3:00 pm - 3:45 pm...thursday, may 21 litigation track 3:00 pm - 3:45 pm forensic discovery/extrac on...

Thursday, May 21 Litigation Track

3:00 PM - 3:45 PM

Forensic Discovery/Extrac on of Data from Electronic Devices and Effec ve Use in Trial

Presented by

Kendra Simmons Fredrikson & Byron, P.A.

505 E. Grand Ave, Suite 200 Des Moines, IA 50309

Christine Chalstrom President and CEO

Shepherd Data Services 650 Third Avenue South, Suite 460

Minneapolis, MN 55402

5/19/2020

Copyright 2020 Shepherd Data Services 1

What’s on that Device?Why Attorneys Should Care?

Forensic Discovery of Evidence

Kendra Simmons, Fredrikson & ByronChris Chalstrom, Shepherd Data Services

May 21, 2020

Copyright © 2020 Shepherd Data ServicesNo part of this presentation may be used without the express written consent of

Shepherd Data Services

Technology & Law

Our technological powers increase, but the side effects and potential hazards also escalate.

Alvin Toffler, Futurist, Journalist, Writer

Technology is outpacing the law.

Barry Steinhardt, Retired Director ACLU’s Program on Technology and Liberty

Technology ... is a queer thing. It brings you great gifts with one hand, and it stabs you in the back with the other.

Carrie Snow, Stand‐up Comedian

1

2

3

5/19/2020


Why a Forensic Expert

Data Collection Assessment (Who, What, Where & How)

Device Data in Discovery & Trial

Why a Forensics Expert?Rule 1.1“A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation.”

Comment 8Includes duty to stay “abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”

Why a Forensics Expert?

4

5

6

5/19/2020


Why a Forensics Expert?

• Collect, preserve and manage evidence for discovery from clients and opposing parties

• Investigate potential wrongdoing

• Scope ‐ discovery and/or trial

• Ability to testify (in deposition or potentially at trial) regarding collection, production, and/or deletion




Discovery (Who, What, Where)

7

8

9

5/19/2020



• Identify volume, importance, and form of ESI as early as possible—on both sides

– Emails, text messages, electronic documents

– Volume compared to other discovery

– What could ESI establish that other discovery cannot?

– What is the risk of deletion by custodians?

• Both sides/all parties


• Prioritize• Plan order of discovery• Consider cost‐sharing proposal

with opponent• Seek through various types of

requests– Traditional written requests– Request for inspection

• Depositions to learn and authenticate

• When you’re the recipient of such request(s)




10

11

12

5/19/2020





Forensic Collection Options

• Manual – Examiner manually operates keypad and handset to document data.

• Logical ‐ Examiner connects a data cable to the device and acquisition platform and extracts active information on the device. Logical acquisition creates a copy of the file system, saving all folder/file structure. Some files may be “locked” and so cannot be copied.

• File System – Examiner connects a data cable to the device and acquisition platform and extracts a portion of the file system.

• Physical (Non‐Invasive) – Examiner connects a data cable to the device and acquisition platform to provide physical acquisition of a device’s data without requiring opening the case of the device. The software will inject a custom boot loader into the device’s RAM and interact with the startup process to prevent the operating system from launching. Physical acquisition creates a bit‐by‐bit images of the partition, including unallocated space.

• Physical (JTAG) – Examiner connects acquisition device to Standard Test Access Port (TAPs) and instructs the processor to transfer raw data stored on connected memory chips.

Computers – PCs

• User Files – Active

• User Files – Deleted

• eMail

• USB History

• Jump Lists

• LNK Files

• Shellbags

• Prefetch Files

• Web History

13

14

15

5/19/2020


Mobile Devices

By Smartmo ‐ Own work, CC BY‐SA 3.0, https://commons.wikimedia.org/w/index.php?curid=22720596

Mobile Devices

iPhone Forensic Collection Options

• For the A5 chipset or later (iPhone 4s), only logical or file system extraction available. The decoding of this chip has not been developed yet.

• iOS version may limit extraction• Assumes examiner has passcode

https://cellephones.cellebrite.com/client/#itemPage

16

17

18

5/19/2020




https://www.cellebrite.com/en/unlock‐sales‐inquiry/https://www.cyberscoop.com/cellebrite‐iphone‐6‐ufed‐samsung‐galaxy‐facebook‐messenger‐snapchat/

19

20

21

5/19/2020


Partitions, Basic Folder Structure and Key Files

• Two disk partitions: system and user• File System based upon UNIX file

system• Uses a directory structure• Property Lists (Plists)

store, organize and access various data types

XML format or binary Data types include strings,

numbers, binary data, dates, and Boolean values

• SQLite database files Structured relational data storage Compact, high‐quality and open

source

Plists Define Look of iPhone

The Library Folder

AddressBook, Calendar, Call History, Notes, SMS, and Voicemail data are all stored in a SQLite database.

22

23

24

5/19/2020


The Address Book in SQLite

Parsed View of Contact

Parsed View of Conversations

25

26

27

5/19/2020


Looking for Deleted Data in SQLite

User Dictionary/Keyboard

If a user manually types a word into the iPhone, the device generates a dynamic dictionary file that stores words unique to that user. Includes information from text message, email, note, etc.

Location: var/mobile/library/keyword/

dynamic‐text.dat

Media Folder

28

29

30

5/19/2020


Photos Taken by Device

Photos taken from the device itself. All photos are incremented by 1.

Number is not reused.

