[Webcast Transcript] Going for the Gold (MEDAL)? Mobile Elite Discovery and Analysis Lab for Android and iOS Mobile Devices

Editor’s Note: On October 20, 2021, HaystackID shared an educational webcast designed to highlight its recently introduced Mobile Elite Discovery and Analysis Lab (MEDAL). This presentation, led by digital forensics experts John Wilson and Rene Novoa also shared detailed considerations for full-file system and physical extractions from both Android and iOS devices, allowing for access into previously restricted areas on mobile devices by digital forensics and eDiscovery professionals.

While the entire recorded presentation is available for on-demand viewing, provided for your convenience is a transcript of the presentation.

[Webcast Transcript] Going for the Gold? Mobile Elite Discovery and Analysis Lab for Mobile Devices

Expert Presenters

+ John Wilson: As CISO and President of Forensics at HaystackID, John is a certified forensic examiner, licensed private investigator, and IT veteran with more than two decades of experience.

+ Rene Novoa: As the Director of Forensics at HaystackID, Rene has more than 20 years of experience ranging from data recovery and digital forensics to eDiscovery. He has performed many investigations in support of both civil and criminal matters.

Presentation Transcript


John Wilson

Hello, my name is John Wilson, and on behalf of the entire team here at HaystackID, I’d like to thank you for attending today’s presentation and discussion titled “Going for the Gold (MEDAL)? Mobile Elite Discovery and Analysis Lab for Android and iOS Mobile Devices.”

Today’s webcast is part of HaystackID’s regular series of educational presentations to ensure listeners are proactively prepared to achieve their cybersecurity, computer forensics, eDiscovery, and legal review objectives.

Our expert presenters for today’s webcast include two individuals deeply involved in the world of eDiscovery as some of the industry’s foremost subject matter experts on digital forensics. They both have extensive and current experience in supporting all types of audits, investigations, and litigation in areas ranging from criminal activity to departing employee challenges.

First, let me introduce myself. I’m the Chief Information Security Officer and President of Forensics for HaystackID. My name is John Wilson. And in my role, I provide expertise and expert witness services to help companies address various digital forensics and electronic discovery matters, including leading investigations, ensuring proper preservation of evidence items and chain of custody. I regularly develop processes, create workflows, and lead implementation projects, and GDPR data mapping services for our clients, including major financial institutions, Fortune 100 companies, and Am Law 100 law firms. My work spans some of the most significant matters on record in the United States, and many of the 46 countries that I’ve worked on.

Secondly, I’d like to introduce Rene Novoa, currently serving as our Director of Forensics at HaystackID. Rene has more than 20 years of experience, ranging from data recovery and digital forensics to eDiscovery. He has performed more than 200 investigations supporting civil and criminal matters. He is also an acknowledged expert in data acquisitions, ESI collection plan support, and supports efforts ranging from forensic analysis to complete remote collections.

We will record today’s presentation for future viewing. A copy of the presentation materials will also be available for all attendees directly from the BrightTALK platform, accessible under the presentation viewing window.

At this time, let me turn this over to myself and Rene and we will begin the presentation.

Rene Novoa

Thank you, John.

Core Presentation

John Wilson

So, today, we’ll talk about challenges in the mobile device discovery world, what’s happening, what’s the current topical issues and challenges. We’ll get into some specifics around the – specific constraints around mobile and… Android devices and iOS devices, and then we’ll talk about our Mobile Elite Discovery and Analysis Lab, our new service offering from HaystackID. And we’ll talk about some of the technical considerations and the challenges and other factors that you need to consider to decide if using the MEDAL service is appropriate for a case. And then we’ll actually talk about some of the use cases, some of the approaches and the impacts all of that can have on your investigations.

So, the challenges of mobile discovery are great and varied. You may have to use multiple tools, multiple processes, multiple workflows on mobile devices. Five, 10 years ago it was I’m going to connect to the one tool, I’m going to make an image of the device, and away you went. You pretty much considered that a complete thing.

Rene, do you want to talk a little bit about mobile device discovery?

Rene Novoa

Yes, absolutely. Thanks, John, and welcome everybody to this webcast. I think this is an important topic, as we’re always finding challenges in our mobile device discovery. The changes have increased over year-to-year, month-to-month, and day-by-day. When we say multiple tools, what we really mean is a multiple approach scenario as to how we’re collecting the data, how we’re being able to preserve information from mobile devices.

