Trending Attorney Forensic Requests in 2019

forensic requests
Immigration Law Special Issue

Having spoken at the Cleveland Employment Lawyers Association earlier in 2019, and having been engaged by Cleveland attorneys to perform forensic examinations on a range of topics from preservation to suspected unauthorized access to suspected intellectual property theft, I wanted to share some trends in attorney forensic requests so far this year. Some of the information in this article is specific to Cleveland area employment lawyers and other information is related to all attorney forensic requests so far this year.

Eighty percent of attorney forensic requests in 2019, to date involved the acquisition of records stored on an Apple iPhone.

Advertisement

Answering Legal Banner

80% of attorney forensic requests in 2019 involved the acquisition of records stored on an Apple iPhone.

Most requests for educational information from Cleveland area employment lawyers are related to the process, capabilities, limitations, and product resulting from the preservation and extraction of text messages.

Due in part to the past reliance of physical paper documents, members of the legal community commonly report they believe the most reliable and accurate way to forensically obtain text messages is to take screenshots on the cell phone and accept the text messages as displayed to the user as accurate.

In some cases, there is a desire to reproduce the text messages as visually represented on the sending or receiving cell phone.

Advertisement

Eza Mediation

What to Request When Collecting Text Message From iPhone

I recommend a few key steps.

Before you proceed with requesting a forensic examiner to image the Apple iPhone, determine who owns the phone. If your client requesting you to engage a forensic examiner does not own the phone, do you have a valid court order? If you need text messages which you believe may have been deleted, time is a key concern. Make sure the phone is not turned off . If the phone is already turned off , leave it turned off. Put the phone in a faraday bag which will block wireless communication with the phone. When a cell phone is communicating with a cellular network or wireless network the likelihood new data will be written to the phone and as a result possibly overwrite deleted records is higher.

Make sure that you have the phone’s password. If you do not have the phone’s password, do you have access to the computer with which the phone was synchronized? If all you have is an iPhone backup, that may be enough to collect information from the phone (as it existed on the phone when the given backup was created).

What format do you want the forensic examiner to use to present the data? Do you suspect a text message may have been manipulated? If you do, then a screenshot is probably not the format you need for your case. There can be issues with authenticity of information displayed in screenshots and if you need to authenticate the information in that screenshot, the forensic examiner will need to forensically obtain information from the sending or receiving phones (or in some cases both) and they may provide the information you are asking them to extract as a spreadsheet. They may also provide you the information in the form of a web based interactive timeline. The format the forensic examiner can use to provide the information you requested depends largely on the forensic soft ware used to perform the forensic acquisition, examination, and analysis. Not all tools are created equal and while one tool may do a better job at recovering deleted files different soft ware may provide the files in a format you prefer.

In most situations, a forensic examiner can produce information requested by the attorney in a spreadsheet. This is one of the most common formats for information extracted from a cell phone. Do you want the information to provide in native format? It depends. If you need the forensic examiner to collect text messages, you should know the native format for text messages on most smart phones is SQLite. This is a database. It is not easy to read. You may want your forensic examiner to extract the SQLite database and authenticate the data and use a tool to extract text messages from the SQLite database as a spreadsheet, a web page timeline, or a PDF. That will give you more flexibility to present the text messages in a comparatively easier to read format while being able to authenticate the information. Michael Zinn

Michael Zinn

Michael Zinn is a recognized digital forensics and cybersecurity expert who holds a number of industry certifications including certified computer examiner (International Society of Forensic Computer Examiners), EC-Council computer hacking forensic investigator, AccessData certified examiner, and AccessData mobile examiner. He is an experienced computer security incident response team leader and is available for cybersecurity consultations and cybersecurity training.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts