April 10, 2012

Collecting and Analyzing iPads: What You Need to Know

Cuyler Robinson – April 10, 2012

A corporate chief operating officer (COO) is on an evening flight, coming home after a long day of board meetings. She decides to get some work done. Instead of firing up a laptop, she slides out an iPad. For the next hour, bathed in a soft LED glow, she taps away, drafting memos and sending email.

Two days later, an attorney is dispatched to interview the COO. A legal hold notice is about to be issued. The attorney receives instructions to work with a forensic expert to obtain a copy of the data on the COO’s electronic devices. The attorney’s instructions state: “collect and preserve data on any device used to draft or transmit documents to prevent a claim for spoliation.”

During the interview, the attorney learns that the COO has a laptop, which is no big deal, and an iPad, which can turn a routine custodian interview into a challenging assignment.

Tablets Are the New Laptop
iPads may contain unique and potentially discovery-relevant business documents. They are lightweight and mobile, turn on fast, and provide a range of document-drafting options. Business travelers on a flight or employees headed to a meeting may prefer to grab their iPad and leave the company laptop behind for these reasons. If a company is one of the increasing number that has a BYOD (Bring Your Own Device) IT policy, it might not even know which employees have iPads.

Because of their potential for storing relevant documents and emails, iPads can end up in the crosshairs of document collections. Despite their sleek appearance and easy-to-use interface, however, an iPad is challenging to forensically preserve and analyze.

iPad Versions and Forensic Support
The tablet computer market is new, and the iPad is the most successful tablet computer of all time. The first iPad was sold in March 2010. The iPad 2 was released in April 2011, and the iPad 3 was released in March 2012. Apple and its shareholders enjoy the impact that an annual release pattern has on sales figures, but keeping up with each new device can be challenging for those tasked with collecting iPad data.

iPads are complex devices that differ from traditional desktop or laptop computers, which are easily disassembled for forensic preservation. Apple has secured the device in ways that complicate the forensic imaging process. The iPad itself is sealed shut, preventing access to its internal storage media. The only way to connect to the device without damaging it is via the proprietary cable supplied by Apple. Specialized software and carefully followed procedures must be used to forensically capture as much of the iPad’s data as possible.

Apple tends to build hype for new product releases by creating an aura of mystery and maintaining as much secrecy about those new releases as possible. Consumers, analysts, and vendors are kept in the dark about specifics on the new device or software updates. As the release date approaches, rumors will swirl, but few people actually have access to a prototype to examine and test, which only aggravates the forensic collection issue. Each new release brings new settings and features, and forensic software vendors must scramble to add support. Because of this, it’s a constant race to catch up, and the lag in support can span many months. The iPad 2, for example, has been out for nearly a year, and most forensic software vendors still do not support a complete physical (bit-for-bit) forensic capture of data from the device; only select data can be captured.

Also, because the iPad is a mobile device that could be lost in a cab, an airport, or a hotel, Apple engineers have appropriately secured the device to prevent unauthorized access. Further, as iPads are designed to store copyrighted music or video, Apple intentionally prevents wholesale copying of data in an unauthorized fashion. All of these security efforts, however, are at odds with a forensic expert’s goal of capturing all data stored on the device.

Passcodes and Backup Passcodes
The most common security setting is the iPad passcode, which unlocks the device. One should expect all iPads to have a passcode, especially if the iPad is used to connect to a company email system. The forensic expert will need the current passcode to image the iPad; therefore, if you believe iPads will need to be collected by your forensic consultant, request that all users also provide their passcodes.

What if you do not have the passcode? For the original iPad, a forensic examiner can still recover data, but the process is complex. The only way to unlock the current iPad, other than entering the passcode, is to reset the iPad to its original factory settings, and then restore documents from a backup if such a backup is available and was properly made using Apple’s iTunes software. It’s important to note that even with this process, you will never know exactly what was on the iPad before it was reset and restored. Therefore—without a doubt—it’s best to obtain the iPad’s current passcode, and if the passcode isn’t available, talk to an expert about alternative options.

There are other iPad settings that can inhibit the forensic capture of potentially relevant data. For example, an employee may be encouraged to back up his or her iPad data using Apple’s iTunes software. Because these backups may contain sensitive data, the company may require that all iPad backups be encrypted. When the encrypted backup setting is enabled on the iPad, it forces the employee to create a new backup password (different from the passcode). Current forensic software requires disabling the encrypted backup setting, which cannot be removed without the backup password. So, for some iPads, forensic experts may need both the passcode and the backup password before they can capture data stored on the device. Expect to jump through security hoops if you do not have access to the iPad’s passcode and the backup password.

Apps, Apps, and More Apps
iPad functionality is driven by the applications, or “apps,” that have been installed on it. There are a number of popular business and productivity apps for the iPad. These apps allow for document editing, note-taking, and email communications, and each one may store documents in a different manner. The installed apps must be evaluated to determine if they contain documents of interest. For instance, there are many different apps that can be used to view, edit, and create business documents, and the documents stored within these apps may need to be reviewed separately. Also, while certain entertainment-related apps—such as Amazon’s Kindle app or Netflix’s movie-streaming app—are easily identified and most likely free of documents of interest, there are hundreds of apps that could be installed that may store business data in some fashion. Be sure to talk with your forensic consultant about the types of data for which you’re looking so that they can examine the apps on the iPad and determine whether data of interest could have been generated by these applications.
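As an added illustration (not part of the original article and not any forensic vendor's tool), the sketch below shows how an examiner might triage an existing iTunes backup folder to learn whether the backup password will be needed and which apps to evaluate. It assumes the usual iTunes backup layout, in which Manifest.plist carries an IsEncrypted flag and an Applications dictionary and Info.plist carries "Installed Applications"; the sample backup, device name, and bundle identifiers are constructed for the example.

```python
import plistlib
import tempfile
from pathlib import Path


def read_plist(path):
    """Load an XML or binary property list."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def triage_backup(backup_dir):
    """Summarise one iTunes backup folder without modifying it."""
    backup_dir = Path(backup_dir)
    manifest_path = backup_dir / "Manifest.plist"
    if not manifest_path.is_file():
        raise FileNotFoundError(f"no Manifest.plist in {backup_dir}")
    manifest = read_plist(manifest_path)
    info_path = backup_dir / "Info.plist"
    info = read_plist(info_path) if info_path.is_file() else {}
    encrypted = bool(manifest.get("IsEncrypted", False))
    # App identifiers can appear in either file; merge and de-duplicate.
    apps = set(info.get("Installed Applications", []))
    apps |= set(manifest.get("Applications", {}))
    return {
        "device": info.get("Device Name", "unknown"),
        "model": info.get("Product Type", "unknown"),
        "encrypted": encrypted,
        "needs_backup_password": encrypted,  # request it from the custodian
        "apps": sorted(apps),                # candidates for per-app review
    }


def build_sample_backup(root, encrypted):
    """Write a constructed, minimal backup folder for demonstration."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    manifest = {"IsEncrypted": encrypted,
                "Applications": {"com.example.notes": {}}}
    info = {"Device Name": "Sample iPad", "Product Type": "iPad2,1",
            "Installed Applications": ["com.example.notes", "com.example.docs"]}
    with open(root / "Manifest.plist", "wb") as fh:
        plistlib.dump(manifest, fh, fmt=plistlib.FMT_BINARY)
    with open(root / "Info.plist", "wb") as fh:
        plistlib.dump(info, fh)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage_backup(build_sample_backup(tmp, encrypted=True)))
```

Run it against a working copy of the backup folder, never the preserved original.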

The “Magic” iCloud
The iCloud is a recent feature addition to the Apple line of products that also complicates the document-collection process. When enabled, the iCloud automatically synchronizes documents—including email, contacts, music, and photos—to all other linked Apple devices. To an iPad owner, the iCloud may seem like magic—an image that Apple has worked hard to create. It may not be clear to employees where this iCloud feature has transferred their documents.

In reality, the data is also stored on Apple’s servers “in the cloud,” which currently provides 5 GB of storage for free. If an employee uses this feature, then the number of devices that must be preserved may be multiplied. If additional data stores are a concern for your matter, you may want an expert to examine the iCloud settings to identify any other locations in play and assist with collecting those additional documents.

Recommendations for iPad Discovery

  • Compile a list of all devices that may contain relevant documents sooner rather than later. The middle of a litigation crisis is not the time to run around trying to find out who got an iPad for the holidays that is now being used to read and create business documents.
  • Speak with a forensic expert to understand the options available for capturing data from the various iPad models that may be encountered.
  • Be sure to obtain the employee’s iPad passcode and backup password, especially when an employee returns a company-issued iPad before leaving the company, as these are needed to image the device.
  • Understand that it may be necessary to review the individual apps installed on the iPad to evaluate whether an app contains relevant documents.
  • Be sure to check if iCloud is enabled on the iPad and seek assistance as needed to determine if documents have been synchronized to other Apple devices.

While we cannot cover every situation in this article—especially because the iPad and its apps are continually evolving—with some advanced planning in hand, your company will be on the way to meeting the challenges posed by the need to preserve and collect data from iPads.

Keywords: litigation, technology, iPad, e-discovery, forensics, passcode, tablet, iCloud