With the constant need for security, both from app developers and manufacturers, both with Apple and Samsung and other Android devices, it has made our job a lot harder to just dump the data, or just have IT just dump the phone. I know that was a common term that a lot of law enforcement would say is, “Just dump the phone and we’ll go through it later”. We no longer can have that approach because of the so many different challenges and apps, and how we approach each mobile device and each investigation.

So, things are becoming a little bit harder, and we’re having a lot more data to deal with. So, when we talk about a multiple approach scenario, we do collect the data, we do like to dump as much data as possible using whatever forensic tool or whatever method that may be there, but do you get all the data? Do you have access to all the data? We’ll get into a lot of messaging apps where whether you collect that database, or you collect those messaging apps from the mobile phone and you’re able to see those chats and those messages on the phone, are you able to process them and look at them at a later time? And in many cases, the answer is no. So, we have to think outside the box, use more than just using dead phone forensics, in the sense, where we’re putting items into airplane mode, which we’ll get into a little bit later.

But certain examples, we get into applications like Signal and Telegram, and WhatsApp, in almost all cases, there is a multi-approach step to that, not only to collect the data on the phone, but also to collect those messages that are in a readable format that can be produced for investigations, that are extremely important as more and more people are concerned with security and encryption and who has access to their data. And encryption is something that is having to be dealt with on a day-to-day basis, as we start getting to security updates and accessibility.

John Wilson

I’ll just add there when you’re talking about encryption, it’s no longer just, “Is the device encrypted or not?” It’s, “Is the device encrypted? Is the data for the device encrypted? Is the data for the application encrypted?” So, there are multiple possible levels of encryption and security efforts.

And then beyond even the encryption, is the data actually stored on the device, or is it stored out on a cloud server? And so, what repercussions does that have? How do you collect?

I’ll let you continue.

Rene Novoa

No, those are absolutely excellent points. We have applications like WhatsApp that put just additional security just to access your own messages, using your thumbprint to almost authenticate twice on the phone. Will that information be accessible if you were able to collect the device? And then does it make a difference how you collect or dump a phone from an Android or an iPhone? How is that data stored?

So, these are some approaches that we have to use multi-approach. We have to look at every investigation. We have to look at every phone and version every time we go through these collections of discovery.

When we look at security and updates – I was looking at my Facebook app on my phone and realized that I’m on version 340. 340 updates. I looked back at some of our capabilities, we started being able to parse and look at information at version 4.1.1. So, from the start of investigations into Facebook applications, we’re at version 340, the bare minimum. There may be a little bit more, depending on when you’ve updated. But 340 different updates and changes to the API, to access, to adding security features, and we’re having to come up with new solutions for these challenges and for these updates.

We talked about two-factor authentication, getting access to these applications, and security. Applications like Telegram, and like I said, Signal, and WhatsApp are actually having in-application security that is making it harder just to look at those devices just by dumping the information using one tool.

So, it’s more than just a PIN code, it’s more than just, “Hey, this user turned over his phone”, and gain access, we have to look at the additional security that we may be missing if we just dump the phone and just did a report.

For example, maybe in the past, we would say, “Dump the phone, send a report into PDF, we’ll do the searches”. Now, that may be a great approach before, but what is not being parsed? What is not being seen based on security that is not in a readable format. We may have the database, we may have some of the information, but it may not tell the whole story.

John Wilson

Especially when you start talking like Telegram as a specific example. Telegram, the data is hosted in the cloud, but then the secret messages are only stored on the mobile device itself and they’re encrypted. So, you’ve got these complicating factors of multiple tiers of authentication, multiple tiers of encryption across the various applications and devices. And it also is heavily dependent on the type of device, and the make, and the model, and the OS on that particular device can have significant impacts as to whether or not you can collect the data from the device, or you’ve got to look at those alternative methods to determine what the real impact is going to be for your collection.

Rene Novoa

And really, that is the struggle as this multi-approach.. that’s going to be the theme to much of this talk is the multi-approach aspect, and understanding what is being collected, and how to actually go about that collection, and to preserve for discovery, whether you’re going to have to upgrade apps, downgrade apps, which we’ll get into, as to what are we trying to obtain? Are we trying to get the message? Are we trying to look at when applications were installed or changed? And how do we tell that story with one set of collections or just using one tool?

