Cellebrite’s Solutions To Current eDiscovery Challenges

Si: Welcome friends and enemies to the Forensic Focus podcast. Today we have Monica with us from Cellebrite, and we are going to have a reasonably wide-ranging discussion, touching on SaaS and workflows and a number of other things. Monica, thanks for joining us today. How’s things? How are you doing? How’s your day been so far? <laugh>

Monica: <laugh> My day’s been great. Well, thank you for having me. First and foremost, I appreciate being here. My day has been great. It’s been pretty busy; busy in a great way. There’s a lot of amazing things going on in my wheelhouse, so I’m pretty excited to be here as well.

Si: That’s really cool. So, what exactly is your wheelhouse within Cellebrite?

Monica: Within Cellebrite my wheelhouse is product, but product specifically for our private sector line of business. So, ensuring that I interface with customers, to make sure that the requirements that are being transitioned to our engineering team are meeting or addressing their pain points. But we are talking about pain points that you may see, particularly in eDiscovery or in investigations, as it pertains to collections or decoding or even some of the downstream stuff that happens after that.

For data that could be mobile, computer, or even what we call workplace apps, which is some of those enterprise level type applications like Office 365 or Slack, Box, for example. That’s part of it. And then I also work with our marketing team to do product marketing. So that could be just making sure that the great word about everything that we’re doing is out there.



And then in addition to that, I also try to make sure that we are collaborating where it makes sense, with other technology companies, trying to start those conversations and understand if we can come together to solve a common problem. So, it’s a little bit of all of the above, working with engineering, working with marketing, working with the leadership team to just make sure that, through technology, through product development, product marketing, we are adding value to our customers and their organizations.

Si: That’s a hell of a serious role. So, what’s your personal background to come along and tackle it from such a broad perspective? I mean we talk to engineers a lot, and that’s really cool, and we talk to marketing people reasonably often, but actually the crossover between the two is quite rare. What’s your actual background on that?

Monica: Oh, that’s a great question. So, I started…I have an IT background and when I started in e-discovery, I was part of an engineering team. I was actually part of help desk, but I was working with proprietary software that was so new that I was placed in an engineering team. I was a kind of an unofficial DBA. It just so happened that that software was processing and document review software. And so I learned eDiscovery technology from the backend, although I was very customer facing. And so going from help desk, I moved into Quality assurance (QA), going from QA I moved to training.

And then I had an opportunity to stay with one company for nine years that probably tripled in size, while I was there. During that time, I got to wear every role or wear every hat I could possibly get my hands on, which was very interesting. From DBA to product, to project management, to hosting. And then found that really my passion was for product, and that’s where I stayed. That’s the kind of background that kind of lends itself to moving from what could be a customer facing role to maybe something that’s a little bit more back end and back and forth between the two.

Desi: Yeah. So, it seems like you’ve really grown into the role, just from the experience that you’ve had on the job, which is really interesting. So, I’ve personally worked for a few technology companies and kind of seen the pain points that some customers have with integration, and especially when trying to deal with their technology stack where they’ve got three, four vendors, they overlap in some areas. So, from your experience and in your current role now, do you see kind of like a common trend or just like some common little things that cause pain points for customers with the integration or just things that you’ve seen happen year after year that potentially the technology community could get better at?

Monica: Hmm. I think when it comes to integration and something that the technology community could get better at… I think it’s something that we could get better at. And there’s something that, I don’t know if we’ll ever be able to do enough of. There’ll always be a need for it, but it’s education. It’s education about what we’re doing and the value that it can create within an organization so that it can have easy adoption. I don’t know if easy adoption might be a bit of an oxymoron, but it’s the idea that you want the technology to be adopted and you want the benefits of the capabilities to be understood. And that happens through education. And so, when you’re talking about product integrations and, you know, large technology stacks, I think that’s one of the bigger challenges there.

Si: Without wanting to put you on the spot too much in that regard, do you find that you actually have customers who buy your products but then don’t really use it very much? I mean I’ve worked in a number of organizations with some very proactive IT security managers who have bought every product under the sun and then they’ve never configured them properly. Are you finding that you are able to get to customers who are buying your products and getting them to use it consistently? Or is it a fifty-fifty sort of mix? How do you find it?

