Leveraging SaaS To Power Mobile Data Collections

Julie O’Shea: Hi everyone. Thanks for joining our webinar today, Leveraging SaaS to Power Mobile Data Collections and Advanced Collections. I’m Julie O’Shea and I’m the product marketing manager here with Cellebrite Enterprise Solutions. Before we get started, there are a few things that we’d like to review. We’re recording the webinar, so we’ll share an on-demand version after the webinar is complete. If you have any questions, please submit them in the questions window and we will answer them in our Q&A. If we don’t get to your question today, we will follow up with you directly after.

Now, I’d like to introduce our speaker today. We have Monica Harris. Monica has decades of experience, specializing in the development, implementation and training of software for eDiscovery services such as KLDiscovery and Consilio. Before joining Cellebrite, she worked with the U.S. Food and Drug Administration, where she oversaw policy and procedure curation, enterprise solution rollout and training for enterprise solutions. She is an active leader and mentor in the eDiscovery community and has lectured on trending topics in eDiscovery at American University and Georgetown University, and is the co-project trustee for the EDRM Text Message Metadata project. Monica has previously served as the assistant director of the DC chapter of Women in eDiscovery, and as a board member of the Masters Conference. She currently serves as immediate past president of the Association of Certified eDiscovery Specialists, DC Chapter, also known as ACEDS, and is a member of the EDRM Global Advisory Council. Thank you for joining us today, Monica. If you’re ready, I’ll hand it over to you now so we can get started.

Monica Harris: Thank you, Julie, and good morning, good afternoon, and good evening everyone. Welcome to Leveraging SaaS to Power Mobile Data Collections and Advanced Collections. For the next 30 minutes or so, I’m going to tell you a story. A story that’s going to focus on what is happening in our industry, or what’s called the why. And then we will talk a little bit about some mobile forensics education, the how, and then we will launch into our big reveal. So let’s get started talking about some industry trends or just some things at Cellebrite Enterprise Solutions that we have noticed are going on in the industry, often called pain points.

So let’s start with infrastructure, because we have noticed for enterprise level mobile data collections, when we’re talking to our community at large, infrastructure could be a major challenge. So what do we mean when we talk about infrastructure for mobile data collections? So some of you may have seen The Lincoln Lawyer on Netflix, particularly season one because I think there might be two seasons out now. In episode eight, the main character uses a UFED Touch to conduct a mobile collection. So he connects his device right in the car and does the collection on the spot. It’s absolutely amazing, and when we’re talking about mobile data collection and infrastructure challenges, that is not what we’re talking about.

Specifically, what we’re talking about when we talk about the infrastructure behind enterprise level mobile data collection is something similar to what you see here. This is the infrastructure behind Endpoint Inspector, which is Cellebrite Enterprise Solutions’ flagship remote collection product, for a remote collection of computers and phones, and then in addition to that, it also has the ability to collect from cloud. It’s a single point of glass, or it’s a single pane of glass, I should say, for several collection sources. Although this is specific to one product and one solution at Cellebrite, most of the architecture behind mobile data collection, when you’re talking about enterprise level, when you’re talking about large corporations, when you’re talking about service providers, it pretty much works the same.


So let’s dive into a little bit of the busyness that could be happening in the architecture behind an enterprise mobile data collection solution. So starting with the investigator. The investigator could be you or I. It’s the investigator, it’s the examiner, it’s the eDiscovery practitioner. It is the person that sits down at a workstation and begins the collection process. They are looking to collect data. Once they set up that collection, there’s generally a server. There is a server someplace, somewhere. That server is going to receive the request that comes from the examiner, the investigator, you or I, and then it’s going to begin talking to the endpoints that the collection is for. The server is kind of your project manager. Let’s say, it’s your project manager in your entire setup, in your infrastructure setup. And when it starts talking, it could potentially, in this particular scenario, be talking to an endpoint that could be located at the office.

It could be talking to an endpoint that could be located at home, or it could be talking to an endpoint that’s going to connect to a mobile device, that is then going to send back data to a storage repository. That storage repository and the server, they could be the same thing, they could be separate. But basically, the takeaway from this slide is that the architecture for enterprise level collection of data, not just mobile data, but data in general, is complex. It’s very complex, and that’s one of the trends that we’re seeing in the industry today. One of the reasons why the infrastructure behind enterprise level collection, mobile data, is so complex has to do with the way that mobile data evolves. It is an emerging data source.

So for those servers, if you think about that server that had the box around it before, in that previous infrastructure slide, whether that server is Windows’ or Mac’s, the first set of updates that you could see that would have to be applied to the server is the fact that it could be a Windows or Mac server. Right? So you’ll need all of the updates that go with those operating systems to make sure that they’re up to date and secure. Then there is the fact that those servers need to talk to endpoints, and those endpoints need to have the latest and greatest in terms of innovation to be able to collect from whatever device that it encounters. But not just the device, it could be an iOS 15 that is looking to be collected, in case you are fortunate enough at this early date to have one. Perhaps you’re like me and you’re waiting for Black Friday. Maybe you’ve got one at your desk right now, and that’s what the examiner or the investigator’s looking to collect from.

