[Webcast Transcript] Now You See It, Now You Don’t: eDiscovery Challenges and Apple’s iOS 16 Release

Editor’s Note: On October 19, 2022, HaystackID shared an educational webcast on the potential impact of Apple’s iOS 16 release on the area of eDiscovery. With iOS 16, new chat manipulation and security features have gone mainstream, giving millions of users access to advanced and contemporary features previously unavailable to iOS users. This access has also created new concerns and challenges for data and legal discovery professionals.

This session was developed and shared by a team of digital forensics and legal discovery experts and highlighted the newest update to iOS, and how that update may impact audits, investigations, and litigation in the world of eDiscovery. The presentation also included descriptions and discussions of new iOS features and their potential impact on mobile device data, from device preparation for mobile collection and preservation to mobile device discovery.

While the entire recorded presentation is available for on-demand viewing, a complete transcript of the presentation is provided for your convenience.


Presenting Experts

+ John Wilson
ACE, AME, CBE, Chief Information Security Officer and President of Forensics, HaystackID

+ Todd Tabor
Vice President of Forensics, HaystackID

+ Rene Novoa
Director of Forensics, HaystackID

Presentation Transcript
Hello, and welcome to today’s webinar. We have a great presentation lined up for you today, but before we get started, there are just a few general admin points to cover.

First and foremost, please use the online question tool to post any questions that you have and we will share them with our speakers. Second, if you experience any technical difficulties today, please let us know in that same question tool, and we will do our best to resolve them. And finally, just to note, the recording of this session will be shared via email in the coming days.

So, without further ado, I’d like to hand it over to our speakers.

John Wilson

Hello and welcome from HaystackID. I hope you’re having a great week. My name is John Wilson. On behalf of the entire team here at HaystackID, I would like to thank you for attending today’s presentation and discussion titled Now You See It, Now You Don’t: eDiscovery Challenges and Apple’s iOS 16 Release.

Today’s webcast is part of HaystackID’s regular series of educational presentations developed to ensure listeners are proactively prepared to achieve their cybersecurity, information governance, and eDiscovery objectives. This webcast is being recorded for future on-demand viewing. The audio recording and complete presentation transcript will be available on the HaystackID website soon after we complete today’s live presentation.

Our presenters for today’s webcast include experts with a deep understanding of digital forensics, mobile device collection, and presentation with particular insight into Apple’s newest and most recent iOS update.

My name, again, is John Wilson. I’m the CISO and President of Forensics here at HaystackID. We also have Todd Tabor and Rene Novoa.

We can advance the slides. There’s Todd.

Todd Tabor

I’m Todd Tabor, I’m the General Manager of Forensics and the Vice President of Project Management at HaystackID.

John Wilson

Yes, and then we’ll go on to Rene.

Rene Novoa

I’m Rene Novoa, Director of Forensics here at Haystack, and work a lot on the R&D and mobile forensics piece at HaystackID.

John Wilson

All right, and there’s me. That’s all we need to know.

So, today, we’re going to talk about the challenges of mobile device discovery that have just been exacerbated by the growth and changes in the industry. We’re going to get into these new technology advancements around not just iOS 16 but a lot of the mobile device things, and then we’ll talk specifically about the iOS 16 messaging features, and some other changes that came with iOS 16, moving into how do you interpret that into an investigation in forensics.

From there, I’m going to turn it over to Rene.

Rene Novoa

Thanks, John. We’ll go to the next slide.

Here’s a little disclaimer. You’ll have that in your downloading enjoyable pleasure. We’ll go to the next slide.

Well, John, thank you for getting us started and for that wonderful intro. We really want to start with the overall challenges of mobile device discovery. And I think that’s where we start because we will get into iOS 16, and it will have its own challenges, and we have to add this to our list of additional challenges that we’re already facing, just the sheer number of obstacles and constant evolution here.

So, just to know where we started. We used to be able to dump a phone. We used to plug a phone in, you’d put it into a Faraday bag. As we all remember, you take the SIM card out, you’d image a SIM card, you’d image the phone, and you’d get a report. In many cases, it would be on a CD or a DVD. That is no longer the case. We have a plethora of additional challenges that we’re facing. And in the slide, we’re going to talk about some of these challenges that we’re seeing here on the corporate side, as far as breaking that stereotype of “this phone has to be turned off”. A lot of the times when we’re trying to access phones, and we’re trying to collect mobile data, we’re having to have the SIM card not only put in but turned on and active. We’re having to actually get onto a local Wi-Fi.

What are we doing? We’re changing data. We’re adding information to the phone that we’re manipulating, in the sense, data, but it is necessary to gather the appropriate information that we need to pull off or be able to investigate, to tell a bigger story. Because mobile devices hold so much information now, we must find new and creative ways to access that information.

We also have new messaging communications and applications. It seems like almost every day, I’m talking to all sorts of demographics of people, and they’re finding new and creative ways to communicate. Facebook is for a certain group, and they’re using Messenger, and they’re using it extensively. But I’m talking to my kids, and it’s Snapchat, it’s Telegram. They’re using in-app communications, anyway that a message can be sent. Instagram. All these ways find ways for us to communicate with one another and to large groups of people. But also, we have to find ways of how do we collect that data. How do we access that data? And what is the appropriate way to understand that there is communication in those apps?

