Data Discourse

An Up-Close Look at Mobile Forensics

September 03, 2024 Peter L. Mansmann, Esq. Season 1 Episode 1

In the debut episode of Data Discourse, Pete Mansmann and Jeff Stiegler dive deep into the world of mobile forensics, providing tangible insights on its growing importance in the legal field. 

Throughout this conversation, Pete and Jeff discuss how mobile forensic analysis is increasingly pivotal in legal cases ranging from accidents to employment disputes. With mobile devices becoming central to personal and professional communication, learning the value of mobile forensics from trained analysts is essential for legal professionals seeking to leverage digital evidence effectively.

This episode highlights the critical role digital forensics plays in legal matters, particularly focusing on mobile devices. As digital evidence from smartphones becomes a staple in legal investigations, attorneys need to incorporate electronic data sources early in the legal process to uncover any crucial information. 

Pete and Jeff also stress that a comprehensive understanding of mobile data can make or break a case, whether it's proving texting while driving or unauthorized data transfers in employment disputes.

The episode concludes with practical advice for legal professionals on how to approach mobile forensics. Emphasizing the importance of early involvement and comprehensive data analysis, the hosts encourage attorneys to stay abreast of technological advancements and forensic techniques to strengthen their case strategies.

Key Topics Covered

  • Importance of Mobile Forensics: The growing necessity of mobile forensics in legal cases involving accidents and disputes.
  • Role of Digital Evidence: How smartphones and other mobile devices contribute critical evidence in modern legal investigations.
  • Early Data Consideration: The need for attorneys to incorporate all electronic data sources early in the legal process.
  • Typical Forensic Scenarios: Different engagement scenarios, including one-sided and dual-party investigations.
  • Crafting Legal Narratives: Using mobile data to build compelling legal arguments in specific cases.
  • Practical Forensic Advice: Recommendations for legal professionals on integrating mobile forensics into their case strategies.


Precise is your trusted resource for all things mobile forensics and e-discovery. We look forward to partnering with your firm and helping you win your next case!

Visit our website to learn more and set up a free consultation:

Or call us at 866-721-5378


All right. Well, welcome to Data Discourse episode one, where we talk about practical advice and insights about digital forensics and e-discovery. My name is Peter Mansmann of Precise Incorporated, and joining us today is Jeff Stiegler, who is Director of Computer Forensics for Precise Discovery. 


Jeff and I today are going to talk about digital forensics, and in today's episode specifically about mobile forensics. Jeff's got a lot of experience, been with us for many years in dealing with different forensics engagements and devices, computers and phones and all kinds of things. So through multiple episodes, we're going to be talking about, you know, various devices, but today's again is focused on mobile forensics. So welcome, Jeff. Thank you, Pete. Jeff and I've been talking about these episodes and the things that we would like to relay to people out there as it relates to computer forensics. And one of the things that we were discussing today was the need to sort of back up and talk about computer forensics in general. Maybe not everybody is familiar with where it's important, why it's important, why it's showing up in all kinds of cases today, and particularly as it relates to mobile devices, which is going to be our topic for today. All right, Jeff. So I think the thing that would make a lot of sense to talk to people who will be listening to this podcast is to sort of take a step back and talk about computer forensics in general. 


And then in particular talk about mobile forensics and how often you're seeing that in engagements that you get involved with. So I guess before we touch anything else, what is computer forensics? What is it that a computer forensics expert like yourself is going to typically be asked to do in a case? So computer forensics is also referred to a lot as digital forensics, because nowadays we're dealing with a lot more kinds of devices rather than just computers. It basically encompasses all, you know, forms of electronic evidence, whether they're stored in, you know, cloud servers, computers, cell phones, hard drives, you know, anywhere where electronic evidence may exist. The role of a, you know, digital forensics examiner is typically to first collect that data in a, you know, sound manner. Secondly, to be able to analyze and report on that data and to formulate opinions based on the facts that you've seen. 


These days, it is extremely rare to come across any legal matter that, you know, at least a cell phone isn't mentioned. You know, people are carrying around these devices with them all the time. 


They have the functionality of computers more or less these days. So, you know, anytime a legal matter may involve messaging, location, you know, images, whatnot, often the first place to look at, and the first place we're requested to look at, are mobile phones. 


And if we expand on that a little bit, let's talk about situations where mobile phones, just to give examples, have come into play. Have you had cases where a motor vehicle accident has required the analysis of a phone? Yes, that's becoming more of a common request these days, particularly with commercial, you know, related accidents. You know, what was going on at the time of the accident? You know, what was the person, you know, playing on their cell phone, accessing media? Were they connected to their, you know, Bluetooth early warning system in the cab? You know, all things like that are things that can be considered, you know, doing digital forensics, you know, related to, like you said, a car accident. What about an employment dispute? Yes, a lot of requests for employment disputes. Typically it's, you know, accusations that an individual left a company or, you know, took another position and may have taken proprietary data with them or poached clients or have been in the possession of pricing lists. 