Maybe you don’t have an iOS or maybe you don’t have an Apple 15. Maybe you’ve got an iPhone 14, but your iPhone 14 has iOS 17 on it. iOS 17 came out about a month ago. By the time that I think a lot of you will be taking a look at this webinar, it could be that it came out about a month and a half ago. So right now, my phone is on 7.03 and that means about five weeks ago, 7.0, or 17.0 came out. So that’s, what, three updates in five weeks. That’s how often an operating system on an iPhone can update. Then add to that, Android has 14, that’s also recent, and with Android, although we don’t see as many consistent updates to the operating systems, the devices themselves that can work with the Android operating system, there is a plethora of those, whether it’s Samsung, Google, Huawei, the list goes on.

There are several Android manufacturers. So when that server is talking to endpoints, it needs to have all the intelligence that goes along with all of the various types of devices and all of the various types of operating systems that could be on devices, because not all of us always have phones that are up-to-date. It could be a matter of when your phone connects, when you’re connected to Wi-Fi, when you have power and connected to Wi-Fi, a combination of both. And then last but not least, add to that the applications that could be on the operating system, that could be on the device. On the right-hand side of the screen is a list of chat applications. Some of them might be familiar. Perhaps you’ve heard of Telegram, perhaps you’ve heard of Line or WeChat, but all… Or maybe even Discord, I think we used that for capture the flag not too long ago here at Cellebrite. But all of the applications that are listed on the right side of the screen are existing applications today, and if you’re not familiar with them, they could be applications that you could potentially run into in the near future.

So when we think about some of the challenges that come with maintaining servers, that do enterprise-level mobile data collection, there are several things to consider there. The server itself, the operating system that it’s running and making sure it’s up-to-date and secure. And then what the server does, its functionality, its purpose, the number of devices it can interact with, the number of operating systems that could be on those devices, and then the number of applications that could be on the operating systems, on the devices, that are touched by the server. All of that complexity is built into the trends that we see for server maintenance and server upgrades, particularly when, depending on who you are, these servers could be maintained by smaller groups. Let’s say, close groups of say, collection practitioners, forensic users. You may be in a company that’s in telecommunications, a company that’s in healthcare, a company that’s in insurance, and you’re in legal team, you’re an eDiscovery team, you’re on a forensics team. You may be running a skeleton crew, but yet part of your duties could be to maintain this infrastructure, to conduct this level of collection for hundreds of people.

Maybe you’re not inside a corporation, maybe you’re part of a service provider, right? So in a service provider, whether it’s a forensic service provider or an eDiscovery service provider, you are going to be dedicated to this work, but then it’s a different scenario there. Now you see hundreds and hundreds of customers, and you are much more likely to run into the different variations of phones, the different variations of operating system and the myriad of applications. So all of this factors into the complexity of infrastructure for enterprise level solutions and mobile data collection.

Then there are the data volumes that are increasing in eDiscovery. What you are looking at here are stats from a Logikcull blog that came out about a year ago, and I would be very interested, for reasons that we’re going to talk about in a moment, to understand if this is still the case. I think when we began to talk to the community at large about what they’re seeing, on average per case or per investigation, we’re going to find that these numbers have gone up. But right now, the community at large is aware of the fact that for a case, the average volume of data is about 130 gigs, about 130 gigs, and I wonder if that size has gone up. That means that that’s about 6.5 million pages of data because there wasn’t always an E in front of the discovery, and that the average number of custodians per case are 10 to 15.

So what does that mean and why may those volumes be going up? Well, that is due, in part, to the nature of the workforce. I think now we can call it post-pandemic era. I feel comfortable saying that, but about three years ago, we did start the trend towards remote work and then we begin to come back in hybrid fashion. But as of right now, these stats are from September, about 40% of us are either full-time remote or hybrid, a combination of the both. 40% of the workforce in the U.S. 65% of workers report wanting to work remote all of the time, and 98%, that is the highest stat in this entire presentation, 98% of workers want to work remote at least some of the time. And when we are not in the office, when you don’t have the ability to have those water cooler chats, when you don’t have the ability to walk up to someone in the office and begin to have a quick chat, what do you do?