Monica: That’s a good question. So usually what we find is customers will buy our products regardless of whether it’s our remote collection capability or advanced collection capability, or even decoding. And because of their needs, they’re using it for one to three specific use-cases, right? That’s what they do day in, day out. That’s what they need it for. And then as a product manager, you know, I’ll go back to customers on a reoccurring basis to understand their experience, if there’s any improvements that we can make in the product.

And that’s when I begin to hear from them things that…some of them I need to take back to the internal camps and have a discussion, about prioritizing, adding it to the roadmap. Some of it becomes that education piece once more, about, maybe it was innovation that was in the product, but wasn’t a part of their use-case. Their use-case grew. And so now it’s an opportunity to educate them on the fact that the product can address said pain point or use-case.

But generally, if you’re a technologist, you’ll geek out on the technology, so to speak, right? You want to press every button, see what it does. If you’re bringing this into your organization, you’re using it for a reason. You’ve got SOPs, that’s what you do. But you know, our workday or the challenges that we face within our workplaces, it expands. It’s dynamic.

And so, you know, really, it’s about understanding whether or not there’s an opportunity to educate further or whether or not we need to understand what’s happening specifically to go back and develop requirements that can then be prioritized because we need to add innovation to the product.

Desi: So that’s probably true… with everyone’s workday getting busier. And especially I guess, where Cellebrite’s market is, with that document review or used by like police forces or defense forces around the world. Those cases that they’re dealing with are just piling up. So maybe you could talk a little bit about some recent projects or innovations that your team has worked with, to make those jobs easier so that they can have the time within their own internal SOPs to maybe do some of that extra button pushing and innovation to find some other use cases for them.

Monica: Absolutely. So, what we found… In eDiscovery in particular, I would say is that mobile data in discovery and investigations has hit its tipping point. When I say mobile data, I mean text message data, chat data, communication data from phones. We’re seeing more of that in discovery and investigation than we’ve ever seen before. I think that initially there was hesitancy about collecting it because it’s not traditional communication that usually happens in emails, or things of that nature.

But we’ve seen the legal system begin to impose fines for not having it, whether that is the finance industry and compliance, or whether it’s just spoliation and whether or not it was preserved. So, some of the things that we’ve done to make that more seamless is think about 2023 and today’s workforce and how we can allow them… how we can get over that first hump of collecting mobile data. Maybe something that’s very complex, may need several certifications. I don’t have the budget to fly people all around the world. We created remote collection, right?

And then you had to think about pain points. People don’t necessarily want you traversing through all of their text message data because perhaps not all of it is related to their professional work. So targeted collection of remote data. And then we had to think about things like, well ultimately, what are you using this data for? Is it going into an archive for compliance reasons so that you have it? Or are you moving it further downstream to take it into review so that some legal professionals or maybe even investigators could take a look at it?

So, then we have to think about how to take our native formats and put them in a format that could easily be ingested into a review platform. And so, in a lot of cases, either we created something that wasn’t there before, like remote collection, or we started to automate the process so that it was less button clicks, so that there was less manual labor ensuring a little bit more of a streamlined workflow.

Or even that you could address more cases because you were spending less time with the data handshake because we had streamlined its movement throughout your workflow. So those are some of the ways that we began to address that.

Si: Forgive me, eDiscovery is not really my personal area. But is it reactive or are you doing anything proactive in regards to it? So, are you, for example, collecting data? Is it possible to collect data constantly and then just have a big database that you can search when you’re interested?

Or is it a matter of pushing out the agents to all of your devices so that you can then, you know, collect it when it’s important, but at least you’re set up already to go? How does it actually work out in the real–well, <laugh>, I know how it works out in the real world. You have a problem, everybody panics and then you start dealing with it. That’s the real world–But, in the theoretical world that we like to inhabit: What’s the sort of plan and the way you guys operate?

Monica: Preservation in place for mobile data does not currently exist. It’s not possible given the setup. The setup of how our mobile data is housed. So, what we have done instead with that piece, that remote piece, and also consider, that I’m civil, not criminal. So consent, right? We’re talking about consent-based collection. A custodian has to say ‘yes’ and be a part of the process. So, in that way we are looking at collections that happen after an investigation or a legal matter is considered.

