The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/588021
WWW.ILTANET.ORG 53 savvier at finding and potentially altering data files saved on devices. This is especially pertinent for a criminal case when the user's data could be incriminating. The alleged criminal might try to delete photos, videos, text messages, etc. from the device. He might also try clearing his browsing history, making recently visited websites not evident. If the data on the mobile device are uploaded to a computer, the person might even attempt to alter the information and resave it to the device. He might try changing the file extension to confuse any platform searching for the file. He could also try compressing the file and password-protecting it, making the data very difficult to access without a password. For the more sophisticated criminal, he might even attempt to create an "alternate data stream," hiding a file within a file so the new information is hidden from view. It sounds like it could be difficult for counsel to retrieve this information, doesn't it? Fortunately, digital forensics experts can recover the vast majority of altered or deleted information. They can conduct forensic exams of the mobile device and uncover deleted browsing histories, texts, photos and more. In addition, in the case of altered data, digital forensics experts can leverage software to flag suspicious files and conduct further analysis as needed. They can also decrypt password-protected files and recover the information inside. Even files merged using an alternate data stream can be separated and examined individually. While it might appear that the unwanted information is not accessible, digital forensics experts can often retrieve it, particularly if the collection of mobile data occurs relatively soon after the user alters or deletes the information, before it is overwritten by other data. CHALLENGES IN ACCESSING MOBILE DATA It's no secret there have been many significant breaches in data security in the past several years. As a result, many mobile devices have improved their operating system (OS) and data security capabilities. Apple's iOS now keeps information like text messages, email messages and location data in an encrypted area, and it requires a four-digit passcode or fingerprint scan to access that data. As other mobile device software developers have made mobile data more secure, it has become increasingly difficult to bypass these passwords and retrieve information. This can affect the ability of forensics experts to access the information on the device and retrieve the data. With the fingerprint scan, some jurisdictions give law enforcement the right to make a person unlock his phone, as his fingerprint is physical evidence, while a passcode — because the user is the only one who knows it — is intellectual property, and law enforcement cannot force the user to reveal it (though the law is continuously evolving in this area). IS IT DISCOVERABLE? Mobile data — text messages, email messages, Internet browsing histories, locations, etc. — can all be found thanks to newer review platform technology, even if the data are deleted or altered. Educate your users about the settings they can control on their mobile devices, and remember to capture these data points during the discovery process. If you're wondering if it is discoverable on your mobile device, the answer is probably "yes." About the Author John Burchfield is the President of DSi. A regular industry speaker, John has been instrumental to company growth, new market opportunities and client retention. He launched DSicover You and helped create the DSi's Remote Governance and Collection Platform (RGC) and DSihold. John has more than 20 years of experience in management, sales and business development. Contact him at jburchfield@dsicovery.com. All an investigator would have to do to retrieve the location information is access the user's Google account — and that can be done with or without the actual device.