5 Things You Should Know About Remote Mobile Device Collections
The skyrocketing demand for litigation-related remote cell phone collections (or remote mobile device collections) is easy to understand when considering the explosion in remote work since 2020 and even before. More and more data (evidence) lives on smartphones, tablets, and other mobile devices in addition to—or instead of—the traditional desktop or laptop setups of yore.
While the reason for the demand may be obvious, details of the remote cell phone collection process itself are less so—how long, how much, how targeted? We sat down with our Digital Forensics expert Wes Johnson and asked him to give us the skinny.
1. What is a remote cell phone collection?
A remote cell phone collection involves preserving the data on a device remotely—that is, without being in the same physical location as the device. To be clear, what gets preserved is the data on the device. This is not the same as a full forensic image of the device itself which houses that data. Beware of the terms “mirror a device” or “image a device”; while you may hear some people use those terms, there is a difference between a full forensic image and a more focused data preservation of the data on that mobile device.
2. Who needs a remote cell phone collection and why?
Most of the time, attorneys and corporate legal departments request mobile device data collections to preserve user-created data residing on the device that may be relevant to a given legal, regulatory or investigatory matter. It used to be that this data got largely ignored by parties on both sides of a dispute because the data on the devices was either duplicative or not considered relevant. However, in today’s mobile-first world, and with younger workers doing much more of their work only on mobile devices, those devices are much more often a primary focus of data identification, preservation and collection efforts.
As to why, it’s largely a convenience consideration. Remote mobile device collections do not require in-person meetings or direct physical contact by the forensic technician with the device itself. This modern data collection method vastly reduces the time and inconvenience factors of traditional mobile device collections.
3. What data sources can be gathered with remote cell phone collections?
The most common sources of potential evidence stored on mobile devices are text and chat messages, call logs, and voicemails. More in-depth investigations might include collection of internet search data, geolocation data, cell phone tower location logs, car or home security camera data, or even biometric data. There are millions of mobile device apps, some of which replicate data found on traditional resources (like M365), while others store data on the device itself. Given the fast pace of the mobile device industry, every case requires a custom approach tailored to the legal issues at hand and the types of apps and data on each custodian’s device.
4. How long does it take to do a remote mobile device collection?
The answer to this varies greatly depending on whether we’re collecting an Apple device or an Android one. Apple mobile devices (most commonly iPad and iPhone collections) operate the same way across the board, so the collection process is essentially the same every time. It begins with a full backup of the entire device using Apple’s own program, iTunes. Apple controls the hardware, software, backup tool, and the speed at which those operate. A typical remote iPhone collection takes about 1-2 hours.
PRO TIP: Don’t try to use iTunes backups on your own if you’re trying to preserve data for legal or regulatory purposes. While the process seems straightforward, to avoid missing important data types, it’s important to get a little expert advice on how to do the backup properly.
Android mobile device collection is a different beast. Each Android hardware manufacturer (LG, Google, Samsung, etc.) creates their own customized version of the Android operating system. Depending on the device’s OS version, forensic technicians may or may not be able to extract information from it. The process starts with researching and recording the make, model, and Android OS version installed. A list of the apps installed helps to identify what data can and needs to be extracted and preserved. Because Android has so many different OS versions, including different storage methods, the remote Android collection process is usually much more complicated and time-consuming than an iPhone collection. Device settings often must be changed to enable data collection, which is best done by someone with technical expertise to ensure the proper adjustments are made. As for timing, collecting an Android phone with thousands of pictures and videos could easily take 6 hours or more.
5. Can you extract specific data, such as text messages only?
Understandably, many mobile device owners express concern about handing over their private, personal information and activities. We often get asked whether we can collect only specific data rather than sweeping up the whole device.
Here again, the answer depends on the device type.
Apple devices require a full backup (using iTunes) of all user data before any specific data can be targeted and surgically extracted. Once that encrypted iTunes backup exists on a local computer, we then transfer that data remotely and securely (or copy it to an external hard drive). Once we have the data in our forensic labs, we use a variety of purpose-built, forensically sound and defensible tools and methods to extract the needed data.
It is nothing new, to the process or to the professionals who run it, that personal, private, sensitive data will likely be swept up in any given data collection. That said, the tools we use to extract necessary data can target specific and required data, such as text or chat messages by phone number or person, data within a certain date range, data only from certain apps, etc. In other words, professional and reputable companies and technicians won’t just go rummaging through everything collected from mobile devices, unless it is a broad scope investigation. Typically, we’d focus on certain data and leave the rest encrypted and untouched.
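As an added illustration (not part of the original article and not the firm's own tooling), the Python below checks that an iTunes backup folder's Manifest.plist marks the backup as encrypted, then records a SHA-256 hash for every file so the lab can confirm after transfer that nothing is missing, added or altered. The function names and the sample backup folder are constructed for this example.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path

def hash_tree(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as fh:
                for block in iter(lambda: fh.read(1 << 20), b""):
                    h.update(block)
            out[p.relative_to(root).as_posix()] = h.hexdigest()
    return out

def preflight(backup_dir: Path) -> dict:
    """Refuse an unencrypted backup; otherwise return the custody record."""
    manifest = backup_dir / "Manifest.plist"
    if not manifest.is_file():
        raise FileNotFoundError("Manifest.plist missing: incomplete backup")
    with manifest.open("rb") as fh:
        meta = plistlib.load(fh)  # reads XML and binary plists alike
    if not meta.get("IsEncrypted", False):
        raise ValueError("backup is not encrypted; do not transfer it")
    return {"encrypted": True, "sha256": hash_tree(backup_dir)}

def verify(backup_dir: Path, record: dict) -> list:
    """List files missing, added or altered since the record was made."""
    now, then = hash_tree(backup_dir), record["sha256"]
    return sorted(k for k in then.keys() | now.keys() if then.get(k) != now.get(k))

def build_sample_backup(root: Path, encrypted: bool = True) -> Path:
    """Constructed stand-in for a backup folder (not real device data)."""
    (root / "ab").mkdir(parents=True, exist_ok=True)
    (root / "ab" / "ab12cd").write_bytes(b"constructed ciphertext")
    with (root / "Manifest.plist").open("wb") as fh:
        plistlib.dump({"IsEncrypted": encrypted}, fh)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        record = preflight(build_sample_backup(Path(tmp)))  # before transfer
        (Path(tmp) / "ab" / "ab12cd").write_bytes(b"altered in transit")
        print(verify(Path(tmp), record))  # files that no longer match
```

The record returned by `preflight` would travel separately from the backup itself, so the receiving side can run `verify` against an independent reference.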
Android devices, on the other hand, do allow for isolating and extracting only certain categories of data, which can help curb many of the privacy and confidentiality concerns mentioned above. In the case of text messages, for example, so long as the proper settings are in place, a technician can extract only the texts (along with basic device info) without having to broadly collect all the other information on the device.
However, because that scenario requires interfacing with the device owner to examine the device model and OS version, or adjust various settings, it’s more difficult and time-consuming to do that work remotely. For the more technology-averse device owners, the remote Android phone collection process may feel overwhelming. For that reason, when a client needs data collected from an Android device, it’s not unusual for such collections to still be done in-person.
A Note on Privacy for Remote iPhone Collections
While it is true that a forensics technician generally will have access to any data that was on the iOS device collected, there are ways to address device owners’ concerns through tight security controls, privacy protections, and non-disclosure agreements. In addition, confidential financial and health information, passwords, and other sensitive PII data are subject to regulatory protections in more and more jurisdictions. (This is especially the case for data clearly irrelevant to the instant legal or regulatory need but that gets swept up by the process nonetheless.)
PRO TIP: While there are some consumer-focused apps that purport to provide more targeted approaches to data collection (usually focused on users migrating their own data between their own devices), most, if not all, of those tools lack forensic soundness and defensibility.
Let the eDiscovery experts guide your next remote cell phone collection.
Data resides everywhere—in every nook and cranny of our daily routines, computers, clouds, devices and more. Many would be shocked to learn how much personal information we routinely create in our daily lives, often in the form of data we didn’t even know existed. Collecting data from these devices that are increasingly central to our lives (as opposed to just a duplicative data source) can be challenging and even disconcerting. Nonetheless, mobile device data has become an essential element of any effective data identification, preservation and collection effort. The good news is that including these resources is easier and less costly now than ever before.
Questions or concerns about what you’ve read above? Realize that you need to include data from an iPhone or Android phone in your current or upcoming litigation, regulatory, investigatory, or similar matter? We’re here to assist, whether it’s answering general questions about remote cell phone collections, or helping you collect all that mobile data you’ve been ignoring. We invite you to reach out today.