So, we’ll explore that later in this talk, but it’s something to think about as how current mobile device discovery has been handled in the past, and can you afford to keep going down with that same methodology of just dumping the phone and having one single export.

John Wilson

So, Rene, can you tell me, does an MDM (mobile device management) platform affect this as well?

Rene Novoa

Oh, absolutely. MDM can be quite a struggle. Many of the corporate clients that I’m dealing with roll out corporate MDM without really understanding what they’re protecting and how they’re protecting it. Many of these MDMs, when they pull full services can prevent the user from creating a backup, could force – let’s talk about iOS – can force iTunes backups passwords, which the user and the company are not aware of. So, this prevents company information from being backed up to the cloud or to the computer, which is fantastic for security, but it does eliminate our ability to collect information in the normal way by using the data port. We may have to think outside the box. We may have to work with corporate IT to turn off certain features or to remove the MDM, but what implications does that have to the data being collected? Is that data being retained on the phone? Are we able to collect it from the company before the MDM is removed?

So, these are all very important questions when we talk about MDM as opposed to just acknowledging it, but to understanding what is being blocked, what is being protected, what is being prevented from the client – protecting the organization’s critical information.

And not to go back on that, John, but that’s where it works on with the BYOD, where people do not want corporate MDMs, or corporate MDMs are put onto personal BYOD devices. There is a lot of concern in making individuals comfortable, and companies comfortable with employees leaving. When they leave with the wrong BYOD device, what company information is still on there? And if they were to remove the MDM, does it wipe the phone? What are the current policies?

John Wilson

And just to be clear, BYOD is bring your own device, so it’s where an individual brings their own device into a corporation, and some of those corporations may require having an MDM to access the corporate data on the devices, some don’t, some do kind of a hybrid. “Yes, you need an MDM to access specific applications, but maybe you can get email without the MDM.” There are varying levels, kind of a hybrid approach as well sometimes.

And then I want to go back to one thing that you said that I think is really important to understand is some of the MDMs are now being used in a way to help prevent data exfiltration from the organization. So, they’re setting the MDM to encrypt the backups of the device, because they know that that’s how the data gets accessed later outside of the constraints of the organization, so they’re setting that encryption to actually generate a random encryption key that nobody knows, and it’s not stored. So, it’s just a way of presenting that backup from being accessible or usable by the individual or anybody that gains access to that data or device.

And so, that’s really interesting security by obfuscation sort of approach that some companies are using with their MDMs now that adds, again, another additional wrinkle and layer to the challenges of all this.

And then just to go a little further with that, you also have the whole BYOD scenario. What happens when you have an employee that works for you, they use that BYOD device at their previous employer, and maybe they still have fragments of data from their previous employer on there, whether intentionally or unintentionally. Gaining access to that data could then be in violation of various legal requirements or constraints on that employee and/or your company relative to the prior employer. And what about HIPAA data? Family members, people chat with their family members. Does the company have a right to collect the data for chats with their children? What legal ramifications when you’re talking about dealing with a minor? What legal ramifications does that present when you want to try to access that data?

There is really a deep, deep pool of issues and challenges around mobile device discovery that really need to be thought through as these devices continue to evolve, the security continues to evolve and get more complicated. Just the challenges are getting deeper and deeper.

Rene Novoa

Those are some fantastic points, John, and it leads to making sure that initial scoping calls and understanding what is on those phones before they are collected, or before discovery happens, and not just, “Let’s see what’s there”. It’s very important to understand who the owner is, both the user and the owner of the device. How do we get access, and how do we separate that? What are those protocols, as we will talk about later?

While we’re talking about – you’ve mentioned Signal, you’ve mentioned Telegram, we’ve mentioned WhatsApp and those seem to be the highly used applications for communication, but there are so many more out there that are being added and changed in ways that are becoming harder to recognize on a phone, and how do we collect that just from using a single tool or using a single methodology.

Examples of TikTok, which has become quite popular in recent times, even for – not just with teens and young adults, but grown adults are using TikTok and using it as a form of communication. Snapchat has always been there. Applications like Houseparty and currently, Clubhouse, where it is all audio. Just being able to spin up different audio groups and have conversations about so many different things that may be relevant to an investigation.

How do we collect from that? How do you parse that information if that was used to have an application like that? What are the implications of how do we go about that one-tier approach? Do we have to pull that from the cloud?