You sit down at your computer, you pull out your phone, you pull out your tablet, and you start a conversation. Depending on what the nature of the conversation is, it may not be email, it could be text message, it could be any of the ways that we can continuously communicate with each other. So then you begin to have that short message, that continuous message, that text message conversation. But this is the reason why I think those stats that we saw in the previous slide, they’re going to go up because this slide indicates that we’re going to see more of a trend towards remote work, and as long as that’s happening, we’re going to communicate more, and we’re going to communicate more within emerging data sources. That is my prediction. But when we’re communicating with each other through those emerging data sources, we’re often using our own devices that are enabled for work and for remote work at that.

Right now, 80% of organizations support bring your own device as opposed to company-issued devices. And that brings with it challenges that we’ve been looking at, I think throughout the past three years, and we’re still considering, they’re still front of mind. First and foremost, being employee privacy. When you are using your own device to have these conversations, because you may be part of the 40% that are full remote or hybrid, or part of the 60% that would like to be, then when there’s a need to collect for an investigation for a case, there is a real concern about understanding that only the data that’s relevant to the matter is being collected. That is still at the forefront of everyone’s mind and still a trend in the industry that we’re seeing today. But the biggest trend, potentially, is the most sensational.

About a year ago, I used to ask, what would it take for mobile data collection to hit its tipping point? The answer to that… I’d say maybe about two years ago I was asking that question, I think the answer revealed itself last year in all of the sanctions that we began to see in case law, whether it be civil or criminal. If you are interested in some of those cases that carry sanctions, Lubrizol, Pork Antitrust, for example, there’s a wealth of information that could be found about case law that involves text message data, in sources like Doug Austin’s, eDiscovery Today blog. That’s a wonderful source for those cases. And then in addition to that, Kelly Twigger’s eDiscovery Assistant. Her Case of the Week, goes and dives into a lot of case law as well, and a lot of that, just because of the trends. And a lot of the trends that we’ve been talking about during this webinar, they talk about cases that deal with text message data, but when you’re talking in your own organizations, you can go either route.

You can take a look at eDiscovery Today’s blog or eDiscovery Assistant Case of the Week, and you could pull those cases. I believe these same cases are included there as well. The difference is, these cases are sensational because of who they involve. It may be a little bit more challenging to remember what happened in Lubrizol. It may be a little bit more challenging to remember what happened in Pork Antitrust, but it’s pretty straightforward to remember Bob Dylan, Johnny Depp and Brett Favre. As long as you can remember those three folks, then you automatically will have at your disposal three cases, three civil cases, that involve text message data.

So let’s jump in starting with Bob Dylan, Bob Dylan who dodged a bullet because there was a case that was brought against Bob Dylan that was dropped. In the case, he was accused of sexually abusing a twelve-year-old girl in the ’60s, and as it turned out, it was not chronologically possible based on what the opposing party said they had as discovery. And part of what they said they had as discovery was in text message format. When that data was requested, the case was dropped. The case was dropped and as a result of that, sanctions were then requested, as a result that the case was even brought up against Bob Dylan. So this is definitely a case of when text messages weren’t able to be produced, the case was dropped, and then as a result of that, sanctions were then requested from the party that brought the charges or the allegations to begin with. So Bob Dylan and text message data definitely go together in civil cases.

But not just Bob Dylan, Johnny Depp. And this may be a case that you’re familiar with because while this happened last year, Netflix, Netflix strikes again. Netflix has made it relevant for us, with a recent documentary that came out earlier this year. What’s the takeaway from the Johnny Depp case? The difference that text messages can make. I was fortunate enough to be joined by Kenya Dixon at Relativity Fest this year, who reported on this very specific case during our session, and we do have a difference of opinion. So here the text messages were admissible in the UK, which is where Amber Heard won her defamation… Or won the defamation case that Johnny Depp actually brought against her. But the same text messages were not admissible in the U.S. And therefore Amber Heard lost.

Now, I’m sure an attorney will tell you that there were several reasons why Amber Heard lost, but text messages, as you can see in these headlines, factored into the case. If you ask Kenya, she’ll tell you that that had to do a lot with the ability of the legal team. If you ask a legal technologist that works at a digital intelligence company, I’m going to tell you it had to do with the evidence. It had to do with the evidence and whether or not it was admissible. This is a second case that was won or made, or won or lost, or in this case since it was tried in more than one country and more than once, it was actually won and lost. And a lot of that had to do with the evidence that was presented, and a lot of that was text message data. Not a lot, but it factored in and it was important.

And last but not least, Brett Favre, this case is actually ongoing. So we can look forward to more information about this in the upcoming months, and I’m sure that I’ll be including it in another webinar. At a very high level, in this case, Brett Favre was looking to build a volleyball arena at the University of Southern Maryland. And in conversations that happened via text, it was decided… Excuse me, it was decided that welfare funds were going to be used to build that arena, which sounds like a big no-no. Marcin Krieger, who also joined me at Relativity Fest in my session, did an amazing job of presenting this case. But at a 50,000′ view, Brett is being asked for text messages, which he’s saying, not only does he have, but he cannot necessarily verify that the text messages came from him. He can’t authenticate them.

