Recently, I asked Siri, the intelligent personal assistant on Apple’s iOS system, how to conduct e-discovery on data generated on an Apple device. Although polite, she was confused (she still did not understand even after I explained that I was asking about “data,” not a “dad egg”). After apologizing for not answering my question, she offered to search the Web.

In fairness to Siri, it is a quandary: Even mobile forensic investigators are challenged as to how to view encrypted email and data on the latest generation of Apple mobile devices. But it is a question that the legal community is asking more often with the proliferation of Mac computers, iPhones, and iPads in the workplace. As of January 2012, almost half of all companies with 1,000 or more employees used Macs and planned to increase their use by 52 percent by the end of 2012, according to Forrester Research. The challenges of accessing data are further complicated by bring-your-own-device (BYOD) enterprise environments that give employees the flexibility to use personally-owned devices to connect to the corporate network for some IT services, such as email.

This proliferation presents a pesky problem to persons tasked with conducting e-discovery. The trouble is that Mac data is inherently different from Windows data. Because Mac data uses a unique file system with different file types and structures from Windows, it is impossible to review Mac data using a Windows-based system and retain original metadata and native review; a Windows-based system will have to interpret the data, potentially jeopardizing the metadata with significant errors, such as altered dates and file names.

Although the goal of e-discovery remains the same for all types of data, the process for identifying, acquiring, reviewing, producing—and even managing—an e-discovery project with Mac data must be handled differently.

With these challenges in mind, here are several practical tips to follow.


1. Identify Mac data early. One of the first tasks is to determine the scope of data to be gathered and reviewed for responsiveness and privilege. This starts with identifying the key custodians and locating where this information is kept, including Apple laptops and desktops (which run the Mac OS X operating system) and on iPhones and iPads (which run the iOS operating system).

2. Involve experts with Mac knowledge and experience. Given the dangers of corrupting data on a Windows-based review system, it is best to involve IT personnel and an e-discovery specialist with deep Mac expertise before attempting to collect the data. These experts will define where and how the data is stored and choose the best method for forensically acquiring it. To avoid inadvertently omitting key data, be sure to include Mac-only applications, such as iWorks suite, and data generated from Windows-based programs, such as Windows Microsoft Office. Office for Mac documents are stored differently in OS X.

3. Collect native data. Mac uses HFS and HFS+ file systems (systems developed by Apple to store, retrieve and update a set of files), while Windows uses FAT/NTFS file systems. Thus, the data must be collected using raw formats, such as .dd and .dmg and copied onto HFS+ formatted drives or imaged using Mac-specific forensic tools.

4. Render the Mac data carefully. The best way to review Mac data is in a Mac environment, though this is also the most costly and logistically challenging method. The next best alternative is to retain the most accurate representation of the native data in a Windows-based review platform. PDF is an optimal format for Mac data because it maintains the metadata, but not all files can be rendered into PDF.

5. Be careful with encrypted content. Password-protected and encrypted data can be troublesome to unlock from Apple mobile devices, particularly the iPhone 5, iPhone 4 and iPad mini. Each time Apple releases a major iOS version or hardware, legitimate forensic techniques are prevented from gaining access to encrypted and password-protected content. Techniques for gaining access are similar to jailbreaking, which Apple’s security technology constantly protects against. Experts, however, are making progress in their ability to extract more data from devices with the new chipsets.

6. Don’t forget about virtualization. Many Mac laptop and desktop users make use of virtualization and run Windows on their Macs in addition to the Mac OS through Bootcamp. Without skilled analysis, these virtual worlds could be missed entirely.


It would be shortsighted not to recognize the impact of the proliferation of Apple products on the e-discovery process. The technological differences between Mac-based and Windows-based programs means data will have to be identified, collected and reviewed following special procedures. It also means parties will need to carefully plan how to handle e-discovery projects that include Mac data.