Tips And Tricks For Collecting Employee Chat Data

Julie O’Shea: Hi everyone. Thanks for joining today’s webinar Tips and Tricks for Collecting Employee Chat Data. I’m Julie O’Shea and I’m the product marketing manager here with Cellebrite Enterprise Solutions. Before we get started, there are a few notes that I’d like to review. We’re recording the webinar today, so we’ll share an on-demand version after the webinar is complete. If you have questions, please submit them in the questions window and we will answer them in our Q&A. If we don’t get to your question, we will follow up with you after the webinar.

Now our speaker today, we have Monica Harris. Monica has decades of experience specializing in the development, implementation and training of proprietary software for eDiscovery service providers such as KLDiscovery and Consilio. Before joining Cellebrite, she worked with the U.S. Food and Drug Administration, where she oversaw policy and procedure curation, enterprise solution rollout and training for enterprise solutions. Monica is an active leader and mentor in the eDiscovery community and has lectured on trending topics in eDiscovery at American University and Georgetown University and is the co-project trustee for the EDRM text message metadata project. She has previously served as the assistant director of the DC Chapter of Women in eDiscovery and as a board member of the Master’s Conference, she currently serves as an immediate past president of the Association of Certified eDiscovery Specialists ACEDS DC Chapter, and is a member of the EDRM Global Advisory Council.

Thank you for joining us today, Monica. If you’re ready, I’ll hand it over to you now so you can get started.

Monica Harris: Thank you, Julie, and thank you everyone for joining us today. For tips and tricks for collecting employee chat data. Let’s hop in. According to the 2023 Industry Trends for the Private Sector industry survey, collection of data from multiple devices like text message data from iOS and Android, as well as WhatsApp and Signal has surpassed the collection of data from email like Office 365 and Google Suite. With the collection of chat data from Teams and Slack coming in third.

It’s important to understand with collection of mobile device data being at the top of the list of service providers and corporations, how to get the most chat data from your mobile devices. So understanding the type of extraction that’s available for mobile devices is key. We can take physical extraction off of this list because we usually see that for older devices, and nowadays we see that the device manufacturers like Apple for example, are retiring some of those older devices. For example, when iOS 17 comes out later this year, we’re going to see Apple devices from 10 down, retired for 17. From there, we’ve got logical, advanced logical and full file system.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


For Cellebrite, logical extraction is what we have for Android, so that’s going to give you the text messages, contacts, call history and media. For advanced Logical, we have iOS because that’s primarily going through iTunes, and then full file system collection is going to be your holy grail, where not only are you going to get everything that you get with a logical or advanced logical extraction, but you also have the ability to get into some of those more nefarious applications. I wouldn’t necessarily say nefarious applications, but maybe applications that could be used by nefarious actors, like ones that have ephemeral messaging like Snapchat, Signal and Telegram.

But what happens when you need to collect text message data right away or as soon as possible? For that, we have Endpoint Mobile Now, which is Celebrite’s first SaaS solution for the private sector. Here’s how it works. Customers that have access to Endpoint Mobile Now can log into an online interface, or they’ll first be presented with any collections that may have been set up in the application. To set up a collection themselves. They could do it in two easy steps. First, by creating the collection, when you create the collection, you’ll need to give it a name. You’ll need to collect or add your storage, which could be Azure, Amazon S3, SFTP or network collection. Or if you don’t want to send your data over the wire or online, you could also do it for storage. Then you’re going to need the name of the custodian and an email address.

The email address is paramount because once you start the collection, which you could do right after you choose what type of data that you want to collect. The custodian is going to receive an email that’ll put a very lightweight application on a PC or a Mac, they can use their cable to connect their phone to the device, and then the application is going to collect data from their phone and send it back to the examiner. Two easy steps to collect as quickly as possible. That’s Endpoint Mobile Now.

But what happens when you’re not looking for text message data? You’re looking for those nefarious actors that could be using unsanctioned applications? Maybe they’re not nefarious actors, maybe they are working for the finance industry. Maybe you just did a text collection, you were using Mobile Now, and when you put that data in physical analyzer, you saw and installed applications that there were other applications on the device that you wanted to collect from more than just text message data. For that, we have Mobile Elite, which performs full file system collection. Not only can you do full file system collection, which sometimes can be lengthy when you think about the size of our phones nowadays, they could be 256 gigs, they could be 512. That could take some time. That’s time that the device is not with the employee or the custodian, and then also time to investigate that data.

But for a best practice or a tip or trick, you also have the ability to do targeted collection with full file system. So if we go back when you’re looking at that phone, when you see that you have Instagram or Snapchat, then you can target that specifically during collection. That way you’ll get the data faster, the collection shorter, and you can return the device back to the employee or the custodian that much faster.