Of course, through triangulation, we can see that several other people have these text messages, but Brett seems to be answering a question that we’re not asking, in addition to not having evidence that has already been collected from other sources. So how this unfolds, this should be interesting, and I look forward to continuing this conversation with you all in future webinars. But these are three cases, three cases of celebrities, celebrities who have had civil cases brought against them. Text message data was part of the smoking gun, to be determined in some cases. We’re still trying to understand what’s happening with Brett Favre and the University of Southern Mississippi, but every headline that I have seen about this case involves text messages. So I’ll definitely be following this closely.

So for our industry trends, how does that summarize or what is our summary there? Enterprise solution architecture is server-based, that’s the most important takeaway from that really complicated diagram that we were looking at before. It doesn’t necessarily have to be a Cellebrite product. It doesn’t necessarily have to be our flagship product, Endpoint Inspector. When you’re talking about enterprise-level architecture, somewhere there’s a server and that server’s going to need to be maintained, and that server’s going to need to have updates because of the emerging and evolving technology that that server works with, whether it’s the device, the operating system or the application, or the applications, excuse me, that are on the mobile device.

Data volumes are growing. Data volumes are growing, and while we’re looking forward to new stats coming out in the new year, because we’re in Q4 of 2023 now, we know that’s happening because of trends within the workforce itself. We are leaning in or fully embracing remote work and hybrid work, and as a result of that, we still have to keep an eye towards privacy because while we’re at home, we are using our BYOD devices to communicate. And it’s not just the workforce, it’s celebrities too. It’s celebrities too, and there is plenty of civil case law to illustrate that, if you want to have these communications or if you want to start these conversations in your organizations about why text message data should be a part of all of your cases and all of your investigations.

So now that we’ve set the why, or talked a little bit about trends, let’s talk a little bit about mobile data collection itself. When I have an opportunity to talk to our community at large, there are some questions that consistently come up, and one of the most frequent questions that I encounter is when you receive a Cellebrite report, regardless of what format you might receive that in. Maybe it’s a UFDR and you’re using a Physical Analyzer, our Reader, to take a look at that, or maybe you have a CSV, the dreaded CSV, and you’re taking a look at the data in that. How do you know what was collected? How do you know what was done? So we have this slide here. If you’ve been with me in webinars before, you may have seen this slide. So I’ll try to walk through this and explain what mobile data extraction is for us here at Cellebrite.

So really this slide boils down to three type of extraction types. There’s logical, full file system and physical. For logical, you can break that up into two types. There’s logical and advanced logical. Logical is going to be the most basic form of extraction. You’ll get text messages, you’ll get contacts, call history, and then you’ll get some photos that go along with that. Well, just generally media, so it’s not just photos, it could be your audio as well. For your advanced logical, which usually means we are working with a backup. You usually see this when you’re working with iPhones. This is not an absolute, but it is very, very common when you are looking at iPhones. So you get everything that I just talked about, but because we are doing forensic extraction, you get a little bit more than the text message, the contacts, the call history and the media. You can also get a manifest of applications.

What does that mean? That means that if I were to do an advanced logical extraction of my iPhone 14, I would be able to see every application that’s on my phone. I wouldn’t be able to see what I use those applications or how long I use those applications for, but I could still see a manifest. For companies, let’s say for those who are in the financial industry, and you are regulated, and you’re looking to understand if your employees are talking to each other through unsanctioned applications, if you had an application manifest, you could then say, “Okay, I’m looking at about 10 employees. Those 10 employees all share applications,” maybe one of the applications I showed you in an earlier slide, maybe they all have Viber. If you’re noticing that all of your employees have Viber, it may be worth doing a full file system extraction to understand how long they’re using it, how often they’re using it, and then actually to collect the data from Viber itself. That is the difference between the advanced logical and the full file system.

The advanced logical is going to give you those applications, some device info, but the full file system extraction is going to give you a lot more. So what do we mean by device info? For example, device info will tell you things like whether or not automatically delete text messages in 30 days was set up on your phone. That’s a very important question. In some of the case law that we see, not the sensational case law that we went over earlier, but in some of the case law, there have been times when sanctions have not been imposed because custodians had their phones set up to wipe every 30 days, in terms of their text messages, and that was done far in advance of when the case actually began. So understanding information like that, that’s part of device info. That is not something you’re going to see in a logical extraction, but you can see it in some cases in advanced logical, you can absolutely see it in a full file system.

