Mobile Forensics for Me but Not for Thee

Written by Blogger

February 19, 2019

Over approximately the last decade, the convergence of smartphone technology, corporate BYOD policies, and the preeminent role of ESI in civil litigation have elevated exponentially the significance of mobile devices as a source of evidence. However, this development arrived with a built-in paradox that is poorly understood outside of the more technical circles in e-discovery and computer forensics and is not appreciated at all by most litigators. Thus, we will take a deeper look at this phenomenon in hopes of shedding some much-needed light.

Generally speaking, the forensically defensible acquisition of mobile device content falls within the sphere of computer forensics practitioners. It requires appropriate skill and training with highly complex software and/or proprietary hardware devices to facilitate both the acquisition and subsequent analysis of the data they contain. Suffice it to say that mobile devices do not give up their content easily, and represent a perpetually moving target with regard to continually-evolving hardware, operating system changes, and the evolution of the millions of apps available across the various mobile device platforms and manufacturers. Just as these issues present enormous challenges for computer forensics professionals in law enforcement, where lives can literally be at stake, their presence in civil litigation is similarly problematic if less frequently discussed.

For the moment, in order to establish a critical frame of reference for this discussion, let us turn to the slightly more familiar, more established topic of traditional computer forensics, as it relates to civil litigation. With a far longer historical record, tens of thousands of civil litigation attorneys have had occasion to engage the service of either a retained or neutrally-selected forensics examiner to obtain forensics images [1] of all manner of traditional computer workstations, laptops, and servers. Fortunately, this process is relatively simple and straightforward, primarily as a result of accepted standards with regard to methodologies such as write-blocking, device hash verification, and the self-authentication of the integrity of the digital evidence these techniques permit.

Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions. The phrase mobile device usually refers to mobile phones; however, it can also relate to any digital device that has both internal memory and communication ability, including PDA devices, GPS devices and tablet computers.


As a result of these characteristics, even if a non-neutral examiner performed the imaging at an earlier point in time, assuming the application of the proper techniques in which all competent examiners are trained, it is not at all difficult for the properly-acquired disk image to be duplicated and further distributed to one or more separate examiners for detailed analysis. The reason this is possible is, again, due to the self-authenticating nature of such evidence, which can be validated by any subsequent examiner by subjecting the image to the universally accepted and implemented process of hash validation. In fact, this process is so sensitive, that the reversal of a single bit from a 1 to zero or vice versa will generate a different hash value. Thus, both the transparency and integrity of digital evidence are inherently built into the process we’re referring to as traditional computer forensics.

Now, returning to mobile device forensics, from a litigator’s perspective, it’s entirely logical to assume that an equivalent process exists to both preserve mobile device data, and facilitate the same degree of transparency and integrity of digital evidence. After all, the same forensics professionals offer these services to law firms, so we can trust that they have it covered.

Unfortunately, no such equivalent process exists. In fact, the practical reality with regard to digital evidence acquired from mobile devices in the context of civil litigation is that, unlike traditional computer forensics, where both sides are generally permitted equal access to independently examine the demonstrably identical evidence, mobile devices do not permit this. The result is the inspiration for the title of this article, by which I mean that one party in a litigation matter is routinely permitted to engage in the broadest collection and forensic analysis of mobile device content under their control while, unlike traditional computer forensics, the opposing party is forced to accept: (1) only the limited portions of data deemed permissible for production; and (2) which is almost universally provided in a format that is objectively inferior to that available to the producing party.

Perhaps the most obvious and practical solution to this problem is to permit forensic acquisition [2] and analysis of the mobile device by all parties. Although this might seem practical, given the unique nature of mobile devices and their intersection with BYOD policies, they usually contain highly personal information. Although generally not an issue in the context of a criminal investigation, it can be a significant source of contention in a civil matter. Thus, the now-familiar specter of balancing privacy with the obligation of seeking the truth in a digital world is again invoked.

Complicating matters further is the fact that forensic acquisition of mobile devices can be challenging even under favorable circumstances, and nearly impossible when unfavorable. Any experienced examiner will tell you that, no, they cannot acquire an iPhone at the convenience of their client during a 20-minute meeting they already have scheduled. In fact, acquisitions can sometimes take days and involve multiple technical hurdles. To the extent that the device owner is inconvenienced by being unable to use what is generally considered the most essential piece of technology in the daily lives of most Americans presents yet another obstacle to be considered.

Finally, the most challenging (and perhaps shocking) reality for civil litigators to be aware of is this: due to the inherent complexity of mobile devices, no two pieces of forensic acquisition technology can or will acquire 100% identical content from the same device. Without delving into details that are well beyond the scope of this article, in responding to a question from a consulting attorney regarding whether he should insist on and fight for equal access to a subject mobile device, an entirely reasonable response from the forensics expert might be, “What types of information are you comfortable not having access to that your opponent does?”

Such is the paradox with mobile device forensics, for which the time has come that litigators must become more aware of in ensuring the best possible representation of their clients in a digital world.

Jason L. Covey

Jason works in the litigation support department of AmLaw 200 firm Morris, Manning & Martin, LLP’s Atlanta headquarters, where he serves as the firm’s Digital Forensics & eDiscovery Manager.


 1The term forensic “image” refers to the creation of a file or (more commonly) series of files that contain the bit-level data from a physical hard drive. These image files can be created in a number of formats that, although some are proprietary (like the various formats introduced by EnCase and AccessData), are also so pervasive as to generally be supported by all reputable forensics’ software platforms.

2 In contrast with the term forensic “imaging,” which applies only to computer hard drives, forensic “acquisition” is the proper term referring to the collection of data from a mobile device in a forensically sound manner.

Forensic-Impact Articles

How to get started in the field of digital forensics

How to get started in the field of digital forensics

When you think of different career paths in the field of cyber you might not always notice the field of digital forensics. However, if you have a passion for all things digital and keen attention to detail this field could be the perfect place for you where a job is...

E3 Forensic Platform Version 3.2 Released

E3 Forensic Platform Version 3.2 Released

Paraben’s version 3.2 of the E3 Forensic Platform was released with a bang with support for new artifacts and new capabilities when it comes to Malware investigations. “With so many cases revolving around malware and ransomware, it was important that we make sure we...

Expectations of Facebook Data

Expectations of Facebook Data

As social media continues to rise so does the power of Facebook. If you are not on it personally you are for your business or to connect with people on a hobby. That being part of the Meta universe has become as essential as getting a driver’s license. So, what does...