The following transcript was generated by AI and may contain inaccuracies.
Michelle: Hi everyone, and welcome. Thank you so much for joining today’s webinar, A New Data Hope: How to Conquer the Data Frontier in eDiscovery – and Win. I’m Michelle Durrenberger, Field Marketing Manager here at Cellebrite Enterprise Solutions, and I’m thrilled to kick things off with you today.
Before we dive in, just a few quick housekeeping notes. Yes, we are recording today’s session. You will receive access to an on-demand version once the webinar wraps up. If you have any questions during the presentation, please drop them into the Q&A window. We’ll tackle as many as we can during the live Q&A at the end.
Don’t worry if we don’t get to your questions—we will follow up with you directly after. Now let’s get to the good stuff. I’m excited to introduce our two fantastic presenters today, Joshua Hickman and Andy Jacobs, two experts who are ready to guide us through today’s data journey.
Joshua Hickman is a digital forensics expert in the Digital Forensic Unit line of business at Cellebrite. Previously he was Senior Vice President with Kroll’s Cyber Risk Practice, the Forensic Scientist Manager of the North Carolina Crime Lab’s Digital Evidence Section, and was a Special Agent with the North Carolina State Bureau of Investigation, where he concentrated on violent crimes and computer and internet-based crimes against children.
Joshua also served as a police officer in his hometown. In his spare time, he conducts mobile digital forensic research and writes about it on his personal blog, the Binary Hick. I guess we’re going to have to Google that and check it out. What a great name.
And I’m happy to introduce our second speaker, Andy Jacobs. Andy is a Solutions Engineer here with Cellebrite Enterprise Solutions, and he enjoys the challenges that come with complex litigation and focuses on digital forensics and eDiscovery. He has spent the past 10 years consulting law firms, service providers, and enterprises as an expert witness in digital forensics.
As a man for others, he assesses the needs of his clients to provide critical feedback to posture them for success. He believes that management and preservation of data is a critical component to legal teams’ arsenals. Andy now resides in Denver, Colorado, and can be found enjoying the mountains or the wonderful food scene around the state. Wherever he may be, you can find him cheering on his Ohio State Buckeyes and pestering his wife. Thank you all so much for joining us. Thank you to Josh and Andy. If you’re ready, I’ll hand it over to you, Andy, so we can get started.
Andy: Thanks for having us. I chatted with Josh on this, and the one thing that we really wanted to talk about was the left side of the EDRM. Our agenda today is: where do we start? When I call you and say, “Hey, I have this case. I don’t know what this case is about. It’s a lot of data. Maybe it’s X, Y, and Z. Where do we even start? I don’t even know where to look.” That’s why Josh and I were thinking over ideas and this is where we were going to go.
So our agenda today is: where do we start? What does data look like anymore? How does it go on the left side of the EDRM, because I think that’s one of the more important spots. And finally, any questions that come up, please let us know. So where does our investigation begin?
I had a call come in one day and it was, “Hey, Andy, I need you to collect everything over here. Just everything.” I’m like, “Oh, okay.” A lot of phone data, a lot of computer data. I talked to the attorney and said, “Hey, there’s a lot of pictures on this device, a lot of videos, a lot of stuff that doesn’t really look relevant to the scope.” “Well, we need everything.”
You told me a story the other day and I was really curious if you could set that stage for us. Josh, I’m calling you as the expert. How would you scope that call out? Can you give me some examples? That’s where I want to start.
Josh: Absolutely. As it turns out last night, this is fresh up-to-date information. I had a colleague of my wife, who is also an attorney, contact me last night about something like this. I’ll share this story because I think it’s good at understanding how this all kicks off, where we come into play.
He had a very specific set of questions that he needed answered. I waited for him to finish and I said, “Okay, which one of those questions do you want me to be able to answer for you if you were to bring me this person’s phone?” He’s like, “Well, all of them.” I was like, “Okay, cool.” So I started rattling off these things. I was like, “All right, let’s see if we can’t further hone in scope and make your objective as targeted as possible.”
And I think that is where it starts. This is the root. If you mess this part up, the rest of it just follows on after. It could end up being a hot mess and just burning budget unnecessarily. It just falls apart from there. So I think going into or coming to your expert with a very specific set of questions that you need answered to accomplish whatever objective you’re trying to accomplish—that’s where it starts. And I think that’s the absolute most important thing.
There are other things too, but there are benefits to being very targeted in what you’re trying to accomplish. You save budget, you save time, you get information back quicker versus “give me all the things.” I had a situation where I was sent to do a collection from a set of custodians. One of the custodians—and this was a BYOD type shop—had taken all of her wedding photos, and that turned into an absolute nightmare from a collection standpoint.
Andy: I think data is just getting larger and larger, and we’ll talk about that in a minute. I remember the days when I had my first cell phone—a picture was so small. And now when I get asked, “Can we get everything?” That could be an absolute large amount of data. We worked on this PowerPoint together—I couldn’t send it via email because it was just too big. Things have just gotten large. So when you say “I need everything,” I think the consultant needs to really get in there and say, “Okay, well what exactly? When you mean everything, what do you mean—the relevant everything?”
