By Craig Ball
When computer forensics was in its infancy, examiners collected evidence from disks by copying their contents byte-for-byte to matching, sterilized disks, creating archival and working copies called “clones.” Cloning drives was inefficient, expensive, and error-prone compared to the imaging processes that replaced it. Yet, disk cloning worked for years, and countless cases were made on forensic evidence preserved by cloning and examined on cloned drives.
Now cloning may be coming back not to preserve hard drives but to collect data from mobile devices backed up online, particularly Android phones. If I’m right, it will be only a stopgap technique, but it will also be an effective (if not terribly efficient) conduit by which mobile data preserved online can be collected and analyzed in discovery.
Case in point: Google’s recently expanded offering of cheap-and-easy online backup of Android phones, including SMS and MMS messaging, photos, video, contacts, documents, app data, and more. This is a leap forward for all obliged to place a litigation hold on the contents of Android phones — a process heretofore unreasonably expensive and insufficiently scalable for e-discovery workflows. There just weren’t good ways to facilitate defensible, custodial-directed preservation of Android phone content. Instead, you had to take phones away from users and have a technical expert image them one-by-one.
Now it should be feasible to direct custodians to undertake a simple online preservation process for Android phones having many of the same advantages as the preservation methodology I described for iPhones two years ago. Simple. Scalable. Inexpensive.
But unlike the iOS/iTunes methodology, Android backups live in the cloud. At first, I anticipate there will be no means to download the complete Android backup to a PC for analysis. Consequently, when we must process the preserved data for litigation, we may need to first restore the data to a factory-initialized “clean” phone as a means to localize the data for collection. That’s not to say that Google won’t eventually offer a suitable takeout mechanism; after all, Google Takeout capabilities are second to none. But until we can back up Android content in a way that it can be faithfully and intelligibly retrieved directly from Google, examiners may revive the tried-and-true practice of cloning evidence to clean devices and then collecting from the restored device. Everything old is new again.
It won’t be so bad to use this stopgap approach considering that e-discovery typically entails preservation of far more mobile sources than need ultimately be processed. So while backing up many online and cloning a few to clean phones certainly isn’t a perfect solution for Android evidence, it’s good enough and cheap enough that courts should give short shrift to parties claiming that preserving phone evidence is unduly burdensome or complex. For, as my e-discovery colleagues love to say, “Perfect isn’t the standard.” I agree. But neither is the standard, “We couldn’t be bothered, Judge.”
Craig Ball hails from Texas but now happily calls the Big Easy home. A board-certified trial attorney in Texas and an Adjunct Professor at the University of Texas School of Law teaching Electronic Evidence and Digital Discovery, Craig is an expert in digital forensics, emerging technologies, visual persuasion, electronic discovery, and trial tactics, limiting his practice to service as a court-appointed Special Master in Electronically-Stored Information. An energetic speaker at CLE programs for the bench and the bar throughout the world, Craig is also an instructor in computer forensics and electronic evidence to multiple law enforcement and security agencies. Craig’s articles frequently appear in the national media. For nine years, he wrote the award-winning column on computer forensics and e-discovery for American Lawyer Media called “Ball in your Court,” and still pens a popular blog of the same name at ballinyourcourt.com. Craig Ball is the 2019 recipient of the Texas Bar’s Gene Cavin Award for Lifetime Achievement in Continuing Education.
This article was originally posted on craigball.net and is shared here with full permission from the author.