Mobile Phone Forensics: The 360-Degree Management Approach


Photo courtesy of Spline Splinson.

by Michael D. Sarlo, EnCE, RCA, CBE, CCLO, CCPA

There is no denying that mobile phone collections and forensics are becoming more common centerpieces of modern litigation. There is also no denying that many corporations, in-house legal departments, and law firms are simply not prepared for the eDiscovery implications of this trend.

With eDiscovery costs rising across the board and the complexity of mobile collections and forensics intensifying, the time is now to get a better handle on these matters. We can break proper management down into three categories based upon the types of actions that will need to be taken:

  • Routine, proactive, everyday management.
  • Measures taken when collection and forensics become necessary.
  • Steps taken when devices are being decommissioned (think exiting employee).

If you can master governance and management in these three categories, you will be far more likely to enjoy optimal responsiveness to collection demands, keep forensics costs down, and minimize the full spectrum of risk that accompany mobile phones in general.


Photo courtesy of Faramarz Hashemi.

Everyday governance

Intelligent information and device governance practices are the vital first piece of the mobile phone collections and forensics puzzle. A sound combination of exhaustive policies with proven management solutions is what all businesses and law firms should be looking to achieve.

Here is a breakdown of the key elements involved:

  • Mobile Device Management software: This is the technology that gives your IT teams and managers teeth in the fight against mobile phone misuse. Every single business and law firm should already be using MDM, but this is not the case. Without these solutions in place, the chances of experiencing a mobile phone forensics nightmare are going to be inherently higher.
  • User policies: All employees must be aware of and compliant with corporate policies related to their mobile phone utilization. These policies should cover both BYOD and COPE phones, while clearly communicating expectations and ensuring staff members know how to use their phones in the context of general IT. For example, which apps are employees allowed to use on their business phones? On that note, make sure you restrict any and all apps that your MDM solution cannot manage.
  • Archival considerations: You will need strong archiving-related device policies powered through the MDM solution, while also having the ability to restrict phones to typical communication protocols that can be captured through enterprise archive solutions. These policies and solutions must also give you the ability to capture at either the point of carrier or through the MDM that is backing up the data. Finally, make sure you can either wipe a lost device remotely, or remotely inhibit a rogue wipe when necessary.

Other information governance best practices will also come into play when it comes to everyday risk mitigation for mobile phone collections and forensics, but the above will cover the pure mobility angles involved.


Photo courtesy of Kyle Geib.

Forensics: The nitty gritty

When the corporation or law firm requires mobile phone collections and forensics, the techniques, tools, and practices used to complete projects will play a key role in litigation outcomes. I have to argue that mobile phone forensics are best left to the professionals, as the technical and legal implications of these highly sensitive activities are often outside of the average attorney’s wheelhouse.

Mobile phone forensics might actually be the most exciting – and risk-laden – battleground in the scope of digital litigation, and it is only going to get more complex in the coming years given device diversity and continued exponential growth of data.

Already, forensics techniques vary widely between different operating systems, such as iOS, Android, and Windows Phone. At the same time, because mobile device makers are truly beginning to position the security features of their devices as the greatest selling point, collections and forensics are getting more difficult on a daily basis.

For this reason, you will need to have a strong working relationship with the right vendor – which would be defined by immense experience in mobile phone forensics projects and the ability to work within any type of operating system.

On the forensics technology side of the coin, the vendor should be completely neutral, boasting a familiarity with many different technologies and offering proprietary tools when there is a need to be filled that cannot be remedied by existing solutions on the marketplace. These characteristics generally prove two exceedingly important qualities: (1) A thorough understanding of popular mobile phone forensics tools and techniques, and (2) An innovation-minded edge.

Now, if you would like to get a better idea of some of the more technical aspects of mobile phone forensics today, and see how complex they truly are, check out the National Institute of Standards and Technology’s Guidelines on Mobile Device Forensics. At the very least, this guide can help to inform your policies related to mobile phone governance, collections, and forensics.


Photo courtesy of Rafael Castillo.

Decommissioning considerations

It almost seems like every major, nationally televised lawsuit in the past few years has had at least one instance of a party destroying a mobile phone. Now, while those cases have not always been broken by the device’s destruction – potentially because the examiners involved did not know how to properly recover data – this is not the type of decommissioning to which I am referring. Do not destroy your corporate devices in hopes of covering anything up – it’s just not going to work.

Instead, you should implement a policy that comprehensively covers any and all device decommissioning activities in accordance with various scenarios.

Here are a few examples:

  • Departing employee: Review activity on devices spanning back at least 30 days prior to the employee’s departure. Be particularly meticulous when seeking and identifying downloads, file transfers, and other data transport-related actions. Any data that could be relevant down the road should be archived. Before wiping the device, you will also want to ensure that forensic images are taken to preserve the chain of custody.
  • Pure decommissioning: Let’s say you are ready to get rid of a device to upgrade to the newest model. In these situations, the same types of forensic procedures should be taken similar to the departing employee example, but the wipe needs to be extremely thorough, decisive, and properly recorded. The last thing you want is a device containing sensitive information ending up in the wrong hands.
  • Destruction: In the rare case that you need to completely destroy a device, make sure that your policies align with ethical and legal standards, while also actually getting the job done. Remember, data on a device that is burnt, drowned, or smashed can still be recovered by exceptionally savvy forensics professionals.

All of these procedures and more will necessitate the involvement of experienced forensics professionals. As such, when building relevant policies, law firms and corporate legal departments might find a wealth of value in working with a professional service provider.

Take mobile phone forensics – and your responsibilities in these matters – as seriously as possible, utilizing a 360-degree approach to management, and you will mitigate a tremendous amount of risk today and in the future.

Michael D. Sarlo is HAYSTACKID’s Vice President of eDiscovery & Digital Forensics

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: