Your Digital Footprint

Check your email. Today is the day.

Open your cousin’s suggested link, “Private Places near the City”, on Pinterest.

Respond through Facebook messenger with your two favorite location options.

Check your texts. Your cousin picked a place – “Peaks Edge”.

Relay the meetup point to the buyers through WhatsApp.

Airdrop the secret documents from your laptop to your phone.

Google Maps “Peaks Edge” to head to the meet.

Facetime your cousin to go over the plan and alibi one last time.

Arrive early. Drop a pin on the meeting spot.

Notice a beautiful sunset and take a picture to capture it.

Google “What to do if a deal goes bad?”.

For collateral, take photos of the buyers as the approach.

Show buyers proof of the documents. Receive payment from the buyers through PayPal.

Send the documents to the buyers via an iCloud link.

Delete the documents from your device.

Leave Peaks Edge. FaceTime your cousin to chat about how you’re going to spend your cut!

Our digital footprint; always growing and ever evolving.

Each tweet, every text message, and the numerous photos we take and share all contribute to the complex mixture of information that defines our footprint. Simultaneous communication through multiple platforms on a mobile device has become ingrained in our everyday lives. These devices being so common place has made it easy to overlook how much information we share as documentation of our everyday communication and actions.

In 2017, mobile devices accounted for ~54% of all web traffic and were responsible for ~22 billion text messages sent daily. This figure does not include app-to-app messaging.  Once app-to-app messages were accounted for, this number skyrocketed an additional 60 billion messages sent per day between Facebook and WhatsApp alone. With this vast amount of information being shared via social media platforms on mobile devices, more and more of these platforms and devices have become the target of discovery. Being the focus for years, collection and searching processes have been worked into the industry standard workflows when dealing with email and hard drives. Being relatively new to the scene, mobile devices and social media platforms have uncharted waters yet to be navigated.

Challenges with Mobile Devices in Discovery

Make & Model – Mobile devices require a different collection method than traditional imaging of a hard drive. Forensic experts must be able to identify the make and model of the mobile device with which they’re dealing. They must then use that information to decide which collection format best fits that specific device. Depending on the device, it must be determined if a logical, physical, and/or file system extraction is the proper method. In some cases, multiple acquisitions of a device may be necessary. Similarly, additional acquisitions of external storage cards may be deemed appropriate.

Operating System – A mobile device operates on one of a plethora of operating systems. Not only are there different operating systems to take in to consideration, there are also various versions of the same operating system.  The operating system and specific version directly affect how collection tools can interact with the device as well as the data that can be extracted. Operating system information, in conjunction with the type of data to be collected, greatly assists the examiner in deciding on the type of collection to perform.

Privacy Concerns – Mobile devices hold troves of personal information about us, our families, our closest friends, and more. As new apps and technology are released, what we can do with our devices expands daily. As does the information, and type of information, we input into these apps and technologies. With the continuing growth of companies employing a “bring your own device” (BYOD) policy, devices are storing progressively more privileged company information and applications. Considering that these devices are capable of holding an array of information, it is likely that information exists on a device outside of the scope of target information. Unfortunately, most collection tools do not allow for extraction of individual pieces of data. Instead, they extract the entire contents of a device. Subsequently, the examiner is responsible for filtering out the superfluous information to export. Although untargeted information is not exported in this process, a custodian can become uncomfortable that the information was collected and exists outside of their reach. Providing a custodian an environment and experience in which they feel their most personal information is safe is critical in obtaining custodial consent for collection of their data. However, creating an environment for a custodian to feel confident when giving permission to collect their data is a new challenge that examiners are facing. For an examiner, being knowledgeable about the collection tools and the workflows, in addition to being able to answer any of a custodian’s questions, can be extremely helpful in setting a custodian’s mind at ease throughout the process.

Challenges with Social Media in Discovery

Collection Methods – Social media content is becoming more and more relevant in discovery. The days of taking a screen shot of a Facebook or Instagram post to be used as discovery are slowly fading away into the past. The industry standard is moving towards collection methods that provide forensic integrity and metadata that are unavailable through a screen shot.

API Updates – One of the biggest challenges when creating a workflow to collect social media content is the constant update of the platform’s API. Updates can change accessibility to certain metadata values, which makes the ability to collect consistent metadata a struggle for most collection tools. Inconsistent metadata fields in collections make processing social media content for review a constantly evolving workflow.

Public v. Private Accounts – In situations where it is required to collect a social media source and the credentials are unavailable, there can be extreme limits to the information accessible, if any at all. This is usually determined by the platform and the user’s privacy settings.

Account Accessibility – Two-factor authentication is widely used as a second layer of security for social media platforms. Although some collection tools offer data extraction while two-factor authentication is enabled, the security protocols for this feature are regularly updated. If a platform has two-factor authentication enabled, it can become a potential obstacle for collecting data. To ensure a smooth collection of credentialed accounts, it is best practice to use app passwords or ensure this feature is disabled.

Moving Forward

In the emerging world of mobile devices and social media in discovery, there is still much to be learned. The knowledge base constantly accumulating by forensic examiners is in its rudimentary stages. From knowing and understanding the implications of the target device’s physical and logical specifications, the unstable availability of metadata on different social platforms, to understanding the impact of personal settings on each platform – examiners are becoming more and more experienced in this section of discovery with every collection performed. The challenges and techniques for collection are ever changing, requiring examiners to stay up to date on current technology and share their knowledge with one another to build a community of discovery experts. It is exciting to imagine what the future of mobile devices and social media holds and the new challenges and possibilities it will offer the eDiscovery industry. 


22 billion texts


60 Billion app-to-app messages

– https://www.theverge.com/2016/4/12/11415198/facebook-messenger-whatsapp-number-messages-vs-sms-f8-2016

Comments ( 0 )

    Leave A Comment

    Your email address will not be published. Required fields are marked *