best practices for addressing smartphones in civil...

© 2015 Litigation Services, LLC All rights reserved.

Best Practices For Addressing Smartphones in Civil Discovery &

Reasonable Attorney-Client Communication Security Measures

Larry Lieb, CCPA, Managing Director – HaystackID Ben Ross, VP – Litigation Services


2

Class Ground Rules

• Class content is for educational purposes only and does not constitute legal advice.

• Questions posed by and opinions offered by class participants are for the sole purpose of improving today’s class’s educational value and do not constitute legal advice.

• Please Participate with the Chat Feature!

• Start and End Codes to prove attendance

• Please mute your audio.


3

Larry Lieb, CCPA, OCE, CBE, LCE, FEXE

• EMAIL: llieb@haystackid / TEL: 312-613-4240

• Michigan P.I. License #3701206704

• Cellebrite Certified Physical Analyst (CCPA)

• Fluent in Japanese

• Worked in Electronic Discovery since 1998

• Qualified as a computer forensic expert in both Federal and State courts


4

Agenda

• Smart Phones as File Cabinets with Locked and Unlocked Drawers

• Mobile backups

• Categories of Recoverable Evidence

• Location Based Evidence

• Building Timelines

• Bring Your Own Application (“BYOA”)

• ESI Liaisons, ESI Protocols & The Evidence Map

• Agreed Order to Address Privacy Concerns

• Reasonable Attorney Client Communication Security Measures


Smartphones are Basically Big File Cabinets


6

6

Smartphones are basically big file cabinets

=


7

Smartphones Contain 10 Basic Cabinet Drawers

1. Contacts 2. Call Records 3. Voice Messages 4. Email and Text Messages 5. Documents 6. Calendar 7. Internet Browsing History 8. Songs, Photographs and Movies 9. WiFi History 10. Social Media (Facebook, Instagram et al)


8

By Default, Some Cabinet Drawers are Locked

Apple and Google sell their phones with inaccessible-to-the-end-user locked drawers as a security measure. Only Google or Apple own and have access to the keys that can unlock your phone’s locked drawers.

Some end-users choose to remove this security measure by “Jail Breaking” or “Rooting” their phones.

Jail Breaking/Rooting is the process of changing all of the locks and keys to your phone which will allow one to access all locked cabinet drawers.


9

Contents of the Locked Drawers

• Sensitive information such as passwords and credit card information.

• Some categories of deleted information.

• System files that support the normal usage of the smartphone.

“Jailbreaking” or “Rooting” a phone can allow a malicious application to access the content of these formerly locked drawers!


10

Some Deleted Evidence Can Be Recovered From The Unlocked Drawers

• iPhones store incoming and outgoing SMS text and iMessage messages in a file called SMS.db.

• The “SMS.db” file is stored in one of the iPhone’s “unlocked” drawers.

• When an end user “deletes” an iMessage, the

“deleted” message is not destroyed, but simply made invisible to the end user. Forensic tools can recover these deleted messages easily.


11

Practice Point

• Laptop and desktop computer hard drives do not come from the factory with locked and inaccessible to the end user drawers. This allows for forensic search and recovery of all possible deleted information.

• Smartphones come with inaccessible locked drawers

as security measures to protect the phone owners. • The amount of evidence, such as some deleted

information, that can be recovered with forensic tools is more limited with smartphones.


Three Locations From Which Smartphone Evidence Can Be Recovered: The Device Itself, Mobile Backups on Personal Computers and

Mobile Backups to The Cloud


13

A Complete Backup of Your iPhone in iTunes or iCloud

Mobile Backups of iDevices (iTunes & iCloud) iTunes file cabinet drawer locations on computers:

• Mac: ~/Library/Application Support/MobileSync/Backup/

• Windows XP: \Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\

• Windows Vista, Windows 7, and Windows 8: \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\


14

Examples of Evidence Stored in iTunes Backups

• Photos, Contacts, Calendar, Internet Browsing History, Notes, Call history, Messages (iMessage and carrier SMS or MMS pictures and videos), Voice memos, Network settings (saved Wi-Fi hotspots, VPN settings, and network preferences), Email account passwords, Wi-Fi passwords, and passwords you enter into websites and some apps, Map bookmarks, recent searches, and the current location displayed in Maps.