You know, these are things that are requested from us very commonly, and text messaging or other types of messaging may be related to the exit of employment. Is that often what you're asked to look for on mobile devices as well? I mean, I think any case could merit, you know, looking through mobile messaging for potential evidence, you know, knowing that conversations take place, knowing that the conversations may be a little more informal than they would be over a phone call or, you know, a formal email sent on a business account. So yeah, definitely mobile messaging should be taken into consideration for most matters. Family law cases, absolutely. How about criminal? Sure, been there, done that, yes. And I guess the point I'm making on all this is, have you really found that, oh, there's these types of cases where digital forensics may not potentially be relevant, and/or a phone is important, potentially important, to that case. 


I think these days it's almost every type of matter. And, and so as we explore this, we talk about this a little bit further, knowing that, you know, a wide variety of cases, essentially any type of case for the most part can involve digital forensics and it can involve mobile forensics in particular. 


It becomes very important that attorneys think about these data sources early on in the process to make sure they're covering their bases, both from discovery obligations and also from uncovering evidence that may be important to their case, whether it's somebody else's devices or their client's own. And I thought it would be helpful also for us to talk about the types of engagements that you're typically asked to be involved in. And we sat down over lunch today and sort of laid out five different engagement scenarios. And I'm going to list these off quickly. Then we're going to come back to them and talk a little more detail about them. So I think there are times where you're often called in to be an investigator for one side. You know, one side of the versus sign is asking you to make a determination and figure out what's out there. 


There are times where you're asked to do an investigation and some reporting where both sides are involved in that process. Even though you're engaged by one side. There's other times when you are asked to offer an opinion. So it's more than just reporting on what's out there. You're offering an interpretive, asked to offer an interpretive opinion about what it is that you have seen or uncovered on the device. There's times when you're asked to interpret other people's reports, other experts, and there's times where you're engaged solely as a neutral, both parties engaging you at the same time. So we think that covers the bases of typically how you're engaged. But let's walk through those a little bit because they're important for people to understand how an attorney would typically engage with an expert like you. So let's go back to the first one where you're asked to do an investigation by one side. 


Give us some examples, or talk about that a little bit, about what that typically entails. So this type of engagement, you know, normally, you know, a party would reach out to me and say, hey, we believe we have an area or some sources of electronic evidence. We don't necessarily know what may be in there, but here's the background of the case. Maybe you can tell us, you know, what we may find and what we may need to consider. So at that point, we're kind of doing an inventory, you know, what kind of data do we need to collect? You know, tell me the story about your matter. What may be relevant, what data sources, you know, may be applicable, what can we do, what can't we do? That's typically the beginning of one of those, you know, one-party engagements. Is it also important to know a little bit about the owner of these devices when you're going in? Does that help you at least get some idea of how they may interact with their mobile device in particular? To some extent. I don't want to say, you know, there's stereotyping that can be done, but usually I ask, you know, hey, what field of practice are we working with? A truck driver is going to have a completely different data set than someone that works in an office. 


9:00 to 5:00. The age of the user comes into play. You know, younger people are more likely to use third-party applications for messaging, things like that, where, you know, older, less experienced individuals, or just inexperienced individuals in general, may have a lot less sources of data rather than someone that, you know, installs all kinds of applications and accounts and syncs on their phone. 


So that's when you're asked to investigate something where one side engages you and says, I want to understand primarily what's on my client's devices so we know what we're dealing with. So the second area we came up with that we thought was a typical engagement for you is where both sides are involved, multiple sides are involved. We're still engaged by one party, but what they've agreed upon, whether through a court order, agreement or otherwise, is that they want you to do an investigation on your client, or the attorneys who hired you, their client's devices, to investigate what's potentially on there and report these in some way to everybody. So they can decide what they do with that information moving forward. So I want to talk a little bit about how that works, but then also talk about the importance of protocol surrounding rules of engagement about what you're supposed to do in that process, why that's important, what information you share, etcetera. Can you talk about that a little bit? Yeah. So these types of, you know, dual-party engagements I see come into play more if both parties might be a little more inexperienced with e-discovery, you know, they may not know the right questions to be asking the other side and vice versa. 


So by me offering to act as kind of a, you know, neutral, you know, go-between between the two. You know, I'm going to be performing my, you know, digital forensics work, but I will be reporting my findings to both parties. 