We’re having more and more conversations about, just generally kind of understanding, because there are some exceptions to the rule. And I’ll give you an example. For instance, at an organization when you have executives, more than likely they’re always on legal hold. So that’s more than likely a case where you’re not going to wait for litigation or an investigation to ensue. Executives are usually on hold at all times.

So, there’s a couple exceptions to the rule, but for the most part, an eDiscovery on the civil side of things in your corporations, just private sector generally, you are seeing reaction rather than everyone on hold. Not everyone’s on hold. Your executives may be on hold, but not everyone’s on hold and we’re not collecting in advance until there’s a matter or a reason to do so.

Si: I’m going to just ask a question because I think this is the nature of American law. Because the way the warrants work, I’m aware, is subtly different to the way that they work here. Here in the UK, I don’t know how it is in Australia, I suspect it’s very similar. You know, if you are working on a company machine, all of that data belongs to the company, and they can do what the heck they like with it. They can start collecting left, right, and center from the second you basically sign your contract so long as you’ve been told upfront, you’ve signed off on the acceptable use policy for your company.

Monica: Absolutely.

Si: Is this something that is just an issue with the American law or is this sort of a universal thing?

Monica: So that’s a great…it could be either or…that’s a great question. It could be either or. Because I don’t know if you have this in the UK, but in the US we have: bring your own device. They’re not all necessarily company issued devices. So, it depends, if that is your personal computer, where you’re using a VPN to then go in and access all of the applications, the sanctioned applications. But oops, I just saved a file to my desktop, and now you’re in possession of professional data, which is on your personal property.

Same thing with your phone. If you have that mix of personal and professional on that device. So, and we saw a rise in that, particularly with the pandemic, because not everyone, once they sent their entire workforce home, had the ability to distribute hardware, laptops, phones to all of them. So, a lot of us are working with a mix, and for that reason, you really kind of see these challenges.

Desi: Yeah. So, I think just before we dive in a little bit more, maybe for the benefit of our audience, you could explain what legal hold is?

Monica: Absolutely. So, in civil litigation, when you have the reasonable thought that litigation may ensue, which usually means one company’s legal team sent a letter to another company’s legal team and said: This is something we’re considering. You then put everyone on hold. It’s a way to make sure that there’s no data spoliation, that once you find out that you’re going to be sued, folks don’t go to the shredder. Right? And now that’s just paper. And I’m joking of course. But the idea is that you don’t delete the data, it’s put on hold.

A majority of our data is part of those enterprise applications that I talked about, like Office 365, for example. So that’s hold in place. The custodian need do nothing. The organization owns the data, and so therefore they can just place a hold on it to ensure that regardless of what their retention policies may be, until someone comes in and says, this case is over, that data is not deleted. There are different challenges that come with that when you start talking about phones, right?

That’s, that’s not the easiest thing to do. Oftentimes, a legal hold will be sent out, this case is ensuing, we’ve identified you as a custodian or someone who may have information that’s pertinent to the case. And the next thing you know, the custodian walks outside and drops their phone in a puddle of water or forgets the passcode to their phone and has to take it to their provider to have their password reset. All kinds of things can happen when you’re talking about attempting to preserve mobile data, for example. But with all of our larger repositories of data, a hold-in-place is relevant.

Desi: So when you were talking about Cellebrite working with an enterprise solution and you mentioned data in place and being able to collect that in advance for this legal hold reason. What are some of the types of applications that can do that? Because you mentioned that it can’t be with mobile data at the moment, but is it things just like Office 365, like emails and just standard Word documents that exist within the enterprise? Is that some of the examples?

Monica: So, phones are different. Phones are just a little bit different. So, I think the question was when do you have the ability to place a legal hold in place? And you primarily see that with email communications, and with anything that you would access on your PC. But it really depends on the application, right? Not everything has hold-in-place options, but the largest repository of professional data, in most cases in the US lies within Microsoft. Right. And they definitely have the ability to produce holds.

Desi: Yeah.