So, there are so many great questions and applications out there that we need to ask and understand before we can just say, “Dump the phone”.

John Wilson

Yes, definitely, I agree. You’ve definitely got to make sure you have the right consent in place. You’ve got to make sure that you have an understanding of what the needs are for a case or investigation, whatever it may be because having an understanding of what chat platforms, communication platforms were in use on the device can be very important to have a successful outcome, because some of the applications may not show up at all as far as within the tools, because these applications come and go and change so rapidly.

And then I just want to kind of loopback, Rene, talk a little bit more about working outside airplane mode means and having to do live connected to the network, or to the Wi-If, or to the cell signal. Talk me through that a little bit.

Rene Novoa

I think outside of airplane mode is very important. When I was helping with some law enforcement investigations and doing some initial training for mobile forensics, the first thing you do is put a phone into airplane mode, so that remote wipes cannot happen, no phone calls are coming in, and we’re collecting a phone that’s not going to be altered on-the-fly.

That was the old way of doing things, and that’s still currently done in a lot of fashions, and is good best practices. But we’ve mentioned so many things here like WhatsApp, like Telegram, like Clubhouse where it requires additional authentication, and you can’t do that from airplane mode. It has to connect to the network. It has to be validated in some form.

So, we are now asking or informing clients that we are going to turn this phone on, and if there has been a kill switch, we’re taking that risk, and we have to make sure that our clients understand that risk that in order to get that data, we have to be able to authenticate. We may actually have to get the two-factor authentication code sent to the phone to gain access to email, to gain access to other applications on the mobile device, and we can’t do that by putting everything into a faraday bag and working in airplane mode. We’re just dumping – again, dumping the phone of what’s on the phone. We are going to have to turn it off airplane mode, get it into a network, get it onto Wi-If, so that maybe – not maybe, with Android phones, to collect that WhatsApp, we may have to use some QR sync or another type of synchronization that requires Wi-Fi to be able to pull that data from the mobile device, from that database in an unencrypted format.

So, applications like Telegram, when we’re looking at secrets, are we able to see that within airplane mode? Do we have to be able to take photos or use another type of tool to do digital screenshots? Can you get just in airplane mode? Do you have access to all those messages? Is it being stored in the phone or is it being stored in the cloud?

And if that answer is being stored in the cloud, the only way to authenticate is to be connected to a network. Having that SIM card is activated, put that SIM card back into the phone, so that we get connectivity and we can make that determination.

So, no airplane mode is one of the multi-approaches if necessary, depending on what the case is involved. If we’re just looking for basic messages, then yes, we can keep this in airplane mode, we can do our investigation, and we can use best practices. But in a lot of cases, a lot of these corporate investigations or data exfiltration, they’re not using the company text messaging, and the company communication service that it has on the phone. They’re using these other apps that are hard to track, Signal, Telegram, Wickr just to name a few, so we have to think outside the box. How do these apps hide information? And we’re going to have to work within those parameters.

So, getting on the network is a very important part of any investigation to mobile devices to understand what’s there originally, and how do we gain access, especially for online communication.

John Wilson

And I think kind of the last comment really around that is if you do have to do some sort of collection outside of the airplane, it’s really important to understand the impact of the settings on the device, and what may occur. Because there can be wiped instructions, there can be MDM that – if it syncs up the employee has been terminated, the MDM is going to suddenly remove all the corporate applications off the device and all the corporate data off the device. So, you really have to make sure you have a sound understanding of all of the settings and applications that may have impact on going back live on the network.

Rene Novoa

And that might be part of the protocol is collecting the phone once, turning it back on, and doing what you need to do while it’s connected to the network or Wi-If, and then collecting it again at the end. Because during that time, more messages can be received, more information can be deleted. Changes to applications as updates are being pushed or forced, depending on the settings. So, having a baseline, and then having an image afterward or a collection afterward and being able to see the changes may be part of that process. Again, more than just a single collection, more than just a one approach methodology here.

John Wilson

That leads us right into the next slide and talking about that – we always recommend when we’re dealing with these sorts of cases and mobile devices in today’s environment, you have to do that first collection. You take your baseline and then you move to the next level, and then you move to the next level. As things get more invasive, newer security measures are impacted, so you want to have that airplane mode, baseline, logical extraction first, and then you move into the file system, you move into full file systems, and you just keep going down the tree into the more advanced things.

