Cellebrite’s Monica Harris on Achieving Balance in Corporate Investigations and E-Discovery

Christa: Digital forensics in enterprises increasingly overlaps corporate investigations, e-discovery and incident response, with the result that enterprises themselves must balance data acquisition and retention with employee privacy and cyber security.

This week on the Forensic Focus podcast we’re joined by Monica Harris, who is Cellebrite’s Enterprise Solutions product business manager. I’m your podcast host, Christa Miller. Welcome, Monica.

Monica: Thank you, Christa. Thank you so much for having me here.

Christa: Yeah. All right. So, Cellebrite Enterprise Solutions integrate, as I said, e-discovery, corporate investigation, incident response, all in one platform which I was interested to see. It’s striking because historically I think they’ve been siloed at least going back to what I recall from when I was in more of a marketing role. So my first question to you is, are you indeed seeing more overlap between the skills and technology needed for these three functions?


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


Monica: Yes, I would say that we are definitely seeing some overlap there.

So first and foremost, I think what e-discovery corporate investigations and incident response all have in common is data collection. That’s whether it’s for litigation, for litigation readiness, investigation, or even a response to say nefarious activity that’s happening behind a company’s firewall.

Once that data is collected, there’s a need to quickly drill down to the relevant data and understand the strategies, say for next steps or downstream processes. Because the data is an upstream technical tactic, for example, there’s an overlap between, let’s say, the information governance expertise, the forensics expertise, and AI.

All of the things that you think would happen upstream to support activities like data mapping, data identification, data collection, and providing early insights into the data itself. So along with that expertise comes the technologies that foster information governance, forensics or collections, and early data insights.

Christa: So the next question that I have is kind of a follow on: how does the technology actually work? Is it like the same agent that preserves and logs the data, either for litigation holds or in the event of a breach, or is it something different than an agent model?

Monica: It is an agent model. So at the 50,000 foot view, we can say that it’s the same agent that can collect and preserve data for legal holds, data breach, investigations, and a host of other events that require data preservation.

Christa: Okay. So with that in mind, remote and hybrid work environments obviously introduce more potential vulnerabilities between non-employees in a home or other non-office environment, family members or others who could access company data and property, so that the security of technology that employees themselves might be using to access company data was.

Granted, this is always a concern with “bring your own device.” So I have three questions here. The first is how does Cellebrite Enterprise Solutions currently address privacy concerns, especially with regard to BYOD and remote work?

Monica: Okay. So for BYOD, for remote, and for hybrid work environments that’s always at the front of the mind of the product team.

So we’ve developed new remote collection tools to that end and we have also placed into those remote collection tools the ability to do targeted collection with the thought that we want to be able to maintain employee privacy and also be able to reach out to that remote or even that hybrid workforce.

We understand that the data, whether it’s protecting the data of the employee or the custodian or the person of interest by making sure it’s a targeted collection, or whether it’s protecting the data by having it encrypted, whether it at rest or in transit as it moves from the custodian’s phone or from the endpoint, shall we say, back to the examiner or to the analyst.

So when we are thinking about privacy, particularly as it pertains to BYOD or the hybrid workforce or remote work, we’re thinking about it from all of those angles. We’re thinking about it as privacy for the data, for the company, and for the person who’s being collected from.

Christa: Okay. So my next question actually was around volume, and you mentioned targeted collections, so I feel like that probably cuts down a fair amount on volume. And yet there’s still going to be this variety of data, right? How are companies addressing a thorough versus proportional e-discovery in reaching a preponderance of evidence?

Monica: Yeah, I think the big data question for e-discovery really compounded at the start of the pandemic. I was putting together a presentation yesterday and I saw a quote from JD Supra that said between February and December of 2020, there was a usage increase in just Teams, cause it was at the top, right? But the usage increase in teams was 3,800%+.

Christa: Oh, wow.

Monica: Just in that amount of time, right? Because we had all gone home, we were the remote workforce at that point, and so that’s how we collaborated, and so that’s how we saw that spike.

So, you know, just an interesting stat, when you talk about how much data there is to collect, of course there are rules that govern proportionality; there’s FRCP, for example, and then Rule 26(b)(2)(B) specifically, which placed some limits on e-discovery. I think last week I spoke to a Fortune 50 company and they told me that they were doing full file system extractions. And when I asked them what they were looking for in those extractions, they told me call logs, right?

Christa: Interesting.

Monica: Yes, yes. Because let’s say an advanced logical extraction, which would be faster than a full file system and would also negate some risk because now you’re not collecting more data than you need, could also yield call logs.

So this kind of all goes back to proportionality and are we over collecting, and things of that nature. I think at Cellebrite we address that in two ways. One that I shared before, which is our targeted remote collection, so that you can collect just what you need. And also changing the focus of the collection workflow from the number of collections performed to the number of devices collected from, right?

So with the way that the workflow for our remote technology is set up, it’s meant to have minimal engagement with the custodian. So it’s minimal business disruption, so that rather than collect everything, preserve it, and then even take the risk that when you come back to the data, you might have to collect again, cause how much time went by, right?

