[Webcast Transcript] Solve the Digital Puzzle: Your Guide to Navigating Mobile Forensics’ Future

Editor’s Note: In this insightful discussion between John Wilson, Chief Information Security Officer and President of Forensics at HaystackID, and Rene Novoa, Director of Forensics at HaystackID, we delve into the intricate landscape of mobile data forensics. Drawing from their extensive experience, Wilson and Novoa provide a comprehensive analysis of the challenges posed by evolving hardware, operating systems, and application updates. The dialogue begins by emphasizing the significant shifts in mobile device hardware, particularly the exponential growth in storage capacity, which necessitates adaptations in forensic methodologies to handle larger datasets efficiently.

The panelists highlight the implications of varying communication port speeds and the impending transition to USB-C connectivity, emphasizing the importance of understanding these factors in data collection processes. The conversation further delves into the realm of application updates, illuminating how the continuous evolution of individual apps presents unique challenges for forensic practitioners. Wilson and Novoa underscore the significance of staying abreast of app updates, particularly regarding encryption protocols and security enhancements, to ensure comprehensive data collection and analysis.

Read the full transcript below and access the presentation’s on-demand version to get valuable insights into the multifaceted landscape of mobile forensics, highlighting the iterative nature of forensic methodologies and the necessity for constant adaptation in response to technological advancements.


Expert Panelists

+ John Wilson, ACE, AME, CBE
Chief Information Security Officer and President of Forensics, HaystackID

+ Rene Novoa
Director of Forensics, HaystackID


By HaystackID Staff

Transcript

Moderator

Hello everyone and welcome to today’s webinar. We have a great session lined up for you today. Before we get started, there are just a few general housekeeping points to cover. First and foremost, please use the online question tool to post any questions that you have, and we will share them with our speakers. Second, if you experience any technical difficulties today, please use the same question tool and a member of our admin team will be on hand to support you. And finally, just to note, this session is being recorded, and we’ll be sharing a copy of the recording with you via email in the coming days. So without further ado, I’d like to hand it over to our speakers to get us started.

John Wilson

Thank you. Good morning, good afternoon, and good evening to wherever you sit in the world. Hi everyone. Welcome to another HaystackID webcast. I’m John Wilson, your expert, moderator, and lead for today’s presentation and discussion, “Solve the Digital Puzzle: Your Guide to Navigating Mobile Forensics’ Future.” This webcast is part of HaystackID’s ongoing educational series designed to help you stay ahead of the curve in achieving your cybersecurity, information governance, and eDiscovery objectives. We are recording today’s webcast for future on-demand viewing, and we’ll make the recording and a complete presentation transcript available on the HaystackID website.

I’m excited to present today alongside my colleague, Rene Novoa, Director of Forensics at HaystackID. Based on our decades of experience and backgrounds in this field, we’ll discuss how to use innovative forensic methodologies to handle mobile data, which is the pressing topic right now, given the fact that more and more data is becoming encrypted, the various hardware and OS changes, and the numerous apps that are flooding the market and changing on a regular basis. Before getting into it, Rene, why don’t you share a bit about yourself?

Rene Novoa

Hello everyone, and welcome. My name is Rene Novoa. I’m the Director of Forensics. I oversee our digital forensics lab as well as our R&D team, so I’ve had a series of roles over the years. But over the last four years at Haystack, I’ve really, really honed in on the R&D and development of forensic techniques in our lab to handle these challenges. So I see the challenges we experience every day and that is something that we have to overcome. So, I’m very excited to bring that experience and knowledge into this presentation. Thanks, John.

John Wilson

Thanks, Rene. I really appreciate you being here today. A bit about me. I’m the Chief Information Security Officer and President of Forensics. In my roles, I’ve provided consulting and forensic services to help companies address various matters related to eDiscovery and computer forensics, including leading forensic investigations, cryptocurrency investigations, and ensuring proper preservation of evidence items and chain of custody. I developed forensic workflows and processes for clients ranging from major financial institutions to governmental departments, including Fortune 500 companies and Am Law 100.

With that, let’s jump right in. Today we’re going to talk through:

  • The evolution of mobile challenges
  • What we’re seeing in the marketplace over the last year
  • What we anticipate seeing coming into this year
  • Expectations and trends

From there we’ll talk about some of the methodologies to deal with all of that and then lastly, we’ll talk through some use cases. Anytime somebody has questions, please feel free to put them in the chat. We’ll try to answer them as we go through, but if not, we’ll make sure we save a few minutes at the end to cover the questions. Rene, why don’t you lead us in?