Rene Novoa

Absolutely, and just with all these… we mentioned so many things that are coming out and changing, and we’re being asked to provide solutions for the newest Clubhouse, the newest version of Facebook. And when those requests come in, it may not always be available, the solutions are having to be reverse engineered, we are having to play catchup constantly. It is very rare that we are ahead of an update that may come and how do we parse that, or we do know exactly how to collect that.

So, some of these solutions and multi-step processes, a lot of times want to be done at lunch where people are extremely busy. Dump my phone, and let me have my phone back, I need it back in 40 minutes. And with these solutions and this approach and the amount of data that’s being stored on devices, it’s taking us longer and longer, and being more realistic with built-in timelines with our clients and the custodians.

When we look at companies that have only, historically, dealt with iOS, it’s as simple as just dump the phone, create the iTunes backup, and that’s no longer there. And we look at Android, when you make the image, is WhatsApp part of there like it is in iOS. Are we able to get that – a lot of the information from just a collection?

With Android, we are actually having to use other methodologies, QR codes from the cloud. There are different steps for different phones, and for different versions. Many of our tools have skipped versions where we have accessibility. Part of the application data and part of the solution is understanding the application version and being able to explain that we may have to upgrade, we may have to downgrade applications. What are those implications? What new security features will be added if we upgrade, but will we be able to collect that information? Will we be able to collect those text messages that are so important, that are going to tell a good story? But knowing that we’ve had to update the phone, that we’ve had to make changes, which nobody likes to discuss and nobody likes to talk about to understand, but to understand mobile forensics, mobile collections, some of these things are necessary to produce the information that is important.

John Wilson

Like Rene was just talking about, you have cases where an application release may come out, and that new release may be a complete refactoring of the code, the data system may completely change, and so the process to collect that data completely changes. And so, things do break, and then we discover, “Hey, last week’s update to WhatsApp just completely broke the collection methodologies’, now we have to go back out and re-reverse engineer it”. We’ve got to go back out and put it back into the R&D lab and actually study it, figure out what’s going on, what the interactions are that have changed. Is it the handshake protocols, the security protocols? Is it encryption? Or is it database structure? What items have changed that you have to then go rethink and modify and operate?

Rene Novoa

And that brings up to kind of staging what are the expectations, what are the timelines involved of producing this information. I see too many times that we look further down the road. How do we get this into our review platform? How do we get this in Concordance? How do we get this into Relativity? We just need this XML file. We just need this type of file.

But with these approaches, with these applications, sometimes the only way to get secret messages or partially access to the messaging systems is screenshots, it’s video, being able to document this information. But how do we get that into – make it nice and neat into Relativity, into Concordance, into these other platforms that… once they’re being reviewed. What are these deliverables and exports that are being requested from examiners?

I just need a TAR file and we’ll be able to see everything. That’s not going to be true. Getting the TAR file, or the DAT file, or the UFDR file, the XML file, because it neats down to the clients, may be nice and good for simple cases, but when we start looking at all these other things that we’re talking about, the multi-step approach, the multi-tool approach, multi-capabilities approach, it’s not always going to look neat, and we have to be prepared for this changing environment with mobile discovery that how do we pack this up so that it’s in a readable format that makes sense, that tells a story.

So, expectations and understanding what is being asked and what is being delivered are so important, and it’s why timelines and communication from the front, the middle, and to the end of these investigations with the clients are extremely important to understand what we’re dealing with and how we’re going to produce it.

John Wilson

Thanks, Rene. Really, just to reinforce what Rene said, it is a multi-process solution. Again we, here at HaystackID, we approach mobile devices as a service level offering, because it’s no longer just, “Hey, I’ve got one device, I’m going to connect it, I’m going to dump the data, move onto the next device”. You have to understand the case, what tools are of interest, what information is of interest from the mobile device to then determine how many different approaches may be needed based on what applications you find. And sometimes it’s, “Hey, we need to do that first pass just kind of logical collection of the device, let’s identify what applications are on the device”. And then we can assess those applications, and then we have to determine what needs to be collected through other methodologies.

