In a recent investigation at a large US-based corporation, FTI Technology’s team of computer forensics specialists was asked to collect data from every mobile phone, USB device, computer and cloud source used by the company’s employees in order to piece together the clues surrounding a suspected fraudulent business transaction. Another matter this year involved a client’s request to collect information from its corporate Facebook page, which included the requirement to go back in time and recover historical and deleted data that was no longer resident on the site.

Completing these types of investigations has become standard practice within large organizations today, with social media, a wide range of mobile devices and multiple operating systems now playing a role. These sources introduce many variables, which can create significant obstacles for investigators seeking the key facts to solve a case. By examining matters that involve complex collections from social media and BYOD (“Bring Your Own Device”) environments, this article will reveal techniques for tackling common challenges in a defensible and efficient way.

Seasoned forensics investigators have historically collected data from a very broad range of devices and sources, from the unsophisticated “electronic organizers” of 15 years ago to the latest smartphones to the newest photo sharing websites. When investigators first encountered such devices, the tools to collect from them often didn’t exist. The first task for investigators might involve developing the software and methods to complete a collection, before moving forward with the collection itself. In recent years, forensics tools have become more robust and they will generally collect from thousands of different types of data stores and devices. Still, investigators must sometimes problem-solve new challenges “on the fly” and create new ways to access or uncover data depending on what roadblocks arise during a case.

When Social Media Comes Into Question

As outlined in the earlier example, data from Facebook, LinkedIn and Twitter is commonly used for business today, and consequently often comes into play during an investigation. These networks and data sources are constantly evolving, and with cybersecurity becoming a very widespread concern, privacy protections are becoming tighter and tighter. Securing these websites is paramount, but the more protected social media accounts become, the more challenging becomes the job of a computer forensic examiner trying to obtain data pertinent to an investigation.

In addition to Facebook and Twitter – from which experts have become fairly adept at collecting (even when deleted data is involved) – new sites are emerging all the time that introduce unforeseen challenges. Content from photo and video sharing sites has started to come into play for corporate investigations, with YouTube specifically becoming more and more prevalent due to the increase in corporations using it to offset content hosting costs.

Some steps for collecting from social media sites include working cooperatively with custodians to obtain access to personal passwords and answers to security questions, so as to be able to fully view individual accounts. This gives investigators the best possible access for collecting individual posts, likes, shares, comments and messages, as well as the metadata associated with them. This can also eliminate the need for collection of the entire dataset, as investigators can easily cull out non-responsive posts based on data, keywords or authors, and avoid collection of personal information. In the matter mentioned at the beginning of this article, this approach enabled investigators to obtain a rich set of data with which to move forward on the case.

In cases where deleted data is involved, or custodians are uncooperative in providing access to their social media accounts, examiners have a few options for how to recover the information they need. These steps include use of third-party software such as Cellebrite, Katana Forensic, Lantern and Internet Evidence Finder; and manual solutions customized by computer forensics experts that provide workarounds specific to the type of data and type of application/device they are working to access. Examiners may also need to conduct an extraction of files from iTunes back ups that can be viewed in a database for analysis and examination of cloud storage. In many cases data residing in social media or cloud-based applications exist in more than one place, and savvy forensics experts know where to look to recover what would otherwise be inaccessible.

Paramount to these types of investigations is that corporations ensure they have knowledgeable members on their team – whether internal or from outside partners – that are able to intimately understand the systems and preserve the data in a forensically sound and defensible way.

Collecting from Personal Devices

BYOD environments also pose unique challenges for investigators. Because the devices aren’t owned by the company, getting access can involve a negotiation process with the custodian that makes getting the data at best tricky and at worst impossible. Ideally, organizations allowing personal devices in the workplace will have clear policies in place defining who has what access to the device during an investigation or other event, how the device may interact with the network, and what restrictions are in place.

An example of these challenges is provided by a corporation whose chief of corporate security had used his personal phone for various investigations, and had call logs and text messages that needed to be produced for several matters. Because this executive did not want to provide unfettered access to his device, and the company did not have a predefined BYOD policy in place, the process for obtaining the required data became quite complex.

The eventual solution required the client to engage separate outside counsel and an additional computer forensics firm to act as intermediaries and to access the device. These firms handled the process of collecting from the executive’s device, parsing through the data and providing to the investigators only what was pertinent to the investigation. Obviously, this process added time and cost to the matters, much of which could have been avoided with a well-written BYOD policy in place ahead of time.

In investigations involving better prepared BYOD environments, attorneys prepare custodians who have already signed off on a BYOD access policy for the process of turning over their devices to investigators. If custodians still refuse to provide their devices, investigators set up interviews with them to determine what needs to be collected and establish an agreed upon process for obtaining that data. In addition to sound policy, mobile device management solutions are also critical to running a smooth BYOD investigation and avoiding costly issues.  

With proper implementation, mobile device management tools provide corporate IT with defensible intelligence about what data is contained on the devices as well as additional control and access to devices themselves.  This makes it easier to focus the scope to only devices likely to contain relevant information and to collect that data from them. Additionally, these solutions can require and document employee acceptance of the company's BYOD policy before granting access to company data, regulate whether actions such as text messaging or chat features can be used while the device is connected to company data and even record and collect communication information negating the need to physically interact with the device or custodian – all things that help make a mobile device investigation go more quickly and easily.

Complex investigations that involve the collection of data from personal devices and social media accounts can be very “hit or miss” in terms of what technology is able to accomplish. In these circumstances, corporations must implement an approach that involves experienced forensics examiners and a commitment to ongoing employee education as well as technology. It’s true that forensics technology is always evolving and providing investigators with an increasingly advanced set of tools to deal with the challenges of new devices and data sources. However in situations where the technology simply doesn’t exist, the involvement of an experienced computer forensic examiner who can look at the data manually and figure out exactly what the zeros and ones mean can make all the difference in breaking open a case.

Corporations should look at previous matters within their organizations, and those described in this article as lessons for what types of obstacles may arise in social media and BYOD collections. Doing so can offer a clearer understanding of what solutions work, the types of proactive policies that will make a difference in avoiding future pitfalls, and overall strategies for managing the bigger picture of growing data types and volumes. 

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access