The full file system is the new holy grail, I call it, in terms of the amount of information that you’re going to be able to collect because it allows you to get into some of the more sensitive parts of the phone. That would be secured folder locations if you have an Android or maybe even an iOS keychain, but more importantly, that deleted data. We know with iPhones that was made easier than ever for no reason than we’re retaining text messages for 30 days. You don’t need a forensic extraction for that, but then what happens to the data after that? Full file systems have the potential to collect that data because they’re still the eDiscovery, it depends. It depends, and then of course there is physical extraction, that bit by bit copy or image of the phone.

As our phones have evolved, when you think about what we were talking about with server infrastructure and all of the complexity there. So as the devices themselves have evolved and we started to see things like full disk encryption, file encryption, and just several different layers of encryption that can be found on a phone, physical extraction, a physical imaging of phones has become more challenging with newer devices. So that is why we call full file system the new holy grail because you really see physical imaging of phones in older models, but not necessarily some of the newer ones like the iOS 15 that some of us may be clamoring to get. So at a 50,000′ view, that is mobile data extraction explained, but since we talked about condensing it down, right? So that physical imaging we usually see for older phones, and then the logical is contained in advanced logical.

So let’s take a moment to talk about the advanced logical versus the full file system and expand that out. In the previous slide, I’m showing you maybe about five or six things per extraction type, but this drills in far more in depth, in terms of what you can get with an extraction type. So for instance, if you’re looking at one of those Excels that Cellebrite has the ability to generate after you see an extraction. And your Excel has, oh, I don’t know, one, two, three, four, five, six, seven, eight, nine, 10, 11, so that’s 22, 24. If you see about 24 tabs in your Excel, then more than likely you are looking at a full file system extraction. All right, that is not something you’re going to see in advanced logical extraction. I can tell you that much. Now, whether or not it was a logical or advanced logical extraction, there is a few things that go into that. For instance, you’re not going to see browser history in a logical extraction, that was not on the previous slide. You’re not going to see documents in a logical extraction, that was not on the previous slide. You’re not going to see a list of applications in a logical extraction, that was not on the previous slide either.

So hopefully between this slide that’s very specific to the slide that you saw before, that will help you identify, when you’re looking at various reports that could be handed to you, if you are not the collecting party, if you’re the receiving party and you’re wondering what happened, well, we encourage you to have the conversation. That’s always the best way, but there’s also ways when you’re looking at the actual report that’s a part of the extraction, to understand what happened, or when you’re requesting a mobile data collection to know what to ask for. If it’s not enough to know if the application exists on the phone, if you actually want to know if it’s being used, then that’s a different conversation that you’re having with your collection practitioners. Same if it’s important to you to understand some of the more complex things that you see in the green box, like locations, for example, like cell phone towers. Those are all the power of advanced extraction. That’s not what you’re going to see in a logical or advanced logical extraction.

Also, I think what’s important to note on this slide is, when we’re talking about logical or advanced logical extraction, that can happen remotely. That can happen remotely. You do not need to be in the same room as the custodian or the employee. You do not need to take their phone away from them and disrupt them from business. That can happen remotely. Whereas advanced extraction, advanced extraction that is almost similar or akin to imaging or a physical copy of the phone, you must have the phone in hand for advanced collection. That cannot happen remotely. And due to the nature of that technology, as intuitive as it is, that is not something I would walk a custodian through. No, that would not be a great custodian experience.

All right, iCloud versus iTunes backup. What’s the difference? So just bearing in mind conversations I’ve had in the field with the community at large, oftentimes when I am talking to folks, I get the impression that, although the word iTunes is being used in conversation, they’re actually talking about iCloud and they’re not the same thing. So I thought that we would take some time to dive into that and talk a little bit about what the difference is. So iTunes, what’s the takeaway from this slide? The takeaway from this slide is for iTunes, you need a cable. It’s going to be the charging cable of the device. Well, it’s iTunes, we’re talking about Apple. So it’s that proprietary charging cable that the phone came from, and you need to install iTunes on a computer. So an installation on a computer is necessary. In addition to that, you’re going to need the charging cable of the phone, and in that way, you can move data back and forth between the computer and a device, and a device, as opposed to iCloud, which automatically backs up everything on your phone with a Wi-Fi connection, assuming you don’t go into your phone and change what iCloud backs up.

So you do have the ability with iCloud to say, “No, I actually do not want certain applications on this phone backed up.” But if you don’t, by default, iCloud will back up almost everything on your phone and it does it automatically, as long as you’re connected to Wi-Fi. So there is a difference. iTunes backups don’t happen automatically. That has to be initiated. It’s a very manual process. It requires a download and it requires hardware, whereas iCloud happens automatically and contains a lot more data, quite a lot more data. It’s almost the difference between a logical and advanced extraction. Almost, but it’s a good mnemonic device if you want to think about the two.