You also have a consideration that we haven’t talked a lot about is the devices that have the secret vaults, the secret sections, specifically Android devices, where the user logs in with a PIN to the device to use it normally, they log in with a different PIN and it opens up, basically, a completely different environment where it’s all encrypted and segregated and hidden from the rest of the device. It’s almost like having two devices in one device. That can create a lot of challenges in understanding is that secret space in use, or does the custodian, the owner, and user of the device actually utilize the secret spaces or the secret vaults, and those sorts of things.

Rene Novoa

Yes, I think that was well said when it was mentioned as a service level interaction because that service level interaction is not only with the data but with the device. And what exploits are other organizations are using, like rooting phones and common ones that are out in the news like CheckM8 or Checkra1n, they get a deeper level, but it’s only for selected phones, and you take the risk of hurting those devices and hurting that data. So, this multi-step approach that Haystack has implemented and uses is definitely a service-level interaction, because it is definitely a conversation that goes back and forth of understanding data and devices.

John Wilson

You also have to understand, in a litigation, you propose a protocol, this is how the collections are going to get done. It’s no longer a one-size-fits-all kind of scenario where, “Hey, we’re going to make an image and we’re going to look at that image and produce the data”. It’s, “In mobile devices, I’ve got to have a different process for iOS versus Android”. Even more so, maybe I have a different process for iOS pre-iOS 6 or post-iOS 12, you’re going to have different processes or even Samsung’s might have one process and another brand, Huawei or whatever may have a different process. And so, that creates a lot of diversification in that space.

So, let’s talk a little bit about what the Mobile Elite Discovery and Analysis Lab is. So, again, it’s a service level offering, we’re supporting everything from your basic logical collections all the way through full file system and physical extractions for both Android and iOS devices, depending on requirements and case needs and making sure that the scenario is appropriate.

Some cases, you may just be interested in SMS messages and contacts from a device. In some cases, you need to know any communication platforms in use. So, it really comes down to really having an understanding of what type of case it is, what type of data is needed for that case, for the defense of that case in order to understand what you need to actually accomplish. We’ll get a little bit into what a full file system extraction is versus like a logical extraction is. And physical extractions, we’ll kind of get into that in just a minute.

But again, it’s really quite varied depending on the specific device that you have, and what your needs are, what your case needs are. Do you need to get into the secure folder, the private space, the KeyChain, we just talked a lot about all that? Do you need to get into the specific third-party application data?

Also, something we haven’t really talked about yet is, do you need to get into the system logs? Do you need to understand what the user interaction was with the device? Were they typing at a certain time? Were they at a certain location? Looking at geodata, geotagged information. Are you looking to recover deleted content? That sort of thing starts to get into the much deeper dives, a much further level of access. There is a lot more data that’s available when you start doing this. This has typically not been available in the private sector. It has typically only been available in the law enforcement and Government sectors. So, this is a new thing. It’s really intriguing and, I think, really important to a lot of cases when you start talking about the capabilities that it expands into.

Rene, do you want to get into kind of the full file system, physical extractions, and talking about all of that?

Rene Novoa

Thanks, John. I think when everyone looks at logical versus file system, and full physical extraction of what is possible, with a file system and logical, we’re really talking about what is seen on the phone. What does a backup give you? What does an iTunes backup give you? What does an ADB backup give you? As far as what does that backup want to present to you as user-created data, so that you have the most about your user experience? So, if you get a new phone, you’re creating these backups, you’re getting these logical backups or collections that you can restore, that is what people understand as logical collections and file system collections. You’re getting more than just the DCIM folder, just your pictures. You’re getting all your text messages, and your security, and your credit card information, and you can restore that information over to a new phone.

But what we’re talking about is full physical images on many Android devices that are not encrypted – already put on. We’re also talking about full file system that gives you more information about the system data, more about the logging elements on iOS. We would be able to get information from the KnowledgeC database that really tracks so much more that is not available to the user, because that’s not part of Apple’s user experience for a user, to understand when applications were installed when they were opened, what spotlight searches were performed. Can it be used to reconstruct a user’s timelines and determine when messages were viewed? That information is not part of an iTunes backup, it’s not part of an ADB backup. This additional logging information that we’re able to now gather and now make sense of it tells a bigger story.

So, will it be important to know when the user unlocked his phone, when he opened and viewed a message, when he then looked at some geolocation on Google Maps? If you’re able to identify that level of logging, that level of system data, you’re going to be able to definitively say, “This user had the phone in his hand at this specific time and he was in this location”, because now we have additional geolocation data that we’re going to be able to gather from multiple apps, because we’re getting a much deeper collection of the phone that’s going to give us more of the system data, and more of the logging information.