Rene Novoa

Yeah. Thanks, John. The graphic really showed the areas that we’re going to cover, and a lot of these challenges that we’re facing are changing day to day, week to week, month to month. But what’s pretty consistent is the roadmap that we have of when we go to look to the future; we’re not always having to re-engineer it. We’re always having to reverse engineer a lot of the technology because of all the different changes and all the considerations that we have to take on. We’re going to take these step-by-step, John, and really break them down because we go from hardware to trends to almost policy and how they all work together and how we can stay compliant to make sure that our collection methodologies and processes are sound. So if you want to go to the next slide.

John Wilson

Sounds great. Yeah, let’s just jump right in.

Rene Novoa

Jump right into it. And I think one of the biggest ones is hardware changes. We’ve seen an evolution of hardware changes, not only on the type of connections, how we access these devices, and really the large datasets, and that’s really where I want to spend the time. Some of the hardware changes that we’re seeing are larger and larger phones. When I got into this field, we were looking at eight gigs, 16 gigs, and that terminology of just dump a phone and keep going. And you’d get a box of old flip phones, or even as the iPhones came out, we would just dump boxes of these mobile devices using the latest technology and software vendors out there.

But when we start talking about one terabyte storage devices, and the amount of pictures and videos and high-res and the size of those videos, it’s very time-consuming. It really changes how we scope out projects, how we handle projects, and how we relay those expectations not only to our clients but to the custodians. And it’s very significant. When we start talking about from eight gigs over to one terabyte, that’s a significant change in how our process is handled.

John Wilson

Yeah, well, I think it’s intriguing, or what you have to really pay attention to is we’re talking about drastic changes in the data sizes and the data capacity of the devices. Most devices are still stuck on older communication ports, which we talk about the communication port changes here in a moment. But you have to realize that you’re still using older communication port speeds to capture this data. You’re getting one terabyte through a USB 2 port speed on a lot of devices still.

Rene Novoa

I believe it’s still a choice, John, just because… I know what you’re saying there, but we have the option to have 3.0 speeds with the iPhone Pro Maxes and the one terabyte speeds, and I’m not sure if that is intentional and to slow things down so data’s not transferring so fast. That is a challenge that we have to look at when we come onsite and we see a large phone, what is that data port size, right? It’s hard to predict ahead of time when we don’t know that information and what we may encounter.

John Wilson

In a lot of organizations where you have company-issued devices, they’re not running out and buying iPhone Pro Maxes-

Rene Novoa

No, they’re not.

John Wilson

Automatically. So you are going to wind up with a lot of devices that are still stuck with that USB-A or micro USB port connection speed, which can have a significant impact. You have to keep that in mind when you’re talking about pulling a terabyte through a USB-A or a traditional flat USB that is way, way slower than a USB-C connectivity or Thunderbolt connectivity to that device. It’s important to understand that Apple has historically kept all of their devices on that USB-A until EU rules changed last year that require them by the end of this year that all devices have to support the USB-C port by the end of this year instead of having proprietary connections or using lots of different various connections. The EU has passed rules that require anybody who’s going to market a device in the EU has to support USB-C in their device connectivity.

Rene Novoa

We should see what those effects are in the coming months and years as we have the new updates come in September when they have the new releases of phones and software updates, of what those speeds will change and see what new challenges we will have as that’s going to be the main bottleneck of exfiltration of data, not only for collections, but for users as well, as that size of one terabyte should exceed even higher. We are also talking about really focusing the last few minutes on iOS, but with the Android and the ability to add on so many devices, the SD card that may get larger. You may add additional SD cards and micro-SD cards. [The question becomes] how large can we get these mobile devices to store information and what type of data we’ll be able to extract from there? There are going to be some changes and some things to really keep an eye on as we move through the rest of this year, specifically for hardware changes.

John Wilson

Even talking about Android, the SD cards currently support up to, I think, four terabytes is the largest I’ve seen on an SD card. They’re frighteningly expensive and they’re not very commonplace and not many people have them, but they’re out there, they exist. And as those become the commoditized items, similar to the smaller SD card sizes, are people going to just be like, “Yeah, I’m just going to throw a four terabyte in here”? Off they go.

Rene Novoa

We’ll have to come back to this in our methodologies of collections when we start talking about four terabytes and two terabytes phone devices. That’s something we’ll put a pin into. As we move along, as we talk about hardware changes, we’re also seeing a plethora of different changes in the operating system. Focusing on iOS is something that we really can track a little bit closer, but we are constantly getting unpredictable changes from bug fixes, application updates, enhanced features, and these security-level patches.

As we move into later slides, we’re going to show that it’s unpredictable when these updates are going to come out and what those changes are going to be. They’re not all very highly publicized, and if you’re not watching to know that day after day there are significant changes, even though the version doesn’t change very much, we are seeing significant challenges with collecting information and certain data being pulled off on the forensic side that does change it with these little updates. Sometimes we’re just not aware of what update or what patch version is there. That can cause challenges to collections and the type of data you’re able to deliver.