Where that comes, where the protocol comes into play there, it's very important to have in place because I need stipulations on what I'm supposed to report to what parties. You know, parties should have the ability to perform a privilege review, a relevancy review, things like that. So having a protocol in place ahead of time, you know, really prevents a lot of those battles down the line of, hey, we should have done X, Y and Z. Why didn't we do that? Why is our report different from our expectations? So being that neutral party, you know, kind of engagement, a lot of time is spent, you know, drafting that protocol and making sure that both sides get the information that they need, not information that they don't need. And, you know, that expectations are met among all parties. 


And I would imagine, in our experience in dealing with these protocols as well, that the importance of having things written out and agreed upon by the parties ahead of time really cleans up any issues of, are we getting into areas that we weren't asked to look at. You know, these are people's personal phones. 


They're going to have personal photos and other information in there that may be sensitive and private that they don't want to be shared. It puts some parameters around that and gives comfort to them that no, we're only targeting areas that have been agreed upon. And oftentimes it's that both parties aren't getting the same information. It may be that an initial report goes to the party whose client owns the devices to see what's on there to again, do a privilege assertion or relevancy assertion before anything's turned over to the other side. And while this may not be true discovery at this point, it's at least giving them insight into, you know, everybody's anticipating that there's evidence on these devices that are supportive of their case. And you know, this may help get something resolved sooner than later by walking through this process. So it is very valuable to do this when appropriate, when you have reasonable parties on both sides. Protocol, again, it's important, everybody's on the same page. 


It's written out. We help craft those all the time to make sure that the technical stages and steps are outlined in there to match up with what the intention is of the parties. So the third area that we talked about of a typical engagement is, and it may flow from one of these first two where you're asked to do an investigation, one-sided or with both sides involved, is to then offer an opinion. So how is this different from doing an investigation when you're offering an opinion? And, in either verbal or written form, giving opinion, expert opinions, is that, you know, another step beyond, you know, just general analysis and reporting. You know, it's putting together some pieces of, you know, what evidence have we found? What, based on my technical experience and expertise, what does this likely mean? You know, for example, I can recall a case where we were given the cell phone activity of a truck driver. I'm going back to the accident, you know, scenario, where there was a massive amount of data being transferred, you know, to the point where the data had to be video-sized. 


The transfers were occurring to IP addresses related to Netflix and other streaming movie sites. You know, the opinion formed based on all this information was that, you know, the driver was actively watching, you know, movies at the time of this accident. How we came to that opinion was, you know, based on all the various data points. And there were many that you kind of put together and, you know, explained, hey, this is what you would expect to see if someone was performing this action. You know, if they were downloading the movies to watch ahead of time, you would expect to see XYZ. 


We didn't see XYZ. So an engagement like that is kind of going beyond the scope of just reporting on data, and you're almost telling, you know, to the expert level that you can, you know, telling the story of what you think occurred. And then sort of along those lines, but slightly different, is we're oftentimes asked to engage in a scenario where an expert report has been written by another party and they basically have needed an interpretation of what that report means. So maybe you got the two sides, one side's already hired an expert. They've issued a report saying, here's what I found on this mobile device. And then we're asked to come in and say, well, what's this report mean? Because there's often very technical information contained within, and how you match that up to practicalities of this. Is this something I need to be worried about? If it is, how am I going to counter it? Are there counter opinions to be made here? Talk about that a little bit, about scenarios where we've been asked to get involved after somebody else has already offered an opinion. 


Yes. So those types of engagements, again, just can be, you know, caused by, you know, inexperience with e-discovery and forensics and, you know, not being able to understand what's, you know, been presented to you. I always say, sometimes I feel like 50% of my job is just acting as a translator between technical and, you know, real-world or even, you know, legal scenarios. 


So in those scenarios, you know, it's helpful to, you know, sometimes it's not even a case of, hey, we don't trust this other expert. 


We want you to double check their work. Sometimes it is a case of that. More often than not, it's hey, what you know, what did you get from reading this report? Are there questions, additional questions we should be asking? Are there opinions made that you feel are, you know, a little more than you know, expert opinions, things like that. You know, it's very important to catch up, you know, the single party to what the other side's already been engaged in and gotten from their digital expert. And again, because this is a very technical area, you know, I think you often come across attorneys who don't necessarily understand what even the reporting is saying. And so being able to explain that I think does become a very important part of our engagement. 


Now, the last area we talked about where we're typically brought in, or the way we're engaged, is as a neutral party. And this is where both parties have come to us and say, we don't want to duplicate the work on both sides. We're interested in finding out information, whatever it may be, and sharing it typically with both sides at the same time. Maybe there's an agreement that it flows like we talked about before, where one party gets the chance to review it first for privilege or relevancy before it's sent to the other. But in this situation, we truly are being neutral, and oftentimes this is driven by court order or some other means, a discovery order forcing the parties to engage in this way. But can you talk a little bit about when you're brought in as a neutral and some important factors to keep in mind when that is the case? So I think I see these, you know, types of requests more in employment law, you know, where there's a court order out there that, you know, two parties need to come to some sort of solution to these allegations. 


