By Freddie Dyroff, CASA, CCO, CCPA, CBE, CMO
In the last year, we have observed a rush (one could say scramble) to find remote solutions to traditionally in-person tasks in nearly every commercial sector. In the eDiscovery and digital forensics space, the need to find workarounds to collect data remotely while remaining forensically sound was, and still is, a pivotal requirement for many investigations and litigation demands. Methods to remotely preserve standard desktop computers have been around for years. But, due to limitations in hardware and software, smartphones have mostly remained a task requiring a forensic examiner to have hands-on access to the device, with few exceptions. With a push from the COVID 19 pandemic, methods to accomplish this task are starting to take hold, albeit with some critical considerations.
It may add a layer of complexity to the collection process when a custodian balks at separating from his or her smartphone for the few hours it normally takes to image such a device. Work responsibilities (such as the work demands on an executive, field service representative or salesperson) or other logistical challenges may inhibit the possibility of shipping the custodian’s device to a forensic firm. And if an organization confronts the need to collect numerous devices, having an examiner travel to multiple locations may cost prohibitive. Whatever the reason, if an in-person collection is not an option and the custodian cannot justifiably depart with the device, remote collections can be a viable solution.
The smartphone landscape can be broadly separated into two camps: camp Android and camp iPhone. Each camp demands its own workflow and scrutiny. Androids are the more complex of the two to collect remotely because, unlike iPhones, Androids can come from any one of a dozen manufacturers. A Samsung phone is not the same as an HTC phone, and the differences between them often drives which collection methods are available. Because of this variety, in-person or in-lab collections of Androids should always be considered as the primary method. If an in-person collection is deemed implausible and the device cannot be sent in for collection, a remote collection may be an option. Generally, the best approach for this would involve sending forensic equipment (a laptop, and a license USB-dongle) to the custodian. Once the equipment reaches the custodian, an examiner can then walk through the steps needed to complete the collection, while simultaneously controlling the collection application. The complexity of the device-specific steps required on the part of the custodian, however, should be considered on a case-by-case basis. If recovery of deleted content is a concern, then a push for physical access to the device is almost always required to capture the relevant data.
On the other end of the spectrum are iPhones. Like Androids, forensic equipment could be sent to a custodian, and an examiner can walk the custodian through the collection process while the examiner maintains control over the collection application. However, thanks to Apple’s commitment to “user experience,” utilities like iTunes and iCloud may offer additional collection alternatives. Using these tools, an examiner can remotely guide the custodian through backing the device up via iTunes or iCloud. With iTunes, the backup would then be copied to a hard drive sent by the examiner. With iCloud, the backup can be pulled down from the cloud by the examiner, with the custodian’s consent and assistance, of course. With the guidance of a qualified examiner, these options can be as sound as an in-person collection.
Because the custodian’s device settings can vary and technology evolves continuously, technical collection options that exist today may not be the best option tomorrow. bit-x-bit can help you to navigate this space and advise on the best path forward. We are regularly involved, not only with smartphone preservation, but with forensic examination, attorney review, and production of smartphone data. Feel free to contact us at 412.325.4033 or email@example.com.