Monica: After that you’ll see Slack, perhaps this is me going off statistics that are about a year or a year old, so forgive me. But after that you generally see Slack. Teams is within Microsoft, so that’s already covered, things of that nature.

But the rise of communication in mobile applications means that now we’re going to resources like WhatsApp, for example. I think that’s one of the more commonly used applications in a professional setting and understanding how to…you cannot place holds there, quite frankly. So then it’s about streamlining the process and also accelerating the process of getting to the data as soon as possible before spoliation.

Si: There’s a number of apps that certainly on the mobile phone front that are sold upon their ability to not retain data. I mean, WhatsApp, definitely springs to mind as one of them.

Monica: Yes.

Si: How are we managing that?

Monica: That’s a great question. So, you mentioned WhatsApp, which when I think about WhatsApp, I think about end-to-end encryption, which is pretty stringent. But when I think about applications that do not retain data, specifically, I think about applications or mobile applications specifically that have ephemeral data, like Snapchat, for example.

There’re a few others that come to mind as well. With our advanced collection capability, we do have the ability to collect and then also with our decoding applications to decode, data from ephemeral messaging applications. I’ll give you a very eDiscovery answer, such as: It depends, because it does depend. We do have the ability to collect data from ephemeral applications, but it depends.

For starters, we need the phone, we need the device. And then there are several caveats that then come into play, such as settings within the device. Did you set it to auto delete? How quickly did we get to the device, in terms of collecting data? Alex Murdaugh for example, although that wasn’t a civil case, it was criminal, but that was Snapchat video that placed him at the scene of the crime. And so, the ability to collect that ephemeral data, I’d like to say sometimes ephemeral data is not as ephemeral anymore. There are instances where you can get to it, and then there’s instances where you cannot.

Desi: So with the rise of mobile apps being used, a lot of the mobile apps are developing desktop applications. So is it a challenge or is it kind of much of the muchness, once you understand how those ephemeral apps are working to then apply the same principles to a Windows or an Apple desktop application as it would be on a mobile phone.

Monica: Oh, that’s interesting. So, when we’re looking at those ephemeral applications, we’re specifically looking at the phone. I think that’s because of the data that’s housed on the phone, our ability to collect it and our ability to decode it. So, there’s a very specific type of data that we’re looking for in terms of the ephemeral applications. I think that’s key. Although you’re absolutely correct. You can have applications online on your phone or on the desktop. It could be either or. But for ephemeral applications, because of their nature, we need the physical device. That would be the phone.

Si: So just to clarify, when you say you need the physical device, this is a Cellebrite acquisition that requires a cable to be plugged into a machine rather than the remote acquisition of the physical device?

Monica: Correct. If we’re talking about accessing ephemeral data, yes. That’s advanced collection for us. Absolutely.

Si: So, do you have non-advanced collection now that you can do remotely for phones?

Monica: We absolutely do. We absolutely do. And so, with the, we call that the logical collection, you can see if those applications are there. You may not be able to dive into the data that’s available to them. Right. But you can at least initiate a collection from your office, or maybe even from home if you’re remote or hybrid, you can have the custodian send data to the location that you designate.

You can collect from the custodian what you want. You don’t have to pull back large amounts of data from their phone. You can target it. And then when you get that collection back, it could tell you, well, we’ve got all the text messages, we see Snapchat, but we’re not set up to collect all of the bits and pieces that would give you Snapchat. Perhaps that’s a phone you want to bring in house so that you can do a local collection that’ll give you more advanced capability.

Si: I believe there’s this concept, and again, I’ve done a bit of work for companies that have either American wings or are American companies to start with. And I was involved in an incident response for an organization which will remain nameless. And one of the things that happened during that incident response was that we went through and made sure that quite a lot of emails were marked as legally privileged, at the top and copied into lawyers so that we didn’t have to disclose them. Do you have a good way to filter out that kind of thing to prevent it from getting pushed into an eDiscovery system?

Monica: So, identifying privilege prior to collection and then ensuring that it’s not a part of the review process, or that it’s not shared with the legal team. I have questions about that workflow. Who is identifying the privileged data before it is collected? Because that will then prompt the next question then: Who is QCing the data, the privileged data?

