10 lectures. Mo 3 pm Mon 3 pm Tue 3 pm Wed 3 pm ( 2 x 45 ) Wed 3 pm ( 2 x 45) Thu 3 pm Fri 3 pm.
3:00 PM - 3:45 PM...Thursday, May 21 Litigation Track 3:00 PM - 3:45 PM Forensic Discovery/Extrac on...
Transcript of 3:00 PM - 3:45 PM...Thursday, May 21 Litigation Track 3:00 PM - 3:45 PM Forensic Discovery/Extrac on...
Thursday, May 21 Litigation Track
3:00 PM - 3:45 PM
Forensic Discovery/Extrac on of Data from Electronic Devices and Effec ve Use in Trial
Presented by
Kendra Simmons Fredrikson & Byron, P.A.
505 E. Grand Ave, Suite 200 Des Moines, IA 50309
Christine Chalstrom President and CEO
Shepherd Data Services 650 Third Avenue South, Suite 460
Minneapolis, MN 55402
5/19/2020
Copyright 2020 Shepherd Data Services 1
What’s on that Device?Why Attorneys Should Care?
Forensic Discovery of Evidence
Kendra Simmons, Fredrikson & ByronChris Chalstrom, Shepherd Data Services
May 21, 2020
Copyright © 2020 Shepherd Data ServicesNo part of this presentation may be used without the express written consent of
Shepherd Data Services
Technology & Law
Our technological powers increase, but the side effects and potential hazards also escalate.
Alvin Toffler, Futurist, Journalist, Writer
Technology is outpacing the law.
Barry Steinhardt, Retired Director ACLU’s Program on Technology and Liberty
Technology ... is a queer thing. It brings you great gifts with one hand, and it stabs you in the back with the other.
Carrie Snow, Stand‐up Comedian
1
2
3
5/19/2020
Copyright 2020 Shepherd Data Services 2
Why a Forensic Expert
Data Collection Assessment (Who, What, Where & How)
Device Data in Discovery & Trial
Why a Forensics Expert?Rule 1.1“A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation.”
Comment 8Includes duty to stay “abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”
Why a Forensics Expert?
4
5
6
5/19/2020
Copyright 2020 Shepherd Data Services 3
Why a Forensics Expert?
• Collect, preserve and manage evidence for discovery from clients and opposing parties
• Investigate potential wrongdoing
• Scope ‐ discovery and/or trial
• Ability to testify (in deposition or potentially at trial) regarding collection, production, and/or deletion
Why a Forensic Expert
Data Collection Assessment (Who, What, Where & How)
Device Data in Discovery & Trial
Discovery (Who, What, Where)
7
8
9
5/19/2020
Copyright 2020 Shepherd Data Services 4
Discovery (Who, What, Where)
• Identify volume, importance, and form of ESI as early as possible—on both sides
– Emails, text messages, electronic documents
– Volume compared to other discovery
– What could ESI establish that other discovery cannot?
– What is the risk of deletion by custodians?
• Both sides/all parties
Discovery (Who, What, Where)
• Prioritize• Plan order of discovery• Consider cost‐sharing proposal
with opponent• Seek through various types of
requests– Traditional written requests– Request for inspection
• Depositions to learn and authenticate
• When you’re the recipient of such request(s)
Why a Forensic Expert
Data Collection Assessment (Who, What, Where & How)
Device Data in Discovery & Trial
10
11
12
5/19/2020
Copyright 2020 Shepherd Data Services 5
Why a Forensic Expert
Data Collection Assessment (Who, What, Where & How)
Device Data in Discovery & Trial
Forensic Collection Options
• Manual – Examiner manually operates keypad and handset to document data.
• Logical ‐ Examiner connects a data cable to the device and acquisition platform and extracts active information on the device. Logical acquisition creates a copy of the file system, saving all folder/file structure. Some files may be “locked” and so cannot be copied.
• File System – Examiner connects a data cable to the device and acquisition platform and extracts a portion of the file system.
• Physical (Non‐Invasive) – Examiner connects a data cable to the device and acquisition platform to provide physical acquisition of a device’s data without requiring opening the case of the device. The software will inject a custom boot loader into the device’s RAM and interact with the startup process to prevent the operating system from launching. Physical acquisition creates a bit‐by‐bit images of the partition, including unallocated space.
• Physical (JTAG) – Examiner connects acquisition device to Standard Test Access Port (TAPs) and instructs the processor to transfer raw data stored on connected memory chips.