So, information that we were getting before that was just pinpointed, we’re now able to get what the system recorded, but is not showing to the user.

John Wilson

Sorry, Rene, not to cut you off, I think it’s really important to understand, it’s not even just what location they were at, it’s also what applications are open. Did they actually touch the screen? Did they click on something? There’s also a lot of sensor data information that can be accessed as well.

So, when you start getting into these deeper dives, when you’re dealing with a wrongful death suit, a distracted driving case, insider threat actions within an organization, a lot of this information can become very important and useful.

Rene Novoa

Absolutely. We need to also perform this in a safe way. I know there’s a lot of over-the-counters or walkthroughs on YouTube or these other sites that show you how to root a device, and when those are not done correctly, those can permanently brick Android devices. They can – personally not being able to remove that rooted device if it’s a hard root.

So, now, you have the ability to damage the phone. You may have the possibility of – bricking the phone, so you no longer have accessibility to it. There’s also ways to jailbreak an iOS phone, but if it’s not done correctly, can those steps – by using different methodologies – brick that iPhone. Does it go into a mode that’s just looping around and are you able to get out of that mode?

There are things like Checkra1n and CheckM8 that do give you some level of full file system, but they’re only for a selected amount of phones. We’re talking about a larger expansion of mobile devices that give you something similar, that gives you a full file system, but we’re able to do this in a forensically sound manner, without the risk of hurting the information or hurting the device.

John Wilson

Just to kind of carry this home. Doing full file system and physical extractions all the way through device unlocks, where the corporation has lost access to a device, because an employee departed or a decedent case where an individual has passed, and the family needs to gain access to the device.

So, let’s get into… Rene, can you talk us through the technical considerations and the challenges and things that need to be thought about when you’re wanting to engage with a deeper dive on a device through the MEDAL services lab.

Rene Novoa

Absolutely, John. As we mentioned a little bit before, there are some capabilities out there, but this – our MEDAL service does take a larger range of mobile devices, getting higher supported devices that are most popular out in the wild and to the corporate environments.

Some of the changes to consider is for one, with that multi-approach step, we may have to remove PIN codes, we may have to work with inside the MDM to have it be removed. We may have to have it connected to the network. But that’s on a lot of the older devices. As our technology has developed, and this service has developed, we’re getting more and more access to these phones in a forensically sound manner that’s documented. Understanding how much more information we can get does require a higher level of consideration of getting user and owner consent, additional legal documentation to make sure that these are legal cases. This program is not meant for personal use of domestic cases. We are really focusing – because it is such a high-level service, and the things that we can do, that we’re having very specific use cases for consideration of performing the service that MEDAL can do.

So, as you see, we have a list of mobile devices that we can do, from 4S all the way up to – a lot of the latest iOS-es. What it also does provide you is – I’m not going to get too far into it – but certain applications that were not accessible, only by screenshots, and we’ve mentioned some of them today, we will be able to start parsing some of these applications out through this program so that we will be able to decode messages, we will be able to have better deliverables on certain messaging applications that were previously thought to be encrypted or inaccessible. MEDAL is able to bypass a lot of the security parameters. So, it also gives us better insight to bypass security or to work within the mobile security and gain access to those inaccessible areas that were before.

So, it’s not just about helping those locked phones, it’s not only about getting a full file system, but it’s also working with internal encryption and security features inside the phone that we’re now able to bypass.

John Wilson

That’s correct, and I do want to reiterate again, in order to engage with the MEDAL services team, we do require that it fits our use cases that we have, appropriate documentation, the devices owned by the corporation. We have consent from the company. We have consent from the user. All those sorts of things. So, there is a much higher level of requirements. And it’s duly warranted because it’s a much higher level of access to the device, you’re getting much deeper dives into the device information. There’s health information, there’s HIPAA, there are all sorts of information in there. People live their lives on their mobile devices. So, we need to ensure that we have proper legal standing for taking these actions.

Rene Novoa

And this is just the start of the technical considerations. As more phones and more operating systems are released, this is a constant development and a constant moving target to be adding more and more each day. So, having those conversations as to what is being supported can happen, so that we can keep our clients up to date of what now is possible, what is now supported, and what additional information can be provided on a case by case basis. So, this is just not a one-time deal that we have up to this point, but this is a constant service that we’ll be moving forward and evolving with the evolution of mobile devices and applications.