That’s usually the biggest challenge we see with the identification of privileged data, who’s QCing it? So how are we identifying the privileged data before collection and does someone then need to go through and QC it to make it defensible? But it’s an interesting concept.

It’s definitely one, as a member of the product team that I have definitely heard, it’s that we want to take the identification of privilege and move it earlier on in the process. Normally that happens after we’ve collected, we’ve decoded, or we’ve processed it and we’ve got it in front of investigators or legal professionals who can then go through and identify it.

But then the question has come up, why even collect it? Or is there a way to not collect it? But then I have other questions about how did we identify the data to begin with and how are we ensuring all of the relevant data is being collected if we’re not… you know what I mean? If there’s certain caveats in place, parameters in place. So, I think I just feel like that’s a conversation that is in play, but I think we need to iron out a few more wrinkles in that, before we can do so defensively. Defensively

Si: I think I’m going to throw this one out there. Because it’s something…Desi and I talked about a wee bit–a lot–over the last few weeks, months. I’m going to refrain from calling it artificial intelligence because I think that’s a hideous misnomer. But machine learning, in forensics and incident response in the world in general, in creating podcasts, and artwork. Is there a role for it in e-discovery? Is this something that Cellebrite’s working on/with/already has a solution for? Or is it something that you are treating with a reluctance to commit to, given the problems it may or may not have?

Monica: Right. What does machine learning mean to you? When you say machine learning, do you mean like large language models? Are we talking about like ChatGPT?

Si: I think ChatGPT is a representation of a large language model that everybody is aware of. Machine learning, for me actually, is more applied statistics. So fundamentally you would be looking at patterns of data that are indicative of the type of thing that you would be looking for. Or the type of thing that you would not consider legally privileged, for example. So, you know, in my space, there’s things that would identify pornography versus innocent images. And therefore, my question is: Does that sort of thing exist within e-discovery.

Monica: Okay. That is exactly what I thought it was as well. I just wanted to make sure. In eDiscovery, we have technology assisted review and continuous active learning, natural language processing. There’s a couple of different flavors of machine learning. Would we be able to use that at Cellebrite? Of course. But again, when you’re talking about the eDiscovery use-case, we’re not seeing as many images and videos. It’s not that we’re working with data from body cams, for example.

We’re working with communication. And so, it’s about the concepts and themes that you can pull out of text as opposed to what you’d be able to identify in images and kind of what you were alluding to: the likelihood of privilege, the likelihood that the data is important to the subpoena or to the case. So, trying to understand how we can incorporate things like that. Of course, the more innovative that we can be, you know, the better, right. The more value that we can add. So those are continuous conversations for us.

Desi: How does Cellebrite go with working in the eDiscovery space with different languages? So, I’m assuming you guys would especially like OCR PDFs to then search through the text. But let’s say a company was merging with a Japanese one and wanted to do an eDiscovery case. Is that then a huge hurdle? Do you then need product integrations with potentially a different product from that region? Or can Cellebrite, cover all the languages that are kind of popular business languages? I would probably think that it’d only be like 20, I’d guess.

Monica: Agreed and yes. Usually when we see that, we don’t see it so much at the time of…and we can, right. So, for instance, our technical documentation or the language that’s presented in our UIs right. That’s kind of universal. But really, I think where you see the biggest challenge which we can artfully tackle is in decoding, it’s not so much within the collection itself.

It’s pretty straightforward. Data is here. We are acquiring data. But then once you unpack it, you see it there. But really the way that we address that, I think is through our UIs, making sure that they are in all of, what we’ll call the CJK languages, the romance languages, and some of those more popular business languages that you talked about. Then also in our technical documentation as well, so that we can present to a diverse audience.

Desi: And I just wanted to go back to–like right at the start–when you mentioned that mobile data–we’re kind of changing track here–but the mobile data doesn’t really have a legal hold mechanism at the moment. It’s probably not something that your company needs to tackle, but are you seeing any kind of companies that are making mobile apps that are used for business purposes, going down that route of making the change to incorporate like a legal hold little radio button? Like, so what Office 365 has, you can select custodians within that platform and say: For the last 90 days, I want all their data to be on legal hold. Are you seeing that with something like a big company like Slack that is used for a lot of business purposes?