And these allegations may rely on a lot of electronic evidence. So in these scenarios, you know, I'm acting as, you know, the expert for both parties, where I'm collecting both parties' data, I'm filtering, reporting, you know, to specific parties, each side gets their privilege and relevancy review and whatnot. I'm also implementing like a Chinese wall in between myself and both parties, you know, segregating the data, but, you know, keeping up with the requests on both sides. I've seen this to be a bit more efficient than, you know, some scenarios. Obviously, you know, some warrant having two experts, you know, one on each side performing the work. But I've seen instances where we can act as a neutral party to both sides. You know, obviously the workflow is much more streamlined and efficient. 


It's, you know, everything is laid out in a protocol ahead of time, who gets to see what and when. So there's no questions, you know, through the engagement. 


I find that workflow, when applicable, seems to work pretty well and, you know, resolving the issues both parties have. And again, it ends up saving potentially a lot of money by not engaging two different people to do exactly the same work. Now, it doesn't mean that you may have information that comes up out of this initial analysis that says, all right, we now have evidence that could be interpreted multiple ways. 


You may need to seek opinions. But in that neutral role, it's uncovering that stuff. So everybody's clear that this is done in a forensically sound manner by somebody who doesn't have a, you know, a dog in the fight either way. And we're just reporting what the facts are. 


Yeah. I mean, I think I've seen engagements that have at one time or other probably touched on all five. You know, the case starts off as a single party, single device. And before you know it, you have multiple parties, devices, companies involved now. So we can go back and forth from single-party experts providing opinions to dual-party neutral to, you know, the scenarios, you know, are always evolving. All right, so I think the next area to get into is, again, assuming that, you know, not assuming, excuse me, that people are going to be completely aware of how this whole process works, is to talk about the process of collecting a phone. Since we're talking about mobile forensics today, I want to talk about collecting a phone and what goes into that and the practicalities and what has to happen in order to make this work. You know, I don't think it's a surprise to anybody that people do not want to be without their phones for any longer than necessary. So the collection methodology of getting a phone has some nuances and scheduling issues, if you will, that are more unique than compared to, say, a computer or server or something like that. 


So let's talk first about a couple different ways that, you know, phones are typically collected. We have on-site and we have remote. Can you talk about the, the wording of each is fairly obvious, but talk about the steps that go into performing either one of those. So the two sets of devices, computers and mobile devices, now are very different as far as extracting data. You know, mobile phones are designed to behave in a very specific way, to relinquish their data in very specific and, you know, protected, locked-down, secure manners. Computers are catching up, you know, with disk encryption and whatnot. But, you know, we used to be able to take a computer, pull the hard drive out and make a forensic copy short of needing any passwords, things like that; that's changing a bit. But going back to mobile forensics, you know, the cell phones, there's still a level of interaction that needs to be done to extract data from the cell phone for digital forensics. It's changing a few settings, unlocking the device. 


That's an important one. We'll touch on that later. We know one of the capabilities that law enforcement may have that people like us, you know, do not is the ability to unlock certain devices. So with regards to, you know, mobile devices, what you're looking at is, I'm always telling people, hey, they're built on a bunch of databases. 


These databases need to talk to each other. What we're doing is connecting your phone to a computer that has forensic software on it. We're going to extract those databases. The software is going to help us put everything back together and make everything nice and searchable, filterable to allow us to do our analysis. 


That's the extent of a mobile phone collection these days. And how does doing it remotely versus on-site differ? So remotes are a little different, and that's specifically with Android devices. You know, a number of settings need to be changed to just allow the phone to communicate with the software. iPhones are a little more straightforward, but again, it's not just connecting a USB cord to a computer and hitting a button, and, you know, there is some interaction with it. Like I said, the passcode is required, normally multiple times, you know, settings need to be changed. And, you know, once the extraction is finished, it needs to be verified, you know, make sure you got everything correctly. And so, going to a point you just made, or a comment you made, you need a passcode to access a phone. Is that correct? I'd say for 99.9% of devices out there these days, and the percent that I'm not hitting on are basically those older devices that haven't been updated in years. 


You know, Apple at some point stopped updating the iPhone 6. There's now vulnerabilities in some of that software that, you know, we can get access to those devices better than we can, you know, one brand new out-of-the-box today. 


So if somebody comes to us and says, hey, I have a client who's got a phone or phones, or I've got a company that has multiple phones at various places, you can go to the phone, plug it in and, with passcode access, do the necessary setting changes if required, or plug it in. And this forensic software can then access the phone, copy data off to make a forensic image of the phone remotely by essentially doing the same thing but sending a computer to someone that they plug in, and you remotely do the changes yourself as much as you can. Sometimes, to your point, on an Android phone, they may have to go into the settings and change things that you couldn't do without physically being there. 