So then what’s the difference between an iTunes backup and an advanced logical extraction? Well, they’re very, very similar. They’re very similar in terms of what you can bring back, but there definitely are some differences. I think at the heart of the difference is the fact, that with the advanced logical extraction, that you are getting a forensically sound collection. So there’s a little bit more data that comes across in that extraction. And with that, we’re talking about things like your applications, your device information, and that partial file system data. That’s important, and that does make up a difference, like that application manifest, like the ability to understand, for example, some of the settings on the phone and then also the forensic container that the advanced logical extraction comes in. If you think that for any reason you may find yourself testifying in court, then the forensic container that’s hashed, that can prove that that’s a forensically sound extraction, that is the way to go.

That is the way to go for sure. But sometimes the smoking gun can be in the picture that is painted, and that is the difference within advanced logical extraction. About 60%, a little bit higher, of us in the United States have iPhones. We are a nation of iPhone users, so advanced logical extractions are normally what we see. We understand that there are Androids, but most of the time when I have the ability to talk to folks like the ones who are attending this webinar today, we’re talking about iPhones, we’re talking about iTunes, and so that brings advanced logical extraction to the forefront.

So the industry education summary. So in the past couple of minutes we have talked about mobile data extraction types, and they really boil down to three. Logical, whether that’s logical or advanced logical, full file system or physical extraction. Logical extraction or advanced logical extraction for Cellebrite is what we call remote collection. Full file system is our advanced collection, and then physical extraction, which we have seen begin to become sunsetted as we see devices evolve. There are significant differences between iTunes and iCloud. Please do not use the two interchangeably, and then there are also differences between iTunes and device extractions, and I’m talking about those three extraction types that we talked about previously, primarily in how forensically sound it is in terms of that container, and primarily, and some of that more pertinent information that can come through in an advanced logical extraction that you may not see in an iTunes backup.

So now that we have talked a little bit about trends, and now that we’ve had a little bit of education about mobile device collection, let’s talk about the innovation. This is what we call the SaaS Trilogy, and this is why I’m so excited in today’s webinar today, because this is our big reveal. So in the SaaS Trilogy, we’ve talked a little bit about those trends, a quick summary of that, and then we’ve also talked about industry education, but it wouldn’t be a trilogy unless we added the innovation piece. So trends, education and innovation, because after all, who doesn’t love a good trilogy? Who doesn’t love a good trilogy? We all love a good trilogy. So with that, we also talked a little bit about advanced logical remote collection, right? And then we also talked a little bit about full file system.

Earlier, you may have remembered when we were looking at that very complex diagram of enterprise level architecture for on prem and cloud mobile device, I also talked about it’s not just mobile device collection, it can also be computer collection, and maybe with computer collection you might be doing incident response, and maybe conceptually that would be a trilogy. But today, today specifically, we are talking about the release of our very first SaaS product. The first SaaS product in a line of SaaS products, and that product is called Endpoint Mobile Now. With Endpoint Mobile Now, we have taken a look at all of the trends that we just discussed at the beginning of this webinar. The why, it is a SaaS solution that eliminates the complexity of that diagram that you saw earlier. So there’s no need for deployments, there’s no need for deployments at SaaS. There’s no need for maintenance or updates. The maintenance or updates that you know are consistent, because the operating systems on our devices are consistently updating, because the devices are consistently updating, and because the applications on the operating systems on the devices are constantly updating.

Imagine how many times you would have to update a server for enterprise level mobile data collection solution just to stay up to date with that. Well, now you don’t have to worry about that at all because there is SaaS. Real time mobile data collection, meaning you can collect when you need to collect. I wonder, out of all of those sensational cases that we talked about, would Brett Favre still have his text messages if we could collect from him in real time? It’s a question. It’s a question, we don’t know. We don’t know, but also real time mobile data collection is not as ubiquitous as we hope that it will be a year from now. But right now, you have the ability to collect mobile data that is always up-to-date for the latest technology that you can encounter in real time, and it is scalable.

It is scalable. If you collect 50 phones a year or if you collect five phones a year, this solution will work for you. And it’s actually tailored not towards the 50, it’s more tailored towards the five. It’s tailored towards organizations that are still understanding the trends and the education that I’ve presented in this webinar. It is tailored towards organizations that are seeing growth in mobile data collections, in their cases and investigations. So let’s show you, for those organizations that are seeing those trends, that are seeing that growth, that want to bring a mobile data collection system in-house, but perhaps do not have large teams that can work with the server maintenance updates, that can work with all of the evolving technology. We design this to be as simple and as easy as possible so that, when you get that investigation or when you get that case, you can get to that data as quickly as possible.