The next one, the biggest challenge for mobile discovery, is corporate MDM. A lot of times, we don’t even know if there’s MDM. Our clients and custodians don’t even understand what MDM is or the effects that it can have on an investigation based on policies. Everyone just wants to roll it out and say, “Hey, I have MDM, I’m compliant, we’re secure”, but they don’t understand the policies that may come with it as far as preventing us from creating a backup on an iOS device. Or being able to unlock a phone, which may make it easier for us, but they don’t understand that that’s turned on. So, not only are we trying to work with a phone that won’t allow us to, it’s also educating our clients and custodians, what is on this phone, and having that overall big picture.

And I know we’ve run into challenges. Todd, I believe you had some experiences onsite with some corporate MDM that was very challenging. Would you care to elaborate?

Todd Tabor

We had two recent experiences. One recent experience was the client didn’t have an understanding of what was going to happen if they took MDM off the phone. So, they wanted us to go image the phone or attempt to image the phone with MDM on it. And of course, we couldn’t, but they really didn’t know what the effect would be if they tried to take it off. So, they didn’t know if it would wipe the phone entirely or just wipe certain data, they really didn’t understand it.

So, we made the attempt, obviously, couldn’t complete the image. So, then we had to have them take the MDM off, and as it turned out, it took some certain data off, which it should have. It took the managed data off. And then we were able to do the image of the phone. But it took off certain data that they wanted. Fortunately, it was backed up and we could get it in a different way.

In another instance, we had a phone that they didn’t think they had MDM on the phone at all. The end user didn’t think there was MDM on the phone at all. It turned out there was. The phone was halfway across the country. It couldn’t be removed remotely. I was stuck in Miami for four days while we figured out how to get the MDM off the phone. When it did, it took data off the phone. The client was surprised that it took it off the phone. We had to get the phone back to the corporate office for it to be put back on. So, it created quite a bit of challenge for that individual and for the IT team on that company, and for the attorneys involved.

Rene Novoa

Yes, but it also comes with cost. So, even though there was a solution and it was, seemingly, a happy ending where we did figure that out through the right appropriate conversations and scoping, you were there four days. And it does add costs, and it aggravates the custodian, as they’re without use of their phone while we try to figure this out. So, thanks, Todd.

Which brings us right into BYOD. We don’t have corporate MDM and users are allowed to bring their own phone and have their personal phone used as corporate devices. And working at home, COVID has forced a lot of individuals to work remotely and have their own devices, but that can add a whole level of other additional problems.

Just recently, we had a mobile device that had the Ring app. I know it’s very popular, everyone got security, everyone upgraded their homes. But the Ring app, just for an example, stores an excessive amount of logs, an excessive amount of information. And when you’re doing a collection and you need to extract information, we’re now pulling private information. It’s now taking us twice as long to image devices. So, all these things need to be considered as to when we allow users to have BYOD when they are adding any apps to their devices. What are the implications with so many apps storing so much information? And in that instance, that took us roughly 12 hours to image a 100-gig iPhone, which the custodian was not too happy with.

So, these are these other challenges that we’re trying to educate individuals and giving them real expectations as to how long a process is and why. And this is just adding to that complexity.

And we’ll keep moving along. I don’t want to spend too much time on this, and we can follow up with additional questions, because I really want to get into the iOS 16.

Just more than just a PIN code; just unlocking the phone is not really going to give you everything. There are so many more apps like crypto and crypto wallets, and blockchain wallets that require 2FA. Again, you’re going to have to have the phone turned on, you’re going to have to have email connected. You’re going to have to still be connected to your carrier to be able to do 2FA with your phone to unlock additional information that might be housed by encryption.

So, other things to think about before shutting off a phone or taking out that SIM card so that the user could put it into another phone, we may need access to that phone number.

Moving along to security and updates. What we’re able to collect today, we may not be able to do tomorrow. And items that we weren’t collecting yesterday, we are doing it today. It really changes with the wind. Just like John’s background, just in the winds of the palm trees, the security landscape is constantly changing. So, we’re constantly having to be up-to-date and being careful on what we are promising and what we can deliver.

Which brings me back to multiple tools. There’s no more of just “We’re just this type of shop”. No matter what that tool is, “Oh, we only use this one tool”. Well, that’s really going to limit your ability to pull all the information as we get into the different applications, the different way we collect information, no one tool is going to work depending on what the investigation is about.

So, things to keep in mind as we go through this journey that all these challenges are still going to be moving forward in our investigations, in our education into challenges in mobile device discovery.

Todd Tabor

And Rene, isn’t it true that a tool that worked yesterday may not work today on the same phone if there’s an update?

Rene Novoa

100% and that’s the thing is that you need to have a big toolbox. All these tools are always trying to play catch up. We get the beta versions and they understand what’s coming, but the final version, they may not support it.

As we talk about iOS 16, when it first came out, there were two tools, very popular tools that did not support it because they used their own drivers and really had not released the fix. Where some other tools were using native iTunes application DLL files, they were very easily able to collect and preserve iOS 16 data. So, that’s very much true and alive that you have to – one tool is great one day, but it may not so be the next until they can get caught up. Okay, let’s go to the next slide, please.

