laurence d. lieb, ccpa, managing director haystackid llieb ... · some deleted evidence can be...

Laurence D. Lieb, CCPA, Managing Director HAYSTACKID [email protected] | 312.613.4240

Post on 05-Feb-2020

Laurence D. Lieb, CCPA, Managing Director [email protected] | 312.613.4240

Discovery Depositions Decisions

HAYSTACKID.com | 877.942.9782

Best Practices For Addressing Smartphones in Civil Discovery & Reasonable Attorney-Client Communication Security Measures

Larry Lieb, CCPA, Managing Director

HAYSTACKID

Class Ground Rules

• Class content is for educational purposes only and does not constitute legal advice.

• Questions posed by and opinions offered by class participants are for the sole purpose of improving today’s class’s educational value and do not constitute legal advice.

• Please Participate with the Chat Feature!

• Start and End Codes to prove attendance (Ohio)

• Please mute your audio.

Larry Lieb, CCPA

• Michigan P.I. License #3701206704

• Cellebrite Certified Physical Analyst (CCPA)

• Fluent in Japanese. Performed Forensic Collections in Japan.

• Worked in Computer Forensics and Electronic Discovery since 1998

• Qualified as a computer forensic expert in both Federal and State courts

Agenda

• Smart Phones as File Cabinets with Locked and Unlocked Drawers

• Mobile backups of Smartphones

• Categories of Recoverable Evidence

• Location Based Evidence

• Building Timelines

• Bring Your Own Application (“BYOA”)

• ESI Liaisons, ESI Protocols & The Evidence Map

• Agreed Order to Address Privacy Concerns

• Reasonable Attorney Client Communication Security Measures

Smartphones are Basically Big File Cabinets

All Smartphones Contain 10 Basic Cabinet Drawers

1. Contacts

2. Call Records

3. Voice Messages

4. Email and Text Messages

5. Documents

6. Calendar

7. Internet Browsing History

8. Songs, Photographs and Movies

9. WiFi History

10. Social Media (Facebook, Instagram et al)

By Default, Some Cabinet Drawers are Locked

Apple and Google sell their phones with locked drawers that are inaccessible to the end user as a security measure. Only Google or Apple own and have access to the keys that can unlock your phone’s locked drawers.

Some end-users choose to remove this security measure by “Jail Breaking” or “Rooting” their phones.

Jail Breaking/Rooting is the process of changing all of the locks and keys to your phone, which allows one to access all locked cabinet drawers.

Contents of the Locked Drawers

• Sensitive information such as passwords and credit card information.

• Some categories of deleted information.

• System files that support the normal usage of the smartphone.

“Jailbreaking” or “Rooting” a phone can allow a malicious application to access the content of these formerly locked drawers!

Some Deleted Evidence Can Be Recovered From The Unlocked Drawers

• iPhones store incoming and outgoing SMS text and iMessage messages in a file called SMS.db.

• The “SMS.db” file is stored in one of the iPhone’s “unlocked” drawers.

• When an end user “deletes” an iMessage, the “deleted” message is not destroyed, but simply made invisible to the end user. Forensic tools can recover these deleted messages easily.
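
Why a “deleted” row can stay recoverable in a SQLite file such as SMS.db, shown as an added example that is not part of the original presentation. The table layout and message text are constructed for the demonstration and are not Apple's actual schema; the code deletes a row and then compares what a query returns with what is still in the raw file bytes, with SQLite's `secure_delete` setting off and on.

```python
import os
import sqlite3
import tempfile

DELETED = "wire the deposit before Friday"  # constructed message text


def delete_and_inspect(secure_delete: bool) -> dict:
    """Delete one row, then compare what SQL returns with the raw file bytes."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed database; the table is an assumption, not the real SMS.db schema.
        path = os.path.join(workdir, "sample_messages.db")
        conn = sqlite3.connect(path)
        # Set explicitly because the compiled-in default differs between builds.
        conn.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
        conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, text TEXT)")
        conn.executemany("INSERT INTO message (text) VALUES (?)",
                         [("running late",), (DELETED,), ("see you tomorrow",)])
        conn.commit()

        # The user-visible "delete".
        conn.execute("DELETE FROM message WHERE text = ?", (DELETED,))
        conn.commit()
        visible = [row[0] for row in conn.execute("SELECT text FROM message ORDER BY id")]
        conn.close()

        # What a byte-level examination of the file still sees.
        with open(path, "rb") as fh:
            raw = fh.read()
    return {"visible": visible, "residue_in_file": DELETED.encode("utf-8") in raw}


if __name__ == "__main__":
    for setting in (False, True):
        print("secure_delete =", setting, delete_and_inspect(setting))
```

With `secure_delete` off the freed record is only unlinked from the table, so its text remains in the page until that space is reused; with it on, SQLite overwrites the freed bytes with zeros.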

Practice Point

• Laptop and desktop computer hard drives do not come from the factory with drawers that are locked and inaccessible to the end user. This allows for forensic search and recovery of all possible deleted information.

• Smartphones come with inaccessible locked drawers as security measures to protect the phone owners.

• The amount of evidence, such as some deleted information, that can be recovered with forensic tools is more limited with smartphones.

Three Locations From Which Smartphone Evidence Can Be Recovered: The Device Itself, Mobile Backups on Personal Computers and Mobile Backups in The Cloud

A Complete Backup of One’s iPhone in iTunes or Apple’s iCloud

iDevices are backed up to Apple’s iCloud storage by default.

iTunes file cabinet drawer locations on computers:

• Mac: ~/Library/Application Support/MobileSync/Backup/

• Windows XP: \Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\

• Windows Vista, Windows 7, Windows 8 & Windows 10: \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\

Examples of Evidence Stored in iTunes and iCloud Mobile Backups

• Photos, Contacts, Calendar, Internet Browsing History, Notes, Call history, Messages (iMessage and carrier SMS or MMS pictures and videos), Voice memos, Network settings (saved Wi-Fi hotspots, VPN settings, and network preferences), Email account passwords, Wi-Fi passwords, and passwords you enter into websites and some apps, Map bookmarks, recent searches, and the current location displayed in Maps.

(http://support.apple.com/kb/ht4946)

Practice Point

Even if your client’s former employee took their personal iPhone and/or iPad with them when they left to work for a competitor, if the employee synchronized their personal iDevice with your client’s computer while working for your client, you have access to that iDevice; no subpoena required! Forensic software can recover deleted voice messages as well as deleted text messages from Mobile Backups.

Examples of Smartphone File Cabinet Drawer Contents

Photograph Drawer Details

Call Records Drawer

Text Message Drawer

Location Based Evidence

Photos and Facebook Message Locations

Map Queries

Location Based Evidence War Story

Investigation of client’s former employee’s iPhone revealed multiple meetings at opponent’s headquarters in the months prior to former employee’s resignation.

Signing into a Wi-Fi network creates a time/date/location stamp on a workstation.

Location Based Evidence Practice Point

Forensic analysis of two apparently unrelated parties’ smartphones and laptop computers could reveal location-based evidence that could establish that a relationship does in fact exist.

Example: Party A’s smartphone connected to the Starbucks Wi-Fi in Party B’s office building on dates both parties were at the same address.

Timelines & Chronological Photography Reports

Chronological Photography Reports

• In most construction projects, large numbers of photographs are taken of the job site in dispute.

• In construction delay claims, a chronology of events is created so that analysis can be made as to how well a project did or did not adhere to a “critical path”.

• War Story: A forensic tool easily segregated out all photographs from a large construction claim related discovery population of files provided by the plaintiff.

• The forensic tools then extracted “EXIF” metadata from the photographs, such as the camera make, camera model, and most critically, the “Date (The Photograph Was) Originally Taken”.

Chronological Photography Reports (Cont.)

• The EXIF metadata revealed:

• 27 different camera makes and models

• 3 different smartphone cameras were used to take some of the photos

• The Original Date each Photograph was Taken

• A Chronological Photography report is created by sorting all photographs from the oldest date taken to the newest date taken.

• The Chronological Photography report then revealed:

• The names of people who took the photographs and their roles in the project.

• A story unfolding in Chronological Order:

• C:\My Documents\Pictures\Original Job Site Before Groundbreaking\

• C:\My Documents\Pictures\Photos of The Leaking Sprinklers\

• C:\My Documents\Pictures\Photos of The Repair\
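
The chronological photography report described above, sketched as an added example (not the presenter's tool or code): a minimal reader for the EXIF make, model and “Date Originally Taken” tags, followed by the oldest-to-newest sort. The folder names are the ones on the slide; the file names, camera models, dates and the tiny sample JPEGs are constructed.

```python
import struct

TAGS = {0x010F: "make", 0x0110: "model", 0x9003: "taken"}  # 0x9003 = DateTimeOriginal


def read_exif(jpeg: bytes) -> dict:
    """Pull make, model and DateTimeOriginal out of a JPEG's APP1 Exif segment."""
    pos = 2  # skip the SOI marker (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        size = struct.unpack_from(">H", jpeg, pos + 2)[0]
        body = jpeg[pos + 4:pos + 2 + size]
        if jpeg[pos + 1] == 0xE1 and body[:6] == b"Exif\x00\x00":
            try:
                return _read_tiff(body[6:])
            except struct.error:
                return {}  # truncated or corrupt Exif block
        pos += 2 + size
    return {}


def _read_tiff(tiff: bytes) -> dict:
    endian, out = ("<" if tiff[:2] == b"II" else ">"), {}
    def walk(ifd: int, depth: int = 0) -> None:
        (count,) = struct.unpack_from(endian + "H", tiff, ifd)
        for i in range(count):
            entry = ifd + 2 + 12 * i
            tag, typ, n, value = struct.unpack_from(endian + "HHII", tiff, entry)
            if tag == 0x8769 and depth == 0:  # Exif sub-IFD pointer, followed once
                walk(value, 1)
            elif tag in TAGS and typ == 2:  # type 2 = ASCII string
                start = value if n > 4 else entry + 8  # short values sit inline
                out[TAGS[tag]] = tiff[start:start + n].rstrip(b"\x00").decode("ascii", "replace")
    walk(struct.unpack_from(endian + "I", tiff, 4)[0])
    return out


def make_sample_jpeg(make: str, model: str, taken: str) -> bytes:
    """Constructed test input: Exif segment only, no image data (strings > 4 bytes)."""
    m, d, t = (s.encode("ascii") + b"\x00" for s in (make, model, taken))
    def entry(*fields):
        return struct.pack("<HHII", *fields)  # one 12-byte IFD entry
    # Layout: TIFF header 0-7, IFD0 at 8 (3 entries), Exif IFD at 50, strings from 68.
    ifd0 = (struct.pack("<H", 3) + entry(0x010F, 2, len(m), 68)
            + entry(0x0110, 2, len(d), 68 + len(m)) + entry(0x8769, 4, 1, 50) + struct.pack("<I", 0))
    exif = struct.pack("<H", 1) + entry(0x9003, 2, len(t), 68 + len(m) + len(d)) + struct.pack("<I", 0)
    app1 = b"Exif\x00\x00II" + struct.pack("<HI", 42, 8) + ifd0 + exif + m + d + t
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def chronological_report(files: dict) -> list:
    """Sort {path: jpeg_bytes} oldest first; EXIF dates are fixed-width, so text order is date order."""
    rows = []
    for path, blob in files.items():
        meta = read_exif(blob)
        if "taken" in meta:  # files without an EXIF date are left out, not guessed
            rows.append((meta["taken"], meta.get("make", "?"), meta.get("model", "?"), path))
    return sorted(rows)


SAMPLE = {  # constructed files; the folder names are the ones on the slide
    r"C:\My Documents\Pictures\Photos of The Repair\IMG_0003.jpg":
        make_sample_jpeg("Canon", "EOS 70D", "2014:06:02 10:15:00"),
    r"C:\My Documents\Pictures\Original Job Site Before Groundbreaking\IMG_0001.jpg":
        make_sample_jpeg("Apple", "iPhone 5", "2013:03:11 08:30:00"),
    r"C:\My Documents\Pictures\Photos of The Leaking Sprinklers\IMG_0002.jpg":
        make_sample_jpeg("samsung", "SM-G900V", "2014:01:20 16:45:00"),
    r"C:\My Documents\Pictures\scan_no_exif.jpg": b"\xff\xd8\xff\xd9",
}
```

Calling `chronological_report(SAMPLE)` returns the three dated photographs oldest first; the distinct `(make, model)` pairs in the rows give the camera count the slide mentions.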

BYOA: Bring Your Own Applications

The Bring Your Own Application (BYOA) Phenomenon

• Many organizations allow employees to use their own smartphones for work purposes (BYOD).

• BYOD can present difficulties when content on BYOD phones becomes subject to legal holds.

• BYOA represents a greater threat than BYOD as most employees will not disclose the use of a non-approved application.

• Some organizations prevent employees from installing non-corporate approved communication applications on company issued smartphones.

BYOA: Content is Primarily Stored as SQLite Database Files

• Skype chat messages, incoming and outgoing call records, and file transfers made by a Skype account are stored in a file called “main.db”: C:\Users\*Username*\AppData\Roaming\Skype\main.db

• Kik contacts and messages:

• For iPhones: /root/var/mobile/Applications/com.kik.chat/Documents/kik.sqlite

• For Android: /data/data/kik.android/databases/kikdatabase.db

• Forensic tools can recover and provide SQLite content for easy review.

A Combined iPhone Mobile Backup & BYOA War Story

• Anonymous tip accused specific employee of viewing obscene materials at work on a company issued iPhone.

• From a backup of the company issued iPhone found within the iTunes folder of the company issued laptop, I was able to recover Kik (kik.com) messages that included photos of a very private nature.

• The employee had installed the free Kik communication application himself.

• Using my timeline and location tools, I found six instances of inappropriate pictures being sent during work hours on the company issued iPhone while on company property.

• Employee was reprimanded but not terminated.

Agreed Orders To Address Privacy Concerns

Moving to the Offensive: Elements of an Agreed Order

Leveraging evidence recovered from one’s own devices, a Judge may approve a targeted and reasonable search of one’s opponent’s devices. Here are elements to include in such an order:

• Specific devices and accounts to be imaged and examined

• Limiting date range and key word filters

• Privilege review process

• Key word responsive review and production process

ESI Liaisons, The Evidence Map and Litigation Holds

When Working With an ESI Liaison: Required Upfront Direction from the Legal Team

• Beginning and ending dates of the dispute

• The current complaint, answers and defenses.

• Legal tests and/or standards on which the case may be decided.

• Current list of named, known litigants or custodians of electronic evidence.

Categories to Identify, Place on Litigation Hold and Request from Other Parties

• Personal and work provided:

• Laptop, desktop and tablet computers

• Smartphones

• Loose media (flash drives, external USB hard drives, DVD)

• Social media accounts

• Cloud storage (iCloud, Google Drive, DropBox)

• Archive media (Tapes, hard drives, disks)

• Paper files

• Work provided:

• Personal or “home” directories on company file servers (My “J” drive)

• Departmental shared folders on company file servers (“Sales Department Folder”)

The “Evidence Map” Deliverable Contents

• A list of all physical sources of potentially relevant evidence that exist or existed during the relevant time period of the dispute.

• Designation of reasonably accessible sources of potentially relevant evidence

• Designation of sources of evidence that are inaccessible due to unreasonable costs

• Identification of sources of potentially relevant evidence that are literally no longer accessible

• Steps taken to affirmatively enact a litigation hold process

ESI Protocol

The ESI Protocol

• Typically takes the form of an agreement. Some courts have a Protocol Standing Order

• Entered as an “ESI Preservation Order” in Shipes v. Amurcon Corporation 2:10-cv-14943, Eastern District of Michigan, Southern Division.

• Each section is designed to minimize wasted expense in discovery and maximize dollars available for actual substantive legal work.

• Example = Language governing production of color photographs “JPG” files with EXIF metadata intact so that analysis such as the “Chronological Photography Report” can be conducted.

Reasonable Attorney-Client Communication Security Measures

Three Easy Ways to Spy on One Another

• Email Forwarding

• Accounts can easily be configured to auto-forward all emails sent and received to the opponent’s email account.

• Track my iPhone

• Setting up an iPhone to forward physical location tracking information to the opponent’s email account

• Spyware / Key Logging Software

• Tools such as “MSPY”, once installed on a phone or computer, will send all key strokes to the opponent’s computer. A license of MSPY costs only $60.00/year.

Physical Access Questionnaire

Identify compromised computer sources using the handout “Physical Access Questionnaire”.

A. Time Period of Access

Determine the time period during which the other party or parties had access to your client’s accounts and/or devices.

B. Potentially Compromised Accounts and Devices

Help your client determine which accounts and devices he or she had during the time period the “unfriendly” party also had physical access.

Three Communication Privacy Preservation Measures

To cure potentially compromised accounts and/or devices:

• Preserve Attorney Client Email Privacy

From a computer or phone that the opponents have never had physical access to, create a new email account for use with attorney-client communication.

• Clean Smartphones of Infection

Once appropriately preserved, performing a “factory reset” on iPhones and Android phones will remove all spyware.

Assume that one’s laptops and desktops contain key logging software and thus are unsafe for privileged communication.

Possible Scenarios For Your Own Practice

Shareholder Disputes, Dissolution of Partnerships and Cases Involving Family Owned Businesses

Oftentimes these cases involve an “emotional” or “personal” element and perhaps could benefit from talk therapy as much as legal counsel. Certainly most cases involve prior physical access by now warring parties.

Please consider what other types of situations might benefit from a “Physical Access” analysis by you with your client early on so that your opponent cannot be privy to your privileged communications.

Conclusion

HAYSTACKID SERVICES

• Internal investigations

• Forensic collection, analysis, reporting and testimony

• Electronic discovery hosted review services

• Managed review

• International court reporting

• Trial support experts

Larry Lieb, CCPA

EMAIL: [email protected]

CELL: 312-613-4240

Thank You