What's the typical length of time that you tell people they're going to be without their phone in order to collect it? I'd say I usually tell people these days to expect an average of, you know, two to four hours. But a phone can very likely finish in half an hour. But I've also had one push 18 to 20 hours. It depends on, you know, a few variables, number one being the size, the capacity of the phone. Second of all, how much of that data is actually being used. 


And the third is the speed of the device. So as these devices are getting newer and, unfortunately, they're getting larger, they're also getting faster. So there is kind of a trade-off between, you know, these large, I think the largest iPhone you can buy now is a TB in size. 


6 to 7 years ago, I think 128, you know, was the size. And the more space you give people, the more they'll use it. That's what I'm, you know, noticing across, you know, some of these devices is, yeah, you know, I have 10 years of pictures on this device because the space is there, so why should I be concerned about it? So you're starting to see the length of the amount of, not necessarily the length of time required for extractions, but more maybe the length of time required for analysis, because there's all this extra data. So those are some of the scenarios we're running into now, but it would be rare, even in the instance where you mentioned where someone had a one-terabyte phone, which is one of the largest you can get, largely filled with probably videos and photos and whatnot, that somebody would be without their phone for longer than the day. Yeah, that was an extreme circumstance. You know, in scenarios where I tell people, hey, you know, if you want to send the phone to our lab, I can more often than not get the extraction done the same day so I can send it back to you. 


You know, we're talking about, in a scenario like that, someone may be without their device for 48 hours. You know, otherwise, you know, it may be quickly done over, you know, lunch or a cup of coffee or, you know, half of the day. We try to get as much information ahead of time, knowing that people don't always know, you know, what model phone they have, how much storage they have, all that kind of stuff. 


Best guess is all I can do in some scenarios. Now, when you're asked to forensically image a phone like we're just describing, whether it's remote or on-site, do you get people who initially inquire about only targeting certain things on the phone? Even though, let's say, for instance, somebody says, look, what we're worried about is text messages on this phone. So just get the text messages. What's your response to them, typically, when that's the kind of request you're getting? So in some scenarios, targeted collection is possible. And even in scenarios where it's possible, it's not always recommended. You know, first of all, like I mentioned before, you know, these phones are built on, you know, dozens of databases that kind of, you know, communicate and interact with each other. By trying to target, you know, specific messages, you know, specific data, you know, maybe just a subset of messages or phone logs, you know, you're really limiting yourself and, you know, the software's capability to, you know, show you the whole picture of what the data looks like. 


Second of all, the biggest thing is that at any point you need to go back and alter, you know, the original scope of that collection. Hey, you know, oh, we wanted messages and videos or we wanted, you know, messages from April and March, not just April. At that point, you have to go back and basically start from scratch. It's always best practice to, you know, whenever the parties agree to it or the court orders it, that we're capturing every bit of data that that phone is willing to relinquish in order to get a whole picture of, you know, what's actually happening. And another question that I think comes up fairly often is, and you and I looked today to see what, what some statistics are on this, but there's still a majority of people are iPhone users over Android and, and between an Android and an iPhone, I think that accounts for, you know, the vast, vast 95 plus percent of devices that are in use out there. And almost everything you see today is some version of a smartphone. And I think we saw that statistically, 60% of people are using iPhones and the other 40% are using Androids. 


Is that close to what you see or do you see it even tweaked closer to more iPhones than Androids? Yeah. So that 60/40 split is American usage. And I'd say it's about accurate. I was going to guess, you know, maybe 2/3 of the phones I come across are of iPhone branding. 


Not seeing too many non-smartphones or proprietary or even a third party, you know, Taiwanese or Chinese, you know, knock-off brand phones anymore. More often than not, people have a legitimate Android or iPhone these days. All right, so now we're going to get into some specifics about mobile forensics and just get into giving some people things, questions that we commonly see pop up or issues that typically arise in cases so that we can explain to people what to expect when engaging in mobile forensics. So the first question to you is just generally speaking, what, what can a forensics examiner actually access on a phone nowadays? So, you know, you're left with a lot of logic, a lot of logic, you know, I'm going to call it low hanging fruit, but you know, obvious categories, messaging data, call data, voicemails, pictures taken, you know, videos taken, things like that. You know, that data in general is able to be extracted, you know, pretty thoroughly. 


You know, if it exists on the phone, we'll get a copy of it in the extraction. And then you kind of move into some more limited data categories. 


Locations would be a good example. You know, it's quite what you might see on TV or movies. You know, these phones aren't tracking where you are every single second of the day. It's more spotty, you know, artifacts of, hey, the user was in this location and connected to a Wi-Fi or, you know, performed a Google Maps search to go to this location. So your location data is, more or less, limited to what the user decides to enter into the device or interact with. 