John Wilson

That even gets more complicated when you start talking about how there’s not always great clarity in the release versions. I know Apple with iOS released 17.4.1 twice, two different versions of it, within a week’s time span, and there is different functionality in the two. There was clearly and specifically a patch-level change to the second 17.4.1 version.

Rene Novoa

We saw that [when we collected]. We did get different results. They’re not, obviously, different results, but we were able to get a better image and we did see the difference between the two build dates. So very slight differences, very hard to identify, but there was a difference in that version that you’re specifically talking about. 17.4.1, that just happened this month. No, last month, I’m sorry, last month. But as you can see, historically, iOS has come out with their new iOS generally in September or October. It was I think June and July, and it has moved over recently in the last couple years to September. But we’re having significant updates to those versions within that year. And just on the iOS, you can see it’s not very consistent.

We’re having either one to two, maybe even three updates in a month where there are significant bug changes, and enhancements, which also cause our tools to have to be updated, right? Because these versions aren’t necessarily given ahead of time to professionals like us or even the software vendors that are creating tools that are doing these collections so they can produce different results or produce different outcomes that we have to pay attention to know what is being modified, what additional information we’re able to collect, and what new security patches may prevent us from seeing certain data and certain logs that may require additional steps in the collection methodology on the iOS.

John Wilson

I think it’s really important. We talk about the main releases being done on an annualish basis with the iOS, and that’s what we’re talking about at the moment. And there usually are very significant changes between the major version releases. Thirteen to 14 introduced lots of different things and different security architecture. Same thing with 14 to 15, 15 to 16, 16 to 17. But even in the minor versions, there are sometimes complete breaking updates where databases move and you can no longer access information even in those minor builds. With the build version, the release date can be very, very important to understand, to know what your capabilities are, what can be collected, what can’t be collected, or what may not even be supported. In some instances, these releases that just came out, the 17.5 beta 2, there may be things in it that are changed, and it becomes an unsupported version until we can figure out those changes.

We reverse engineer them; we figure out where they move things or how they change the authentication for something and that sort of stuff. And then similarly with Androids, you have kind of the same problems. Androids are even more difficult in that they’re not very regular with their updates. They tend to run around a year, but you can see that they have updates that happen in six months. They have updates that happen in a year and a half. It really is all over the board. And there’s not a great consistency to the speed of release on the Android releases. But again, we’re talking about major builds. Then there’s constant minor updates similar to the iOS. Within a main version, you have minor version updates.

But you also have to understand on Android devices, not all Android devices can upgrade from say Android 12 to Android 13. That Android 12 is stuck with Android 12, and you only get whatever updates come to that. It becomes even more complicated when you’re dealing with supporting all these Android devices because some devices might be stuck with Android 12L and a specific minor release might be as far back as it goes and maybe as far forward as it can go because there was a breaking change or hardware change or something that prevents you from being able to upgrade to those additional versions. Anything to add on that, Rene?

Rene Novoa

Specifically on the Android, even between the difference between Samsung and LG and some of the other mobile device makers, they have different updates, particularly for their software, for their builds, and for their apps. So those also have different challenges. Not everyone has those vaults and are Secured by Knox, and we have more burner-type phones. They do have security updates that are constantly coming out, but there are also additional updates that are more bent for that maker of the device. And as well as to go back to the iOS, you’re talking about every year that you’re having significant changes. We’re also seeing significant changes in hardware, right? Newer chips, different add-ons, and different schematics of how things are done. So a lot of this with the operating system and the hardware is always very challenging, especially every year we have to reverse engineer this and play this catch-up game. So once we do come ahead, we then have to start all over the next year.

John Wilson

All right, so now we know the hardware changes, we know the iOS or the Android OS, the OS version of the system changes. Let’s talk about application updates. What kind of impact does that have, Rene?

Rene Novoa

This has been major because when we talk about applications, we’re talking about individual apps, and they are all very unique and it’s very hard to get a broad spectrum of what applications are updating. For instance, [what’s happening] with WhatsApp is significant when they’ve added end-to-end encryption, it’s something that we can turn on and off. It’s not just standard where that also changes how we do collections. Accessibility, are you able to pull on a standard collection? We’ll get into some collection methodologies later, but just on WhatsApp be able to QR code WhatsApp and do sync. We used to be able to get the entire database. Significant changes have changed that to only give us a partial database, not the full segment. So, we would be missing information and all that information is not so widely available unless you’re really following along on the important apps.

There are more than a million apps, both Android and iOS. It is very hard to stay current and understand what those application updates are when they occur, and what significant impact will have on your investigation or your collection or analysis. We talk about WhatsApp and Signal and ephemeral messaging and all their security levels are different and how we approach them. And those are all coming through different updates constantly of adding capabilities with AI. I know WhatsApp and Telegram have both added AI capabilities and writing information and changing your photos. And we’re going to get into the communication part of it, but those auto updates, those hand-forced updates are really changing how we approach mobile devices because we can’t add onto the hardware, the operating system. We find these challenges and then we get into the actual applications, and we have to attack it differently. These are all different layered approaches and layered challenges that we see.