So, when we’re talking about these challenges and we’re talking about mobile devices, we’re also talking about these third-party applications. Third-party applications really came out of nowhere, in a sense, that they’re not created equal. A lot of them are created from other countries. We have WhatsApp and Signal and Telegram, WeChat.

WeChat is more used in China. In Chinese culture, we’re finding a lot of these individuals are using WeChat. We have LINE, which has really blossomed out of Japan. Telegram, even though it’s based out of Dubai in the United Arab Emirates, we do have some Russian founders, but they all have different ways of developing end-to-end encryption. They have all different ways of how they store data and how it’s going to be preserved on each phone.

And it also gives us challenges on how we’re going to back up this data, how we’re going to collect this data, how we are going to actually deliver this information.

And this is where, on the previous slide, we talked about multiple tools. For example, I just took three popular applications. WhatsApp, it is part of the iTunes backup. We can collect WhatsApp in entirety by doing an iTunes backup. Great. Not so much on the Android side. The ADB backup, which is the standard backup process for many Android devices, you’re not able to get WhatsApp, because to be part of the ADB backup, you have to opt-in as a developer so that your data is then backed up. And if you are a developer from MDM encryption talking about security, you’re not going to just opt in to have your data be backed up and being able to parse. So, it’s requiring a secondary collection, secondary tool, additional tools to collect apps on Android devices.

So, these are not created equal, even though the same application.

The same with Signal which has been a really big nuisance, as in a lot of cases we’re doing screenshots. We’re going back to the day of almost paper, in a sense, because we’re having to then take those screenshots. We are able to collect the database, but in a lot of times, they are encrypted. So, there are some advanced features that we’ll get into like jailbreaking, rooting devices. Checkmate. There are some very popular online terms that are going to give us full access to a mobile OS environment and ecosystem that it does allow us to decrypt, but it does require an extensive amount of effort.

Telegram is another one that we’re able to use QR codes, syncing, collecting the device from the phone. But again, that is constantly changing, and we can’t go into a situation and say we’re going to have all the tools, just give us whatever phone, whatever applications, and we’ll figure it out. It really does require an understanding of what’s on the device, how people are communicating, and what those messages may look like.

John Wilson

Rene, does that effort require that hybrid approach where you’re going to have to be online to do the QR code method, taking the device out of the Faraday bag and having online access, and sometimes even using a whole nother platform in order to do those collections?

Rene Novoa

Yes, the hybrid method is almost used exclusively on the majority of these third-party apps when necessary. For a long time, we did use a QR code method where we were able to scan it and use a sync methodology. But WhatsApp put a stop to that. And internally, they built it where you could no longer – you could do the QR code, but it would not give you 100% of the files. Now, whether that was great that you were able to collect some data, we would not be able to attest that we have all the data. And it could be easily said that “Well, the important messages is what you did not collect”.

There was no way to control what we were able to pull with QR just recently. That was all up to WhatsApp to determine how recent and how far back those messages go. So, it’s not a great method when you’re talking about forensics and full preservations of a third-party app, because you cannot say 100% that you had every single message. So, we do have to develop our tools and validate them that we are getting all the information. Because on the surface, it does look like a lot of messages, but if you’re in the realm of 10,000 messages that we’ve seen before, and you’re maybe missing a thousand, they can be easily missed. They can be easily failed in QC. So, we have to understand the methodology that we’re using, not just collect everything.

Todd Tabor

And the not collecting everything and not getting all the messages, to that end, the Igor Danchenko trial that just ended, the John Durham investigation trial may have swung on the fact that the defense was able to raise the idea that, well, there may have been Signal messages that weren’t produced. And they may have exculpatory information in them that wasn’t produced and wasn’t available to review.

So, it likely created doubt in the jury’s mind.

Rene Novoa

Yes, and that’s a great sentiment there, Todd. Just because we also are able to – I mentioned screenshots as a way of a methodology of collecting the information. But if we are going to do screenshots and the amount of effort to do, let’s say, 10,000 Signal messages. How do you search that?

Now, not only do we have screenshots, we then need to OCR it, then we need to make it searchable. How are you getting it into review platforms like Relativity or Ringtail or whatever the ones that are out there, I may have said one that’s already out of business? How do you display that? Just because we collect it and just because it’s there, are you able to find it? Do you print out those messages? And could you have missed critical messages in that process? But were we able to collect the Signal messages? Yes.

So, with Signal, some of the secret sauce is to be able to get full access. That’s always the objective is to get a root without destroying the phone or Checkmate or a full file system where we’re able to get those databases unencrypted that it does allow us to parse.

So, there are some methodologies. It just requires a bigger effort and higher technology to be able to access a third-party app like Signal. We’ll go to the next slide, please.

Third-party apps are not going anywhere, and I know Todd brought up a case that was used, but it seems that almost everyone has access to third-party apps. It’s commonly used in everyday life. Kids are using this. Adults are using it. This is not just for deep web type of conversations or out of the country – communist countries that are trying to get communications out. It’s being used in everyday life, in everyday communication of how we communicate.

And as you can see, WhatsApp by far is still the most popular messaging app.

This was taken in January 2022, but we did – John, Todd, and I did a couple of searches and found that Viber has moved up, like we talked about before. LINE has moved up. They are all in the conversation – Signal, Signal was in the news, it’s not even on this graph as the most popular, but it is probably most used in certain situations that are going to be part of litigation. They’re going to be part of these investigations because it is in the news for being ultra-secure, making it harder for investigators to pull the information and produce it. And this is a pure example from Todd’s case on the millions of apps that are out there.

WhatsApp is very popular in Latin American countries. Down in Mexico, LatAm, Brazil, we’re seeing a high amount of these applications being used as everyday communications, because it’s end-to-end encryption, they feel secure. They’re able to make calls and phone calls that are not being stored or logged by the carrier. So, there’s all these other great features that they add. Snapchat disappearing messages, they’re not being stored. We can go on and on. We’ll go to the next slide.

So, this was just an overall general business application downloads on the number of applications that are being downloaded. And why this is important is because we have to also figure out how to parse this information if these applications are important to your investigation and part of the litigation. If they are very one-off applications used for certain functionality, but if your tool does not parse or does not show it in that “Hey, print me out a report”, what do you do? How do you work with your vendor? How do you work with the investigator to then collect that information, understand, tear it apart and understand where the important communication is, or important artifacts? And then how do you display it?

What is the deliverable? We can’t put everything into Relativity so cleanly. I know that’s popular, and I’m very tool-centric here, but we need to look at how we not only – what applications we’re downloading, but from which store. We talked about WhatsApp being very easy, very simple from iOS, but very hard with Android.

And we start looking at the number of Apple downloads. When we’re talking about US custodians and Japanese in Japan, it’s very high on Apple’s Apple store. Number of millions are way more than in the Android Play Store. So, you’re going to see a lot of that information, possibly, in the iTunes backup or iTunes collection and preservation. But when we start looking at countries like Brazil, Mexico, Indonesia, Egypt, India, by far, heavy Android users. Your Google store is going to be just millions and millions of more downloads.

So, now, we have to understand these applications on both platforms and they’re not created equal.

John Wilson

I just want to throw in there that looking at these numbers, understanding that that’s a billion. So, we’re talking about the last three years, the average is around 8 billion downloads a quarter. That’s a lot of apps. That’s a lot of data. And a lot of variation. So, understanding that is really important in the global scope of an investigation that needs to happen on a mobile device.

Rene Novoa

Yes, and I think that’s why we’re trying to bring it home, the billions of downloads. And somehow, we must figure out how to parse out a good portion of them.

I think I read that the average person uses nine apps daily between productivity and play. But over the course of a month, they will have accessed at least 30 apps. And we’re talking about 30 individual apps from everybody, but which 30 apps out of millions and millions of unique applications, both productivity, games, and communications as being very, very important?

John Wilson

And communications are happening in all of those, so the business apps have communications in them. The communication apps, obviously, have communications in them. And so do the games, though. A lot of the games are being utilized for chat and communication capability as well.

Rene Novoa

Absolutely, good point. The in-game communication has always been a challenge, especially with teens and young adults on all the games. I know all the games I play, and there’s chats, and there’s groups, and there’s teams, and they’re able to communicate cross-border. So, all stuff that needs to be thought about and looked at. Can we go to the next slide?

With all these applications, with these different devices, we’ve had to come up with new techniques. We talked about we can no longer push a button, using our favorite tool just to produce an image. We’ve had to become very creative. How do we get the WhatsApp?

We have things like OTG where we’re able to plug into Android and run our own application, which is kind of a little bit of a secret sauce of how we’re getting some of that WhatsApp, how are we getting some of that encrypted Signal data. Because we need to get it in an unencrypted state. So, attacking the phone live, and possibly adding an application that can then collect that raw data and rebuild that database for us to be able to extract it out and put it into a deliverable platform.

So, with Androids, we are using OTG devices where we’re plugging in, collecting selective data. We don’t have to collect the whole phone, in that case. We’re able to target selective apps, selected information if they are supported. And we’re constantly adding support. I think we’re all adding support. This is not just a Haystack thing. But I think all investigators are finding new ways to collect additional applications in communication.

We have new syncing capabilities. There are a few vendors that with the right credentials, with 2FA, with a good working phone, we’re able to pull it off from the cloud, whether it’s email, whether it’s repositories like Dropbox, like OneDrive, where it’s all on the phone, or it’s an individual user and they don’t have an enterprise – we are able to use the phone to authenticate and then pull from these repositories. Again, not just plugging it into one tool and dumping a certain type of report.

We are moving forward because of the conversation that we had with Todd and the MDM, and I talked about Ring apps and Nest apps storing so much information, and it’s taking us 12, 13 hours to image a phone because of the number of files. There is technology, there are techniques to target messaging from the iOS with data filtering.

And this may be very new to a lot of you because this is really coming out is that we’re able to now target just the messaging apps and target certain information on an iOS device. Well, we don’t have to collect everything. We do not have to collect their health data. We do not have to collect their Ring data. We do not have to collect all their photos. But what we need is their contacts or call logs, their WhatsApp, and their iOS messaging, and their native messaging. And we just want to collect that. How much faster will that collection piece work? If we’re able to target that, pull it up into the cloud, run some searches, and export only what we need, how much time would that save us?

And just the convenience. Even with Apple, and even for us, we want that user experience. We want that client experience to feel secure and understand what we’re doing, and we’re not being intrusive. When we have BYOD, how do we avoid all that non-privileged data and only target what we’re looking for? Well, we now have new techniques that can do that. We’ll show you a little sample of that later on in this presentation.

But I do want everyone to know, the 61 people here, that that technology is available. We can go into an iOS and target just the messaging, and extract that.

There are some ways that we’re going to have to discuss on how we defend it, and how we store it. But if you do not have access to look at the other data, there are some possibilities now. And I know there are a few other tools that are doing it, not remotely like us, but being able to target certain iOS models and select only the data they want. And I think that’s becoming an important transition, an important theme as all the vendors are trying to find ways not to have 12, 13-hour imaging.

I think the longest I’ve done was 23 hours on an Android device that had 53,000 MMS messages. If I could have targeted selective users and selected conversations, I would have saved myself a lot of time, I would have saved the client some money, and I would have saved the headache of me having to sit in a boardroom for 22 hours and checking on it. So, there’s a lot of convenience with some of this new technology that is being rolled out, effectively, now.

So, I’m very excited to know that we’re moving beyond just dumping phones and giving prosecutors and examiners CDs with just 60,000 pages of PDFs to do searches on. I think it’s an exciting time as we get into the new iOS, some of these new features, some of these new techniques that we’re developing in the industry. I think we can go to the next slide.

Wow, so we’re finally getting to the iOS 16 of this presentation. We’ve talked nothing but challenges, we’ve talked about nothing but problems, and we’ve come up with a lot of solutions to tackle these unique apps and chat communications.

And all the good things with Microsoft and Apple, they solve one problem, but it creates whole nother catastrophe in other areas, especially when you start talking about forensics.

With iOS 16 and the release of the iPhone 14 in September, there were a lot of great features that were added, a lot to do with the user experience, suggested photos, photo shuffles, lock screen editing, just some – really things that make your user experience a little bit more enhanced. There wasn’t a whole lot of upgrades, but it does make it look nice.

But one of the things that did get enhanced was the messaging app. Now, this is where we can have problems. Being able to edit a message, which is fantastic, if we’re able to edit a message, I’m fat-fingering all the time, I have predictive texting and it writes the wrong thing. And we’ve seen the Twitter accounts and the blogs of when autocorrect and Siri goes wrong of just what you typed to your mom or to your coworker. And it was, “Oh my god, that’s the suggested pretext. I’m really sorry”. Now, we have the ability to fix that. That’s awesome.

For up to 15 minutes, I wrote the wrong thing. I’m not coming into work. What I really meant to say, “I’m going to be late to work”. And those two things can change the conversation of what you may receive back.

But it also does add a whole level of complexity when we start talking about workplace harassment; we start talking about inappropriate images, sending intellectual data, intellectual messages to somebody else, and then being able to edit it later.

Now, it was great in its use for good, it was meant to solve a problem, but it’s also created another issue. What about those edits? What was in the original text message? Did it have proprietary information? Did it have intellectual property of keywords and passwords that they transmitted and they were able to edit?

On the forensics side, that is not good, especially when you talk about harassment, and just workplace, corporate espionage. It can be very much an issue.

The other one is the “undo send” (clawback), where we’re actually able to pull back messages. So, the undo clawback feature, these features are not new to everybody. We’ve had them in Signal, we’ve had them in Telegram, we’ve had destroying messages. That is not new, but it is now part of the everyday messaging. It’s built into an operating system. It has gone mainstream. Most of the corporate phones I deal with are iOS, and that’s the way a lot of C-suites are communicating or have the latest phones.

But now, we have the ability, in the corporate world, to change this, and we’re not using third-party apps. When we’re talking about a lot of businesses using third-party apps, or people using them, they’re doing a list of stuff. They’re exchanging information outside of work. That’s for private use.

But now, we’re talking about normal corporate messaging being able to edit messages and to claw those back. How do we get the original conversation? And what are the rules to that? How are investigators able to tell the story when clients and litigators come asking, “What really happened? What was that conversation?” What are we going to be able to say? Can we just tell them what’s currently there, or what was originally said?

Some of the other features are kind of – I don’t know how well it goes into the forensics, but being able to mark a conversation as unread so that you can come back to it later. I think that one – you image a phone or you come onsite to a phone, and you’re looking at the last conversations and it looks like they haven’t read it. They have the ability to change that, to look at it, to go back and edit it. So, if you are doing a live visual inspection of the phone, that may not be true. You need to understand, “Oh, I haven’t checked my phone, I haven’t looked at any of my messages, I haven’t seen anything there”. And you look at their phone and the last 10 conversations are unread, it doesn’t mean it’s the true story. They could have looked at it and then undid it at the conversation level, not the message level. So, just make sure that we’re clear on that.

Todd, John, any insight on this?

So, the other great feature is that if you are part of a preservation or you just got notice, “Hey, you need to preserve everything for the last 30 days, or the last six months”. Everybody has a little bit of cleanup to do; they clean up their phones, and they’re going through conversations, and if you deleted something that was supposed to be on preservation, on legal hold, within the last 30 days, you can go back and restore that information.

So, what does that tell us? That even though you deleted a message, there are fragments of that message available for the next 30 days? And I’ve been telling everybody, you can’t get deleted messages, you can’t do this. Once we image it, there are just fragments. So, what was true yesterday may not be true today. They have to be able to pull those messages from somewhere. Messages have to be stored somewhere.