(http://support.apple.com/kb/ht4946)


15

Practice Point

Even if your client’s former employee took their personal iPhone and/or iPad with them when they left to work for a competitor, if the employee synchronized their personal iDevice with your client’s computer while working for your client, you have access to that iDevice; no subpoena required! Forensic software can recover deleted voice messages as well as deleted text messages from Mobile Backups.


Examples of Smartphone File Cabinet

Drawer Contents


17

17

Photograph Drawer Details


18

18

Call Records Drawer


19

19

Text Message Drawer


Location Based Evidence


21

21

Photos and Facebook Message Locations


22

22

Map Queries


23

Location Based Evidence War Story

Investigation of client’s former employee’s iPhone revealed multiple meetings at opponent’s headquarters in the months prior to former employee’s resignation.

Signing into a Wifi network creates a time/date/location stamp on a workstation


24

Location Based Evidence Practice Point

Forensic analysis of two apparently unrelated parties’ smartphones and laptop computers could reveal location based evidence that could establish a relationship does in fact exist.

Example: Party A’s smartphone connected to the Starbuck’s WiFi in Party B’s office building on dates both parties were at the same address.


Timelines & Chronological Photography Reports


26

26

Chronological Photography Reports

• In most construction projects, large numbers of photographs are taken of the job site in dispute.

• In construction delay claims, creation of a chronology of events such that analysis can be made as to how well a project did or did not adhere to a “critical path”

• War Story: A forensic tool easily segregated out all photographs from a large construction claim related discovery population of files provided by the plaintiff.

• The forensic tools then extracted out “EXIF” metadata from the Photographs such as the camera make, camera model, and most critically, the “Date (The Photograph Was) Originally Taken”


27

27

Chronological Photography Reports (Cont.)

• The EXIF metadata revealed:

o 27 different camera makes and models

o 3 different smartphone cameras were used to take some of the photos

o The Original Date each Photograph was Taken

• A Chronological Photography report is created by sorting all photographs from the oldest date taken to the newest date taken.

• The Chronological Photography report then revealed:

o The names of people who took the photographs and their roles in the project.

o A story unfolding in Chronological Order:

– C:\My Documents\Pictures\Original Job Site Before Groundbreaking\

– C:\My Documents\Pictures\Photos of The Leaking Sprinklers\

– C:\My Documents\Pictures\Photos of The Repair\


BYOA: Bring Your Own Applications


29

29

The Bring Your Own Application (BYOA) Phenomenon

• Many organizations allow employees to use their own smartphones for work purposes (BYOD).

• BYOD can presents difficulties when content on BYOD phones become subject to legal holds.

• BYOA represents a greater threat than BYOD as most employees will not disclose the use of a non-approved application.

• Some organizations prevent employees from installing non-corporate approved communication applications on company issued smartphones.


30

30

BYOA: Content is Primarily Stored as SQLite Database Files

• Skype chat messages, incoming and outgoing call records, and file transfers made by a Skype account is stored in a file called “main.db”: C:\Users\*Username*\AppData\Roaming\Skype\main.db

• Kik contacts, messages, and contacts:

• For iPhones: /root/var/mobile/Applications/com.kik.chat/Documents/kik.sqlite

• For Android: /data/data/kik.android/databases/kikdatabase.db

• Forensic tools can recover and provide SQLite content for easy review.


31

31

A Combined iPhone Mobile Backup & BYOA War Story

• Anonymous tip accused specific employee of viewing obscene materials at work on a company issued iPhone.

• From a backup of the company issued iPhone found within the iTunes folder of the company issued laptop, I was able to recover Kik (kik.com) messages included photos of a very private nature.

• The employee had installed the free Kik communication application himself

• Using my timeline and location tools, I found six instances of inappropriate pictures being sent during work hours on the company issued iPhone while on company property.

• Employee was reprimanded but not terminated.


Agreed Orders To Address Privacy Concerns


33

Moving to the Offensive: Elements of an Agreed Order

Leveraging evidence recovered from one’s own devices, a Judge may approve a targeted and reasonable search of one’s opponent’s devices. Here are elements to include in such an order:

• Specific devices and accounts to be imaged and examined

• Limiting date range and key word filters

• Privilege review process

• Key word responsive review and production process


ESI Liaisons, The Evidence Map and Litigation Holds


35

When Working With an ESI Liaison: Required Upfront Direction from the Legal Team

• Beginning and ending dates of the dispute

• The current complaint, answers and defenses.