Computers – PCs
• User Files – Active
• User Files – Deleted
• USB History
• Jump Lists
• LNK Files
• Shellbags
• Prefetch Files
• Web History
13
14
15
5/19/2020
Copyright 2020 Shepherd Data Services 6
Mobile Devices
By Smartmo ‐ Own work, CC BY‐SA 3.0, https://commons.wikimedia.org/w/index.php?curid=22720596
Mobile Devices
iPhone Forensic Collection Options
• For the A5 chipset or later (iPhone 4s), only logical or file system extraction available. The decoding of this chip has not been developed yet.
• iOS version may limit extraction• Assumes examiner has passcode
https://cellephones.cellebrite.com/client/#itemPage
16
17
18
5/19/2020
Copyright 2020 Shepherd Data Services 7
iPhone Forensic Collection Options
iPhone Forensic Collection Options
https://www.cellebrite.com/en/unlock‐sales‐inquiry/https://www.cyberscoop.com/cellebrite‐iphone‐6‐ufed‐samsung‐galaxy‐facebook‐messenger‐snapchat/
19
20
21
5/19/2020
Copyright 2020 Shepherd Data Services 8
Partitions, Basic Folder Structure and Key Files
• Two disk partitions: system and user• File System based upon UNIX file
system• Uses a directory structure• Property Lists (Plists)
store, organize and access various data types
XML format or binary Data types include strings,
numbers, binary data, dates, and Boolean values
• SQLite database files Structured relational data storage Compact, high‐quality and open
source
Plists Define Look of iPhone
The Library Folder
AddressBook, Calendar, Call History, Notes, SMS, and Voicemail data are all stored in a SQLite database.
22
23
24
5/19/2020
Copyright 2020 Shepherd Data Services 9
The Address Book in SQLite
Parsed View of Contact
Parsed View of Conversations
25
26
27
5/19/2020
Copyright 2020 Shepherd Data Services 10
Looking for Deleted Data in SQLite
User Dictionary/Keyboard
If a user manually types a word into the iPhone, the device generates a dynamic dictionary file that stores words unique to that user. Includes information from text message, email, note, etc.
Location: var/mobile/library/keyword/
dynamic‐text.dat
Media Folder
28
29
30
5/19/2020
Copyright 2020 Shepherd Data Services 11
Photos Taken by Device
Photos taken from the device itself. All photos are incremented by 1.
Number is not reused.
Using EXIF InformationExchangeable Image File Format
31
32
33
5/19/2020
Copyright 2020 Shepherd Data Services 12
Apps and More AppsMuch more data in a large variety of applications
http://ipod.about.com/od/iphonesoftwareterms/qt/apps‐in‐app‐store.htm
34
35
36
5/19/2020
Copyright 2020 Shepherd Data Services 13
https://en.wikipedia.org/wiki/Android_version_historyhttps://www.quora.com/Why-did-Android-Q-become-Android-10
https://trickkas.com/android-10-release-date-features/
37
38
39
5/19/2020
Copyright 2020 Shepherd Data Services 14
“Google says we exert more control than they do, that we are closed and they are open. . . . Well, look the results – Android’s
a mess. It has different screen sizes and versions, over a hundred permutations. . . . I like being responsible for the whole
user experience. We do it not to make money. We do it because we want to make great products,
not crap like Android.”