This is all good information, but it’s all about timing. There is a log time. We can’t let this go eight months down the road and then say, “Hey, we need to undo this, we need to undelete, we need to find deletion, we need to find the original edits, what did they claw back”, and then ask questions.

So, again, when a case is brewing and we have anticipation of discovery, we really need to start asking these questions. Do they have an iPhone? Is it iOS 16? What are the implications moving forward?

John Wilson

Just to throw in, I think Todd and Rene, we were just talking this morning and one of the new discoveries around the new iOS 16 changes is also how drafts are managed and seeing a draft. So, an unsent message that somebody was working on and said they will go back to later, and then decide to do something with it later.

Can you talk a little bit about that, Todd, Rene?

Todd Tabor

It timestamps it, but if you go back to it, it timestamps it. So, it will put the timestamp that you’ve gone back to it, for sure.

Rene Novoa

If you go back to it, it will actually change the name. So, the name of that message will be altered. So, we’ll be able to tell based – it’s not necessarily the message timestamp, but it’s going to be the actual plist, or the actual – I don’t have the word for it now. But the plist modification date is going to be the modification date of the changed draft. So, if they are editing a draft and they have added changes, you will be able to track it, but it’s not historically how we’ve seen a message associated with certain metadata. We have to look at the actual – the metadata list file to be able to tell that story, to be able to put it together. So, there’s been some really good research by examiners in the industry who are constantly publishing on Twitter and on their individual blogs about this, about how information is stored, and how it is changing with iOS 16. And what we knew to be true is a little bit different in our interpretation of where that information resides.

Thank you, John.

But like I said, the good news is there is a time lock on when changes can be made. So, that brings us to these new challenges. And I talked a good amount about challenges and how we access information, and how we target information. The different tools we have. But now we need to understand the preservation concerns.

Was it spoliation or was it conversation edits? Was it just being polite? Was it just trying to say the right thing? Visual inspections of the mobile devices are going to be extremely important. I know we do a lot – the industry, as a whole, does a lot of remote. They don’t want people coming onsite. It’s inconvenient. It’s expensive. But we are going to have to take a look at those phones. We are going to have to see if there have been edits. Because when we do send an edit, it is tracked visually on the phone, you can see those edits. But it’s not so much – as we’ll get into – not so much recorded in the database or in the phone dump of the device.

One important aspect about these important new features that can give us problems is that both devices have to be on iOS 16 or above. Right now is a critical time where many people don’t update. So, if one individual has an iPhone, say, 12 that is on iOS version 15.6, communicating with an iOS 16 device, regardless of whether they want to edit or recall those messages, they’re not going to be able to do it because the phone does not support it. The iOS version will not allow that edit to occur. It will give you another entry and show that they are trying to edit it, and it will give you that edit, but it will keep the conversation together. It will not claw back, it will not remove it.

So, this changes a lot. Now, when we’re collecting one phone, it may be important to understand who they were communicating with and imaging both phones, and being able to then put the conversation together, because we’re going to have the clear text, it’s going to be readable, and it’s going to be able to be ingested into almost any platform, however, you’re doing your investigations.

So, now, we need to ask better questions. Who were you communicating with? Can we get their phone? But they’re not really part of the case, they just have this one text message. Why should they give up their whole phone? This is why targeting just the messaging is going to be important, because we don’t need that other individual’s personal information, their photos, their other conversations with their friends or their spouses or their partners, we just need to target that one conversation. And now, we have the ability to do that. That technology is out there. We do that.

So, this gives you more tools to not be so invasive, to collect more information, tell the story without having to send somebody always onsite, always having to collect full images. And now, we’re dealing with 250 gigs of iPhone data when we really just need three conversations. So, again, asking better questions, understanding what we have, understanding more than just “Oh, it’s just an iPhone, just collect it”. I hear that all the time, and it’s going to be – well, we’re going to need to push back as investigators, as litigators. “No, no, I need to know what iOS version you are, what phone you have, and what size it is.” Because it’s going to be important on the expectations and what we are able to deliver.

Do you want Rene Novoa at your house for 12 hours imaging this phone when we need two conversations? The answer is going to be no, but it’s not going to be appropriate.

John Wilson

And just to chime into that, we have a question from the audience and they’re asking, “Is it possible, at this point in time, to perform remote collections of iPhones?”

Rene Novoa

It is. We are able to do remote collections, whether we send a kit or we can remote target iOS messaging communication. As far as third-party apps, it’s just WhatsApp as of now, but it is possible, yes, with very little lift. We will have to have a certain bit of software on another computer not part of an investigation but, yes, we can do that.

Todd Tabor

If some of those edited messages are material, or could be material to a particular case, it might be worth looking into the hex for the person or for the team that’s looking at those edited messages to understand what was edited so that there are no surprises.

Rene Novoa

That is a great comment, Todd, because that kind of leads me up into my next slide. The next slide, please.

So, what does it look like? What does it look like when we do edits and we do clawbacks?

Unfortunately, we’re not able to tell the difference between either one. This right here in the middle is an actual database from the SMS database that all tools parse from. We’re seeing empty entries, but there is an entry. We know that something happened. At this point, we cannot determine whether it is a clawback or unsent, or if it’s an edit, but we do know something transpired because we have a record of it which was not removed or deleted. The content was, so the metadata may have been altered, but we know that there is an entry at a certain point of a conversation in order that something did happen.