You know, I've had devices where the user was running a GPS software to, you know, track their significant other. This was, you know, a mutual thing. And you know, we were able to go into that software and basically next show where they were at any given moment on any given day and time because they were running the software. Now people that aren't running the software, that don't expect the same amount of location data, another set of, you know, restricted or limited data these days is Internet history. You're seeing a lot of browsers, you know, even the Safari built in to all iPhones these days, the default browser history is only being stored for 30-60 days. 


The user can always go in and change that. But you know, by default, these are the new settings. So, you know, it has to be known to people. Hey, if we're, we're dealing with a matter from a year ago and you're concerned about an Internet search, temper your expectations because, you know, based on timelines, we aren't expecting to be able to go back and see data from that long ago. And then there's kind of the last third subsection, which is stuff that's near impossible to get these days, a lot of that in modern devices is deleted data. The devices function so differently than they did years ago. The ability for an examiner like me to recover deleted text messages, photos, Internet history, as you know, anything like that is severely limited. Now it's a matter of hours and days where it used to be weeks, months or years. So, yeah, there's a lot of data sources that can be extracted to varying levels of success, I'd say. 


Now we get the question all the time. Can you get the emails off the phone? Because you can see them on your phone. So you say they're there, I see them. Is that accurate because you see them on your phone that they're there and therefore they can be collected? Yeah, this is a frustrating one to explain to people. I mean, particularly with, you know, how an iPhone works. 


It stores your email data in a, I wouldn't say super encrypted, area of the device and also the iPhone itself is not designed to relinquish any data from that encrypted area. Now it doesn't make sense to someone that it, when I explain, oh, if we want to get email off of a phone, we need to go to the email account itself because you can just pull up the phone and look at the email. That data I explained is not extractable. 


Even if it was, to the extent it's so encrypted that we can't make sense of the software, we can't make any sense of it. So those are kind of some things you run into that may, may not make logical sense, but because of tech, you know, the technological limitations, that's the real world scenario we're working with. 


And, and these limitations you just described in some of these areas, deleted data, you know, your ability to, to look at location data and things like that. Has that changed significantly on phones of today than say phones of five or ten years ago when, when computer forensics on mobile devices was really starting to come to be? Yes. The two factors of, you know, what's pushing these changes are the, you know, that the manufacturers themselves are pushing a lot of these security, you know, implementations, which is great for the end user, you know, protecting the user's data as much as possible and acting encryption whenever possible. 


The other thing is that the technology itself has changed. You know, the chips used to store data these days, where it used to be spinning rotors and whatnot, are now stand alone chips which behave with how they handle, you know, deletion requests much different than the old school hard drives. So, you know, you're kind of seeing a multi-faceted, you know, change in the abilities of examiners like myself to, you know, recover some of this deleted data because of these. Now, oftentimes we'll, we'll get involved in the matter and, and the relevant time period that we're asked to analyze can be, can be, you know, fairly large. 


Let's say it's over the course of a year or two years. And in this time frame someone may have upgraded a device, switched phones or things like that. Can you talk a little bit about what happens to people's data, device data and things like that when they upgrade a device or what happens if they switch devices? You know, what, what, what kind of things do you need to take into account for that? So, the days of getting a new phone and, you know, going to the store and buying a new phone, saying, hey, port over, you know, everything from one to the other. 


It's gone to the extent that what we're seeing now is you now have accounts that are tied to all your information. I, if I have an iPhone, I'm going to have, you know, an Apple ID. This Apple ID is going to be the account that retains, you know, the messages I want to transfer to my new device, the, the images, you know, contacts, things like that. So now you're looking at accounts, not necessarily devices. So it's if someone goes out and gets a new device, a lot of that data from previous devices is, is going to get carried over, but a lot of it isn't. What isn't is going to be a lot of the, you know, the activity logs on the device, you know, what was the phone actually doing? You know, what Wi-Fi was it connected to at this time? You know, location data, that's not going to go from, you know, new device to new device. 


So, you know, a lot of times it's, it's important to just get a, you know, a litigation hold out, you know, a notice out there, hey, keep this device or go get a new number, set up a new device, but you know, leave this other one untouched until we can get it forensically analyzed, things like that. All right, so we're going to work on moving on to a different area here for a minute. You mentioned earlier in our discussions or touched base on the fact that law enforcement may have different access to tools or capabilities than you do or we do as private investigators and or forensic digital investigators on the civil side of things. So can you just talk a little bit about what some of those differences are to let people know where our limitations lie in terms of the software we have access to? Yes. So law enforcement, government agencies, their software is capable of things that the versions that we're working in the, you know, civilian sector do not have access to. 