Steve Jobs, Walter Isaacson, p. 514
���������� ����������������������
40
41
42
5/19/2020
Copyright 2020 Shepherd Data Services 15
SIM Card
SD Card
Battery
External Card – Apps Can Store AnywhereInternal on the Device – Android APIs Control
Common Subdirectories• lib – custom library files an application needs• files – files the developer saves to internal
storage• cache – application cache• databases – SQL Lite• shared_prefs – saved values that power the
application
43
44
45
5/19/2020
Copyright 2020 Shepherd Data Services 16
46
47
48
5/19/2020
Copyright 2020 Shepherd Data Services 17
/boot/cache/data/misc/recovery/system
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxx
49
50
51
5/19/2020
Copyright 2020 Shepherd Data Services 18
xxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxx
xxxxxxxxxxxxx
xxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxx
[email protected]@dfood.com+17631234567
52
53
54
5/19/2020
Copyright 2020 Shepherd Data Services 19
xxxxxxxxxxxxxxxxxxxx
55
56
57
5/19/2020
Copyright 2020 Shepherd Data Services 20
Voice 001.m4a Voice 002.m4a
58
59
60
5/19/2020
Copyright 2020 Shepherd Data Services 21
._speech_nav_20.wav
._speech_nav_19.wav
._speech_nav_18.wav
._speech_nav_17.wav
._speech_nav_16.wav
._speech_nav_15.wav
._speech_nav_14.wav
._speech_nav_13.wav
._speech_nav_12.wav
._speech_nav_11.wav
._speech_nav_10.wav
._speech_nav_9.wav
._speech_nav_8.wav
._speech_nav_7.wav
._speech_nav_6.wav
._speech_nav_5.wav
._speech_nav_4.wav
._speech_nav_3.wav
._speech_nav_2.wav
._speech_nav_1.wav
The Cloud
61
62
63
5/19/2020
Copyright 2020 Shepherd Data Services 22
Why a Forensic Expert
Data Collection Assessment (Who, What, Where & How)
Device Data in Discovery & Trial
GuidesBOLCH JUDICIAL INSTITUTE, DUKE
LAW SCHOOL:Revised Guidelines and Suggested Practices for Implementing the 2015 Discovery Amendments to Achieve
Proportionality(Second Edition)
Six Factors to ConsiderImportance of Issues at Stake
Amount in ControversyRelative Access to Information
Parties’ ResourcesImportance of Discovery
Whether the Burden or Expense Outweighs Its Likely Benefit
https://judicialstudies.duke.edu/wp‐content/uploads/2018/11/Annotated‐Proportionality‐Guidelines‐and‐Best‐Practices‐2nd‐edition.pdf
The Sedona Conference Principles, Third Edition:Best Practices, Recommendations & Principles for
Addressing Electronic Document Production
19 Sedona Conf. J. 1 (2018)https://thesedonaconference.org/publication/The%20Sedona
%20Principles
Guides
“Costs and risks may increase if the technology makes it more difficult to preserve or collect relevant ESI for litigation. For example, mobile devices that are not synchronized with the organization’s servers may require physical collection of the mobile device to meet preservation or discovery obligations if there is unique, relevant ESI on the devicethat the IT or legal group cannot collect from the organization’s servers. This may be even more of a problem for texts, which can “roll off” the phone as memory is used up. Review cost for texts can also be exponentially higher because the texts are more difficult to sort by subject or author, and because of the shorthand that is frequently used in text messages. Notwithstanding the presence of such ESI on the device, it may not be necessary to image the device if the costs, burdens, and other issues associated with imaging the device outweigh the benefits of retrieving unique, relevant ESI from the device. Indeed, wholesale text message retention is regularly disproportionate for both sides of the litigation, e.g., in a wage and hour class action where employees use text messaging on their personal devices for work.” Contained within Comment 1.b., p. 63
64
65
66
5/19/2020
Copyright 2020 Shepherd Data Services 23
Wheels of Justice Turn Slowly
Asset Funding Group L.L.C. v. Adams & Reese, L.L.P., 2008 U.S. Dist. LEXIS 30348 (E.D. La. 2008)
https://mrf.co.za/a‐prince‐by‐any‐other‐name/
Wiped and Discarded iPhones Show Intent to DeprivePaisley Park Enterprises, Inc. v. Boxill, 330 F.R.D. 226 (D. Minn. 2019)
Defendant failed to stop auto‐delete and then wiped and discarded iPhones. Using a Rule 37 analysis, Court granted monetary sanctions but deferred on adverse
inference sanctions.
Rule 37 Case Law
Reports & Online
67
68
69
5/19/2020
Copyright 2020 Shepherd Data Services 24
70
71
72
5/19/2020
Copyright 2020 Shepherd Data Services 25
73
74
75
5/19/2020
Copyright 2020 Shepherd Data Services 26
Trial
Proposed exhibits
Consider and address authentication
Envision how ESI will aid in presenting of evidence and telling of your story
Consider most effective method of presentation
Trial
Testimony by forensic expert
– Collection
– Investigation and findings
Presentation as a witness and ability to explain to judge and jury
Why a Forensic Expert
Data Collection Assessment (Who, What, Where & How)
Device Data in Discovery & Trial
76
77
78
5/19/2020
Copyright 2020 Shepherd Data Services 27
“Right, my phone. When these things first appeared, they were so cool.
Only when it was too late did people realize they are as cool as electronic tags on remand prisoners.”
David Mitchell, Ghostwritten
Questions?
Kendra [email protected]
515‐242‐8919
Chris [email protected]
612‐659‐1234
Copyright © 2020 Shepherd Data Services, Inc.No part of this presentation may be used without the express written consent of
Shepherd Data Services
79
80