So, whether you’re getting your Excel reports from a certain tool and you’re seeing these blank no entries, it’s not necessarily past deletion, or it’s just staggering information, it really could be an edit or it could be a clawback. But now we have to understand, is it an iPhone 16? What OS? What’s the phone?

So, again, you have to have all that information.

So, here’s an example of a test that we had. As you can see, there are empty log entries. Next slide, please.

Another example on the tool where you may get an Excel report, you’re going to see these empty slots.

Now, on the right-hand side, we see that grayed-out area; that is an edit. And then we see what is currently there. There is actually one more message that was deleted. I know because we deleted it. So, there are three entries and three missing entries on our chart on the left, which is an actual dump from a tool, from a mobile forensics tool, and it’s showing three entries that are missing.

Now, if I look live at the phone, I know there’s an edit and there’s a deletion, but there is an edit in clear text. So, that information has to be stored somewhere.

Where is it? Because we just parsed the phone out and it’s not there. So, we’ll get to that point. Can we go to the next slide?

So, this is just – not a teaser, but we talked about iOS targeting, somebody had asked that question, “Hey, can you do remote collections of iOS?” Here’s an example of one of our techniques where we’re actually pulling just targeted iOS information from a specific user. And even in this new technique, we are seeing that the entry is missing. It shows as blue, but there’s no text there; there’s no content there because it was edited or deleted. So, all of our new techniques that we’re having, we know that something is happening. We know how to identify a change, something of concern, something to question that something had to have happened within either 15 minutes, or within two minutes of whatever the previous conversation is about.

So, if you’re looking at previous conversations, you can kind of see the tone of certain things, and then you start seeing missing log entries. Next slide, please.

John Wilson

Just to jump in as you’re talking about all that: is the information there, but the tools are not necessarily parsing it? You’re having to do this manual digging at present. Is that kind of what you’re saying?

Rene Novoa

That’s absolutely right, John. That kind of leads me to this slide is that although the three popular forensic tools did not see it, they just told me that there was no log entry, one of our advanced tools that does remote iOS messaging application told me that something was missing, but it didn’t give me any of those results. I then had to get in and really get my hands dirty and really look at the embedded plist and really look at the hex like Todd had suggested.

And this is an example on the left-hand side of me having a conversation where someone is saying “Going to edit this message, 1, 2, 3”. I’m looking at the database and it’s blank because there are just no entries, but if I look into the hex, there they are. I’m not sure how big your screen is, but you can actually look at what I’ve highlighted. “Going to edit this message, edit 2, and the last one is edit 3” which means that the edits are on the phone, but the tools have not caught up to parse that information.

So, when we, as consultants or litigators say, “Hey, what’s on the phone? Can you get me the edits?” And they say no, that means they don’t know how to go in there and manually craft it out.

But the thing is that visual inspection is going to be important, because we’re going to need to know those keywords. It’s not so easy to just line it up so that it parses out into a nice spreadsheet where you can read all these edits. It is going to take some conversations. “What was part of those edits you saw before? We know you changed something; what are those keywords?” We will be able to then dive deep, find those fragments, and rebuild it, but it is going to require some work and some conversation. You can’t just say, “I need all the messages and all the edits”. That’s just not going to be feasible. It’s going to require, “What were some of the keywords?” We can search for this. We’re going to carve it out. Let’s try to see if we can rebuild this. And it’s going to take some hours. It’s going to take another lift, another set of tools, and some more expertise to be able to do this. And hopefully, the tools will catch up, and that’s what the goal is. They know it’s there, we know it’s there, and it’s only going to take us to push them, push those vendors to say, “We need to be able to parse this information out of the embedded plists and the embedded logs; you guys have got to do better jobs because we need to tell that story”. Because in Todd’s case of Signal, there was a reaction, there was something that happened because they could not have all the data from Signal, they knew they were missing something.

We know we’re missing something. If you’re just doing that one tool and you’re dumping it, and you’re looking through that Excel file and trying to make sense of it, you’re going to miss something within iOS 16 with these edits. And if you’re not understanding the iOS – that is iOS 16 to iOS 16, you’re going to miss something if you’re not doing a better job. Next slide.

I know we’re getting there towards the end, so I’ll keep moving this along.

A lot of the things with iOS 16 that were very nice: we have log files that told a story, so we had KnowledgeC. We had Biome, which was really meant for suggestions and indexing and how things work in Spotlight that you’re going to find on the iOS ecosystem.

But now, we’re starting to find fragments because Siri can now also send messages, and Siri can also recall messages, which I’ve tested. But how we track those edits, how we track those changes has been now scattered through several log files that we have found ourselves with research. But there’s a lot of research out online that is doing a lot of great work from some of the vendors and some of the people that I follow on Twitter that are trying to understand that there are fragments, and we need to do a better job. And I think that’s where we are.

Everyone is really digging in to try to look at these log files, to see what fragments there are, whether we can get the full edits, and how we are going to parse this thing and give it back to the community. So, as far as what to ask for, not only do you want the messages, you need to look at the hex, you need to look at the logs and see what fragments tell that story that you’re, ultimately, looking for, the truth. Next slide.

