ALM Properties, Inc.
Page printed from: Corporate Counsel
A Tough Fruit to Crack
Apple iPad and iPhone devices are an increasingly common target in legal investigations. But important data in the newer models is difficult to access, say researchers who work for e-discovery and mobile forensics tool makers.
Data such as contacts, locations, message contents, settings, and time stamps are stored more securely in the iPad 2, the latest model iPad (unofficially known as iPad 3), and the iPhone 4S than in their predecessors. That's good for most users, but problematic for investigators and IT staff whose job is to obtain such information, say software experts.
"People are just starting to think critically about how to handle iOS data within e-discovery," says Paul Jordan, cofounder of mobile forensics company BlackBag Technologies Inc. BlackBag, based in San Jose, is among a group of specialists, including Cellebrite Mobile Synchronization Ltd. and others, who are working on the iOS challenges. E-discovery companies such as AccessData, Clearwell Systems Inc., Guidance Software Inc., Kroll Ontrack Inc., and Nuix are also in the game, all working to develop, license, or acquire technologies that access the inner sanctum of iOS device data.
Such companies are competing to develop business-class tools based on jailbreaks, mobile-speak for software that changes the device's operating system to allow full file access. Jailbreaks are legal in the United States, but they're not authorized by Apple. Hackers typically release consumer-grade jailbreaks for the latest Apple phones and tablets within weeks of the devices going on sale, but those attempts are insufficient for corporate and law enforcement requirements, mobile security experts say. Consumer-oriented jailbreaks are an effective starting point for helping investigators break through iOS technical walls, but the target is usually just the ability to install unauthorized software, not to retrieve sensitive information.
"One of the challenges, but also one of the value-adds we bring to customers, is keeping up with the rapid pace that Apple has set. There are always changes," explains BlackBag's Jordan. "There's always more to do, but there's no insurmountable challenge. The encryption component that Apple has included for protecting customer data is terrific, but it makes forensics on the device a little more difficult."
Apple is often a cooperative partner, Jordan says, but not at the sacrifice of customer privacy. "They're very concerned about user privacy, and understandably," he continues. "That's their foremost focus. That oftentimes can make forensics pretty difficult. You can't have two mandates." However, Apple is more open when working directly with law enforcement, other industry experts add. (Apple did not reply to requests for comment on this story.)
A revised operating system, iOS 6, was previewed at the 2012 Apple Worldwide Developer Conference in June. It will represent more changes for forensic companies to tackle. New jailbreaks will likely follow.
The large number and popularity of aftermarket "apps" can also be a challenge, says Jordan. A piece of software could become very popular, very fast, reaching "viral" status in days. When that happens, forensics experts must refocus to ensure that their products can access the application's data trail.
But apps going viral can also benefit those who seek critical device information. As more third-party applications integrate with core Apple software, the data that investigators can't get directly from an iPad or iPhone often can be reached when the device synchronizes with other products, observes Kroll's Jason Bergerson, manager of discovery collections service in Eden Prairie, Minnesota. Whether it's a simple stand-alone productivity application, a collaboration suite, or enterprise-class servers such as Microsoft's Active Directory and Exchange, sometimes the electronic smoking gun is found not only on a device but in other places where the device communicates, Bergerson says.
A vital player is Cellebrite, outside of Tel Aviv, which makes a product called UFED (Universal Forensic Extraction Device). It's a box that plugs into mobile devices, accesses data, and transfers it elsewhere. UFED is used by 80 U.S. government agencies, says James Grady, CEO of Cellebrite USA in Glen Rock, New Jersey. UFED came along five years ago, having been derived from Cellebrite's UME-36Pro (Universal Memory Exchanger), a device used by almost all cell phone stores to transfer customers' data when they change to new devices, Grady explains. Sharon Topper, vice president of marketing, adds that Cellebrite is negotiating with the Clearwell Systems division of information protection specialist Symantec, along with others in the e-discovery world, for possible partnerships.
Another e-discovery company, Nuix, also wants to gain traction in mobile forensics. At the Sydney company, "we don't have the ability to directly read a cell phone. But if you take an extract from a commercially available product, then we have the ability to view it," director of technology John Bargiel says. "We want Nuix to be installed on the same machine used to do that."
"We are hard at work on being able to specifically build the business intelligence to expose cell phone contacts," Bargiel continues. That should be ready in about three to six months, he says: "I would explain it as a different side of the same coin. Forensics and e-discovery have a lot of similarities." Eventually, all e-discovery companies will need to incorporate mobile forensics, he predicts.
Michael Kessler, CEO of Kessler International, says his company handles investigations for Fortune 500 corporations. He's directly affected by the state of mobile forensics. "One of the problems is that the hardware we use to extract information is not keeping up with technology, because technology is obviously one step ahead," Kessler says. "In each release there's something unique, and it takes a while for us to get accustomed to the problems that exist."
In addition to working with synchronized applications, as Kroll's Bergerson notes, another workaround of iOS challenges is reverse engineering. That's the complicated, although legal, process of determining how products work and finding their weaknesses. For example, in mobile forensics the technique can be used for discovering traces of phone calls that were secretly recorded, he says.
Even when iOS e-discovery is mastered, there will always be a new challenge for forensic researchers. At the Mobile Forensics Conference, a company called 42Six emphasized an even more mobile frontier. "We are rolling out a new capability to acquire user data from vehicles," says developer Ben LeMere, who also runs an iOS forensics LinkedIn group. "[It's] something I am very excited about and have been working on for a while."
Federal Cloud Report: Standards and Data Loss at Issue
Businesses and government agencies should ensure that their cloud suppliers have clear policies to apply litigation holds and preserve data, U.S. government officials said in a report issued in June.
The 81-page report, "Cloud Computing Synopsis and Recommendations: Recommendations of the National Institute of Standards and Technology," explains the technology's definitions, network architectures, and current issues. It's free, and is authored by Lee Badger, Tim Grance, and Jeff Voas, all of NIST's computer security division, and Robert Patt-Corner, principal systems architect at government IT consultancy Global Tech.
Among legal aspects, "consumers should investigate whether a provider can support ad hoc legal requests," the report states. It also discusses data governance, in explaining that electronic information should be designed to interoperate with industry standards, stored securely and separately from other customers, regularly tested for readability, and permanently backed up or deleted on request. Such recommendations can prevent disaster when cloud providers fail.
Buyers should also understand the methods of transferring data to and from a cloud, whether the cloud company will take financial responsibility for data loss, and which employees of the cloud company perform which jobs. Incident response procedures, software licensing, and maintenance issues are also vital, the authors stated.
The report does not specifically address law firms or legal departments, but NIST works directly with the legal technology field in other ways. The institute sponsors the Text Retrieval Conference Legal Track, used for testing e-discovery software, and the National Software Reference Laboratory, whose software imaging catalog is used in e-discovery to automatically remove large amounts of nonresponsive information.
Versions of these articles first appeared in Law Technology News, a sibling publication of Corporate Counsel.