Monica: Yes. Yes. We do see that within applications such as Slack. It’s similar to what you described in Office 365, because licensing then becomes…it depends on what flavor of the application are you looking for. But again, that’s when you see the data stored in the cloud and large repositories where you can say, where you’ve got 90 days’ worth of data and you can place it on hold. But historically, take Apple for instance, because when you start talking about Androids, there’s several device manufacturers or even carriers that could come into play.

But whether it’s Apple and our backups, or whether it’s the actual carriers that provide service to the phones, there are regulations in place, and there’s also no precedent for certain things. So that’s not where we can go for the data. If you go back to Apple and say: This heinous crime happened, we’d like to go back 90 days, then, you know, it could be quicker to come to a company like Cellebrite and have us collect from the phone than to go back to Apple. You’re not going to be able to go to a rise. Just kind of depends. Right.

Do you have all of the legal building blocks to be able to obtain that kind of data from the service providers? But again, what kind of timeframe are we looking at? Civil and civil litigation, there’s parameters. Things need to happen in a certain amount of time, and so oftentimes the, the shortest distance, is a straight line between two points, and that’s collecting from the phone as opposed to going to these other places. And when that happens, it makes legal hold a little bit more challenging, more challenging for those reasons. Yeah.

Si: How does the legality of it work out with the fact that there are two parties to a conversation?

Monica: Yes, yes. That’s a great question. Well, I’m not an attorney. But luckily, there are multiple people usually in conversations and by today’s standards, maybe not even two. It could be two, it could be three, it could be four. And so oftentimes when you see in the cases that I’ve read up on, oftentimes, the sanctions or spoliation come because there are two people talking. And so either for a timeframe, there’s no data when there clearly should be data.

It’s not that you and I have been talking for the past year, but we suddenly stopped talking for 45 days between January and February. Right. Or it’s that you can triangulate the data, so you can find it on two people’s phones, but not the third person’s phone. And so sometimes the way to ensure that you can access some of the data is that triangulation, kind of what you’re alluding to. There’s more than one person in a conversation. Well, that’s oftentimes how you end up finding pieces of the data, if not all of the data because one person has gone and deleted the data.

So that’s a benefit of this type of data that more than one person has it. And so unless everyone in the conversation got together and decided they were all going to wipe the phones, you have a good chance of finding it on someone’s phone, even if they were just an observer in the conversation that didn’t actually participate.

Si: Yeah. Okay. I think it’s a fascinating space because you’ve got such a huge amount of data that you are having to troll through. Especially in a large organization, you know, if this is cropped up and of so many disparate times, because you’re not only seizing when we’re talking about communications data in the sense of, you know, let’s go back to Snapchat, Snapchat messages. But you’ve got Snapchat messages, you’ve got WhatsApp messages, you’ve got text messages, you’ve got emails, you’ve got phone calls I assume, although you’re not recording the content of them.

Would you pull metadata to say: That person A talked to person B? How are you consolidating all of this into a way that an investigator can actually work with it? Because you are talking about terabytes, petabytes, potentially in the larger organizations, worth of data, of a hugely disparate set of fields. How are you making this manageable?

Monica: Oh, that’s a great question. It really depends. It really depends. I have to give you another eDiscovery answer, right. So it just depends. So yes, the amount of data that we can collect is large and primarily that has to do with the size of phones nowadays. It used to be that we had eight gig phones. I don’t even know if they make eight gig phones anymore. It just starts 16. And even then you’re, you know, don’t put any music on that phone. You’re not going to be able to fit it.

So we are seeing more data, but we make it manageable through the ability to parse the databases and put it in a format that’s readable. Which you could do through our Physical Analyzer decoding product. If you want to take it further downstream than that, then we have the ability to convert it in readable format so that a less technical professional, but maybe someone that’s more advanced with the law, for example, then has the ability to do it.

So, we can decode it, we can convert it. And even when we’re looking at our advanced extraction, our collection capability, you were talking about metadata, oftentimes it’s using that metadata to put together the different pieces of the conversation, which is how we can demonstrate that data was deleted or the identification of deleted data, right? We can see a continuous conversation where someone was talking at, oh, I don’t know, 4:53, someone was talking at 4:55, but the answer from 4:53 and 4:55 doesn’t match, which means someone probably spoke at 4:54. And so you can kind of begin to piece together in that way.