John Wilson

You tell me, Rene, is this limited to what we talk about like third-party applications or can this be the native applications as well?

Rene Novoa

I think this is for both, but with third-party there are very ineffective release notes. They’re not as well-documented. With the native apps, you see those when you are updating your phone, you can look those up and you may be a little bit more cognizant of those changes and there is more information, but it is really hard to know what the outcome and what the consequences or the repercussions of those updates we’re going to have on the collection and analysis of that phone and the breakdown of those databases. We looked at the same changes with Meta, with the QR code. We’ve seen end-to-end encryption with some of the apps that have made it harder, that required additional collection methodologies, but just the ineffective notes and ability to house all this information together, this is something that you do have to stay on top of. This is something that you have to do constant research on.

John Wilson

Awesome. I think it’s important to, when we talk about third-party apps, we talk about all the applications, whether it’s native or third-party app. I think it’s really important to talk about the communication apps as kind of a separate stream. They have all the same problems as all of the other apps, but then there are additional challenges specifically around communication apps and especially about investigations and eDiscovery and the type of work that we do.

Rene Novoa

There are two major concerns and trends that we’re seeing in communications. One, after the EU passed the DMA, the Digital Markets Act, where we’re going to have the ability to communicate over cross platforms. I know Meta with WhatsApp is going to be the first application, but that will be able to come out where we will be able as a WhatsApp user be able to communicate with somebody on Telegram or Signal for an example. I believe Threema is another one that will maybe be in that marketplace to have that cross-communication. But that brings significant challenges on identification on how two individuals are communicating and what that’s going to look like as far as collection if we are going to see those communications set up differently or we are going to be able to get threads. Not to jump ahead to usernames, but Signal also coming out with the ability to not being able to share or communicate via phone number, but to actually use usernames and be able to provide somebody a username, not a phone number to identify yourself as.

And that’s going to be significantly harder when we have WhatsApp and we can track people with phone numbers and identify this is Rene Novoa to this phone number, but we’re communicating with SpaceDragon21. Who is that individual? How do we identify that person with that phone or how they’re communicating? And there was another release or another note saying that Signal, particularly with the usernames, would have, let’s say conference IDs. So let’s say we go to a conference, you could set up a chat thread, create a username, and you will say MobileGuy21 because I’m at a mobile conference. And I give that username to everybody that I meet so that we can communicate on a group chat or just communicate inside the conference. But once I leave that conference, I could absolutely delete that username. My account is not deleted, but how everybody knew me and communicated with me is no longer available.

And I think that’s going to be a common challenge. It’s going to be an upcoming challenge for all investigators on how we identify people, how we can lock them down to a mobile device and connect a person to a chat thread and to a participant. But that, for me, scares me. That’s what keeps me up at night and being able to, hey, who are these two people talking to and being asked that question, how do we prove that? How do we document that? And I think that’s going to be a trend that’s going to be challenging for a lot of vendors and a lot of investigators. What is your thought on that, John?

John Wilson

I totally agree with you. And I think the other thing that I think is really scary just from a process and collection consideration is WhatsApp’s already announced that they’re going to adopt the Signal Protocol as part of that compliance with the Digital Markets Act in order to enable interoperability. And it appears that a lot of the communication apps are considering that Open Source Signal Protocol as the standard that they’re going to all adopt, but we all know that that adds additional complications to the collection process. And we’ll certainly get into that shortly as we talk through the rest of our challenges. But the idea of adopting the Signal Protocol and having an ephemeral end-to-end encrypted direct message platform certainly adds some significant concern around how we’re going to be able to preserve, identify, and produce evidence out of those communications.

Rene Novoa

That’s going to be a big challenge. As we dig into those phones, into the data more say, we’re going to have to see the full scope of those mobile devices to really understand what apps are there and who that individual is. But when it comes into privacy and security, how much freedom are we going to have to dig through somebody’s mobile device in their life to identify them? Which is a big concern is why we have the DMA and the EU and we have all these safeguards with GDPR, but all this privacy and security. We talked about the problems with hardware and larger datasets, larger capacity, which also means more data, more personal data, more personal videos, more communications, more attachments.

And we’re finding a lot of individuals have one phone and they are communicating with multiple businesses, a lot of entrepreneurship, at least here, I’m on the West Coast here at the Bay Area, and we have a lot of individuals that are part of different boards or they’re running two organizations and they’re communicating from the same mobile device, whether they have two Telegram accounts or two WhatsApps, they have dual sims. When we go to collect the device, we are collecting everything.

We can be exposing a lot of sensitive information, not only private information that’s related to their family, but also a lot of business information. And we really have to take into consideration how we collect, store, and review large or any mobile device about the type of data that’s being on there because these are our computers in our hands and they’re storing so much information and so much infrastructure information that it’s something that we have to talk about. It’s something that we have to consider as we approach every single case. Some of the things that we have listed here are health data, financial records, into this digital age of bitcoin, and the craziness of the market, of the cryptocurrency. Everyone is having that on their phone. They want to keep that close to them. So these are all going to be important things that we consider when we are attacking a phone. I mean, from your perspective, from a CISO’s perspective, what would you say on the private security, how that is a challenge in your position?

John Wilson

I think you nailed it pretty on point. I mean, people live their lives through their mobile devices in today’s day and age. I know many, many, many business people who don’t even use their laptops anymore. They do all their communications, all of their documents, everything through their mobile devices, whether that’s an iPad or an iPhone or an Android, Galaxy Note or the foldable phone, all of that. And so then when you have to go collect that information, people get very sensitive about, “Hey, wait a minute. I don’t want you having the messages with my children, with my spouse, with my family. We’re talking about personal things and healthcare things and mental health things, and we don’t want all of that shared.”

And we’ve heard that argument for a while, but now you have to understand how much the health information is intertwined because now you have health devices that are reporting into the phone and they’re tracking your heart rates and everything, just so many different biometric items that are getting stored into the device. And then you start wrapping up all of the financial activity. I mean, how many people could say that they don’t use a mobile banking app at all? It has to be pretty low because there are a lot of banks out there now that will only interact or they charge you additional money to go actually see a teller and not use your mobile app to do it.

That really raises the bar. I think you’re going to wind up in this weird situation where you’re going to have to be able to be very targeted at the communications relative to a specific matter to meet the privacy and security needs. But then you also have to look at the flip side of that coin where you have WhatsApp maybe that’s adopting Signal as the communication protocol, which is also going to have significant impacts on privacy and security because it’s got the end-to-end encryption and the additional challenges that all of that raises.

I think all of these things are going to make a significant requirement and decision for the business as to how and what they’re going to allow for communications and what they’re going to require that comes back. Traditionally, the US has been pretty privacy noncentric, whatever you did to the company, belonged to the company, was accessible to the company, and acceptable use policies always said, everything you did on the computer was accessible to the company. They could see where you were browsing, and what you were doing. I don’t know if that’s going to work in 2024 or 2025. That’s really starting to change where you’re going to have to be, “Hey, I only want the communications related to the business. I only want the documents related to the business and the activity related to the business. I don’t want to know the geolocations of activities that were non-related to your work activity because that’s going to raise those additional privacy risks for the organization.”

Rene Novoa

A lot of liability around that too, for you to house that and who has access to it, and what can and cannot accidentally go into a view platform or actually be sent to the wrong side. It can get a lot of exposure and it’s not a lot of risks that a lot of providers want to carry or the opposing party. A lot to consider there. A lot to unpack when we talk about private security after we’ve already talked about hardware, software, challenges, communications, and trends. This is going to be a big topic towards the end of 2024 and 2025 as it already is.

John Wilson

Yeah, well, I mean, we actually had a real case where we were collecting from board members for an organization and inadvertently unveiled a medical condition for one of those board members through having collected communications with a medical service provider who happened to have the same name as one of the lawyers involved in the matter. And so that information wound up getting inadvertently disclosed and created significant ripples for that business and that individual.

Rene Novoa

I can only imagine. That’s just one of the things that we have to tackle and understand having the same name that’s doing keywords, that’s a tough route. And this is where it comes back to, you mentioned a case where you just mentioned that someone had, an individual had part of a board was part of different boards and information was exposed. But as we set up these devices and talked about having multiple phones or BYOD or a corporate phone, we also had to take responsibility and acknowledge that how are those phones set up even on a corporate device. Are those given corporate IDs for let’s say an iCloud backup, are individuals able to back those up? If I bring BYOD, am I able to run my own cloud account or Google account? How do I back up that information and have access to my data, I want to protect my personal photos and I want to sync to OneDrive or to Box or whatever it may be because I want to store those photos.

If my phone gets destroyed, I will lose those photos forever. And if I’m combining both personal and work-related information, I still have to have it backed up. But how do I separate those on a single device? And those come down to policies, MDM, but also how the execution of that data is going to be managed. Is the company going to own my personal photos? Am I going to have to ask for that information at a different time? Will the MDM even allow me to back up my mobile device? I mean, I know you know that there are several organizations that don’t even allow it to connect via a USB except for the power unable to back up information or to restore without their permission. It can actually be set up to only be backed up and restored on a specific computer.