Now, I’ve done a lot of talking. I’ve done a lot of talking, so let’s show you what that actually looks like. This is Endpoint Mobile Now. When you first have access to the SaaS solution as the examiner, right? When you think back to that complex architecture diagram, there’s actually only two pieces. There’s only two pieces to that architecture when you’re talking about SaaS. And one is I am the user, I am you. I am the examiner, I am the investigator, I am the collection practitioner, and I know that I need to initiate a collection. So what do I do? I come into this product and I start with start collection. When I click on start collection, the application is going to ask me for some very, maybe about three, four pieces of information. So I can come in here and I can give this a collection name. I can set up a storage repository because the data that you’re going to collect is going to go to a storage location that you designate here.

No data that is collected is stored in the SaaS solution. I’m going to say that again. No collected data is stored with Cellebrite, none of it. The SaaS server that is set up here, its only job is to send emails and then tell the data to go back to a storage repository that is designated by the examiner. The examiner can choose a network location behind their VPN firewall to send that data to, they can choose an Amazon S3 bucket, or they can choose Azure Storage. Did I say SFTP? SFTP too. That list is growing. That list is growing, so we have a few options there. In addition, to anyone that does not want to send data over the network, you can also save it locally, right? So there’s several options for where the data goes, but the most important takeaway, when it comes to Mobile Now, is the data is not stored by Cellebrite. We are not hosting any data, so that data can stay within your network.

You’ll need the name of the custodian that you’re collecting data from, and you’ll need the custodian’s email address. If you choose, you can add an extra layer of security by adding a password to this collection, and if you choose, you can add notes for the collection, anything that will be helpful for the collected data later on. That’s it. From there, you can go in and choose the data to be collected. This might look very similar to those slides that we showed when we were talking about advanced logical collection because that’s what this is. This is targeted advanced logical collection, forensically sound, that will bring back data, that will help you paint a picture of the case. You can choose to bring all of it back or you could target what you want to see specifically. This will keep employee privacy at the forefront of the mind of the custodian, in the event that you are working with a BYOD device. It will also bring data back to you faster if the scope of the collection is smaller, and then that’s it.

From there, you can start the collection and just that quickly, you set up a mobile data collection. For the custodian, the process is also very straightforward. The custodian is going to receive an email, and in that email it’s going to tell them to download a mobile application. Very similarly to how you would have to install iTunes on the computer of the custodian if you wanted to do an iTunes backup. It’s also going to have an activation token that the mobile agent is going to need. This is the mobile agent and it’s operating system agnostic. It can work on either a Mac or a Windows computer. Once you launch it, it’s going to ask you for that activation code that was in the email. As the custodian, you can enter that activation code, grab the proprietary cable that came with your phone, or the charging cable that came with your phone, if it’s an iOS or Android. Again, very similar to an iTunes backup collection, with more data returned.

From here, there’s instructions on the phone. So the custodian can tell the agent, either I have an iOS or I have an Android, and the agent’s going to give the custodian some very simple instructions, things like, please make sure your display doesn’t turn off, or that it doesn’t lock, and connect your phone. And from there, we are off because the examiner, the user, you or I, when we were in the web interface for Mobile Now, we already told the agent we want text message data, or we want the actual advanced logical collection. So the agent already knows what to do. Once the phone is connected and the agent sees the activation code, that’s all the information it needs. It will start the collection process and then it will send the data back to the storage repository that the examiner set up, that SFTP, that network location, that Amazon S3 bucket or that Azure Blob, maybe it’s even stored locally. And that’s it. It’s that simple, collection done.

So summary for industry innovation. Cellebrite Enterprise Solutions is proud to announce that we have launched our first SaaS solution. That SaaS solution is for the remote targeted collection of mobile data as quickly as possible, whenever you need it, wherever you need it, and that solution is called Endpoint Mobile Now. It takes into account the trends that we have seen for infrastructure, allowing you to reduce your tech debt. It is always up-to-date with the latest innovation so that you can stay on top of evolving trends. And it scales with you, whether it’s three, five, or one, the number of mobile collections that you need are readily available. There are two steps to setting up this very simple process for collecting patent-pended targeted remote collection. That was a tongue twister. Let’s say that again. There are two steps for collecting and setting up this patent-pending targeted remote collection. There you go.

It’s logical collection for Androids and advanced logical collection for iOS devices, so that you have a more holistic view of the data. And for the custodian or the employee, it was designed to be as minimally evasive as possible. You get to keep your phone, you will not be parted with your phone. It’s targeted collection. So we are only looking for the evidence that is relevant to the device, and with a small download, similar that you would do with iTunes, you can just connect your phone, it will do all the work for you, and then send the data back to the person that requested it, the requesting party. No data is kept from Cellebrite. And that is all we have. Thank you very much for joining me today, for today’s webinar. Julie, do we have any questions?

Julie O’Shea: Yes, we sure do. Thanks, Monica. Let’s start with, how do you filter out business versus personal text messages on a BYOD?