So, it depends, it depends on whether or not we’re talking about the identification of deleted items. If we’re talking about unpacking the data so that it’s readable, it can be cold, or if we’re talking about downstream and converting it into something that can be used by a completely different set of professionals with a different expertise, that’s outside of forensics. So, it depends.

Desi: So, I had a question on when you’re collecting text messages off a phone, and I guess different generations use technology differently and there’s been a trend for the younger generation to use voice memos to talk between each other.

Monica: Yes.

Desi: And so, is that something that is part of the advanced collection, or can be done remotely? Say if one person in a conversation was using voice memos and the other person was typing, how does that work in the collection sense?

Monica: Oh, that’s a great question. So we can collect that remotely. When we’re doing remote collections, you have the ability to do an advanced logical, which means you’re going to pull back deleted data, for example. And you’re not going to pull back any data that’s in an unallocated space, for example. But you’ll pull back all of the communication data.

In the case of when you’re sending those voice memos, they are happening via texting or within the application. You don’t necessarily have to text to send a voice memo, but you’re still within the application. Now it comes down to the application. If we’re talking about text messaging in particular, you’re sending voice memos, that’s an attachment. That’s, that’s what it’ll even out in, in the wash.

There’s an association between the voice memo and the metadata that comes with it, so it looks like an attachment. But if you go back to say, Signal, and someone sends you a voice memo in Signal, now we’re back to advanced collection capability, right? Really, it’s not about how you’re communicating within the application, although sometimes it is. There’s a difference between Snapchat video and Snapchat messaging, right. Those are two totally different things.

But as long as you stay within the parameter of text messaging, for example, we’re going to be able to pull that. Once you move into chat applications, we’re now getting very specific to the version of the chat application, the version of the device and the version of the iOS or the operating system on the device. All three things matter.

Desi: Once the collection’s done, let’s just use the example of the text application in like normal text messaging, when it’s presented back to the investigator to look at, are those just decoded and put into text and presented that way and then they have the option to then listen to it as well? Is that part of that process?

Monica: There’s a couple of different ways. And it just really depends. We try to be flexible, and make sure that the decoding presents the data in a way, in enough formats, so that you have flexibility, because it’s not necessarily one size fits all. Perhaps it’s something that you want to stay within our product suite and take a look at it there.

Or maybe we have to convert the data in a format that allows you to take it in several different directions, because that may be where you want to listen to the audio messages or where you want to read the text messages. So after we’ve done the decoding, we are very flexible in terms of what other formats you can bring or take that data out in. Are you going to stay in our suite of products or are you going to take it elsewhere? And so, we’re just flexible about the formats in which we give it to you and so that you can listen to it or read it in the tool that you are most familiar with.

Si: I was looking at one of your other products a while ago and talking with someone about that. Cellebrite has a very, or on that product at least, rapid turnaround and development life cycle. How is it in the eDiscovery space? Obviously, you’re directly involved in this. Are you bringing ideas to engineers and are they being implemented at breakneck speed, and are you rolling out new versions? I mean, this other product I was talking about went through, I think it was three-point releases in about four months.

Monica: That’s a lot. Yes.

Si: Yeah. Which is quick for pretty much anything. Are you in that sort of same sort of development speed or are you a little more… I mean, it’s a young product for you guys, so, it is developing fast. But are you in that sort of space still? Or are you a little more mature and, you know, throwing out a point release every six months or…

Monica: It depends on the product that you’re referring to. Are you referring to a specific… So, when it comes to our decoding products, you tend to see more rapid releases because of the version updates. Every time you wake up and your iPhone is telling you that it needs to upgrade, every time your iPhone doesn’t upgrade, but the applications on your phone are telling you that they want to upgrade and then, you know, the two years, maybe it’s two years for you, maybe it’s shorter, but when you buy a phone, so with our decoding products, yes, you see rapid releases.

