Join Us!

Mobile Phone Forens...
 
Notifications
Clear all

Mobile Phone Forensics in the Corporate Environment  

  RSS
CFEx
 CFEx
(@cfex)
Member

Just curious how many of you working in a corporate environment get to do mobile phone forensics.

The reason I ask is because some legal counsels may have an issue with this type of forensics since their argument might be that the mobile phone may contain employee private data such as contacts, appointments, spouse info, etc.

You can assume that the device is provided by and the service is also paid by the employer - to make this more specific.

Quote
Posted : 26/02/2010 9:59 am
trewmte
(@trewmte)
Community Legend

CFEx I do not presume to know alot about the various national and state laws in the US; I in the UK. I do have some observations in the form of questions though that you may (or then again you might not) find helpful.

The reason I ask is because some legal counsels may have an issue with this type of forensics since their argument might be that the mobile phone may contain employee private data such as contacts, appointments, spouse info, etc.

Do you have access to your law libraries and online case law database? From those sources it should be possible to , and you may get a, gist of the attitudes in court cases towards private information held in company 'property' (file cabinet, computer, mobile phone etc).

There is the US case of employees who used the text messaging system at work to send messages to each other on the system that were unrelated to work. Those messages were deemed to be private.

http//trewmte.blogspot.com/2008/06/us-court-recognises-expectation-text.html

I do find some of the privacy arguments quite strange to some degree because how is it possible to suggest privacy when a company pays the bills for the phones? Clearly the company is seeing non work-related private numbers in the network operator itemised call billing records sent to the company for payment.

So what about a retrieved text message that has no number? How would you put the context of what is written in the text in context to a particular individual where there is no name/number (perhaps text draft in handset)?

Both name/number and text combined may amount to a privacy issue? How relevant though is that point if say after the data extraction and harvesting process the private detail is ignored and not disclosed and only the work related matters pursued. Still breach of privacy there - perhaps, maybe, could be/might be?

How do you define which text messages to be selected at first instance? What about unread text messages?

How do you define phonebook entries on a business phone vis-a-vis with those numbers appearing in the call itemisation billing records?

You can assume that the device is provided by and the service is also paid by the employer - to make this more specific.

Would the company policy state - "Don't use the company issued mobile phone for personal calls or information, for if you are investigated all recovered information will be taken down and may be used against you in any proceedings?"

Looking at this another way, what other motives might a company have of issuing a company mobile phone to an employee without stipulating certain requirements with respect to its use regarding personal calls etc?

Technical definition issue
Technically definition how mobile phones can be defined in rulings, there has recently been an important judgment in an Ohio Supreme court that ruled mobile phones are not covered by the status for the purposes of evidence that mean mobile phones are "closed container" for the purposes of searches, thus they require a "warrant" prior to searching their (mobile phones') contents

A commentary discussing part of the Ohio Supreme Court finding
In the present case, Justice Lanzinger wrote, "The state argues that we should follow Finley and affirm the court of appeals because the trial court was correct in its conclusion that a cell phone is akin to a closed container and is thus subject to search upon a lawful arrest. We do not agree with this comparison, which ignores the unique nature of cell phones. Objects falling under the banner of 'closed container' have traditionally been physical objects capable of holding other physical objects. Indeed, the United States Supreme Court has stated that in this situation, 'container' means 'any object capable of holding another object.' New York v. Belton,/em> (1981)."

http//www.supremecourt.ohio.gov/rod/docs/pdf/0/2009/2009-Ohio-6426.pdf
http//www.supremecourt.ohio.gov/PIO/summaries/2009/1215/081781.asp

You may also find this interesting as to how mobile phone examination is also being viewed in the US
http//trewmte.blogspot.com/2009/02/cellular-phones-warrantless-searches.html

ReplyQuote
Posted : 26/02/2010 1:08 pm
Fab4
 Fab4
(@fab4)
Active Member

Would the company policy state - "Don't use the company issued mobile phone for personal calls or information, for if you are investigated all recovered information will be taken down and may be used against you in any proceedings?"

Here in the UK I would hope (rather than necessarily expect in the majority of cases) that any employer providing mobile phones to employees would incorporate such provision in an Acceptable Usage Policy that articulated that all data thereon was owned by the employer and thus could be accessed arbitrarily.

ReplyQuote
Posted : 26/02/2010 4:00 pm
CFEx
 CFEx
(@cfex)
Member

The policy does include some provision for acceptable use. Even with that, and the fact the employer may be paying for the device and the service, I'm trying to get a sense if anyone outthere is doing mobile phone forensics.

It is obvious that LEO and consultants (who offer this service) are doing it, how about any of you in a corporation?

ReplyQuote
Posted : 26/02/2010 11:30 pm
jhup
 jhup
(@jhup)
Community Legend

There are several provisions for our cells.

Our Info Sec Policy states that any device that is connected to our internal infrastructure, must comply with all of the ISP. This makes any smart phone which gets any access and such fall under various security requirements (malware protection, AV, encryption).

We only allow company owned and reimbursed phones to connect to our networks.

We require sign off annually, and explicitly tell all users that they may be monitored.

We explicitly tell and require sign off by users that we may send a wipe/kill command to their device if we believe the device is a threat to the company.

Otherwise, they are free to do anything they want. D

ReplyQuote
Posted : 27/02/2010 5:41 am
CFEx
 CFEx
(@cfex)
Member

jhup, intersting feedback. I don't think our policy is as robust as what you have in your org. What you say makes sense. Thanks for the feedback.

ReplyQuote
Posted : 28/02/2010 10:59 am
Share: