand, it has proven possible to obtain the passcode by inventorying the custodian's other data. For example, passcodes have been obtained by finding a person's (e.g., a decedent's) passwords on the dark web, to the extent they were disclosed in a data breach, or by leveraging data from the person's other electronic devices. Hypothetically, assume a case in which a decedent's passcode is unknown. The decedent, though, also regularly used a laptop. While the decedent's family cannot access the laptop, a forensic analyst can. An analysis of that laptop shows that the decedent kept a list of passwords in a note-taking application, including the passcode to his phone. In other words, just because a phone is locked does not mean that obtaining its data is impossible. The lawyer (or opposing lawyer) has options and different avenues to explore.

When it comes to locked phones, one word of caution to practitioners: be mindful that some phones have a self-destruct feature, whether by default or because the owner or an employer's device-management policy enabled it. This feature factory resets or wipes a phone when a passcode is entered incorrectly too many times. Even where wiping is not enabled, repeated wrong entries typically trigger escalating lockout delays that can keep the phone out of reach for hours or longer. This is especially important when a client provides a phone to an attorney for safekeeping but does not remember the correct passcode.
The attorney may have an impulse to try to unlock the phone immediately to see what is there (akin to my kids on Christmas morning) and to try the multiple combinations that the client provides. In this (real-life) scenario, the lawyer may enter the passcode incorrectly more times than the preset limit and inadvertently destroy evidence. My advice is that if a lawyer receives a phone for safekeeping, do not enter any passcodes. If the phone is provided powered off, leave it off. If it is powered on: turn on airplane mode (to disconnect it from the network) and, if one is available, place it in a Faraday bag; if the passcode is unknown, leave it charged and powered on until you provide it to an expert. The reason for leaving it charged and on is that, depending on the phone model, the unlocking process may only be possible if the device's passcode has been entered at least once since the last time it was powered off. Examiners call this the "after first unlock" (AFU) state, as opposed to "before first unlock" (BFU); in AFU, more of the keys that encrypt the user's data are held in the phone's memory. Powering the phone off, or letting the battery die, drops it back into BFU and forfeits that advantage. Additionally, the AFU state may allow an examiner to extract data immediately from the device without the need for a potentially lengthy brute-force attack on the passcode.

III. This Copy of the Phone is Everything, Right? Wrong.

After my office receives a phone and its passcode, the first step is to create a forensic copy of its content. For phones, the term of art for the resulting copy is an "extraction." While in principle there may seem to be nothing complicated about copying a phone's data, it is more nuanced than meets the eye, and these details can and have had material impacts on the trajectory of cases. There is a prevalent misconception that a copy is a copy, and that it is always complete. In fact, not all phone extraction (copying) methods are equal in their completeness. It is critical for attorneys on both sides of the "v" to understand that some extractions are (sometimes drastically) less complete than others. If a lawyer mistakes a less complete extraction for a complete one, or vice versa, significant facts can be missed.
For the purposes of this article, there are two kinds of mobile device extractions that lawyers should be generally familiar with: logical extractions and full file system extractions. While there are others on the spectrum of completeness, these two categories capture the general types that attorneys will encounter in practice. A logical extraction relies on the phone's operating system to generate the extraction; it provides the data that would be included in a standard consumer backup of the phone (standard text messages, call history, contacts, photos). A full file system extraction is more complete. It captures everything a logical extraction does, plus system logs and databases[5], email, and data from third-party applications, including messaging applications (Signal, Snapchat, Messenger, etc.).

The difference between the two kinds of extractions is further affected by the type of phone being collected. Collecting data from iPhones is more uniform than from Android phones, because an iPhone's software and hardware are developed by the same company. An Android phone, by contrast, may have hardware from numerous vendors and run software developed by yet another party (e.g., Google), often further modified by the handset manufacturer. In other words, iPhones are more predictable as to which categories of data a logical or full file system extraction will include. With an Android phone, a logical extraction is not predictable, and its quality and completeness vary from device to device. Whatever the extraction quality, it is important for all practitioners to understand the limits of what a phone extraction may disclose, and what may be evading the eyes of litigants.
Because of these differences, it is important for lawyers to establish what kind of extraction a vendor plans to obtain (and whether a more complete full file system extraction is feasible). Moreover, if phone data has already been provided for review, pay attention to the kinds of data in the extraction to determine whether it is complete. A quick tell is whether the extraction contains anything a consumer backup would not: system databases and logs, or message content from third-party apps. A production that holds only native texts, call logs, contacts, and photos is probably a logical extraction. It is generally preferable to obtain the most complete forensic extraction possible, but that may not be necessary, or even possible, in every situation. For example, if you receive a discovery request for standard text messages (SMS or iMessage), a logical extraction will provide the same basis for identifying them as a full file system extraction would; if the request reaches messages sent through a third-party app, it will not. And if the question is whether the phone was actively being used at a particular time, a full file system extraction is necessary. Note further that, depending on the circumstances, a full file system extraction may not be possible due to various factors (make and model of the phone, its operating system and version, etc.).

One regular question I am asked is how long the process of collecting data from a phone takes. Litigants rely on their phones as much as anybody else and are not always thrilled about being without them for an extended period. In order to obtain a full file system extraction, an expert needs physical access to the phone: the expert either travels to where the phone is, or the phone is shipped to the expert's office. It is hard to predict how long the process takes, because it depends on how much data is stored on the phone, and experts are at the mercy of physics and how fast data can transfer. In most cases, a phone's data can be collected in three to eight hours. It is also possible to collect phone data "remotely," where the expert neither travels nor the subject mails the phone to the expert.
The resulting copy will be a less complete logical extraction, but the circumstances and objectives of the parties will dictate whether a remote collection is feasible.

IV. How to Make Sense of the Collected Data and Phone Data Productions

Once the data is collected, the parties' objectives (and/or their stipulation) dictate what is done with it. Sometimes the data must be analyzed by the expert to make factual determinations about the phone's usage, and whether there are factors that affect the availability of the data (e.g., deletions). In those cases, the expert may perform a technical analysis to determine whether there is contextual, system-level data that shows whether a particular fact or allegation is supported by the phone evidence. For example, a technical analysis may disclose whether a phone was actively used at a particular time (like the time of a vehicle collision). These kinds of data do not usually speak for themselves and more often require expert testimony to explain.

In other cases, the inquiry may be solely substantive: the phone collection was performed as a basis to produce certain text messages or other data. In those cases, the expert can limit the data in the collection by defined parameters. For example, the parameters may specify that only texts between two parties, during a defined period, are to be produced.

When it comes to phone data productions, this is where the familiar consumer experience makes its exit for lawyers tasked with reviewing the data. When phone data is produced in discovery, it is no longer being accessed directly from the phone where it was originally recorded. It looks different, and there are many options for how it can be presented (as a spreadsheet, PDF files, etc.). My advice is to take advantage of a very handy review tool designed for organizing, reviewing, and searching phone data: Cellebrite Reader reports.
Cellebrite Reader reports have become a preferred option for many lawyers and their staff. Cellebrite is a commercially available tool that may be used for many steps in the technical process of extracting and reviewing phone data. It also produces "Reader reports" that combine the phone's data with the benefits of a review tool. A Reader report is a shareable file (a .ufdr package) that presents the phone data within a program (a user interface), the free Cellebrite Reader application. This interface makes it easier for reviewers to find, read, and mark the phone data for review. It also has built-in functionality that allows a reviewer to search the data and organize it by category and time.

V. Conclusion

Phone data in litigation is not new, but neither is it about to depart from the courtroom. Lawyers must be familiar with the technological basics and limitations of phone data in order to advocate effectively for their clients. Lawyers need to know, with respect to phone data, what is (and what is not) possible, and the nature of what they are asking for or have been provided. Without an understanding of the technology that underlies phone data in litigation, lawyers are prone to not asking the right questions.

Author Biography

Drawing on more than a decade of experience, Sean Lanterman, Esq., focuses on complex matters involving electronic evidence, including civil and criminal litigation, as well as information security events. Sean is considered a trusted advisor by his clients and has successfully and efficiently identified actionable facts from digital sources in a variety of situations. Sean's clients appreciate his ability to communicate often technical, complex findings concisely and understandably. Sean provides continuity throughout the course of a project, from initial investigation through reporting and testimony. Sean has been invited by organizations to speak about numerous topics, including smartphone evidence, working with experts, and cyber incidents.
Sean has also provided his expertise to national and local news outlets. Sean earned his bachelor's degree, with honors, from the University of St. Thomas in Minnesota, and then continued his studies at the University of St. Thomas School of Law. Sean is licensed to practice law in Minnesota state courts. Sean receives ongoing training in digital forensics and incident response from the SANS Institute and is a member of the GIAC (Global Information Assurance Certification) Advisory Board. Sean is also a member of the International Association of Computer Investigative Specialists (IACIS) and InfraGard (an intelligence partnership between the FBI and the private sector).

[1] Riley v. California, 573 U.S. 373 (2014).
[2] See Wis. Stat. § 805.07.
[3] See, inter alia, Wis. Stat. § 804.08 and § 804.09.
[4] Phones that are physically damaged may also pose problems for obtaining their data. In many cases, though, a damaged phone may be repaired to permit its data to be extracted.
[5] These kinds of logs may provide insight into whether a phone was used at a particular time, including but not limited to records about 1) when the phone was unlocked (the passcode was entered), 2) whether the phone's screen was turned on, and 3) what application was open and on the screen.
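Section IV and footnote [5] describe the system records that let an examiner say whether a phone was in use at a particular moment. The script below is an added example, not code from the article or from any vendor's tooling. It assumes an iPhone full file system extraction containing the CoreDuet database knowledgeC.db (at /private/var/mobile/Library/CoreDuet/Knowledge/knowledgeC.db, a file that a backup-style logical extraction does not include), and it reads the three streams that map onto the footnote's three questions: /device/isLocked, /display/isBacklit, and /app/inFocus. The real ZOBJECT table has many more columns than reproduced here; every row is constructed sample data, and the "collision" time is hypothetical.

```python
"""Was the phone in use at a given time?  Query a knowledgeC.db-style table.

Added example, not code from the article.  Assumes a copy of
/private/var/mobile/Library/CoreDuet/Knowledge/knowledgeC.db taken from a full
file system extraction of an iPhone.  The real ZOBJECT table has many more
columns; only the ones this query reads are reproduced, and every row below
is constructed sample data.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# knowledgeC.db stores timestamps as "Mac absolute time": seconds since 2001-01-01 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# CoreDuet stream names that answer footnote [5]'s three questions.
STREAMS = {
    "/device/isLocked":   "ZVALUEINTEGER 0 = unlocked, 1 = locked",
    "/display/isBacklit": "ZVALUEINTEGER 1 = screen on",
    "/app/inFocus":       "ZVALUESTRING = bundle id of the foreground app",
}

# Anchor for the constructed sample data (UTC).
SAMPLE_BASE = datetime(2023, 5, 10, 14, 0, tzinfo=timezone.utc)


def to_mac_time(dt):
    """Timezone-aware datetime -> seconds since the Mac epoch."""
    return (dt - MAC_EPOCH).total_seconds()


def from_mac_time(secs):
    """Seconds since the Mac epoch -> timezone-aware UTC datetime."""
    return MAC_EPOCH + timedelta(seconds=secs)


def sample_time(minutes):
    """Helper for the sample data: SAMPLE_BASE plus a number of minutes."""
    return SAMPLE_BASE + timedelta(minutes=minutes)


def build_sample_db():
    """In-memory database with a reduced ZOBJECT table and constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ZOBJECT (Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT, "
        "ZVALUESTRING TEXT, ZVALUEINTEGER INTEGER, ZSTARTDATE REAL, ZENDDATE REAL)"
    )
    # (stream, value string, value integer, start minute, end minute) -- constructed
    rows = [
        ("/device/isLocked",   None, 0, 1, 9),                       # unlocked 14:01-14:09
        ("/display/isBacklit", None, 1, 1, 9),                       # screen on 14:01-14:09
        ("/app/inFocus", "com.apple.MobileSMS",    None, 2, 5),      # Messages in front
        ("/app/inFocus", "com.apple.mobilesafari", None, 5, 8),      # Safari in front
        ("/device/isLocked",   None, 1, 9, 40),                      # locked 14:09-14:40
        ("/app/inFocus", "com.apple.camera",       None, 180, 181),  # camera at 17:00
    ]
    conn.executemany(
        "INSERT INTO ZOBJECT (ZSTREAMNAME, ZVALUESTRING, ZVALUEINTEGER, "
        "ZSTARTDATE, ZENDDATE) VALUES (?, ?, ?, ?, ?)",
        [(s, vs, vi, to_mac_time(sample_time(a)), to_mac_time(sample_time(b)))
         for s, vs, vi, a, b in rows],
    )
    return conn


def usage_events(conn, window_start, window_end):
    """Events from the tracked streams that overlap [window_start, window_end].

    Overlap rather than containment: a long /device/isLocked span that brackets
    the window is exactly the record that shows the phone stayed locked.
    """
    ws, we = to_mac_time(window_start), to_mac_time(window_end)
    marks = ", ".join("?" * len(STREAMS))
    cur = conn.execute(
        "SELECT ZSTREAMNAME, ZVALUESTRING, ZVALUEINTEGER, ZSTARTDATE, ZENDDATE "
        f"FROM ZOBJECT WHERE ZSTREAMNAME IN ({marks}) "
        "AND ZSTARTDATE <= ? AND ZENDDATE >= ? ORDER BY ZSTARTDATE, Z_PK",
        (*STREAMS, we, ws),
    )
    return [
        {"stream": stream,
         "value": vstr if vstr is not None else vint,
         "start": from_mac_time(start),
         "end": from_mac_time(end)}
        for stream, vstr, vint, start, end in cur
    ]


def was_in_use(conn, window_start, window_end):
    """True if an app was in the foreground or the screen was lit during the window."""
    return any(
        e["stream"] == "/app/inFocus"
        or (e["stream"] == "/display/isBacklit" and e["value"] == 1)
        for e in usage_events(conn, window_start, window_end)
    )


if __name__ == "__main__":
    db = build_sample_db()
    # Hypothetical collision at 14:03 UTC; look at a one-minute window around it.
    start, end = sample_time(3), sample_time(4)
    for e in usage_events(db, start, end):
        print(f"{e['start']:%H:%M:%S} - {e['end']:%H:%M:%S}  {e['stream']:<20} {e['value']}")
    print("in use:", was_in_use(db, start, end))
```

Two practical points the code makes that the prose does not: timestamps in this database are not Unix time, so a window stated in local time has to be converted to UTC and then to the Mac epoch before it means anything, and a "not in use" finding depends on a locked/screen-off record that spans the window, so the absence of app activity in a partial or logical extraction proves nothing. To run it against a real extraction, replace build_sample_db() with sqlite3.connect() on a working copy of knowledgeC.db, never the evidence copy itself.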