Page 4 - Cleveland Vol 5 No 3
MICHAEL ZINN | E-Discovery
Trends – Attorney Forensics Requests in 2019
Having spoken at the Cleveland Employment Lawyers Association earlier in 2019, and having been engaged by Cleveland attorneys to perform forensic examinations on a range of topics from preservation to suspected unauthorized access to suspected intellectual property theft, I wanted to share some trends in attorney forensic requests so far this year. Some of the information in this article is specific to Cleveland area employment lawyers and other information is related to all attorney forensic requests so far this year.
80% of attorney forensic requests in 2019 to date involved the acquisition of records stored on an Apple iPhone.
Most requests for educational information from Cleveland area employment lawyers are related to the process, capabilities, limitations, and product resulting from the preservation and extraction of text messages.
Due in part to the past reliance on physical paper documents, members of the legal community commonly report they believe the most reliable and accurate way to forensically obtain text messages is to take screenshots on the cell phone and accept the text messages as displayed to the user as accurate.
In some cases, there is a desire to reproduce the text messages as visually represented on the sending or receiving cell phone.
What Should You as an Attorney Request When It Comes to Collecting Text Messages from an Apple iPhone?
I recommend a few key steps. Before you proceed with requesting a forensic examiner to image the Apple iPhone, determine who owns the phone. If the client asking you to engage a forensic examiner does not own the phone, do you have a valid court order? If you need text messages which you believe may have been deleted, time is a key concern. Make sure the phone is not turned off. If the phone is already turned off, leave it turned off. Put the phone in a Faraday bag, which will block wireless communication with the phone. When a cell phone is communicating with a cellular network or wireless network, it is more likely that new data will be written to the phone and, as a result, possibly overwrite deleted records.
Make sure that you have the phone’s password. If you do not have the phone’s password, do you have access to the computer with which the phone was synchronized? If all you have is an iPhone backup, that may be enough to collect information from the phone (as it existed on the phone when the given backup was created).
What format do you want the forensic examiner to use to present the data? Do you suspect a text message may have been manipulated? If you do, then a screenshot is probably not the format you need for your case. There can be issues with the authenticity of information displayed in screenshots, and if you need to authenticate the information in that screenshot, the forensic examiner will need to forensically obtain information from the sending or receiving phones (or in some cases both), and they may provide the information you are asking them to extract as a spreadsheet. They may also provide you the information in the form of a web-based interactive timeline. The format the forensic examiner can use to provide the information you requested depends largely on the forensic software used to perform the forensic acquisition, examination, and analysis. Not all tools are created equal, and while one tool may do a better job at recovering deleted files, different software may provide the files in a format you prefer.
In most situations, a forensic examiner can produce information requested by the attorney in a spreadsheet. This is one of the most common formats for information extracted from a cell phone. Do you want the information provided in native format? It depends. If you need the forensic examiner to collect text messages, you should know the native format for text messages on most smartphones is SQLite. This is a database. It is not easy to read. You may want your forensic examiner to extract the SQLite database, authenticate the data, and use a tool to extract text messages from the SQLite database as a spreadsheet, a web page timeline, or a PDF. That will give you more flexibility to present the text messages in a comparatively easier to read format while being able to authenticate the information.
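The workflow described above, as an added Python example that is not from the article or from any forensic product: hash the SQLite file, open it read-only, export the messages as CSV for a spreadsheet, and hash again to show the file did not change. The `message` and `handle` tables, their columns, the nanoseconds-since-2001 timestamp, and the sample rows are a simplified, assumed layout built as constructed data, not taken from a real phone.

```python
import csv, hashlib, io, sqlite3, tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # assumed timestamp base

def sha256_file(path):  # hash used to authenticate the working copy
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def export_messages(db_path):
    """Return (csv_text, hash_before, hash_after) for a message database."""
    before = sha256_file(db_path)
    # mode=ro opens the file read-only, so the export cannot modify it.
    con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    rows = con.execute(
        "SELECT m.ROWID, h.id, m.is_from_me, m.date, m.text FROM message m "
        "LEFT JOIN handle h ON h.ROWID = m.handle_id ORDER BY m.date").fetchall()
    con.close()
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["rowid", "contact", "direction", "utc_time", "text"])
    for rowid, contact, from_me, date_ns, text in rows:
        # Assumption: date is stored as nanoseconds since APPLE_EPOCH.
        when = APPLE_EPOCH + timedelta(microseconds=date_ns // 1000)
        writer.writerow([rowid, contact, "sent" if from_me else "received",
                         when.isoformat(), text])
    return out.getvalue(), before, sha256_file(db_path)

def build_sample_db(path):
    """Create a small constructed database using the assumed schema."""
    base = int((datetime(2019, 6, 1, 12, tzinfo=timezone.utc) - APPLE_EPOCH).total_seconds())
    con = sqlite3.connect(path)
    con.executescript(
        "CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);"
        "CREATE TABLE message (ROWID INTEGER PRIMARY KEY, handle_id INTEGER,"
        " is_from_me INTEGER, date INTEGER, text TEXT);"
        "INSERT INTO handle VALUES (1, '+15550100');")
    con.executemany("INSERT INTO message VALUES (?, 1, ?, ?, ?)", [
        (1, 0, base * 10**9, "Are we still on for Friday?"),
        (2, 1, (base + 90) * 10**9, "Yes, see you at 10."),
    ])
    con.commit()
    con.close()

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "sms_sample.db"
        build_sample_db(db)
        return export_messages(db)
```

Calling `demo()` returns the CSV text together with the two hashes; matching hashes show the export left the database file byte-for-byte unchanged.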
Michael Zinn is a recognized digital forensics and cybersecurity expert who holds a number of industry certifications including certified computer examiner (International Society of Forensic Computer Examiners), EC-Council computer hacking forensic investigator, AccessData certified examiner, and AccessData mobile examiner. He is an experienced computer security incident response team leader and is available for cybersecurity consultations and cybersecurity training.
ATTORNEY AT LAW MAGAZINE · OHIO · VOL. 5 NO. 3