Most of that pertains to getting access to locked devices. There are services available to law enforcement, government authorities where they can send devices to labs that will unlock the phone for thousands of dollars, requiring a court order. I cannot even initiate that process. I cannot even be involved in that process. As far as, you know, civilians like us are concerned, it doesn't exist. 


So in the cases where, you know, some of these matters might be, you know, criminal related, law enforcement may be able to provide services that that we just simply cannot do these days. 


So when someone sees something in the news that they cracked the phone or they did XYZ, they should be keeping in mind that, you know, government agencies may have tools, certainly have tools that we can't and don't have access to. What's available to me will lag behind what's available to law enforcement by a multitude of years. I mean, now we as a civilian can get into something like an iPhone 5, iPhone 6. Those haven't been made in 10-12 years. Very few and far between do you see them out there? It's specifically un-updated. So a real world scenario. A modern phone without a passcode, you know, someone like me probably can't do anything with it. 


Law enforcement may have more luck. All right, so we're going to touch base on phone communication data. I think, you know, people understand texting, phone logs, you know, they are showing when calls are going back and forth. 


That's pretty self-explanatory. But there are a couple nuances in here that I want to touch base on. And one of them's apps. I think we've all seen an incredible rise in the number of apps that are both available and being used on phones. And a lot of these apps are communication applications. So it might be something like Snapchat or Instagram or, you know, any, could be TikTok as an example. 


All these apps that are installed on phones potentially become communication devices. And can you just talk a little bit about first, when you look at a phone, how do you determine how active somebody is on this phone, what is it that they're doing, because that leads you to determine where you should be spending some time and looking at their use on this phone. Is that correct? Yes. So I mean, more often than not, I'm, I'm, you know, interviewing the user of the phone, you know, asking them, hey, what do you use on a daily basis, to kind of get an idea of, of usage, you know, potential apps and everything. But then after the extraction is complete, you know, we're going through the list of installed applications to identify any, any of them that may be potential communications. You know, some of these third party apps that we're referring to, you know, Signal, WhatsApp, are becoming more popular, especially I'm seeing in the business realm, especially in international business, because these messaging protocols themselves lend themselves to be, you know, kind of easier and more secure than your standard text messaging. 


But what you're seeing is all these apps behave differently and, and sometimes even messages within the same app behaving differently. For example, using Snapchat, I could send a standard message that never expires that we can recover from someone's phone. Or I can choose to send an expiring message that, you know, after 24 hours, that message, you know, more or less gets deleted. 


We may have records that that message existed at some point, but we wouldn't have the content of that message. Now other apps like Signal, which feature end to end encryption, we're not going to have anything. We may be able to get the username of it, the account that was associated with it, but all that data is stored in the cloud somewhere or it's encrypted so much that, you know, it's not even possible to determine that, you know, messages were being sent or used. So there really are so many variables. And also to throw in that, you know, every time an app gets updated, it may behave a little differently every, an app may behave differently on an iPhone versus an Android. Too many variables to even say at the beginning of a case that, Oh yes, I'm sure we can, we can do this. If you know, a lot of times it's a case of we'll have to see what we're working with first. 


So along the lines of communication, text messaging is still a very prevalent and probably in a lot of cases the, the preferred way of communicating, even on company time. You, you see text messages have sort of supplanted emails in terms of instant communications and sort of more reflective of what's happening at any point in time. But there are some nuances with text messages that you have to be aware of that, that you can come across. And two areas I'd like to sort of tie together at the same time are when you have text messaging between Apple to Apple devices, so iPhone to iPhone, iPhone to Android. And how is this also reflected in cell phone carrier logs? And, and we'll need to explain what those are, but this is an area that we've seen several times. It gets very confusing. 


Can you talk about that general topic, texting between devices and cell phone carrier logs? So in the universe where two types of cell phones exist, iPhones and Androids, iPhones message using a protocol called iMessage, and iMessage is only capable of working between two iPhones. So therefore when an iPhone user sends a message to another user, by default that would occur under an iMessage. 


All of that activity is occurring through Apple servers, not Verizon, not a cell tower, not anything like that. 


On the other hand, if an iPhone's interacting with an Android or an Android's interacting with another Android, it's using a standard text messaging protocol called RCS. 


These days, those activities do occur through the cell phone carrier. You know, where this is important is if it comes time to subpoena, you know, the carrier for messaging data. You know, a lot of times it's, hey, we didn't see any of these messages we were expecting to see. We had Verizon send us all the mess, all the messaging data. Well, you didn't consider that iMessages won't show up in a Verizon report. You need to specifically subpoena Apple for that iMessage, you know, data. 