Josh: Right. And as a consultant, we’re not trying to pester you or bother you or be naggy or anything. The reason we do that is to help you stay focused so you’re as efficient as possible, not only from a monetary standpoint but from a time standpoint too.
Andy: I think it’s one of my favorite parts about the EDRM in general. We have this—it could be a large amount of volume on our left side. And to me, that’s the most important side. Preservation is key in pretty much every case that we run into. Preserve the data in that state and time that’s needed. And then eventually we’re going to get to that right side of the EDRM where it’s a smaller amount of data set.
But when I get that call, “I need everything,” it’s let’s identify what we need, let’s preserve what we need, and let’s finally get into a state that we can review what we need. It’s costly. It can be, not just for your time, that expert’s time, but then if we do need to get into a review platform, we need to parse that stuff out. It can take months to look at all that data. Between our emails bouncing back and forth, our phones, our laptops, our social media, our cloud repositories anymore. You don’t need—I always push back on that “I need everything” comment.
Josh: Yeah. The custodian who had taken her phone to her wedding literally shot all of her wedding photos. Part of that collection process, I ended up having to call the counsel back for the client and say, “Hey, this is going to take a long time. There’s literally almost a full terabyte of data sitting here. It’s going to take a while to get.” I explained to that counsel, “Not only do I have to get it, but then I got to get it into—they were using RelativityOne at the time. I have to transmit that data up to a server somewhere. That’s just additional time.” But because it had not been properly scoped, we ended up collecting that entire phone.
Andy: I think one of the unsung heroes that I don’t hear much about anymore, but always saved me, was the custodian questionnaires. Where’s this data saved? Okay, do we need this? Do we—Andy has access to that. He might save something there. Maybe we should go. Or he doesn’t have access to that, so we don’t need to pull that full server. We don’t need to pull that full cloud repository. He only has access to these little—so those custodian questionnaires, I think, can be a fantastic way to save time, save money off the bat and keep things going.
Josh: From a counsel perspective, counsel may not necessarily be familiar with where all this data could possibly live. So the custodian really becomes that fulcrum in that entire process. Even if you don’t have a formal questionnaire that you can ask, I mean, sit down with the person who owns that device. “Where do you keep your data? Is there anywhere else? Is there another device in play?” We don’t know, but that person will know. People typically know where they keep their data. Even if they’re not very specific, they can at least give you some inkling of an idea about where I need to go to do that. And then it becomes a three-way communication: custodian, myself as an expert, and then counsel if that’s in play too.
Andy: Just the way it runs downstream. I thought this was highly interesting. So a KPMG investigation—they had a report that was published that said there’s five sources per custodian these days, at least from what they see. That can be a ton of data. And again, we talked about the custodian questionnaire, but I mean, we have computers. That’s the low-hanging fruit. I think not much has changed there in our investigations. We have our link files, we have our USB history.
But there’s cloud now, which is—God, I ran a case where a gentleman was syncing their Dropbox data from their server, logged in as Dropbox, right-click sync. Instead of having the three files he normally used, synced the whole thing, went home and just pulled everything. So if we were looking at, “Oh, were they emailing themselves X, Y, and Z?” No. Okay. Well, there was no USB history. USB is locked down. There’s so many ways anymore. These data sets just keep growing. So we have our computers, we have our cloud sources, we have our mobile sources. Social media can be highly interesting depending on the case.
Josh: Yeah, it’s interesting because you bring up the multi devices. I think PCs—laptop or desktop—like you said, that becomes low-hanging fruit, especially if we’re talking a corporate environment where your security systems officers have got pretty good visibility into the environment. But these phones and tablets can really start becoming endpoints where there is no visibility.
You mentioned the fact that your guy went out and uploaded stuff to himself or sent it over to Dropbox. I can tell you, at least on the consulting side, I would see that often where an organization had a bring-your-own-device or BYOD type setup. A lot of times your personal data gets commingled in with business data and it becomes a real headache, right?
If you were to take a look at my phone right now, I have my Outlook for Cellebrite and some other things, Cellebrite. But this is all on my personal phone. So if I ever had to be collected for whatever reason, they’re going to collect a ton of memes that I have on my phone because I think they’re hilarious because I think I’m a hilarious person. But then you’re going to get forehead shots of my kid where he likes to grab my phone and take a bunch of selfies and you can literally see him from here up.
I, as a collection person, would not want to collect that. That has no bearing on anything that I want to do. But because I’ve got multiple devices—I’ve got my personal device, I have my MacBook that’s synced to my personal phone. So if you were to collect my phone for Cellebrite data, you would find stuff from my MacBook sitting there. I literally have stuff laying all over the place. I have Dropbox. So to your point, not only are multiple physical devices in play, but you could probably have multiple cloud sources as well. You can just have data literally laying all over the place.
Andy: You mentioned forehead shots and stuff. We’ve all been there. You and I at least have been there where I’m going to go on location and collect someone’s data set. Okay. And it’s, “We need everything.” Well, if I’m pulling that full file system of a phone, I could be there for some time. That’s costing you money. That’s costing my client money.