But what happens when the employee is using sanctioned applications, the ones that are administered by it or just come from your employer overall? For that, we have Endpoint Inspector. Normally, when we are collecting from sanctioned applications, you think back to that slide I was showing a little earlier, you’re looking at data from M 365, so that could be your Teams, which is where you could find some of that information there or maybe even Slack. Within Endpoint Inspector, you have the ability to collect from OneDrive, SharePoint, Exchange, Teams, Slack and more, all in an aggregated fashion.

Not only do you have the ability to collect from all of those sources as opposed to putting in separate requests for just your Teams or just your email, but you also have the ability to pull the data out in whatever format works best for your downstream processes. Maybe you want to load file because you’re going to load that data directly to a review tool. Maybe you want the native so that you can process it and get the metadata from it that you want specifically, or maybe you just want metadata so that you can do a form of early data assessment and understand what kind of data you’re getting ready to export before you export it. You also have the ability when you’re searching across those multiple sources, including your chat data, including your email, to go in and do some filtering, whether that’s by date range or whether that’s by search terms, which we know in eDiscovery investigations can be numerous. Collecting from chat data and Endpoint Inspector is simple and it can be combined with other sources of data so that it’s faster for you to get the data that you need for your investigations and also for discovery.

So key takeaways for today’s webinar of Tips and Tricks for Collecting Employee Chat data. It depends. It depends on what you’re collecting. But the one thing that we know for sure from our 2023 survey is that we are seeing corporations and service providers collect more data from mobile devices than Office 365. My interpretation of that is that collecting from chat applications or chat data has surpassed email. We knew it was coming, that data is finally here, so what’s the best way to do it? Target, target and aggregate. Whether you’re targeting data, including text messages, so that you get that data back faster, so that you can avoid those sanctions and exfoliations, so that you can collect the data before the text messages might be deleted or even compromised. And also, even if you don’t target, if you pull back that full collection from the phone, you have the ability to see if there is more data there that needs a deeper dive for example, a full file system collection. Because with remote we are talking about logical. When you do your full file system collection, you can still target. No need to save gigs of data locally. You can bring back just the applications that you need, including the ones that might be unsanctioned.

And last but not least, when you are collecting from sanctioned applications, you have the ability to combine your collections. You can collect from Teams, Slack, and even email because although collection from mobile devices has surpassed that of email, email’s not going anywhere. And more likely than not, when you’re collecting data from custodians, you’ll need to do it from several sources. So why not save yourself the time and do it all at once? And that’s what I have for today’s webinar. Thanks, Julie. Do we have any questions?

Julie O’Shea: Yes, we do. All right. Let’s start with, can Mobile Now collect from third-party chat applications?

Monica Harris: That is a great question. So I did talk about three different applications technically I talks about four, but for collections, I talked about three. Endpoint Mobile Now, Endpoint Inspector, And then I also talked about Mobile Elite. Mobile Now is our SaaS platform that does logical collection for iOS and for Android. So you will get some third-party chat data for iOS because that’s advanced logical, but if you’re looking for third party chat data specifically, then we would recommend the Mobile Elite that you saw that does the full file system extraction so that you can get all of your third party chat applications and you can target it for our best practice. Great question. Thank you.

Julie O’Shea: Thank you. Okay, and next question, how much does Mobile Now cost? I knew that was coming.

Monica Harris: That is a great question, and for that I will direct you to sales, but what I can tell you is Mobile Now was built to be scalable and flexible, meaning that you have the ability to purchase mobile collections when you need them. So no need to be stuck in a bundle that does not fit your needs or doesn’t fit your budget. Mobile Now is available for customers when they need it, and for more information to that, we’ll refer you to sales.

Julie O’Shea: Perfect. How about, okay, can Endpoint Inspector collect from third party chat applications.

Monica Harris: Endpoint Inspector can collect from third party chat applications? That is a great question. Very much like Mobile Now, Endpoint Inspector has logical collection for mobile devices. However, in addition to the cloud sources that we saw during this presentation, cloud sources like Slack and Teams, Endpoint Inspector also has the ability to collect from WhatsApp using QR code collection. And coming very soon, endpoint Inspector will also have the ability to collect from Telegram using QR code collection. So when inspector does have the ability to collect from third party chat.

Julie O’Shea: Thank you for clarifying that. And seems like we have time for one more here, so we’ll end with this one. Can Mobile Elite collect from Discord?

Monica Harris: That is a great question. I think I’ve heard a couple of recent news articles about Discord as of late, and so it’s become a frequent topic. Yes, Mobile Elite does have the ability to collect from Discord.

Julie O’Shea: Wonderful. Well, thank you Monica. Like I said, we are running out of a lot of time for today, so we’ll wrap it up, but we will reach out to everyone individually after the webinar to answer those questions that we didn’t get a chance to get to. So thank you so much, Monica. That was a great discussion on how investigators can really make sure they’re collecting as much employee chat data as possible. And for any additional questions or to learn how you can get started with any of our solutions, you can reach out to us at Enterprise Marketing at cellebrite.com. Thank you Monica, and thanks everyone for joining us today. Hope everyone has a great rest of your day.

Leave a Comment