John Wilson

Yes, so we’ve already talked a good bit about kind of the use cases, but let’s talk a little bit more about that where the standard use cases that we have, and we’re open to discussing a use case if you have something you think’s a valid use case, we’re open to discussing it. Present your information and we can make a determination as to whether we think it’s viable for us.

Cases presented by next of kin in the case of a deceased individual where you have the actual trustee or beneficiaries, appropriate due authority and death certificates, the appropriate legal paperwork. Corporate investigations where you have employee misconduct, the theft, the fraud, the various things, a threat actor within the organization, it’s an internal employee, an employee leaving and going to a competitor, those sorts of things. Again, where we can establish that the device was owned by the corporation, they have rights to the data on the device, then the process can move forward.

Civil litigations where you have a court order or you have a protocol, an agreement, and you have again legal rights and access to the data. All those sorts of things can become really important, again, there are distracted driving investigations, those are frequent flyers in our lab, as well as general commercial litigation where you have legal disputes that may involve communications on mobile devices.

The big change here, and as we say at the bottom, this will be a game-changer. There’s a lot more data, there’s a lot more of the story that can come together, and a lot of information that can be pieced around the story as supporting information. But you also need to understand, that takes more time, it takes more review effort, it’s just a lot more data and a lot more information, so that needs to be planned for when you’re dealing with a case.

From there, any closing notes, Rene? Anything else that you wanted to share or comment on?

Rene Novoa

No, I just appreciate everyone’s time and consideration and understand that this is a constantly changing target, but we’re doing our best to be ahead of the game. We’re staying right up with the changes as the challenges are being presented to us because I think the challenges are only going to get harder, we’re going to have more data, and we have to have solutions that are also changing and being provided to clients for these litigation discovery requests.

John Wilson

And just to wrap that up, if you do have a case, you think it’s a good fit, keep in mind that this is a service, it requires multiple passes, it requires multiple… so plan for that in your timeline. This isn’t a “Hey, I need to get information out of the device, it’s Friday at noon, and I need to have it by five today”. It’s not going to happen if you’re talking about doing a deeper dive. These processes take time, they take a lot of machine time, they take a lot of effort, time, they’re complicated. You have to sometimes get in, assess, evaluate, verify, determine appropriate approaches, what elements may need to be connected, collected in different ways. Again, it’s that multi-pass approach that does take substantially more time.


John Wilson

Thank you, Rene, for your help with this today, and for the excellent information and essential insight. We also want to thank all of today’s attendees who took the time out of their schedule to participate in today’s webcast. We know how valuable your time is and appreciate you sharing it with us.

We also hope you’ll have an opportunity to attend our next monthly webcast currently scheduled for December 1st, 2021. The important topic for this upcoming webcast will be Understanding Information Governance: Data Privacy and Data Breach Exposure. The webcast will feature a panel of cybersecurity information governance and eDiscovery experts presenting and describing a framework for deploying and enhancing organizational information governance. You can find information on this upcoming webcast, as well as on-demand versions of our past webcasts at HaystackID.com.

Again, this presentation today has been recorded and will be available both on the BrightTALK network and on HaystackID.com.

Thank you again for attending, have a great day, this concludes today’s webcast.

About HaystackID®

HaystackID is a specialized eDiscovery services firm that helps corporations and law firms securely find, understand, and learn from data when facing complex, data-intensive investigations and litigation. HaystackID mobilizes industry-leading cyber discovery services, enterprise solutions, and legal discovery offerings to serve more than 500 of the world’s leading corporations and law firms in North America and Europe. Serving nearly half of the Fortune 100, HaystackID is an alternative cyber and legal services provider that combines expertise and technical excellence with a culture of white-glove customer service. In addition to consistently being ranked by Chambers USA, the company was recently named a worldwide leader in eDiscovery services by IDC MarketScape and a representative vendor in the 2021 Gartner Market Guide for E-Discovery Solutions. Further, HaystackID has achieved SOC 2 Type II attestation in the five trust service areas of security, availability, processing integrity, confidentiality, and privacy. For more information about its suite of services, including programs and solutions for unique legal enterprise needs, go to HaystackID.com.

Details of HaystackID MEDAL Service