• Legal tests and/or standards on which the case may be decided.

• Current list of named, known litigants or custodians of electronic evidence.


36

Categories to Identify, Place on Litigation Hold and Request from Other Parties

• Personal and work provided:

o Laptop, desktop and tablet computers

o Smartphones

o Loose media (flash drives, external USB hard drives, DVD)

o Social media accounts

o Cloud storage (iCloud, Google Drive, DropBox)

o Archive media (Tapes, hard drives, disks)

o Paper files

• Work provided:

o Personal or “home” directories on company file servers (My “J” drive)

o Departmental shared folders on company file servers (“Sales Department Folder”)


37

The “Evidence Map” Deliverable Contents

• A list of all physical sources of potentially relevant evidence that exist or existed during the relevant time period of the dispute.

• Designation of reasonably accessible sources of potentially relevant evidence

• Designation of sources of evidence that are inaccessible due to unreasonable costs

• Identification of sources of potentially relevant evidence that are literally no longer accessible

• Steps taken to affirmatively enact a litigation hold process


ESI Protocol


39

The ESI Protocol

• Typically takes the form of an agreement. Some courts have a Protocol Standing Order

• Entered as an “ESI Preservation Order” in Shipes v. Amurcon Corporation 2:10-cv-14943, Eastern District of Michigan, Southern Division.

• Each section is designed to minimize wasted expense in discovery and maximize dollars available for actual substantive legal work.

• Example = Language governing production of color photographs “JPG” files with EXIF metadata intact so that analysis such as the “Chronological Photography Report” can be conducted.


Reasonable Attorney-Client Communication Security Measures


41

Three Easy Ways to Spy on One Another

• Email Forwarding

o Accounts can easily be configured to auto-forward all emails sent and received to the opponent’s email account.

• Track my iPhone

o Setting up an iPhone to forward physical location tracking information to the opponent’s email account

• Spyware / Key Logging Software

o Tools such as “MSPY” once installed on a phone or computer, will send all key strokes to the opponent’s computer. A license of MSPY costs only $60.00/year.


42

Physical Access Questionnaire Identify compromised computer sources using the handout

“Physical Access Questionnaire”.

A. Time Period of Access

Determine the time period during which the other party or parties had access to your client’s accounts and/or devices.

B. Potentially Compromised Accounts and Devices

Help your client determine which accounts and devices he or she had during the time period the “unfriendly” party also had physical access.


43

Three Communication Privacy Preservation Measures

To cure potentially compromised accounts and/or devices:

• Preserve Attorney Client Email Privacy

From a computer or phone that the opponents have never had physical access to, create a new email account for use with attorney-client communication

• Clean Smartphones of Infection

Once appropriately preserved, performing a “factory reset” on iPhones and Android phones will remove all spyware.

Assume that one’s laptops and desktops contain key logging software and thus are unsafe for privileged communication.


44

Possible Scenarios For Your Own Practice

Shareholder Disputes, Dissolution of Partnerships and Cases Involving Family Owned Businesses

Oftentimes theses cases involve an “emotional” or “personal” element and perhaps could benefit from talk therapy as much as legal counsel. Certainly most cases involve prior physical access by now warring parties.

Please consider what other types of situations might benefit from a “Physical Access” analysis by you with your client early on so that your opponent cannot be privy to your privileged communications.


Techniques for Unmasking Blocked Caller IDs and Spoofed Calls


46

Techniques for Unmasking Blocked Caller IDs

• Trapcall.com

In U.S., toll free numbers are prohibited from blocking their caller ID.

After Trapcall.com application is installed on an iPhone or Android phone, Trapcall.com routes blocked caller ID calls to a Trapcall.com controlled 1-800 number, which is then forwarded to the Trapcall.com’s customer’s phone thus revealing the calling party’s true number.


47

Techniques for Unmasking Blocked Caller IDs –Cont.

• WhitePages.com Pro Service

Once TrapCall.com unmasks the true phone number, WhitePages.com Pro Service can provide:

Full name of owner(s)

Prepaid status: Indication of whether a mobile number is part of a prepaid service plan.

Carrier: The company providing service to the associated number, including carriers such as Bandwidth.com, Boost, Metro PCS and TracFone

Line type: Indicates whether the phone is a landline, mobile, fixed or non-fixed VoIP, premium, toll-free, or voicemail-only service.