I want to give some time for questions. Again, to kind of bring everything full circle, it’s not just a phone dump anymore, just collect and send us what you have; you’re going to miss something if we’re not asking the right questions. Don’t rush the collections to save time and convenience. I think multiple passes, multiple tools will be needed, which does add cost. But I think appropriate scoping, appropriate questioning will – and using the correct technology, and not necessarily imaging the whole phone and understanding that we just need to target messages. And I know that you’re not able to go back to the well and pull other additional information, but you may not need to.

We need to start really thinking outside the box, and how we are going to help our clients, how we’re going to present data in court, and how we’re going to validate our findings. I think these are all very important ideas as we – what I want to leave you with is that make sure that we’re asking those important questions. What OS version? What is the bigger picture?

There are too many cases, and I’m sure Todd and John will know, is that they don’t – litigators and attorneys don’t want to give us all that information. We can’t tell you about the case. But if we don’t have the full picture, it’s very hard to consult and ask those questions. Well, you’re going to need to go get that other. Well, we can do it this way. We can just target their messages and just collect it so it’s not as invasive. Those tools and techniques may give you the resources and the flexibility to get all the information that is needed and to make sense of it.

And my biggest piece at the end is don’t be afraid to go old school. Get that Canon camera, that Sony camera, and start taking photos when you’re looking at edits because you’re going to want those keywords. You’re going to want that conversation that we can give to investigators and say, “I know this edit is here, I need you to prove it that it’s all on the phone currently, I need you to be able to show this to the attorney, I need you to be able to show this in court”. They’re going to take their phone back, we’re going to image it, but I need you to find these edits. Go old school. Get a camera. Get an SD card. Because we can preserve that. It’s again evidence that can be part of the case. You don’t want to use another phone, because you don’t want to use the investigator’s phone that may have other information or get mixed in.

Go old school. Get a phone. Write these notes down. If you’re going onsite or if you’re an attorney looking at a device, write down these keywords. Click on the button and understand the edits. And I think that will give you more information to help investigators help you.

John Wilson

And so, we do have a question from the audience. Todd, how do you determine when to advise for an onsite collection versus remote collection?

Todd Tabor

Well, the number of phones, the types of applications on the phones, and whether it’s iOS or it’s [Android], primarily.

Rene Novoa

I think there are just too many caveats with the different applications that are not being backed up in the ADB backup. Being able to collect from the cloud easier, I feel, with the Androids is going to be important.

So, again, great question. It’s making sure we understand the devices on scene and the time that it’s going to take. If you know that you have to get a full preservation and you have that conversation with the custodian, and they have Ring, they have this app, they have a walking app, they have a health app that records every heartbeat, every monitor, they’re going to have millions of files, you’re going to need two days of collections, you’re going to need that to run every night. You’re going to have to have a conference room, a hotel room, a business area where that phone can be locked up and left overnight because it’s not going to happen in a nine-to-five.

If we can target it even onsite and just target those messages with this technology, then you’re going to be done in several hours, you’ll be done a lot sooner, and you’re going to leave with just what you need, so that individual does not feel violated that you took their health data, you took their credit card information, whatever it may be. Just the insecurities that we all have when somebody else has our phone, regardless if we’ve done nothing wrong or stored any information.

John Wilson

All right, so parting thoughts, 30 seconds each. Rene, what do you want to convey in regard to iOS 16 and eDiscovery?

Rene Novoa

I think scoping it from the very front and understanding the case at large, the details are going to matter in the end. The eDiscovery term is garbage in, garbage out. And I think providing all the appropriate information, taking the time to make custodians comfortable to get that information may be necessary.

Todd Tabor

Phones change every day, mobile devices change every day, applications change every day, and they grow every day. So, you have to be willing to grow with them and understand them or find somebody that understands them.

John Wilson

Perfect. Well, thank you, guys. Any last comments?

So, in closing out here today, we really thank everyone for their time. If you’re interested, please reach out to us, we have a mobile triage checklist, and we’re happy to consult on a matter if you have a matter that you need assistance with.

On behalf of the entire team here, thank you for the information and the insight. We also thank everyone who took time out of their schedules to attend today’s webcast. We know your time is valuable, and appreciate your sharing it with us today.

We also hope you have the opportunity to attend our November monthly webcast currently scheduled for November 16th. This webcast will highlight and share eDiscovery insight for managing enterprise messaging data with a specific focus on Microsoft Teams and Slack. You can learn more about registering for this upcoming webcast and review our extensive library of on-demand webcasts on our website at haystackid.com.

Thank you, again, for attending, and have a great day. This concludes today’s webcast.

About HaystackID®

HaystackID is a specialized eDiscovery services firm that supports law firms and corporate legal departments through its HaystackID Discovery Intelligence, HaystackID Core, and HaystackID Global Advisory offerings. In addition to increased offerings, HaystackID has expanded with five investments since 2018. Repeatedly recognized as a trusted service provider by prestigious publishers such as Chambers, Gartner, IDC MarketScape, and The National Law Journal, HaystackID implements innovative cyber discovery services, enterprise solutions, and legal discovery offerings to leading companies across North America and Europe, all while providing best-in-class customer service and prioritizing security, privacy, and integrity. For more information about its suite of services, including programs and solutions for unique legal enterprise needs, please visit HaystackID.com.

Source: HaystackID