Some of these MDM requirements are very, very strict, but only if they’re set up correctly. And I’ve just seen it too many times where they’ve given a corporate device with no safeguards. It’s been quite open, not able to unlock the device, not able to track the device. They just wanted to have their applications pushed on there and a password, but the ability to back it up under their personal cloud is a huge liability. When you say that, just because if I back up and I leave the company, I can then restore to a different phone, and I still have all that corporate information.

John Wilson

Yeah, absolutely. It’s a huge data exfiltration risk. It’s a huge privacy violation risk because if the company is requiring [you] to use your corporate email to set up an Apple ID and sync with that device and they have control of that Apple ID or through the MDM processes and things of that nature, and then you depart the company, now they still have all your privacy info that if you had a personal device and you happen to only use that corporate ID as your only Apple ID. Let’s face it, most people don’t want to use multiple IDs when they’re configuring their devices, whether it’s a Google device or an Apple device because they want all their apps available from both accounts. They don’t want to have to buy them twice.

It just raises that level of risk and you have to really understand and have the right policies in place, whether it’s a personal-owned device or corporate-owned device, and personally-owned Apple ID or Google Play ID or a corporate-owned using your corporate email or the Google Workspace from the organization to set up that ID for the device. It can go either way, but there are risks that you really have to work through and think through to make sure you’re protecting your organization and meeting your organizational needs, your litigation needs, and other legal and regulatory requirements.

Rene Novoa

I’ve seen a variety of things that people did, whether that’s they kept the phone or they imaged them, and then recycled the phone. And it’s all about the approach and the policies and really the execution of those policies that are really going to make the difference. And as we’re getting into these policies and considerations, that is something how you handle that phone because we have personal data. If it’s their BYOD, you can actually confiscate that phone, store it in a locker, and come back to it when the investigation resurfaces. So there’s definitely a workflow that’s going to have to be handled for personal data, intellectual property because the company is going to want that data back and they don’t want it just out in the wild. They want to be able to review it, they want to be able to have access to it, and they just don’t want it in a locker or in a backup on someone’s personal computer.

We’ve talked a lot about some of this information already, the personal usage, the data retention, and preservation considerations. And there is a difference between the preservation and retention. And that’s what I talked about whether do we… I know we have clients out there that take all the phones for retention and they store them and they have hundreds of phones and eventually will go back and image them. By the time they know they have that retained, it’s preserved. But as time goes by, did we have the pin numbers for that? Was there an MDM profile removed from those devices or are they still active? And what happens is that we have all these MDM profiles, but we’re paying for it. A lot of times a company will just cancel them and then move on to the new active devices. But what happens to all those old phones that now have been removed?

We no longer have the pins. We need to get that intellectual property. We have to return the mobile device. So there’s just a lot of considerations when you go to either retain the information whether we’re imaging and storing it offsite or we’re actually preserving the entire phone. So all those little steps I think sometimes are misguided or they’re not considered as important as far as dumping all the profiles or storing the phones. We’ll keep onto them, but they’re the consequences of, on certain MDMs, removing the profile and the effects of getting access to those devices because we may not be able to re-put that profile in order, unlock the phone, be able to pull the information off because it may have just broken that device. And that’s what I’ve seen. I don’t know about your experience.

John Wilson

Yeah. Well, I mean, again, another case that we had last year where the corporation had allowed the individuals to use their own Apple IDs for their devices, terminated, and reset the pin so that they had access to the pin and access to the device, but it was connected to that personal Apple ID. And you know what happened as soon as you tried to get into the device, it triggered 2FA and you had to authenticate against that Apple ID, went out to the original user of the device and they just said no. So now, again, you’re stuck. So really you have to think through all of the repercussions of these things. They’re definitely things you have to talk about, you have to plan for, and it’s not a static plan as you go, you have the discussion today and you forget about it.

These things change on a monthly, sometimes even more frequent basis. So you really have to stay on top of that plan. It’s really one of the policies that in my role as a CISO that I wind up having to make very regular changes to. So Rene, why don’t you dive into why we need a full file system and logs if we’re just talking about, “Hey, we can’t really get access to everything, we’ve got all these personal and privacy concerns.” Talk me through this.

Rene Novoa

A full file system and logs go beyond the traditional collections like show methodologies with a lot of backups, whether they’re iTunes backups or they’re collections. A lot of that information is information that the service provider or say Apple wants you to have for that user experience. So, you can move your personal data from one device to the other or be able to back that up. But when we start talking about full file systems, and tractional logs, we’re really getting root down of any file system on the mobile device. Because of the encryption, we need to get all those additional logs.

We want to get all those operating system artifacts that really are going to tell a story but with the ability to understand what was open on a device at a certain time, whether we can timeline some information and really do a deep analysis. It does expose a lot of information like health data because those are encrypted or those are in secure locations in the applications. We also have ephemeral messaging services like Signal that are not attainable by standard collection methods or backing up the mobile device. It does require extra effort. And with full file systems extraction, we’re able to get access to those very sensitive areas and being able to parse that in a very readable format.