And then if I’m going to have to go and upload all that to one of our favorite review platforms, now I’m having to go through all these pictures of just forehead shots that are taking up space in my review platform. So now it’s the paralegal’s time, the attorney’s time, the analyst’s time, and the storage space. I think if we can scope things out a little bit better and we don’t need pictures off Josh’s phone—it’s out of scope for this. We don’t care about Josh’s pictures. Maybe we just go after these text messages. Maybe we just go after these emails.
If we can start thinning that data set herd out on the left side of the EDRM to the right a little bit sooner, I think that saves everyone time. We also had a PWC survey that came in where 50% of cases take three to six months to complete. That’s a lot of time where we could be doing other things for these counsels and in-house counsel, these corporations. A lot of our listeners have other things to do other than dig through data and look at forehead shots.
Josh: Yeah, you’re absolutely correct. We talk about the collection side a whole lot, but the review side comes in—that right side of the EDRM—really that’s also a place that can be a real time suck, for lack of a better term. Because if I have an overly zealous collection, that’s going to result in people having to—like you said, I’ve got interns, paralegals and other people. Again, that’s time and money that is unnecessarily wasted when you could have been very targeted in your collection and culled down a lot of that data that they just don’t have to look at. So that’s always a plus.
Yeah, I mean, I saw personal photos all the time. It ran the gamut. A lot of times that was just because I had to collect it because that’s what the court was ordering us to do as part of some type of litigation or whatever.
Andy: Oh, yeah. And I think if we have—oh goodness—five devices or five sources of data, and we have 10 custodians, it’s a lot of data sets we’re going through. It’s funny—I found a 256 megabyte flash drive in my drawer the other day. I know, right? It maybe holds one presentation on it. But it’s like nowadays, I mean, phones used to be small.
Josh: Yeah.
Andy: I only got a one terabyte Pixel or whatever. Am I going to use any of that? No. It’s all saved at the cloud anyways.
Josh: Yeah, I’m going to age myself in case the beard’s not doing it right. My first computer had four gigs of storage. That’s all it had. And the baseline phone now has, I don’t know how many orders of magnitude more storage space than my first PC, which to this day just boggles my mind. But it’s absolutely crazy how much—
Andy: And you are reviewing that. Our attorneys are reviewing that, our paralegals are reviewing that, and all that’s going to our favorite review platforms. It is just, it’s a time suck. And if we can pinpoint what we need a little bit earlier—custodian questionnaires or maybe having conversations with people if we have that luxury. Because again, I mean, I don’t want to have to come to your house and collect a one terabyte phone and then all this stuff, and you’re going to be staring over my shoulder like, “Hey, Andy, can you leave? It’s like dinnertime.”
Josh: Yeah, right. Or if you’re in a corporate setting and I’ve had to send someone from my team to go do a collection, you’re holding me up from going home. I’m now still on the clock. You’re holding me here. You’re paying me to sit there and twiddle my thumbs while someone is collecting data off of my phone. So all of these ancillary effects that happen because we’re collecting data that’s not needed at the end of the day, you have to take all of these things into consideration.
Andy: I think that goes through our data governance side, which was the far left—who has access to what. It was funny, I was at a company and just started and I noticed I had access to my HR profile. Okay. And I selected that folder. It’s like, “Oh, now I have access to a few other things I probably shouldn’t.” And raised the concern, but it’s like different audits—who has access to what, where does this data live? What—we talk a lot about phones. We still love our phones and I think phones are the next frontier.
We—you mentioned earlier—laptops and desktops really haven’t changed much, but there’s still this data network side of things of who has access to what, and that data governance. I mean, heck, my buddy’s got a phone where he has two different profiles. One for work, one for his personal use. And it can go and just, if need be, wipe that work side of things. So keeping that separate, but the reach is there.
Who has access to what I think is a very big—it is a spot that maybe is overlooked. But there should be no reason I have access to my CEO’s full share. But Lord knows there’s companies—companies that are listening, please make sure you keep an eye on it. Make sure that the right folks—do your audits, do your checks, keep things locked down. And again, wherever that data might live. Because again, if I have access to all these places, I might be sneaking and hide something there before I leave.
Josh: Right. I think that the previous slide actually had something that touches on this, in that we talk about the accountability of actually just holding the data that we collect. You touched on it just a second ago, about the regulatory things that we have to take into consideration. Regardless if I’m collecting from a phone or PC or tablet or whatever. Whatever the digital storage is, cloud, once you collect it, you’re responsible for it at that point.
Think about all the regulatory requirements that come with data storage and processing. GDPR is huge. My wife—her company has a very large footprint in EMEA. She had to get spun up very quickly on what GDPR requirements were as far as data processing, handling, where it needs to go, wherever it is in the globe.
But even internally, even if you collect it from an employee, there could still be some PII or, Lord forbid, PHI, or some other intellectual property that you’ve now collected. Some of it may belong to your organization. Some of it may not. You may have a, again, a bring-your-own-device type setup where I have personal and professional data co-mingled. Well, even though I should not have had my personal data on there for whatever reason, I’m still responsible for it if I collect it and start.