And not only that, but you may have the iPhone messaging data that doesn't show up in the carrier report. But what is it that you actually get from the carrier report? Is it a complete listing of all the content of text messages if Androids are involved? So using Verizon as an example, these days Verizon stores text messaging details, you know the actual content of it for a period of seven to 10 days. I've never been engaged in the matter of seven to 10 days, specifically in civil matters. 


After that seven to 10 days, you're left with maybe a year, maybe two now of details that a message took place. You know, the number that it was from, the number that it was to, maybe the size of the message, but you're going to lose all content. These reports are kind of useful in determining if messages were deleted because I mentioned before that you don't even get a message, you don't even get a notification that, you know, something's deleted on some of these devices these days. So by comparing the, you know, cell carrier report to the device, that's a good way to show that your messages were effectively deleted from the device. All right, so another area you touched upon is location analysis. It used to be, and I would teach CLE classes on this, that you could go into a device and you could kind of see. I described it as the Family Circus map where you can see where little Billy went all day when he was running around his yard. And, and, and what would happen is under the location services on an iPhone, for instance, if, if you had this stuff turned on, it would sort of tag every time you went to, you know, certain locations throughout the day and you could really see where people were at different points in time. 


That kind of stuff has largely been shut off unless someone's using an app for it. But there are other ways you can tell where someone has been over time since we were talking about it. Cell phone tower data is still a possibility of triangulating positions between cell phone towers if you get cell phone records, but talking specifically about mobile devices and what you can find on a device itself, what are some areas again, just expanding upon it a little bit, that you can find potentially location information that can be useful in, in modern devices? The biggest ones that jump out are the specific Google searches, you know, using the maps, either the Apple Maps app or Google Maps. There's things stamped in there, Wi-Fi connections, you know, did that connect to Starbucks down the street? Those kinds of location artifacts are still showing up. But all the background data of, you know, specifically even the cell tower data, I mean, that used to be extractable from the device itself. 


Now if you need that information, you're going to subpoena the carriers for that because the phone doesn't want to relinquish that data anymore. What about photographs? Do they ever contain GPS data or, or some type of reference to where they were taken? So photos and media are a great source of location data by default. These devices, you know, when you take a picture, it's also snapping when the picture was taken. What was the resolution? Maybe what was the brightness? All this additional metadata you don't think about. 


Some of the most common in photographs is, you know, GPS location data. I've seen devices before where we don't have any sort of location information available because of GPS usage or searches or anything like that. But we have a series of, you know, photographs throughout the day or at a specific location that can pinpoint a user to a specific spot at a specific date and time. And our last topic for today's episode is talking a little more about distracted drivers because I, I think, you know, in any major accident, the possibility that there's distractions happening on a cell phone is something to consider. And certainly, you know, we've all seen people out there texting or watching things on their phones or doing whatever with their phones when they should be focused on their driving. So it's not an uncommon thing. 


Can you just talk a little bit? And you touched base on this earlier, but talk a little bit about how you've seen cell phone usage. You mentioned the Netflix streaming, you know, with the truck driver and determining what was happening at the time of his accident. Have you seen other data along those lines that has come into play determining whether or not somebody was actively involved with their phone at the time of an accident? Yes, because, you know, this is becoming a more common request, you know, sometimes it's just, you know, I'm able to go in and determine that it doesn't even look like the phone was on or the phone had, you know, no activity for an hour before the accident until, you know, the user called 911 after the accident occurred. But, you know, there's scenarios where, you know, we've definitely, you know, gotten some really good usable data. You know, one example, which also ties into what we can do with older phones that we can't, you know, necessarily do with modern devices. 


A case I worked on recently was a fatal accident that occurred years ago. It was an iPhone 6, which was already 8 years old at the time, had not been updated in years. Because the phone was so old and so not updated, we were able to extract, you know, way more information than we would typically see. Information including, you know, some of the regularly visited, you know, GPS locations, information like which application was actually being shown on the screen at the time, things you would almost never expect to see in a modern investigation. I think in this device, you know, we were able to determine that the user was very likely drafting an email at the time of the accident. 


You know, there's also considerations on, you know, how far of an investigation do you want to go, and you may be concerned with an hour before the accident or do you maybe want to see, you know, driving or lifestyle patterns a month before? You know, was this user visiting, you know, places frequently? Were they watching videos? You know, kind of a more common occurrence before this accident. You know, things like that. It can really expand the investigation. All right, Jeff, well, we covered a lot of areas today and I'm sure there are lots of other things we can talk about, but that's plenty of material to give people for episode one of our Data Discourse podcast. So I want to thank you for your time today. We look forward to talking about additional forensics items in the future and future podcasts, including our next episode where we'll be discussing computers, social media and the Internet of Things. 


I hope everybody can join us. Thank you for listening today. And if you ever have any questions, please reach out to us. Jeff and I are happy to discuss any questions or your cases with you. 


Thanks everybody. Thank you.