It is very much part of a full analysis and understanding really what’s going on with the phone when certain things do happen, when it’s beyond just what text messages were sent where or who called whom, it goes way beyond as to what was happening on this date. Additional GPS locations can become available from certain apps. Like there are ways and just as an example, some of the other Google applications that inadvertently do save geolocations and tower information, and we’re able to get all those goodies to tell a story of what happened with that mobile device and the lifespan during that specific time. So it is very important when we start talking about texting and driving, employee misconduct, and secure communications, it does give us the ability to tell a bigger story.

John Wilson

Agreed completely. I mean, not even just GPS location. There’s location information that can be gleaned from multiple other applications just through Wi-Fi signals and Bluetooth readers and things can be tied to identifiable locations.

Rene Novoa

The Nike app. I mean, for your running, I mean the Nike, all the different apps like Under Armour app I think tracks all that as information as well, so they can know where you are and run that circuit. And this is where we come into locked devices, John, and this is something that we get from time to time. We were talking about texting and driving. We do unfortunately have mobile devices that come up with someone who’s deceased. To bring up a case, a truck driver had an accident with a motorcyclist. We’re trying to look at the motorcyclist and said, “Who’s at fault?” Right? This is not a criminal case anymore. This is coming down to civil litigation and we’re talking about insurance, but we want to know what’s on that device. Can we get a full file system extraction? Can we see what the last actions were?

And in that part, we don’t have the PIN code. It’s not a corporate device. There’s no MDM. How do we get into these devices? It becomes a very sensitive issue because there is a lot of security and permissions around it. After all, we’re not just unlocking anyone’s device or you don’t want any type of private entity just to unlock devices for no reason. There really has to be a process involved in getting consent and making sure who owns the phone and has the legal right to that mobile device.

But it does allow us the tools, the ability to tell a story and be able to give closure to a case or a family depending on the situation. But we do see that also with departed employees where no MDM was set up on corporate-owned devices. They departed maybe not on the best of terms, and they turned in their phone, they said, “Hey, go ahead, have at it,” and we need to get some intellectual property on there. These are the types of cases that we are seeing on the private side where we can unlock devices with specialized technology and tools.

John Wilson

Another great use case example around this really, it was the case we worked on last year where we had a decedent, and his estate had no access to crypto investments that the individual had made. And we had to get into the phone and identify the crypto assets first because they really had no idea what was out there and where he had the money. They just knew that it went into crypto, and we had to then recover access to those crypto wallets to be able to regain control of those assets for the estate and was not insignificant amounts of money. It was a very significant matter.

I think that leads us to why we have our MEDAL Suite of Services. We won’t really get into this, but knowing that we have MEDAL Vanguard™, which allows us to triage a device, and figure out what’s there. Our MEDAL Precision™, our targeted collection. MEDAL Recon™, which allows us to do the full file system extractions and MEDAL Clear. I set this table so that we can actually talk through the collection process and the trends that we’re seeing and then get into the use cases.

Rene Novoa

John, you want me to take it from here?

John Wilson

Yeah, please do.

Rene Novoa

We covered a lot of challenges and a lot of things that we are seeing out in the field and we talked about trends. And to understand, John, we listed those level services that we built up because of these challenges, because of these trends. And it really comes down to understanding what you have and really what the end goal is. So it really comes down to scoping, understanding the make, model, and size, understanding the location, where are they at. And when we talked about Vanguard, we talked about triage, right? Understanding, and being able to get some very critical information, especially when you have a lot of devices that are 250 gigs to maybe one terabyte. You don’t have the luxury of being able to image everything and really understanding what the best tool is to approach this device. Do I need a standard collection?

Do I need to do a full file system extraction with Recon? A scoping call and understanding what you have for your case and the end goal with your deadlines and with your timelines helps you to make better business decisions and better technical decisions for your client. And I think that’s the space that we all need to approach this with—how do we service our clients? How do we accomplish the goal and provide them exactly what they need and what they don’t need, right? We don’t want to image five or 10 one-terabyte phones or 500 gig phones. Do we really only need one chat thread? We only needed a couple threads from it and we could have gathered that information by doing some sort of triage, understanding the installed applications, understanding that there is Signal, well, there’s not Signal, there is WhatsApp or Telegram or there’s not because if those applications and third-party applications are not present, we can do a standard collection, target just the communication threads, and just extract those chat threads out and not have to image the entire mobile device.

