Please ensure Javascript is enabled for purposes of website accessibility
Home / Expert Opinion / eDiscovery Update / eDiscovery Update: 7 tips to preserve, review mobile device data

eDiscovery Update: 7 tips to preserve, review mobile device data

Peter Coons

Peter Coons

According to one survey I read, there are approximately 250 million mobile phone users in the United States. That number is staggering as it actually exceeds the estimated number of U.S. citizens 18 and over.

Basically, everyone has a mobile phone and as we all know, there are more to cellphones than just texting and calling. We can play games, search for soulmates, send disappearing messages (to the delight of Hilary Clinton), find a good fishing hole and know when we need to take an umbrella to work.

There’s an app for just about everything. In fact, as of July, 2015, there were close to 4 million apps available for download on the five leading app stores.

What if you are a litigation support professional or an attorney and you need to preserve and review ESI from one of those 4 million apps or 250 million phones?

You are in luck! There’s an app for that! Well, sure, if app is short for approach.

Here’s a list of 7 things to consider and questions to ask when dealing with mobile device collections:

  1. Can your vendor or internal IT department properly handle the preservation of a mobile device? Collecting ESI from mobile devices is not rocket science, but it does require proper training and experience as well as the proper tools. Yes, software, like a hammer, is a tool. In one person’s hand it can be used to build great things and in the hands of another it can be deadly! For example, some tools allow one to bypass security and unlock phones to access the data. But if done incorrectly, those attempts can result in the phone being completely wiped rendering it useless. Simply ask who is doing the preservation and their experience with preserving data from mobile devices.
  2. Which tool is being used? As stated above, you need tools (software) to preserve ESI from phones. There are many reputable and commercially available products used in our space. Find out which one is being used on your project and then do some research. If it is one you or your colleagues have never heard of, be weary.
  3. Ask about the types of reports that can be provided. Many tools can produce informative reports for you to review. For example, one software application I have used exports a multi-tab spreadsheet that details the call log, contacts, installed applications, videos, photos, SMS/MMS messages from the base messaging application (i.e. iMessage) and other potentially useful information. Ask yourself: what you are looking for when reviewing this data? Is it a simple call log? If so, then a standard report may be sufficient. But what aren’t you getting? Ask questions and don’t always rely on the standard reports. This leads to doing your homework and delving deeper into the installed apps or asking the experts!
  4. Review the report (assuming it contains app information) and find the list of installed apps. There will likely be apps beyond iMessage and email that may contain information. There probably are apps that you are unfamiliar with and some that you may use yourself. Regardless, get to work, do some research and pull out the pan; there may be a nugget in the river bed. I was chatting with a client who wanted us to produce all the text messages we could find on a particular phone. When I asked which text messages, the response was “the ones from the iPhone messaging app.” I explained that we found four additional messaging apps on the phone and all contained recent communications. There was a long pause followed by a “let me get back to you.” Apparently the stipulation only stated that they were to produce iMessages. How could an attorney make such a blunder (insert appropriate emoji) and limit the stipulation to a singular messaging app? In a survey conducted in late 2014, iMessage was the third most popular messaging app in use behind Facebook and Snapchat. If you are only looking at messages from iMessage then you may only be getting 17 percent of what’s out there. Don’t limit your request or review to just the base message app regardless and certainly don’t limit it to Apple products when Android owns over 50 percent of the market!
  5. Don’t rely exclusively on key terms to find what you are after. In my opinion, this holds true for ESI no matter where it exists, but especially on phones and messaging apps that use non-textual forms of communications, like emojis (i.e. smiley face). According to a survey conducted in 2013, 35 percent of respondents stated they used emojis daily and 74 percent stated they have used them at some point. Earlier this year, the judge in the “Silk Road” case ruled that a jury should take note of any emoticons in online messages used as evidence. (The Silk Road website allowed anonymous users to buy and sell illegal drugs, weapons and other illicit items. Ross Ulbricht is the alleged mastermind of the online criminal enterprise, with the nickname “Dread Pirate Roberts” or “DPR.”) The prosecution was reading online messages and chats out loud to the jury and not properly identifying emoticons. The defense felt strongly that the jury should see the chats and emoticons rather than relying on the reading, which could “distort a writer’s meaning.” The judge agreed and told the jury that it should take note of any such symbols in messages. “That is part of the evidence of the document,” the judge told them.
  6. Don’t expect to recover troves of deleted data. The technical reasons are beyond the scope of this article, but deleted data may be difficult to recover, depending on where it resides. There is not an easy button one can hit and automatically all the deleted texts, emails and photos are recovered. However, if you are going to this level of analysis make sure you find out who is doing the work. Just like finding the best lawyer or doctor for your current situation, you need to find the best mobile device forensic professional. Just because a person has the ability to run the tool to capture the data does not translate to them being the most qualified to do an in-depth forensic analysis. Ask for credentials, experience and references! Trust, but verify.
  7. Ask if you can get the data and a corresponding load file so it can be ingested into a review platform. Data is data no matter the source and mobile device ESI can fit nicely into review tools. Once in the tool, it can be run through analytics, searched for, or placed into pivot tables to make the process of review more efficient. By creating pivot tables with the data, reviewers can quickly see the frequency or time of phone calls or messages. One could also run analytics across the data set to interpret and pivot on “tone.” One can determine which messages were sent and received for business, personal and with some enhancement, the type of conversational tone used in the message such as “aggressive” or “flirtatious”.


In summary, remember the following items when dealing with mobile devices.

  1. Who is doing the work and have they done it before?
  2. Which tools are they using to do the work?
  3. Which reports are standard and does the information satisfy your needs?
  4. Review the reports and investigate the apps!
  5. Don’t rely exclusively on search terms.
  6. Don’t expect to find a lot of deleted data, but hire the right people to look.
  7. Consider placing the data into a review platform to take advantage of bells and whistles.

Peter Coons is a senior vice president at D4, providing eDiscovery and digital forensics consulting services to clients. Peter is a Certified Information Systems Security Professional (CISSP), an EnCase Certified Examiner (EnCE), an Access Data Certified Examiner (ACE), and a Certified Computer Examiner (CCE). He belongs to various digital investigation and information security based organizations. Peter holds a master’s degree in Digital Forensics Management from Champlain College and a bachelor’s degree in Economics from the State University of New York at Oneonta.