So like you mentioned, who’s got access to these things? Does everybody need to have access? Absolutely not. You could have a disclosure requirement based on your regulatory requirements wherever you are. We have a multitude of data handling and regulatory requirements here in the US. But North Carolina, which is where I’m based out of, has actually something that’s written to the general statutes. Outside of civil stuff, there is a criminal component to it as well. So you have to take all these things into consideration because once you collect it, you own it until such time that you have disposed of it, according to whatever guidelines you may have.
Andy: And that’s fair. I mean, if we start doing backups after backups, after backups of your phone or my email or whatever, that can really grow. I mean, it depends if it’s full backup where every day I’m doing my 10 gig PST or whatever. I mean, you said who has access or heaven forbid there’s a breach or something.
Josh: Yeah, like—I’ll use my wife again as an example because she loves when I do this. Oh, does she know? No. Oh yeah. I tell her all the time. It’s fine. She’s a willing participant and I’ll just leave it at that. So she actually uses her professional laptop, a laptop that she uses issued by her organization. I see her all the time checking her personal Gmail. I’ll walk down the office and I’ll just happen to—“Hey, what’s going on?” And I’ll see Gmail open. I know that’s not work. She uses—they’re a Microsoft 365 shop. I’m like, that irks me as a professional in our space. That irks me to no end. Like you should never—streams should never cross.
Andy: Is that how you’re getting some of the gray?
Josh: Yes, absolutely. Between that and my kid. But it irks me because I always came up, “You don’t commingle your data.” But I think that that is a reality now. People do it, and we just have to take that into account when we start talking about data handling and collection.
Andy: I’m on your side on this one. I keep everything separate because I know darn well if anything—we’ve lived it where my wife kind of does the same thing. She’s an IT nerd and it’s—you love her to death. I’m like, “Honey, why? Why are you—why do you have a personal Slack on your work machine? Like, that’s—” “Well, I can chat you easily.” I’m like, “Oh God.”
Josh: You just die a little inside when you see it. That’s part of it. And she’ll ask me—
Andy: And they know what we do and it’s, “Honey, I—okay.”
Josh: Yeah, but from a collection perspective, like you said, you and I have dealt with this probably a million times, but that is just the reality of things. Especially when you get hired in a new job, they issue a couple of devices. There could be some co-mingling and you just have to take that into account and work around it.
Andy: Maybe your case that you mentioned before—I mean all these photos and whatnot—if that was maybe a work phone. Maybe they issued—it was a really nice phone. They issued better camera.
Josh: That’s right. Yeah. So yeah, you’re right. That’s a great point. Even if it’s just a company-owned device and I’m not supposed to use it for personal reasons, it’s going to happen. So yeah, I think going into collection and really review and everything, and presentation, all that, we have to go in with our eyes open and understand that there’s a good likelihood that I’m going to see some type of protected data type sitting there, and I have to take appropriate safeguards to make sure that I don’t get myself in trouble.
Andy: And before I go to the next topic, I’m going to hit on that because custodian questionnaire again, because I think they saved so much time. And it’s, “Darn it. Maybe I do use my personal laptop every now and then when I travel to check work email, because I’ll just log in like, ‘Oh, crap.’ I do send some text messages to clients or they’ll call my personal number. Yeah, I do do that, don’t I?” Where it’s like, now this just went into the fold.
Josh: I have a ton of people that I used to work with in the law enforcement space that still contact me on my personal phone with Cellebrite-related questions. So yeah, absolutely. It happens.
Andy: And we were talking a lot—a lot of phones. I still think computers are great. I mean, we’re on one right now. I think there’s your USB history. There’s always these footprints on computers. Everyone gets issued one. I might not get issued a phone. Did you get issued a phone? I got a test phone, I guess. But everyone gets issued a laptop or a desktop, whether their office. So it’s plenty of ways to stem from our cloud drives, our SharePoints. All that is tied to my laptop, my desktop.
And I think mobile phones are that final—well, I don’t want to say final because we have AI coming down the line. There’s never a final frontier.
Josh: No. There’s always something else.
Andy: There’s always something. But I still think phones are that wealth of knowledge. I mean, they track everything. They know how high—the altimeter on my device. They know how fast I’m going. They know what networks I’m on. I think computers being that low-hanging fruit. There’s a lot of data there that can make a case or break a case right off the bat.
Josh: Yeah. Some people do not have a traditional computing device if you think about it. Some people may not even have a PC. If it wasn’t for my job here, I would not have this PC sitting next to me. If it wasn’t for my job, I actually would not have a laptop. I could do everything I need to get done on a tablet. It’s not niche necessarily, but like you said, it’s that low-hanging fruit. These things have been around for a long time now. Not much has changed. They haven’t really, if you think about it. Windows, Mac OS—these things in some form or fashion have been around for quite some time. Linux, Unix.
Before that. So to your point, these phones—I’ve got a ton of them sitting on my desk—they’re very personal devices. If you think about it, I used to walk out of the house and make sure I’ve got my wallet, my keys. You do the pat. Now when I do my pat, I’m checking my back pocket to make sure my phone’s back there too because I don’t want to walk out of the house without it.
