“You have to understand that a smart phone is not just a hard drive.” Interviews with software providers and forensic specialists in mobile device eDiscovery have hammered home that lesson. Most Legal IT professionals are comfortable with the different options and standards for collecting ESI from laptops and network servers. Until fairly recently, the vast majority of civil discovery did not consider the ESI on mobile devices to be worth the effort to preserve, extract, review or produce. As corporate decision makers have become increasingly connected and mobile, their devices now store unique ESI that can provide an absolute chain of actions, locations and communications.
So if a mobile device is not just a hard drive, what is it, what does it store and how can you get it?
The first thing to understand is that every line of mobile devices is a unique combination of hardware, operating system and user software/apps that may store ESI in multiple locations and formats. Discounting PDAs, there are three common types of corporate mobile devices:
Mobile devices may store ESI in many locations:
Some phone forensics kits claim to support over 8,000 extraction profiles, but every provider seems to differ on exactly what can be extracted through different methods. Forensic examiners who specialize in mobile devices tend to have a kit with multiple tools to tackle a wide variety of devices. On the other hand, corporations can exercise policy and purchasing power over users to make a single solution a reasonable proposition.
The problem is that corporate executives always want the latest and greatest version or OS update, which leaves the software providers struggling to keep up. At the present time, according to the leading providers, no one can yet perform a full physical extraction from the latest iPhone 4, iPad 2 or encrypted Blackberry Bolds without jailbreaking or physically extracting the chip.
A company could make the argument that this effectively renders such devices ‘inaccessible’ under Rule 26, but they are still vulnerable to ‘good cause’ arguments. Moreover, with more than 20 cell phone forensic providers in the market, every one of them is working hard to be the first to conquer the latest generation of devices. Although a full physical image (think bit-by-bit copy) is the forensic ideal, the typical corporate litigation scenario centers around a cooperative custodian and live ‘documents’. Most of the leading mobile device kits or software can extract undeleted ESI from the device or from a backup file to meet a discovery request.
The key to managing the complexity, cost and defensibility of mobile devices is putting a user policy training and compliance process into effect that enables business usage. An unenforced policy is worse than no policy at all. Make it easy for users to register new apps and user credentials so that counsel can evaluate their discovery impact and eliminate exploratory collections.
So what kinds of ESI can you extract from these devices?
Smart phones and tablets can host any number of published or custom apps, each of which can store email attachments or other messages as database BLObs, compressed or encrypted files. The list below should be considered a good starting point for your custodian questionnaire or policy.
Types of information stored on mobile devices:
Some of this information on devices may be replicated on your enterprise systems, such as email and files that have been sent or synched with network file shares. These enterprise systems are already targeted in most discovery requests and have a wide range of preservation and collection solutions on the market.
The criminal charges against former BP engineer Kurt Mix put the spotlight on the value of text messages. Mr. Mix allegedly deleted hundreds of text messages regarding the BP spill response from his smart phone after he was notified that it was going to be collected. Because of this action, he was charged with intentionally destroying evidence requested by federal criminal authorities investigating the April 20, 2010, Deepwater Horizon disaster, for two counts of obstruction of justice. Considering these types of consequences, many corporate counsel are being forced to re-evaluate their mobile device policies.
In the 24/7 corporate lifestyle, a key custodian’s mobile device can be the key to reconstructing the chain of events at the heart of a case. These devices may not be relevant to many matters, but they are on the plaintiff’s radar and will show up in interrogatories and discovery requests.
Do not wait for a motion to compel you to create your policy, documentation and declarations. Understand what mobile devices are in use and what unique ESI may reside on them. If you are not ready to invest in large scale device extractions, then shape your device policies and legal hold instructions to minimize the creation of unique records on these devices. From our research, while many still rely on third party service providers for device extractions, a new crop of acquisition devices and software may enable corporate discovery teams to handle mobile devices as part of their standard eDiscovery workflow. But, no matter how firm your policy, you will need to have a mechanism for custodians under legal hold to notify the legal team of potentially relevant ESI and a way to capture that ESI.
Copyright © 2023 Legal IT Professionals. All Rights Reserved.