Monica Harris: That’s a great question. So when we were looking at Mobile Now, and we were looking at advanced logical extraction, you saw that we did not have to collect, for example, contacts, call logs, any of those things, pictures that were not attachments to a message, you could just target messages. But from there, I take this question being more specific, you’re then asking specifically, how do you collect the messages that are between myself and Julie, when we’re talking about a webinar, leveraging SaaS, in the month of October and the year of 2023? I think that’s what this question’s about.

So once, right now, during this webinar, we focused on the collection process. There’s a second piece. There’s a second piece to collection, and it’s called decoding and analysis. And all of this happens before you are ever in a review platform. Rather, you’re in an investigative platform at this point. When you’re in an investigative platform, like Cellebrite’s Physical Analyzer, you have the ability to do exactly what I just said. You can say, I’m only looking for the text messages between Monica and Julie, where they’re talking about today’s webinar, in the frame of October, 2023. And in that way, you can ensure that before you ever convert that data, so that it can be loaded to a review platform, that you’re only looking at the relevant data for the case. Great question.

Julie O’Shea: Thanks for clarifying that. Let’s see here. How about, is it possible to collect without an installation or cables?

Monica Harris: That’s a great question because we went through multiple collection methods, whether it was iTunes or logical, or advanced logical, or full file system, or even a physical collection. And the answer is from Cellebrite’s standpoint, no. No, there’s no, I think what you’re asking for is, wireless collection, and even now there’s no wireless collection. Well, how do I answer this question? You could do a wireless collection, but I don’t know if that would be the desired effect because of the level of security and encryption on a phone, and what would need to happen to the phone in order to be able to collect from it wirelessly. So assuming that you don’t want an undesired effect on the phone after collection, the answer is no. No, and from that standpoint, you are going to need the proprietary cable for the phone, and that’s across the board, regardless of the type of collection that takes place.

I know that’s a very frequent question. Sometimes it can even come across as, say, covert collections, but regardless of the multiple different types of collection, whether it’s remote and it’s the custodian that’s conducting the collection, or whether it is, say, advanced, and then that means that you’ve got a practitioner on site and they are working with a more, basically, almost all the contents on the phone. There will need to be a connection of some type. Great question.

Julie O’Shea: Got it. And this one, we have a need to collect from some of the applications that are on an earlier slide. Can you collect from Discord and WhatsApp?

Monica Harris: Oh, those are great questions. Yes. Yes, you can. So when we talked, we focused a lot in this webinar about text message data specifically, but those are chat applications or third-party chat applications that can be found on the phone, and they’re a little different between the two. WhatsApp is, last time I checked, statistically the most commonly used application for business in the U.S., and oftentimes we see WhatsApp data in advanced logical collections of iOS devices. In addition to that, that is also available in our flagship product, Endpoint Inspector. But when you began to talk about some of the newer applications, like Discord, which is gaining in popularity. We did use that for capture the flag in terms of communicating with our participants and then also with our dream team here at Cellebrite.

We can collect from those too, but those are different collection types and different solutions for that reason. When you think about a little bit of the education that we went through during the webinar, when you’re talking about Discord, Snapchat, any of the more, I call them complex, there are probably applications that come with end-to-end encryption. Maybe they are ephemeral. Then you’re looking at advanced collection methods in order to be able to work with that, and potentially you want advanced collection methods that have a SaaS architecture, very much like what we just talked about with Mobile Now because of how consistently those applications can update. So that was a very long answer. The answer is yes. Yes, we can, but you typically see that with our advanced collection solutions, as opposed to our remote or targeted collection solutions. Great question.

Julie O’Shea: Good, thank you. And last one, we’re going to have time for here today. Does Mobile Now store any collected data?

Monica Harris: No. No, Mobile Now does not store any collected data. The data is sent directly back to the examiner, directly back. We are not in the hosting business here at Cellebrite. That is not what we do. There are other companies that do it and they do it well, but we do not keep data here. We are committed to the extraction of data, and once we extract it, we want to get it to you as quickly as possible so that it can then be used for investigations, analysis and downstream processes. But Mobile Now does not store any collected data. Great question.

Julie O’Shea: Wonderful. Thank you, Monica. Well, like I mentioned, we are running out of time for allotted time here today. So we’re going to wrap this up and we will reach out to you individually after the webinar to answer the questions that we didn’t get to today. And I want to give a big thank you to Monica. That was a great discussion on how investigators and eDiscovery professionals can really leverage SaaS to power their mobile data collections and utilize those advanced collections as well. Never thought I would hear Bob Dylan, Lincoln Lawyer and Netflix so much in a webinar, but it was so informative and I’m sure our audience loved it as well. So thank you. And for any additional questions or to learn how you can get started with any of these solutions, you can reach out to us at enterprisemarketing@cellebrite.com or visit us at our website. Thank you Monica, and thank you everyone for joining us today. Hope everyone has a great rest of their day.