Andy: I’ll go to the gym. I have my phone with me for my music. I go to the airport. I’m scrolling on probably a social media because I don’t really do that at home. And my laptop stays in my laptop bag. I’d bring it if I needed.
Josh: Right. And you think about all the things that you do on your phone, right? Outside of things you mentioned—I pay bills on my phone. I make doctor’s appointments on my phone. I’ve fallen into that newer generation where I don’t like talking to people on the phone, so I would rather just send a text message. I get what the hype is about now, but a lot of people communicate in that way.
Andy: It could be a text.
Josh: It’s, like somebody—these calls could be an email. I see where you’re going.
Yeah, that’s exactly the sentiment. Think about that from a data collection perspective. It’s hard to collect a phone call. I can collect the phone—I can see that a phone call is made. But if you’re like me and you do most of your transactions via text, that’s better than a phone call. There’s communication. I can even see the contents of the communication.
Andy: Oh, and the metadata behind it. Who’s texting who, when they come in, when was it received? There’s—I mean, that’s a whole other conversation on metadata. I do think computers are a great place to start. Again, it’s the easy place to start. Every analyst knows how to do USB history if they’re a decent analyst. Everyone knows how to look at the created, accessed, modified dates. There’s a lot there that link to things. I’m a big fan of link files because it’s going to show me really what my machine was doing when, where, and how.
Josh: Right. And on top of that too, our phones are syncing with our computers now.
Andy: Heck anymore. I mean, where you wouldn’t have a computer, I would. Because World of Warcraft is actually still around. And I need my computer for that.
Josh: That’s a good point. That’s a valid reason. I’ll allow it.
Andy: Thank you, sir. Which I do want to talk about—we talked a little bit on computers for fun. One—cloud has been everywhere. I mean, I mentioned my case where someone did Dropbox and they synced things over. So these audit logs, the return of the audit logs, if you will. Not to be confused with anything else that returns. Audit logs—these cloud-based repositories are everywhere. I mean, we share things. SharePoint—you said the missus is a Microsoft shop. They’re SharePoint, all of the things. There’s Dropbox, Box. My Google Drive is synced to my phone, iCloud. How many times did you have a case where it was, “I don’t have my phone anymore. I lost it in a boating accident.”
Josh: Yeah. I had a really interesting—and actually—I did this one. It’s one of those things where you do the job well one time, and then word gets out and then they come back and want you to do that again in some other case. I actually had this happen several times where a potential client would say, “Okay, we’re interested in WhatsApp message history. Can you recover?” And my question back to them would be, “Maybe. Did they back their stuff up to the cloud?” Because a lot of these applications, even third party and native, they really harass you to back things up to the cloud.
And to the point, they’re so persistent. I’ll be like, “Finally yes. Just get off my case about this. Fine, I will do it.” This individual was backing their stuff up, their WhatsApp messages back up to their G Drive. And what ended up happening, we had a very long event horizon as a result because what I did is I had an exemplar device where I could sign into that person’s Google account, pull down the WhatsApp history and restore it to a phone and see messages that were going back for years. That whole thing that facilitated that was the cloud aspect of that. Things are getting sent up there. Sometimes users are aware of it, sometimes users are not, but it’s something that we have to take into account.
Andy: Well, the Mrs and I, like, we have a shared Google Drive. And it’s—the pictures get backed up automatically and it’s great. There’s a lot of easy things with it, but it’s every—everything is tethered to some cloud platform anymore.
Josh: Yeah. People—I mean, if you don’t sign into iCloud on an iPhone. Oof. They yell at you. Yeah. It yells constantly. It is not a pleasant experience. It’s like I don’t even want to use this phone anymore. “Fine, I’ll sign in.” I was teaching last week and one of my fellow instructors mentioned, she’s like, “I don’t pay for any extra cloud storage because I do all local backups to my workstation.” I’m like, “Wow, you’re definitely showing your age. Impressive.” But that’s how she managed her data. That backup was going to a MacBook that was probably syncing to iCloud, so it’s possible that those backups were still up there anyway. But yeah, I mean, cloud—
Andy: God, when you put it that way, that rabbit hole of, “Okay, like even though I’m not syncing my phone to the cloud, I’m putting it on the computer, which is going to the cloud.”
Josh: Right? It’s like inception. I mean, it just kind of goes on and on and on. And that from a collection perspective, and really when you interview your custodian, that’s kind of—you got to be thinking on those levels. Think of all the places that data could possibly get and maybe multiply that by three or something. And then you’ve actually probably got the true answer. I can put something somewhere and I may know about it, I may not as a user, but it may spider out and go in other places as well.
Andy: I mean, heaven forbid you look up one thing on your phone and how many times do you see, you scroll through Facebook or any social medias and it’s like that one thing you looked up is now everywhere.
Josh: Yeah. It’s that spider web of data. Wherever you’re signed in, just make the assumption that it’s there. And I think part of that scoping process is trying to determine, “Okay, custodian, what services do you use?” And don’t just limit it to the biggies, iCloud, Dropbox, G Drive. Think of other things—MEGA, that application wants to sync literally everything that you own to their backend. OneDrive, both corporate and personal. So you have to think about where could this data possibly go. It could go anywhere.