Using EXIF InformationExchangeable Image File Format

31

32

33

5/19/2020


Apps and More AppsMuch more data in a large variety of applications

http://ipod.about.com/od/iphonesoftwareterms/qt/apps‐in‐app‐store.htm

34

35

36

5/19/2020


https://en.wikipedia.org/wiki/Android_version_historyhttps://www.quora.com/Why-did-Android-Q-become-Android-10

https://trickkas.com/android-10-release-date-features/

37

38

39

5/19/2020


“Google says we exert more control than they do, that we are closed and they are open. . . . Well, look the results – Android’s

a mess. It has different screen sizes and versions, over a hundred permutations. . . . I like being responsible for the whole

user experience. We do it not to make money. We do it because we want to make great products,

not crap like Android.”

Steve Jobs, Walter Isaacson, p. 514

��

40

41

42

5/19/2020


SIM Card

SD Card

Battery

External Card – Apps Can Store AnywhereInternal on the Device – Android APIs Control

Common Subdirectories• lib – custom library files an application needs• files – files the developer saves to internal

storage• cache – application cache• databases – SQL Lite• shared_prefs – saved values that power the

application

43

44

45

5/19/2020


46

47

48

5/19/2020


/boot/cache/data/misc/recovery/system

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

xxxxxxxxxxxxxxxxxxxx


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx






49

50

51

5/19/2020


xxxxxxxxxxxxxxxxxxxxxxxxxx

xxxxxxxxxxxxx

xxxxxxxxxxxxx

xxxxxxxxxxxxx





[email protected]@dfood.com+17631234567

52

53

54

5/19/2020



55

56

57

5/19/2020


Voice 001.m4a Voice 002.m4a

58

59

60

5/19/2020


._speech_nav_20.wav

._speech_nav_19.wav

._speech_nav_18.wav

._speech_nav_17.wav

._speech_nav_16.wav

._speech_nav_15.wav

._speech_nav_14.wav

._speech_nav_13.wav

._speech_nav_12.wav

._speech_nav_11.wav

._speech_nav_10.wav

._speech_nav_9.wav

._speech_nav_8.wav

._speech_nav_7.wav

._speech_nav_6.wav

._speech_nav_5.wav

._speech_nav_4.wav

._speech_nav_3.wav

._speech_nav_2.wav

._speech_nav_1.wav

The Cloud

61

62

63

5/19/2020





GuidesBOLCH JUDICIAL INSTITUTE, DUKE

LAW SCHOOL:Revised Guidelines and Suggested Practices for Implementing the 2015 Discovery Amendments to Achieve

Proportionality(Second Edition)

Six Factors to ConsiderImportance of Issues at Stake

Amount in ControversyRelative Access to Information

Parties’ ResourcesImportance of Discovery

Whether the Burden or Expense Outweighs Its Likely Benefit

https://judicialstudies.duke.edu/wp‐content/uploads/2018/11/Annotated‐Proportionality‐Guidelines‐and‐Best‐Practices‐2nd‐edition.pdf

The Sedona Conference Principles, Third Edition:Best Practices, Recommendations & Principles for

Addressing Electronic Document Production

19 Sedona Conf. J. 1 (2018)https://thesedonaconference.org/publication/The%20Sedona

%20Principles

Guides

“Costs and risks may increase if the technology makes it more difficult to preserve or collect relevant ESI for litigation. For example, mobile devices that are not synchronized with the organization’s servers may require physical collection of the mobile device to meet preservation or discovery obligations if there is unique, relevant ESI on the devicethat the IT or legal group cannot collect from the organization’s servers. This may be even more of a problem for texts, which can “roll off” the phone as memory is used up. Review cost for texts can also be exponentially higher because the texts are more difficult to sort by subject or author, and because of the shorthand that is frequently used in text messages. Notwithstanding the presence of such ESI on the device, it may not be necessary to image the device if the costs, burdens, and other issues associated with imaging the device outweigh the benefits of retrieving unique, relevant ESI from the device. Indeed, wholesale text message retention is regularly disproportionate for both sides of the litigation, e.g., in a wage and hour class action where employees use text messaging on their personal devices for work.” Contained within Comment 1.b., p. 63

64

65

66

5/19/2020


Wheels of Justice Turn Slowly

Asset Funding Group L.L.C. v. Adams & Reese, L.L.P., 2008 U.S. Dist. LEXIS 30348 (E.D. La. 2008)

https://mrf.co.za/a‐prince‐by‐any‐other‐name/

Wiped and Discarded iPhones Show Intent to DeprivePaisley Park Enterprises, Inc. v. Boxill, 330 F.R.D. 226 (D. Minn. 2019)

Defendant failed to stop auto‐delete and then wiped and discarded iPhones. Using a Rule 37 analysis, Court granted monetary sanctions but deferred on adverse

inference sanctions.

Rule 37 Case Law

Reports & Online

67

68

69

5/19/2020


70

71

72

5/19/2020


73

74

75

5/19/2020


Trial

Proposed exhibits

Consider and address authentication

Envision how ESI will aid in presenting of evidence and telling of your story

Consider most effective method of presentation

Trial

Testimony by forensic expert

– Collection

– Investigation and findings

Presentation as a witness and ability to explain to judge and jury




76

77

78

5/19/2020


“Right, my phone. When these things first appeared, they were so cool.

Only when it was too late did people realize they are as cool as electronic tags on remand prisoners.”

David Mitchell, Ghostwritten

Questions?

Kendra [email protected]

515‐242‐8919

Chris [email protected]

612‐659‐1234

Copyright © 2020 Shepherd Data Services, Inc.No part of this presentation may be used without the express written consent of

Shepherd Data Services

79

80

3:00 pm - 3:45 pm...thursday, may 21 litigation track 3:00 pm - 3:45 pm forensic discovery/extrac on...

Documents