Getting It Right: Phone Extractions in eDiscovery

Given that most people today regularly carry devices with computing power millions of times greater than what was required for the 1969 American lunar landing, it’s no surprise that the contents of these devices are crucial in the context of eDiscovery.

With personal and business communications, along with daily activities, increasingly stored on phones, extracting phone data has become a vital part of a successful eDiscovery process for legal and investigative purposes. However, extraction methods vary, and not all methods are suitable for every device due to various factors. Additionally, improper extraction can weaken a case, leading to misinformed findings and potentially flawed judicial rulings.

So, which extraction method is the best choice, and why?

The simple answer is that examiners should use a combination of methods to ensure the most comprehensive data set is obtained. However, practical limitations, such as time constraints, costs, privacy concerns, and legal restrictions (like court orders, subpoenas, and search warrants), often determine what methods can be applied.

This article delves into the different extraction options, outlining the advantages and drawbacks of each.

SIM Card Extractions

Whenever possible, the data on a device’s SIM (Subscriber Identity Module) card should be extracted independently. The SIM card is a small, removable component inserted into a mobile device, used to authenticate and identify a subscriber on a mobile network. It stores crucial information and identifiers, including:

  • Integrated Circuit Card Identifier (ICCID) – Used to track and manage SIM cards within the mobile network infrastructure.
  • International Mobile Subscriber Identity (IMSI) – A unique identifier assigned to each subscriber, enabling the mobile network to authenticate the user.
  • Mobile Station International Subscriber Directory Number (MSISDN) – The phone number associated with the SIM.
  • Call records
  • Contacts
  • Text messages

While some or all of this data may be retrieved through other extraction methods, independently extracting the SIM card could reveal additional information.

However, extracting data from a SIM card can be delicate, potentially damaging the device or causing data loss. It’s essential to understand the limitations of a device’s SIM structure before proceeding with extraction.

Physical Extractions

In simple terms, a physical extraction of phone data involves obtaining a bit-by-bit copy of the entire phone’s storage, including deleted data, unallocated space, and system files that may not be available through other extraction methods. A physical extraction is the most thorough of all extraction methods and should be performed whenever possible (within the limitations listed previously).

A physical extraction allows access to all data stored on the device, including deleted files and fragments of files that are still present in the phone’s memory. Deleted files can be recovered from the unallocated space, which can be important in forensic investigations.

A physical extraction is beneficial when comprehensive data recovery is needed, such as in investigations of criminal activity or cases where data deletion is suspected.

A physical extraction is not always available, especially for an Apple iOS device. Routine software updates by Apple have made a full physical extraction impossible in many cases, leaving a file system extraction as the maximum level of extraction available.

Although it is advantageous to perform a physical extraction, there are some factors that need to be considered before performing one. First, this is usually the most time-consuming method, especially if the phone is heavily used, and there may not be enough time and/or money available to perform this type of extraction. Secondly, legal rulings may not allow for a physical extraction, and the extraction performed on a device might need to be much more focused and tailored than what a physical extraction provides. The legal interpretation of what is “too invasive” changes routinely as technology evolves and as case law develops.

File System Extractions

A file system extraction focuses on retrieving files and data directly from the device’s file system, typically accessing readily available user data such as text messages, contacts, and emails. This method is often preferred when the goal is to obtain live, unaltered user data.

It is generally faster and more cost-effective than a physical extraction because it targets only active data, rather than creating a full bit-by-bit copy. Additionally, it is less intrusive and is more likely to be considered a suitable extraction method from a legal standpoint.

However, a file system extraction may miss important data stored in non-standard locations or hidden areas, and it will not recover deleted files or data from unallocated space. If such data is expected to be crucial, a physical extraction is recommended.

Logical Extractions

A logical extraction retrieves data from the device through its operating system via an application interface. This method is typically quicker and easier to perform compared to other extraction techniques. It is minimally invasive and only retrieves active data accessible to the phone’s operating system, such as contacts, messages, photos, and app data.

A logical extraction is ideal when only active, readily accessible data is needed.

However, the advantage of being quick and non-intrusive comes with limitations. Logical extractions cannot recover deleted files, data from unallocated space, or system-level information.
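To make the difference between a logical or file system extraction and a physical extraction concrete, the following added example (not from the original article, and not a real phone file system format) models a constructed toy storage image in Python. Deleting a record removes its directory entry but leaves its bytes in unallocated space, so only the bit-for-bit image, hashed for integrity and then carved by signature, recovers it; the record marker `MSG{...}`, the class and function names, and the sample contents are all assumptions made for the illustration.

```python
import hashlib
import re

# Constructed toy storage image: a fixed-size byte array plus a simple
# in-memory "directory" recording which regions hold active records.
# Illustration only; real phone storage is far more complex.
IMAGE_SIZE = 4096
RECORD = re.compile(rb"MSG\{([^}]*)\}")   # constructed record signature

class ToyStorage:
    def __init__(self):
        self.image = bytearray(IMAGE_SIZE)
        self.directory = {}                # name -> (offset, length)
        self._next = 0

    def write(self, name, payload):
        off = self._next
        self.image[off:off + len(payload)] = payload
        self.directory[name] = (off, len(payload))
        self._next += len(payload)

    def delete(self, name):
        # As on most file systems: drop the entry, leave the bytes behind.
        del self.directory[name]

def logical_extraction(store):
    """Active records only, as an OS/API-level extraction returns them."""
    return {n: bytes(store.image[o:o + l]) for n, (o, l) in store.directory.items()}

def physical_extraction(store):
    """Bit-for-bit copy of the whole image plus its SHA-256 for integrity."""
    image = bytes(store.image)
    return image, hashlib.sha256(image).hexdigest()

def carve_records(image):
    """Recover record fragments from the full image, including unallocated space."""
    return [m.group(1).decode() for m in RECORD.finditer(image)]

def demo():
    store = ToyStorage()
    store.write("contacts", b"MSG{alice:+15550001}")
    store.write("draft", b"MSG{call Bob re contract}")
    store.delete("draft")                  # deleted: gone from the directory
    logical = logical_extraction(store)
    image, digest = physical_extraction(store)
    # Verify the copy against its recorded hash before analysing it.
    assert hashlib.sha256(image).hexdigest() == digest
    return sorted(logical), carve_records(image), digest
```

The logical view lists only `contacts`, while carving the physical image also yields the deleted draft.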

Key Takeaways

The increasing reliance on mobile devices for both personal and business communication has made the extraction of phone data an essential component of eDiscovery in legal and investigative processes. With a variety of extraction methods available—ranging from physical to logical extractions—each technique offers unique advantages and drawbacks, depending on the nature of the data and the specific requirements of a case. While physical extractions are the most thorough and comprehensive, they can be time-consuming, costly, and legally complicated. Conversely, methods like logical and file system extractions offer quicker, less invasive alternatives but may miss critical data, such as deleted files or information stored in unallocated space.

Ultimately, the choice of extraction method should be guided by the type of data required, the limitations of the device, and the legal considerations involved. A combination of extraction methods is often the best approach to ensure the most complete and accurate data is retrieved, particularly in cases where evidence integrity is paramount. Understanding the strengths and limitations of each method, as well as staying informed about technological and legal developments, is crucial for those involved in eDiscovery and forensic investigations.

Chris Korta |Certified eDiscovery Specialist (ACEDS)|Cellebrite Certified Operator (COO)