Andy: We talked about phones because we are—I think phones, like I said, maybe not the final frontier, but I know we do the pat down. I have my wallet, my phone and my keys. Don’t go anywhere without my phone. And there’s so much data on these darn devices anymore. With the phone unlocked, it knows—you and I can figure out—I know you can, maybe I can—you could figure out was the phone unlocked at a certain time? What app was used during that time? Fitness trackers—wife’s been dragging me hiking more to get in shape. So Strava, I’m a big Strava fan now, and it tracks the altimeter if you’re snowboarding. We’re out in Denver there. There’s data everywhere.
And we did a trend survey, and in 97% of eDiscovery cases, at least have one phone. Now I need to talk to Cellebrite who did this survey and see if that’s accurate. Because I have a work phone and personal phone. Now if I’m, like you said, co-mingling, I could easily see this number growing.
Josh: Yeah. Oh yeah. One of the things I dealt with at Kroll a lot of times was network intrusion and ransomware. Those—like, ransomware is just a nasty thing. But even if something—you think ransomware, okay, like attacker got in, they ransom the environment. As it turns out, I saw phones that came into play every so often with these types of cases because it was mentioned before—most of your security team is probably going to have pretty good visibility into laptops and desktop devices. But this becomes an additional endpoint that you may not have visibility. And that’s mobile device management—whole topic. But that’s where MDM really comes into play.
But it is something to consider. A lot of people, especially those that may have some type of public presence—think about LinkedIn, for example. I could use generative AI to craft some type of message that goes out to a person’s phone and continuously talk to them to the point where I have now gotten a set of credentials that I can access an environment. So phones are absolutely an attack surface. For things like ransomware, but also for other types of cases—think about intellectual property theft, or I have an individual who has left my organization, who took the client list with it. How did they do it? They used their phone and they got it out of there.
Andy: There’s so many ways to identify. Is it just taking pictures? Is it—someone may be leaving and this would be my next topic here in a minute. But if 97% of eDiscovery cases now have one phone, I would like to talk to whoever pulled that number. Because I think it’s going to grow. I mean, I have a personal phone. And then you have a tablet, which is still a mobile device. Now there could be three mobile devices.
Josh: You start getting out to that five device—three devices per person type situation. Oh goodness. Yeah, it’s crazy.
Andy: Wow. Now anything—I have—yeah, I have three mobile—oh, geez.
Josh: Uh-huh.
Andy: More mobile devices than computers. That’s—no, that’s something—
Josh: And I do, like, I have a phone, a MacBook, a tablet, and then I just have the big PC for Cellebrite-related things.
Andy: More Warcraft-related things. That’s mine.
Josh: Hey, same, same man.
Andy: It counts. On the phone side of things, I want to pick your brain on the different collection methods. Because if we’re talking to the left side of the EDRM and where do we really get in here in preservation, this is actually a screenshot from my old phone, my Galaxy. There’s a lot of junk on there. If I’m looking correctly, I mean, we have two different—we have Facebook, we have Signal, we have Discord. I mean, there’s a lot of different apps that I use. You and I might talk on Signal for a minute, then we’ll switch over to Discord for a minute and continue that conversation because it’s just the next app.
And there’s a lot of technology out there that allows us to put all those communication or conversations together in one thread from these different—I think it’s amazing. But you mentioned the point of how does data exfil. I think a lot of people talk. “Hey, we used to work together long ago. Do you remember that one project we worked on? Can you give me—what was that again? Who was that client?” “Oh, yeah, that one.”
Josh: Yeah, that’s—yeah. And think about it—I need to collect these sources. It’s part of my collection process. If the concern is data exfil, whether it be intellectual property or just again, a client list or contact information, something I should not be sending to someone else, just assume that individuals—like you said, they’re talking. Where they’re talking really just becomes a matter of what third-party applications. You got a few listed here.
Sure we offer the ability for Teams, or we offer Microsoft Teams as a part of corporate way to chat internally, in a corporate environment. We have Slack as well. Zoom has got a chat function. But I kind of think of this like my kid. If I tell my kid, “You can’t do X, Y, and Z,” he’s going to go out and do A, B, and C, until you tell him he can’t or he gets his hand slapped. And I think that this is a good example of that.
I know that the corporate overlords who are looking at Teams communications, they’re auditable. If I go to the 365 console, they can’t do that in Signal, they can’t do it in Telegram, they can’t do it to WhatsApp. So a lot of times you will find employees will be using these third-party chat applications to discuss business-related matters. It happens.
Andy: It’s funny. So I’m at a conference in New York—I was at a conference yesterday and I presented on a panel and I moderated the panel. And my first question was, “How many of you, hands up, send text messages?” Of course, everyone’s hand went up. “How many of you use a third-party app for those text messages? Like a Telegram or a Signal?” One or two went down. And it’s amazing—gosh, I remember when I was first getting phones and stuff, you had your Verizon text messaging app.
Josh: Yep.
Andy: And then it was the native Google app and now it’s Signal and Session and how these things expand. And I’m an Android or an iPhone user? I’m an Android user and I don’t have the blue—the bubbles that you have or the read notifications like iMessage. But I use Signal with Mrs. And she likes it because she gets to yell at me when I look at an app—look at the notification—and as I read it, I never respond.