Current Address: Includes the full address associated with this number.

Personal or commercial line: If phone number is associated to a business


48

Techniques for Unmasking Caller’s Identity

• SlyDial.com

SlyDial.com application allows for calls to be placed directly to a target’s voicemail, bypassing the target’s phone. The target’s recorded voice message may reveal the identity of the phone number owner: “This Michael Smith, please leave me a message”. Recorded voice message may reveal clues such as Metallica playing in the background indicating a white male in their 50s.


49

Techniques for Unmasking Spoofed Calls

• SpoofCard.com SpoofCard.com service allows for “spoofed” calling numbers. Spoofing masks the caller’s number by having a number other than the caller’s true number show up in the recipient’s caller ID. SpoofCard will respond to a subpoena specifying the Spoofed Phone Number and Approximate time called: https://www.spoofcard.com/legal# If suspect used a credit card number to engage SpoofCard.com service, SpoofCard will provide the identify if the credit card owner. SpoofCard.com and TrapCall.com are made by the same company TelTech SpoofTel.com is a SpoofCard.com competitor which allows for spoofed calls to be made directly from a desktop computer

https://www.spoofcard.com/legal


Civil Subpoena for Carrier Call and Text Message Records


51

Subpoena to Acquire Key Information About Respondent

Once a caller’s phone number and carrier are identified, a civil subpoena form and related “Generic Record Request Description” sheet, once responded to, will provide to the requesting attorney: • Any and all records of incoming and outgoing phone calls and text messages, including the IMEI, ESN, MEID and the IMSI numbers of all calls and text messages made and received, the contents of text messages, and call durations for the telephone numbers ###-###-#### and ###-###-#### from (DATE RANGE START) to the (DATE RANGE END). • Any and all records of any member accounts held fully or in part under the name RESPONDENT NAME or connected to the phone numbers ###-###-#### and/or ###-###-####, including but not limited to the purchase of new SIM cards, transferring of any numbers associated with the account to new devices, and/or attempts to remove numbers from the account from (DATE RANGE START) to the (DATE RANGE END).


52

Cell Phones Have Multiple Types of Unique Identifying Serial Numbers to Request

and Be Aware Of

IMEI Numbers: “International Mobile Equipment Identity” number which is a unique-to-individual-GSM network phones 15 digit number.

MEID Numbers: “Mobile Equipment Identifier” is 14 digits long and is unique-to-individual CDMA network phones.

ESN Numbers: “Electronic Serial Number” are unique numbers, which are slowly being phased out in favor of MEID numbers for CDMA network phones.


53

Cell Phones Have Multiple Types of Unique Identifying Serial Numbers to Request

and Be Aware Of -Cont

MSISDN: “Mobile Station International Subscriber Directory Number”, is a unique number used to identify a mobile phone number internationally.

IMSI: “International Mobile Subscriber Identity” is a unique number assigned to SIM cards.

ICCID: “Integrated Circuit Card Identifier” is unique number assigned to SIM cards and used to identify SIM cards internationally.


54

A War Story Involving IMEI and IMSI Numbers

3rd party in a Domestic Violence case received text messages stating “Let’s kill John Jones” and appearing to have been sent by Tom Smith, but Tom Smith did not send the threatening text messages.

Tom Smith had recently ended a relationship with Frank Williams. However, Frank Williams still had ownership of Tom Smith’s old phone number. A subpoena to Frank William’s carrier revealed that Frank Williams’ was placing calls and texts on the same day from one single phone but using two different SIM cards. The subpoena response allowed us to connect the unique IMEI number of Frank’s single phone to the two different SIM cards and their related unique IMSI numbers.

Attorney was able to deduce that Frank Williams was in possession of a sim card to which he had ported Tom Smith’s phone number, and was using that phone number to make calls and the threatening text messages from Frank Williams’ phone. The 3rd party recipient thought the threatening text messages were coming from Tom Smith, but were in fact coming from Frank Williams’ phone using the SIM card Frank Smith ported Tom Smith’s legacy number to.


Conclusion


56

Litigation Services

• Internal investigations

• Forensic collection, analysis, reporting and testimony

• Electronic discovery hosted review services

• Managed review

• International court reporting

• Trial support experts


57

Ben Ross, VP

[email protected]

702-358-6977

Larry Lieb, CCPA, OCE, CBE

[email protected]

312-613-4240

Thank You