And that’s also based on the type of case it is, what you’ve been able to work out with your client as well as the opposing side. So I think you have to review the whole case as a whole, understand the concepts there, and really use the right tool for that case because a full file system extraction is not always the right tool on every case on every mobile device. A precision collection that targets just certain chat threads is not going to be useful if you need Signal or you need another ephemeral messaging application. So it’s really understanding what you have in front of you and using a basis of different tools, really having an eclectic toolbox that’s really going to use the right tool for the job.

John Wilson

I think it’s important to talk about understanding, talking about, really looking at this intelligently at the beginning of the case, before you even go onto your meet and confer and set your eDiscovery protocol, because you need to understand the needs of the matter. Hey, are we only interested in messages? Then we can be targeted, we can be precise with what we’re doing. We can extract just the messages related to the business matter or just the information related to the business matter and be very precise and limiting and not having to collect and process and review a lot of extraneous information that’s not going to be useful for the matter. But on the same note, again, that’s where you really have to understand the case.

If you’ve got a distracted driving case and you need to understand, hey, was the individual touching the screen at the time of the incident or streaming a video at the time of the incident, or on a phone call at the time of the incident or playing a game? All of those things become really important to helping you decide, hey, what kind of collection is going to be necessary in addition to the constraints of the device itself and doing that Vanguard or triage, look at the device to understand here’s the version as we spoke about a lot, the version of the device, the version of the OS, the specific version of the OS can have significant impacts on how you can collect, what information you can collect or if you can collect it at all through traditional collection methods.

Rene Novoa

Yeah, I think that’s absolutely right because not every phone, especially the newer devices, especially when they come out, full file system extraction is not even available. It takes some time for us to reverse engineer, and that’s across the industry, to gain access. So understand what you have, and what needs to be done, and go through a process of why you need certain tools.

It is important to know that we do have challenges, we have upcoming challenges, and we have to find new approaches to how we collect it, how we process it, and how we review it. Going into it with just doing full file system extraction, everyone’s not going to work. Doing a targeted collection is not always going to be the process because you’re going to need full preservation in some cases. What is the case about and what is the right tool? What is the right approach? And it’s very difficult when we’re just guessing and we’re kind of just fake it till you make it.

And I think you’re really going to do a disservice to your clients, to all of our clients, right? We really want to really take the time to understand the case, scope the project effectively, and really use the right methodology and toolset to accomplish the job, to get everything done, and be able to tell that story that needs to be done as opposed to just, “Hey, we’re going to do everything and we’re going to charge you X amount.” We really want to be consultative and really guide people down the right approach. But I think we’re also coming up time so we want to make sure we have time for questions. John, unless you had anything to add to that.

John Wilson

Yeah, that’s it. We’ve gone through all the slides in general terms. What I do want to talk through is does anybody have any questions about anything we talked about or we can just go move on with our day and thank everyone for being here today.

Rene Novoa

Well, I think also everybody should know that we do have some more information on some of the reasons why we use the tools that we do in the slide deck. We may not have gotten to all of them, but that will be presented to you guys. If you guys have further questions or concerns, happy to engage or respond to any of you guys. If you have any information, definitely please reach out using this link.


Expert Panelists’ Bios

+ John Wilson, ACE, AME, CBE

Chief Information Security Officer and President of Forensics, HaystackID

As Chief Information Security Officer and President of Forensics at HaystackID, John provides consulting and forensic services to help companies address various matters related to electronic discovery and computer forensics, including leading forensic investigations, cryptocurrency investigations, and ensuring proper preservation of evidence items and chain of custody. He regularly develops forensic workflows and processes for clients ranging from major financial institutions to governmental departments, including Fortune 500 companies and Am Law 100 law firms.


+ Rene Novoa

Director of Forensics, HaystackID

As Director of Forensics for HaystackID, Rene Novoa has more than 20 years of technology experience conducting data recovery, digital forensics, eDiscovery, and account management and sales activities. During this time, Rene has performed investigations in both civil and criminal matters and has directly provided litigation support and forensic analysis for seven years. Rene has regularly worked with ICAC, HTCIA, IACIS, and other regional task forces supporting State Law Enforcement Division accounts and users in his most recent forensic leadership roles.


About HaystackID®

HaystackID solves complex data challenges related to legal, compliance, regulatory, and cyber events. Core offerings include Global Advisory, Data Discovery Intelligence, HaystackID Core® Platform, and AI-enhanced Global Managed Review powered by its proprietary platform, ReviewRight®. Repeatedly recognized as one of the world’s most trusted legal industry providers by prestigious publishers such as Chambers, Gartner, IDC, and Legaltech News, HaystackID implements innovative cyber discovery, enterprise solutions, and legal and compliance offerings to leading companies and legal practices around the world. HaystackID offers highly curated and customized offerings while prioritizing security, privacy, and integrity. For more information about how HaystackID can help solve unique legal enterprise needs, please visit HaystackID.com.


Assisted by GAI and LLM technologies.

Source: HaystackID