Regulatory attention toward off-platform communications
U.S. regulators have taken notice of the prevalence of off-platform communication in their investigations, particularly during the pandemic. They have levied large fines for companies’ failure to monitor their employees’ electronic communications, causing potential breaches of rules that require retention of business records.2 Further, “under SEC and CFTC rules, brokerage firms are supposed to preserve and monitor their employees’ written communications, which creates a paper trail for regulators who check compliance with investor-protection laws.”3 The financial service industry is experiencing record fines of approximately $2B as regulators, including the SEC and CFTC, find that off-platform communications unavailable to companies were a hindrance to their investigations.4
The Department of Justice (DoJ) has also increased focus on this type of activity. In a recently published DoJ memo regarding corporate criminal enforcement policies, the Deputy Attorney General emphasized concern over corporations’ usage of personal devices and third-party applications, and the ability of compliance programs to monitor for misconduct and recover relevant data during investigations. In assessing a company’s cooperation during a criminal investigation, “…prosecutors should consider whether the corporation has implemented effective policies and procedures governing the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved.”
Effect of BYOD policies
Most companies allow employees to purchase and use their own personal devices and service plans for business use, the costs of which are then either partially or fully reimbursed by the company. One of the primary drivers of Bring Your Own Device (BYOD) policies is cost reduction and efficiency for the company. From a risk perspective, the employer has no access to the personal content, nor sufficient control over the personal data on the device, which makes preservation and production of this information very challenging. There are no enterprise level capabilities to search the BYOD mobile devices and retrieve documents and files that may be relevant to an investigation. This means the company and its counsel must rely on individual employees to cooperate with and assist them in the retrieval of potentially relevant information. Until Mobile Device Management (MDM) software has options to access content on these devices, it is critical for the company to have a process for obtaining consent and the ability to individually preserve, search, and produce documents from each device in use.
With the proliferation of mobile devices, use of mobile device applications to conduct business has grown at a rapid pace and use of desktop and laptop computers has declined. In some cases, employees even use mobile devices as their primary mechanism for work communications. Android is reportedly more popular globally, but iPhones and Apple iOS leads the market in the U.S.5 The Apple iOS changes frequently and is keenly focused on user privacy and data security. In fact, the newest version of Apple iOS has added many new user features that can have an impact on investigations, such as the ability to edit and unsend messages, and recover recently deleted messages. Commercially available forensic software for mobile device analysis cannot keep pace with the changes, making it challenging to have tools available that can access all data on Apple devices during time-sensitive investigations. More importantly, the commercially available forensic software lacks the ability to tell the story of a user’s activities.
Mobile forensic complexity
Many forensic practitioners receive training for how to use forensic tools, but do not have a deep understanding of mobile operating systems, how data is stored on mobile devices, and the forensic artifacts available on a device that can help explain user activity with a high level of detail and certainty. Because of this, there is significant risk of overlooking important data and activities related to the matter. This can result in investigators and attorneys missing key evidence that can help inform legal strategy and shape the defense of a client.
When it comes to communicating on mobile devices, users have a plethora of application (app) options to choose from. Use of apps can depend on many factors, including popularity of apps in different regions of the world, ease of use on Android versus iOS, device type with which the user is communicating, availability of encryption in the app, and personal preference. Some of the most popular apps include:
1. eMail | 6. FB Messenger |
2. SMS and/or iMessage app | 7. SnapChat |
3. Whats App | 8. Telegram |
4. WeChat | 9. LinkedIn |
5. Signal | 10. Twitter |
Before diving into analysis of data from each app, forensic practitioners must understand if the data is stored within the application on the mobile device or in the cloud, and, if it is encrypted, ensure it is properly collected and accessible. For example, Signal data is only stored on the device and is encrypted, so the forensic practitioner should confirm the Signal data is accessible after the collection is completed and before the device is returned to the user. Other apps that store data between the mobile device and the cloud can be impacted by user settings, synchronization issues, and other factors, making documenting the application settings and synchronization status critical for accurate analysis and reporting. The use of rapid reports that contain information such as installed applications, sizes, and last used information can be used to quickly identify potential data sources of interest and verify completeness. Further, these reports allow interviewers to ask questions about potential data sources when custodian interviews and collections are taking place in parallel.
After ensuring completeness of the collections, forensic practitioners must be able to understand information parsed by the forensic tool automatically to help tell the story of user activity. For example, the Recents database on Apple iOS contains information parsed with iMessage chat data but is often overlooked. Metadata such as sender/recipient, contact information, and timestamps of when iMessages were sent/received are available in the Recents database. In certain situations, this metadata will remain after messages are deleted and with close analysis can be used to identify potential evidence of message deletion.
Chat data presents unique challenges in the way it is stored on the mobile device, captured, and exported by forensic tools. Chat threads can span years and be quite voluminous, making it challenging to review. This is especially important when multiple devices are collected, which can further exacerbate the problem. Review can be facilitated by transforming chat data into a reviewer-friendly format that closely resembles the user experience on the mobile device and loading into a review tool to utilize searching/filtering capabilities. Further, unitizing chat conversations into manageable segments is important to assist with quickly locating relevant portions of long conversations and distributing chat conversations among multiple reviewers. When it is time for production, this reviewer-friendly format and unitization is extremely important to providing the data in a format the other side will accept without issue and minimize the amount of time invested in redactions. For example, smaller unitization can help avoid having to redact large portions of long chat threads that are not relevant.
The Way Forward
All these issues, risks, and challenges can make current mobile forensics seem overwhelming. Unfortunately, the government and regulators often have little sympathy for the targets of their investigations in dealing with these challenges. The best course of action is to prepare in advance of an investigation and get the right help as early as possible when you become aware of a new investigation. It is critical to take the time to understand how employees actually communicate and not just focus on the mechanisms and tools the company provides. Bring in a forensic firm to help identify where potentially relevant communications might exist, preserve the evidence, and analyze the communications to tell the story of who, what, when, where, why, and how. Determine nuances and identify aggravating and mitigating factors as early as practicable—ideally at the beginning so that counsel can provide the best advice possible. If they don’t have the detailed facts, their representation will be handicapped unnecessarily. Those counsel who get this right will be able to focus their legal talent on the merits and actual legal issues, which can only benefit the outcome for the company.