Collecting Data from Mobile Devices

What is so different about the iPad or other tablet?

When the first iPod entered the market in 2001, few could envision the impact that this “media player” would have on the business world. Soon the iPod gave way to the iPhone and then the iPad and numerous other devices used in mobile environments with built-in, always-on networking.

Before this mobile work mentality took hold, data were largely created on the hard drives of Windows or Macintosh personal computers (PCs) and stored in Microsoft Outlook files and Exchange servers, or on network shares. Most desktops and laptops were not carried around by their users and connected at all times to the Internet. So when data needed to be collected, it was relatively easy to do so through basic imaging techniques, by forensically moving or copying the data to convenient portable media or by working with an information technology resource to harvest the data from the “computer room” servers.

With tablets and smart phones, we cannot easily crack the cover, as we would on a user’s PC, and have all of the data. We must instead consider how the device was used and develop a clear plan for how to collect and process the data on it. That is because a smart device is not just a replacement for a PC or laptop. Rather, such devices have a whole host of other capabilities, including Global Position System (GPS), 3G/4G wireless, cameras, and voice recording capabilities. Indeed, applications may be running on an iPad at all hours of the day and may be tracking location data or other application usage. And a user may be storing all of his or her business documents in an online repository, in a corporate system, or elsewhere in the cloud.

With all of these enhancements come obstacles. Proprietary cables, the difficulty or even impossibility of connecting a hard drive to an iPad/iPod/iPhone, and the fact that data may be remotely stored or synchronized are just a few reasons some collection vendors cannot deliver results in the same time frame or for the same cost as for traditional collection from a desktop or laptop computer.

What does all of this have to do with my client’s iPad and the data that I need to collect in discovery?

First, the largest iPad currently has only 64 gigabytes of storage, and because the amount of data that people generate and work with today is much more than that, significant amounts of data are likely to be somewhere in the “cloud.”

Second, more and more companies are either deploying iPads or supporting them for business use. In fact, an increasing number of companies are considering or have already implemented “bring your own device” policies allowing personally owned tablet devices to be used in the workplace, thereby increasing the likelihood of finding both personal and business data on the same device. This highlights the importance of considering the types of data available and the methods for preserving, collecting, reviewing, and producing the data. Should you image, how should you have it done, by whom, and what happens after imaging?

Sometimes, in a case where preservation is the only issue, physically replacing the device and preserving the original device and data that it contains may seem the least expensive option. However, you still need to know where any data outside the device may be and what other devices may affect the data. For example, a user with an iPhone, iPad, and a MacBook may have all of these devices synchronized in the cloud, and data such as email could be changed on one device by actions taken on another.

But if the data that we are interested in do not reside on the device, then we may be wasting valuable time and money. On the other hand, if we are collecting electronically stored information from both an iPad and its user’s computer, and the user was using iTunes to back up, we may be collecting the same data multiple times, at additional cost.

And if a company has implemented a strategic “bring your own device” policy, iPads, iPhones, or other smart devices may have deployed an insulating application, such as Good Technologies, which limits company data on the mobile device and may even negate the need for mobile device collection in certain instances.

If we do not consider each of the above items, then we may be left with data that we are unable to review readily, that a hosting vendor cannot process, or that just did not need to be collected.

What types of data are on a typical iPad/iPhone?

A smart device can contain many types of files, including files that are often found on PCs or laptop computers (e.g., typical business documents and attachments) as well as files that are not often found on the typical business computer (e.g., pictures, synced photos, video files). It might also contain communications files (which may be stored as mini-databases or specially structured text files), including an address book, call history, saved and favorite phone numbers, voicemails, text messages, notes, voice memos, and recent email.

Often, useful information can be found in browser data stored as mini-databases or specially structured text files, including bookmarks, browsing history, recent searches, thumbnails, and cookies. Similarly, a smart device can contain items that have GPS data attached, including photos (which also have a treasure trove of data beyond the location of the photo, including shutter speed, flash usage, camera model and serial number, digital picture sequence number, date, and time); maps (including map history, previous directions, last position, and information about applications that can use the map data); third-party navigation applications (such as TomTom or Magellan); and a history of WiFi and cellular locations recognized by the device.

So what should I be thinking about?

The nature of litigation should drive the decision. In a commercial litigation case, you may not be interested in all of the data that an iPad can yield, and you may be able to limit the search to typical business communications and documents. On the other hand, in a criminal, family/domestic investigation, or intellectual property case, you may want to leverage what the iPad or iPhone can tell you that few other resources could.

If you are interested in communications and documents, ask several basic questions:

• Is the device personal or company owned?
• Are any technologies used to manage the business use of the device and back up or isolate business data from the general device storage?
• If the answer is yes, then collection from the device may not be necessary.
• Is a pass code or encryption password used on the device or in iTunes backup?
• Is the device currently locked from too many unsuccessful attempts to unlock it?
• Data can be collected from locked devices; however, this adds complexity and cost to the collections effort while reducing some collectable information.
• What application is used for sending and receiving email?
• If all email is browser based, such as Gmail, MSN, AOL, or Verizon, then there may not be any complete email content available to collect.
• If the iPad or iPhone uses the built-in email application, then collection may need to include either a physical collection or collection from the iCloud service.
• Are documents stored locally, hosted on a company SharePoint-type site or document management system, or are they stored in iCloud/Google Docs?
• Are instant messages, Skype calls, Google chat, or other non-email communications potentially relevant?

In a case involving deeper investigations, the iPad/iPhone, Android tablets, and smart phones can inform us of past behaviors by the user and provide geo-location, time stamp, and network information all in one device.

In all cases, you will need to know whether the device is using any pass codes (the device password) or a backup (encryption) password, and whether the device has been “jailbroken,” which allows users to bypass manufacturer-imposed software limitations. This may affect the types of software or hardware tools available for use, as well as the areas of the device that will be accessible. This information also reduces the time, effort, and costs required by a vendor doing collections. You may also need to have the primary user’s AppleID and password to access iCloud or certain application data. You should always document the device model, memory size, and iOS (operating system) version number. Last, you should confirm whether there are any other synchronized devices that could affect the state of the data on the device and turn off any wireless or cellular connections to maintain the integrity of the device.

How are the data collected?

Collections can be performed in several different manners, both logical and physical.

A logical acquisition involves making a copy of the files using software that preserves the integrity of the files but not the attributes of the physical device. The most common tool for making a logical image of an iPad or iPhone is iTunes backup.

A physical collection is actually a forensic copy of the physical state of the storage memory of the device and requires more advanced software than just iTunes, not only to make the image but also to review it and extract individual data from it. A physical collection is required to capture emails, clipboard data, and certain application information such as snapshots.

Collecting data from mobile devices is much more complex than from stand-alone or networked desktop computers. Nevertheless, once you understand the basic concepts, making sure you have captured all the information you need no longer seems as daunting.