At the point of collection, there are releases, sometimes it has to be rapid, but you don’t see it as much, because it doesn’t change. iOS 16. Right. And then, but before that, so it’s not as rapid. I would say for us, you have the ability to see rapid releases, because we’re responsive to our customer base. So, it just depends on what you tell us, for example.

But for that reason, we tend to have rapid releases, but it’s because we want to stay in touch with the customers and what’s happening there. And then it also depends on what you tell us, right. There’s some things that stay on the drawing board a little longer than others based on how deep we have to dive, to hit the finish line.

Desi: So, it’s really interesting that like…and it’s great that you’re driven by the customer base and their needs. And I don’t want to put you on the spot too much, but what’s kind of the weirdest outlier of application or requests that you’ve had in terms of like a customer’s like: Hey, we have this really niche case and you’ve taken that back to the engineering team and they’re just like: What are they doing that for?

Monica: Right. Why would we build that?

Desi: Yeah.

Monica: I would say some of the oddest requests you get from customers, without having a customer take a look or listen to this podcast and be like: Hey, that was my request, without kind of putting that into play. One of the oddest requests that you get from customers are when customers request things that you were doing quite some time ago, they realized that it’s still happening. There’s a reason why you moved away from it. And then there’s a request to bring it into the application.

And so, then you really have to kind of sit back and say…and I try to understand why something that you generally think you’ve evolved past is being requested. A lot of times it’s because you realize what you think you evolved past, you actually didn’t evolve past. So, it’s not that the customer is asking you for this antiquated feature.

It’s that there’s this other pain point and you’re not solving the root cause of the problem. Right. There’s another main point that you need to address so that customers stop asking you for this antiquated feature. So I think that’s a different way to answer your question, but it’s kind of part of the product development cycle and understanding what you’re being asked to do and why.

Desi: I think that’s a very common issue with a lot of like, not just e-discovery, just technology companies in general. With the advent of virtual machines and running legacy software these days, it’s stuff that I’ve seen requested a lot. It’s like: Hey, we need to collect this thing. And you’re like: Why are you running that? Like, it’s so insecure. And then you find out it’s running their payment system.

Monica: Exactly. There’s other dependencies. There’s that kind of… Yes. Absolutely.

Desi: Yeah.

Si: So where is Cellebrite–without going backwards–where are you focusing on going next? What’s your current objective?

Monica: That’s an interesting question. There’s always a bit of sensitivity around that because we are a publicly traded company. So, talking about what we’re doing in the future and not necessarily going the Martha Stewart route, although she came out fabulously in the end.

Si: Yes. <laugh>. That’s true.

Monica: So, some of the things we’re focused on, I think is really what we hear our customers saying to us. Things that there’s no solution for. And just kind of understanding how we can wrap our arms around or tackle that. Some of that we’ve spoken about even in this conversation. What do we do about the fact that more organizations than ever before are being sanctioned for spoliation because we don’t have standardization around the preservation of mobile data?

And just kind of continuing to have conversations to understand what could go into that. What do we do to streamline the inclusion to make mobile data ubiquitous in eDiscovery cases and investigations? Now that we’re seeing not only can you be fined for not preserving it, but just for not having it present, and that kind of thing. So how can we bridge that gap of collection is for everyone, as opposed to, you know, a niche of folks as it was before.

There’s a couple of reoccurring themes that we’ve heard from the industry that we’re definitely having discussions about internally to understand how we address. And if it’s not something that you see in our product releases, then we always invite you to have a conversation with us, because what’s happening in the industry is really what drives what happens inside Cellebrite.

Si: Fantastic. Well, Monica, thank you so much for taking the time to speak with us today. We really, really appreciate having you on and we really enjoyed it as well. I think I speak for both of us there. Nod Desi. Yeah. Cool. <laugh> Man who needs another cup of coffee. So, thank you very much for listening to the Forensic Focus podcast. You can find any relevant links in the show notes, and you can find us on pretty much everything going: Apple, Spotify, and some other stuff. Desi, help me out.

Desi: YouTube.

Si: Thank you, that’ll do. So, Monica, you have the rest of your afternoon, have a lovely time. Desi, you have the rest of your day. Good luck mate. I’ll talk to you later. Fantastic. Thank you so much.
