Mobile devices: The next eDiscovery wave?

Ready or not, it is time for corporate legal and MIS departments to accept the fact that real and unique corporate Electronically Stored Information (ESI) resides on mobile devices such as iPhones, BlackBerrys and tablets. Until recently, most lawyers exempted these devices from preservation and collection obligations with a wide variety of arguments: too difficult, redundant content, inaccessible, lack of explicit case law and bipartisan agreements. The rise of the mobile workforce, integrated communications, mobile apps and more have combined to make smart phones and tablets critical sources of unique ESI for corporate executives and other critical personnel. If we accept that mobile devices must be preserved and collected for civil discovery, then we get to the hard question of how to do it.

A quick walk through the history of mobile device forensics will help explain where the wide array of current forensic extraction technology has come from. Criminal eDiscovery has always blazed the path for civil eDiscovery. The current wave of mobile device discovery is no different in this respect than the earliest wave of large-volume email collections and productions in the Enron-related investigations in the 2000-2002 period.

Forensic acquisition, extraction and analysis started with relatively crude, manual command line tools that required an expert to run and testify to. Over time, these have evolved into sophisticated programs with wizards and other mechanisms that help to make this functionality accessible to a reasonably competent user with minimal training, such as we have seen with Michigan state troopers analyzing cell phones on road stops.

Just as with computers, the earliest forensic cell phone acquisitions in the early 1990s used bit-copy imaging of the phone memory and the SIM cards. An investigator had to essentially 'read' the raw binary or hex code and translate it into call logs or wave files (voice messages) for prosecutors. Nascent PDA phones like the early BlackBerry released in 1999 dramatically increased business usage and the complexity of the data to be extracted. RIM brought the first smart phone to market in 2002 with an actual Operating System (OS) that could handle real email. Susteen claims to have brought the first commercial forensic cell phone software to market with their Secure View 1 product. The introduction of cell phone forensic technology in the 2003-2006 time period corresponds to the jump in business use and the explosion of civil eDiscovery. The NIST Computer Forensic Tool Testing project published their first mobile device Tool Specification in November 2007. Apple released the iPhone in 2007, which was the equivalent of dumping rocket fuel on the executive bonfire. Every C-level executive had to have one.

That tells us where cell phone forensics came from. Over 20 technology providers actively market forensic software/hardware for mobile devices at this time. But most of these target law enforcement instead of corporate legal. The relatively high standard of care and training required for criminal forensics is not suitable or scalable for typical corporate civil discovery. The real question is whether these true forensic technologies can be adapted for use by legal IT professionals in civil litigation scenarios large and small. Widespread adoption of mobile device discovery will require practical preservation, extraction, processing and review of ESI from mobile devices with minimal training at a reasonable cost. We can see the next wave of eDiscovery sources on the horizon, but it is not yet clear if the market is ready to support the customer requirements.

Most of all, I would like to hear from corporate and law firm specialists on the ground floor who are actively evaluating or using technology to preserve, extract and analyze mobile devices for civil matters. I'm interested in best practices and practical solutions as well as any offerings that my initial survey missed. This is the bleeding edge of civil discovery, so we all want to hear about your hard-learned lessons tackling these complex and varied devices. So take the survey and shoot me a line at

Greg Buckles is the co-founder and CTO for the eDJ Group.