Josh: You’re on the read receipts. Yeah.
Andy: I mean, there’s so many different ways and we’ll send something on Discord because maybe she’s on her computer doing something. Or there’s just all these—I have some apps on my desktop to communicate with our colleagues across the country, across the world, that maybe I can’t text. And darn it, we’re talking about that. I mean, these different chat applications that are cloud-based like we discussed before, that end up on my—okay, if I lost my phone, maybe I can pull from computer and everything’s backed up somewhere.
Josh: That’s right. And you brought up a good point. A lot of times—SMS, we talk about SMS—how many people are using text messages? Well, at least here in the US and I know elsewhere globally this is starting to happen, is you’re starting to see the rise of RCS—Rich Communication Service. It is the successor to SMS. The technology has been around for a very long time, but Google has really taken that mantle and ran with it as far as getting people to adopt it.
And a lot of them are using this technology that before I could get SMS messages from an AT&T, Verizon, insert your service provider here. But now with RCS, that’s not something that’s available. That is encrypted end to end. Yep. They have no more visibility into it. For iPhones, it looks like I’m talking to a green bubble, but I can clearly see it’s RCS. The same things apply—get read receipts. I’m not compressing media as it’s going through, like it did before.
So the days of going to the service provider to pull SMS, those are slowly coming to an end because of this technology that has been around for some time but is now starting to see mainstream uptake. So that again, another consideration that you have to have.
Andy: And I think every case is different. Obviously, we talked a lot about let’s try to target the data, let’s narrow it down. We don’t need everything. I mean, I had one person ask me, “Just give me everything that looks out of place or anything that looks right.” “Darn it. They have all these Excel files on their data. I mean, it might be part of their job. I don’t know how.” So yeah, we talked about a lot of that, but one thing I wanted to discuss was how that scope expands.
And we’re going to the middle of the EDRM. You the expert are kind of doing your analysis now. And we have our databases, we have our unencrypted and or our—I’m sorry—our encrypted data sets. We talked to Signal before. I think that’s the easy one because it’s all over. It’s pretty popular. But we have our parsed data sets, our unparsed data sets. And if the scope goes that way—“Josh, I need all messages. I don’t need everything, but I need all messages”—what workflow would you use on that? Would that be a full file system and pull keychains?
Josh: Yeah. At that point, I think so. And I think this is a testament to the—a lot of people are paying attention to privacy now. And from a person who uses this technology, I’m all for it. I like to be able to do certain things on my phone. Banking, sending information about a doctor’s appointment about my kid, or what have you. The encryption and this protection provides that overhead that helps us get these things done in a safe manner.
However, that being said, as a digital forensic practitioner, it irritates me to no end because now I have to deal with these things. So to say that I’m conflicted is accurate. But I think at the end of the day, I would definitely fall more so on the side of privacy without a doubt. I think that that is something that everybody has the right to. But to your question, yeah. At that point, if I’m starting to talk about text messages, I don’t—if I’ve got a good idea about what I’m looking at, then yeah, I may need to do a secondary extraction. If it’s messaging, I’m probably going to go for that full file system because I may only get one swing at it as far from a collections perspective.
That’s fair. And I better go ahead and just get it all if I’m able to do so. Now I know that that kind of seems a little contradictory about scoping. But again, that’s where scoping really comes into play. If I know that messages are something that my client needs, absolutely I’m getting a full file system because that’s the only way I’m going to be able to get not only the data structures that I need from a data storage perspective, but also if I’m dealing with an app that has its data encrypted at rest, then it becomes a matter of, “Okay, I’m going to need the credentials obviously to get into those data structures.”
Andy: No, and that’s a good point. Because we talked about maybe trying to collect less data and how do we do the scope to get to we don’t need everything. And that’s when you the expert can go, “Okay, Mrs. You’re Mrs as an attorney.” And she says, “Hey, we don’t need pictures for this case. We don’t need—” but we have this pile to pull from and darn it, I don’t need to go back. Because if you and I are—we see that we’re on Discord and “Hey, check your Signal messages.” Darn it. We didn’t check, we didn’t collect that. You get Signal.
Josh: Right. Yeah.
Andy: In our side of the house, we only get so much time with a phone. I mean—
Josh: Yeah, you may only get one swing at it. And you have to always keep that in mind, not only from a perspective of the custodian becomes unavailable for whatever reason, but the device—the custodian may still remain available, but that data, the phone may become unavailable at some point. Like you said, it may end up in a toilet somewhere. It’s an accident. It becomes damaged. We damaged it.
Andy: But luckily, like you said before, though, maybe it’s backed up to the cloud. But also are those encryption keys backed up? There’s so many different instances where it’s, I’d rather have it and not need it, than need it and not.
Josh: Right. And I think that’s where you have to lean on your expert to understand how these things work under the hood, so to speak. Where does the data live, but like how do these third-party applications operate? Generally speaking, I don’t have to be getting down to the bits of the matter, but I just need to have a general idea. And I think for those that have to engage experts in that fashion, I think that’s where you really have to lean on your expert, whoever that person is, to tell you so you can make an informed decision about next steps.