So, collect what you need, go back as many times as you want, without having to take in or worry about things like, am I disrupting this employee’s day that is happening with as minimal of engagement as we could possibly design in a product. So that’s how we are looking to help with that, with that idea or with that overall concept of proportionality in e-discovery.

Christa: Are there challenges either technical or I guess organizational with collecting only targeted data for litigation?

Monica: Well, I guess it depends on what you’re looking for. There are certain artifacts that you could pull from if you want targeted data. But targeted data is a certain type of extraction, right? So there’s only going to be a certain type of data that shall give that.

So let’s say for instance, going back to call logs, if you’re looking for call logs, that targeted collection is going to be great, it’s going to be quick, you know, that should work well.

But for example, if you are looking for, let’s say, chat data, not workplace app data, but chat data that we use personally, that would be best if you had a different type of collection, to have a different type of collection, like say a full file system, right? Which you may not have that targeted capability there.

I like to say, you know, Apple has an ecosystem and so I have an iPhone and I use my iPhone for calls, I use it to search the Internet, that’s really it.

Then I have an iPad and I can make calls on it, but I don’t. I do use it to search the Internet, but I primarily use it for movies. That’s what I use it for.

And then I have an Apple Watch and I can search the internet on it, but those 38 inches or those 38 millimeters might not get me far, but what I really use it for is for messaging and so I can receive notifications in real time when I’m not close to my phone.

So that same ecosystem, that is what Cellebrite has. So we have talked about it from the standpoint of targeted remote collection, because we understand that there’s a need for that, but we also understand that sometimes you need that full file system collection, or sometimes you don’t need full file system collection and that the folks or the devices, the endpoints that you’re collecting from are local.

So between our Mobile Elite SaaS product, which really gives you the most data from the phone, or if you have the remote or the hybrid workforce, which would be our Endpoint Inspector or our flagship UFED, I think it’s that same ecosystem that you see with Apple, right? There’s a little bit of overlap on there, but what is the main pain point that you need to address? And we have a solution for that.

Christa: Okay. Yeah. I’m going to take that question and broaden it a little bit. What are some of the biggest technological challenges with remote cloud collection and creating a 360 degree view of data, I think from all of these different data sources, how do you at Cellebrite Enterprise Solutions make that process smoother?

Monica: That’s a great question. So cloud collection in and of itself presents a challenge. I think 68-70% of employee data is in Office 365, just Office 365, which kind of goes back to that quote that I shared earlier about the increase in usage of Teams in 2020.

So with cloud collection, you see the big data problem. And so I think that having the ability to be able to cull the data, having the ability to be able to cull in place so that you’re not bringing down all of the email that I have for the year of 2020, you’re bringing down all of the email that I had for the year of 2020 that talks about FRCP specifically, you know, that type of thing.

I think having those tools in place, I think that’s very important and that is a way to address the challenges that we see for cloud collection.

But I think overall, having the ability to be able to collect from all endpoints that are available to custodians, employees, persons of interest, whether that’s your phone, your iPad, your laptop, and then any workplace apps that you might have on them, having that full perspective of what a day in the life of that employee looks like through the applications and the devices that they’re using to work and communicate through, I think that that is really the solution for that challenge.

Christa: Okay. I’m going to switch it up a little bit for my final question here. Just switching over to a more of a career-oriented focus, something I read recently is that all of these issues that you’re talking about make for e-discovery professionals and even maybe some corporate investigators who need job skills in information governance, you were talking about that earlier in our conversation, data privacy and data security. Would you agree with that and how might Cellebrite Enterprise Solutions be in a position to support those career goals?

Monica: Hmm. I do. I think we talked about that a little bit at the beginning of our discussion in terms of what skills are needed. When you are looking at both e-discovery corporate investigations and then incident response, I think that for those who are familiar with the EDRM it definitely points to the left side of the EDRM; where you see the information governance, where you see forensics and even, you know, for AI tools of that nature, because once you have all that data, you have to quickly quickly get through it and get to your relevant documents.

So I think that the way that Cellebrite can help with that, if I may put in a plug is we are hiring, that is one way. We are definitely hiring. And then in addition to that with certifications to help for anyone who just may be looking for a way to expand into say, the area of forensics as well.

And then we also have some strong partnerships with others who are in areas where we may not be present. And so the ability to connect those in our community with our network is something that we also can assist with, as well.

So for anyone who is looking to move around, I would say on the left side of the EDRM, or for anyone who’s looking to transition further to the right or from the right to the left, we definitely have pathways for both.

Christa: Interesting, interesting. Well, Monica, thank you again for joining us on the Forensic Focus podcast. It’s been interesting.

Monica: Thank you so much for having me. I very much enjoyed our conversation.

Christa: Yeah, likewise. Thanks also to our listeners. You’ll be able to find this recording and transcript, along with more articles, information and forums at www.forensicfocus.com. Stay safe and well.

Leave a Comment