Andy: And there’s so much to do on these phones. There’s so much for these attorneys and corporations to manage. We talked desktops, laptops earlier, but it’s expanding in so many different ways with cloud applications. And finally, now we have social media on these devices. And how many times has there been a corporate leak on social media or some insider doing X, Y, and Z and posting? And I think everyone talks. People like to brag. I think people like to have fun with things. People get in trouble because they talk and when you have social media to hide behind, there’s just so much.
And to me, I don’t log into—what do we have up here? Twitter. I don’t log into Twitter on my desktop. I don’t log into Instagram on my desktop. But if I’m at the airport and my flight’s delayed, you know what I’m doing? I’m looking at different recipes on Instagram. Different smoking meats or whatever. Reddit—on how to change my hiking structure or my new backpacking. Like there’s so much to do on social media and it’s all tied to your phone. Well, a lot of it’s tied to phone.
Josh: Yeah. A lot of it’s tied. And I think the other thing to remember too is that each one of these that you’ve got up here—so we’ve got Bluesky, Reddit, Instagram, Facebook, and X or Twitter—each one of these applications actually have a one-to-one communication. So direct messages. But if you think about these platforms, especially Bluesky, for example, and I think X is a good one, I mean, these are micro-blogging websites at the end of the day. That’s their essence. And so we have a one-to-many type communication mode.
And to your point, I may inadvertently disclose something I should not have. I may have some access to some type of sensitive data, or I may disclose enough information about myself online to where I’ve now become a target for some type of targeted phishing campaign. I see all the personal data that gets disclosed on LinkedIn, for example. If you were to look at my LinkedIn, you could see I was here, I went to school here, I did all these things. You could possibly craft something to target me. And I think a lot of people forget that a lot of times. So again, to your point, be careful what you’re disclosing online, not only from a personal perspective but definitely for work.
Andy: I worked on a slip and fall. And again, I’m out in Colorado, so we have a lot of mountains around. I worked on a slip and fall and this person was suing. They fell and whatever, but they kept posting that they were skiing up in the mountains. It doesn’t really help when you’re bragging about you’re not working and you’re hurt so bad, but look at that snowboarding trick you just pulled off, the same day that you slipped, whatever.
Josh: Yeah.
Andy: People just seem to—everyone’s different, but be careful on what you post. Yeah. It could come back to haunt you.
Josh: But I mean, this is great. It becomes another source of data that you may have to collect because it may help you accomplish whatever objective that you have. In your case with—I’m sure there was probably some potential litigation going on there, that now becomes a very critical piece of information if I am the defendant in that particular case. And so that is something else I now need to collect.
Andy: And if there’s—yeah, there’s so much on social media and I think depending how we get there. Social media is another—and that’s a whole other webinar. And I think there’s a few things we want to finish up with and it’s—I like your point of trust your experts. Trust, talk to these people that know these tools. Use your custodian questionnaires on maybe where does this data live? What do we do? Where does it go? Like you, like we were mentioning different chat applications. You can put them all together. So yeah, trust your experts is where I’m going to leave it. Josh, do you have any final words for us? I see we do have some questions as well.
Josh: Yeah, I think that—I think the trust your experts one was really good. But I think the takeaway here is when you’re going into an engagement, whatever that is, come in with a set of objectives in mind. That helps you scope not only the amount of data but the type of data that you need to collect and probably later review. So a little work upfront will save you a ton of work on the backside.
Andy: I like it. That’s why we talked—I love the left side of the EDRM because if we can define what we need, we define our scope, there’s no need to go back to the well. There’s no need to call our custodians again and interrupt—
Josh: Right.
Andy: If we’re taking months to work on some of these cases and we have to go back to that interrupt another 50 people in the office. That’s a lack of production. That’s a lot of money. I saw we did have a few questions come in. What do you got for us?
Michelle: Yes. Thank you so much guys. Yes. We did have a few questions come in. Let’s start with the following question. With the move to Passkey and the Authenticator app, are you seeing an impact on collection and processing of cell phones and other materials? You want to take that one?
Andy: That cat and mouse game with the way technology grows and trying to get data and like you mentioned privacy earlier, it’s always the stretch of it though.
Josh: Right.
Andy: And I saw your message. “I have searched public social media before to track down potential witnesses.” That’s fantastic. Like that’s spider web of where people are and whatnot.
Josh: Yeah. Another source of info.
Andy: Oh, there’s so much.
Michelle: Wow, guys. Time really flew by. We’re just about out of time, so we’ll go ahead and wrap things up here. Now, if we didn’t get to your question during the session, don’t worry. As we said, we’ll be following up with you individually after the webinar to make sure you get all the answers you need. And I just want to give a big shout out to everyone for joining us today. We really hope that you found this webinar valuable and inspiring.
And remember, if you have any questions, please feel free to reach out to us here at [email protected], or you can reach out to our two fabulous presenters at their email on the screen. Thank you all so much for joining us, and we’ll see you next time. Thanks everyone.
Josh: Thanks for having us. Take care.





